From 69eb9a1ab5b375aee9c8fe6a7d1523d61cd04d80 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 7 Sep 2023 19:54:20 -0400 Subject: [PATCH 001/155] src, tests: flatten all changes Signed-off-by: William Woodruff --- .../hazmat/bindings/_rust/x509.pyi | 14 + src/cryptography/x509/__init__.py | 1 + src/cryptography/x509/verification.py | 76 +- src/rust/Cargo.lock | 22 +- src/rust/Cargo.toml | 1 + .../cryptography-x509-validation/Cargo.toml | 4 + .../src/certificate.rs | 20 + .../cryptography-x509-validation/src/lib.rs | 480 ++++++++++++ .../src/policy/mod.rs | 714 ++++++++++++++++++ .../src/trust_store.rs | 31 + .../cryptography-x509-validation/src/types.rs | 2 +- src/rust/cryptography-x509/src/extensions.rs | 1 + src/rust/src/x509/verify.rs | 254 ++++++- tests/x509/test_verification.py | 105 ++- 14 files changed, 1718 insertions(+), 7 deletions(-) create mode 100644 src/rust/cryptography-x509-validation/src/certificate.rs create mode 100644 src/rust/cryptography-x509-validation/src/policy/mod.rs create mode 100644 src/rust/cryptography-x509-validation/src/trust_store.rs diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 9be3dabe6703..8d65a479d90c 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -2,6 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import datetime + from cryptography import x509 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 
@@ -34,12 +36,24 @@ def create_x509_crl( private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, ) -> x509.CertificateRevocationList: ... +def create_policy( + profile: x509.verification.Profile, + name: x509.verification.Subject | None, + time: datetime.datetime | None, +) -> x509.verification.Policy: ... +def verify( + leaf: x509.Certificate, + policy: Policy, + intermediates: list[x509.Certificate], + store: x509.verification.Store, +) -> list[x509.Certificate]: ... class Sct: ... class Certificate: ... class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... +class Policy: ... class Store: def __init__(self, certs: list[x509.Certificate]) -> None: ... diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 80c5b4dd14b5..931618aa49d1 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -171,6 +171,7 @@ __all__ = [ "certificate_transparency", + "verification", "load_pem_x509_certificate", "load_pem_x509_certificates", "load_der_x509_certificate", diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index c622c47e2a2d..884a645f42d6 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py 
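Review bot: The two new stubs spell the same type differently: `create_policy` returns `x509.verification.Policy`, while `verify` takes `policy: Policy`, the opaque class declared further down in this hunk. verification.py in this commit aliases one to the other, so the types agree, but a reader of the stub has to know that. Using one spelling in both signatures, e.g. `policy: x509.verification.Policy`, makes it clear that the object passed to `verify` is the one `create_policy` produced. The stub also lists `policy` before `intermediates`, whereas the Rust `verify` in lib.rs takes `intermediates` first; the binding in src/rust/src/x509/verify.rs is not visible here, so confirm the stub matches the order it actually exposes.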
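Review bot: `"verification"` is added to `__all__`, but the diffstat lists this file with a single added line, so no import of the submodule is added alongside it. The import block is outside the hunk; if the package does not already bind that name there, `from cryptography.x509 import *` fails with an AttributeError for the missing attribute. The fix would be `from cryptography.x509 import verification` next to the existing submodule imports.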
@@ -2,8 +2,80 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -from cryptography.hazmat.bindings._rust import x509 as rust_x509 +from __future__ import annotations + +import datetime +import typing -__all__ = ["Store"] +from cryptography import utils +from cryptography.hazmat.bindings._rust import x509 as rust_x509 +from cryptography.x509.general_name import DNSName, IPAddress Store = rust_x509.Store + +Subject = typing.Union[DNSName, IPAddress] + + +class Profile(utils.Enum): + RFC5280 = 0 + WebPKI = 1 + + +Policy = rust_x509.Policy + + +class PolicyBuilder: + def __init__( + self, + *, + subject: Subject | None = None, + time: datetime.datetime | None = None, + profile: Profile = Profile.WebPKI, + ): + self._subject = subject + self._time = time + self._profile = profile + + def subject(self, new_subject: Subject) -> PolicyBuilder: + """ + Sets the expected certificate subject. + """ + return PolicyBuilder( + subject=new_subject, time=self._time, profile=self._profile + ) + + def time(self, new_time: datetime.datetime) -> PolicyBuilder: + """ + Sets the validation time. + """ + return PolicyBuilder( + subject=self._subject, time=new_time, profile=self._profile + ) + + def profile(self, new_profile: Profile) -> PolicyBuilder: + """ + Sets the underlying profile for this policy. + """ + return PolicyBuilder( + subject=self._subject, time=self._time, profile=new_profile + ) + + def build(self) -> Policy: + """ + Construct a `Policy` from this `PolicyBuilder`. + """ + + return rust_x509.create_policy( + self._profile, self._subject, self._time + ) + + +verify = rust_x509.verify + +__all__ = [ + "verify", + "Policy", + "PolicyBuilder", + "Profile", + "Store", +] diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e19f5b5abbd6..0940b19c7d61 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock 
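Review bot: `PolicyBuilder.subject()`, `time()` and `profile()` silently replace a value that was already set, and `build()` accepts a builder whose subject is still `None`. Both are easy to get wrong for a verification policy: a later call in shared setup code can change the name or time a chain is checked against without any error, and what a subject-less policy checks depends on `create_policy`, which is not in this file. Consider rejecting a second assignment with `if self._subject is not None: raise ValueError("The subject may only be set once.")` (and the same for `time`), and stating in the `build()` docstring what happens when subject or time were never set. The `time()` docstring should also say whether a naive `datetime` is interpreted as UTC, and `Subject` is defined here but missing from `__all__`.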
@@ -28,6 +28,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +[[package]] +name = "base64" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" + [[package]] name = "base64" version = "0.21.2" @@ -83,11 +89,12 @@ dependencies = [ "cryptography-cffi", "cryptography-openssl", "cryptography-x509", + "cryptography-x509-validation", "foreign-types-shared", "once_cell", "openssl", "openssl-sys", - "pem", + "pem 3.0.1", "pyo3", "self_cell", ] @@ -105,6 +112,8 @@ version = "0.1.0" dependencies = [ "asn1", "cryptography-x509", + "once_cell", + "pem 1.1.1", ] [[package]] @@ -220,13 +229,22 @@ dependencies = [ "windows-targets", ] +[[package]] +name = "pem" +version = "1.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8" +dependencies = [ + "base64 0.13.1", +] + [[package]] name = "pem" version = "3.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed3127afbfc30b4cad60c34aeb741fb562a808642b81142bcf4afb73142da960" dependencies = [ - "base64", + "base64 0.21.2", ] [[package]] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 77455d375f75..86ef601d65d0 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -13,6 +13,7 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } +cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.56" 
diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index 49c608dcbec6..44e85fd129fa 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -10,3 +10,7 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.5", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } +once_cell = "1" + +[dev-dependencies] +pem = "1.1" diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs new file mode 100644 index 000000000000..b706456b8317 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -0,0 +1,20 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +//! Validation-specific certificate functionality. + +use cryptography_x509::certificate::Certificate; + +use crate::ops::CryptoOps; + +pub(crate) fn cert_is_self_issued(cert: &Certificate) -> bool { + cert.issuer() == cert.subject() +} + +pub(crate) fn cert_is_self_signed(cert: &Certificate, ops: &B) -> bool { + match ops.public_key(cert) { + Some(pk) => cert_is_self_issued(cert) && ops.is_signed_by(cert, pk), + None => false, + } +} diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 212642f6d428..3550f63fba7a 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
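Review bot: The new dev-dependency `pem = "1.1"` is a different major version from the `pem = { version = "3", default-features = false }` already declared in src/rust/Cargo.toml, and the lockfile hunks in this commit show the result: a second `pem` (1.1.1) and a second `base64` (0.13.1) enter the dependency graph. Even as a test-only dependency, that is two more packages to audit and keep patched; declaring `pem = "3"` here would reuse the version that is already locked. The `cert!` macro in lib.rs reads `parsed.contents` as a field, which may need to become an accessor call under the newer major version, so check that when switching.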
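Review bot: `cert_is_self_issued` and `cert_is_self_signed` in certificate.rs have no doc comments, and the difference between them matters to path validation: the first compares only issuer and subject, the second also checks the signature under the certificate's own key. Suggested comments are `/// Returns true when issuer and subject are equal; says nothing about the signature.` and `/// Returns true when the certificate is self-issued and its signature verifies under its own public key; false if no key can be extracted.`. In `cert_is_self_signed` the name comparison could also run before `ops.public_key(cert)`, e.g. `if !cert_is_self_issued(cert) { return false; }`, so key extraction is only attempted for self-issued certificates.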
@@ -4,5 +4,485 @@ #![forbid(unsafe_code)] +pub mod certificate; pub mod ops; +pub mod policy; +pub mod trust_store; pub mod types; + +use std::collections::HashSet; + +use cryptography_x509::certificate::Certificate; +use ops::CryptoOps; +use policy::{Policy, PolicyError}; +use trust_store::Store; + +#[derive(Debug, PartialEq)] +pub enum ValidationError { + Policy(PolicyError), +} + +impl From for ValidationError { + fn from(value: PolicyError) -> Self { + ValidationError::Policy(value) + } +} + +pub type Chain<'c> = Vec>; + +pub fn verify<'leaf: 'chain, 'inter: 'chain, 'store: 'chain, 'chain, B: CryptoOps>( + leaf: &'chain Certificate<'leaf>, + intermediates: impl IntoIterator>, + policy: &Policy, + store: &'chain Store<'store>, +) -> Result, ValidationError> { + let builder = ChainBuilder::new(HashSet::from_iter(intermediates), policy, store); + + builder.build_chain(leaf) +} + +struct ChainBuilder<'a, 'inter, 'store, B: CryptoOps> { + intermediates: HashSet>, + policy: &'a Policy<'a, B>, + store: &'a Store<'store>, +} + +impl<'a, 'inter, 'store, 'leaf, 'chain, 'work, B: CryptoOps> ChainBuilder<'a, 'inter, 'store, B> +where + 'leaf: 'chain, + 'inter: 'chain, + 'store: 'chain, + 'work: 'leaf + 'inter, + 'chain: 'work, +{ + fn new( + intermediates: HashSet>, + policy: &'a Policy, + store: &'a Store<'store>, + ) -> Self { + Self { + intermediates, + policy, + store, + } + } + + fn potential_issuers( + &'a self, + cert: &'a Certificate<'work>, + ) -> impl Iterator> + '_ { + // TODO: Optimizations: + // * Use a backing structure that allows us to search by name + // rather than doing a linear scan + // * Search by AKI and other identifiers? + self.intermediates + .iter() + // NOTE: The intermediate set isn't allowed to offer a self-signed + // certificate as a candidate, since self-signed certs can only + // be roots. 
+ .filter(|&candidate| *candidate != *cert) + .chain(self.store.iter()) + .filter(|&candidate| candidate.subject() == cert.issuer()) + } + + fn build_chain_inner( + &self, + working_cert: &Certificate<'work>, + current_depth: u8, + ) -> Result, ValidationError> { + if current_depth > self.policy.max_chain_depth { + return Err(PolicyError::Other("chain construction exceeds max depth").into()); + } + + // Look in the store's root set to see if the working cert is listed. + // If it is, we've reached the end. + // + // Observe that no issuer connection or signature verification happens + // here: inclusion in the root set implies a trust relationship, + // even if the working certificate is an EE or intermediate CA. + if self.store.contains(working_cert) { + return Ok(vec![working_cert.clone()]); + } + + // Otherwise, we collect a list of potential issuers for this cert, + // and continue with the first that verifies. + for issuing_cert_candidate in self.potential_issuers(working_cert) { + // A candidate issuer is said to verify if it both + // signs for the working certificate and conforms to the + // policy. + if let Ok(next_depth) = + self.policy + .valid_issuer(issuing_cert_candidate, working_cert, current_depth) + { + let mut chain = vec![working_cert.clone()]; + chain.extend(self.build_chain_inner(issuing_cert_candidate, next_depth)?); + return Ok(chain); + } + } + + // We only reach this if we fail to hit our base case above, or if + // a chain building step fails to find a next valid certificate. + Err(PolicyError::Other("chain construction exhausted all candidates").into()) + } + + fn build_chain(&self, leaf: &Certificate<'leaf>) -> Result, ValidationError> { + // Before anything else, check whether the given leaf cert + // is well-formed according to our policy (and its underlying + // certificate profile). + // + // In the case that the leaf is an EE, this includes a check + // against the EE cert's SANs. 
+ self.policy.permits_leaf(leaf)?; + + // NOTE: We start the chain depth at 1, indicating the EE. + self.build_chain_inner(leaf, 1) + } +} + +#[cfg(test)] +pub(crate) mod tests { + use super::*; + + #[macro_export] + macro_rules! cert { + ($pem:literal) => {{ + let parsed = Box::leak(Box::new(pem::parse($pem).unwrap())); + asn1::parse_single::(&parsed.contents).unwrap() + }}; + } + + pub(crate) struct NullBackend {} + impl CryptoOps for NullBackend { + type Key = (); + + fn public_key(&self, _cert: &Certificate) -> Option { + Some(()) + } + + fn is_signed_by(&self, _cert: &Certificate, _key: Self::Key) -> bool { + true + } + } + + #[test] + fn test_verify_trivial() { + let ee = cert!( + " +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w +MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 +NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 +HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS +a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l +lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa +dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 +0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb +TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 +2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE +BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy +PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq +5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ +BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo +DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR +8S06Qm0= +-----END CERTIFICATE----- +" + ); + + let intermediate = cert!( + " +-----BEGIN CERTIFICATE----- 
+MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk +aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN +oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L +CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq +hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U +eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr +uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB +G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ +xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB +Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 +ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U +Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC +zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG +Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD +d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz +wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv +/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc +t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW +9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL +lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR +iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +-----END CERTIFICATE----- +" + ); + + let root = cert!( + " +-----BEGIN CERTIFICATE----- +MIIFAzCCAuugAwIBAgIULk/1FzjhdjPggYD8EUdUtMKIXQIwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDjaj2hSumOoxmHtQmAcR907Whw +2xHWQLa+v9mcsJbPMu2rwwhEs6MYWB2U3YV8BRtdLTFwUm7+JLZv9KSdk440Z5Ts +Ohm8XtieZRI2CEs4ypFyT15jDfY4T7U49mTSuZ9JuoFlsWrhm6R8+4xmkto/PTUr 
+x+xwgCyHPJlfxIQg5jlpwyoUK+Yl1h1moAyvWJBz5cUj+FENrXvwhvhfoBEo42Q7 +LRU1st9LBnR3rvpUbd2BcABsXIqIyAd+Lu57bhFZ+abLnhVa7JNOeucMZ7BWH9N4 +RSZn3iXmyOElpB2h4Us2Phzj9X6flfWCiHGPHnMs+Ndz4oQ3OScQcEZ3bMIJ3fwy +c5pnNr9Eq1f+uKNXfq7IXyg45Ho7iVhuk4ZpAaqAyKFiryusqYDBjHnWkiIbE2dX +aOTk1SQNuYOj3JhrwDFgfdZ+0mtWXW7Y/V93Dx1n0EkIoRahVCOkxGBm+a6Mr3G+ +PqFAPioKOgjB9DI8uGtVA9YjwE0bXLeIuMswL5LGdo4ULhaqpHmhLDnO3DFGT5x4 +jgbT1r+K/N7lPIpkrcXAIsCzuQ73eUlo6anrO+WrJ/L99rRAbWKGAKN2HO1N+x/K +weVRCL794ZXABqf9HmHxB0MlRLEBfOjcUmTghlPsmYMI47Sjrf0IdfFgZ3XU9MLP +HZ0U1J2LKGqi4PUqbwIDAQABoz8wPTAdBgNVHQ4EFgQUJOkk3E1Q1WmQy9Gz7j1+ +oznJKS0wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEL +BQADggIBAF/+zaqgfk5+AughIdfUDt+BspxDcp17Mv1O0UlbdfitFbQrJmLcz8qs +ZTYKZ3rcIZMEXUPVB64UgAd5QGa6Xb8wqYy93PuZoeB65KA3gPKOlRVo881FD4iT +Cb/ztZnHSpyDzYtyl5ECmeuJgEybRbZMcxovBngaFunI0K2+q4OzApak0hj/4oii +X6DAA25og2oM2iHEhG7eaemBxp62Lmboew4tKV8Sa8uwy8RxWJwRYlVkcI8uBFep +otfno/4IALx0nyXmEyRnLT6NNwNMakvf/95xU7qqn25s0xF+0G1EOIPma5pCBIF7 +Y+kS2JaS4uhI66mrDTEvwtrDA/zNwPl6C3kHZlaRYiFTNxXeTfZKO+pA49ww0GzK +56KVef2E0d2zeEwZ2S5baGMtI1KssxY7eQIPY8cidUdaCeFQE/NKkGnOLVqT/LNF +gpkjybz/BQmGBCTQI5UWDj49UPoRVP8gXC0TyIPRIeITpXSmnpiDn4gPqC1+Z7jA +lJu1dP3ITd84CVkhuHOe9oLtECWSQENKxfEY+145iqHsgsG8Vim3tZyYJsWI5V0x +utv77PsVLZNG9QiyDMKbkVFk9+BzOnXWpFxyEys9A5HNBn1pVp30lu0EMqhChoR6 +NlIpBxyLOUUx0e7+ooHYTUm9rNHmAYadjwNk3phoRzSQHhAQFjVQ +-----END CERTIFICATE----- +" + ); + + let store = Store::new([root.clone()]); + let ops = NullBackend {}; + let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 0).unwrap(); + let policy: Policy<_> = Policy::rfc5280(ops, None, time); + + let chain = verify(&ee, [intermediate.clone()], &policy, &store).unwrap(); + assert_eq!(chain.len(), 3); + assert!(chain[0] == ee); + assert!(chain[1] == intermediate); + assert!(chain[2] == root); + } + + #[test] + fn test_verify_trivial_missing_root() { + let ee = cert!( + " +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL 
+BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w +MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 +NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 +HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS +a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l +lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa +dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 +0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb +TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 +2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE +BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy +PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq +5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ +BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo +DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR +8S06Qm0= +-----END CERTIFICATE----- + " + ); + + let intermediate = cert!( + " +-----BEGIN CERTIFICATE----- +MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk +aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN +oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L +CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq +hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U +eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr +uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB +G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ +xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB +Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 
+ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U +Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC +zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG +Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD +d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz +wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv +/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc +t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW +9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL +lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR +iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +-----END CERTIFICATE----- + " + ); + + let store = Store::new([]); + let ops = NullBackend {}; + let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 0).unwrap(); + let policy: Policy<_> = Policy::rfc5280(ops, None, time); + assert!( + verify(&ee, [intermediate.clone()], &policy, &store) + == Err(PolicyError::Other("chain construction exhausted all candidates").into()) + ); + } + + #[test] + fn test_verify_pathlen_violated() { + let ee = cert!( + " +-----BEGIN CERTIFICATE----- +MIIEaTCCAlGgAwIBAgIUcoYtjE7xI0Afx91WvWxcJAKYJRowDQYJKoZIhvcNAQEL +BQAwZzE5MDcGA1UECwwwMTA5MTQ2ODU3OTYwNzQyMDY3Nzk4MzI5NzE5Nzg1NDc2 +ODM4MDMxMDA1Njk2Njg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0 +ZS1wYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx +FjAUBgNVBAMMDXg1MDktbGltYm8tZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCrozwOGLyFsGXZMx7GJxB+wSuyiNQqS23EYPci7ms63M8iyWBK+gq8 +grziRLdchB+4ID70jz8ik3OZ3Fhew+RC3NV0wKbQSzqgoF+ym6/yN5PipSsJUrdJ +Coktb69R7F55jiVJF3GghyB20JQyAL7whXcUjzQ4VOLfwp2I5ioAnYCG/7NetCgP +CWXkseMGYfJRsvpIB/CXIMlwvTIMSR/kgfeeyScl5JGjMxRF6sih81JL2GIu6Sts +TVQIuYJXEtnJUmn8fRDItu44m+sGpmT2bnyEMUFmSLGyxALviayDhLFZFG3DKMwh +CoO9fWQBuie+rvrSMY6DIP5TQj4JIiZHAgMBAAGjWjBYMB0GA1UdDgQWBBSzKwH4 +TC1o+Zwgh7TXbi4D3qnCnDAfBgNVHSMEGDAWgBSdZzog5CmYVJ0DfuO8DjLw5TAy 
+bzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAmQhP +2EI0G3rGUy+kEmjd7eG+fZ4ChXFcGGCxcGs7ZUDg1/h2OkQU93CmzCTWCbOB6+7E +Ct2HqmdTJIngZJ9Irk3gJsJ28mBfKCJ7+W1Q/OuchPR0VDhUxpctWk01CMXLxi5F +bgjxvhMY/0PMUiGon7dj0+ZG847zQuZcoB3Ffa6UrRtPNzXFLlSW4YtqPd7MN+vc +SwiJMMXWtxYbavdUQStcQtFecF+GZ36sKqfiNkvOA4A+/piUIkfLK1gNEuzQM8qV +k91xfDoB+3OP+0I5b52aI7ia4PLnMBKdhPguBieLo09i1VavsLHS/3ouWOKdkDET +TzyWdowdzDGc9+cMABuQtRmnY+OwWRRfzWwLjSQAKqhxDsfpmanOhh058opyRfhY +1R60Jjzq0R5S+OKk1gh/ccZZPGgX1zB4jXp8bRugIJup2q3fqQzxAzcqAKScCclA +gd5BB+ouo7Q9I1uSeor/u/2q45wwPqJvDZIuUB9bPSq4ij4LOr2IlVYN16FvxXIQ +1Eazyv4c6kG/Aus+qp3yCex2xa0ds1eLby76l9d+PYobm7AQldciF1vmRjItHHaz +r/yKTsYRN9TmY2itfQROsUg5WmKRixFXAUyBmgb+FWftevQyMpZcT8bG6Hg/PaYN +0cC73F5qsc2+cRW1xdDl7xW+iPMKz/KmPnat7Jo= +-----END CERTIFICATE----- + " + ); + + let ica1 = cert!( + " +-----BEGIN CERTIFICATE----- +MIIFdDCCA1ygAwIBAgIUEx5Qe1ttWaNTfPXCZa/SVBOBwq4wDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMDQ5MTQxOTI2OTEyODcwMjE1 +NTE3NDU4NDQ3MzQ0NDc3NjIxNTIxOTE4MjMwNzcxKjAoBgNVBAMMIXg1MDktbGlt +Ym8taW50ZXJtZWRpYXRlLXBhdGhsZW4tMDCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBALIF/FHh0En9tNBNGnS32DiksKh4aFhuypOqwMNs0S60DFFLVn53 +pRbDT/evYCaKMR6dDQ83WpZkZFsmi+y4TeIr7Pcp573w5vjS+0nS2OXX0t3mOK+e +6x91RMnIuaH/getOBQ5+g46C+dauxVYh+NWM7XrHFJTvGZZpVl2yGkwES0SSN1Ru +9hkc7iWGch0Gn95cBILSQuZbMYfx4zVAhqnCLM4BnNPKXqpfV9Ikn/K2Ok7hpd0/ +8dE3WsdxorqA/YTBLN4DoEqsLILgTl/HeI8+i6nfniC67JPfQBI09jetwy9IHDJl +Y6ZHiNYSR3BBKl9WDFcyfLTvy11Zi89fTvEge4eazlUl2K/q3pL775y2Ek0aCQ2f +3gXDoSfccJF/oBhgNCyZzWUW9Rq0FZtmxkQbJzGF51gRuiG/L1UaligPQQ47FtQE +Im0e8gV2BrL3USd/m0xsR0zSxZVZmQEQyrtod/WdUtOdx1BUE7QvXmWVp4+QB7hg +oMgOumReR13KQ8aXd1Bfj5OiBc1B9UaL2N7/PzquNpuLt8x+jjSuw67zZee5URuw +4zVx050j83f/qDjzKAwb1rcxdjUGvLVJVwAqcxiTHOH1nLlNVbK5u8sVQsnYDaB2 +jT+RXKcsnY7tmN21x+T84GsFADNpAy2YoUlYeAqQ8NK0kVA/U8AJPQjfAgMBAAGj +YzBhMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMB8GA1UdIwQYMBaA 
+FNAxi7w73NS0/VlZibm1DltIotGEMB0GA1UdDgQWBBTrJrLI8aeMGxO0Tj6pD4B1 +n2d4NDANBgkqhkiG9w0BAQsFAAOCAgEAeKKpKejROdi709D0INzcf1RtOlGcoxlh +oIbIRuYZraFJlsqQbSYbJvOPGumDwAqTibO//re796yu5nQme1YNPzNGxMJe/lm7 +kUFcXO4/QIxXxh32/PSX2C/EEO3Yg2eBdnoqOC2qwAsJnP5NLV4usIE1V7w5mRx8 +Ykunqi0hTAg2bUaPKfmgWa1B9d0VzAtSXyUFASYuiPTkqzyT17ehrLcXfbRoHUdz +xkt4GmLpf/0DsjPLjmnWxhuBYlEOiy+O0XHJBBmDJEQi26kahNqnspTCxJ0PRxza +jqZzwuTxi53PCAsJwY2ZiicWUPMJ3xHembjSZZkuU9hcb1aixkbkSnE7JtleCCHt +Txbim0s8IpExpqo/25oBLsX1VTwGl2kpzClVzc+zY0jLLrbhg1LRz0ZNQvWov3cm +a8jjOBvaR1BZ0/yvk6wxpInESuGkAtCoNeJCqipA88LKT2KY1QzgxEbN7um+StWS +xGoCyOvujQfc3/wjaUmiMY2+wt5DCSHKALA88yzU12iL8b6crPK3V3UUcKUwbocg +bEb5VT5KwAotK1cpdc4agZCnrUCVS7kBUufKHYPwseT5gAFLXEYK8UoS0WTCVn8z +tTZE2qAbb7TJzjcnpSw6PzU2xPEFVtbsVE7YcRkYtbhRLV32dHrnhOYSjwHPfr4y +NSqd4SA0rBE= +-----END CERTIFICATE----- + " + ); + + let ica2 = cert!( + " +-----BEGIN CERTIFICATE----- +MIIFwTCCA6mgAwIBAgIUcmzLOEoPYUSPHc9kvZxdQY9aJdowDQYJKoZIhvcNAQEL +BQAwZzE5MDcGA1UECwwwMjA0OTE0MTkyNjkxMjg3MDIxNTUxNzQ1ODQ0NzM0NDQ3 +NzYyMTUyMTkxODIzMDc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0 +ZS1wYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcx +OTA3BgNVBAsMMDEwOTE0Njg1Nzk2MDc0MjA2Nzc5ODMyOTcxOTc4NTQ3NjgzODAz +MTAwNTY5NjY4NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0 +aGxlbi0wMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy8cq9B1+iaEJ +oOs/rcgWYpJMUY8bM+spsl6Pn8WeZhPKCW5naM+H6pvmBLg5Zeeld3goo30RqO4F +yRsOXVPXoJPqJWJFC5d8MRKJb1YEwuCUU9cKcSuQiln4HUBYPW5bqkCE/JhfohXI +dc9H1o6zeyyj7lgrKBVQmeObOj/XmAF2GNdWH2bIh1RBl4A/1CxXwml4Kog7TzXD +qx/d1Kloa89cmaj5H5drIgCy0aRNwRy9RHWE76Pcb8SjqITWPHONA+gelANoglfq +iFPZ51opTKi6OvvCptsgSRYPBHak6FQG9jPj7BF/YiRulyQYMBKkGISNExILtsre +a1a+dytNOa4VlsIAraGw4YdIhKgM4hbilE6q69cUeojeVW3C6TvlR158KC1Rsv7P +VY7K2ZGW0eIUWKr/32tWOJMNBOalZwMGTBxyoJEWIINyskEU0xvLI5pdWjWHixsG +7fxUvKDtsCeE+dpATSP81AaxUA1BtTh51oQVOd4XQJnkpBV789Fg5BlF5Bx7PpHl +vhqUmLcOWtrBIR40BxYIUiCvcR4ettqguuY4SucYCAlJw7UoMxx1yNz4jfE4bJY5 
++I6qyZXsQtlBo6WgQbXLI3dt1sWR+yrUDYIrlFpWrYDwfzpFav2nMfj7Pku0tzF0 +KLgpE7yXaZxH2fhBhC7XcdEZMGsp3w8CAwEAAaNjMGEwEgYDVR0TAQH/BAgwBgEB +/wIBADALBgNVHQ8EBAMCAgQwHwYDVR0jBBgwFoAU6yayyPGnjBsTtE4+qQ+AdZ9n +eDQwHQYDVR0OBBYEFJ1nOiDkKZhUnQN+47wOMvDlMDJvMA0GCSqGSIb3DQEBCwUA +A4ICAQB4UMVhJdP000QgoUj8Z0bZx//6HEH2nAXPRNFwmzOFUjXS+qb0lMwrhXOy +BVIHWuGPUDZy+qVXnw7nVt9sfPFGUjgXQ4jNWOm2lQsfJ6LP1j4Gj0+SzKfz8MgH +i1gYCZeejJ5h2yhAyfZ39i8arJmIeToPIn+Lesp/53cAexTlCwszgR37yWaG+5UU +AeCA+7pcqx0Qm5BgoEUOLikUT8GfwX9C3E084UjUrgy6vJN+Bx76TFqahQA/ErSy +11Ek431nkGOIDc33rpfs/AYSTShsSlB8xu328Pmn20p1REbpcJDPmDE5dLNd5S/u +pgLMWo9bbLE6qsi5BBOyVuzCzihN9CmSPfux1jTAGMKsVHeRiN+9nCWFxL786Rzy +IptR/SEuLiBB6DUJVXAPNuSRUWkEX94vPIy0vTlOaDcmSy9X5XE47MKBo9Ct/c5o +Qn4edY6URTSV6regYIfGfK9IioLZwI7j/AMbldscQ92tB9HsKGzZYTD47kr7c7IL +RwCibhrqroUllMCQ109R1KtyBDgNedHFQ7wWDj8ESGJFiEgO4RwU8a+trf+Ky+He ++CHtXoZcy/ROaeqaRCvDG9253IFxi0/3zUHf9TFT+FvmgcVwXi9jNdEDpncKZ+Vw +TqGoQg2eW2AXbkZ+XrIgt+oKwFZndF05kAMeDTxTyOv2kQH/fA== +-----END CERTIFICATE----- + " + ); + + let root = cert!( + " +-----BEGIN CERTIFICATE----- +MIIFAzCCAuugAwIBAgIUI+SrkcegkxHgRJZ21QU8ACJ6DOUwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8y9k0m4pz4olDu9ec65yjJLci +RaQS81pkY2h8SxLhTFTtloAG1QszR3xHOyfN8dKyXd7DMjKHZAy019TmuDxHyVqv +CxhoDX6qVLHcGVhSajgAYnPxJ0DlTMjhNK1sDv0xgokGj9SsbA6E2NMgF0hVqSP1 +fM/IsCo6NYJLZREki4vGJ/Wejv6krT7sNPqICRSJXJB/L9NYNZTSjo4Ju5cdEVuA +r6X0O0r3T4FZUDV68ft7qHJl0iV+u1ScTh8SmKQwVKdH5k4+g5ZNeFRqe07rm6Y9 +owWxVfb1+cm5crHGGKxqtBmj2YHj4nhQlLHxzfylMKN4rw8DN2PUQ8Mf7tkoN3kc +S4QkgLMwRWdbIrRlluZQAt9SWg2dbi0M39iXQQZD+pu9GoHcckOgMm+rVQrfn+W9 ++njiB74S8QKkZCoCU6WRpU+sSiNUTZwCO8E4pTPzpMMbYm95GQbRchZdnu5t2ABR +TpMPLiLIp09bcAq0ZtNvoQ1Qa4NQ1opJaZvph/EseubZ5QPP/4zABu6zb/kZn53b +l7R+ykMTNgXw2lWLGqAOzsqid5Aidp3dVZhelSaQ7XBaMU9vTAlktD+EYUowNJgR +TROMOcYsmnxqatwoQwgi+lXArL7wRcU6Kv6Ex8IlpwlzirC3za7uh2Pg4aKXsxZc 
+kcJiaR+q81XPcJarrwIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQE +AwICBDAdBgNVHQ4EFgQU0DGLvDvc1LT9WVmJubUOW0ii0YQwDQYJKoZIhvcNAQEL +BQADggIBACmN5xJFpIFxP9meIa9DEncT931WL3poaPJn7yDKu5a8kJfmphVJU0KT +DOlAxLqeg4C3r/9733UHJQveAi+Mdns8O7ibBML8ge3pYEfccG/Naj4PyMbTLCHa +VLAzii2yXrUA+snNkJDuXuGQ9jSzJhan4E+ujZRt74Pt0vIR592/Jwa6CsPtlUXm +XVVwlXtah9dVwRcGHY8NyE1j01PlGtou7qcVaMWPcoKpWJEOb/IMz2zuq4u1bteE +WPEEwoc4z1DNoAXJVmew0h4NfDQem0qf21AyKx0VOybKYj+sM1rca3DhVh6doY95 +9FhQzMTIeTyF0Ha409mI01Uo21Mw2K3CuRMBFFzHqiQp/FtDOghk3DPwe4Uj3Yv7 +Y7C/lmEavH6eaaUoXHTlvsFjYGjnuV2eT4YYm0kvhJNp5YYxJxjXTV8mVYTy4Wd9 +yLO64Q84KAFCZfYJLXpaGZXe7H5Ki1iNabRJr7YldXGY0BPQ6GCwFB/eIgEOIrqb +wlQr0hCXx0OC3uts94nuOCpra86EaQs/qzJ1yMLxpUEN3JP8lBaj/uRXNhqC8R5+ +dw/3BAjyHf+7GbtUY+tWIU2voxs1PWQpkU8BSnXlkBBT5OwIM6gq7FrAEs020/EA +CPz+qQOJcoMt8w6dIMgADFNgoigKtKM1rX7D0UuuOUVYNfq9ERVf +-----END CERTIFICATE----- + " + ); + + let store = Store::new([root]); + let ops = NullBackend {}; + let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 0).unwrap(); + let policy: Policy<_> = Policy::rfc5280(ops, None, time); + assert!( + verify(&ee, [ica1.clone(), ica2.clone()], &policy, &store) + == Err(PolicyError::Other("chain construction exhausted all candidates").into()) + ); + } +} diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs new file mode 100644 index 000000000000..ee31db3b3d04 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
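Review bot: In `build_chain_inner`, the `?` in `chain.extend(self.build_chain_inner(issuing_cert_candidate, next_depth)?);` returns the error of the first candidate that passes `valid_issuer`, so the remaining candidates are never tried. The intermediates come from the caller and are held in a `HashSet`, so an extra or stale intermediate that names the right subject but does not lead to a trusted root can make an otherwise valid chain fail, and which candidate comes first is not stable between runs. Matching on the result instead, `if let Ok(rest) = self.build_chain_inner(issuing_cert_candidate, next_depth) { chain.extend(rest); return Ok(chain); }`, lets the loop fall through to the next candidate. Separately, the comment in `potential_issuers` says self-signed intermediates are excluded, but the filter `*candidate != *cert` only removes the working certificate itself, so either the comment or the filter should change. `NullBackend` accepts every signature, so none of the three tests covers a chain rejected for a bad signature.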
@@ -0,0 +1,714 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use std::collections::HashSet;
+
+use asn1::ObjectIdentifier;
+use cryptography_x509::certificate::Certificate;
+use cryptography_x509::common::{
+ AlgorithmIdentifier, AlgorithmParameters, RsaPssParameters, PSS_SHA256_HASH_ALG,
+ PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG,
+ PSS_SHA512_MASK_GEN_ALG,
+};
+use cryptography_x509::extensions::{
+ AuthorityKeyIdentifier, BasicConstraints, DuplicateExtensionsError, ExtendedKeyUsage,
+ Extension, KeyUsage, SubjectAlternativeName,
+};
+use cryptography_x509::name::GeneralName;
+use cryptography_x509::oid::{
+ AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, EKU_SERVER_AUTH_OID,
+ EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID,
+ SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID,
+};
+use once_cell::sync::Lazy;
+
+use crate::certificate::{cert_is_self_issued, cert_is_self_signed};
+use crate::ops::CryptoOps;
+use crate::types::{DNSName, DNSPattern, IPAddress, IPRange};
+
+const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] =
+ &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID];
+const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] =
+ &[BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID];
+
+static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> = Lazy::new(|| {
+ HashSet::from([
+ // RSASSA‐PKCS1‐v1_5 with SHA‐256
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaWithSha256(Some(())),
+ },
+ // RSASSA‐PKCS1‐v1_5 with SHA‐384
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaWithSha384(Some(())),
+ },
+ // RSASSA‐PKCS1‐v1_5 with SHA‐512
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaWithSha512(Some(())),
+ },
+ // RSASSA‐PSS with SHA‐256, MGF‐1 with SHA‐256, and a salt length of 32 bytes
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters {
+ hash_algorithm: PSS_SHA256_HASH_ALG,
+ mask_gen_algorithm: PSS_SHA256_MASK_GEN_ALG,
+ salt_length: 32,
+ _trailer_field: Default::default(),
+ }))),
+ },
+ // RSASSA‐PSS with SHA‐384, MGF‐1 with SHA‐384, and a salt length of 48 bytes
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters {
+ hash_algorithm: PSS_SHA384_HASH_ALG,
+ mask_gen_algorithm: PSS_SHA384_MASK_GEN_ALG,
+ salt_length: 48,
+ _trailer_field: Default::default(),
+ }))),
+ },
+ // RSASSA‐PSS with SHA‐512, MGF‐1 with SHA‐512, and a salt length of 64 bytes
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters {
+ hash_algorithm: PSS_SHA512_HASH_ALG,
+ mask_gen_algorithm: PSS_SHA512_MASK_GEN_ALG,
+ salt_length: 64,
+ _trailer_field: Default::default(),
+ }))),
+ },
+ // For P-256: the signature MUST use ECDSA with SHA‐256
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::EcDsaWithSha256(Some(())),
+ },
+ // For P-384: the signature MUST use ECDSA with SHA‐384
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::EcDsaWithSha384(Some(())),
+ },
+ // For P-521: the signature MUST use ECDSA with SHA‐512
+ AlgorithmIdentifier {
+ oid: asn1::DefinedByMarker::marker(),
+ params: AlgorithmParameters::EcDsaWithSha512(Some(())),
+ },
+ ])
+});
+
+#[derive(Debug, PartialEq)]
+pub enum PolicyError {
+ Malformed(asn1::ParseError),
+ DuplicateExtension(DuplicateExtensionsError),
+ Other(&'static str),
+}
+
+impl From for PolicyError {
+ fn from(value: asn1::ParseError) -> Self {
+ Self::Malformed(value)
+ }
+}
+
+impl From for PolicyError {
+ fn from(value: DuplicateExtensionsError) -> Self {
+ Self::DuplicateExtension(value)
+ }
+}
+
+impl From<&'static str> for PolicyError {
+ fn from(value: &'static str) -> Self {
+ Self::Other(value)
+ }
+}
+
+/// Represents a logical certificate "subject," i.e. a principal matching
+/// one of the names listed in a certificate's `subjectAltNames` extension.
+pub enum Subject<'a> {
+ DNS(DNSName<'a>),
+ IP(IPAddress),
+}
+
+impl Subject<'_> {
+ fn general_name_matches(&self, general_name: &GeneralName) -> bool {
+ match (general_name, self) {
+ (GeneralName::DNSName(pattern), Self::DNS(name)) => {
+ if let Some(pattern) = DNSPattern::new(pattern.0) {
+ pattern.matches(name)
+ } else {
+ false
+ }
+ }
+ (GeneralName::IPAddress(pattern), Self::IP(name)) => {
+ if let Some(pattern) = IPRange::from_bytes(pattern) {
+ pattern.matches(name)
+ } else {
+ false
+ }
+ }
+ _ => false,
+ }
+ }
+
+ /// Returns true if any of the names in the given `SubjectAlternativeName`
+ /// match this `Subject`.
+ pub fn matches(&self, san: SubjectAlternativeName) -> bool {
+ let mut san = san;
+ san.any(|gn| self.general_name_matches(&gn))
+ }
+}
+
+impl<'a> From> for Subject<'a> {
+ fn from(value: DNSName<'a>) -> Self {
+ Self::DNS(value)
+ }
+}
+
+impl From for Subject<'_> {
+ fn from(value: IPAddress) -> Self {
+ Self::IP(value)
+ }
+}
+
+/// A `Policy` describes user-configurable aspects of X.509 path validation.
+///
+/// A policy contains multiple moving parts:
+///
+/// 1. An inner `Profile`, which specifies the valid "shape" of certificates
+/// in this policy (e.g., certificates that must conform to RFC 5280);
+/// 2. Additional user-specified constraints, such as restrictions on
+/// signature and algorithm types.
+pub struct Policy<'a, B: CryptoOps> {
+ ops: B,
+
+ /// The X.509 profile to use in this policy.
+ // pub profile: P,
+
+ /// A top-level constraint on the length of paths constructed under
+ /// this policy.
+ ///
+ /// Note that this has different semantics from `pathLenConstraint`:
+ /// it controls the *overall* non-self-issued chain length, not the number
+ /// of non-self-issued intermediates in the chain.
+ pub max_chain_depth: u8,
+
+ /// A subject (i.e. DNS name or other name format) that any EE certificates
+ /// validated by this policy must match.
+ /// If `None`, the EE certificate must not contain a SAN.
+ // TODO: Make this an enum with supported SAN variants.
+ pub subject: Option>,
+
+ /// The validation time. All certificates validated by this policy must
+ /// be valid at this time.
+ pub validation_time: asn1::DateTime,
+
+ // NOTE: Like the validation time, this conceptually belongs
+ // in the underlying profile.
+ /// An extended key usage that must appear in EEs validated by this policy.
+ pub extended_key_usage: ObjectIdentifier,
+
+ /// The set of permitted signature algorithms, identified by their
+ /// algorithm identifiers.
+ ///
+ /// If not `None`, all certificates validated by this policy MUST
+ /// have a signature algorithm in this set.
+ ///
+ /// If `None`, all signature algorithms are permitted.
+ pub permitted_algorithms: Option>>,
+
+ critical_ca_extensions: HashSet,
+ critical_ee_extensions: HashSet,
+}
+
+impl<'a, B: CryptoOps> Policy<'a, B> {
+ /// Create a new policy with defaults for the certificate profile defined in
+ /// RFC 5280.
+ pub fn rfc5280(ops: B, subject: Option>, time: asn1::DateTime) -> Self {
+ Self {
+ ops,
+ max_chain_depth: 8,
+ subject,
+ validation_time: time,
+ extended_key_usage: EKU_SERVER_AUTH_OID.clone(),
+ // NOTE: RFC 5280 imposes no signature algorithm restrictions.
+ permitted_algorithms: None,
+ critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(),
+ critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(),
+ }
+ }
+
+ /// Create a new policy with defaults for the certificate profile defined in
+ /// the CA/B Forum's Basic Requirements.
+ pub fn webpki(ops: B, subject: Option>, time: asn1::DateTime) -> Self {
+ Self {
+ ops,
+ max_chain_depth: 8,
+ subject,
+ validation_time: time,
+ extended_key_usage: EKU_SERVER_AUTH_OID.clone(),
+ permitted_algorithms: Some(WEBPKI_PERMITTED_ALGORITHMS.clone()),
+ critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(),
+ critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(),
+ }
+ }
+}
+
+impl<'a, B: CryptoOps> Policy<'a, B> {
+ /// Inform this policy of an expected critical extension in CA certificates.
+ ///
+ /// This allows the policy to accept critical extensions that the underlying
+ /// profile does not cover. The user is responsible for separately validating
+ /// these extensions.
+ pub fn assert_critical_ca_extension(mut self, oid: ObjectIdentifier) -> Self {
+ self.critical_ca_extensions.insert(oid);
+ self
+ }
+
+ /// Inform this policy of an expected critical extension in EE certificates.
+ ///
+ /// This allows the policy to accept critical extensions that the underlying
+ /// profile does not cover. The user is responsible for separately validating
+ /// these extensions.
+ pub fn assert_critical_ee_extension(mut self, oid: ObjectIdentifier) -> Self {
+ self.critical_ee_extensions.insert(oid);
+ self
+ }
+
+ /// Configure this policy's validation time, i.e. the time referenced
+ /// for certificate validity period checks.
+ pub fn with_validation_time(mut self, time: asn1::DateTime) -> Self {
+ self.validation_time = time;
+ self
+ }
+
+ /// Configure this policy's maximum chain building depth, i.e. the
+ /// longest chain that path construction will attempt before giving up.
+ pub fn with_max_chain_depth(mut self, depth: u8) -> Self {
+ self.max_chain_depth = depth;
+ self
+ }
+
+ fn permits_basic(&self, cert: &Certificate) -> Result<(), PolicyError> {
+ let extensions = cert.extensions()?;
+
+ // 5280 4.1.1.1: tbsCertificate
+ // No checks required.
+
+ // 5280 4.1.1.2 / 4.1.2.3: signatureAlgorithm / TBS Certificate Signature
+ // The top-level signatureAlgorithm and TBSCert signature algorithm
+ // MUST match.
+ if cert.signature_alg != cert.tbs_cert.signature_alg {
+ return Err("mismatch between signatureAlgorithm and SPKI algorithm".into());
+ }
+
+ // 5280 4.1.1.3: signatureValue
+ // No checks required.
+
+ // 5280 4.1.2.1: Version
+ // No checks required; implementations SHOULD be prepared to accept
+ // any version certificate.
+
+ // 5280 4.1.2.2: Serial Number
+ // Conforming CAs MUST NOT use serial numbers longer than 20 octets.
+ // NOTE: In practice, this requires us to check for an encoding of
+ // 21 octets, since some CAs generate 20 bytes of randomness and
+ // then forget to check whether that number would be negative, resulting
+ // in a 21-byte encoding.
+ if !(1..=21).contains(&cert.tbs_cert.serial.as_bytes().len()) {
+ return Err("certificate must have a serial between 1 and 20 octets".into());
+ }
+
+ // 5280 4.1.2.3: Signature
+ // See check under 4.1.1.2.
+
+ // 5280 4.1.2.4: Issuer
+ // The issuer MUST be a non-empty distinguished name.
+ if cert.issuer().is_empty() {
+ return Err("certificate must have a non-empty Issuer".into());
+ }
+
+ // 5280 4.1.2.5: Validity
+ // Validity dates before 2050 MUST be encoded as UTCTime;
+ // dates in or after 2050 MUST be encoded as GeneralizedTime.
+ // TODO: The existing `tbs_cert.validity` types don't expose this
+ // underlying detail. This check has no practical effect on the
+ // correctness of the certificate, so it's pretty low priority.
+ if &self.validation_time < cert.tbs_cert.validity.not_before.as_datetime()
+ || &self.validation_time > cert.tbs_cert.validity.not_after.as_datetime()
+ {
+ return Err(PolicyError::Other("cert is not valid at validation time"));
+ }
+
+ // 5280 4.1.2.6: Subject
+ // Devolved to `permits_ca` and `permits_ee`.
+
+ // 5280 4.1.2.7: Subject Public Key Info
+ // No checks required.
+
+ // 5280 4.1.2.8: Unique Identifiers
+ // These fields MUST only appear if the certificate version is 2 or 3.
+ // TODO: Check this.
+
+ // 5280 4.1.2.9: Extensions
+ // This field must MUST only appear if the certificate version is 3,
+ // and it MUST be non-empty if present.
+ // TODO: Check this.
+
+ // 5280 4.2.1.1: Authority Key Identifier
+ // Certificates MUST have an AuthorityKeyIdentifier, it MUST contain
+ // the keyIdentifier field, and it MUST NOT be critical.
+ // The exception to this is self-signed certificates, which MAY
+ // omit the AuthorityKeyIdentifier.
+ if let Some(aki) = extensions.get_extension(&AUTHORITY_KEY_IDENTIFIER_OID) {
+ if aki.critical {
+ return Err("AuthorityKeyIdentifier must not be marked critical".into());
+ }
+
+ let aki: AuthorityKeyIdentifier = aki.value()?;
+ if aki.key_identifier.is_none() {
+ return Err("AuthorityKeyIdentifier.keyIdentifier must be present".into());
+ }
+ } else if !cert_is_self_signed(cert, &self.ops) {
+ return Err(
+ "certificates must have a AuthorityKeyIdentifier unless self-signed".into(),
+ );
+ }
+
+ // 5280 4.2.1.2: Subject Key Identifier
+ // Developed to `permits_ca`.
+
+ // 5280 4.2.1.3: Key Usage
+ if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) {
+ // KeyUsage must have at least one bit asserted, if present.
+ let key_usage: KeyUsage = key_usage.value()?;
+ if key_usage.is_zeroed() {
+ return Err("KeyUsage must have at least one usage asserted, when present".into());
+ }
+
+ // encipherOnly or decipherOnly without keyAgreement is not well defined.
+ // TODO: Check on a policy basis instead?
+ if !key_usage.key_agreement()
+ && (key_usage.encipher_only() || key_usage.decipher_only())
+ {
+ return Err(
+ "KeyUsage encipherOnly and decipherOnly can only be true when keyAgreement is true"
+ .into(),
+ );
+ }
+ }
+
+ // 5280 4.2.1.4: Certificate Policies
+ // No checks required.
+
+ // 5280 4.2.1.5: Policy Mappings
+ // No checks required.
+
+ // 5280 4.2.1.8: Subject Directory Attributes
+ // Conforming CAs MUST mark this extension as non-critical.
+ if extensions
+ .get_extension(&SUBJECT_DIRECTORY_ATTRIBUTES_OID)
+ .map_or(false, |e| e.critical)
+ {
+ return Err("SubjectDirectoryAttributes must not be marked critical".into());
+ }
+
+ // Non-profile checks follow.
+
+ if let Some(permitted_algorithms) = &self.permitted_algorithms {
+ if !permitted_algorithms.contains(&cert.signature_alg) {
+ // TODO: Should probably include the OID here.
+ return Err("Forbidden signature algorithm".into());
+ }
+ }
+
+ Ok(())
+ }
+
+ fn permits_san(&self, san_ext: Option>) -> Result<(), PolicyError> {
+ // TODO: Check if the underlying profile requires a SAN here;
+ // if it does and `name` is `None`, then fail.
+
+ match (&self.subject, san_ext) {
+ // If we're given both an expected name and the cert has a SAN,
+ // then we attempt to match them.
+ (Some(sub), Some(san)) => {
+ let san: SubjectAlternativeName = san.value()?;
+ match sub.matches(san) {
+ true => Ok(()),
+ false => Err(PolicyError::Other("EE cert has no matching SAN")),
+ }
+ }
+ // If we aren't given a name but the cert contains a SAN,
+ // we complain loudly (under the theory that the user has misused
+ // our API and actually intended to match against the SAN).
+ (None, Some(_)) => Err(PolicyError::Other(
+ "EE cert has subjectAltName but no expected name given to match against",
+ )),
+ // If we're given an expected name but the cert doesn't contain a
+ // SAN, we error.
+ (Some(_), None) => Err(PolicyError::Other(
+ "EE cert has no subjectAltName but expected name given",
+ )),
+ // No expected name and no SAN, no problem.
+ (None, None) => Ok(()),
+ }
+ }
+
+ fn permits_eku(&self, eku_ext: Option>) -> Result<(), PolicyError> {
+ if let Some(ext) = eku_ext {
+ let mut ekus: ExtendedKeyUsage = ext.value()?;
+
+ if ekus.any(|eku| eku == self.extended_key_usage) {
+ Ok(())
+ } else {
+ Err(PolicyError::Other("required EKU not found"))
+ }
+ } else {
+ // If our cert doesn't specify an EKU, then we have nothing to check.
+ // This is consistent with the CA/B BRs: a root CA MUST NOT contain
+ // an EKU extension.
+ // See: CA/B Baseline Requirements v2.0.0: 7.1.2.1.2
+ Ok(())
+ }
+ }
+
+ /// Checks whether the given "leaf" certificate is compatible with this policy.
+ ///
+ /// A "leaf" certificate is just the certificate in the leaf position during
+ /// path validation, whether it be a CA or EE. As such, `permits_leaf`
+ /// is logically equivalent to `permits_ee(leaf) || permits_ca(leaf)`.
+ pub(crate) fn permits_leaf(&self, leaf: &Certificate) -> Result<(), PolicyError> {
+ // NOTE: Perform `permits_ee` first, since 99% of path validations should have
+ // an EE certificate in the leaf position.
+ self.permits_ee(leaf).or_else(|_| self.permits_ca(leaf))
+ }
+
+ /// Checks whether the given CA certificate is compatible with this policy.
+ pub(crate) fn permits_ca(&self, cert: &Certificate) -> Result<(), PolicyError> {
+ self.permits_basic(cert)?;
+
+ let extensions = cert.extensions()?;
+
+ // 5280 4.1.2.6: Subject
+ // CA certificates MUST have a subject populated with a non-empty distinguished name.
+ if cert.subject().is_empty() {
+ return Err("CA certificate must have a non-empty Subject".into());
+ }
+
+ // 5280 4.2:
+ // CA certificates must contain a few core extensions. This implies
+ // that the CA certificate must be a v3 certificate, since earlier
+ // versions lack extensions entirely.
+ if cert.tbs_cert.version != 2 {
+ return Err("CA certificate must be an X509v3 certificate".into());
+ }
+
+ // 5280 4.2.1.2:
+ // CA certificates MUST have a SubjectKeyIdentifier and it MUST NOT be
+ // critical.
+ if let Some(ski) = extensions.get_extension(&SUBJECT_KEY_IDENTIFIER_OID) {
+ if ski.critical {
+ return Err(
+ "SubjectKeyIdentifier must not be marked critical in a CA Certificate".into(),
+ );
+ }
+ } else {
+ return Err("store certificates must have a SubjectKeyIdentifier extension".into());
+ }
+
+ // 5280 4.2.1.3:
+ // CA certificates MUST have a KeyUsage, it SHOULD be critical,
+ // and it MUST have `keyCertSign` asserted.
+ if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) {
+ // TODO: Check `key_usage.critical` on a policy basis here?
+
+ let key_usage: KeyUsage = key_usage.value()?;
+
+ if !key_usage.key_cert_sign() {
+ return Err("KeyUsage.keyCertSign must be asserted in a CA certificate".into());
+ }
+ } else {
+ return Err("CA certificates must have a KeyUsage extension".into());
+ }
+
+ // 5280 4.2.1.9: Basic Constraints
+ // CA certificates MUST have a BasicConstraints, it MUST be critical,
+ // and it MUST have `cA` asserted.
+ if let Some(basic_constraints) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) {
+ if !basic_constraints.critical {
+ return Err("BasicConstraints must be marked critical in a CA certificate".into());
+ }
+
+ let basic_constraints: BasicConstraints = basic_constraints.value()?;
+ if !basic_constraints.ca {
+ return Err("BasicConstraints.cA must be asserted in a CA certificate".into());
+ }
+ } else {
+ return Err("CA certificates must have a BasicConstraints extension".into());
+ }
+
+ // 5280 4.2.1.10: Name Constraints
+ // If present, NameConstraints MUST be critical.
+
+ // 5280 4.2.1.11: Policy Constraints
+ // If present, PolicyConstraints MUST be critical.
+
+ // CA certificates must also adhere to the expected EKU.
+ self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?;
+
+ // TODO: Policy-level checks for EKUs, algorthms, etc.
+
+ // Finally, check whether every critical extension in this CA
+ // certificate is accounted for.
+ for ext in extensions.iter() {
+ if ext.critical && !self.critical_ca_extensions.contains(&ext.extn_id) {
+ return Err(PolicyError::Other(
+ "CA certificate contains unaccounted critical extension",
+ ));
+ }
+ }
+
+ Ok(())
+ }
+
+ /// Checks whether the given EE certificate is compatible with this policy.
+ pub(crate) fn permits_ee(&self, cert: &Certificate) -> Result<(), PolicyError> {
+ // An end entity cert is considered "permitted" under a policy if:
+ // 1. It satisfies the basic (both EE and CA) requirements of the underlying profile;
+ // 2. It satisfies the EE-specific requirements of the profile;
+ // 3. It satisfies the policy's own requirements (e.g. the cert's SANs
+ // match the policy's name).
+ self.permits_basic(cert)?;
+
+ let extensions = cert.extensions()?;
+
+ // 5280 4.2.1.3: Key Usage
+ // It isn't stated explicitly, but an EE is defined to be not a CA,
+ // so it MUST NOT assert keyCertSign.
+ if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) {
+ let key_usage: KeyUsage = key_usage.value()?;
+
+ if key_usage.key_cert_sign() {
+ return Err(PolicyError::Other(
+ "EE is marked as a CA certificate (keyUsage.keyCertSign)",
+ ));
+ }
+ }
+
+ // 5280 4.1.2.6 / 4.2.1.6: Subject / Subject Alternative Name
+ // EE certificates MAY have their subject in either the subject or subjectAltName.
+ // If the subject is empty, then the subjectAltName MUST be marked critical.
+ if cert.subject().is_empty() {
+ match extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) {
+ Some(san) => {
+ if !san.critical {
+ return Err(
+ "EE without a subject must have a critical subjectAltName".into()
+ );
+ }
+
+ // TODO: There must be at least one SAN, and no SAN may be empty.
+ }
+ None => return Err("EE without a subject must have a subjectAltName".into()),
+ }
+ }
+
+ // TODO: Pedantic: When the subject is non-empty, subjectAltName SHOULD
+ // be marked as non-critical.
+
+ // 5280 4.2.1.5: Policy Mappings
+ // The RFC is not clear on whether these may appear in EE certificates.
+
+ // 5280 4.2.1.9: Basic Constraints
+ // We refute `KeyUsage.keyCertSign` above, so `BasicConstraints.cA` MUST NOT
+ // be asserted.
+ if let Some(basic_constraints) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) {
+ let basic_constraints: BasicConstraints = basic_constraints.value()?;
+
+ if basic_constraints.ca {
+ return Err(PolicyError::Other(
+ "EE is marked as a CA certificate (basicConstraints.cA)",
+ ));
+ }
+ }
+
+ // 5280 4.2.1.10: Name Constraints
+ // NameConstraints MUST NOT appear in EE certificates.
+
+ // 5280 4.2.1.11: Policy Constraints
+ // The RFC is not clear on whether these may appear in EE certificates.
+
+ self.permits_san(extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID))?;
+ self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?;
+
+ // TODO: Policy-level checks here for KUs, algorithms, etc.
+
+ // Finally, check whether every critical extension in this EE certificate
+ // is accounted for.
+ for ext in extensions.iter() {
+ if ext.critical && !self.critical_ee_extensions.contains(&ext.extn_id) {
+ return Err(PolicyError::Other(
+ "EE certificate contains unaccounted critical extensions",
+ ));
+ }
+ }
+
+ Ok(())
+ }
+
+ /// Checks whether `issuer` is a valid issuing CA for `child` at a
+ /// path-building depth of `current_depth`.
+ ///
+ /// This checks that `issuer` is permitted under this policy and that
+ /// it was used to sign for `child`.
+ ///
+ /// On success, this function returns the new path-building depth. This
+ /// may or may not be a higher number than the original depth, depending
+ /// on the kind of validation performed (e.g., whether the issuer was
+ /// self-issued).
+ pub(crate) fn valid_issuer(
+ &self,
+ issuer: &Certificate,
+ child: &Certificate,
+ current_depth: u8,
+ ) -> Result {
+ // The issuer needs to be a valid CA.
+ self.permits_ca(issuer)?;
+
+ let issuer_extensions = issuer.extensions()?;
+
+ if let Some(bc) = issuer_extensions.get_extension(&BASIC_CONSTRAINTS_OID) {
+ let bc: BasicConstraints = bc
+ .value()
+ .map_err(|_| PolicyError::Other("issuer has malformed basicConstraints"))?;
+
+ // NOTE: `current_depth` starts at 1, indicating the EE cert in the chain.
+ // Path length constraints only concern the intermediate portion of a chain,
+ // so we have to adjust by 1.
+ if bc
+ .path_length
+ .map_or(false, |len| (current_depth as u64) - 1 > len)
+ {
+ return Err(PolicyError::Other("path length constraint violated"));
+ }
+ }
+
+ let pk = self
+ .ops
+ .public_key(issuer)
+ .ok_or(PolicyError::Other("issuer has malformed public key"))?;
+ if !self.ops.is_signed_by(child, pk) {
+ return Err(PolicyError::Other("signature does not match"));
+ }
+
+ // Self-issued issuers don't increase the working depth.
+ // NOTE: This is technically part of the profile's semantics.
+ match cert_is_self_issued(issuer) {
+ true => Ok(current_depth),
+ false => Ok(current_depth + 1),
+ }
+ }
+}
+
+#[cfg(test)]
+mod tests {}
diff --git a/src/rust/cryptography-x509-validation/src/trust_store.rs b/src/rust/cryptography-x509-validation/src/trust_store.rs
new file mode 100644
index 000000000000..23bc84145bb6
--- /dev/null
+++ b/src/rust/cryptography-x509-validation/src/trust_store.rs
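Review bot: `permits_leaf` falls back to `permits_ca` whenever `permits_ee` returns any error, and `permits_ca` never calls `permits_san`, so a leaf that passes the CA checks is accepted without being compared against `self.subject`. The `or_else(|_| …)` also discards the EE error, so an end-entity certificate whose SAN simply does not match will surface a CA-profile message instead of "EE cert has no matching SAN". If a CA in the leaf position is meant to be accepted, the subject check should still run on that path, for example `self.permits_ca(leaf)?; self.permits_san(leaf.extensions()?.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID))`, and the original EE error should be the one returned when both checks fail. The doc comment on `permits_leaf` should state which policy requirements apply to a CA leaf rather than describing it as a plain `||` of the two checks.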
@@ -0,0 +1,31 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use std::collections::HashSet;
+
+use cryptography_x509::certificate::Certificate;
+
+/// A `Store` represents the core state needed for X.509 path validation.
+pub struct Store<'a> {
+ trusted_certs: HashSet>,
+}
+
+impl<'a> Store<'a> {
+ /// Create a new `Store` from the given iterable certificate source.
+ pub fn new(trusted: impl IntoIterator>) -> Self {
+ Store {
+ trusted_certs: HashSet::from_iter(trusted),
+ }
+ }
+
+ /// Returns whether this store contains the given certificate.
+ pub fn contains(&self, cert: &Certificate<'a>) -> bool {
+ self.trusted_certs.contains(cert)
+ }
+
+ /// Returns an iterator over all certificates in this store.
+ pub fn iter(&self) -> impl Iterator> {
+ self.trusted_certs.iter()
+ }
+}
diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs
index 20b42bc06f61..576ba69cf94d 100644
--- a/src/rust/cryptography-x509-validation/src/types.rs
+++ b/src/rust/cryptography-x509-validation/src/types.rs
@@ -20,7 +20,7 @@ use std::str::FromStr;
 /// # use cryptography_x509_validation::types::DNSName;
 /// assert_eq!(DNSName::new("foo.com").unwrap(), DNSName::new("FOO.com").unwrap());
 /// ```
-#[derive(Debug)]
+#[derive(Clone, Debug)]
 pub struct DNSName<'a>(asn1::IA5String<'a>);
 impl<'a> DNSName<'a> {
diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs
index cb24682a3b7b..ede8a6151b8a 100644
--- a/src/rust/cryptography-x509/src/extensions.rs
+++ b/src/rust/cryptography-x509/src/extensions.rs
@@ -8,6 +8,7 @@ use crate::common;
 use crate::crl;
 use crate::name;
+#[derive(Debug, PartialEq)]
 pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier);
 pub type RawExtensions<'a> = common::Asn1ReadableOrWritable<
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
index aef4d6a1c3ce..1da7b591e341 100644
--- a/src/rust/src/x509/verify.rs
+++ b/src/rust/src/x509/verify.rs
@@ -2,7 +2,21 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
-use crate::x509::certificate::Certificate as PyCertificate;
+use cryptography_x509::certificate::Certificate;
+use cryptography_x509_validation::{
+ ops::CryptoOps,
+ policy::{Policy, Subject},
+ trust_store::Store,
+ types::{DNSName, IPAddress},
+};
+
+use crate::error::CryptographyResult;
+
+use super::{
+ certificate::{Certificate as PyCertificate, OwnedCertificate},
+ common::datetime_now,
+ py_to_datetime, sign,
+};
 #[pyo3::pyclass(
 frozen,
@@ -24,8 +38,246 @@ impl PyStore {
 }
 }
+pub(crate) struct PyCryptoOps {}
+
+impl CryptoOps for PyCryptoOps {
+ // NOTE: This "key" type also carries any error that might happen
+ // during key serialization/loading. This isn't ideal but also is
+ // not a significant issue, since its only use is in checking
+ // another certificate's signature (where an error means that the
+ // signature check fails trivially).
+ type Key = pyo3::Py;
+
+ fn public_key(&self, cert: &Certificate<'_>) -> Option {
+ pyo3::Python::with_gil(|py| -> Option {
+ // This makes an unnecessary copy. It'd be nice to get rid of it.
+ let spki_der =
+ pyo3::types::PyBytes::new(py, &asn1::write_single(&cert.tbs_cert.spki).ok()?);
+ Some(
+ py.import(pyo3::intern!(
+ py,
+ "cryptography.hazmat.primitives.serialization"
+ ))
+ .ok()?
+ .getattr(pyo3::intern!(py, "load_der_public_key"))
+ .ok()?
+ .call1((spki_der,))
+ .ok()?
+ .into(),
+ )
+ })
+ }
+
+ fn is_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> bool {
+ pyo3::Python::with_gil(|py| -> CryptographyResult<()> {
+ sign::verify_signature_with_signature_algorithm(
+ py,
+ key.as_ref(py),
+ &cert.signature_alg,
+ cert.signature.as_bytes(),
+ &asn1::write_single(&cert.tbs_cert)?,
+ )
+ })
+ .is_ok()
+ }
+}
+
+// NOTE: pyO3 classes can't be generic over a trait, which our profile API requires.
+// Our workaround is to unfold each profile variant in this enum, which produces
+// a small amount of (internal) duplication in exchange for the monomorphism that
+// pyO3 needs.
+struct FixedPolicy<'a>(Policy<'a, PyCryptoOps>);
+
+/// This enum exists solely to provide heterogeneously typed ownership for `OwnedPolicy`.
+enum SubjectOwner {
+ // NOTE: This is ugly, but is effectively the easiest way to use a uniform
+ // `OwnedPolicy` API when policies aren't strictly required to contain a subject.
+ None,
+ // TODO: Switch this to `Py` once Pyo3's `to_str()` preserves a
+ // lifetime relationship between an a `PyString` and its borrowed `&str`
+ // reference in all limited API builds. PyO3 can't currently do that in
+ // older limited API builds because it needs `PyUnicode_AsUTF8AndSize` to do
+ // so, which was only stabilized with 3.10.
+ DNSName(String),
+ IPAddress(pyo3::Py),
+}
+
+self_cell::self_cell!(
+ struct OwnedPolicy {
+ owner: SubjectOwner,
+
+ #[covariant]
+ dependent: FixedPolicy,
+ }
+);
+
+#[pyo3::pyclass(
+ frozen,
+ name = "Policy",
+ module = "cryptography.hazmat.bindings._rust.x509"
+)]
+struct PyPolicy(OwnedPolicy);
+
+impl PyPolicy {
+ fn as_policy(&self) -> &Policy<'_, PyCryptoOps> {
+ &self.0.borrow_dependent().0
+ }
+}
+
+fn build_subject_owner(
+ py: pyo3::Python<'_>,
+ subject: pyo3::Py,
+) -> pyo3::PyResult {
+ let subject = subject.as_ref(py);
+
+ if subject.is_none() {
+ return Ok(SubjectOwner::None);
+ }
+
+ let x509_general_name_module =
+ py.import(pyo3::intern!(py, "cryptography.x509.general_name"))?;
+ let dns_name_class = x509_general_name_module.getattr(pyo3::intern!(py, "DNSName"))?;
+ let ip_address_class = x509_general_name_module.getattr(pyo3::intern!(py, "IPAddress"))?;
+
+ if subject.is_instance(dns_name_class)? {
+ let value = subject
+ .getattr(pyo3::intern!(py, "value"))?
+ .downcast::()?;
+
+ Ok(SubjectOwner::DNSName(value.to_str()?.to_owned()))
+ } else if subject.is_instance(ip_address_class)? {
+ let value = subject
+ .getattr(pyo3::intern!(py, "packed"))?
+ .downcast::()?;
+
+ Ok(SubjectOwner::IPAddress(value.into()))
+ } else {
+ Err(pyo3::exceptions::PyTypeError::new_err(
+ "unsupported subject type",
+ ))
+ }
+}
+
+fn build_subject<'a>(
+ py: pyo3::Python<'_>,
+ subject: &'a SubjectOwner,
+) -> pyo3::PyResult>> {
+ match subject {
+ SubjectOwner::None => Ok(None),
+ SubjectOwner::DNSName(dns_name) => {
+ let dns_name = DNSName::new(dns_name)
+ .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid domain name"))?;
+
+ Ok(Some(Subject::DNS(dns_name)))
+ }
+ SubjectOwner::IPAddress(ip_addr) => {
+ let ip_addr = IPAddress::from_bytes(ip_addr.as_bytes(py))
+ .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid IP address"))?;
+
+ Ok(Some(Subject::IP(ip_addr)))
+ }
+ }
+}
+
+#[pyo3::prelude::pyfunction]
+fn create_policy(
+ py: pyo3::Python<'_>,
+ profile: &pyo3::PyAny,
+ subject: pyo3::Py,
+ time: Option<&pyo3::PyAny>,
+) -> pyo3::PyResult {
+ let x509_module = py.import(pyo3::intern!(py, "cryptography.x509.verification"))?;
+ let rfc5280 = x509_module
+ .getattr(pyo3::intern!(py, "Profile"))?
+ .get_item(pyo3::intern!(py, "RFC5280"))?;
+ let webpki = x509_module
+ .getattr(pyo3::intern!(py, "Profile"))?
+ .get_item(pyo3::intern!(py, "WebPKI"))?;
+
+ let time = match time {
+ Some(time) => py_to_datetime(py, time)?,
+ None => datetime_now(py)?,
+ };
+
+ let subject_owner = build_subject_owner(py, subject)?;
+ let policy = if profile.eq(rfc5280)? {
+ OwnedPolicy::try_new(subject_owner, |subject_owner| {
+ let subject = build_subject(py, subject_owner)?;
+ Ok::, pyo3::PyErr>(FixedPolicy(Policy::rfc5280(
+ PyCryptoOps {},
+ subject,
+ time,
+ )))
+ })?
+ } else if profile.eq(webpki)? {
+ OwnedPolicy::try_new(subject_owner, |subject_owner| {
+ let subject = build_subject(py, subject_owner)?;
+ Ok::, pyo3::PyErr>(FixedPolicy(Policy::webpki(
+ PyCryptoOps {},
+ subject,
+ time,
+ )))
+ })?
+ } else {
+ return Err(pyo3::exceptions::PyValueError::new_err(
+ "invalid profile specified; expected a Profile variant",
+ ));
+ };
+
+ Ok(PyPolicy(policy))
+}
+
+#[pyo3::prelude::pyfunction]
+fn verify<'p>(
+ py: pyo3::Python<'p>,
+ leaf: &PyCertificate,
+ policy: &PyPolicy,
+ intermediates: &'p pyo3::types::PyList,
+ store: &'p PyStore,
+) -> CryptographyResult> {
+ let intermediates = intermediates
+ .iter()
+ .map(|o| o.extract::>())
+ .collect::, _>>()?;
+ let store = Store::new(
+ store
+ .0
+ .iter()
+ .map(|t| t.get().raw.borrow_dependent().clone()),
+ );
+
+ let policy = policy.as_policy();
+ let chain = cryptography_x509_validation::verify(
+ leaf.raw.borrow_dependent(),
+ intermediates
+ .iter()
+ .map(|i| i.raw.borrow_dependent().clone()),
+ policy,
+ &store,
+ )
+ .map_err(|e| pyo3::exceptions::PyValueError::new_err(format!("validation failed: {e:?}")))?;
+
+ // TODO: Optimize this? Turning a Certificate back into a PyCertificate
+ // involves a full round-trip back through DER, which isn't ideal.
+ chain
+ .iter()
+ .map(|c| {
+ let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?);
+ Ok(PyCertificate {
+ raw: OwnedCertificate::try_new(raw.into(), |raw| {
+ asn1::parse_single(raw.as_bytes(py))
+ })?,
+ cached_extensions: pyo3::once_cell::GILOnceCell::new(),
+ })
+ })
+ .collect()
+}
+
 pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> {
 module.add_class::()?;
+ module.add_class::()?;
+ module.add_function(pyo3::wrap_pyfunction!(verify, module)?)?;
+ module.add_function(pyo3::wrap_pyfunction!(create_policy, module)?)?;
 Ok(())
 }
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py
index 8e8ad3b0900d..8882482c7018 100644
--- a/tests/x509/test_verification.py
+++ b/tests/x509/test_verification.py
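Review bot: In `create_policy`, a `time` of `None` is resolved with `datetime_now(py)` when the policy object is built, and `verify` later reads that stored value through `policy.as_policy()`, so the validity-period check uses the creation time rather than the time of each verification. `PyPolicy` is a frozen class, so a policy that is kept and reused would keep accepting certificates that expired after it was created. If long-lived policies are intended, keep the optional time in the wrapper and resolve it inside `verify`; otherwise document it on `create_policy`, e.g. `/// When `time` is `None`, the validation time is fixed to the moment the policy is created, not the moment `verify` is called.` Separately, `is_signed_by` collapses every failure into `false`, so a DER serialisation or unsupported-algorithm error is reported to the caller as "signature does not match"; a short comment saying this is deliberate would help whoever debugs a rejected chain.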
@@ -7,10 +7,113 @@ import pytest from cryptography import x509 -from cryptography.x509.verification import Store +from cryptography.x509 import load_pem_x509_certificate +from cryptography.x509.verification import ( + PolicyBuilder, + Profile, + Store, + verify, +) from tests.x509.test_x509 import _load_cert +def test_verify_basic(): + ee = load_pem_x509_certificate( + b""" +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w +MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 +NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 +HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS +a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l +lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa +dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 +0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb +TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 +2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE +BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy +PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq +5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ +BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo +DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR +8S06Qm0= +-----END CERTIFICATE----- +""" + ) + + intermediate = load_pem_x509_certificate( + b""" +-----BEGIN CERTIFICATE----- +MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk +aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN +oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L 
+CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq +hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U +eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr +uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB +G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ +xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB +Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 +ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U +Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC +zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG +Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD +d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz +wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv +/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc +t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW +9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL +lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR +iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +-----END CERTIFICATE----- +""" + ) + + root = load_pem_x509_certificate( + b""" +-----BEGIN CERTIFICATE----- +MIIFAzCCAuugAwIBAgIULk/1FzjhdjPggYD8EUdUtMKIXQIwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY +DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDjaj2hSumOoxmHtQmAcR907Whw +2xHWQLa+v9mcsJbPMu2rwwhEs6MYWB2U3YV8BRtdLTFwUm7+JLZv9KSdk440Z5Ts +Ohm8XtieZRI2CEs4ypFyT15jDfY4T7U49mTSuZ9JuoFlsWrhm6R8+4xmkto/PTUr +x+xwgCyHPJlfxIQg5jlpwyoUK+Yl1h1moAyvWJBz5cUj+FENrXvwhvhfoBEo42Q7 +LRU1st9LBnR3rvpUbd2BcABsXIqIyAd+Lu57bhFZ+abLnhVa7JNOeucMZ7BWH9N4 +RSZn3iXmyOElpB2h4Us2Phzj9X6flfWCiHGPHnMs+Ndz4oQ3OScQcEZ3bMIJ3fwy +c5pnNr9Eq1f+uKNXfq7IXyg45Ho7iVhuk4ZpAaqAyKFiryusqYDBjHnWkiIbE2dX +aOTk1SQNuYOj3JhrwDFgfdZ+0mtWXW7Y/V93Dx1n0EkIoRahVCOkxGBm+a6Mr3G+ 
+PqFAPioKOgjB9DI8uGtVA9YjwE0bXLeIuMswL5LGdo4ULhaqpHmhLDnO3DFGT5x4 +jgbT1r+K/N7lPIpkrcXAIsCzuQ73eUlo6anrO+WrJ/L99rRAbWKGAKN2HO1N+x/K +weVRCL794ZXABqf9HmHxB0MlRLEBfOjcUmTghlPsmYMI47Sjrf0IdfFgZ3XU9MLP +HZ0U1J2LKGqi4PUqbwIDAQABoz8wPTAdBgNVHQ4EFgQUJOkk3E1Q1WmQy9Gz7j1+ +oznJKS0wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEL +BQADggIBAF/+zaqgfk5+AughIdfUDt+BspxDcp17Mv1O0UlbdfitFbQrJmLcz8qs +ZTYKZ3rcIZMEXUPVB64UgAd5QGa6Xb8wqYy93PuZoeB65KA3gPKOlRVo881FD4iT +Cb/ztZnHSpyDzYtyl5ECmeuJgEybRbZMcxovBngaFunI0K2+q4OzApak0hj/4oii +X6DAA25og2oM2iHEhG7eaemBxp62Lmboew4tKV8Sa8uwy8RxWJwRYlVkcI8uBFep +otfno/4IALx0nyXmEyRnLT6NNwNMakvf/95xU7qqn25s0xF+0G1EOIPma5pCBIF7 +Y+kS2JaS4uhI66mrDTEvwtrDA/zNwPl6C3kHZlaRYiFTNxXeTfZKO+pA49ww0GzK +56KVef2E0d2zeEwZ2S5baGMtI1KssxY7eQIPY8cidUdaCeFQE/NKkGnOLVqT/LNF +gpkjybz/BQmGBCTQI5UWDj49UPoRVP8gXC0TyIPRIeITpXSmnpiDn4gPqC1+Z7jA +lJu1dP3ITd84CVkhuHOe9oLtECWSQENKxfEY+145iqHsgsG8Vim3tZyYJsWI5V0x +utv77PsVLZNG9QiyDMKbkVFk9+BzOnXWpFxyEys9A5HNBn1pVp30lu0EMqhChoR6 +NlIpBxyLOUUx0e7+ooHYTUm9rNHmAYadjwNk3phoRzSQHhAQFjVQ +-----END CERTIFICATE----- +""" + ) + + policy = PolicyBuilder(profile=Profile.RFC5280).build() + store = Store([root]) + chain = verify(ee, policy, [intermediate], store) + + assert chain == [ee, intermediate, root] + + class TestStore: def test_store_rejects_empty_list(self): with pytest.raises(ValueError): From 7e1f72afde1e87c3906258db816ff550cbc3148f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 3 Oct 2023 18:06:33 -0400 Subject: [PATCH 002/155] make `cargo doc` happy Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 8e4dccfc752f..9042ada1df38 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
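Review bot: `test_verify_basic` asserts only the accepting path, so it would still pass against a verifier that accepts every chain it is given. Add at least one rejecting case beside it, for example `with pytest.raises(ValueError): verify(ee, policy, [], store)`, which has no path from the leaf to the root once the intermediate is withheld. The same gap remains after the test is rewritten in the later "fix tests" commit, where a verifier built for a different `DNSName` and a `.time(...)` outside the leaf's validity period are two more cases worth pinning. `ValueError` is what the Rust binding raises on failure in this series, so these assertions need no new exception type.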
@@ -98,7 +98,7 @@ static ECDSA_SHA512: AlgorithmIdentifier<'_> = AlgorithmIdentifier { }; /// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) -/// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf +/// pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> = Lazy::new(|| { HashSet::from([ &RSASSA_PKCS1V15_SHA256, From 30509a8193ad4f8ab942f9dc480afad1642d5c8a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 12:42:14 -0400 Subject: [PATCH 003/155] verify: move API to ServerVerifier.verify Signed-off-by: William Woodruff --- src/rust/src/x509/verify.rs | 106 ++++++++++++++++-------------------- 1 file changed, 47 insertions(+), 59 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index c76cad544f3d..313abf0c4d13 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs 
@@ -93,6 +93,53 @@ impl PyServerVerifier { fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { datetime_to_py(py, &self.as_policy().validation_time) } + + fn verify<'p>( + &self, + py: pyo3::Python<'p>, + leaf: &PyCertificate, + intermediates: &'p pyo3::types::PyList, + store: &'p PyStore, + ) -> CryptographyResult> { + let intermediates = intermediates + .iter() + .map(|o| o.extract::>()) + .collect::, _>>()?; + let store = Store::new( + store + .0 + .iter() + .map(|t| t.get().raw.borrow_dependent().clone()), + ); + + let policy = self.as_policy(); + let chain = cryptography_x509_validation::verify( + leaf.raw.borrow_dependent(), + intermediates + .iter() + .map(|i| i.raw.borrow_dependent().clone()), + policy, + &store, + ) + .map_err(|e| { + pyo3::exceptions::PyValueError::new_err(format!("validation failed: {e:?}")) + })?; + + // TODO: Optimize this? Turning a Certificate back into a PyCertificate + // involves a full round-trip back through DER, which isn't ideal. + chain + .iter() + .map(|c| { + let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?); + Ok(PyCertificate { + raw: OwnedCertificate::try_new(raw.into(), |raw| { + asn1::parse_single(raw.as_bytes(py)) + })?, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), + }) + }) + .collect() + } } fn build_subject_owner( 
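Review bot: A rejected chain leaves `verify` as a plain `ValueError` carrying the Debug rendering of the internal error (`format!("validation failed: {e:?}")`), so a Python caller cannot separate "this certificate was rejected" from "an argument was malformed" without matching on message text. Raising a dedicated exception class from the `map_err` closure (the name is for the project to choose) would let callers handle rejection explicitly and keep the Rust enum's Debug output out of the public contract. Separately, `Store::new(...)` clones every trust anchor on each call; the existing TODO covers the DER round trip on the way out but not this copy on the way in, and a line such as `// TODO: build the Store once in PyStore instead of per verify() call` would record it.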
@@ -188,65 +235,6 @@ impl PyStore { } } -#[pyo3::pyclass( - frozen, - name = "Policy", - module = "cryptography.hazmat.bindings._rust.x509" -)] -struct PyPolicy(OwnedPolicy); - -impl PyPolicy { - fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { - &self.0.borrow_dependent().0 - } -} - -#[pyo3::prelude::pyfunction] -fn verify<'p>( - py: pyo3::Python<'p>, - leaf: &PyCertificate, - policy: &PyPolicy, - intermediates: &'p pyo3::types::PyList, - store: &'p PyStore, -) -> CryptographyResult> { - let intermediates = intermediates - .iter() - .map(|o| o.extract::>()) - .collect::, _>>()?; - let store = Store::new( - store - .0 - .iter() - .map(|t| t.get().raw.borrow_dependent().clone()), - ); - - let policy = policy.as_policy(); - let chain = cryptography_x509_validation::verify( - leaf.raw.borrow_dependent(), - intermediates - .iter() - .map(|i| i.raw.borrow_dependent().clone()), - policy, - &store, - ) - .map_err(|e| pyo3::exceptions::PyValueError::new_err(format!("validation failed: {e:?}")))?; - - // TODO: Optimize this? Turning a Certificate back into a PyCertificate - // involves a full round-trip back through DER, which isn't ideal. - chain - .iter() - .map(|c| { - let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?); - Ok(PyCertificate { - raw: OwnedCertificate::try_new(raw.into(), |raw| { - asn1::parse_single(raw.as_bytes(py)) - })?, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), - }) - }) - .collect() -} - pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_class::()?; module.add_class::()?; From 4658f70b73f91d618d7d7a0275ae75c4a6719e84 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 14:01:10 -0400 Subject: [PATCH 004/155] fix tests 
Signed-off-by: William Woodruff --- .../hazmat/bindings/_rust/x509.pyi | 7 +- .../src/policy/mod.rs | 7 +- src/rust/src/x509/verify.rs | 1 - tests/x509/test_verification.py | 162 ++++++++++-------- 4 files changed, 102 insertions(+), 75 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 56a0f9732713..0835b5659993 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -47,13 +47,18 @@ class Certificate: ... class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... -class Policy: ... class ServerVerifier: @property def subject(self) -> x509.verification.Subject: ... @property def validation_time(self) -> datetime.datetime: ... + def verify( + self, + leaf: x509.Certificate, + intermediates: list[x509.Certificate], + store: Store, + ) -> list[x509.Certificate]: ... class Store: def __init__(self, certs: list[x509.Certificate]) -> None: ... diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 9042ada1df38..cf3d731f2f32 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -115,8 +115,11 @@ pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID]; -const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = - &[BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID]; +const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[ + BASIC_CONSTRAINTS_OID, + SUBJECT_ALTERNATIVE_NAME_OID, + KEY_USAGE_OID, +]; #[derive(Debug, PartialEq)] pub enum PolicyError { diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 313abf0c4d13..178965713e0b 100644 --- a/src/rust/src/x509/verify.rs 
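Review bot: `RFC5280_CRITICAL_EE_EXTENSIONS` gains `KEY_USAGE_OID` with no comment saying what membership in the list means, and the change arrives in a commit titled "fix tests". Judging by the name, this is the set of extensions an end-entity certificate may mark critical without being rejected as unrecognised; if so, widening it relaxes validation and deserves a line above the constant such as `// keyUsage is commonly critical on EE certs (RFC 5280 4.2.1.3); its contents are checked by the EE policy`. It is worth confirming that every OID listed here is actually inspected somewhere, because a critical extension that is accepted but never examined defeats the purpose of the criticality bit.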
+++ b/src/rust/src/x509/verify.rs @@ -238,7 +238,6 @@ impl PyStore { pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_class::()?; module.add_class::()?; - module.add_function(pyo3::wrap_pyfunction!(verify, module)?)?; module.add_function(pyo3::wrap_pyfunction!(create_server_verifier, module)?)?; Ok(()) diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 9c0306e04c59..9b0c149ab4fb 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -14,7 +14,6 @@ from cryptography.x509.verification import ( PolicyBuilder, Store, - verify, ) from tests.x509.test_x509 import _load_cert 
@@ -23,24 +22,34 @@ def test_verify_basic(): ee = load_pem_x509_certificate( b""" -----BEGIN CERTIFICATE----- -MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL -BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w -MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 -NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 -HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS -a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l -lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa -dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 -0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb -TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 -2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ -BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE -BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy -PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq -5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ -BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo -DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR -8S06Qm0= +MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA +MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD +EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT +D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 +QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm +Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd +nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ +enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF +++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV 
+HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu +UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v +cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y +Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM +AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 +c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 +8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G +a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ +crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh +s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB +CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn +31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa +GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v +NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W +9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N +RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi -----END CERTIFICATE----- """ ) 
@@ -48,29 +57,34 @@ def test_verify_basic(): intermediate = load_pem_x509_certificate( b""" -----BEGIN CERTIFICATE----- -MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk -aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN -oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L -CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq -hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U -eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr -uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB -G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ -xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB -Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 -ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U -Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC -zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG -Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD -d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz -wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv -/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc -t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW -9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL -lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR -iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== -----END CERTIFICATE----- """ ) 
@@ -78,40 +92,46 @@ def test_verify_basic(): root = load_pem_x509_certificate( b""" -----BEGIN CERTIFICATE----- -MIIFAzCCAuugAwIBAgIULk/1FzjhdjPggYD8EUdUtMKIXQIwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDjaj2hSumOoxmHtQmAcR907Whw -2xHWQLa+v9mcsJbPMu2rwwhEs6MYWB2U3YV8BRtdLTFwUm7+JLZv9KSdk440Z5Ts -Ohm8XtieZRI2CEs4ypFyT15jDfY4T7U49mTSuZ9JuoFlsWrhm6R8+4xmkto/PTUr -x+xwgCyHPJlfxIQg5jlpwyoUK+Yl1h1moAyvWJBz5cUj+FENrXvwhvhfoBEo42Q7 -LRU1st9LBnR3rvpUbd2BcABsXIqIyAd+Lu57bhFZ+abLnhVa7JNOeucMZ7BWH9N4 -RSZn3iXmyOElpB2h4Us2Phzj9X6flfWCiHGPHnMs+Ndz4oQ3OScQcEZ3bMIJ3fwy -c5pnNr9Eq1f+uKNXfq7IXyg45Ho7iVhuk4ZpAaqAyKFiryusqYDBjHnWkiIbE2dX -aOTk1SQNuYOj3JhrwDFgfdZ+0mtWXW7Y/V93Dx1n0EkIoRahVCOkxGBm+a6Mr3G+ -PqFAPioKOgjB9DI8uGtVA9YjwE0bXLeIuMswL5LGdo4ULhaqpHmhLDnO3DFGT5x4 -jgbT1r+K/N7lPIpkrcXAIsCzuQ73eUlo6anrO+WrJ/L99rRAbWKGAKN2HO1N+x/K -weVRCL794ZXABqf9HmHxB0MlRLEBfOjcUmTghlPsmYMI47Sjrf0IdfFgZ3XU9MLP -HZ0U1J2LKGqi4PUqbwIDAQABoz8wPTAdBgNVHQ4EFgQUJOkk3E1Q1WmQy9Gz7j1+ -oznJKS0wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEL -BQADggIBAF/+zaqgfk5+AughIdfUDt+BspxDcp17Mv1O0UlbdfitFbQrJmLcz8qs -ZTYKZ3rcIZMEXUPVB64UgAd5QGa6Xb8wqYy93PuZoeB65KA3gPKOlRVo881FD4iT -Cb/ztZnHSpyDzYtyl5ECmeuJgEybRbZMcxovBngaFunI0K2+q4OzApak0hj/4oii -X6DAA25og2oM2iHEhG7eaemBxp62Lmboew4tKV8Sa8uwy8RxWJwRYlVkcI8uBFep -otfno/4IALx0nyXmEyRnLT6NNwNMakvf/95xU7qqn25s0xF+0G1EOIPma5pCBIF7 -Y+kS2JaS4uhI66mrDTEvwtrDA/zNwPl6C3kHZlaRYiFTNxXeTfZKO+pA49ww0GzK -56KVef2E0d2zeEwZ2S5baGMtI1KssxY7eQIPY8cidUdaCeFQE/NKkGnOLVqT/LNF -gpkjybz/BQmGBCTQI5UWDj49UPoRVP8gXC0TyIPRIeITpXSmnpiDn4gPqC1+Z7jA -lJu1dP3ITd84CVkhuHOe9oLtECWSQENKxfEY+145iqHsgsG8Vim3tZyYJsWI5V0x -utv77PsVLZNG9QiyDMKbkVFk9+BzOnXWpFxyEys9A5HNBn1pVp30lu0EMqhChoR6 -NlIpBxyLOUUx0e7+ooHYTUm9rNHmAYadjwNk3phoRzSQHhAQFjVQ +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- """ ) - policy = PolicyBuilder().build_server_verifier() + verifier = ( + PolicyBuilder() + .time(datetime.datetime(2023, 7, 
10)) + .build_server_verifier(subject=DNSName("cryptography.io")) + ) store = Store([root]) - chain = verify(ee, policy, [intermediate], store) + chain = verifier.verify(ee, [intermediate], store) assert chain == [ee, intermediate, root] From 1420533c3c5761161dcf40473686da99a54045b8 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 14:26:16 -0400 Subject: [PATCH 005/155] extensions: derive Eq Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/extensions.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 51d40b1a5d99..99575a46b290 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,7 +8,7 @@ use crate::common; use crate::crl; use crate::name; -#[derive(Debug, PartialEq)] +#[derive(Debug, PartialEq, Eq)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< From 43999ac74f86b492a033903aa30b5e63839bf9c6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 15:23:56 -0400 Subject: [PATCH 006/155] policy: another Eq derive Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index cf3d731f2f32..a1daee0a5350 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -121,7 +121,7 @@ const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[ KEY_USAGE_OID, ]; -#[derive(Debug, PartialEq)] +#[derive(Debug, PartialEq, Eq)] pub enum PolicyError { Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), 
From c220117323966605ddc2a6b8ee6c45fb9fa4412b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 18:39:59 -0400 Subject: [PATCH 007/155] [DEMO] declarative extension policies Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 171 ++++++++++++++++++ .../src/policy/mod.rs | 58 +++--- 2 files changed, 192 insertions(+), 37 deletions(-) create mode 100644 src/rust/cryptography-x509-validation/src/policy/extension.rs diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs new file mode 100644 index 000000000000..21194ba4fc1e --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs 
@@ -0,0 +1,171 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use asn1::ObjectIdentifier; +use cryptography_x509::{ + certificate::Certificate, + extensions::{Extension, Extensions}, +}; + +use crate::ops::CryptoOps; + +use super::{Policy, PolicyError}; + +/// Represents different criticality states for an extension. +pub(crate) enum Criticality { + /// The extension MUST be marked as critical. + Critical, + /// The extension MAY be marked as critical. + Agnostic, + /// The extension MUST NOT be marked as critical. + NonCritical, +} + +impl Criticality { + pub(crate) fn permits(&self, critical: bool) -> bool { + match (self, critical) { + (Criticality::Critical, true) => true, + (Criticality::Critical, false) => false, + (Criticality::Agnostic, _) => true, + (Criticality::NonCritical, true) => false, + (Criticality::NonCritical, false) => true, + } + } +} + +type ExtensionValidatorCallback = + fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; + +/// Represents different validation states for an extension. +pub(crate) enum ExtensionValidator { + /// The extension MUST NOT be present. + NotPresent, + /// The extension MUST be present. + Present { + /// The extension's criticality. + criticality: Criticality, + /// An optional validator over the extension's inner contents, with + /// the surrounding `Policy` as context. + validator: Option>, + }, + /// The extension MAY be present. + MaybePresent { + criticality: Criticality, + validator: Option>, + }, +} + +/// A "policy" for validating a specific X.509v3 extension, identified by +/// its OID. 
+pub(crate) struct ExtensionPolicy { + pub(crate) oid: asn1::ObjectIdentifier, + pub(crate) validator: ExtensionValidator, +} + +impl ExtensionPolicy { + pub(crate) fn not_present(oid: ObjectIdentifier) -> Self { + Self { + oid, + validator: ExtensionValidator::NotPresent, + } + } + + pub(crate) fn present( + oid: ObjectIdentifier, + criticality: Criticality, + validator: Option>, + ) -> Self { + Self { + oid, + validator: ExtensionValidator::Present { + criticality, + validator, + }, + } + } + + pub(crate) fn permits( + &self, + policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), PolicyError> { + match (&self.validator, extensions.get_extension(&self.oid)) { + // Extension MUST NOT be present and isn't; OK. + (ExtensionValidator::NotPresent, None) => Ok(()), + // Extension MUST NOT be present but is; NOT OK. + (ExtensionValidator::NotPresent, Some(_)) => Err(PolicyError::Other( + "EE certificate contains prohibited extension", + )), + // Extension MUST be present but is not; NOT OK. + (ExtensionValidator::Present { .. }, None) => Err(PolicyError::Other( + "EE certificate is missing required extension", + )), + // Extension MUST be present and is; check it. + ( + ExtensionValidator::Present { + criticality, + validator, + }, + Some(extn), + ) => { + if !criticality.permits(extn.critical) { + return Err(PolicyError::Other( + "EE certificate extension has incorrect criticality", + )); + } + + // If a custom validator is supplied, apply it. + validator.map_or(Ok(()), |v| v(policy, cert, &extn)) + } + // Extension MAY be present and is; check it. + ( + ExtensionValidator::MaybePresent { + criticality, + validator, + }, + Some(extn), + ) => { + if !criticality.permits(extn.critical) { + return Err(PolicyError::Other( + "EE certificate extension has incorrect criticality", + )); + } + + // If a custom validator is supplied, apply it. 
+ validator.map_or(Ok(()), |v| v(policy, cert, &extn)) + } + // Extension MAY be present and isn't; OK. + (ExtensionValidator::MaybePresent { .. }, None) => Ok(()), + } + } +} + +pub(crate) mod ee {} + +pub(crate) mod ca { + use cryptography_x509::{ + certificate::Certificate, + extensions::{Extension, KeyUsage}, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, PolicyError}, + }; + + pub(crate) fn key_usage( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + let key_usage: KeyUsage<'_> = extn.value()?; + + if !key_usage.key_cert_sign() { + return Err("keyUsage.keyCertSign must be asserted in a CA certificate".into()); + } + + Ok(()) + } +} diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index a1daee0a5350..71b89fb0d991 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +mod extension; + use std::collections::HashSet; use asn1::ObjectIdentifier; @@ -24,6 +26,7 @@ use cryptography_x509::oid::{ SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, }; +use self::extension::{ca, Criticality, ExtensionPolicy}; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; @@ -220,6 +223,9 @@ pub struct Policy<'a, B: CryptoOps> { pub critical_ca_extensions: HashSet, pub critical_ee_extensions: HashSet, + + ca_extension_policies: Vec>, + ee_extension_policies: Vec>, } impl<'a, B: CryptoOps> Policy<'a, B> { 
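Review bot: Every error string in `ExtensionPolicy::permits` says "EE certificate …", yet the same method is run over `ca_extension_policies` in `policy/mod.rs`, so a CA certificate that lacks SubjectKeyIdentifier would be reported as an EE problem. Drop the role from the text, e.g. `"certificate is missing required extension"`, or store the role on the policy. The `Present`/`Some` and `MaybePresent`/`Some` arms are line-for-line identical and could share one or-pattern arm, and `Criticality::permits` reduces to `!matches!((self, critical), (Criticality::Critical, false) | (Criticality::NonCritical, true))`.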
@@ -241,6 +247,17 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), + ca_extension_policies: Vec::from([ + // 5280 4.2.1.2: Subject Key Identifier + ExtensionPolicy::present( + SUBJECT_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + None, + ), + // 5280 4.2.1.3: Key Usage + ExtensionPolicy::present(KEY_USAGE_OID, Criticality::Agnostic, Some(ca::key_usage)), + ]), + ee_extension_policies: Vec::from([ExtensionPolicy::not_present(KEY_USAGE_OID)]), } } @@ -459,32 +476,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err("CA certificate must be an X509v3 certificate".into()); } - // 5280 4.2.1.2: - // CA certificates MUST have a SubjectKeyIdentifier and it MUST NOT be - // critical. - if let Some(ski) = extensions.get_extension(&SUBJECT_KEY_IDENTIFIER_OID) { - if ski.critical { - return Err( - "SubjectKeyIdentifier must not be marked critical in a CA Certificate".into(), - ); - } - } else { - return Err("store certificates must have a SubjectKeyIdentifier extension".into()); - } - - // 5280 4.2.1.3: - // CA certificates MUST have a KeyUsage, it SHOULD be critical, - // and it MUST have `keyCertSign` asserted. - if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { - // TODO: Check `key_usage.critical` on a policy basis here? - - let key_usage: KeyUsage<'_> = key_usage.value()?; - - if !key_usage.key_cert_sign() { - return Err("KeyUsage.keyCertSign must be asserted in a CA certificate".into()); - } - } else { - return Err("CA certificates must have a KeyUsage extension".into()); + for ext_policy in self.ca_extension_policies.iter() { + ext_policy.permits(self, cert, &extensions)?; } // 5280 4.2.1.9: Basic Constraints 
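Review bot: `ee_extension_policies` is initialised with `ExtensionPolicy::not_present(KEY_USAGE_OID)`, which rejects any end-entity certificate that carries keyUsage at all, whereas the check it replaces in the `@@ -538,17 +531,8 @@` hunk only rejected a leaf asserting `keyCertSign`. The leaf used by `test_verify_basic` appears to carry a critical keyUsage, and an earlier commit in this series added `KEY_USAGE_OID` to `RFC5280_CRITICAL_EE_EXTENSIONS`, so this looks like an unintended tightening rather than a policy decision. Keeping the old rule needs a constructor for the existing `MaybePresent` variant plus an EE key-usage validator, roughly as below. The enclosing constructor and both certificate checks extend beyond these hunks.

```rust
// policy/extension.rs, inside `mod ee`
pub(crate) fn key_usage<B: CryptoOps>(
    _policy: &Policy<'_, B>,
    _cert: &Certificate<'_>,
    extn: &Extension<'_>,
) -> Result<(), PolicyError> {
    let key_usage: KeyUsage<'_> = extn.value()?;

    // An EE is by definition not a CA, so it must not assert keyCertSign.
    if key_usage.key_cert_sign() {
        return Err("keyUsage.keyCertSign must not be asserted in an EE certificate".into());
    }

    Ok(())
}

// policy/mod.rs
// … unchanged: ca_extension_policies …
ee_extension_policies: Vec::from([ExtensionPolicy::maybe_present(
    KEY_USAGE_OID,
    Criticality::Agnostic,
    Some(ee::key_usage),
)]),
```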
@@ -538,17 +531,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { let extensions = cert.extensions()?; - // 5280 4.2.1.3: Key Usage - // It isn't stated explicitly, but an EE is defined to be not a CA, - // so it MUST NOT assert keyCertSign. - if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { - let key_usage: KeyUsage<'_> = key_usage.value()?; - - if key_usage.key_cert_sign() { - return Err(PolicyError::Other( - "EE is marked as a CA certificate (keyUsage.keyCertSign)", - )); - } + for ext_policy in self.ee_extension_policies.iter() { + ext_policy.permits(self, cert, &extensions)?; } // 5280 4.1.2.6 / 4.2.1.6: Subject / Subject Alternative Name From 25655ad896bc69f8d9100e351ab8ab1c8c0ed4ff Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 5 Oct 2023 19:38:58 -0400 Subject: [PATCH 008/155] more extension policy refactoring Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 82 +++++++++++++++- .../src/policy/mod.rs | 97 ++++++------------- 2 files changed, 112 insertions(+), 67 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 21194ba4fc1e..cdef1016770c 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -85,6 +85,20 @@ impl ExtensionPolicy { } } + pub(crate) fn maybe_present( + oid: ObjectIdentifier, + criticality: Criticality, + validator: Option>, + ) -> Self { + Self { + oid, + validator: ExtensionValidator::MaybePresent { + criticality, + validator, + }, + } + } + pub(crate) fn permits( &self, policy: &Policy<'_, B>, 
@@ -142,12 +156,62 @@ impl ExtensionPolicy { } } -pub(crate) mod ee {} +pub(crate) mod ee { + use cryptography_x509::{ + certificate::Certificate, + extensions::{BasicConstraints, Extension}, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, PolicyError}, + }; + + pub(crate) fn basic_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + let basic_constraints: BasicConstraints = extn.value()?; + + if basic_constraints.ca { + return Err("basicConstraints.cA must not be asserted in an EE certificate".into()); + } + + Ok(()) + } + + pub(crate) fn subject_alternative_name( + _policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + match (cert.subject().is_empty(), extn.critical) { + // If the subject is empty, the SAN MUST be critical. + (true, false) => { + return Err("EE subjectAltName MUST be critical when subject is empty".into()); + } + // If the subject is non-empty, the SAN MUST NOT be critical. + (false, true) => { + return Err( + "EE subjectAltName MUST NOT be critical when subject is nonempty".into(), + ) + } + _ => (), + }; + + // For Subscriber Certificates, the Subject Alternative Name MUST be present and MUST contain at + // least one dNSName or iPAddress GeneralName. See below for further requirements about the + // permitted fields and their validation requirements + + Ok(()) + } +} pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, - extensions::{Extension, KeyUsage}, + extensions::{BasicConstraints, Extension, KeyUsage}, }; use crate::{ 
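Review bot: `ee::subject_alternative_name` only compares `extn.critical` with the subject and then returns `Ok(())` without decoding the extension, so the requirement quoted in its trailing comment (at least one dNSName or iPAddress GeneralName) is not enforced by this validator. Whether a later name-matching step rejects an empty or unusable SAN is not visible from this hunk. The `TODO` that tracked this gap in `permits_ee` is deleted in the `@@ -535,46 +539,9 @@` hunk, so nothing marks it as open any more. I would either decode `extn.value()` here and return an error when the name list is empty, or at least reword the comment as `// TODO: decode the SAN and require at least one dNSName or iPAddress GeneralName`.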
@@ -168,4 +232,18 @@ pub(crate) mod ca { Ok(()) } + + pub(crate) fn basic_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + let basic_constraints: BasicConstraints = extn.value()?; + + if !basic_constraints.ca { + return Err("basicConstraints.cA must be asserted in a CA certificate".into()); + } + + Ok(()) + } } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 71b89fb0d991..63ee6317e9b3 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -22,11 +22,11 @@ use cryptography_x509::extensions::{ use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, EKU_SERVER_AUTH_OID, - EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID, - SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, + EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID, POLICY_CONSTRAINTS_OID, + SUBJECT_ALTERNATIVE_NAME_OID, SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, }; -use self::extension::{ca, Criticality, ExtensionPolicy}; +use self::extension::{ca, ee, Criticality, ExtensionPolicy}; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; 
@@ -256,8 +256,35 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), // 5280 4.2.1.3: Key Usage ExtensionPolicy::present(KEY_USAGE_OID, Criticality::Agnostic, Some(ca::key_usage)), + // 5280 4.2.1.9: Basic Constraints + ExtensionPolicy::present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(ca::basic_constraints), + ), + // 5280 4.2.1.10: Name Constraints + ExtensionPolicy::maybe_present(NAME_CONSTRAINTS_OID, Criticality::Critical, None), + // 5280 4.2.1.10: Policy Constraints + ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), + ]), + ee_extension_policies: Vec::from([ + // 5280 4.2.1.3: Key Usage + ExtensionPolicy::not_present(KEY_USAGE_OID), + // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name + ExtensionPolicy::present( + SUBJECT_ALTERNATIVE_NAME_OID, + Criticality::Agnostic, + Some(ee::subject_alternative_name), + ), + // 5280 4.2.1.9: Basic Constraints + ExtensionPolicy::maybe_present( + BASIC_CONSTRAINTS_OID, + Criticality::Agnostic, + Some(ee::basic_constraints), + ), + // 5280 4.2.1.10: Name Constraints + ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), ]), - ee_extension_policies: Vec::from([ExtensionPolicy::not_present(KEY_USAGE_OID)]), } } @@ -460,8 +487,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { pub(crate) fn permits_ca(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { self.permits_basic(cert)?; - let extensions = cert.extensions()?; - // 5280 4.1.2.6: Subject // CA certificates MUST have a subject populated with a non-empty distinguished name. if cert.subject().is_empty() { 
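Review bot: The comment above the `POLICY_CONSTRAINTS_OID` entry reads `// 5280 4.2.1.10: Policy Constraints`, but 4.2.1.10 is the Name Constraints section, as the entry directly above it says. The comment removed from `permits_ca` in this same commit cites 4.2.1.11 for Policy Constraints. I would change the line to `// 5280 4.2.1.11: Policy Constraints` so that a reader auditing the policy table against the RFC lands on the right section. `Policy::new` starts and ends outside the hunk.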
@@ -476,32 +501,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err("CA certificate must be an X509v3 certificate".into()); } + let extensions = cert.extensions()?; for ext_policy in self.ca_extension_policies.iter() { ext_policy.permits(self, cert, &extensions)?; } - // 5280 4.2.1.9: Basic Constraints - // CA certificates MUST have a BasicConstraints, it MUST be critical, - // and it MUST have `cA` asserted. - if let Some(basic_constraints) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { - if !basic_constraints.critical { - return Err("BasicConstraints must be marked critical in a CA certificate".into()); - } - - let basic_constraints: BasicConstraints = basic_constraints.value()?; - if !basic_constraints.ca { - return Err("BasicConstraints.cA must be asserted in a CA certificate".into()); - } - } else { - return Err("CA certificates must have a BasicConstraints extension".into()); - } - - // 5280 4.2.1.10: Name Constraints - // If present, NameConstraints MUST be critical. - - // 5280 4.2.1.11: Policy Constraints - // If present, PolicyConstraints MUST be critical. - // CA certificates must also adhere to the expected EKU. self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?; 
@@ -535,46 +539,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ext_policy.permits(self, cert, &extensions)?; } - // 5280 4.1.2.6 / 4.2.1.6: Subject / Subject Alternative Name - // EE certificates MAY have their subject in either the subject or subjectAltName. - // If the subject is empty, then the subjectAltName MUST be marked critical. - if cert.subject().is_empty() { - match extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { - Some(san) => { - if !san.critical { - return Err( - "EE without a subject must have a critical subjectAltName".into() - ); - } - - // TODO: There must be at least one SAN, and no SAN may be empty. - } - None => return Err("EE without a subject must have a subjectAltName".into()), - } - } - - // TODO: Pedantic: When the subject is non-empty, subjectAltName SHOULD - // be marked as non-critical. - // 5280 4.2.1.5: Policy Mappings // The RFC is not clear on whether these may appear in EE certificates. - // 5280 4.2.1.9: Basic Constraints - // We refute `KeyUsage.keyCertSign` above, so `BasicConstraints.cA` MUST NOT - // be asserted. - if let Some(basic_constraints) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { - let basic_constraints: BasicConstraints = basic_constraints.value()?; - - if basic_constraints.ca { - return Err(PolicyError::Other( - "EE is marked as a CA certificate (basicConstraints.cA)", - )); - } - } - - // 5280 4.2.1.10: Name Constraints - // NameConstraints MUST NOT appear in EE certificates. - // 5280 4.2.1.11: Policy Constraints // The RFC is not clear on whether these may appear in EE certificates. From 7c771554d2ecd7e3000e7d189b6702da5a74b634 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 6 Oct 2023 11:32:28 -0400 Subject: [PATCH 009/155] fixup tests Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 432 +++++++----------- .../src/policy/mod.rs | 2 +- 2 files changed, 163 insertions(+), 271 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 8ab0d44ab08c..07c16290b1f1 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -143,7 +143,7 @@ where #[cfg(test)] pub(crate) mod tests { use super::*; - use crate::ops::tests::NullOps; + use crate::{ops::tests::NullOps, types::DNSName}; #[macro_export] macro_rules! cert { 
@@ -158,24 +158,34 @@ pub(crate) mod tests { let ee = cert!( " -----BEGIN CERTIFICATE----- -MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL -BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w -MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 -NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 -HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS -a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l -lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa -dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 -0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb -TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 -2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ -BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE -BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy -PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq -5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ -BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo -DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR -8S06Qm0= +MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA +MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD +EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT +D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 +QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm +Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd +nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ +enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF +++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV 
+HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu +UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v +cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y +Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM +AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 +c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 +8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G +a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ +crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh +s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB +CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn +31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa +GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v +NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W +9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N +RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi -----END CERTIFICATE----- " ); 
@@ -183,29 +193,34 @@ DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR let intermediate = cert!( " -----BEGIN CERTIFICATE----- -MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk -aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN -oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L -CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq -hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U -eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr -uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB -G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ -xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB -Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 -ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U -Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC -zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG -Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD -d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz -wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv -/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc -t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW -9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL -lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR -iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== -----END CERTIFICATE----- " ); 
@@ -213,41 +228,49 @@ iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= let root = cert!( " -----BEGIN CERTIFICATE----- -MIIFAzCCAuugAwIBAgIULk/1FzjhdjPggYD8EUdUtMKIXQIwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDjaj2hSumOoxmHtQmAcR907Whw -2xHWQLa+v9mcsJbPMu2rwwhEs6MYWB2U3YV8BRtdLTFwUm7+JLZv9KSdk440Z5Ts -Ohm8XtieZRI2CEs4ypFyT15jDfY4T7U49mTSuZ9JuoFlsWrhm6R8+4xmkto/PTUr -x+xwgCyHPJlfxIQg5jlpwyoUK+Yl1h1moAyvWJBz5cUj+FENrXvwhvhfoBEo42Q7 -LRU1st9LBnR3rvpUbd2BcABsXIqIyAd+Lu57bhFZ+abLnhVa7JNOeucMZ7BWH9N4 -RSZn3iXmyOElpB2h4Us2Phzj9X6flfWCiHGPHnMs+Ndz4oQ3OScQcEZ3bMIJ3fwy -c5pnNr9Eq1f+uKNXfq7IXyg45Ho7iVhuk4ZpAaqAyKFiryusqYDBjHnWkiIbE2dX -aOTk1SQNuYOj3JhrwDFgfdZ+0mtWXW7Y/V93Dx1n0EkIoRahVCOkxGBm+a6Mr3G+ -PqFAPioKOgjB9DI8uGtVA9YjwE0bXLeIuMswL5LGdo4ULhaqpHmhLDnO3DFGT5x4 -jgbT1r+K/N7lPIpkrcXAIsCzuQ73eUlo6anrO+WrJ/L99rRAbWKGAKN2HO1N+x/K -weVRCL794ZXABqf9HmHxB0MlRLEBfOjcUmTghlPsmYMI47Sjrf0IdfFgZ3XU9MLP -HZ0U1J2LKGqi4PUqbwIDAQABoz8wPTAdBgNVHQ4EFgQUJOkk3E1Q1WmQy9Gz7j1+ -oznJKS0wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEL -BQADggIBAF/+zaqgfk5+AughIdfUDt+BspxDcp17Mv1O0UlbdfitFbQrJmLcz8qs -ZTYKZ3rcIZMEXUPVB64UgAd5QGa6Xb8wqYy93PuZoeB65KA3gPKOlRVo881FD4iT -Cb/ztZnHSpyDzYtyl5ECmeuJgEybRbZMcxovBngaFunI0K2+q4OzApak0hj/4oii -X6DAA25og2oM2iHEhG7eaemBxp62Lmboew4tKV8Sa8uwy8RxWJwRYlVkcI8uBFep -otfno/4IALx0nyXmEyRnLT6NNwNMakvf/95xU7qqn25s0xF+0G1EOIPma5pCBIF7 -Y+kS2JaS4uhI66mrDTEvwtrDA/zNwPl6C3kHZlaRYiFTNxXeTfZKO+pA49ww0GzK -56KVef2E0d2zeEwZ2S5baGMtI1KssxY7eQIPY8cidUdaCeFQE/NKkGnOLVqT/LNF -gpkjybz/BQmGBCTQI5UWDj49UPoRVP8gXC0TyIPRIeITpXSmnpiDn4gPqC1+Z7jA -lJu1dP3ITd84CVkhuHOe9oLtECWSQENKxfEY+145iqHsgsG8Vim3tZyYJsWI5V0x -utv77PsVLZNG9QiyDMKbkVFk9+BzOnXWpFxyEys9A5HNBn1pVp30lu0EMqhChoR6 -NlIpBxyLOUUx0e7+ooHYTUm9rNHmAYadjwNk3phoRzSQHhAQFjVQ +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- " ); let store = Store::new([root.clone()]); let ops = NullOps {}; - let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 
0).unwrap(); - let policy: Policy<'_, _> = Policy::new(ops, None, time); + let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); + let policy: Policy<'_, _> = Policy::new( + ops, + Some(policy::Subject::DNS( + DNSName::new("cryptography.io").unwrap(), + )), + time, + ); let chain = verify(&ee, [intermediate.clone()], &policy, &store).unwrap(); assert_eq!(chain.len(), 3); 
@@ -261,217 +284,86 @@ NlIpBxyLOUUx0e7+ooHYTUm9rNHmAYadjwNk3phoRzSQHhAQFjVQ let ee = cert!( " -----BEGIN CERTIFICATE----- -MIIDMTCCAhmgAwIBAgIUcNqk/7PML+7lLXVcx3gjsq65hM4wDQYJKoZIhvcNAQEL -BQAwLDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0w -MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14 -NTA5LWxpbWJvLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunA2 -HOgxI+I/RYPFB+4eAEz36KqDLCkGHYi4SPa5pX/hD+F+aEFWmboqdwgSpgRks8LS -a9dZO8Fg+Or8HQ6WFOrAtWcWX2KlRXSF6A7M0lUPVrSmmgcwp6yOyMAVCEumRk7l -lEG9TJSK0pInEC2gAmRY95sTiGYgyu/0OFbZk6rZRJtpq617d84D6EkJz80I9XIa -dejC1/V7YAbWIvJ+gJDvoQ0zz9//bZkDNHVRP/8rhMvo9JCBZoCqPohDQg/kJzk0 -0Dw1bUiGmnyGOOyjjBVjG0BpZ5cJeYeIR+vBKjbdskwf+fNRAfgg3mx/GTBkpAWb -TdxOdON0VlNTTLSThwIDAQABo10wWzAdBgNVHQ4EFgQUYEyaR1+cGsp4ksddTVm4 -2vR5mXYwHwYDVR0jBBgwFoAUHyKN5Jy/CWcuUTv4icRmQ9lqy20wDAYDVR0TAQH/ -BAIwADALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAB8/04XbnzEumwLE -BwrG8ddJw09M9bfyHZE3o2fP3axfoCmPb148W0EKjd3/ta0C0IS6FSSAZjE0omQy -PFB5R2VyjR9/MSP0CbRu/kgku8yUzTA8XuJjUWwCT+JYxP7peOAIBoKFJpuHy4dq -5omfndXDKmVUzzWSUhPMIFrlk0QX/V7fC3LAMwtjuhdJ7KlrNVyYUuOpYgS0jTYQ -BpcoQFqXRmO2v1kO+A8KIO9+ZWDnOP9ma1YFbrHfPU9Px5j5OexDQ+nJ+2iLiHdo -DA9R5Sse+51/INk+4ZNZxO4BuoSNYz991KGUX/3w5EF7vsC1DX6Gf8E8HCMd2sYR -8S06Qm0= +MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA +MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD +EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT +D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 +QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm +Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd +nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ +enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF +++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV 
+HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu +UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v +cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y +Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM +AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 +c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 +8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G +a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ +crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh +s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB +CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn +31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa +GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v +NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W +9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N +RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi -----END CERTIFICATE----- - " +" ); let intermediate = cert!( " -----BEGIN CERTIFICATE----- -MIIEOTCCAiGgAwIBAgIUR2Y0g1z8TPo2nJguc6VquNHd5QwwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAsMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVk -aWF0ZS1wYXRobGVuLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN -oX/AIxNzzgD9D9Jkyx0nj2bNPblIYkl3UZK9v8+oTAkDkkk9fwZJfrzgNk7DYZ7L -CN9urM5NmQkmEb0h4iBHwxZ2srfSX5Q2406FqZe/naDvPRS6SH06nYlEAyFM0AYq -hyfQq/eNpqHv+/2HPRYmoBAD0mnDPF50aI6p5EpLt+HRRp4aoJDZCLuat1YnEm4U -eEqRQPdJNjEAqU7rpoJ3I0tDQMg8VwZbtIQizfFAgq+iaoOVFtywCnD6C6GmLNXr -uFrBSii0GBk1Wj/ilORzE6y0CQQB+0b0pw1qXvWhnDh9KmIrUGng6rhEqn9M+ygB -G0OX+9bOrqe7DMG9wVKrAgMBAAGjYzBhMB0GA1UdDgQWBBQfIo3knL8JZy5RO/iJ -xGZD2WrLbTAfBgNVHSMEGDAWgBQk6STcTVDVaZDL0bPuPX6jOckpLTASBgNVHRMB -Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsFAAOCAgEA4KB4 
-ZLZsoKnY/bOKZmsT8hYVlzlFWCjitKt0wW5oQ888xB6mRuF7RN4UB4vS+wGsxD+U -Uruv0wfehEfuljN9N67pKpzE38ZzbvDuyhCHTGl/swLVlASWQPdPIG/fba/SFDqC -zvCQ2O1EZCNsixw2EVi6u/9CJQPmTab6kgQE0z6R1Xsd5Jr8FkG3funRtbeKAIyG -Gal8jBztw7ND06B+NlTSUK7S8nASK1FF8UXl9eDzkgc///NEF3BN4GWDE1wqv4KD -d3KAhCC3Jc8pjVnkKhLT5JHc7Xm4wI9NTM5Z6OU9dazUbg1ZPSxny8ZLym+6uTaz -wiDfWSDiuJFs7hvAeSZxJ9YAqqtATMaDaidSZGg3hFsXlrZ55J6MgxMw0J2Yelvv -/1dTUaNSH5E8o4y2EDZDY+F6w4qyrSv8Y/LGCjAqA+2KyZ5UYwTvAZBmW8aex1kc -t4nmFaYww8mXjV0BKT8IpocQwEg0nCTGFBcym+JQ5gsZDrVo5tpwFh0uDMnCp4ZW -9pvsY4dYKErjakjVxNfm3zucWb+i87m0N+XkosGshvZzCyiAJllZvIAz9rYGlgpL -lIxFcUftR94ANsows30zT+mkrh9YotLzKzTfL7QGd8+MIbahfasLY91UISP90ExR -iVjMQ19R8XwBE6n9t+BePjjvfF5ws+ahgpjx1AM= +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz 
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== -----END CERTIFICATE----- - " +" ); let store = Store::new([]); let ops = NullOps {}; - let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 0).unwrap(); - let policy: Policy<'_, _> = Policy::new(ops, None, time); - assert!( - verify(&ee, [intermediate.clone()], &policy, &store) - == Err(PolicyError::Other("chain construction exhausted all candidates").into()) - ); - } - - #[test] - fn test_verify_pathlen_violated() { - let ee = cert!( - " ------BEGIN CERTIFICATE----- -MIIEaTCCAlGgAwIBAgIUcoYtjE7xI0Afx91WvWxcJAKYJRowDQYJKoZIhvcNAQEL -BQAwZzE5MDcGA1UECwwwMTA5MTQ2ODU3OTYwNzQyMDY3Nzk4MzI5NzE5Nzg1NDc2 -ODM4MDMxMDA1Njk2Njg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0 -ZS1wYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx -FjAUBgNVBAMMDXg1MDktbGltYm8tZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCrozwOGLyFsGXZMx7GJxB+wSuyiNQqS23EYPci7ms63M8iyWBK+gq8 -grziRLdchB+4ID70jz8ik3OZ3Fhew+RC3NV0wKbQSzqgoF+ym6/yN5PipSsJUrdJ -Coktb69R7F55jiVJF3GghyB20JQyAL7whXcUjzQ4VOLfwp2I5ioAnYCG/7NetCgP -CWXkseMGYfJRsvpIB/CXIMlwvTIMSR/kgfeeyScl5JGjMxRF6sih81JL2GIu6Sts -TVQIuYJXEtnJUmn8fRDItu44m+sGpmT2bnyEMUFmSLGyxALviayDhLFZFG3DKMwh -CoO9fWQBuie+rvrSMY6DIP5TQj4JIiZHAgMBAAGjWjBYMB0GA1UdDgQWBBSzKwH4 -TC1o+Zwgh7TXbi4D3qnCnDAfBgNVHSMEGDAWgBSdZzog5CmYVJ0DfuO8DjLw5TAy -bzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAmQhP -2EI0G3rGUy+kEmjd7eG+fZ4ChXFcGGCxcGs7ZUDg1/h2OkQU93CmzCTWCbOB6+7E 
-Ct2HqmdTJIngZJ9Irk3gJsJ28mBfKCJ7+W1Q/OuchPR0VDhUxpctWk01CMXLxi5F -bgjxvhMY/0PMUiGon7dj0+ZG847zQuZcoB3Ffa6UrRtPNzXFLlSW4YtqPd7MN+vc -SwiJMMXWtxYbavdUQStcQtFecF+GZ36sKqfiNkvOA4A+/piUIkfLK1gNEuzQM8qV -k91xfDoB+3OP+0I5b52aI7ia4PLnMBKdhPguBieLo09i1VavsLHS/3ouWOKdkDET -TzyWdowdzDGc9+cMABuQtRmnY+OwWRRfzWwLjSQAKqhxDsfpmanOhh058opyRfhY -1R60Jjzq0R5S+OKk1gh/ccZZPGgX1zB4jXp8bRugIJup2q3fqQzxAzcqAKScCclA -gd5BB+ouo7Q9I1uSeor/u/2q45wwPqJvDZIuUB9bPSq4ij4LOr2IlVYN16FvxXIQ -1Eazyv4c6kG/Aus+qp3yCex2xa0ds1eLby76l9d+PYobm7AQldciF1vmRjItHHaz -r/yKTsYRN9TmY2itfQROsUg5WmKRixFXAUyBmgb+FWftevQyMpZcT8bG6Hg/PaYN -0cC73F5qsc2+cRW1xdDl7xW+iPMKz/KmPnat7Jo= ------END CERTIFICATE----- - " - ); - - let ica1 = cert!( - " ------BEGIN CERTIFICATE----- -MIIFdDCCA1ygAwIBAgIUEx5Qe1ttWaNTfPXCZa/SVBOBwq4wDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMDQ5MTQxOTI2OTEyODcwMjE1 -NTE3NDU4NDQ3MzQ0NDc3NjIxNTIxOTE4MjMwNzcxKjAoBgNVBAMMIXg1MDktbGlt -Ym8taW50ZXJtZWRpYXRlLXBhdGhsZW4tMDCCAiIwDQYJKoZIhvcNAQEBBQADggIP -ADCCAgoCggIBALIF/FHh0En9tNBNGnS32DiksKh4aFhuypOqwMNs0S60DFFLVn53 -pRbDT/evYCaKMR6dDQ83WpZkZFsmi+y4TeIr7Pcp573w5vjS+0nS2OXX0t3mOK+e -6x91RMnIuaH/getOBQ5+g46C+dauxVYh+NWM7XrHFJTvGZZpVl2yGkwES0SSN1Ru -9hkc7iWGch0Gn95cBILSQuZbMYfx4zVAhqnCLM4BnNPKXqpfV9Ikn/K2Ok7hpd0/ -8dE3WsdxorqA/YTBLN4DoEqsLILgTl/HeI8+i6nfniC67JPfQBI09jetwy9IHDJl -Y6ZHiNYSR3BBKl9WDFcyfLTvy11Zi89fTvEge4eazlUl2K/q3pL775y2Ek0aCQ2f -3gXDoSfccJF/oBhgNCyZzWUW9Rq0FZtmxkQbJzGF51gRuiG/L1UaligPQQ47FtQE -Im0e8gV2BrL3USd/m0xsR0zSxZVZmQEQyrtod/WdUtOdx1BUE7QvXmWVp4+QB7hg -oMgOumReR13KQ8aXd1Bfj5OiBc1B9UaL2N7/PzquNpuLt8x+jjSuw67zZee5URuw -4zVx050j83f/qDjzKAwb1rcxdjUGvLVJVwAqcxiTHOH1nLlNVbK5u8sVQsnYDaB2 -jT+RXKcsnY7tmN21x+T84GsFADNpAy2YoUlYeAqQ8NK0kVA/U8AJPQjfAgMBAAGj -YzBhMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMB8GA1UdIwQYMBaA -FNAxi7w73NS0/VlZibm1DltIotGEMB0GA1UdDgQWBBTrJrLI8aeMGxO0Tj6pD4B1 -n2d4NDANBgkqhkiG9w0BAQsFAAOCAgEAeKKpKejROdi709D0INzcf1RtOlGcoxlh 
-oIbIRuYZraFJlsqQbSYbJvOPGumDwAqTibO//re796yu5nQme1YNPzNGxMJe/lm7 -kUFcXO4/QIxXxh32/PSX2C/EEO3Yg2eBdnoqOC2qwAsJnP5NLV4usIE1V7w5mRx8 -Ykunqi0hTAg2bUaPKfmgWa1B9d0VzAtSXyUFASYuiPTkqzyT17ehrLcXfbRoHUdz -xkt4GmLpf/0DsjPLjmnWxhuBYlEOiy+O0XHJBBmDJEQi26kahNqnspTCxJ0PRxza -jqZzwuTxi53PCAsJwY2ZiicWUPMJ3xHembjSZZkuU9hcb1aixkbkSnE7JtleCCHt -Txbim0s8IpExpqo/25oBLsX1VTwGl2kpzClVzc+zY0jLLrbhg1LRz0ZNQvWov3cm -a8jjOBvaR1BZ0/yvk6wxpInESuGkAtCoNeJCqipA88LKT2KY1QzgxEbN7um+StWS -xGoCyOvujQfc3/wjaUmiMY2+wt5DCSHKALA88yzU12iL8b6crPK3V3UUcKUwbocg -bEb5VT5KwAotK1cpdc4agZCnrUCVS7kBUufKHYPwseT5gAFLXEYK8UoS0WTCVn8z -tTZE2qAbb7TJzjcnpSw6PzU2xPEFVtbsVE7YcRkYtbhRLV32dHrnhOYSjwHPfr4y -NSqd4SA0rBE= ------END CERTIFICATE----- - " - ); - - let ica2 = cert!( - " ------BEGIN CERTIFICATE----- -MIIFwTCCA6mgAwIBAgIUcmzLOEoPYUSPHc9kvZxdQY9aJdowDQYJKoZIhvcNAQEL -BQAwZzE5MDcGA1UECwwwMjA0OTE0MTkyNjkxMjg3MDIxNTUxNzQ1ODQ0NzM0NDQ3 -NzYyMTUyMTkxODIzMDc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0 -ZS1wYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcx -OTA3BgNVBAsMMDEwOTE0Njg1Nzk2MDc0MjA2Nzc5ODMyOTcxOTc4NTQ3NjgzODAz -MTAwNTY5NjY4NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0 -aGxlbi0wMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy8cq9B1+iaEJ -oOs/rcgWYpJMUY8bM+spsl6Pn8WeZhPKCW5naM+H6pvmBLg5Zeeld3goo30RqO4F -yRsOXVPXoJPqJWJFC5d8MRKJb1YEwuCUU9cKcSuQiln4HUBYPW5bqkCE/JhfohXI -dc9H1o6zeyyj7lgrKBVQmeObOj/XmAF2GNdWH2bIh1RBl4A/1CxXwml4Kog7TzXD -qx/d1Kloa89cmaj5H5drIgCy0aRNwRy9RHWE76Pcb8SjqITWPHONA+gelANoglfq -iFPZ51opTKi6OvvCptsgSRYPBHak6FQG9jPj7BF/YiRulyQYMBKkGISNExILtsre -a1a+dytNOa4VlsIAraGw4YdIhKgM4hbilE6q69cUeojeVW3C6TvlR158KC1Rsv7P -VY7K2ZGW0eIUWKr/32tWOJMNBOalZwMGTBxyoJEWIINyskEU0xvLI5pdWjWHixsG -7fxUvKDtsCeE+dpATSP81AaxUA1BtTh51oQVOd4XQJnkpBV789Fg5BlF5Bx7PpHl -vhqUmLcOWtrBIR40BxYIUiCvcR4ettqguuY4SucYCAlJw7UoMxx1yNz4jfE4bJY5 -+I6qyZXsQtlBo6WgQbXLI3dt1sWR+yrUDYIrlFpWrYDwfzpFav2nMfj7Pku0tzF0 -KLgpE7yXaZxH2fhBhC7XcdEZMGsp3w8CAwEAAaNjMGEwEgYDVR0TAQH/BAgwBgEB 
-/wIBADALBgNVHQ8EBAMCAgQwHwYDVR0jBBgwFoAU6yayyPGnjBsTtE4+qQ+AdZ9n -eDQwHQYDVR0OBBYEFJ1nOiDkKZhUnQN+47wOMvDlMDJvMA0GCSqGSIb3DQEBCwUA -A4ICAQB4UMVhJdP000QgoUj8Z0bZx//6HEH2nAXPRNFwmzOFUjXS+qb0lMwrhXOy -BVIHWuGPUDZy+qVXnw7nVt9sfPFGUjgXQ4jNWOm2lQsfJ6LP1j4Gj0+SzKfz8MgH -i1gYCZeejJ5h2yhAyfZ39i8arJmIeToPIn+Lesp/53cAexTlCwszgR37yWaG+5UU -AeCA+7pcqx0Qm5BgoEUOLikUT8GfwX9C3E084UjUrgy6vJN+Bx76TFqahQA/ErSy -11Ek431nkGOIDc33rpfs/AYSTShsSlB8xu328Pmn20p1REbpcJDPmDE5dLNd5S/u -pgLMWo9bbLE6qsi5BBOyVuzCzihN9CmSPfux1jTAGMKsVHeRiN+9nCWFxL786Rzy -IptR/SEuLiBB6DUJVXAPNuSRUWkEX94vPIy0vTlOaDcmSy9X5XE47MKBo9Ct/c5o -Qn4edY6URTSV6regYIfGfK9IioLZwI7j/AMbldscQ92tB9HsKGzZYTD47kr7c7IL -RwCibhrqroUllMCQ109R1KtyBDgNedHFQ7wWDj8ESGJFiEgO4RwU8a+trf+Ky+He -+CHtXoZcy/ROaeqaRCvDG9253IFxi0/3zUHf9TFT+FvmgcVwXi9jNdEDpncKZ+Vw -TqGoQg2eW2AXbkZ+XrIgt+oKwFZndF05kAMeDTxTyOv2kQH/fA== ------END CERTIFICATE----- - " - ); - - let root = cert!( - " ------BEGIN CERTIFICATE----- -MIIFAzCCAuugAwIBAgIUI+SrkcegkxHgRJZ21QU8ACJ6DOUwDQYJKoZIhvcNAQEL -BQAwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY -DzI5NjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwggIi -MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8y9k0m4pz4olDu9ec65yjJLci -RaQS81pkY2h8SxLhTFTtloAG1QszR3xHOyfN8dKyXd7DMjKHZAy019TmuDxHyVqv -CxhoDX6qVLHcGVhSajgAYnPxJ0DlTMjhNK1sDv0xgokGj9SsbA6E2NMgF0hVqSP1 -fM/IsCo6NYJLZREki4vGJ/Wejv6krT7sNPqICRSJXJB/L9NYNZTSjo4Ju5cdEVuA -r6X0O0r3T4FZUDV68ft7qHJl0iV+u1ScTh8SmKQwVKdH5k4+g5ZNeFRqe07rm6Y9 -owWxVfb1+cm5crHGGKxqtBmj2YHj4nhQlLHxzfylMKN4rw8DN2PUQ8Mf7tkoN3kc -S4QkgLMwRWdbIrRlluZQAt9SWg2dbi0M39iXQQZD+pu9GoHcckOgMm+rVQrfn+W9 -+njiB74S8QKkZCoCU6WRpU+sSiNUTZwCO8E4pTPzpMMbYm95GQbRchZdnu5t2ABR -TpMPLiLIp09bcAq0ZtNvoQ1Qa4NQ1opJaZvph/EseubZ5QPP/4zABu6zb/kZn53b -l7R+ykMTNgXw2lWLGqAOzsqid5Aidp3dVZhelSaQ7XBaMU9vTAlktD+EYUowNJgR -TROMOcYsmnxqatwoQwgi+lXArL7wRcU6Kv6Ex8IlpwlzirC3za7uh2Pg4aKXsxZc -kcJiaR+q81XPcJarrwIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQE -AwICBDAdBgNVHQ4EFgQU0DGLvDvc1LT9WVmJubUOW0ii0YQwDQYJKoZIhvcNAQEL 
-BQADggIBACmN5xJFpIFxP9meIa9DEncT931WL3poaPJn7yDKu5a8kJfmphVJU0KT -DOlAxLqeg4C3r/9733UHJQveAi+Mdns8O7ibBML8ge3pYEfccG/Naj4PyMbTLCHa -VLAzii2yXrUA+snNkJDuXuGQ9jSzJhan4E+ujZRt74Pt0vIR592/Jwa6CsPtlUXm -XVVwlXtah9dVwRcGHY8NyE1j01PlGtou7qcVaMWPcoKpWJEOb/IMz2zuq4u1bteE -WPEEwoc4z1DNoAXJVmew0h4NfDQem0qf21AyKx0VOybKYj+sM1rca3DhVh6doY95 -9FhQzMTIeTyF0Ha409mI01Uo21Mw2K3CuRMBFFzHqiQp/FtDOghk3DPwe4Uj3Yv7 -Y7C/lmEavH6eaaUoXHTlvsFjYGjnuV2eT4YYm0kvhJNp5YYxJxjXTV8mVYTy4Wd9 -yLO64Q84KAFCZfYJLXpaGZXe7H5Ki1iNabRJr7YldXGY0BPQ6GCwFB/eIgEOIrqb -wlQr0hCXx0OC3uts94nuOCpra86EaQs/qzJ1yMLxpUEN3JP8lBaj/uRXNhqC8R5+ -dw/3BAjyHf+7GbtUY+tWIU2voxs1PWQpkU8BSnXlkBBT5OwIM6gq7FrAEs020/EA -CPz+qQOJcoMt8w6dIMgADFNgoigKtKM1rX7D0UuuOUVYNfq9ERVf ------END CERTIFICATE----- - " + let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); + let policy: Policy<'_, _> = Policy::new( + ops, + Some(policy::Subject::DNS( + DNSName::new("cryptography.io").unwrap(), + )), + time, ); - - let store = Store::new([root]); - let ops = NullOps {}; - let time = asn1::DateTime::new(2023, 1, 1, 0, 0, 0).unwrap(); - let policy: Policy<'_, _> = Policy::new(ops, None, time); - assert!( - verify(&ee, [ica1.clone(), ica2.clone()], &policy, &store) - == Err(PolicyError::Other("chain construction exhausted all candidates").into()) + assert_eq!( + verify(&ee, [intermediate.clone()], &policy, &store).err(), + Some(PolicyError::Other("chain construction exhausted all candidates").into()) ); } } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 63ee6317e9b3..2a7191bc84cc 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -269,7 +269,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ]), ee_extension_policies: Vec::from([ // 5280 4.2.1.3: Key Usage - ExtensionPolicy::not_present(KEY_USAGE_OID), + ExtensionPolicy::maybe_present(KEY_USAGE_OID, Criticality::Agnostic, None), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name ExtensionPolicy::present( SUBJECT_ALTERNATIVE_NAME_OID, From b7205be1994ec078f712dc1ec67a1b3204f23fb7 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Sat, 7 Oct 2023 05:29:14 +1100 Subject: [PATCH 010/155] rust: support name constraints (#4) * rust: WIP code to verify name constraints * rust: get DNS name constraints working * rust: fix DNS pattern match check * lib: clippage Signed-off-by: William Woodruff * lib: fmt Signed-off-by: William Woodruff * WIP to store `GeneralName` directly * lib: fmt Signed-off-by: William Woodruff * lib: reuse Chain type Signed-off-by: William Woodruff * extensions: drop unnecessary self lifetime bound (#9650) Signed-off-by: William Woodruff * validation: fix lifetimes Signed-off-by: William Woodruff * certificate: increase lifetime precisions (#9651) Similar to #9650: adding explicit lifetimes here prevents Rust from binding `&self` to the placeholder lifetime, which it does by default. The in turn allows the return values here to outlive `&self`. Signed-off-by: William Woodruff * Rename chain result to something more idiomatic * Use default annotation for name constraints * Simplify constraint subtree collection * Create separate `DNSConstraint` type * Add CA and EE name constraint checks * rust: Revert `permits_leaf` refactor * rust: Make name constraint matching slightly more correct * rust: Fix `IPAddress._packed` call * rust: Account for the case when an IP SAN doesn't represent a range * rust: Refine name constraint logic for SANs * rust: Use `matches!` macro * rust: Don't apply name constraints to self-issued certs unless its the leaf * DNSConstraint: newtype pattern Signed-off-by: William Woodruff * oops 
Signed-off-by: William Woodruff * types: refactor, test DNSConstraint Signed-off-by: William Woodruff * types: another constraint test for good measure Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 190 +++++++++++++++++- .../src/policy/mod.rs | 50 +++-- .../cryptography-x509-validation/src/types.rs | 97 ++++++++- 3 files changed, 300 insertions(+), 37 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 07c16290b1f1..6e243e5dd64e 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -13,10 +13,22 @@ pub mod types; use std::collections::HashSet; -use cryptography_x509::certificate::Certificate; +use crate::certificate::cert_is_self_issued; +use crate::types::{DNSConstraint, IPAddress, IPRange}; +use crate::ApplyNameConstraintStatus::{Applied, Skipped}; +use cryptography_x509::extensions::Extensions; +use cryptography_x509::{ + certificate::Certificate, + extensions::{ + DuplicateExtensionsError, NameConstraints, SequenceOfSubtrees, SubjectAlternativeName, + }, + name::GeneralName, + oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, +}; use ops::CryptoOps; use policy::{Policy, PolicyError}; use trust_store::Store; +use types::DNSName; #[derive(Debug, PartialEq)] pub enum ValidationError { 
@@ -29,7 +41,26 @@ impl From for ValidationError { } } +impl From for ValidationError { + fn from(value: asn1::ParseError) -> Self { + ValidationError::Policy(PolicyError::Malformed(value)) + } +} + +impl From for ValidationError { + fn from(value: DuplicateExtensionsError) -> Self { + ValidationError::Policy(PolicyError::DuplicateExtension(value)) + } +} + +#[derive(Default)] +pub struct AccumulatedNameConstraints<'a> { + pub permitted: Vec>, + pub excluded: Vec>, +} + pub type Chain<'c> = Vec>; +type IntermediateChain<'c> = (Chain<'c>, AccumulatedNameConstraints<'c>); pub fn verify<'leaf: 'chain, 'inter: 'chain, 'store: 'chain, 'chain, B: CryptoOps>( leaf: &'chain Certificate<'leaf>, @@ -48,6 +79,28 @@ struct ChainBuilder<'a, 'inter, 'store, B: CryptoOps> { store: &'a Store<'store>, } +// When applying a name constraint, we need to distinguish between a few different scenarios: +// * `Applied(true)`: The name constraint is the same type as the SAN and matches. +// * `Applied(false)`: The name constraint is the same type as the SAN and does not match. +// * `Skipped`: The name constraint is a different type to the SAN. +enum ApplyNameConstraintStatus { + Applied(bool), + Skipped, +} + +impl ApplyNameConstraintStatus { + fn is_applied(&self) -> bool { + matches!(self, Applied(_)) + } + + fn is_match(&self) -> bool { + match self { + Applied(a) => *a, + _ => false, + } + } +} + impl<'a, 'inter, 'store, 'leaf, 'chain, 'work, B: CryptoOps> ChainBuilder<'a, 'inter, 'store, B> where 'leaf: 'chain, 
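Review bot: `ApplyNameConstraintStatus::is_match` ends in a catch-all `_ => false` arm even though the enum is defined a few lines above and has only two variants. Spelling the arm out as `Skipped => false` keeps the match exhaustive, so a variant added later forces this decision to be revisited rather than silently counting as "no match". The three-line comment above the enum would also serve readers better as `///` doc comments on the individual variants.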
@@ -86,11 +139,104 @@ where .filter(|&candidate| candidate.subject() == cert.issuer()) } - fn build_chain_inner( + fn build_name_constraints_subtrees( &self, + subtrees: SequenceOfSubtrees<'work>, + ) -> Vec> { + subtrees.unwrap_read().clone().map(|x| x.base).collect() + } + + fn build_name_constraints( + &self, + constraints: &mut AccumulatedNameConstraints<'work>, + working_cert: &'a Certificate<'work>, + ) -> Result<(), ValidationError> { + let extensions: Extensions<'work> = working_cert.extensions()?; + if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { + let nc: NameConstraints<'work> = nc.value()?; + if let Some(permitted_subtrees) = nc.permitted_subtrees { + constraints + .permitted + .extend(self.build_name_constraints_subtrees(permitted_subtrees)); + } + if let Some(excluded_subtrees) = nc.excluded_subtrees { + constraints + .excluded + .extend(self.build_name_constraints_subtrees(excluded_subtrees)); + } + } + Ok(()) + } + + fn apply_name_constraint( + &self, + constraint: &GeneralName<'work>, + san: &GeneralName<'_>, + ) -> Result { + match (constraint, san) { + (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { + if let Some(pattern) = DNSConstraint::new(pattern.0) { + let name = DNSName::new(name.0).unwrap(); + Ok(Applied(pattern.matches(&name))) + } else { + Err(PolicyError::Other("malformed DNS name constraint").into()) + } + } + (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { + if let Some(pattern) = IPRange::from_bytes(pattern) { + let name = IPAddress::from_bytes(name).unwrap(); + Ok(Applied(pattern.matches(&name))) + } else { + Err(PolicyError::Other("malformed IP name constraint").into()) + } + } + _ => Ok(Skipped), + } + } + + fn apply_name_constraints( + &self, + constraints: &AccumulatedNameConstraints<'work>, working_cert: &Certificate<'work>, + ) -> Result<(), ValidationError> { + let extensions = working_cert.extensions()?; + if let Some(sans) = 
extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { + let sans: SubjectAlternativeName<'_> = sans.value()?; + for san in sans.clone() { + // If there are no applicable constraints, the SAN is considered valid so let's default to true. + let mut permit = true; + for c in constraints.permitted.iter() { + let status = self.apply_name_constraint(c, &san)?; + if status.is_applied() { + permit = status.is_match(); + if permit { + break; + } + } + } + if !permit { + return Err( + PolicyError::Other("no permitted name constraints matched SAN").into(), + ); + } + for c in constraints.excluded.iter() { + let status = self.apply_name_constraint(c, &san)?; + if status.is_match() { + return Err( + PolicyError::Other("excluded name constraint matched SAN").into() + ); + } + } + } + } + Ok(()) + } + + fn build_chain_inner( + &self, + working_cert: &'a Certificate<'work>, current_depth: u8, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(PolicyError::Other("chain construction exceeds max depth").into()); } @@ -102,7 +248,9 @@ where // here: inclusion in the root set implies a trust relationship, // even if the working certificate is an EE or intermediate CA. if self.store.contains(working_cert) { - return Ok(vec![working_cert.clone()]); + let mut constraints = AccumulatedNameConstraints::default(); + self.build_name_constraints(&mut constraints, working_cert)?; + return Ok((vec![working_cert.clone()], constraints)); } // Otherwise, we collect a list of potential issuers for this cert, 
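Review bot: In `apply_name_constraint`, `DNSName::new(name.0).unwrap()` and `IPAddress::from_bytes(name).unwrap()` run on SAN values read from the certificate being validated, so a SAN these constructors reject panics the verifier instead of failing validation (the tests added in this patch show `DNSName::new` returning `None` for leading-dot names, and `DNSConstraint::new`, which wraps it, returning `None` for wildcards). Unless a policy check outside this hunk guarantees that every SAN parses, return an error the way the constraint side already does, e.g. `let name = DNSName::new(name.0).ok_or(PolicyError::Other("malformed DNS SAN"))?;`, and likewise in the IP arm. Separately, the `_ => Ok(Skipped)` arm also covers constraint forms this code does not implement (anything other than DNS and IP), so such a constraint is ignored even when the certificate carries a name of that form. RFC 5280 4.2.1.10 asks a verifier to either process a critical constraint or reject the certificate in that case, so an explicit error arm, or at least a comment recording the decision, would be safer than the silent skip.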
@@ -115,9 +263,23 @@ where self.policy .valid_issuer(issuing_cert_candidate, working_cert, current_depth) { - let mut chain = vec![working_cert.clone()]; - chain.extend(self.build_chain_inner(issuing_cert_candidate, next_depth)?); - return Ok(chain); + let result = self.build_chain_inner(issuing_cert_candidate, next_depth); + if let Ok(result) = result { + let (remaining, mut constraints) = result; + // Name constraints are not applied to self-issued certificates unless they're the leaf certificate in the chain. + let skip_name_constraints = + cert_is_self_issued(working_cert) && current_depth != 1; + if skip_name_constraints + || self + .apply_name_constraints(&constraints, working_cert) + .is_ok() + { + let mut chain: Vec> = vec![working_cert.clone()]; + chain.extend(remaining); + self.build_name_constraints(&mut constraints, working_cert)?; + return Ok((chain, constraints)); + } + } } } @@ -126,7 +288,10 @@ where Err(PolicyError::Other("chain construction exhausted all candidates").into()) } - fn build_chain(&self, leaf: &Certificate<'leaf>) -> Result, ValidationError> { + fn build_chain( + &self, + leaf: &'chain Certificate<'leaf>, + ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). @@ -136,7 +301,14 @@ where self.policy.permits_leaf(leaf)?; // NOTE: We start the chain depth at 1, indicating the EE. - self.build_chain_inner(leaf, 1) + let result = self.build_chain_inner(leaf, 1); + match result { + Ok(result) => { + let (chain, _) = result; + Ok(chain) + } + Err(error) => Err(error), + } } } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 2a7191bc84cc..f6b30d3c49cc 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
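Review bot: The permitted subtrees of every CA on the path are appended to one flat `constraints.permitted` list (`build_name_constraints` is called here for each certificate as the recursion unwinds), and `apply_name_constraints` accepts a SAN as soon as any one same-typed entry matches. That makes the permitted set a union, whereas RFC 5280 section 6.1.4 takes the intersection of permitted subtrees along the path, so a constraint placed on an intermediate by its issuer can be widened by that intermediate's own `permittedSubtrees`. Keeping the permitted entries grouped per certificate and requiring a match in every group that holds a same-typed constraint would give the intersection; the excluded list is correct as a union. The change touches `AccumulatedNameConstraints` and both helper functions, which are defined in earlier hunks. In this hunk, `.is_ok()` on `apply_name_constraints` also discards the specific failure, so callers only ever see "chain construction exhausted all candidates".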
@@ -29,7 +29,7 @@ use cryptography_x509::oid::{ use self::extension::{ca, ee, Criticality, ExtensionPolicy}; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::ops::CryptoOps; -use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; +use crate::types::{DNSName, DNSPattern, IPAddress}; // RSASSA‐PKCS1‐v1_5 with SHA‐256 static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { @@ -162,8 +162,8 @@ impl Subject<'_> { (GeneralName::DNSName(pattern), Self::DNS(name)) => { DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) } - (GeneralName::IPAddress(pattern), Self::IP(name)) => { - IPRange::from_bytes(pattern).map_or(false, |p| p.matches(name)) + (GeneralName::IPAddress(addr), Self::IP(name)) => { + IPAddress::from_bytes(addr).map_or(false, |addr| addr == *name) } _ => false, } @@ -478,9 +478,16 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// path validation, whether it be a CA or EE. As such, `permits_leaf` /// is logically equivalent to `permits_ee(leaf) || permits_ca(leaf)`. pub(crate) fn permits_leaf(&self, leaf: &Certificate<'_>) -> Result<(), PolicyError> { - // NOTE: Perform `permits_ee` first, since 99% of path validations should have - // an EE certificate in the leaf position. - self.permits_ee(leaf).or_else(|_| self.permits_ca(leaf)) + // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. + // Code like this will propagate irrelevant error messages out of the API. + let extensions = leaf.extensions()?; + if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { + let key_usage: KeyUsage<'_> = key_usage.value()?; + if key_usage.key_cert_sign() { + return self.permits_ca(leaf); + } + } + self.permits_ee(leaf) } /// Checks whether the given CA certificate is compatible with this policy. 
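Review bot: The doc comment kept above `permits_leaf` still says the function is "logically equivalent to `permits_ee(leaf) || permits_ca(leaf)`", which the new body no longer is: it calls `permits_ca` when the Key Usage extension asserts `keyCertSign` and `permits_ee` in every other case. The comment should describe the dispatch instead, for example `/// A leaf whose Key Usage asserts keyCertSign is checked as a CA; any other leaf is checked as an EE.` It is worth stating there as well that a leaf without a Key Usage extension is always held to the EE profile, since that follows from the code but not from the current wording. The beginning of the doc comment lies outside the hunk.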
@@ -758,28 +765,27 @@ mod tests { assert!(!ip_sub.matches(&any_cryptography_io)); } - // Single SAN, IP range. + // Single SAN, IP address. { - // 127.0.0.1/24 - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]); let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); - let local_24 = asn1::parse_single::>(&san_der).unwrap(); + let localhost = asn1::parse_single::>(&san_der).unwrap(); - assert!(ip_sub.matches(&local_24)); - assert!(!domain_sub.matches(&local_24)); + assert!(ip_sub.matches(&localhost)); + assert!(!domain_sub.matches(&localhost)); } - // Multiple SANs, both domain wildcard and IP range. + // Multiple SANs, both domain wildcard and IP address. { let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*.cryptography.io")); - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]); let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn, ip_gn])).unwrap(); - let any_cryptography_io_or_local_24 = + let any_cryptography_io_or_localhost = asn1::parse_single::>(&san_der).unwrap(); - assert!(domain_sub.matches(&any_cryptography_io_or_local_24)); - assert!(ip_sub.matches(&any_cryptography_io_or_local_24)); + assert!(domain_sub.matches(&any_cryptography_io_or_localhost)); + assert!(ip_sub.matches(&any_cryptography_io_or_localhost)); } // Single SAN, invalid domain pattern. @@ -791,15 +797,5 @@ mod tests { assert!(!domain_sub.matches(&any_cryptography_io)); } - - // Single SAN, invalid IP range. - { - // 127.0.0.1/24 - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 1, 255, 1, 0]); - let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); - let local_24 = asn1::parse_single::>(&san_der).unwrap(); - - assert!(!ip_sub.matches(&local_24)); - } } } 
diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index 515962ad13aa..88fc395caebf 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -69,6 +69,16 @@ impl<'a> DNSName<'a> { None => None, } } + + /// Returns this DNS name's labels, in reversed order + /// (from top-level domain to most-specific subdomain). + fn rlabels(&self) -> impl Iterator { + self.as_str() + .split('.') + .collect::>() + .into_iter() + .rev() + } } impl PartialEq for DNSName<'_> { 
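Review bot: `rlabels` collects the labels into a `Vec` only to reverse it, while `str::rsplit` already yields the same labels from right to left; the body can be just `self.as_str().rsplit('.')`. That removes one allocation per call, which is relevant because `DNSConstraint::matches`, added later in this patch, calls `rlabels` twice per comparison and its comment justifies the label-wise approach by the allocations it saves.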
@@ -113,6 +123,59 @@ impl<'a> DNSPattern<'a> { } } +/// A `DNSConstraint` represents a DNS name constraint as defined in [RFC 5280 4.2.1.10]. +/// +/// [RFC 5280 4.2.1.10]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 +#[derive(Debug, PartialEq)] +pub struct DNSConstraint<'a>(DNSName<'a>); + +impl<'a> DNSConstraint<'a> { + pub fn new(pattern: &'a str) -> Option { + DNSName::new(pattern).map(Self) + } + + /// Returns true if this `DNSConstraint` matches the given name. + /// + /// Constraint matching is defined by RFC 5280: any DNS name that can + /// be constructed by simply adding zero or more labels to the left-hand + /// side of the name satisfies the name constraint. + /// + /// ```rust + /// # use cryptography_x509_validation::types::{DNSConstraint, DNSName}; + /// let example_com = DNSName::new("example.com").unwrap(); + /// let badexample_com = DNSName::new("badexample.com").unwrap(); + /// let foo_example_com = DNSName::new("foo.example.com").unwrap(); + /// assert!(DNSConstraint::from(example_com.clone()).matches(&example_com)); + /// assert!(DNSConstraint::from(example_com.clone()).matches(&foo_example_com)); + /// assert!(!DNSConstraint::from(example_com.clone()).matches(&badexample_com)); + /// ``` + pub fn matches(&self, name: &DNSName<'_>) -> bool { + // NOTE: This may seem like an obtuse way to perform label matching, + // but it saves us a few allocations: we create an intermediate + // vector for each reversed label set, but the strings themselves + // are never cloned. By contrast, a substring check would require + // us to clone each string and do case normalization. + // Note also that we check the length in advance: Rust's zip + // implementation terminates with the shorter iterator, so we need + // to first check that the candidate name is at least as long as + // the constraint it's matching against. 
+ name.as_str().len() >= self.0.as_str().len() + && self + .0 + .rlabels() + .zip(name.rlabels()) + .skip_while(|(a, o)| a.eq_ignore_ascii_case(o)) + .next() + .is_none() + } +} + +impl<'a> From> for DNSConstraint<'a> { + fn from(value: DNSName<'a>) -> Self { + Self(value) + } +} + #[derive(Copy, Clone, Debug, PartialEq, Eq)] pub struct IPAddress(IpAddr); @@ -252,7 +315,7 @@ impl IPRange { #[cfg(test)] mod tests { - use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; + use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPRange}; #[test] fn test_dnsname_debug_trait() { @@ -286,6 +349,8 @@ mod tests { assert_eq!(DNSName::new("foo.bar-.example.com"), None); assert_eq!(DNSName::new(&"a".repeat(64)), None); assert_eq!(DNSName::new("⚠️"), None); + assert_eq!(DNSName::new(".foo.example"), None); + assert_eq!(DNSName::new(".example.com"), None); let long_valid_label = "a".repeat(63); let long_name = std::iter::repeat(long_valid_label) 
@@ -386,6 +451,36 @@ mod tests { assert!(!any_localhost.matches(&DNSName::new("localhost").unwrap())); } + #[test] + fn test_dnsconstraint_new() { + assert_eq!(DNSConstraint::new(""), None); + assert_eq!(DNSConstraint::new("."), None); + assert_eq!(DNSConstraint::new("*."), None); + assert_eq!(DNSConstraint::new("*"), None); + assert_eq!(DNSConstraint::new(".example"), None); + assert_eq!(DNSConstraint::new("*.example"), None); + assert_eq!(DNSConstraint::new("*.example.com"), None); + + assert!(DNSConstraint::new("example").is_some()); + assert!(DNSConstraint::new("example.com").is_some()); + assert!(DNSConstraint::new("foo.example.com").is_some()); + } + + #[test] + fn test_dnsconstraint_matches() { + let example_com = DNSConstraint::new("example.com").unwrap(); + + // Exact domain and arbitrary subdomains match. + assert!(example_com.matches(&DNSName::new("example.com").unwrap())); + assert!(example_com.matches(&DNSName::new("foo.example.com").unwrap())); + assert!(example_com.matches(&DNSName::new("foo.bar.baz.quux.example.com").unwrap())); + + // Parent domains, distinct domains, and substring domains do not match. + assert!(!example_com.matches(&DNSName::new("com").unwrap())); + assert!(!example_com.matches(&DNSName::new("badexample.com").unwrap())); + assert!(!example_com.matches(&DNSName::new("wrong.com").unwrap())); + } + #[test] fn test_ipaddress_from_str() { assert_ne!(IPAddress::from_str("192.168.1.1"), None) From d663c071affc609041ac8c31f6ed52b1821a55fd Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 6 Oct 2023 14:35:24 -0400 Subject: [PATCH 011/155] types: clippage Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/types.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index 88fc395caebf..d0196c739704 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs 
+++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -164,9 +164,7 @@ impl<'a> DNSConstraint<'a> { .0 .rlabels() .zip(name.rlabels()) - .skip_while(|(a, o)| a.eq_ignore_ascii_case(o)) - .next() - .is_none() + .all(|(a, o)| a.eq_ignore_ascii_case(o)) } } From 5285a9a72d5a85dd7a08bc682d4b2eac77181527 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 17 Oct 2023 02:49:09 +1100 Subject: [PATCH 012/155] rust: check for malformed `AuthorityInformationAccess` extension (#5) * rust: check for malformed `AuthorityInformationAccess` extension * policy: do AIA check as an ExtensionPolicy Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: William Woodruff --- .../src/policy/extension.rs | 24 +++++++++++++++++++ .../src/policy/mod.rs | 20 ++++++++++++---- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index cdef1016770c..a2308ff944b4 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -247,3 +247,27 @@ pub(crate) mod ca { Ok(()) } } + +pub(crate) mod common { + use cryptography_x509::{ + certificate::Certificate, + extensions::{Extension, SequenceOfAccessDescriptions}, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, PolicyError}, + }; + + pub(crate) fn authority_information_access( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + // We don't currently do anything useful with these, but we + // do check that they're well-formed. + let _: SequenceOfAccessDescriptions<'_> = extn.value()?; + + Ok(()) + } +} diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index f6b30d3c49cc..ecff58d07340 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -21,12 +21,13 @@ use cryptography_x509::extensions::{ }; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ - AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, EKU_SERVER_AUTH_OID, - EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID, POLICY_CONSTRAINTS_OID, - SUBJECT_ALTERNATIVE_NAME_OID, SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, + AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, + EKU_SERVER_AUTH_OID, EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID, + POLICY_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, SUBJECT_DIRECTORY_ATTRIBUTES_OID, + SUBJECT_KEY_IDENTIFIER_OID, }; -use self::extension::{ca, ee, Criticality, ExtensionPolicy}; +use self::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress}; @@ -224,6 +225,7 @@ pub struct Policy<'a, B: CryptoOps> { pub critical_ca_extensions: HashSet, pub critical_ee_extensions: HashSet, + common_extension_policies: Vec>, ca_extension_policies: Vec>, ee_extension_policies: Vec>, } @@ -247,6 +249,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), + common_extension_policies: Vec::from([ExtensionPolicy::maybe_present( + // 5280 4.2.2.1: Authority Information Access + AUTHORITY_INFORMATION_ACCESS_OID, + Criticality::NonCritical, + Some(common::authority_information_access), + )]), ca_extension_policies: Vec::from([ // 5280 4.2.1.2: Subject Key Identifier ExtensionPolicy::present( 
@@ -354,6 +362,10 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // and it MUST be non-empty if present. // TODO: Check this. + for ext_policy in self.common_extension_policies.iter() { + ext_policy.permits(self, cert, &extensions)?; + } + // 5280 4.2.1.1: Authority Key Identifier // Certificates MUST have an AuthorityKeyIdentifier, it MUST contain // the keyIdentifier field, and it MUST NOT be critical. From 2adf17710c9f7a02694b43f07502a7f7620a6558 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 19 Oct 2023 10:56:59 -0400 Subject: [PATCH 013/155] validation: refactor maybe_present extn handling More expressive. Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 67 +++++++--- .../src/policy/mod.rs | 120 ++++-------------- 2 files changed, 75 insertions(+), 112 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index a2308ff944b4..ed416cdc7ebc 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -34,9 +34,12 @@ impl Criticality { } } -type ExtensionValidatorCallback = +type PresentExtensionValidatorCallback = fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; +type MaybeExtensionValidatorCallback = + fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), PolicyError>; + /// Represents different validation states for an extension. pub(crate) enum ExtensionValidator { /// The extension MUST NOT be present. 
@@ -47,12 +50,13 @@ pub(crate) enum ExtensionValidator { criticality: Criticality, /// An optional validator over the extension's inner contents, with /// the surrounding `Policy` as context. - validator: Option>, + validator: Option>, }, - /// The extension MAY be present. + /// The extension MAY be present; the interior validator is + /// always called if supplied, including if the extension is not present. MaybePresent { criticality: Criticality, - validator: Option>, + validator: Option>, }, } @@ -74,7 +78,7 @@ impl ExtensionPolicy { pub(crate) fn present( oid: ObjectIdentifier, criticality: Criticality, - validator: Option>, + validator: Option>, ) -> Self { Self { oid, @@ -88,7 +92,7 @@ impl ExtensionPolicy { pub(crate) fn maybe_present( oid: ObjectIdentifier, criticality: Criticality, - validator: Option>, + validator: Option>, ) -> Self { Self { oid, @@ -133,25 +137,27 @@ impl ExtensionPolicy { // If a custom validator is supplied, apply it. validator.map_or(Ok(()), |v| v(policy, cert, &extn)) } - // Extension MAY be present and is; check it. + // Extension MAY be present. ( ExtensionValidator::MaybePresent { criticality, validator, }, - Some(extn), + extn, ) => { - if !criticality.permits(extn.critical) { + // If the extension is present, apply our criticality check. + if extn + .as_ref() + .map_or(false, |extn| !criticality.permits(extn.critical)) + { return Err(PolicyError::Other( "EE certificate extension has incorrect criticality", )); } // If a custom validator is supplied, apply it. - validator.map_or(Ok(()), |v| v(policy, cert, &extn)) + validator.map_or(Ok(()), |v| v(policy, cert, extn.as_ref())) } - // Extension MAY be present and isn't; OK. - (ExtensionValidator::MaybePresent { .. }, None) => Ok(()), } } } 
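Review bot: The criticality failure in the `MaybePresent` arm of `permits` still reports "EE certificate extension has incorrect criticality", but `maybe_present` policies are registered for CA and common extensions too (the policy/mod.rs hunks of this same patch add several). A CA certificate that fails the check is therefore reported as an EE problem, which is misleading when a chain is rejected. A neutral message such as `"certificate extension has incorrect criticality"` avoids that; any test that asserts on the current string would need the same edit. The `permits` function starts outside this hunk.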
@@ -170,12 +176,14 @@ pub(crate) mod ee { pub(crate) fn basic_constraints( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, - extn: &Extension<'_>, + extn: Option<&Extension<'_>>, ) -> Result<(), PolicyError> { - let basic_constraints: BasicConstraints = extn.value()?; + if let Some(extn) = extn { + let basic_constraints: BasicConstraints = extn.value()?; - if basic_constraints.ca { - return Err("basicConstraints.cA must not be asserted in an EE certificate".into()); + if basic_constraints.ca { + return Err("basicConstraints.cA must not be asserted in an EE certificate".into()); + } } Ok(()) @@ -215,10 +223,27 @@ pub(crate) mod ca { }; use crate::{ + certificate::cert_is_self_signed, ops::CryptoOps, policy::{Policy, PolicyError}, }; + pub(crate) fn authority_key_identifier( + policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), PolicyError> { + // The Authority Key Identifier MUST be present, with one exception: + // self-signed CAs may omit it. + if extn.is_none() && !cert_is_self_signed(cert, &policy.ops) { + return Err( + "authorityKeyIdentifier must be present in cross-signed CA certificate".into(), + ); + } + + Ok(()) + } + pub(crate) fn key_usage( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, @@ -262,11 +287,13 @@ pub(crate) mod common { pub(crate) fn authority_information_access( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, - extn: &Extension<'_>, + extn: Option<&Extension<'_>>, ) -> Result<(), PolicyError> { - // We don't currently do anything useful with these, but we - // do check that they're well-formed. - let _: SequenceOfAccessDescriptions<'_> = extn.value()?; + if let Some(extn) = extn { + // We don't currently do anything useful with these, but we + // do check that they're well-formed. + let _: SequenceOfAccessDescriptions<'_> = extn.value()?; + } Ok(()) } 
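Review bot: `ca::authority_key_identifier` (hunk `-215,10 +223,27`) only checks whether the extension is absent and never looks inside it when present. The block this patch removes from `permits_basic` also parsed the value and rejected an AKI without `keyIdentifier`, so that RFC 5280 4.2.1.1 requirement appears to be dropped by the refactor. The same gap applies to the EE entry added in `policy/mod.rs`, `ExtensionPolicy::present(AUTHORITY_KEY_IDENTIFIER_OID, Criticality::NonCritical, None)`, which has no validator at all. Carrying the content check into the validator, and giving the EE entry an equivalent one, would keep the previous strictness; `AuthorityKeyIdentifier` would need to be in scope in `mod ca`.

```rust
// … unchanged: reject a missing AKI unless the CA is self-signed …

// Content check carried over from the block removed from `permits_basic`.
if let Some(extn) = extn {
    let aki: AuthorityKeyIdentifier<'_> = extn.value()?;
    if aki.key_identifier.is_none() {
        return Err("AuthorityKeyIdentifier.keyIdentifier must be present".into());
    }
}

Ok(())
```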
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index ecff58d07340..a23230811669 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -249,13 +249,27 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), - common_extension_policies: Vec::from([ExtensionPolicy::maybe_present( + common_extension_policies: Vec::from([ + // 5280 4.2.1.8: Subject Directory Attributes + ExtensionPolicy::maybe_present( + SUBJECT_DIRECTORY_ATTRIBUTES_OID, + Criticality::NonCritical, + None, + ), // 5280 4.2.2.1: Authority Information Access - AUTHORITY_INFORMATION_ACCESS_OID, - Criticality::NonCritical, - Some(common::authority_information_access), - )]), + ExtensionPolicy::maybe_present( + AUTHORITY_INFORMATION_ACCESS_OID, + Criticality::NonCritical, + Some(common::authority_information_access), + ), + ]), ca_extension_policies: Vec::from([ + // 5280 4.2.1.1: Authority Key Identifier + ExtensionPolicy::maybe_present( + AUTHORITY_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + Some(ca::authority_key_identifier), + ), // 5280 4.2.1.2: Subject Key Identifier ExtensionPolicy::present( SUBJECT_KEY_IDENTIFIER_OID, @@ -276,6 +290,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), ]), ee_extension_policies: Vec::from([ + // 5280 4.2.1.1.: Authority Key Identifier + ExtensionPolicy::present( + AUTHORITY_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + None, + ), // 5280 4.2.1.3: Key Usage ExtensionPolicy::maybe_present(KEY_USAGE_OID, Criticality::Agnostic, None), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name 
@@ -299,9 +319,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { let extensions = cert.extensions()?; - // 5280 4.1.1.1: tbsCertificate - // No checks required. - // 5280 4.1.1.2 / 4.1.2.3: signatureAlgorithm / TBS Certificate Signature // The top-level signatureAlgorithm and TBSCert signature algorithm // MUST match. @@ -309,13 +326,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err("mismatch between signatureAlgorithm and SPKI algorithm".into()); } - // 5280 4.1.1.3: signatureValue - // No checks required. - - // 5280 4.1.2.1: Version - // No checks required; implementations SHOULD be prepared to accept - // any version certificate. - // 5280 4.1.2.2: Serial Number // Conforming CAs MUST NOT use serial numbers longer than 20 octets. // NOTE: In practice, this requires us to check for an encoding of @@ -326,9 +336,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err("certificate must have a serial between 1 and 20 octets".into()); } - // 5280 4.1.2.3: Signature - // See check under 4.1.1.2. - // 5280 4.1.2.4: Issuer // The issuer MUST be a non-empty distinguished name. if cert.issuer().is_empty() { 
@@ -347,85 +354,14 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err(PolicyError::Other("cert is not valid at validation time")); } - // 5280 4.1.2.6: Subject - // Devolved to `permits_ca` and `permits_ee`. - - // 5280 4.1.2.7: Subject Public Key Info - // No checks required. - - // 5280 4.1.2.8: Unique Identifiers - // These fields MUST only appear if the certificate version is 2 or 3. - // TODO: Check this. - - // 5280 4.1.2.9: Extensions - // This field must MUST only appear if the certificate version is 3, - // and it MUST be non-empty if present. - // TODO: Check this. - + // Extension policy checks. for ext_policy in self.common_extension_policies.iter() { ext_policy.permits(self, cert, &extensions)?; } - // 5280 4.2.1.1: Authority Key Identifier - // Certificates MUST have an AuthorityKeyIdentifier, it MUST contain - // the keyIdentifier field, and it MUST NOT be critical. - // The exception to this is self-signed certificates, which MAY - // omit the AuthorityKeyIdentifier. - if let Some(aki) = extensions.get_extension(&AUTHORITY_KEY_IDENTIFIER_OID) { - if aki.critical { - return Err("AuthorityKeyIdentifier must not be marked critical".into()); - } - - let aki: AuthorityKeyIdentifier<'_> = aki.value()?; - if aki.key_identifier.is_none() { - return Err("AuthorityKeyIdentifier.keyIdentifier must be present".into()); - } - } else if !cert_is_self_signed(cert, &self.ops) { - return Err( - "certificates must have a AuthorityKeyIdentifier unless self-signed".into(), - ); - } - - // 5280 4.2.1.2: Subject Key Identifier - // Developed to `permits_ca`. - - // 5280 4.2.1.3: Key Usage - if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { - // KeyUsage must have at least one bit asserted, if present. - let key_usage: KeyUsage<'_> = key_usage.value()?; - if key_usage.is_zeroed() { - return Err("KeyUsage must have at least one usage asserted, when present".into()); - } - - // encipherOnly or decipherOnly without keyAgreement is not well defined. 
- // TODO: Check on a policy basis instead? - if !key_usage.key_agreement() - && (key_usage.encipher_only() || key_usage.decipher_only()) - { - return Err( - "KeyUsage encipherOnly and decipherOnly can only be true when keyAgreement is true" - .into(), - ); - } - } - - // 5280 4.2.1.4: Certificate Policies - // No checks required. - - // 5280 4.2.1.5: Policy Mappings - // No checks required. - - // 5280 4.2.1.8: Subject Directory Attributes - // Conforming CAs MUST mark this extension as non-critical. - if extensions - .get_extension(&SUBJECT_DIRECTORY_ATTRIBUTES_OID) - .map_or(false, |e| e.critical) - { - return Err("SubjectDirectoryAttributes must not be marked critical".into()); - } - - // Non-profile checks follow. + // TODO: CA/B 7.1.3.1 SubjectPublicKeyInfo + // CA/B 7.1.3.2 Signature AlgorithmIdentifier if let Some(permitted_algorithms) = &self.permitted_algorithms { if !permitted_algorithms.contains(&cert.signature_alg) { // TODO: Should probably include the OID here. From 625fa415d66203edcd1fe0cd7fdb6fea5b2e02bc Mon Sep 17 00:00:00 2001 
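Review bot: The KeyUsage sanity checks deleted from `permits_basic` in this hunk have no visible replacement for end-entity certificates. They rejected an all-zero KeyUsage and `encipherOnly`/`decipherOnly` without `keyAgreement`, but the EE list registers `ExtensionPolicy::maybe_present(KEY_USAGE_OID, Criticality::Agnostic, None)`, so no validator runs on the extension contents. `ca::key_usage` exists, but its body is outside the visible hunks, so whether CAs are still covered cannot be confirmed from here. An `ee::key_usage` validator carrying both checks over, registered as `Some(ee::key_usage)`, would preserve the behaviour that existed before the refactor.

```rust
// policy/extension.rs, in `mod ee`
pub(crate) fn key_usage<B: CryptoOps>(
    _policy: &Policy<'_, B>,
    _cert: &Certificate<'_>,
    extn: Option<&Extension<'_>>,
) -> Result<(), PolicyError> {
    if let Some(extn) = extn {
        let key_usage: KeyUsage<'_> = extn.value()?;
        if key_usage.is_zeroed() {
            return Err("KeyUsage must have at least one usage asserted, when present".into());
        }
        if !key_usage.key_agreement()
            && (key_usage.encipher_only() || key_usage.decipher_only())
        {
            return Err(
                "KeyUsage encipherOnly and decipherOnly can only be true when keyAgreement is true"
                    .into(),
            );
        }
    }

    Ok(())
}

// policy/mod.rs, in `ee_extension_policies`
// … unchanged: Authority Key Identifier entry …
ExtensionPolicy::maybe_present(KEY_USAGE_OID, Criticality::Agnostic, Some(ee::key_usage)),
```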
From: Alex Cameron Date: Tue, 24 Oct 2023 16:01:11 +1100 Subject: [PATCH 014/155] tests: Add `x509-limbo` test (#1) * tests: Add `x509-limbo` test tests: Use subtests in `test_limbo` Use the correct peer name types tests: Flip the Limbo validation kind to `SERVER` * tests: Update `limbo.json` * tests: Fix Limbo tests that exercise unsupported features * test: Use new server verifier API * test: Don't allow empty peer name since the API requires it * rust: Add name constraints OID to critical extensions list * rust: Fix check for leaf certificates when applying name constraints * test: Remove assert for `extended_key_usage` Limbo data since we're populating it now * test: Update `limbo.json` * test: Skip EKU Limbo tests * test: Add comments to explain why we're skipping certain Limbo tests * rust: Leave comment explaining `is_leaf` parameter --- .../cryptography-x509-validation/src/lib.rs | 14 +- .../src/policy/mod.rs | 2 +- tests/x509/test_verification.py | 95 ++ vectors/cryptography_vectors/x509/limbo.json | 1388 +++++++++++++++++ 4 files changed, 1493 insertions(+), 6 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/limbo.json diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 30fc7feeca9c..461ca7c20960 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -236,6 +236,7 @@ where &self, working_cert: &'a Certificate<'work>, current_depth: u8, + is_leaf: bool, ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(PolicyError::Other("chain construction exceeds max depth").into()); 
@@ -263,12 +264,15 @@ where self.policy .valid_issuer(issuing_cert_candidate, working_cert, current_depth) { - let result = self.build_chain_inner(issuing_cert_candidate, next_depth); + let result = self.build_chain_inner(issuing_cert_candidate, next_depth, false); if let Ok(result) = result { let (remaining, mut constraints) = result; - // Name constraints are not applied to self-issued certificates unless they're the leaf certificate in the chain. - let skip_name_constraints = - cert_is_self_issued(working_cert) && current_depth != 1; + // Name constraints are not applied to self-issued certificates unless they're + // the leaf certificate in the chain. + // + // NOTE: We can't simply check the `current_depth` since self-issued + // certificates don't increase the working depth. + let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; if skip_name_constraints || self .apply_name_constraints(&constraints, working_cert) @@ -301,7 +305,7 @@ where self.policy.permits_leaf(leaf)?; // NOTE: We start the chain depth at 1, indicating the EE. - let result = self.build_chain_inner(leaf, 1); + let result = self.build_chain_inner(leaf, 1, true); match result { Ok(result) => { let (chain, _) = result; diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 328649cd24d8..bfc1ba061c14 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -118,7 +118,7 @@ pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> }); const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = - &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID]; + &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID]; const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[ BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, 
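Review bot: Adding `NAME_CONSTRAINTS_OID` to `RFC5280_CRITICAL_CA_EXTENSIONS` (hunk `-118,7 +118,7`) presumably marks a critical nameConstraints extension as understood, so it no longer causes rejection. The test changes in this same patch skip `name-constraint-dn` vectors because directoryName constraints are not supported. `apply_name_constraints` is not visible here, so please confirm it fails closed when a critical extension constrains a name form it cannot process; RFC 5280 4.2.1.10 requires either processing the constraint or rejecting the certificate. A comment next to the constant, for example `// NOTE: directoryName constraints are not enforced yet; validation must reject rather than skip them`, would keep that obligation visible until support is added.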
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 9b0c149ab4fb..a2c8b564f30e 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -3,11 +3,13 @@ # for complete details. import datetime +import json import os from ipaddress import IPv4Address import pytest +import cryptography_vectors from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.general_name import DNSName, IPAddress 
@@ -18,6 +20,87 @@ from tests.x509.test_x509 import _load_cert +def _get_limbo_peer(expected_peer, testcase_id): + if expected_peer is None: + assert False, f"{testcase_id}: no expected peer name" + kind = expected_peer["kind"] + value = expected_peer["value"] + if kind == "DNS": + return x509.DNSName(value) + elif kind == "IP": + return x509.IPAddress(IPv4Address(value)) + else: + assert False, f"{testcase_id}: unexpected peer kind: {kind}" + + +LIMBO_UNSUPPORTED_FEATURES = { + # NOTE: Path validation is required to reject wildcards on public suffixes, + # however this isn't practical and most implementations make no attempt to + # comply with this. + "pedantic-public-suffix-wildcard", + # TODO: We don't support Distinguished Name Constraints yet. + "name-constraint-dn", + # TODO: We don't support Extended Key Usage yet. + "eku", +} + + +def _limbo_testcase(testcase): + features = testcase["features"] + if features is not None and LIMBO_UNSUPPORTED_FEATURES.intersection( + features + ): + return + testcase_id = testcase["id"] + assert ( + testcase["validation_kind"] == "SERVER" + ), f"{testcase_id}: non-SERVER testcases not supported yet" + assert ( + testcase["signature_algorithms"] is None + ), f"{testcase_id}: signature_algorithms not supported yet" + assert ( + testcase["extended_key_usage"] is None + ), f"{testcase_id}: extended_key_usage not supported yet" + assert ( + testcase["expected_peer_names"] is None + ), f"{testcase_id}: expected_peer_names not supported yet" + + trusted_certs = [ + load_pem_x509_certificate(cert.encode()) + for cert in testcase["trusted_certs"] + ] + untrusted_intermediates = [ + load_pem_x509_certificate(cert.encode()) + for cert in testcase["untrusted_intermediates"] + ] + peer_certificate = load_pem_x509_certificate( + testcase["peer_certificate"].encode() + ) + peer_name = _get_limbo_peer(testcase["expected_peer_name"], testcase_id) + validation_time = testcase["validation_time"] + validation_time = ( + 
datetime.datetime.fromisoformat(validation_time) + if validation_time is not None + else None + ) + should_pass = testcase["expected_result"] == "SUCCESS" + + verifier = PolicyBuilder(time=validation_time).build_server_verifier( + peer_name + ) + store = Store(trusted_certs) + + try: + verifier.verify(peer_certificate, untrusted_intermediates, store) + assert ( + should_pass + ), f"{testcase_id}: verification succeeded when we expected failure" + except ValueError as e: + assert ( + not should_pass + ), f"{testcase_id}: verification failed when we expected success: {e}" + + def test_verify_basic(): ee = load_pem_x509_certificate( b""" @@ -200,3 +283,15 @@ def test_store_initializes(self): x509.load_pem_x509_certificate, ) assert Store([cert]) is not None + + +def test_limbo(subtests): + limbo_file = cryptography_vectors.open_vector_file( + os.path.join("x509", "limbo.json"), "r" + ) + with limbo_file: + limbo = json.load(limbo_file) + testcases = limbo["testcases"] + for testcase in testcases: + with subtests.test(): + _limbo_testcase(testcase) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json new file mode 100644 index 000000000000..4a8072e94e5a --- /dev/null +++ b/vectors/cryptography_vectors/x509/limbo.json 
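Review bot: `_limbo_testcase` returns silently when a case uses anything in `LIMBO_UNSUPPORTED_FEATURES`, so the skipped EKU and DN name-constraint vectors are reported as passing subtests. The gap in validator coverage is then invisible in the test output. Reading `testcase["id"]` first and calling `pytest.skip(f"{testcase_id}: unsupported features: {features}")` would record each skip explicitly. Separately, `_get_limbo_peer` builds every IP peer with `IPv4Address(value)`, which would raise on an IPv6 vector; `ipaddress.ip_address(value)` handles both families.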
@@ -0,0 +1,1388 @@ +{ + "version": 1, + "testcases": [ + { + "id": "pathlen::ee-with-intermediate-pathlen-0", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQVq52m5E2E/waq2yRAH7sDFMZhEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfNoIQAku97oJFYxEDz86tPlICvOaDrhDkSMq9\n7t9BZE8TZP0fNlkxitugO8ecFvnyOiJUZgesZQzr7txkC36qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKM7G1VOOjr9bqwPhe2nefKQXCjYwCgYIKoZIzj0EAwIDRwAwRAIg\nEPdA2CidwrlFFP872wdDK5BECBfiNs+kdauG+LQBFWYCIDLq9hdmJ+5UfHiknlxg\nNDLX3ezbOo2mPxo5nYI097tJ\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAcD7rr/7CK8kL2pi8LD23lkJxR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAzNzMxMDc2NTcyNzI0NDMyMzI2MjQ3\nMzI5Mzc1NzYxNTY5OTI4OTk1OTU5MjA5MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIZKGLRtotlR9vvfAk0hyKwMePG5oZT8woPphRhezpsF3MU4KNIHlc0fhHTHqMzb\nfJnSbrCam0vDxxHD6rSjYICjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCjOxtVT\njo6/W6sD4Xtp3nykFwo2MB0GA1UdDgQWBBSrEWAsW4OvLW2Rxj2CeUGe7+nQETAK\nBggqhkjOPQQDAgNIADBFAiA+ZtgqZQ/UENXrx4c8KL+Yn1nvhm3ij1sVHfmpCFwV\n0AIhAJYhCiMUCWl7yiHbKy/oc1bkA3xIuYliZRpyNylPQgln\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUWIFddnBzpriJaCdQYtHP2k4KFDkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczMTA3NjU3MjcyNDQzMjMyNjI0NzMyOTM3NTc2MTU2OTky\nODk5NTk1OTIwOTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATw\nTXdiphFw619w0z1p/zuNDPA5wjJDrte5cDk0DFDaNAurJAAVp3tOa60+N+LlWwC2\nJFgfoGElKYU/495g2xnQo3IwcDAdBgNVHQ4EFgQUcnXS5pQQW14Wh8Gi864gjwi4\n9L0wHwYDVR0jBBgwFoAUqxFgLFuDry1tkcY9gnlBnu/p0BEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAPbEvaN1tUq5yAoghubHMPkHDDEGmFyBA9iOtFTkviAjAiEAvGkFQgWn\n9xP59WaHDGplkR4X0eDJ4R0iOM66OEgjhLo=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::ee-with-intermediate-pathlen-1", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHRrhNIt12Po6OW+63TXLYng3N9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZMT3cL1NSUu3v1jTHzmVIg45HgkdirXkCL10+\nWjE7FdUsXqjrY6yf0psTWTyhAu8utT5ciVqQF+tx6Z10AVuVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpL6Jm7zRC8nnGqh5GkStvqm4sSgwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ6LQWpA6HweOpxkblckWuHT2uErIuJs8p/o2AR0dNAjAiBOp8xXvyV6NE3eoomQ\nhf+55yPH8aIVLy3yUGjjEpCz1g==\n-----END CERTIFICATE-----\n" + 
], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUF0xE4YzgpSmhif4jA9Iw2yNi3CkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxNjYxNjAxNjk4NzM0NDU0NTkzMjA4\nMjMxNTcwNjgyMzEwODQxMzE3NTU3MDIyMzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDU/JOy35ZplweZ+HuLzJP4RTWNA85IOx3wsJ8SEkdwv3uUeCvZnPG5TyNLrJ+IC\n/TNtNEqv1Bc37I6DNsYQRFejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKS+iZu8\n0QvJ5xqoeRpErb6puLEoMB0GA1UdDgQWBBRQEXvRCMl++ytDpYp5l4s2d9hrPDAK\nBggqhkjOPQQDAgNIADBFAiAA8IK69tn34bRNbVD+jU3sgLe51QQpC6wGuWb6s94M\nOgIhANhavekchx/ymI7DWRk1Ni4zrFN/fIAkKkNznl901ReK\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUSFjTSqI3cwqc998B/Sv7OwwZDbkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY2MTYwMTY5ODczNDQ1NDU5MzIwODIzMTU3MDY4MjMxMDg0\nMTMxNzU1NzAyMjM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv\n/OaSkEqQH3i2dQVRsXjTqKrU6b6ksR+Grm9N9OdpAH3CEE/ahJ7P03skQjJeg8QY\nsoz1ojtBBNyjbuw83nY/o3IwcDAdBgNVHQ4EFgQUO5oIrMRdF865hnFagXQVvwLo\nNxowHwYDVR0jBBgwFoAUUBF70QjJfvsrQ6WKeZeLNnfYazwwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgGSJzcImStU8tEiX6hofM2pD+PbYoOy6OSywWQ7doNcQCIQD/rCmz9JLJ\nlTXQ7HaWvZwyakS/9pFMinV/DSJOahilfw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::ee-with-intermediate-pathlen-2", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> 
intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDaDA6pleUox1oUu+bx1RKPbkW28wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD1KjxrHX2Mel2I7qUQGrx8lsOBchwNHFrQ6R5\ntp4BtX2S+cIbvSktvG0GnBQh+tY9hyWL/ItlsUo8RzzxnpXCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY4Gj3ZBpTKK1O4+B/wlnd8w0unAwCgYIKoZIzj0EAwIDSAAwRQIg\nTKwElOp6yc1fI/YdHWGTNu1GO5i+pF4EXJH2dpetMlkCIQDYybnb5MfEKzkJI90k\nOozbKgHwtRnwGAzZzX3h1BA59A==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUC0sW/2iG9SHkmZTpZM88NAIaFM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC83NzgwMTgwNDY0MTMwOTIwNDUzMDM2\nMjU4MjIzNTEzNjA0NjQwMTM5ODc5MTAyMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1Q5psEU2DA4hRIRLjU/pJeVYHBlZwDXDQa5YeqCyYaiCzy8z23w2plGIbFtq7lcV\nNFWudL9JKcl6NIZn8y2vCKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUY4Gj3ZBp\nTKK1O4+B/wlnd8w0unAwHQYDVR0OBBYEFLOzwGrMFTftgSkKhhbe8DC89dRzMAoG\nCCqGSM49BAMCA0kAMEYCIQCur4uVSJt20SmtGE6+fxCjABQH7yclEymM7EQMycyd\nqQIhAIAcv6cz/fj5r7+mcgSqG5e1ZukKVZnGubB9Voo6MgI7\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUPU47mDywVvPLws+7btSxm8T3pI4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzc4MDE4MDQ2NDEzMDkyMDQ1MzAzNjI1ODIyMzUxMzYwNDY0\nMDEzOTg3OTEwMjMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCjr\nf092A93N44KQ7v2+DssYX17kNqncydo2+O+KlSPQjdiHnXSIS9ABXWq0R9+9wf+x\nr1yZDSNZ9eO8WPkgHOWjcjBwMB0GA1UdDgQWBBQHztpzlYNXzkDzbELzWk5Wzw6F\n+jAfBgNVHSMEGDAWgBSzs8BqzBU37YEpCoYW3vAwvPXUczAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAtMmx/MqlLDvdcluIR9QCRIWxSML9dHD3ZmvyH5hb2SsCIQC4D1LCt6/u\n6uOpumrIegeP1SnzjVxSLgk0lXKWTGnYsg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::validation-ignores-pathlen-in-leaf", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. 
Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH9IOKhwFCiLmSVeHFvWquGieqY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq/UgSIzhW/MsS99k5/14TYHLUAqH2PSdQv335\nBBSYimvRalNYNlKhxRapEw1U+7les5kK5zh3ly/wLSKYdWhKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJlnfOKxtLUvKP1WZvrWmS5PuYuowCgYIKoZIzj0EAwIDSAAwRQIh\nANXqvS2ZjrfHCvnOGU7FFDDxGBmJ11P+B9Tfl+/yOLpdAiAax36Ct4Z99uKh+T8o\n9jmOWJW6+Y8NshLhDbnnQjGBwg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPwAFUjOlCPH3L1kjnUsAtONdA40wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxODE2NjMxMDQyODgzMzc0NjIzODky\nMTI1NzcwMDgwNTExNzc3MzUyNjQ4NDAwNzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM9TD37p7FW/eb3yraSErIffkcB/+3DeT45yhGN7pLLuvBDTCXPjfZD7Mq7m3OCh\nKUfBYFMx57FSt/K9L77VwaSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCZZ3zis\nbS1Lyj9Vmb61pkuT7mLqMB0GA1UdDgQWBBSibjRsYGecrWeB6y0oWQczkz4uUDAK\nBggqhkjOPQQDAgNIADBFAiEA5gvaIv+eAG2f190v6PFDBqm2Ny2rndoZROWsT3PM\npfYCIDotSqxq1BmjNEdDrz278233s1QwsdUzdpgmunfi0vx8\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUSTIZMNXCHQ2nJHLD9CmnTRzeO/8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxNjYzMTA0Mjg4MzM3NDYyMzg5MjEyNTc3MDA4MDUxMTc3\nNzM1MjY0ODQwMDc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDM1OTY2Njg4MjA5NTEzMzE3NDU0MTMyODI5MDUzMjMzOTgzMTIxNjA4\nNDQxOTQ2OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdpe4+6D3lRWQUgsY8Pg+5OG0\ngrZoD+onzhLgFKRV0TreUhWTeu6F+RVfH6O2uPTtoc1RgHxftcoyaDx93PwKF6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUom40bGBnnK1ngestKFkHM5M+LlAwHQYD\nVR0OBBYEFE7IROnaT96wz1QY41KY5hQlhvlzMAoGCCqGSM49BAMCA0gAMEUCIFbK\n5A7VUfvMsbbtRnZ8xToQ+EBZRN8fmLPZ+3Jihn/2AiEA/ca1cK262sR8ATnGH0Qf\ncwpuwOiXk8MT+ykw0DoNBvg=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::intermediate-violates-pathlen-0", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFVfNbR2nLFOkTTuMhan7oAAR3lowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVKAfwhcUnwqLnvjk3HD8dY4kclIyfUWzpQLg0\nuzXUf7QHfrKFDfArsHGQ2rmH435BYz7JFQBVyF8pce7QDtq9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHziE5hMyqalSvV+6+Tvhc3NDZ2wwCgYIKoZIzj0EAwIDSAAwRQIg\nK55IuqSFmp808OJiaDuM7Zd75gN2sUs3SVcaoqHUR4ACIQCkkP06CDXvuK9H8VwO\nuv1i5PrC6ROwZE8iJTHcglAp5w==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPQkrQva2SUQWDd2tXhxW1Qr2odUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxMjE4NDY4NjYxNjgzODI0MjM5NjEw\nMTE1NDAzMjY5MzA5ODMwMzI0MDE4MTMwODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAVEsC6GxYymVxtZiZ2grPb8Vl5oeARfF1CfDbAFBqZ2kI4gbEmbyrTNheeJz7lO\n6/sGwQZe3Uz8YJYof2PMFt6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFB84hOYT\nMqmpUr1fuvk74XNzQ2dsMB0GA1UdDgQWBBTfNekfoJTBZerQgK4K5p/PC5mddTAK\nBggqhkjOPQQDAgNIADBFAiB3cMyuDkWUlV+z7+dohXmkHE67eTcBL0jSUjc1WOXZ\nXgIhAJL+c/g3jfPUndpKVhwQzuEjhd0FYxd6ToZ8EvLmbDfX\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUPNEMd8xPriL5nsZRREu2zH5upCEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTIxODQ2ODY2MTY4MzgyNDIzOTYxMDExNTQwMzI2OTMwOTgz\nMDMyNDAxODEzMDgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDM0ODQ1MjkxMjM0MTkwODg0MDA2MDYyNDE4NTQxNzk2Mzc1MDg0OTgx\nOTA5MTQxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOYT3nU7JGyoOjbXzpIC8LCbf\nkE07iAEJWX2QpZPRBYO4AY82gmIABd6Y4fKk/+2QYB9/BcOR8kJITu2dd5dm9KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3zXpH6CUwWXq0ICuCuafzwuZnXUwHQYD\nVR0OBBYEFBQymhu5RZDnvAhkNl+iKShlJ7yoMAoGCCqGSM49BAMCA0gAMEUCIDvI\nczJoM2Un4n501LMwIAGDBOrmVvS/PkmbWBU3ogzBAiEAgVI4W0CQwoXZlUx1teXg\nQ1Gfn9mI4o6HvcE8CQUbTno=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUcoS3OHlZSOSoDm9LMb9zV8J5koUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQ4NDUyOTEyMzQxOTA4ODQwMDYwNjI0MTg1NDE3OTYzNzUw\nODQ5ODE5MDkxNDEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3\nSboRQEQBWblR8xTMW3pN6AhCXiMFnIOTCOF60IZUghMlmwadEVmJWp3Pz5p6yMZ7\nJ8ggIgsPUcAFfwmv+JnDo3IwcDAdBgNVHQ4EFgQUWBGu5BB4li2yGs5aYT31ARyx\nG04wHwYDVR0jBBgwFoAUFDKaG7lFkOe8CGQ2X6IpKGUnvKgwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgf0NqHIaHpRiC652gmaBhDjs2HhEWaIkVr+1acwTOVvoCIHBv6Hr/QEcH\n6hcQc6Ko9y12vLVtNwo4I8Yu57x2fn26\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::intermediate-pathlen-may-increase", + "features": null, + "description": 
"Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP/vVP0tSomSW+KGRe3Uyte0lmSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbNuxZM7hpg6w9lbDNJ8R3NmY1LWNtpKmR5if5\nKQ7LHpFrguYqz7FE/lAWU83kTn7JH266IUHKR+gPE6KjnyfXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8d8m5cxrAdwiISCdgCX2rFuopn8wCgYIKoZIzj0EAwIDSQAwRgIh\nAJGx/3EyGC403LiE6JIXw9OHRLxK5nPthKFlWSRxS2A1AiEAqgp2L39yuv1KaC8B\nsCWp/8zNHjuq0JuIMeNXB8KvkFA=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUGf7hWZ5rmhlb0Hmzv8uuYzrhI/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAzNjUyODI0ODIwNjE1NDY4MTkxMzMw\nMzYzNzYwNjI0MTMxODMyMzQ3MDgxODMzMzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBH1/K9AXzBPQB/uR793lIfy/KIxQNM6HGVj4+p/wNliYDeN6GAY+d1pQSODfbnD3\npy5y53Q87VdUa2yPUX0X1aSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPHfJuXM\nawHcIiEgnYAl9qxbqKZ/MB0GA1UdDgQWBBRxcWxnu1kiMW/Zuviw1jfnL7QtMTAK\nBggqhkjOPQQDAgNHADBEAiA55CRFfal41srofF8QWxZ6s/b3sI2k55CxnvvwQIQY\nbQIgY2DNx60WV9XbQvQvq2YvZIVj1uPldg5BK+1GA3czJcQ=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUZNJBg/D6HogESQxz/zQ3PZJszoUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzY1MjgyNDgyMDYxNTQ2ODE5MTMzMDM2Mzc2MDYyNDEzMTgz\nMjM0NzA4MTgzMzM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDE0ODQwODc4OTMxMTA2NDc5MzAwMDg3NTUzNDg3OTE5MjUyNzI1MDA2\nNjA1NjE4NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbKe1/v7yLQ++9rrgAiUnmbd6\nGt62Nw6PMe7nM6J1gRNCXLeJ3b2siBL+U2+FFDF3UO71K6KrqrGewQsMmUYCnqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUcXFsZ7tZIjFv2br4sNY35y+0LTEwHQYD\nVR0OBBYEFMA1On4PDu+n1WoNCi9evcWXK0NBMAoGCCqGSM49BAMCA0gAMEUCIQCC\nOYBVxdTGDgVPHwdSHKQsxbx93M+qd/0IZ2wZzYY0zQIgVbYhnSBNhgu8499+rrpc\nhj5Miz7UrUTrfYj/ZPYNpnI=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUOtMcPUhCY7T4foWdZZj2YsL1klQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ4NDA4Nzg5MzExMDY0NzkzMDAwODc1NTM0ODc5MTkyNTI3\nMjUwMDY2MDU2MTg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARm\nXrhuC6H8CCyCIRz00iOTJnbYzq7ECm3PNGzZV7X/NA8eDxQ2GaQk/qu9SgbDC5oj\nQEGxp+RAww3i46ieiTKOo3IwcDAdBgNVHQ4EFgQU4AIwqp+LAyiOHKGlZ53ICSFw\nmIMwHwYDVR0jBBgwFoAUwDU6fg8O76fVag0KL169xZcrQ0EwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAKNG4nfwpuL55ykMYSjWFoxefCPmFDwjTpYCR4b8FZeuAiAu8JRjzCLD\n8vGZ6CSzChZUKa5XBZISx0OSpb2kn5GX1g==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::intermediate-pathlen-too-long", + "features": null, + "description": 
"Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUERqHWf1YfFAZELkUtvq8xL1rMmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwF+VvRURKlw7Ms4ttQkiAqLysYwvHPVBu6DrY\nxu7QXizvWVLNw3kkOpRSK7nyqia/vw7OIpBOUSkIdOT3+Wgio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMFytRjouReKiRWwCa+IPhsOf6v0wCgYIKoZIzj0EAwIDRwAwRAIg\nYE32v74hhOgDXJePggzsDy7qQityM6/+9vnQnglE4l0CIH80yOtg9zR4JljsOBYc\n86vcQr57asAqBJAaEoPAtdvp\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIULJJN1b1F67WWSwCtVN+dBgEzN0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC85NzY0NDQ1MzI1OTY1MjYzODEzMjM5\nOTg5Mzc2NzI0NzYwODQzNjI0MzUwOTg1ODEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nFJdoj2eXOpmTdtD0/Aj2/GAIQf1A0+lIDkAAxUHCllUhq3fCH3TGjdmVfzZziF4c\nGjPS9IjeRpMh+2gtFGOl46N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMFytRjou\nReKiRWwCa+IPhsOf6v0wHQYDVR0OBBYEFGvbYxEI0JyCwNv+rlzPH1Wjnt+IMAoG\nCCqGSM49BAMCA0cAMEQCICQCXYpeY0g5/Pg8yEvAvT9uc2yBpvvigGSUYu5oNxED\nAiBUmXmqCaYLYdJeKTyoT8+CDY7kQr/GtCjdE1IbnXkuiA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUT+X1bZ/sFpAi6Gz+E7k9CFSgL2owCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTc2NDQ0NTMyNTk2NTI2MzgxMzIzOTk4OTM3NjcyNDc2MDg0\nMzYyNDM1MDk4NTgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowZzE5MDcG\nA1UECwwwMjU0NDU4MjgzMDkyOTgyNDUwMTgzNDYyNzUzNjQ2NjI5MTE1MTU2NzM4\nODE1ODE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARWG+/fgoT28sRfb5l21ci9U27Q\nRral0cw7+mRoCy0HnfRSYHAIwEbZCd6MfDIDD+rHXIUJJ/ONVmJZgb5BZ8QWo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRr22MRCNCcgsDb/q5czx9Vo57fiDAdBgNV\nHQ4EFgQUnUZSdvMwMNOGKJ6raO10TteRkFkwCgYIKoZIzj0EAwIDSAAwRQIgTAzd\nEO00uh/muM5WtYCPo8HbhjYF8Sy8zVpHmslbXccCIQCujhnuzfcBRVE2tqN73sdr\nmmV7Y+Ar4jrMYL9afjd9tg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUB/Sn9ijJrlcPqVzhJfs3yv46s6wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU0NDU4MjgzMDkyOTgyNDUwMTgzNDYyNzUzNjQ2NjI5MTE1\nMTU2NzM4ODE1ODE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDQ1NjEzODUyMTM1ODk1MTIwMTc3NzYzNjk4NzUyMzA5MDQzMzY4NzM4\nNzM4NTcwNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPtm+eIY19bcKRq2t5wo9MPOM\nO35aV/AkkYv7iH5FeEsRpsMTRfifBWLUeydQxuiG3GiwPdpZERktqFTHIuZoaqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnUZSdvMwMNOGKJ6raO10TteRkFkwHQYD\nVR0OBBYEFHrIqfaqn9NUvr7vFvTCqaz1xCEqMAoGCCqGSM49BAMCA0gAMEUCIFgW\nri0/FZamR133Uv9ktLwOdwQMrHpFhiFqArNt7bGKAiEA9au0LAts3mm1Iu8R2W2o\nR+kifYCu0pMquTeaBozyCyE=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUeVlGusz7oo+wf0PV2fIN86HW/mwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU2MTM4NTIxMzU4OTUxMjAxNzc3NjM2OTg3NTIzMDkwNDMz\nNjg3Mzg3Mzg1NzA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARh\n7u67PIYiKzUuyQf3BiSXCImxDcqe0EIh82neHzhlJebeQnHk7S+K/pnQE/fsFh0y\nRsDKSBloRLSB5NsqbgQ3o3IwcDAdBgNVHQ4EFgQUZJXW8Ik92SVajknOHFAe64X/\nOCUwHwYDVR0jBBgwFoAUesip9qqf01S+vu8W9MKprPXEISowCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJZDvBIUyAAH9Z88WfC+sWUDDCf8fam8673t9ip0xeFxAiEAnixIIum5\nh/rp8LAGNsv+tGYPGGnUpCRDp9SWdVM8bbc=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "pathlen::self-issued-certs-pathlen", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. 
While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHn1aB54mKvlwuQ9Ki0y/KygGYqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbina5eCgjsL2rCo92cjyr4TCLCLWasyAtBN1S\n9KfDKveqbrbAslagieZvqMQv3XEXiu+bLUnb7fHftx95DHuWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4k6yzpP8LXvBvFcZA8M/56DYrWAwCgYIKoZIzj0EAwIDRwAwRAIg\nR2dPfZOGGqbQV9ZbPFggBR1ejlBYNUxMSPEXGQeaedECIFcX9OYlkZxD0/0r0LXV\nv6iSdtNFHdkNut+u6dOWndFa\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUULn8c6+yLxUKZ/nqTNOKzSPEhyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxNzQwNjUxNTg5NzI0NTgxNDI3MjY5\nOTY2MTY4OTA0NzQ3NDg5MzMyMDgxNzExNzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNGsbEeKZKjhrJJQqJ9U8onBU8Hvsq9JwZhASoYuUm5WDGlES05MEqXU3p7mNm9e\nhm6p+YWz0Mp5qDnWRHjrscOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOJOss6T\n/C17wbxXGQPDP+eg2K1gMB0GA1UdDgQWBBTcwCSWZTaJcCg3IHTIYpTkHVefCDAK\nBggqhkjOPQQDAgNIADBFAiEA6Q+eDSPBJ2yn0EAG0MzIY/A25KMIm4hsftUBKyxE\ntNICIAT3cDlheOIHZkaFJ8AeokdumDMZhdLYMw8h5gu9dX8h\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUWiHq64z673cHvOWaomLH0ATsA44wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc0MDY1MTU4OTcyNDU4MTQyNzI2OTk2NjE2ODkwNDc0NzQ4\nOTMzMjA4MTcxMTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDE3NDA2NTE1ODk3MjQ1ODE0MjcyNjk5NjYxNjg5MDQ3NDc0ODkzMzIw\nODE3MTE3NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKs8LdDCsBTA6Gm1R97CgOfmv\nUYTWY9nrJeRJv0jy2EdkWq+UDMdMRFl/FWvqBjeqJQVz0+dtShvztNs3N3RB1aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3MAklmU2iXAoNyB0yGKU5B1XnwgwHQYD\nVR0OBBYEFFWI49p4+cyrP0zTL65pvg/4r31oMAoGCCqGSM49BAMCA0kAMEYCIQDO\n5vJvcFG2ViG1U+8Cca+O8qNnmHF77r9KpkdqxMv8MwIhALXo9uU97/3m/o2BwsQL\ndLKbazvEtjUnFPRYQ/C906Xy\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDGh+MLDxnDB2KQdianVxQ6zo5sgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc0MDY1MTU4OTcyNDU4MTQyNzI2OTk2NjE2ODkwNDc0NzQ4\nOTMzMjA4MTcxMTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDUxNDU2NTU1ODM5NDM1NjE3NjYxMzg3MTE1MDA0Nzk0NjM1ODQyNjM1\nMDM4ODExMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExF4Fn/05QGQMEPh3NBef1F/Y\n5udZFVYbQ0kZWbGSAMr80TBpyMjjve5ssQ7hJBYcw0rvyko8DARGviJwI+RMsKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVYjj2nj5zKs/TNMvrmm+D/ivfWgwHQYD\nVR0OBBYEFLgQTID5NzA8l7I+gR96nPCnp8I4MAoGCCqGSM49BAMCA0gAMEUCIH3i\nrLLWm5Og8bqUx+be/SpRzlwT10Ulo9wV33CLjQEGAiEAkV5F6MiEv9YmM3Q1fxsW\niog6+lGrRgkTMmso5u7Ec7c=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULQ0rFW4clV71GO46M0PEeIIzMl0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0NTY1NTU4Mzk0MzU2MTc2NjEzODcxMTUwMDQ3OTQ2MzU4\nNDI2MzUwMzg4MTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR+\n7m3T9umb3FxtxUJ4ma2MfIo7V8UM03oNZi4/4ZYOd1F9Zl443ac7611Kvtb6675P\nEF86V+rKivwp+tFoMdIdo3IwcDAdBgNVHQ4EFgQUGN2estsRXoo4tdWhZKv6Vv1f\n0iAwHwYDVR0jBBgwFoAUuBBMgPk3MDyXsj6BH3qc8KenwjgwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANgw2FST+aCytCintj5ESA1oQBq+XpEHciRGvf1qm3LcAiBVHCpQyZP4\nVrlnekmgALJjVdJcve1VPwHssGfAWIDIZw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::empty-issuer", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUSo05I/IH823ig84zabU1OdiJ04IwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaXAqC5L5Uzf2\nsdn+jwfcK7TX1bYfVhz1H5yDNL3hbIQL50YOx25NCaI14SBtZ+FzIXaJWhoVpF12\ngqSGu7LAuaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFNgM366kzBCSIxAvx24iGHt/no2E\nMAoGCCqGSM49BAMCA0cAMEQCICEmSmTODKF8XUog+RB/mIU5eHnZ5Z4c1T+4TvU/\nCRAFAiB9d40nHm0LJKqj/8qZOFiFcodsvFFOss8v630OWDqiNA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUugAwIBAgIUT0dIsihJGuIVLS4UDDwkEWZHSRswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTEwMDAwMFoYDzI5Njkw\nNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEZW8Ze2Wjv9kj6OcH0sHGy+GvbH9DQeACK5tlHeA03k3L\nmcNGCwrkdoyqyeIhixd2uIDTnp0evoCq2Txd6jjgI6NyMHAwHQYDVR0OBBYEFIMH\nSMRCMRtwdi81tI1dGbmw9iQXMB8GA1UdIwQYMBaAFNgM366kzBCSIxAvx24iGHt/\nno2EMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0cAMEQCH0yl/bgonscA3mPdggRgRAH1SuL3XCs9qHLk\nVEPjl/0CIQDdkPKWmewKDfgx8SspPDp570hABLahEUjjq46ew6bHuQ==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::unknown-critical-extension-ee", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. 
As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAR9w9MZ5JgLSyxm6vMtoesbBIUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtkXCUoWbhBB2K8IzVwyJgZdADTVBoCoWNV+EX\nVxSSOeOqAG3lbAOhOPltlUV5q9I+yNGwN1e+IeZ5N5tX0l+/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdDsr9CI5NM+DdfJmqov2QHy43lEwCgYIKoZIzj0EAwIDSAAwRQIh\nAJdMOJ1Wf/97u9iGpVScwUkb6VLKyLxnpLMjjx9LNbKSAiAF76krXeoFs8TvVN9c\n5DT7MgHKQxUL5CAvRvzRkGbuHQ==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUOj+UcmQnh15O9VsUOnr5Ne4CHREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVsuPMqjdEmG4CNpsthHCT5QLxH7fo1CTlOtWM4oy\nshGJMKJxYCbj9LW6AE322GQ38KvmXwPsjIw/W88sMuzuj6OBhzCBhDAdBgNVHQ4E\nFgQUlnUPnQEHk5yJfnq3e7oytbaN3P4wHwYDVR0jBBgwFoAUdDsr9CI5NM+DdfJm\nqov2QHy43lEwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiEA\n0gfslBc1U/GvgfVmVdo/NPQJGxmYLVuOcxd6p+FzHOsCIENJVsjsVzoR6J3Z5Rei\nI94oPa9SpfGVITBW7FFiYaQf\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::unknown-critical-extension-root", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no 
implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGTMejRVlCwNZlhOwBNzig0YmQuIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkhId5Bz4Te2b4AjlN2qTz97APNLSwYWlxTcNa\n972DPKE1PgFh5/RvOXwJK9+braIhiGF3r1zPGFaX3087x0Bho2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7y6qMiSzfwzVtitH+Nd9fHrNjjowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAtyWITotfbBcgCrtiUT2AJb1BjMDeok6E1cUu\ngJWfK1ACICF1WEtl8cZ9HJCnFnG/Ga96PQsJjhtny8n55dbneuEQ\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUFp0et3Dpqu7D71OhpBgFZUueGlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdo8KnmSFqxQNbWMmg8ku3vwnvrls3AbqdOTFqPt0\nTg/56+BpttKKxicou6MAvB+FIkzIXcKLLHvzOySe/CwkPKNyMHAwHQYDVR0OBBYE\nFItNKANL6fSjJawZgprJiyPHlA24MB8GA1UdIwQYMBaAFO8uqjIks38M1bYrR/jX\nfXx6zY46MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnnhWTbBrdQjTbu8KGcIrr/YEkfwSoT\nI/AAhGftC0uBAiAfhgrrKlhg/UcVV3CfqWvJaq4BI7DGkSeA1enbbnLd/w==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::unknown-critical-extension-intermediate", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe 
intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD3BfTVou7h0fr2lGIgs9HV584t0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASAHf3ASB1LYsFTLb1roA6DJ644aia+I1aSddsK\nwsTpBfScvBOF+W4KapGCD1TqKuEea5DHmscp0rD5W6v4yt2bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG+CyYlXdtZ24iH7hxP0XywJYJMkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIJYaur2UTiTPR9TFCoWYOce5Gr22hp+PrCYqPkCUHPIAiBlEoWX6BnMrJicNa+U\nmVeJ32PpAtZNRqfGkYKJn8Ltng==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICFDCCAbugAwIBAgIUCoaQBPdBjHWOx7BTMPVxy5qaOvswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC84ODE0MDg0NzAxMzM3Mjk4NzU4ODA4\nNTc4MTY3MjM4NTczMDc2MjQ4NTA2NDQxMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n8DVp6Jn+G1Xe7kZttgfLsl0CxKo0NJDoekCi4fjX2FAQ7or20lTYlUcm1mzonNZe\nt1Pry3ea1hmSmMGdz6qiU6OBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQb4LJi\nVd21nbiIfuHE/RfLAlgkyTAdBgNVHQ4EFgQUu85tC9/2vR/o9FYQpiBzkp5BGi0w\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBaJnn8pb0M+3vZ\n6mDa3lSm380mUKew8e3VGwOnQPnZQgIgOKAbTqjip0FLMA29CYAuu1QRo2RZeh8p\nxfP6YWTWd6o=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZqgAwIBAgIUTAnI20mloLWA2bCYeP6qF8OylKwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODgxNDA4NDcwMTMzNzI5ODc1ODgwODU3ODE2NzIzODU3MzA3\nNjI0ODUwNjQ0MTMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDIF\nQxKAk6YNHXt3LEben2ZJ7xMgiOeKPZ0lKikIEmXuf9CciK7CXKnDYQles3osspl8\nh3T2N5pgckxO/po3DtWjcjBwMB0GA1UdDgQWBBSmmlVJW82mB+Q12ksl6I1l2UYA\nuTAfBgNVHSMEGDAWgBS7zm0L3/a9H+j0VhCmIHOSnkEaLTAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNH\nADBEAiBOgnU3Q6JlUttRCIjzvw0cI/eqgRwAp0uIn6Md/G5qcAIgZn32hKUWNZSx\ncofSFLElHEyHjaT8OpD3hym4lHXNgKs=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::critical-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUL2YY8j8x0Vr6kLVAvIVh0xyIBNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK0PVC9qNyqK0NuWrkTIEt19/9wT4++UKGgH9L\nfKYlC41vu967gsqkaIIFEdnPedcEsj9uc1CpXlcwFDaTXA0no3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQIB214FwKVaHvIZ6JcraKPEDAWBjAdBgNVHQ4EFgQUCAdt\neBcClWh7yGeiXK2ijxAwFgYwCgYIKoZIzj0EAwIDSAAwRQIgdQ0afti9LHUqLWlW\nQXw2/r/siNW3HD+VUZidqUMNZ5oCIQCWBrL7MQ4hmxitBEjnfF09h8A1wAE2OkcZ\nI1QMBPuqvQ==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUNKd40r7yZT0QQr+AuMpDyJ8+VrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBW7XwPGLDFwd/IMwjhcfftJ1QP+eLBJOFlZ/Dv6G\n9E/0HyfpgESE1DyTn4dzDrzCuc3ZGQ+L7BVu0w7egZtH26NyMHAwHQYDVR0OBBYE\nFC28y212K1DPU44LfXmB7A82oRORMB8GA1UdIwQYMBaAFAgHbXgXApVoe8hnolyt\noo8QMBYGMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDd1KszcM0qnBrJXV6n6IN6qW5gfOas\n+62LsHMtEIrXFwIhAKxobPDa8VnDYsDl8YhBMypbUCfyOTmVt3lofrdv6tEg\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::self-signed-root-missing-aki", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier 
extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZXd2G2PMHewZAI1To6T7/zwdPsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnt0FppObHHzAAcREGELDqblxxuRZvnW4u2Xei\nuVT1BovGHxVAMcUJw2YCTMCzKYRZQrQAA7R0t1G/MqJkywCIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdB7Rt4LD75qdlABE93NyqScvSEwCgYIKoZIzj0EAwIDSAAwRQIg\naHuwOY1Dw8Hfcw7cbc4U+qy4H9N299SBXqIfaRZIRoICIQDyw9zddBwTiPW8rAf9\nnF+0XJVTQ1tdxS/BgYJeotF78w==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWG+4+8uNhe61Dcdcfp58ho9GHDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEItLcVV03dU4XV0aP0XBPBnHTdcZtnRd+17YN2IKg\nOBwjrtVHNnQse0fS0OUrUJ9FRK0IXlfs/aKYhmGFPpx4qaNyMHAwHQYDVR0OBBYE\nFMKMNCnHVNBGaOkzruNvnT7tEKx1MB8GA1UdIwQYMBaAFFXQe0beCw++anZQARPd\nzcqknL0hMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDRwUQYe6NNaB0wZjZzgS6lB79swyTs\nJVDy5BCyNCdHjgIhAMZOOjwPEsH6b8/yRub2+D334qxAGVJ1QAWof6Fq1rSy\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null 
+ }, + { + "id": "rfc5280::cross-signed-root-missing-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUSvEUDo/GnEiBHvSnifQmGhtr2h8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDA1ODE4MDE1OTQ1OTA0MDM5NTg4MTUx\nMTY3OTA3ODM3NDQ3NzIxMzA3Mzg2MzA2OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBB2rheT680Mtu3sOwgki7rIkG7JdULA/iTgC4FuYXjla9mUecTRddDzoxe/IRc0f\nnD9nfxDl+bGbR5mwCtsbuxWjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQnmotcKMlX\nrkLW8QGJ7F0TtJUr9DAKBggqhkjOPQQDAgNIADBFAiEA+mBomEvyGTYjjj0vqvc4\nPwXnsOu98pV3bdQ9iFmCKrECIGizJYMhdTxCb4ZSaJQs9xmziIkT7xDofPHqwDCW\nSNWo\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUAld6ve1EatjvjX7yAeEn9R0XOiAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgxODAxNTk0NTkwNDAzOTU4ODE1MTE2NzkwNzgzNzQ0Nzcy\nMTMwNzM4NjMwNjk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASF\njdHztuw3dKQhfoa85GdQc88nr1cDX+zW5eZszEnd/RN8L6mPHNxzKjcG7xi9sd3Z\ngAunK28ZbidQkA/ZZ+qYo3IwcDAdBgNVHQ4EFgQUVNiYUZK/ZrYA0foUt/dQaavg\n7aYwHwYDVR0jBBgwFoAUJ5qLXCjJV65C1vEBiexdE7SVK/QwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAODNNSysOMCoLtQl0gDaWljM9GWJRZBrGM1AfMWCxYuuAiEAkFbPSV+7\n+AvVnI5UnSf86xJwXnWm0R411JcJopcFycU=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::intermediate-missing-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSaaShEjzk/fP5m+p95Y1rkmQMnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2MYrmXQRsmWDLJ7ENp1G7sWSk2ti2v1UYc5VP\nBnoitlR82XOm38XyzXvsOVMWa/vy/er9rkWkior+o4exPSTCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaD2smuTnNdPn0aHv1QktovY28eUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJiqQcJIRMaVkRZOwH/syiNwK1obS95yT9sSQJ1uWqcHAiEAmanrVYAI5x6OScuX\nlFC0Rfats2DNpWwLvFTNUCCoSiY=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUGq4g8WiwyxciX8Mjr4+VT4QFLSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDA0MjA0NzEwMTMzODEwODM5ODQyNTE0\nNDk3Nzc2Mzg0ODgxMzAzMTU2MDQ3MzQ1ODgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMgzrgxouPh7Ijmn6iXJQLizyqFOuc9XI7tmHycT03BABmFHIkd5qGu6nxuFMs7k\n8eQcWiarCE4Jbj6N0ef65sajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQiNkClPOEt\nSq0Yrjs5FeNKHx1sKTAKBggqhkjOPQQDAgNHADBEAiB9u3s6p5YrowowI+kbA4W8\n837nGopG0kUOGJOFBVrIhwIgGej82zGG0CI+1rNd2mOK3uzTn4blKx+zlaGhZ+6A\nwCY=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUO794rcJxY89fy8OuabMEQMqXF9UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwNDcxMDEzMzgxMDgzOTg0MjUxNDQ5Nzc3NjM4NDg4MTMw\nMzE1NjA0NzM0NTg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\naMZTNrPo2VpHqukcnCDPAg2RC1Wzg2P1lW5HUVZqFxLUSAIetUPf5a/gnTkE5sD7\nHZFISR6x9Z6oZASruXido3IwcDAdBgNVHQ4EFgQUFZrbt+b1aNRV1rRrQFGfreSH\n4aEwHwYDVR0jBBgwFoAUIjZApTzhLUqtGK47ORXjSh8dbCkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALFl990dXyWXs0q+Q4PYmWbv1orCB2wlJhNKCps5cqUvAiEAnBwMi4XN\n8f08cSDndTM+EoNfeoqBnwKX17zDYXLzJvM=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::leaf-missing-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKdW5/JOb8ajt4iT5nlfuLSAVqZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmDcNctLiElRYPhLTpamSwcZjxFR2n33dPA2z1\nEG8xOI9Fj+BTa4hWQc7W576rW+oXuXDSL31LJJbjx+60g3GVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJPPa20CfiUbXCxSoIZfNVcVCZ8wCgYIKoZIzj0EAwIDRwAwRAIg\nbXdY7rr0S8fQ0YQkXTCLCo8U5kRhyJJaqi5hoPo7WKQCIFC46Ev2kqCc4fJI+Zgz\nHKv66vGgAdyhfhSUK++5hI4d\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUW+3lZ8YrNOI+xPkK0mxeDmAKwMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEA5rAs7Etc4sjJME1b+gY5f2nRAgXPjbUIPnFoFBR\nQATYwtFYLW7zCFrXQk2lqDdnyKearHNJKing2j0H00wSRaNRME8wHQYDVR0OBBYE\nFEkG1QCCDONuEd3VANKO2F7ZLqtPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCrrcjTyNrD\nirZByEgxBbD91ar/RwsE2itcKZeqpbHE1AIgOD19RD8247/UnWgDWFq3tZTMlBoV\nJGfhjKqi6ujXnpk=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::critical-ski", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBkzCCATigAwIBAgIUQDIiBqM9rJpgfSO1IjhkO2a5X4cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSLbLUf9wuFPEeHY8C+JbE1Mn1ZYTu8QGUcAjy\nyaRsX1JKkbzjUNStHAN8fjByGKnSZB1Fo7wCqG0ltxXluzpUo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUB4T7QeRiNGeMn2QmDbFXspJDNVUwCgYIKoZIzj0EAwIDSQAw\nRgIhAPfC+edAUJTjjbzn/IIJ9OtcLVUnU9r+FlvF6XRffKvCAiEAuiOATo5Lb99W\n6NdJlcLMSnrWD/C9sJB9t5wZLEWl8So=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUdxTWJGeqTXr8mVEexq4DyjHv3s4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbqCv00mrigUDH1aPARw9Qjghvq32s9UfYeFMLQ3E\n0DxXdJKML36EN9XgIXXxXnfrk8cnG60Fq2YLcYf/kCncT6NyMHAwHQYDVR0OBBYE\nFF5wMe1Tca/w+NDTOOQZAllu9OT/MB8GA1UdIwQYMBaAFMY6rm6WzfoOpJ8fBIvZ\nfQVKEGBjMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDV0ZItEBqJjG41CYu0fL/tD20rWBw4\nAVxF9VJmvh+lpQIgIiK93Vs5NYsc2pwv41eUaBRvV6RPhSdMjp57NmkdWpo=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::missing-ski", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension 
(Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUGqfcmYhXA5fWFpfaOaZu97m4KIwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATB793JYyGkMvX/S3DEukdgxupK3Z4oxX8p/djA\n6zmfu/07R3iLKoB7VtVBEWo0D/aHyjMmDzvfFImQBRaARu9AozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAHufJq4IgzAtW98Hb8JMsCKhMM4N5CtRWUr7de1kNy\nJQIhAP/+hZk8rxD9g94udEMfQkycH6qQj+KvLal2zCjaSHbV\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUOys+jO1xQZTxtE5rbF53kM/tP/IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAENXJqEH20jhiJ/F4kMNHdJ+JruX0Nj5NJ8tXoT5QZ\nBSGOGYjrLtwezx5d12be2A9JjYK11eAN5PImTwHQPNCyq6NyMHAwHQYDVR0OBBYE\nFIBgGF6BZnpU9TpwJynBZ3VwWb53MB8GA1UdIwQYMBaAFB/ACKEsIVpvWLdoTChR\nZzldu7FYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAEdsAB7BUON1d+7PJhdbwNfbi+uSF5Q\n0qYGSk1QpYizAiAkijTGiGNLqgV1D6r/GhBiA/5llRGRixvi4AE0/6G5SQ==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::multiple-chains-expired-intermediate", + "features": null, + "description": "Produces the following 
chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYdOoxA1e/aB1UgJuDlYuvGf4EnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLMl+k/SPeUv4zJRJfW61UfFuE+jb4tk4JygfU\n8wk+1/KDXjuL9lemtV6+qvpJCqk+H8g32Ypln+wiKXUrDZl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBQNIAj2Xz3sOZqwcKItBNBJ7z9kwCgYIKoZIzj0EAwIDSQAwRgIh\nAM+okTZ6prmzU9JwT96AWz6H/1A+3idA7eCtSEO5AV9pAiEAvvg5egjt5R+2nz0v\nbO9KXbkdi317CXQXwcjp/tus1P8=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUFSMv0SfHE5xk/4QgTs4VwRYoYJ0wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMTAwMDAwWhgP\nMjk2OTA1MDMxMDAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGB4r0iBta5baqTipaG/jJU+tM+zMJoYJ\nQC1XKGR08dB5vLU0rP/Yn0xMvOlbTSLH0PbjzNMNT0x1caqUZqQ9WKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPSOcfMt7Wzd3Q0U6/7RV1LTdW//MAoGCCqGSM49BAMCA0cA\nMEQCIGmbp2YbhduAnJDAw2d20be+B3PEGCxRHy5n0RsDqhaxAiBaegtDtwGNOyh/\nBzeqlCxOnEz+B7vbCiT+QZH9pmppbA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUN+CxOPSIGZBbU3QN+kcyHKQy8sAwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMTAwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLMl+k/SPeUv4zJRJfW61UfFuE+jb4tk4JygfU\n8wk+1/KDXjuL9lemtV6+qvpJCqk+H8g32Ypln+wiKXUrDZl3o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBT0jnHzLe1s3d0NFOv+0VdS03Vv/zAdBgNVHQ4EFgQUBQNI\nAj2Xz3sOZqwcKItBNBJ7z9kwCgYIKoZIzj0EAwIDSAAwRQIhAKB/Jhar9t/NwIzW\nAIPnyuOlRCpIBY4IpbBNUOVSEMtLAiA70p73JCAwu/0lxO4/2rbVNKKRv8hEKLeD\nEJMy/8fY3w==\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQ6nvGHLG1k7AQS1d5XivaLjCT8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEb1PGqanM/LPGG7683C7wI2ohpFmqzf8rf1vq/Y/7\ng6zHNmgCre/p+TC1igRqS6yYGOXPPkNccDfm15vLIz5nCKNyMHAwHQYDVR0OBBYE\nFEBIT5M1Fk4Nn4/nNVXFpSd1MLBaMB8GA1UdIwQYMBaAFAUDSAI9l897DmasHCiL\nQTQSe8/ZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDEZ3kX8U90TCvt/IXRy7BiAj+oY2zE+\nmEpZXJ8R7XhFAiAKSwu/o/Oj7qbwoDfm81KNpT1lK0Qbh/v5csr6cVTxGw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::chain-untrusted-root", + "features": null, + "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", + "validation_kind": "SERVER", + "trusted_certs": 
[ + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDdW/CR6hlH9WnQm7+sBnd+Y1z90wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEx\nMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABO9272xHvqEe\nrdjkWV6TZy1+sUP2ucjjmSPBYWfq1Php1LiDbMg5THqUa4lENt6kcbIk6loO+78n\nDcBt6O2chG+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBS0ma9Lysj3BTfAwrhxVUVeDIaX\npTAKBggqhkjOPQQDAgNIADBFAiEAkBTX2TIQtao/zYMa2GenpwhLFREW6nKbLg2T\nnR7+njECICvy5A3R0kBUeizu+bdtHb6iEEryvItl555WZY0vbpsd\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE7rvcJYFjM+4z16+l9guu0lDJUAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyzeq+vSnVuMG71nD1IrQQmAz8wfaEon7vVKNC\nEZCfP5dBpQqhHhAZZKKjSRBvTZ17UdtrWNMHDGK1CgLpc3Hoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBzFDbCErwshD958WsERYPSP8rxwwCgYIKoZIzj0EAwIDSQAwRgIh\nAJB7KXHxQ/TI2Shrirc7LBUcMFGUMEROin3ZHsct+j/1AiEA6G1s0rms49oFTnF5\nl/qlYmG7TkLiqAOg+hjptB9Na5M=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFshDxv/5vikVAEchjzDqQXyzBD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxMTI2Mzk2MjEzOTk5NTU0NDk1NTU2\nMTE5NzE5MTcxNjIzNDA1ODQ1NzQzNjI5NDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLtGPd1xLpFWm8/MUTl6r3Gyjo5HtAcpl2/vTuko2J8o13TtTvelc5YQq2OWNyFc\nP9rm5uw5Vw3r4cY+7wRYW/SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAcxQ2wh\nK8LIQ/efFrBEWD0j/K8cMB0GA1UdDgQWBBRpo4k9QCSer555gzOPXY8OoFIY4zAK\nBggqhkjOPQQDAgNIADBFAiBut1Vv1XvFnlYLIX/sXhoHmoH022ReEIqDSX5nsirJ\nFwIhAKu1RMTlp4jX6z5dpfdIy3lbmsQC5q7EIUYbUPZP/deJ\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUXwjD6odYIds8EypWYY9AhlAYQe4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEyNjM5NjIxMzk5OTU1NDQ5NTU1NjExOTcxOTE3MTYyMzQw\nNTg0NTc0MzYyOTQ0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATi\nhUk5n2hHaLkowS0+EojNdgFLRq4T6167a9eXWd8Upvx1On4G017l15War4tzI4Kj\nehhj1xX7nBHwBpkFj2uWo3IwcDAdBgNVHQ4EFgQUVVJWMOyiSte5zFrZIYZd7zCX\nO+gwHwYDVR0jBBgwFoAUaaOJPUAknq+eeYMzj12PDqBSGOMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgDKT8jDWujUJXIwLKJsIwMtRVwyovVwi6vbBKgGfi0MYCIQCdZl6m60Zd\neRDxbXsn9fcPtbHk9HaK0yF8DD+Dw0akYg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::intermediate-ca-without-ca-bit", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not 
have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUINvWogPhgVAc9AsIEIyankEXMXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXltjJnIKHFsxLanzQqPPaIc4HXElN0OirP32X\nrHX67I/a8SofYX5ko65EXjz649zMKK9ELbZxMlROMv7PbKu6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/YCnftQN3UbtQv5zWFEOmDe4jjUwCgYIKoZIzj0EAwIDSAAwRQIh\nALsNb27R2WLhe8Z95xQfqGOZL+i5mSAGaQ8CVn4dDHuYAiBuN8JD7SD4mMztUDvF\niAKisU1r9l5Z4Q3J+iwsMQggjw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIULZmjGHXfYhSUWzIEbCdZr0xBw1gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBqMTkwNwYDVQQLDDAxODc1OTAyNjUwMjQ5MzI0ODI2ODY4\nNDc5NTEyODM5NjkxODc3MDEzMjUyNDY4MzgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABJf9Tjx2wZU3EdB8+iPDwkcIxZplj20exzQcaULpDNz2w7njc+8e9NsUSDmr\n026SC5lnooHAhz5K4ytgMaSpCg2jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFP2Ap37UDd1G\n7UL+c1hRDpg3uI41MB0GA1UdDgQWBBSbjz4764E/TewrOUwNlfRHIrpa8zAKBggq\nhkjOPQQDAgNIADBFAiBLIAICB4Bd/uDfaBqBUP0xtZa4K1Qk7WEWuybE6NyCzwIh\nAPQr3PlS5ZlpJmt5rRMvA2WjTj5zk4Pg+p8nMUaj0S+g\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUQGpLWvpMKSOuAwDJ5oe3q5zmmrYwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTg3NTkwMjY1MDI0OTMyNDgyNjg2ODQ3OTUxMjgzOTY5MTg3\nNzAxMzI1MjQ2ODM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATiif3WmhhxjEXTpetjtl+UNoWv+JgQigPVCCBY3PmQSmAQzlGcx9wSdq2uMQlb\nhjvtctMrWFt63vt8XktW+09go3IwcDAdBgNVHQ4EFgQU2UZWp2ZFafeaUe8lrprO\nRecu0icwHwYDVR0jBBgwFoAUm48+O+uBP03sKzlMDZX0RyK6WvMwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIgJuOYPKFb8R1iuOYKZLxGl73j/CxU1CnltF0+p8ecZG4CIQDAKRxh\n6viVItJ6OScFZBZfdIb4xUT2UXLIDRSdbAvzQA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::intermediate-ca-missing-basic-constraints", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeKMH/DEuqwxLWybIZKkxLZzPkOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1XUyAua42oT0siz+a4qcJpJ2+41T/Auus0I0E\nwjC22QHv22KkekeN5NcUcmprzHCbq8zCg0lyyj0Oqdgfw+S/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBylGFpTdS1RD4ynZxzX1XGht6KEwCgYIKoZIzj0EAwIDRwAwRAIg\nRLdes3L1e2mH9Kwro0jcsW0ZX0cXL7UrnNHdjyHXI/sCIEvJn9nxllobGvt5VlDn\nIk2YgjQ6tDWwWNRxxYB1WYDj\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUKzYjiR7olZNXZz6DdXAEdnCH5KEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjg4NzE0NjA5NTY4NzUzNzA3NTkzMzIyMTMyMTM0NjI0Nzkx\nNzU1MzEyMDQyMjE1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATgDTN/A6dnUH6oku+xjthx+qCf5nKhJXhCyLiQeHjEja02ZaSfg9/ToXZW/THP\ncJ0rrtBNtwrnvbhcibGZDkG8o3IwcDAdBgNVHQ4EFgQUFrYa58TvncKSZ5MkSyYA\n8haAsnAwHwYDVR0jBBgwFoAUamD6lTg7DJZQMGZkvXPZ/rYKBUAwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAImRoLjWeRBeZ4ikWl5SeZgPFWI2FmsL51yC3NP9cEwaAiEApIKq\nQHzwLp6PYqCHhorXnaztdE2t5V2RaQO/kYDr7Oc=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::root-missing-basic-constraints", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA 
certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUJlHgPRvOCUC0CJvZZDNOgW8hEVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSfHtgGIlKTVLTTuLAiZ5oC+ZezWc0Y1kyTPL/\nHXrmzvaW1pM6itbXpgl+DEmkg2wbK+pabX9sxrohrlALRwHgo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFFNNMHEGFhRi\n+bax2hqKX/T3jKL6MAoGCCqGSM49BAMCA0gAMEUCIQCur5rGfF7YwXg9906+MaYZ\nelzwwd4f1WVe8/8SeISSIQIgKEkN5H4ewN0X1ldC8dzaF8v47K3ytwYdrBcYhYkM\niSM=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGB7stw4uekE0Kx9agKhiNlQkEXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnmOz/7oYeh2baEPgF4xi9RExUVl1SNgnegJc6OFJ\n26xHIp4rHEWUhRCeVww0K6LOgjh3J9lf02X3yNoAiEX8MqNyMHAwHQYDVR0OBBYE\nFL/5Sj2aNHi2sC5NcoOu6mSaqEi+MB8GA1UdIwQYMBaAFFNNMHEGFhRi+bax2hqK\nX/T3jKL6MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDyVqWGvnV//JqPtVk8QhOITW/77gNNE\ncufaEdXtR74zAiEA68LJ/synkgIcqG+xJ1lajvcM8dvpr6pPaOK98Dl33xM=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::root-non-critical-basic-constraints", + "features": null, + "description": "Produces the following **invalid** 
chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUapGTG1NVzB1rS8sdel15YiiOJIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStNpSoZPdLhhrCa0yh2qovxgDCa9l0wl987wYo\nHcQv8xAkWyUGlTe/JXY+n4ta2MSorXL7xcsZM+6C/fOtkS72o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUNDwgPdO/IGcWWlo8tBibN1KQ6hEwCgYIKoZIzj0EAwIDSAAwRQIgfLug\nuAs12BTmWiP/tzeTt0BpDpTc/GBtKPStssq1NjACIQDNZOF4UUMP9BD/j/qsOa6Z\nvYdmNlm5dvmWUPMu7+L+xQ==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUL7dNzKqk0auzTHrzr5nLOhE7yocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbWJg/DkObUoS34vOwd+P+yzwdrWvdbIXSh7gkOhf\nvIqSy7e0dxUaTak3TJPo4ES381oPHzJbtDUIOwVIXfDLyKNyMHAwHQYDVR0OBBYE\nFILOhp6U501sw3So1+g05zsht+cxMB8GA1UdIwQYMBaAFDQ8ID3TvyBnFlpaPLQY\nmzdSkOoRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAn6TCBenDoPWpdiURFdnHiOgNK7s4\nGvssax+kRg31rgIhAIAPC1b7hz/0BxaF2UOmN8fHXx1hsSUZ/KQyem6iHKsG\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + 
"kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::root-inconsistent-ca-extensions", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUIRovVbGQ9NuG7JkPycVmyBMw1HswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpJfy3hOz3zKSXDJUrodoGOqpCOj8sM1wUplZU\nLjJdrUC93Zjhyh6VdGLKLX7aA/CAwYS+hnvjMMgsGZ1pyt9xo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQGXS4bqgIhukNOyq4juFbi7kvPdzAKBggqhkjOPQQDAgNIADBFAiB5\nSq6pP7LS7MjogcZzV3PELMlXV1LhHNj3sh4ira1JTwIhAOELIvkUGvu81YZXCur8\nsxlwH/GNwoPmHRulsTBpNC+E\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIULXkdDdBLUJN8o74AUmFosGZQ7LUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtE4gTVEBotigp9EtaAnSbtsiHN3W8L3BAWE4cCYV\n0JSfASLrlQ2OBGY1gIkzrQohVq7UbsqLKayHk5Hwn6Di0aNyMHAwHQYDVR0OBBYE\nFLoMTqcLRCnNTGQV+HhTZ1gppdlHMB8GA1UdIwQYMBaAFAZdLhuqAiG6Q07KriO4\nVuLuS893MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEE+3ghNpOcW6bAvd/h5KDSp2RO7aitb\n7Wnkd+dWlQnHAiEA5EmcswTKq3eHpbEGv+SpwZMJzwa0TdmhmMYe1JVVSSY=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ica-ku-keycertsign", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTgxHn801idPZONR9BxnbTU7C6h8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASOgkiFn06aFOFg47NE/81PWDfNjOGLSNfc0ZvG\n+Zkw4CF8VPBQt/DmFKKPWz5AXUzCaz3jWUhCuJzQBERqD+0Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPyvLIPOL7j8vT8yjSRIDjSWpDg4wCgYIKoZIzj0EAwIDSAAwRQIh\nAJgr7fOMVdSD1+9jxilcATjMBHqFuqyNDf4Lsvta+czFAiAiiKiSOTcqWfK3YXto\n8i9BrA64EBhrOtlK2qAUBCF39Q==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUK0y7fwvoLqpXc/UAgzh6CZ+E8+kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ1NTc1MTI4NDE2NjA5MDcyMTE4NTA2MjkzMDg0MzM2NzU4\nOTE3MDY4Njc5NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASK\n9h+MBwuik7vDGj7rs1jyn+KIVaF1H3ZT6LKFZ9THV8GbopMsDB/DSgnhTics5T7T\nX3PeGRFxml41EdoPfAd8o3IwcDAdBgNVHQ4EFgQU4r9yHcwLlCaERMvEnfNOcU3I\nvDwwHwYDVR0jBBgwFoAU8ccBEGC9pq+P6dfat5eBPYixUPMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAM+qre5dBMHWytwxCGBb4bieLL2GpWwn91F4IptNfYW7AiATozbCJbxS\nufqE7roEflNq74BimVCjVcCj0fhBXO4eiw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::leaf-ku-keycertsign", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. 
This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaRzM+6wGvnBliTrnaz9TkVbeAVYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLHIfMjgaAQ+Hhx2ia2W/Izp7Mzxx1MOgLFfXl\nzryaJn897ofQGNKt1Wq7hiV1c2WervVp8C10OZm1u9raFWvKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjVqdi56wuufNtfbtWYUvLe5LJPcwCgYIKoZIzj0EAwIDSQAwRgIh\nANF1x0XZCAzOyE/qDzESjl2GWU+vagXJmnuETqLMGOEKAiEAj+v+S1lX8XwKOaRO\nokSHM7j9Aey+JDhOEI5S7OiWzxQ=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUaNqtZzxRVvuKbKJq935j1bHVlMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERoJDP1VBPu0aBlpJF/TXUqjnyK48Vm/JuqeExPuv\nETZ5qN7J6cppB6qZ3Ud7VKapRaPayRd+IYqPUwvyvAYP9qNyMHAwHQYDVR0OBBYE\nFMOptGLT32V5N/FwAWcH+JglDhrHMB8GA1UdIwQYMBaAFI1anYuesLrnzbX27VmF\nLy3uSyT3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG1XdtsPmGJ6Do7Km8DrY4AqqlHD116A\ny0QMQgDXcD0/AiBaj31FFF7yoJrLehdGEs2Lw1jRejG7VWkoEY3UX6g5Dw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { 
+ "id": "rfc5280::ca-nameconstraints-permitted-dns-mismatch", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUcMw0FDOQWWV7g2ijTFfhMGNi4ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCWvpLIf8PNw2VnF8+mm7yJh0X96g7aTZyIDKj\nwUWzmSz3XQ7mrKoFdjDb+JiCqRrqG7vtJYUjMVvTady4jgxto3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM/H0CGAqDjoMriCl9wMbUvPESo0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC8OrZ57bpJ9y433djaB5S/Z\nHk04054YON1ybF1RY9gDAiBK9yulkfjsNjDM6bEDPALiGeQdMB97NCMKi2k/ljlv\nLg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUcrNJ4b72XngF8zlKfRMSdDngKcwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEWAZOrJNuvRBtavxmgP0pdHlgjJqVPct7sd2BhxwN\nwfIStUA7DSREmwZfRH4gJPE+UKmgVsX9PHG5T5Y0C25d+KN2MHQwHQYDVR0OBBYE\nFCK+o5QQkUBagI1AHM5yaQWiR2XtMB8GA1UdIwQYMBaAFDPx9AhgKg46DK4gpfcD\nG1LzxEqNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAm7PEj2yb9uBHoLKJ8GZYLzUK\nJw8hxnoDIWZmfINX3SkCIEg/5Z4pNF6MCyQxpGojjma6yu+vGwcmSfyCdzxhtgP2\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + 
}, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-dns-match", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIF0S2aa151yHGsK/wwIDpjSKEZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeHFh0bAyg4xSWpGWO8D1pxLKYvbllfYaznJAB\nyVaMFIG3fC4d28RhouwmpirXKi0ELKB6YNpjo0E+w1NlvA/Jo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURfzPsRJ6TmT1efvBgx2Y3Qy2vTgwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD2DXm+umDb+DXs04PEvELH\nkC92w0FFfGPxxWbhpTIgJwIhAPyWO1fag/ZtFiu0wW4z7zSXrqcYQ7/LmNyv08QZ\n8tdK\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGN24AyOXEPewGNGE0O8EDRvW/s8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHz5Tn2rNYoXd/OL34Xg7JHDULt6uyNMwWqr6CfpP\nZl32JPCeYB91IMi9hxW78256hNFbmBo0TKIRoteNOXrcwaNyMHAwHQYDVR0OBBYE\nFHgg+2suMzGBgKjS+jzsmkLC0jovMB8GA1UdIwQYMBaAFEX8z7ESek5k9Xn7wYMd\nmN0Mtr04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICX//DTtIkQ3H6gUc1VS3bJa1vEfUWFk\nzQeCX648kWs5AiEA+n3MiaCZze62XCBTZY3+Vqji+pIh0PW+7PyDtGSpYsw=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + 
"expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-dns-match", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUDmnVb59I7O3enPXS85Lr9JXpENAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqLlj8YpIjk323cHQ/x+jmeBuT3clyklfED3fu\nW8Hw2pa+KWj0EpmNHad/w2rX+HRWEF1qziVF9kYj2mZbIGgKo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUowmtxlIVYbXu/hbDFto5ttLxDeowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFfxDNCyUhxPTDkLoEY/W3c7\nVjYcDQEnOhGAiQ3wYlBEAiEA1/Lkv9RIlZiBhMF19LsGTnweKqM/zastcOZTHC22\njG0=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUdU7fnCl1YR094IN4cRtGHxEcOZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEg7P0DV8fI4eyiAMl9zLDMLavi9J430PI91D4/YB7\nRZ8NokXiMByf/fzCtAFf0W0/s8USFfURETKdsg92RXu0Q6NyMHAwHQYDVR0OBBYE\nFKIZ3b/ecNcr0e72VCEsuFZPYDEbMB8GA1UdIwQYMBaAFKMJrcZSFWG17v4Wwxba\nObbS8Q3qMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLjo4eD/Tn7IRF47wOuMfkQHLAVAd/\nvOAx3hRiD3wQhAIgFgZPTVnPGQSVZJUJ2BvtvJNs2LdlBuru0kaJWcqOR+E=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + 
"expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-dns-match-more", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQnbF4LONh3mBHbwt1CiEgtpHjaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQt9ff7yjtAQbWC0RcL1ilQQXn72mQP7PSlljH\nB8UElCqueMpKGVysmf1KnXDg1H3nT012dCxeZVVN/Qw+ySE7o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnw1TTFapv+g/fGbnv2XsfkwD33wwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAVagAXl7PVV1kPOpUWP3K77\nRpj6bViDLBRJ+VAIx3sRAiBV/7WjsO88np4z523KyRIbEBkg3VvZ/9ozOj9DeApY\nEA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUWQUlopBU7bgiw/7aneZtJQEcG1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpeR9MhLEU5Wm+O5Q5GeEpVpkvw4gNVZnIa0mkMlN\nhAyfNkeOkc13+QqpDL71ZSlnRjoCtJIUZsEFyI8UqSSCZKN6MHgwHQYDVR0OBBYE\nFOgow1KA35Kp1242LFiUOHum+WC3MB8GA1UdIwQYMBaAFJ8NU0xWqb/oP3xm579l\n7H5MA998MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALlRm0QfvOUdkOcqT4Gr\nWQRmLM8F5ZvNAAcBViwK++wQAiEAg2bJlaTHMV5x+KGNhDYbO+4E+H6gONgbjbaL\nYbqdSS8=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "foo.bar.example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-dns-match-second", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". 
This should match the leaf's second\nSubjectAlternativeName entry.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUCUs1Ytpr/Ui0wMzf4eyFSARjQjUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMmWNM3iLroq7R4xGrclBnXPxNy2ZHOujGky6a\ndLp/Th3TCjlgm1J1rn5jab1GeadCS3BQTjVnoJ0LG85Cdewqo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQenSSl8MCY6ZMQFBzONWByR2HVODApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAO1r\nDcXDVsb2b2KxAwYWje/mHAheWclOWrqmQAo/DFYXAiEAgOLpy3fbLUjCPLIGI6Ks\n0qvuA9cKG+MfqhdQprXvd6g=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUVlbfqIADnZgqUmAKtjMKyxrUfXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdRMGxRDmJwfsr1yPVzHvCoSIWLs96RP4S4GRrLWf\noi9wJbA/kje59N2OOZROKkVNCYv24Ksv7D8S6IxI+dMmsKOBjDCBiTAdBgNVHQ4E\nFgQU49kgH3b7aI5X9npsQ8SxjiS0WxMwHwYDVR0jBBgwFoAUHp0kpfDAmOmTEBQc\nzjVgckdh1TgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCmvq3IR7F9mbLkGpGMGyH5TU+y2AkDY80g6EpZToXg3AIhAPQfn6jvIHEC\nQ09tD4+I4pybnzJCCV4noPXSV3uIS3b0\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-ip-mismatch", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a 
NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFVXf+16XqjKLi/xStqHLIfWRlOgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcxFT0nhDOyL9QHbc2DcoYS/mtI+ej9dp07/XK\nBZJFsNvM3pDdIBVubW+JZZlMo60vFuuagrLQ418sf0y40BgMo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjFqyCe1aITn46uwzik1x9Y0o9UIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDwtNyG+rgiN2K9D7hmzkdBoWny\noou/32mDKEz5VEBlaQIgY9J32TDyCh4Se4cY2Wav0jHcT1rDevKO5u0s+/U1pTU=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUZHVmHvKEKZfm0MwYOst1rvlP+NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVhMVKjvLSLlq+Rs40QK7M0+fCRRWvwCmP8NRIAIp\nEhniGNwcOAafdACDECoiF9LiME2el8qZRK+0EzeJsBI/HqNrMGkwHQYDVR0OBBYE\nFPi7eXc31FzO1z8spKko7ch2fqU5MB8GA1UdIwQYMBaAFIxasgntWiE5+OrsM4pN\ncfWNKPVCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgBfw/60CJDp+egpHkyj/tfI8WENE6GeIzh2G8s8aW\nhUsCIB3648jomeKreTqORv0zOY0/blDk+Yrpo5PYtzF3UoLN\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "IP", + "value": "192.0.3.1" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-ip-match", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a 
NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUATpR2hx/P4FnEFlrVduuSVXb/SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHMWyjwqolk6a73JVPmS8fHP2Dk1ppF16bdSJ2\nt5tAnAjJz6BPieiijU/qJKdGmrPeXHvJSePC6NpwdYQ22BXMo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNcv6yRBh38+ENWgppBJknbSz9MowGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCaWUs5iWqVXnfh7pQqQLcQa7xS\nXcLDGgt+bYPW1NK7WQIgOSC7DiQgBn17ntHvB+xaX/8QLieGLaFkt1vKz5eJvMU=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUGzbZhuJWa3mNqXaueWG+xzBfKGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpWGnaEfGaBtc0AXplHektVez4h5b50caxNxanvZP\nw3/fGaXbmMrqC7BOKV1gmtq8o0duR2bb3L+S+sqou7W4sqNrMGkwHQYDVR0OBBYE\nFIlxB35/kaZh/86ZyCMgy3z5+knyMB8GA1UdIwQYMBaAFDXL+skQYd/PhDVoKaQS\nZJ20s/TKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgBk71IAsvZWy1i1lyQpaLWrwOF5cOOBoQro9sPcqK\nnFQCICE5Dmo++O09bDihsFsHcMesHTHHNAZQwuTTO3SOICaV\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "IP", + "value": "192.0.2.1" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-ip-match", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints 
extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUDE6GCy68E7mAEVmsuQu3SubuSFEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQaOqKopYiJplQEBhTi5KgblXhnKNEPjza0jVY\nAdnAPRbmlnFFFPYw83rxR1z3vRl5SnPPDg2rrsEeFtbKFYNho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJUgrWnA4bedsmXnu2WeQ0Tdn0DEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIG9fAn70DT5Zsad8RdaUCFkT1ayF\nXZgdBYev2M5G2pjgAiB+ot7et4xdeOpmadp/YBhG+/EbzbNS8fRuDeb49o9aWA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUMzE4LJf6HZxgWZwdjaaDWbsgY0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvYqkeJ3Mf5Nv0Fvav+y0b8+FrZgfOl2nRzuCePyS\nr+2cbX2kgw8L/Ok9vCgPavHrgQKCGXrYFW3jZPMC/sHD9KNrMGkwHQYDVR0OBBYE\nFIHCzQUHeUGLE3Ih5T8SA/KZcqDHMB8GA1UdIwQYMBaAFCVIK1pwOG3nbJl57tln\nkNE3Z9AxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAJuKvvjSUr13W0wvxCIja5bJGCsJKbrUrlZZ1x3X\nzMK6AiBJzg7zKmQ05lxtdTbhi3vo7CnEbDbKaqH2FYzo6c3uBw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "IP", + "value": "192.0.2.1" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-dn-mismatch", + "features": [ + "name-constraint-dn" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root 
contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUULUxihnZyg0wkl/7Lk9RjMab/cUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYtQM5ovoYu19wVIfQybqvlkpx6slEfFa8UMeN\n/iX8AJgEeyUJ4T1Nr+GCZLjtrbVSoMsb/6D9FNrqpWPNJM+Po3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqBHYBs3luysk07O9h0q0JifnyewwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANZlhRErsSEKWI3e\ncHpIA8woYrjQYXATD3G0lUfEU7SxAiEA39YVYZLq55InTYKyV7ToXgpECWcgz2uA\nxd/k90hLVQI=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUXU0UgWp6+iUodSAC7kiDSz1vm6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEHgxg4RTmqaQG4aYf0zIM5owNqgW99MUmB0X7LGRBHXv1sYGf\nhq1t10boAn0vc43sfMH4+5Q202Rf22a1xqIkK6N7MHkwHQYDVR0OBBYEFJh9M5YI\n6kf2KA/YG92SGDAcpSkLMB8GA1UdIwQYMBaAFKgR2AbN5bsrJNOzvYdKtCYn58ns\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIH1TQ/Db2ncs4DivztzrWz+y7gl0\nkl0SbV4ZqK1Jv2FpAiAEvQcnqTQc+q/6xMLveXZRaKJ1gSYR7jZmLmc4YlThaw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-dn-match", + "features": [ + "name-constraint-dn" + ], + "description": "Produces the following **invalid** 
chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNfIaYNdJ4zS5I03SjgEYzr2MW7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbrqv88G3kCbUyKBJNAUmHfTyDCl+6vLUggiB3\nfmH4/fP/b0+7QwVWtpECqwQNqgiHozxmPSh3YfcSQNN/A3Kno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6VLWnWwWS/CNPGe6+K6lXUF8jR4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOhEtaMVUdFjSsvg\n9uNT2clb8ubrEpcJ1gWvOhjEzJA5AiANXstTYxSg0zmJlfPamt1cY+0RsqBLJeZa\nPdg4sbolOg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUJhuiJCp++V/AH7i4bzuR/8wvrw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQF9gM51rt40evzOYLL0I4qh5u2Uyla++MI0AsEDJwXq7fOH1n/2LHL\neQjtmokaOo6WlRcjhh+A5LXMbr/QNUKLo3cwdTAdBgNVHQ4EFgQU7I5ycAf532Qj\ntC/ZTqxpJCr+aukwHwYDVR0jBBgwFoAU6VLWnWwWS/CNPGe6+K6lXUF8jR4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAkH+N5Z0n+sOsR76qbAFBY0JJqUU05tgi6TFv\nl4QvzcYCIA4hg1KGtzc+nGiEoXXDC6LB31KjqnPABPKb1J6X+Q/r\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-dn-match", + "features": [ + "name-constraint-dn" + ], + "description": "Produces the following 
**valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTBCkzRszyA/EJ3Vo2ms7UMCzB50wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1XxB82J4+KZ/+nQ7rhYEEh8iViR3GGedGNiPO\nIRk1gFUiyI4gHqRdH8TIjVbAvhHU0uuSPoA7CiwPUlHTqQ2go3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyyDAFoWGjkQ39BMEOwyt7eobLIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIUJpCy1K1CFVfe0\nBEaOihcwf8zI7GUDVxBes99dSgwwAiBG2cz81DlW4B3v4z1HqbE5Tbq7jQWH+cQX\nyUtAfgQonw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUF28a4s2UWyd5mCBAxiaJvWTE7owwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARCg1UCzxlO3K4rAdWWm1k6cXE8tbXpxElN51Evz0iWN+l/C7jf3Ajt\nvS1RcGClCmTCFYUGEXCLRcWWMGcwOtrYo3cwdTAdBgNVHQ4EFgQU6KiQHFF/fMIL\n0cwlK2tsvqQXqSQwHwYDVR0jBBgwFoAUvyyDAFoWGjkQ39BMEOwyt7eobLIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiBnhghAYxmR3QRP6mTQmZEV4WX5Q7GgDxRdRV6W\nx0p6VgIgJNafKQRZ25d2f07y1BPUXTH5Zo9XPfH28wFmWNyWYfE=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-dn-match-subject-san-mismatch", + "features": [ + "name-constraint-dn" + ], + 
"description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUICe75hWAxmlE0crbWGlqFwDi+vIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/4C4PVVV90Ta4NNjz5JWtn8mjkjI2HYiXXD+r\nrEGt1b+RMafVRUbwHEzZAQvx9CRfAOMmWHuXtICZXIra+knvo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmf68XuFsh8MPjurPBquzsKaFyFIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXQYSfOaCKVUBCoU+\njvohjl8wFqPidqsaSwcZ/pddfhcCIGJQbQq58YtXbNQUR8MVdQZFkHCyuYcsdV9h\nhMsbnJT7\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIURGos8Ih8K8PEVBjJHcsTqoBlN4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAECk0+fpJ60RCHZd0fbR0qRo74ZY2kGO4S9+e8kI7A6GXzulfe\n7EFbaRXdoYLd6+3o5SitkhaCTALNBbOfIoeUSaN3MHUwHQYDVR0OBBYEFIdTVZlu\n9NWbOYXO/dK7+D27PDj7MB8GA1UdIwQYMBaAFJn+vF7hbIfDD47qzwars7CmhchS\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgPGWEYs6UzNpI+/Lqu01wvwvhXxa4gqy5\nT4NriseZMHACIQCEYid7msmZ+UgeYalydZeaE4oaluMAAoX5PalD06SNKA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-dn-match-sub-mismatch", + "features": [ + "name-constraint-dn" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUYAG6PaicRIyPa39aW4oNBJwCF7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9sTvyzKhEmhAKwgy50Yk+CKbb00AF5MWkU7RN\n6X/KiI0h0IUL54keNaAlikoS0MH3g3/hhIIIZIPaWnys002Jo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMkNa58KGYVx8bGXEUvKH1eCO3oUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgDnBHPN9wLdaGClgi\nAOEpaCoL6VQoRmeMEctSaNhp/8sCIQCLlIANZevpme9QFraNJLkMC1VVIr4UIsaG\npryLNJ2/Pw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfKxQZeQnxtKg6puwxS1mECY8+qEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARaEFbfU3zHVIB82rhWU4JXbzIIpj54roTFIdOkLg5CS9d/Fhha1fqg\nAQaMJeUgLs/1ePfqSTho0StR6HalheVlo3sweTAdBgNVHQ4EFgQUOpOJEUZt2JF/\n7khCabZbdHL/GQ0wHwYDVR0jBBgwFoAUMkNa58KGYVx8bGXEUvKH1eCO3oUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAMvhKRuyUlvHQQyUb74Z9Y+Epyy2T3kH\nLhZva8Q7axtEAiEAxdKA/yMfDFnFreSiyP4W98GE0KRZeWzGDFRRGmY7wWg=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-self-issued", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of 
\"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUClRoKHFxK7JJ7Fwgcdt9T3OachowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASj0j6mWT0vMKSAAmf3ffkgxwcK1Eo5I19nIhJ5\nDNZ6RvvMh4jK6hyVtuZwCpumFW1zeDCApl+lsaxnDCl/ox18o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFE0gdFri9ZOxnEqpXs5Aq2uf2WimMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnHPX2dO7oCKz8eg0Q\nY2fs44yyZF2w0GrJnPFJC/H0jgIgb9oFS+6QnHXbIXDHsCGUgY2y7BJBaREzEhPX\n/eG3vrw=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUeFThrcQkYgH/s21TYuXyRBP3Bi0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtDevoZOtjmUrL2CWGwUe9On/rXzP/pfz9xL2z\nJuG8TX4a/nloYGbKKl952L1kHKBkzpT4h/QpB597kxaVEPhOo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUTSB0WuL1k7GcSqlezkCra5/ZaKYwHQYDVR0OBBYEFN8L\nqCa2Ju36R5Y+/B+f6EuIy4ZWMAoGCCqGSM49BAMCA0cAMEQCIDGyq51WeEKw4+y0\nl938drIvhALMSzmunLOWtjOapkNWAiBLG9DPGQuV6XFMsUhWgUgyEFg4nlG/SWx4\nisrAcAuNtA==\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGj7sFjGic0y9yB2jY48Ckk5YEY4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEErs432rvkizC9kN3PDTeuc4F7gqpKy1KK7nEMlBk\nI1dmOv7qSq3PVVlRO4V3BFb/rnmamEDGD9qk+rodozJ566NyMHAwHQYDVR0OBBYE\nFHRaS7724BfWfTPdHmNNasDzGHUVMB8GA1UdIwQYMBaAFN8LqCa2Ju36R5Y+/B+f\n6EuIy4ZWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLiy/o7cK8kDwHsZGuzQsivqP6Kapf\nrybVpu+8QwGZ4gIhAL1TeBoXItAi8Xb4st+rIevlz0TJ081sngIdOgt387e/\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-self-issued-leaf", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). 
(This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGHkhzv6o6IoKjUM8vozN7UN5A4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9I0+tUCa7JG1K2hvq/bGM70Q0HFzJalJRZLLB\njb4/IYWZLSJk55iwfA+/4J1OLV4ADD0BL2ehc8LqFxxAap3po3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU97PqfiJhvPycyo7th/sUEPPZM6gwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDI0vlnjXckgkBZmyfm/66C\ncEV/H1da6+im3ZCr68uv8QIhAJy536zvn+kGTgev/LggvNpDyiIyNa/2awwM/jsi\nZ07x\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUaAaaXBkqxk7PYL1+EunssXoW+VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ1MFp/qNlROR0Iw8gNn7Q2QU5Cod2QWrFSj8o\ntYvPyerzwmLUxOkgEZ1FzalwyXKoiUiJGzX+saHChkflE4hRo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU97PqfiJhvPycyo7th/sUEPPZM6gwHQYDVR0OBBYEFF/i\nwE9M8XwuAqoId07ehkhUqhEzMAoGCCqGSM49BAMCA0gAMEUCIDLx7ocNbSKDEWfh\nZftE30hxWIDNT9lNL04NfIQiG8pgAiEAn210S6VE7XFostQ6SJIh9HCeTcF6XWuz\ntHdhKsFg2os=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUdEL8xp2DvEYya5+3VK28MbgvnUQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9de9Lbebh1CbmPzj97ti9DYD9WEKGjd9hN4UI\nYlaGfabYNme4ooU0Bx/NXJG4WHhE9aZ/7o3wGG6E9duhcpbgo3YwdDAdBgNVHQ4E\nFgQUr7ynrdmRggxbRP/TeVVIR+oW/sUwHwYDVR0jBBgwFoAUX+LAT0zxfC4Cqgh3\nTt6GSFSqETMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDyizsFBTgPuxV9yRzqPq848\nyFgRMSXb8z7t/qqZXcuzAiBepTa76JkSGn8DpbSCF3kpM27t5NOwfyWI3+vkN1Ok\nfQ==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "not-example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-match-permitted-and-excluded", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUSnwewg2Tc6MX0FVgt+MJAetvbe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdJ63Cqj9xFqZYcFrpgRG/XAMguqOIdkkxeLej\nlGY4AEUq9Go3DkExlstkRhdmm7ErQxK+TfoqcnLciXK9EXKNo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYpchFpoSkj0EmNAICU+khLELLVzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA7wLoHf7zGMkJvwoLb570G+gFAxXrtdvS8aN8hh68gYUCIHptBj4+rxLnPu75\n5A4oyPJTJ5R20dI6SmeJTVCJsb9F\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUeY+tK/b4fD/i1Oui7AupdogTo3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExtbTM78gPd408wu/9lc6YdGq16uV91DnM/UKXSf6\ns608A93kDSkPFEcrhpHh8eroMLbCUGEjK3fEgjRSz4nj9aNyMHAwHQYDVR0OBBYE\nFJKsCHxj6NaN6SxoilpwIWSYjVXpMB8GA1UdIwQYMBaAFJilyEWmhKSPQSY0AgJT\n6SEsQstXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEXhybAbR+oJloZYk+yb7VcR8S6munuO\nPE7sjZx9oDE6AiEAndyliC/FmpHyROj86cYqnMlIZzzz6so95ojdcH/ocko=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-permitted-different-constraint-type", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", + "validation_kind": "SERVER", + 
"trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUUqN62S4ETzXRpEifclOOL4EejHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR04u7p+O+PRPtdnvsAVhoENgjA+NyWqAYbUZY+\nNQX5FiS+KVbzOwHA7YmRg3FnsUVgnKF7ED1ubLdw+tkajfRco3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3VNFfY0vyzWw9zi73vwgE4+cw/8wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDwg+W6xmn59jRB6eOS3xJ2BjQz\nshjIX9qn0sN3xuxhtQIhAPSD6J+qZt3GAu5BzEcrh+VOCnriDbT2pFB3sJw3qECI\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUMZSrBrZo3grHKVHmggz9cs5Em4QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEuWPBqnPe20IJZxQAbdZxYTPuFwZWXnu/Pb3HZtpP\nU/6G2t4/t09tfJv21JvvMy8XBrPurTDGxGtysNb2A/9tw6NyMHAwHQYDVR0OBBYE\nFNCqyP4yRp0IzCNc6gRzGY3Fp/63MB8GA1UdIwQYMBaAFN1TRX2NL8s1sPc4u978\nIBOPnMP/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAXj8hXcOC5j1LS8QnMn6ujMd4Iv+jll\nxRAwFdfQQViJAiAymWMXu5MWox1H0RbniZO2K2F9NiBSuxNKt4kD+3P9IQ==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ee-aia", + "features": null, + "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTdUnCuM/IL0H7aOD7YwTvbvsebgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTXbDZ6weCKj9g7J7143o+3vQrKxYKI21yAUSC\newn11W4LTMcgbVHO/DhDIqLJYTKGHUDdZNr+HqRfmPNp1mzJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMyTD39H1uGh0tgNczOm+cC2bQhMwCgYIKoZIzj0EAwIDSAAwRQIg\nQSqrnywb6AZyPm2wpf/q9sefSN1JX3BYJhEuttwFVNECIQCf3bIY8b+aZnoqmq5A\nAUTsN1r9Rrs7fghiN+AIQBt6EA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1DCCAXmgAwIBAgIULdVl8s8N+5qw2HqL0k9jIICynwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAELEqQX9Fm3iBd4PCFFVLC5zxGyoPOrVHD9LvDCDR0\nT563wkHICWqovg3G9KusmTmNzLWj3ATZjyCXxNM7BKa+XqOBnDCBmTAdBgNVHQ4E\nFgQUMb2kH5GRIv/yjCY//9idpEHLmzIwHwYDVR0jBBgwFoAUMyTD39H1uGh0tgNc\nzOm+cC2bQhMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAmoxp8PFjFOpxJaJZJy2O2SX9ZZl3BGRWO7PY\nmpcDXhYCIQDKLMAKARoVNxww1nboJKmdZn/7vu8G4wpnadykP766vA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ee-critical-aia-invalid", + "features": null, + "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. 
The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUP1kkhSBnXMsLfosNpaeWbrSKucgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEqXYyUDxvFTMiCRlgX1n5kQAL5ZVGu60fk6RQ\nDsgCnyAWoBfppnGiOkTp3Xt9FBSbE3difowepiEctmfN0B5Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFCY2LR9ZjwDfKG3snJj4OmYZZtkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ7vuYcG6csDNW8+iLbgKu48GfIzufVYH6Lbe300BCeQAiBV2D3Ws8t2mv9SEZfw\naIn0VKAVjJcVib37hD72tcPeFg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUUHc3xpSSfI4LUlS4VkCViGB41SQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYU/K0OsWlqFH6Z60U1RjuhcV2L+nVbdZ+1apuVNB\nj2JeUZCujV89EmoFw4dGSQfquECReQVscBnO0yk3/SDldaOBnzCBnDAdBgNVHQ4E\nFgQUApSOgMaXLmTm7SUnrTUMDZeFNoYwHwYDVR0jBBgwFoAUFCY2LR9ZjwDfKG3s\nnJj4OmYZZtkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAoQzTQAsrvRuSE7c83W+t2bS+hX+C/tiQc\nkhRfHWJFJgIhAJ8HXl2TR4th5ydEAb+qsaYxt0lJhPftd50B1oQLZX8i\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::cryptographydotio-chain", + "features": null, + "description": "Verifies against a saved copy of `cryptography.io`'s chain. 
This should\ntrivially succeed.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+
kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nCwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", + "validation_time": "2023-07-10T00:00:00+00:00", + "signature_algorithms": null, + "key_usage": [ + "digitalSignature" + ], + 
"extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "cryptography.io" + }, + "expected_peer_names": null + }, + { + "id": "webpki::cryptographydotio-chain-missing-intermediate", + "features": null, + "description": "Verifies against a saved copy of `cryptography.io`'s chain, but without its\nintermediates. This should trivially fail.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nCwUAA4IBAQBSTN5U/3yp6cGMBXlS5Wc
rB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", + "validation_time": "2023-07-10T00:00:00+00:00", + "signature_algorithms": null, + "key_usage": [ + "digitalSignature" + ], + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "cryptography.io" + }, + "expected_peer_names": null + }, + { + "id": "webpki::exact-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWjFg3+OXrEGV1pz9m/12UzkWAD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqxs6gJswCthUaoAnKs/SmyVgI20SZpiQXRfIk\nG4l9bywQzk39koWRxGmmYwzOIE1I0YjsmnVLHWNRg6aCMN6co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1i8uM59AUH8ZG9rHfteRQIOqLvAwCgYIKoZIzj0EAwIDSQAwRgIh\nAOIRGYmVvSksgSe0ea+aSd36fiPxsmsE0VY7nziiEXE1AiEA7AsuRG348yzJgOko\nCl1lY9F11AaCqFzxFM9aXwwI/14=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUfqS+KaIzPspckXW+5rZuktD4GEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEIO3RnJ2twHD6xoirNCCip2NwKb/caKrm84T93PZN\nPZ/kGvxvFOSjcHKf63/klMv9uaftTINtEjpcMtJsB3nr+aNyMHAwHQYDVR0OBBYE\nFA06jOcoNEu1MMNcqcYZ/1YB18A+MB8GA1UdIwQYMBaAFNYvLjOfQFB/GRvax37X\nkUCDqi7wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDZXZzPsJ6CHncDYxvxnp89c9XKRlV8\nTdqj+6U9a6HwhQIgGDnzNBHfjVZn+GMwRTD1fsR9MTlAsJrRbksBMm5PZ6o=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::mismatch-domain-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbHh6CovDlb6uPMTlcxFLbx4sH4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToFJBILSJqi+n/WK86rcySwwoYiWCoC1ONPb2f\nFL5Bp5HJR69RpplQFNTjyHPF/i10Vrzq+GyYKMh5f/7miryno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZVD+VprnugmEPQPsF5FDF6Ove+8wCgYIKoZIzj0EAwIDRwAwRAIg\nMncBgs5USBmsMLgf+ZcS38W4+qhAstKF5z4ymw7zEC0CIBZRBBPux2Uy1qINxQcf\nxMBNsVMWwvzZ8iGNynoKQQoW\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJHMK9EJ4hqVYBd3pHtCH4cpes8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7Zlcyy4FUJoLllcTiSrznkf2HoufyZWfIlKOcMVP\nuf2nnLm+wdl6cr3om2u2ZwIaLA+h/bcj1b70vMVThg5SkKNyMHAwHQYDVR0OBBYE\nFKfExoru4JiQsZNRUexa6mTVyiTOMB8GA1UdIwQYMBaAFGVQ/laa57oJhD0D7BeR\nQxejr3vvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQClnkIpBZ9yFzNPvInUGihY5SzSsvWn\nsjEMmemzl0T2vwIgepq/cvoHsCY5WDTTQyHTdtjMPGVOJ0dSTAhrukN1Fd0=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example2.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::mismatch-subdomain-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about 
checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUet5mliK4PovJgKk9PBXF5qYJ+OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS40T5zGhzA4ohDMCXtvVrOf2MgnrHWlS5pJLXy\ncQqfey0YPP+JLG+l+pD8Iaz9FPtnHVT/2RPD6l74i8H/kW85o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpsK7gwnbhW14+bIUw0st5wZHg/QwCgYIKoZIzj0EAwIDRwAwRAIg\nRcjL9E132AHBhSlMuUv2B66bjLrc6GdVqhmet9gC/G0CIDX9kHXltVHXYkWmJlqs\nThg7jmXdnQIaC8MFJX9EPVeL\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUVUjGi/8OhKk4GoOdaYpODXJII7MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEWYuu8JfP0c/fU308Zox1LAPj+oJfp5WMvKI7E8Z8\n+tXK93pELlNiHSWqRaklun80n5YuTWgeN2ZSYIY53/ZuBqN2MHQwHQYDVR0OBBYE\nFDhjkuwNalqCynB4d2zb8wWy7AFzMB8GA1UdIwQYMBaAFKbCu4MJ24VtePmyFMNL\nLecGR4P0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6UQpWlUumVEPHEl23SRWMbj5\n7yMAI+7tPKNCGRY5seUCIQC6lw90PxxspaOaYOmkLenXWcFenOD/5qB6YNrgcyBf\nJw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "def.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::mismatch-subdomain-apex-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** 
against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtsGnCkwStYq1nfxzI+rJTGdbw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9XBiQr74hkLFX704vUtddREeVdomrmTIFbmkb\nBMSqQ40BpCOsDJAtpYNnTQHpBoSc34JZlxDWAulwAGuUDMzCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsaB+RIn9eKcs24PzTBITtGdi+vwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKZgi7BRF3/06vBHJj7kqmGftqD0J/NZatWftZQ86p0lAiB3YEDLU0W1FH/6Sp17\n1Hu+kcYAOxnQkyGPho/94zYq8g==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURYEbTkhHCfGlCz+q+E+cfbSpmjIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs0oRsiKpuwcApCQz3e+fFbrvkUM83eO93sUCkYK7\nwcrOPlx+5yu74TVgM7RJXUYY/o73u/7Tqllv3z9vBIUdf6NyMHAwHQYDVR0OBBYE\nFPyE48vAGesrTWzbhLf2zMuvWWaKMB8GA1UdIwQYMBaAFLGgfkSJ/XinLNuD80wS\nE7RnYvr8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA87tvVvbN2Tv1azorfVu6vludpTh2tn\nfZeS+esx+MfqAiAMRoseDD9vIub8yTYln+acMifMlvnR++fDaIUdVJgNDA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "abc.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::mismatch-apex-subdomain-san", + 
"features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR7bd7FS6LaCyUSn0C/6L6PhGogEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiaHmLrdC/HR1S8Swau1kyL9/VoGa4K+iC4dho\nLavM8EBQo9q8uBj78y5X8Z6hUtE2XO/+NVNvwrx0gHfwNfFGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAXzy/Su0zW0U7uj00SGDS7+GhgEwCgYIKoZIzj0EAwIDSAAwRQIh\nAM5UVGlnVSZ7slT8JQjcDlOuW//x7ZdeMXXvCLIgRnapAiAifEanBPxVxsjaOIpQ\nARNs5fXMdP/LpdmL2jNtOJu2kA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUWQNx8laeJMGGI99M2Z3G8tA1rL4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZsPY2IfHkLg+Cfrmc6wbN4eIjCMJZk0tv/5/O1R7\nEDqR5i+HNnsq1lbw9Gg2AO1w7uO4Vgp+tU8Eet0s5Knxf6N2MHQwHQYDVR0OBBYE\nFK3pWJeRk+cUOE5trWID7lK1AJd2MB8GA1UdIwQYMBaAFAF88v0rtM1tFO7o9NEh\ng0u/hoYBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAHwm3Iax9GOMzxYGAAtYUyJbvM\nqajuXZQKKs7bCqPBXAIhAIF3O74Ffzogzyh02HiQCwm2hN0lilr8M5vy9/djTIqq\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + 
"expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::public-suffix-wildcard-san", + "features": [ + "pedantic-public-suffix-wildcard" + ], + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPy9ZBcCLoaQC8qC7cKfQMAxD1ncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/PlzCn9fKT0hSqp8j7H7dXjxRw22sKEhV37Gs\nol9rqsUOrHQBRCaIZ6jIx/3FAFQrN2qxkZXETBuGvBwPJYdMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUc277pK0q2bB1lEWBmszC3+OhjkgwCgYIKoZIzj0EAwIDSQAwRgIh\nAIMwTVdIK28c/Yccc3XPD3wb2narGXsk8vHf/uIQK4OSAiEA14wxeyJ5BcdAmRzr\n0RmfHVndMa00IDDCT9s6xjoLXuE=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUQ4SGtLp9ShVuzBdNObMfQnIYdU0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEsb2o2vbTQpLDmEgxhVpbBHTgShCo1gBF62e/vPyc\n3yRyO3xKzquG5TvDIndtqyvVIBjBhMp7MWcqzURuQDXlV6NsMGowHQYDVR0OBBYE\nFO+q3BHvmAGSti6dyW3qsFIIYPFoMB8GA1UdIwQYMBaAFHNu+6StKtmwdZRFgZrM\nwt/joY5IMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIB8hkWZ8TQ6QnFqUc34aoXFha6g/ZiSy0EMh4vcT\nuJj7AiEAgNylgrcO5i11gUK+j4Y8CZIq+GqMONWmgre0SEVACRQ=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::leftmost-wildcard-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVlfEL7UIrMjx3hub/hivh4KcbGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS78wXDmfp2aGhNXRfgdcFxsz9QeRTHiV/8MdjD\npTbTx3pQ9rtB+WHVHcA3IKrciBBqmiTGpJlJBaEN0Rq2AQsOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURBs1RUGgdG+mSPrDIIa4NZPSrGowCgYIKoZIzj0EAwIDRwAwRAIg\nLcpzvhwuhqigVsVObor9U0NITozOmyoW+F3EeodN/qECIFo/AMGrFRluFNrNpo4p\n1NKt3bFdcVof5bzgB3Rmmgi7\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUdq0YAX0GuQmEzW4U7envVaGxe+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEiOUiXxcnXr4rK7JKNJjMYRJS20qylrlqO6+FWJpe\nTTDoavbcDA0Jyl7i9BHABB31EAwIYU9YmtBrcFA886ugcKN0MHIwHQYDVR0OBBYE\nFC0jsELPTF8ISMiWYgk9HYEagyDkMB8GA1UdIwQYMBaAFEQbNUVBoHRvpkj6wyCG\nuDWT0qxqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANskdjpKlTa3ruDT7uQ5GIzgIHrK\nKxYgZBn/C/SUdrcYAiBQcz4rCZoaEXmoDKlCrbWN27oAx92Xcx/0GuXFA4z/mw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "foo.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::wildcard-embedded-leftmost-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURnlKN0TPxp/AbcIDiALqGEzvYr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMUwHFkZpzcTlp8pYC7pVOKQhcRW8mwW41pIOs\n3sFlzd9ZoaQcDcF0TCWZ7bbYngmLYS+/JSr2eIYfpL98kXzeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzZPo26jXz6BqaeTE0tJzMgHWDbUwCgYIKoZIzj0EAwIDRwAwRAIg\nMDkld6pIMIAxJBFuviViSOQF5cD6zyWF5Zp85oDqkGkCIAYwrVeU7tZBGNHRWShz\nx1IyV7MhMcWtFE/UWHFRtwqe\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUT3bxzKn5CEZJ6UIbxjtfL3uTWWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEimuCwZMYvYAvq+l44yhn6eWFmvGIPIbE0Vao8xHV\nnNYx07n7TsI+g2q0iUSxVEiYfwAfhly+Qjq6IwBVbL0XZaN2MHQwHQYDVR0OBBYE\nFFYn7zNeU3E1ParD2Sp1GArMWGxbMB8GA1UdIwQYMBaAFM2T6Nuo18+gamnkxNLS\nczIB1g21MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiA08z72tffwwz8k0sVk4eJnMn+q\nEowa0l47dgxLSQV2hAIhAJ733aRS2WDgvRk9xnZCrZdRgdwVXDpF3R6+3TWaSdZ5\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "baz.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::wildcard-not-in-leftmost-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character 
comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPQf70ClwwK/iRahaGH6xM+mynA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLeT8gfgseyImBxAclEKPA868gNFxumxeJkIKR\nNtkqahaLx8LfIlqgSBt6bqDGboMS1epcq5LrmSjw19om9ZZzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2dGB3g0xPuQZLUI4RIrW+dIQ2bswCgYIKoZIzj0EAwIDRwAwRAIg\nF/x2TLmy5nFQfioDtjo0a3XU5ixs6fjExLSc8wgHjWECIEe/EP+N4goD4VIKPXp2\nnYcQMz5VnQSMu6qqs8cGT4gj\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIULBRO0Y/3VPcPMMf1IX2mLAWDvQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUCu3zmBkQe8wpZG1hLAlFqU8tIKPWQKKIB9YQ5U8\nfQz25266v9dgSXE8HCynu4Axmo8gCJMTrYUlkJkgnj6mFKN4MHYwHQYDVR0OBBYE\nFMFhNJ/oWAIydwHcW3zj0MoDew+7MB8GA1UdIwQYMBaAFNnRgd4NMT7kGS1COESK\n1vnSENm7MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEJXYFW0gR7vt+lYSXoA+PkS\naZmRXH+9X6hXm3U7dWOFAiByPThqzMB813qJ54GYi4FDK6lFMFquH/k+IlgdgsOr\nvA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "foo.bar.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::wildcard-match-across-labels-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative 
Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNAdbuV/1nCFsFcEh4x5aJNmZrX4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToy42e2/5o5g9FtFtUyVZ69v6XoZh5WyL3uI+v\nUsAQnzOd7Jj45mkA1X7+5ktt0k6gjdSnme5vhnd2cQNo/Gk5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSNdECjEr+/G7N5EHaKY96QpK1mkwCgYIKoZIzj0EAwIDSAAwRQIg\nIzr8gVaXjl/AEU3r4w8X76X/a/e/LIQ4EwQVxqxwaNMCIQCbrUen1MOS1Li7irun\n8ofxi7KaGEEhP8iaG8V3UEzelA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUTzmADW40b4SpDWa1Brxy6bqmumUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2keRMFhsX6BC3IG5yWZaxrEBRmLog2DHaNEgTJtP\n1F+ik16nNpyiRb4OlAh4BVk+u4L503COhwlbcYAyvRdJ3KN0MHIwHQYDVR0OBBYE\nFI75eC15IAfZ5CwGPFrAMXP+jfmkMB8GA1UdIwQYMBaAFEjXRAoxK/vxuzeRB2im\nPekKStZpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAITA15NhhROtAIqPVgSgAixyuow+\nFIchSCw1uTsuUQS0AiEAw05i7QAAlaICOHQ4VN2KvE9/JK7M3kSvUBtfavfRHJ8=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": 
null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "foo.bar.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::wildcard-embedded-ulabel-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUV10VqnxdMHTLUvVy60NltyjU3iQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsk3OcbOYId/eSZKnTyaewd6TzxWq2LHeA+RTB\nBPvC5sBDat5uSC8U8Lb05oHB4XwVT/bYhVqmvmGTe9oAC53Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6N5EgL1m+vlXJFSv91RezfmBeSkwCgYIKoZIzj0EAwIDSQAwRgIh\nAKe+fliLt1ok1tcXEdr0SS2debL5nTFLo9lvOcq752Q3AiEApEG9JQXimquj7R8u\n8trL7z63TU6sox0Th6fVFPi209c=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUMF9hoZaXyitloFwf/oRlYaQoZXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdKB2CZ3jmmstfiQk6Rofsumb9Nv0iBM9px+NGO/z\nx9DIsQiQYegMS+a7h1GsqeMwtEahCRlmEE5Hq1uoy4dnS6OBgTB/MB0GA1UdDgQW\nBBQYZ6iX04iCLRXfxjqvTwPWbBu2hDAfBgNVHSMEGDAWgBTo3kSAvWb6+VckVK/3\nVF7N+YF5KTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAvq5hpckA\nI7hYhUzr4RPW8su1gLHqu0Jarmv1tpbkCmUCID8T3QO8TA49BdyvAhHtPwSzO1Eh\ntea4udfESUYmqf4a\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "xn--bliss-1b3c148a.example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::unicode-emoji-san", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. 
To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfRZdquBneFwAAC566PKen2T6UyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCjKyENEiSg+jN+MX+/FrKWYN8JsiedBWMQRPl\nDk9ryu+JWlhPLPdDqr1WboxiM0tS5onR4FHNcw0b6/70BbLCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC9zK3UgvaG8N9b+ag/SpfoZ0tFgwCgYIKoZIzj0EAwIDRwAwRAIg\nLpJR7sUZebbjmLDHaWGt2EjRGzNV5mq8trB48gaf+RcCIHBKpwM/X3Izaw3a7xfD\ntNEUFZ31vKP49ie62UMhpBps\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUA5lJE7lAhWAGuH7OP5ExdtOyFm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzpOkpyznDcS1wggAnRQ1q4peoNj/BB1ty2GbAWCk\nxrW5ihlNmL4XL1fcMbXxq7kQBjej/GG+c5IZic5Q16sobqN3MHUwHQYDVR0OBBYE\nFNAkh25zNTnrYsDjIYY/j/7FgXGtMB8GA1UdIwQYMBaAFAvcyt1IL2hvDfW/moP0\nqX6GdLRYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfgTdxOwRW8PD9TdIIqph+qfI\nXFaD9OMU8/aBEJLbmHUCIQCi3WzXGWlQd4qeUuoTeHywefTwcN76uGM0VB8LCcMo\nxA==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "xn--628h.example.com" + }, + "expected_peer_names": null 
+ }, + { + "id": "webpki::malformed-aia", + "features": null, + "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeWh3SJz25bi0PRIbYvUSyVzhs8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATygFTzzo7vBqyzMdpQ+YtnQ3h01auVaNB+dHjc\nKyonQyymxNYV2+g28vJncAxY0TICSaHKzrHmJ6f2SN/2E74Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUumNerO56ypB4ktaosa0kp4vtBP4wCgYIKoZIzj0EAwIDSQAwRgIh\nAIgX4cpDgI8P43uW9QBD7DXMZ5q7kkW+p346Fe9nEIELAiEA2YFRnEqxPjJ+cYQJ\ngsVmVW1QsrWvbiA+sX+0SrYYsM0=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIULaMsd9CZ6SEmGwhP0LV1Qh6y3r4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVhRVymNkrWJe3lXz5+fWIClFwkTAAU0MBdDjwoTa\nfmgNx4QAVPFgP/ZM7RN4Fy8S2zEszn8Hz6CtpokrfceMy6OBijCBhzAdBgNVHQ4E\nFgQUCfyGZfguYQb8EjP1CdYSYDDgT9EwHwYDVR0jBBgwFoAUumNerO56ypB4ktao\nsa0kp4vtBP4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNJADBG\nAiEAmL0PS5OqUTLhrRHGFo1UYCsdC61divNLudD1Iql77KgCIQDneE8CvLa0QTjF\nGh/+jWLMtDtbO6FMZEuGIl3sY3ynlQ==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + 
"expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::root-with-extkeyusage", + "features": [ + "eku" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUftG10oPr0BFj5jCFez5uYsj6NuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEgywg3DLO6VIFbgcwTITE6ovz2zVn2Ma4Rfjq\nSZKZRhfYlU+i3CZ9nua/dMH/+Owetqk0/4qS4uhgYDGQdJ2+o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYzZ8b7OuhQVaoh8j0szFkES4Yq0wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAOnPAR5TX7QKkvea5JE+82DbffS/Rk13/a3J\ncp83HDphAiBV6OVEdWtKXBVe8AUNs1Gil0n0Trgg2lWLsyOIB9HBjg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJjMycHllBsn/s98ClNH6LfHjcuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETTnkxOhBV7RJ0RwvsZNM44NSa7nlwmekEjypAEn2\nOWA+3FEMYM7UoS5O6FZ29eNtoElPGf9fabPapHW7hZsAz6NyMHAwHQYDVR0OBBYE\nFAfeyI2a32tMLGz3QKUavIp3SLkJMB8GA1UdIwQYMBaAFGM2fG+zroUFWqIfI9LM\nxZBEuGKtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBljdDh641+7ItAJNYrca/f58+n9cqHV\n/Gsqg/LnqpXJAiEA6s5dcpxMAHtsTlQv7n1o4vvFwHxsTph30bgI5yOQu1U=\n-----END CERTIFICATE-----\n", + "validation_time": null, + 
"signature_algorithms": null, + "key_usage": null, + "extended_key_usage": [ + "serverAuth" + ], + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + } + ] +} From ba37c80662a669852f5c735232e4078367e584fd Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Wed, 25 Oct 2023 10:08:09 +1100 Subject: [PATCH 015/155] rust: Use extension policy mechanism to check for unaccounted critical extensions (#6) * rust: Use extension policy mechanism to check for unaccounted critical extensions * validation/policy: slightly more efficient critical matching Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: William Woodruff --- .../src/policy/mod.rs | 79 ++++++------------- 1 file changed, 26 insertions(+), 53 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index bfc1ba061c14..b7a3cd7d8aec 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -117,14 +117,6 @@ pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> ]) }); -const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = - &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID]; -const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[ - BASIC_CONSTRAINTS_OID, - SUBJECT_ALTERNATIVE_NAME_OID, - KEY_USAGE_OID, -]; - #[derive(Debug, PartialEq, Eq)] pub enum PolicyError { Malformed(asn1::ParseError), @@ -222,9 +214,6 @@ pub struct Policy<'a, B: CryptoOps> { /// If `None`, all signature algorithms are permitted. pub permitted_algorithms: Option>>, - pub critical_ca_extensions: HashSet, - pub critical_ee_extensions: HashSet, - common_extension_policies: Vec>, ca_extension_policies: Vec>, ee_extension_policies: Vec>, 
@@ -247,8 +236,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .cloned() .collect(), ), - critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), - critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), common_extension_policies: Vec::from([ // 5280 4.2.1.8: Subject Directory Attributes ExtensionPolicy::maybe_present( @@ -369,6 +356,28 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } + // Check that all critical extensions in this certificate are accounted for. + let critical_extensions = extensions + .iter() + .filter(|e| e.critical) + .map(|e| e.extn_id) + .collect::>(); + let checked_extensions = self + .common_extension_policies + .iter() + .chain(self.ca_extension_policies.iter()) + .chain(self.ee_extension_policies.iter()) + .map(|p| p.oid.clone()) + .collect::>(); + let unchecked_extensions = critical_extensions + .difference(&checked_extensions) + .collect::>(); + + if !unchecked_extensions.is_empty() { + // TODO: Render the OIDs here. + return Err("certificate contains unaccounted-for critical extensions".into()); + } + Ok(()) } @@ -466,16 +475,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // TODO: Policy-level checks for EKUs, algorthms, etc. - // Finally, check whether every critical extension in this CA - // certificate is accounted for. - for ext in extensions.iter() { - if ext.critical && !self.critical_ca_extensions.contains(&ext.extn_id) { - return Err(PolicyError::Other( - "CA certificate contains unaccounted critical extension", - )); - } - } - Ok(()) } @@ -505,16 +504,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // TODO: Policy-level checks here for KUs, algorithms, etc. - // Finally, check whether every critical extension in this EE certificate - // is accounted for. - for ext in extensions.iter() { - if ext.critical && !self.critical_ee_extensions.contains(&ext.extn_id) { - return Err(PolicyError::Other( - "EE certificate contains unaccounted critical extensions", - )); - } - } - Ok(()) } 
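Review bot: In the block added at `@@ -369,6 +356,28 @@`, `checked_extensions` is the union of `common_extension_policies`, `ca_extension_policies` and `ee_extension_policies`, so a critical extension counts as accounted for whenever any profile lists its OID, not only when a validator for this certificate's role has looked at it. The enclosing function's signature is outside the hunk, so the following is inferred. If it runs for both CA and EE certificates, an EE certificate carrying a critical extension that only a CA policy covers would pass without that extension being evaluated, which weakens the RFC 5280 rule that unprocessed critical extensions cause rejection. Consider doing the check in the CA and EE paths with role-specific sets, e.g. `self.common_extension_policies.iter().chain(self.ee_extension_policies.iter())` for the EE case. The removed `test_policy_critical_extensions` is not replaced; a test with an unknown critical OID that expects `Err` would pin the new behaviour.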
@@ -583,15 +572,14 @@ mod tests { }; use crate::{ - ops::tests::NullOps, - policy::{Subject, RFC5280_CRITICAL_CA_EXTENSIONS, RFC5280_CRITICAL_EE_EXTENSIONS}, + policy::Subject, types::{DNSName, IPAddress}, }; use super::{ - Policy, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, - RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, - RSASSA_PSS_SHA512, WEBPKI_PERMITTED_ALGORITHMS, + ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, + RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, + WEBPKI_PERMITTED_ALGORITHMS, }; #[test] @@ -669,21 +657,6 @@ mod tests { } } - #[test] - fn test_policy_critical_extensions() { - let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap(); - let policy = Policy::new(NullOps {}, None, time); - - assert_eq!( - policy.critical_ca_extensions, - RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect() - ); - assert_eq!( - policy.critical_ee_extensions, - RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect() - ); - } - #[test] fn test_subject_from_impls() { assert!(matches!( From 21b80268ba9d246a575f132a4c9806d1daa1a83c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 24 Oct 2023 18:19:21 -0500 Subject: [PATCH 016/155] clippy fixes Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/ops.rs | 8 +++++--- src/rust/cryptography-x509-validation/src/trust_store.rs | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 47529cf0bc0f..9be641202957 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs 
@@ -73,8 +73,10 @@ zl9HYIMxATFyqSiD9jsx let ops = NullOps {}; assert_eq!(ops.public_key(&cert), Ok(())); - assert!(ops - .verify_signed_by(&cert, ops.public_key(&cert).unwrap()) - .is_ok()); + assert!({ + ops.public_key(&cert).unwrap(); + ops.verify_signed_by(&cert, ()) + } + .is_ok()); } } diff --git a/src/rust/cryptography-x509-validation/src/trust_store.rs b/src/rust/cryptography-x509-validation/src/trust_store.rs index 0b2556d5337a..a6722d90573a 100644 --- a/src/rust/cryptography-x509-validation/src/trust_store.rs +++ b/src/rust/cryptography-x509-validation/src/trust_store.rs @@ -39,6 +39,6 @@ mod tests { let store = Store::new([cert.clone()]); assert!(store.contains(&cert)); - assert!(store.iter().collect::>() == Vec::from([&cert])); + assert!(store.iter().collect::>() == [&cert]); } } From 22328683848a97beda274892a58baff2919ad246 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 24 Oct 2023 18:20:26 -0500 Subject: [PATCH 017/155] derive Eq Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 461ca7c20960..18e65896e609 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -30,7 +30,7 @@ use policy::{Policy, PolicyError}; use trust_store::Store; use types::DNSName; -#[derive(Debug, PartialEq)] +#[derive(Debug, PartialEq, Eq)] pub enum ValidationError { Policy(PolicyError), } From d91f9767bbf93e0def0a336a7aaf5ca984aeba81 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 24 Oct 2023 18:28:25 -0500 Subject: [PATCH 018/155] policy: clippage Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
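Review bot: The block expression inside `assert!` in the `ops.rs` hunk is harder to read than it needs to be. Its first statement repeats `ops.public_key(&cert)`, which the `assert_eq!` on the preceding line already checks, and only the final expression feeds `.is_ok()`. Since the key value here is `()`, the assertion can be the single line `assert!(ops.verify_signed_by(&cert, ()).is_ok());`. The test function starts outside the hunk.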
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index b7a3cd7d8aec..795e00bd24b2 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -369,11 +369,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .chain(self.ee_extension_policies.iter()) .map(|p| p.oid.clone()) .collect::>(); - let unchecked_extensions = critical_extensions - .difference(&checked_extensions) - .collect::>(); - if !unchecked_extensions.is_empty() { + if !critical_extensions + .difference(&checked_extensions) + .next() + .is_none() + { // TODO: Render the OIDs here. return Err("certificate contains unaccounted-for critical extensions".into()); } From 9e04a6ad11e9c273ae5af77a59436386a3147d08 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 24 Oct 2023 18:34:25 -0500 Subject: [PATCH 019/155] remove double negative Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 795e00bd24b2..24cd1ea0ff65 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -370,10 +370,10 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .map(|p| p.oid.clone()) .collect::>(); - if !critical_extensions + if critical_extensions .difference(&checked_extensions) .next() - .is_none() + .is_some() { // TODO: Render the OIDs here. return Err("certificate contains unaccounted-for critical extensions".into()); From 0f21360a54c27ebb91a9e602917f2942e56b6ef5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 24 Oct 2023 18:53:07 -0500 Subject: [PATCH 020/155] test_verification: move asserts Free coverage. 
Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index a2c8b564f30e..b3ac66f1f910 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -21,16 +21,18 @@ def _get_limbo_peer(expected_peer, testcase_id): - if expected_peer is None: - assert False, f"{testcase_id}: no expected peer name" + assert expected_peer is not None, f"{testcase_id}: no expected peer name" + kind = expected_peer["kind"] + assert kind in ( + "DNS", + "IP", + ), f"{testcase_id}: unexpected peer kind: {kind}" value = expected_peer["value"] if kind == "DNS": return x509.DNSName(value) - elif kind == "IP": - return x509.IPAddress(IPv4Address(value)) else: - assert False, f"{testcase_id}: unexpected peer kind: {kind}" + return x509.IPAddress(IPv4Address(value)) LIMBO_UNSUPPORTED_FEATURES = { From 8d9d223cbc011bc15d3171e8d16b681e392964ac Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 25 Oct 2023 22:54:28 -0400 Subject: [PATCH 021/155] drop unused From impl Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 24cd1ea0ff65..14276f7e836e 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -130,12 +130,6 @@ impl From for PolicyError { } } -impl From for PolicyError { - fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) - } -} - impl From<&'static str> for PolicyError { fn from(value: &'static str) -> Self { Self::Other(value) From 5ef5ecb5ebf22d480917a6457ffccdd037bc7743 Mon Sep 17 00:00:00 2001 
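Review bot: The final `else` branch of `_get_limbo_peer` builds every IP peer with `IPv4Address(value)`, so a test case whose `expected_peer_name` is an IPv6 address would raise inside this helper rather than fail with the test case id in the message. Whether the vector file contains IPv6 peers is not visible from this hunk. If it can, `return x509.IPAddress(ipaddress.ip_address(value))` (with `import ipaddress`) covers both address families.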
From: William Woodruff Date: Wed, 25 Oct 2023 22:58:16 -0400 Subject: [PATCH 022/155] Revert "drop unused From impl" This reverts commit 8d9d223cbc011bc15d3171e8d16b681e392964ac. --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 14276f7e836e..24cd1ea0ff65 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -130,6 +130,12 @@ impl From for PolicyError { } } +impl From for PolicyError { + fn from(value: DuplicateExtensionsError) -> Self { + Self::DuplicateExtension(value) + } +} + impl From<&'static str> for PolicyError { fn from(value: &'static str) -> Self { Self::Other(value) From f02458eefcf416c2eccfd057ae32d5cb07d6005d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 28 Oct 2023 10:43:09 +0200 Subject: [PATCH 023/155] fixup AKI handling, update limbo Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 31 +- vectors/cryptography_vectors/x509/limbo.json | 395 +++++++++++------- 2 files changed, 276 insertions(+), 150 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index ae1a54318c78..184764b1a5cd 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -228,7 +228,7 @@ pub(crate) mod ee { pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, Extension, KeyUsage}, + extensions::{AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage}, }; use crate::{ 
@@ -244,10 +244,31 @@ pub(crate) mod ca { ) -> Result<(), PolicyError> { // The Authority Key Identifier MUST be present, with one exception: // self-signed CAs may omit it. - if extn.is_none() && !cert_is_self_signed(cert, &policy.ops) { - return Err( - "authorityKeyIdentifier must be present in cross-signed CA certificate".into(), - ); + match extn { + Some(extn) => { + let aki: AuthorityKeyIdentifier<'_> = extn.value()?; + // 7.1.2.11.1 Authority Key Identifier: + // authorityCertIssuer and authorityCertSerialNumber MUST NOT be present. + if aki.authority_cert_issuer.is_some() { + return Err( + "authorityKeyIdentifier must not contain authorityCertIssuer".into(), + ); + } + + if aki.authority_cert_serial_number.is_some() { + return Err( + "authorityKeyIdentifier must not contain authorityCertSerialNumber".into(), + ); + } + } + None => { + if !cert_is_self_signed(cert, &policy.ops) { + return Err( + "authorityKeyIdentifier must be present in cross-signed CA certificate" + .into(), + ); + } + } } Ok(()) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 4a8072e94e5a..742cc107ee5c 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
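Review bot: The new `Some(extn)` arm rejects `authorityCertIssuer` and `authorityCertSerialNumber` but never requires `keyIdentifier`, so an authorityKeyIdentifier with all of its fields absent passes this validator. The CA/B BR section cited in the added comment (7.1.2.11.1) also requires keyIdentifier to be present. Adding `if aki.key_identifier.is_none() { return Err("authorityKeyIdentifier must contain keyIdentifier".into()); }` next to the other two checks would cover it. The validator's signature starts outside the hunk.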
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQVq52m5E2E/waq2yRAH7sDFMZhEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfNoIQAku97oJFYxEDz86tPlICvOaDrhDkSMq9\n7t9BZE8TZP0fNlkxitugO8ecFvnyOiJUZgesZQzr7txkC36qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKM7G1VOOjr9bqwPhe2nefKQXCjYwCgYIKoZIzj0EAwIDRwAwRAIg\nEPdA2CidwrlFFP872wdDK5BECBfiNs+kdauG+LQBFWYCIDLq9hdmJ+5UfHiknlxg\nNDLX3ezbOo2mPxo5nYI097tJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSslWloMkEhFKLUC3DygjX4sjqMYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjyO0YwM5sRq61AzxLnWHXlduAmUx9WrclpDP3\n6aStANSZ2G+w7jjShAM6fQMDKiuOGMozH2AAScpM6RG9N3vJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUExr9DDhjj+AfRh/rdOykq5cX5kYwCgYIKoZIzj0EAwIDSAAwRQIh\nAPA96B9tU7aX9w3r8eKituIZ2tXfJVopejrI7UBVS00BAiApumw465k6hhe+Bz6I\n8AP5s4t9couAZwkAq+Y2y3Q+vQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAcD7rr/7CK8kL2pi8LD23lkJxR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAzNzMxMDc2NTcyNzI0NDMyMzI2MjQ3\nMzI5Mzc1NzYxNTY5OTI4OTk1OTU5MjA5MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIZKGLRtotlR9vvfAk0hyKwMePG5oZT8woPphRhezpsF3MU4KNIHlc0fhHTHqMzb\nfJnSbrCam0vDxxHD6rSjYICjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCjOxtVT\njo6/W6sD4Xtp3nykFwo2MB0GA1UdDgQWBBSrEWAsW4OvLW2Rxj2CeUGe7+nQETAK\nBggqhkjOPQQDAgNIADBFAiA+ZtgqZQ/UENXrx4c8KL+Yn1nvhm3ij1sVHfmpCFwV\n0AIhAJYhCiMUCWl7yiHbKy/oc1bkA3xIuYliZRpyNylPQgln\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUEMY9R/qbaPSEVaQzmQrB1cOBj3IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjY5NTUzMDk2OTkxMzAxMDYxNTQ2\nMjE5MTUxMDU5NTE4MzA4NTkwNTUzNDM4MTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNuMTFVlH6WcI12Lqez0WtE22U4nXLuxxZ3zzvnBGwZ39XwThLb10UfX/05gomAn\ncG7wfvOshwPyr5nI/G0HIC+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBMa/Qw4\nY4/gH0Yf63TspKuXF+ZGMB0GA1UdDgQWBBRTw18dmhs+Max6Zq21PlMPzt8uFTAK\nBggqhkjOPQQDAgNIADBFAiBUmFyuSHCNC8/lSrwrX/6ec7TMo5W1hNxCtS2mTTGv\nIwIhAPW6aB9HK8sE9WNOiIHRgXdfr3V34HtvvS9nq26wqII9\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUWIFddnBzpriJaCdQYtHP2k4KFDkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczMTA3NjU3MjcyNDQzMjMyNjI0NzMyOTM3NTc2MTU2OTky\nODk5NTk1OTIwOTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATw\nTXdiphFw619w0z1p/zuNDPA5wjJDrte5cDk0DFDaNAurJAAVp3tOa60+N+LlWwC2\nJFgfoGElKYU/495g2xnQo3IwcDAdBgNVHQ4EFgQUcnXS5pQQW14Wh8Gi864gjwi4\n9L0wHwYDVR0jBBgwFoAUqxFgLFuDry1tkcY9gnlBnu/p0BEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAPbEvaN1tUq5yAoghubHMPkHDDEGmFyBA9iOtFTkviAjAiEAvGkFQgWn\n9xP59WaHDGplkR4X0eDJ4R0iOM66OEgjhLo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUB8lXOcuVQ2HEzWPoMWs0KwPuF9owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI2OTU1MzA5Njk5MTMwMTA2MTU0NjIxOTE1MTA1OTUxODMw\nODU5MDU1MzQzODE0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW\nPfIM892nsFWNjJdCxqnggrWd4p/D1HyIE8Rh1tfF5zpnQJc9SwJULbbDyJDXybCD\n/LNLg05EUnbtd/F4VhXwo3IwcDAdBgNVHQ4EFgQUpJDm9fIB15CPrJ6QUup309ky\nY1EwHwYDVR0jBBgwFoAUU8NfHZobPjGsemattT5TD87fLhUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAK376REzVdc2l7ruzhAj8BXkeiCkGlhN4oC0xVMKn2jIAiAkDiGhTexD\nrLU5PaBFdCiTmlAxSE7rMcjwzeGknxAwkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHRrhNIt12Po6OW+63TXLYng3N9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZMT3cL1NSUu3v1jTHzmVIg45HgkdirXkCL10+\nWjE7FdUsXqjrY6yf0psTWTyhAu8utT5ciVqQF+tx6Z10AVuVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpL6Jm7zRC8nnGqh5GkStvqm4sSgwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ6LQWpA6HweOpxkblckWuHT2uErIuJs8p/o2AR0dNAjAiBOp8xXvyV6NE3eoomQ\nhf+55yPH8aIVLy3yUGjjEpCz1g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQvENP/Wb/XcRuBKSqJTjeZ6yZhQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6gysijSGXL8gDL4mLibUaXrboxnSExOIkLk7z\nHMZm2cBuDqMJX+VY6Yq0a+iKrGGBNbddug/0eYParmgeqtxYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRxrwjWoLYncDZDmEHWsJC+s70QwCgYIKoZIzj0EAwIDRwAwRAIg\nGqvSZPbQz5IGKbFd56jHi1uY/m866aVxMlsnfOc8koECIBRAsddOXwnkjOEZqqdf\n7c7goiKvAVucm4hPSzv5HPTz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUF0xE4YzgpSmhif4jA9Iw2yNi3CkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxNjYxNjAxNjk4NzM0NDU0NTkzMjA4\nMjMxNTcwNjgyMzEwODQxMzE3NTU3MDIyMzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDU/JOy35ZplweZ+HuLzJP4RTWNA85IOx3wsJ8SEkdwv3uUeCvZnPG5TyNLrJ+IC\n/TNtNEqv1Bc37I6DNsYQRFejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKS+iZu8\n0QvJ5xqoeRpErb6puLEoMB0GA1UdDgQWBBRQEXvRCMl++ytDpYp5l4s2d9hrPDAK\nBggqhkjOPQQDAgNIADBFAiAA8IK69tn34bRNbVD+jU3sgLe51QQpC6wGuWb6s94M\nOgIhANhavekchx/ymI7DWRk1Ni4zrFN/fIAkKkNznl901ReK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUBcByF/SbuQHuRNykNjyfNH3tYigwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzODIxNjkwMjQ2OTExOTYzMjM1NDI0\nNjkzMzM3ODEzMzgwMjk3OTgxMDQxMzEwOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPvcRf6crmzJ2IliFgqSffHijKvp06OFQMRjluOOD8LRFrchuSMZYH/ztYO0XhMG\nDiV+mAeS5L5+GzDQEjW8T/mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFkca8I1\nqC2J3A2Q5hB1rCQvrO9EMB0GA1UdDgQWBBQ3r169n4SQ9/iHeaaM5USDOonV4TAK\nBggqhkjOPQQDAgNIADBFAiEAuNCqW2yW5u0HFnLteUZh19U/Hq0yeYPnDoWguuTM\nRJoCIAXuNBz3qVWA1NQE07aQHs90TOH7lAn41EDTonuK9s9f\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUSFjTSqI3cwqc998B/Sv7OwwZDbkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY2MTYwMTY5ODczNDQ1NDU5MzIwODIzMTU3MDY4MjMxMDg0\nMTMxNzU1NzAyMjM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv\n/OaSkEqQH3i2dQVRsXjTqKrU6b6ksR+Grm9N9OdpAH3CEE/ahJ7P03skQjJeg8QY\nsoz1ojtBBNyjbuw83nY/o3IwcDAdBgNVHQ4EFgQUO5oIrMRdF865hnFagXQVvwLo\nNxowHwYDVR0jBBgwFoAUUBF70QjJfvsrQ6WKeZeLNnfYazwwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgGSJzcImStU8tEiX6hofM2pD+PbYoOy6OSywWQ7doNcQCIQD/rCmz9JLJ\nlTXQ7HaWvZwyakS/9pFMinV/DSJOahilfw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUDULAArP3ZQD74UF0OGPpvz1XfEcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgyMTY5MDI0NjkxMTk2MzIzNTQyNDY5MzMzNzgxMzM4MDI5\nNzk4MTA0MTMxMDkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATd\nRQOr6OWqg/wX214X7jJxiALrPBofxcoFO3GWS1ZTEJR0/vR7F9oNCySyb/P+oc2X\nmkgfX3MGfQPZvhz9TwCao3IwcDAdBgNVHQ4EFgQU1Ewyo6mySXifz9ut/aasynlk\nvIMwHwYDVR0jBBgwFoAUN69evZ+EkPf4h3mmjOVEgzqJ1eEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgRuNPBay6vto9q8ea8/Eq63QupO3y2rcORgQqAzgpWEECIGNCwOAK+BlM\nx5NMEWUf2ATu+aokzHsg4babrUeA1Ejm\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDaDA6pleUox1oUu+bx1RKPbkW28wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD1KjxrHX2Mel2I7qUQGrx8lsOBchwNHFrQ6R5\ntp4BtX2S+cIbvSktvG0GnBQh+tY9hyWL/ItlsUo8RzzxnpXCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY4Gj3ZBpTKK1O4+B/wlnd8w0unAwCgYIKoZIzj0EAwIDSAAwRQIg\nTKwElOp6yc1fI/YdHWGTNu1GO5i+pF4EXJH2dpetMlkCIQDYybnb5MfEKzkJI90k\nOozbKgHwtRnwGAzZzX3h1BA59A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVPrhie/0yz6a2T5solasTmHK3VwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQR2XvErKQFKbedSnKFsYWGyxZyyynM0f6qsda2\nWp1RYDFw7TGKM9KoSOPbm12pJ1xe/jgcUkBwDjQNE9u+xO8mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0cU3voFI1dXx7VHwXfNzwz8dtx8wCgYIKoZIzj0EAwIDRwAwRAIg\nGtFfqsgvY5l7GcUognZwv82jW6Lq/RGbb5UytttdthYCICqb5a4WLvS4/Y/scypQ\nUg5aKHV3ON+T2JzrJWD2JZ3M\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUC0sW/2iG9SHkmZTpZM88NAIaFM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC83NzgwMTgwNDY0MTMwOTIwNDUzMDM2\nMjU4MjIzNTEzNjA0NjQwMTM5ODc5MTAyMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1Q5psEU2DA4hRIRLjU/pJeVYHBlZwDXDQa5YeqCyYaiCzy8z23w2plGIbFtq7lcV\nNFWudL9JKcl6NIZn8y2vCKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUY4Gj3ZBp\nTKK1O4+B/wlnd8w0unAwHQYDVR0OBBYEFLOzwGrMFTftgSkKhhbe8DC89dRzMAoG\nCCqGSM49BAMCA0kAMEYCIQCur4uVSJt20SmtGE6+fxCjABQH7yclEymM7EQMycyd\nqQIhAIAcv6cz/fj5r7+mcgSqG5e1ZukKVZnGubB9Voo6MgI7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUboYGhaZ3ki6b/Nu8UzILXT7G5d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0ODUxNTAwNTgyNTA4MTA2MjM3NjAz\nMjkzMzIxMDc3Njk2MDQzMzMzNDI3NDM5MDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHk6PESR0PFXv/8hodmmXHFYP3YFrI0B6mKzVjbksFc9Aj5kXwdPh/hxYqr/NpHj\n3oLp2Cm0mL9zp1XRzHLHOtKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNHFN76B\nSNXV8e1R8F3zc8M/HbcfMB0GA1UdDgQWBBRxrtI2GMJlj3J3LX2ie71bJQgqlzAK\nBggqhkjOPQQDAgNIADBFAiADs7TVbRPzvPgMZO8WCxdeIPuzShxeqK/fyoJ7aJyB\nYgIhAIq3I2MWRlAG3x7s9CIuG18/zg947LqmO+r0MYk1BnC9\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUPU47mDywVvPLws+7btSxm8T3pI4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzc4MDE4MDQ2NDEzMDkyMDQ1MzAzNjI1ODIyMzUxMzYwNDY0\nMDEzOTg3OTEwMjMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCjr\nf092A93N44KQ7v2+DssYX17kNqncydo2+O+KlSPQjdiHnXSIS9ABXWq0R9+9wf+x\nr1yZDSNZ9eO8WPkgHOWjcjBwMB0GA1UdDgQWBBQHztpzlYNXzkDzbELzWk5Wzw6F\n+jAfBgNVHSMEGDAWgBSzs8BqzBU37YEpCoYW3vAwvPXUczAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAtMmx/MqlLDvdcluIR9QCRIWxSML9dHD3ZmvyH5hb2SsCIQC4D1LCt6/u\n6uOpumrIegeP1SnzjVxSLgk0lXKWTGnYsg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULl649rRr/1VD30gx7ZU/LTdglX4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg1MTUwMDU4MjUwODEwNjIzNzYwMzI5MzMyMTA3NzY5NjA0\nMzMzMzQyNzQzOTAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARO\nx84aYhAFWabJeXOQrOABb3bNzr7RxQMppAwVPBJ9pwg4eAy2Emr+uR+UZrz92zNL\nhqzSDs7szMATGYULKWyco3IwcDAdBgNVHQ4EFgQUEVSbaOCV5dz8xlbLTip/7jE0\nSdIwHwYDVR0jBBgwFoAUca7SNhjCZY9ydy19onu9WyUIKpcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAN+zfEXoG+PcqD7twoW3CAEfRzZj6O3RwR2u+LfA3uNHAiB0iZkbHPvK\nSgNyimFPTI+fy9nTDC65a//4/SuPXoOdgw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH9IOKhwFCiLmSVeHFvWquGieqY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq/UgSIzhW/MsS99k5/14TYHLUAqH2PSdQv335\nBBSYimvRalNYNlKhxRapEw1U+7les5kK5zh3ly/wLSKYdWhKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJlnfOKxtLUvKP1WZvrWmS5PuYuowCgYIKoZIzj0EAwIDSAAwRQIh\nANXqvS2ZjrfHCvnOGU7FFDDxGBmJ11P+B9Tfl+/yOLpdAiAax36Ct4Z99uKh+T8o\n9jmOWJW6+Y8NshLhDbnnQjGBwg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJdyxEBOBYsRtjZs+z6WB/F1IduowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZ7+5XG2Z5+QMqQKl716jXOHC/44dyeo2L3AvC\nXgVzLHcu5bRveuNzsyDgyYP1c3JgbQ3adm+HtPfdhFtM4Wjwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYFIShcJdvpcHDOiEEk9yM2Qf2oAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOmLoU1khH/tapBwjL3dQ3iQopQ97DzI4V1wzOPM3VxCAiAbPjw/EXJ1a4kqqZlv\nfGzVlk1maZfTA1ISlCasDjjbTg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPwAFUjOlCPH3L1kjnUsAtONdA40wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxODE2NjMxMDQyODgzMzc0NjIzODky\nMTI1NzcwMDgwNTExNzc3MzUyNjQ4NDAwNzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM9TD37p7FW/eb3yraSErIffkcB/+3DeT45yhGN7pLLuvBDTCXPjfZD7Mq7m3OCh\nKUfBYFMx57FSt/K9L77VwaSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCZZ3zis\nbS1Lyj9Vmb61pkuT7mLqMB0GA1UdDgQWBBSibjRsYGecrWeB6y0oWQczkz4uUDAK\nBggqhkjOPQQDAgNIADBFAiEA5gvaIv+eAG2f190v6PFDBqm2Ny2rndoZROWsT3PM\npfYCIDotSqxq1BmjNEdDrz278233s1QwsdUzdpgmunfi0vx8\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZlyKE+XvxcmyY7K3HHfz0hyazb0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyMTYxNTQyNDY4MDkyMTM3MzMyMzk4\nNjY1MTIwODgwMzU4MzEwNzAwMjc0NDU5OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDx+BOt73/FsLca0tooItlTdeHRT0zcN4i9ye0qy5vJJnByn276K6wP4Vtr2ni3+\nitP076u7rk4XKHjvQeEjMiSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGBSEoXC\nXb6XBwzohBJPcjNkH9qAMB0GA1UdDgQWBBQ9DUlux00rbbXV0W86XXhhcei6IDAK\nBggqhkjOPQQDAgNIADBFAiALKQhtMrWxYs298ZA24POh1ql2yLDOZH5V+VwJhlss\nfQIhAO5gCnSVeIdmBGT3XCB2aONkTloe+pPL/BY8xCL474HF\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUSTIZMNXCHQ2nJHLD9CmnTRzeO/8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxNjYzMTA0Mjg4MzM3NDYyMzg5MjEyNTc3MDA4MDUxMTc3\nNzM1MjY0ODQwMDc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDM1OTY2Njg4MjA5NTEzMzE3NDU0MTMyODI5MDUzMjMzOTgzMTIxNjA4\nNDQxOTQ2OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdpe4+6D3lRWQUgsY8Pg+5OG0\ngrZoD+onzhLgFKRV0TreUhWTeu6F+RVfH6O2uPTtoc1RgHxftcoyaDx93PwKF6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUom40bGBnnK1ngestKFkHM5M+LlAwHQYD\nVR0OBBYEFE7IROnaT96wz1QY41KY5hQlhvlzMAoGCCqGSM49BAMCA0gAMEUCIFbK\n5A7VUfvMsbbtRnZ8xToQ+EBZRN8fmLPZ+3Jihn/2AiEA/ca1cK262sR8ATnGH0Qf\ncwpuwOiXk8MT+ykw0DoNBvg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUKJPex/NAl1g6F/PR3HdcG+H7H6AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjE2MTU0MjQ2ODA5MjEzNzMzMjM5ODY2NTEyMDg4MDM1ODMx\nMDcwMDI3NDQ1OTk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4NDM4MDc1NTQ0ODc1ODE4NDgxMTM2NzAwNDMyNjUwMzI5Nzk5NzQ0\nMzA5MTkwMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfrIiUGkW4JjH+qq5i/6WlYdn\n2m9jWI6s4zhFjyDrCYwAHH3ROMBmTS3qhJ/9ZvfDkyWh3dz17q6NTYb2iry7LaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUPQ1JbsdNK2211dFvOl14YXHouiAwHQYD\nVR0OBBYEFI55E/ragrre0oXNZwMWANg88w9FMAoGCCqGSM49BAMCA0gAMEUCIQCe\ndxthmzlkfJkmadtvqWI/e1y/cjkhY5xNqriqqXlH4QIgI61R/eIIbD5QCN2NpPcM\nHXBpm7u6ccpaFyE/H/WYKbI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFVfNbR2nLFOkTTuMhan7oAAR3lowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVKAfwhcUnwqLnvjk3HD8dY4kclIyfUWzpQLg0\nuzXUf7QHfrKFDfArsHGQ2rmH435BYz7JFQBVyF8pce7QDtq9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHziE5hMyqalSvV+6+Tvhc3NDZ2wwCgYIKoZIzj0EAwIDSAAwRQIg\nK55IuqSFmp808OJiaDuM7Zd75gN2sUs3SVcaoqHUR4ACIQCkkP06CDXvuK9H8VwO\nuv1i5PrC6ROwZE8iJTHcglAp5w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfXGSMd04EBRhlB4o//CM2vazXuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG2jBFFvRX2p6cDeWscwzlaA6cLwHHBNfhoLuA\nZSQf9pDrjU3n061LSy1jM5/vJlyfuhH4Yjl0qxQ8j5Xrapn/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4BGVgenjzFpd71Qav+weQXKyrMswCgYIKoZIzj0EAwIDRwAwRAIg\nA4IdE3Joi6VgPnLV53LvwWdN4csZo4HGlChX0vyRCOQCIFOvXEZC56LVAXFcbPuq\n8nUZcNE84vrO5ypynCZTe20e\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPQkrQva2SUQWDd2tXhxW1Qr2odUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxMjE4NDY4NjYxNjgzODI0MjM5NjEw\nMTE1NDAzMjY5MzA5ODMwMzI0MDE4MTMwODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAVEsC6GxYymVxtZiZ2grPb8Vl5oeARfF1CfDbAFBqZ2kI4gbEmbyrTNheeJz7lO\n6/sGwQZe3Uz8YJYof2PMFt6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFB84hOYT\nMqmpUr1fuvk74XNzQ2dsMB0GA1UdDgQWBBTfNekfoJTBZerQgK4K5p/PC5mddTAK\nBggqhkjOPQQDAgNIADBFAiB3cMyuDkWUlV+z7+dohXmkHE67eTcBL0jSUjc1WOXZ\nXgIhAJL+c/g3jfPUndpKVhwQzuEjhd0FYxd6ToZ8EvLmbDfX\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUPNEMd8xPriL5nsZRREu2zH5upCEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTIxODQ2ODY2MTY4MzgyNDIzOTYxMDExNTQwMzI2OTMwOTgz\nMDMyNDAxODEzMDgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDM0ODQ1MjkxMjM0MTkwODg0MDA2MDYyNDE4NTQxNzk2Mzc1MDg0OTgx\nOTA5MTQxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOYT3nU7JGyoOjbXzpIC8LCbf\nkE07iAEJWX2QpZPRBYO4AY82gmIABd6Y4fKk/+2QYB9/BcOR8kJITu2dd5dm9KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3zXpH6CUwWXq0ICuCuafzwuZnXUwHQYD\nVR0OBBYEFBQymhu5RZDnvAhkNl+iKShlJ7yoMAoGCCqGSM49BAMCA0gAMEUCIDvI\nczJoM2Un4n501LMwIAGDBOrmVvS/PkmbWBU3ogzBAiEAgVI4W0CQwoXZlUx1teXg\nQ1Gfn9mI4o6HvcE8CQUbTno=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUHsoFwI/FYFg68gNw/gSnRRYTzoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTYxNTY1NjU5MjIwNDYzOTg4OTE5\nOTIwMTQwNTY0NzI2NTEyNzgyMDU1NDIxMTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGltwgJc3QFYrBRVp7qIoXEt6euBU2XUdR6mRZ39FWxQ0gsxmahfZllHwRj3haY9\nWlRWfXiMCgymNYD4MNogosijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOARlYHp\n48xaXe9UGr/sHkFysqzLMB0GA1UdDgQWBBT7+wCcb5k6cSPqee67wfBCjh6PejAK\nBggqhkjOPQQDAgNHADBEAiAw3NH/gB7vY/wV0b0H/rwjpMPOtBgJj2VRnyzc6Ahj\npAIgBitWZoTRfx9dlEtmS0sKGDlCOoh8SLuwDgdrwZSK32M=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUG0cqDF6vYVLUYD/izJGAs/Aqf+wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE2MTU2NTY1OTIyMDQ2Mzk4ODkxOTkyMDE0MDU2NDcyNjUx\nMjc4MjA1NTQyMTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE3NTc3NDk3NDc0MTU2NjkxOTIwMzAyMDAzOTA2NTU0NzMyNzMyOTMw\nODc1NzYzODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENCRUxMbkveC0Z6COsB3q0WB4\nZXudvIUYldP6HwhZvy74Diry3JxuTWM7c0DD/D5PTAfoej8pCnSb2Ujgm7HJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU+/sAnG+ZOnEj6nnuu8HwQo4ej3owHQYD\nVR0OBBYEFCneoKj7BP91GgnggLwTGdKZDNszMAoGCCqGSM49BAMCA0kAMEYCIQCS\nLsLxqBXnVad2TjS/Y0/h79keIHBsrpc2eFPmZjup5QIhAMaEZBT6WvXUOftzWpBh\nHp/6MTl0BvuRcbF1vOIqxQf7\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUcoS3OHlZSOSoDm9LMb9zV8J5koUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQ4NDUyOTEyMzQxOTA4ODQwMDYwNjI0MTg1NDE3OTYzNzUw\nODQ5ODE5MDkxNDEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3\nSboRQEQBWblR8xTMW3pN6AhCXiMFnIOTCOF60IZUghMlmwadEVmJWp3Pz5p6yMZ7\nJ8ggIgsPUcAFfwmv+JnDo3IwcDAdBgNVHQ4EFgQUWBGu5BB4li2yGs5aYT31ARyx\nG04wHwYDVR0jBBgwFoAUFDKaG7lFkOe8CGQ2X6IpKGUnvKgwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgf0NqHIaHpRiC652gmaBhDjs2HhEWaIkVr+1acwTOVvoCIHBv6Hr/QEcH\n6hcQc6Ko9y12vLVtNwo4I8Yu57x2fn26\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIULDApmjKfUEMCncYPrKL4WfLW0pAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1Nzc0OTc0NzQxNTY2OTE5MjAzMDIwMDM5MDY1NTQ3MzI3\nMzI5MzA4NzU3NjM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARc\nIdeb5mKuuI26WYqGYYY2Qh9SvtlrXqSdB1OVzzeLfsytxCiJdhzXgKR0DWqBNx1u\nQjSNivkmmyBOC+J7ADPlo3IwcDAdBgNVHQ4EFgQUpEZBc28SeszkfkhWM3n3e7wc\nHN8wHwYDVR0jBBgwFoAUKd6gqPsE/3UaCeCAvBMZ0pkM2zMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJFGnEk0RtbGMdstRoT8cQrqr+iSvwt+D16k3VRuz1u0AiEA7q5sO9pB\nuXcsYgqBkzDFOY2C3ZfvCOWOq1J4xgO9b0g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP/vVP0tSomSW+KGRe3Uyte0lmSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbNuxZM7hpg6w9lbDNJ8R3NmY1LWNtpKmR5if5\nKQ7LHpFrguYqz7FE/lAWU83kTn7JH266IUHKR+gPE6KjnyfXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8d8m5cxrAdwiISCdgCX2rFuopn8wCgYIKoZIzj0EAwIDSQAwRgIh\nAJGx/3EyGC403LiE6JIXw9OHRLxK5nPthKFlWSRxS2A1AiEAqgp2L39yuv1KaC8B\nsCWp/8zNHjuq0JuIMeNXB8KvkFA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfWg5cXyPJXTlIkRU8jLoAhVn9Q8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj7gD0A2JmTXaphZrElRT6DFQxwSV4VZnHJjM3\nrZ28TPIikN1wyIXc5LJZN1Z4nSIx147NfUxWVaAvqS2IKz+Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJuqZJZtnPPhBsjmGyXQVafed9xkwCgYIKoZIzj0EAwIDSQAwRgIh\nAPnl3H/RFH5j5TqediqCo8a1pao0hds5MgDFSeZa8vIPAiEA456Uc+iDQicRD5al\nzlf3j7V/puODDHSasXJ0L3UBXQs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUGf7hWZ5rmhlb0Hmzv8uuYzrhI/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAzNjUyODI0ODIwNjE1NDY4MTkxMzMw\nMzYzNzYwNjI0MTMxODMyMzQ3MDgxODMzMzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBH1/K9AXzBPQB/uR793lIfy/KIxQNM6HGVj4+p/wNliYDeN6GAY+d1pQSODfbnD3\npy5y53Q87VdUa2yPUX0X1aSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPHfJuXM\nawHcIiEgnYAl9qxbqKZ/MB0GA1UdDgQWBBRxcWxnu1kiMW/Zuviw1jfnL7QtMTAK\nBggqhkjOPQQDAgNHADBEAiA55CRFfal41srofF8QWxZ6s/b3sI2k55CxnvvwQIQY\nbQIgY2DNx60WV9XbQvQvq2YvZIVj1uPldg5BK+1GA3czJcQ=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUZNJBg/D6HogESQxz/zQ3PZJszoUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzY1MjgyNDgyMDYxNTQ2ODE5MTMzMDM2Mzc2MDYyNDEzMTgz\nMjM0NzA4MTgzMzM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDE0ODQwODc4OTMxMTA2NDc5MzAwMDg3NTUzNDg3OTE5MjUyNzI1MDA2\nNjA1NjE4NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbKe1/v7yLQ++9rrgAiUnmbd6\nGt62Nw6PMe7nM6J1gRNCXLeJ3b2siBL+U2+FFDF3UO71K6KrqrGewQsMmUYCnqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUcXFsZ7tZIjFv2br4sNY35y+0LTEwHQYD\nVR0OBBYEFMA1On4PDu+n1WoNCi9evcWXK0NBMAoGCCqGSM49BAMCA0gAMEUCIQCC\nOYBVxdTGDgVPHwdSHKQsxbx93M+qd/0IZ2wZzYY0zQIgVbYhnSBNhgu8499+rrpc\nhj5Miz7UrUTrfYj/ZPYNpnI=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUMxClCq90rZuVqtR9DY+ia3ll5KEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTU5NDgxMjc4NzE0MDAyMjczNzQ2\nMDM2NTcxMjA5ODA1ODczNDc4MzQzMDM3NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGpQDjsBV+IBTqVCa+fqOVS+vn+urRj4IlIrqQF66b7zEGHu4Mg5WEJ2Z9FT8A6C\nki+b7IKnxY+anm+fiORV+HyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCbqmSWb\nZzz4QbI5hsl0FWn3nfcZMB0GA1UdDgQWBBS0e++KJd3U5IRoSj0pPDu+ArOxczAK\nBggqhkjOPQQDAgNJADBGAiEA3SBnokQv1clTvTGzo05pZDcjQVTXSHzKEJeG+eZK\nKxsCIQCMTEYhsMR7h5LxGIKmAKcezOyMYKI1u2xnFngoeb2uRw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUP3EobY3h5vtEYnCchFTSpyEWmEcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE1OTQ4MTI3ODcxNDAwMjI3Mzc0NjAzNjU3MTIwOTgwNTg3\nMzQ3ODM0MzAzNzU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI5MTUyOTcxODM5ODQxNTQ0MjIzNzczMjk2MzM1MTQ4NDI3NDgxNDk2\nMDkxOTcxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB4ZHqFccOxSqQayhNr33U77t\nTQAADZs7GH7E34skBD9zdHiTyCGoGBAgKjDd0nulT6aP5rhl8ds9Gr07bFbaqKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtHvviiXd1OSEaEo9KTw7vgKzsXMwHQYD\nVR0OBBYEFOk09CcyS4X+nxQeZDtWbEeClxJwMAoGCCqGSM49BAMCA0gAMEUCIGW1\n3IGNGIM0oEK2+RGehv00FQZXWiQ59+qZdAdgAcWoAiEAmHxAgMhLp74IR3WkabuW\nGGIguWqTPaM3gwfqkwf4G9Q=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUOtMcPUhCY7T4foWdZZj2YsL1klQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ4NDA4Nzg5MzExMDY0NzkzMDAwODc1NTM0ODc5MTkyNTI3\nMjUwMDY2MDU2MTg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARm\nXrhuC6H8CCyCIRz00iOTJnbYzq7ECm3PNGzZV7X/NA8eDxQ2GaQk/qu9SgbDC5oj\nQEGxp+RAww3i46ieiTKOo3IwcDAdBgNVHQ4EFgQU4AIwqp+LAyiOHKGlZ53ICSFw\nmIMwHwYDVR0jBBgwFoAUwDU6fg8O76fVag0KL169xZcrQ0EwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAKNG4nfwpuL55ykMYSjWFoxefCPmFDwjTpYCR4b8FZeuAiAu8JRjzCLD\n8vGZ6CSzChZUKa5XBZISx0OSpb2kn5GX1g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUIHG0eIqeI+fibn+hXvXPRvkQdu8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjkxNTI5NzE4Mzk4NDE1NDQyMjM3NzMyOTYzMzUxNDg0Mjc0\nODE0OTYwOTE5NzEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARO\nlnpRQaRthf4MrMnQPMZzgV3pIyxcd83/7x9CX97mdOfr4W7UTsMDAiubSvs50fmB\njjluURNP1Qzw5aViR/QTo3IwcDAdBgNVHQ4EFgQUqLJmAUWPpMCHoYjY4/PWQiap\ndPQwHwYDVR0jBBgwFoAU6TT0JzJLhf6fFB5kO1ZsR4KXEnAwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAN4O0fpXYhhg5B/Tb0Fm1nDZMBxknb/W1bc0RPfWjJ3DAiEAs6O9WijO\nCcrYKNmmKIJ3oUNuJVihRqhndMlVVxyewxY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUERqHWf1YfFAZELkUtvq8xL1rMmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwF+VvRURKlw7Ms4ttQkiAqLysYwvHPVBu6DrY\nxu7QXizvWVLNw3kkOpRSK7nyqia/vw7OIpBOUSkIdOT3+Wgio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMFytRjouReKiRWwCa+IPhsOf6v0wCgYIKoZIzj0EAwIDRwAwRAIg\nYE32v74hhOgDXJePggzsDy7qQityM6/+9vnQnglE4l0CIH80yOtg9zR4JljsOBYc\n86vcQr57asAqBJAaEoPAtdvp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVUYmqDCBKsCCl9MqXlIMXY4GNlswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3LRxxHYIE2HrSzh99vr+j0IpcA6O/5S7ctYNW\nPH4mOvRmUA8QoZ4SZLMl33OdmtPG0VeEyxeCT8ZvDH26XRDVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn3EGsW/Z155aQUFOanV7mmAYM7EwCgYIKoZIzj0EAwIDRwAwRAIg\nCEDbTQUfnCipUV+TU1mBUiNLNKX9Qa76lBeE5dglKE0CIEzleYNtlnvkSogvv1k9\nFHfGQ3jHMd3g8LiNsM5D/mGm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIULJJN1b1F67WWSwCtVN+dBgEzN0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC85NzY0NDQ1MzI1OTY1MjYzODEzMjM5\nOTg5Mzc2NzI0NzYwODQzNjI0MzUwOTg1ODEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nFJdoj2eXOpmTdtD0/Aj2/GAIQf1A0+lIDkAAxUHCllUhq3fCH3TGjdmVfzZziF4c\nGjPS9IjeRpMh+2gtFGOl46N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMFytRjou\nReKiRWwCa+IPhsOf6v0wHQYDVR0OBBYEFGvbYxEI0JyCwNv+rlzPH1Wjnt+IMAoG\nCCqGSM49BAMCA0cAMEQCICQCXYpeY0g5/Pg8yEvAvT9uc2yBpvvigGSUYu5oNxED\nAiBUmXmqCaYLYdJeKTyoT8+CDY7kQr/GtCjdE1IbnXkuiA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUT+X1bZ/sFpAi6Gz+E7k9CFSgL2owCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTc2NDQ0NTMyNTk2NTI2MzgxMzIzOTk4OTM3NjcyNDc2MDg0\nMzYyNDM1MDk4NTgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowZzE5MDcG\nA1UECwwwMjU0NDU4MjgzMDkyOTgyNDUwMTgzNDYyNzUzNjQ2NjI5MTE1MTU2NzM4\nODE1ODE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARWG+/fgoT28sRfb5l21ci9U27Q\nRral0cw7+mRoCy0HnfRSYHAIwEbZCd6MfDIDD+rHXIUJJ/ONVmJZgb5BZ8QWo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRr22MRCNCcgsDb/q5czx9Vo57fiDAdBgNV\nHQ4EFgQUnUZSdvMwMNOGKJ6raO10TteRkFkwCgYIKoZIzj0EAwIDSAAwRQIgTAzd\nEO00uh/muM5WtYCPo8HbhjYF8Sy8zVpHmslbXccCIQCujhnuzfcBRVE2tqN73sdr\nmmV7Y+Ar4jrMYL9afjd9tg==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUB/Sn9ijJrlcPqVzhJfs3yv46s6wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU0NDU4MjgzMDkyOTgyNDUwMTgzNDYyNzUzNjQ2NjI5MTE1\nMTU2NzM4ODE1ODE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDQ1NjEzODUyMTM1ODk1MTIwMTc3NzYzNjk4NzUyMzA5MDQzMzY4NzM4\nNzM4NTcwNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPtm+eIY19bcKRq2t5wo9MPOM\nO35aV/AkkYv7iH5FeEsRpsMTRfifBWLUeydQxuiG3GiwPdpZERktqFTHIuZoaqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnUZSdvMwMNOGKJ6raO10TteRkFkwHQYD\nVR0OBBYEFHrIqfaqn9NUvr7vFvTCqaz1xCEqMAoGCCqGSM49BAMCA0gAMEUCIFgW\nri0/FZamR133Uv9ktLwOdwQMrHpFhiFqArNt7bGKAiEA9au0LAts3mm1Iu8R2W2o\nR+kifYCu0pMquTeaBozyCyE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUIlc4M7U+rKKbHO7ieRae308IPnowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0ODY4Mjg2MzUxODI3MDAxNjk5OTI2\nMTMyNzA0OTU4MjY5ODYwMzI4NDQ2NTAwNzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAoJVF+oX5cG0/BgKQhIFbyzxwryTKFiIarDzfX16u6fZVAXEftq6QcXD1lGWyAD\nH/WmMmNhpILECDx9zW7Gk3mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ9xBrFv\n2deeWkFBTmp1e5pgGDOxMB0GA1UdDgQWBBSJ8FdxBsZyshFdhnUlhVNLEXhTfjAK\nBggqhkjOPQQDAgNIADBFAiB3TgxNCJrtaUnXWNxCKXDZxwmJKVmYQy70GqedfIqI\nwwIhAI0ZuAZKwTLJfKlOm0U2AIHlAvFbnBlZ//wGZPrtVgxP\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUa4lDVqgyCvt7Aecw4WYul6VDGz8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg2ODI4NjM1MTgyNzAwMTY5OTkyNjEzMjcwNDk1ODI2OTg2\nMDMyODQ0NjUwMDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE5NjA1MDc0NjkyMzYxMTI5MDY3ODYzMjU4OTE1ODE5MjU1OTUyNTk5\nNzMzMDA0MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZHvWhNed1C7MdCzkMTT6GSIm\nH2PuJhrLD/Y/DqduotP22vXK6MCjHAIDtRy0l2gX+IzJqtLKGONm94cuOmc9+qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUifBXcQbGcrIRXYZ1JYVTSxF4U34wHQYD\nVR0OBBYEFPSgMSy9yhJW+eCxGFqNUn6Kf6oQMAoGCCqGSM49BAMCA0cAMEQCIEdM\nes1d5Q7djJIgq5tWWQUlDBFYFJmN3caNz5OI5frwAiBcC1v16KmnosacsohiWPm1\nO/rIc0HcVMfs9eBenpU1qA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUV1ztkwHsv3E2oQuhRGpbup5enRQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk2MDUwNzQ2OTIzNjExMjkwNjc4NjMyNTg5MTU4MTkyNTU5\nNTI1OTk3MzMwMDQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYxMzkyMzA4MDU4MTM2MDY0ODQ4Mzc5NjM2MjUwNzcyNjc3NTk1NzU5\nODcwNjQ5NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7NKk1gF4M9hc14BGVc2q9HPW\n6TQKyi8q4TkL9AO0z/abow9k+Sa0+2lNG80O6cA6q+4xME4r40E6Uuq/QeJU86N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9KAxLL3KElb54LEYWo1Sfop/qhAwHQYD\nVR0OBBYEFHUnvULlr4ZTAX2J9ZexcEQt8VgBMAoGCCqGSM49BAMCA0cAMEQCIBxq\n/dD6Efh/1k+qf18pyNYCklQUmhucMgAKO09MVL2tAiA1NWyGhxhN/QoJZpRtFd5y\n7NufJmaz0sXgUDvOsl66sg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUeVlGusz7oo+wf0PV2fIN86HW/mwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU2MTM4NTIxMzU4OTUxMjAxNzc3NjM2OTg3NTIzMDkwNDMz\nNjg3Mzg3Mzg1NzA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARh\n7u67PIYiKzUuyQf3BiSXCImxDcqe0EIh82neHzhlJebeQnHk7S+K/pnQE/fsFh0y\nRsDKSBloRLSB5NsqbgQ3o3IwcDAdBgNVHQ4EFgQUZJXW8Ik92SVajknOHFAe64X/\nOCUwHwYDVR0jBBgwFoAUesip9qqf01S+vu8W9MKprPXEISowCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJZDvBIUyAAH9Z88WfC+sWUDDCf8fam8673t9ip0xeFxAiEAnixIIum5\nh/rp8LAGNsv+tGYPGGnUpCRDp9SWdVM8bbc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUO4nOHzKiMd2RrWLGbR6m6hsKq9wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjEzOTIzMDgwNTgxMzYwNjQ4NDgzNzk2MzYyNTA3NzI2Nzc1\nOTU3NTk4NzA2NDk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATP\nO8MHB+Jjj/ZP2kN+6eFecBDITqkC6N9I7h15lBH5QYNDONpgfjBzXvriCu9f4tnr\nzTXUEpu5tv06c2vQIpiFo3IwcDAdBgNVHQ4EFgQUPhr6mZh7Xwed2RXrIBXZB406\np4swHwYDVR0jBBgwFoAUdSe9QuWvhlMBfYn1l7FwRC3xWAEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgVzvjPqvQWeuc5dF83wsNFlymqh8P6FXXyvgpOEZ0IlYCIQDMkZ4RwpyM\nw3D1GNQ8WyB7vD++9EXmoj1G4AQWkF265w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHn1aB54mKvlwuQ9Ki0y/KygGYqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbina5eCgjsL2rCo92cjyr4TCLCLWasyAtBN1S\n9KfDKveqbrbAslagieZvqMQv3XEXiu+bLUnb7fHftx95DHuWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4k6yzpP8LXvBvFcZA8M/56DYrWAwCgYIKoZIzj0EAwIDRwAwRAIg\nR2dPfZOGGqbQV9ZbPFggBR1ejlBYNUxMSPEXGQeaedECIFcX9OYlkZxD0/0r0LXV\nv6iSdtNFHdkNut+u6dOWndFa\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUB8JC5t4WuBbeACAb2OD02nAMWLgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfLMTWxdoLyFXVEJlyS44cs3aq4MQpo6ycduXT\n3JyIemPPM74XZYQHMGKMP3Esa7nEWhYkk04qr+JWj8mNyvMAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/hNmYg1r5rL26Vr67vFRwbtVMacwCgYIKoZIzj0EAwIDSQAwRgIh\nALSQZ33hkH2GMTRXoL/+CXKO7G9OOCCDxvvDTx4txheUAiEAwtjhs2rrYV83dJTn\nBxwH9PnnKaHIuuPPUqJ/xWr/IAQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUULn8c6+yLxUKZ/nqTNOKzSPEhyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxNzQwNjUxNTg5NzI0NTgxNDI3MjY5\nOTY2MTY4OTA0NzQ3NDg5MzMyMDgxNzExNzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNGsbEeKZKjhrJJQqJ9U8onBU8Hvsq9JwZhASoYuUm5WDGlES05MEqXU3p7mNm9e\nhm6p+YWz0Mp5qDnWRHjrscOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOJOss6T\n/C17wbxXGQPDP+eg2K1gMB0GA1UdDgQWBBTcwCSWZTaJcCg3IHTIYpTkHVefCDAK\nBggqhkjOPQQDAgNIADBFAiEA6Q+eDSPBJ2yn0EAG0MzIY/A25KMIm4hsftUBKyxE\ntNICIAT3cDlheOIHZkaFJ8AeokdumDMZhdLYMw8h5gu9dX8h\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUWiHq64z673cHvOWaomLH0ATsA44wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc0MDY1MTU4OTcyNDU4MTQyNzI2OTk2NjE2ODkwNDc0NzQ4\nOTMzMjA4MTcxMTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDE3NDA2NTE1ODk3MjQ1ODE0MjcyNjk5NjYxNjg5MDQ3NDc0ODkzMzIw\nODE3MTE3NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKs8LdDCsBTA6Gm1R97CgOfmv\nUYTWY9nrJeRJv0jy2EdkWq+UDMdMRFl/FWvqBjeqJQVz0+dtShvztNs3N3RB1aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3MAklmU2iXAoNyB0yGKU5B1XnwgwHQYD\nVR0OBBYEFFWI49p4+cyrP0zTL65pvg/4r31oMAoGCCqGSM49BAMCA0kAMEYCIQDO\n5vJvcFG2ViG1U+8Cca+O8qNnmHF77r9KpkdqxMv8MwIhALXo9uU97/3m/o2BwsQL\ndLKbazvEtjUnFPRYQ/C906Xy\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDGh+MLDxnDB2KQdianVxQ6zo5sgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc0MDY1MTU4OTcyNDU4MTQyNzI2OTk2NjE2ODkwNDc0NzQ4\nOTMzMjA4MTcxMTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMGcxOTA3\nBgNVBAsMMDUxNDU2NTU1ODM5NDM1NjE3NjYxMzg3MTE1MDA0Nzk0NjM1ODQyNjM1\nMDM4ODExMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExF4Fn/05QGQMEPh3NBef1F/Y\n5udZFVYbQ0kZWbGSAMr80TBpyMjjve5ssQ7hJBYcw0rvyko8DARGviJwI+RMsKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVYjj2nj5zKs/TNMvrmm+D/ivfWgwHQYD\nVR0OBBYEFLgQTID5NzA8l7I+gR96nPCnp8I4MAoGCCqGSM49BAMCA0gAMEUCIH3i\nrLLWm5Og8bqUx+be/SpRzlwT10Ulo9wV33CLjQEGAiEAkV5F6MiEv9YmM3Q1fxsW\niog6+lGrRgkTMmso5u7Ec7c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUKdcaFPjfJFcfYIIuaOWGvl3rhYUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC80NDI5NTEwNzkzNTMwNDI4NDkyMTQ0\nNjc3MTI2NjQwODcwMTA2ODY1MTAyNjYxNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nyKOCb5/lhcX9jx7dfEQpKaGsAgdOHoNhDRJZyFsYAa/NgOtZUcudKYuybsAbKBYZ\nSG2l4OiXSYxFfZrFVZfTP6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/hNmYg1r\n5rL26Vr67vFRwbtVMacwHQYDVR0OBBYEFHaTtsGt7qz9L7ZbiD3Lx8bUUl+eMAoG\nCCqGSM49BAMCA0cAMEQCIGJHghsgxGySKnvJQiF111DGzRrqWbj+Wx7HmHI07Uld\nAiB4yjmrFIMWTaYOmvMRy0msbyBYQY73k0ISqmToIC5BHg==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUWhheXylA2+tVSl3USKJyz8sVP/0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEw\nNjg2NTEwMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZjE4MDYG\nA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEwNjg2NTEw\nMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMeOKhJVxgSEsX1C9b+JErE7+Myb\nqFXwTDl2iFs1TPdZKbjccwaChOkWJdTQpJDOw4CYQUyjTw4veaGXHM6MziGjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFHaTtsGt7qz9L7ZbiD3Lx8bUUl+eMB0GA1Ud\nDgQWBBTVym1T+Zsw0hFiLv7V9lOqOIrTizAKBggqhkjOPQQDAgNHADBEAiAYThyD\nIchM7osI06AAwGDuey24aeTnVgX/vpuOSqQaVQIgdVKTXo5UWNdrNIPazqQBokvK\n3jdRycrA2OvH8Q7Z4p0=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIULeRy1k7Wm5ksyyFogJmuSiZd0RYwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEw\nNjg2NTEwMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNTE0MzUyNjA4MTk1NDQ3ODUwNDA3NTYzOTE3Njc0MjE5MzA5ODg3Mjkw\nNDI1MzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASmwc84tqu07CsKY6eVAVdVmbhB\nBhSLJbTFV6sMhaVDNdvoA9qTk50Id4n2exXKP4EqSL8b1S3l1OTiXhkQ3uf0o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTVym1T+Zsw0hFiLv7V9lOqOIrTizAdBgNV\nHQ4EFgQUtizo9BBZ36R+ZNGFA42Q04Mt2tkwCgYIKoZIzj0EAwIDSQAwRgIhANBg\nt75Lrq5YNUf8kKzllOynAmzGfEiENRb+D/PibN1ZAiEAvQipXJ5knvH9yeXQiCUw\nc0tABq+/ZP3eddZj482d3fA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULQ0rFW4clV71GO46M0PEeIIzMl0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0NTY1NTU4Mzk0MzU2MTc2NjEzODcxMTUwMDQ3OTQ2MzU4\nNDI2MzUwMzg4MTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR+\n7m3T9umb3FxtxUJ4ma2MfIo7V8UM03oNZi4/4ZYOd1F9Zl443ac7611Kvtb6675P\nEF86V+rKivwp+tFoMdIdo3IwcDAdBgNVHQ4EFgQUGN2estsRXoo4tdWhZKv6Vv1f\n0iAwHwYDVR0jBBgwFoAUuBBMgPk3MDyXsj6BH3qc8KenwjgwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANgw2FST+aCytCintj5ESA1oQBq+XpEHciRGvf1qm3LcAiBVHCpQyZP4\nVrlnekmgALJjVdJcve1VPwHssGfAWIDIZw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUVOp8k2IQACAQ7c+1my06TI5eQSswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0MzUyNjA4MTk1NDQ3ODUwNDA3NTYzOTE3Njc0MjE5MzA5\nODg3MjkwNDI1MzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQw\nMI4yV3yT63/M66sQs/xxJtK5BIpI1DtG4vGAogNDS3RmDmE//nDSr0nJc3zBeiak\nKOwhuLEGZRQuqkiLW0F1o3IwcDAdBgNVHQ4EFgQUTuU/2vhFULYOt0KJDUHE6vrW\nOWEwHwYDVR0jBBgwFoAUtizo9BBZ36R+ZNGFA42Q04Mt2tkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPJivizrGmg5nWYoBVB8Jq/zylxbGh3uHOJD2UGbp3ooCIFbT9PX1L1Us\ntnqKu+vfHPhkRIktjds4dGFLgYkYA0+j\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUSo05I/IH823ig84zabU1OdiJ04IwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaXAqC5L5Uzf2\nsdn+jwfcK7TX1bYfVhz1H5yDNL3hbIQL50YOx25NCaI14SBtZ+FzIXaJWhoVpF12\ngqSGu7LAuaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFNgM366kzBCSIxAvx24iGHt/no2E\nMAoGCCqGSM49BAMCA0cAMEQCICEmSmTODKF8XUog+RB/mIU5eHnZ5Z4c1T+4TvU/\nCRAFAiB9d40nHm0LJKqj/8qZOFiFcodsvFFOss8v630OWDqiNA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUCgC4SOvc08jsW9w/ygXMl1cEGhgwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESs9tuaILrbRz\nOwD8Id3yrgkph4wog37GObjTjyiUZ6gVj5PQOGGRADFumygKE3oVALyoLZ2YIsr2\nrkHk2CXU4KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLZWtfWTTd62JHwtqn+2lX+KftyW\nMAoGCCqGSM49BAMCA0kAMEYCIQDLlHFisj2vqKtv512p3PZuDKvXKr9Zt12kj8mC\nBOb/pgIhAPenLjCOUvwEPcHkjkUt0GzwPccq2C/JlR5AAAWLOpIA\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUugAwIBAgIUT0dIsihJGuIVLS4UDDwkEWZHSRswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTEwMDAwMFoYDzI5Njkw\nNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEZW8Ze2Wjv9kj6OcH0sHGy+GvbH9DQeACK5tlHeA03k3L\nmcNGCwrkdoyqyeIhixd2uIDTnp0evoCq2Txd6jjgI6NyMHAwHQYDVR0OBBYEFIMH\nSMRCMRtwdi81tI1dGbmw9iQXMB8GA1UdIwQYMBaAFNgM366kzBCSIxAvx24iGHt/\nno2EMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0cAMEQCH0yl/bgonscA3mPdggRgRAH1SuL3XCs9qHLk\nVEPjl/0CIQDdkPKWmewKDfgx8SspPDp570hABLahEUjjq46ew6bHuQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUdtcKWkbNTByGrUv1actClnK1RyswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEteBmzhoeyH3IR9ZkTPG8Lfd56swLQevkXA6u3w3APCxs\nebplWzbAwTPF+EUvrOgkNfO/tyZZHfdAlz6QlyAD0qNyMHAwHQYDVR0OBBYEFMdj\n24T8C5qBqC8oiWCawDTcJMl1MB8GA1UdIwQYMBaAFLZWtfWTTd62JHwtqn+2lX+K\nftyWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIBRKA9/KS+/JsJ/bdv5rwhxilK6Ba+7+CtgE\nfdfXRXPJAiEAnM19rBpbkBH4p9OCESNMMlvqgwTha+kGUS4/y0GMmso=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAR9w9MZ5JgLSyxm6vMtoesbBIUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtkXCUoWbhBB2K8IzVwyJgZdADTVBoCoWNV+EX\nVxSSOeOqAG3lbAOhOPltlUV5q9I+yNGwN1e+IeZ5N5tX0l+/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdDsr9CI5NM+DdfJmqov2QHy43lEwCgYIKoZIzj0EAwIDSAAwRQIh\nAJdMOJ1Wf/97u9iGpVScwUkb6VLKyLxnpLMjjx9LNbKSAiAF76krXeoFs8TvVN9c\n5DT7MgHKQxUL5CAvRvzRkGbuHQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWSLiqX/vQEhZUxcqp5KjUuwW+J8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwwAazlbCiUGXmPJvoLiaIY/Z4J4O/BgGTJzsg\nvhbiiGd1MOYTmP1LCRx1voqf3b3mFVdVqOVZRDcwOphIFsxSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGEefpGNRAv6pD1NsJAiBzX47ENUwCgYIKoZIzj0EAwIDRwAwRAIg\nWn+q7oM9vBv6JbIROf/OltfJ29tL5DWkT97/oA7QcYkCIDOHMSxDP/oOO6CejqGz\nmTRyvxN5aB0Q04JGnWa5pGm7\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUOj+UcmQnh15O9VsUOnr5Ne4CHREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVsuPMqjdEmG4CNpsthHCT5QLxH7fo1CTlOtWM4oy\nshGJMKJxYCbj9LW6AE322GQ38KvmXwPsjIw/W88sMuzuj6OBhzCBhDAdBgNVHQ4E\nFgQUlnUPnQEHk5yJfnq3e7oytbaN3P4wHwYDVR0jBBgwFoAUdDsr9CI5NM+DdfJm\nqov2QHy43lEwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiEA\n0gfslBc1U/GvgfVmVdo/NPQJGxmYLVuOcxd6p+FzHOsCIENJVsjsVzoR6J3Z5Rei\nI94oPa9SpfGVITBW7FFiYaQf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUJbV4l9oa3w6g/DBnvoLT+57J0bcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5j3MPa94zDnUBWG6v9BwdsXkzMCoBAiNuUHiEgRH\n1HbVcwpYn2nNOQOgXFmUPTkj+PVbLqwrlN59kl3sQ99jJqOBhzCBhDAdBgNVHQ4E\nFgQU3PCkFywufMlTFU4HE57XkOU4ADUwHwYDVR0jBBgwFoAUGEefpGNRAv6pD1Ns\nJAiBzX47ENUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiAH\nA6nofbDyNXwgY4Ww2YLQ2UZCfg5g7iB9QSvryOx0ZwIhAMs2BgsBMqNLmqwzPWKb\nQgROsFvBiF5mlQdSw70nsjzo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGTMejRVlCwNZlhOwBNzig0YmQuIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkhId5Bz4Te2b4AjlN2qTz97APNLSwYWlxTcNa\n972DPKE1PgFh5/RvOXwJK9+braIhiGF3r1zPGFaX3087x0Bho2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7y6qMiSzfwzVtitH+Nd9fHrNjjowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAtyWITotfbBcgCrtiUT2AJb1BjMDeok6E1cUu\ngJWfK1ACICF1WEtl8cZ9HJCnFnG/Ga96PQsJjhtny8n55dbneuEQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUc8UXkJrCuAyk8fIixfRFejtPGUwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQSCdFBgwkLMxIXU3b9evlLf654TBrmwNcFhnO\nSIHRZnpK3eHXLOUQ51f9OKQ5Z6gFeHGE0Juu6D5lvtS71sECo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5DWxrmIbnsEN2JNvtfi7GqF1j7cwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAl37aaT8KeX/W26fC7fGIskMwo2k6zXq2l5nw\nSD1xgygCIG5Z8d7C8zcI7Ke89ba/RU0zEm1KRWfX/2GPvgPkh+vh\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUFp0et3Dpqu7D71OhpBgFZUueGlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdo8KnmSFqxQNbWMmg8ku3vwnvrls3AbqdOTFqPt0\nTg/56+BpttKKxicou6MAvB+FIkzIXcKLLHvzOySe/CwkPKNyMHAwHQYDVR0OBBYE\nFItNKANL6fSjJawZgprJiyPHlA24MB8GA1UdIwQYMBaAFO8uqjIks38M1bYrR/jX\nfXx6zY46MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnnhWTbBrdQjTbu8KGcIrr/YEkfwSoT\nI/AAhGftC0uBAiAfhgrrKlhg/UcVV3CfqWvJaq4BI7DGkSeA1enbbnLd/w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUbE3QgxatmudHZ3Qqcpf7eO0iqL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExYVg4QSc6SnUAPioSSuMGQa71ueOpYKqHLE2sVnl\nHxDffIxAsHUIymam/Y/L1n/X3mb5UEPIIrtxv0W3Q9I4fKNyMHAwHQYDVR0OBBYE\nFD/o9GZBQ0USrWJpahiivGlAO2k9MB8GA1UdIwQYMBaAFOQ1sa5iG57BDdiTb7X4\nuxqhdY+3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCJlfj6z4xJgXcSoh40laDJ72l5mLYZ\nIn7ypXwpOZwuJQIgEjGwqvVZM0yGjhyymsiO/2Tn18LHhBN8YVeTVacOoKo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,12 +260,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD3BfTVou7h0fr2lGIgs9HV584t0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASAHf3ASB1LYsFTLb1roA6DJ644aia+I1aSddsK\nwsTpBfScvBOF+W4KapGCD1TqKuEea5DHmscp0rD5W6v4yt2bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG+CyYlXdtZ24iH7hxP0XywJYJMkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIJYaur2UTiTPR9TFCoWYOce5Gr22hp+PrCYqPkCUHPIAiBlEoWX6BnMrJicNa+U\nmVeJ32PpAtZNRqfGkYKJn8Ltng==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFXFz7l5DNUIeU9J0+3BEigioGg0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpP9XNOz/cSDEGoXjBHL1DQaeZmb7gcc51EyxJ\npLI9keD3Knw6mFImHTBmkkP2MrdNikLhFTHVCWLW4SgCGPxzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkTJBYCd0/7ByTXjoj3vvY9lQu1kwCgYIKoZIzj0EAwIDSQAwRgIh\nAJWA6nfUvGmlq6GlFeJEmCdWDWqt7uaf0Sx5V5wbKCp9AiEAhWqdle8vRo126sII\ny+SDk1hZ+6iQM8JtwmAGCZRcFTc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFDCCAbugAwIBAgIUCoaQBPdBjHWOx7BTMPVxy5qaOvswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBmMTgwNgYDVQQLDC84ODE0MDg0NzAxMzM3Mjk4NzU4ODA4\nNTc4MTY3MjM4NTczMDc2MjQ4NTA2NDQxMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n8DVp6Jn+G1Xe7kZttgfLsl0CxKo0NJDoekCi4fjX2FAQ7or20lTYlUcm1mzonNZe\nt1Pry3ea1hmSmMGdz6qiU6OBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQb4LJi\nVd21nbiIfuHE/RfLAlgkyTAdBgNVHQ4EFgQUu85tC9/2vR/o9FYQpiBzkp5BGi0w\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBaJnn8pb0M+3vZ\n6mDa3lSm380mUKew8e3VGwOnQPnZQgIgOKAbTqjip0FLMA29CYAuu1QRo2RZeh8p\nxfP6YWTWd6o=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUbZyXoqI5hu8sAPIFN7uzUnZmGIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMjI0MTg4ODk0MjAxMTY0NjU3MzUw\nNjU3NTM2MDY3ODQ1MTE3NDE1MzQ5MzU1NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDHMlQHbri5p/CQuOW45ZMvcps8U5g0XM3P/WLflbzUoe5mX/yP+aHqN4P7SfC1h\nLh1cyf51GluUyvrSomcGsO+jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkTJB\nYCd0/7ByTXjoj3vvY9lQu1kwHQYDVR0OBBYEFGsBgzlohfUtQYeUIUYpbGw3uGei\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIhALFvl0Faxqpf\nlfQNN5yNKHgi1klF3kiWNmBQkYVRO14mAiAqvuiqpNN78DNMfXz6RZNCVMHItc2R\n3z+9rPZAQYpl9g==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZqgAwIBAgIUTAnI20mloLWA2bCYeP6qF8OylKwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODgxNDA4NDcwMTMzNzI5ODc1ODgwODU3ODE2NzIzODU3MzA3\nNjI0ODUwNjQ0MTMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDExMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDIF\nQxKAk6YNHXt3LEben2ZJ7xMgiOeKPZ0lKikIEmXuf9CciK7CXKnDYQles3osspl8\nh3T2N5pgckxO/po3DtWjcjBwMB0GA1UdDgQWBBSmmlVJW82mB+Q12ksl6I1l2UYA\nuTAfBgNVHSMEGDAWgBS7zm0L3/a9H+j0VhCmIHOSnkEaLTAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNH\nADBEAiBOgnU3Q6JlUttRCIjzvw0cI/eqgRwAp0uIn6Md/G5qcAIgZn32hKUWNZSx\ncofSFLElHEyHjaT8OpD3hym4lHXNgKs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUfSC11rfZZxTl8n3eShII35lnOBcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTIyNDE4ODg5NDIwMTE2NDY1NzM1MDY1NzUzNjA2Nzg0NTEx\nNzQxNTM0OTM1NTY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATT\nUvyDzZ8hSsSxGlxz3syMKXu5vGvfqFyM0z0I09BsyH0WYaCiqWiq/qHRtvE5qo4F\ntMw9jkiagp7ZMkNBclOQo3IwcDAdBgNVHQ4EFgQU8KCNJ5AovWZ4YuueGbvGu4NQ\nSIwwHwYDVR0jBBgwFoAUawGDOWiF9S1Bh5QhRilsbDe4Z6IwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKu3grJ6Ns9shyglzBnjpZodR2r6LjNrnTvUhUz/72/zAiEA4ZX+rPpa\nsOxn8nOGXJNkYkc1JouYbN5EkIZ5/6Ty8nQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -283,10 +283,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUL2YY8j8x0Vr6kLVAvIVh0xyIBNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK0PVC9qNyqK0NuWrkTIEt19/9wT4++UKGgH9L\nfKYlC41vu967gsqkaIIFEdnPedcEsj9uc1CpXlcwFDaTXA0no3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQIB214FwKVaHvIZ6JcraKPEDAWBjAdBgNVHQ4EFgQUCAdt\neBcClWh7yGeiXK2ijxAwFgYwCgYIKoZIzj0EAwIDSAAwRQIgdQ0afti9LHUqLWlW\nQXw2/r/siNW3HD+VUZidqUMNZ5oCIQCWBrL7MQ4hmxitBEjnfF09h8A1wAE2OkcZ\nI1QMBPuqvQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK52hUOwPfKm86QAazO3YyfvK7LEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRUoECtq8tSClKf6VdYOaARMZmEi/eDOFRnhFN\n/XpZXHXzW3mWXh7qYEBYep+VDYOIoIHZSsKeu5sq/lqEVc1zo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRAgm/oDirAkw1jQYshFrSJngGylTAdBgNVHQ4EFgQUQIJv\n6A4qwJMNY0GLIRa0iZ4BspUwCgYIKoZIzj0EAwIDSAAwRQIgYzRM1cNtV7c2YTGl\nvlKNtNl56D/Jp35kaWqbeLMQqRoCIQDimEDWQ+s+Rh0Kow9h3EmQqnsRDwi4ekea\nut34HiZKEA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUNKd40r7yZT0QQr+AuMpDyJ8+VrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBW7XwPGLDFwd/IMwjhcfftJ1QP+eLBJOFlZ/Dv6G\n9E/0HyfpgESE1DyTn4dzDrzCuc3ZGQ+L7BVu0w7egZtH26NyMHAwHQYDVR0OBBYE\nFC28y212K1DPU44LfXmB7A82oRORMB8GA1UdIwQYMBaAFAgHbXgXApVoe8hnolyt\noo8QMBYGMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDd1KszcM0qnBrJXV6n6IN6qW5gfOas\n+62LsHMtEIrXFwIhAKxobPDa8VnDYsDl8YhBMypbUCfyOTmVt3lofrdv6tEg\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUM4iBhKsIiE+cujuqOtzqIgmn3lkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnSvYXW3xx8ZzHbD+mMrrSdobxfA5wMKAi1t/oEQH\nn3Ut9oOt+r45lrJdKj5eajUT4DkJlLJCHrRx8rG2scN0+aNyMHAwHQYDVR0OBBYE\nFFX3QSbZL08DdsNETbs4Tm1hUC08MB8GA1UdIwQYMBaAFECCb+gOKsCTDWNBiyEW\ntImeAbKVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDSUirSVCnB8svgDBGcs9ZqOfyQzA0z\nqHRgV4ndckn/tQIgHf4Nc63gPa8kepy/c3lRGe3W95EnK4GTVZHPZ6FVkKM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZXd2G2PMHewZAI1To6T7/zwdPsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnt0FppObHHzAAcREGELDqblxxuRZvnW4u2Xei\nuVT1BovGHxVAMcUJw2YCTMCzKYRZQrQAA7R0t1G/MqJkywCIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdB7Rt4LD75qdlABE93NyqScvSEwCgYIKoZIzj0EAwIDSAAwRQIg\naHuwOY1Dw8Hfcw7cbc4U+qy4H9N299SBXqIfaRZIRoICIQDyw9zddBwTiPW8rAf9\nnF+0XJVTQ1tdxS/BgYJeotF78w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaDedYp8cjLC2Up5WYI8pUNF6+o8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQJim3ynm3KldYD38NP6/o8IV8B++hVqKRL4kV\nQws6xUwxQpoqwntFRCS2al7aS5kOqq4pKSYFSJgH5hEJC2QKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqeilfFUl5e6FWpWu51gKCb+UMuIwCgYIKoZIzj0EAwIDSQAwRgIh\nAM7R6RWp2HiPjoiQXjx1w3tfc4yBxRLsMfSfVnmMHZAFAiEA47daULiPHdPzgwE2\nEDfSx0cPrP3RVlXlYWECuFWVxLs=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWG+4+8uNhe61Dcdcfp58ho9GHDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEItLcVV03dU4XV0aP0XBPBnHTdcZtnRd+17YN2IKg\nOBwjrtVHNnQse0fS0OUrUJ9FRK0IXlfs/aKYhmGFPpx4qaNyMHAwHQYDVR0OBBYE\nFMKMNCnHVNBGaOkzruNvnT7tEKx1MB8GA1UdIwQYMBaAFFXQe0beCw++anZQARPd\nzcqknL0hMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDRwUQYe6NNaB0wZjZzgS6lB79swyTs\nJVDy5BCyNCdHjgIhAMZOOjwPEsH6b8/yRub2+D334qxAGVJ1QAWof6Fq1rSy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGnqFPeOZwcH0IC86uV6otfwMWr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcQNxnkzBIw5YTFp812dV4zuFLxYRDz2HMMs8HC2O\ntaobT7DOp9KFb3vdD1AbepPEwWSDhaTc0l3R4sK0mz202qNyMHAwHQYDVR0OBBYE\nFJ2wp8PSydgNNhWUSVYL3MWknDvGMB8GA1UdIwQYMBaAFKnopXxVJeXuhVqVrudY\nCgm/lDLiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAVo8oc0agnkTpiXfMp5B5o4enksiK\nvOb/kP8vWpiSgQIhAJ0+hbm99DJal5fNTIO85YU+Alqkkh4zgxjcsaC0wb7P\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUSvEUDo/GnEiBHvSnifQmGhtr2h8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDA1ODE4MDE1OTQ1OTA0MDM5NTg4MTUx\nMTY3OTA3ODM3NDQ3NzIxMzA3Mzg2MzA2OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBB2rheT680Mtu3sOwgki7rIkG7JdULA/iTgC4FuYXjla9mUecTRddDzoxe/IRc0f\nnD9nfxDl+bGbR5mwCtsbuxWjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQnmotcKMlX\nrkLW8QGJ7F0TtJUr9DAKBggqhkjOPQQDAgNIADBFAiEA+mBomEvyGTYjjj0vqvc4\nPwXnsOu98pV3bdQ9iFmCKrECIGizJYMhdTxCb4ZSaJQs9xmziIkT7xDofPHqwDCW\nSNWo\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUCUfp2r5edwplLOHejYMVJRbOscIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MTExNjY2NzQxODgxMjE1ODYwNDQ2\nNDI4OTIxNzQzNDI1MzUxNTY0MjAzMDU4NjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNDzFid2ebvF0CUp6g4kz1IquBSkB8z5gpd195rpLj5CX7EXBp6GpFT23GE1hOgc\nVXxFKAVbZKhITIu8ihEhbyGjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRxxtXU2d8R\n79xFNQDB+hlyGoPT9jAKBggqhkjOPQQDAgNIADBFAiEAlucN3fQjSA12euwmqK7t\nf+dGyUA4nCSV43tTAA+jlZYCIH08tqCX+dTnLpSz3mCsFg8FIRAqUn0eo682d980\nQ9mf\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUAld6ve1EatjvjX7yAeEn9R0XOiAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgxODAxNTk0NTkwNDAzOTU4ODE1MTE2NzkwNzgzNzQ0Nzcy\nMTMwNzM4NjMwNjk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASF\njdHztuw3dKQhfoa85GdQc88nr1cDX+zW5eZszEnd/RN8L6mPHNxzKjcG7xi9sd3Z\ngAunK28ZbidQkA/ZZ+qYo3IwcDAdBgNVHQ4EFgQUVNiYUZK/ZrYA0foUt/dQaavg\n7aYwHwYDVR0jBBgwFoAUJ5qLXCjJV65C1vEBiexdE7SVK/QwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAODNNSysOMCoLtQl0gDaWljM9GWJRZBrGM1AfMWCxYuuAiEAkFbPSV+7\n+AvVnI5UnSf86xJwXnWm0R411JcJopcFycU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUH0TnLjlNhuKnltncPHwTSmXYWPEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjExMTY2Njc0MTg4MTIxNTg2MDQ0NjQyODkyMTc0MzQyNTM1\nMTU2NDIwMzA1ODY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS5\n4rOjSyf6soiThZhyrY0E4SYtUNVOio7UuEtmB8ohAyiMZyCQNTQGxFfgt/Fpm2Sh\nIhzEdmLIpZI5E9Y2TcPJo3IwcDAdBgNVHQ4EFgQUjcClPyWpMGv0HSsOrRqwRnAg\nlGgwHwYDVR0jBBgwFoAUccbV1NnfEe/cRTUAwfoZchqD0/YwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgHGoUPwa7hDslBy+FlsQJ1QbNMjEp+JOPSbwVDxQvDiYCIB28DTLoJ1Uk\ngblIwv5iYCGFmkZ5kL1bSccomZEdVlkf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,12 +346,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSaaShEjzk/fP5m+p95Y1rkmQMnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2MYrmXQRsmWDLJ7ENp1G7sWSk2ti2v1UYc5VP\nBnoitlR82XOm38XyzXvsOVMWa/vy/er9rkWkior+o4exPSTCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaD2smuTnNdPn0aHv1QktovY28eUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJiqQcJIRMaVkRZOwH/syiNwK1obS95yT9sSQJ1uWqcHAiEAmanrVYAI5x6OScuX\nlFC0Rfats2DNpWwLvFTNUCCoSiY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHszR2HXN7/eG4gKL2TyuZ99gu/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlEWDwdmJvRUPxNTzgyUxkI8LO8MuphCJoJCQ1\neRR1K38c5SNvkgy8luRP8xXMWkZnYWPzzhv9Iy70zY3OMbj+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIxThTj6VX2GSO1MNh4F60gLq4iMwCgYIKoZIzj0EAwIDSAAwRQIg\nfiF5No2thjw5NBcZCYpXu3rEUVLNHHurYIhEXgUSb2oCIQClw2yWXh09Lm/gH934\nO7tupqDG65Pg/2M4cGqd+MIrmQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUGq4g8WiwyxciX8Mjr4+VT4QFLSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDA0MjA0NzEwMTMzODEwODM5ODQyNTE0\nNDk3Nzc2Mzg0ODgxMzAzMTU2MDQ3MzQ1ODgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMgzrgxouPh7Ijmn6iXJQLizyqFOuc9XI7tmHycT03BABmFHIkd5qGu6nxuFMs7k\n8eQcWiarCE4Jbj6N0ef65sajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQiNkClPOEt\nSq0Yrjs5FeNKHx1sKTAKBggqhkjOPQQDAgNHADBEAiB9u3s6p5YrowowI+kbA4W8\n837nGopG0kUOGJOFBVrIhwIgGej82zGG0CI+1rNd2mOK3uzTn4blKx+zlaGhZ+6A\nwCY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUP4pHv3bCz8IIP3hLfkQIV9ROz6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxNzU4MzczNTUyNzA1NTUzODkxMzE5\nNTUyODY0ODczNjQ5MTkwNTM2ODA0MjU5ODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGzHgsR2BLsCFBuxxRu0aKLVNNdML8IkmCDIYlz4n8F0msJ6mLtXeUIK4qTU6ooP\nyYIk1GyqLsNfCkMG3oXkbuejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR/i/BCNzHw\nPhq8deWFHzGkHX/oyTAKBggqhkjOPQQDAgNIADBFAiAIGR3Lo3pPLJ5X5AxFmtuK\n4y8aThWDOVDG7GfJ7KycfgIhALJfHLIeUb0VpTHCH9iHHfuJ6e9+B6gcIr7nCw17\npPmr\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUO794rcJxY89fy8OuabMEQMqXF9UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwNDcxMDEzMzgxMDgzOTg0MjUxNDQ5Nzc3NjM4NDg4MTMw\nMzE1NjA0NzM0NTg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\naMZTNrPo2VpHqukcnCDPAg2RC1Wzg2P1lW5HUVZqFxLUSAIetUPf5a/gnTkE5sD7\nHZFISR6x9Z6oZASruXido3IwcDAdBgNVHQ4EFgQUFZrbt+b1aNRV1rRrQFGfreSH\n4aEwHwYDVR0jBBgwFoAUIjZApTzhLUqtGK47ORXjSh8dbCkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALFl990dXyWXs0q+Q4PYmWbv1orCB2wlJhNKCps5cqUvAiEAnBwMi4XN\n8f08cSDndTM+EoNfeoqBnwKX17zDYXLzJvM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUWY33h5rTpFTKtAiUXVuETFoyH9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1ODM3MzU1MjcwNTU1Mzg5MTMxOTU1Mjg2NDg3MzY0OTE5\nMDUzNjgwNDI1OTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATK\n5hI269nQ1PPQkz4jp0qUlvavsO0bifxlXh13J/wElnqm5DWNkkO77E/vFy6XVfz/\n4wz/Xj3c4GX0PtELb6K9o3IwcDAdBgNVHQ4EFgQUCqs31aHidhRdbio/igoGIEPH\n9fwwHwYDVR0jBBgwFoAUf4vwQjcx8D4avHXlhR8xpB1/6MkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJKhf/RYpt/vto7PrVbf/b+tisNydwLKHo9czyjAqHdkAiBl12OTk/hK\n9qX/80RfvjIJIgAr3K7So+e3G3YyGnedGw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -369,10 +369,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKdW5/JOb8ajt4iT5nlfuLSAVqZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmDcNctLiElRYPhLTpamSwcZjxFR2n33dPA2z1\nEG8xOI9Fj+BTa4hWQc7W576rW+oXuXDSL31LJJbjx+60g3GVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJPPa20CfiUbXCxSoIZfNVcVCZ8wCgYIKoZIzj0EAwIDRwAwRAIg\nbXdY7rr0S8fQ0YQkXTCLCo8U5kRhyJJaqi5hoPo7WKQCIFC46Ev2kqCc4fJI+Zgz\nHKv66vGgAdyhfhSUK++5hI4d\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDp6pJ/XYWBh8MXJdt0gl/O+UW/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPg+VimqyFDd4RbLG+B43AKgvqxLvuzaaBwp1t\nSfQnGL+pntwzqS3TrDTcpvi2401pbvJEFsVmR9IwD9AXDNDso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdMgj03v5ez1CemZ9GHJrz3bQTEwCgYIKoZIzj0EAwIDSAAwRQIh\nAIPWYsRFUWqfjksD2u0BFBBesyW+sp9X+aNjBvekO6o9AiBVlrfeyFMze5hQ9k6/\nOfU5YpbJW3hruuAVlJUeLETcjQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUW+3lZ8YrNOI+xPkK0mxeDmAKwMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEA5rAs7Etc4sjJME1b+gY5f2nRAgXPjbUIPnFoFBR\nQATYwtFYLW7zCFrXQk2lqDdnyKearHNJKing2j0H00wSRaNRME8wHQYDVR0OBBYE\nFEkG1QCCDONuEd3VANKO2F7ZLqtPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCrrcjTyNrD\nirZByEgxBbD91ar/RwsE2itcKZeqpbHE1AIgOD19RD8247/UnWgDWFq3tZTMlBoV\nJGfhjKqi6ujXnpk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhjCCAS2gAwIBAgIUPloEcwHy9NFJw7Fui+sKsSGIPywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP16jp7Dp2hUfNzHcddddtsNT+BiJz3M2JiesZ3dp\nEpznzc1eCfUO7TW0Ey+TCaRKW5RAsWzf59RD4dVmwHfaUaNRME8wHQYDVR0OBBYE\nFDXdpm8PnWZBnNrvgxYUVk/fJcpmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIApblv+gliAx\nmvfDw+78ExbaOo3DiB40Ua3NyjzYsBguAiBA7QkWEV8OipVmuAEXl34w1x6aeEGV\n0GNpFUFsChyKww==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATigAwIBAgIUQDIiBqM9rJpgfSO1IjhkO2a5X4cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSLbLUf9wuFPEeHY8C+JbE1Mn1ZYTu8QGUcAjy\nyaRsX1JKkbzjUNStHAN8fjByGKnSZB1Fo7wCqG0ltxXluzpUo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUB4T7QeRiNGeMn2QmDbFXspJDNVUwCgYIKoZIzj0EAwIDSQAw\nRgIhAPfC+edAUJTjjbzn/IIJ9OtcLVUnU9r+FlvF6XRffKvCAiEAuiOATo5Lb99W\n6NdJlcLMSnrWD/C9sJB9t5wZLEWl8So=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIULp1S2VNUwJFegM+kdYSeHCSpRPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSt37JWbX7qFwvTMteqUSfbLOZe73yjt+IeFlD\nocoqs+boYklcNb8LHTHqQId/0bmJfn1q6sIpP4VbfsqPL3qJo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU7o2swNVsouXsZPq2tMpl7rvDeY8wCgYIKoZIzj0EAwIDSAAw\nRQIgNDQjdpkpxih8ZPdPc2BGQlxOBGEm11/9Nho9MsTP42kCIQDAxeB51Y9YzXLK\nP+BkMTPPisw5K/g7V146dQVaM26YMw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUdxTWJGeqTXr8mVEexq4DyjHv3s4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbqCv00mrigUDH1aPARw9Qjghvq32s9UfYeFMLQ3E\n0DxXdJKML36EN9XgIXXxXnfrk8cnG60Fq2YLcYf/kCncT6NyMHAwHQYDVR0OBBYE\nFF5wMe1Tca/w+NDTOOQZAllu9OT/MB8GA1UdIwQYMBaAFMY6rm6WzfoOpJ8fBIvZ\nfQVKEGBjMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDV0ZItEBqJjG41CYu0fL/tD20rWBw4\nAVxF9VJmvh+lpQIgIiK93Vs5NYsc2pwv41eUaBRvV6RPhSdMjp57NmkdWpo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUSZVW1ChBJceNcCoeUkfdy5FlPc4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEF0d7KcVa/pgC7bj37eJOHEaCiXn5YG0tIwMjiVMl\nFFSmhEqeUqR1AkCPh38xssCOszwCyKHeyoBFBtVoKy76CaNyMHAwHQYDVR0OBBYE\nFMM7R/Hl2RYjnTRU7AHvjiSxRJ81MB8GA1UdIwQYMBaAFFjOyOZqgSKBYEDHXLwv\netqugrS0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCHoeZgXknRqvaje+1GKvd1SH9R4L/W\nZRybzf1b9yeMrAIhAMCvmmh+QWh9vOAcZvxrMJhB0lI7zjQaRzeSZCjkdDbF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUGqfcmYhXA5fWFpfaOaZu97m4KIwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATB793JYyGkMvX/S3DEukdgxupK3Z4oxX8p/djA\n6zmfu/07R3iLKoB7VtVBEWo0D/aHyjMmDzvfFImQBRaARu9AozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAHufJq4IgzAtW98Hb8JMsCKhMM4N5CtRWUr7de1kNy\nJQIhAP/+hZk8rxD9g94udEMfQkycH6qQj+KvLal2zCjaSHbV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUD6vP+9tpuyoBExJlRdHK5MjW4gswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRavVUUK/M9mQ+tu29CV8x3g5yHJdsN1fyntqj\nx3AFfq8eDhiCEY4giNgi8y/A7I9YITO8FbXihdZutw5GweqaozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAscU9UUJVtpxCBakIWUBTn2dGzDaHC7vZOOkVxBBU\nSCQCIEMt93q1E/1G8FWhDkLtGXPxv09+XmyadZrFaGizhxx4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUOys+jO1xQZTxtE5rbF53kM/tP/IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAENXJqEH20jhiJ/F4kMNHdJ+JruX0Nj5NJ8tXoT5QZ\nBSGOGYjrLtwezx5d12be2A9JjYK11eAN5PImTwHQPNCyq6NyMHAwHQYDVR0OBBYE\nFIBgGF6BZnpU9TpwJynBZ3VwWb53MB8GA1UdIwQYMBaAFB/ACKEsIVpvWLdoTChR\nZzldu7FYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAEdsAB7BUON1d+7PJhdbwNfbi+uSF5Q\n0qYGSk1QpYizAiAkijTGiGNLqgV1D6r/GhBiA/5llRGRixvi4AE0/6G5SQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZDJCtg9aB+raui5dh3DYWUhioREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAECcmYclj2y9Obh6AAlRwGpllW2P0JYBcY0ZJ7NIRN\n3Y6V687cGdnDhNPb9mMsnURBvp0j7cIuSjQ/nT2w3OXP+KNyMHAwHQYDVR0OBBYE\nFDF3X0ru2UPfu4uRxfXb4rhD/5DKMB8GA1UdIwQYMBaAFK6XbKvwJl6UGzfYEZqL\nGD7eQa7oMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDHiQAOPxR7A0K0jlvKTuwR1NkO04SK\nmC1RWf6kTXa5RwIgQQIA1zCHGnoXsrZByg9RVRSpW40uPYbSPZ8Fm99pTCA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,13 +432,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYdOoxA1e/aB1UgJuDlYuvGf4EnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLMl+k/SPeUv4zJRJfW61UfFuE+jb4tk4JygfU\n8wk+1/KDXjuL9lemtV6+qvpJCqk+H8g32Ypln+wiKXUrDZl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBQNIAj2Xz3sOZqwcKItBNBJ7z9kwCgYIKoZIzj0EAwIDSQAwRgIh\nAM+okTZ6prmzU9JwT96AWz6H/1A+3idA7eCtSEO5AV9pAiEAvvg5egjt5R+2nz0v\nbO9KXbkdi317CXQXwcjp/tus1P8=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUFSMv0SfHE5xk/4QgTs4VwRYoYJ0wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMTAwMDAwWhgP\nMjk2OTA1MDMxMDAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGB4r0iBta5baqTipaG/jJU+tM+zMJoYJ\nQC1XKGR08dB5vLU0rP/Yn0xMvOlbTSLH0PbjzNMNT0x1caqUZqQ9WKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPSOcfMt7Wzd3Q0U6/7RV1LTdW//MAoGCCqGSM49BAMCA0cA\nMEQCIGmbp2YbhduAnJDAw2d20be+B3PEGCxRHy5n0RsDqhaxAiBaegtDtwGNOyh/\nBzeqlCxOnEz+B7vbCiT+QZH9pmppbA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV7pIfY/sMhG09D4Clc5OwI9spWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkUlsAUKnDOa/x1GZJeTtUPyNWsgsBlC8e49Nb\n2AjdCVD43j/jOTwVYLs1CvfzP37fKU7l+TDg3BTEltncuE6ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHG3junpdJwLzpmpqXd6zsKD8qtEwCgYIKoZIzj0EAwIDSAAwRQIh\nAK6Jid8iNlfv0tovbfYm5bk9iUQGgpqkol6AwAT2GFNIAiB2gATwbPCL18Flq05o\nMLIpFpbitYPAb2BWwSpW3UNnNg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUVtylFCXdoEprS9+Y7PIwXv7+0zUwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbK0GEE+qKSnajsZxM/zDZ9vjOt9m4UY5\nXqy8Vjh7gdQ7gd2kO8AZJBj5nmMxSfG4AnZS1+QAT6lRXDoZIgBKmqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMW/fuE3hv3E6lg2G7hgEyxTGKDKMAoGCCqGSM49BAMCA0cA\nMEQCIEkXC9pRK4izx0wxFrq9WlODkK64DxLY5p/S2wXWWx48AiB8L1zrYeT8hhuu\nk/sjXP/OdUugc0AwRKXqaQQiW29nkg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUN+CxOPSIGZBbU3QN+kcyHKQy8sAwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMTAwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLMl+k/SPeUv4zJRJfW61UfFuE+jb4tk4JygfU\n8wk+1/KDXjuL9lemtV6+qvpJCqk+H8g32Ypln+wiKXUrDZl3o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBT0jnHzLe1s3d0NFOv+0VdS03Vv/zAdBgNVHQ4EFgQUBQNI\nAj2Xz3sOZqwcKItBNBJ7z9kwCgYIKoZIzj0EAwIDSAAwRQIhAKB/Jhar9t/NwIzW\nAIPnyuOlRCpIBY4IpbBNUOVSEMtLAiA70p73JCAwu/0lxO4/2rbVNKKRv8hEKLeD\nEJMy/8fY3w==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUJ+ADusxH+V2fTt12Ff0ROUd+jcIwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkUlsAUKnDOa/x1GZJeTtUPyNWsgsBlC8e49Nb\n2AjdCVD43j/jOTwVYLs1CvfzP37fKU7l+TDg3BTEltncuE6ho3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTFv37hN4b9xOpYNhu4YBMsUxigyjAdBgNVHQ4EFgQUHG3j\nunpdJwLzpmpqXd6zsKD8qtEwCgYIKoZIzj0EAwIDRwAwRAIgC1403zFjG1EeePe4\nQv2oFUNT02ILfAPTTATBBrpz6bwCIDEJOAsycbK0KehPA/3V9cx4z3hktVgCUARd\n5pj1nC/i\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQ6nvGHLG1k7AQS1d5XivaLjCT8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEb1PGqanM/LPGG7683C7wI2ohpFmqzf8rf1vq/Y/7\ng6zHNmgCre/p+TC1igRqS6yYGOXPPkNccDfm15vLIz5nCKNyMHAwHQYDVR0OBBYE\nFEBIT5M1Fk4Nn4/nNVXFpSd1MLBaMB8GA1UdIwQYMBaAFAUDSAI9l897DmasHCiL\nQTQSe8/ZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDEZ3kX8U90TCvt/IXRy7BiAj+oY2zE+\nmEpZXJ8R7XhFAiAKSwu/o/Oj7qbwoDfm81KNpT1lK0Qbh/v5csr6cVTxGw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUPCa+SNg/Z8DWzraYaWylgaEc/cUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpsZNYNh5HdbF01RgbxbcvHkLaoBvu92py3yT7pI1\nPGhaMOMQ2skefIeZP7juN+2EYmQncAjKbqGyOZYhUKirkKNyMHAwHQYDVR0OBBYE\nFE6eO+KpJPl/+E0emIGsCUUyHmFlMB8GA1UdIwQYMBaAFBxt47p6XScC86Zqal3e\ns7Cg/KrRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDPM3WI2vfEgwliG3Hq30RltmDykarO\nEMVxastWBMwYGAIgEJ1Xe+hoDe7jjzkvul0lx83tnViFHsFXR2h8gVrbM5Q=\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -456,13 +456,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDdW/CR6hlH9WnQm7+sBnd+Y1z90wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEx\nMDAwMDBaGA8yOTY5MDUwMzEwMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABO9272xHvqEe\nrdjkWV6TZy1+sUP2ucjjmSPBYWfq1Php1LiDbMg5THqUa4lENt6kcbIk6loO+78n\nDcBt6O2chG+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBS0ma9Lysj3BTfAwrhxVUVeDIaX\npTAKBggqhkjOPQQDAgNIADBFAiEAkBTX2TIQtao/zYMa2GenpwhLFREW6nKbLg2T\nnR7+njECICvy5A3R0kBUeizu+bdtHb6iEEryvItl555WZY0vbpsd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUTKX+BJtL82fpxVkHcAPjGuP/8sgwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABF4c3iJ75Xwp\nBRmLFkkW+lnTZbqvwc0WpUiOOidPdWez8Dht2HSDA2QxtktV0KG787/42CkzRxEL\nc7/iX438lC6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSMjOaVSpx3lSRJ8Nxavemu/xbk\nqDAKBggqhkjOPQQDAgNIADBFAiEAqICJMyxg6t/Nzkg3wSFksoXcqPbJ9q43k+BQ\nwOwUNdcCIBMKkQ+q1R6++6gjqRC6Xcp/rre9A7kSsdUB9IUAczn2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE7rvcJYFjM+4z16+l9guu0lDJUAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyzeq+vSnVuMG71nD1IrQQmAz8wfaEon7vVKNC\nEZCfP5dBpQqhHhAZZKKjSRBvTZ17UdtrWNMHDGK1CgLpc3Hoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBzFDbCErwshD958WsERYPSP8rxwwCgYIKoZIzj0EAwIDSQAwRgIh\nAJB7KXHxQ/TI2Shrirc7LBUcMFGUMEROin3ZHsct+j/1AiEA6G1s0rms49oFTnF5\nl/qlYmG7TkLiqAOg+hjptB9Na5M=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFshDxv/5vikVAEchjzDqQXyzBD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBnMTkwNwYDVQQLDDAxMTI2Mzk2MjEzOTk5NTU0NDk1NTU2\nMTE5NzE5MTcxNjIzNDA1ODQ1NzQzNjI5NDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLtGPd1xLpFWm8/MUTl6r3Gyjo5HtAcpl2/vTuko2J8o13TtTvelc5YQq2OWNyFc\nP9rm5uw5Vw3r4cY+7wRYW/SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAcxQ2wh\nK8LIQ/efFrBEWD0j/K8cMB0GA1UdDgQWBBRpo4k9QCSer555gzOPXY8OoFIY4zAK\nBggqhkjOPQQDAgNIADBFAiBut1Vv1XvFnlYLIX/sXhoHmoH022ReEIqDSX5nsirJ\nFwIhAKu1RMTlp4jX6z5dpfdIy3lbmsQC5q7EIUYbUPZP/deJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCXYKuC6+R8BZYF4sgdyO9DR4KOwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVTKZlEQCtrTtU+XvXBrWsjog6KMPy+HUPbpjY\nfRVopNcssRx8/65EW+d/c7OldYXeeI6Med1KAlDO4hGVpzleo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOd4TT/IYLyPG48mALquFVpRRUakwCgYIKoZIzj0EAwIDSAAwRQIg\nInARIqU58A9cUX9ZBpPo9HKF48hnRj/mgho4BYzZsqoCIQDeUaTbMHLv5d1NsU6V\nxP2KSoWKXO8YLcU9nGLRWstFlA==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUU91kMAobX/B5aHisCMxM47NGZf0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC81NDAxMzMzODY2Nzc4ODQ3OTgwMzcy\nMDczMDA0Mjg3MjMxNzQ0MjYwNDQxMTExNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nN0PXj9p1gAzVBC0knkfxX2Ij1O6E3uMQohb4EJBdoSq6otSKsPkbAxqFulR3/1KE\nlbMMHfh/SZxlVeLIJkZYIKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUOd4TT/IY\nLyPG48mALquFVpRRUakwHQYDVR0OBBYEFAqZ9Ku0ou1JHxC4FHiAGBJ1kDIsMAoG\nCCqGSM49BAMCA0gAMEUCIQCaU2BQlmGQFAklG7sQwdsicPwMbfUbyWWc0OiZS6hM\nEQIgeAxgh3i3CaXu33ZdoIa+FaTgZgfezUlRbgux6oXwh4k=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUXwjD6odYIds8EypWYY9AhlAYQe4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEyNjM5NjIxMzk5OTU1NDQ5NTU1NjExOTcxOTE3MTYyMzQw\nNTg0NTc0MzYyOTQ0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATi\nhUk5n2hHaLkowS0+EojNdgFLRq4T6167a9eXWd8Upvx1On4G017l15War4tzI4Kj\nehhj1xX7nBHwBpkFj2uWo3IwcDAdBgNVHQ4EFgQUVVJWMOyiSte5zFrZIYZd7zCX\nO+gwHwYDVR0jBBgwFoAUaaOJPUAknq+eeYMzj12PDqBSGOMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgDKT8jDWujUJXIwLKJsIwMtRVwyovVwi6vbBKgGfi0MYCIQCdZl6m60Zd\neRDxbXsn9fcPtbHk9HaK0yF8DD+Dw0akYg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUSMRUkSgLAWwsy5rcdmrX2ASnSk4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTQwMTMzMzg2Njc3ODg0Nzk4MDM3MjA3MzAwNDI4NzIzMTc0\nNDI2MDQ0MTExMTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGv1\no1XaKtMsQXgn1S/6lRaPXvmUgR2OfxbqRUQtlrrzDp90fGY6mT7Cc3ISg3B9pBYP\n8WXsCbtGqPsrTE4uBqajcjBwMB0GA1UdDgQWBBTtdJA3kR9SjYehqHlDQ3K355zb\najAfBgNVHSMEGDAWgBQKmfSrtKLtSR8QuBR4gBgSdZAyLDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAw2k9J9+takmmx0rhvM3pxYuYeGzLRVY3NNBTBX35da4CIQC1xV2X3hB/\nCcQzhzH9hgxca/J9joJvFXgaChk4oaDI7g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -480,12 +480,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUINvWogPhgVAc9AsIEIyankEXMXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXltjJnIKHFsxLanzQqPPaIc4HXElN0OirP32X\nrHX67I/a8SofYX5ko65EXjz649zMKK9ELbZxMlROMv7PbKu6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/YCnftQN3UbtQv5zWFEOmDe4jjUwCgYIKoZIzj0EAwIDSAAwRQIh\nALsNb27R2WLhe8Z95xQfqGOZL+i5mSAGaQ8CVn4dDHuYAiBuN8JD7SD4mMztUDvF\niAKisU1r9l5Z4Q3J+iwsMQggjw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfdqFdo/bqhkgDEiMrWQl3ptOQ5wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARa29jhX6MYREleln8tZM0UDHxFKx4KMU9NXXXJ\nl69cDhVM/mF3bDGO3Foxf5j9tq39t6tem3vZ+NmD4QLk+rjvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU870BVv+PfPrVLJUNJOqvxVyHox0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIthpu2SgNgK1OS+EgH7rr34bV8Omt6i70WTpF7jyhUKAiEAysucFMX0vm7dbBJO\n96GfcP8eoyOTk2I2fZcPeH+dDOM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIULZmjGHXfYhSUWzIEbCdZr0xBw1gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjBqMTkwNwYDVQQLDDAxODc1OTAyNjUwMjQ5MzI0ODI2ODY4\nNDc5NTEyODM5NjkxODc3MDEzMjUyNDY4MzgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABJf9Tjx2wZU3EdB8+iPDwkcIxZplj20exzQcaULpDNz2w7njc+8e9NsUSDmr\n026SC5lnooHAhz5K4ytgMaSpCg2jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFP2Ap37UDd1G\n7UL+c1hRDpg3uI41MB0GA1UdDgQWBBSbjz4764E/TewrOUwNlfRHIrpa8zAKBggq\nhkjOPQQDAgNIADBFAiBLIAICB4Bd/uDfaBqBUP0xtZa4K1Qk7WEWuybE6NyCzwIh\nAPQr3PlS5ZlpJmt5rRMvA2WjTj5zk4Pg+p8nMUaj0S+g\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUbMf0khQiJ8feB41FgNfZXK4Szb0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA3MTg0OTcwMzUwODQ4MjgwMDM1Njcw\nNTc2MTE3MTEwMzkwMzE1NjcyMjg3NDg3MDAxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABLZNkbtLISUkZxoCD35oehN9/172IIUeLlgEJTbccGYtnA8dqCC7IsiwCopX\nzVHgKJn/bdhU40vswWGcer6QV46jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPO9AVb/j3z6\n1SyVDSTqr8Vch6MdMB0GA1UdDgQWBBRfrKp0mIbBKV9blKFVeRDoapFLQTAKBggq\nhkjOPQQDAgNJADBGAiEAq8Y7Fl68AszYDVzx3r8xr71+Nx0ob1wkdQcrfVj/iCoC\nIQC7x65pZm4KjUvoQ99BfCBAfVSxmfiREDjz03sX/3SK3w==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUQGpLWvpMKSOuAwDJ5oe3q5zmmrYwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTg3NTkwMjY1MDI0OTMyNDgyNjg2ODQ3OTUxMjgzOTY5MTg3\nNzAxMzI1MjQ2ODM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATiif3WmhhxjEXTpetjtl+UNoWv+JgQigPVCCBY3PmQSmAQzlGcx9wSdq2uMQlb\nhjvtctMrWFt63vt8XktW+09go3IwcDAdBgNVHQ4EFgQU2UZWp2ZFafeaUe8lrprO\nRecu0icwHwYDVR0jBBgwFoAUm48+O+uBP03sKzlMDZX0RyK6WvMwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIgJuOYPKFb8R1iuOYKZLxGl73j/CxU1CnltF0+p8ecZG4CIQDAKRxh\n6viVItJ6OScFZBZfdIb4xUT2UXLIDRSdbAvzQA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUXhZoshII2cKDkJz6crFYvsqfoVEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNzE4NDk3MDM1MDg0ODI4MDAzNTY3MDU3NjExNzExMDM5MDMx\nNTY3MjI4NzQ4NzAwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAARPmt4d36ozCrU98Jajv2W+wdUB2x2iBoI/fcPOoX5WlMIprQFpXR/YEHLmBbjJ\nTHeEBgtsqG9PDG/PPz8gEjbEo3IwcDAdBgNVHQ4EFgQUK7Muh5qckJbkTyYtQE2L\nUBlzg4cwHwYDVR0jBBgwFoAUX6yqdJiGwSlfW5ShVXkQ6GqRS0EwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAIq1My8n0HLVn6LlqeYeHEDk1dV773uig3w6lUpJ28guAiAP/gEB\nyBFbMbjUtIfG6cLvXZMkuTQqm8hU/EvCbzwuog==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -503,10 +503,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeKMH/DEuqwxLWybIZKkxLZzPkOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1XUyAua42oT0siz+a4qcJpJ2+41T/Auus0I0E\nwjC22QHv22KkekeN5NcUcmprzHCbq8zCg0lyyj0Oqdgfw+S/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBylGFpTdS1RD4ynZxzX1XGht6KEwCgYIKoZIzj0EAwIDRwAwRAIg\nRLdes3L1e2mH9Kwro0jcsW0ZX0cXL7UrnNHdjyHXI/sCIEvJn9nxllobGvt5VlDn\nIk2YgjQ6tDWwWNRxxYB1WYDj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEOCH6OUS3vHpDWx3MPsyHge5nMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBtIWi1ZYR9ZgJVAX3D3KyXt9uKEZQ6nwCe8ro\na1q5wWagcwMJUYsiun+TVPzVC4W/3ThcKEFRcIyfJAOTzmyvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAXsbAyP06bCSpuPd7kTAmRuEG8YwCgYIKoZIzj0EAwIDSAAwRQIh\nAOAWU0whi/nvJCZ8EW3GyiKJ6Fd7CXlVLkpvFi7o423tAiAJ+JxA5aV/re9bsXQ6\nRU0epKRqZqpM8oL7ftwtMSk0jQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUKzYjiR7olZNXZz6DdXAEdnCH5KEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjg4NzE0NjA5NTY4NzUzNzA3NTkzMzIyMTMyMTM0NjI0Nzkx\nNzU1MzEyMDQyMjE1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATgDTN/A6dnUH6oku+xjthx+qCf5nKhJXhCyLiQeHjEja02ZaSfg9/ToXZW/THP\ncJ0rrtBNtwrnvbhcibGZDkG8o3IwcDAdBgNVHQ4EFgQUFrYa58TvncKSZ5MkSyYA\n8haAsnAwHwYDVR0jBBgwFoAUamD6lTg7DJZQMGZkvXPZ/rYKBUAwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAImRoLjWeRBeZ4ikWl5SeZgPFWI2FmsL51yC3NP9cEwaAiEApIKq\nQHzwLp6PYqCHhorXnaztdE2t5V2RaQO/kYDr7Oc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUXffoF97qqBL45rflDVKaNB305LAwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvOTYzNTEwNTg2NjYyNTMzOTk1MDE2OTk4OTQ2MDYzMDgwODU1\nODAyNTA1ODYzMTYxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLp0ZK/WahFMZ0u+WysSGLBocHwhKvsVGRfoNGpEYzcJY9zkNC2soKTKxauH4lAc\nTBJX5NoNq1r1F8+yLphM9TmjcjBwMB0GA1UdDgQWBBTMB5nVjQ1liu3vPurmdkM6\nNkHHBDAfBgNVHSMEGDAWgBTh0vz1edVbH2W/QAypDZrq9jFUADAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBY3E5zv7EaPf7DzT0dFtI3zH6pzxNl+POwg0vvvvk4AQIhAMwWINYS\n1EM7rzTNASJGKLWjbvecGimquiPsOyW/Cceh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUJlHgPRvOCUC0CJvZZDNOgW8hEVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSfHtgGIlKTVLTTuLAiZ5oC+ZezWc0Y1kyTPL/\nHXrmzvaW1pM6itbXpgl+DEmkg2wbK+pabX9sxrohrlALRwHgo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFFNNMHEGFhRi\n+bax2hqKX/T3jKL6MAoGCCqGSM49BAMCA0gAMEUCIQCur5rGfF7YwXg9906+MaYZ\nelzwwd4f1WVe8/8SeISSIQIgKEkN5H4ewN0X1ldC8dzaF8v47K3ytwYdrBcYhYkM\niSM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUBZWHF1PQ5YK46y4pWU1oqOlFwtgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ67hJO94LRUrcLjN3kakcFgffWG8TR8c/uWz+p\nw+Ok3tNcEabC50B+lW0H70L+F4No6YFsuotufqBB9hO/vkBPo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF7PmhY0xEuz\ntenXGN5Erd7TqouRMAoGCCqGSM49BAMCA0kAMEYCIQDa/hTp1dJ5n+a9akUDfmxn\nUk+JhtduXzzzINxblfgmrgIhALzHeoRYgx0Qsyp0787UvU1XaJX5NvBUv4MdfLy6\n+6BA\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGB7stw4uekE0Kx9agKhiNlQkEXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnmOz/7oYeh2baEPgF4xi9RExUVl1SNgnegJc6OFJ\n26xHIp4rHEWUhRCeVww0K6LOgjh3J9lf02X3yNoAiEX8MqNyMHAwHQYDVR0OBBYE\nFL/5Sj2aNHi2sC5NcoOu6mSaqEi+MB8GA1UdIwQYMBaAFFNNMHEGFhRi+bax2hqK\nX/T3jKL6MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDyVqWGvnV//JqPtVk8QhOITW/77gNNE\ncufaEdXtR74zAiEA68LJ/synkgIcqG+xJ1lajvcM8dvpr6pPaOK98Dl33xM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUDclQ0HVAtn18pC79l8hGLScmz8MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHq+EwaGabWjuOur6J+QTO9w+6D6VqjUwKjXJT+Q6\nkylLHSevOpETiUvubmfzOoi+92BLaArIt5wvMzFOjKA3+KNyMHAwHQYDVR0OBBYE\nFPocoM1F/pbxhQx0NImUdNzvYphoMB8GA1UdIwQYMBaAFF7PmhY0xEuztenXGN5E\nrd7TqouRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAW87HMYmU0XPxEjGgfmNEde3rRwNUyq\n34oifQDcsezBAiEA+Keu04LLxNKVnbQNpJYHqW9KOVFhk6Y3CYQx2xYZJls=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUapGTG1NVzB1rS8sdel15YiiOJIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStNpSoZPdLhhrCa0yh2qovxgDCa9l0wl987wYo\nHcQv8xAkWyUGlTe/JXY+n4ta2MSorXL7xcsZM+6C/fOtkS72o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUNDwgPdO/IGcWWlo8tBibN1KQ6hEwCgYIKoZIzj0EAwIDSAAwRQIgfLug\nuAs12BTmWiP/tzeTt0BpDpTc/GBtKPStssq1NjACIQDNZOF4UUMP9BD/j/qsOa6Z\nvYdmNlm5dvmWUPMu7+L+xQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUGLwbs3P8x7oNY0o7bEmnebBYlsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASt9d1pNvjKDhblhAv9tNNvk9SwUnNSGwLQWdDB\nPDjOWA1m/MW7BQls4jjRa+ny5oLEEIPemFqVC9psLVw40KDAo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUDhLS3voOy8b2c34wTz6WFSQko1UwCgYIKoZIzj0EAwIDSAAwRQIgG64H\nXVYP3oofkDrwnzcqODvz7TpTk0WhKAaqZ0hoF/kCIQDKK+DQ/U4ivzQ7J8v9YRwA\nY+na00WDL/sRcXRJkOBucQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUL7dNzKqk0auzTHrzr5nLOhE7yocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbWJg/DkObUoS34vOwd+P+yzwdrWvdbIXSh7gkOhf\nvIqSy7e0dxUaTak3TJPo4ES381oPHzJbtDUIOwVIXfDLyKNyMHAwHQYDVR0OBBYE\nFILOhp6U501sw3So1+g05zsht+cxMB8GA1UdIwQYMBaAFDQ8ID3TvyBnFlpaPLQY\nmzdSkOoRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAn6TCBenDoPWpdiURFdnHiOgNK7s4\nGvssax+kRg31rgIhAIAPC1b7hz/0BxaF2UOmN8fHXx1hsSUZ/KQyem6iHKsG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUbQXJ7PvStrYLG4GG9CaG2Ntm+ZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPPoH74CxCnO6gNbKOxPBqkDZvfHSmdiE2lN+RgjI\nTNKpghCCtODXo70rPGfAuOTVy6HcwxL5f5NXIywxgTDps6NyMHAwHQYDVR0OBBYE\nFDy0Cl9kualHqfSzApzBBEJDVJ1mMB8GA1UdIwQYMBaAFA4S0t76DsvG9nN+ME8+\nlhUkJKNVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaCrbGWk/zOGs2hHExjDwUA6LG8ewt\n+yUz6Pq4xd9AOAIgVTT+Rs6QVLWj/mBKHEeVrUVwZZMMvkZClVTHGyOyK4I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUIRovVbGQ9NuG7JkPycVmyBMw1HswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpJfy3hOz3zKSXDJUrodoGOqpCOj8sM1wUplZU\nLjJdrUC93Zjhyh6VdGLKLX7aA/CAwYS+hnvjMMgsGZ1pyt9xo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQGXS4bqgIhukNOyq4juFbi7kvPdzAKBggqhkjOPQQDAgNIADBFAiB5\nSq6pP7LS7MjogcZzV3PELMlXV1LhHNj3sh4ira1JTwIhAOELIvkUGvu81YZXCur8\nsxlwH/GNwoPmHRulsTBpNC+E\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUQGy56dk2enhx1MUAwdHME0raMHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQre/gWPZHoxa9cXiH6rry4bcrc8yY60SLemTci\npvtVLMYlKhUvHRyMqcFW2gWFFM7ywDjuAeacidmghVwDx5ixo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSNQO/vFnYPqFKHhJV/Qn1LJyxEITAKBggqhkjOPQQDAgNHADBEAiBm\nObZSDT8DHDBXPWwhscp3xUHI47ZVyPTFEGg50TaEdQIgZoCSeBIJWLRQFA8ceBXP\n4CVnwKE/w4KYQf93Mfz3S+A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIULXkdDdBLUJN8o74AUmFosGZQ7LUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtE4gTVEBotigp9EtaAnSbtsiHN3W8L3BAWE4cCYV\n0JSfASLrlQ2OBGY1gIkzrQohVq7UbsqLKayHk5Hwn6Di0aNyMHAwHQYDVR0OBBYE\nFLoMTqcLRCnNTGQV+HhTZ1gppdlHMB8GA1UdIwQYMBaAFAZdLhuqAiG6Q07KriO4\nVuLuS893MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEE+3ghNpOcW6bAvd/h5KDSp2RO7aitb\n7Wnkd+dWlQnHAiEA5EmcswTKq3eHpbEGv+SpwZMJzwa0TdmhmMYe1JVVSSY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUalWOQUsTnhavG279jfMxmIBqMvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqZGk+uSJzTGiWnkAwsCnfWmxhi2Vw8Menx6pSttx\ngO4nYGAmVY/m9GpAqUSIy9KRLNTh06ehRcInAa/aJxUpcaNyMHAwHQYDVR0OBBYE\nFBnfaHUBk08QjDwnBdD3IcL5fRQnMB8GA1UdIwQYMBaAFI1A7+8Wdg+oUoeElX9C\nfUsnLEQhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGJ0kjUQ6cSF7H6oHtMtyahlIeiXY83p\nWAAMFmnvRjQZAiAvbBxis1lPrZ3xxPauIrA9eu9s5PAnAXrHuW6pUmsypQ==\n-----END CERTIFICATE-----\n", "validation_time": 
null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTgxHn801idPZONR9BxnbTU7C6h8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASOgkiFn06aFOFg47NE/81PWDfNjOGLSNfc0ZvG\n+Zkw4CF8VPBQt/DmFKKPWz5AXUzCaz3jWUhCuJzQBERqD+0Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPyvLIPOL7j8vT8yjSRIDjSWpDg4wCgYIKoZIzj0EAwIDSAAwRQIh\nAJgr7fOMVdSD1+9jxilcATjMBHqFuqyNDf4Lsvta+czFAiAiiKiSOTcqWfK3YXto\n8i9BrA64EBhrOtlK2qAUBCF39Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQX3FePZ0uZdXDKf9ANj2mZnxkAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6Y9gKpY//alzuNtu3sc8MNJsZ2qolu9HYFKCK\nocyhcx2wCPvdZHfVg+hoQaytNCbL4Cr3GGT42jcMnZ4L2Wawo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSD28yHn54E7anXCb0l3nyVFMryAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOK6vjJkJN2QmlpUdQJLpfgacvyVSi8hod3WsamaWsk8AiBaozfpW+pTor1f39Mo\nxIuK3vnrY1vkC8MxQ5JS/tnojQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUK0y7fwvoLqpXc/UAgzh6CZ+E8+kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ1NTc1MTI4NDE2NjA5MDcyMTE4NTA2MjkzMDg0MzM2NzU4\nOTE3MDY4Njc5NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMTAwMDAwWhgPMjk2OTA1MDMxMDAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASK\n9h+MBwuik7vDGj7rs1jyn+KIVaF1H3ZT6LKFZ9THV8GbopMsDB/DSgnhTics5T7T\nX3PeGRFxml41EdoPfAd8o3IwcDAdBgNVHQ4EFgQU4r9yHcwLlCaERMvEnfNOcU3I\nvDwwHwYDVR0jBBgwFoAU8ccBEGC9pq+P6dfat5eBPYixUPMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAM+qre5dBMHWytwxCGBb4bieLL2GpWwn91F4IptNfYW7AiATozbCJbxS\nufqE7roEflNq74BimVCjVcCj0fhBXO4eiw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUOoiKDkG4gzjQHaak+ZTvax4yYsswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczODg5MTk1NTM1MTc0NjQxODgzOTAwMzczNTcyODc2NTA4\nODA3MTI4MjU2NTE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT2\n5NbapXoA0QuUb6b7LXRsWCaq1nD4leHS9nX/1KqqaOG4D/ApFeyGvcGPeZhTC5t7\nsH2Lh52tImOCVRwlXqX3o3IwcDAdBgNVHQ4EFgQU35FZrvvX372E/AwhHMN3pbpQ\nsdYwHwYDVR0jBBgwFoAUAHl8fFMIaTOvsLuqsQHzwpoRp1MwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJCc8TXo/vYDi9AQgdrtX4oFvyw314cfNldCBW/EZDo/AiEA5uGPDFAu\nz0/gXFT6+FTSY7sbk2BMjoNYzh9VeLGrTFI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaRzM+6wGvnBliTrnaz9TkVbeAVYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLHIfMjgaAQ+Hhx2ia2W/Izp7Mzxx1MOgLFfXl\nzryaJn897ofQGNKt1Wq7hiV1c2WervVp8C10OZm1u9raFWvKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjVqdi56wuufNtfbtWYUvLe5LJPcwCgYIKoZIzj0EAwIDSQAwRgIh\nANF1x0XZCAzOyE/qDzESjl2GWU+vagXJmnuETqLMGOEKAiEAj+v+S1lX8XwKOaRO\nokSHM7j9Aey+JDhOEI5S7OiWzxQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI9ijdCHOZEVIuIzJqM8bOwTxSn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXG2FzpFRnUfjF1ZVe7CzZDmOc/WvrLzQOJEHi\nokobKK+7pRaoINk4VHTp0sgKjL4zQZ1JXRP+9bi/g7bzFl1qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqIlbzVHzfO5peV6m5W2/1uoa8HcwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMEpTc/rzwm+91NsZqKW4IwKqQpmxj1al/c8BhNGzWrAiAgL240wwCxgReQqBPt\nzA2FDvc3i9kbYnYmt2y4P84hYw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUaNqtZzxRVvuKbKJq935j1bHVlMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERoJDP1VBPu0aBlpJF/TXUqjnyK48Vm/JuqeExPuv\nETZ5qN7J6cppB6qZ3Ud7VKapRaPayRd+IYqPUwvyvAYP9qNyMHAwHQYDVR0OBBYE\nFMOptGLT32V5N/FwAWcH+JglDhrHMB8GA1UdIwQYMBaAFI1anYuesLrnzbX27VmF\nLy3uSyT3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG1XdtsPmGJ6Do7Km8DrY4AqqlHD116A\ny0QMQgDXcD0/AiBaj31FFF7yoJrLehdGEs2Lw1jRejG7VWkoEY3UX6g5Dw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMCTBNkcGI61c5pTxEhMfb0wwIjgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErYcDLC/RV0ogElx3LK+ve+3Siis0jRQfyvjkgrtq\n94hIPLUk44SUyiHrpqZg1bHcujiqXsaRZ8wDvh3ma171KaNyMHAwHQYDVR0OBBYE\nFDzDBBP3X66EKPQkhXnc9jtn9MEAMB8GA1UdIwQYMBaAFKiJW81R83zuaXlepuVt\nv9bqGvB3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICN/KYZHIbs5Ma6h8V1QGjOmtbtWqPdB\njR8MqZguGermAiEArG50OijIbh8gdZUC5zdoCS9PCc/MeOhZyDqUxRaaueA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUcMw0FDOQWWV7g2ijTFfhMGNi4ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCWvpLIf8PNw2VnF8+mm7yJh0X96g7aTZyIDKj\nwUWzmSz3XQ7mrKoFdjDb+JiCqRrqG7vtJYUjMVvTady4jgxto3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM/H0CGAqDjoMriCl9wMbUvPESo0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC8OrZ57bpJ9y433djaB5S/Z\nHk04054YON1ybF1RY9gDAiBK9yulkfjsNjDM6bEDPALiGeQdMB97NCMKi2k/ljlv\nLg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUJhY+ZvrnFTALxzrntSwnsscPjFowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkYTE4FpLxKrZreuO7XUI8Nh3RTWhOA5JdnFq5\nv2RgTlPtClEp9K3EPyTM1r07qtpYL0ImDul248xOAWk6bV3so3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU24M6m1J+COxSKzre3dSM82RVzVowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGuBGfDQGGoIq1gxg9QR6af5\n4/Q7D6eVWVjh8oiVVxYvAiAY2zMA1yCEkQY7o4rBnqc7HrEQNzGvGkRm5ipGP7S7\n8A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUcrNJ4b72XngF8zlKfRMSdDngKcwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEWAZOrJNuvRBtavxmgP0pdHlgjJqVPct7sd2BhxwN\nwfIStUA7DSREmwZfRH4gJPE+UKmgVsX9PHG5T5Y0C25d+KN2MHQwHQYDVR0OBBYE\nFCK+o5QQkUBagI1AHM5yaQWiR2XtMB8GA1UdIwQYMBaAFDPx9AhgKg46DK4gpfcD\nG1LzxEqNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAm7PEj2yb9uBHoLKJ8GZYLzUK\nJw8hxnoDIWZmfINX3SkCIEg/5Z4pNF6MCyQxpGojjma6yu+vGwcmSfyCdzxhtgP2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUeF2Obp4CdVErx8jCDvsnTYz9eF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE49j86dIAHMGtvcxFR53uY8ILIJ8w1LEpLh4UFkzc\nKXUesfY/erxbjo2+im6x7y4E5yiCUH2AxjFIrq8sVWx7aKN2MHQwHQYDVR0OBBYE\nFJITOirwmghH9U6F5tj6QL+5lrOoMB8GA1UdIwQYMBaAFNuDOptSfgjsUis63t3U\njPNkVc1aMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiB0dpGYTvu0gI85ui8zBYKbq79E\nE3uLVNbOPwfzCmaSmwIgHycNrSNI3POdZs19QLUpmHHZx3pPVGVvrKnPKnnG74M=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIF0S2aa151yHGsK/wwIDpjSKEZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeHFh0bAyg4xSWpGWO8D1pxLKYvbllfYaznJAB\nyVaMFIG3fC4d28RhouwmpirXKi0ELKB6YNpjo0E+w1NlvA/Jo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURfzPsRJ6TmT1efvBgx2Y3Qy2vTgwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD2DXm+umDb+DXs04PEvELH\nkC92w0FFfGPxxWbhpTIgJwIhAPyWO1fag/ZtFiu0wW4z7zSXrqcYQ7/LmNyv08QZ\n8tdK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUQiO8MlwxB0MJmUWBm3Ay+MHvKCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARd+T3G8j61hJCf0POAJ7g+ipY/1HGKpdXOXADs\nwXFxUZLV+riWwTDm4sMauEYczf/CwpvRySzubt2FyDDJWtaco3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnEsapsyaXJEdb5f0KrdApmy1Y2QwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDXprrQkM0D4DF/sn4Ci4ss\n0oc4OCvmtpQBDK1igMMzQAIgZWlOEpHDl312FOd9wWoMTPPbGf6rOC93yLHWPamW\nV8E=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGN24AyOXEPewGNGE0O8EDRvW/s8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHz5Tn2rNYoXd/OL34Xg7JHDULt6uyNMwWqr6CfpP\nZl32JPCeYB91IMi9hxW78256hNFbmBo0TKIRoteNOXrcwaNyMHAwHQYDVR0OBBYE\nFHgg+2suMzGBgKjS+jzsmkLC0jovMB8GA1UdIwQYMBaAFEX8z7ESek5k9Xn7wYMd\nmN0Mtr04MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICX//DTtIkQ3H6gUc1VS3bJa1vEfUWFk\nzQeCX648kWs5AiEA+n3MiaCZze62XCBTZY3+Vqji+pIh0PW+7PyDtGSpYsw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUXCLQEsDrfbeox1+J1BNHLX+caHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZyGQ3CGDfv5kbNnUemF/ffZCNfmbbR34fyLwlqbz\np+2efG8JwMCN7b070ZAQKnGkTwNWcZtBVanlnm5xuHV1sqNyMHAwHQYDVR0OBBYE\nFN1gsPRUCYVsDJurthE7FEOsTz8vMB8GA1UdIwQYMBaAFJxLGqbMmlyRHW+X9Cq3\nQKZstWNkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCuLYuSrSgI092pQGN6Nrn823k9QkPA\nKWLvwGJoFVg9ggIhALb43nVdDBz4RgwGgzkTJKI9ZsBvEqAvoGpZdZw/Dx2N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUDmnVb59I7O3enPXS85Lr9JXpENAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqLlj8YpIjk323cHQ/x+jmeBuT3clyklfED3fu\nW8Hw2pa+KWj0EpmNHad/w2rX+HRWEF1qziVF9kYj2mZbIGgKo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUowmtxlIVYbXu/hbDFto5ttLxDeowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFfxDNCyUhxPTDkLoEY/W3c7\nVjYcDQEnOhGAiQ3wYlBEAiEA1/Lkv9RIlZiBhMF19LsGTnweKqM/zastcOZTHC22\njG0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUDIZy31x70pW9LB81VN4SzjUB1S4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+cCCL+Zm/Rut98iAWg8+oI/3yn7FmygcoWCpN\nqtuFdehsAmMzHA/lOxgLUNtknzlwTqEtyqS8o5jQTW05noIko3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMp3kqfq6Q462RRfbVElKGSewAMQwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFdmXmo3wRc2LeerXDCCZL+m\nmyqW5mPAIGDHf5fvVdYcAiEAsjygPh005KwHEKS+Ascw4NB3Zo23xSJkXsVywFXt\n9V8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUdU7fnCl1YR094IN4cRtGHxEcOZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEg7P0DV8fI4eyiAMl9zLDMLavi9J430PI91D4/YB7\nRZ8NokXiMByf/fzCtAFf0W0/s8USFfURETKdsg92RXu0Q6NyMHAwHQYDVR0OBBYE\nFKIZ3b/ecNcr0e72VCEsuFZPYDEbMB8GA1UdIwQYMBaAFKMJrcZSFWG17v4Wwxba\nObbS8Q3qMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLjo4eD/Tn7IRF47wOuMfkQHLAVAd/\nvOAx3hRiD3wQhAIgFgZPTVnPGQSVZJUJ2BvtvJNs2LdlBuru0kaJWcqOR+E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIULq7pzlwKOBtmOA2FMzDh/pLbJyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEmLP/DzWcSFd9rfzLxLW+jD3kAwym+OrWy9rkMs+9\nKEs3DHI00eRrJA3PO1gWkUToept3p1WKiRqEWcik8t2Cp6NyMHAwHQYDVR0OBBYE\nFF+L1r+CIlSWU9sEgETr24PLMFb9MB8GA1UdIwQYMBaAFDKd5Kn6ukOOtkUX21RJ\nShknsADEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG8GNMfhgkVjMRyM6dQVXBb99JQjmHCe\nWnkIRITQJgspAiAuXfIrSKwx0kt7DmLGW2V44ZhZo9sHoW2gCPb+AA4how==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQnbF4LONh3mBHbwt1CiEgtpHjaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQt9ff7yjtAQbWC0RcL1ilQQXn72mQP7PSlljH\nB8UElCqueMpKGVysmf1KnXDg1H3nT012dCxeZVVN/Qw+ySE7o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnw1TTFapv+g/fGbnv2XsfkwD33wwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAVagAXl7PVV1kPOpUWP3K77\nRpj6bViDLBRJ+VAIx3sRAiBV/7WjsO88np4z523KyRIbEBkg3VvZ/9ozOj9DeApY\nEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUYxBz8aeBdBKkObpInkyehA/59l4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAROkw3LpibF3TPHGkBhxsNpxYxrZh8HLyGmAh6Q\nD6sjQu4kk0bM78noYrLHPhM/d20orfhur1y/C+j5uILbiFByo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvfoVNDfgt2+NH8qt7x1ZbQSOaqIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC9AC7bKquqOH1i1N8GGdjs\n8vQ6hnIZZXGFWRqGhN6OngIgYYz2UiRLz9jYZDQvQ2hgAmhYjWGYcU1oKhjHq2nt\nOco=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUWQUlopBU7bgiw/7aneZtJQEcG1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpeR9MhLEU5Wm+O5Q5GeEpVpkvw4gNVZnIa0mkMlN\nhAyfNkeOkc13+QqpDL71ZSlnRjoCtJIUZsEFyI8UqSSCZKN6MHgwHQYDVR0OBBYE\nFOgow1KA35Kp1242LFiUOHum+WC3MB8GA1UdIwQYMBaAFJ8NU0xWqb/oP3xm579l\n7H5MA998MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALlRm0QfvOUdkOcqT4Gr\nWQRmLM8F5ZvNAAcBViwK++wQAiEAg2bJlaTHMV5x+KGNhDYbO+4E+H6gONgbjbaL\nYbqdSS8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUCmnojKSUU0uZNPCPpTk/hI0wuC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwiYOKGBOXYPxhYwKymHcxvNuiHgZNO5dNmxMM6Zs\nvVcy8ycCEzoTMPoEoDxRnW5ob3wIFwT3IUg9iiAiofgMbqN6MHgwHQYDVR0OBBYE\nFI7Er3n0JrgFVuOqPsLPRzKjkIe1MB8GA1UdIwQYMBaAFL36FTQ34LdvjR/Kre8d\nWW0EjmqiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIge/R++wm20+c7Jw02snZH\nsz7jAEG+J2LHE4w1nzSLH2UCIQDC3w1BlrGf7pHAYWhMfHeBpV1p2q2g+AtbM6J4\nadWdAQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUCUs1Ytpr/Ui0wMzf4eyFSARjQjUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMmWNM3iLroq7R4xGrclBnXPxNy2ZHOujGky6a\ndLp/Th3TCjlgm1J1rn5jab1GeadCS3BQTjVnoJ0LG85Cdewqo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQenSSl8MCY6ZMQFBzONWByR2HVODApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAO1r\nDcXDVsb2b2KxAwYWje/mHAheWclOWrqmQAo/DFYXAiEAgOLpy3fbLUjCPLIGI6Ks\n0qvuA9cKG+MfqhdQprXvd6g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUWrYakY373oJWViM+lZv2b/W7kWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQPPShEoglG3X4m67fIZnOTVIz3D8b6znk5j+/\npZIaCmujpW3xv94fVWknvB+MHrZlKmpJ3fu7YZDnPNjdwxbao4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSvTuC8il/dl1rQY2+iqdTBhXyrUTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK5X\njxchdacaiQLbBAzQOxZ/ZusmyRMvMilDPMAZFtx8AiBO05EEeLKn0K6macE3hNVx\nE8gBTC4308k95jos69KkUg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUVlbfqIADnZgqUmAKtjMKyxrUfXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdRMGxRDmJwfsr1yPVzHvCoSIWLs96RP4S4GRrLWf\noi9wJbA/kje59N2OOZROKkVNCYv24Ksv7D8S6IxI+dMmsKOBjDCBiTAdBgNVHQ4E\nFgQU49kgH3b7aI5X9npsQ8SxjiS0WxMwHwYDVR0jBBgwFoAUHp0kpfDAmOmTEBQc\nzjVgckdh1TgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCmvq3IR7F9mbLkGpGMGyH5TU+y2AkDY80g6EpZToXg3AIhAPQfn6jvIHEC\nQ09tD4+I4pybnzJCCV4noPXSV3uIS3b0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUSNyHqrA27YqyT2ja//lFg2fQb10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUR4V+rVl7YR86UbV9x4n2R6I8SJeIYasKoCFKTpw\n68iTD6lxutvToTjpA4VhgdsdjF2XxsITjRiMYZxDaJbqVKOBjDCBiTAdBgNVHQ4E\nFgQUqOdLi3ekIIfWNJjPcT1MpdRiD7kwHwYDVR0jBBgwFoAUr07gvIpf3Zda0GNv\noqnUwYV8q1EwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCTHO8Tk/l+ADnpo1jX7c03v9T8jtZ7AdbSgA+6HwpFvwIhAM5siYWurVYV\nmDB+eX1kg+fTGjkvrXsHa2eGezQ0gX/O\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFVXf+16XqjKLi/xStqHLIfWRlOgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcxFT0nhDOyL9QHbc2DcoYS/mtI+ej9dp07/XK\nBZJFsNvM3pDdIBVubW+JZZlMo60vFuuagrLQ418sf0y40BgMo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjFqyCe1aITn46uwzik1x9Y0o9UIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDwtNyG+rgiN2K9D7hmzkdBoWny\noou/32mDKEz5VEBlaQIgY9J32TDyCh4Se4cY2Wav0jHcT1rDevKO5u0s+/U1pTU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUdhFAhWZUHL1VHpuHU6nCUK5QbC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+OQS8Iiw+e2v0gXNIfY8vjMPPXvwvXa6Z0z9K\np2eutu4lRpShIe/tb6OUIHW0DMqgRhRKSWVg4jAAvWx7M5E9o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuHCOILTlOiM3pUWiLyeHJTWolAQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIE9VZM/TiBEBiHezFTeNjJlSc4bK\ns7Yk1nRsYH35gKTPAiAnk11PEpLCaUxO4CEQIVNObR8OmAVfmcB3EqGJjPwxTA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUZHVmHvKEKZfm0MwYOst1rvlP+NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVhMVKjvLSLlq+Rs40QK7M0+fCRRWvwCmP8NRIAIp\nEhniGNwcOAafdACDECoiF9LiME2el8qZRK+0EzeJsBI/HqNrMGkwHQYDVR0OBBYE\nFPi7eXc31FzO1z8spKko7ch2fqU5MB8GA1UdIwQYMBaAFIxasgntWiE5+OrsM4pN\ncfWNKPVCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgBfw/60CJDp+egpHkyj/tfI8WENE6GeIzh2G8s8aW\nhUsCIB3648jomeKreTqORv0zOY0/blDk+Yrpo5PYtzF3UoLN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUC8WdJu7ZIEngeCeKXxvaNyVyjCowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEw1KvYSfwPwoFKA72D51Cl7Sa7wgRv3Q5WNjZr1zr\nS3EMh7NqFVpcZB/vSGcAL+f4/ZrAZCS9VSjZ1afBRTKVSaNrMGkwHQYDVR0OBBYE\nFNtThJLKxh5JUiseEBYNvIKurxQKMB8GA1UdIwQYMBaAFLhwjiC05TojN6VFoi8n\nhyU1qJQEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgH+YgQNGCwkRdx5ODFOhkKZhk/rVNWazw68szwVpq\nkMICIDjJbHji8w+5MBD4NxhbwQinwswsOqpbep03KtlktyTu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUATpR2hx/P4FnEFlrVduuSVXb/SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHMWyjwqolk6a73JVPmS8fHP2Dk1ppF16bdSJ2\nt5tAnAjJz6BPieiijU/qJKdGmrPeXHvJSePC6NpwdYQ22BXMo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNcv6yRBh38+ENWgppBJknbSz9MowGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCaWUs5iWqVXnfh7pQqQLcQa7xS\nXcLDGgt+bYPW1NK7WQIgOSC7DiQgBn17ntHvB+xaX/8QLieGLaFkt1vKz5eJvMU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUIPRV3Syy4PQI7mHpkKFNEfEZmlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzjxh2oikTZ9d3CFt119L88hucqPTJdkk6C1k9\n90FnYFabeaGEApysK7HW8QPvze6R0SjoXw8DohOqc+o3Ulm8o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT7b3mGbrr7zBU8TYFDuX8C6Zg5IwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDGFjAe3zAKTSSOE8l33xXwsp1h\n+NmDPw9gMr/ylVB0UAIhAKOIeLOzA8GnKF9gG7gcGznC+xUj7L5G1Eu2P2DTCC4X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUGzbZhuJWa3mNqXaueWG+xzBfKGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpWGnaEfGaBtc0AXplHektVez4h5b50caxNxanvZP\nw3/fGaXbmMrqC7BOKV1gmtq8o0duR2bb3L+S+sqou7W4sqNrMGkwHQYDVR0OBBYE\nFIlxB35/kaZh/86ZyCMgy3z5+knyMB8GA1UdIwQYMBaAFDXL+skQYd/PhDVoKaQS\nZJ20s/TKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgBk71IAsvZWy1i1lyQpaLWrwOF5cOOBoQro9sPcqK\nnFQCICE5Dmo++O09bDihsFsHcMesHTHHNAZQwuTTO3SOICaV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUdJ7bfe3ZAt0AC7Rc3ZVFdBOxKHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEsD1f3cuiIlmEnM8y/vHJ/1ga6tPxasBijPFPAmtP\nOQkbmRiUb50rN9RlxTVPenaJl2QmLwQzemxe6Giyfe12taNrMGkwHQYDVR0OBBYE\nFOzvIWtIWTOZC/v+Nv2JGyTJvRLsMB8GA1UdIwQYMBaAFE+295hm66+8wVPE2BQ7\nl/AumYOSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAMAH/Evw2+jKQ2G33NnKWmqwvSgCnK3UZ38vxRRg\nQoGSAiBZ7Fy3CyqI5/9KZtQea42Ovi9gh032zKDJO/40STGzXg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUDE6GCy68E7mAEVmsuQu3SubuSFEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQaOqKopYiJplQEBhTi5KgblXhnKNEPjza0jVY\nAdnAPRbmlnFFFPYw83rxR1z3vRl5SnPPDg2rrsEeFtbKFYNho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJUgrWnA4bedsmXnu2WeQ0Tdn0DEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIG9fAn70DT5Zsad8RdaUCFkT1ayF\nXZgdBYev2M5G2pjgAiB+ot7et4xdeOpmadp/YBhG+/EbzbNS8fRuDeb49o9aWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUBSQ9OffRWejOh6Hj5VEz5O1nvdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQNIkdqKba48OOcp6bLCqs+kq4FgHoyphqGrCV\nuUKoX7yHtBGy3w+D2f2NDaokekXM48dh3yG5DO/V1ipTg9M5o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyIk+spkGJpnUVkaAS0a+TfT4NJ8wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCmmMHgDeKRAn+fiSwasn/3AYFZ\nPktFjuChKkDx2l4I9AIgQZmVCerPDg6/mLA4QMIvzTg3RNrT2HU4A/Acq8hU8Qc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUMzE4LJf6HZxgWZwdjaaDWbsgY0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvYqkeJ3Mf5Nv0Fvav+y0b8+FrZgfOl2nRzuCePyS\nr+2cbX2kgw8L/Ok9vCgPavHrgQKCGXrYFW3jZPMC/sHD9KNrMGkwHQYDVR0OBBYE\nFIHCzQUHeUGLE3Ih5T8SA/KZcqDHMB8GA1UdIwQYMBaAFCVIK1pwOG3nbJl57tln\nkNE3Z9AxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAJuKvvjSUr13W0wvxCIja5bJGCsJKbrUrlZZ1x3X\nzMK6AiBJzg7zKmQ05lxtdTbhi3vo7CnEbDbKaqH2FYzo6c3uBw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUeihLTWQ9S7n1a1Dns1UgEhhFhAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEOhzP+fLEFfQOJp72LTc5Clli8/8cMDFpyIM7djV4\nu99T9/OX5BpLuPgKuL0uGGHd50CmSlb++0DvTCI5vTE4DKNrMGkwHQYDVR0OBBYE\nFC8Kd85uIfA9kVXoYAAGLH79OHjoMB8GA1UdIwQYMBaAFMiJPrKZBiaZ1FZGgEtG\nvk30+DSfMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAPyS5U4+Z44UuTo/Z4hiEKqvSzaeIssu4WCgpAk3\n0NUIAiAyOJuvO/MJ04aGv9RPxlW8/aFup8uAtvq9fULPe++wPg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -799,10 +799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUULUxihnZyg0wkl/7Lk9RjMab/cUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYtQM5ovoYu19wVIfQybqvlkpx6slEfFa8UMeN\n/iX8AJgEeyUJ4T1Nr+GCZLjtrbVSoMsb/6D9FNrqpWPNJM+Po3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqBHYBs3luysk07O9h0q0JifnyewwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANZlhRErsSEKWI3e\ncHpIA8woYrjQYXATD3G0lUfEU7SxAiEA39YVYZLq55InTYKyV7ToXgpECWcgz2uA\nxd/k90hLVQI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUYXaCo4mGaC5GbtJgHi6JncYMz4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQX/xCXXCzeGTUbpwhixstgmvGgb9hJkKm73Gn2\ncvC7QXP7jnlkgHKFDlrb5L/glgyO3QXddcHGwbuG5Mabfsq3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUL4G2jZ+U/mor7xcICb65hvCQXgEwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO/sv/DVdBzBBFSG\nD6sVpKT0kOXGUybD09dX4VSfB2tiAiBdaK/nlNSsqZ7EJUDg4kGThnp1vb59JOKt\ngXJuTf3jHA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUXU0UgWp6+iUodSAC7kiDSz1vm6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEHgxg4RTmqaQG4aYf0zIM5owNqgW99MUmB0X7LGRBHXv1sYGf\nhq1t10boAn0vc43sfMH4+5Q202Rf22a1xqIkK6N7MHkwHQYDVR0OBBYEFJh9M5YI\n6kf2KA/YG92SGDAcpSkLMB8GA1UdIwQYMBaAFKgR2AbN5bsrJNOzvYdKtCYn58ns\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIH1TQ/Db2ncs4DivztzrWz+y7gl0\nkl0SbV4ZqK1Jv2FpAiAEvQcnqTQc+q/6xMLveXZRaKJ1gSYR7jZmLmc4YlThaw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUD9O1Kntq6otNJ983YJphikYCeI0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE/XHGJsIcRcLUv9uFru472NHRdTesayDORksm74yGTnNjN8D5\nsOhYMFRUm8NNbCn92r7WwQ800+AiRr5AMAhxg6N7MHkwHQYDVR0OBBYEFC9XBc51\n3zFY61h9Lx8DbsK39IqGMB8GA1UdIwQYMBaAFC+Bto2flP5qK+8XCAm+uYbwkF4B\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCvTD3aCPHevAdHoWydQQuExrDP\nby692Y0kNZPjMnr04gIhAJBzMdaMhXzmHhF3NrIYo79psXiqESYkIWDCpvcQpVzG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -822,10 +822,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNfIaYNdJ4zS5I03SjgEYzr2MW7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbrqv88G3kCbUyKBJNAUmHfTyDCl+6vLUggiB3\nfmH4/fP/b0+7QwVWtpECqwQNqgiHozxmPSh3YfcSQNN/A3Kno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6VLWnWwWS/CNPGe6+K6lXUF8jR4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOhEtaMVUdFjSsvg\n9uNT2clb8ubrEpcJ1gWvOhjEzJA5AiANXstTYxSg0zmJlfPamt1cY+0RsqBLJeZa\nPdg4sbolOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQyknugQnYhv61gmsXMo3uTEX6s8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgZJv1Yi7J5HKZoVh/8HuFwvp72GbN7vDCH3wc\nk1k95KJdgf6SIrcx0wlBqCuSxdJza4/8heSlHGkVthD8Xri3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyUSUFAOGR57CW51Jd1ugaE1LSmkwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALLenxQpkriZ+8hU\n1MbHDWZM/h+jcHW1No/fyQW5fSkZAiAhz6c5rQZ86iX0yCqYTRXTAKDn8qCHAT/c\nMvqrMnp+1Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUJhuiJCp++V/AH7i4bzuR/8wvrw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQF9gM51rt40evzOYLL0I4qh5u2Uyla++MI0AsEDJwXq7fOH1n/2LHL\neQjtmokaOo6WlRcjhh+A5LXMbr/QNUKLo3cwdTAdBgNVHQ4EFgQU7I5ycAf532Qj\ntC/ZTqxpJCr+aukwHwYDVR0jBBgwFoAU6VLWnWwWS/CNPGe6+K6lXUF8jR4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAkH+N5Z0n+sOsR76qbAFBY0JJqUU05tgi6TFv\nl4QvzcYCIA4hg1KGtzc+nGiEoXXDC6LB31KjqnPABPKb1J6X+Q/r\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUTdRwuUWSnJ84Qe0/SQko0zkJgwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARIU14D6PnGh1Q++AKaKF/jssiw6zVNl06jo275I1JCEKePpEeevMrr\n78OgadTwMPr1EK5pfPsZdck/1tlCAz25o3cwdTAdBgNVHQ4EFgQUY5IuZeu9HE0t\n0LcWF5SFzt3oS+IwHwYDVR0jBBgwFoAUyUSUFAOGR57CW51Jd1ugaE1LSmkwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEA2r/n4CsrYtopq7qKK7CQOwxTDVgWtnHookiK\nh8faOo4CIQDFfUNuTw97sLZJ7/Wg2sgng+dZrjC3WpK6zjXMfju7Zg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -845,10 +845,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTBCkzRszyA/EJ3Vo2ms7UMCzB50wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1XxB82J4+KZ/+nQ7rhYEEh8iViR3GGedGNiPO\nIRk1gFUiyI4gHqRdH8TIjVbAvhHU0uuSPoA7CiwPUlHTqQ2go3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyyDAFoWGjkQ39BMEOwyt7eobLIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIUJpCy1K1CFVfe0\nBEaOihcwf8zI7GUDVxBes99dSgwwAiBG2cz81DlW4B3v4z1HqbE5Tbq7jQWH+cQX\nyUtAfgQonw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUG/cfqKjwkcMj1CdR2VTe22rNJ9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvQnz3xfopO6WGH1lnuhVpe5B18DlhiS0Tcr8t\nwsaJrUknlhN9V1Kw4UhfaaRtJ/Frt7O8qs+LfFzEkF0baFNNo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0RlC/oy80wM/AZqZN1bAQX91zGkwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJQrDjHAP89+m4S1\ngESifYKZ1kygYcLb2IAcsY+w3ODLAiEAkNEN01jWDlLHo461eixuZs9JRSfmZ4sA\nlNM8Z3sQFBk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUF28a4s2UWyd5mCBAxiaJvWTE7owwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARCg1UCzxlO3K4rAdWWm1k6cXE8tbXpxElN51Evz0iWN+l/C7jf3Ajt\nvS1RcGClCmTCFYUGEXCLRcWWMGcwOtrYo3cwdTAdBgNVHQ4EFgQU6KiQHFF/fMIL\n0cwlK2tsvqQXqSQwHwYDVR0jBBgwFoAUvyyDAFoWGjkQ39BMEOwyt7eobLIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiBnhghAYxmR3QRP6mTQmZEV4WX5Q7GgDxRdRV6W\nx0p6VgIgJNafKQRZ25d2f07y1BPUXTH5Zo9XPfH28wFmWNyWYfE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWTM8dOsWfqfAhSqeIUgbgzM0E0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARm9BBYq76srskog644PE9SpoofZ0Fi4pmF6urRbhJG/Cg3uCpqxZeJ\n3QjIGVGb9TxQLChi0IL6o30fc0IBj9Lno3cwdTAdBgNVHQ4EFgQUk1rwAtMLZm0i\n3uzQb5yfHSOht8UwHwYDVR0jBBgwFoAU0RlC/oy80wM/AZqZN1bAQX91zGkwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiAc6LIdzpIyNLbVwJm9dWMYxImCJqLGAHR28dML\noYMSFgIhAM+VE5e3hu/TgnzGBMvfkmYuSuvILjdH+Cpb3uglZcPB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -868,10 +868,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUICe75hWAxmlE0crbWGlqFwDi+vIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/4C4PVVV90Ta4NNjz5JWtn8mjkjI2HYiXXD+r\nrEGt1b+RMafVRUbwHEzZAQvx9CRfAOMmWHuXtICZXIra+knvo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmf68XuFsh8MPjurPBquzsKaFyFIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXQYSfOaCKVUBCoU+\njvohjl8wFqPidqsaSwcZ/pddfhcCIGJQbQq58YtXbNQUR8MVdQZFkHCyuYcsdV9h\nhMsbnJT7\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUViEHetWrzzrJEZ2VWiqz4doDVM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARITnMWJq40yD5cnFu4XX+walDocB3pVNIQVumS\nrkaKHeZeth102oUf19vM8Kh8MTYKle198YTa0VU5CGfg93n+o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXBLtQ6zm06P3CNmM3HYXKpv9PBwwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgG+D/ZqTXlhxScRq4\nDbl9LV0l8DsM/9BJRXP7dkkDkz0CIQCqSrlQp+aAcRVvyRgplIYz3P/QtN9y6EYb\nmQ9bhiClzA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIURGos8Ih8K8PEVBjJHcsTqoBlN4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAECk0+fpJ60RCHZd0fbR0qRo74ZY2kGO4S9+e8kI7A6GXzulfe\n7EFbaRXdoYLd6+3o5SitkhaCTALNBbOfIoeUSaN3MHUwHQYDVR0OBBYEFIdTVZlu\n9NWbOYXO/dK7+D27PDj7MB8GA1UdIwQYMBaAFJn+vF7hbIfDD47qzwars7CmhchS\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgPGWEYs6UzNpI+/Lqu01wvwvhXxa4gqy5\nT4NriseZMHACIQCEYid7msmZ+UgeYalydZeaE4oaluMAAoX5PalD06SNKA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUCuLrDGYJdTfhC4e2nQrqGBe7fNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEEqgyZhqj8BwvOoqNIZRKg8ioNQsuEsci2POOGy6sO8m3JFU4\njWHHqDp6C6KHp/8OjfvTmIBPJ/QMz2y2Z1z3tqN3MHUwHQYDVR0OBBYEFLBgBfly\nV/VE/f/o3J87Fxje5CjeMB8GA1UdIwQYMBaAFFwS7UOs5tOj9wjZjNx2Fyqb/Twc\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgEekj18H71YTS9914rFfNNQLR7PhTRmG3\n3Ingl76uuwQCIALIohi4qGP6pwjMB9Cs3OCOAmM3nGvNDizf8aVBRlI4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -891,10 +891,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUYAG6PaicRIyPa39aW4oNBJwCF7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9sTvyzKhEmhAKwgy50Yk+CKbb00AF5MWkU7RN\n6X/KiI0h0IUL54keNaAlikoS0MH3g3/hhIIIZIPaWnys002Jo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMkNa58KGYVx8bGXEUvKH1eCO3oUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgDnBHPN9wLdaGClgi\nAOEpaCoL6VQoRmeMEctSaNhp/8sCIQCLlIANZevpme9QFraNJLkMC1VVIr4UIsaG\npryLNJ2/Pw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUa7AVGJNu9xhTvYe2/RLQF/JYIEQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPuhrNpCrm4oHVrBIGvpwRb5rbpQuOdhH1t8+J\nMnZCoTkCy/7eDogJeNNFZINVxprRCjP9A1GtaFc25VoBe/9Bo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnIv3fcfVoLMyhFv6QMABcftPaT4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJsDLScrVQAzEUx/\ns21Md7cJcBhLUP4Wb36eMq5G7FN5AiEAj1A3cdBsQ0yXv4FJd+fhKcH/dI2GEbLU\n3MdhkavYUaE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfKxQZeQnxtKg6puwxS1mECY8+qEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARaEFbfU3zHVIB82rhWU4JXbzIIpj54roTFIdOkLg5CS9d/Fhha1fqg\nAQaMJeUgLs/1ePfqSTho0StR6HalheVlo3sweTAdBgNVHQ4EFgQUOpOJEUZt2JF/\n7khCabZbdHL/GQ0wHwYDVR0jBBgwFoAUMkNa58KGYVx8bGXEUvKH1eCO3oUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAMvhKRuyUlvHQQyUb74Z9Y+Epyy2T3kH\nLhZva8Q7axtEAiEAxdKA/yMfDFnFreSiyP4W98GE0KRZeWzGDFRRGmY7wWg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUZ8JB9aEH+1pWZxQ8JHyUSpTHmSEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATeIqyE6s8JjalQbAgjT9fQEsWygva8jFPrU8YE7hFXDXOq4CKbhRGs\nkewTY/HkwP5HgKEn4+OYGO0Kh8fR0G/5o3sweTAdBgNVHQ4EFgQUYqj9KIw/08hm\nMBoHPEQ4wPUUwvAwHwYDVR0jBBgwFoAUnIv3fcfVoLMyhFv6QMABcftPaT4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgYoK9SO2qcfJiB9LGTJOYZ/qr1+g4mx/P\nnXHIngYDla0CIQCvWjb2QvFCO64pZ1j8CIqGc/+OJv6yFDBQfUIhLVZxDA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,12 +912,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUClRoKHFxK7JJ7Fwgcdt9T3OachowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASj0j6mWT0vMKSAAmf3ffkgxwcK1Eo5I19nIhJ5\nDNZ6RvvMh4jK6hyVtuZwCpumFW1zeDCApl+lsaxnDCl/ox18o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFE0gdFri9ZOxnEqpXs5Aq2uf2WimMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnHPX2dO7oCKz8eg0Q\nY2fs44yyZF2w0GrJnPFJC/H0jgIgb9oFS+6QnHXbIXDHsCGUgY2y7BJBaREzEhPX\n/eG3vrw=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUPke/vYfEZ7XCvlrkzuZfyZHTYMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmgceoKHHyTEhNH1yYdAbdDXPf6Fkj6i8aMR8J\nKU77IdJRFaljFjXVsBs2JSP/gPNnX9O4LeoeXLdOzj7GOXxho3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFOuWDYSVmY++zxXG75v0+VUuF9hwMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkEYqH3ntlpdTlVa0\nlEsRoMNBdXw/Dr/80mq2pr3fdL8CIQCl9JldrXJd92WPpcP+af3UW8yCHsn14x6S\n1iNYfZ4MlQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUeFThrcQkYgH/s21TYuXyRBP3Bi0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtDevoZOtjmUrL2CWGwUe9On/rXzP/pfz9xL2z\nJuG8TX4a/nloYGbKKl952L1kHKBkzpT4h/QpB597kxaVEPhOo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUTSB0WuL1k7GcSqlezkCra5/ZaKYwHQYDVR0OBBYEFN8L\nqCa2Ju36R5Y+/B+f6EuIy4ZWMAoGCCqGSM49BAMCA0cAMEQCIDGyq51WeEKw4+y0\nl938drIvhALMSzmunLOWtjOapkNWAiBLG9DPGQuV6XFMsUhWgUgyEFg4nlG/SWx4\nisrAcAuNtA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUA5gf1w945riLW4dRt6SL5DRjlqQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqp/kEpXOlFL3T3hS45CYHPD4z6VdfooTr5Ibq\nxX50VP21NuMNAQh8nf0EzS+D6XOYipJdEPyLxLE7+75V2NDxo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU65YNhJWZj77PFcbvm/T5VS4X2HAwHQYDVR0OBBYEFAu6\ngX9tH1NUUhwhEBCuSb5bxB8YMAoGCCqGSM49BAMCA0cAMEQCIBSNglgpthL4O0FG\nJIo7cBCHUqe46DVRtL9fWSrmEVRmAiAFkl/GE0uGyoPF5bmkXUmgTKUyV4nc9mwL\nuzUQabQmEg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGj7sFjGic0y9yB2jY48Ckk5YEY4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEErs432rvkizC9kN3PDTeuc4F7gqpKy1KK7nEMlBk\nI1dmOv7qSq3PVVlRO4V3BFb/rnmamEDGD9qk+rodozJ566NyMHAwHQYDVR0OBBYE\nFHRaS7724BfWfTPdHmNNasDzGHUVMB8GA1UdIwQYMBaAFN8LqCa2Ju36R5Y+/B+f\n6EuIy4ZWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLiy/o7cK8kDwHsZGuzQsivqP6Kapf\nrybVpu+8QwGZ4gIhAL1TeBoXItAi8Xb4st+rIevlz0TJ081sngIdOgt387e/\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUN0WFzLAOkPQjcWfiOO2L3vVeFBEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEc459iVBvmvGjM7X12MO0uNl6HPSGIoDm/fTIwaDx\nQ2BmYpbqMAy5fpaCeseBsTKayQvc9VVi9rZrej38FWEjLaNyMHAwHQYDVR0OBBYE\nFDQN05Yo0TehKOELXH/ds+fx8QVeMB8GA1UdIwQYMBaAFAu6gX9tH1NUUhwhEBCu\nSb5bxB8YMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFqxE+68nDx1jgL5jpCGgtjoaFutcMyF\nuiXBr2PhFIkqAiAYuvnyJgOWchAs1uaBpqer88kU/VGws3h2mwKh9/xahg==\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -935,12 +935,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGHkhzv6o6IoKjUM8vozN7UN5A4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9I0+tUCa7JG1K2hvq/bGM70Q0HFzJalJRZLLB\njb4/IYWZLSJk55iwfA+/4J1OLV4ADD0BL2ehc8LqFxxAap3po3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU97PqfiJhvPycyo7th/sUEPPZM6gwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDI0vlnjXckgkBZmyfm/66C\ncEV/H1da6+im3ZCr68uv8QIhAJy536zvn+kGTgev/LggvNpDyiIyNa/2awwM/jsi\nZ07x\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIURlC3pTAPh8p3ZHJo0xAj2OOVOCYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcwv0Lt5Z/LtX3ZF/nOi1DbP1syokGMShGIM+O\nVQTWU8Vr5K0DChSePc1I70mzbLw67WctooAXTJl145LffwPBo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzP++3Fazj8lCQuUJDE0LvOFMTS8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDEGywvoGNM8xjettE6TQNZ\nBEeEcHpTa2AXI3p5ziIHvAIhAPyBslhg77AMI2qEXDufm69D0X1CGXFzMnsccDAz\nuTT4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUaAaaXBkqxk7PYL1+EunssXoW+VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ1MFp/qNlROR0Iw8gNn7Q2QU5Cod2QWrFSj8o\ntYvPyerzwmLUxOkgEZ1FzalwyXKoiUiJGzX+saHChkflE4hRo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU97PqfiJhvPycyo7th/sUEPPZM6gwHQYDVR0OBBYEFF/i\nwE9M8XwuAqoId07ehkhUqhEzMAoGCCqGSM49BAMCA0gAMEUCIDLx7ocNbSKDEWfh\nZftE30hxWIDNT9lNL04NfIQiG8pgAiEAn210S6VE7XFostQ6SJIh9HCeTcF6XWuz\ntHdhKsFg2os=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVqgAwIBAgIUO+lQVdosWnnMHEhdwlXaNPkl9sUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZnmnn4fEKXMKOHswU7tuH+dTgB73JBrC7Rdq9\nFCAW1ftIwvtL555h/66vpp0oQwxVcZyWccyUzUTfHcls5fXTo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUzP++3Fazj8lCQuUJDE0LvOFMTS8wHQYDVR0OBBYEFH46\nZWz6hNSj6S/8LhGqQtx8YfENMAoGCCqGSM49BAMCA0YAMEMCHx0QRLnzecxPEXVf\nCqt/ECTXUEOCqcXza6K36jun3aACICrfXwvVHkPYGUQ82h1RZKT4CeYHhiLX8aCl\nyrdcT5Ms\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUdEL8xp2DvEYya5+3VK28MbgvnUQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9de9Lbebh1CbmPzj97ti9DYD9WEKGjd9hN4UI\nYlaGfabYNme4ooU0Bx/NXJG4WHhE9aZ/7o3wGG6E9duhcpbgo3YwdDAdBgNVHQ4E\nFgQUr7ynrdmRggxbRP/TeVVIR+oW/sUwHwYDVR0jBBgwFoAUX+LAT0zxfC4Cqgh3\nTt6GSFSqETMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDyizsFBTgPuxV9yRzqPq848\nyFgRMSXb8z7t/qqZXcuzAiBepTa76JkSGn8DpbSCF3kpM27t5NOwfyWI3+vkN1Ok\nfQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUJ8qh73HUBp2+f1GBN66Opd4cj3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgc3uiGVcFZdfXQkfkU6olLL5g4jhyMQjyZu0a\n6l+BZUwVaps3l2sz9jw/7K/ff/upOwWN/SZ3ljZogTzhBXaZo3YwdDAdBgNVHQ4E\nFgQUNYes7GII1fhN4/rTNiR9YXCqHn4wHwYDVR0jBBgwFoAUfjplbPqE1KPpL/wu\nEapC3Hxh8Q0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDECE8wD1XSt7a0eSc0H2BR\nIIu8hUq2RrF63VsKKG8aPgIhAKisD8CRTZq1FLg6W5siPNFHGlv+HKcfyFHkn3md\nXomu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -958,10 +958,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUSnwewg2Tc6MX0FVgt+MJAetvbe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdJ63Cqj9xFqZYcFrpgRG/XAMguqOIdkkxeLej\nlGY4AEUq9Go3DkExlstkRhdmm7ErQxK+TfoqcnLciXK9EXKNo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYpchFpoSkj0EmNAICU+khLELLVzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA7wLoHf7zGMkJvwoLb570G+gFAxXrtdvS8aN8hh68gYUCIHptBj4+rxLnPu75\n5A4oyPJTJ5R20dI6SmeJTVCJsb9F\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUGEOlzXtVGvM17Dhq1wIrKVt8hvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBOGTBJ2PeAV23MAuaXnlUn8gz97OX1XAwJ/2d\ny2VpkjjNIr+ZAlNFazaW6oocMOy7R52mGD3q9amvCKm9GwsDo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRqJ4jXUexAihq6gd5n9GglbfNZtTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBRTBQMrasAyeTLlROWhZBCyk0nc9kkpGkY3+KkyBLiMQIgeVweUf9f+P5JkgX/\n48bHDdw4miF3aRb4tpyh1Hv08t8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUeY+tK/b4fD/i1Oui7AupdogTo3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExtbTM78gPd408wu/9lc6YdGq16uV91DnM/UKXSf6\ns608A93kDSkPFEcrhpHh8eroMLbCUGEjK3fEgjRSz4nj9aNyMHAwHQYDVR0OBBYE\nFJKsCHxj6NaN6SxoilpwIWSYjVXpMB8GA1UdIwQYMBaAFJilyEWmhKSPQSY0AgJT\n6SEsQstXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEXhybAbR+oJloZYk+yb7VcR8S6munuO\nPE7sjZx9oDE6AiEAndyliC/FmpHyROj86cYqnMlIZzzz6so95ojdcH/ocko=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFP+FmO9z2bF1pl69davWK1Lv9CYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYy+3lPGypo4g2+pW2v6RkW9KPyvRXS7uYG5XcYNS\nQCcRlJSGXF/9Tyeg0XWqjjWKjJk4JCokL3i8LX0OKL8H+aNyMHAwHQYDVR0OBBYE\nFMk3Dp5CqoLL0MvDoPA38IOBYFLEMB8GA1UdIwQYMBaAFGoniNdR7ECKGrqB3mf0\naCVt81m1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDiP6rH95PJEQzgBMiHB6xzanHBPj1X\n7JywfhxOH+0G/QIgUikGOGJk9+/pzQmt7fSNoyKpWv4txK+8LTKTz1SYctU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUUqN62S4ETzXRpEifclOOL4EejHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR04u7p+O+PRPtdnvsAVhoENgjA+NyWqAYbUZY+\nNQX5FiS+KVbzOwHA7YmRg3FnsUVgnKF7ED1ubLdw+tkajfRco3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3VNFfY0vyzWw9zi73vwgE4+cw/8wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDwg+W6xmn59jRB6eOS3xJ2BjQz\nshjIX9qn0sN3xuxhtQIhAPSD6J+qZt3GAu5BzEcrh+VOCnriDbT2pFB3sJw3qECI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUfh1OVYqjfwEdq3rQMw7rASKp0eUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzdWNPiWtt+JGr1P+ivXDLTxE39NaldWXRFJbT\n9wcYz06xzKM8kbVz2RlyP0fXiKTjUlKOSn/WMT+mWWsDg1llo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo8wp2s8rLxum+MPGmjSz8b4guygwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQD9Dysm2icAUh6csHb87zvg4T/h\ny+zJlltE3zgh3g1x7AIhAPSsPim/es0Kd0IcQQoMSgTADAxxlsobly1/QAySCZCr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUMZSrBrZo3grHKVHmggz9cs5Em4QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEuWPBqnPe20IJZxQAbdZxYTPuFwZWXnu/Pb3HZtpP\nU/6G2t4/t09tfJv21JvvMy8XBrPurTDGxGtysNb2A/9tw6NyMHAwHQYDVR0OBBYE\nFNCqyP4yRp0IzCNc6gRzGY3Fp/63MB8GA1UdIwQYMBaAFN1TRX2NL8s1sPc4u978\nIBOPnMP/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAXj8hXcOC5j1LS8QnMn6ujMd4Iv+jll\nxRAwFdfQQViJAiAymWMXu5MWox1H0RbniZO2K2F9NiBSuxNKt4kD+3P9IQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUC6qvsyWThq2Z5tisozAUcVZTtXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEAxbauQKQ73B89aF+8bLFLcUznxDDLDJlMCjPv//0\nc1jSBm9ICPAvbbuEWqK1RNz3JWLoifrYdsZ+GY6Q7n3wPKNyMHAwHQYDVR0OBBYE\nFF6duHfWxhlBZIqhxIW8QwkG/nv3MB8GA1UdIwQYMBaAFKPMKdrPKy8bpvjDxpo0\ns/G+ILsoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLAj6E+Gzl+t/LxoeFU8S5c9yyGLId\nKkCR2XWISP2wJgIhAMhwb+6fwDjVW2XmxOFm5t/3bwv7Ti3Wq6cS9+7KBtsr\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTdUnCuM/IL0H7aOD7YwTvbvsebgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTXbDZ6weCKj9g7J7143o+3vQrKxYKI21yAUSC\newn11W4LTMcgbVHO/DhDIqLJYTKGHUDdZNr+HqRfmPNp1mzJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMyTD39H1uGh0tgNczOm+cC2bQhMwCgYIKoZIzj0EAwIDSAAwRQIg\nQSqrnywb6AZyPm2wpf/q9sefSN1JX3BYJhEuttwFVNECIQCf3bIY8b+aZnoqmq5A\nAUTsN1r9Rrs7fghiN+AIQBt6EA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJijWMi8gTo707IUxrYn5OXoF4R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCFoXzDMJlML8lfdzXfMu+etScxVDPH5jSUYYO\n56Or3D4U0xHHPvbdJ34RwSSt9hHh7Zc9Nn/FIb0qp5bU75KPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzoH+SOn8GjD789jWgUse6GdsdBwwCgYIKoZIzj0EAwIDSAAwRQIg\nWxkNigB1rsf6IG+9ifS3/Bf7cJQHse6Fyq6ODdwg8m4CIQCnVG1uX5UpzZYd+k8G\nLkmYNKYCAYBv0VMrNat7myR2hg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1DCCAXmgAwIBAgIULdVl8s8N+5qw2HqL0k9jIICynwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAELEqQX9Fm3iBd4PCFFVLC5zxGyoPOrVHD9LvDCDR0\nT563wkHICWqovg3G9KusmTmNzLWj3ATZjyCXxNM7BKa+XqOBnDCBmTAdBgNVHQ4E\nFgQUMb2kH5GRIv/yjCY//9idpEHLmzIwHwYDVR0jBBgwFoAUMyTD39H1uGh0tgNc\nzOm+cC2bQhMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAmoxp8PFjFOpxJaJZJy2O2SX9ZZl3BGRWO7PY\nmpcDXhYCIQDKLMAKARoVNxww1nboJKmdZn/7vu8G4wpnadykP766vA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXmgAwIBAgIUcPxpn+/WRE0CN+xBydabkXao6PgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBLZ7QOdGS31aBTgzt7nsblk+GsWXf/hUPwc9AlFi\nFCyxWVMw+mp0P6IUri05/46vruaT8V5zEd34O7VXM+hSEaOBnDCBmTAdBgNVHQ4E\nFgQU8nVSva/+FepWLOi8tRADqbsDFZcwHwYDVR0jBBgwFoAUzoH+SOn8GjD789jW\ngUse6GdsdBwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAyKqHK7h6egcRU8KzCedlPCXqUxzukZoRwTNx\nbC86lG0CIBaO980+ZUAQEmxYSo3YjONRigpGkEEYLs5xWI2CR+N5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,31 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUP1kkhSBnXMsLfosNpaeWbrSKucgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEqXYyUDxvFTMiCRlgX1n5kQAL5ZVGu60fk6RQ\nDsgCnyAWoBfppnGiOkTp3Xt9FBSbE3difowepiEctmfN0B5Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFCY2LR9ZjwDfKG3snJj4OmYZZtkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ7vuYcG6csDNW8+iLbgKu48GfIzufVYH6Lbe300BCeQAiBV2D3Ws8t2mv9SEZfw\naIn0VKAVjJcVib37hD72tcPeFg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUV4G9+Osz/PYyXsgYDDmcQhEVCiEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI+mGyotxAYDes2pD4VoQShG9hzeHy+GOKhHjV\nI1HpizYsveC9tdneQz04p/8T+PBIbbJ1w0+3UppnZhwe42QCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMNH8aF5UtNCLRS1YQ4WSjAgqNZYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPIdtSJXvKgsdMGZtrS105d2ALioOUXtpfrLo/OLxtsgAiEAhU/IFvI5UG9z/Ktk\nnjhSf/sK9lR4hKQ3+98Vakp9IfI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUUHc3xpSSfI4LUlS4VkCViGB41SQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYU/K0OsWlqFH6Z60U1RjuhcV2L+nVbdZ+1apuVNB\nj2JeUZCujV89EmoFw4dGSQfquECReQVscBnO0yk3/SDldaOBnzCBnDAdBgNVHQ4E\nFgQUApSOgMaXLmTm7SUnrTUMDZeFNoYwHwYDVR0jBBgwFoAUFCY2LR9ZjwDfKG3s\nnJj4OmYZZtkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAoQzTQAsrvRuSE7c83W+t2bS+hX+C/tiQc\nkhRfHWJFJgIhAJ8HXl2TR4th5ydEAb+qsaYxt0lJhPftd50B1oQLZX8i\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUbm9x3MbQI20Ci0IeFZXk6tPhvqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcObOHxRydAiHdon5f6vTahkM2Qg6dme0PycqTWej\nfRw2+uOuXZMnBjkGh2HraJBrEGebpS8F7ERgQON7O9dPXKOBnzCBnDAdBgNVHQ4E\nFgQUzG5zvliITVDPwNxhdbnLqZpzJNowHwYDVR0jBBgwFoAUMNH8aF5UtNCLRS1Y\nQ4WSjAgqNZYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjqDCmnWP2UGV61AccFklJoIxuXdVP7re\nlKaJjHSo57UCIG/wgFnI5T5p109Bi/0GUc8QdN3385K+dVUzD7gPUAEs\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::san-noncritical-with-empty-subject", + "features": null, + "description": "Produces an **invalid** chain with an EE cert.\n\nThis EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject 
field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfUc0f56arPov5bqIv2Vh/j1JnmowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH0yZ8HyW1cc8DjfIMNzAuLTbCBvRsMtqSx9CU\nJM9yjsFcp0v5/SNs56n2PppN/sHlKURPrSSJaW4RwoAiOOW0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEffrycSaVOhRRwITyde9adTuyMYwCgYIKoZIzj0EAwIDSQAwRgIh\nAMtbbDNJ2nkR1u75+UlpqmYC6RKb4WPYIjJc0rUoPIrBAiEA/7+HsVLNhCQW2Asj\nOv/vxd/ySNbx664Aa9Wt0LIDVXA=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATagAwIBAgIURLJnuVrNwiMSLhTOG3mzvM4wxP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9sh9wpw9\nQdT5Vqp5Mo8VtR+RO6jrnzKfTZ5QpyovhRryM+aWpdtXg/2PSM9pxePbxypnslL7\ndlyBnmssX72qv6NyMHAwHQYDVR0OBBYEFGBLZIYWXpC/RqWI9U0F4JKO0Ud0MB8G\nA1UdIwQYMBaAFBH368nEmlToUUcCE8nXvWnU7sjGMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIH/tNffYIKn1muqP3/7Rzn9V6q41LO2dJ+CEtK/kXVgTAiBw0x2LOwxZ4kqEhUht\nAa4hDmYmWUxc73zIEGbKesDFcw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1090,10 +1111,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWjFg3+OXrEGV1pz9m/12UzkWAD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqxs6gJswCthUaoAnKs/SmyVgI20SZpiQXRfIk\nG4l9bywQzk39koWRxGmmYwzOIE1I0YjsmnVLHWNRg6aCMN6co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1i8uM59AUH8ZG9rHfteRQIOqLvAwCgYIKoZIzj0EAwIDSQAwRgIh\nAOIRGYmVvSksgSe0ea+aSd36fiPxsmsE0VY7nziiEXE1AiEA7AsuRG348yzJgOko\nCl1lY9F11AaCqFzxFM9aXwwI/14=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaEvLnIHo3y+NrUZ5dwUDi9/A6KIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/r94CZ8fchqUwEjVewgj8jaci5YYAIM5Wwszj\nxwi2x8vqoKjgfii5qgt2xLRGB/xvSznZK2b++BQgoPbWUXq5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMKsGiy5oYwdrVmIVraOCCQaoZ2gwCgYIKoZIzj0EAwIDRwAwRAIg\naFaL+2ANyRJSYMnffrVQ6H3T556arDbsyTAmsu1oUz0CIBuLXC6oTjJ+r3TJxgaD\nndwzxlmyu0pjflq5ApWDESRS\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUfqS+KaIzPspckXW+5rZuktD4GEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEIO3RnJ2twHD6xoirNCCip2NwKb/caKrm84T93PZN\nPZ/kGvxvFOSjcHKf63/klMv9uaftTINtEjpcMtJsB3nr+aNyMHAwHQYDVR0OBBYE\nFA06jOcoNEu1MMNcqcYZ/1YB18A+MB8GA1UdIwQYMBaAFNYvLjOfQFB/GRvax37X\nkUCDqi7wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDZXZzPsJ6CHncDYxvxnp89c9XKRlV8\nTdqj+6U9a6HwhQIgGDnzNBHfjVZn+GMwRTD1fsR9MTlAsJrRbksBMm5PZ6o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUeFq6Cg8EcNPuXMiRGZv5BByyv20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyBAl4HeVY8RKr1ce/xHT6U6b6IzMGETn4/xCWe50\nEgWw37Jay5q5iNxHZa1+Wu0+cjSByppAVtHdiA4YbyaCJKNyMHAwHQYDVR0OBBYE\nFJK6xkk4sfpTMPR//5wbDcuCHllsMB8GA1UdIwQYMBaAFDCrBosuaGMHa1ZiFa2j\nggkGqGdoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHLas44OyYJdmZ7sp+s3a+yvJxutLDj7\nKC2NOYdi7RAiAiAon7NhY17cpNY7nHtdya9kOTbxAnBBUMOeYHL/bXdgYg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1111,10 +1132,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbHh6CovDlb6uPMTlcxFLbx4sH4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToFJBILSJqi+n/WK86rcySwwoYiWCoC1ONPb2f\nFL5Bp5HJR69RpplQFNTjyHPF/i10Vrzq+GyYKMh5f/7miryno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZVD+VprnugmEPQPsF5FDF6Ove+8wCgYIKoZIzj0EAwIDRwAwRAIg\nMncBgs5USBmsMLgf+ZcS38W4+qhAstKF5z4ymw7zEC0CIBZRBBPux2Uy1qINxQcf\nxMBNsVMWwvzZ8iGNynoKQQoW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPdB7NVbZ27+qK1b9XwZB2D4pehswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG0OGP/woPrdfQaJILbktVBvMgP1LDgbuQK4eQ\nzoZ9WPSQiIxQy3spFM0rJppn+4oxLMkNWFCemMhXdSvhZcoWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuZauLN5wsB41aqcjujBAlF/Xz3UwCgYIKoZIzj0EAwIDSAAwRQIh\nAKG7h+CR7tX4gs53HbHBqN0UpU8MxMxag4Ybk38Ea9p0AiAGA6eSEavNV1rN7hE/\n2nfWLuWEberP3v7Kht03BtK+aQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJHMK9EJ4hqVYBd3pHtCH4cpes8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7Zlcyy4FUJoLllcTiSrznkf2HoufyZWfIlKOcMVP\nuf2nnLm+wdl6cr3om2u2ZwIaLA+h/bcj1b70vMVThg5SkKNyMHAwHQYDVR0OBBYE\nFKfExoru4JiQsZNRUexa6mTVyiTOMB8GA1UdIwQYMBaAFGVQ/laa57oJhD0D7BeR\nQxejr3vvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQClnkIpBZ9yFzNPvInUGihY5SzSsvWn\nsjEMmemzl0T2vwIgepq/cvoHsCY5WDTTQyHTdtjMPGVOJ0dSTAhrukN1Fd0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUDAGbZhQV9y5q2xNSVKK234q6X08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP5dFeWtEZKeT/sB84NXWJB+LrJXO8PeNdlZHc+k4\nXw9z5m2OJ+KtqZSxNTQTxHfcktHWCVVSIAL0dTcMzujMqqNyMHAwHQYDVR0OBBYE\nFKE7VfbnROtJ6Xr6G9DAbWPUStSSMB8GA1UdIwQYMBaAFLmWrizecLAeNWqnI7ow\nQJRf1891MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH47mg+avujrNlajAsThBfv9xhVIRfrb\nDMH4rKHxGhaAAiB5EvorQuCY8Y/WfNT5sV2Gy2RTlD4z18czh/ksxa7giw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1132,10 +1153,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUet5mliK4PovJgKk9PBXF5qYJ+OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS40T5zGhzA4ohDMCXtvVrOf2MgnrHWlS5pJLXy\ncQqfey0YPP+JLG+l+pD8Iaz9FPtnHVT/2RPD6l74i8H/kW85o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpsK7gwnbhW14+bIUw0st5wZHg/QwCgYIKoZIzj0EAwIDRwAwRAIg\nRcjL9E132AHBhSlMuUv2B66bjLrc6GdVqhmet9gC/G0CIDX9kHXltVHXYkWmJlqs\nThg7jmXdnQIaC8MFJX9EPVeL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUL7VNIvYiwa2nnMkDCeD9SJo+rQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNf2u5Y5+p/4U8MvpKCYUBDrkH8ViOY/ydlXQ5\nm82mdYE5OTCHlmSnLSUOOt5bP09P45FkQ3o1Gig+/eVtFPdgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzNddE+IWU42CIw1MOo6Opol6T0AwCgYIKoZIzj0EAwIDRwAwRAIg\nWLeWVlGEjbPP4WoWYa6RBYmo3APVtnEcyyoQTjRJxo0CIGInAb+U4NlrROMSeQT/\nD6l7GLVMDDxlSWaSb3A5FTbO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUVUjGi/8OhKk4GoOdaYpODXJII7MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEWYuu8JfP0c/fU308Zox1LAPj+oJfp5WMvKI7E8Z8\n+tXK93pELlNiHSWqRaklun80n5YuTWgeN2ZSYIY53/ZuBqN2MHQwHQYDVR0OBBYE\nFDhjkuwNalqCynB4d2zb8wWy7AFzMB8GA1UdIwQYMBaAFKbCu4MJ24VtePmyFMNL\nLecGR4P0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6UQpWlUumVEPHEl23SRWMbj5\n7yMAI+7tPKNCGRY5seUCIQC6lw90PxxspaOaYOmkLenXWcFenOD/5qB6YNrgcyBf\nJw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUcRp9QvzAqtNtLVKC1iSlY5Qjg3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEk/Mu/9wZWK+whL9LcU+ucRfEylBk7ED0UGYt4Wfa\nT0rWC2gN/+QdmzTtvViA4nkxYZuqrGPM0C+m6FRN+ymVOaN2MHQwHQYDVR0OBBYE\nFLvNOEGdIh2h4Qe2ihUW5nzG1mn8MB8GA1UdIwQYMBaAFMzXXRPiFlONgiMNTDqO\njqaJek9AMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBo1m6GzlQIU17isTikPVOhTzgO\nRtDQ+ZhooldO6z2FRAIhAJq/kYGbkt7hq8eHoPIWxTdtNbPFD23CKqnsuAuzcJmR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1153,10 +1174,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtsGnCkwStYq1nfxzI+rJTGdbw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9XBiQr74hkLFX704vUtddREeVdomrmTIFbmkb\nBMSqQ40BpCOsDJAtpYNnTQHpBoSc34JZlxDWAulwAGuUDMzCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsaB+RIn9eKcs24PzTBITtGdi+vwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKZgi7BRF3/06vBHJj7kqmGftqD0J/NZatWftZQ86p0lAiB3YEDLU0W1FH/6Sp17\n1Hu+kcYAOxnQkyGPho/94zYq8g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNPsq/ql9EBRGpYO2g8oVy7OiHfwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXo+i1wGhtJwjs2cwYctjQHc7t0qfkBd75j6WZ\nwm6AasLY6Jbj/tugrBlzTS/aL/Znm1KXdWQl0VonqWWynZhMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURUYK/0Q0ZTagzHcpC49L4y+3nGQwCgYIKoZIzj0EAwIDSAAwRQIg\nCHfuNq4//QRwgVAF4RpNHzdxaA3/nRfMnWsjSf0Whr8CIQCRqAb1xRqDAYpfBM2m\n+sWVJ8zUUV9ovSs6YgvF8sG0sQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURYEbTkhHCfGlCz+q+E+cfbSpmjIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs0oRsiKpuwcApCQz3e+fFbrvkUM83eO93sUCkYK7\nwcrOPlx+5yu74TVgM7RJXUYY/o73u/7Tqllv3z9vBIUdf6NyMHAwHQYDVR0OBBYE\nFPyE48vAGesrTWzbhLf2zMuvWWaKMB8GA1UdIwQYMBaAFLGgfkSJ/XinLNuD80wS\nE7RnYvr8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA87tvVvbN2Tv1azorfVu6vludpTh2tn\nfZeS+esx+MfqAiAMRoseDD9vIub8yTYln+acMifMlvnR++fDaIUdVJgNDA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFNuNpxd22MjDcXiz+cP9I9oTwuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBvWY63JcFnMHwt5vubZDhzmrjpfcujLdbzMgZ7X2\n1CXn/8P/YuAY0zXrslwIPHsu/SKIAJTBplgxPbB673VnmKNyMHAwHQYDVR0OBBYE\nFEhBw3Nf6JgbYVs0I2CTTBpdLsIUMB8GA1UdIwQYMBaAFEVGCv9ENGU2oMx3KQuP\nS+Mvt5xkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC7AvsI0THbLZyIc3cXc5odTEyC3b8Tk\n3uh1CC/bGFfEAiEAzrt8ixo/S/3xh2C5GjZmMMaeSxqX+GLbMaGuwiITCss=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1174,10 +1195,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR7bd7FS6LaCyUSn0C/6L6PhGogEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiaHmLrdC/HR1S8Swau1kyL9/VoGa4K+iC4dho\nLavM8EBQo9q8uBj78y5X8Z6hUtE2XO/+NVNvwrx0gHfwNfFGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAXzy/Su0zW0U7uj00SGDS7+GhgEwCgYIKoZIzj0EAwIDSAAwRQIh\nAM5UVGlnVSZ7slT8JQjcDlOuW//x7ZdeMXXvCLIgRnapAiAifEanBPxVxsjaOIpQ\nARNs5fXMdP/LpdmL2jNtOJu2kA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ3jLGTr+ghsX6N5vbvxgrjHOtsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATc0hAEWr7DyHASvVXWIDffA8raDevNKIip714E\nAJ8NDQNQOKGlKVfnSXyb+D6OVphXiYqmeBHRXtMQRgxotChmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPXUvgjAY1+7V+FdOmhiwSDxV44owCgYIKoZIzj0EAwIDRwAwRAIg\nERc/bcu5YrIbUrgv6m3t2mI236xcCKq9z1hVi4AV7oYCIFBlMO47ZyuBSIl+QNIp\nyfKsvO+5IgqdMvGkL3e5aLnL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUWQNx8laeJMGGI99M2Z3G8tA1rL4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZsPY2IfHkLg+Cfrmc6wbN4eIjCMJZk0tv/5/O1R7\nEDqR5i+HNnsq1lbw9Gg2AO1w7uO4Vgp+tU8Eet0s5Knxf6N2MHQwHQYDVR0OBBYE\nFK3pWJeRk+cUOE5trWID7lK1AJd2MB8GA1UdIwQYMBaAFAF88v0rtM1tFO7o9NEh\ng0u/hoYBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAHwm3Iax9GOMzxYGAAtYUyJbvM\nqajuXZQKKs7bCqPBXAIhAIF3O74Ffzogzyh02HiQCwm2hN0lilr8M5vy9/djTIqq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUdP+x9KmEyDcoJhSgIz7OY+0HZzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAECKzGBq6CHn54ZG333GH5iIWhZ3kZ7aERMdK/0LAz\niA1Is3KefU1N/eaPHUzW2GvcFx+Yg5GdDVRAuclkmkW5UKN2MHQwHQYDVR0OBBYE\nFONYvx6Mui0eMJW8FF6ii0WXQLYjMB8GA1UdIwQYMBaAFD11L4IwGNfu1fhXTpoY\nsEg8VeOKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwfBTC7ru2A6N8IlcgyuJ0CCd\nTDbjF2YkkixkoHt4p7kCIDK1D3XL3sAEvEGDnXeZBiqsTt81MCphIHxvcAiWLXAb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1197,10 +1218,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPy9ZBcCLoaQC8qC7cKfQMAxD1ncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/PlzCn9fKT0hSqp8j7H7dXjxRw22sKEhV37Gs\nol9rqsUOrHQBRCaIZ6jIx/3FAFQrN2qxkZXETBuGvBwPJYdMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUc277pK0q2bB1lEWBmszC3+OhjkgwCgYIKoZIzj0EAwIDSQAwRgIh\nAIMwTVdIK28c/Yccc3XPD3wb2narGXsk8vHf/uIQK4OSAiEA14wxeyJ5BcdAmRzr\n0RmfHVndMa00IDDCT9s6xjoLXuE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXlj5sX4B7y5nQeqnRMah/h0qokMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgzxmOavADoeS0g9Re5DTZFUMI74r72KBFBAsX\niV4G0Bf7d7gvkcvc2gr0a729B1WRpNsKxHCBEnsjIYnzrtJDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUd/5ORXuwizUzMGdHmcm2Vwr8o6kwCgYIKoZIzj0EAwIDRwAwRAIg\nUHxuuIzmlKIMVv8GSZa1cmHORLqURt1ja/1zNamaMQUCIE5vr9Fp+gfiqpmGyLgN\nwTHbRGkTWflF/hPLrJ8bgUc5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUQ4SGtLp9ShVuzBdNObMfQnIYdU0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEsb2o2vbTQpLDmEgxhVpbBHTgShCo1gBF62e/vPyc\n3yRyO3xKzquG5TvDIndtqyvVIBjBhMp7MWcqzURuQDXlV6NsMGowHQYDVR0OBBYE\nFO+q3BHvmAGSti6dyW3qsFIIYPFoMB8GA1UdIwQYMBaAFHNu+6StKtmwdZRFgZrM\nwt/joY5IMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIB8hkWZ8TQ6QnFqUc34aoXFha6g/ZiSy0EMh4vcT\nuJj7AiEAgNylgrcO5i11gUK+j4Y8CZIq+GqMONWmgre0SEVACRQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUigAwIBAgIUCD40c2QTg8AtTZYFmhQCkh2iH9cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7xKMl9FB+bNGpU1NEUVY/8MNsHC53Tbvq60HQ37Y\nVxVMZd7fq96jnqd5xM3Yy39kuXF7UGu7yOYpHFc+C34rFKNsMGowHQYDVR0OBBYE\nFGOBuu92Ne6AZuZFTTGuXC0SgRk+MB8GA1UdIwQYMBaAFHf+TkV7sIs1MzBnR5nJ\ntlcK/KOpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0kAMEYCIQDiYxIob82R9EqdxUElQh6zdN9F0W7x90Qt35RI\np0fnnQIhALcHj6kKjUmBD4NgmEmn6rRDwW5VLBhhEr9chXu3uXs+\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1218,10 +1239,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVlfEL7UIrMjx3hub/hivh4KcbGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS78wXDmfp2aGhNXRfgdcFxsz9QeRTHiV/8MdjD\npTbTx3pQ9rtB+WHVHcA3IKrciBBqmiTGpJlJBaEN0Rq2AQsOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURBs1RUGgdG+mSPrDIIa4NZPSrGowCgYIKoZIzj0EAwIDRwAwRAIg\nLcpzvhwuhqigVsVObor9U0NITozOmyoW+F3EeodN/qECIFo/AMGrFRluFNrNpo4p\n1NKt3bFdcVof5bzgB3Rmmgi7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIqKtbJvjkQMvFpn2sN/0nZMrP9owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkktP/ZG0RTGqeKQQoCExeR09RLaPp6LBfwnsL\nNZ5T8kBQ8czwsfho+xJY3Ae2Oysjs2QouHMvpNn1DlajW3P6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBuY7AMYf5JNhHTZoGDZC9XAxsGwwCgYIKoZIzj0EAwIDSAAwRQIg\nIAkSeKKocl3MpBcUZtS5jpT0JE8PyivbfVjYO0XfqKgCIQClJKsa7ymjbdRvvLrv\nmxQRN1ZLph1I9krKWlwG512Drg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUdq0YAX0GuQmEzW4U7envVaGxe+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEiOUiXxcnXr4rK7JKNJjMYRJS20qylrlqO6+FWJpe\nTTDoavbcDA0Jyl7i9BHABB31EAwIYU9YmtBrcFA886ugcKN0MHIwHQYDVR0OBBYE\nFC0jsELPTF8ISMiWYgk9HYEagyDkMB8GA1UdIwQYMBaAFEQbNUVBoHRvpkj6wyCG\nuDWT0qxqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANskdjpKlTa3ruDT7uQ5GIzgIHrK\nKxYgZBn/C/SUdrcYAiBQcz4rCZoaEXmoDKlCrbWN27oAx92Xcx/0GuXFA4z/mw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUYY6PnLK2UjtastWLE2G2HbwSagQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEB45VjAg/oHadlK537gkLRcX7l5wnpctWRUNQMA/s\nS40fci9xumRQPGswe/p853a7f9oAFKnGd0YK0MbmCvEsQ6N0MHIwHQYDVR0OBBYE\nFNxYxr279Unf/7mIW6qjOXI8Aq/HMB8GA1UdIwQYMBaAFAbmOwDGH+STYR02aBg2\nQvVwMbBsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgNSTy6RWYP1FwRLsc4NvxexkqlGvu\nXd9QbK7fbLh/+BMCIAzuVahGEcIBi0VDfCc0LtSSha4IwHzI31kURXv4vClA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1239,10 +1260,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURnlKN0TPxp/AbcIDiALqGEzvYr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMUwHFkZpzcTlp8pYC7pVOKQhcRW8mwW41pIOs\n3sFlzd9ZoaQcDcF0TCWZ7bbYngmLYS+/JSr2eIYfpL98kXzeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzZPo26jXz6BqaeTE0tJzMgHWDbUwCgYIKoZIzj0EAwIDRwAwRAIg\nMDkld6pIMIAxJBFuviViSOQF5cD6zyWF5Zp85oDqkGkCIAYwrVeU7tZBGNHRWShz\nx1IyV7MhMcWtFE/UWHFRtwqe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS2JBYcX9r2wbQIxUB3cusOvvcUUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiwxClw8ARWhbO+7QcSyPGyBBTz0NDwOoZpnnt\nbW4A0mZaZhPjsjcoHMmkY5cB0frmHho5tGw4rktHBQ30Ni93o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0xcoA2YEsrF0H3JMgc0Wgsy75/AwCgYIKoZIzj0EAwIDSAAwRQIg\nOGHOo7fxonfGFaKMymuKBv7PwnlkqRYMAGfIaGgcmnICIQCfbXkQls4v65jh+QDO\ngodRY05+beUPebfe8Gnd4zNY0w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUT3bxzKn5CEZJ6UIbxjtfL3uTWWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEimuCwZMYvYAvq+l44yhn6eWFmvGIPIbE0Vao8xHV\nnNYx07n7TsI+g2q0iUSxVEiYfwAfhly+Qjq6IwBVbL0XZaN2MHQwHQYDVR0OBBYE\nFFYn7zNeU3E1ParD2Sp1GArMWGxbMB8GA1UdIwQYMBaAFM2T6Nuo18+gamnkxNLS\nczIB1g21MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiA08z72tffwwz8k0sVk4eJnMn+q\nEowa0l47dgxLSQV2hAIhAJ733aRS2WDgvRk9xnZCrZdRgdwVXDpF3R6+3TWaSdZ5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUPokQh4sPxpm5LGzUx7qRugErUfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEe3Avad2JxbEhDawC6YMWpNA2vrozgnv0UWnW/XJi\nOT1wYcUayy7DCwO0hdOqNdUeR/CKW3kPKjxVoRCoteXM26N2MHQwHQYDVR0OBBYE\nFC3pI1uKby42njT9K0a4nemiyBSHMB8GA1UdIwQYMBaAFNMXKANmBLKxdB9yTIHN\nFoLMu+fwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEArIHfG3E32OEaMAaPnb0eQLEo\n7BtLSXjYDccdYXRNgTICIB+PvPSUHyPXid4GgxhmXhISKlOAay4CzUXoaObymTvk\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1260,10 +1281,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPQf70ClwwK/iRahaGH6xM+mynA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLeT8gfgseyImBxAclEKPA868gNFxumxeJkIKR\nNtkqahaLx8LfIlqgSBt6bqDGboMS1epcq5LrmSjw19om9ZZzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2dGB3g0xPuQZLUI4RIrW+dIQ2bswCgYIKoZIzj0EAwIDRwAwRAIg\nF/x2TLmy5nFQfioDtjo0a3XU5ixs6fjExLSc8wgHjWECIEe/EP+N4goD4VIKPXp2\nnYcQMz5VnQSMu6qqs8cGT4gj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXks7lNqo+p+yZqP9ZK1ZBH/8+6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7anBKyZ5w0WSi7xGQv8pIxGU6jjW9UrEkwQXH\nSC5V7YV5Kj1bwKuxrldBDtLb7bpFU89pEsoDoWb7523waIIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeGsqog0URNcaQiP8b5M3p1SaX5QwCgYIKoZIzj0EAwIDRwAwRAIg\nIV6tJu+y+0+8iAb8BZesgw/kw1cIpdL9CO278zEJ1boCIG+4bTjBjEdRGR0Z907r\nqV9y7WFES8uwYvNX05S0KfhP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIULBRO0Y/3VPcPMMf1IX2mLAWDvQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUCu3zmBkQe8wpZG1hLAlFqU8tIKPWQKKIB9YQ5U8\nfQz25266v9dgSXE8HCynu4Axmo8gCJMTrYUlkJkgnj6mFKN4MHYwHQYDVR0OBBYE\nFMFhNJ/oWAIydwHcW3zj0MoDew+7MB8GA1UdIwQYMBaAFNnRgd4NMT7kGS1COESK\n1vnSENm7MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEJXYFW0gR7vt+lYSXoA+PkS\naZmRXH+9X6hXm3U7dWOFAiByPThqzMB813qJ54GYi4FDK6lFMFquH/k+IlgdgsOr\nvA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGSWA4zB5wAPuHG2A/lo0+0K1os0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEU+CeSLHscH7z+y+dMgtyhSAkz56brZKRzI4Hq6HY\nNEtU5cCO6dFXPe8FSARhXTnpKmWmbQy7EtYyywdSQ1JFHKN4MHYwHQYDVR0OBBYE\nFOZZAsBa9xyar/On8RAyCpAzAu9uMB8GA1UdIwQYMBaAFHhrKqINFETXGkIj/G+T\nN6dUml+UMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGrauXTqSujjO2Rnx1wJm4oz\nZOIoNG7paZhWbmbABfSZAiEAmCrkPuIlRySG1d2WojO09BONhQpdIWdzs5i9AOne\nFg0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1302,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNAdbuV/1nCFsFcEh4x5aJNmZrX4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToy42e2/5o5g9FtFtUyVZ69v6XoZh5WyL3uI+v\nUsAQnzOd7Jj45mkA1X7+5ktt0k6gjdSnme5vhnd2cQNo/Gk5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSNdECjEr+/G7N5EHaKY96QpK1mkwCgYIKoZIzj0EAwIDSAAwRQIg\nIzr8gVaXjl/AEU3r4w8X76X/a/e/LIQ4EwQVxqxwaNMCIQCbrUen1MOS1Li7irun\n8ofxi7KaGEEhP8iaG8V3UEzelA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMIN0tyQbJBAOkLGhEZsAE10e0VMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy8HtZHyIqepMVc7UDd6tNQ7Rem87kqWay7+KW\n6UZ38nBrX/2mjOdjorfqBTYkCwmlabNwyRaq7uiNeMywRFzjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU77TtTTvSlpvBudCSq9ietIVLvbYwCgYIKoZIzj0EAwIDRwAwRAIg\nD9L67MppqQt6sW25pSOBXM8hidXMpv/wgDaf1TmsByECIH4xP1rftdyjnTBqnqjp\ng2f2A03zDorjYijML+hKKM7J\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUTzmADW40b4SpDWa1Brxy6bqmumUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2keRMFhsX6BC3IG5yWZaxrEBRmLog2DHaNEgTJtP\n1F+ik16nNpyiRb4OlAh4BVk+u4L503COhwlbcYAyvRdJ3KN0MHIwHQYDVR0OBBYE\nFI75eC15IAfZ5CwGPFrAMXP+jfmkMB8GA1UdIwQYMBaAFEjXRAoxK/vxuzeRB2im\nPekKStZpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAITA15NhhROtAIqPVgSgAixyuow+\nFIchSCw1uTsuUQS0AiEAw05i7QAAlaICOHQ4VN2KvE9/JK7M3kSvUBtfavfRHJ8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUXqNt075chFmmmNq9q137duVgdVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2sAp7v5GYYAoEL9VA8PStSfXsq8SSDh+yVks2Zt8\nh3gpS9OsPJWs44U06Cn4a2j3bkzj8n4VE2OavFrc2rQ0rqN0MHIwHQYDVR0OBBYE\nFF9AO+TADrdQmqEun8ZESa9GmUGHMB8GA1UdIwQYMBaAFO+07U070pabwbnQkqvY\nnrSFS722MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIBRit3J44Xi5cmvLLQ82XdbmhZff\n2rgMv4ykqmQiD74CIQDz3G/3oh5wfJKl1uKkoneGnEn21VXDXi4+gz7h/DSHTw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1302,10 +1323,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUV10VqnxdMHTLUvVy60NltyjU3iQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsk3OcbOYId/eSZKnTyaewd6TzxWq2LHeA+RTB\nBPvC5sBDat5uSC8U8Lb05oHB4XwVT/bYhVqmvmGTe9oAC53Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6N5EgL1m+vlXJFSv91RezfmBeSkwCgYIKoZIzj0EAwIDSQAwRgIh\nAKe+fliLt1ok1tcXEdr0SS2debL5nTFLo9lvOcq752Q3AiEApEG9JQXimquj7R8u\n8trL7z63TU6sox0Th6fVFPi209c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFDGyTnEO0wkb49OUpnzw8pkJi50wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+V/pR7WMTY8Af7TcUy7LFRhoPp9YKhBcvSSrP\nLAyghsyDvT1IEHkLmyJH/SRr9S2IzUZMmlTgwqeu921zywFBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTRYhXN3DbE/lk0dIJOugnQ6xvjAwCgYIKoZIzj0EAwIDSQAwRgIh\nAJkXQovHn65HsTpJw0xhb8ylXUa9/8H8l+k1LWpkfztUAiEA0kAIJq7O58LQwPAi\nAwvjrAYC7zz99Vo4rEl1LzHw8Vc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUMF9hoZaXyitloFwf/oRlYaQoZXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdKB2CZ3jmmstfiQk6Rofsumb9Nv0iBM9px+NGO/z\nx9DIsQiQYegMS+a7h1GsqeMwtEahCRlmEE5Hq1uoy4dnS6OBgTB/MB0GA1UdDgQW\nBBQYZ6iX04iCLRXfxjqvTwPWbBu2hDAfBgNVHSMEGDAWgBTo3kSAvWb6+VckVK/3\nVF7N+YF5KTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAvq5hpckA\nI7hYhUzr4RPW8su1gLHqu0Jarmv1tpbkCmUCID8T3QO8TA49BdyvAhHtPwSzO1Eh\ntea4udfESUYmqf4a\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUPSvrDwP916xAIdC7/TQJnCamD5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqhxbW7Duncp0j2EjZyVSw036NK2GITFsBRwLio+f\nrYqHZ73CH7UXipRPGPWqMuCAWcGeVWyyLpIWrpBhWZ0ypKOBgTB/MB0GA1UdDgQW\nBBQAJqJ99frSLCpD3gRtSZt5w6dkzzAfBgNVHSMEGDAWgBRNFiFc3cNsT+WTR0gk\n66CdDrG+MDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnZW3kYTPF\nmSheTUUai++2D2BbAxUDgLOJrkAli3Oq/wIgOObDLdy741hpwpfX8uGIkMMNZHLk\naMCh6cFSCGRCJZE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1323,10 +1344,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfRZdquBneFwAAC566PKen2T6UyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCjKyENEiSg+jN+MX+/FrKWYN8JsiedBWMQRPl\nDk9ryu+JWlhPLPdDqr1WboxiM0tS5onR4FHNcw0b6/70BbLCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC9zK3UgvaG8N9b+ag/SpfoZ0tFgwCgYIKoZIzj0EAwIDRwAwRAIg\nLpJR7sUZebbjmLDHaWGt2EjRGzNV5mq8trB48gaf+RcCIHBKpwM/X3Izaw3a7xfD\ntNEUFZ31vKP49ie62UMhpBps\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZTQuX5/+Ou+VI5bDNZmqEspJ2gwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS04MX2eTZWCTUv45Wp+ePWZbRB4IhUX/PzoBWu\nnHBH9UrhIbjC5E5jug0TGUn4VBJjT8lr+toJdIlkV6w+zeLdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IHXwcN20HWWR+ZmiZSi7bUGbYUwCgYIKoZIzj0EAwIDRwAwRAIg\nC+s9WvoEQzUx8IB0Ycz94hZl0kjlatD2YYNuWqCM4kICIDhX9oSeGtSRMkyYlMAz\nmgEcXYta8pwO35SJZoyZWo4/\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUA5lJE7lAhWAGuH7OP5ExdtOyFm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzpOkpyznDcS1wggAnRQ1q4peoNj/BB1ty2GbAWCk\nxrW5ihlNmL4XL1fcMbXxq7kQBjej/GG+c5IZic5Q16sobqN3MHUwHQYDVR0OBBYE\nFNAkh25zNTnrYsDjIYY/j/7FgXGtMB8GA1UdIwQYMBaAFAvcyt1IL2hvDfW/moP0\nqX6GdLRYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfgTdxOwRW8PD9TdIIqph+qfI\nXFaD9OMU8/aBEJLbmHUCIQCi3WzXGWlQd4qeUuoTeHywefTwcN76uGM0VB8LCcMo\nxA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIULfH4uKLH2p31qUbnfCnmxWXecJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEu3+BhaggSGRQM1oyxOAb9HsBx1YLSFRxTyNdWvE/\nOBRONrk9Ine6OedC8a5trjtKq7GOkYAcQxxpojj2s3TsKqN3MHUwHQYDVR0OBBYE\nFA3iGMJuXiVTw07+3Wm99oNnYJo/MB8GA1UdIwQYMBaAFNSB18HDdtB1lkfmZomU\nou21Bm2FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzZArfwV2j+l/uQzot+LXa/w\nFL0dMUM6ubw1az/cdrYCIQD2jRBGBN+p4aQvmnovfJ76fEheYMi5XQLY96LKG8yb\nPQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1344,10 +1365,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeWh3SJz25bi0PRIbYvUSyVzhs8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATygFTzzo7vBqyzMdpQ+YtnQ3h01auVaNB+dHjc\nKyonQyymxNYV2+g28vJncAxY0TICSaHKzrHmJ6f2SN/2E74Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUumNerO56ypB4ktaosa0kp4vtBP4wCgYIKoZIzj0EAwIDSQAwRgIh\nAIgX4cpDgI8P43uW9QBD7DXMZ5q7kkW+p346Fe9nEIELAiEA2YFRnEqxPjJ+cYQJ\ngsVmVW1QsrWvbiA+sX+0SrYYsM0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJgnStIT2FI/7XFt+O/c//rCrSAQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpCUDvs+doBN0NAzbnlDxvVitdPsdgPyhbtfOO\nXTRaXgOZtng4jf1Wyo3XM1VRtQGzgoWpS/kcYy+h7QCgiJeGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfkgqMi3uk6lX0O6FD7V/pP9GSYEwCgYIKoZIzj0EAwIDSQAwRgIh\nAO28KIEy9bGQY7pS9Zfz0V/dg2KuAFrDdeXE6SyMlTS3AiEAlJaGVNzZIUi7oiOA\nALLutPTymc873FFN7CAYfojD2lA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIULaMsd9CZ6SEmGwhP0LV1Qh6y3r4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVhRVymNkrWJe3lXz5+fWIClFwkTAAU0MBdDjwoTa\nfmgNx4QAVPFgP/ZM7RN4Fy8S2zEszn8Hz6CtpokrfceMy6OBijCBhzAdBgNVHQ4E\nFgQUCfyGZfguYQb8EjP1CdYSYDDgT9EwHwYDVR0jBBgwFoAUumNerO56ypB4ktao\nsa0kp4vtBP4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNJADBG\nAiEAmL0PS5OqUTLhrRHGFo1UYCsdC61divNLudD1Iql77KgCIQDneE8CvLa0QTjF\nGh/+jWLMtDtbO6FMZEuGIl3sY3ynlQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUeUEVRhEX7/RmLYZXt0CrrJia2QIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbwz9FA0Kda5NVsJiK3MHy32ZvqXPxQQiqcsltdXX\nPrFnS7+ebHtojNM03WW57AiJoqJgc6N7K1L4HlTsMWMnCKOBijCBhzAdBgNVHQ4E\nFgQUwCHcW73mShEwUUvS7fsq8ukWOqEwHwYDVR0jBBgwFoAUfkgqMi3uk6lX0O6F\nD7V/pP9GSYEwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiBAMFhJa1EArc+Wm6enpOLecCs4jmpz7wY4PXcr0BSArQIhAMiyKcStpGXXs0XA\nToGSCTHyv7dSOPD+N5xqXlrMQn0P\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1367,10 +1388,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUftG10oPr0BFj5jCFez5uYsj6NuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEgywg3DLO6VIFbgcwTITE6ovz2zVn2Ma4Rfjq\nSZKZRhfYlU+i3CZ9nua/dMH/+Owetqk0/4qS4uhgYDGQdJ2+o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYzZ8b7OuhQVaoh8j0szFkES4Yq0wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAOnPAR5TX7QKkvea5JE+82DbffS/Rk13/a3J\ncp83HDphAiBV6OVEdWtKXBVe8AUNs1Gil0n0Trgg2lWLsyOIB9HBjg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUKFfOAekoSFVDIz4K8tgSKDZUBMowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzozEYdOgwNi0Bf3jOGBQarMSfPfH1jUGF/KQg\nNm/RmqM7aXalBfT2V7aD/M8Q6fa1IgcsQ+ML3yI9fCelsKnfo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwLd/K5ON9W2IBB+eNI1nvAvRcYQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgLDK6NIVZzEiSRVPNrmsZsSLRCfV5DbmIpn08\nGbb+07kCIDdKDRrjaaMhRDKTKka9Z+CmvY7QTN8OWHM11fEdlJ+y\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJjMycHllBsn/s98ClNH6LfHjcuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTEwMDAwMFoYDzI5\nNjkwNTAzMTAwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETTnkxOhBV7RJ0RwvsZNM44NSa7nlwmekEjypAEn2\nOWA+3FEMYM7UoS5O6FZ29eNtoElPGf9fabPapHW7hZsAz6NyMHAwHQYDVR0OBBYE\nFAfeyI2a32tMLGz3QKUavIp3SLkJMB8GA1UdIwQYMBaAFGM2fG+zroUFWqIfI9LM\nxZBEuGKtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBljdDh641+7ItAJNYrca/f58+n9cqHV\n/Gsqg/LnqpXJAiEA6s5dcpxMAHtsTlQv7n1o4vvFwHxsTph30bgI5yOQu1U=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQwSXHqw5/JShDfGN/GvDEt5PPZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpkJlqq3ojea8zL2D7cwhT2gRcqH90vPBZH7q2f0D\n9QtqMJHFI/CDp6Xo/FCO2IraaKHOZkICrZiLih/RfgeGJ6NyMHAwHQYDVR0OBBYE\nFBjYhBr1BZ2g34x6uDY0J6prAX+0MB8GA1UdIwQYMBaAFMC3fyuTjfVtiAQfnjSN\nZ7wL0XGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIF95gh9vieUNpXUzMIrmIsmAhXJstie/\nFhoIlZQn9j7UAiA7YotHNyzyDYws1kpuLEFNptdy0hzvDvw+wkcbnw6Gkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1383,6 +1404,90 @@ "value": "example.com" }, "expected_peer_names": null + }, + { + "id": "webpki::root-with-aki-authoritycertissuer", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUHUo5Oqpbu9off8gXmBVj26BmWyUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToZrGM+Oo1CPXfTpQ+j4zzRcbf/pANGA4ELFlG\n1h5mIU6ah6zvydMgP8qyge5mFB5y1IMKGkDWjjA49J6pCqSro4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMch/n+yBCVr4KAhR2J+f+L0vHW4oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTHIf5/sgQla+CgIUdifn/i9Lx1uDAKBggqhkjOPQQD\nAgNIADBFAiEAtydkiNJ2ugPxI4bQfC6gSsscqVJMxE9Mfi7vNvw3NJ4CIBt7eze5\n4nrzhTj/GDyW5JL3kAa9+WgG3a/jnNgRgYZQ\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUUDStz4TYE0KAajyJtaCY51sc0rkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnJ/p7qjtwLOFnUwAFmkh1QPpIebF6QQPCIXONCPh\nXemQ3AIrI9j0j8xfwxHsY6UDpo4h0Fp0hEkI3XncrF4KkKNyMHAwHQYDVR0OBBYE\nFKiYYC3vzk5iYDr9p0Fa97VW4E/6MB8GA1UdIwQYMBaAFMch/n+yBCVr4KAhR2J+\nf+L0vHW4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC+K0frdxeT8dtLXaAe4JuLJT7Pc9Bv\nGYfxTagdEPcExAIhAIOdpBhA/WNxRLJTkcqKbJoAWkJOrimWhypIEuWnF1Ce\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::root-with-aki-authoritycertserialnumber", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUVRR69IxwKiLFJezUBveRLNxz2f4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIdIwOPZGITyF6TGymjhLL7s1T34eYkAMjzrQd\nu7mlYapYdwEPIyVxHjdM9m1Bnu1L2dnX6nJTTAZcmVE1JJ5jo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSdi6SzpxgpSB4ZuZv8IEEViRYcy4ICBNIwHQYDVR0OBBYEFJ2L\npLOnGClIHhm5m/wgQRWJFhzLMAoGCCqGSM49BAMCA0cAMEQCIEW1HUJkZdwhiYXQ\ntsUAZ4yIjo9DyvWSkt1oK7gdb/kgAiA0Wh/l4p+nc7mFL0HTn65dcgwYTXdoJMJz\nCWUo+iM1Rw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWrnLdCejw6YwdFXi5x/8/lswNDYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs0dOx2Adrg7bdfhnbrfL+BVkAOAJbOIYE8wgXy8x\nvJBiG0LuZ+EgKcJ1QqZ0+Sk3wUADgbWb5FyYB67R4+M6bqNyMHAwHQYDVR0OBBYE\nFF6Ny2pWm+8YsnKTW+Pl5LxEadNxMB8GA1UdIwQYMBaAFJ2LpLOnGClIHhm5m/wg\nQRWJFhzLMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCN3TRzTfkqVbCSEwpmTK2Bau8/+5xz\nY9V5t+ZHr2kFcAIhAMdRusItLOoE0V9C+gxNZzOY489aFfZBBukA4o2n3HF5\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::root-with-aki-all-fields", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> 
Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUexEew3qQTahKmXqqyLjb4MEZMlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCzk87uGUiHJ01n/HJ5t0R1PHLe8vf07cNPsZ9\nzGaUvyP3UWnMEmssETiV/ZS58VLZudBNSgYD3UEbFOwWq9bfo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFPx0z3ZaoHmxedQ1b5PANlcNJ8bWoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU/HTPdlqgebF51DVvk8A2Vw0nxtYwCgYIKoZI\nzj0EAwIDSAAwRQIgOggwbMd94Al58coNvuybmdhoee0xpQaX9od/S3A/DHcCIQDn\nmzLqFf1SuvzIdeI4B5dn8nU4/fOM9B0sJeWHPOYptg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUMQ3UIqH30jq3PGvxWMFxnFKHHhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdmorhT0r7Y6+Dv1ueYLUHZwUpB/vOAVqbwrowAO2\nUOtFf3Ofx1b4HvNQGud+iYSNcA//vqoUYqk8kxgs6pUaXqNyMHAwHQYDVR0OBBYE\nFDffJ7Vy5xqmagMAtnHZXxvesErqMB8GA1UdIwQYMBaAFPx0z3ZaoHmxedQ1b5PA\nNlcNJ8bWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDzmQJceiVcXzZyqjM4FQfzqbdcnA0H\nZWO1IRaHvJ6s7wIhAPFrjChSjlAotng3aI3WJkiwLC5uZxD/bza+1iNo6xC+\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::san-critical-with-nonempty-subject", + "features": 
null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaig2XKTxCFHEhBmBzKDNdxo9cbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZetFabVqzbOOUy/uwzBxc0SAwq8WwNJa7CLle\nxgN3Z36hev5LDMu6JqagmUCTXU8yUMny4ENxnsTW0AjkNpd7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr/EUcJ5QMpcliIKhpLH+LAWEv3QwCgYIKoZIzj0EAwIDSAAwRQIh\nAIHEAaYIDOYRFxleKwbJ60N/WGAi+Em5iANCa3ue+WnlAiBtaiDE/OVWfSYzWl+S\nLddAsgotdzOt1EYs9fmX2Haugg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUZA8a/lG9VNPqm/0euQ2zyhwGn4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEMrUiMtj+rY1bUTcFYNfLLlo4WsaqxZVI1rjdCJ\n7/es9eq1ao353rMpFqALbz5+0zF4X13Lgap3nhNtujvEgEijdTBzMB0GA1UdDgQW\nBBRcsgHquDMKg9E9lEG86JY/QTWEYTAfBgNVHSMEGDAWgBSv8RRwnlAylyWIgqGk\nsf4sBYS/dDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAeLMTd4bAxSwI5Oy9/xJ9g2Uyr\ny6FHTn8Z6hwJRCTQVwIhALjs1+6SJfJN24rV4ENhjrXbpk5ftQLTsGL7qnH426ku\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + 
"extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null } ] } From 95ac2e720ee36c90fc7d452f48212f0af0fdaabb Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 28 Oct 2023 11:06:11 +0200 Subject: [PATCH 024/155] bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 335 ++++++++++--------- 1 file changed, 178 insertions(+), 157 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 742cc107ee5c..4f082c55f623 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSslWloMkEhFKLUC3DygjX4sjqMYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjyO0YwM5sRq61AzxLnWHXlduAmUx9WrclpDP3\n6aStANSZ2G+w7jjShAM6fQMDKiuOGMozH2AAScpM6RG9N3vJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUExr9DDhjj+AfRh/rdOykq5cX5kYwCgYIKoZIzj0EAwIDSAAwRQIh\nAPA96B9tU7aX9w3r8eKituIZ2tXfJVopejrI7UBVS00BAiApumw465k6hhe+Bz6I\n8AP5s4t9couAZwkAq+Y2y3Q+vQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQWo6gbrRnLAjczNRQh5yjRmTmkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpNP8MomtfRwP6zk1/aqFs6yOyTeVKHBSsQn0u\nUal4ij75s++Ga76chhunW6BdgK8pYNZAY0p1UcnVAsQ/lwlLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw7cXs7ell6Fd48hzKEulFQaS2SgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMPemXAv7ij2qDFd++mkDEz2iX2Y70GIxVyVo295ksOnAiAHFznPj+f2tNVHB/BH\nd6Jum8/GdKKKk4neGiynIYv3JA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUEMY9R/qbaPSEVaQzmQrB1cOBj3IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjY5NTUzMDk2OTkxMzAxMDYxNTQ2\nMjE5MTUxMDU5NTE4MzA4NTkwNTUzNDM4MTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNuMTFVlH6WcI12Lqez0WtE22U4nXLuxxZ3zzvnBGwZ39XwThLb10UfX/05gomAn\ncG7wfvOshwPyr5nI/G0HIC+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBMa/Qw4\nY4/gH0Yf63TspKuXF+ZGMB0GA1UdDgQWBBRTw18dmhs+Max6Zq21PlMPzt8uFTAK\nBggqhkjOPQQDAgNIADBFAiBUmFyuSHCNC8/lSrwrX/6ec7TMo5W1hNxCtS2mTTGv\nIwIhAPW6aB9HK8sE9WNOiIHRgXdfr3V34HtvvS9nq26wqII9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUd+CzA5mEjWTcGfp616LrzOyqqXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNzM0NTMzNzU3NTE5Mjc5NjUyOTM5\nNzg1NzY4MTM0ODk1MzQwNDA1MjU3NDA2MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHXzpGiK1MOTs/Pbh9AGSGWpHF9QXPenbHc8aoIL9AX7YOn7aol6AwD192tS+4Vf\ncdXz5OYas2Phw4Zzmthbr42jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMO3F7O3\npZehXePIcyhLpRUGktkoMB0GA1UdDgQWBBShr64xiOq4mxWF/KUbkTErbplKCDAK\nBggqhkjOPQQDAgNHADBEAiA75iKTexI9MrR36ztMBe8Zmbs+wG3lORW348W/xzqA\nhwIgelILa73teYc24tPU7UFKCktAoRfp4mIPZGFGashdB/g=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUB8lXOcuVQ2HEzWPoMWs0KwPuF9owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI2OTU1MzA5Njk5MTMwMTA2MTU0NjIxOTE1MTA1OTUxODMw\nODU5MDU1MzQzODE0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW\nPfIM892nsFWNjJdCxqnggrWd4p/D1HyIE8Rh1tfF5zpnQJc9SwJULbbDyJDXybCD\n/LNLg05EUnbtd/F4VhXwo3IwcDAdBgNVHQ4EFgQUpJDm9fIB15CPrJ6QUup309ky\nY1EwHwYDVR0jBBgwFoAUU8NfHZobPjGsemattT5TD87fLhUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAK376REzVdc2l7ruzhAj8BXkeiCkGlhN4oC0xVMKn2jIAiAkDiGhTexD\nrLU5PaBFdCiTmlAxSE7rMcjwzeGknxAwkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUYlwy7t9ZLJjo4i0i+Eqk+igIN5gwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczNDUzMzc1NzUxOTI3OTY1MjkzOTc4NTc2ODEzNDg5NTM0\nMDQwNTI1NzQwNjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARY\nOssaxzgodbsFDkpJvYeqPhSHsiAB9pMXs3fAgEeB/RJbE03mP362ij+gNvSxyZSz\nxeYCKfgu/PvRdt/reo+jo3IwcDAdBgNVHQ4EFgQU31Mv6Kb1pesU0sZt7Ul00Sqw\nf+QwHwYDVR0jBBgwFoAUoa+uMYjquJsVhfylG5ExK26ZSggwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgTTrHjweQF4+vdANI/VSI+6yIKN7MvE8BK8Wo9fujxusCIDhCpvEbsO0l\nl9xh1UTusm1u/tY3sqGOJ0bqRz+zvtEQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQvENP/Wb/XcRuBKSqJTjeZ6yZhQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6gysijSGXL8gDL4mLibUaXrboxnSExOIkLk7z\nHMZm2cBuDqMJX+VY6Yq0a+iKrGGBNbddug/0eYParmgeqtxYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRxrwjWoLYncDZDmEHWsJC+s70QwCgYIKoZIzj0EAwIDRwAwRAIg\nGqvSZPbQz5IGKbFd56jHi1uY/m866aVxMlsnfOc8koECIBRAsddOXwnkjOEZqqdf\n7c7goiKvAVucm4hPSzv5HPTz\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURQJLhJtgc+qkm7XGmpVmBsgnXdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWGZ4BQ3SkHbeBqXYArEDStPMheN1U/eGmfCku\nPo0IgUSOpguDTBqp9N5tuDDGNGu3s6c01q+TkpSrVsrz3/iMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBE4AECkP/+joFuvYMEPNcrTpb8MwCgYIKoZIzj0EAwIDSQAwRgIh\nANbAc7n6CCDV9DBgrQ93JEdeBKUa/s2EW23YUGth3qp3AiEAi3Am8l8dllF1ytzD\n+caF0cPrx8CJSXI3nxkYDCzbwVM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUBcByF/SbuQHuRNykNjyfNH3tYigwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzODIxNjkwMjQ2OTExOTYzMjM1NDI0\nNjkzMzM3ODEzMzgwMjk3OTgxMDQxMzEwOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPvcRf6crmzJ2IliFgqSffHijKvp06OFQMRjluOOD8LRFrchuSMZYH/ztYO0XhMG\nDiV+mAeS5L5+GzDQEjW8T/mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFkca8I1\nqC2J3A2Q5hB1rCQvrO9EMB0GA1UdDgQWBBQ3r169n4SQ9/iHeaaM5USDOonV4TAK\nBggqhkjOPQQDAgNIADBFAiEAuNCqW2yW5u0HFnLteUZh19U/Hq0yeYPnDoWguuTM\nRJoCIAXuNBz3qVWA1NQE07aQHs90TOH7lAn41EDTonuK9s9f\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUO5w66FofhYZiw5paN+3EWAV7DEswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTM5NzE1NDMyMjI0OTA0NTQ5MTMy\nNjUyMDg1MTk1NjgxMDQzNDc4NTc4MDQ3NTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKtQpZ++DSGsj+IFhdT8onaM3OEKsmBG/LhlMUPZREG8TaltgNCBaQi2gS8+fmjL\nelf/Ugr887v8UetnQcIcml2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAROABAp\nD//o6Bbr2DBDzXK06W/DMB0GA1UdDgQWBBR3YhDpem6qzi8pp209rwpjVXrQFjAK\nBggqhkjOPQQDAgNJADBGAiEArrN5+bIASVu1YmiyZIGwKzBpMH0TTXYZrFZB1lKx\nxD0CIQD7uP2fdNxpvNM4uXDBlBkP0NHVmNgPvYq3kKiFz9U+tA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUDULAArP3ZQD74UF0OGPpvz1XfEcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgyMTY5MDI0NjkxMTk2MzIzNTQyNDY5MzMzNzgxMzM4MDI5\nNzk4MTA0MTMxMDkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATd\nRQOr6OWqg/wX214X7jJxiALrPBofxcoFO3GWS1ZTEJR0/vR7F9oNCySyb/P+oc2X\nmkgfX3MGfQPZvhz9TwCao3IwcDAdBgNVHQ4EFgQU1Ewyo6mySXifz9ut/aasynlk\nvIMwHwYDVR0jBBgwFoAUN69evZ+EkPf4h3mmjOVEgzqJ1eEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgRuNPBay6vto9q8ea8/Eq63QupO3y2rcORgQqAzgpWEECIGNCwOAK+BlM\nx5NMEWUf2ATu+aokzHsg4babrUeA1Ejm\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUOhdqQ7p5EwwbSj2e/+poqtTtIv4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzOTcxNTQzMjIyNDkwNDU0OTEzMjY1MjA4NTE5NTY4MTA0\nMzQ3ODU3ODA0NzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN\nr1fST3/RJvhMyFHJ3oXrS8g2NDgEbTVk1ayX8opkkn22BLxMxQp+tml4n6bFqyku\n8OoL9P8MHc/mfAnkZq/Wo3IwcDAdBgNVHQ4EFgQUDhZczQTZIO/UZ62Kawbn7Otw\nW+YwHwYDVR0jBBgwFoAUd2IQ6Xpuqs4vKadtPa8KY1V60BYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgCGXHXYEvXIfE5lFLrqCgDbt3UdCLUkwrUejCG9nwSYUCIQCCxlFtLTQ7\nwxJOu4+py25ZXt6t46oezaUp4VLtuz8i9w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVPrhie/0yz6a2T5solasTmHK3VwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQR2XvErKQFKbedSnKFsYWGyxZyyynM0f6qsda2\nWp1RYDFw7TGKM9KoSOPbm12pJ1xe/jgcUkBwDjQNE9u+xO8mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0cU3voFI1dXx7VHwXfNzwz8dtx8wCgYIKoZIzj0EAwIDRwAwRAIg\nGtFfqsgvY5l7GcUognZwv82jW6Lq/RGbb5UytttdthYCICqb5a4WLvS4/Y/scypQ\nUg5aKHV3ON+T2JzrJWD2JZ3M\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUF2XScCvjxS2FbKwR3q28D89mVoAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7VmDloB+nlnta9PRdsI70IKkAvxC3tFidyB4+\nxHGHiRSlQG3kZCATZxrqpdKareUqxZys/sLoJhaStXz6vOQxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3wQesDHqxfVbXm+z1BcGUpNfpSYwCgYIKoZIzj0EAwIDSQAwRgIh\nAOeKgwKRN3ny4SpVHKEWqhCzE/o2DVhj5c/YwiwfzgniAiEAouDZKK4VOlbAMmIa\ns3JiWuwfMG/A1mauaagLkg/RFJw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUboYGhaZ3ki6b/Nu8UzILXT7G5d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0ODUxNTAwNTgyNTA4MTA2MjM3NjAz\nMjkzMzIxMDc3Njk2MDQzMzMzNDI3NDM5MDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHk6PESR0PFXv/8hodmmXHFYP3YFrI0B6mKzVjbksFc9Aj5kXwdPh/hxYqr/NpHj\n3oLp2Cm0mL9zp1XRzHLHOtKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNHFN76B\nSNXV8e1R8F3zc8M/HbcfMB0GA1UdDgQWBBRxrtI2GMJlj3J3LX2ie71bJQgqlzAK\nBggqhkjOPQQDAgNIADBFAiADs7TVbRPzvPgMZO8WCxdeIPuzShxeqK/fyoJ7aJyB\nYgIhAIq3I2MWRlAG3x7s9CIuG18/zg947LqmO+r0MYk1BnC9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUOePN24I6CVFzaG8ji4f6F9e9PxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMzM1Nzc0OTQ3NDQwMTAxMjEyMzg0\nNTIwMTk0NTA2ODQxMDE1OTk5NTc1MDU2NjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFPlnXD95Le1YhErT/q/EZogE1y4QSc/c1FeqM1BggFhjgEwqblg/XmRv9LfwXzU\nJwDVV8AaYFTt+YICCoCJH3SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFN8EHrAx\n6sX1W15vs9QXBlKTX6UmMB0GA1UdDgQWBBQ58YUOzsfm0LRZKIp12e+njo7ydDAK\nBggqhkjOPQQDAgNJADBGAiEAlF4eDtnN65sew9zMxU7mprZ5JHZdej6U/I7p1Kmo\nq5gCIQC8RUa09zvAzaVnPm63AnS9O713NSwlroab1Wlv1MREDA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULl649rRr/1VD30gx7ZU/LTdglX4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg1MTUwMDU4MjUwODEwNjIzNzYwMzI5MzMyMTA3NzY5NjA0\nMzMzMzQyNzQzOTAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARO\nx84aYhAFWabJeXOQrOABb3bNzr7RxQMppAwVPBJ9pwg4eAy2Emr+uR+UZrz92zNL\nhqzSDs7szMATGYULKWyco3IwcDAdBgNVHQ4EFgQUEVSbaOCV5dz8xlbLTip/7jE0\nSdIwHwYDVR0jBBgwFoAUca7SNhjCZY9ydy19onu9WyUIKpcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAN+zfEXoG+PcqD7twoW3CAEfRzZj6O3RwR2u+LfA3uNHAiB0iZkbHPvK\nSgNyimFPTI+fy9nTDC65a//4/SuPXoOdgw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUb4QA8n7dUiU8+ul0yF71dO5QGx0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTMzNTc3NDk0NzQ0MDEwMTIxMjM4NDUyMDE5NDUwNjg0MTAx\nNTk5OTU3NTA1NjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATS\n3WUNtImaZDmoMqQjeBZuJQye4+1h2ihHDwvMHHlZVovJN5pl/6JvNfOWIJ1TkPdL\n4IEW3U11fkTwu0yvqZS9o3IwcDAdBgNVHQ4EFgQUizh3b+6TtBmy3hiOAd94O2yH\n7vgwHwYDVR0jBBgwFoAUOfGFDs7H5tC0WSiKddnvp46O8nQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgeCyU20yo3TBpn84I/pLI4RvfO2WpbalcBOpYaJnif7wCIA81besJXOP+\nBQWHY2Nf+Ah2R9c82LrdIY9m+7VUS5jO\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJdyxEBOBYsRtjZs+z6WB/F1IduowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZ7+5XG2Z5+QMqQKl716jXOHC/44dyeo2L3AvC\nXgVzLHcu5bRveuNzsyDgyYP1c3JgbQ3adm+HtPfdhFtM4Wjwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYFIShcJdvpcHDOiEEk9yM2Qf2oAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOmLoU1khH/tapBwjL3dQ3iQopQ97DzI4V1wzOPM3VxCAiAbPjw/EXJ1a4kqqZlv\nfGzVlk1maZfTA1ISlCasDjjbTg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUC7tpBTR0bofNyK+lohm7GfuNVTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASS3zeSAraz9hiCZYfbms/NkTwLCNfl/o9tljpt\n8hQYt2EnYdJCq7reEg8nw0Wk0uhS0JBq+BbWRYiwABPba18zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfBRDBN9JypnACGUo1eYle8fpyB8wCgYIKoZIzj0EAwIDRwAwRAIg\nYdfqq54WDvjTbjKH+iPe23dTPMsq4Q7PA+mcuSTEyvICIFBVIYAOoWCzGaYFDJmn\nrpjapLSAW12VnZjvIV3an+uY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZlyKE+XvxcmyY7K3HHfz0hyazb0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyMTYxNTQyNDY4MDkyMTM3MzMyMzk4\nNjY1MTIwODgwMzU4MzEwNzAwMjc0NDU5OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDx+BOt73/FsLca0tooItlTdeHRT0zcN4i9ye0qy5vJJnByn276K6wP4Vtr2ni3+\nitP076u7rk4XKHjvQeEjMiSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGBSEoXC\nXb6XBwzohBJPcjNkH9qAMB0GA1UdDgQWBBQ9DUlux00rbbXV0W86XXhhcei6IDAK\nBggqhkjOPQQDAgNIADBFAiALKQhtMrWxYs298ZA24POh1ql2yLDOZH5V+VwJhlss\nfQIhAO5gCnSVeIdmBGT3XCB2aONkTloe+pPL/BY8xCL474HF\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUGsSaoEQ9uutLDmwtM+c9xf/V5iowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC82Njk3ODI4NjM5MjM0NjUzNDc2NTU3\nMzAyMjk1MTI1MDA1ODgyODAwNzE2NzI4OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nmnriKWN/Akqxa+mAg5TAPlOhB2pChV6P/no1ZwziLRKLenE1Ivza+wDj90n0aXVl\n4vy1f1pHw0rT4MO0W7cVAaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUfBRDBN9J\nypnACGUo1eYle8fpyB8wHQYDVR0OBBYEFDZVFzZOLQxz3gVNwkIJnrUi2HDmMAoG\nCCqGSM49BAMCA0kAMEYCIQCKdI4/Qee8mmhg84sObPN1iP9RndrSo7i+HvNOBf49\nzwIhAMUDndwK45BkFO0kc59q7Zdu24N1ZJBRpACBLXMysooT\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUKJPex/NAl1g6F/PR3HdcG+H7H6AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjE2MTU0MjQ2ODA5MjEzNzMzMjM5ODY2NTEyMDg4MDM1ODMx\nMDcwMDI3NDQ1OTk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4NDM4MDc1NTQ0ODc1ODE4NDgxMTM2NzAwNDMyNjUwMzI5Nzk5NzQ0\nMzA5MTkwMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfrIiUGkW4JjH+qq5i/6WlYdn\n2m9jWI6s4zhFjyDrCYwAHH3ROMBmTS3qhJ/9ZvfDkyWh3dz17q6NTYb2iry7LaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUPQ1JbsdNK2211dFvOl14YXHouiAwHQYD\nVR0OBBYEFI55E/ragrre0oXNZwMWANg88w9FMAoGCCqGSM49BAMCA0gAMEUCIQCe\ndxthmzlkfJkmadtvqWI/e1y/cjkhY5xNqriqqXlH4QIgI61R/eIIbD5QCN2NpPcM\nHXBpm7u6ccpaFyE/H/WYKbI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUAv8f378ERSq5F7dFoQV/26MFiucwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNjY5NzgyODYzOTIzNDY1MzQ3NjU1NzMwMjI5NTEyNTAwNTg4\nMjgwMDcxNjcyODkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwMTUyODE4MTc1OTI4MjUyMDUzMTg1NzE4NjYxMjc3NzYzNzI1MzM2MTU1\nMzgzMzM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/nYaehoVgpUKQ7yyt5EMCr5qq\nALkQ96cthzYYf3N3SfKqn/SgtYuTUkrXYw6fm3xEo+7WpcewdMDVkesCKNYPo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ2VRc2Ti0Mc94FTcJCCZ61Ithw5jAdBgNV\nHQ4EFgQUous3sW0tdFhSFsC761YXCGaLfGswCgYIKoZIzj0EAwIDSAAwRQIhAPX1\n+pkglzR658BWREqd9X9uHc+dhzqk+vmCx52EisKqAiB6PCWA4YN/FqjxfcyB1bea\nN79QDhwOVrmwJe+BAKgKOA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfXGSMd04EBRhlB4o//CM2vazXuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG2jBFFvRX2p6cDeWscwzlaA6cLwHHBNfhoLuA\nZSQf9pDrjU3n061LSy1jM5/vJlyfuhH4Yjl0qxQ8j5Xrapn/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4BGVgenjzFpd71Qav+weQXKyrMswCgYIKoZIzj0EAwIDRwAwRAIg\nA4IdE3Joi6VgPnLV53LvwWdN4csZo4HGlChX0vyRCOQCIFOvXEZC56LVAXFcbPuq\n8nUZcNE84vrO5ypynCZTe20e\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWdyAiqTokchpRVDKG1qFiS0I9p4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATY9lvcgA/7C88+NBYKc7FVBJT7HO8xqyPfJJbK\nqEb0SSurDNwF92ehUM0I1l7veFcEqCn8T9fQZFDoT6mVVySVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFZAR1ZLjfpTlGFbF4iq4wDZXdYEwCgYIKoZIzj0EAwIDSQAwRgIh\nAJbG7z1R2sdusoaENNPqSJi0mNroKTzMns3yLhgprnaEAiEA7h/BDIApulc8Z3+Q\n7iUwsaPtPiUk+hxi6zOiMxvCQEw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUHsoFwI/FYFg68gNw/gSnRRYTzoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTYxNTY1NjU5MjIwNDYzOTg4OTE5\nOTIwMTQwNTY0NzI2NTEyNzgyMDU1NDIxMTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGltwgJc3QFYrBRVp7qIoXEt6euBU2XUdR6mRZ39FWxQ0gsxmahfZllHwRj3haY9\nWlRWfXiMCgymNYD4MNogosijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOARlYHp\n48xaXe9UGr/sHkFysqzLMB0GA1UdDgQWBBT7+wCcb5k6cSPqee67wfBCjh6PejAK\nBggqhkjOPQQDAgNHADBEAiAw3NH/gB7vY/wV0b0H/rwjpMPOtBgJj2VRnyzc6Ahj\npAIgBitWZoTRfx9dlEtmS0sKGDlCOoh8SLuwDgdrwZSK32M=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUG0cqDF6vYVLUYD/izJGAs/Aqf+wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE2MTU2NTY1OTIyMDQ2Mzk4ODkxOTkyMDE0MDU2NDcyNjUx\nMjc4MjA1NTQyMTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE3NTc3NDk3NDc0MTU2NjkxOTIwMzAyMDAzOTA2NTU0NzMyNzMyOTMw\nODc1NzYzODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENCRUxMbkveC0Z6COsB3q0WB4\nZXudvIUYldP6HwhZvy74Diry3JxuTWM7c0DD/D5PTAfoej8pCnSb2Ujgm7HJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU+/sAnG+ZOnEj6nnuu8HwQo4ej3owHQYD\nVR0OBBYEFCneoKj7BP91GgnggLwTGdKZDNszMAoGCCqGSM49BAMCA0kAMEYCIQCS\nLsLxqBXnVad2TjS/Y0/h79keIHBsrpc2eFPmZjup5QIhAMaEZBT6WvXUOftzWpBh\nHp/6MTl0BvuRcbF1vOIqxQf7\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUcDgIqS3vc0fmIiDPcu8LzDFQeUUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTMwMTc1NDAwOTc3NjUzMTYxNTY0\nNzc0Mjc4OTAyODQwOTA2NDQxNjU2MjE0MDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCNqT/bBDjNC7+rIFTgwBKxbbgsNaGg13es8PFdIPDFjrIEzmZgPOV53ddi7ox2B\npmt34fu9xuYvPvRJRg3Myx2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBWQEdWS\n436U5RhWxeIquMA2V3WBMB0GA1UdDgQWBBQHvDRIvrcBa62FztSoi3cAdREc0TAK\nBggqhkjOPQQDAgNIADBFAiEAod5iK++VYkfRqVvyLBp8xg+rz1diajRdEwo41J5I\neWACIE2XLPbiDLm/nq5v/KSEUs5FrjSUXl1SHjYVGS/I6qxg\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIURmApVYfj4h7LOuVVx3qSmMAMWnIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTEzMDE3NTQwMDk3NzY1MzE2MTU2NDc3NDI3ODkwMjg0MDkw\nNjQ0MTY1NjIxNDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY0MDY1NjU2MjUzMDQ1Mzc2MjI2MzY0OTQyMDA1NjE2NTIyNDQ4MTI5\nNzU2MTkyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGRgwNTq7nMt5Ol6xI2Z1NyvX\njuPwSEmLpAW+M39dOUly0Oag/612u/mNdYwQysqo4vwdI6GIQnEGtjk6SQ5oyKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB7w0SL63AWuthc7UqIt3AHURHNEwHQYD\nVR0OBBYEFKsSzn/cfuPi4uEfrKrjrENEUVGlMAoGCCqGSM49BAMCA0cAMEQCIDG+\nhFEQkKhhHOf5uuIhNsJF3WANDMy87n06tI3BgOlJAiBCtwQNbqlETy+di6O9FYSY\np3S/UIwE2Qifp3Z5ZhuAyA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIULDApmjKfUEMCncYPrKL4WfLW0pAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1Nzc0OTc0NzQxNTY2OTE5MjAzMDIwMDM5MDY1NTQ3MzI3\nMzI5MzA4NzU3NjM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARc\nIdeb5mKuuI26WYqGYYY2Qh9SvtlrXqSdB1OVzzeLfsytxCiJdhzXgKR0DWqBNx1u\nQjSNivkmmyBOC+J7ADPlo3IwcDAdBgNVHQ4EFgQUpEZBc28SeszkfkhWM3n3e7wc\nHN8wHwYDVR0jBBgwFoAUKd6gqPsE/3UaCeCAvBMZ0pkM2zMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJFGnEk0RtbGMdstRoT8cQrqr+iSvwt+D16k3VRuz1u0AiEA7q5sO9pB\nuXcsYgqBkzDFOY2C3ZfvCOWOq1J4xgO9b0g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUZfz28VRnRfk3m1/g3szYce5o1yIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQwNjU2NTYyNTMwNDUzNzYyMjYzNjQ5NDIwMDU2MTY1MjI0\nNDgxMjk3NTYxOTI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAART\nnnggl1Ugd0Hx5kxcV8cCtYtiarDh7VYMr0ymjFIqoO8zM9bTEd1x9YnwQY3GD1af\nKc1b7uUxm/9/q2Hi0MBLo3IwcDAdBgNVHQ4EFgQUhBeg1OydugsYGYMeWI3WYUab\nGmwwHwYDVR0jBBgwFoAUqxLOf9x+4+Li4R+squOsQ0RRUaUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgDjm2F58cLj7bH+0+ZXxQjmWHVct0Gs8WKOH02cv+dasCIF/fVmmhi79d\nQrKDsjDjlTfLCUO4ZwKyseKGr6MfXBY4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfWg5cXyPJXTlIkRU8jLoAhVn9Q8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj7gD0A2JmTXaphZrElRT6DFQxwSV4VZnHJjM3\nrZ28TPIikN1wyIXc5LJZN1Z4nSIx147NfUxWVaAvqS2IKz+Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJuqZJZtnPPhBsjmGyXQVafed9xkwCgYIKoZIzj0EAwIDSQAwRgIh\nAPnl3H/RFH5j5TqediqCo8a1pao0hds5MgDFSeZa8vIPAiEA456Uc+iDQicRD5al\nzlf3j7V/puODDHSasXJ0L3UBXQs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdtF/WG/puWXT0zmcAsBS/wHWhuIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2KA1kDihPcrLigVgKmPTrIuSHvEPkmQcEbAKg\n/JEhtykW6iTuasd5jt3J5Mm3b+i1hdp2pgJQ236YjfDtj8jgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0KnGw4193GV7OCFib7do7rnef/UwCgYIKoZIzj0EAwIDRwAwRAIg\nSVPqW8caZOVREh22q68IfT6UJDFeg7K9S6J1Dp5Kkk8CIHr1JCG163jv5yt0rjVq\nOFimnviqbU2eemLFI6+Sb8xN\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUMxClCq90rZuVqtR9DY+ia3ll5KEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTU5NDgxMjc4NzE0MDAyMjczNzQ2\nMDM2NTcxMjA5ODA1ODczNDc4MzQzMDM3NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGpQDjsBV+IBTqVCa+fqOVS+vn+urRj4IlIrqQF66b7zEGHu4Mg5WEJ2Z9FT8A6C\nki+b7IKnxY+anm+fiORV+HyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCbqmSWb\nZzz4QbI5hsl0FWn3nfcZMB0GA1UdDgQWBBS0e++KJd3U5IRoSj0pPDu+ArOxczAK\nBggqhkjOPQQDAgNJADBGAiEA3SBnokQv1clTvTGzo05pZDcjQVTXSHzKEJeG+eZK\nKxsCIQCMTEYhsMR7h5LxGIKmAKcezOyMYKI1u2xnFngoeb2uRw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUP3EobY3h5vtEYnCchFTSpyEWmEcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE1OTQ4MTI3ODcxNDAwMjI3Mzc0NjAzNjU3MTIwOTgwNTg3\nMzQ3ODM0MzAzNzU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI5MTUyOTcxODM5ODQxNTQ0MjIzNzczMjk2MzM1MTQ4NDI3NDgxNDk2\nMDkxOTcxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB4ZHqFccOxSqQayhNr33U77t\nTQAADZs7GH7E34skBD9zdHiTyCGoGBAgKjDd0nulT6aP5rhl8ds9Gr07bFbaqKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtHvviiXd1OSEaEo9KTw7vgKzsXMwHQYD\nVR0OBBYEFOk09CcyS4X+nxQeZDtWbEeClxJwMAoGCCqGSM49BAMCA0gAMEUCIGW1\n3IGNGIM0oEK2+RGehv00FQZXWiQ59+qZdAdgAcWoAiEAmHxAgMhLp74IR3WkabuW\nGGIguWqTPaM3gwfqkwf4G9Q=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDXEkDyv7BduuaBJAqd+JYSoIoZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzgzMzI4NjAwNTc2MjU0NTk3MDM1\nNDI5MDc0MTM4NjY1NDkwNjA0MTc1MjEzNzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNxALqfAwp7Ykvr7gIO9C3Y14ijWQ9jThhp1yw4jraM0hWNIs/zV9ZxmB3NKKk95\nvj+0I4NWf6kEbgV9lRkWDCmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNCpxsON\nfdxlezghYm+3aO653n/1MB0GA1UdDgQWBBSyhvbZkWqCBCP5CAOlgJoRwZPWEzAK\nBggqhkjOPQQDAgNJADBGAiEA9FhFZEGlGfbyVihhA+IpcK3cWBkLaon8to2sNqSr\nRrACIQDjl6OjDBPVK5X6gFuNWOGnDNbKIc9ghM3Vcacoej4ijA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUcMk3qPaWF++1nfrHfq28YtMFeBowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc4MzMyODYwMDU3NjI1NDU5NzAzNTQyOTA3NDEzODY2NTQ5\nMDYwNDE3NTIxMzc4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzc2NzQwMDA1NDMzMTMzMTEwNTYwMjE2MDc2MzI4NjM0MDU0NjEzNDQy\nMDExNTQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu0zNIkn6nJSVq5OckLDuWohcV\n5ccudM4KaQlSB7wTWOc0VGiGqCWyEA64++ZeQW9byMepmyXL6wy/RjxM2H56o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSyhvbZkWqCBCP5CAOlgJoRwZPWEzAdBgNV\nHQ4EFgQUCU2O4BKHKBOTYDqYpRt4fGlo5KgwCgYIKoZIzj0EAwIDSQAwRgIhAKQI\nFBp3+J8gVc3344xxTVSkfmAf0cYwbxPAgoaDXEHYAiEAzoAX9PveQVRHu05cJyTL\n6nuX5+MW24JIYvz7TYEY98k=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUIHG0eIqeI+fibn+hXvXPRvkQdu8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjkxNTI5NzE4Mzk4NDE1NDQyMjM3NzMyOTYzMzUxNDg0Mjc0\nODE0OTYwOTE5NzEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARO\nlnpRQaRthf4MrMnQPMZzgV3pIyxcd83/7x9CX97mdOfr4W7UTsMDAiubSvs50fmB\njjluURNP1Qzw5aViR/QTo3IwcDAdBgNVHQ4EFgQUqLJmAUWPpMCHoYjY4/PWQiap\ndPQwHwYDVR0jBBgwFoAU6TT0JzJLhf6fFB5kO1ZsR4KXEnAwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAN4O0fpXYhhg5B/Tb0Fm1nDZMBxknb/W1bc0RPfWjJ3DAiEAs6O9WijO\nCcrYKNmmKIJ3oUNuJVihRqhndMlVVxyewxY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZqgAwIBAgIUB3Rwb9d78MbArn/+dtUBQQ1JGW8wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzY3NDAwMDU0MzMxMzMxMTA1NjAyMTYwNzYzMjg2MzQwNTQ2\nMTM0NDIwMTE1NDIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHoG\n31xn7CIyTt3wNzkMHdMICYB79BhCGfgXRS4ANubqFn2l1lrzHHo513ANqU6lDKuG\n5/YaZkvsYRcGLbgUawajcjBwMB0GA1UdDgQWBBTO7WsjZq1EWWTft/wyuVDXXWHf\nuDAfBgNVHSMEGDAWgBQJTY7gEocoE5NgOpilG3h8aWjkqDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNH\nADBEAiBzxezMMyaz9G2wz+tek1QGx3r5E/QjLf7/62lS+YcOXAIgE1eM+zDCkhYG\nSlgx3ANpTitxeh182y8xYafK/y9MtKc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVUYmqDCBKsCCl9MqXlIMXY4GNlswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3LRxxHYIE2HrSzh99vr+j0IpcA6O/5S7ctYNW\nPH4mOvRmUA8QoZ4SZLMl33OdmtPG0VeEyxeCT8ZvDH26XRDVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn3EGsW/Z155aQUFOanV7mmAYM7EwCgYIKoZIzj0EAwIDRwAwRAIg\nCEDbTQUfnCipUV+TU1mBUiNLNKX9Qa76lBeE5dglKE0CIEzleYNtlnvkSogvv1k9\nFHfGQ3jHMd3g8LiNsM5D/mGm\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeZYekUlWpqkXig09xnAk7NVEtnowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjJYbikwOSFX50F8l3EYvhN4f9DcjjpOzhzawZ\nKlBO1dKDp2ZFjtA5Q2RJ61Ls3SwS9X6UH+h2v++tm7fAJFSlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWobie3DJNltro7fy5Aa7bDkDtogwCgYIKoZIzj0EAwIDSAAwRQIg\nfgyUAC/oFYS5vkFWKUjB9S/VdyA6olFOrVnCVrIIb0MCIQDzCzEO4d4fk6DdTso4\n6pJX+GajtU3gl80YGECmiQnFFw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUIlc4M7U+rKKbHO7ieRae308IPnowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0ODY4Mjg2MzUxODI3MDAxNjk5OTI2\nMTMyNzA0OTU4MjY5ODYwMzI4NDQ2NTAwNzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAoJVF+oX5cG0/BgKQhIFbyzxwryTKFiIarDzfX16u6fZVAXEftq6QcXD1lGWyAD\nH/WmMmNhpILECDx9zW7Gk3mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ9xBrFv\n2deeWkFBTmp1e5pgGDOxMB0GA1UdDgQWBBSJ8FdxBsZyshFdhnUlhVNLEXhTfjAK\nBggqhkjOPQQDAgNIADBFAiB3TgxNCJrtaUnXWNxCKXDZxwmJKVmYQy70GqedfIqI\nwwIhAI0ZuAZKwTLJfKlOm0U2AIHlAvFbnBlZ//wGZPrtVgxP\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUa4lDVqgyCvt7Aecw4WYul6VDGz8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg2ODI4NjM1MTgyNzAwMTY5OTkyNjEzMjcwNDk1ODI2OTg2\nMDMyODQ0NjUwMDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE5NjA1MDc0NjkyMzYxMTI5MDY3ODYzMjU4OTE1ODE5MjU1OTUyNTk5\nNzMzMDA0MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZHvWhNed1C7MdCzkMTT6GSIm\nH2PuJhrLD/Y/DqduotP22vXK6MCjHAIDtRy0l2gX+IzJqtLKGONm94cuOmc9+qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUifBXcQbGcrIRXYZ1JYVTSxF4U34wHQYD\nVR0OBBYEFPSgMSy9yhJW+eCxGFqNUn6Kf6oQMAoGCCqGSM49BAMCA0cAMEQCIEdM\nes1d5Q7djJIgq5tWWQUlDBFYFJmN3caNz5OI5frwAiBcC1v16KmnosacsohiWPm1\nO/rIc0HcVMfs9eBenpU1qA==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUV1ztkwHsv3E2oQuhRGpbup5enRQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk2MDUwNzQ2OTIzNjExMjkwNjc4NjMyNTg5MTU4MTkyNTU5\nNTI1OTk3MzMwMDQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYxMzkyMzA4MDU4MTM2MDY0ODQ4Mzc5NjM2MjUwNzcyNjc3NTk1NzU5\nODcwNjQ5NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7NKk1gF4M9hc14BGVc2q9HPW\n6TQKyi8q4TkL9AO0z/abow9k+Sa0+2lNG80O6cA6q+4xME4r40E6Uuq/QeJU86N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9KAxLL3KElb54LEYWo1Sfop/qhAwHQYD\nVR0OBBYEFHUnvULlr4ZTAX2J9ZexcEQt8VgBMAoGCCqGSM49BAMCA0cAMEQCIBxq\n/dD6Efh/1k+qf18pyNYCklQUmhucMgAKO09MVL2tAiA1NWyGhxhN/QoJZpRtFd5y\n7NufJmaz0sXgUDvOsl66sg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUQtuKAEb4+y9e29B2n3l1a7XiNngwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTQxMzU2NTc4NTY0Njg4OTM3NDU4\nODg5NDIzNjYwNjM0MTEwODM3ODAzMzkzMjIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJhU0WF00mQ26wL9U76s4yUhbxEXPvMj1FB/O3b5UgERNZcwh1N2CZgOR5THB1RH\ntRJObIv4n8eIbnziDdvWzwqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFqG4ntw\nyTZba6O38uQGu2w5A7aIMB0GA1UdDgQWBBQOnrZ4TdPhzsFrT2xkRHUKXVYsxjAK\nBggqhkjOPQQDAgNJADBGAiEA5NEVsgXFxBNqSu4RzuVbbxfKL2nteaDZntYC/JhH\nyGECIQCaZJfxtyBQDQ1DVU1t4EhWvwS8wiJv2jewGMnwafxQVA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUENCkDxNYzapGFxFMYS7ZmiKmeFgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk0MTM1NjU3ODU2NDY4ODkzNzQ1ODg4OTQyMzY2MDYzNDEx\nMDgzNzgwMzM5MzIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDM4MTY4OTI3NTY2MjY0ODk0MTk0NTE3MzI4NTU0NzQ4ODAxNDUxMTE0\nNTg5MTQ0ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENOAGV3uueIJ/3lRwm6KqqZBd\nt5lhLh6fFOiAuZiarl+T9kku9d3Jbo1iBgu2/SMCB2wc2n2EIyJGnq3NSyCYHqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUDp62eE3T4c7Ba09sZER1Cl1WLMYwHQYD\nVR0OBBYEFGeXewGkTZwBau93fk9ydkqFHETFMAoGCCqGSM49BAMCA0gAMEUCIDJn\nClS7Y00XQkUoxXtb5FJe+UkJHDsLc5vz6oIzJSP3AiEAzqR2qxyi6moCVLjPzPrY\ncNy84hOn9zivxsdK0Qz5F+w=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUJyk+Yv+k9S8QEf/e+YZJvoQAkbIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgxNjg5Mjc1NjYyNjQ4OTQxOTQ1MTczMjg1NTQ3NDg4MDE0\nNTExMTQ1ODkxNDQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzk1OTk2Njk4ODc5MzIwNTM5OTIzNjA5NDA5ODIwMDA0MjE2MDYwNDIw\nNDU0NDg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZ8HKHBA/SYoXTFM2E/ThaVfnc\nYvsptQg9JkmkbftsgcVTQm/visxbWXJJY9pdQw/5kDD9o6OdkAUtmsOP6iyYo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRnl3sBpE2cAWrvd35PcnZKhRxExTAdBgNV\nHQ4EFgQUtjkFciqGivJUyOZsVKzOznYV4XIwCgYIKoZIzj0EAwIDSAAwRQIgT4qZ\neh2RNHjySyyxJ2DeoqPe0WcKrkv1TSerRQ5DUFYCIQClgLV7pzjcRlnCHvAyioF+\nmpBczkXTgPjJUPSKmgNu9Q==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUO4nOHzKiMd2RrWLGbR6m6hsKq9wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjEzOTIzMDgwNTgxMzYwNjQ4NDgzNzk2MzYyNTA3NzI2Nzc1\nOTU3NTk4NzA2NDk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATP\nO8MHB+Jjj/ZP2kN+6eFecBDITqkC6N9I7h15lBH5QYNDONpgfjBzXvriCu9f4tnr\nzTXUEpu5tv06c2vQIpiFo3IwcDAdBgNVHQ4EFgQUPhr6mZh7Xwed2RXrIBXZB406\np4swHwYDVR0jBBgwFoAUdSe9QuWvhlMBfYn1l7FwRC3xWAEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgVzvjPqvQWeuc5dF83wsNFlymqh8P6FXXyvgpOEZ0IlYCIQDMkZ4RwpyM\nw3D1GNQ8WyB7vD++9EXmoj1G4AQWkF265w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUQUOaEfWr35GpnGtwM69DbROwNccwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTU5OTY2OTg4NzkzMjA1Mzk5MjM2MDk0MDk4MjAwMDQyMTYw\nNjA0MjA0NTQ0ODgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNUc\nlbkkc/hrfHETETaDljRmeNU1T1+0RdlEqy3f/m0oql1DSy/9/2o9Lhunoc68XHhR\nVCFZoY6+4k8hRvvxhxKjcjBwMB0GA1UdDgQWBBSfNZ6j0zUNmEN9l0mAbRCDeb8q\npzAfBgNVHSMEGDAWgBS2OQVyKoaK8lTI5mxUrM7OdhXhcjAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAmXeO6hm4CHJEgt33TtAANX+W/TaMrbXY1mqDOWZSuuYCIQDeyxESECCw\ncc+Mwl1T0ChGPLZP4J+EJ35VWWuzcFhGPQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUB8JC5t4WuBbeACAb2OD02nAMWLgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfLMTWxdoLyFXVEJlyS44cs3aq4MQpo6ycduXT\n3JyIemPPM74XZYQHMGKMP3Esa7nEWhYkk04qr+JWj8mNyvMAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/hNmYg1r5rL26Vr67vFRwbtVMacwCgYIKoZIzj0EAwIDSQAwRgIh\nALSQZ33hkH2GMTRXoL/+CXKO7G9OOCCDxvvDTx4txheUAiEAwtjhs2rrYV83dJTn\nBxwH9PnnKaHIuuPPUqJ/xWr/IAQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKtdhKal3t7DIPRIIMXr4eDIiSb8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQo9FMV2DTRn/ljGU08vDSQTitJ0oybm0ec4iPP\nb/pOtIuN3msYhA7rOAW9/kzGMTzaFP+53+ZMt0/qGClt8I7oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU12OUSdTIpACIIgOLU7M4s+FB/4wwCgYIKoZIzj0EAwIDRwAwRAIg\nPVOSGK3opm6UzVgB3pVNLFRowHmrI724+ILn/R3Xd8ECIBmvtYWum3F7PxIR/NOj\nC24OpmXLAuT+l7D9/stwGI0W\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUKdcaFPjfJFcfYIIuaOWGvl3rhYUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC80NDI5NTEwNzkzNTMwNDI4NDkyMTQ0\nNjc3MTI2NjQwODcwMTA2ODY1MTAyNjYxNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nyKOCb5/lhcX9jx7dfEQpKaGsAgdOHoNhDRJZyFsYAa/NgOtZUcudKYuybsAbKBYZ\nSG2l4OiXSYxFfZrFVZfTP6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/hNmYg1r\n5rL26Vr67vFRwbtVMacwHQYDVR0OBBYEFHaTtsGt7qz9L7ZbiD3Lx8bUUl+eMAoG\nCCqGSM49BAMCA0cAMEQCIGJHghsgxGySKnvJQiF111DGzRrqWbj+Wx7HmHI07Uld\nAiB4yjmrFIMWTaYOmvMRy0msbyBYQY73k0ISqmToIC5BHg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUWhheXylA2+tVSl3USKJyz8sVP/0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEw\nNjg2NTEwMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZjE4MDYG\nA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEwNjg2NTEw\nMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMeOKhJVxgSEsX1C9b+JErE7+Myb\nqFXwTDl2iFs1TPdZKbjccwaChOkWJdTQpJDOw4CYQUyjTw4veaGXHM6MziGjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFHaTtsGt7qz9L7ZbiD3Lx8bUUl+eMB0GA1Ud\nDgQWBBTVym1T+Zsw0hFiLv7V9lOqOIrTizAKBggqhkjOPQQDAgNHADBEAiAYThyD\nIchM7osI06AAwGDuey24aeTnVgX/vpuOSqQaVQIgdVKTXo5UWNdrNIPazqQBokvK\n3jdRycrA2OvH8Q7Z4p0=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIULeRy1k7Wm5ksyyFogJmuSiZd0RYwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDQyOTUxMDc5MzUzMDQyODQ5MjE0NDY3NzEyNjY0MDg3MDEw\nNjg2NTEwMjY2MTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNTE0MzUyNjA4MTk1NDQ3ODUwNDA3NTYzOTE3Njc0MjE5MzA5ODg3Mjkw\nNDI1MzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASmwc84tqu07CsKY6eVAVdVmbhB\nBhSLJbTFV6sMhaVDNdvoA9qTk50Id4n2exXKP4EqSL8b1S3l1OTiXhkQ3uf0o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTVym1T+Zsw0hFiLv7V9lOqOIrTizAdBgNV\nHQ4EFgQUtizo9BBZ36R+ZNGFA42Q04Mt2tkwCgYIKoZIzj0EAwIDSQAwRgIhANBg\nt75Lrq5YNUf8kKzllOynAmzGfEiENRb+D/PibN1ZAiEAvQipXJ5knvH9yeXQiCUw\nc0tABq+/ZP3eddZj482d3fA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUT3fc59yYjajVLeOLT9XEfeON/H0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNDQ1ODA3MzY2NjA4NTg5MDg3OTY1\nMjUyNzYxODA0OTYzMzc2ODYxMjgzODAzNTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO8jlLBLvEb4V9qrX5+aXNl++5F5j+OTI3HTEyNRm24LO/WRZVbpy8z1kpQaPHOJ\nMJRw6drRBKQZSl3+dz1dgaSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNdjlEnU\nyKQAiCIDi1OzOLPhQf+MMB0GA1UdDgQWBBRotRd/qm4n6wp6CIakIYxcQao47TAK\nBggqhkjOPQQDAgNHADBEAiBoLcF9dmzuPcVDezkObAD0nvBHiNiTpMt8FnGhl1GT\nAAIgS79/aGtAGC/0hXYEVOHr0C4O1G7fokjU05MN5/nhpP4=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUZd1boBi4gQnCOyWx4goMViZKWa0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQ0NTgwNzM2NjYwODU4OTA4Nzk2NTI1Mjc2MTgwNDk2MzM3\nNjg2MTI4MzgwMzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI0NDU4MDczNjY2MDg1ODkwODc5NjUyNTI3NjE4MDQ5NjMzNzY4NjEy\nODM4MDM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMhTHZj2GqZwDe2CPcWcjy7m\n5fYoJ5vDXiEhuKgfdbJJOOGd3DMpd9zYcV/ax/UPLP3UhmLXBlJuPxH8IPH9YKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUaLUXf6puJ+sKegiGpCGMXEGqOO0wHQYD\nVR0OBBYEFFI2GaRrVu25BeXjMdE5PYIxuJhKMAoGCCqGSM49BAMCA0cAMEQCIAon\nlwec+yNrBxu7afe365WUW/uwePIATaNA6JzWCb1DAiACVrzOFnSO35mhqP4Xfmrc\n1bl8YscatDsveQ47gF45Tw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMxXXHsJIzSgch3EUlkoosyFXGQEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQ0NTgwNzM2NjYwODU4OTA4Nzk2NTI1Mjc2MTgwNDk2MzM3\nNjg2MTI4MzgwMzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4MTU0NDUxNDIzODE0MTAyODkxOTIzODI0MTc3NTQ2NzU2OTA5OTEw\nMjExNjI2OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXJmLSgg2K5cWDGMOIJZAY1oZ\nz35w5iOo6ubG9500gVcx3vAltA6e5hDHX1Mm+nXVYeBKMRA/w8eU4LR9v99x/qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUjYZpGtW7bkF5eMx0Tk9gjG4mEowHQYD\nVR0OBBYEFBYwAYVIHganeIenmy3ZFzuRadN2MAoGCCqGSM49BAMCA0gAMEUCIQD7\n4YhVL0i+Af9wQWCTULpM7ZJsDiszrqUjocG0sI7TPQIgBO4i7I9+9o+ydUt1JUZt\nh9fh8GpQcyqqfrhxV1z/F3k=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUVOp8k2IQACAQ7c+1my06TI5eQSswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0MzUyNjA4MTk1NDQ3ODUwNDA3NTYzOTE3Njc0MjE5MzA5\nODg3MjkwNDI1MzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQw\nMI4yV3yT63/M66sQs/xxJtK5BIpI1DtG4vGAogNDS3RmDmE//nDSr0nJc3zBeiak\nKOwhuLEGZRQuqkiLW0F1o3IwcDAdBgNVHQ4EFgQUTuU/2vhFULYOt0KJDUHE6vrW\nOWEwHwYDVR0jBBgwFoAUtizo9BBZ36R+ZNGFA42Q04Mt2tkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPJivizrGmg5nWYoBVB8Jq/zylxbGh3uHOJD2UGbp3ooCIFbT9PX1L1Us\ntnqKu+vfHPhkRIktjds4dGFLgYkYA0+j\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAY04ymvcCUH2Czss9LtelXfSv0swCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgxNTQ0NTE0MjM4MTQxMDI4OTE5MjM4MjQxNzc1NDY3NTY5\nMDk5MTAyMTE2MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1\nTHrR6Q8zGYjlq4VSwrNjxVKlSt39rvDjxCLe6D833wf4Ma2VSOwVhj2CxND7Dw5j\nSZQsXNiI1chAIfPB/dv2o3IwcDAdBgNVHQ4EFgQUTJlq7YKDbv0wp+LhU/w9WYDL\nGd0wHwYDVR0jBBgwFoAUFjABhUgeBqd4h6ebLdkXO5Fp03YwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgSIOMA64rpAChMelxx/E8YGQ3gT2YYriARNvtA5IAzicCICWau7aYVcJ0\nFebvhZRUOB50PQgEwyZhDPChViisXwwb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -192,15 +192,36 @@ "expected_peer_names": null }, { - "id": "rfc5280::empty-issuer", + "id": "rfc5280::ee-empty-issuer", "features": null, "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUCgC4SOvc08jsW9w/ygXMl1cEGhgwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESs9tuaILrbRz\nOwD8Id3yrgkph4wog37GObjTjyiUZ6gVj5PQOGGRADFumygKE3oVALyoLZ2YIsr2\nrkHk2CXU4KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLZWtfWTTd62JHwtqn+2lX+KftyW\nMAoGCCqGSM49BAMCA0kAMEYCIQDLlHFisj2vqKtv512p3PZuDKvXKr9Zt12kj8mC\nBOb/pgIhAPenLjCOUvwEPcHkjkUt0GzwPccq2C/JlR5AAAWLOpIA\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUZa04YC+70gyUkiJFd3gBLydY/DcwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqqrQrnlOcGqN\nkC9V35FPa5em/OzbwrobZE0MJTEK3c0uUrUQuaIGyIjO90OANNkWlK+MKk3bP45E\nbPR7RuB37KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKDqxDrPcrm51py8RwOfmxiwtXbC\nMAoGCCqGSM49BAMCA0cAMEQCIByI7kBigurqwNNAhb7H/tY5mdv5J0GUf4bFZcSV\naSdoAiBzxNehVFNVbrJv+iXnQivz9juafRqU696uoeEEAT3lvg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUdtcKWkbNTByGrUv1actClnK1RyswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEteBmzhoeyH3IR9ZkTPG8Lfd56swLQevkXA6u3w3APCxs\nebplWzbAwTPF+EUvrOgkNfO/tyZZHfdAlz6QlyAD0qNyMHAwHQYDVR0OBBYEFMdj\n24T8C5qBqC8oiWCawDTcJMl1MB8GA1UdIwQYMBaAFLZWtfWTTd62JHwtqn+2lX+K\nftyWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIBRKA9/KS+/JsJ/bdv5rwhxilK6Ba+7+CtgE\nfdfXRXPJAiEAnM19rBpbkBH4p9OCESNMMlvqgwTha+kGUS4/y0GMmso=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUugAwIBAgIUfCMtcxMw33pdx4KlQTP56NziCKkwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEhuXipZNqjKaPPo5eRMrHp4vbbjkRr9ftD92AzYrzy8VX\n3Qf6tAprDOVY8PkRkdYswXN95cpyD1b20cPddS23x6NyMHAwHQYDVR0OBBYEFNF0\nsqWh3oOcvaBC6HU0Jvd7lehSMB8GA1UdIwQYMBaAFKDqxDrPcrm51py8RwOfmxiw\ntXbCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0cAMEQCIH3BeacAZ8G0fwan6vb5+cgt99cFuWBo5BOC\navLJeQBjAiAxPeNTdzwysK9RIadteSK8QZlf3UTnYq6Sr6ycy1HcVw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-empty-subject", + "features": null, + "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUJ0AVHD51+YrUeMlCwFAax/Qg2VswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7yOjjbaQ\n6r/kgWSF0f2x0ay0dUC2fIghkAC5lNE0Pk55Ngzpq1VEtLZucFrFyO51t8WmDuDI\nIbjCKvhyb4runqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFM0LDm0F3hoAsw5LTdQMfKXT\n5rGnMAoGCCqGSM49BAMCA0gAMEUCIQCEAiwGNmT/0EFbV034HZmPfSPzWejWuOEt\n/ztqpnQbPwIgMDel7MXCfLHdj5WIX78rO3URD7PAyX35GqBAcXOXRqI=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUarAngXv1rUAxY107z+KOBTTOT7MwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDXBUiPbmCR3\njwDNaSl5qFPKkoHOiyN9Sv514RviClEIWuCQ483DJTnD9FHyBVRNs9utszpoMlb4\naIpaZkEYoUijcjBwMB0GA1UdDgQWBBTNumJXlZCroaXBMOz0Pm3+hLvJ4TAfBgNV\nHSMEGDAWgBTNCw5tBd4aALMOS03UDHyl0+axpzAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\ny04Im9W4G+gD+29/kFF39SBy9aBnNsmx4SnSXYZ+GV4CIQCMbVQ/i80V0FnMna+C\n//mm84zGZBPZy5KDhqeUZPLrJQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
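Review bot: The `rfc5280::ee-empty-issuer` vector in this hunk does not seem to contain what its id and description claim. Decoding the new PEM blobs by hand, the `peer_certificate` has issuer `CN=empty-issuer`, while the empty issuer `SEQUENCE` (`30 00`) sits in the `trusted_certs` root, whose subject is `CN=empty-issuer`. If that reading is right, the `FAILURE` result depends on how a validator treats the trust anchor's own issuer field, so a pass here says little about rejecting an end-entity with an empty issuer. Please confirm with an ASN.1 dump, then either regenerate the case so the EE's issuer is the empty name (the added `rfc5280::ca-empty-subject` case already has an EE with an empty issuer under an empty-subject CA), or reword the description to say the root's issuer is empty. This file looks generated, so the change likely belongs in the upstream generator rather than in a hand edit.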
@@ -218,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWSLiqX/vQEhZUxcqp5KjUuwW+J8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwwAazlbCiUGXmPJvoLiaIY/Z4J4O/BgGTJzsg\nvhbiiGd1MOYTmP1LCRx1voqf3b3mFVdVqOVZRDcwOphIFsxSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGEefpGNRAv6pD1NsJAiBzX47ENUwCgYIKoZIzj0EAwIDRwAwRAIg\nWn+q7oM9vBv6JbIROf/OltfJ29tL5DWkT97/oA7QcYkCIDOHMSxDP/oOO6CejqGz\nmTRyvxN5aB0Q04JGnWa5pGm7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIb8J0q0T7VNqZz/7yHsBPlFoAWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXrqq59E1DBJpdYPQ0sqQ0xWJI2sGyt4RcVnCa\nuWhyp86mAstUp6s7/Xeadwla+wkkvg9Zk7zB1Ev5gIbazUCQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgZaATKq+/xb0Bh+3Oogec4c+UXkwCgYIKoZIzj0EAwIDSAAwRQIg\nao4thbrtM9z52dG+UntbrJ1ix1jrR6fWwWIog17WUUsCIQD+yt5rrs2H2odOs8jG\njAe711MFhbwGq1CKmjjRB5lS4Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUJbV4l9oa3w6g/DBnvoLT+57J0bcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5j3MPa94zDnUBWG6v9BwdsXkzMCoBAiNuUHiEgRH\n1HbVcwpYn2nNOQOgXFmUPTkj+PVbLqwrlN59kl3sQ99jJqOBhzCBhDAdBgNVHQ4E\nFgQU3PCkFywufMlTFU4HE57XkOU4ADUwHwYDVR0jBBgwFoAUGEefpGNRAv6pD1Ns\nJAiBzX47ENUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiAH\nA6nofbDyNXwgY4Ww2YLQ2UZCfg5g7iB9QSvryOx0ZwIhAMs2BgsBMqNLmqwzPWKb\nQgROsFvBiF5mlQdSw70nsjzo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUT79OR3h+dVhqN17MOujryou9ExAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE9PYgJ/Cqai4HIwvoMkd25zvVR18BJI5sGalcdNYs\nbv65Rg7YN1SR570gXXDZ1VLk0znRhekU/dUMkFhGTZropqOBhzCBhDAdBgNVHQ4E\nFgQUvFMK2r9rO0K7/EA9EbL5DmnLYV8wHwYDVR0jBBgwFoAUgZaATKq+/xb0Bh+3\nOogec4c+UXkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNJADBGAiEA\n7uLL/x3e0qzeWbH7wTuLqU9dq0p49rXv+QFSCFBKws8CIQDodbJTZX0xdIfAJ+dI\nfs5XuZvwe4gdXpb3XU5nfxr2Vg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUc8UXkJrCuAyk8fIixfRFejtPGUwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQSCdFBgwkLMxIXU3b9evlLf654TBrmwNcFhnO\nSIHRZnpK3eHXLOUQ51f9OKQ5Z6gFeHGE0Juu6D5lvtS71sECo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5DWxrmIbnsEN2JNvtfi7GqF1j7cwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAl37aaT8KeX/W26fC7fGIskMwo2k6zXq2l5nw\nSD1xgygCIG5Z8d7C8zcI7Ke89ba/RU0zEm1KRWfX/2GPvgPkh+vh\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUdxTYuELlL8wzchrGpjQ4Y6UsK1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6mH5KFngdlqOoWRYU2EcvLf2aPa+wDrVuhRm7\nBmIIlHSLoq6ey/9IOltqdOHr+KCx1ISzwtfYeLg9AKjS/Lrko2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULWK1/kmHFUQxn5DTi2IExsaEiaYwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiB1qTtdv5MC4NYwwGV+wsWeRw7DPAqDC99zxGXQ\nkUdm4wIgSUShuZJBUFC7n4Drx862BTsavQMfywYBeKS7QGVW3eM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUbE3QgxatmudHZ3Qqcpf7eO0iqL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExYVg4QSc6SnUAPioSSuMGQa71ueOpYKqHLE2sVnl\nHxDffIxAsHUIymam/Y/L1n/X3mb5UEPIIrtxv0W3Q9I4fKNyMHAwHQYDVR0OBBYE\nFD/o9GZBQ0USrWJpahiivGlAO2k9MB8GA1UdIwQYMBaAFOQ1sa5iG57BDdiTb7X4\nuxqhdY+3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCJlfj6z4xJgXcSoh40laDJ72l5mLYZ\nIn7ypXwpOZwuJQIgEjGwqvVZM0yGjhyymsiO/2Tn18LHhBN8YVeTVacOoKo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUd7Ic8ASz/J1HtDS0ekG2Aw5XiGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVPDuDFYj5k+yVt0msVyINUXOJIiSmr3nHBpNMqs7\noGkHmsg/D/is+GzP7R7oC6q5v7MAqN1M+7uCxP4/628WraNyMHAwHQYDVR0OBBYE\nFMnRAET0Up7MC4tuurVFeD9JCqriMB8GA1UdIwQYMBaAFC1itf5JhxVEMZ+Q04ti\nBMbGhImmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaguvLuREd0NM+OdPCwtsN5rGpul0r\nmosMrHceVcjDJQIgZPhdRr8HR15pMCjpFBO5zcIWeGJhtc1ZBwcrU8uikUQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFXFz7l5DNUIeU9J0+3BEigioGg0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpP9XNOz/cSDEGoXjBHL1DQaeZmb7gcc51EyxJ\npLI9keD3Knw6mFImHTBmkkP2MrdNikLhFTHVCWLW4SgCGPxzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkTJBYCd0/7ByTXjoj3vvY9lQu1kwCgYIKoZIzj0EAwIDSQAwRgIh\nAJWA6nfUvGmlq6GlFeJEmCdWDWqt7uaf0Sx5V5wbKCp9AiEAhWqdle8vRo126sII\ny+SDk1hZ+6iQM8JtwmAGCZRcFTc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYHv+ewml/DddUonCoxrbPLbBawQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT70MawMiMSGmUtgZLBiBuveTZFoE1H3GAgtKT+\nLJu+kn+wictmKoTPpFcR33A/kZgKAVVsidMB/7/eNCg6B4zXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdEPH+DUrCZySzgoLMJhSx2oExAIwCgYIKoZIzj0EAwIDRwAwRAIg\nblT5Yd4EsBKEbGTBkXed2K1cP5krpxBXS3GLCt02tZgCICwaNkQ1ihDxcrlS/JdX\niXLTUF/UArewsOkmKkf5efyn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUbZyXoqI5hu8sAPIFN7uzUnZmGIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMjI0MTg4ODk0MjAxMTY0NjU3MzUw\nNjU3NTM2MDY3ODQ1MTE3NDE1MzQ5MzU1NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDHMlQHbri5p/CQuOW45ZMvcps8U5g0XM3P/WLflbzUoe5mX/yP+aHqN4P7SfC1h\nLh1cyf51GluUyvrSomcGsO+jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkTJB\nYCd0/7ByTXjoj3vvY9lQu1kwHQYDVR0OBBYEFGsBgzlohfUtQYeUIUYpbGw3uGei\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIhALFvl0Faxqpf\nlfQNN5yNKHgi1klF3kiWNmBQkYVRO14mAiAqvuiqpNN78DNMfXz6RZNCVMHItc2R\n3z+9rPZAQYpl9g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUZnF+ZOLxNoaoE9xdRXv4kumUrE0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NTA4MjgyNzQwNDY2OTA1NTU4NDgy\nNDMzOTAzODcyNDIzNzc2ODUxMzI5OTUzMzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMV1oxhm4x5XqMQvPLmNcegB/MkDCqLG2A6ws9bHYShVvpfn9SFDYO2QYOyHsq/J\nMS7HLXbp0MmijBeYh0VlVJajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdEPH\n+DUrCZySzgoLMJhSx2oExAIwHQYDVR0OBBYEFKo+0dkZyPR8wt1F2kEFTcMjfBUv\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAKy/eYGxYboJ\n2oTTXW6+08ADNenGQI+/Gg1UrWQIxYFZAiEAgrucvsLnPRq5D2Hhtm2tnCmSqnC5\n2SfJMVM060TS1bw=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUfSC11rfZZxTl8n3eShII35lnOBcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTIyNDE4ODg5NDIwMTE2NDY1NzM1MDY1NzUzNjA2Nzg0NTEx\nNzQxNTM0OTM1NTY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATT\nUvyDzZ8hSsSxGlxz3syMKXu5vGvfqFyM0z0I09BsyH0WYaCiqWiq/qHRtvE5qo4F\ntMw9jkiagp7ZMkNBclOQo3IwcDAdBgNVHQ4EFgQU8KCNJ5AovWZ4YuueGbvGu4NQ\nSIwwHwYDVR0jBBgwFoAUawGDOWiF9S1Bh5QhRilsbDe4Z6IwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKu3grJ6Ns9shyglzBnjpZodR2r6LjNrnTvUhUz/72/zAiEA4ZX+rPpa\nsOxn8nOGXJNkYkc1JouYbN5EkIZ5/6Ty8nQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUKVW6biGpyG3FyAQ5sgN0xBq9NZ0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTUwODI4Mjc0MDQ2NjkwNTU1ODQ4MjQzMzkwMzg3MjQyMzc3\nNjg1MTMyOTk1MzMyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQd\nJYHO+iZ08T/UeMUdbxEYl5v/FcpQIs/BOGbS1/HLQcVkHGkDsE2LXQ4EabzeJwy8\nlAR1OZqjegIlJXUTBo8to3IwcDAdBgNVHQ4EFgQUmZUwZL5S7T65Q6kDX7wlaHYe\nkbowHwYDVR0jBBgwFoAUqj7R2RnI9HzC3UXaQQVNwyN8FS8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKdzFfA8ymi7tx7ILc2hlu3idBRj0EwaeAr0I/iM7rw1AiEArZHyoILZ\n/wylSOCJBlJLnNhGsZ07ZNcccC/tS+66cy4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -283,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK52hUOwPfKm86QAazO3YyfvK7LEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRUoECtq8tSClKf6VdYOaARMZmEi/eDOFRnhFN\n/XpZXHXzW3mWXh7qYEBYep+VDYOIoIHZSsKeu5sq/lqEVc1zo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRAgm/oDirAkw1jQYshFrSJngGylTAdBgNVHQ4EFgQUQIJv\n6A4qwJMNY0GLIRa0iZ4BspUwCgYIKoZIzj0EAwIDSAAwRQIgYzRM1cNtV7c2YTGl\nvlKNtNl56D/Jp35kaWqbeLMQqRoCIQDimEDWQ+s+Rh0Kow9h3EmQqnsRDwi4ekea\nut34HiZKEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUUu4bEpAFb5hic+h+IzCu6mHc9EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShy1i860NhBBKi0jqH/Isgi+abxUKBxJYbLqUD\ndHFpIeDjO+oNmlJRPHSgeZAtUByWls1dXpW0ENZpnF+Z4g9lo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBSCrL6bF4AAvWIpVfRSayEIuXV7wjAdBgNVHQ4EFgQUgqy+\nmxeAAL1iKVX0UmshCLl1e8IwCgYIKoZIzj0EAwIDSAAwRQIgNCduBAxQd9L5VWqI\nuDwF16/yvCVgP1n30SSpab/3REACIQCiMvmp4isFJB9RrMO+r1dE0CitewnAaq9m\nWUqheLmmUQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUM4iBhKsIiE+cujuqOtzqIgmn3lkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnSvYXW3xx8ZzHbD+mMrrSdobxfA5wMKAi1t/oEQH\nn3Ut9oOt+r45lrJdKj5eajUT4DkJlLJCHrRx8rG2scN0+aNyMHAwHQYDVR0OBBYE\nFFX3QSbZL08DdsNETbs4Tm1hUC08MB8GA1UdIwQYMBaAFECCb+gOKsCTDWNBiyEW\ntImeAbKVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDSUirSVCnB8svgDBGcs9ZqOfyQzA0z\nqHRgV4ndckn/tQIgHf4Nc63gPa8kepy/c3lRGe3W95EnK4GTVZHPZ6FVkKM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUNpaIXIuej24kZ2AI5ws70o0x7a0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEX6BEQnhwsKvoK4PdpPJkC5GITUgSH7njGZBaSBUm\nCsw44dSWakfuG0PzeMGJ0uFyec7sliAK02vL+3hCAZOvuqNyMHAwHQYDVR0OBBYE\nFAS05bnmDpnVPE8QtkeNhGdKDbdWMB8GA1UdIwQYMBaAFIKsvpsXgAC9YilV9FJr\nIQi5dXvCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDmQF+3lqLvQG6wdj2vB9L1nmhB9OqV\n+Rd+3h/9FLQrrAIhAPsa6ET122tGt8ao/y8INS5T+qYdXI/dw4+L1lal1kfi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaDedYp8cjLC2Up5WYI8pUNF6+o8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQJim3ynm3KldYD38NP6/o8IV8B++hVqKRL4kV\nQws6xUwxQpoqwntFRCS2al7aS5kOqq4pKSYFSJgH5hEJC2QKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqeilfFUl5e6FWpWu51gKCb+UMuIwCgYIKoZIzj0EAwIDSQAwRgIh\nAM7R6RWp2HiPjoiQXjx1w3tfc4yBxRLsMfSfVnmMHZAFAiEA47daULiPHdPzgwE2\nEDfSx0cPrP3RVlXlYWECuFWVxLs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfLn2zJzH86GuhkdPD0G/eEgNHB0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuou7udetoso7UDxiNamwjskK7XHqspKzLTGNO\n0gA6HuFqXzgldR1QQZpnf1P0m5U/r0HOcZpp7+0X8gfBSrDno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl+ojIECfj9W+UBQG543Mu3DrMfEwCgYIKoZIzj0EAwIDSAAwRQIh\nAI1Q9EG1Ovep9fRZO/TTmmkjr5iq80Pogq7u2okLoBJLAiAdobXog4SyyYI1ZqtD\nAC40GQS4OGORa2MR7Rq8juuqJg==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGnqFPeOZwcH0IC86uV6otfwMWr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcQNxnkzBIw5YTFp812dV4zuFLxYRDz2HMMs8HC2O\ntaobT7DOp9KFb3vdD1AbepPEwWSDhaTc0l3R4sK0mz202qNyMHAwHQYDVR0OBBYE\nFJ2wp8PSydgNNhWUSVYL3MWknDvGMB8GA1UdIwQYMBaAFKnopXxVJeXuhVqVrudY\nCgm/lDLiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAVo8oc0agnkTpiXfMp5B5o4enksiK\nvOb/kP8vWpiSgQIhAJ0+hbm99DJal5fNTIO85YU+Alqkkh4zgxjcsaC0wb7P\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUX07XsyLG++TWHAMmYoUyCWzeB2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVSf71D3/2dUmy0zvrDuNS4k/VMjzdw+h1Njh0LZ8\n/1XA4wj/ViK2GbEoRJ4HTsgQp9/GRbQ4IuUEu97y0PlFGqNyMHAwHQYDVR0OBBYE\nFD6524/ywRS8Kqb4bPFJ2tZW9dO9MB8GA1UdIwQYMBaAFJfqIyBAn4/VvlAUBueN\nzLtw6zHxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDRKqfv//NhTAsCsIoAaff6MEbxpc0p\n1sbhJUfueGb4fQIgNXBuO1uYtAJUopCYa3IXDyWdfKvDiN1izsHk23Pk5aM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUCUfp2r5edwplLOHejYMVJRbOscIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MTExNjY2NzQxODgxMjE1ODYwNDQ2\nNDI4OTIxNzQzNDI1MzUxNTY0MjAzMDU4NjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNDzFid2ebvF0CUp6g4kz1IquBSkB8z5gpd195rpLj5CX7EXBp6GpFT23GE1hOgc\nVXxFKAVbZKhITIu8ihEhbyGjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRxxtXU2d8R\n79xFNQDB+hlyGoPT9jAKBggqhkjOPQQDAgNIADBFAiEAlucN3fQjSA12euwmqK7t\nf+dGyUA4nCSV43tTAA+jlZYCIH08tqCX+dTnLpSz3mCsFg8FIRAqUn0eo682d980\nQ9mf\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUQJ7PHeNrVJyEiSVA5F77/7jtQDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0OTMwMzg0MjM0ODAyMDExMDQzNzU1\nMjgwNjc3MzY3OTAyMDQ0MzA3MjQyOTkyMTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJzXfgVCXQLxu1WodzlH3ZBubUWapu5Bh9frXxVf1JibvcvQfjj82oo9AzvNSxKX\nrLFIOtMXP8l9c0Aru7dPvY+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQONi1l5Fqm\n3kFU84oz0w2PETsYAjAKBggqhkjOPQQDAgNIADBFAiEA9JUQfNS5kPbyV76xiOFI\nTR7+jLkHx5DSS6kg3DMymXgCIFT1QL8QNJI4sdtZ7Hi9wei8rqvbKe1tmMjfOAtz\nlD5y\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUH0TnLjlNhuKnltncPHwTSmXYWPEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjExMTY2Njc0MTg4MTIxNTg2MDQ0NjQyODkyMTc0MzQyNTM1\nMTU2NDIwMzA1ODY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS5\n4rOjSyf6soiThZhyrY0E4SYtUNVOio7UuEtmB8ohAyiMZyCQNTQGxFfgt/Fpm2Sh\nIhzEdmLIpZI5E9Y2TcPJo3IwcDAdBgNVHQ4EFgQUjcClPyWpMGv0HSsOrRqwRnAg\nlGgwHwYDVR0jBBgwFoAUccbV1NnfEe/cRTUAwfoZchqD0/YwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgHGoUPwa7hDslBy+FlsQJ1QbNMjEp+JOPSbwVDxQvDiYCIB28DTLoJ1Uk\ngblIwv5iYCGFmkZ5kL1bSccomZEdVlkf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIURSJnutnpvh0KrlQLKyXVZXDwORowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkzMDM4NDIzNDgwMjAxMTA0Mzc1NTI4MDY3NzM2NzkwMjA0\nNDMwNzI0Mjk5MjEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQD\nwR1xEBJTbIhiy1QF7JkilbBdRdE3wAL9fZlbCXmaj7mPQVfRORxjx3yD7p/ujTEL\nPVz2uGWCtP/HT0jAKYYho3IwcDAdBgNVHQ4EFgQUqVW+ZnJXEYQOABsiapemDJWm\nG3IwHwYDVR0jBBgwFoAUDjYtZeRapt5BVPOKM9MNjxE7GAIwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgGY2RiGEoT2AlEZvtIGTvK4Bx9PyUHBcDQjSBhViQXHECIA63lgavtf4L\nHkw4Q3qjScI9Klx/SSgxXlVwO/Lvn0I5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHszR2HXN7/eG4gKL2TyuZ99gu/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlEWDwdmJvRUPxNTzgyUxkI8LO8MuphCJoJCQ1\neRR1K38c5SNvkgy8luRP8xXMWkZnYWPzzhv9Iy70zY3OMbj+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIxThTj6VX2GSO1MNh4F60gLq4iMwCgYIKoZIzj0EAwIDSAAwRQIg\nfiF5No2thjw5NBcZCYpXu3rEUVLNHHurYIhEXgUSb2oCIQClw2yWXh09Lm/gH934\nO7tupqDG65Pg/2M4cGqd+MIrmQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYyrsfz8ltbm7lU17LhQvwRoCC04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbaOFUnkoxEHXMmG6cw5dSnU/fEwj+fNC1bfPy\nAIknu8cRdAK9J7jrnOTW9ANN4Zd4wj+Oloe6wcR9g7FFCdZKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDfBB70+OS4coBaxJCyErNhHpYh0wCgYIKoZIzj0EAwIDSAAwRQIg\nUqTERed0wqa7vtfBySo5qj62MUtIVGi9/tifRsK3ZhsCIQClE3GjsljGLHTwJ1S5\nb1GaOttuKQUexv69lqxHr0as0w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUP4pHv3bCz8IIP3hLfkQIV9ROz6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxNzU4MzczNTUyNzA1NTUzODkxMzE5\nNTUyODY0ODczNjQ5MTkwNTM2ODA0MjU5ODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGzHgsR2BLsCFBuxxRu0aKLVNNdML8IkmCDIYlz4n8F0msJ6mLtXeUIK4qTU6ooP\nyYIk1GyqLsNfCkMG3oXkbuejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR/i/BCNzHw\nPhq8deWFHzGkHX/oyTAKBggqhkjOPQQDAgNIADBFAiAIGR3Lo3pPLJ5X5AxFmtuK\n4y8aThWDOVDG7GfJ7KycfgIhALJfHLIeUb0VpTHCH9iHHfuJ6e9+B6gcIr7nCw17\npPmr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUJGBAjP3aocK96jRoiSzUB5Os39wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NjYxNDczMTk0MDkxNzYwNTc5OTgw\nMzcyMTQ1NDI5NTY4NTAxMTI4MTM0Njg0OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBB2FF+aFxHI4jZIPzGw0iB3fJAPbSh57HK2bLvXyTm7bY/aJx1O95hXIX04KRddr\n5g60m9oocep8/dWUSr4Y2y+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSOrZztItsn\nrN4V6VXfw0QNlaz4ijAKBggqhkjOPQQDAgNJADBGAiEA62zoZKxw7LIuIncz85Qi\nAbM0iw/DExw/4rIRN2NY2fECIQCWe2rugK1IVOBv4voFIe4smTjb+P2hrRiwaeyS\ny9SHTQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUWY33h5rTpFTKtAiUXVuETFoyH9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1ODM3MzU1MjcwNTU1Mzg5MTMxOTU1Mjg2NDg3MzY0OTE5\nMDUzNjgwNDI1OTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATK\n5hI269nQ1PPQkz4jp0qUlvavsO0bifxlXh13J/wElnqm5DWNkkO77E/vFy6XVfz/\n4wz/Xj3c4GX0PtELb6K9o3IwcDAdBgNVHQ4EFgQUCqs31aHidhRdbio/igoGIEPH\n9fwwHwYDVR0jBBgwFoAUf4vwQjcx8D4avHXlhR8xpB1/6MkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJKhf/RYpt/vto7PrVbf/b+tisNydwLKHo9czyjAqHdkAiBl12OTk/hK\n9qX/80RfvjIJIgAr3K7So+e3G3YyGnedGw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUb8eXpxQT7fbSYL4qjcXZ575PiTUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTY2MTQ3MzE5NDA5MTc2MDU3OTk4MDM3MjE0NTQyOTU2ODUw\nMTEyODEzNDY4NDk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARv\n6HTRPEEHQSY0zf3scAm1v0nFPgNREkSq2U6Be1s7HQiUX7L22GxA4DicodiU3Tty\nSamv1YTNVEvxczSNTDOPo3IwcDAdBgNVHQ4EFgQUYLO9ky6a/e/pht090KsSKbBZ\neicwHwYDVR0jBBgwFoAUjq2c7SLbJ6zeFelV38NEDZWs+IowCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPceB3wjTXZv8DvVdS1v+T0eaOYdEIWg7Dzs8M+FOi40CIFSbxiuQLpLw\n+ZftyoQIrb+UgZCqXxfgvBRbfOjtRuBV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -369,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDp6pJ/XYWBh8MXJdt0gl/O+UW/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPg+VimqyFDd4RbLG+B43AKgvqxLvuzaaBwp1t\nSfQnGL+pntwzqS3TrDTcpvi2401pbvJEFsVmR9IwD9AXDNDso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdMgj03v5ez1CemZ9GHJrz3bQTEwCgYIKoZIzj0EAwIDSAAwRQIh\nAIPWYsRFUWqfjksD2u0BFBBesyW+sp9X+aNjBvekO6o9AiBVlrfeyFMze5hQ9k6/\nOfU5YpbJW3hruuAVlJUeLETcjQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZFJ8343Pzno++hqex/Qa7r4kI0cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTBtJRcpHEvqhOHaDoikUzDn3uexGAN8sbuelO\n4UO3n9Yi4RSGZatOdc1HdTKUdewMsjVgBfChVbExIRBRUezwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF3X9Aqvk3oSi+BhYqzipIMCvUOcwCgYIKoZIzj0EAwIDRwAwRAIg\ndVh/IbOZ0U54+DT4AhKH0in2qBq+YZHsdbfGc1oVpeQCIHe35/2s9839cqFnX7Kd\ntYT0OFAuJXtET9YYcC3wV/WC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhjCCAS2gAwIBAgIUPloEcwHy9NFJw7Fui+sKsSGIPywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP16jp7Dp2hUfNzHcddddtsNT+BiJz3M2JiesZ3dp\nEpznzc1eCfUO7TW0Ey+TCaRKW5RAsWzf59RD4dVmwHfaUaNRME8wHQYDVR0OBBYE\nFDXdpm8PnWZBnNrvgxYUVk/fJcpmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIApblv+gliAx\nmvfDw+78ExbaOo3DiB40Ua3NyjzYsBguAiBA7QkWEV8OipVmuAEXl34w1x6aeEGV\n0GNpFUFsChyKww==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUEm+zQPh1afRE8j8Wq/C6MDJ+yrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEAb7zUXYmrETH9OLlLSUOxMAwjbKZQrlr+4iyLEeH\nJSPuOmC4CiyCh9iMAhe5ccE8HtXiMnXLvTBtRw091kR7jKNRME8wHQYDVR0OBBYE\nFGXx8qCN/6UrrFaRqXObGT1F5P/HMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDZ2junJbds\nebou4jIQsMuyMIRNQYhKU5lFUiN9tTnJEQIgNNX+b62LChKYYIJ14B+1zCIvQh5i\nyvuIP96SH1MvLX0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIULp1S2VNUwJFegM+kdYSeHCSpRPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSt37JWbX7qFwvTMteqUSfbLOZe73yjt+IeFlD\nocoqs+boYklcNb8LHTHqQId/0bmJfn1q6sIpP4VbfsqPL3qJo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU7o2swNVsouXsZPq2tMpl7rvDeY8wCgYIKoZIzj0EAwIDSAAw\nRQIgNDQjdpkpxih8ZPdPc2BGQlxOBGEm11/9Nho9MsTP42kCIQDAxeB51Y9YzXLK\nP+BkMTPPisw5K/g7V146dQVaM26YMw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUMFl6n+HiCbDcgY1h6QU8VMMXSaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLq4Xwy5M9QcxkXxN3AMIVTBC6ouDGWhnrtkrq\nYPiDdS4ISgv+7RdqIekWyeztdgkF4Q6BuBMXMBziMrIrb3k7o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU/3MdUr2FabGdcRJtzbKKp/OXB3AwCgYIKoZIzj0EAwIDSAAw\nRQIhALxCUozF30vYvtMdzrKL2dfgALB/z+0cJ7XfvmL111WCAiBe0aU3435Llcos\nMy4RmjJCT+ehg8w9dX61HULX3GVFyA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUSZVW1ChBJceNcCoeUkfdy5FlPc4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEF0d7KcVa/pgC7bj37eJOHEaCiXn5YG0tIwMjiVMl\nFFSmhEqeUqR1AkCPh38xssCOszwCyKHeyoBFBtVoKy76CaNyMHAwHQYDVR0OBBYE\nFMM7R/Hl2RYjnTRU7AHvjiSxRJ81MB8GA1UdIwQYMBaAFFjOyOZqgSKBYEDHXLwv\netqugrS0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCHoeZgXknRqvaje+1GKvd1SH9R4L/W\nZRybzf1b9yeMrAIhAMCvmmh+QWh9vOAcZvxrMJhB0lI7zjQaRzeSZCjkdDbF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUduIA2yiIf4lVFxmgZfXbRM51S8YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEa8RqJHs6FT2ZapWFYlR+kzJJXgzNDkYei6aNmBfE\ngNrwjq5hVZ/a8ogMQhoLDtMMexVNoz/mrEdxVIo/oKD15qNyMHAwHQYDVR0OBBYE\nFFRaOn0d2Jhj5TkRneaWE8kKcERxMB8GA1UdIwQYMBaAFKjPD33LUUJ+vQ6udXlO\nZDlguR8cMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCw+MdjCZnLIObmhfc5jKS+OivDbO/m\nqK96X2Dp7uYTnwIgOp7jHdzCfDIKsTi6FMFGqMuFyb93ni9FdHwIzrHlLlM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUD6vP+9tpuyoBExJlRdHK5MjW4gswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRavVUUK/M9mQ+tu29CV8x3g5yHJdsN1fyntqj\nx3AFfq8eDhiCEY4giNgi8y/A7I9YITO8FbXihdZutw5GweqaozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAscU9UUJVtpxCBakIWUBTn2dGzDaHC7vZOOkVxBBU\nSCQCIEMt93q1E/1G8FWhDkLtGXPxv09+XmyadZrFaGizhxx4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUYUP2sdji7QAxfDMQ9DnFejXGDJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrAvMSZPPfUTiMexj/6mH1+Opcmg6rypC4mmC3\nbp7KsRep9HOLyqgCNcjofKEc22+RW2vZBXkgvLZLJ0qexcaCozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBoJtkwmqcZr4sCpCdoY2hStk0C7Hej7Gc4Br1bAA+E\nhQIgY6oLrezv8ju0aAZszaB9YEkaRdWGCDFpeMFMRwUyOGw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZDJCtg9aB+raui5dh3DYWUhioREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAECcmYclj2y9Obh6AAlRwGpllW2P0JYBcY0ZJ7NIRN\n3Y6V687cGdnDhNPb9mMsnURBvp0j7cIuSjQ/nT2w3OXP+KNyMHAwHQYDVR0OBBYE\nFDF3X0ru2UPfu4uRxfXb4rhD/5DKMB8GA1UdIwQYMBaAFK6XbKvwJl6UGzfYEZqL\nGD7eQa7oMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDHiQAOPxR7A0K0jlvKTuwR1NkO04SK\nmC1RWf6kTXa5RwIgQQIA1zCHGnoXsrZByg9RVRSpW40uPYbSPZ8Fm99pTCA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUE+Q1qRbIs6omvVGuSeFWr79J5i8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEaB/PzkGwxGxTbDAI3IG8nw7Tcw0evDe9J8ZVMltY\nnA8YopF1UbhYXzN63QBcbsnintjnTjgVeohlM76c2vwQ56NyMHAwHQYDVR0OBBYE\nFPlLl1h+sDYo/lf/8MqH9de0gc27MB8GA1UdIwQYMBaAFCUHqA8kpnqYe9CSRX4Q\n0RBF/D+sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD+C6txxqSYZIrJwnWauDeX5mNOrJXO\nJ2Z9ibnX7DS2IAIhAP8ASyDpDTI8gJbI6SCSYTV3Zbg/Dhlp1S7xOSHr5pgc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV7pIfY/sMhG09D4Clc5OwI9spWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkUlsAUKnDOa/x1GZJeTtUPyNWsgsBlC8e49Nb\n2AjdCVD43j/jOTwVYLs1CvfzP37fKU7l+TDg3BTEltncuE6ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHG3junpdJwLzpmpqXd6zsKD8qtEwCgYIKoZIzj0EAwIDSAAwRQIh\nAK6Jid8iNlfv0tovbfYm5bk9iUQGgpqkol6AwAT2GFNIAiB2gATwbPCL18Flq05o\nMLIpFpbitYPAb2BWwSpW3UNnNg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUVtylFCXdoEprS9+Y7PIwXv7+0zUwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbK0GEE+qKSnajsZxM/zDZ9vjOt9m4UY5\nXqy8Vjh7gdQ7gd2kO8AZJBj5nmMxSfG4AnZS1+QAT6lRXDoZIgBKmqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMW/fuE3hv3E6lg2G7hgEyxTGKDKMAoGCCqGSM49BAMCA0cA\nMEQCIEkXC9pRK4izx0wxFrq9WlODkK64DxLY5p/S2wXWWx48AiB8L1zrYeT8hhuu\nk/sjXP/OdUugc0AwRKXqaQQiW29nkg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNfMVzs3XrnjPxx/20u+rtqm7SxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnJ89i8sP9Vv6+ZK/d2EbWn9fX8363KGW416FB\nT+0dZ80iYp3SJmzcJb0ZPmGcMom08F4VWbyAtqF1eNEGtbaYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFuqTM4aSZMFW1DSY/Seokr3shXwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMJq/vh3JPJiX1XXWj3DFT3gUD2Pq5PEZtco7tUyZkRAiBE5rFPxRRTBr+B7dwk\n5L8YWInTZFx+geHIZbigUz5ZAg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUOhre1gI6AZnlAut3sM3ZwBP+gjUwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQcUojLFkelR5wH95k/vU/VhpCpImPN58\nKmtNigN09OhvDEXDGmTnOo9qTQEHguSP2hKzyu4amoLHrIzNZ5SLPaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFzb8y9OuerdQ2UenioSTa66KbmkMAoGCCqGSM49BAMCA0kA\nMEYCIQCGxwJAu3PZIX4dFc3xQY/ImFytmlnlyE5spwUfXCSpVgIhAMMZLSjSVF3h\n5oBhE5FoHMXx43yNZlvrw5elZJA1mXS9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUJ+ADusxH+V2fTt12Ff0ROUd+jcIwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkUlsAUKnDOa/x1GZJeTtUPyNWsgsBlC8e49Nb\n2AjdCVD43j/jOTwVYLs1CvfzP37fKU7l+TDg3BTEltncuE6ho3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTFv37hN4b9xOpYNhu4YBMsUxigyjAdBgNVHQ4EFgQUHG3j\nunpdJwLzpmpqXd6zsKD8qtEwCgYIKoZIzj0EAwIDRwAwRAIgC1403zFjG1EeePe4\nQv2oFUNT02ILfAPTTATBBrpz6bwCIDEJOAsycbK0KehPA/3V9cx4z3hktVgCUARd\n5pj1nC/i\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSGWafhB2freU6p/3Au2E3NcihIgwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnJ89i8sP9Vv6+ZK/d2EbWn9fX8363KGW416FB\nT+0dZ80iYp3SJmzcJb0ZPmGcMom08F4VWbyAtqF1eNEGtbaYo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRc2/MvTrnq3UNlHp4qEk2uuim5pDAdBgNVHQ4EFgQUFuqT\nM4aSZMFW1DSY/Seokr3shXwwCgYIKoZIzj0EAwIDSQAwRgIhAJut777Aau19T2qc\nJthHOSVwUqQaRVyDn99mo8u0DOVLAiEAv/kn18fI4/ph0eXcc7E9nPrAGH9sOjh7\nq6zqKUzNehE=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUPCa+SNg/Z8DWzraYaWylgaEc/cUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpsZNYNh5HdbF01RgbxbcvHkLaoBvu92py3yT7pI1\nPGhaMOMQ2skefIeZP7juN+2EYmQncAjKbqGyOZYhUKirkKNyMHAwHQYDVR0OBBYE\nFE6eO+KpJPl/+E0emIGsCUUyHmFlMB8GA1UdIwQYMBaAFBxt47p6XScC86Zqal3e\ns7Cg/KrRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDPM3WI2vfEgwliG3Hq30RltmDykarO\nEMVxastWBMwYGAIgEJ1Xe+hoDe7jjzkvul0lx83tnViFHsFXR2h8gVrbM5Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUDcRgjp7t3ADhNgEwOXO6GXa+S0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3c3fTdL9zljlk0xSF4T2CdBzjA58mO2x6VIsVJQ7\nm1pUKvoyQgwK5ESW35HVURoyXzdl9iseXB7Eq/oCf/4hY6NyMHAwHQYDVR0OBBYE\nFH/+QGUQ6FTaWVoE8BJAHz1IAQWzMB8GA1UdIwQYMBaAFBbqkzOGkmTBVtQ0mP0n\nqJK97IV8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC6AvFI+0G5szhdCer8LMt0wgnKO04F\nx7+R0wZuZr9ynAIhAMWcjdXgUgPZtExwMkEb/PnDzbk9CVlc6hsc96+qlSsP\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -456,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUTKX+BJtL82fpxVkHcAPjGuP/8sgwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABF4c3iJ75Xwp\nBRmLFkkW+lnTZbqvwc0WpUiOOidPdWez8Dht2HSDA2QxtktV0KG787/42CkzRxEL\nc7/iX438lC6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSMjOaVSpx3lSRJ8Nxavemu/xbk\nqDAKBggqhkjOPQQDAgNIADBFAiEAqICJMyxg6t/Nzkg3wSFksoXcqPbJ9q43k+BQ\nwOwUNdcCIBMKkQ+q1R6++6gjqRC6Xcp/rre9A7kSsdUB9IUAczn2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUe2IzWvmfe/YbORRehKsp8fPhmYQwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI6UKHyOvI2V\ncz8K2tCcTzPVdT89jnB6MAxV3TLM1UU18mEG5CE5W1q9vZooTuFtpis6DR9q+blH\nS/K5wDlhgA+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR+Dye3FYcPO2EXMvkCFUIBXH04\n/zAKBggqhkjOPQQDAgNIADBFAiEA0cRVC4AjD5Xlh8tpeJak674ZdwDbs4n05jtV\ng6V/cpACIDzTJbExl3hZprCTXvxO+x2IpjnbW+j7E/GAzsdXxGQc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCXYKuC6+R8BZYF4sgdyO9DR4KOwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVTKZlEQCtrTtU+XvXBrWsjog6KMPy+HUPbpjY\nfRVopNcssRx8/65EW+d/c7OldYXeeI6Med1KAlDO4hGVpzleo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOd4TT/IYLyPG48mALquFVpRRUakwCgYIKoZIzj0EAwIDSAAwRQIg\nInARIqU58A9cUX9ZBpPo9HKF48hnRj/mgho4BYzZsqoCIQDeUaTbMHLv5d1NsU6V\nxP2KSoWKXO8YLcU9nGLRWstFlA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUU91kMAobX/B5aHisCMxM47NGZf0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC81NDAxMzMzODY2Nzc4ODQ3OTgwMzcy\nMDczMDA0Mjg3MjMxNzQ0MjYwNDQxMTExNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nN0PXj9p1gAzVBC0knkfxX2Ij1O6E3uMQohb4EJBdoSq6otSKsPkbAxqFulR3/1KE\nlbMMHfh/SZxlVeLIJkZYIKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUOd4TT/IY\nLyPG48mALquFVpRRUakwHQYDVR0OBBYEFAqZ9Ku0ou1JHxC4FHiAGBJ1kDIsMAoG\nCCqGSM49BAMCA0gAMEUCIQCaU2BQlmGQFAklG7sQwdsicPwMbfUbyWWc0OiZS6hM\nEQIgeAxgh3i3CaXu33ZdoIa+FaTgZgfezUlRbgux6oXwh4k=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUb9YCKdVuOk8pNgjLlC6VQ6ukV/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDrVsV2FFR7W0Ka8daHlDofw4hJoDzoqrhB0qX\nutot8FWsOjfXxDWOWjYA5MCKBEvkeTWU2nycpxymmJq5dC7Xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/DoJ33fHuxsysZ7j1O13P4pHya8wCgYIKoZIzj0EAwIDRwAwRAIg\nYBBblzs+2abxbciPTEKLsl8JzDQmEHYGjU5qZSH8PjgCIH1zrFLCSKJWAhDgY7ud\nZwwfceR3OMVW3FIBcuCFqQ+p\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUes2AWyR56GHbVXeo0br27qz8y74wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2Mzg0NzA1MjM0OTM3Nzg1NDYyMjky\nOTk4ODA3MTQ3Mjk5MDA1NDgyODI0MDY4OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCBnmjvAFrjdavguHIU72FlenjOg3BnBsh9qovst78auTDlLTu+n90RlSPf3kZBz\nR3AtrZQPHim81G3y9oYYL6+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPw6Cd93\nx7sbMrGe49Ttdz+KR8mvMB0GA1UdDgQWBBQ817dRArgBfXBM5MVLmRiUa3HsRzAK\nBggqhkjOPQQDAgNHADBEAiBRzueNSW116sU4FbweI4SbBCPTVKIlU36jQgcIxrzm\nKQIgGlB0UtPYChY0LQ10fGMQQVyDWANq45oicGxvZB5WSps=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUSMRUkSgLAWwsy5rcdmrX2ASnSk4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTQwMTMzMzg2Njc3ODg0Nzk4MDM3MjA3MzAwNDI4NzIzMTc0\nNDI2MDQ0MTExMTYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGv1\no1XaKtMsQXgn1S/6lRaPXvmUgR2OfxbqRUQtlrrzDp90fGY6mT7Cc3ISg3B9pBYP\n8WXsCbtGqPsrTE4uBqajcjBwMB0GA1UdDgQWBBTtdJA3kR9SjYehqHlDQ3K355zb\najAfBgNVHSMEGDAWgBQKmfSrtKLtSR8QuBR4gBgSdZAyLDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAw2k9J9+takmmx0rhvM3pxYuYeGzLRVY3NNBTBX35da4CIQC1xV2X3hB/\nCcQzhzH9hgxca/J9joJvFXgaChk4oaDI7g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYG9om5wk/eihcLKS7sCU5CHnOfIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4NDcwNTIzNDkzNzc4NTQ2MjI5Mjk5ODgwNzE0NzI5OTAw\nNTQ4MjgyNDA2ODk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ\nlT9niPusyoHMdPyTPa3qbxgUkScmVY20GuoSNHn44LTQm9DUaov8TZn3HUqPrXHl\nLjp4n4y5KTUBpzBz5lvAo3IwcDAdBgNVHQ4EFgQUgWUQtXSyGDjbI7iCDVICHyQ1\ntgMwHwYDVR0jBBgwFoAUPNe3UQK4AX1wTOTFS5kYlGtx7EcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALSH97YSocVEcKIyr+yqWv/3RsFBsXRhHmUOYwagEAxSAiEA7SWFuG5U\nNxI92d35GQBcE5Z9pU5I/+wtsS2aNNh01tI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -480,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfdqFdo/bqhkgDEiMrWQl3ptOQ5wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARa29jhX6MYREleln8tZM0UDHxFKx4KMU9NXXXJ\nl69cDhVM/mF3bDGO3Foxf5j9tq39t6tem3vZ+NmD4QLk+rjvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU870BVv+PfPrVLJUNJOqvxVyHox0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIthpu2SgNgK1OS+EgH7rr34bV8Omt6i70WTpF7jyhUKAiEAysucFMX0vm7dbBJO\n96GfcP8eoyOTk2I2fZcPeH+dDOM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWMXXFayQp66Ef5OYXB+LnIQg64wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEeyLgu/JQx4TDmmVebtKFJH2a93xsmp5apHnQ\nvC5Ps4sK+tttClVL2+adsiHyNjxN12IGTOyKxyd4RoS3pyIHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxkGQfZZHsXaE1BIvwknu442s43YwCgYIKoZIzj0EAwIDSAAwRQIh\nAKRQLWSplnfNtwMGqBQPcf3VAG3XfZTFmts+wV1gDC0FAiBI8ntaED/ydzOiVo4q\nByxrv+iUdcTHmhQI1Py0CF3hUw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUbMf0khQiJ8feB41FgNfZXK4Szb0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA3MTg0OTcwMzUwODQ4MjgwMDM1Njcw\nNTc2MTE3MTEwMzkwMzE1NjcyMjg3NDg3MDAxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABLZNkbtLISUkZxoCD35oehN9/172IIUeLlgEJTbccGYtnA8dqCC7IsiwCopX\nzVHgKJn/bdhU40vswWGcer6QV46jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPO9AVb/j3z6\n1SyVDSTqr8Vch6MdMB0GA1UdDgQWBBRfrKp0mIbBKV9blKFVeRDoapFLQTAKBggq\nhkjOPQQDAgNJADBGAiEAq8Y7Fl68AszYDVzx3r8xr71+Nx0ob1wkdQcrfVj/iCoC\nIQC7x65pZm4KjUvoQ99BfCBAfVSxmfiREDjz03sX/3SK3w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIULTmPF4oeulG2iXIDbaFOohNm5lIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA1MDY4MDMxNzExNTMzOTE3NTE2OTU4\nODA4MzkxMTgwMzc0MjgwMTg4MDczNjg1ODgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKwPq/GgcMeTdEuQaNmrk8O1vr6RWUHxzMesYVhoUcDq+g+Vsgi79oG2JJb9\nefn1BEBTRTPBEDMiy5+9Vgxg11OjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMZBkH2WR7F2\nhNQSL8JJ7uONrON2MB0GA1UdDgQWBBT6QydaUfTghekm6tarfGbC0FzuATAKBggq\nhkjOPQQDAgNHADBEAiAyQ0ZQl7Tmry4JuwFP7sOhSm9y3MUSWxGganascJd64gIg\nB5JF3EVr8ChZsucJzNNLiCj/wxmslEwOFnZa99Am5FM=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUXhZoshII2cKDkJz6crFYvsqfoVEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNzE4NDk3MDM1MDg0ODI4MDAzNTY3MDU3NjExNzExMDM5MDMx\nNTY3MjI4NzQ4NzAwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAARPmt4d36ozCrU98Jajv2W+wdUB2x2iBoI/fcPOoX5WlMIprQFpXR/YEHLmBbjJ\nTHeEBgtsqG9PDG/PPz8gEjbEo3IwcDAdBgNVHQ4EFgQUK7Muh5qckJbkTyYtQE2L\nUBlzg4cwHwYDVR0jBBgwFoAUX6yqdJiGwSlfW5ShVXkQ6GqRS0EwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAIq1My8n0HLVn6LlqeYeHEDk1dV773uig3w6lUpJ28guAiAP/gEB\nyBFbMbjUtIfG6cLvXZMkuTQqm8hU/EvCbzwuog==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUURtQUbx8oVfodPg/W5YEZf7tDhYwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTA2ODAzMTcxMTUzMzkxNzUxNjk1ODgwODM5MTE4MDM3NDI4\nMDE4ODA3MzY4NTg4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQodQ+MTg1/cLShePhQK5UL8IvxulM2FCos5D0fxMoSFqCH2ORQoBQl2aSITEXn\nyS2kfqezvTCth7hdmTdz56dKo3IwcDAdBgNVHQ4EFgQUPgXQ8y+JsO3MH1qrj3C/\n44mHU0IwHwYDVR0jBBgwFoAU+kMnWlH04IXpJurWq3xmwtBc7gEwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhANr+uqTPmJxkoCruNQobkNG4iAIx8GtsAPJ8PZOoa2zxAiEAwCg6\nmLEY+QG+JSTkeLdIRa6jS8ul3kHS98Oa+QZxKQk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -503,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEOCH6OUS3vHpDWx3MPsyHge5nMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBtIWi1ZYR9ZgJVAX3D3KyXt9uKEZQ6nwCe8ro\na1q5wWagcwMJUYsiun+TVPzVC4W/3ThcKEFRcIyfJAOTzmyvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAXsbAyP06bCSpuPd7kTAmRuEG8YwCgYIKoZIzj0EAwIDSAAwRQIh\nAOAWU0whi/nvJCZ8EW3GyiKJ6Fd7CXlVLkpvFi7o423tAiAJ+JxA5aV/re9bsXQ6\nRU0epKRqZqpM8oL7ftwtMSk0jQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaZXS/7kIHddIcT3Vtpj76qZMQk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXX06u9wyDqpeOFhRYMMJ2ZhObzu3kMrakD0q1\nDcFz1i0tQRh0bjQ4pngskL3/skp5gunxfOebqJ3xcOURoeFmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfh3PxfGAD6IEqYIA8esVqGghX70wCgYIKoZIzj0EAwIDSAAwRQIh\nAIRhKPxGPjJ0nN3L+lDRdNbwzxs/UF7e3dcpxVxqauzTAiAjgz0yDbJJOf9zGMej\n8SF693S1fKgTdR1zDFbWgo9Hwg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUXffoF97qqBL45rflDVKaNB305LAwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvOTYzNTEwNTg2NjYyNTMzOTk1MDE2OTk4OTQ2MDYzMDgwODU1\nODAyNTA1ODYzMTYxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLp0ZK/WahFMZ0u+WysSGLBocHwhKvsVGRfoNGpEYzcJY9zkNC2soKTKxauH4lAc\nTBJX5NoNq1r1F8+yLphM9TmjcjBwMB0GA1UdDgQWBBTMB5nVjQ1liu3vPurmdkM6\nNkHHBDAfBgNVHSMEGDAWgBTh0vz1edVbH2W/QAypDZrq9jFUADAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBY3E5zv7EaPf7DzT0dFtI3zH6pzxNl+POwg0vvvvk4AQIhAMwWINYS\n1EM7rzTNASJGKLWjbvecGimquiPsOyW/Cceh\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUMhPXtAAJmC3+iSQaFRuliPMc4qcwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjAyNzg1MjIyNTY5MDgyNzcwMjI1MTAzODg2Mjc1NzYzMjAx\nMzk5ODMyOTg2MTkwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAASs1svbBd9SbSV00pWVKCC9qGKmW73O4I9npQDxniiHP0A1UNwIkFwWxP973pKB\ncWw/hP9XkLw97F+l08ZZbGUxo3IwcDAdBgNVHQ4EFgQUxJBKb0Hem5saPt6XCfIK\nPvoBaGYwHwYDVR0jBBgwFoAUwI3KoE56rgNs9kswP/RXrRIiE0EwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIgEHmxY5KaWthP/QjYrhxN0yG3D0H5RzwxhLL+tf9tOlkCIQCQD9zj\nr2tREaof+GVv3dPiOYQl3MteIIWfzuGz5RjsMQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUBZWHF1PQ5YK46y4pWU1oqOlFwtgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ67hJO94LRUrcLjN3kakcFgffWG8TR8c/uWz+p\nw+Ok3tNcEabC50B+lW0H70L+F4No6YFsuotufqBB9hO/vkBPo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF7PmhY0xEuz\ntenXGN5Erd7TqouRMAoGCCqGSM49BAMCA0kAMEYCIQDa/hTp1dJ5n+a9akUDfmxn\nUk+JhtduXzzzINxblfgmrgIhALzHeoRYgx0Qsyp0787UvU1XaJX5NvBUv4MdfLy6\n+6BA\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUQfeN4fIK7gq8xQlWD15NDHdveJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOZNzKJDTaN9lblfeCTZ6VgbuEygipVSx4bxEU\n0Kgb7CZDjt9fewUxpypP49GgCKfV5bzy63W0uU0ZTShIOk1ho0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFATpA04TjUVp\nt7KOPCqxmOUOkNdQMAoGCCqGSM49BAMCA0cAMEQCIDKQHgCNkSMeVaN2hvigBvKA\nGUH5pHh4c/tQ0hRN/9/hAiBEKUVDT1+8ASQsOpNSB5CPaalbC7RHxpdyTkg2KIo3\nDA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUDclQ0HVAtn18pC79l8hGLScmz8MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHq+EwaGabWjuOur6J+QTO9w+6D6VqjUwKjXJT+Q6\nkylLHSevOpETiUvubmfzOoi+92BLaArIt5wvMzFOjKA3+KNyMHAwHQYDVR0OBBYE\nFPocoM1F/pbxhQx0NImUdNzvYphoMB8GA1UdIwQYMBaAFF7PmhY0xEuztenXGN5E\nrd7TqouRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAW87HMYmU0XPxEjGgfmNEde3rRwNUyq\n34oifQDcsezBAiEA+Keu04LLxNKVnbQNpJYHqW9KOVFhk6Y3CYQx2xYZJls=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQbiurrcZiigVI4VarIHOWBpt6mIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEobNkJfy/JVYpaMYBedYYApHbq/6AAV8qRS0CdlJF\nJfZo+6Ktl5O2ieBNy6//p3BP/ckvTgdS5cPCo8rIVe2gIKNyMHAwHQYDVR0OBBYE\nFPzHuH3+VugOWdQBFHefh2WUvpGtMB8GA1UdIwQYMBaAFATpA04TjUVpt7KOPCqx\nmOUOkNdQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHIIL4PntcQyLQ+Bn/TkP94S0z7DULR2\nF+RcYAwo9b0EAiBmjVZgyIKHLoUb9T/daUrtfMKXOQG10+JmWN48Te05hg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUGLwbs3P8x7oNY0o7bEmnebBYlsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASt9d1pNvjKDhblhAv9tNNvk9SwUnNSGwLQWdDB\nPDjOWA1m/MW7BQls4jjRa+ny5oLEEIPemFqVC9psLVw40KDAo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUDhLS3voOy8b2c34wTz6WFSQko1UwCgYIKoZIzj0EAwIDSAAwRQIgG64H\nXVYP3oofkDrwnzcqODvz7TpTk0WhKAaqZ0hoF/kCIQDKK+DQ/U4ivzQ7J8v9YRwA\nY+na00WDL/sRcXRJkOBucQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUVlKPaUFVWwlN4iNxurej/pY9AlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQco95i9R2JxFwknuwCV6FsPAcux8DEBk0i8o0B\nM6BO16cxL01roxRruZIgSTB1jbp8FyX6XSODWyXhB1Fdauwvo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUnFaZdDYKb75Rl8Db8IHChnRdDLEwCgYIKoZIzj0EAwIDSAAwRQIgZjgy\nvIsrkV6gRdB/sHe9exkd4B8MQRIiCX8b6s8VvT0CIQCQkqZZ9Nd7t+nYo+pG/ySi\n1mdnvb5BFoF2x7BLpMPR2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUbQXJ7PvStrYLG4GG9CaG2Ntm+ZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPPoH74CxCnO6gNbKOxPBqkDZvfHSmdiE2lN+RgjI\nTNKpghCCtODXo70rPGfAuOTVy6HcwxL5f5NXIywxgTDps6NyMHAwHQYDVR0OBBYE\nFDy0Cl9kualHqfSzApzBBEJDVJ1mMB8GA1UdIwQYMBaAFA4S0t76DsvG9nN+ME8+\nlhUkJKNVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaCrbGWk/zOGs2hHExjDwUA6LG8ewt\n+yUz6Pq4xd9AOAIgVTT+Rs6QVLWj/mBKHEeVrUVwZZMMvkZClVTHGyOyK4I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUVAKDWglblhZDIHGvJkfC2HLR13YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzYko1B3Y1PSI6p8s7EASqolIrTrBFsWqs092ndoZ\nqh+o99TpIWRv+fID2MJqq9phMV1fmyeA0zJKmKGVyImPp6NyMHAwHQYDVR0OBBYE\nFPIjbXfQuKYtdbCUmGNYGLjeuzeqMB8GA1UdIwQYMBaAFJxWmXQ2Cm++UZfA2/CB\nwoZ0XQyxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBJFFyO94DjYryqHb8h4KLAn52YhXUxO\nNa+6hLpKLaWVAiEAqg/JtervPQwBI2Gowjn/XCWvm36u2K8Ah/YCdiDf2cQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUQGy56dk2enhx1MUAwdHME0raMHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQre/gWPZHoxa9cXiH6rry4bcrc8yY60SLemTci\npvtVLMYlKhUvHRyMqcFW2gWFFM7ywDjuAeacidmghVwDx5ixo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSNQO/vFnYPqFKHhJV/Qn1LJyxEITAKBggqhkjOPQQDAgNHADBEAiBm\nObZSDT8DHDBXPWwhscp3xUHI47ZVyPTFEGg50TaEdQIgZoCSeBIJWLRQFA8ceBXP\n4CVnwKE/w4KYQf93Mfz3S+A=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUMw0myHtCaM7AA9qh2TwRWwpzqoIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRPfJoAhHqepkQ2TuvzszNNtGHD/kUTUCXIr/o\n6h+giS8SkkULO6XdGBhY71Sn/ojvgiMUWDy2qUxx11T/qV6Oo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBT5i8AUGFpvZY6qJWMEMKUw+JrzbzAKBggqhkjOPQQDAgNIADBFAiEA\n2VjwmhgU+DaqJ+dhXGlOtw2h+SFwqcxB6kz5RLPAvpYCIA2sx+TFUyi1JvjCn9yt\neyVe3FTILWuPr60NACAjZOAG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUalWOQUsTnhavG279jfMxmIBqMvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqZGk+uSJzTGiWnkAwsCnfWmxhi2Vw8Menx6pSttx\ngO4nYGAmVY/m9GpAqUSIy9KRLNTh06ehRcInAa/aJxUpcaNyMHAwHQYDVR0OBBYE\nFBnfaHUBk08QjDwnBdD3IcL5fRQnMB8GA1UdIwQYMBaAFI1A7+8Wdg+oUoeElX9C\nfUsnLEQhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGJ0kjUQ6cSF7H6oHtMtyahlIeiXY83p\nWAAMFmnvRjQZAiAvbBxis1lPrZ3xxPauIrA9eu9s5PAnAXrHuW6pUmsypQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJvz/mOjrltJ2qVfirWnKzN3GEUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHEs6kRObOKxlegf8Ac09adW1cw11hqNL/aWOcAPI\nZI7Zlk15j3hQQFc4B3ynwheqhmqFmdWbZkpqNVabPkeNa6NyMHAwHQYDVR0OBBYE\nFMiElkvmLH0YSnCgQypPoknKlx5xMB8GA1UdIwQYMBaAFPmLwBQYWm9ljqolYwQw\npTD4mvNvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDQZcY4IGScDPHSAKBx0t47Qf+DhZHs\nNXkuLF6cuB+6zAIga7ElsxabpzTFH2HHHf3QnZNMS6yA8MY6lWt6jgdHPrA=\n-----END CERTIFICATE-----\n", "validation_time": 
null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQX3FePZ0uZdXDKf9ANj2mZnxkAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6Y9gKpY//alzuNtu3sc8MNJsZ2qolu9HYFKCK\nocyhcx2wCPvdZHfVg+hoQaytNCbL4Cr3GGT42jcMnZ4L2Wawo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSD28yHn54E7anXCb0l3nyVFMryAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOK6vjJkJN2QmlpUdQJLpfgacvyVSi8hod3WsamaWsk8AiBaozfpW+pTor1f39Mo\nxIuK3vnrY1vkC8MxQ5JS/tnojQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP/RFAFP2trqXx38ZLEK6O2iGFvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDMkF/r1RI0orF8FrI4dGuaVSyJ0UeNYlbL5Uo\naon2mUKrtXz+mc+R6Td4WI5V5Kn+fEFW8X7khb4D3ICfHlCno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnpsnbvgg+0quuKykg1OwwkFr8IYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPj+5S9VY65hg3KKJ9Jh0d0LxQW3D/67medCKb7Z6wmcAiEAkhkEnGcyvhmrBi3L\nrLO2hFSErVvYbIm9xVtdY66DF6g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUOoiKDkG4gzjQHaak+ZTvax4yYsswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczODg5MTk1NTM1MTc0NjQxODgzOTAwMzczNTcyODc2NTA4\nODA3MTI4MjU2NTE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT2\n5NbapXoA0QuUb6b7LXRsWCaq1nD4leHS9nX/1KqqaOG4D/ApFeyGvcGPeZhTC5t7\nsH2Lh52tImOCVRwlXqX3o3IwcDAdBgNVHQ4EFgQU35FZrvvX372E/AwhHMN3pbpQ\nsdYwHwYDVR0jBBgwFoAUAHl8fFMIaTOvsLuqsQHzwpoRp1MwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAJCc8TXo/vYDi9AQgdrtX4oFvyw314cfNldCBW/EZDo/AiEA5uGPDFAu\nz0/gXFT6+FTSY7sbk2BMjoNYzh9VeLGrTFI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUGzKe7/RRxUTA2agNOxXB6kKplPQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzY1MTEzODExMjQ5Njc5NTg4Mzg5NTQ4NDg2ODM5NzEwNzQ3\nMzUwMTA0Njc2MDgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATE\nijlJW4QrSgPjQE2bTMtCgt6GKU/iWOFiaLgjbvK9XatvM1m3HB0pmQTL0bJtjcHz\np4rhDTVhejq0aXcQlSdyo3IwcDAdBgNVHQ4EFgQUVrfMHNHfaFf1pGlHy03TF+Cl\nccIwHwYDVR0jBBgwFoAUcsVf45NLB8R4FYVwRUmaLG3mgLcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANmGF5NBg+iMr7t0tjo26fk8fto/hY8kNq8ICUNMk5FgAiEA8O9pk1qB\n/ea53kdkGkyDJkyGRLXVBqXf5I5e3XgjVmY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
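Review bot: This negative case can be rejected without the pathLenConstraint/keyCertSign rule ever being evaluated, because the description promises `root -> ICA -> EE` but `"untrusted_intermediates": []` supplies no ICA. The peer certificate's issuer appears to decode to CN=x509-limbo-intermediate-pathlen-0, while the only entry in `trusted_certs` is the self-signed x509-limbo-root. A verifier with no BasicConstraints/KeyUsage consistency check would therefore still fail this vector at issuer lookup, so a passing result here gives no assurance about that check. The vector should carry the intermediate, e.g. `"untrusted_intermediates": ["<ICA certificate PEM from the generator>"]`; as this looks like generated data, that means fixing the generator and re-importing rather than hand-editing. The testcase object starts and ends outside this hunk, so its expected result is not visible here.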
@@ -608,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI9ijdCHOZEVIuIzJqM8bOwTxSn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXG2FzpFRnUfjF1ZVe7CzZDmOc/WvrLzQOJEHi\nokobKK+7pRaoINk4VHTp0sgKjL4zQZ1JXRP+9bi/g7bzFl1qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqIlbzVHzfO5peV6m5W2/1uoa8HcwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMEpTc/rzwm+91NsZqKW4IwKqQpmxj1al/c8BhNGzWrAiAgL240wwCxgReQqBPt\nzA2FDvc3i9kbYnYmt2y4P84hYw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfWeNpnxFrC/rq84ZGgt8gBaGO84wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAcAn8vFOHLWqKOw3+4TiVqTdILGwPAQHwF6NX\nayN5KDzrC9mm9+SkhElzbH+4pD0tmGDtY6xV2MVmEI1/QV5No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJZBJAHLP4B9fYi9i5Fk54KkecBQwCgYIKoZIzj0EAwIDSQAwRgIh\nAKMzfAjEG7HdTaNRJP9RED3FYqwJz17rySn1boP7Hg6vAiEA52eC10x5d6A9J92M\nDu3rkPolJ9M8u4kMfoXVszxpgX0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMCTBNkcGI61c5pTxEhMfb0wwIjgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErYcDLC/RV0ogElx3LK+ve+3Siis0jRQfyvjkgrtq\n94hIPLUk44SUyiHrpqZg1bHcujiqXsaRZ8wDvh3ma171KaNyMHAwHQYDVR0OBBYE\nFDzDBBP3X66EKPQkhXnc9jtn9MEAMB8GA1UdIwQYMBaAFKiJW81R83zuaXlepuVt\nv9bqGvB3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICN/KYZHIbs5Ma6h8V1QGjOmtbtWqPdB\njR8MqZguGermAiEArG50OijIbh8gdZUC5zdoCS9PCc/MeOhZyDqUxRaaueA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUcnPG9KTnajEo8NooF8IsFmwhiSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5azvK+z/lt2+mJD2nKv6DXNo2b+CQKWmb9Yp9yC2\n8gW4tBiLYhUMw2/RkHxb3GDfgvBEG65zogbMNFEWUL0uC6NyMHAwHQYDVR0OBBYE\nFLqYTC6CS6mVaPxr9oFqZ57Gu6znMB8GA1UdIwQYMBaAFCWQSQByz+AfX2IvYuRZ\nOeCpHnAUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC3W1Moup3q15dXXObzDy3+rKCHOb5S\nJeLoDCMgT3rFKQIhAKvHOsWi964Crf6YQEu/kxXBFR/wh3lIIiQ9LYKVUOYy\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUJhY+ZvrnFTALxzrntSwnsscPjFowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkYTE4FpLxKrZreuO7XUI8Nh3RTWhOA5JdnFq5\nv2RgTlPtClEp9K3EPyTM1r07qtpYL0ImDul248xOAWk6bV3so3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU24M6m1J+COxSKzre3dSM82RVzVowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGuBGfDQGGoIq1gxg9QR6af5\n4/Q7D6eVWVjh8oiVVxYvAiAY2zMA1yCEkQY7o4rBnqc7HrEQNzGvGkRm5ipGP7S7\n8A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUTMulkJ8mgYKpWpje38LzQebIiWswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMLolNKIH1uXajUnLN/INLAMKmOWoS2UEGifIa\nY9OI99fk/Zb6QAFmN5Pk0h1iEYo/Me/SpHZUPjiwlYFdfpqao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI1V/O2MRARnjJsPPVwJ0+UGT1NAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGjcTdvn9PkQy8Q8H+cftL16\n56Yd8RTF3mCDuBzAzLDWAiEA+XAi69XhPLdUQ6GdMoXY34KiBxTn7t8Hz+qHtk6C\npcw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUeF2Obp4CdVErx8jCDvsnTYz9eF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE49j86dIAHMGtvcxFR53uY8ILIJ8w1LEpLh4UFkzc\nKXUesfY/erxbjo2+im6x7y4E5yiCUH2AxjFIrq8sVWx7aKN2MHQwHQYDVR0OBBYE\nFJITOirwmghH9U6F5tj6QL+5lrOoMB8GA1UdIwQYMBaAFNuDOptSfgjsUis63t3U\njPNkVc1aMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiB0dpGYTvu0gI85ui8zBYKbq79E\nE3uLVNbOPwfzCmaSmwIgHycNrSNI3POdZs19QLUpmHHZx3pPVGVvrKnPKnnG74M=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUT63ldl9cJXQTpKraWxSmaxmdBzgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEltTtADplkIphgsK9wFQcOXzzdLG0bAMg4/8n014i\n9IWOG6MyiPA2YxQFsrDPlJiyO/IrxDTsWZIItsqi9ly3y6N2MHQwHQYDVR0OBBYE\nFFhfFdH4PSpPbNvjDTKFnbTVVdq/MB8GA1UdIwQYMBaAFCNVfztjEQEZ4ybDz1cC\ndPlBk9TQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAi3PzjO/M3FIg3kdUPZdrUsCt\nuqGE1AOrGb/C71cUtk4CIQCzzc5LU5Wyww8+ChZ8ALwuXyzRCoP+wGqqRGoSLnQt\nfw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUQiO8MlwxB0MJmUWBm3Ay+MHvKCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARd+T3G8j61hJCf0POAJ7g+ipY/1HGKpdXOXADs\nwXFxUZLV+riWwTDm4sMauEYczf/CwpvRySzubt2FyDDJWtaco3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnEsapsyaXJEdb5f0KrdApmy1Y2QwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDXprrQkM0D4DF/sn4Ci4ss\n0oc4OCvmtpQBDK1igMMzQAIgZWlOEpHDl312FOd9wWoMTPPbGf6rOC93yLHWPamW\nV8E=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUMVOZMmzcMfSHdmq0Lb5A/gTF6I8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv+aLOsgZZslDOOhZ9DDlx/LEis5627bVmA2Zn\nMgUqOC5tgex424RG3pfQN8eT0r2RquU5j/tkIdTNxO6yVc9Mo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNnnoAXiBCuuI/aDzAYv9w1wpVLQwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCGpdt7AeM++DkSvZDBIoPI\npQUP6EV+wZsIKYxBnlGYGwIga2UKUiskp1W8Xdbjn7HgbmMcblcwxK/dF2bdE76V\nR5c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUXCLQEsDrfbeox1+J1BNHLX+caHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZyGQ3CGDfv5kbNnUemF/ffZCNfmbbR34fyLwlqbz\np+2efG8JwMCN7b070ZAQKnGkTwNWcZtBVanlnm5xuHV1sqNyMHAwHQYDVR0OBBYE\nFN1gsPRUCYVsDJurthE7FEOsTz8vMB8GA1UdIwQYMBaAFJxLGqbMmlyRHW+X9Cq3\nQKZstWNkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCuLYuSrSgI092pQGN6Nrn823k9QkPA\nKWLvwGJoFVg9ggIhALb43nVdDBz4RgwGgzkTJKI9ZsBvEqAvoGpZdZw/Dx2N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUHpp20Zq953lRBwUXseFSwsh5itUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0v9ZfFKwNK6YFGwrEigoKqH46lsqTvyG9qntUgDI\n++I77CQXDrpFUhpZGtGR+F5EykLb+aATy2YQy+t7pv7SjqNyMHAwHQYDVR0OBBYE\nFHu+HN26RBgKQM9WYZPktObZ2apcMB8GA1UdIwQYMBaAFDZ56AF4gQrriP2g8wGL\n/cNcKVS0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDNKpHfo4DhCbbQSCrBgdpzG5Q6iZyb\nV73s7EDlKuCFuAIhAOO8l5ejpmrsZ7yInLxcK56zc6WHmBgmJZJgziTDjaLJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUDIZy31x70pW9LB81VN4SzjUB1S4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+cCCL+Zm/Rut98iAWg8+oI/3yn7FmygcoWCpN\nqtuFdehsAmMzHA/lOxgLUNtknzlwTqEtyqS8o5jQTW05noIko3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMp3kqfq6Q462RRfbVElKGSewAMQwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFdmXmo3wRc2LeerXDCCZL+m\nmyqW5mPAIGDHf5fvVdYcAiEAsjygPh005KwHEKS+Ascw4NB3Zo23xSJkXsVywFXt\n9V8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIvLpUqeGMCOKIwOkBft14jvow7IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxP/PR+QpEMDhtpeYo4NE2rnxKDtl/wRhGNctb\nI/IxtkYlIWXOMxEXflX+HW60RocAzfhomkgutNzfxptWh9GTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzPiE2hRgdmxtpnbhQ98LQYiFrncwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCRiQ8yjvXRo3lpZIAEKNt4\ndjCx5Bs2fgLB73oNkXedCwIhAP/teXVOPeSMY42MH4du2YOl0y02XRG0wdcnBxSk\nUOz3\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIULq7pzlwKOBtmOA2FMzDh/pLbJyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEmLP/DzWcSFd9rfzLxLW+jD3kAwym+OrWy9rkMs+9\nKEs3DHI00eRrJA3PO1gWkUToept3p1WKiRqEWcik8t2Cp6NyMHAwHQYDVR0OBBYE\nFF+L1r+CIlSWU9sEgETr24PLMFb9MB8GA1UdIwQYMBaAFDKd5Kn6ukOOtkUX21RJ\nShknsADEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG8GNMfhgkVjMRyM6dQVXBb99JQjmHCe\nWnkIRITQJgspAiAuXfIrSKwx0kt7DmLGW2V44ZhZo9sHoW2gCPb+AA4how==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCE/BjjB8kzefRfWSYiEUvKcZLwkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEupAtGcGlXLDd+cK48lWHYz9Ly4VeWQ6DpiIfV5lB\nLYvYD/I1LsxeMYP/UmFaPcWAXMJ5YyTrNPT/hPPdL/G82qNyMHAwHQYDVR0OBBYE\nFLrJcIRZoePAlVYLLQE1C3VVrDknMB8GA1UdIwQYMBaAFMz4hNoUYHZsbaZ24UPf\nC0GIha53MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5SBt+e/B8tSWYGnNFG0Me2F/GEfd7\nWKnvemCoZQQ4jwIhAOLW/By1Dv0fS8lI+JOoqNCxcEsv6MWf6IGeQlBCE/6H\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUYxBz8aeBdBKkObpInkyehA/59l4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAROkw3LpibF3TPHGkBhxsNpxYxrZh8HLyGmAh6Q\nD6sjQu4kk0bM78noYrLHPhM/d20orfhur1y/C+j5uILbiFByo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvfoVNDfgt2+NH8qt7x1ZbQSOaqIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC9AC7bKquqOH1i1N8GGdjs\n8vQ6hnIZZXGFWRqGhN6OngIgYYz2UiRLz9jYZDQvQ2hgAmhYjWGYcU1oKhjHq2nt\nOco=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUPNWeqVGz5mbh0+DdqPFAUWbt2bwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxRpnnbmXLqi0W0pm5VDktCgFE7Gpfs1piEojl\n2HQp2oFLNWjRAGVyHxHQ9YcXMeukV7vc8ghygR+xt46QrrrUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7toSk5PeID2v/EWvVeRP0YKIvKowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDljTbLhBv/g62r/0zRFdch\nZVmvrxxCN/NxWzzaza6GXAIgKBtgwfrlhjAVQULbxpjHYvZjwPglwFwC4MFTb9Fi\nLdQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUCmnojKSUU0uZNPCPpTk/hI0wuC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwiYOKGBOXYPxhYwKymHcxvNuiHgZNO5dNmxMM6Zs\nvVcy8ycCEzoTMPoEoDxRnW5ob3wIFwT3IUg9iiAiofgMbqN6MHgwHQYDVR0OBBYE\nFI7Er3n0JrgFVuOqPsLPRzKjkIe1MB8GA1UdIwQYMBaAFL36FTQ34LdvjR/Kre8d\nWW0EjmqiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIge/R++wm20+c7Jw02snZH\nsz7jAEG+J2LHE4w1nzSLH2UCIQDC3w1BlrGf7pHAYWhMfHeBpV1p2q2g+AtbM6J4\nadWdAQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUCuuo812+EhB7UVf5mBIoMTgTCsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEohtFwoltdY7G+gRVSmby0RzYykpFHtSFQ/jiTuKJ\n1xGiMa6BrKIZ96ITUTNv6w7yJA67fCGm56D4NV3UJW9HOKN6MHgwHQYDVR0OBBYE\nFIRLq3eX3/1nd6sY3lqd5QGf1UOeMB8GA1UdIwQYMBaAFO7aEpOT3iA9r/xFr1Xk\nT9GCiLyqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYPBoqzK3ZPzpBhvZynfN\nOAnpfn/mnf6ocxBaM7S+QDwCIEDRyvkqA5gd8yTZ4YheDLqdn1dPmjjnRO6jwTiK\nNbe7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUWrYakY373oJWViM+lZv2b/W7kWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQPPShEoglG3X4m67fIZnOTVIz3D8b6znk5j+/\npZIaCmujpW3xv94fVWknvB+MHrZlKmpJ3fu7YZDnPNjdwxbao4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSvTuC8il/dl1rQY2+iqdTBhXyrUTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK5X\njxchdacaiQLbBAzQOxZ/ZusmyRMvMilDPMAZFtx8AiBO05EEeLKn0K6macE3hNVx\nE8gBTC4308k95jos69KkUg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUTv81bGukTkg6cYz/2o7d1wXxGOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJgpEmsCk9aFuzXmUuuPc7VC4ufjayvjs4pond\nxY14mQAMLo50YHhVdgNwZCJwoLThqW12oRO9AeojsJdXVCseo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSjEQ91rqgNrjyhbSp0vII6EfkyTzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgV1iM\nlCKGuZoBI/Q+4HgB7QYu58spTx8MiezWyNSSG8QCIQC3fvt4iQTguIeZou/6VXSs\nEUxBH8ZBb4t5EWtYfaQTbA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUSNyHqrA27YqyT2ja//lFg2fQb10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUR4V+rVl7YR86UbV9x4n2R6I8SJeIYasKoCFKTpw\n68iTD6lxutvToTjpA4VhgdsdjF2XxsITjRiMYZxDaJbqVKOBjDCBiTAdBgNVHQ4E\nFgQUqOdLi3ekIIfWNJjPcT1MpdRiD7kwHwYDVR0jBBgwFoAUr07gvIpf3Zda0GNv\noqnUwYV8q1EwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCTHO8Tk/l+ADnpo1jX7c03v9T8jtZ7AdbSgA+6HwpFvwIhAM5siYWurVYV\nmDB+eX1kg+fTGjkvrXsHa2eGezQ0gX/O\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUWg1stlLQ6k/jqWVGBt6Y4G+B1X8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/cKAVzB5fb17N5POxtyjZRWRHjkiMP6Frl0MJnTp\nbjjWblpFx/LbJBVRXe9wwnt/tNBHrecKT2uR7Byo/TRBAqOBjDCBiTAdBgNVHQ4E\nFgQUJXqXFI4JofVderNmF8OzS/+QY9YwHwYDVR0jBBgwFoAUoxEPda6oDa48oW0q\ndLyCOhH5Mk8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCMu7gYL1gOAEFozQxL5USs05iA9BJIXElBdYsVrernUgIhANQbGr3qnNJ/\naURyAVTS0mCJ3HmmCu9w6JwUrP4XgOcW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUdhFAhWZUHL1VHpuHU6nCUK5QbC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+OQS8Iiw+e2v0gXNIfY8vjMPPXvwvXa6Z0z9K\np2eutu4lRpShIe/tb6OUIHW0DMqgRhRKSWVg4jAAvWx7M5E9o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuHCOILTlOiM3pUWiLyeHJTWolAQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIE9VZM/TiBEBiHezFTeNjJlSc4bK\ns7Yk1nRsYH35gKTPAiAnk11PEpLCaUxO4CEQIVNObR8OmAVfmcB3EqGJjPwxTA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUDvS1MJltTgT12GM067cD03244vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiaPHWhqclndJff9qqvX1xAzu9zUWcLwpXkjtj\nCfod4A8lKRkqJ9VHtOtxq8JmUke9U/7+nk1Yr84gOl6tnjbto3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHpUdtDYE8Ul/j2obsti1Rc70Tb4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIA2DRRRPQ/iEJnjJPgvoTPUtbSoe\nc6otgcpkNOp/8wVcAiAgeN3z79KMifZDvX02j1RWZI+6PyAntrwqSpRtypqSfQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUC8WdJu7ZIEngeCeKXxvaNyVyjCowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEw1KvYSfwPwoFKA72D51Cl7Sa7wgRv3Q5WNjZr1zr\nS3EMh7NqFVpcZB/vSGcAL+f4/ZrAZCS9VSjZ1afBRTKVSaNrMGkwHQYDVR0OBBYE\nFNtThJLKxh5JUiseEBYNvIKurxQKMB8GA1UdIwQYMBaAFLhwjiC05TojN6VFoi8n\nhyU1qJQEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgH+YgQNGCwkRdx5ODFOhkKZhk/rVNWazw68szwVpq\nkMICIDjJbHji8w+5MBD4NxhbwQinwswsOqpbep03KtlktyTu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUd5A570/hF633EYIO9QggfNAJ69YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZrRgnG/K0indN0WYTtpipp3NyrqER9q+6J5mRKx7\nriYF00JtFrUvS4WfjS0c1DmoXthWHqpBoPLXN+YCZ7E3BqNrMGkwHQYDVR0OBBYE\nFJDAGU2XCbIAh2O3QmUqIiVdxxWaMB8GA1UdIwQYMBaAFB6VHbQ2BPFJf49qG7LY\ntUXO9E2+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhAPzVPv7l+pR9i3G5vfjRQGVP0k8XlX3/pwbXvSHL\nH+gLAiAZEDWsU+2/yTOtibuUyad8N2FoHJK66BbD+aE8+Dn1Zg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUIPRV3Syy4PQI7mHpkKFNEfEZmlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzjxh2oikTZ9d3CFt119L88hucqPTJdkk6C1k9\n90FnYFabeaGEApysK7HW8QPvze6R0SjoXw8DohOqc+o3Ulm8o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT7b3mGbrr7zBU8TYFDuX8C6Zg5IwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDGFjAe3zAKTSSOE8l33xXwsp1h\n+NmDPw9gMr/ylVB0UAIhAKOIeLOzA8GnKF9gG7gcGznC+xUj7L5G1Eu2P2DTCC4X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUYFupI6mBKN929H62mVbBPGnOXjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9+8PhNQA2FcCK0dPArjAtAyJCZrjvFi1IGlAt\nWLd+DrwTw6sZOHZPXK4VZNOD3Cu3RSxVJZvknEO3bK0qIvOJo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiqh6Ik9c2iP8zIElR6O5pfojGgMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIDIqV6pdnDTKGvkYDAsWlihRcVE/\nlLVQhylrVlniM4WHAiEAnjF86KGqc/U4uKL50YmtGSrsDyZbXTWRLch4uC9XlRY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUdJ7bfe3ZAt0AC7Rc3ZVFdBOxKHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEsD1f3cuiIlmEnM8y/vHJ/1ga6tPxasBijPFPAmtP\nOQkbmRiUb50rN9RlxTVPenaJl2QmLwQzemxe6Giyfe12taNrMGkwHQYDVR0OBBYE\nFOzvIWtIWTOZC/v+Nv2JGyTJvRLsMB8GA1UdIwQYMBaAFE+295hm66+8wVPE2BQ7\nl/AumYOSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAMAH/Evw2+jKQ2G33NnKWmqwvSgCnK3UZ38vxRRg\nQoGSAiBZ7Fy3CyqI5/9KZtQea42Ovi9gh032zKDJO/40STGzXg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUKVb/eQKgPffeZvhTNAr1XCh4cG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtXxrYSIXvbSFTM6xMkt5Gfv3FBLWa6va0F2Z0Oy8\nSQc7Looh6NHQjXOmJ53pu45uSsNtw0jzQnq7QqnCFxDqxaNrMGkwHQYDVR0OBBYE\nFOrdBstUf1YZY2AvWzSqRVIojkkEMB8GA1UdIwQYMBaAFIqoeiJPXNoj/MyBJUej\nuaX6IxoDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgbDHEfpmX6DrubEe5pAMkAWg/drQq1Kpq0JAerU/H\noCsCICVmK3UPbeUl1gjTEq6P+hqI6hIa02lUqmLustMPrQ6I\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUBSQ9OffRWejOh6Hj5VEz5O1nvdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQNIkdqKba48OOcp6bLCqs+kq4FgHoyphqGrCV\nuUKoX7yHtBGy3w+D2f2NDaokekXM48dh3yG5DO/V1ipTg9M5o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyIk+spkGJpnUVkaAS0a+TfT4NJ8wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCmmMHgDeKRAn+fiSwasn/3AYFZ\nPktFjuChKkDx2l4I9AIgQZmVCerPDg6/mLA4QMIvzTg3RNrT2HU4A/Acq8hU8Qc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUIkqtG/iwK1TsBKwr8sstrcdG3DUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbdUJununqp/xMuoXtuE5NenMqE5Rw3tRyjHUA\nQYghjopO/yQSjREEuLLFEtRAwKj+qrhx4Ok7VPV4aCgfKUSYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPRYE9OnoaribFJaxVuzcczOa5iIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIF59PjGbu05dm1evgMuQnocjP9y+\n8UVaIXleue6DuV78AiAtlCQTsAqKC+Kiv0+LcYSfUbTx47Rf7cD51/TGtU7KPQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUeihLTWQ9S7n1a1Dns1UgEhhFhAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEOhzP+fLEFfQOJp72LTc5Clli8/8cMDFpyIM7djV4\nu99T9/OX5BpLuPgKuL0uGGHd50CmSlb++0DvTCI5vTE4DKNrMGkwHQYDVR0OBBYE\nFC8Kd85uIfA9kVXoYAAGLH79OHjoMB8GA1UdIwQYMBaAFMiJPrKZBiaZ1FZGgEtG\nvk30+DSfMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAPyS5U4+Z44UuTo/Z4hiEKqvSzaeIssu4WCgpAk3\n0NUIAiAyOJuvO/MJ04aGv9RPxlW8/aFup8uAtvq9fULPe++wPg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUAxZUskCScHOycnpOX/DyAjeZ/10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6SpPyOgsWIntdIUjzGifNel5EEb/t++UGe5IuyDh\nWZS3y3xIXQwcE68jQBv/TvTCtjOw234drYgUWsOYFarAyaNrMGkwHQYDVR0OBBYE\nFKusE4juCm0L6SlLDbcMDlKphNg4MB8GA1UdIwQYMBaAFD0WBPTp6Gq4mxSWsVbs\n3HMzmuYiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgSe+M/BdIx/DJj9deYMx121E1entPN02UgqzpZypH\n7gMCIH9Ri8RPWmXutSAC1j+MTHxfILL7Dt63XKnhjXTI9ket\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -799,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUYXaCo4mGaC5GbtJgHi6JncYMz4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQX/xCXXCzeGTUbpwhixstgmvGgb9hJkKm73Gn2\ncvC7QXP7jnlkgHKFDlrb5L/glgyO3QXddcHGwbuG5Mabfsq3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUL4G2jZ+U/mor7xcICb65hvCQXgEwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO/sv/DVdBzBBFSG\nD6sVpKT0kOXGUybD09dX4VSfB2tiAiBdaK/nlNSsqZ7EJUDg4kGThnp1vb59JOKt\ngXJuTf3jHA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUEVy1h7NAv6sxgSCmyBwnNIJnciwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATn+TcilRdvivBjZlLPM5aJsFFbkZJDZG0RNIaq\nXkpBg1HMQGehrb6bJ4NO2mZdErmfl3NKPsoYDMrzt+qnNB3qo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaBDYlhP2lNBrYxnmctGwxitBou8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgMzjxP+vMw6qfL7mu\nPO0iv0m+ywRmpYdh7zV/IrLLWlkCIQCPCEw8zTV8XW7Vk0QTJmCrsDWtCPLwPFmT\nC3Kf//1gjQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUD9O1Kntq6otNJ983YJphikYCeI0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE/XHGJsIcRcLUv9uFru472NHRdTesayDORksm74yGTnNjN8D5\nsOhYMFRUm8NNbCn92r7WwQ800+AiRr5AMAhxg6N7MHkwHQYDVR0OBBYEFC9XBc51\n3zFY61h9Lx8DbsK39IqGMB8GA1UdIwQYMBaAFC+Bto2flP5qK+8XCAm+uYbwkF4B\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCvTD3aCPHevAdHoWydQQuExrDP\nby692Y0kNZPjMnr04gIhAJBzMdaMhXzmHhF3NrIYo79psXiqESYkIWDCpvcQpVzG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUJiNecWXHuHsRl4iyktCHEio36SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEoi9BjzRrcciIEHmtJP6J48e9/WruJP4ZrHAdA1dSzgWsmxLD\nQp5IC0i1d/kElpLtEsTV9PiNSdvH+o3uZyTb8KN7MHkwHQYDVR0OBBYEFLjWEaeJ\nYcHihHY2Esd50F9m4eduMB8GA1UdIwQYMBaAFGgQ2JYT9pTQa2MZ5nLRsMYrQaLv\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIHhgfGuT0uHEK5WLuhMpu6GdQujs\nwcxYgFJca/0St9x+AiBlRW1MZsoEYqn8S6+KCzWj/FwpNoTEIYIO0/yLeJml+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -822,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQyknugQnYhv61gmsXMo3uTEX6s8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgZJv1Yi7J5HKZoVh/8HuFwvp72GbN7vDCH3wc\nk1k95KJdgf6SIrcx0wlBqCuSxdJza4/8heSlHGkVthD8Xri3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyUSUFAOGR57CW51Jd1ugaE1LSmkwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALLenxQpkriZ+8hU\n1MbHDWZM/h+jcHW1No/fyQW5fSkZAiAhz6c5rQZ86iX0yCqYTRXTAKDn8qCHAT/c\nMvqrMnp+1Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUYs0ix1CHrGLe2faf0jRvYw4ENYgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLo1HI0EGMJ+XS856NXzlNx3GGs8XqeEnR9PDl\nFiS49Ec69lsMlnewzUWMe3lQUQ89GVypDmnA1HEob4bVzM2Yo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUagy6yxwILwzjcEGDCiwGBqQYCPUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK6Fbw6an7hoZvvJ\nSnpM/V3AJdohhVnzuodUxF+IwgeGAiEAzAv/zgQz3q2WXkqXxRiibw9XaSz8X3be\ntBTTDRs4VUI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUTdRwuUWSnJ84Qe0/SQko0zkJgwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARIU14D6PnGh1Q++AKaKF/jssiw6zVNl06jo275I1JCEKePpEeevMrr\n78OgadTwMPr1EK5pfPsZdck/1tlCAz25o3cwdTAdBgNVHQ4EFgQUY5IuZeu9HE0t\n0LcWF5SFzt3oS+IwHwYDVR0jBBgwFoAUyUSUFAOGR57CW51Jd1ugaE1LSmkwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEA2r/n4CsrYtopq7qKK7CQOwxTDVgWtnHookiK\nh8faOo4CIQDFfUNuTw97sLZJ7/Wg2sgng+dZrjC3WpK6zjXMfju7Zg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUONLVu452pR2F1Nw+0GOnchoYt5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATTXvCgn5dpLvstl2/uoL/YAb0N5uhdymjeu3cYViYHoLdITP9w3TDr\n6Qy9lJwLWQtbWjKhGsB+0d5CJLMIe3oGo3cwdTAdBgNVHQ4EFgQUn5iER81rZqjL\nYRWg2haOtMloirwwHwYDVR0jBBgwFoAUagy6yxwILwzjcEGDCiwGBqQYCPUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiA+DD26HSXErv/uIaJS2sykcFMMzuNqw8ye47ut\nZaBOIAIgA3gbL4Juh1tohED1ueGU+3Ma5AxONaDTJquC40Y4mW4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -845,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUG/cfqKjwkcMj1CdR2VTe22rNJ9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvQnz3xfopO6WGH1lnuhVpe5B18DlhiS0Tcr8t\nwsaJrUknlhN9V1Kw4UhfaaRtJ/Frt7O8qs+LfFzEkF0baFNNo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0RlC/oy80wM/AZqZN1bAQX91zGkwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJQrDjHAP89+m4S1\ngESifYKZ1kygYcLb2IAcsY+w3ODLAiEAkNEN01jWDlLHo461eixuZs9JRSfmZ4sA\nlNM8Z3sQFBk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUBmYEb2Ntv+J//+oyc/vcYe1t+PAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1W2djxrPfVEr7rs6lM3vlL/vJ9s2SKlOoiN/V\nWOez5I5jpKup+W7wvOXxfyNAW1JE89Q9RdELtTQg8HOjpnlBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf410uleQxgN+aWHFlzjD3cjEZMcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXMNrtb2imiOcLlIX\nb/sCromUAw0Qq+LV32QDsEAPRGYCIBV3pFUpllzjIAi51H4t3Ttckp28Ql0fR+V7\nRFxDTtZI\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWTM8dOsWfqfAhSqeIUgbgzM0E0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARm9BBYq76srskog644PE9SpoofZ0Fi4pmF6urRbhJG/Cg3uCpqxZeJ\n3QjIGVGb9TxQLChi0IL6o30fc0IBj9Lno3cwdTAdBgNVHQ4EFgQUk1rwAtMLZm0i\n3uzQb5yfHSOht8UwHwYDVR0jBBgwFoAU0RlC/oy80wM/AZqZN1bAQX91zGkwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiAc6LIdzpIyNLbVwJm9dWMYxImCJqLGAHR28dML\noYMSFgIhAM+VE5e3hu/TgnzGBMvfkmYuSuvILjdH+Cpb3uglZcPB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUMXngpWJ6tWxAg7EKIMHa4E6MusYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATXC/M7nySgknEyOEKs7oX4PKoY7gQZgpI6JDrapdujPL5o0zYLVRP/\nUkEn/8ba+EJ0S4KpBm6DYs57uMZZIxtSo3cwdTAdBgNVHQ4EFgQUd3RtnLEHtR28\niSJuQ7i/2W4Wz5UwHwYDVR0jBBgwFoAUf410uleQxgN+aWHFlzjD3cjEZMcwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiBqq6q8cxMdPlEtiwO0EE2xW8LfTHRQ4EYISdRa\nkhNVhAIhALatbSqvNTkkU84EDoL/3VOlX+4XWsdmYplsNnb5QYuQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -868,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUViEHetWrzzrJEZ2VWiqz4doDVM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARITnMWJq40yD5cnFu4XX+walDocB3pVNIQVumS\nrkaKHeZeth102oUf19vM8Kh8MTYKle198YTa0VU5CGfg93n+o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXBLtQ6zm06P3CNmM3HYXKpv9PBwwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgG+D/ZqTXlhxScRq4\nDbl9LV0l8DsM/9BJRXP7dkkDkz0CIQCqSrlQp+aAcRVvyRgplIYz3P/QtN9y6EYb\nmQ9bhiClzA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIUuPKhf0UFP82zOU9eGUDhTwoJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCsaTllfi+UGmDYhgqFf1Whsb8L/nVCV003gKG\nDWnDRoKmCVB4UkSfLF3Q9yJK2VkpQye1Tvnx/YMUiwwW0HA9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt0xYbc8AG2KaUSF/8DUPuIDVQQowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgdUO2Zk2YY1qVfn+Y\nj+GoKDNS4+PEOfdo/1z+AevhRdACIQD50NysPp2Boc1koRQuPcp/6nmb4tXZCu/u\nUxWGjF37xw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUCuLrDGYJdTfhC4e2nQrqGBe7fNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEEqgyZhqj8BwvOoqNIZRKg8ioNQsuEsci2POOGy6sO8m3JFU4\njWHHqDp6C6KHp/8OjfvTmIBPJ/QMz2y2Z1z3tqN3MHUwHQYDVR0OBBYEFLBgBfly\nV/VE/f/o3J87Fxje5CjeMB8GA1UdIwQYMBaAFFwS7UOs5tOj9wjZjNx2Fyqb/Twc\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgEekj18H71YTS9914rFfNNQLR7PhTRmG3\n3Ingl76uuwQCIALIohi4qGP6pwjMB9Cs3OCOAmM3nGvNDizf8aVBRlI4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUUqBTMSAD2BDlFuUBs1yQaYbT5ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEste4LiNkp/f5afUT4dxuoFTrVhaYeO+IzcIONhpd5ocZ3YQ4\nIj+F2LEgZv6NKWMUxdgnVeW0zKS44YcDSe9kB6N3MHUwHQYDVR0OBBYEFOqPwA7i\nRqSx6IB+FzISJHBsZmBQMB8GA1UdIwQYMBaAFLdMWG3PABtimlEhf/A1D7iA1UEK\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKeCcGzm5PURpPbkeCTc2G22EtrHcCAM\nc5snJ+rKK76ZAiEAwEJ3QC37kHtPB2dciywFJlXDzmCRJ3DBm0L82rZjWq8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -891,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUa7AVGJNu9xhTvYe2/RLQF/JYIEQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPuhrNpCrm4oHVrBIGvpwRb5rbpQuOdhH1t8+J\nMnZCoTkCy/7eDogJeNNFZINVxprRCjP9A1GtaFc25VoBe/9Bo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnIv3fcfVoLMyhFv6QMABcftPaT4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJsDLScrVQAzEUx/\ns21Md7cJcBhLUP4Wb36eMq5G7FN5AiEAj1A3cdBsQ0yXv4FJd+fhKcH/dI2GEbLU\n3MdhkavYUaE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVQ9HcJp1E4rlH+LwouRGY0QDPoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3iXijPkrou85tglBiGvP1nUPB7+YlcKExEr5x\n+MDk1lWVt6y5ouurr7I4+9Sx/M1y6BQv5aBWvZVB9nDej7fEo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+8TjzWFycXIDRB1zaa8nh3t15GYwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAN+pHpfucQD7Tuyv\nCXaaV7HUu0j82U1MIvbhlrrAlBVsAiB5yqsMt9D/HYkZDOc3AXBwa/i2hb8rY4HL\npd471pGOPQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUZ8JB9aEH+1pWZxQ8JHyUSpTHmSEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATeIqyE6s8JjalQbAgjT9fQEsWygva8jFPrU8YE7hFXDXOq4CKbhRGs\nkewTY/HkwP5HgKEn4+OYGO0Kh8fR0G/5o3sweTAdBgNVHQ4EFgQUYqj9KIw/08hm\nMBoHPEQ4wPUUwvAwHwYDVR0jBBgwFoAUnIv3fcfVoLMyhFv6QMABcftPaT4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgYoK9SO2qcfJiB9LGTJOYZ/qr1+g4mx/P\nnXHIngYDla0CIQCvWjb2QvFCO64pZ1j8CIqGc/+OJv6yFDBQfUIhLVZxDA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUQF2e3fBI6F7F/CYW01ZQYbKEroswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATmgvysGfXDiPsk9aiARsKchEJaNUboaOLqvoLD94lM59+KGpQOfi/M\nYMvD8+0ei0WjHvmthvgYmpfAkwUs4Ujwo3sweTAdBgNVHQ4EFgQUkAdn1allK4NZ\nhGBsw2fPkz42WUUwHwYDVR0jBBgwFoAU+8TjzWFycXIDRB1zaa8nh3t15GYwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIhAJhyqlmczqBLqJR3AEfEikHfunDY7qy8\nnsw1cpLMdkzOAiBfFUp4JFG0s2o69mUz6sJNJ9E2JdKFTTqLYpQhusqVXw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUPke/vYfEZ7XCvlrkzuZfyZHTYMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmgceoKHHyTEhNH1yYdAbdDXPf6Fkj6i8aMR8J\nKU77IdJRFaljFjXVsBs2JSP/gPNnX9O4LeoeXLdOzj7GOXxho3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFOuWDYSVmY++zxXG75v0+VUuF9hwMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkEYqH3ntlpdTlVa0\nlEsRoMNBdXw/Dr/80mq2pr3fdL8CIQCl9JldrXJd92WPpcP+af3UW8yCHsn14x6S\n1iNYfZ4MlQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUQVeFCaSbfiGqOvzsv7S7Y8KpdlAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnLTDeUPFp7sks72Wsh5W92/qpr7x1y9c750dl\nmLMqOa5FQZ0zbMDzpVaY6JhCFmNAAgkH6GjShMBdZBZV9N3Vo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFGdIAmRSfiTRrFvkChO3f+Rqh7dPMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/Y/0qgOvXHIm3xQz9\n0hrrR+kPt0FRAeJ+V6dU3QR8owIgCiCT9LrJF329m2ZKwHNi6Rq0yBQOFY3/xoSb\nzMAJFZw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUA5gf1w945riLW4dRt6SL5DRjlqQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqp/kEpXOlFL3T3hS45CYHPD4z6VdfooTr5Ibq\nxX50VP21NuMNAQh8nf0EzS+D6XOYipJdEPyLxLE7+75V2NDxo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU65YNhJWZj77PFcbvm/T5VS4X2HAwHQYDVR0OBBYEFAu6\ngX9tH1NUUhwhEBCuSb5bxB8YMAoGCCqGSM49BAMCA0cAMEQCIBSNglgpthL4O0FG\nJIo7cBCHUqe46DVRtL9fWSrmEVRmAiAFkl/GE0uGyoPF5bmkXUmgTKUyV4nc9mwL\nuzUQabQmEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUNwoeDwXjHMVLA8PAtp53cGaRziMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS45YQmyj1yVqn7Niwu/g17AIIdaO64odEp05Cb\ncVSWHOhoKBbsenaadob7o9gugfMQZphIpDIZwJ6IuBtfAlnto3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUZ0gCZFJ+JNGsW+QKE7d/5GqHt08wHQYDVR0OBBYEFE0l\nS/u3yTHfoJxkWL+Fu55qoUz/MAoGCCqGSM49BAMCA0gAMEUCIQDNqVihZ3VAkkqj\nJGPkLbuLiiZpMHBJeM7MoZAbibbBqQIgWjzp9nXK3KJbh0Z/pLXvZ26FT1ormcSL\nGA08B0vMZwQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUN0WFzLAOkPQjcWfiOO2L3vVeFBEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEc459iVBvmvGjM7X12MO0uNl6HPSGIoDm/fTIwaDx\nQ2BmYpbqMAy5fpaCeseBsTKayQvc9VVi9rZrej38FWEjLaNyMHAwHQYDVR0OBBYE\nFDQN05Yo0TehKOELXH/ds+fx8QVeMB8GA1UdIwQYMBaAFAu6gX9tH1NUUhwhEBCu\nSb5bxB8YMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFqxE+68nDx1jgL5jpCGgtjoaFutcMyF\nuiXBr2PhFIkqAiAYuvnyJgOWchAs1uaBpqer88kU/VGws3h2mwKh9/xahg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIURe0/Cr4KffaPRFdD1w1F+LJPnDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEl2OnmSZwt8iE62pnYyGTuejzXGEJx+qNi5nMLngh\nM5rIWaiq787HUUFijw4WcqAh8mLnB/CsbfY+TVrYBrWn/KNyMHAwHQYDVR0OBBYE\nFAlQwo4ZslS/zxwN7rI7f9t/d7hfMB8GA1UdIwQYMBaAFE0lS/u3yTHfoJxkWL+F\nu55qoUz/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD3xVz/fRPGCON4XpNl+CGm/V0hxFQ5\npDe6FFGvTfIAUAIhAPo6uPidox/bpWhhb1HaakLLAGTg4AmlvcWIwUJusc96\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -935,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIURlC3pTAPh8p3ZHJo0xAj2OOVOCYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcwv0Lt5Z/LtX3ZF/nOi1DbP1syokGMShGIM+O\nVQTWU8Vr5K0DChSePc1I70mzbLw67WctooAXTJl145LffwPBo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzP++3Fazj8lCQuUJDE0LvOFMTS8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDEGywvoGNM8xjettE6TQNZ\nBEeEcHpTa2AXI3p5ziIHvAIhAPyBslhg77AMI2qEXDufm69D0X1CGXFzMnsccDAz\nuTT4\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUF5zPFyptsvJqPXotnLM+xg6XLjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1wVoLT6W/RNAnr7wK1j3E2/H0qwa9oRJ+xU2y\n/Dhj5dAhQTeW9lDMrG1zMYCr5wl2iVGDk/zUT+7TnI+QX6cJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEAnEaK8VJQFs6vDnU0jrhC5W6/YwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDy1HXNAvtVWN3hw0qcvTuN\n7fUI0WHnUC3QIIDi4ug16gIhAOLUX+62g3urOLgUNU07y8h8XmADe85Wjd3+k7pX\nTh0h\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVqgAwIBAgIUO+lQVdosWnnMHEhdwlXaNPkl9sUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZnmnn4fEKXMKOHswU7tuH+dTgB73JBrC7Rdq9\nFCAW1ftIwvtL555h/66vpp0oQwxVcZyWccyUzUTfHcls5fXTo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUzP++3Fazj8lCQuUJDE0LvOFMTS8wHQYDVR0OBBYEFH46\nZWz6hNSj6S/8LhGqQtx8YfENMAoGCCqGSM49BAMCA0YAMEMCHx0QRLnzecxPEXVf\nCqt/ECTXUEOCqcXza6K36jun3aACICrfXwvVHkPYGUQ82h1RZKT4CeYHhiLX8aCl\nyrdcT5Ms\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUZ1OJo4QkLoY0mgrVrNuveyYUC18wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzG8rdpZ/W8fj3XG3TJNWOTxeA1f4YB/oc0/Z4\ngS/x7tdHGfEiPLi+0WisigxUa9Rwj8pHvb5XQXdDMtlr7lRVo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUEAnEaK8VJQFs6vDnU0jrhC5W6/YwHQYDVR0OBBYEFGNd\n5A9YvpcCfkKuRdY4P/v+FX4vMAoGCCqGSM49BAMCA0cAMEQCIC01rwbt1U7RcYbX\npRT65JhNcf77uci+t8rM6yt3xpx6AiAXKBesIXByTDM5nUpCyAvqsu++QaHfxzLz\ntAZw/ICSZg==\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUJ8qh73HUBp2+f1GBN66Opd4cj3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgc3uiGVcFZdfXQkfkU6olLL5g4jhyMQjyZu0a\n6l+BZUwVaps3l2sz9jw/7K/ff/upOwWN/SZ3ljZogTzhBXaZo3YwdDAdBgNVHQ4E\nFgQUNYes7GII1fhN4/rTNiR9YXCqHn4wHwYDVR0jBBgwFoAUfjplbPqE1KPpL/wu\nEapC3Hxh8Q0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDECE8wD1XSt7a0eSc0H2BR\nIIu8hUq2RrF63VsKKG8aPgIhAKisD8CRTZq1FLg6W5siPNFHGlv+HKcfyFHkn3md\nXomu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfxgO9MGvC3oh8PXcwR84XmEQ8MUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARN108xZe1qddKnfWRvJknmdOdVu276x3HHCMME\nwwANWjOdPVeAnwWcNZCstH39YlwmC8wEst7jj5oJm4NzTywYo3YwdDAdBgNVHQ4E\nFgQUg6D8pOLtwxb7UbctEVwROJh3Gx0wHwYDVR0jBBgwFoAUY13kD1i+lwJ+Qq5F\n1jg/+/4Vfi8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCsu5P7DH64FmEcM3c6edUm\nff9yYgJCABn5qn4qrT/xyAIgXi2wkg+uKnGwvo4ILa+/qMsNyGeA8zoC9NUwpeyI\nhR8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -958,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUGEOlzXtVGvM17Dhq1wIrKVt8hvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBOGTBJ2PeAV23MAuaXnlUn8gz97OX1XAwJ/2d\ny2VpkjjNIr+ZAlNFazaW6oocMOy7R52mGD3q9amvCKm9GwsDo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRqJ4jXUexAihq6gd5n9GglbfNZtTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBRTBQMrasAyeTLlROWhZBCyk0nc9kkpGkY3+KkyBLiMQIgeVweUf9f+P5JkgX/\n48bHDdw4miF3aRb4tpyh1Hv08t8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUZWp4xWiY63rgRvmZg8ZzdqKobJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEYyPmRAzkHvCAZ8MEDJSRZy/y8DI1SD3alZFa\nBPcNlL2vnGJtLP6HBILNG2r8RFGJManFhdxhaonYOe6hqxOzo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQYdIEm4Apk/dOBusUV8kz+NWhLnTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAFgmE2COeF3+IStzhJbZrtqNhadRwTUOVndBRnelKsNAIgdTcssk5Pe9k0j6WI\nVhImvhyquOIaHVm3FcKs6nXiixE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFP+FmO9z2bF1pl69davWK1Lv9CYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYy+3lPGypo4g2+pW2v6RkW9KPyvRXS7uYG5XcYNS\nQCcRlJSGXF/9Tyeg0XWqjjWKjJk4JCokL3i8LX0OKL8H+aNyMHAwHQYDVR0OBBYE\nFMk3Dp5CqoLL0MvDoPA38IOBYFLEMB8GA1UdIwQYMBaAFGoniNdR7ECKGrqB3mf0\naCVt81m1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDiP6rH95PJEQzgBMiHB6xzanHBPj1X\n7JywfhxOH+0G/QIgUikGOGJk9+/pzQmt7fSNoyKpWv4txK+8LTKTz1SYctU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUdRnOi+j+FA7L/60I2gIqdLZea4wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXAyywoIWFqGkZ0zYsxMnlR9ov8qMQwuAXO/zf+bg\nR3TVaJxF1nRHrsuvpQwP31DJXOIG1alJVvcC+9z3UIV93KNyMHAwHQYDVR0OBBYE\nFKb1LnuRx1VEueXcul4ZZEFq1J/MMB8GA1UdIwQYMBaAFBh0gSbgCmT904G6xRXy\nTP41aEudMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDEPzWDsujpUAw5LW84b6dGag0DHAyb\nJWx7n+os6onGigIhAPZLopQQhFFj+FF8dyTp021PtlgqpMmwa5XKJh7ik8zV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUfh1OVYqjfwEdq3rQMw7rASKp0eUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzdWNPiWtt+JGr1P+ivXDLTxE39NaldWXRFJbT\n9wcYz06xzKM8kbVz2RlyP0fXiKTjUlKOSn/WMT+mWWsDg1llo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo8wp2s8rLxum+MPGmjSz8b4guygwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQD9Dysm2icAUh6csHb87zvg4T/h\ny+zJlltE3zgh3g1x7AIhAPSsPim/es0Kd0IcQQoMSgTADAxxlsobly1/QAySCZCr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUAcG5W6xckc2kzBVGm+9fs3ffsDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrXAYqaxsIPPsueSiso/bWe8FYyLH5N+a3wFPf\n5XyIeN0RngXCWIg0GFTy92VCUe3MvQUX2JlNmmCOvRgUKLpCo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIWUamPrYWHZxhutjVWvWM1/E6zYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIF08sllAOmE6U5WT2xeZcjNUjkls\nqAbhVeBgLTRg+DLvAiEApnNJovO+MwXBSIb8ZfOXn+5dW+7xZbtyO0oZ6cyH6Jo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUC6qvsyWThq2Z5tisozAUcVZTtXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEAxbauQKQ73B89aF+8bLFLcUznxDDLDJlMCjPv//0\nc1jSBm9ICPAvbbuEWqK1RNz3JWLoifrYdsZ+GY6Q7n3wPKNyMHAwHQYDVR0OBBYE\nFF6duHfWxhlBZIqhxIW8QwkG/nv3MB8GA1UdIwQYMBaAFKPMKdrPKy8bpvjDxpo0\ns/G+ILsoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLAj6E+Gzl+t/LxoeFU8S5c9yyGLId\nKkCR2XWISP2wJgIhAMhwb+6fwDjVW2XmxOFm5t/3bwv7Ti3Wq6cS9+7KBtsr\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUYkv2rbnNqC3gS9ZiKRM7ARcbn5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERlUFkez8MrSIj8Mw5hlBH3O72f9dPFmyW2+7Qyan\nFSU/N5JgGNdIBIN3nkkOYiuPFuHyzHFLdaOoBHF1OVg+r6NyMHAwHQYDVR0OBBYE\nFLFQG6AJlsh7kfg/jyXlDZULVJXOMB8GA1UdIwQYMBaAFCFlGpj62Fh2cYbrY1Vr\n1jNfxOs2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCSM9Ysk9lqk/Y9odIrWdszlhTqywuE\nkI0RXt0DpHZTFAIgXCd3r5hO106nGB9mKJ0s8VKb4rPBuU+cNe6H8qWdM5s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1021,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJijWMi8gTo707IUxrYn5OXoF4R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCFoXzDMJlML8lfdzXfMu+etScxVDPH5jSUYYO\n56Or3D4U0xHHPvbdJ34RwSSt9hHh7Zc9Nn/FIb0qp5bU75KPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzoH+SOn8GjD789jWgUse6GdsdBwwCgYIKoZIzj0EAwIDSAAwRQIg\nWxkNigB1rsf6IG+9ifS3/Bf7cJQHse6Fyq6ODdwg8m4CIQCnVG1uX5UpzZYd+k8G\nLkmYNKYCAYBv0VMrNat7myR2hg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUX15AljDZxEsrsf4R+odnMtKNwoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/sZLc/o0Fi7tMgL363Nk3PQnxfx4PuDsIH0SY\nrVlcszzTgu6VhJSTZvtodb/4A9pTpyp16GWimHDXzeSpI1qdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUve1h3bd+2IYtDzJ3f1IgkD9ajPgwCgYIKoZIzj0EAwIDRwAwRAIg\nTVkwiIdjt6B2+kET9Q3Fv/tqq5rmIUI2bYobThed8LwCIA+rJcJEMOWjNq37YAiL\nRXjeeuQWzPqlMQLktJt3tHk1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXmgAwIBAgIUcPxpn+/WRE0CN+xBydabkXao6PgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBLZ7QOdGS31aBTgzt7nsblk+GsWXf/hUPwc9AlFi\nFCyxWVMw+mp0P6IUri05/46vruaT8V5zEd34O7VXM+hSEaOBnDCBmTAdBgNVHQ4E\nFgQU8nVSva/+FepWLOi8tRADqbsDFZcwHwYDVR0jBBgwFoAUzoH+SOn8GjD789jW\ngUse6GdsdBwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAyKqHK7h6egcRU8KzCedlPCXqUxzukZoRwTNx\nbC86lG0CIBaO980+ZUAQEmxYSo3YjONRigpGkEEYLs5xWI2CR+N5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0jCCAXmgAwIBAgIUCSED63GNJ+WB54nfE6IOkUCrP3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwhlEGhijAPCwIooJqwgwJRwDAW/hQgz2bDriH0Tk\nLsSVurhaOzxkCuqOaoa7LwHyFzLlEoH7lYolsvlguyVs4qOBnDCBmTAdBgNVHQ4E\nFgQUzxqWAzmRQpuIs2A6kk9zBJeCW+QwHwYDVR0jBBgwFoAUve1h3bd+2IYtDzJ3\nf1IgkD9ajPgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiBK15mGJVt8oDLoSIAzPN3KKegMSxS2+vPivXfX\nSAg24gIgGKlh7vKSUBDyWGI2OKdLVQAWezPMn8P9/K9O4/+6N6Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1042,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUV4G9+Osz/PYyXsgYDDmcQhEVCiEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI+mGyotxAYDes2pD4VoQShG9hzeHy+GOKhHjV\nI1HpizYsveC9tdneQz04p/8T+PBIbbJ1w0+3UppnZhwe42QCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMNH8aF5UtNCLRS1YQ4WSjAgqNZYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPIdtSJXvKgsdMGZtrS105d2ALioOUXtpfrLo/OLxtsgAiEAhU/IFvI5UG9z/Ktk\nnjhSf/sK9lR4hKQ3+98Vakp9IfI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMLZ40DKtot4RrFnwydQwxLNVTiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvAXHg07SaYIske9Bly0Auu+FnSBKNA/fzC0m5\nNEczUbn4rrXj4DgkxdMcRnK8TkcYPQihbGHQQnPuGLAWpxRWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEQ/sjkBDQ6zvhQMytgUaTY6YEe0wCgYIKoZIzj0EAwIDSAAwRQIg\nCcVOfVdS+N8WUERySfuVMJSUa6fbtojIKZYH7UZ1cHsCIQCQXHAjTfSfKoIJyato\n2tJeiQw+h/kXBOVJdg9vrJwpbg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUbm9x3MbQI20Ci0IeFZXk6tPhvqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcObOHxRydAiHdon5f6vTahkM2Qg6dme0PycqTWej\nfRw2+uOuXZMnBjkGh2HraJBrEGebpS8F7ERgQON7O9dPXKOBnzCBnDAdBgNVHQ4E\nFgQUzG5zvliITVDPwNxhdbnLqZpzJNowHwYDVR0jBBgwFoAUMNH8aF5UtNCLRS1Y\nQ4WSjAgqNZYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjqDCmnWP2UGV61AccFklJoIxuXdVP7re\nlKaJjHSo57UCIG/wgFnI5T5p109Bi/0GUc8QdN3385K+dVUzD7gPUAEs\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUReL8KzGLm0XuuSlFKgfBu0/bKjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyPO33Ll/bkkfPpIuLKQa/sgf32qRpSM3NpHq8GQg\nCbGsEwlopPTWIhVKe1SJ3A69DSCIM1KuW6pUQVmkjzCnYqOBnzCBnDAdBgNVHQ4E\nFgQUnG2Ofxi8JNEhDf++1FXjdZoSkxswHwYDVR0jBBgwFoAUEQ/sjkBDQ6zvhQMy\ntgUaTY6YEe0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA4PDKTCnResswPu828ZzKBqzkiFCV8Xk4\nHOzGRHEsC1kCIAUwC4cE5dqzdZVeomUCEX30JCqWV/+2NgBB9YdtCikw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1039,13 +1060,13 @@ { "id": "rfc5280::san-noncritical-with-empty-subject", "features": null, - "description": "Produces an **invalid** chain with an EE cert.\n\nThis EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfUc0f56arPov5bqIv2Vh/j1JnmowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH0yZ8HyW1cc8DjfIMNzAuLTbCBvRsMtqSx9CU\nJM9yjsFcp0v5/SNs56n2PppN/sHlKURPrSSJaW4RwoAiOOW0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEffrycSaVOhRRwITyde9adTuyMYwCgYIKoZIzj0EAwIDSQAwRgIh\nAMtbbDNJ2nkR1u75+UlpqmYC6RKb4WPYIjJc0rUoPIrBAiEA/7+HsVLNhCQW2Asj\nOv/vxd/ySNbx664Aa9Wt0LIDVXA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYpDOHrrg2p53lHiLAW2+T3Fc2lMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8rwjfPLnRpfe0+Mvwr0hzpZ9KTNuS6X7OFH/Z\nlHQSJaqHgiDQ+hjVKCnHHveEnghpOTb9gSfFikppS/U5xb7Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqywp7F9ErMYpKbEP6zwqSO3WtakwCgYIKoZIzj0EAwIDSAAwRQIg\nTlpIq3OarsrremRlYF4okV/7eDbRoyuAe6CNfuuA2fcCIQC37EFCWVGM4uJhy7A6\nxAaokPjT0u80hf1FV2htL0l+1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATagAwIBAgIURLJnuVrNwiMSLhTOG3mzvM4wxP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9sh9wpw9\nQdT5Vqp5Mo8VtR+RO6jrnzKfTZ5QpyovhRryM+aWpdtXg/2PSM9pxePbxypnslL7\ndlyBnmssX72qv6NyMHAwHQYDVR0OBBYEFGBLZIYWXpC/RqWI9U0F4JKO0Ud0MB8G\nA1UdIwQYMBaAFBH368nEmlToUUcCE8nXvWnU7sjGMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIH/tNffYIKn1muqP3/7Rzn9V6q41LO2dJ+CEtK/kXVgTAiBw0x2LOwxZ4kqEhUht\nAa4hDmYmWUxc73zIEGbKesDFcw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUIjrAjiIdPw9ezmIBeuj9Zg0xI1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErzsHOCAy\n1DO1dLvuemHJCXyzE0f5j+B8b0+yHiSUwvvWPkBkjPDG0UCYJ/SXmfRamQGCWF/8\n7nVUypQivYYDa6NyMHAwHQYDVR0OBBYEFMJqoHQ3TeKKSkCpyGYAFOA6PJYCMB8G\nA1UdIwQYMBaAFKssKexfRKzGKSmxD+s8Kkjt1rWpMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDAfcu0sYrfAZJ8eiND3uCqhkQTl4876TQ87E9WzjGqIAIgGjQYIUOPhYd1ypZq\nSfRhF5+4bGSmGmBfC/v3HBT2nY8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1111,10 +1132,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaEvLnIHo3y+NrUZ5dwUDi9/A6KIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/r94CZ8fchqUwEjVewgj8jaci5YYAIM5Wwszj\nxwi2x8vqoKjgfii5qgt2xLRGB/xvSznZK2b++BQgoPbWUXq5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMKsGiy5oYwdrVmIVraOCCQaoZ2gwCgYIKoZIzj0EAwIDRwAwRAIg\naFaL+2ANyRJSYMnffrVQ6H3T556arDbsyTAmsu1oUz0CIBuLXC6oTjJ+r3TJxgaD\nndwzxlmyu0pjflq5ApWDESRS\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKPvgmvF5q29cyVmBfUfn7hLyyXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1w97xr9DkRsoRMGH/lQ+BjQse+WDjvOissPan\noWGFX5GoJyziAGrSnXPq6En22tWZkLOQ6L48bzmkx0AaiPS1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVvg6OXPIcE9jTcJpSUKV7wtH6xMwCgYIKoZIzj0EAwIDSAAwRQIg\nf5yp//uXq817FeG89DfV18BMpdC6lgh7Bq8Gf16uwMgCIQDrFci0Lx76OoRWma4Q\nqHz87qW4W+djBBFIyogUoCtqew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUeFq6Cg8EcNPuXMiRGZv5BByyv20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyBAl4HeVY8RKr1ce/xHT6U6b6IzMGETn4/xCWe50\nEgWw37Jay5q5iNxHZa1+Wu0+cjSByppAVtHdiA4YbyaCJKNyMHAwHQYDVR0OBBYE\nFJK6xkk4sfpTMPR//5wbDcuCHllsMB8GA1UdIwQYMBaAFDCrBosuaGMHa1ZiFa2j\nggkGqGdoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHLas44OyYJdmZ7sp+s3a+yvJxutLDj7\nKC2NOYdi7RAiAiAon7NhY17cpNY7nHtdya9kOTbxAnBBUMOeYHL/bXdgYg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUdF0SyOOoo5ySdhEFvO2ZpMvs6nIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVslr9M6Yq0FERJ+iJcOzLKS+BNObTGUFcSeP2K95\nh4QvBKsEuV/bYEqwnRwu36FdYKdafwXc6JIX5kcXqYt00KNyMHAwHQYDVR0OBBYE\nFLV8FNzXsz0A6vNYgIWcdsxsPs+4MB8GA1UdIwQYMBaAFFb4OjlzyHBPY03CaUlC\nle8LR+sTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHX/8cqeXG5PZ2L1SKQhCvgti3cHiuY9\n69v9bAt2lr0NAiAmjk19XNof3OpVFq6dKERSNxVkO+GHGk5AqQXha12eJA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1132,10 +1153,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPdB7NVbZ27+qK1b9XwZB2D4pehswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG0OGP/woPrdfQaJILbktVBvMgP1LDgbuQK4eQ\nzoZ9WPSQiIxQy3spFM0rJppn+4oxLMkNWFCemMhXdSvhZcoWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuZauLN5wsB41aqcjujBAlF/Xz3UwCgYIKoZIzj0EAwIDSAAwRQIh\nAKG7h+CR7tX4gs53HbHBqN0UpU8MxMxag4Ybk38Ea9p0AiAGA6eSEavNV1rN7hE/\n2nfWLuWEberP3v7Kht03BtK+aQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSm+o+b+Ci32aoX7o2c1ef9WBbawwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+ZvCR4F3jzZvxTOP4aXN0oh2JaiwzdxUB8LrV\ng3kii/iiPzKHdK9g5XGE7QteRGAsv1ASwjt8gHtnOcQoTMk1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbVt54FSq1Z4EvBe5n10DkT2FVpEwCgYIKoZIzj0EAwIDSAAwRQIh\nAPjH3hpIex055yd98BsEUG8kINl5bIKjRU+uB6C+qQTiAiBEW3OjW2+w5mjEkkrG\nLgoAKbcWjaF7Vj9FwQldstjLiw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUDAGbZhQV9y5q2xNSVKK234q6X08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP5dFeWtEZKeT/sB84NXWJB+LrJXO8PeNdlZHc+k4\nXw9z5m2OJ+KtqZSxNTQTxHfcktHWCVVSIAL0dTcMzujMqqNyMHAwHQYDVR0OBBYE\nFKE7VfbnROtJ6Xr6G9DAbWPUStSSMB8GA1UdIwQYMBaAFLmWrizecLAeNWqnI7ow\nQJRf1891MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH47mg+avujrNlajAsThBfv9xhVIRfrb\nDMH4rKHxGhaAAiB5EvorQuCY8Y/WfNT5sV2Gy2RTlD4z18czh/ksxa7giw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUTsuyESNShgr/MHFdlz6ThrBV7SMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEz2hUo80y9RdBzUp5OC8jooL7Vq+siauMwLGzH48G\nk3XeWIKsZpZ4zMTAZ25m75uWKmmhmbMglMeV/jlhxnubzaNyMHAwHQYDVR0OBBYE\nFPaKs3srqRtWlGfFfh4zXwn8pV07MB8GA1UdIwQYMBaAFG1beeBUqtWeBLwXuZ9d\nA5E9hVaRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDO+wTSi9ulZaUZrg0l29xePtdw9lkF\nsPBtmaRGwqBjoAIhAIfxTXnmfSNhtdeh+XDzwrphP5gT2CgxcTdM2kFJRRDS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1153,10 +1174,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUL7VNIvYiwa2nnMkDCeD9SJo+rQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNf2u5Y5+p/4U8MvpKCYUBDrkH8ViOY/ydlXQ5\nm82mdYE5OTCHlmSnLSUOOt5bP09P45FkQ3o1Gig+/eVtFPdgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzNddE+IWU42CIw1MOo6Opol6T0AwCgYIKoZIzj0EAwIDRwAwRAIg\nWLeWVlGEjbPP4WoWYa6RBYmo3APVtnEcyyoQTjRJxo0CIGInAb+U4NlrROMSeQT/\nD6l7GLVMDDxlSWaSb3A5FTbO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUqkf9/+1RmAYGG/5AwwN7z/NHVQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDDjz9KbbAMXngSn6bAvfkV9do+sYNntFotrc6\nFHcGetzc4Y+sE3aSox3S1KgoQWLUrnvfQIjkDqjQzknt8INfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7/CAYXhOcE4uvIfEesLWxpUeNY0wCgYIKoZIzj0EAwIDSQAwRgIh\nAKEL9zFH5bdXCHKS36+Zgo+J/wX3M5+ZSPYLMYyn+mmuAiEA0ExQQoX+KQkN8ewL\n7JXBPA3OuMbXoMlSB9ukvCHMEtw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUcRp9QvzAqtNtLVKC1iSlY5Qjg3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEk/Mu/9wZWK+whL9LcU+ucRfEylBk7ED0UGYt4Wfa\nT0rWC2gN/+QdmzTtvViA4nkxYZuqrGPM0C+m6FRN+ymVOaN2MHQwHQYDVR0OBBYE\nFLvNOEGdIh2h4Qe2ihUW5nzG1mn8MB8GA1UdIwQYMBaAFMzXXRPiFlONgiMNTDqO\njqaJek9AMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBo1m6GzlQIU17isTikPVOhTzgO\nRtDQ+ZhooldO6z2FRAIhAJq/kYGbkt7hq8eHoPIWxTdtNbPFD23CKqnsuAuzcJmR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIURSWjty+GxLswwW1nZNKlqtnUVvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpp6DHPC4XQFrEFzCLuuu4pw9nMPGlIgeBAT7UEl2\nVEQklvDG9HxlADPfbfQNFJBkiyjmbLoijR4Uacgp14byq6N2MHQwHQYDVR0OBBYE\nFMl4zpMaEdb0J/4ueaVCHA5u9jXJMB8GA1UdIwQYMBaAFO/wgGF4TnBOLryHxHrC\n1saVHjWNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB3HplP9vvcrCTRJRIUyvoBUrAC\nb8CX3JWRy46XJIukmgIhAPqpAYXQSFNYpOKQ1Re/yStaKom5GNUzDQBFhboM0lJo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1174,10 +1195,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNPsq/ql9EBRGpYO2g8oVy7OiHfwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXo+i1wGhtJwjs2cwYctjQHc7t0qfkBd75j6WZ\nwm6AasLY6Jbj/tugrBlzTS/aL/Znm1KXdWQl0VonqWWynZhMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURUYK/0Q0ZTagzHcpC49L4y+3nGQwCgYIKoZIzj0EAwIDSAAwRQIg\nCHfuNq4//QRwgVAF4RpNHzdxaA3/nRfMnWsjSf0Whr8CIQCRqAb1xRqDAYpfBM2m\n+sWVJ8zUUV9ovSs6YgvF8sG0sQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNsic8CCufeuGMav/65DJUNHwWq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOEt50kXfzXG++EVhEflPvP1QXa4Jwg3KeV5pK\n8Q/Snx0dZyM5Dhxvjgm+zNY46S27/euoO7fjtHdoZf0ejmslo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeVol89vC9StdzM2MrDdFd6Vn7bswCgYIKoZIzj0EAwIDSAAwRQIh\nAMNuigruvMfcdCPxvE9xDXGAsac1By4MW5WetiLhLOj6AiBdHaxD0rhz/QdxqmQG\n6OV4QRfqmRkUxWt9N/38e+4z9g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFNuNpxd22MjDcXiz+cP9I9oTwuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBvWY63JcFnMHwt5vubZDhzmrjpfcujLdbzMgZ7X2\n1CXn/8P/YuAY0zXrslwIPHsu/SKIAJTBplgxPbB673VnmKNyMHAwHQYDVR0OBBYE\nFEhBw3Nf6JgbYVs0I2CTTBpdLsIUMB8GA1UdIwQYMBaAFEVGCv9ENGU2oMx3KQuP\nS+Mvt5xkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC7AvsI0THbLZyIc3cXc5odTEyC3b8Tk\n3uh1CC/bGFfEAiEAzrt8ixo/S/3xh2C5GjZmMMaeSxqX+GLbMaGuwiITCss=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUEZP1kdG4w11eatWp5GjShYXCeBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE95Z2aFVSSeFV0gX5h2W9MNANnI+dfv8GNDCH2PVF\nUbr8Pzp6MPRg0gX+oQOV+aZ4b+fWK6fhfPcXkIFZZhKFGaNyMHAwHQYDVR0OBBYE\nFPADBPR6X0NuLk7TgH0g9YqFc6xNMB8GA1UdIwQYMBaAFHlaJfPbwvUrXczNjKw3\nRXelZ+27MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDXUx92NpXffNW509f9+T1s3Xofct71\nfdkwwrNrcX6qBwIhANE/GzrVSSV1kIn7VPt8jIXKw8ldXVX2jhNIHdjzvQyi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1195,10 +1216,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ3jLGTr+ghsX6N5vbvxgrjHOtsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATc0hAEWr7DyHASvVXWIDffA8raDevNKIip714E\nAJ8NDQNQOKGlKVfnSXyb+D6OVphXiYqmeBHRXtMQRgxotChmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPXUvgjAY1+7V+FdOmhiwSDxV44owCgYIKoZIzj0EAwIDRwAwRAIg\nERc/bcu5YrIbUrgv6m3t2mI236xcCKq9z1hVi4AV7oYCIFBlMO47ZyuBSIl+QNIp\nyfKsvO+5IgqdMvGkL3e5aLnL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUToZJ3aGxZ4HD50hJHAjo1DsAZNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmZbzNXOq8H6l1a7Y0WYY5cMHsUb40qyL7GuDX\n6QysxvJ2/qcpUNk7xNr5prh44+nnBuLNk/1eenuhPZc9IO6ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/TZ+KhgFyTjVS2tVw32HHhdJ368wCgYIKoZIzj0EAwIDRwAwRAIg\nHwJ78mGiLMZ7dqkIqoIYJzAAYAqI4D2j02jUTliGOf8CIBg2AQEhlpe7OHTF9wWW\nkoLiJXxT6f2IIMNKt89IOY0X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUdP+x9KmEyDcoJhSgIz7OY+0HZzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAECKzGBq6CHn54ZG333GH5iIWhZ3kZ7aERMdK/0LAz\niA1Is3KefU1N/eaPHUzW2GvcFx+Yg5GdDVRAuclkmkW5UKN2MHQwHQYDVR0OBBYE\nFONYvx6Mui0eMJW8FF6ii0WXQLYjMB8GA1UdIwQYMBaAFD11L4IwGNfu1fhXTpoY\nsEg8VeOKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwfBTC7ru2A6N8IlcgyuJ0CCd\nTDbjF2YkkixkoHt4p7kCIDK1D3XL3sAEvEGDnXeZBiqsTt81MCphIHxvcAiWLXAb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUatUQZ8EodWvrxxQ4KJd8WHJ050owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+9jN24eo16a4lsgTheGbUtW8yofMtQB0OSpE3piP\n3est9oIixnEBMyzn8VWe+7lFsbh3xt3/YQKCLM96n3/5EaN2MHQwHQYDVR0OBBYE\nFL0CVOHmwIpFtel2ZDndH8bu6Ff2MB8GA1UdIwQYMBaAFP02fioYBck41UtrVcN9\nhx4XSd+vMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAv4kbdZog9O+O5AIWVu0LszEK\nNuf7tYHptjd6t511hmoCIQChiV8oCdBvFaF5BWAbzGSvFjl4aE4z2JuRg2z3Ksjw\nRg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1218,10 +1239,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXlj5sX4B7y5nQeqnRMah/h0qokMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgzxmOavADoeS0g9Re5DTZFUMI74r72KBFBAsX\niV4G0Bf7d7gvkcvc2gr0a729B1WRpNsKxHCBEnsjIYnzrtJDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUd/5ORXuwizUzMGdHmcm2Vwr8o6kwCgYIKoZIzj0EAwIDRwAwRAIg\nUHxuuIzmlKIMVv8GSZa1cmHORLqURt1ja/1zNamaMQUCIE5vr9Fp+gfiqpmGyLgN\nwTHbRGkTWflF/hPLrJ8bgUc5\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZ4UBgsu/Llu5boLtJl8t6smkQi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaFrxtWE6zrENxMgGDS4nOJUkgXQwkO8PwhdYG\nblc7MlDih1uleY2NWT8Zt7dpQKrPq+DiFGamlTDc1bYWNPwmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHBuNfEvqy1oNLB7GCuKtBlzYOAwwCgYIKoZIzj0EAwIDSQAwRgIh\nAKIaXjVoKsR06jfK7n/06UtBJfHXocNCljXhf7ZRyj0dAiEA2G2GQgvRLX85h26M\nZyCUHBsfA3gj8rJKTEBxXA/x6MA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUigAwIBAgIUCD40c2QTg8AtTZYFmhQCkh2iH9cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7xKMl9FB+bNGpU1NEUVY/8MNsHC53Tbvq60HQ37Y\nVxVMZd7fq96jnqd5xM3Yy39kuXF7UGu7yOYpHFc+C34rFKNsMGowHQYDVR0OBBYE\nFGOBuu92Ne6AZuZFTTGuXC0SgRk+MB8GA1UdIwQYMBaAFHf+TkV7sIs1MzBnR5nJ\ntlcK/KOpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0kAMEYCIQDiYxIob82R9EqdxUElQh6zdN9F0W7x90Qt35RI\np0fnnQIhALcHj6kKjUmBD4NgmEmn6rRDwW5VLBhhEr9chXu3uXs+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUD7cOQ7PQz+lKqPZQz0yhIgK3U6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0GD+QjOibepj8zYS6DYomMSNqnkmi4Pw6nrHEpXs\nkzfC08dyrapWfbRBF/jd2O6D8ZG6GqTvsbBN4RAfUYCnFqNsMGowHQYDVR0OBBYE\nFCkk3HW8p1htHHCp5hRnYoXHIey6MB8GA1UdIwQYMBaAFBwbjXxL6staDSwexgri\nrQZc2DgMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIQCiM9xRm6+1H3zyH7rr6Bf+28U13Yoqjbxb9yDa\nvCB1vAIgaxNGWASyHaLz7dRVG3AKO2JPwQjihU3t5608I1enl00=\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1239,10 +1260,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIqKtbJvjkQMvFpn2sN/0nZMrP9owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkktP/ZG0RTGqeKQQoCExeR09RLaPp6LBfwnsL\nNZ5T8kBQ8czwsfho+xJY3Ae2Oysjs2QouHMvpNn1DlajW3P6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBuY7AMYf5JNhHTZoGDZC9XAxsGwwCgYIKoZIzj0EAwIDSAAwRQIg\nIAkSeKKocl3MpBcUZtS5jpT0JE8PyivbfVjYO0XfqKgCIQClJKsa7ymjbdRvvLrv\nmxQRN1ZLph1I9krKWlwG512Drg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULuPa3QbuJUJPoBonwh1Ws0BMaF4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTdLulVCAKYY3Qnt4BanG94/sqmY7pq+WXB0S4\nyQNbE3E0mmThrLugohSDJTZ6OnEES0WG9OH9dxp25izXSES2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfveMYh4+3g3CMk+8FbimOU8WOzkwCgYIKoZIzj0EAwIDRwAwRAIg\nL9ChcQfQLxz9UarDb3fCpPsWSaI/zQHRobyFXEtTsKICIAliCrt14OqvlPj4UV7v\nPBP8KAUM+xTqLtoA/IhiZIoD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUYY6PnLK2UjtastWLE2G2HbwSagQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEB45VjAg/oHadlK537gkLRcX7l5wnpctWRUNQMA/s\nS40fci9xumRQPGswe/p853a7f9oAFKnGd0YK0MbmCvEsQ6N0MHIwHQYDVR0OBBYE\nFNxYxr279Unf/7mIW6qjOXI8Aq/HMB8GA1UdIwQYMBaAFAbmOwDGH+STYR02aBg2\nQvVwMbBsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgNSTy6RWYP1FwRLsc4NvxexkqlGvu\nXd9QbK7fbLh/+BMCIAzuVahGEcIBi0VDfCc0LtSSha4IwHzI31kURXv4vClA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUT4gzMZzMqQQptTPfZ5Zg1wN2DgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyPk6n+aZ/9bN5IkUQF7EFpuIo1WrF6XeJBjMmKZC\nCzW8gbUeKI1xpCPe3DQYtE8Qr2GJexQHobZhidjr59A7qKN0MHIwHQYDVR0OBBYE\nFPnD3o+HxO+TTZDWBCoi1rkdMFtHMB8GA1UdIwQYMBaAFH73jGIePt4NwjJPvBW4\npjlPFjs5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIfHi1OJzJWCWcHTDmXXBRyJQAC+\nJlTKTkOyXSEjBOM2AiEAkBBlJqZmEZud+M/m3craLlYmEwmiN69YzD2vRAttsao=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1260,10 +1281,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS2JBYcX9r2wbQIxUB3cusOvvcUUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiwxClw8ARWhbO+7QcSyPGyBBTz0NDwOoZpnnt\nbW4A0mZaZhPjsjcoHMmkY5cB0frmHho5tGw4rktHBQ30Ni93o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0xcoA2YEsrF0H3JMgc0Wgsy75/AwCgYIKoZIzj0EAwIDSAAwRQIg\nOGHOo7fxonfGFaKMymuKBv7PwnlkqRYMAGfIaGgcmnICIQCfbXkQls4v65jh+QDO\ngodRY05+beUPebfe8Gnd4zNY0w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCqS5Xvj1F/71Qtf/JsO9anNeKP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEDV6aMgv7BTHEcRYs02PFFj6WcnCA0BybCcEu\n4W7MMRIRDomoNBh1swloVBXzFdDGd4jGcJp9Ic4sYPH/1jyLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5NdGzToJdVgXZsZ4pPxIszbbHTcwCgYIKoZIzj0EAwIDSAAwRQIh\nAOjqZ1ux/aMXCS3Ro8kd2j8y4GBHEEAWBUzsvA3XJClpAiAJF5TIvKXoNpK+t38/\nteOKoSuoNDPanIk2DssybbGIew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUPokQh4sPxpm5LGzUx7qRugErUfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEe3Avad2JxbEhDawC6YMWpNA2vrozgnv0UWnW/XJi\nOT1wYcUayy7DCwO0hdOqNdUeR/CKW3kPKjxVoRCoteXM26N2MHQwHQYDVR0OBBYE\nFC3pI1uKby42njT9K0a4nemiyBSHMB8GA1UdIwQYMBaAFNMXKANmBLKxdB9yTIHN\nFoLMu+fwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEArIHfG3E32OEaMAaPnb0eQLEo\n7BtLSXjYDccdYXRNgTICIB+PvPSUHyPXid4GgxhmXhISKlOAay4CzUXoaObymTvk\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUEKcMtsuetp5qEj4rSCHb/vIWGEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEthPWNpOP0lsmNCqWEOB3saVsQ7UN1N9pdhCKBFE/\nPwLzum6PuIT79rKFvQPCKEE35lJ9y6axzqX7PlwAUkrf5qN2MHQwHQYDVR0OBBYE\nFCWy/N0nnUeUJJEcCBkGb7PuRiMXMB8GA1UdIwQYMBaAFOTXRs06CXVYF2bGeKT8\nSLM22x03MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAcXDleiCrNKQCbN8KZugaWhkZ0\nNC6LNGVNu6jdwL4DYAIhALiinRp4zKamJjQkKaFq0of0IE8PtGvESaz5ikwp4Ydw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1302,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXks7lNqo+p+yZqP9ZK1ZBH/8+6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7anBKyZ5w0WSi7xGQv8pIxGU6jjW9UrEkwQXH\nSC5V7YV5Kj1bwKuxrldBDtLb7bpFU89pEsoDoWb7523waIIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeGsqog0URNcaQiP8b5M3p1SaX5QwCgYIKoZIzj0EAwIDRwAwRAIg\nIV6tJu+y+0+8iAb8BZesgw/kw1cIpdL9CO278zEJ1boCIG+4bTjBjEdRGR0Z907r\nqV9y7WFES8uwYvNX05S0KfhP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcG2gthDJvNMAp1aF2iFIjQBbGDEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpPK8rizjKhRXgPxtrCWy2oW9Js45UlXrp2dAW\nwjaPtkGlH5CQbA627BI+Sd7HiAcJsP29poPT7fSJWx1xsBuKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURP4Ohq0FdQMNkoa9DLKUqhOxLOIwCgYIKoZIzj0EAwIDSAAwRQIh\nAJFQgT2WJiJUT1KLULsg+yd9ygIugBFqVMVocHpYgmGMAiBnnQ8+W8l7vsZiV4JZ\nFD19bFLNq6+GtfZXVTLKa40wjA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGSWA4zB5wAPuHG2A/lo0+0K1os0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEU+CeSLHscH7z+y+dMgtyhSAkz56brZKRzI4Hq6HY\nNEtU5cCO6dFXPe8FSARhXTnpKmWmbQy7EtYyywdSQ1JFHKN4MHYwHQYDVR0OBBYE\nFOZZAsBa9xyar/On8RAyCpAzAu9uMB8GA1UdIwQYMBaAFHhrKqINFETXGkIj/G+T\nN6dUml+UMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGrauXTqSujjO2Rnx1wJm4oz\nZOIoNG7paZhWbmbABfSZAiEAmCrkPuIlRySG1d2WojO09BONhQpdIWdzs5i9AOne\nFg0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUR8Cifc+u+0bYxR36fsqFveNOk8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh7J/v9+bwb/IZ6rq2/kyzOFvXzruGGGB56Osa8rw\nVfrCoTuTW34qeGH9C1norWaOikx9sALygACfRZhLpVhwB6N4MHYwHQYDVR0OBBYE\nFAsJ9BnvvxXkBiRMrK2QJt7JVZE3MB8GA1UdIwQYMBaAFET+DoatBXUDDZKGvQyy\nlKoTsSziMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDn2JoJ7nGcPa74exk8gi/h\n0argVy8PpoWIPgBpyxMZfQIgRQ4CyFbFu2CnKUZQhtmFggv/8aa2hSTaKqkWRY5u\ni5Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1302,10 +1323,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMIN0tyQbJBAOkLGhEZsAE10e0VMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy8HtZHyIqepMVc7UDd6tNQ7Rem87kqWay7+KW\n6UZ38nBrX/2mjOdjorfqBTYkCwmlabNwyRaq7uiNeMywRFzjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU77TtTTvSlpvBudCSq9ietIVLvbYwCgYIKoZIzj0EAwIDRwAwRAIg\nD9L67MppqQt6sW25pSOBXM8hidXMpv/wgDaf1TmsByECIH4xP1rftdyjnTBqnqjp\ng2f2A03zDorjYijML+hKKM7J\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUONFlqqkuKd1sI4ix0WvpEYgwoZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoP0tS1udzGrFmFP5icoLZmP1527XdVVs0q8uE\nu0ThoezjacfkUxN455MPGhuNTNKVtjArmvJ6CkLM5b2EW1y2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7tJe5SbhTwTcoBAUvmQvZnO3mcwCgYIKoZIzj0EAwIDSAAwRQIg\nZmv7POPltuB/BadpcG6hrm30W1RUIe6jgOwUUkX7tqcCIQD9vFmfScfLwQj65LqN\nMsbmBVWrtddkqI2rcwt4UIl6eQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUXqNt075chFmmmNq9q137duVgdVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2sAp7v5GYYAoEL9VA8PStSfXsq8SSDh+yVks2Zt8\nh3gpS9OsPJWs44U06Cn4a2j3bkzj8n4VE2OavFrc2rQ0rqN0MHIwHQYDVR0OBBYE\nFF9AO+TADrdQmqEun8ZESa9GmUGHMB8GA1UdIwQYMBaAFO+07U070pabwbnQkqvY\nnrSFS722MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIBRit3J44Xi5cmvLLQ82XdbmhZff\n2rgMv4ykqmQiD74CIQDz3G/3oh5wfJKl1uKkoneGnEn21VXDXi4+gz7h/DSHTw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUWCmV+gEHpdctktCGJxxJkpZZCPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEoy3yTx6g9s1iFXja2GeqdMIgqQzPllqtXRYPtHNs\nHP9MdvycTawCvq/tHCOX26L3lYJ+xUBw4a9ebZGrRwJJaqN0MHIwHQYDVR0OBBYE\nFBXhq8Il5Aw6ZMmo+yWhS3jx8sDHMB8GA1UdIwQYMBaAFJ+7SXuUm4U8E3KAQFL5\nkL2Zzt5nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgB7h1yMQpeqpbMPzVlqQbHcAa3pGs\nlR3oc3kwPqzqgG8CIQDzj9jC6LW8LZW1gBh7YTmyk+EVhYANS3J4GT3ceBlM/Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1323,10 +1344,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFDGyTnEO0wkb49OUpnzw8pkJi50wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+V/pR7WMTY8Af7TcUy7LFRhoPp9YKhBcvSSrP\nLAyghsyDvT1IEHkLmyJH/SRr9S2IzUZMmlTgwqeu921zywFBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTRYhXN3DbE/lk0dIJOugnQ6xvjAwCgYIKoZIzj0EAwIDSQAwRgIh\nAJkXQovHn65HsTpJw0xhb8ylXUa9/8H8l+k1LWpkfztUAiEA0kAIJq7O58LQwPAi\nAwvjrAYC7zz99Vo4rEl1LzHw8Vc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW6einfxQyec59gWTN3KGOLS6pPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj+DHS7Odo2iTuJbpFXYMiJzXjJ9bUxnzThuUR\nBpLaBHqOYfX1lX+jstndakApWAq5XTXux8uREHRl7kV2u/Y7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHnWz2+TNCXsTZqof4KLPhcC/TY0wCgYIKoZIzj0EAwIDRwAwRAIg\nMlGLXlAJHG6utBQt68vMRuc/nJ2kb7UWN2J6bMM/AN8CIDuQqnyANHj8ocV226xP\nbCDFjcrIRPx5v36LBE4ySPaY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUPSvrDwP916xAIdC7/TQJnCamD5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqhxbW7Duncp0j2EjZyVSw036NK2GITFsBRwLio+f\nrYqHZ73CH7UXipRPGPWqMuCAWcGeVWyyLpIWrpBhWZ0ypKOBgTB/MB0GA1UdDgQW\nBBQAJqJ99frSLCpD3gRtSZt5w6dkzzAfBgNVHSMEGDAWgBRNFiFc3cNsT+WTR0gk\n66CdDrG+MDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnZW3kYTPF\nmSheTUUai++2D2BbAxUDgLOJrkAli3Oq/wIgOObDLdy741hpwpfX8uGIkMMNZHLk\naMCh6cFSCGRCJZE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIUVYRc8YoEnU3ClK2672As3F3x3O0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExrLtsrN8odAFsPEYT/vkmpEehbJWYsLoTGDrfBod\nxPx2zLjV56ySrvofTJmY2qg5joEnMXaX/pyCxGGy7uCOEKOBgTB/MB0GA1UdDgQW\nBBS7P496/PvIG/4OckIAEgzgsLzQKzAfBgNVHSMEGDAWgBQedbPb5M0JexNmqh/g\nos+FwL9NjTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAgBfjrl0M\n4jSfRjpr00UEv3Gl5RE+M64np1/Y7UAteq8CIQDXkdCUVkwLimAR9H1GiUFNS51K\neYwhMJWXXi00EnUNaQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1344,10 +1365,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZTQuX5/+Ou+VI5bDNZmqEspJ2gwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS04MX2eTZWCTUv45Wp+ePWZbRB4IhUX/PzoBWu\nnHBH9UrhIbjC5E5jug0TGUn4VBJjT8lr+toJdIlkV6w+zeLdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IHXwcN20HWWR+ZmiZSi7bUGbYUwCgYIKoZIzj0EAwIDRwAwRAIg\nC+s9WvoEQzUx8IB0Ycz94hZl0kjlatD2YYNuWqCM4kICIDhX9oSeGtSRMkyYlMAz\nmgEcXYta8pwO35SJZoyZWo4/\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAsZWmI61CjUgFl+c/8772zzARKkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5V609GTL8d2ErD4Z+6nzb9Elxhr8cjjIt+3+a\nQaoZynq0S9374nQgc0Bt60GBo2AE2aBZKgB6zZ9dNn/ABMAmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTklAmtgpPFm6aLzmAtfY8pqmGX4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPus5ysOOL4rYZNkpDvBjcRDHjVYST9ORQipuU80TqteAiEAodVKDPTPHBLAdb5x\nAleRwZ7tmxOKW5aS+0P4YUdhcCo=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIULfH4uKLH2p31qUbnfCnmxWXecJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEu3+BhaggSGRQM1oyxOAb9HsBx1YLSFRxTyNdWvE/\nOBRONrk9Ine6OedC8a5trjtKq7GOkYAcQxxpojj2s3TsKqN3MHUwHQYDVR0OBBYE\nFA3iGMJuXiVTw07+3Wm99oNnYJo/MB8GA1UdIwQYMBaAFNSB18HDdtB1lkfmZomU\nou21Bm2FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzZArfwV2j+l/uQzot+LXa/w\nFL0dMUM6ubw1az/cdrYCIQD2jRBGBN+p4aQvmnovfJ76fEheYMi5XQLY96LKG8yb\nPQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUOwUgjLB4eEnySQIYkF/OITiAvUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEO/x/HwJ4g55qPCRAFcBiUduhuL3enPz36v3A97tG\n2gql8OpzQFL+qWwRookBHju1n0Er77dcV2MNtMKnS22Dw6N3MHUwHQYDVR0OBBYE\nFKVGN/uLf7FoQGfrDbeqfkh8Nrt5MB8GA1UdIwQYMBaAFE5JQJrYKTxZumi85gLX\n2PKaphl+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOYNLvc3FQZszkN+XW6j/BRk\ng06W/UtkNnSV5A27fu9uAiAOYL+vMHnj33If2LYhqea8fAgRS9Nd7upcXTTdQVfl\nyQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1365,10 +1386,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJgnStIT2FI/7XFt+O/c//rCrSAQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpCUDvs+doBN0NAzbnlDxvVitdPsdgPyhbtfOO\nXTRaXgOZtng4jf1Wyo3XM1VRtQGzgoWpS/kcYy+h7QCgiJeGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfkgqMi3uk6lX0O6FD7V/pP9GSYEwCgYIKoZIzj0EAwIDSQAwRgIh\nAO28KIEy9bGQY7pS9Zfz0V/dg2KuAFrDdeXE6SyMlTS3AiEAlJaGVNzZIUi7oiOA\nALLutPTymc873FFN7CAYfojD2lA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUY/LJLOYqiZ0tn+6k2RM6D/hhl5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8fXFE3tWp5vvCejk4bPuSNiBqy+t+7BU1FR00\nOU1PjQyoSHl5kJzA63TJApno3pR6Hs2FkdxKXS4gEBDh/tAgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTu8xhzi8ofGOT88Cj71cr0A23MMwCgYIKoZIzj0EAwIDRwAwRAIg\nODffMmwz4TFRsXWijcMRgurNV9IEXGpcmUEDxWkUfAsCIB2O53UmQY3tbzD7jlTY\nTEX14bsENslHHoyoIBf8rR/F\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUeUEVRhEX7/RmLYZXt0CrrJia2QIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbwz9FA0Kda5NVsJiK3MHy32ZvqXPxQQiqcsltdXX\nPrFnS7+ebHtojNM03WW57AiJoqJgc6N7K1L4HlTsMWMnCKOBijCBhzAdBgNVHQ4E\nFgQUwCHcW73mShEwUUvS7fsq8ukWOqEwHwYDVR0jBBgwFoAUfkgqMi3uk6lX0O6F\nD7V/pP9GSYEwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiBAMFhJa1EArc+Wm6enpOLecCs4jmpz7wY4PXcr0BSArQIhAMiyKcStpGXXs0XA\nToGSCTHyv7dSOPD+N5xqXlrMQn0P\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUDKpAfGzdU+VqzbZr/a8/Z0+s6mswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4G4U7kVZ7+F2tud6z6RSAhuItBb4hkb50I4G1/JX\nAdV6xm+p7skhO4SVmnDjCgHWn4yj2AKzr/JqiSXuWiVfIaOBijCBhzAdBgNVHQ4E\nFgQU/EEo5CzM/KpCYNAdbMVhu3fI8pgwHwYDVR0jBBgwFoAUTu8xhzi8ofGOT88C\nj71cr0A23MMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNHADBE\nAiAGVFP5j1IJjljOLTPSnCUnXAG1Kf4I5PTEvOQg714n4AIgbvBsDYwaInds8J+1\n6VtAP0/ge58accpxk8zKO6ZNW0s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1388,10 +1409,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUKFfOAekoSFVDIz4K8tgSKDZUBMowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzozEYdOgwNi0Bf3jOGBQarMSfPfH1jUGF/KQg\nNm/RmqM7aXalBfT2V7aD/M8Q6fa1IgcsQ+ML3yI9fCelsKnfo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwLd/K5ON9W2IBB+eNI1nvAvRcYQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgLDK6NIVZzEiSRVPNrmsZsSLRCfV5DbmIpn08\nGbb+07kCIDdKDRrjaaMhRDKTKka9Z+CmvY7QTN8OWHM11fEdlJ+y\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUV4G3kjy371gl+OZT+MhZPz3JHZgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwgHisMy1QdIf/BB1V4f8HNsacQ5JU2epnTDdD\nUCP5daiEsZkYC11X5FBduktYWHCcGtJRrfYLv8UY1Pc0o+wvo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/Zfbj9QhFSisfuXOspZSVY6WDl0wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAOKl6z+55iAcnGTjnFPjh8PXdsMXVb5teiLD\nsvoEQF/rAiAm9V+h4QQhx3qrCG5ePrFI0YMUZsr91HO/O6Ksq5ooug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQwSXHqw5/JShDfGN/GvDEt5PPZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpkJlqq3ojea8zL2D7cwhT2gRcqH90vPBZH7q2f0D\n9QtqMJHFI/CDp6Xo/FCO2IraaKHOZkICrZiLih/RfgeGJ6NyMHAwHQYDVR0OBBYE\nFBjYhBr1BZ2g34x6uDY0J6prAX+0MB8GA1UdIwQYMBaAFMC3fyuTjfVtiAQfnjSN\nZ7wL0XGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIF95gh9vieUNpXUzMIrmIsmAhXJstie/\nFhoIlZQn9j7UAiA7YotHNyzyDYws1kpuLEFNptdy0hzvDvw+wkcbnw6Gkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUa7w+3Km0jvqV8NeDU39jKQp/uBswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElAU/dn74q1EN+vFy10164zimwB6hE6ZL52lRIkVS\n3ZSvGu4QxYi53aEBJ42wUY1SC11iLodMVDcWEAuU2DH1bqNyMHAwHQYDVR0OBBYE\nFEf6VbQz9jc7IBNqkfiUClX7c9gJMB8GA1UdIwQYMBaAFP2X24/UIRUorH7lzrKW\nUlWOlg5dMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGll9AGsP3BKmFnQugI3jpgrTqa0nBTB\na9zYMMAHVh5AAiAIvweGsZiuNeP+/HgaPtRcnQlgZsqzT+nfHLIsktaAfA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUHUo5Oqpbu9off8gXmBVj26BmWyUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToZrGM+Oo1CPXfTpQ+j4zzRcbf/pANGA4ELFlG\n1h5mIU6ah6zvydMgP8qyge5mFB5y1IMKGkDWjjA49J6pCqSro4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMch/n+yBCVr4KAhR2J+f+L0vHW4oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTHIf5/sgQla+CgIUdifn/i9Lx1uDAKBggqhkjOPQQD\nAgNIADBFAiEAtydkiNJ2ugPxI4bQfC6gSsscqVJMxE9Mfi7vNvw3NJ4CIBt7eze5\n4nrzhTj/GDyW5JL3kAa9+WgG3a/jnNgRgYZQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUUZqOv0QLgjWuYO3AT5DayVJ8Wh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWNi7d3urmx2PBgJb1POi2Nfdzyf8vDELVNv9c\nY81bB+f2hS/JsMu7Jnk2b1VeNKjyZqloxRpY4QJVPyvaw5y6o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFEFaLyjxgxMq4i9xXXFsm+eTr905oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRBWi8o8YMTKuIvcV1xbJvnk6/dOTAKBggqhkjOPQQD\nAgNHADBEAiAYOw/39LZ0nIviN5/WolUnG91rmc2D8yyMH6nJXb5HlgIgL12P+vsx\n+mr2Mud4Uc47bKEyAKyFASR2jUCDlAPM8fc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUUDStz4TYE0KAajyJtaCY51sc0rkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEnJ/p7qjtwLOFnUwAFmkh1QPpIebF6QQPCIXONCPh\nXemQ3AIrI9j0j8xfwxHsY6UDpo4h0Fp0hEkI3XncrF4KkKNyMHAwHQYDVR0OBBYE\nFKiYYC3vzk5iYDr9p0Fa97VW4E/6MB8GA1UdIwQYMBaAFMch/n+yBCVr4KAhR2J+\nf+L0vHW4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC+K0frdxeT8dtLXaAe4JuLJT7Pc9Bv\nGYfxTagdEPcExAIhAIOdpBhA/WNxRLJTkcqKbJoAWkJOrimWhypIEuWnF1Ce\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfuSQ1BdsGP+JKYv8qvK2kvQS//IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAER6bl+ujy1aQfZftvUDPwZ2JViDWI0/kJVwutRPm7\n2H9in4nj524pyGiYtRQCLUF80kUFyCo5m3cgrZOzzjESSqNyMHAwHQYDVR0OBBYE\nFK06FzG8c6YqWUlKeGIXJpt5GIKRMB8GA1UdIwQYMBaAFEFaLyjxgxMq4i9xXXFs\nm+eTr905MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC9NeakmSzzrc5L9g0exi4szom8ySbZ\naLjTi+64HSSVPgIhAOXohClLlDH8gIf7KrDXRzl9dPtL0/3WcuSUu9X2VYsQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1453,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUVRR69IxwKiLFJezUBveRLNxz2f4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIdIwOPZGITyF6TGymjhLL7s1T34eYkAMjzrQd\nu7mlYapYdwEPIyVxHjdM9m1Bnu1L2dnX6nJTTAZcmVE1JJ5jo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSdi6SzpxgpSB4ZuZv8IEEViRYcy4ICBNIwHQYDVR0OBBYEFJ2L\npLOnGClIHhm5m/wgQRWJFhzLMAoGCCqGSM49BAMCA0cAMEQCIEW1HUJkZdwhiYXQ\ntsUAZ4yIjo9DyvWSkt1oK7gdb/kgAiA0Wh/l4p+nc7mFL0HTn65dcgwYTXdoJMJz\nCWUo+iM1Rw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUVhh6SVLuMPew/GC/QFXvGNIlcEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfA0MIxnNvcPdTy+l6tCE+FaOcpaTcyiz0eGht\n0meCyilxc66J0e6v6EQcVQfNfyKbrDnzpqkI8ruypwjNJpx1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTlFneRITx4hDfvKh78tF7sac40BYICBNIwHQYDVR0OBBYEFOUW\nd5EhPHiEN+8qHvy0XuxpzjQFMAoGCCqGSM49BAMCA0gAMEUCIQD2FGXFYERGXqsy\nEXsXoWVmB9UMPhbITtW7hQSolkAHRAIgJ37ioX65tM+Yc7ZPCPXAf8FRarDnmxzB\njwPdrFVjOvg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWrnLdCejw6YwdFXi5x/8/lswNDYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs0dOx2Adrg7bdfhnbrfL+BVkAOAJbOIYE8wgXy8x\nvJBiG0LuZ+EgKcJ1QqZ0+Sk3wUADgbWb5FyYB67R4+M6bqNyMHAwHQYDVR0OBBYE\nFF6Ny2pWm+8YsnKTW+Pl5LxEadNxMB8GA1UdIwQYMBaAFJ2LpLOnGClIHhm5m/wg\nQRWJFhzLMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCN3TRzTfkqVbCSEwpmTK2Bau8/+5xz\nY9V5t+ZHr2kFcAIhAMdRusItLOoE0V9C+gxNZzOY489aFfZBBukA4o2n3HF5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUT6ECpWwWVdrmoyUx6CzMKiUKiogwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJFwjSCVVKeP30ccdtLMIJ3p5hRETqoP1vykKkdn9\nW/dailTho5SI9mysCvBN+6+h2FSNpRGT8/50qGekL7fD0KNyMHAwHQYDVR0OBBYE\nFMFdN58EFhT5qg74+UtdZrv/RnNoMB8GA1UdIwQYMBaAFOUWd5EhPHiEN+8qHvy0\nXuxpzjQFMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBu7IRO86v4e0T3CQYYrxzWim1cRalyY\n6Cnow6KCXUhvAiBeWo0yj2bxRuHVd+fIZ8ASp8N1vq/ucI9A02asaM+tZw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1474,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUexEew3qQTahKmXqqyLjb4MEZMlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCzk87uGUiHJ01n/HJ5t0R1PHLe8vf07cNPsZ9\nzGaUvyP3UWnMEmssETiV/ZS58VLZudBNSgYD3UEbFOwWq9bfo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFPx0z3ZaoHmxedQ1b5PANlcNJ8bWoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU/HTPdlqgebF51DVvk8A2Vw0nxtYwCgYIKoZI\nzj0EAwIDSAAwRQIgOggwbMd94Al58coNvuybmdhoee0xpQaX9od/S3A/DHcCIQDn\nmzLqFf1SuvzIdeI4B5dn8nU4/fOM9B0sJeWHPOYptg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUaYX9hUOdMlmvHZjNqrMmyFv2JA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfrP6oH68f+LMC1ABcSJfWZiNeEIf/ueHY/sst\nEI9ZpA0QhmbZH2qJr3raDa8KRsT3Mhrhekr05+bClnRpd54co4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFMFznyUW1VzQSJ7pl1m9BLa0BDx3oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUwXOfJRbVXNBInumXWb0EtrQEPHcwCgYIKoZI\nzj0EAwIDSAAwRQIgW5OqNUlTQcV05a+9vCTiVdxiHXMiWM6veaik9CMsqmACIQCQ\nWb+Pws+NqY3IRiLxNiRCoTLTlUheuKDG6iXzqKAjFw==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUMQ3UIqH30jq3PGvxWMFxnFKHHhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdmorhT0r7Y6+Dv1ueYLUHZwUpB/vOAVqbwrowAO2\nUOtFf3Ofx1b4HvNQGud+iYSNcA//vqoUYqk8kxgs6pUaXqNyMHAwHQYDVR0OBBYE\nFDffJ7Vy5xqmagMAtnHZXxvesErqMB8GA1UdIwQYMBaAFPx0z3ZaoHmxedQ1b5PA\nNlcNJ8bWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDzmQJceiVcXzZyqjM4FQfzqbdcnA0H\nZWO1IRaHvJ6s7wIhAPFrjChSjlAotng3aI3WJkiwLC5uZxD/bza+1iNo6xC+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMDj5T2xW6CaMcqfP0yHq9H23/8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEj6VIRNDRVpqhmhyo18lqZiFvradgXj3rHx+4Z+dR\nkK6N41cNXQaUwwuskX4pmewLubx5HqgyJgdnRLgA7uz6fKNyMHAwHQYDVR0OBBYE\nFEVUwD9tzt9H6ttMsbfBVHwJt8GoMB8GA1UdIwQYMBaAFMFznyUW1VzQSJ7pl1m9\nBLa0BDx3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA0woP2IDES+LrFNDQsLmtJ4qnVZPrR8\nQNGfigkbmApRAiEAvgMhamCXQkUewhRNHNaZLXxuPLGUhnBpepML1/Spp+w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1495,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaig2XKTxCFHEhBmBzKDNdxo9cbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZetFabVqzbOOUy/uwzBxc0SAwq8WwNJa7CLle\nxgN3Z36hev5LDMu6JqagmUCTXU8yUMny4ENxnsTW0AjkNpd7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr/EUcJ5QMpcliIKhpLH+LAWEv3QwCgYIKoZIzj0EAwIDSAAwRQIh\nAIHEAaYIDOYRFxleKwbJ60N/WGAi+Em5iANCa3ue+WnlAiBtaiDE/OVWfSYzWl+S\nLddAsgotdzOt1EYs9fmX2Haugg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPkDzp8VZYp2cTfENKdFKP3jXOeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0xjDVdmo8ukoJepSyFNhFpMyFtssOwBvs29pK\n5lO5Omh/+sQSW3qpyZGJDHqPgt7aT9OBjTDuKUzjOD/4F1V/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIQ26GhggwYx9onXd6IgN1+1kK4AwCgYIKoZIzj0EAwIDRwAwRAIg\nFAptOwh8MeM/MxGjvxVQNNriRhzIyUrKZjPrcVurKRsCIAVUeVENGLNjdnUBYg86\ncmB8K/4afrrq3txXphTcTOPK\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUZA8a/lG9VNPqm/0euQ2zyhwGn4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEMrUiMtj+rY1bUTcFYNfLLlo4WsaqxZVI1rjdCJ\n7/es9eq1ao353rMpFqALbz5+0zF4X13Lgap3nhNtujvEgEijdTBzMB0GA1UdDgQW\nBBRcsgHquDMKg9E9lEG86JY/QTWEYTAfBgNVHSMEGDAWgBSv8RRwnlAylyWIgqGk\nsf4sBYS/dDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAeLMTd4bAxSwI5Oy9/xJ9g2Uyr\ny6FHTn8Z6hwJRCTQVwIhALjs1+6SJfJN24rV4ENhjrXbpk5ftQLTsGL7qnH426ku\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUXQm0w/2L1lKuNonuRLlZ0bOK8U8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABE8XmPHt+d4Y/MqWmgUd+B8ISxv+zBiaIZsX/FA9\nsfZszNhrKUPrYeQ+80OfVowbn4VLKZU/faeBrsH1ZDdgnpujdTBzMB0GA1UdDgQW\nBBSxlxUiyP0eg59uzHAp6IxXCosw1DAfBgNVHSMEGDAWgBQhDboaGCDBjH2idd3o\niA3X7WQrgDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAlBlpaobV+ncEIyd2/fqxEcDYM\n8GSF/djEIFfx53AjPQIgKpDVZXGSdR6VtZdy9yAicuHh0VWzgDPyY7oRereqpjg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 5153a6955268883fbc1d1e9c5b427f4abc1c442a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 29 Oct 2023 09:35:54 +0100 Subject: [PATCH 025/155] bump limbo suite Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 400 +++++++++++-------- 1 file changed, 243 insertions(+), 157 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 4f082c55f623..e6c83e20d018 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQWo6gbrRnLAjczNRQh5yjRmTmkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpNP8MomtfRwP6zk1/aqFs6yOyTeVKHBSsQn0u\nUal4ij75s++Ga76chhunW6BdgK8pYNZAY0p1UcnVAsQ/lwlLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw7cXs7ell6Fd48hzKEulFQaS2SgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMPemXAv7ij2qDFd++mkDEz2iX2Y70GIxVyVo295ksOnAiAHFznPj+f2tNVHB/BH\nd6Jum8/GdKKKk4neGiynIYv3JA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEjVtg1LAUzPxmS5F1eu3RMEG1dowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr477Q2SMcsjeKrbUp3YQuQoz3CpaSSSGLRI8L\n1CTPlbYo2ROFknsAbM3A3SnyQYErwBf9ZAmb0IYfcUb9x4tco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyasg4QCU+9ey5ytLt2cUHQDwRg0wCgYIKoZIzj0EAwIDSAAwRQIg\nLqurv3xmJS6C8qZKrzkh923qVbM4w9vYXDswggrRI3UCIQDW1BuTvc7xk5fGiufD\nVXpIa2AbXVnvQIPQU/g8n7p13w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUd+CzA5mEjWTcGfp616LrzOyqqXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNzM0NTMzNzU3NTE5Mjc5NjUyOTM5\nNzg1NzY4MTM0ODk1MzQwNDA1MjU3NDA2MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHXzpGiK1MOTs/Pbh9AGSGWpHF9QXPenbHc8aoIL9AX7YOn7aol6AwD192tS+4Vf\ncdXz5OYas2Phw4Zzmthbr42jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMO3F7O3\npZehXePIcyhLpRUGktkoMB0GA1UdDgQWBBShr64xiOq4mxWF/KUbkTErbplKCDAK\nBggqhkjOPQQDAgNHADBEAiA75iKTexI9MrR36ztMBe8Zmbs+wG3lORW348W/xzqA\nhwIgelILa73teYc24tPU7UFKCktAoRfp4mIPZGFGashdB/g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUf+5Wiojc+0iKPPXVUHyzjhQ2+BgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMDM5NTMzMTMyOTY1MDMxNjcxNzkx\nMjc0Mjk5MDkyOTMxNzAzMDM1NTA1NDMzMjIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGGJ0Kfb2VGHtRiBAUDDASnCliq0o0dAqs5m/KxhYNuvZe475bTMgaMfMI4D9z6I\nYqGDZF0j8F0zjZY9DFjfUPejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMmrIOEA\nlPvXsucrS7dnFB0A8EYNMB0GA1UdDgQWBBR/K42o5t5e78d+f3PFJbI5OSwTejAK\nBggqhkjOPQQDAgNHADBEAiAoBmPeNYeiXUqe3lng4M6nSi4GNWn4RbB/RMnMrQag\nsAIgeGYeJ8uMRljftVvgaS/sGapBaU55O8dk1TYEZHSYbqY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUYlwy7t9ZLJjo4i0i+Eqk+igIN5gwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzczNDUzMzc1NzUxOTI3OTY1MjkzOTc4NTc2ODEzNDg5NTM0\nMDQwNTI1NzQwNjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARY\nOssaxzgodbsFDkpJvYeqPhSHsiAB9pMXs3fAgEeB/RJbE03mP362ij+gNvSxyZSz\nxeYCKfgu/PvRdt/reo+jo3IwcDAdBgNVHQ4EFgQU31Mv6Kb1pesU0sZt7Ul00Sqw\nf+QwHwYDVR0jBBgwFoAUoa+uMYjquJsVhfylG5ExK26ZSggwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgTTrHjweQF4+vdANI/VSI+6yIKN7MvE8BK8Wo9fujxusCIDhCpvEbsO0l\nl9xh1UTusm1u/tY3sqGOJ0bqRz+zvtEQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUBoH9lqJDYSBRMMo8Q2ORS9ZCw48wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTAzOTUzMzEzMjk2NTAzMTY3MTc5MTI3NDI5OTA5MjkzMTcw\nMzAzNTUwNTQzMzIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS+\n4kQc6EnRA14wy6MonVOi6dpPrs0ZoRbWHTwYjwOjvRfRarvybhCnM6h5rmnwrDFa\n7xIZaSBSQ+glAGMgMZ2qo3IwcDAdBgNVHQ4EFgQU4d/OGssb3HD6jFkyWt6OjH/i\nfTIwHwYDVR0jBBgwFoAUfyuNqObeXu/Hfn9zxSWyOTksE3owCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAL8mAVKJUIqdzqKS6wd7oCLHOfL31ty6KT0dVo6a241SAiAW0qSx0EXa\noWQiGdUjpeQG4WCL3uLxiYAVO6eVmtSDkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURQJLhJtgc+qkm7XGmpVmBsgnXdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWGZ4BQ3SkHbeBqXYArEDStPMheN1U/eGmfCku\nPo0IgUSOpguDTBqp9N5tuDDGNGu3s6c01q+TkpSrVsrz3/iMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBE4AECkP/+joFuvYMEPNcrTpb8MwCgYIKoZIzj0EAwIDSQAwRgIh\nANbAc7n6CCDV9DBgrQ93JEdeBKUa/s2EW23YUGth3qp3AiEAi3Am8l8dllF1ytzD\n+caF0cPrx8CJSXI3nxkYDCzbwVM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWP6GPN5GBcK70+rVcuNl9QtSYYQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpt+qqood2UfYK7N85ZUwLl6EjnnIJXHKQ90rx\nwTcIXXI835yvRPHftGrqR2ZlUE26iRHnalWC294eXQbHHXyvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXbwGC5J01dk+7yB5dA8Rz3GnqKUwCgYIKoZIzj0EAwIDSAAwRQIg\nKadSAu/ZU2+2WTDdHJqU6u2ESPEs5Km8EJ7OB5E7KKICIQCj834ZBeeyMhNNysqb\nGJww4SFtdepfEGxYeKJRIpL5iw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUO5w66FofhYZiw5paN+3EWAV7DEswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTM5NzE1NDMyMjI0OTA0NTQ5MTMy\nNjUyMDg1MTk1NjgxMDQzNDc4NTc4MDQ3NTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKtQpZ++DSGsj+IFhdT8onaM3OEKsmBG/LhlMUPZREG8TaltgNCBaQi2gS8+fmjL\nelf/Ugr887v8UetnQcIcml2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAROABAp\nD//o6Bbr2DBDzXK06W/DMB0GA1UdDgQWBBR3YhDpem6qzi8pp209rwpjVXrQFjAK\nBggqhkjOPQQDAgNJADBGAiEArrN5+bIASVu1YmiyZIGwKzBpMH0TTXYZrFZB1lKx\nxD0CIQD7uP2fdNxpvNM4uXDBlBkP0NHVmNgPvYq3kKiFz9U+tA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFa0hkYD91MlHK2r36RH8rNNbwoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDgwNjcyNzA4NzE2MzM3MjAyMjQ2\nMTUzODU5OTI0ODI5Mzg1Njg4MDkwMTM2MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBF1aq7D13H9Sd935lHypyL4Ex8J2zLXkfjCSl0ECUn5D8Rzu6yIiDjMl/14CPpjG\nEUZegbbz5JMSpMQtyX/WISWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFF28BguS\ndNXZPu8geXQPEc9xp6ilMB0GA1UdDgQWBBQgTcpEy+V0/n1RhNyg8S17lf0hRTAK\nBggqhkjOPQQDAgNIADBFAiAjya/mxPkSLQdkZ03rul379Er89aZUvHtY98Ht3JcJ\nAAIhAMpZk0UBD0+uGtpNMHFYUaG9wARBY44iTpIpg6O+WrBJ\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUOhdqQ7p5EwwbSj2e/+poqtTtIv4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzOTcxNTQzMjIyNDkwNDU0OTEzMjY1MjA4NTE5NTY4MTA0\nMzQ3ODU3ODA0NzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN\nr1fST3/RJvhMyFHJ3oXrS8g2NDgEbTVk1ayX8opkkn22BLxMxQp+tml4n6bFqyku\n8OoL9P8MHc/mfAnkZq/Wo3IwcDAdBgNVHQ4EFgQUDhZczQTZIO/UZ62Kawbn7Otw\nW+YwHwYDVR0jBBgwFoAUd2IQ6Xpuqs4vKadtPa8KY1V60BYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgCGXHXYEvXIfE5lFLrqCgDbt3UdCLUkwrUejCG9nwSYUCIQCCxlFtLTQ7\nwxJOu4+py25ZXt6t46oezaUp4VLtuz8i9w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUfh4kezo7iWbEm4Rvx3eLy+2stCkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4MDY3MjcwODcxNjMzNzIwMjI0NjE1Mzg1OTkyNDgyOTM4\nNTY4ODA5MDEzNjM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASt\nYSKJXRlX9pY7SOw4JYvY5pDTqQAx/zQUzmHsR76jB/mjGmP7eFfYShQf4YXlIH4T\ni7que83VYe0wAZvYdmvco3IwcDAdBgNVHQ4EFgQUesT77McPapNxHxFvVWxKOwhg\nNvswHwYDVR0jBBgwFoAUIE3KRMvldP59UYTcoPEte5X9IUUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgZNkU0OmtLGA2kpt4qA4O8vgo6mohY2qDEk9UM5O7d48CIFLSfVEA1cB6\nZRMtvt9dzsrmyh4enGFh1f0aEQ18mT0N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUF2XScCvjxS2FbKwR3q28D89mVoAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7VmDloB+nlnta9PRdsI70IKkAvxC3tFidyB4+\nxHGHiRSlQG3kZCATZxrqpdKareUqxZys/sLoJhaStXz6vOQxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3wQesDHqxfVbXm+z1BcGUpNfpSYwCgYIKoZIzj0EAwIDSQAwRgIh\nAOeKgwKRN3ny4SpVHKEWqhCzE/o2DVhj5c/YwiwfzgniAiEAouDZKK4VOlbAMmIa\ns3JiWuwfMG/A1mauaagLkg/RFJw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUW7hQ41wdGDbHfHtDsOBcup4N9TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASlsl49UJaqnYmc6qyl1Ra74yrurnyJ5FTlJhuB\nW/Vkd0GCunrUKnAnv9l2kj5XosgFGQ91/JePYrY8e96s5NL9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdFPnmtUrDUbU65WE7bWY9XjaVMUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMnkK2drRPXbI1ZVd/Ri0njjpN3Lmo6hlitfWBnCYlGqAiBsHbcHIPM9AJ77dqhT\nHO3+BW84zDjgIHPvizcr6wHmZA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUOePN24I6CVFzaG8ji4f6F9e9PxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMzM1Nzc0OTQ3NDQwMTAxMjEyMzg0\nNTIwMTk0NTA2ODQxMDE1OTk5NTc1MDU2NjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFPlnXD95Le1YhErT/q/EZogE1y4QSc/c1FeqM1BggFhjgEwqblg/XmRv9LfwXzU\nJwDVV8AaYFTt+YICCoCJH3SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFN8EHrAx\n6sX1W15vs9QXBlKTX6UmMB0GA1UdDgQWBBQ58YUOzsfm0LRZKIp12e+njo7ydDAK\nBggqhkjOPQQDAgNJADBGAiEAlF4eDtnN65sew9zMxU7mprZ5JHZdej6U/I7p1Kmo\nq5gCIQC8RUa09zvAzaVnPm63AnS9O713NSwlroab1Wlv1MREDA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGyi4udNUJsALxL5iI/YjK+cMc10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MjM2Mjg1NDM2MTA5MTA5MDY1NzUw\nMjA2NDA3MTQzNTYwNzQwMTAzNTgxODMyMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMB6nzNi9sLpdm829NHyQdRctu6Z4KZtMcdupz/JgWkv1FDr0JTcCcmLrJ0mvOOB\n+lEOzNtD3Nl8oTanAEa2hgSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHRT55rV\nKw1G1OuVhO21mPV42lTFMB0GA1UdDgQWBBRzkrSTV9MgW1c1Iwv9GAVn97BFFzAK\nBggqhkjOPQQDAgNIADBFAiEAn6iWG6HgsCIYKwwNm/JHHuXIpC2Bre7Ta8b3ygBn\nTEoCIHAt9p0pYrlWeC8/F5QmnTilI/2yzrWMK25TE2xncdxR\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUb4QA8n7dUiU8+ul0yF71dO5QGx0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTMzNTc3NDk0NzQ0MDEwMTIxMjM4NDUyMDE5NDUwNjg0MTAx\nNTk5OTU3NTA1NjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATS\n3WUNtImaZDmoMqQjeBZuJQye4+1h2ihHDwvMHHlZVovJN5pl/6JvNfOWIJ1TkPdL\n4IEW3U11fkTwu0yvqZS9o3IwcDAdBgNVHQ4EFgQUizh3b+6TtBmy3hiOAd94O2yH\n7vgwHwYDVR0jBBgwFoAUOfGFDs7H5tC0WSiKddnvp46O8nQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgeCyU20yo3TBpn84I/pLI4RvfO2WpbalcBOpYaJnif7wCIA81besJXOP+\nBQWHY2Nf+Ah2R9c82LrdIY9m+7VUS5jO\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUDV7KzW7vlzBgj5lWh4SnJOQzbW8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTIzNjI4NTQzNjEwOTEwOTA2NTc1MDIwNjQwNzE0MzU2MDc0\nMDEwMzU4MTgzMjI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARG\n9dJNgH6/6J7NjhSHNBMqKW24UfDVydatDVLp7mTQXCyT+fSG/PyFeJ7h4evWdenb\nJL+9QhpD5G3SR3BMqZZao3IwcDAdBgNVHQ4EFgQUSrOJMk5tomL5is/YS5OK+aZd\nHsEwHwYDVR0jBBgwFoAUc5K0k1fTIFtXNSML/RgFZ/ewRRcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAMdLldlqHAcBRTVhwQe/lLpHtSZXWpkP+/LrE1kpKrVpAiAJvauS+Qeq\n4y75dokrgh55Pd4r6P9cAr01wJPke0zTEg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUC7tpBTR0bofNyK+lohm7GfuNVTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASS3zeSAraz9hiCZYfbms/NkTwLCNfl/o9tljpt\n8hQYt2EnYdJCq7reEg8nw0Wk0uhS0JBq+BbWRYiwABPba18zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfBRDBN9JypnACGUo1eYle8fpyB8wCgYIKoZIzj0EAwIDRwAwRAIg\nYdfqq54WDvjTbjKH+iPe23dTPMsq4Q7PA+mcuSTEyvICIFBVIYAOoWCzGaYFDJmn\nrpjapLSAW12VnZjvIV3an+uY\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULaeHOztRO17EEn/jnh/TjKB9ul4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASbBU+3qZKN9UiQOD5B+RxTOQLJ7QsIatzBWHqa\noAjBGsQJvwOfq34dlwZSziAc43wxpVk/9sUi/ECwlWbzdxkyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUihjDl75s4rxjSMKO3izzYGsuWUwwCgYIKoZIzj0EAwIDSAAwRQIh\nANcwb4O5tgcHrmYwFQ3TOI+TnnB2s2xC3Cx0N9JapNsRAiBC9dZdbQRl9C/IwMx3\nV9E5AtUktIc+FP5Xhj5dEt/tEA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUGsSaoEQ9uutLDmwtM+c9xf/V5iowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC82Njk3ODI4NjM5MjM0NjUzNDc2NTU3\nMzAyMjk1MTI1MDA1ODgyODAwNzE2NzI4OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nmnriKWN/Akqxa+mAg5TAPlOhB2pChV6P/no1ZwziLRKLenE1Ivza+wDj90n0aXVl\n4vy1f1pHw0rT4MO0W7cVAaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUfBRDBN9J\nypnACGUo1eYle8fpyB8wHQYDVR0OBBYEFDZVFzZOLQxz3gVNwkIJnrUi2HDmMAoG\nCCqGSM49BAMCA0kAMEYCIQCKdI4/Qee8mmhg84sObPN1iP9RndrSo7i+HvNOBf49\nzwIhAMUDndwK45BkFO0kc59q7Zdu24N1ZJBRpACBLXMysooT\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUEJzA18rQoCKSGQvusoqu0+hCXo8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNjA2NDA1ODk0NDkzMzQwNjA1OTA5\nNDEyNTM4NzU2OTkzOTg4OTk2OTQxNTYzODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD8vNJxl9yh2k/rKYftBkLonY9drq0MxDK0QqdMM4UhgUg/cCXaNpNXFaIK8nap6\nBW1fn/SC4xZMK/N0stQlH0mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIoYw5e+\nbOK8Y0jCjt4s82BrLllMMB0GA1UdDgQWBBR951B8q0746XQQbTka4J59MD3JQTAK\nBggqhkjOPQQDAgNIADBFAiBbuLulvpoXFxQ3Xt0VEnhSVXj3yuUlH5Iz1qcO1JVM\nhQIhAPcIIdJN2BLWNV7viM37PDeWVg3zy1lvZUdbjKpf7wmq\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUAv8f378ERSq5F7dFoQV/26MFiucwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNjY5NzgyODYzOTIzNDY1MzQ3NjU1NzMwMjI5NTEyNTAwNTg4\nMjgwMDcxNjcyODkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwMTUyODE4MTc1OTI4MjUyMDUzMTg1NzE4NjYxMjc3NzYzNzI1MzM2MTU1\nMzgzMzM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/nYaehoVgpUKQ7yyt5EMCr5qq\nALkQ96cthzYYf3N3SfKqn/SgtYuTUkrXYw6fm3xEo+7WpcewdMDVkesCKNYPo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ2VRc2Ti0Mc94FTcJCCZ61Ithw5jAdBgNV\nHQ4EFgQUous3sW0tdFhSFsC761YXCGaLfGswCgYIKoZIzj0EAwIDSAAwRQIhAPX1\n+pkglzR658BWREqd9X9uHc+dhzqk+vmCx52EisKqAiB6PCWA4YN/FqjxfcyB1bea\nN79QDhwOVrmwJe+BAKgKOA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUA2S7Ynlt9z89+cm2K/uTO7C3wL8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYwNjQwNTg5NDQ5MzM0MDYwNTkwOTQxMjUzODc1Njk5Mzk4\nODk5Njk0MTU2MzgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzk0ODM5NTY3NTczMzQ3Mjk2Mzg2NTczMTIxNjYzNzMzMDMwNzYxMzgy\nNjk4NjM5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiC2oYlxVbj9KS5k8yREcLbqQi\n7LO7uMh1q/I9iGBR9LhRXX7g4IRJvWJNGjurmOuIGVbOIa+wEM61cCpqb4/oo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR951B8q0746XQQbTka4J59MD3JQTAdBgNV\nHQ4EFgQUl+fXeqxR8gjKoIyNGmQLv3BV+3cwCgYIKoZIzj0EAwIDRwAwRAIgYtY1\nJ5Ur6hawZw01bOyNx6MgjuxlGnIBiPMM+ZnzJVcCIEPHmwI6EO0477R2SMYuJwhc\nyDdf9pTHZLir67xZqymF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWdyAiqTokchpRVDKG1qFiS0I9p4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATY9lvcgA/7C88+NBYKc7FVBJT7HO8xqyPfJJbK\nqEb0SSurDNwF92ehUM0I1l7veFcEqCn8T9fQZFDoT6mVVySVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFZAR1ZLjfpTlGFbF4iq4wDZXdYEwCgYIKoZIzj0EAwIDSQAwRgIh\nAJbG7z1R2sdusoaENNPqSJi0mNroKTzMns3yLhgprnaEAiEA7h/BDIApulc8Z3+Q\n7iUwsaPtPiUk+hxi6zOiMxvCQEw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbTlp+mIbEPbc/BPmrYEU5ZnZbc8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb0QwDviAniAUmeuBJAxsSmSA3DPz9lA6fCo/+\nTVxNzYAOLXtSCwTprUU+nU2LoYnbMtQHzxpPreKO9gWbLC6zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmsuksJys92HssHXmRC2R5fFZDFkwCgYIKoZIzj0EAwIDSAAwRQIg\nUthZZOajFR2KJWX1Iu7amRT4uXFO9Eb3YUgT/G/N2HgCIQCfz6pKtAix3BpVOJbx\n2ngLxo7WUNJ38lapJGvuBLT6/w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUcDgIqS3vc0fmIiDPcu8LzDFQeUUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTMwMTc1NDAwOTc3NjUzMTYxNTY0\nNzc0Mjc4OTAyODQwOTA2NDQxNjU2MjE0MDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCNqT/bBDjNC7+rIFTgwBKxbbgsNaGg13es8PFdIPDFjrIEzmZgPOV53ddi7ox2B\npmt34fu9xuYvPvRJRg3Myx2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBWQEdWS\n436U5RhWxeIquMA2V3WBMB0GA1UdDgQWBBQHvDRIvrcBa62FztSoi3cAdREc0TAK\nBggqhkjOPQQDAgNIADBFAiEAod5iK++VYkfRqVvyLBp8xg+rz1diajRdEwo41J5I\neWACIE2XLPbiDLm/nq5v/KSEUs5FrjSUXl1SHjYVGS/I6qxg\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIURmApVYfj4h7LOuVVx3qSmMAMWnIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTEzMDE3NTQwMDk3NzY1MzE2MTU2NDc3NDI3ODkwMjg0MDkw\nNjQ0MTY1NjIxNDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY0MDY1NjU2MjUzMDQ1Mzc2MjI2MzY0OTQyMDA1NjE2NTIyNDQ4MTI5\nNzU2MTkyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGRgwNTq7nMt5Ol6xI2Z1NyvX\njuPwSEmLpAW+M39dOUly0Oag/612u/mNdYwQysqo4vwdI6GIQnEGtjk6SQ5oyKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB7w0SL63AWuthc7UqIt3AHURHNEwHQYD\nVR0OBBYEFKsSzn/cfuPi4uEfrKrjrENEUVGlMAoGCCqGSM49BAMCA0cAMEQCIDG+\nhFEQkKhhHOf5uuIhNsJF3WANDMy87n06tI3BgOlJAiBCtwQNbqlETy+di6O9FYSY\np3S/UIwE2Qifp3Z5ZhuAyA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUTQoIILVGzwLfxp2yPss/URKK7RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MjM1NjAzNjg0ODcxMzQxOTg0MDAx\nNjkyNTgyNDgzNzMxMTY1ODEzNDI0NDA5MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIAUM92ZzUvgmPgqAqdi2HEixvAgMb38e4zPZAxBfR1T9omcgCu2o2DKg8yS8NvO\n9Lsow8ZGdVqAyPRGux7FFQmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJrLpLCc\nrPdh7LB15kQtkeXxWQxZMB0GA1UdDgQWBBSB/qNV1EgRI9WexSjTtjtJsQl2MzAK\nBggqhkjOPQQDAgNIADBFAiEAl0+oSvaOeaixYywG5CGf2ZZNHrn9TtoqPmuxD5JV\njGECIGbw/WWnhzf/Qh+qUS7JcmuQPTAkmGUE+DwYeaM36Ua9\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUYd0bZXtcSkeDosSNgBi642A33+kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTYwMzY4NDg3MTM0MTk4NDAwMTY5MjU4MjQ4MzczMTE2\nNTgxMzQyNDQwOTExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDQzOTgxNjAwNDgzMzcwMjA3MTg1MzAzODIwMDY0ODI3Mzc3MTA0NTU5\nNDAwMDY2NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7jRH1j3DBQWxACMDGW/KXgxR\nWOiJ7RsjzYo81uqcIadtd43I5BUCVtNYc5Ay0XPel0qq7dsG3kn87JW2ENRUKaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUgf6jVdRIESPVnsUo07Y7SbEJdjMwHQYD\nVR0OBBYEFI1zmT0rUZtb/EwvEYaHZbSFLh5RMAoGCCqGSM49BAMCA0kAMEYCIQDy\nqm3wZm74ndXUfGSFCSbmtXPTQYYL98G/iur0WX4LqgIhAI5kKp0XFqrYiGTuBOzi\nDQL8pnkpKFPvEiw3LVgVQbFq\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUZfz28VRnRfk3m1/g3szYce5o1yIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQwNjU2NTYyNTMwNDUzNzYyMjYzNjQ5NDIwMDU2MTY1MjI0\nNDgxMjk3NTYxOTI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAART\nnnggl1Ugd0Hx5kxcV8cCtYtiarDh7VYMr0ymjFIqoO8zM9bTEd1x9YnwQY3GD1af\nKc1b7uUxm/9/q2Hi0MBLo3IwcDAdBgNVHQ4EFgQUhBeg1OydugsYGYMeWI3WYUab\nGmwwHwYDVR0jBBgwFoAUqxLOf9x+4+Li4R+squOsQ0RRUaUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgDjm2F58cLj7bH+0+ZXxQjmWHVct0Gs8WKOH02cv+dasCIF/fVmmhi79d\nQrKDsjDjlTfLCUO4ZwKyseKGr6MfXBY4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUTs2zCNAbTAWVQz13YLxHie2MRSkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDM5ODE2MDA0ODMzNzAyMDcxODUzMDM4MjAwNjQ4MjczNzcx\nMDQ1NTk0MDAwNjY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQz\nVBQCa5mbY29beV3zJBAXA0j46CMmkSBva1bmm+CX8KfjKZgxK0cyfjW3VkQEhdVl\niCBFZDqVS4nc66AusiCGo3IwcDAdBgNVHQ4EFgQUHsJsFZ885hH+kH0T1mVU8iL6\naR4wHwYDVR0jBBgwFoAUjXOZPStRm1v8TC8RhodltIUuHlEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJDY8g/sBXMjsrj99LdON1eCPPp1sVAJMkPe+ykcenQKAiA3zQ6uKTtW\n5RDReB8KxZ7mwQUBS+nqICHXk04qT0vccA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdtF/WG/puWXT0zmcAsBS/wHWhuIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2KA1kDihPcrLigVgKmPTrIuSHvEPkmQcEbAKg\n/JEhtykW6iTuasd5jt3J5Mm3b+i1hdp2pgJQ236YjfDtj8jgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0KnGw4193GV7OCFib7do7rnef/UwCgYIKoZIzj0EAwIDRwAwRAIg\nSVPqW8caZOVREh22q68IfT6UJDFeg7K9S6J1Dp5Kkk8CIHr1JCG163jv5yt0rjVq\nOFimnviqbU2eemLFI6+Sb8xN\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgITIC5qm8pa0l8IddFQhCG3bFKDCjAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMnhBU/4BCuHWfJ9eNpArHeOUYi+TJ5o71Qu+VBz\naVEt0ukdb2FpA5c43M8RJvKkn1pY6BW8qcEqzGZG7c1fnz2jVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTopGOkpcZUmj279fAbGUsFnJIiWTAKBggqhkjOPQQDAgNHADBEAiB4\nmW0dqf3x5HJP5ac6bTKtbkZytEaIEzRPeIMwTwTaGgIgFe9yVjDGtSl2pBu30PFf\ndRTt8KvwEeo6+GoNtIYbVLs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDXEkDyv7BduuaBJAqd+JYSoIoZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzgzMzI4NjAwNTc2MjU0NTk3MDM1\nNDI5MDc0MTM4NjY1NDkwNjA0MTc1MjEzNzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNxALqfAwp7Ykvr7gIO9C3Y14ijWQ9jThhp1yw4jraM0hWNIs/zV9ZxmB3NKKk95\nvj+0I4NWf6kEbgV9lRkWDCmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNCpxsON\nfdxlezghYm+3aO653n/1MB0GA1UdDgQWBBSyhvbZkWqCBCP5CAOlgJoRwZPWEzAK\nBggqhkjOPQQDAgNJADBGAiEA9FhFZEGlGfbyVihhA+IpcK3cWBkLaon8to2sNqSr\nRrACIQDjl6OjDBPVK5X6gFuNWOGnDNbKIc9ghM3Vcacoej4ijA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUcMk3qPaWF++1nfrHfq28YtMFeBowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc4MzMyODYwMDU3NjI1NDU5NzAzNTQyOTA3NDEzODY2NTQ5\nMDYwNDE3NTIxMzc4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzc2NzQwMDA1NDMzMTMzMTEwNTYwMjE2MDc2MzI4NjM0MDU0NjEzNDQy\nMDExNTQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu0zNIkn6nJSVq5OckLDuWohcV\n5ccudM4KaQlSB7wTWOc0VGiGqCWyEA64++ZeQW9byMepmyXL6wy/RjxM2H56o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSyhvbZkWqCBCP5CAOlgJoRwZPWEzAdBgNV\nHQ4EFgQUCU2O4BKHKBOTYDqYpRt4fGlo5KgwCgYIKoZIzj0EAwIDSQAwRgIhAKQI\nFBp3+J8gVc3344xxTVSkfmAf0cYwbxPAgoaDXEHYAiEAzoAX9PveQVRHu05cJyTL\n6nuX5+MW24JIYvz7TYEY98k=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUNrwvYrnfdYAhn9FDfaKcFq4322EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBkMTYwNAYDVQQLDC03MTc2NjcyODg1MTc3NTk5Mjc2Mjc3\nNzA2NDYzNDcwNjEzNDQ1NTkzMzQxNTQxKjAoBgNVBAMMIXg1MDktbGltYm8taW50\nZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPsk\nJjV2OxNAL6/xkObVWSqo0a/V7+KnEdfPVlyTu4eO5zx+EM1QaU8LEn3OqqlOgjVi\nuSLtlPfdkdjIpQ5LAQKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOikY6SlxlSa\nPbv18BsZSwWckiJZMB0GA1UdDgQWBBSP6krQ+A4Yccdf8t9AQeIqOcfjCzAKBggq\nhkjOPQQDAgNIADBFAiB+r2RdM5CKXBktz8vu7M8i5UcEun+3QvPbZDaGpILZ9QIh\nAPYukWhmPflB55mtKTPUwXKfRMGCRwnhJIphxS1wCfeG\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSjCCAfCgAwIBAgIUERwaQAj9mGAH+Gybggg3fixfoYYwCgYIKoZIzj0EAwIw\nZDE2MDQGA1UECwwtNzE3NjY3Mjg4NTE3NzU5OTI3NjI3NzcwNjQ2MzQ3MDYxMzQ0\nNTU5MzM0MTU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRo\nbGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3BgNV\nBAsMMDMxMjQ4MjE2OTU5Mzk4OTI4NzA1NTk1NzY0MDAzODk4MTI2NTIyODc4ODM5\nMDc1MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0y\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN2bAN5G879qxzW/INZC/x6QgMMJb\nv+pXl3284RLw/Pyip/gmn6hkFuDwqvug9761ikjHQgExDHJkaDztmvwI8qN7MHkw\nEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wHwYDVR0jBBgwFoAUj+pK0PgOGHHHX/LfQEHiKjnH4wswHQYDVR0O\nBBYEFCrGonD0lH64SBfeX84ynw82cR91MAoGCCqGSM49BAMCA0gAMEUCIG/786lz\nbXYZ+U5p5qThAo38B5ahruXVz4O0YJZIp1nJAiEAhUcNfDflNUkpQargDwzj/jDA\nvM/RlX6MAnLwdQAlS1c=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZqgAwIBAgIUB3Rwb9d78MbArn/+dtUBQQ1JGW8wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzY3NDAwMDU0MzMxMzMxMTA1NjAyMTYwNzYzMjg2MzQwNTQ2\nMTM0NDIwMTE1NDIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHoG\n31xn7CIyTt3wNzkMHdMICYB79BhCGfgXRS4ANubqFn2l1lrzHHo513ANqU6lDKuG\n5/YaZkvsYRcGLbgUawajcjBwMB0GA1UdDgQWBBTO7WsjZq1EWWTft/wyuVDXXWHf\nuDAfBgNVHSMEGDAWgBQJTY7gEocoE5NgOpilG3h8aWjkqDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNH\nADBEAiBzxezMMyaz9G2wz+tek1QGx3r5E/QjLf7/62lS+YcOXAIgE1eM+zDCkhYG\nSlgx3ANpTitxeh182y8xYafK/y9MtKc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUcRDr6ZkNsyw+dJxXzl20VdtDNJAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzEyNDgyMTY5NTkzOTg5Mjg3MDU1OTU3NjQwMDM4OTgxMjY1\nMjI4Nzg4MzkwNzUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR1\nXFIiQHjsNWiAOphYCHgOTqCcaBmNGwzawuh7SMwS3hzslCe3Y5yTZJnwllIcNamr\ncznQBd84xXmuPmBkVw2do3IwcDAdBgNVHQ4EFgQUZu3kQuI5/fqSesLFKdUST/O1\ncPowHwYDVR0jBBgwFoAUKsaicPSUfrhIF95fzjKfDzZxH3UwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANTILSGD1+WB9RZ4xrw0T3pXHgwFKRWSG/gvBOdo/osXAiEA99fXItJY\nGFvs6RmzHCUXA8cL7zJm4IoEgEXbO6+A0V8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeZYekUlWpqkXig09xnAk7NVEtnowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjJYbikwOSFX50F8l3EYvhN4f9DcjjpOzhzawZ\nKlBO1dKDp2ZFjtA5Q2RJ61Ls3SwS9X6UH+h2v++tm7fAJFSlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWobie3DJNltro7fy5Aa7bDkDtogwCgYIKoZIzj0EAwIDSAAwRQIg\nfgyUAC/oFYS5vkFWKUjB9S/VdyA6olFOrVnCVrIIb0MCIQDzCzEO4d4fk6DdTso4\n6pJX+GajtU3gl80YGECmiQnFFw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUb9Lo/YuDFXGdLa3UMzbIKrXxrJAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEI7iP9XKdekwJs0GxuL9uQe7pDEjhnWnwHxrk\n4Fp0Ob4z/Aq7tK1Viq4nANa3dbaPhMzBz/rF5jUvffXxz4OWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEg5jPQ77ebVDpFeJlomJJF4ZDeIwCgYIKoZIzj0EAwIDSAAwRQIg\nNpM4vZqBTLumaJvfcKYA+8LJJ0cs6hCucRm48Nli6ewCIQCRuxvZs+y1Snx17ICI\n73SzZn2jnGJDKga1RJd9eqa76Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUQtuKAEb4+y9e29B2n3l1a7XiNngwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTQxMzU2NTc4NTY0Njg4OTM3NDU4\nODg5NDIzNjYwNjM0MTEwODM3ODAzMzkzMjIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJhU0WF00mQ26wL9U76s4yUhbxEXPvMj1FB/O3b5UgERNZcwh1N2CZgOR5THB1RH\ntRJObIv4n8eIbnziDdvWzwqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFqG4ntw\nyTZba6O38uQGu2w5A7aIMB0GA1UdDgQWBBQOnrZ4TdPhzsFrT2xkRHUKXVYsxjAK\nBggqhkjOPQQDAgNJADBGAiEA5NEVsgXFxBNqSu4RzuVbbxfKL2nteaDZntYC/JhH\nyGECIQCaZJfxtyBQDQ1DVU1t4EhWvwS8wiJv2jewGMnwafxQVA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUENCkDxNYzapGFxFMYS7ZmiKmeFgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk0MTM1NjU3ODU2NDY4ODkzNzQ1ODg4OTQyMzY2MDYzNDEx\nMDgzNzgwMzM5MzIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDM4MTY4OTI3NTY2MjY0ODk0MTk0NTE3MzI4NTU0NzQ4ODAxNDUxMTE0\nNTg5MTQ0ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENOAGV3uueIJ/3lRwm6KqqZBd\nt5lhLh6fFOiAuZiarl+T9kku9d3Jbo1iBgu2/SMCB2wc2n2EIyJGnq3NSyCYHqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUDp62eE3T4c7Ba09sZER1Cl1WLMYwHQYD\nVR0OBBYEFGeXewGkTZwBau93fk9ydkqFHETFMAoGCCqGSM49BAMCA0gAMEUCIDJn\nClS7Y00XQkUoxXtb5FJe+UkJHDsLc5vz6oIzJSP3AiEAzqR2qxyi6moCVLjPzPrY\ncNy84hOn9zivxsdK0Qz5F+w=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUJyk+Yv+k9S8QEf/e+YZJvoQAkbIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgxNjg5Mjc1NjYyNjQ4OTQxOTQ1MTczMjg1NTQ3NDg4MDE0\nNTExMTQ1ODkxNDQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzk1OTk2Njk4ODc5MzIwNTM5OTIzNjA5NDA5ODIwMDA0MjE2MDYwNDIw\nNDU0NDg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZ8HKHBA/SYoXTFM2E/ThaVfnc\nYvsptQg9JkmkbftsgcVTQm/visxbWXJJY9pdQw/5kDD9o6OdkAUtmsOP6iyYo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRnl3sBpE2cAWrvd35PcnZKhRxExTAdBgNV\nHQ4EFgQUtjkFciqGivJUyOZsVKzOznYV4XIwCgYIKoZIzj0EAwIDSAAwRQIgT4qZ\neh2RNHjySyyxJ2DeoqPe0WcKrkv1TSerRQ5DUFYCIQClgLV7pzjcRlnCHvAyioF+\nmpBczkXTgPjJUPSKmgNu9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZtLXL2tX9/B9mh4eRAchS/5QG5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2Mzg0MDE0MjgzODAzNTU5MzQ2NTg4\nNTQ1MjI4ODg4NDM0NjI4NTQxNDk1MTY0MzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJWm79+Rip6cOMMZH01538gZKNQSwRixg+psXTuTUlJa7YbBe3pf3djUU5d67pRT\nEPYAX7rBiUHJPrg/CUlXG+ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBIOYz0O\n+3m1Q6RXiZaJiSReGQ3iMB0GA1UdDgQWBBQGJyFKullTawBOIMwPw9B1lOpz0zAK\nBggqhkjOPQQDAgNHADBEAiBcmdp03LHwO2QP9/HIhkFA0/9jXrjepGDN6k6YwQLQ\npgIged0Gafe9tiLlGLBeNyWt2UxDN5ioBnCFruGUO5TOJ1M=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUf9dUCpfGYZKnrN6wC3muYYtGiZ8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4NDAxNDI4MzgwMzU1OTM0NjU4ODU0NTIyODg4ODQzNDYy\nODU0MTQ5NTE2NDMyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4NzAxODk2MDM5MzE1Mzc5MDI1MzEyMTU2MDExMzI2MjUyOTU0MTk3\nMDA3NDUxOTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPkhJUhHTiSGi5anSwp+CazQ3\nKGim11KJviZz+QePbSDPQ94Rv6YwzjCL+TZ9FYKxP5MWkpswT1dzv614cHpEmKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUBichSrpZU2sATiDMD8PQdZTqc9MwHQYD\nVR0OBBYEFPaxteQMJO9QitJvfsRge+q5z/dwMAoGCCqGSM49BAMCA0cAMEQCIHNE\nR0uw99ZsTaFjtyxa4mihJ1cSX/vCsunUfHgxuRa3AiB+RAirU0NQNweLU7TKFjVc\nmg78HJcnNy+h0h+cJ6kVaQ==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUFzS2AIj5MEDx3ATXWVrjiuM4uUYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg3MDE4OTYwMzkzMTUzNzkwMjUzMTIxNTYwMTEzMjYyNTI5\nNTQxOTcwMDc0NTE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDcyOTg0MzgwOTE0ODg5NzEyMTc3NzU5MDg2MDQxNzc2NjkxMDQ1MzYw\nODc3ODE0MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDe41WEgMdtK9YRaJxmkWknVj\ngU9plTguyzSFffDNQ278xhReYiqiX6a2TzYeI/hrGu+4UOti11HCKuK6m7IafaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9rG15Awk71CK0m9+xGB76rnP93AwHQYD\nVR0OBBYEFNwRvxlyu6MGWGGWvWfgbtdD22qpMAoGCCqGSM49BAMCA0gAMEUCIGIA\nDmnPb8UOB1RK+jCB2IHbF11HPpNTVo4FAgHFIru/AiEAkYYrtEP7NwfOuR3tEN+r\nLn1xMVuPftTjkR6iRWjo1YM=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZqgAwIBAgIUQUOaEfWr35GpnGtwM69DbROwNccwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTU5OTY2OTg4NzkzMjA1Mzk5MjM2MDk0MDk4MjAwMDQyMTYw\nNjA0MjA0NTQ0ODgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNUc\nlbkkc/hrfHETETaDljRmeNU1T1+0RdlEqy3f/m0oql1DSy/9/2o9Lhunoc68XHhR\nVCFZoY6+4k8hRvvxhxKjcjBwMB0GA1UdDgQWBBSfNZ6j0zUNmEN9l0mAbRCDeb8q\npzAfBgNVHSMEGDAWgBS2OQVyKoaK8lTI5mxUrM7OdhXhcjAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJ\nADBGAiEAmXeO6hm4CHJEgt33TtAANX+W/TaMrbXY1mqDOWZSuuYCIQDeyxESECCw\ncc+Mwl1T0ChGPLZP4J+EJ35VWWuzcFhGPQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUWMZWyWi+4YRInuX2ucTjVlfTSVwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI5ODQzODA5MTQ4ODk3MTIxNzc3NTkwODYwNDE3NzY2OTEw\nNDUzNjA4Nzc4MTQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATm\n4UFPgtxtHAl5X7l8lI6slQWqqOFh5066fZZkBROXdI1IdyVxb9Tk/2w8WT4S+QE/\nCjWKYX7gb24r+0i4U3TDo3IwcDAdBgNVHQ4EFgQUU3iXvGSEQ6hw4a4hVm2CLRvY\ng7EwHwYDVR0jBBgwFoAU3BG/GXK7owZYYZa9Z+Bu10PbaqkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhALUDTASAkpv+Zz7SPhriDDhfcijfs1AquhSqR4aNvKkGAiB/IkEFmc/Y\nxN8QbaNcYdlaY6I6eOuwtIJ/JnyOerU4sw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKtdhKal3t7DIPRIIMXr4eDIiSb8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQo9FMV2DTRn/ljGU08vDSQTitJ0oybm0ec4iPP\nb/pOtIuN3msYhA7rOAW9/kzGMTzaFP+53+ZMt0/qGClt8I7oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU12OUSdTIpACIIgOLU7M4s+FB/4wwCgYIKoZIzj0EAwIDRwAwRAIg\nPVOSGK3opm6UzVgB3pVNLFRowHmrI724+ILn/R3Xd8ECIBmvtYWum3F7PxIR/NOj\nC24OpmXLAuT+l7D9/stwGI0W\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH7/iXqE0ZL4DdPToKnpSoBIe5y4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHWILDjvSc6ovs0lFWn5l72mXNiB7WUl0emIsy\ny1xStpfqpB6ECdaA+xIhJ8FFA4oOw5/ygx7J7luQN5jOEuQFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUokDcxoqLjEg+1CYq0jEh5w3K12IwCgYIKoZIzj0EAwIDSAAwRQIh\nAKn5a8Wgpt3y922B2icKhK+KNbmpHqDDassmKIy01/phAiATxnl3cR/t3Jn5bAx4\nMi0ue7RLMdm/FwEsmml556CTWA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUT3fc59yYjajVLeOLT9XEfeON/H0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNDQ1ODA3MzY2NjA4NTg5MDg3OTY1\nMjUyNzYxODA0OTYzMzc2ODYxMjgzODAzNTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO8jlLBLvEb4V9qrX5+aXNl++5F5j+OTI3HTEyNRm24LO/WRZVbpy8z1kpQaPHOJ\nMJRw6drRBKQZSl3+dz1dgaSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNdjlEnU\nyKQAiCIDi1OzOLPhQf+MMB0GA1UdDgQWBBRotRd/qm4n6wp6CIakIYxcQao47TAK\nBggqhkjOPQQDAgNHADBEAiBoLcF9dmzuPcVDezkObAD0nvBHiNiTpMt8FnGhl1GT\nAAIgS79/aGtAGC/0hXYEVOHr0C4O1G7fokjU05MN5/nhpP4=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUZd1boBi4gQnCOyWx4goMViZKWa0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQ0NTgwNzM2NjYwODU4OTA4Nzk2NTI1Mjc2MTgwNDk2MzM3\nNjg2MTI4MzgwMzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI0NDU4MDczNjY2MDg1ODkwODc5NjUyNTI3NjE4MDQ5NjMzNzY4NjEy\nODM4MDM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMhTHZj2GqZwDe2CPcWcjy7m\n5fYoJ5vDXiEhuKgfdbJJOOGd3DMpd9zYcV/ax/UPLP3UhmLXBlJuPxH8IPH9YKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUaLUXf6puJ+sKegiGpCGMXEGqOO0wHQYD\nVR0OBBYEFFI2GaRrVu25BeXjMdE5PYIxuJhKMAoGCCqGSM49BAMCA0cAMEQCIAon\nlwec+yNrBxu7afe365WUW/uwePIATaNA6JzWCb1DAiACVrzOFnSO35mhqP4Xfmrc\n1bl8YscatDsveQ47gF45Tw==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMxXXHsJIzSgch3EUlkoosyFXGQEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQ0NTgwNzM2NjYwODU4OTA4Nzk2NTI1Mjc2MTgwNDk2MzM3\nNjg2MTI4MzgwMzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4MTU0NDUxNDIzODE0MTAyODkxOTIzODI0MTc3NTQ2NzU2OTA5OTEw\nMjExNjI2OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXJmLSgg2K5cWDGMOIJZAY1oZ\nz35w5iOo6ubG9500gVcx3vAltA6e5hDHX1Mm+nXVYeBKMRA/w8eU4LR9v99x/qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUjYZpGtW7bkF5eMx0Tk9gjG4mEowHQYD\nVR0OBBYEFBYwAYVIHganeIenmy3ZFzuRadN2MAoGCCqGSM49BAMCA0gAMEUCIQD7\n4YhVL0i+Af9wQWCTULpM7ZJsDiszrqUjocG0sI7TPQIgBO4i7I9+9o+ydUt1JUZt\nh9fh8GpQcyqqfrhxV1z/F3k=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUOdTAK4sBIXGUftZQEZETkSYlWOQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxODEyNTc4NzU4MDU4OTkxOTI3MDg2\nMTQ4NDEzNzY0NDM1OTIxNjgzODMxMTMwMDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ75A3Nt0iHzhfTpTtgCANEfcfHrYDR+MX7WpcQzky/HT4w7vE0lIuQwvWK/mOnP\ni6HPaS8GqvPzWGpPyUa0jyyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKJA3MaK\ni4xIPtQmKtIxIecNytdiMB0GA1UdDgQWBBTMU0I8PADj2TFnXT7fv978cohMRzAK\nBggqhkjOPQQDAgNIADBFAiEAuOxLEAmZD2Ogl+GMlF5f5aLcR7fPaQN8lDG8KQnz\nv58CIGBhriEkrN+Wl9MKPmYyPJeZx0/YexqDjsOeIE6p4AWW\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIULq8gfGHhYEM5Y3W/Ri8pjPVFNZMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxMjU3ODc1ODA1ODk5MTkyNzA4NjE0ODQxMzc2NDQzNTky\nMTY4MzgzMTEzMDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4MTI1Nzg3NTgwNTg5OTE5MjcwODYxNDg0MTM3NjQ0MzU5MjE2ODM4\nMzExMzAwNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEb+vHIu99LBwZXUaCmHLuJH7h\nZjcbUVXW8SSEOGXYQ12A2sqT5ShN9LmV8zRfK3OnihFddNeWQm+6iNZeRyDm0qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzFNCPDwA49kxZ10+37/e/HKITEcwHQYD\nVR0OBBYEFB2/paumYb/tDsZ42/lclqrTCw2BMAoGCCqGSM49BAMCA0cAMEQCIBEr\nrnqs2K4rNbAO+X4ih3PIuX8HpvYN1pZBOEzU1St+AiBYwLUu2UD4yYQYUY1PTioj\nETwDSr/ZjMYJoszjU88R7g==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUBCbJOCHrpL0MpJY0G+S1P9Sy/gAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxMjU3ODc1ODA1ODk5MTkyNzA4NjE0ODQxMzc2NDQzNTky\nMTY4MzgzMTEzMDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI2NjUxOTAzNTc4NTkwODEyNjUxMDQzMjQzMDY2NTAzODM3Mjc5MTgy\nNDc1ODE2MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6m106elehqB3dRb6EoFlNVqP\nsYLCUNNOo44vKwWM8zuZI1JCFdN2amDB+n3LwDXiOAHHFT40E41Z8LziF/ca3qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHb+lq6Zhv+0Oxnjb+VyWqtMLDYEwHQYD\nVR0OBBYEFKs+Q5cGHu20FliXkQe00uHBof1AMAoGCCqGSM49BAMCA0cAMEQCICJ0\n3Abb8NtvlKVfsmrcGR1i9R1lAJ89E7z//1jGrt7rAiBop5r2k/3wt+gZPCGiGBoz\nUWx3TJ+T4q/db/ysMzWF2Q==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAY04ymvcCUH2Czss9LtelXfSv0swCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgxNTQ0NTE0MjM4MTQxMDI4OTE5MjM4MjQxNzc1NDY3NTY5\nMDk5MTAyMTE2MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1\nTHrR6Q8zGYjlq4VSwrNjxVKlSt39rvDjxCLe6D833wf4Ma2VSOwVhj2CxND7Dw5j\nSZQsXNiI1chAIfPB/dv2o3IwcDAdBgNVHQ4EFgQUTJlq7YKDbv0wp+LhU/w9WYDL\nGd0wHwYDVR0jBBgwFoAUFjABhUgeBqd4h6ebLdkXO5Fp03YwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgSIOMA64rpAChMelxx/E8YGQ3gT2YYriARNvtA5IAzicCICWau7aYVcJ0\nFebvhZRUOB50PQgEwyZhDPChViisXwwb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUYNUZRkiZU9P3VBmlMqzjRjj5oLgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY2NTE5MDM1Nzg1OTA4MTI2NTEwNDMyNDMwNjY1MDM4Mzcy\nNzkxODI0NzU4MTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQl\nV1NDSB6b/Sxt7i0h0E8e5qzfJnFCS7C/yCWeZGsFSQpaW4LjJeGu7RzsZ1gWIhPw\ndzNbSiW0J37dxBSqtkgQo3IwcDAdBgNVHQ4EFgQUUUfCJpIFzqXdMHo3e2Ml6rKa\nKz8wHwYDVR0jBBgwFoAUqz5DlwYe7bQWWJeRB7TS4cGh/UAwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgP6BlJvVPkdRefqOllTT5DGpwj/qeSdDNfVK5U9KE6o4CIQDrGmD01Hyt\nqQxi3q/BwetfSz+bdLJLPYW8NsiuaIw4ng==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUZa04YC+70gyUkiJFd3gBLydY/DcwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqqrQrnlOcGqN\nkC9V35FPa5em/OzbwrobZE0MJTEK3c0uUrUQuaIGyIjO90OANNkWlK+MKk3bP45E\nbPR7RuB37KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKDqxDrPcrm51py8RwOfmxiwtXbC\nMAoGCCqGSM49BAMCA0cAMEQCIByI7kBigurqwNNAhb7H/tY5mdv5J0GUf4bFZcSV\naSdoAiBzxNehVFNVbrJv+iXnQivz9juafRqU696uoeEEAT3lvg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUUjTrELZehLm3Y551YDxcDxejMQswCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUxUXyUlsU8n0\nym04iCyo4oMd7J2vVH+apZ2xoNTaO43xmbM0z5KuetGJVc3NZnHggxfR5edkPMbH\nryQYgKCE3qNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFC1BC71o13YEVMWNofMbPmAKukWo\nMAoGCCqGSM49BAMCA0kAMEYCIQCXZgS2WmiEk1b8EVAwWbK17b+j2wDD85QP4Hfs\n4VP9WAIhAIr1tTxxB6AAysXs446N7J34VCbpSESHoLM1sHMaVvDP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUugAwIBAgIUfCMtcxMw33pdx4KlQTP56NziCKkwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEhuXipZNqjKaPPo5eRMrHp4vbbjkRr9ftD92AzYrzy8VX\n3Qf6tAprDOVY8PkRkdYswXN95cpyD1b20cPddS23x6NyMHAwHQYDVR0OBBYEFNF0\nsqWh3oOcvaBC6HU0Jvd7lehSMB8GA1UdIwQYMBaAFKDqxDrPcrm51py8RwOfmxiw\ntXbCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0cAMEQCIH3BeacAZ8G0fwan6vb5+cgt99cFuWBo5BOC\navLJeQBjAiAxPeNTdzwysK9RIadteSK8QZlf3UTnYq6Sr6ycy1HcVw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUXH6llF8pEUNy+WlndGXNAIFx1IkwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEsh1iPj7gVEBERGn393Dvd24jmHp4vxUxTdyUEy72qkGW\nOF5/B7gRBpFwWoxlb+R3JMG/+Gb48XUqxCfwsKUSQKNyMHAwHQYDVR0OBBYEFBpg\ntWx31hTnVduLi7lxy2jrnTcuMB8GA1UdIwQYMBaAFC1BC71o13YEVMWNofMbPmAK\nukWoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIDZefM1jDMzRzunbqfNH9D4TPVKDPbkpyl42\nT6gvupjaAiEAgyO4AUyBNUE23973Pz0uV7R/Hzr9PAFzQmqg6NdjxNE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUJ0AVHD51+YrUeMlCwFAax/Qg2VswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7yOjjbaQ\n6r/kgWSF0f2x0ay0dUC2fIghkAC5lNE0Pk55Ngzpq1VEtLZucFrFyO51t8WmDuDI\nIbjCKvhyb4runqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFM0LDm0F3hoAsw5LTdQMfKXT\n5rGnMAoGCCqGSM49BAMCA0gAMEUCIQCEAiwGNmT/0EFbV034HZmPfSPzWejWuOEt\n/ztqpnQbPwIgMDel7MXCfLHdj5WIX78rO3URD7PAyX35GqBAcXOXRqI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUTLWmeI+XPxcg1mn83tioWbXBb3IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOR6uNoLZ\n3218jriIATcpHDkV+LY+zvK1al7Tb/8pgETQyL+iSv22eTjAPEz2s1iPj02n0Re+\ndRo08POMvTqstqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFD2gR1gjGAzyIByiBzUAs03H\ndkPWMAoGCCqGSM49BAMCA0gAMEUCIHzsV3MjxtZPDeoH+BBIBnChrZR5TKvA+xAU\n3KCv620cAiEA4rciZMeYY+t8zdVnm/0A2qLvl1OFnwXR5TAIqGrQbME=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUarAngXv1rUAxY107z+KOBTTOT7MwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDXBUiPbmCR3\njwDNaSl5qFPKkoHOiyN9Sv514RviClEIWuCQ483DJTnD9FHyBVRNs9utszpoMlb4\naIpaZkEYoUijcjBwMB0GA1UdDgQWBBTNumJXlZCroaXBMOz0Pm3+hLvJ4TAfBgNV\nHSMEGDAWgBTNCw5tBd4aALMOS03UDHyl0+axpzAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\ny04Im9W4G+gD+29/kFF39SBy9aBnNsmx4SnSXYZ+GV4CIQCMbVQ/i80V0FnMna+C\n//mm84zGZBPZy5KDhqeUZPLrJQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUQisuSWa8PDhSVN/v4LvsYgDUBhwwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABF78g8F5CUlu\nK2hPYoldOAsc2j8iCpVb3M8Z7Ton75itDtZ/njLZUaLX7wgM9x7aR/VAqPq0LBij\nPwUe/HQHcECjcjBwMB0GA1UdDgQWBBRXH4h9Nm/V4jy+3vRFdASvMqH0PjAfBgNV\nHSMEGDAWgBQ9oEdYIxgM8iAcogc1ALNNx3ZD1jAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBS\n69fgI7ptgeE3BxKdIy7SdmhKeC45PektcTK0z+TO/wIhAM6F1jQL+ZqstlWhAYhY\nwtIDcve7B0Ql27+cn+BA9ZnL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIb8J0q0T7VNqZz/7yHsBPlFoAWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXrqq59E1DBJpdYPQ0sqQ0xWJI2sGyt4RcVnCa\nuWhyp86mAstUp6s7/Xeadwla+wkkvg9Zk7zB1Ev5gIbazUCQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgZaATKq+/xb0Bh+3Oogec4c+UXkwCgYIKoZIzj0EAwIDSAAwRQIg\nao4thbrtM9z52dG+UntbrJ1ix1jrR6fWwWIog17WUUsCIQD+yt5rrs2H2odOs8jG\njAe711MFhbwGq1CKmjjRB5lS4Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXTpjKrV6JwbmILkW5WsaADcP0lkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpirmRVCKAoZP5Q32R7AS6o8iI5X8pSAZJHqn4\niNsSdGL3Nul3Gs+c6/DvD79wUFQvpgofmsxrHX3F7oOOxcAao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3WhC4a+3/iYr+Y6n+vDlZI7iCa8wCgYIKoZIzj0EAwIDSQAwRgIh\nAPCmOsSleACVu12HIoeH4zQh0UofoptFF63r1Nv9gxIbAiEA4aAeaH5pMf7SU7rq\nchGFwmh1wuACCEy6TGt+fgI6KbA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUT79OR3h+dVhqN17MOujryou9ExAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE9PYgJ/Cqai4HIwvoMkd25zvVR18BJI5sGalcdNYs\nbv65Rg7YN1SR570gXXDZ1VLk0znRhekU/dUMkFhGTZropqOBhzCBhDAdBgNVHQ4E\nFgQUvFMK2r9rO0K7/EA9EbL5DmnLYV8wHwYDVR0jBBgwFoAUgZaATKq+/xb0Bh+3\nOogec4c+UXkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNJADBGAiEA\n7uLL/x3e0qzeWbH7wTuLqU9dq0p49rXv+QFSCFBKws8CIQDodbJTZX0xdIfAJ+dI\nfs5XuZvwe4gdXpb3XU5nfxr2Vg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUWpvO+MDPMvo74UZ7lFCOebO3GlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEjidJ2/7eQhNphRJBa7FnO7Y+Gln9Pqd/A15vsuwd\n1wlDQ+WBK3rKSjf+0CAh+MUYNzk8rZvsmkwBJaNeLjYWV6OBhzCBhDAdBgNVHQ4E\nFgQUcepNkd7TXAs0EQ/wZMWF3ctleOQwHwYDVR0jBBgwFoAU3WhC4a+3/iYr+Y6n\n+vDlZI7iCa8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBP\nZRC43aGEB1MzpRaxdgAr8yTxASD2oijEybclmeogxwIgU2wV/PowhsxaaRrcSJy1\ncITdbf1E4sExMLFYNzJiiy8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUdxTYuELlL8wzchrGpjQ4Y6UsK1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6mH5KFngdlqOoWRYU2EcvLf2aPa+wDrVuhRm7\nBmIIlHSLoq6ey/9IOltqdOHr+KCx1ISzwtfYeLg9AKjS/Lrko2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULWK1/kmHFUQxn5DTi2IExsaEiaYwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiB1qTtdv5MC4NYwwGV+wsWeRw7DPAqDC99zxGXQ\nkUdm4wIgSUShuZJBUFC7n4Drx862BTsavQMfywYBeKS7QGVW3eM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUe+J2q7H0z0cYZ9a/dc9zOBE2iFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGgfzBsjP7ES1z8h9M/79/+qLoXXjXL7lApGiZ\nURRh/vtR6LOYGeLiRDWVKjYlS8o/8RFB2+IFF0W+KSE16Gv8o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6dX/95dlJMKuNtfKLeKKlcsh76wwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEA4ne0Sx0FtVMdFfIsodz2O2vs1pB9qXMR9Wr/\nFKlrNWQCIQCx5ikzbjT5D6/kzBbln4y9PHfVmTCcEyf3QK0xhREjFg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUd7Ic8ASz/J1HtDS0ekG2Aw5XiGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVPDuDFYj5k+yVt0msVyINUXOJIiSmr3nHBpNMqs7\noGkHmsg/D/is+GzP7R7oC6q5v7MAqN1M+7uCxP4/628WraNyMHAwHQYDVR0OBBYE\nFMnRAET0Up7MC4tuurVFeD9JCqriMB8GA1UdIwQYMBaAFC1itf5JhxVEMZ+Q04ti\nBMbGhImmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaguvLuREd0NM+OdPCwtsN5rGpul0r\nmosMrHceVcjDJQIgZPhdRr8HR15pMCjpFBO5zcIWeGJhtc1ZBwcrU8uikUQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGy18NAqc7O1azhGfQeLxSwKKea4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElIc3+9OllItfmfahBV1+Rjmw+aMDmhxjdq1kK4b7\ndUtB9RYi1Wq7na91za2aecG45f5P4XQvMOZfBGW9QwBNJqNyMHAwHQYDVR0OBBYE\nFAlJNOBzm14HGd9qcJr2KqLInX05MB8GA1UdIwQYMBaAFOnV//eXZSTCrjbXyi3i\nipXLIe+sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCQFSmr4P/kZ76IqpJhS3yRPsL0CiV1\n1ZKVtJ6/xuzOEgIgTEkWNQWBQ8zAaeChWSFevvMpK9351166+aOb2PJoc1Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYHv+ewml/DddUonCoxrbPLbBawQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT70MawMiMSGmUtgZLBiBuveTZFoE1H3GAgtKT+\nLJu+kn+wictmKoTPpFcR33A/kZgKAVVsidMB/7/eNCg6B4zXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdEPH+DUrCZySzgoLMJhSx2oExAIwCgYIKoZIzj0EAwIDRwAwRAIg\nblT5Yd4EsBKEbGTBkXed2K1cP5krpxBXS3GLCt02tZgCICwaNkQ1ihDxcrlS/JdX\niXLTUF/UArewsOkmKkf5efyn\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXWFPsJiIoLRQpEZ4iJ8R/I+jzk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6xogAYuMR3JSatG3cyzjwt9ZbuKtL3ZHYsfJW\nV7FzMchUydzbRoTEUb8bCYGgbkg+hzhep+cVSi9zdRTW022co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvv/onk6rFJ78lrDhppWIpf4DsFAwCgYIKoZIzj0EAwIDRwAwRAIg\nNTlZCCgpuO+TEFTzc8CPR2SlKJAIphCxoiCOIZ0GJwICIGe4XRxlwe2a9yhKTG63\naBJ+aDtROSKh8MqlS90y7Dj8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUZnF+ZOLxNoaoE9xdRXv4kumUrE0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NTA4MjgyNzQwNDY2OTA1NTU4NDgy\nNDMzOTAzODcyNDIzNzc2ODUxMzI5OTUzMzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMV1oxhm4x5XqMQvPLmNcegB/MkDCqLG2A6ws9bHYShVvpfn9SFDYO2QYOyHsq/J\nMS7HLXbp0MmijBeYh0VlVJajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdEPH\n+DUrCZySzgoLMJhSx2oExAIwHQYDVR0OBBYEFKo+0dkZyPR8wt1F2kEFTcMjfBUv\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAKy/eYGxYboJ\n2oTTXW6+08ADNenGQI+/Gg1UrWQIxYFZAiEAgrucvsLnPRq5D2Hhtm2tnCmSqnC5\n2SfJMVM060TS1bw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUYJNsDsMSNR0u4rfPwHVD2yoIzr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MzMxMDYyNTU5MzM5MTE4MDA1NDY2\nOTcxODE2MzI1OTAyMTA0MjMzMTg2Mjk5NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMTT14irhRuS4J5BcsqkEBrVP6kkJbJMQbYmc1lz1AAWMUHy56KWGcTQPSOKHWuk\nE4VceETM7MELhAXQ7F+qoS6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUvv/o\nnk6rFJ78lrDhppWIpf4DsFAwHQYDVR0OBBYEFEciiZxX+rfYoU4mqIRPVkbrIcMF\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgSaP1wokSQU3N\npx1BtcPYP0SIUG/XRw2K2H8TuNduudwCIQDZ+zvVwDaMTZhSN515Es5KYcdkB+cS\nkSEAwXfYNNn6DA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUKVW6biGpyG3FyAQ5sgN0xBq9NZ0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTUwODI4Mjc0MDQ2NjkwNTU1ODQ4MjQzMzkwMzg3MjQyMzc3\nNjg1MTMyOTk1MzMyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQd\nJYHO+iZ08T/UeMUdbxEYl5v/FcpQIs/BOGbS1/HLQcVkHGkDsE2LXQ4EabzeJwy8\nlAR1OZqjegIlJXUTBo8to3IwcDAdBgNVHQ4EFgQUmZUwZL5S7T65Q6kDX7wlaHYe\nkbowHwYDVR0jBBgwFoAUqj7R2RnI9HzC3UXaQQVNwyN8FS8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKdzFfA8ymi7tx7ILc2hlu3idBRj0EwaeAr0I/iM7rw1AiEArZHyoILZ\n/wylSOCJBlJLnNhGsZ07ZNcccC/tS+66cy4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUQXrHpmCFcDlioAHzNH4YD9H0QaYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTMzMTA2MjU1OTMzOTExODAwNTQ2Njk3MTgxNjMyNTkwMjEw\nNDIzMzE4NjI5OTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARW\n0T4Q/uYFwv3ULxL4DEi/SRBq3m87WE03tTz8qhYdoR1IJCJL+fZfJyUixd2un1s6\nqNLHrnYWLb+R8lxLVRjlo3IwcDAdBgNVHQ4EFgQUze1Lg1varJtv80+eRsyf7wWX\njI0wHwYDVR0jBBgwFoAURyKJnFf6t9ihTiaohE9WRushwwUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKOXPqeECdGD36CsDToznBoXCnY4Azs8QMZrpNfi/IvKAiEAihAG1pvH\nbzV6f2LdHGTS01UexU7uwARjJgpVPEa6xzY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUUu4bEpAFb5hic+h+IzCu6mHc9EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShy1i860NhBBKi0jqH/Isgi+abxUKBxJYbLqUD\ndHFpIeDjO+oNmlJRPHSgeZAtUByWls1dXpW0ENZpnF+Z4g9lo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBSCrL6bF4AAvWIpVfRSayEIuXV7wjAdBgNVHQ4EFgQUgqy+\nmxeAAL1iKVX0UmshCLl1e8IwCgYIKoZIzj0EAwIDSAAwRQIgNCduBAxQd9L5VWqI\nuDwF16/yvCVgP1n30SSpab/3REACIQCiMvmp4isFJB9RrMO+r1dE0CitewnAaq9m\nWUqheLmmUQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUU29xx7JciTZbAnHF9c3Ozqvrr64wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1zQFrFh9ydrYwnHrT1T1ZZom0UwN1so9g2hMs\noVxoJKziN28lO7BJOKvAXT/di64an42N8r1/aIm5KanH1um7o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRVNV/2UyvCHXI0A/qU77g2hR+ggDAdBgNVHQ4EFgQUVTVf\n9lMrwh1yNAP6lO+4NoUfoIAwCgYIKoZIzj0EAwIDSAAwRQIhAKWSr6G2eDPiEFB5\nR9t1ELhkybJHzwPTeWS62SB2HfDXAiBzXZo008jUjlF6AV65uic9swpXqG1qrqH+\nO5lSNrWgXQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUNpaIXIuej24kZ2AI5ws70o0x7a0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEX6BEQnhwsKvoK4PdpPJkC5GITUgSH7njGZBaSBUm\nCsw44dSWakfuG0PzeMGJ0uFyec7sliAK02vL+3hCAZOvuqNyMHAwHQYDVR0OBBYE\nFAS05bnmDpnVPE8QtkeNhGdKDbdWMB8GA1UdIwQYMBaAFIKsvpsXgAC9YilV9FJr\nIQi5dXvCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDmQF+3lqLvQG6wdj2vB9L1nmhB9OqV\n+Rd+3h/9FLQrrAIhAPsa6ET122tGt8ao/y8INS5T+qYdXI/dw4+L1lal1kfi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIULtaKflIUfEdr9unwLLzM5rMvAMcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcZBFQnonGVXeR2tm8wFvuEoRWnHrvYUVdDe1sUg2\nqD1z3FujC24Glgf+R5GgZ1UubDHu6Es6Pzfu2tTBt2nlNKNyMHAwHQYDVR0OBBYE\nFPx4BZZW74jiZOPWUPwvxCbDLyQ+MB8GA1UdIwQYMBaAFFU1X/ZTK8IdcjQD+pTv\nuDaFH6CAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCyu3lAQfK8TurpV/Y/3aAQHzR7hZQZ\nR8paF5Z5qlevDAIhALnFxoukC377vh6A9Em3eqfQvsHgCd9kt7IY9kM+Xowc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfLn2zJzH86GuhkdPD0G/eEgNHB0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuou7udetoso7UDxiNamwjskK7XHqspKzLTGNO\n0gA6HuFqXzgldR1QQZpnf1P0m5U/r0HOcZpp7+0X8gfBSrDno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl+ojIECfj9W+UBQG543Mu3DrMfEwCgYIKoZIzj0EAwIDSAAwRQIh\nAI1Q9EG1Ovep9fRZO/TTmmkjr5iq80Pogq7u2okLoBJLAiAdobXog4SyyYI1ZqtD\nAC40GQS4OGORa2MR7Rq8juuqJg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCSY2G8gsQFx4SlbEj4CBvRdLGvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyKUNVyNZkyBZ7A/hpylZ582RWc0aVdzvyLTPc\n45I5+EubFCSkFqJiLhTAU4ANrYMu8j8DpSdgnxleDCuDLGCYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYI4WvxrtlmdII9Flw34zeuitHFIwCgYIKoZIzj0EAwIDSAAwRQIh\nALTG7vsK4i/YaDrAxpbIDfTt++1AVqvrCNEfkp68qJ5hAiAvN8Z+vaNM7bCd+g4w\nRIsXR+3gkdScZlfT/ZnIR1waEQ==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUX07XsyLG++TWHAMmYoUyCWzeB2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVSf71D3/2dUmy0zvrDuNS4k/VMjzdw+h1Njh0LZ8\n/1XA4wj/ViK2GbEoRJ4HTsgQp9/GRbQ4IuUEu97y0PlFGqNyMHAwHQYDVR0OBBYE\nFD6524/ywRS8Kqb4bPFJ2tZW9dO9MB8GA1UdIwQYMBaAFJfqIyBAn4/VvlAUBueN\nzLtw6zHxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDRKqfv//NhTAsCsIoAaff6MEbxpc0p\n1sbhJUfueGb4fQIgNXBuO1uYtAJUopCYa3IXDyWdfKvDiN1izsHk23Pk5aM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUDK2lH5poQZdmFi4tCdwo35oEUcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDo04QWVyHcCUiyJJCPhN0iZMU1eC/WOqoCrGd+ov\nqqoc2xD29XJnBEq9y8guSEPc4re2V/l6HkFmHquyJCb3o6NyMHAwHQYDVR0OBBYE\nFGgVCUWLDuXWY8zW4PeYTttq5rGuMB8GA1UdIwQYMBaAFGCOFr8a7ZZnSCPRZcN+\nM3rorRxSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDn7dachtiQoQyN3G6k1lmR4sVGEDBY\nSZkvk+fdujlSmgIhAOaj9kLAFU4GM0To1LxqrSZCWMVl1XzRwQp6Vjqv9a5q\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUQJ7PHeNrVJyEiSVA5F77/7jtQDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0OTMwMzg0MjM0ODAyMDExMDQzNzU1\nMjgwNjc3MzY3OTAyMDQ0MzA3MjQyOTkyMTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJzXfgVCXQLxu1WodzlH3ZBubUWapu5Bh9frXxVf1JibvcvQfjj82oo9AzvNSxKX\nrLFIOtMXP8l9c0Aru7dPvY+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQONi1l5Fqm\n3kFU84oz0w2PETsYAjAKBggqhkjOPQQDAgNIADBFAiEA9JUQfNS5kPbyV76xiOFI\nTR7+jLkHx5DSS6kg3DMymXgCIFT1QL8QNJI4sdtZ7Hi9wei8rqvbKe1tmMjfOAtz\nlD5y\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYSgAwIBAgIUTAdHwlapxozb1WHIMYHqevvmDLQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8xOTUyMzQyMjg1NTk1NTIzMDIyMjI3\nNzI2ODk3MzQ4NDY1NzQ5NDA4MTk2ODc4MTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nIT6x06TzuHb9YOwkcQsW0w/CwfvNW0AGPBmtpogF2kPQooxGEEvTqOYWQ3On5uJE\nEYfMswe5hoD6z+SHa1SIaqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKFEuBme5EtK\nRkOcnUpKAkHK9F3vMAoGCCqGSM49BAMCA0kAMEYCIQDel0qUyWoUPx9EGZ89BwFr\nlj40bldFFT86yzGh0gwN1wIhANrIzZ7sUoZ9IrgILDQDYaGtcPqZTU+746gFNzq1\nfH41\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIURSJnutnpvh0KrlQLKyXVZXDwORowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkzMDM4NDIzNDgwMjAxMTA0Mzc1NTI4MDY3NzM2NzkwMjA0\nNDMwNzI0Mjk5MjEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQD\nwR1xEBJTbIhiy1QF7JkilbBdRdE3wAL9fZlbCXmaj7mPQVfRORxjx3yD7p/ujTEL\nPVz2uGWCtP/HT0jAKYYho3IwcDAdBgNVHQ4EFgQUqVW+ZnJXEYQOABsiapemDJWm\nG3IwHwYDVR0jBBgwFoAUDjYtZeRapt5BVPOKM9MNjxE7GAIwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgGY2RiGEoT2AlEZvtIGTvK4Bx9PyUHBcDQjSBhViQXHECIA63lgavtf4L\nHkw4Q3qjScI9Klx/SSgxXlVwO/Lvn0I5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUMtBHX17X4HT4TgA/gQVg3BuavOIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTk1MjM0MjI4NTU5NTUyMzAyMjIyNzcyNjg5NzM0ODQ2NTc0\nOTQwODE5Njg3ODExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPW8\nqIiRxJG5WRhdqeu1xyo8l/lyNgK8+Jn7+nc5EJjxepMnIefNgFo9mWd6tBAALOE0\n69F51rlz3n6RdnbUxJijcjBwMB0GA1UdDgQWBBRWWZFyYfKgNztf841bugNJd3hI\niDAfBgNVHSMEGDAWgBShRLgZnuRLSkZDnJ1KSgJByvRd7zAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiEA9w9EzrrpAUgF/4r5nkO6YD0DyqZMkVxiE4Q4hmZRkd0CIEvZ7Z6xmQAp\nXt984gJMiVjK/Lm1bcD/hu95vMCbyiFs\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYyrsfz8ltbm7lU17LhQvwRoCC04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbaOFUnkoxEHXMmG6cw5dSnU/fEwj+fNC1bfPy\nAIknu8cRdAK9J7jrnOTW9ANN4Zd4wj+Oloe6wcR9g7FFCdZKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDfBB70+OS4coBaxJCyErNhHpYh0wCgYIKoZIzj0EAwIDSAAwRQIg\nUqTERed0wqa7vtfBySo5qj62MUtIVGi9/tifRsK3ZhsCIQClE3GjsljGLHTwJ1S5\nb1GaOttuKQUexv69lqxHr0as0w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJb1z3cRzLI1tqmW7kPoin8Y8BfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQul76DkZluDQsfg4Ff8loq2is9L64Qc5OsXQeJ\n+Y1FLxUw3F+41OJtK0ACPGZXZi97Yg6FTGxu/oLgONuxgUCEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpnli18VYWnwqDmeEIPkS+zTbi8YwCgYIKoZIzj0EAwIDRwAwRAIg\nXmawAx9Exgu+1OiFnjkw3FfKc9fdu6sQE+V/dV3BA28CICFW/9bTlnRcCytFpBYI\n4Utfe7QEHu1sv28Ci516TkVJ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUJGBAjP3aocK96jRoiSzUB5Os39wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NjYxNDczMTk0MDkxNzYwNTc5OTgw\nMzcyMTQ1NDI5NTY4NTAxMTI4MTM0Njg0OTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBB2FF+aFxHI4jZIPzGw0iB3fJAPbSh57HK2bLvXyTm7bY/aJx1O95hXIX04KRddr\n5g60m9oocep8/dWUSr4Y2y+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSOrZztItsn\nrN4V6VXfw0QNlaz4ijAKBggqhkjOPQQDAgNJADBGAiEA62zoZKxw7LIuIncz85Qi\nAbM0iw/DExw/4rIRN2NY2fECIQCWe2rugK1IVOBv4voFIe4smTjb+P2hrRiwaeyS\ny9SHTQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUBwpnqahX1vrbeX1PYx2czPYqd6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyMTU0NTc1OTI3Mzk0MTYyOTcwNjk4\nNDk3MTY3MTYzNDgwMTA4NzE1NzIzOTk2MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO9d+uqOAMBeF+c/et4odh6/71iyAKV4lNC62nJ4szSptlp7YyiM5ttwrycQfgQW\nOPwoJ6oDfyeNf5jY9J31EzWjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSA41i9wv5U\nWfw5+40qdPs9fPnAKzAKBggqhkjOPQQDAgNIADBFAiEAjXdmrxmov6Bf58fv3S1q\nX40GBE0DG6RSV4UPygBqxAkCIERUBteI0QadL19m8xgdG3EgoUc+30r9bBqJoSLA\nP8BF\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUb8eXpxQT7fbSYL4qjcXZ575PiTUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTY2MTQ3MzE5NDA5MTc2MDU3OTk4MDM3MjE0NTQyOTU2ODUw\nMTEyODEzNDY4NDk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARv\n6HTRPEEHQSY0zf3scAm1v0nFPgNREkSq2U6Be1s7HQiUX7L22GxA4DicodiU3Tty\nSamv1YTNVEvxczSNTDOPo3IwcDAdBgNVHQ4EFgQUYLO9ky6a/e/pht090KsSKbBZ\neicwHwYDVR0jBBgwFoAUjq2c7SLbJ6zeFelV38NEDZWs+IowCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPceB3wjTXZv8DvVdS1v+T0eaOYdEIWg7Dzs8M+FOi40CIFSbxiuQLpLw\n+ZftyoQIrb+UgZCqXxfgvBRbfOjtRuBV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUZY8F7oOEmxz6+iyjeMu9oEC0izEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjE1NDU3NTkyNzM5NDE2Mjk3MDY5ODQ5NzE2NzE2MzQ4MDEw\nODcxNTcyMzk5NjExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7\nwuEU2Esdl7JL0WeRpC8bv7YhoHh4RyezZ8dOfU/koI5oYzsW9CVKeamTJ9WvbAtQ\nSh37i/RMTndt4BnsOJk9o3IwcDAdBgNVHQ4EFgQULK5+4CCc3m7ywcEggX+8UuuQ\npfEwHwYDVR0jBBgwFoAUgONYvcL+VFn8OfuNKnT7PXz5wCswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAP0lT/jl0ID2hP1lCq0ih3I9aXrC9AgX5jVAQU3a6jyiAiAubH/ox/kf\nLpp8aEWJvCckczLMBXNufm7j8BF4OyfEow==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZFJ8343Pzno++hqex/Qa7r4kI0cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTBtJRcpHEvqhOHaDoikUzDn3uexGAN8sbuelO\n4UO3n9Yi4RSGZatOdc1HdTKUdewMsjVgBfChVbExIRBRUezwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF3X9Aqvk3oSi+BhYqzipIMCvUOcwCgYIKoZIzj0EAwIDRwAwRAIg\ndVh/IbOZ0U54+DT4AhKH0in2qBq+YZHsdbfGc1oVpeQCIHe35/2s9839cqFnX7Kd\ntYT0OFAuJXtET9YYcC3wV/WC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZkG7oP8/W486hrYndtKgx9YvGcwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGMEChcyvILN9pRPT0xQG66Lxi6QV/GhfcqnZi\nno1Fx1E6twXrpHOCOBUlMwtiL367zY1QE6K8M3ut4EKkhhx4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcaJFvaKVAIjB+tGgoeEZCbbQ1P4wCgYIKoZIzj0EAwIDSQAwRgIh\nAMHpFLBx7fpkEulEgqxkAdLRAyFMx5Vjz0GCZBXm4ldwAiEAqti0hijCeVsFkqkz\nvBh2cbsmPQYdCCoOELEAUrFoVNw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUEm+zQPh1afRE8j8Wq/C6MDJ+yrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEAb7zUXYmrETH9OLlLSUOxMAwjbKZQrlr+4iyLEeH\nJSPuOmC4CiyCh9iMAhe5ccE8HtXiMnXLvTBtRw091kR7jKNRME8wHQYDVR0OBBYE\nFGXx8qCN/6UrrFaRqXObGT1F5P/HMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDZ2junJbds\nebou4jIQsMuyMIRNQYhKU5lFUiN9tTnJEQIgNNX+b62LChKYYIJ14B+1zCIvQh5i\nyvuIP96SH1MvLX0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBiDCCAS2gAwIBAgIUW/b+e7tz/+bPVT1QB8WzExDCV4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUG9EG/0fAxSIfnEInzDZ4QGDZeOWwf7WO/HMnC3U\nAreeVO+yX55qGOlpPZoZjU3KMS3b8Ggfkf4fjPJCkzQfXaNRME8wHQYDVR0OBBYE\nFHLsckTdVLRRmTbrHtOUJDFkcPqVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLcQYHetxg\n4wkpSyFjxpIoZwY1QzSTFW0PBo396D1oHAIhAO4kX/ZD7RNPWgq6/Ku+cuy6DcZw\nr+qaCxxBYcIjQgwW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUMFl6n+HiCbDcgY1h6QU8VMMXSaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLq4Xwy5M9QcxkXxN3AMIVTBC6ouDGWhnrtkrq\nYPiDdS4ISgv+7RdqIekWyeztdgkF4Q6BuBMXMBziMrIrb3k7o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU/3MdUr2FabGdcRJtzbKKp/OXB3AwCgYIKoZIzj0EAwIDSAAw\nRQIhALxCUozF30vYvtMdzrKL2dfgALB/z+0cJ7XfvmL111WCAiBe0aU3435Llcos\nMy4RmjJCT+ehg8w9dX61HULX3GVFyA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUIzRU9Sf+J6dT8J479A4qzOg8dLswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkSpz3EHvzJ3i3UIfHox2PgHW93a0ztDFwUONU\nUusqWLyImcrzyArDxn2K17KRPyAzOnNTYifhnjX4EJzl2J0Ko1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUn3SmMEWEcBWWlV2DwW4kdZOW42MwCgYIKoZIzj0EAwIDSAAw\nRQIhAPk3/2mqqBsejbESG7mPiRmPXL1Bd2Bo1h5AoodaqO6XAiBmhak98frGlGe9\nPOc4Qc2SKyiotCzp9oDlfs/4ioQnCQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUduIA2yiIf4lVFxmgZfXbRM51S8YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEa8RqJHs6FT2ZapWFYlR+kzJJXgzNDkYei6aNmBfE\ngNrwjq5hVZ/a8ogMQhoLDtMMexVNoz/mrEdxVIo/oKD15qNyMHAwHQYDVR0OBBYE\nFFRaOn0d2Jhj5TkRneaWE8kKcERxMB8GA1UdIwQYMBaAFKjPD33LUUJ+vQ6udXlO\nZDlguR8cMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCw+MdjCZnLIObmhfc5jKS+OivDbO/m\nqK96X2Dp7uYTnwIgOp7jHdzCfDIKsTi6FMFGqMuFyb93ni9FdHwIzrHlLlM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUNyVgNatY364QhbAaKrzvO+D0R20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERONRlD33WWy/+NX7cTIPKXpl/8AsQTZygr3K3XHP\nV00yjsppnlns8F44Aw8uKoor2GYIHEq7/a7DbZDl4rptK6NyMHAwHQYDVR0OBBYE\nFJmzthS/Q54g4mtD2xl5IEIU5l5sMB8GA1UdIwQYMBaAFGR0r4dyiCdciBMOfiVW\nh1lEVo/sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICI+q1v50aUfPuiOcoL52QR8iak6/KSl\nLy/qRJzXDty+AiBKCEO2owMHxkoew7hP/EwjOB57YaGDJH8UP99/WSd5aA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUYUP2sdji7QAxfDMQ9DnFejXGDJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrAvMSZPPfUTiMexj/6mH1+Opcmg6rypC4mmC3\nbp7KsRep9HOLyqgCNcjofKEc22+RW2vZBXkgvLZLJ0qexcaCozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBoJtkwmqcZr4sCpCdoY2hStk0C7Hej7Gc4Br1bAA+E\nhQIgY6oLrezv8ju0aAZszaB9YEkaRdWGCDFpeMFMRwUyOGw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUX3a+3rTZeUR9bxqAoqQL7V5pL5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdBmQiRRp4bP8RU7f/Fu2R2AjIiCy3gSaBLoZt\n6B4Qg760aLezzQ9TViEUS2nBOqfjLhJci9kJXeZF/c73sbjGozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAy5BNUQKuIZqcsRKihqFkP7iAZok98m+CvIpILcOG\n68MCIFixP+rHYv+2wgGTAj/YWIlUrfcn0dK0MKTKodpfjPAg\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUE+Q1qRbIs6omvVGuSeFWr79J5i8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEaB/PzkGwxGxTbDAI3IG8nw7Tcw0evDe9J8ZVMltY\nnA8YopF1UbhYXzN63QBcbsnintjnTjgVeohlM76c2vwQ56NyMHAwHQYDVR0OBBYE\nFPlLl1h+sDYo/lf/8MqH9de0gc27MB8GA1UdIwQYMBaAFCUHqA8kpnqYe9CSRX4Q\n0RBF/D+sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD+C6txxqSYZIrJwnWauDeX5mNOrJXO\nJ2Z9ibnX7DS2IAIhAP8ASyDpDTI8gJbI6SCSYTV3Zbg/Dhlp1S7xOSHr5pgc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUcjUxPNMvU0tc1nbLhxMCW9/lQ2QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqPuLufvVWd8kIv8nQ91TJ+H0ZGNkryZG5TKy98lm\nSUBxZIq+5UsMvcGXcBeMhDN7uYYNpmdPY5Ia5AFJ3dMdUaNyMHAwHQYDVR0OBBYE\nFBvOxbBO+GDyUdAKrJPWLs0Rq+h4MB8GA1UdIwQYMBaAFN+Bg8780RX4r7sMcDR7\n5C2eUIM9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC2DsCn0stVmufnghVXBabcRS210uAK6\nl7yhqIuQ7kMEAiAnovu6mSVgPghXiyQPCzMaofd7ytImXeb/HM8Dlw/L5g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNfMVzs3XrnjPxx/20u+rtqm7SxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnJ89i8sP9Vv6+ZK/d2EbWn9fX8363KGW416FB\nT+0dZ80iYp3SJmzcJb0ZPmGcMom08F4VWbyAtqF1eNEGtbaYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFuqTM4aSZMFW1DSY/Seokr3shXwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMJq/vh3JPJiX1XXWj3DFT3gUD2Pq5PEZtco7tUyZkRAiBE5rFPxRRTBr+B7dwk\n5L8YWInTZFx+geHIZbigUz5ZAg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUOhre1gI6AZnlAut3sM3ZwBP+gjUwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQcUojLFkelR5wH95k/vU/VhpCpImPN58\nKmtNigN09OhvDEXDGmTnOo9qTQEHguSP2hKzyu4amoLHrIzNZ5SLPaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFzb8y9OuerdQ2UenioSTa66KbmkMAoGCCqGSM49BAMCA0kA\nMEYCIQCGxwJAu3PZIX4dFc3xQY/ImFytmlnlyE5spwUfXCSpVgIhAMMZLSjSVF3h\n5oBhE5FoHMXx43yNZlvrw5elZJA1mXS9\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEn2z/An+sD+uvViruiv99WzZt+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD1dilcL/S/ceS47n7TxD/IJJWpJcU/JIkT2ei\nLhlZMpTtP7e5ZZeNw9/pHvlPjtK5SXmjZGnrykJeIxjcfZTbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhx7oC0plfPSdxkHl9oJW8Foimv0wCgYIKoZIzj0EAwIDRwAwRAIg\nOVKnSiGOB+MnSHgrlZGmxsgFHgdiywpT9fN6ygqfEvICIGWKdOle/1eieXDrQJAv\nAwrRsCoPkvM8T4DY1CRvElRU\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUSPa89DGzLcnR0NwGmyxiFqiTbRQwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYbBVeCdx+/DlZugOnSU9/fy1dhUvB0Tj\nZXVss/HqHYzfkNs3QJYIv3s+6K3YbDStfyPXf6tFbd8dNz4QuH8jQqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKN7ZHRRwBq6/5z63T0EYqxtNxRDMAoGCCqGSM49BAMCA0gA\nMEUCIDAto6HFFqMkviPkji1XQYApvtq3Ikao4fo0ws0oST87AiEAn7G9T3I3IL85\nCIyiQ1e/iujYpuCibOXfNNFxD3S6fnI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSGWafhB2freU6p/3Au2E3NcihIgwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnJ89i8sP9Vv6+ZK/d2EbWn9fX8363KGW416FB\nT+0dZ80iYp3SJmzcJb0ZPmGcMom08F4VWbyAtqF1eNEGtbaYo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRc2/MvTrnq3UNlHp4qEk2uuim5pDAdBgNVHQ4EFgQUFuqT\nM4aSZMFW1DSY/Seokr3shXwwCgYIKoZIzj0EAwIDSQAwRgIhAJut777Aau19T2qc\nJthHOSVwUqQaRVyDn99mo8u0DOVLAiEAv/kn18fI4/ph0eXcc7E9nPrAGH9sOjh7\nq6zqKUzNehE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZ20AQi2602qDWw2XEcAiHYLQYdowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD1dilcL/S/ceS47n7TxD/IJJWpJcU/JIkT2ei\nLhlZMpTtP7e5ZZeNw9/pHvlPjtK5SXmjZGnrykJeIxjcfZTbo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSje2R0UcAauv+c+t09BGKsbTcUQzAdBgNVHQ4EFgQUhx7o\nC0plfPSdxkHl9oJW8Foimv0wCgYIKoZIzj0EAwIDSQAwRgIhALDRZACYCKGe0zil\nwI7x9QPXqM8pOyDK1CNyt8aMKnE9AiEA29JVRA3kP0p7qgahrgVID5w64RVgDn65\n3atlw+53jlA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUDcRgjp7t3ADhNgEwOXO6GXa+S0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3c3fTdL9zljlk0xSF4T2CdBzjA58mO2x6VIsVJQ7\nm1pUKvoyQgwK5ESW35HVURoyXzdl9iseXB7Eq/oCf/4hY6NyMHAwHQYDVR0OBBYE\nFH/+QGUQ6FTaWVoE8BJAHz1IAQWzMB8GA1UdIwQYMBaAFBbqkzOGkmTBVtQ0mP0n\nqJK97IV8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC6AvFI+0G5szhdCer8LMt0wgnKO04F\nx7+R0wZuZr9ynAIhAMWcjdXgUgPZtExwMkEb/PnDzbk9CVlc6hsc96+qlSsP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUKhaYiAqTtqO9SU8UmAG4NAdhwYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErA4vbJ3oji3lzto7uytrdFzeC2yNhBGcNg6vsj2y\nd413CaQ1E8KObtB3igvvq16wKuG11YXxUxjicyl008miXKNyMHAwHQYDVR0OBBYE\nFA31mL0O/yQHJaGrQ4Qp7vj+30ngMB8GA1UdIwQYMBaAFIce6AtKZXz0ncZB5faC\nVvBaIpr9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBTV1b5BnuOtuFK/8W3yzlTMqiZk9EHJ\nc9Ism4f2d2IGAiEAtxChETHYFHpcDqrkXkCcvwOLMuZVnGyl025weio/EwU=\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUe2IzWvmfe/YbORRehKsp8fPhmYQwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI6UKHyOvI2V\ncz8K2tCcTzPVdT89jnB6MAxV3TLM1UU18mEG5CE5W1q9vZooTuFtpis6DR9q+blH\nS/K5wDlhgA+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR+Dye3FYcPO2EXMvkCFUIBXH04\n/zAKBggqhkjOPQQDAgNIADBFAiEA0cRVC4AjD5Xlh8tpeJak674ZdwDbs4n05jtV\ng6V/cpACIDzTJbExl3hZprCTXvxO+x2IpjnbW+j7E/GAzsdXxGQc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUT0+r1BIq8diapwx/m3euXhVdp8gwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLzOE+1e6wDM\n3gNiV/7mjO5lxXK3Xkoyl/hLXRGnkN6hgK3d/AR/G/n0AzYHCqaoE0w46m9MHMfT\nwpFmIojIMYKjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR6us9uIHFPRCuNdJuNNVxXiDJI\n6zAKBggqhkjOPQQDAgNIADBFAiEAs9313qJAKFw+nzDQRtAG6AoOZe4Iq2p2VIR/\nOce6j44CIDhsmXLrCFqxJCw3q4jJ1/V1G/kdXBFLRD/9YPFMUwQe\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUb9YCKdVuOk8pNgjLlC6VQ6ukV/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDrVsV2FFR7W0Ka8daHlDofw4hJoDzoqrhB0qX\nutot8FWsOjfXxDWOWjYA5MCKBEvkeTWU2nycpxymmJq5dC7Xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/DoJ33fHuxsysZ7j1O13P4pHya8wCgYIKoZIzj0EAwIDRwAwRAIg\nYBBblzs+2abxbciPTEKLsl8JzDQmEHYGjU5qZSH8PjgCIH1zrFLCSKJWAhDgY7ud\nZwwfceR3OMVW3FIBcuCFqQ+p\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUes2AWyR56GHbVXeo0br27qz8y74wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2Mzg0NzA1MjM0OTM3Nzg1NDYyMjky\nOTk4ODA3MTQ3Mjk5MDA1NDgyODI0MDY4OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCBnmjvAFrjdavguHIU72FlenjOg3BnBsh9qovst78auTDlLTu+n90RlSPf3kZBz\nR3AtrZQPHim81G3y9oYYL6+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPw6Cd93\nx7sbMrGe49Ttdz+KR8mvMB0GA1UdDgQWBBQ817dRArgBfXBM5MVLmRiUa3HsRzAK\nBggqhkjOPQQDAgNHADBEAiBRzueNSW116sU4FbweI4SbBCPTVKIlU36jQgcIxrzm\nKQIgGlB0UtPYChY0LQ10fGMQQVyDWANq45oicGxvZB5WSps=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBQ8gwDDQCT4E8zuCo2xkKR4vtG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwyANSBPGylc9ZQaaO9Wtx74b7d3yFP6O22S14\nfcRyojMKVDpddMKkX7/WUyACAoRGntp0kaIsPb0OF18LJnUlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzOYdcQSlBi4WhvYHPA1rXin2m7swCgYIKoZIzj0EAwIDSAAwRQIh\nAJ9juIvz8ocT35QJA0ofn7DLGARGpeCD8vf2r0sf+jMaAiAnz03S08AFOkq+iVeG\no1JpIrm2KDYSUOXLAmQVGpF1zg==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUNiWl2ByiMD6Nss3NibqvQjkOlpUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8yODg4MjMxODAyNDM0NDU1MTExNTk4\nMjEzNjkzNDI1NTAxNTg1ODk0MjIyNzU2NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nCXodD05eO+hHfWY1ckH7UoTYbL7Q6Gnb597jXiGBOmJFdFe1TLWmjJsTf5tmxOpU\nOy+3O+0Q1NmYyzchInP5z6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzOYdcQSl\nBi4WhvYHPA1rXin2m7swHQYDVR0OBBYEFJQeOznZDky9YN2PVTYTRIbkhQGlMAoG\nCCqGSM49BAMCA0gAMEUCIE1TfEt0W/tMUT3YJ8qj78oAirLvePgNK+IbmKCfVGBF\nAiEAumbVwynKCg0d+DPLILc5T/bWhwExq2xadi0zHM59nuE=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYG9om5wk/eihcLKS7sCU5CHnOfIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4NDcwNTIzNDkzNzc4NTQ2MjI5Mjk5ODgwNzE0NzI5OTAw\nNTQ4MjgyNDA2ODk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ\nlT9niPusyoHMdPyTPa3qbxgUkScmVY20GuoSNHn44LTQm9DUaov8TZn3HUqPrXHl\nLjp4n4y5KTUBpzBz5lvAo3IwcDAdBgNVHQ4EFgQUgWUQtXSyGDjbI7iCDVICHyQ1\ntgMwHwYDVR0jBBgwFoAUPNe3UQK4AX1wTOTFS5kYlGtx7EcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALSH97YSocVEcKIyr+yqWv/3RsFBsXRhHmUOYwagEAxSAiEA7SWFuG5U\nNxI92d35GQBcE5Z9pU5I/+wtsS2aNNh01tI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUdk/S8PqHBERqe3D+AOu9hTt1SmswCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjg4ODIzMTgwMjQzNDQ1NTExMTU5ODIxMzY5MzQyNTUwMTU4\nNTg5NDIyMjc1NjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFJz\nrHdGE8V6ATZxjDGkEJyNTmnJ0T4woD0JlXRpDTv6V1LgLNjHvI/5FPpsChjvWOjM\nJcAtVnF2JTkBX4qLlFWjcjBwMB0GA1UdDgQWBBTecz9UkmNWVf/By0En8cAm1XJh\nKTAfBgNVHSMEGDAWgBSUHjs52Q5MvWDdj1U2E0SG5IUBpTAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiASuKoIap1GEk6+TITIsNt84x2Moie5qqqHS7x1WdQ+rgIhAL2+NuffYXpS\n2JOR16z+02j5UozFxhQpyaO9R7DL0l2x\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWMXXFayQp66Ef5OYXB+LnIQg64wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEeyLgu/JQx4TDmmVebtKFJH2a93xsmp5apHnQ\nvC5Ps4sK+tttClVL2+adsiHyNjxN12IGTOyKxyd4RoS3pyIHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxkGQfZZHsXaE1BIvwknu442s43YwCgYIKoZIzj0EAwIDSAAwRQIh\nAKRQLWSplnfNtwMGqBQPcf3VAG3XfZTFmts+wV1gDC0FAiBI8ntaED/ydzOiVo4q\nByxrv+iUdcTHmhQI1Py0CF3hUw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSIY7EV20+KKs7AodoVmknwSgNGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2tA9QSoq+XBYeEFpvZp0XWvmo77tFVIYs7FOO\ndWKP7GTQ/G5nbk1rkjZ21bMLeXD+IB5DqrroLn4W/E/NQQY4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNCp6QRg/Bff6LIvJDl5hT3TQMdQwCgYIKoZIzj0EAwIDSAAwRQIg\nFxLB/jOhH3PI/RfbRe6SWyf6QLZFI8YjsR1/0H81WvoCIQD4UGNaCh27W1/6A6lg\nNbAUjZ2WAp6mACMZTHHtFwmymA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIULTmPF4oeulG2iXIDbaFOohNm5lIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA1MDY4MDMxNzExNTMzOTE3NTE2OTU4\nODA4MzkxMTgwMzc0MjgwMTg4MDczNjg1ODgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKwPq/GgcMeTdEuQaNmrk8O1vr6RWUHxzMesYVhoUcDq+g+Vsgi79oG2JJb9\nefn1BEBTRTPBEDMiy5+9Vgxg11OjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMZBkH2WR7F2\nhNQSL8JJ7uONrON2MB0GA1UdDgQWBBT6QydaUfTghekm6tarfGbC0FzuATAKBggq\nhkjOPQQDAgNHADBEAiAyQ0ZQl7Tmry4JuwFP7sOhSm9y3MUSWxGganascJd64gIg\nB5JF3EVr8ChZsucJzNNLiCj/wxmslEwOFnZa99Am5FM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUGWfRAM7pdS6ee+x8rkl22O0ZRvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA0MTQwNDA3ODA4OTAxNDc2MjA3MjQ4\nNTI0MjkxNjg2NTMxNDY1NjA3Njg1MjEzMTQxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABF7RENUQKzjFrMYC1CDbMZeh7nRpobhlQoWbyQacT2Mrioh+Tzq2DPQ5KcdV\nfqe1nTkFs7bvRoSedH+d6QHWDrajdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDQqekEYPwX3\n+iyLyQ5eYU900DHUMB0GA1UdDgQWBBQ4+HBmrZQfs2zQYyDHjqns/iJHRzAKBggq\nhkjOPQQDAgNIADBFAiBiGn+uDN0YC9fszDIm2Huq2Myh2pQRrOF/3VH1cDRNnAIh\nAJuZ3HjT9BHBOVlN8kSpngUuTqaORLjr5kRn/3Zv5Xr2\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUURtQUbx8oVfodPg/W5YEZf7tDhYwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTA2ODAzMTcxMTUzMzkxNzUxNjk1ODgwODM5MTE4MDM3NDI4\nMDE4ODA3MzY4NTg4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQodQ+MTg1/cLShePhQK5UL8IvxulM2FCos5D0fxMoSFqCH2ORQoBQl2aSITEXn\nyS2kfqezvTCth7hdmTdz56dKo3IwcDAdBgNVHQ4EFgQUPgXQ8y+JsO3MH1qrj3C/\n44mHU0IwHwYDVR0jBBgwFoAU+kMnWlH04IXpJurWq3xmwtBc7gEwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhANr+uqTPmJxkoCruNQobkNG4iAIx8GtsAPJ8PZOoa2zxAiEAwCg6\nmLEY+QG+JSTkeLdIRa6jS8ul3kHS98Oa+QZxKQk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZ6gAwIBAgIUOmQgfePCP5hdRoLgaL2g6cOBGcEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDE0MDQwNzgwODkwMTQ3NjIwNzI0ODUyNDI5MTY4NjUzMTQ2\nNTYwNzY4NTIxMzE0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATYLg2bgd9qXuN7+6TogUCJ8gj4cQMhNt0H3xAvfSDvTl/HHaBY8lfnCrX9k5RU\nFvR0Ux02/vgAq/oegoWNfnKIo3IwcDAdBgNVHQ4EFgQU+jg65bLNuJmQvyDMYw8E\n3IjPktcwHwYDVR0jBBgwFoAUOPhwZq2UH7Ns0GMgx46p7P4iR0cwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDRwAwRAIgaY/OXf9eNWDbxN9L9ysHdKuBjXv7ulqjmArkTQWkPEQCIAmfw+uX\n8oCEsYFicwywUJ0hlbPAxp2CVo0Ls1DNDtlC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaZXS/7kIHddIcT3Vtpj76qZMQk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXX06u9wyDqpeOFhRYMMJ2ZhObzu3kMrakD0q1\nDcFz1i0tQRh0bjQ4pngskL3/skp5gunxfOebqJ3xcOURoeFmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfh3PxfGAD6IEqYIA8esVqGghX70wCgYIKoZIzj0EAwIDSAAwRQIh\nAIRhKPxGPjJ0nN3L+lDRdNbwzxs/UF7e3dcpxVxqauzTAiAjgz0yDbJJOf9zGMej\n8SF693S1fKgTdR1zDFbWgo9Hwg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB2gF2+0Fh+aEGCsDIBTjDE90+P4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATK4cAqZn1QhlZfiFM4Ew+G4btcapLCsErHX0IV\nVBsDjFh61rzUm97mNSJTwqkwrvbhhxza/35pHZfvbaTJZ5hgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPeTrsRLBvhGJ4dTPfBe62FMvpvEwCgYIKoZIzj0EAwIDRwAwRAIg\nYaFZxPtGVypHajKwM7Zzw8L/sU5LoYFMthwrQK+FQ1ICIHGoXBuFnDWJjJmg52jo\nERPcQJFdxS+M1JDgNLwNAlOf\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUMhPXtAAJmC3+iSQaFRuliPMc4qcwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjAyNzg1MjIyNTY5MDgyNzcwMjI1MTAzODg2Mjc1NzYzMjAx\nMzk5ODMyOTg2MTkwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAASs1svbBd9SbSV00pWVKCC9qGKmW73O4I9npQDxniiHP0A1UNwIkFwWxP973pKB\ncWw/hP9XkLw97F+l08ZZbGUxo3IwcDAdBgNVHQ4EFgQUxJBKb0Hem5saPt6XCfIK\nPvoBaGYwHwYDVR0jBBgwFoAUwI3KoE56rgNs9kswP/RXrRIiE0EwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIgEHmxY5KaWthP/QjYrhxN0yG3D0H5RzwxhLL+tf9tOlkCIQCQD9zj\nr2tREaof+GVv3dPiOYQl3MteIIWfzuGz5RjsMQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUCj3E1gZDgss/rniA4c9cZXKaUW4wCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNDIyODI3MjMyOTQ3Mzc4Mjg4MzcwODEyOTkzNTE2MjY2NTY3\nMzY1MDQ3NzI4NjIxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNTT7/Rre+H3161o4qDxgyQ5bg3vbQSbFjbGR6FMOIa02MJlMMqTIe+/Vplr+468\ntVfNmZGgsaJIEiM9UHGbOTGjcjBwMB0GA1UdDgQWBBRk/D1XB1tIQ1kb+6atzyOj\nmFkfdzAfBgNVHSMEGDAWgBQIIryeAG21lVw7LyLSd8+Hdg5jcjAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiEAirlUTDEyct5qdwZjxlCVQxeWCo/JuhzDld9CccyitVMCIDXboBEs\nn1Ug6IYNmLuDByAvjCxkoV2j0ZG+K9x1XsAM\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
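Review bot: The unchanged `"untrusted_intermediates": [],` line in this testcase leaves the ICA named in the description (`root -> ICA -> EE`) out of the inputs, while the regenerated `peer_certificate` still appears to be issued by `x509-limbo-intermediate-pathlen-None` rather than by the root. A validator would then reject the chain simply because no issuer can be found, so the case would pass even if the BasicConstraints check it is meant to cover were missing. The hunk at `@@ -608,10 +608,10 @@` (pathLenConstraint=0 with keyCertSign=FALSE) has the same shape. If these vectors are generated, the fix belongs in the generator: emit the ICA so the entry reads `"untrusted_intermediates": ["<ICA certificate PEM>"],` (placeholder, not a real value). The expected result and the rest of the testcase object lie outside the hunk, so this should be confirmed against the full entry.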
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUQfeN4fIK7gq8xQlWD15NDHdveJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOZNzKJDTaN9lblfeCTZ6VgbuEygipVSx4bxEU\n0Kgb7CZDjt9fewUxpypP49GgCKfV5bzy63W0uU0ZTShIOk1ho0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFATpA04TjUVp\nt7KOPCqxmOUOkNdQMAoGCCqGSM49BAMCA0cAMEQCIDKQHgCNkSMeVaN2hvigBvKA\nGUH5pHh4c/tQ0hRN/9/hAiBEKUVDT1+8ASQsOpNSB5CPaalbC7RHxpdyTkg2KIo3\nDA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUPMlb3FBe+oa6WKEEDRvCziapyuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATU5ei+cuJCBsSlllNa02nNN6u2jjdt/mUEBL4g\nEy7XxbMKExHZfm+Ngfxe/mG2kSAGEPuWKbKX0uNF0Z0iHv35o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFDxYKOqffGA5\nN66TgT1s0jy0GasCMAoGCCqGSM49BAMCA0gAMEUCIQD86N7NhF3m8x6DMo2YM1wZ\nEyisOPDo8DZH5mzn9++QvwIgQqyg1oz/zIQt0jF0+WviNKZusqJOMRtc0fdvnCN7\nySA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUQbiurrcZiigVI4VarIHOWBpt6mIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEobNkJfy/JVYpaMYBedYYApHbq/6AAV8qRS0CdlJF\nJfZo+6Ktl5O2ieBNy6//p3BP/ckvTgdS5cPCo8rIVe2gIKNyMHAwHQYDVR0OBBYE\nFPzHuH3+VugOWdQBFHefh2WUvpGtMB8GA1UdIwQYMBaAFATpA04TjUVpt7KOPCqx\nmOUOkNdQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHIIL4PntcQyLQ+Bn/TkP94S0z7DULR2\nF+RcYAwo9b0EAiBmjVZgyIKHLoUb9T/daUrtfMKXOQG10+JmWN48Te05hg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUbARlsdh6+dTXiToY2nrMGIERsYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwal8EKkyK478qpDAEcTG9RS2NfG17PS0ldBFC8Ph\nG1XpCdGdDPkKJMjwnIjyM0cvBzvIHyH3xNFj5Vcb45gkIqNyMHAwHQYDVR0OBBYE\nFPzQDVtD6/H47G7ezoNqoNqgWCZIMB8GA1UdIwQYMBaAFDxYKOqffGA5N66TgT1s\n0jy0GasCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCOm8/qTsNDpqriejI9pEqACqm9Rp/Q\n4Hv1YTLN0oI38AIhAN9AyR7XEXC1+cfvYdRwSJk2HarY3rXyqIo0K5YMF/3f\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUVlKPaUFVWwlN4iNxurej/pY9AlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQco95i9R2JxFwknuwCV6FsPAcux8DEBk0i8o0B\nM6BO16cxL01roxRruZIgSTB1jbp8FyX6XSODWyXhB1Fdauwvo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUnFaZdDYKb75Rl8Db8IHChnRdDLEwCgYIKoZIzj0EAwIDSAAwRQIgZjgy\nvIsrkV6gRdB/sHe9exkd4B8MQRIiCX8b6s8VvT0CIQCQkqZZ9Nd7t+nYo+pG/ySi\n1mdnvb5BFoF2x7BLpMPR2g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUU8NScZTotbEdnwZe4oKVPXcBjUwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb7AWOab9uqL4MmWv6/VoEZWdqjAevwmzxhUmC\neqA4YsEHN8wOSkiwbRRlWtEqJxg92DvumaOqjWP4HjFUCsSko1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU8VYPtN/mJrVz9Fn7iRmat9yvw+0wCgYIKoZIzj0EAwIDSAAwRQIgKCbA\nQlC7h6me7scUUXkW4KiqYesoYYLb04BWsDgsTCECIQDidkO0gsZzZa3D8cnLq1el\nIxgOQdzu7RpBZuk8U0hStQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUVAKDWglblhZDIHGvJkfC2HLR13YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzYko1B3Y1PSI6p8s7EASqolIrTrBFsWqs092ndoZ\nqh+o99TpIWRv+fID2MJqq9phMV1fmyeA0zJKmKGVyImPp6NyMHAwHQYDVR0OBBYE\nFPIjbXfQuKYtdbCUmGNYGLjeuzeqMB8GA1UdIwQYMBaAFJxWmXQ2Cm++UZfA2/CB\nwoZ0XQyxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBJFFyO94DjYryqHb8h4KLAn52YhXUxO\nNa+6hLpKLaWVAiEAqg/JtervPQwBI2Gowjn/XCWvm36u2K8Ah/YCdiDf2cQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfQZaedp+x04Lh1m9ZnHrb0cBE+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXRyS5yGQFV1exGmUwjDp4YgI7nhDRX+Xab7CeApt\npqkLYFxQlAVzXOHt5loZELXghwWnRpepKWDGvA3wMh1ISaNyMHAwHQYDVR0OBBYE\nFNWx2hcXkw+8HPkMDu9MBU46oud6MB8GA1UdIwQYMBaAFPFWD7Tf5ia1c/RZ+4kZ\nmrfcr8PtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqAbwWfnB21lbMZ8kn1RFkb8cl3EiC\nSnLlCJd4Wy8GPQIhAOra6Vv9Rb14qbrYzlbtOd0AIBdZ7Rw/hIPEG/BerawG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUMw0myHtCaM7AA9qh2TwRWwpzqoIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRPfJoAhHqepkQ2TuvzszNNtGHD/kUTUCXIr/o\n6h+giS8SkkULO6XdGBhY71Sn/ojvgiMUWDy2qUxx11T/qV6Oo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBT5i8AUGFpvZY6qJWMEMKUw+JrzbzAKBggqhkjOPQQDAgNIADBFAiEA\n2VjwmhgU+DaqJ+dhXGlOtw2h+SFwqcxB6kz5RLPAvpYCIA2sx+TFUyi1JvjCn9yt\neyVe3FTILWuPr60NACAjZOAG\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUe8vMMvnxSJHsU6GFJ4mf4Zk+cXowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuUG2nF2oFaHsMf/M6jn7wr+Wsn4Sss8C8I3AS\n1gUeSnmNhLnImQ+/8q1B+6qUkTxs4h/4lk/CNtnUXThlGCjBo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRiJhq7yoGqMgc06mJzEIM2NtFipDAKBggqhkjOPQQDAgNIADBFAiAq\nOa3pTIPwDeOYM5GEg+85DujJc/J1g7fOtLgan4VB5wIhAPiej40F0q8Wblg+ZfAe\nH4fRU9kObW4FqiDbzHKimU8w\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJvz/mOjrltJ2qVfirWnKzN3GEUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHEs6kRObOKxlegf8Ac09adW1cw11hqNL/aWOcAPI\nZI7Zlk15j3hQQFc4B3ynwheqhmqFmdWbZkpqNVabPkeNa6NyMHAwHQYDVR0OBBYE\nFMiElkvmLH0YSnCgQypPoknKlx5xMB8GA1UdIwQYMBaAFPmLwBQYWm9ljqolYwQw\npTD4mvNvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDQZcY4IGScDPHSAKBx0t47Qf+DhZHs\nNXkuLF6cuB+6zAIga7ElsxabpzTFH2HHHf3QnZNMS6yA8MY6lWt6jgdHPrA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMdcQJX6qCJqzVbRFBHutz2NJbrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEowcnVKeEuQKDS8o1pFV85jsg3ZfcrwUv7WThVzr+\n/6xlS/YB/szCI1FiNOx2gTPFeTNLtVYP0BAFUyw/aFtnZKNyMHAwHQYDVR0OBBYE\nFG5gMoRMXBxn2twhS/0aIa1b3ma9MB8GA1UdIwQYMBaAFGImGrvKgaoyBzTqYnMQ\ngzY20WKkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA001aAcMBhqFiZJ/RkjpMeljNZjfcSd\nSx7mypc50vs9AiEA9oLmw1Lw3Rtl/0P/c14B+oPbmTsVYnSRqJe4DBAdaj8=\n-----END CERTIFICATE-----\n", "validation_time": 
null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP/RFAFP2trqXx38ZLEK6O2iGFvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDMkF/r1RI0orF8FrI4dGuaVSyJ0UeNYlbL5Uo\naon2mUKrtXz+mc+R6Td4WI5V5Kn+fEFW8X7khb4D3ICfHlCno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnpsnbvgg+0quuKykg1OwwkFr8IYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPj+5S9VY65hg3KKJ9Jh0d0LxQW3D/67medCKb7Z6wmcAiEAkhkEnGcyvhmrBi3L\nrLO2hFSErVvYbIm9xVtdY66DF6g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHOkumZnKXKpMOYoNBI1q9wzgzhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxpxe5I/6w2OjfPzFtl5nNymYf2Hj2VPkIVrUf\nGWeTwFXZ6pVWOhOxj5GL/s1oRpyikEtoKRjEaSgkvdQizZGbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbiD3wsURFFN0GlnSbxKQ/XWbCBswCgYIKoZIzj0EAwIDRwAwRAIg\nF5kht5C6wcsac5+mlXmyxaZxsXTAasKotySFktCR8eICIE0mks6f07TbL9tBTzE1\nWAOLNxjpEImtbIla6K/hN27u\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUGzKe7/RRxUTA2agNOxXB6kKplPQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzY1MTEzODExMjQ5Njc5NTg4Mzg5NTQ4NDg2ODM5NzEwNzQ3\nMzUwMTA0Njc2MDgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATE\nijlJW4QrSgPjQE2bTMtCgt6GKU/iWOFiaLgjbvK9XatvM1m3HB0pmQTL0bJtjcHz\np4rhDTVhejq0aXcQlSdyo3IwcDAdBgNVHQ4EFgQUVrfMHNHfaFf1pGlHy03TF+Cl\nccIwHwYDVR0jBBgwFoAUcsVf45NLB8R4FYVwRUmaLG3mgLcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANmGF5NBg+iMr7t0tjo26fk8fto/hY8kNq8ICUNMk5FgAiEA8O9pk1qB\n/ea53kdkGkyDJkyGRLXVBqXf5I5e3XgjVmY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUP1G4AqM1kMoriuyZlwpSVZU5VUwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDUxODc0NjQ3MTAyNzQ4NTQwMDE0MjU0MDkwMjc1MjE1\nNjEyMjE5MjgwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\nU41twpcnurYu2dqn63RoxW3fIjX98LZFMhgTdifAK1uxkIa0WiNPI14UZU0NDEKn\ntDP3sAtxrYu6BLWrpzqPo3IwcDAdBgNVHQ4EFgQUsBxdrTSEYaf8Q9yWWNNQmW8m\nv0YwHwYDVR0jBBgwFoAUdXm2lbL0CPECbOImXCKwZVue/WMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJaUT6teHT1BmzPmJKDYbfuHwmLIIMEhBQmbwuz5cqshAiBIHDq/TXRv\nhF4tvJktFgcU0ABOWoyYDknQEV1qNEiZ8A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfWeNpnxFrC/rq84ZGgt8gBaGO84wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAcAn8vFOHLWqKOw3+4TiVqTdILGwPAQHwF6NX\nayN5KDzrC9mm9+SkhElzbH+4pD0tmGDtY6xV2MVmEI1/QV5No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJZBJAHLP4B9fYi9i5Fk54KkecBQwCgYIKoZIzj0EAwIDSQAwRgIh\nAKMzfAjEG7HdTaNRJP9RED3FYqwJz17rySn1boP7Hg6vAiEA52eC10x5d6A9J92M\nDu3rkPolJ9M8u4kMfoXVszxpgX0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV6pWIg0G8hVEmW2DfqphvbXf7AowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQi0gbj0qH3A3P24e9rnlxNOr771Sey1FlqETdu\nto6HaBpcCzqxZmCszfNJBNFVkp4dECrk/BoXaiwTRsLZygdCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkHlECIGMk2pLg4UlKA5qJIZ7UNkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJx+vSKGNKzwo5ePrIXgzDYHJrcVN7qpp0fxoedTw8bnAiB8agjFi2B6Nz5Ga9EV\nJenbUyPZ2WWJnu3CUoCeVX5viQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUcnPG9KTnajEo8NooF8IsFmwhiSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5azvK+z/lt2+mJD2nKv6DXNo2b+CQKWmb9Yp9yC2\n8gW4tBiLYhUMw2/RkHxb3GDfgvBEG65zogbMNFEWUL0uC6NyMHAwHQYDVR0OBBYE\nFLqYTC6CS6mVaPxr9oFqZ57Gu6znMB8GA1UdIwQYMBaAFCWQSQByz+AfX2IvYuRZ\nOeCpHnAUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC3W1Moup3q15dXXObzDy3+rKCHOb5S\nJeLoDCMgT3rFKQIhAKvHOsWi964Crf6YQEu/kxXBFR/wh3lIIiQ9LYKVUOYy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMLXksy2zJ/vGPpkjn7iJDuL00a0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEk7ctgbLtcLzr3L36Cg2oSqhlbg7bt8MwP5DJKVb9\nZAMikmHCDgBRsdSfDX3o7I30tNTrg51IdfYyiEGWxZvZUaNyMHAwHQYDVR0OBBYE\nFLcH5MNbWwadAgLpcoFRPSNII1quMB8GA1UdIwQYMBaAFJB5RAiBjJNqS4OFJSgO\naiSGe1DZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHCD03I0XXHT9dGZefYtKOyrze4T2GZI\nZgMvXUv5Gx8IAiEA4lR/AIx9GgPtsgk1D3/jXb03DsXdVq5r7sromNDdeNU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUTMulkJ8mgYKpWpje38LzQebIiWswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMLolNKIH1uXajUnLN/INLAMKmOWoS2UEGifIa\nY9OI99fk/Zb6QAFmN5Pk0h1iEYo/Me/SpHZUPjiwlYFdfpqao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI1V/O2MRARnjJsPPVwJ0+UGT1NAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGjcTdvn9PkQy8Q8H+cftL16\n56Yd8RTF3mCDuBzAzLDWAiEA+XAi69XhPLdUQ6GdMoXY34KiBxTn7t8Hz+qHtk6C\npcw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUaESv6zXxq2vU8sHHAWLJSn5OdZ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVIRuSrdntvpf3PhJHILqH7pOpNJL6zqYohly8\nh/Q/q3pPj3DPhayRLF6TgaQS2IjSG4WcNY87z7MFRulSv61Ho3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW0dvjrTDhAPJgsEYh0M6alluWRowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDEU9z0d9ZW57qscJit2seG\nO0fSZGBYMnJ70+dHV6FuDAIgCJ6Kl4Xlb1E2s6DjLhhTBFXu1ip8bWrOcuRAB5Pq\nXeY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUT63ldl9cJXQTpKraWxSmaxmdBzgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEltTtADplkIphgsK9wFQcOXzzdLG0bAMg4/8n014i\n9IWOG6MyiPA2YxQFsrDPlJiyO/IrxDTsWZIItsqi9ly3y6N2MHQwHQYDVR0OBBYE\nFFhfFdH4PSpPbNvjDTKFnbTVVdq/MB8GA1UdIwQYMBaAFCNVfztjEQEZ4ybDz1cC\ndPlBk9TQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAi3PzjO/M3FIg3kdUPZdrUsCt\nuqGE1AOrGb/C71cUtk4CIQCzzc5LU5Wyww8+ChZ8ALwuXyzRCoP+wGqqRGoSLnQt\nfw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUBnCi5PQURiN6Ggb+RoaO/BCNPmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7LB9SHB8w7Jdyvme4u/Ys+WOh0vFINj/H6OfCMDA\nsQluG10h2CNG7x83XDF/4fOj3UubHSbf4smTqseOOc2f4KN2MHQwHQYDVR0OBBYE\nFNFALoaG94B7mWp3l25YiPn+Dm+PMB8GA1UdIwQYMBaAFFtHb460w4QDyYLBGIdD\nOmpZblkaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0IxNGYzqtr0yPGLTZDhOqZkQ\nlPQ8AuT3ervIxjsPmN0CIAFRJ86nBUd5oCat4Pu5BsOTziVIO78Ju5/TRztAUl3r\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUMVOZMmzcMfSHdmq0Lb5A/gTF6I8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv+aLOsgZZslDOOhZ9DDlx/LEis5627bVmA2Zn\nMgUqOC5tgex424RG3pfQN8eT0r2RquU5j/tkIdTNxO6yVc9Mo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNnnoAXiBCuuI/aDzAYv9w1wpVLQwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCGpdt7AeM++DkSvZDBIoPI\npQUP6EV+wZsIKYxBnlGYGwIga2UKUiskp1W8Xdbjn7HgbmMcblcwxK/dF2bdE76V\nR5c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURS1z8Hs4tCNc/MRz+6G/6Vfm8cgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKsJkOo21QIz0VAZgiMlQtuAKRDx6pdpyGUFqP\nfi0ROLdGecZTKRXqaRireSWHb7l0l2UYmmO1z87tphL1hNfKo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQHbom5856W/rTmahAveR++QJXkUwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDx88mtBfR1MHKGbAkOmY3+\nTUWWPR+W+3jZFliBCTbKWAIgafk6jJnok1fjvre7rrNPWBJ+7aLB7DTxQtd1vXPP\nSKA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUHpp20Zq953lRBwUXseFSwsh5itUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0v9ZfFKwNK6YFGwrEigoKqH46lsqTvyG9qntUgDI\n++I77CQXDrpFUhpZGtGR+F5EykLb+aATy2YQy+t7pv7SjqNyMHAwHQYDVR0OBBYE\nFHu+HN26RBgKQM9WYZPktObZ2apcMB8GA1UdIwQYMBaAFDZ56AF4gQrriP2g8wGL\n/cNcKVS0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDNKpHfo4DhCbbQSCrBgdpzG5Q6iZyb\nV73s7EDlKuCFuAIhAOO8l5ejpmrsZ7yInLxcK56zc6WHmBgmJZJgziTDjaLJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUN6mSthJjdOBBkwHARBjTZ7R0dxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdIRuNSuUQNZRCzFPnxB0LC3ppqxUjzI2rYLYcsr7\nAr2Yiz5jlmw/ENUaAkqkP9ETWxlovcCPdnQJ7RvtOqoHw6NyMHAwHQYDVR0OBBYE\nFMVf24I3ouUO/DZWHddqitsNriyRMB8GA1UdIwQYMBaAFEB26JufOelv605moQL3\nkfvkCV5FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGrzfBwrFromHJZaPbpacbKvIqP+ZW3X\nEooS9p15B3xWAiAOPAOTlgobreG2cpSBwOFdqbVv46iS0IYwC+SLDIny1Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIvLpUqeGMCOKIwOkBft14jvow7IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxP/PR+QpEMDhtpeYo4NE2rnxKDtl/wRhGNctb\nI/IxtkYlIWXOMxEXflX+HW60RocAzfhomkgutNzfxptWh9GTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzPiE2hRgdmxtpnbhQ98LQYiFrncwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCRiQ8yjvXRo3lpZIAEKNt4\ndjCx5Bs2fgLB73oNkXedCwIhAP/teXVOPeSMY42MH4du2YOl0y02XRG0wdcnBxSk\nUOz3\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUSnyG5RIVqiY0V2hSSWZDVQXE6n8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqUDc00ZA0uCx7K6goL5+QAOOLgPsylZPkQKj6\nWB58uj1n7LRxeuYIVtTNAnj8dHETGdQLhWoo3EOBYmQgjz6qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1CNOakQYd1GJUMbtcUWNRQKMuC8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCieKfXata4tDCOzfFcgNjz\noEV37GHdkrqBsInSlCX4LwIhAKuEI4oz11eY8V+PWod3St0Mr64SM+PwnJjBPoPi\nvwqO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCE/BjjB8kzefRfWSYiEUvKcZLwkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEupAtGcGlXLDd+cK48lWHYz9Ly4VeWQ6DpiIfV5lB\nLYvYD/I1LsxeMYP/UmFaPcWAXMJ5YyTrNPT/hPPdL/G82qNyMHAwHQYDVR0OBBYE\nFLrJcIRZoePAlVYLLQE1C3VVrDknMB8GA1UdIwQYMBaAFMz4hNoUYHZsbaZ24UPf\nC0GIha53MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5SBt+e/B8tSWYGnNFG0Me2F/GEfd7\nWKnvemCoZQQ4jwIhAOLW/By1Dv0fS8lI+JOoqNCxcEsv6MWf6IGeQlBCE/6H\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUE6KGKs4ivrVwck5Gj4NFMup1w9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvAIU+d3PGrNOe59H4s/mUmf3d+P5k8+c0+AJYirn\n34aJxxnKh2MSMbs4xTKVdO55byFiB/gXSX8Mkh5rms2mfaNyMHAwHQYDVR0OBBYE\nFH0qACju/Y/ZLil2bOa4ObHxthJBMB8GA1UdIwQYMBaAFNQjTmpEGHdRiVDG7XFF\njUUCjLgvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH2+4kC/uk8KZnqpl6COV7kJnN6+cgFn\n4a1Jj4LR5wfEAiEAgudSIXRNJT4VuHkqQSW9Sa65sUr9yukuKdL/ukZGb/0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUPNWeqVGz5mbh0+DdqPFAUWbt2bwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxRpnnbmXLqi0W0pm5VDktCgFE7Gpfs1piEojl\n2HQp2oFLNWjRAGVyHxHQ9YcXMeukV7vc8ghygR+xt46QrrrUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7toSk5PeID2v/EWvVeRP0YKIvKowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDljTbLhBv/g62r/0zRFdch\nZVmvrxxCN/NxWzzaza6GXAIgKBtgwfrlhjAVQULbxpjHYvZjwPglwFwC4MFTb9Fi\nLdQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUZqP8HdeAd1JoqTzlcWSzXkXG4rQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKhx11arDDgokSAeuDJFks3x2ZZRcuthBun1KB\nfPYnJX3AmTDgAbb6XMM88fVHZCZPxhztm+h+I6PP2xP6cNYpo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFNngsOIrZqxZrrjrYxdDIDVnpMQwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEqTe27bK2JOp6E2qm7M0W9B\nhUYvWx+RDfFmrk+6BPKyAiAOfdAakcRJqpxQmu4Vn7BmbQdeoIspx5/jblxWG4R/\n+g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUCuuo812+EhB7UVf5mBIoMTgTCsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEohtFwoltdY7G+gRVSmby0RzYykpFHtSFQ/jiTuKJ\n1xGiMa6BrKIZ96ITUTNv6w7yJA67fCGm56D4NV3UJW9HOKN6MHgwHQYDVR0OBBYE\nFIRLq3eX3/1nd6sY3lqd5QGf1UOeMB8GA1UdIwQYMBaAFO7aEpOT3iA9r/xFr1Xk\nT9GCiLyqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYPBoqzK3ZPzpBhvZynfN\nOAnpfn/mnf6ocxBaM7S+QDwCIEDRyvkqA5gd8yTZ4YheDLqdn1dPmjjnRO6jwTiK\nNbe7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUcMooM3Cw2CWVpRyE+VjZb9yj/VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZg2g2R6gjep1ufUWzlkknP1GWPIdU/9CONfwvCTU\nFAJX5SQ2pUv+KiIZEUiQpH3+PzBOWNpcNcmjIqvNQEt586N6MHgwHQYDVR0OBBYE\nFFsjj1hF+Is9cEtBhmEI3mAnd7f2MB8GA1UdIwQYMBaAFBTZ4LDiK2asWa6462MX\nQyA1Z6TEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTdyW8e+L8FrEyFNY9sQW\n+9d7knoQ32tWp8uvCm3jaOcCIQCM1zQq7F7jUUwGJ6VrkV+ZbcNnfoocllZzFK6C\n8cyBzA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUTv81bGukTkg6cYz/2o7d1wXxGOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJgpEmsCk9aFuzXmUuuPc7VC4ufjayvjs4pond\nxY14mQAMLo50YHhVdgNwZCJwoLThqW12oRO9AeojsJdXVCseo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSjEQ91rqgNrjyhbSp0vII6EfkyTzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgV1iM\nlCKGuZoBI/Q+4HgB7QYu58spTx8MiezWyNSSG8QCIQC3fvt4iQTguIeZou/6VXSs\nEUxBH8ZBb4t5EWtYfaQTbA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUCStBiriuDW7axlZJDEqpijle9EAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZIUBDAVtyB/J3IkhucyyXNx0MB412vhkdLo6X\nQ7UYUhEHdEzLChggYLljynsuqAMolhI5fa4hfOSOvSsFHHbZo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSPHBc8ALwjgSFYoTzgTWbSEICBmTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIbR\nJIkVrJHucWU3vPCGS32rhjJ8wBTzyjH5hS2j1HRlAiAxrb85T3P8a24Hu8ACuJ7g\nJdNvqaEhq0aGPIgWJE8uUg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUWg1stlLQ6k/jqWVGBt6Y4G+B1X8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/cKAVzB5fb17N5POxtyjZRWRHjkiMP6Frl0MJnTp\nbjjWblpFx/LbJBVRXe9wwnt/tNBHrecKT2uR7Byo/TRBAqOBjDCBiTAdBgNVHQ4E\nFgQUJXqXFI4JofVderNmF8OzS/+QY9YwHwYDVR0jBBgwFoAUoxEPda6oDa48oW0q\ndLyCOhH5Mk8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCMu7gYL1gOAEFozQxL5USs05iA9BJIXElBdYsVrernUgIhANQbGr3qnNJ/\naURyAVTS0mCJ3HmmCu9w6JwUrP4XgOcW\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUfLjVuirk5E3QzNodqptT3j5eFOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE63YwZ6bImIfYocLuJ8I3ENdgAIu0DPs2Z8jzzGvo\nO9uGLWSbtbqNnC910JF/aQ6JBMlIDYe7rr/YONuYmktZyKOBjDCBiTAdBgNVHQ4E\nFgQUKmDYa/a4RBeQyBORGrvltcwi6W8wHwYDVR0jBBgwFoAUjxwXPAC8I4EhWKE8\n4E1m0hCAgZkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDD79Jbn1l4RUJR2vP/liJKb+3+5mWt+TvHRdFb/9NSFgIhAP5snxSgGZ2u\nqzP6D/NVOmVfcFnLC1k5qHgw4tUEZ0P6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUDvS1MJltTgT12GM067cD03244vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiaPHWhqclndJff9qqvX1xAzu9zUWcLwpXkjtj\nCfod4A8lKRkqJ9VHtOtxq8JmUke9U/7+nk1Yr84gOl6tnjbto3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHpUdtDYE8Ul/j2obsti1Rc70Tb4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIA2DRRRPQ/iEJnjJPgvoTPUtbSoe\nc6otgcpkNOp/8wVcAiAgeN3z79KMifZDvX02j1RWZI+6PyAntrwqSpRtypqSfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFShyIlznNjll98gO6bLZDKNzN8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdzEgOpSiiWXJ6nmqu2fnTZHwHIuz/k6wMPrXv\nDtlrYJKfPqXOUrSU88mVmnBGJAKif3RKYEDUk+DUSEaKlEAko3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULhM0bQ75miQeRmFAHeWZSqC0StIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIB0/OEjSmftAdduf19gb4w3YIuKR\nclQuKR3suE2ftsjSAiEAiJOS6H6f769VXAdpaeilIBbBfCOcZnYUSPlFTYxWxx0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUd5A570/hF633EYIO9QggfNAJ69YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZrRgnG/K0indN0WYTtpipp3NyrqER9q+6J5mRKx7\nriYF00JtFrUvS4WfjS0c1DmoXthWHqpBoPLXN+YCZ7E3BqNrMGkwHQYDVR0OBBYE\nFJDAGU2XCbIAh2O3QmUqIiVdxxWaMB8GA1UdIwQYMBaAFB6VHbQ2BPFJf49qG7LY\ntUXO9E2+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhAPzVPv7l+pR9i3G5vfjRQGVP0k8XlX3/pwbXvSHL\nH+gLAiAZEDWsU+2/yTOtibuUyad8N2FoHJK66BbD+aE8+Dn1Zg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUOY2yCr36mvDfyXZMoC2TqfSB9j8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3cX4hFa7WArIibT8fRf0D4bxFGVKGRUmG3BCJye6\n03kP1ZCPOQMJhPhgCuj1+3wm3T6Z+XpC3PncJ2OeW8oWx6NrMGkwHQYDVR0OBBYE\nFGf4KWABaTgkbb5SHHsQ7BO61O1sMB8GA1UdIwQYMBaAFC4TNG0O+ZokHkZhQB3l\nmUqgtErSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgaX30MKNz4BsQVGuuRfHdit3Follzj3OCex+NVc3Z\nUBsCIE7YDq3y3UaDpapwq1glxV+ZHQHzeYRe7I5m1eEQRAvl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUYFupI6mBKN929H62mVbBPGnOXjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9+8PhNQA2FcCK0dPArjAtAyJCZrjvFi1IGlAt\nWLd+DrwTw6sZOHZPXK4VZNOD3Cu3RSxVJZvknEO3bK0qIvOJo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiqh6Ik9c2iP8zIElR6O5pfojGgMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIDIqV6pdnDTKGvkYDAsWlihRcVE/\nlLVQhylrVlniM4WHAiEAnjF86KGqc/U4uKL50YmtGSrsDyZbXTWRLch4uC9XlRY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUek3YMJJpAyWG8GuD4yPlHRQgjcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk0FbxJrBpDzQY0rDgXnoiLoSNkDR9HForpnfs\nmbNug0L1SWcXXXThcN2qoFlECBoU5DLimZyXIvHN3XSZL94qo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU28T2v/uXbEUtiegcrk4SBS/bcz8wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDBsqQy+PEZxWVxe7SK0oZxUPFs\nGQ/+oNsugITAnEgZ2QIgYpo1464YFmkDHfyqAZD+YAivaPZ6eK+G0NkPGmeSTGA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUKVb/eQKgPffeZvhTNAr1XCh4cG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtXxrYSIXvbSFTM6xMkt5Gfv3FBLWa6va0F2Z0Oy8\nSQc7Looh6NHQjXOmJ53pu45uSsNtw0jzQnq7QqnCFxDqxaNrMGkwHQYDVR0OBBYE\nFOrdBstUf1YZY2AvWzSqRVIojkkEMB8GA1UdIwQYMBaAFIqoeiJPXNoj/MyBJUej\nuaX6IxoDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgbDHEfpmX6DrubEe5pAMkAWg/drQq1Kpq0JAerU/H\noCsCICVmK3UPbeUl1gjTEq6P+hqI6hIa02lUqmLustMPrQ6I\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUAbD+e6f/Pz+CGHMuu6FBM8Uz1D4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh3BLWERpapkikHxeM0nBWre0U34+KmU4bcYKl5zn\nCa8gV0D8VGPdNImMIBnlAazy1cTtN9/5fOBirU0jVyikzaNrMGkwHQYDVR0OBBYE\nFJM0wY8V4VHOgYCFPtNPvoJQ1pIvMB8GA1UdIwQYMBaAFNvE9r/7l2xFLYnoHK5O\nEgUv23M/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgJi0SbFRaLsOpAbkg57QHe2cPG1F4HQgT4unW19Kp\npyUCIDjpz6iJmSE3O9cF7tpa2ne2PfXERUiCdrIjrVskknW+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUIkqtG/iwK1TsBKwr8sstrcdG3DUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbdUJununqp/xMuoXtuE5NenMqE5Rw3tRyjHUA\nQYghjopO/yQSjREEuLLFEtRAwKj+qrhx4Ok7VPV4aCgfKUSYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPRYE9OnoaribFJaxVuzcczOa5iIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIF59PjGbu05dm1evgMuQnocjP9y+\n8UVaIXleue6DuV78AiAtlCQTsAqKC+Kiv0+LcYSfUbTx47Rf7cD51/TGtU7KPQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUaEkrKve6V02BPCYqYN5NiRFFOFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMdgXFrkkfdniFhhx3FRZuaDvu/QGhOv06vAt1\nuTWy6km5ibcpQAKCHb7hVhYXmWdUa93be3J+p/iT8GFK9Vy2o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF9vD360FndXCjLF1NTAVVy72SowwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIH2owPzNxUxYOZYph9/1stf1mII2\ny6TBIruKm91DxumpAiAkSAGxgSjGrZ8e39xwRl77ttbKSp1Mk4rmZ/S0ehBhsg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUAxZUskCScHOycnpOX/DyAjeZ/10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6SpPyOgsWIntdIUjzGifNel5EEb/t++UGe5IuyDh\nWZS3y3xIXQwcE68jQBv/TvTCtjOw234drYgUWsOYFarAyaNrMGkwHQYDVR0OBBYE\nFKusE4juCm0L6SlLDbcMDlKphNg4MB8GA1UdIwQYMBaAFD0WBPTp6Gq4mxSWsVbs\n3HMzmuYiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgSe+M/BdIx/DJj9deYMx121E1entPN02UgqzpZypH\n7gMCIH9Ri8RPWmXutSAC1j+MTHxfILL7Dt63XKnhjXTI9ket\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUBbuumRgU9jGx9ctpaqfcA0LcJGYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyDMlzbI/c0NDSr+4Xr775JaxPOSbKjdGivQwnLTX\nr4TE9Cuh/TzXJU1hLqmd1v3CzXhKWG8BSqE38u4Bbcb2BKNrMGkwHQYDVR0OBBYE\nFFEC1jGHrbGZBkbENqH1KQkyxPDJMB8GA1UdIwQYMBaAFBfbw9+tBZ3VwoyxdTUw\nFVcu9kqMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgbGlQC3qyhWXPU6IW/tlFS+0DHj3RHDLwc3Mj0zBS\nH4wCIHMKUxnfqs+LKZlbTNJeOSLHChClGA7qNIilDR3NXrnY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUEVy1h7NAv6sxgSCmyBwnNIJnciwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATn+TcilRdvivBjZlLPM5aJsFFbkZJDZG0RNIaq\nXkpBg1HMQGehrb6bJ4NO2mZdErmfl3NKPsoYDMrzt+qnNB3qo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaBDYlhP2lNBrYxnmctGwxitBou8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgMzjxP+vMw6qfL7mu\nPO0iv0m+ywRmpYdh7zV/IrLLWlkCIQCPCEw8zTV8XW7Vk0QTJmCrsDWtCPLwPFmT\nC3Kf//1gjQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUEVbULWRxOtFC6/fDxutINPncTakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRvLBfXU+uSx3/tfKr2bxJIFYVRZrP3MxrKPMm\nK0+glhxfDAkwnM5tEsy3/efjIXPFN1Ej5Rc0IiatlDGdZsEqo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhSdtFgUNQ7bkgbPa4AFQUxJrEscwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANtGoQDbHroyaBmd\nFXIS8payoDU2BQafCjrkDFv3IysBAiEA+rXYpI+wTI0vx1t+jwVoHmSCArDliTP5\nPUlaYgwwkmk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUJiNecWXHuHsRl4iyktCHEio36SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEoi9BjzRrcciIEHmtJP6J48e9/WruJP4ZrHAdA1dSzgWsmxLD\nQp5IC0i1d/kElpLtEsTV9PiNSdvH+o3uZyTb8KN7MHkwHQYDVR0OBBYEFLjWEaeJ\nYcHihHY2Esd50F9m4eduMB8GA1UdIwQYMBaAFGgQ2JYT9pTQa2MZ5nLRsMYrQaLv\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIHhgfGuT0uHEK5WLuhMpu6GdQujs\nwcxYgFJca/0St9x+AiBlRW1MZsoEYqn8S6+KCzWj/FwpNoTEIYIO0/yLeJml+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUvXLjWZ0La0KK/0mIUQEJ6Zqz3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEuYmYXpxPgT1lQYMnJkgHsHKbU6H0zJl0AQ33buszJpSYLOio\n3Ax4SFawYdDnHNvq9m9m1BNAFT0jjmSXiN3vZqN7MHkwHQYDVR0OBBYEFBwI0Mf0\nTdSJn+2jJSyIty0aDphgMB8GA1UdIwQYMBaAFIUnbRYFDUO25IGz2uABUFMSaxLH\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIQD8LJhqBZIRRc2AllhCwel72P0y\nJERoWWnNBN7EIuvdNwIgdJBb6hnoYyyWJvXrBvQrAZsWNafshR9RSH7uSEp8BZA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUYs0ix1CHrGLe2faf0jRvYw4ENYgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLo1HI0EGMJ+XS856NXzlNx3GGs8XqeEnR9PDl\nFiS49Ec69lsMlnewzUWMe3lQUQ89GVypDmnA1HEob4bVzM2Yo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUagy6yxwILwzjcEGDCiwGBqQYCPUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK6Fbw6an7hoZvvJ\nSnpM/V3AJdohhVnzuodUxF+IwgeGAiEAzAv/zgQz3q2WXkqXxRiibw9XaSz8X3be\ntBTTDRs4VUI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUCHLY5Se+GN2xWKjcW7V7r40lVtUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXAmqdWpGOBPeSgGDeaECaCwI+530L71W3SVKk\nVAyFVSzxW4DvJpBygcrmztZyRrqlwiU6lhP9tBY1JmvPygI1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVbvN3T5m7Fao1euyB4eNiwJQPKIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgER06DY3miXH4aOUD\nvc26MtZeAoQWJbqJQbD2ghcAAoQCIFa335gLkvn7S68oxuM2iYZpEIAQyxDYdIXt\nKcY2qLe0\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUONLVu452pR2F1Nw+0GOnchoYt5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATTXvCgn5dpLvstl2/uoL/YAb0N5uhdymjeu3cYViYHoLdITP9w3TDr\n6Qy9lJwLWQtbWjKhGsB+0d5CJLMIe3oGo3cwdTAdBgNVHQ4EFgQUn5iER81rZqjL\nYRWg2haOtMloirwwHwYDVR0jBBgwFoAUagy6yxwILwzjcEGDCiwGBqQYCPUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiA+DD26HSXErv/uIaJS2sykcFMMzuNqw8ye47ut\nZaBOIAIgA3gbL4Juh1tohED1ueGU+3Ma5AxONaDTJquC40Y4mW4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUcMBfUZ0+U5X7YOPZkzeReSVrHukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARGndmoB6xEXnliGdZ5aZEU/HI4/VvC11CTCccJtdTqvHM+YbUnAeUL\nvbY8dakLS2Mfs4Z5WKVioQnzJspAo7FBo3cwdTAdBgNVHQ4EFgQUASnXac8ZmFxq\nlfAvCZg2VdkivG0wHwYDVR0jBBgwFoAUVbvN3T5m7Fao1euyB4eNiwJQPKIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEAgkzPnNsLkkPM5uM8eu5bbGO1P5dP/cgXBwMk\njCGQdGcCIQCMV7qdcCSU1/PqvHG4Str+8iIEEQ9DfeMyf1sIqFJ0RA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUBmYEb2Ntv+J//+oyc/vcYe1t+PAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1W2djxrPfVEr7rs6lM3vlL/vJ9s2SKlOoiN/V\nWOez5I5jpKup+W7wvOXxfyNAW1JE89Q9RdELtTQg8HOjpnlBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf410uleQxgN+aWHFlzjD3cjEZMcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXMNrtb2imiOcLlIX\nb/sCromUAw0Qq+LV32QDsEAPRGYCIBV3pFUpllzjIAi51H4t3Ttckp28Ql0fR+V7\nRFxDTtZI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUGun5m164K0pp0k/V4ir+3K4/g54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWDga5lrGpGnwvVjw9fIVErxVeKHgMCjGUXssY\namJrOXQASZALF8lD4MvSw885u9G0tjdGqFelUPnpjxVJdQp5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyhm1u9RLr6n0KqG7F8FsJqe8LgwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgFKVdUFNNgkY4epE3\ns5tcf9yMawFvaMeHEhbWO/TtRBsCIEipf1Iv8qMARkuKMLuY+bg/clRlv+47OGme\nJX6d0404\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUMXngpWJ6tWxAg7EKIMHa4E6MusYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATXC/M7nySgknEyOEKs7oX4PKoY7gQZgpI6JDrapdujPL5o0zYLVRP/\nUkEn/8ba+EJ0S4KpBm6DYs57uMZZIxtSo3cwdTAdBgNVHQ4EFgQUd3RtnLEHtR28\niSJuQ7i/2W4Wz5UwHwYDVR0jBBgwFoAUf410uleQxgN+aWHFlzjD3cjEZMcwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiBqq6q8cxMdPlEtiwO0EE2xW8LfTHRQ4EYISdRa\nkhNVhAIhALatbSqvNTkkU84EDoL/3VOlX+4XWsdmYplsNnb5QYuQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOVSBiQeX/Zb4moJAH6yuUhIk37gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASdEk6rG3ZblGW1Ble8GeLmdmw6kyGBhijmhgMPOFOXzhasatA4Jp8v\nZqsAmZhB7GkRATFFVjWJnY7ibkv0niJdo3cwdTAdBgNVHQ4EFgQUbRyIk9SgyKep\nSOHPS0DdtK+HUg0wHwYDVR0jBBgwFoAUvyhm1u9RLr6n0KqG7F8FsJqe8LgwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEApK+aJG76/iAJRKeZfZziAQJvc4Um21s54GdH\nv5C6DQ0CIDjH3dghWZP8yT10H63CUgXohTwbovcB/PjgH8OIXakl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIUuPKhf0UFP82zOU9eGUDhTwoJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCsaTllfi+UGmDYhgqFf1Whsb8L/nVCV003gKG\nDWnDRoKmCVB4UkSfLF3Q9yJK2VkpQye1Tvnx/YMUiwwW0HA9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt0xYbc8AG2KaUSF/8DUPuIDVQQowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgdUO2Zk2YY1qVfn+Y\nj+GoKDNS4+PEOfdo/1z+AevhRdACIQD50NysPp2Boc1koRQuPcp/6nmb4tXZCu/u\nUxWGjF37xw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUOikhIPdm+iqiPyYZs6jd1c67ejowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARu/Wubx/sFveHeuliVAWa3GguQ/7JresiZ1FTX\n4ZMxYbpmIRXnspe3Q1KkCM5Bwpi6BCE/PLWGwn816DzFhgGKo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDzF1zbsS/YrP6w2T5txsrAnd7NcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgNmoYakNf49/EpS4t\nYuovgB0Ap2uKZMLHYPdbFXzpF+QCIELkgjoTqrMsDItLWMgEZzTHLbSl33++YN5v\nIOFXIDC8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUUqBTMSAD2BDlFuUBs1yQaYbT5ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEste4LiNkp/f5afUT4dxuoFTrVhaYeO+IzcIONhpd5ocZ3YQ4\nIj+F2LEgZv6NKWMUxdgnVeW0zKS44YcDSe9kB6N3MHUwHQYDVR0OBBYEFOqPwA7i\nRqSx6IB+FzISJHBsZmBQMB8GA1UdIwQYMBaAFLdMWG3PABtimlEhf/A1D7iA1UEK\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKeCcGzm5PURpPbkeCTc2G22EtrHcCAM\nc5snJ+rKK76ZAiEAwEJ3QC37kHtPB2dciywFJlXDzmCRJ3DBm0L82rZjWq8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMQpoMehajIDrXQv7HVw9C/zbIegwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE93et/1T/oogu7o9tnIWFBIao/U1AOIbsCwC8H9+MB7UDFvST\nT0xCsv5KI7n4goBHJm1su/vvkKYN/CjvpIbTaKN3MHUwHQYDVR0OBBYEFHEc7apZ\nrNCK9KwEE3zrYc6EUHhnMB8GA1UdIwQYMBaAFA8xdc27Ev2Kz+sNk+bcbKwJ3ezX\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAInKn9yPvihQo7F1bcnYb9O+OB1T5qGl\nQIce64EK9UBcAiEAtdGGkerV/z0FPXKphSAx+QyXvYuDlkY1KQOmqISdgfY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVQ9HcJp1E4rlH+LwouRGY0QDPoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3iXijPkrou85tglBiGvP1nUPB7+YlcKExEr5x\n+MDk1lWVt6y5ouurr7I4+9Sx/M1y6BQv5aBWvZVB9nDej7fEo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+8TjzWFycXIDRB1zaa8nh3t15GYwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAN+pHpfucQD7Tuyv\nCXaaV7HUu0j82U1MIvbhlrrAlBVsAiB5yqsMt9D/HYkZDOc3AXBwa/i2hb8rY4HL\npd471pGOPQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDmsjqH2LAm84wddrzTAeAuXmgi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATViHjrkifLsTUGQ5TBRthn2K+VA+BJXYtx5mOC\nisAE7JsBBu7k7M9aD3tTDr66J4+rZcnwCclmfvGu7Cc+wKu0o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY6nOFgIiI3eQvl1BUy8gjL5qLPgwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgOKGNdOCGOOIsENWq\n+on8dxk4bn9sNXl2xpeQmHdJfusCIQDfRirwX9kB0Gj38TL2SxTjutQv1KCsXL2G\nBrfWqYQE2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUQF2e3fBI6F7F/CYW01ZQYbKEroswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATmgvysGfXDiPsk9aiARsKchEJaNUboaOLqvoLD94lM59+KGpQOfi/M\nYMvD8+0ei0WjHvmthvgYmpfAkwUs4Ujwo3sweTAdBgNVHQ4EFgQUkAdn1allK4NZ\nhGBsw2fPkz42WUUwHwYDVR0jBBgwFoAU+8TjzWFycXIDRB1zaa8nh3t15GYwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIhAJhyqlmczqBLqJR3AEfEikHfunDY7qy8\nnsw1cpLMdkzOAiBfFUp4JFG0s2o69mUz6sJNJ9E2JdKFTTqLYpQhusqVXw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUDxSzHVK0HbWzHZwGGJHITk17bY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQKgLN6LkQKuIRrY0IYq8BsRPg3EGdWho4iMc1fMoIx6E3we/NezIiH\n7//TB0u/o5BUMfzg4juxLBe6NZY8HiN1o3sweTAdBgNVHQ4EFgQU7ZmycKTocB3e\nFLwO3uy24UdaoI8wHwYDVR0jBBgwFoAUY6nOFgIiI3eQvl1BUy8gjL5qLPgwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgTBbYDIoLgF+4CGOiSKnpoi7lrWjc7m5p\nZ30Zcf5Az4cCIQCOBSKHCJlvXmhUAE764Ah1hp+JzAj7uhoATuOVD6xSNQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUQVeFCaSbfiGqOvzsv7S7Y8KpdlAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnLTDeUPFp7sks72Wsh5W92/qpr7x1y9c750dl\nmLMqOa5FQZ0zbMDzpVaY6JhCFmNAAgkH6GjShMBdZBZV9N3Vo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFGdIAmRSfiTRrFvkChO3f+Rqh7dPMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/Y/0qgOvXHIm3xQz9\n0hrrR+kPt0FRAeJ+V6dU3QR8owIgCiCT9LrJF329m2ZKwHNi6Rq0yBQOFY3/xoSb\nzMAJFZw=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUeBZzbt9IwLdjzFbE3jzK+UtASOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQDBu/fNUXs5zygsKX6mUson869zBTaj+Iw2NG\nr6qmytSBFj7kCinxUb2P0/qMJ6vFNjE0ozMi9kz2AdO9qlvQo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJHCPL6tSWIdfzsJSmc4qULWmMplMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/+yia4wl9feYHFiP\n+WuKb1xkfFIAfKIUtYz9t6qxft4CIQCqJx889WPG7vOSbgTK749AUHUbEAbeki6y\nVVx6TO7z8Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUNwoeDwXjHMVLA8PAtp53cGaRziMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS45YQmyj1yVqn7Niwu/g17AIIdaO64odEp05Cb\ncVSWHOhoKBbsenaadob7o9gugfMQZphIpDIZwJ6IuBtfAlnto3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUZ0gCZFJ+JNGsW+QKE7d/5GqHt08wHQYDVR0OBBYEFE0l\nS/u3yTHfoJxkWL+Fu55qoUz/MAoGCCqGSM49BAMCA0gAMEUCIQDNqVihZ3VAkkqj\nJGPkLbuLiiZpMHBJeM7MoZAbibbBqQIgWjzp9nXK3KJbh0Z/pLXvZ26FT1ormcSL\nGA08B0vMZwQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUKc0SN1jroVvHeSgf/TsHJTLNeAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcWDcUu25H1Dy75AVM4qiwpy6McRwRj8MjJdj6\n55HLKjSJy7riVhpQoxG2Wfk+OmHRJ4bN5oh9Y36vd7rfZHQ8o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUkcI8vq1JYh1/OwlKZzipQtaYymUwHQYDVR0OBBYEFIjP\n3a14NsjQT82y1CAkd45qvAMJMAoGCCqGSM49BAMCA0kAMEYCIQCj2+/+gRRNQoRh\nFxow3NtpipfTUsB4JnEYDK6pzssvJgIhAIFVI0DD+3l8cTBThs3X9FfZJYzt1oDG\nyyPYGYlbE/Vv\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIURe0/Cr4KffaPRFdD1w1F+LJPnDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEl2OnmSZwt8iE62pnYyGTuejzXGEJx+qNi5nMLngh\nM5rIWaiq787HUUFijw4WcqAh8mLnB/CsbfY+TVrYBrWn/KNyMHAwHQYDVR0OBBYE\nFAlQwo4ZslS/zxwN7rI7f9t/d7hfMB8GA1UdIwQYMBaAFE0lS/u3yTHfoJxkWL+F\nu55qoUz/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD3xVz/fRPGCON4XpNl+CGm/V0hxFQ5\npDe6FFGvTfIAUAIhAPo6uPidox/bpWhhb1HaakLLAGTg4AmlvcWIwUJusc96\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUA8RGSnpmwbCAiqXi+eTzvahN0nIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEISkhmcyvSFkpGqA12jQLwrpR7xC8yZRkZntjpw+f\nSc0GDNB+BSxIb/qIfXRafqyI0i6hJHkcXT5ApTWVW2eESqNyMHAwHQYDVR0OBBYE\nFB8J0pgbpqrkjZlY+QJN4EvBlyuFMB8GA1UdIwQYMBaAFIjP3a14NsjQT82y1CAk\nd45qvAMJMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDeU3DQGJMNmK/2D26NsrbxwBECeE70\nbSZzj8//SFAsxgIgWRoqhYAT5nlP2ey+tmXsXfqYI1urlLcnVJSWxJaaDhY=\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUF5zPFyptsvJqPXotnLM+xg6XLjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1wVoLT6W/RNAnr7wK1j3E2/H0qwa9oRJ+xU2y\n/Dhj5dAhQTeW9lDMrG1zMYCr5wl2iVGDk/zUT+7TnI+QX6cJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEAnEaK8VJQFs6vDnU0jrhC5W6/YwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDy1HXNAvtVWN3hw0qcvTuN\n7fUI0WHnUC3QIIDi4ug16gIhAOLUX+62g3urOLgUNU07y8h8XmADe85Wjd3+k7pX\nTh0h\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUejfgnxkwbZzrKpRdYLIXQcUKX/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnogrwzjjXh6aENJyD/9JzZZFMn4CHiXZh81De\nBt+nCUJaqJjp8hLmGhG2OlJJTWq/x79K48JAcYx92Py+nelUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ZlwTn/VHgp3q4XeQ++LataFTv0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDA3GK58c/THKOV3H1Mg2HU\notT4VE0NTG2SzciIeEDjigIgZ+1dORwRz6IMnCog60UHKAz7NeyAuBFzjyMvK6gm\nQpE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUZ1OJo4QkLoY0mgrVrNuveyYUC18wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzG8rdpZ/W8fj3XG3TJNWOTxeA1f4YB/oc0/Z4\ngS/x7tdHGfEiPLi+0WisigxUa9Rwj8pHvb5XQXdDMtlr7lRVo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUEAnEaK8VJQFs6vDnU0jrhC5W6/YwHQYDVR0OBBYEFGNd\n5A9YvpcCfkKuRdY4P/v+FX4vMAoGCCqGSM49BAMCA0cAMEQCIC01rwbt1U7RcYbX\npRT65JhNcf77uci+t8rM6yt3xpx6AiAXKBesIXByTDM5nUpCyAvqsu++QaHfxzLz\ntAZw/ICSZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUNJuCSpN3R0vdTnaF0NropGu4FNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT5r5fNvEaXLjRow8g24xABAwqSoVUGyAfnd3cO\nZEb7dnsrWdAzf94AxlZAWGcfufDJ6RGVTflvCZSVQYFqHqqMo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU8ZlwTn/VHgp3q4XeQ++LataFTv0wHQYDVR0OBBYEFJTj\nEklgq4CdCYhxmKaSgvevNaRiMAoGCCqGSM49BAMCA0kAMEYCIQDHUq/Q2nGxXOPd\nEP7Yw/GzXDb3EuQLH34UDzsB8ikILAIhAP5MjCeOPh++HrCyYKHmb5eSK5xNDt29\nhss0OnlePQx2\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfxgO9MGvC3oh8PXcwR84XmEQ8MUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARN108xZe1qddKnfWRvJknmdOdVu276x3HHCMME\nwwANWjOdPVeAnwWcNZCstH39YlwmC8wEst7jj5oJm4NzTywYo3YwdDAdBgNVHQ4E\nFgQUg6D8pOLtwxb7UbctEVwROJh3Gx0wHwYDVR0jBBgwFoAUY13kD1i+lwJ+Qq5F\n1jg/+/4Vfi8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCsu5P7DH64FmEcM3c6edUm\nff9yYgJCABn5qn4qrT/xyAIgXi2wkg+uKnGwvo4ILa+/qMsNyGeA8zoC9NUwpeyI\nhR8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfRNQOm7IhUPi7+FOM23MhTBLVjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARskENqVnNwq3OMGBqTSosV5G8zLQjL0NQE1A1X\n3v8HVMgpBWOtDcaIge56seHpItM0nrdJyUOxvXG1ws74wWH5o3YwdDAdBgNVHQ4E\nFgQUeBiJPxwxSWkp7DDpYNy8sPWpYCEwHwYDVR0jBBgwFoAUlOMSSWCrgJ0JiHGY\nppKC9681pGIwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGq2TZznDirvF4qbalOHKkp9\nQXvu52bjrK49d98RSe3tAiEA1duZBl/1MKUeNXuMleO0P1naDOjCHt1oV4uiQzIo\nNnk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUZWp4xWiY63rgRvmZg8ZzdqKobJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEYyPmRAzkHvCAZ8MEDJSRZy/y8DI1SD3alZFa\nBPcNlL2vnGJtLP6HBILNG2r8RFGJManFhdxhaonYOe6hqxOzo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQYdIEm4Apk/dOBusUV8kz+NWhLnTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAFgmE2COeF3+IStzhJbZrtqNhadRwTUOVndBRnelKsNAIgdTcssk5Pe9k0j6WI\nVhImvhyquOIaHVm3FcKs6nXiixE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUR9cr4xtX5vJOVpVC6SO5yjcw5NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSiMMkpT21O6kD3ALMiXO0L60Pkiez6tJchtg3\n01+FBr6Jo44cx6nYVM/cnvdY8ox3ld7KLcFpu1nRwxiswVj7o4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRpG+wV8REH1A9/HWQfO9bIHzr97zAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBVZmIOIC+8SC77Twz0wX//aRJ2gEgbSYFb0IqYjT/bjgIhAN8EAq/F+vyfjCol\nw1+/tumJvx9NGP4QV2f/DxwFIW1l\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUdRnOi+j+FA7L/60I2gIqdLZea4wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXAyywoIWFqGkZ0zYsxMnlR9ov8qMQwuAXO/zf+bg\nR3TVaJxF1nRHrsuvpQwP31DJXOIG1alJVvcC+9z3UIV93KNyMHAwHQYDVR0OBBYE\nFKb1LnuRx1VEueXcul4ZZEFq1J/MMB8GA1UdIwQYMBaAFBh0gSbgCmT904G6xRXy\nTP41aEudMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDEPzWDsujpUAw5LW84b6dGag0DHAyb\nJWx7n+os6onGigIhAPZLopQQhFFj+FF8dyTp021PtlgqpMmwa5XKJh7ik8zV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJNZcVtj4Rj8Xx2J0ZzTOlNLDWIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE91YMmSQ/sa+heUnIbA4XGieWpyTbmYt2mekQ6af+\njHERqzwUOyj7djSoMhJoarsvNRK1Lnx7Y7PEfK/XDWOGxaNyMHAwHQYDVR0OBBYE\nFLsqMTtKUbumVtO4qYHErOHAivUXMB8GA1UdIwQYMBaAFGkb7BXxEQfUD38dZB87\n1sgfOv3vMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDK/vHytH8QK4HpudxBqqNAaXCyrGFq\nNfRNkfuJcT2afAIgZ51QukD1EsN6f94/Eh8uyu7Wfx2Cgl56OKODMVWBYi8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUAcG5W6xckc2kzBVGm+9fs3ffsDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrXAYqaxsIPPsueSiso/bWe8FYyLH5N+a3wFPf\n5XyIeN0RngXCWIg0GFTy92VCUe3MvQUX2JlNmmCOvRgUKLpCo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIWUamPrYWHZxhutjVWvWM1/E6zYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIF08sllAOmE6U5WT2xeZcjNUjkls\nqAbhVeBgLTRg+DLvAiEApnNJovO+MwXBSIb8ZfOXn+5dW+7xZbtyO0oZ6cyH6Jo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUfj98XYCNm6zG4bD10P2lX1TyywEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtsMUlXCPYwCfp9blr1/mTwy6Yt2h9+LhHhTRH\nZFUFwLWlOU63apLHAtxKETZX0xZCfXyFeaX8iOY92/IA0jebo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIZGOWLHcAEI5XfulCPC/nijyvuswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCZf2cLusSylNUYKYWfhDKezJu+\npjZI6T6ODzqjyNmCLgIgZZR6zKVnw4OO0fYE3gmWmrMirkMYRF1uDvcz0ZBEseg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUYkv2rbnNqC3gS9ZiKRM7ARcbn5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERlUFkez8MrSIj8Mw5hlBH3O72f9dPFmyW2+7Qyan\nFSU/N5JgGNdIBIN3nkkOYiuPFuHyzHFLdaOoBHF1OVg+r6NyMHAwHQYDVR0OBBYE\nFLFQG6AJlsh7kfg/jyXlDZULVJXOMB8GA1UdIwQYMBaAFCFlGpj62Fh2cYbrY1Vr\n1jNfxOs2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCSM9Ysk9lqk/Y9odIrWdszlhTqywuE\nkI0RXt0DpHZTFAIgXCd3r5hO106nGB9mKJ0s8VKb4rPBuU+cNe6H8qWdM5s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUHpmmOVbBT0jE1UU7sBr4NOjRKV4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8Ez8y8cGjzDrSMJVNMCftL9SNQVYyCjzxduZIMtQ\nkUsqxQ4mRgATSVvYHU1l4IlHMej3SSmDNAivzUy833dWbqNyMHAwHQYDVR0OBBYE\nFFX+jYeJ03cv92TT6ZufsABdAibcMB8GA1UdIwQYMBaAFCGRjlix3ABCOV37pQjw\nv54o8r7rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFjgL3/I2BUMPENItBUTIWRZNOufm02t\npntYXR0J0W7VAiEAtXOSilA29SmrHHyGcB1NdQMgbL/Nrbhk1ewmjJThOTE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUX15AljDZxEsrsf4R+odnMtKNwoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/sZLc/o0Fi7tMgL363Nk3PQnxfx4PuDsIH0SY\nrVlcszzTgu6VhJSTZvtodb/4A9pTpyp16GWimHDXzeSpI1qdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUve1h3bd+2IYtDzJ3f1IgkD9ajPgwCgYIKoZIzj0EAwIDRwAwRAIg\nTVkwiIdjt6B2+kET9Q3Fv/tqq5rmIUI2bYobThed8LwCIA+rJcJEMOWjNq37YAiL\nRXjeeuQWzPqlMQLktJt3tHk1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEcTV5xaHa6FfR6ZsUFz4sXFq4EgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxHpS0X0AQmZR72bDwYanAKe5vPuvcwEtfzN1h\n/6xSvaEo9nkILLs0+swPqFIKc+FcShChV0MSaCoI8LttjDeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcw05+Vq4osu5HK5A4WRV4kiEtlcwCgYIKoZIzj0EAwIDRwAwRAIg\nCHPBsfRsIQuejdmJlzW8FVyDAmU0ld+Yn23BnM05/38CIBOan5m3jDSxlcmt4rOo\noJ1gLjoMJbK5rs0djJ8WSPQl\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0jCCAXmgAwIBAgIUCSED63GNJ+WB54nfE6IOkUCrP3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwhlEGhijAPCwIooJqwgwJRwDAW/hQgz2bDriH0Tk\nLsSVurhaOzxkCuqOaoa7LwHyFzLlEoH7lYolsvlguyVs4qOBnDCBmTAdBgNVHQ4E\nFgQUzxqWAzmRQpuIs2A6kk9zBJeCW+QwHwYDVR0jBBgwFoAUve1h3bd+2IYtDzJ3\nf1IgkD9ajPgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiBK15mGJVt8oDLoSIAzPN3KKegMSxS2+vPivXfX\nSAg24gIgGKlh7vKSUBDyWGI2OKdLVQAWezPMn8P9/K9O4/+6N6Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXmgAwIBAgIUHbh2GMV10EiewQY973ItL52B77swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEgd6oFtHeZPmeBCHeW78V5L6+G0zdO3NzT+bHbzmd\nhaiy4qfvbdJ82562/sBiO0VAS+i749oJMSyO71ikuxfnhaOBnDCBmTAdBgNVHQ4E\nFgQUGJv6JPKdaW+X60QMYGh4gDfXobwwHwYDVR0jBBgwFoAUcw05+Vq4osu5HK5A\n4WRV4kiEtlcwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAgbw05nTvk3SS4CXUhKd+fcMg8Z4Y3eG0/i1P\nbeQZ3psCIBAWyV4EuLqnFjySCaSM7jAim8TG3NG8ljREqkySBYSN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMLZ40DKtot4RrFnwydQwxLNVTiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvAXHg07SaYIske9Bly0Auu+FnSBKNA/fzC0m5\nNEczUbn4rrXj4DgkxdMcRnK8TkcYPQihbGHQQnPuGLAWpxRWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEQ/sjkBDQ6zvhQMytgUaTY6YEe0wCgYIKoZIzj0EAwIDSAAwRQIg\nCcVOfVdS+N8WUERySfuVMJSUa6fbtojIKZYH7UZ1cHsCIQCQXHAjTfSfKoIJyato\n2tJeiQw+h/kXBOVJdg9vrJwpbg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIMdIrRGaRtU1uPEV+UKBzQZBXiAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThpJUjRJg5dkII2hlKs2KI7Og4LTRjUvqJaFiJ\nmvqq7x3Do+MGSUv0j8IsLDLZX5gvwuGZ2jVfcMLpnMVkhCzyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK09BgetWS0GW0do2Wr+C32uScJ0wCgYIKoZIzj0EAwIDRwAwRAIg\nNVcivBcnSmzKXEvyuNN9yyhILaDnGBpnO1YSkFUpjXECIFHk5m2G0+FSdKK7HixF\nGbsySWaJ5IEYTPFjct34DjVv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUReL8KzGLm0XuuSlFKgfBu0/bKjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyPO33Ll/bkkfPpIuLKQa/sgf32qRpSM3NpHq8GQg\nCbGsEwlopPTWIhVKe1SJ3A69DSCIM1KuW6pUQVmkjzCnYqOBnzCBnDAdBgNVHQ4E\nFgQUnG2Ofxi8JNEhDf++1FXjdZoSkxswHwYDVR0jBBgwFoAUEQ/sjkBDQ6zvhQMy\ntgUaTY6YEe0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA4PDKTCnResswPu828ZzKBqzkiFCV8Xk4\nHOzGRHEsC1kCIAUwC4cE5dqzdZVeomUCEX30JCqWV/+2NgBB9YdtCikw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUchjVLo6Gk4tNew65YpWhfonlew8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAELXzzqw2P04P72RUVXzneTnP6iw60SrFeG5txfEOB\n7WSZp6/AJw4prShovJ0XRAxQAjo2p6Hcf+NTwFcIUQCt0KOBnzCBnDAdBgNVHQ4E\nFgQU+fXUEELGe6QcpgPD4jm/ZQH/SoEwHwYDVR0jBBgwFoAUK09BgetWS0GW0do2\nWr+C32uScJ0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAaGahhn/zvkuSqIABK/qln3zExINeQT/ZH\nvOL7DoooIAIgOci5cat2JjDlIwkFHjTKCkUU3iyMKgVJdcTRac9cKFE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYpDOHrrg2p53lHiLAW2+T3Fc2lMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8rwjfPLnRpfe0+Mvwr0hzpZ9KTNuS6X7OFH/Z\nlHQSJaqHgiDQ+hjVKCnHHveEnghpOTb9gSfFikppS/U5xb7Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqywp7F9ErMYpKbEP6zwqSO3WtakwCgYIKoZIzj0EAwIDSAAwRQIg\nTlpIq3OarsrremRlYF4okV/7eDbRoyuAe6CNfuuA2fcCIQC37EFCWVGM4uJhy7A6\nxAaokPjT0u80hf1FV2htL0l+1g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTX/40u//NXzf9qtyisquxojcCgkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQn23PaMH78thKOp+IxbBNia5TLO/KoWOnRgIfu\nMuBQLVF4uSWix1ZFP+PfpiKQ6xVEW5xfmdzH4ovj5zFb/muSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LnQCum28WPNQogcsUHkH/bUXi0wCgYIKoZIzj0EAwIDSQAwRgIh\nALoYOZ4YWyAuFTBgAYUnVIPeSXjcNeazo/z2ezQoGQBcAiEAj9CB/gXMgffUoFe1\n+o8QBQiFqhvXaLiPgTrCdvVQ2pM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUIjrAjiIdPw9ezmIBeuj9Zg0xI1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErzsHOCAy\n1DO1dLvuemHJCXyzE0f5j+B8b0+yHiSUwvvWPkBkjPDG0UCYJ/SXmfRamQGCWF/8\n7nVUypQivYYDa6NyMHAwHQYDVR0OBBYEFMJqoHQ3TeKKSkCpyGYAFOA6PJYCMB8G\nA1UdIwQYMBaAFKssKexfRKzGKSmxD+s8Kkjt1rWpMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDAfcu0sYrfAZJ8eiND3uCqhkQTl4876TQ87E9WzjGqIAIgGjQYIUOPhYd1ypZq\nSfRhF5+4bGSmGmBfC/v3HBT2nY8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUXOlS0d3VlFsHdZV4tH7Hqa95f1YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV7nFn4H4\nWds3QHLaU03icy1DuSvCPU7FlVO0jkFVRdGjwnYsj2znZjTKUCY3CzY4oC5YOXTZ\nJ1UxNrzorpC0AqNyMHAwHQYDVR0OBBYEFNeCH0T4dT8ntGzmdF/eE4uIFbb5MB8G\nA1UdIwQYMBaAFNC50ArptvFjzUKIHLFB5B/21F4tMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIC5ZqhRCsNz7skY0Wnn78ZsuuCJuAsiPYMMRfrYbTd4PAiEA8SGaQ0SZszD9Twp6\n8W/uFhrUsQv8d9/xMu8rfBy57M0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1132,10 +1132,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKPvgmvF5q29cyVmBfUfn7hLyyXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1w97xr9DkRsoRMGH/lQ+BjQse+WDjvOissPan\noWGFX5GoJyziAGrSnXPq6En22tWZkLOQ6L48bzmkx0AaiPS1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVvg6OXPIcE9jTcJpSUKV7wtH6xMwCgYIKoZIzj0EAwIDSAAwRQIg\nf5yp//uXq817FeG89DfV18BMpdC6lgh7Bq8Gf16uwMgCIQDrFci0Lx76OoRWma4Q\nqHz87qW4W+djBBFIyogUoCtqew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDeicPaIIeIWSrg5lNuBbUN+9kpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4EkijhqribYFyXAoHWFJr+PqaiCi9pvYdgVXe\npMFPK6USlGKIxcRb+4JKL6QKN1cboJ0OtmPhoBYS1ar3m18So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM337NaE5ZrL5KWUv8BiZ/OiasdMwCgYIKoZIzj0EAwIDSQAwRgIh\nALoHVA3holVIBxS+OKCtkhE+6VIAqr8dB7lJVPYItXdfAiEAjXuLWghRPxWYZB8p\nVw5HabA8qwgTA0/+r4YG9XZrI6c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUdF0SyOOoo5ySdhEFvO2ZpMvs6nIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVslr9M6Yq0FERJ+iJcOzLKS+BNObTGUFcSeP2K95\nh4QvBKsEuV/bYEqwnRwu36FdYKdafwXc6JIX5kcXqYt00KNyMHAwHQYDVR0OBBYE\nFLV8FNzXsz0A6vNYgIWcdsxsPs+4MB8GA1UdIwQYMBaAFFb4OjlzyHBPY03CaUlC\nle8LR+sTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHX/8cqeXG5PZ2L1SKQhCvgti3cHiuY9\n69v9bAt2lr0NAiAmjk19XNof3OpVFq6dKERSNxVkO+GHGk5AqQXha12eJA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUXbR6wHGcf8xlwQO8OlZBuAGcMH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpA1UYo4A6x0VK3xYFLVI/9BUKpQevG42zr5RMMFP\nCKkXbqSafqxboyfS311OAOs3HTVven4eLacvqA4unB8TOaNyMHAwHQYDVR0OBBYE\nFFFL2dwBYE0oVzOXI6RqpT7YMJ6aMB8GA1UdIwQYMBaAFDN9+zWhOWay+SllL/AY\nmfzomrHTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHJJ+DoZTpHVyXnILQ/u7EgFQdItUI5P\n8zc12SNBs3ERAiEAiSgxdG+bRgb7KPPD8gy8LyFOATtigtPM7XEegqr4lcs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1153,10 +1153,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSm+o+b+Ci32aoX7o2c1ef9WBbawwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+ZvCR4F3jzZvxTOP4aXN0oh2JaiwzdxUB8LrV\ng3kii/iiPzKHdK9g5XGE7QteRGAsv1ASwjt8gHtnOcQoTMk1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbVt54FSq1Z4EvBe5n10DkT2FVpEwCgYIKoZIzj0EAwIDSAAwRQIh\nAPjH3hpIex055yd98BsEUG8kINl5bIKjRU+uB6C+qQTiAiBEW3OjW2+w5mjEkkrG\nLgoAKbcWjaF7Vj9FwQldstjLiw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIp/opegRXduaFDc5NA1aaCBp+VUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIU1zWEs71yAtI+5ubI3zq3LN7Xg2co5KEUJqB\ndItninQzPW2+zxl7IzpR25xDL3abuMMRQCOaEQhul7zZNZmWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhq/kWu0dh9x4HjQB8++7rhcxChswCgYIKoZIzj0EAwIDRwAwRAIg\nYaab6khaRKQ7I8Bx5SIjr0jzVvF/ArKgiRyFsH+1Eh0CIDnQEI5r7wZy5tYtn+f3\nmFeAeBSEdHorbXfZ31RYlW1E\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUTsuyESNShgr/MHFdlz6ThrBV7SMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEz2hUo80y9RdBzUp5OC8jooL7Vq+siauMwLGzH48G\nk3XeWIKsZpZ4zMTAZ25m75uWKmmhmbMglMeV/jlhxnubzaNyMHAwHQYDVR0OBBYE\nFPaKs3srqRtWlGfFfh4zXwn8pV07MB8GA1UdIwQYMBaAFG1beeBUqtWeBLwXuZ9d\nA5E9hVaRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDO+wTSi9ulZaUZrg0l29xePtdw9lkF\nsPBtmaRGwqBjoAIhAIfxTXnmfSNhtdeh+XDzwrphP5gT2CgxcTdM2kFJRRDS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPFIVEMPOTucJSlxa5qYrP+1oibEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqZ/lqHtpyd4lcJI1yZQg3I9/yaYfmj0tkzG/YYmK\nKhB9KiP3Er9eMVPtCwT2T/e0783RSWGyhCWsQq2KLglXqKNyMHAwHQYDVR0OBBYE\nFN7Z7A6aN2/U1iKYv4FJO5gNrhdPMB8GA1UdIwQYMBaAFIav5FrtHYfceB40AfPv\nu64XMQobMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCz3xADfveL5bkYcZ1B4/DCTH2CvjCy\nHrt8T6mfov4NhQIhAOZsXRtpQ/V++wCJiGyv5z1005pHiPsfDkrFY5k/b5Ko\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1174,10 +1174,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUqkf9/+1RmAYGG/5AwwN7z/NHVQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDDjz9KbbAMXngSn6bAvfkV9do+sYNntFotrc6\nFHcGetzc4Y+sE3aSox3S1KgoQWLUrnvfQIjkDqjQzknt8INfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7/CAYXhOcE4uvIfEesLWxpUeNY0wCgYIKoZIzj0EAwIDSQAwRgIh\nAKEL9zFH5bdXCHKS36+Zgo+J/wX3M5+ZSPYLMYyn+mmuAiEA0ExQQoX+KQkN8ewL\n7JXBPA3OuMbXoMlSB9ukvCHMEtw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc7V2Gasj7y1DVUZVnByQxvmfsRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXXKHhRFNAYJ1CG32Ecw5JULxQsaC4INfL5RjH\nsS2HNJ3VxT/vVIQlOjKlVSaBC8oqhLlIm7RelRiRxZsOFZvGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJkmOIwSz288YbUqHgT5SjuaWDs8wCgYIKoZIzj0EAwIDSAAwRQIh\nAMVMZLBRwZF1k3MoTYBwrYwN5neo+ayr2xAOZG36WraQAiAfG8p4siN5qF7dBlwq\n1xpACTQXG3VSUA/ZYBBtymB7gg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIURSWjty+GxLswwW1nZNKlqtnUVvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpp6DHPC4XQFrEFzCLuuu4pw9nMPGlIgeBAT7UEl2\nVEQklvDG9HxlADPfbfQNFJBkiyjmbLoijR4Uacgp14byq6N2MHQwHQYDVR0OBBYE\nFMl4zpMaEdb0J/4ueaVCHA5u9jXJMB8GA1UdIwQYMBaAFO/wgGF4TnBOLryHxHrC\n1saVHjWNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB3HplP9vvcrCTRJRIUyvoBUrAC\nb8CX3JWRy46XJIukmgIhAPqpAYXQSFNYpOKQ1Re/yStaKom5GNUzDQBFhboM0lJo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUWIzC8h63wnOk/zETjzWnsitKQGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBgAbtQTJbpjmxHvjI9oXicPwksvMvHzBwvHhx345\nFnK1c6sWu6c+5N6kyOOdt7Xg5TCWFDC+RBhavn6NQRzdHKN2MHQwHQYDVR0OBBYE\nFFluHdNtyl8b+fVWuH0vB7SaevhYMB8GA1UdIwQYMBaAFCZJjiMEs9vPGG1Kh4E+\nUo7mlg7PMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqi2NapqFx3L6pl/zVak5mh58\nS6BHMn0hr5e5TeUhzlsCIFCVHiUX00wtfeFdFEBM0wQIlMQjtfAtEPi93qw0LvTQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1195,10 +1195,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNsic8CCufeuGMav/65DJUNHwWq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOEt50kXfzXG++EVhEflPvP1QXa4Jwg3KeV5pK\n8Q/Snx0dZyM5Dhxvjgm+zNY46S27/euoO7fjtHdoZf0ejmslo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeVol89vC9StdzM2MrDdFd6Vn7bswCgYIKoZIzj0EAwIDSAAwRQIh\nAMNuigruvMfcdCPxvE9xDXGAsac1By4MW5WetiLhLOj6AiBdHaxD0rhz/QdxqmQG\n6OV4QRfqmRkUxWt9N/38e+4z9g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJIFZvYkZmgd18sL0yp6HOC6djMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrSke+Vi0FoutpN6PLNAe2ak0iUqgkVWdColNx\nQPo6DnBMLu07kL+UtY1jqf97VwLxVnx12fx0gaZxW5YAmLKBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURxorhfWuRIsiq0O3P6RcQ1hour8wCgYIKoZIzj0EAwIDSAAwRQIg\nMnivmee8WeHAg8abCK7PJXv+B+zRvD32QOJQbB709moCIQDBiADr2Jmw5g2BPQK4\nemavGYui8m+v1RCvR/+FpuBBHQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUEZP1kdG4w11eatWp5GjShYXCeBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE95Z2aFVSSeFV0gX5h2W9MNANnI+dfv8GNDCH2PVF\nUbr8Pzp6MPRg0gX+oQOV+aZ4b+fWK6fhfPcXkIFZZhKFGaNyMHAwHQYDVR0OBBYE\nFPADBPR6X0NuLk7TgH0g9YqFc6xNMB8GA1UdIwQYMBaAFHlaJfPbwvUrXczNjKw3\nRXelZ+27MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDXUx92NpXffNW509f9+T1s3Xofct71\nfdkwwrNrcX6qBwIhANE/GzrVSSV1kIn7VPt8jIXKw8ldXVX2jhNIHdjzvQyi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGa+oS0/SaJxjvNJON0yxJ1TzoJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYJhTmNaSvt9y12s6D9VBVreDW3KC+qhXiBLpkbpC\nKc99Vl2YEAfYVXlk6kMt5+WqJmX/ApQ4qzGk3MpXQcEAl6NyMHAwHQYDVR0OBBYE\nFGNc1DvpPyjBd3txgEYlQUIAODQ9MB8GA1UdIwQYMBaAFEcaK4X1rkSLIqtDtz+k\nXENYaLq/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUCId077G1Tze87MmbeBx3wP8UEGOm\nKw4PTlnXKeSjDQIhAP8LBrmCPGN4YHV/H30fPNdEjM2ia2PU515NoWtBB0YC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1216,10 +1216,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUToZJ3aGxZ4HD50hJHAjo1DsAZNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmZbzNXOq8H6l1a7Y0WYY5cMHsUb40qyL7GuDX\n6QysxvJ2/qcpUNk7xNr5prh44+nnBuLNk/1eenuhPZc9IO6ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/TZ+KhgFyTjVS2tVw32HHhdJ368wCgYIKoZIzj0EAwIDRwAwRAIg\nHwJ78mGiLMZ7dqkIqoIYJzAAYAqI4D2j02jUTliGOf8CIBg2AQEhlpe7OHTF9wWW\nkoLiJXxT6f2IIMNKt89IOY0X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJ3p4UKKui5ta0tlBkpQLsDYxOZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0+kVNZybYbkpZm4S48FUtVTEU3TMrQQsMabe0\npqH9DCv4xa0IS/6AKjNtJ6rANxNiThvJx2VE86ale4xJcDroo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmCslXqxOgsBlvtzpMEFtE8EKBgwwCgYIKoZIzj0EAwIDSQAwRgIh\nAJos1KZg6r3hLlevPrxvPMvfb3imShqA5wboaiBwWh/rAiEA4lc47FEt0p2ezP4R\ntk8Joq57BMHMpZdEF6h4lCc9uz0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUatUQZ8EodWvrxxQ4KJd8WHJ050owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+9jN24eo16a4lsgTheGbUtW8yofMtQB0OSpE3piP\n3est9oIixnEBMyzn8VWe+7lFsbh3xt3/YQKCLM96n3/5EaN2MHQwHQYDVR0OBBYE\nFL0CVOHmwIpFtel2ZDndH8bu6Ff2MB8GA1UdIwQYMBaAFP02fioYBck41UtrVcN9\nhx4XSd+vMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAv4kbdZog9O+O5AIWVu0LszEK\nNuf7tYHptjd6t511hmoCIQChiV8oCdBvFaF5BWAbzGSvFjl4aE4z2JuRg2z3Ksjw\nRg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUTs3TDHUFl6WW0YlIUkjFTW9BIAAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEuVqJ5ar53T+f5n/VrGLa/s9EOJVaSPuflzpIeFb+\n2YyKYQ82FUXqagMhqJtlpueHH+7Wk2BNOIuPovJZwcgUm6N2MHQwHQYDVR0OBBYE\nFBAxQPC1nY3EwZNAFQYMphHrvp9WMB8GA1UdIwQYMBaAFJgrJV6sToLAZb7c6TBB\nbRPBCgYMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkDd69f6sX4M3+yVxmT1v5FIs\nVEdRd9CrtQIrz33wXikCIQCGkL5XJ6iiE1kYuVpSuTYaq3+3HLOLKUgXaADCrS9S\n4A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1239,10 +1239,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZ4UBgsu/Llu5boLtJl8t6smkQi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaFrxtWE6zrENxMgGDS4nOJUkgXQwkO8PwhdYG\nblc7MlDih1uleY2NWT8Zt7dpQKrPq+DiFGamlTDc1bYWNPwmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHBuNfEvqy1oNLB7GCuKtBlzYOAwwCgYIKoZIzj0EAwIDSQAwRgIh\nAKIaXjVoKsR06jfK7n/06UtBJfHXocNCljXhf7ZRyj0dAiEA2G2GQgvRLX85h26M\nZyCUHBsfA3gj8rJKTEBxXA/x6MA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSRNRh7fSsJ6NsEUt+W38UWe6jFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0bMM7AMZyoT1Sd+87XtEmTNwM8qMKTC0s4CTV\nai5p9EcknNIPplgKTopIaF2j2LMepkixaV3KGVyW7SKQn2Wwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOm5FBVRTt0Ih/gaIXE2B+A6+8WEwCgYIKoZIzj0EAwIDSQAwRgIh\nAOwmEfqPVHHxA/6y8VN6y3RJSgCJYPmJ68W4a2YN5bDJAiEA4djvfCuIn9Kl6+fU\nL9YUTVBrS/glRm0oQqMPZShPcYc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUD7cOQ7PQz+lKqPZQz0yhIgK3U6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0GD+QjOibepj8zYS6DYomMSNqnkmi4Pw6nrHEpXs\nkzfC08dyrapWfbRBF/jd2O6D8ZG6GqTvsbBN4RAfUYCnFqNsMGowHQYDVR0OBBYE\nFCkk3HW8p1htHHCp5hRnYoXHIey6MB8GA1UdIwQYMBaAFBwbjXxL6staDSwexgri\nrQZc2DgMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIQCiM9xRm6+1H3zyH7rr6Bf+28U13Yoqjbxb9yDa\nvCB1vAIgaxNGWASyHaLz7dRVG3AKO2JPwQjihU3t5608I1enl00=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUENOlrWVtl5flZzOWs7Im3jj5ywQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1KdsUSzXac3ovSeI8udpgE1rl912A4ePvChfSRS5\nPEDVGGFqF+QjnRMmih6cniGTQReZ6G7H7fMqggEgMKpBTaNsMGowHQYDVR0OBBYE\nFN9VD4gLh/XzHqUBsdjdvsKFiOQKMB8GA1UdIwQYMBaAFDpuRQVUU7dCIf4GiFxN\ngfgOvvFhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIHbaI+y1CJ+bBHwQM37aV0gIazHrWVpsGkKwsq0e\nG45WAiEAvFylkj5rrmE+f0Ze/Klk39ypGdkuy+P4JP7UFFS8uag=\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1260,10 +1260,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULuPa3QbuJUJPoBonwh1Ws0BMaF4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTdLulVCAKYY3Qnt4BanG94/sqmY7pq+WXB0S4\nyQNbE3E0mmThrLugohSDJTZ6OnEES0WG9OH9dxp25izXSES2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfveMYh4+3g3CMk+8FbimOU8WOzkwCgYIKoZIzj0EAwIDRwAwRAIg\nL9ChcQfQLxz9UarDb3fCpPsWSaI/zQHRobyFXEtTsKICIAliCrt14OqvlPj4UV7v\nPBP8KAUM+xTqLtoA/IhiZIoD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB5G4YJqeMfTZD5cB4pRS00dWpqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmf5FdExl1+YkDBP7CFwlZzPfm/HT7YhO6gJ0/\nVePCE+Va1FBOKzxupQhKy9FWYzGcxpJkMkek+oyCmozBl8AVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNlq7RzNkE5seBGZ++fc/GS753PUwCgYIKoZIzj0EAwIDSAAwRQIh\nAO22wSRI+/WKzBJT7H4Vd6RV3CiUA4Ez0NFAHwIAgWRWAiBGlpNCDV0LanL2NVBT\nfwKOcSTaUkgFYNYPjqlgDd7Qcw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUT4gzMZzMqQQptTPfZ5Zg1wN2DgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyPk6n+aZ/9bN5IkUQF7EFpuIo1WrF6XeJBjMmKZC\nCzW8gbUeKI1xpCPe3DQYtE8Qr2GJexQHobZhidjr59A7qKN0MHIwHQYDVR0OBBYE\nFPnD3o+HxO+TTZDWBCoi1rkdMFtHMB8GA1UdIwQYMBaAFH73jGIePt4NwjJPvBW4\npjlPFjs5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIfHi1OJzJWCWcHTDmXXBRyJQAC+\nJlTKTkOyXSEjBOM2AiEAkBBlJqZmEZud+M/m3craLlYmEwmiN69YzD2vRAttsao=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUZL60NEXRJhiGR3HH89E383q+IZEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh1r9TxM6wZPEWkaJfr3S7xTjDQ6wt0LEkAaYO8XL\nF6akTKjhGBEja5A+CmqCW5P9Z/X2elNG6OETheq+qDxxxKN0MHIwHQYDVR0OBBYE\nFItNgUY86LbY/bms42PMsijXJWkLMB8GA1UdIwQYMBaAFDZau0czZBObHgRmfvn3\nPxku+dz1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOyVh2fyoZAB6vXEetaa0EHQvtAp\nS5Wf8PG6r5+yCsB7AiAvrzRCC0HIZpown5kLAN+semxTiuSx/511GXLWp8cwVw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1281,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCqS5Xvj1F/71Qtf/JsO9anNeKP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEDV6aMgv7BTHEcRYs02PFFj6WcnCA0BybCcEu\n4W7MMRIRDomoNBh1swloVBXzFdDGd4jGcJp9Ic4sYPH/1jyLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5NdGzToJdVgXZsZ4pPxIszbbHTcwCgYIKoZIzj0EAwIDSAAwRQIh\nAOjqZ1ux/aMXCS3Ro8kd2j8y4GBHEEAWBUzsvA3XJClpAiAJF5TIvKXoNpK+t38/\nteOKoSuoNDPanIk2DssybbGIew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXYjbJITS27pt4tFf6bP/C6IVtXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAXt0opc4ttfavsIh8XoCczqlTKmQSnFgpOtZ5\nxkmszd0yIeUUpWy91HeWqqGXjNV02MyD6vsuuSQO0gFftNkRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUTtrNsVHZOJ/ttcHT+uR8TSRu+4wCgYIKoZIzj0EAwIDSAAwRQIg\nbCs5q/FDKnJ20xGi/7e/fDyGySYnsUvNf1jgiE7SKbcCIQC2lXGgWtvXFrYQoftd\n/s8V6cbYSm+00moj6on3LBKY1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUEKcMtsuetp5qEj4rSCHb/vIWGEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEthPWNpOP0lsmNCqWEOB3saVsQ7UN1N9pdhCKBFE/\nPwLzum6PuIT79rKFvQPCKEE35lJ9y6axzqX7PlwAUkrf5qN2MHQwHQYDVR0OBBYE\nFCWy/N0nnUeUJJEcCBkGb7PuRiMXMB8GA1UdIwQYMBaAFOTXRs06CXVYF2bGeKT8\nSLM22x03MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAcXDleiCrNKQCbN8KZugaWhkZ0\nNC6LNGVNu6jdwL4DYAIhALiinRp4zKamJjQkKaFq0of0IE8PtGvESaz5ikwp4Ydw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUHD3pXfhVatctZ0hhvh63KxeyBIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETMHxBaUH3I/NizpE5jrL56xU1ITfugsmD8enb3Ty\nyDGcN9zqdtNcjRoT9zXqadyIKdlDS+oEJrvWsHIJAgEJ1qN2MHQwHQYDVR0OBBYE\nFNNNVeCwsvxlkUMPPuqcHGlNqeIPMB8GA1UdIwQYMBaAFFE7azbFR2Tif7bXB0/r\nkfE0kbvuMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzpqePRE03P9VxfKdfUVdc5ec\nzH5VaHDE8r5vX+m+w8ECIQD2KtzQZm7NpPbr9jSDWtFESsbg5fYdkDAUt8fHX7wL\npw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1302,10 +1302,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcG2gthDJvNMAp1aF2iFIjQBbGDEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpPK8rizjKhRXgPxtrCWy2oW9Js45UlXrp2dAW\nwjaPtkGlH5CQbA627BI+Sd7HiAcJsP29poPT7fSJWx1xsBuKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURP4Ohq0FdQMNkoa9DLKUqhOxLOIwCgYIKoZIzj0EAwIDSAAwRQIh\nAJFQgT2WJiJUT1KLULsg+yd9ygIugBFqVMVocHpYgmGMAiBnnQ8+W8l7vsZiV4JZ\nFD19bFLNq6+GtfZXVTLKa40wjA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCamyA8qSSKP6P8fe6Trr0R6e6nAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxJItl/KiKakKoVsG0SEJt1XkyvvqmVgRPa/nZ\nwBrxWouDuqS1h4hVTxKrJw2AN2B4E/Clp4wZXDQONTwBDan1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG7SNju8Pw3Z6AemMZ1JBbTSbyIAwCgYIKoZIzj0EAwIDSAAwRQIh\nAL66MpTPF6+XMooN5eLkhU3SDUHahPPSvrvr5jCX/TFAAiASx+zOB3M1V3GasL7C\niflELuBstsVpOBCo93CKDivRyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUR8Cifc+u+0bYxR36fsqFveNOk8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh7J/v9+bwb/IZ6rq2/kyzOFvXzruGGGB56Osa8rw\nVfrCoTuTW34qeGH9C1norWaOikx9sALygACfRZhLpVhwB6N4MHYwHQYDVR0OBBYE\nFAsJ9BnvvxXkBiRMrK2QJt7JVZE3MB8GA1UdIwQYMBaAFET+DoatBXUDDZKGvQyy\nlKoTsSziMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDn2JoJ7nGcPa74exk8gi/h\n0argVy8PpoWIPgBpyxMZfQIgRQ4CyFbFu2CnKUZQhtmFggv/8aa2hSTaKqkWRY5u\ni5Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUdLYHxN1kUGsZhActmOGMWOJNud0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAENxPpoikindoiLz5mTz6wyBwhma9mEK6NdOifTUj9\nntoRa5g7YyiGff8ciPYQC7HG2ieIeLF9gvlvNKkyxSZOK6N4MHYwHQYDVR0OBBYE\nFEQebbZVu4LG1CJIYo6mVtRdD89MMB8GA1UdIwQYMBaAFBu0jY7vD8N2egHpjGdS\nQW00m8iAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCvdmpyp5Wow9dq+xnwhi8U\nMsRh+7nKIDahW+auUbdkMAIhAOIirsX0bpl2C9DOOZwqarmKXhli0t9CYEVIKeQB\nJdYo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1323,10 +1323,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUONFlqqkuKd1sI4ix0WvpEYgwoZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoP0tS1udzGrFmFP5icoLZmP1527XdVVs0q8uE\nu0ThoezjacfkUxN455MPGhuNTNKVtjArmvJ6CkLM5b2EW1y2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7tJe5SbhTwTcoBAUvmQvZnO3mcwCgYIKoZIzj0EAwIDSAAwRQIg\nZmv7POPltuB/BadpcG6hrm30W1RUIe6jgOwUUkX7tqcCIQD9vFmfScfLwQj65LqN\nMsbmBVWrtddkqI2rcwt4UIl6eQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQvVraAlb6ha1sL+QvhyL8Ch30jswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARatiTa6rg1qvBI17GhTNhDI2Dmc0LdNt1YT3qT\nBFHmt7WK0MgkaIccdjQzkgRDuQh7xPwAOQGTGT7yQmnF223Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVh290n1bhAYOhUas58rpp4nhhIMwCgYIKoZIzj0EAwIDSAAwRQIh\nALIxLd0qM3XPL6sUEg4eEqwYRFjAIDPWOOXdQZBuqZBqAiBu/n00xh8Gne504As4\nMghMFj34LKW719dEZXLOAdqzTQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUWCmV+gEHpdctktCGJxxJkpZZCPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEoy3yTx6g9s1iFXja2GeqdMIgqQzPllqtXRYPtHNs\nHP9MdvycTawCvq/tHCOX26L3lYJ+xUBw4a9ebZGrRwJJaqN0MHIwHQYDVR0OBBYE\nFBXhq8Il5Aw6ZMmo+yWhS3jx8sDHMB8GA1UdIwQYMBaAFJ+7SXuUm4U8E3KAQFL5\nkL2Zzt5nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgB7h1yMQpeqpbMPzVlqQbHcAa3pGs\nlR3oc3kwPqzqgG8CIQDzj9jC6LW8LZW1gBh7YTmyk+EVhYANS3J4GT3ceBlM/Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUUWEh69N/Ko9H2l/YRyYlP2MqfDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEOa7QrT/XRob67hAixOf4jQkqRlCUkZaD4WQ28ssw\no6kEdXfks0JdYk09lUSAElBFEtBhfZkALTkyCg8lIKjd7qN0MHIwHQYDVR0OBBYE\nFEbuNGr5syZzlxhWe+6xa33caRk4MB8GA1UdIwQYMBaAFFYdvdJ9W4QGDoVGrOfK\n6aeJ4YSDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHiIHINuBV01qh7FMPs4PTVms29YK\n4+s0/mN+Cro8+AgCIQD21wdciRQkiKjGeiPvHh3BaIlA4uW6aC6SMn7U8RSDIg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1344,10 +1344,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW6einfxQyec59gWTN3KGOLS6pPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj+DHS7Odo2iTuJbpFXYMiJzXjJ9bUxnzThuUR\nBpLaBHqOYfX1lX+jstndakApWAq5XTXux8uREHRl7kV2u/Y7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHnWz2+TNCXsTZqof4KLPhcC/TY0wCgYIKoZIzj0EAwIDRwAwRAIg\nMlGLXlAJHG6utBQt68vMRuc/nJ2kb7UWN2J6bMM/AN8CIDuQqnyANHj8ocV226xP\nbCDFjcrIRPx5v36LBE4ySPaY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbwCw3YIWj4HC5mOoHNpJVW8kwdYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyfr8x0W9TzE2Reux+mwEJbR/g0k7v8LkiTa/S\noS/Y1DLVs2gqPJ/199tVnkVKDzglk+MPYqGRfsE/ZGSIKY2jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEK1vtffOkYzWMA/1XRi/D8OPDxgwCgYIKoZIzj0EAwIDSAAwRQIh\nALndZVMs2yR/iMKw85QjtEM+R14K+d8rZNCvxNOZAC4DAiAF8JoLX2Le9fhe2lud\nzx1OL/PnPMe/sfdDhIWWKJia4w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIUVYRc8YoEnU3ClK2672As3F3x3O0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAExrLtsrN8odAFsPEYT/vkmpEehbJWYsLoTGDrfBod\nxPx2zLjV56ySrvofTJmY2qg5joEnMXaX/pyCxGGy7uCOEKOBgTB/MB0GA1UdDgQW\nBBS7P496/PvIG/4OckIAEgzgsLzQKzAfBgNVHSMEGDAWgBQedbPb5M0JexNmqh/g\nos+FwL9NjTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAgBfjrl0M\n4jSfRjpr00UEv3Gl5RE+M64np1/Y7UAteq8CIQDXkdCUVkwLimAR9H1GiUFNS51K\neYwhMJWXXi00EnUNaQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUbiNyrm9VQjwYU4alowtF7mmbc4gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETiaUI8GzV5nrbXarS2EpD/GNfjfb8Ek3PsUatYXS\n6VMal1wENMaGm8NjysGGppGqaI5o40reV8u73+cRELSGt6OBgTB/MB0GA1UdDgQW\nBBSgB0Jzm2qu/8MfxtSXBeKHuNFjADAfBgNVHSMEGDAWgBQQrW+1986RjNYwD/Vd\nGL8Pw48PGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiADnVFQLSJr\nYOCmLR5P+UWverKvKZyA1nkYzcfnfT2MLQIhALScuvvhbNUUni+f4xuLUtsUFXcO\nmnYjkm4KQsX+RJ6Y\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1365,10 +1365,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAsZWmI61CjUgFl+c/8772zzARKkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5V609GTL8d2ErD4Z+6nzb9Elxhr8cjjIt+3+a\nQaoZynq0S9374nQgc0Bt60GBo2AE2aBZKgB6zZ9dNn/ABMAmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTklAmtgpPFm6aLzmAtfY8pqmGX4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPus5ysOOL4rYZNkpDvBjcRDHjVYST9ORQipuU80TqteAiEAodVKDPTPHBLAdb5x\nAleRwZ7tmxOKW5aS+0P4YUdhcCo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR+N9HHdyG5488MXBaQrtGVnhQsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStBU9BPGDFaeMyq1hjuKB15c+v2vLbMvwOeg+6\nTLGClvPuaX7LRibXv2Yj0PULBUSx2N72BXkEYbQCOOHoBqPKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf3cTdFky4KtmtkfBp8XGdW7HSd8wCgYIKoZIzj0EAwIDSAAwRQIh\nAOBYgPdn9OA3kQlr0sbHk5zx4suaEhKuk4F1mhEYl+1DAiANQTJIsPSwk3A4NZbg\nJvJeW6/48pqjOZ0l6IeB1BQLWQ==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUOwUgjLB4eEnySQIYkF/OITiAvUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEO/x/HwJ4g55qPCRAFcBiUduhuL3enPz36v3A97tG\n2gql8OpzQFL+qWwRookBHju1n0Er77dcV2MNtMKnS22Dw6N3MHUwHQYDVR0OBBYE\nFKVGN/uLf7FoQGfrDbeqfkh8Nrt5MB8GA1UdIwQYMBaAFE5JQJrYKTxZumi85gLX\n2PKaphl+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOYNLvc3FQZszkN+XW6j/BRk\ng06W/UtkNnSV5A27fu9uAiAOYL+vMHnj33If2LYhqea8fAgRS9Nd7upcXTTdQVfl\nyQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUBzbHTiNJxfYkO+q7fnWtvZeYz5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAESLT98VToVOuorN0xt4qIZvtys4beKHQijqGjSVz6\ngYUkl8lvP7hfQSDHcm5nPoCY8nYYnreYMRBwpqLRW8sEc6N3MHUwHQYDVR0OBBYE\nFE8mOj7nvEtqD5HdkAp0s0P409n2MB8GA1UdIwQYMBaAFH93E3RZMuCrZrZHwafF\nxnVux0nfMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIwc422am6bW7uuROZ2vcgGo0\nC74fJa0q7KJGxcwwGpUCIQCX2+cMVL+GqH7lgfQRVux1EDxLTWQoA6bvjKLjlx1i\nWQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1386,10 +1386,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUY/LJLOYqiZ0tn+6k2RM6D/hhl5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8fXFE3tWp5vvCejk4bPuSNiBqy+t+7BU1FR00\nOU1PjQyoSHl5kJzA63TJApno3pR6Hs2FkdxKXS4gEBDh/tAgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTu8xhzi8ofGOT88Cj71cr0A23MMwCgYIKoZIzj0EAwIDRwAwRAIg\nODffMmwz4TFRsXWijcMRgurNV9IEXGpcmUEDxWkUfAsCIB2O53UmQY3tbzD7jlTY\nTEX14bsENslHHoyoIBf8rR/F\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT034C4ENOb8qiqZIkh49h13fcKswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATReMneULnE+Uv48udBkE8Et1zRJcBs7xt2T1p3\nEF894lme6buJcykgRp0Y+uRls6a51cSgkX+LGT2/UB58D//Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWrJ3hGrB5p0z4q9imrjrpDGA6LgwCgYIKoZIzj0EAwIDRwAwRAIg\nSDewVRBfblnr+FVlU4tFVI3yYBeDuuAgOCffjGzmoCQCIGGZlQaq1scqlZviYLAS\naOMunvP4TfaD0S3XcAvQ00L1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUDKpAfGzdU+VqzbZr/a8/Z0+s6mswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4G4U7kVZ7+F2tud6z6RSAhuItBb4hkb50I4G1/JX\nAdV6xm+p7skhO4SVmnDjCgHWn4yj2AKzr/JqiSXuWiVfIaOBijCBhzAdBgNVHQ4E\nFgQU/EEo5CzM/KpCYNAdbMVhu3fI8pgwHwYDVR0jBBgwFoAUTu8xhzi8ofGOT88C\nj71cr0A23MMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNHADBE\nAiAGVFP5j1IJjljOLTPSnCUnXAG1Kf4I5PTEvOQg714n4AIgbvBsDYwaInds8J+1\n6VtAP0/ge58accpxk8zKO6ZNW0s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUA3Ii48ofIwpJYwq9/+di/9ynwPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEEm39a919TQs+RUaDaYQfr7HP8Y3R2MjNTXAt9qSF\njQmrX/pydLr4tZfcYJmmSu1Q1Btv353Lg0fRjZ8vwcj02aOBijCBhzAdBgNVHQ4E\nFgQUpCMvuWMsTAdH9q7Uv01GsOV/CZIwHwYDVR0jBBgwFoAUWrJ3hGrB5p0z4q9i\nmrjrpDGA6LgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiEA/7qBXVcBp35WMOhQchlObNuc7SzxiMScrvyA97gYO4gCIGUO9ECwNOIvhcgn\noIYzRCLhTaKaQ2dQ4JHOSqWlMxiS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1409,10 +1409,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUV4G3kjy371gl+OZT+MhZPz3JHZgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwgHisMy1QdIf/BB1V4f8HNsacQ5JU2epnTDdD\nUCP5daiEsZkYC11X5FBduktYWHCcGtJRrfYLv8UY1Pc0o+wvo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/Zfbj9QhFSisfuXOspZSVY6WDl0wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAOKl6z+55iAcnGTjnFPjh8PXdsMXVb5teiLD\nsvoEQF/rAiAm9V+h4QQhx3qrCG5ePrFI0YMUZsr91HO/O6Ksq5ooug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIULjd8FGl2QPBanLhDNEKxY1bnLF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCzYsYfDEpKxbO7uwSXAzekzDnHqcUANBbOFb9\nS64jQZNqFCf1+h2VtKVBRH3YiTL0odqLzr73ikwF8Wp5evy4o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIhRyN0xBkGQnFY+8Y+AM+f5SmQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAPn3rq9xI5ZbPIKsiIRW1wYT3SOoz0DTxFWv\nO39YR/IiAiBBfnP+Kogk0FL8eoSjRgFGJBTEQmmbu7onVa8rykCSiA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUa7w+3Km0jvqV8NeDU39jKQp/uBswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElAU/dn74q1EN+vFy10164zimwB6hE6ZL52lRIkVS\n3ZSvGu4QxYi53aEBJ42wUY1SC11iLodMVDcWEAuU2DH1bqNyMHAwHQYDVR0OBBYE\nFEf6VbQz9jc7IBNqkfiUClX7c9gJMB8GA1UdIwQYMBaAFP2X24/UIRUorH7lzrKW\nUlWOlg5dMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGll9AGsP3BKmFnQugI3jpgrTqa0nBTB\na9zYMMAHVh5AAiAIvweGsZiuNeP+/HgaPtRcnQlgZsqzT+nfHLIsktaAfA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUIK6MiV/agb6cS45WTMsdkaEWweswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDS116FGNLD1+t3BoLiljg9j1OZ+YMjsLqGPMCRlF\n8Qn+Oo8dwxJjiAkb0iX1CrHPJpJtsESwGPDJgiMr1GO3uqNyMHAwHQYDVR0OBBYE\nFFvW1e9p95MEP979HMMip8abnIAYMB8GA1UdIwQYMBaAFMyIUcjdMQZBkJxWPvGP\ngDPn+UpkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEWnYj1dmiRGF9QrRGOl/Y2FGWgtHRLW\nlpHmEaw3m2I6AiEAi0wuiOeBDmqvsRmTxBXAJdM7YYYP75eSZGRsyA0Tr4M=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUUZqOv0QLgjWuYO3AT5DayVJ8Wh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWNi7d3urmx2PBgJb1POi2Nfdzyf8vDELVNv9c\nY81bB+f2hS/JsMu7Jnk2b1VeNKjyZqloxRpY4QJVPyvaw5y6o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFEFaLyjxgxMq4i9xXXFsm+eTr905oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRBWi8o8YMTKuIvcV1xbJvnk6/dOTAKBggqhkjOPQQD\nAgNHADBEAiAYOw/39LZ0nIviN5/WolUnG91rmc2D8yyMH6nJXb5HlgIgL12P+vsx\n+mr2Mud4Uc47bKEyAKyFASR2jUCDlAPM8fc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUVewcgksWQsaV1AufTSt/U6R/S/MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVnP4apaiMNO9R0HWBXRYJpDuMvXRbG1G/AUEF\n8I+G3xN7Zq2HwDlNCVtImSfWhJsf5bJEwKhU7JGYOH033rGho4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMPxYYASvF7QW60+gJD8bHUonBeboROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTD8WGAErxe0FutPoCQ/Gx1KJwXmzAKBggqhkjOPQQD\nAgNIADBFAiAh1c7QCsHChXXA4I0KXhE9uKY7zqcLrubTCOLyuZ5kUgIhALgsHfiL\nqzlGBhu7dqjDjIVuS54yCUU97zL+ngAAeHcM\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfuSQ1BdsGP+JKYv8qvK2kvQS//IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAER6bl+ujy1aQfZftvUDPwZ2JViDWI0/kJVwutRPm7\n2H9in4nj524pyGiYtRQCLUF80kUFyCo5m3cgrZOzzjESSqNyMHAwHQYDVR0OBBYE\nFK06FzG8c6YqWUlKeGIXJpt5GIKRMB8GA1UdIwQYMBaAFEFaLyjxgxMq4i9xXXFs\nm+eTr905MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC9NeakmSzzrc5L9g0exi4szom8ySbZ\naLjTi+64HSSVPgIhAOXohClLlDH8gIf7KrDXRzl9dPtL0/3WcuSUu9X2VYsQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUX0LTIjV+qrusPMEhP7fqaXsuakEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAED36Ner+LS47usvJ5XEb7/dQuRspj09EZpUcHOAkh\nE0MU0J552U2K05Q9rUmhFR9bt4vB4Bx5+WEZbQRC/vPQ8aNyMHAwHQYDVR0OBBYE\nFAkeB+UXTSf5vTAkAxtmceJ6CuUIMB8GA1UdIwQYMBaAFMPxYYASvF7QW60+gJD8\nbHUonBebMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQClynLJldYI08KyTa7a/jDrkm7L2RTu\nkXgamfPEAGLbPQIhANVzVWpbCKHDlXrfPR1JYyqqRod1S2LaKDrpQ4hPL3kD\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1453,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUVhh6SVLuMPew/GC/QFXvGNIlcEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfA0MIxnNvcPdTy+l6tCE+FaOcpaTcyiz0eGht\n0meCyilxc66J0e6v6EQcVQfNfyKbrDnzpqkI8ruypwjNJpx1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTlFneRITx4hDfvKh78tF7sac40BYICBNIwHQYDVR0OBBYEFOUW\nd5EhPHiEN+8qHvy0XuxpzjQFMAoGCCqGSM49BAMCA0gAMEUCIQD2FGXFYERGXqsy\nEXsXoWVmB9UMPhbITtW7hQSolkAHRAIgJ37ioX65tM+Yc7ZPCPXAf8FRarDnmxzB\njwPdrFVjOvg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUPDQ2Tca4pcXKggk8HlphWOXPCWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzHtzm1yha8Rx+rG6ZeJpG7iM2QzHrt0sTug4Z\n6Mbm2DV5Oay7lLXiqyEV03hFXSS3F6SMx02LMfzomLn6BJdSo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBRHIf55HE3S356w9W7VD5bAZgxYfIICBNIwHQYDVR0OBBYEFEch\n/nkcTdLfnrD1btUPlsBmDFh8MAoGCCqGSM49BAMCA0gAMEUCIBoa7wjTm25UyTvJ\nUwAkm/M4dhmW8zFsbUegWS5xr7FSAiEAglaS7HAyBeQfxrZ/Wy1YqYeQx4JCGr3+\n7jmzwYvvCnQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUT6ECpWwWVdrmoyUx6CzMKiUKiogwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJFwjSCVVKeP30ccdtLMIJ3p5hRETqoP1vykKkdn9\nW/dailTho5SI9mysCvBN+6+h2FSNpRGT8/50qGekL7fD0KNyMHAwHQYDVR0OBBYE\nFMFdN58EFhT5qg74+UtdZrv/RnNoMB8GA1UdIwQYMBaAFOUWd5EhPHiEN+8qHvy0\nXuxpzjQFMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBu7IRO86v4e0T3CQYYrxzWim1cRalyY\n6Cnow6KCXUhvAiBeWo0yj2bxRuHVd+fIZ8ASp8N1vq/ucI9A02asaM+tZw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUMY9So5rJF3f4NCZUfGLOFtb5xqEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcEjFLbExvEx26ZMS4JV6JqiDOrmBLMHUhG6BXggR\nW8lGrOlzHOTL7TWLjml+a2s+r6XY+lYttk+SMCrZilOrL6NyMHAwHQYDVR0OBBYE\nFK/xtPYYOjflSvJKiCFW2An+heZ6MB8GA1UdIwQYMBaAFEch/nkcTdLfnrD1btUP\nlsBmDFh8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC8K2rzyOPE+siDVf5rZUa4UTpArPFC\nynfSdsr7LtfsQwIhAPq1UqZIjvHVlmD3e8v3gMqWiqnxNbwydfGcLqpDhWh3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1474,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUaYX9hUOdMlmvHZjNqrMmyFv2JA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfrP6oH68f+LMC1ABcSJfWZiNeEIf/ueHY/sst\nEI9ZpA0QhmbZH2qJr3raDa8KRsT3Mhrhekr05+bClnRpd54co4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFMFznyUW1VzQSJ7pl1m9BLa0BDx3oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUwXOfJRbVXNBInumXWb0EtrQEPHcwCgYIKoZI\nzj0EAwIDSAAwRQIgW5OqNUlTQcV05a+9vCTiVdxiHXMiWM6veaik9CMsqmACIQCQ\nWb+Pws+NqY3IRiLxNiRCoTLTlUheuKDG6iXzqKAjFw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUbgDbKrm7F98hDmH57VLX7JlmGPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2lYGNiMOAZiZJEg3A4dmbatLae9ejFiIVlEfE\nrYyWm56ZKB6ko3PZyNhgR5zMRSZk620CY+pyMzbdB6Vd5Ivpo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFK96iwWWP3LjcVNg7x/BxGokUx0doROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUr3qLBZY/cuNxU2DvH8HEaiRTHR0wCgYIKoZI\nzj0EAwIDSAAwRQIhAIScp3G1+jnDqoejbDFScqQ/KSAUH/FrSsjMC4jmET6OAiBu\n5jgrbrT3+sKMopc63hPgfQdcpb5EmqRZCRihHFswYA==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMDj5T2xW6CaMcqfP0yHq9H23/8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEj6VIRNDRVpqhmhyo18lqZiFvradgXj3rHx+4Z+dR\nkK6N41cNXQaUwwuskX4pmewLubx5HqgyJgdnRLgA7uz6fKNyMHAwHQYDVR0OBBYE\nFEVUwD9tzt9H6ttMsbfBVHwJt8GoMB8GA1UdIwQYMBaAFMFznyUW1VzQSJ7pl1m9\nBLa0BDx3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA0woP2IDES+LrFNDQsLmtJ4qnVZPrR8\nQNGfigkbmApRAiEAvgMhamCXQkUewhRNHNaZLXxuPLGUhnBpepML1/Spp+w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMzb3DA4RdzRPIn6ysrIdGzv7eMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEW2MLXL73T3lbP40gDHucLjYc6uRJzvC2NU9vBPvo\n42j451I+9SelwQnMEV4HGn7hos23ldwdath/f7X7gXRD9qNyMHAwHQYDVR0OBBYE\nFEBTqbIwshqNz8h797OXXJLxYHG5MB8GA1UdIwQYMBaAFK96iwWWP3LjcVNg7x/B\nxGokUx0dMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCNavsMTPp81HqvTGJ/3RXIu7Jumj4u\nyrF6+8QEwFm8MwIgOUUtqFj37Q8vk6D1m9DyW2DqpDvL4tiLtfkseE71Z+I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1495,96 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPkDzp8VZYp2cTfENKdFKP3jXOeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0xjDVdmo8ukoJepSyFNhFpMyFtssOwBvs29pK\n5lO5Omh/+sQSW3qpyZGJDHqPgt7aT9OBjTDuKUzjOD/4F1V/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIQ26GhggwYx9onXd6IgN1+1kK4AwCgYIKoZIzj0EAwIDRwAwRAIg\nFAptOwh8MeM/MxGjvxVQNNriRhzIyUrKZjPrcVurKRsCIAVUeVENGLNjdnUBYg86\ncmB8K/4afrrq3txXphTcTOPK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBHvKtHrwel738XCTyHoUp8YvoIwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIwvttQidICBKBFyanmIAaVyIlDN6+KWyBLPOy\nrzNkEifdQbTfbJSRTP5ZCRTMVaN00+vwgTPoPczZBS7wFTDgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxK/OCO8PZOMf+pBU465QeIOY5JYwCgYIKoZIzj0EAwIDSAAwRQIh\nAII5Ruz8zJYC1UMDZpt00Qr8ALKgm46r9f8KMsBtUgazAiB9Xlbt8QtoQp34ECn0\nlwIiPaxObDN3rIsuwimIN09cFQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUXQm0w/2L1lKuNonuRLlZ0bOK8U8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABE8XmPHt+d4Y/MqWmgUd+B8ISxv+zBiaIZsX/FA9\nsfZszNhrKUPrYeQ+80OfVowbn4VLKZU/faeBrsH1ZDdgnpujdTBzMB0GA1UdDgQW\nBBSxlxUiyP0eg59uzHAp6IxXCosw1DAfBgNVHSMEGDAWgBQhDboaGCDBjH2idd3o\niA3X7WQrgDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAlBlpaobV+ncEIyd2/fqxEcDYM\n8GSF/djEIFfx53AjPQIgKpDVZXGSdR6VtZdy9yAicuHh0VWzgDPyY7oRereqpjg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUPn+b54O/kVkM7SS3v2xHmCmoGkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABD+IzA8pvVzKSg8zmKLXhWhHsErCHdNhkliaPKKf\nbfJXNbJFpYtBxKm/JDoGaLWCXDSJQpKe41UQ/T3QLeFpnuyjdTBzMB0GA1UdDgQW\nBBQgjHgfC8YHZrNK68++fUyrHIz9fDAfBgNVHSMEGDAWgBTEr84I7w9k4x/6kFTj\nrlB4g5jkljAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAF5JlpMk02awbgUPkJLFzu78sd\neV5UWJ12uJcFIR5MpAIhANDlkiXLaxB/+NereiWF646azDdmlSnsgJJy0qxN2Gy1\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::forbidden-p192-spki-leaf", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBR53/MxvtOJDSpycAdKlfwufEiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARd6yB+5zC7uT4YI24UiCasDHIOVb7NxlQbiUA4\n8gCOw82NxbHSS/SgXxxVkSo0BcjcHB2/0kLdYimico2Jc5v+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUk2fPCs/XHknWob9P2YWdvLx23UowCgYIKoZIzj0EAwIDSQAwRgIh\nAKLf/kQeJ5hY5sDYDr05akJRD5e14zztbpO61iHpJDmZAiEAo4YM63qaCH3qYbE5\nxNUSS9o8wqH1aTID6mZxhFj+8AI=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBlzCCAT6gAwIBAgIUetI35FnKvze1VBKYGNy/cOXP55gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEGZfNTvM7i9jOq0GTRIm11nrwsz9Y/ApLmsCisk1+\nSi0tAEFerJ0jadGlQbebRtCko3IwcDAdBgNVHQ4EFgQU6MUCTtYrhiZ2AO2s/Td0\nPt4LfnwwHwYDVR0jBBgwFoAUk2fPCs/XHknWob9P2YWdvLx23UowCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDRwAwRAIgWxGv3tX+KNV/dwjvj1G/UDCm1c4YfTnSa0LLN5M0dugCIEIm4DD5\nUwBYHaFse7Mmp4EYPs4Y8OmLX9lZJsglNnbC\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::forbidden-dsa-spki-leaf", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVEs7w9vkSxlp8OPiNMzkMFT+RbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNRyRqvDexhCmpu9ByqdM4VvWv5I7+VddDJo81\nVfr/v4jP/xdceKwv5VUwpWQH4uiyY8UJh461lQcu80BY0pgbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUclLwHHgfHLdXXlL60fgramPuTJQwCgYIKoZIzj0EAwIDRwAwRAIg\nQotXN+XIAQq2Tfv6RwYhKozDBOfA4e6vRrVhvViZo+sCIAeWcHq5eHO41iaKpDo6\nxHCfLhbp1m7JlGracFGSBWWT\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGGDCCBb6gAwIBAgIUSU7+Kl4xMhIZMaMwRBExBP8Kdd4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExzCCAzkG\nByqGSM44BAEwggMsAoIBgQDteTZxYtDvXNQGe/xqnWhsCN75MT6EbtPUxsiQipKA\nk3CoD26oIWv4HVtfyL6AhsgKcH6mckNP2vjiu7MaryIzH6N/H40EVyJapSHG4KH+\nrtrFx6l5wRAv0aLl4IvqD3c923+s1OmwwKXKHeA7o7D+Q3krTNITFP2dc+NWa23v\n0W0btM20d+5pOxIZcgCXSvGvWAFzn+w9hp9I5tRybqinUnPZIWaTj0jZOkwHv10d\n2Rcl4M2hLmmrdWWK61uMiItOdajus+m5qtBgRpS2Pae+WdAQHEG0qJNvP6g/r5L6\nz/+RGVC8TCueLuhZ5r98weJtr8sdLIydhO3XUfkg1YiuLQkdNPeWwQocic6qQLCT\nwUo2tcEXGsim5Xlcx2vlHnW8WLwy6wKWRxNVzrivLdyrsKVUIzXb7Rg49u0NIoPB\nzKRErIGQiT1uoK1MWsDW6G9XgBsBBe5+OgdvVy5hmu11gvnRa/YqLirEoi4NyX2r\n/gZG3VgntfFrd/6AtSg7ezsCIQD5N9G7fhLlZIcLMrCsZQK1s5B0DBIPZi2VVkR0\nrkCNAQKCAYBvdMJlaG10sG7yTKljsSDLgtY3jIXmT9twTHkgzDFxIo8XOW6HBLNI\nUhcvz2Q4MRIDjSm/NqhRNdX6ChbtxAZclJbTyfTim30J6HLFLCOUTf4+rP5qdKUD\nmMTkLvY3BwLEtpuTNRs0YCdk9pr0WE964lT9YQR7lGAHwrtVLk32WkIM90nVFsbN\nzUtDfh6nAhFdaH0XZWxKb/6ss1Hg/rOtD61zn+gCFBDA7yrsPxEpgAMsMQ6Dy41u\niZ9WxQaoc9UR0YHI1j2ge1AP7jbvy+aGW/39ES2xpXbkzfGq3REvfMynSrz65Esc\nEURGg2i3VxQoyZbjcLW7wegR2PvgXr4WJbVkeTtfz0vB7usMX7yD0GGkI1Z5P3G2\nEFIKsARj3Tyxolq/bzYdYkDX4lIHEGnOXQ/7F8odhFipZmlPG7YORCOf4ObuAwqG\nkadrA9r9pSQ5ZN/6WnXNn/87XpDkqranPZMLgERsy2zj0ldJMumSI3A
eMpr1zp0I\ngtncah0CdboDggGGAAKCAYEAwh3YTlboK3PE4WgYK1GBhCBbE0BPn54G3T6sCMWm\nPahfu19w2jTE+6fNs844zVMfVNpe2Z5naM9qdpji+wZIXwU5pMwdQUYZve85pdRq\nk7LdxRoNKu0w8WsBSYnapD8uqODlS8NOCsvHZxYTmVr9efx1PCestXK10O+32XTg\nBHH7+7CebKS0Al8LonvIWWM2x7h3i74x7CUZsyUw1VqCXooSw6m89vXXANEzvaD6\n3WzLm5zEEH/j5T53SEU/pOeccAohqpNbWu8G00/k+f8FvnegtX67lZeoU5tkGvIJ\nzyr1cFC9Lf/RQAOyBWsVpnL6TZI5EW8wqxmwyoM0eiuxKSHQegYJqU/tlJMz4/jM\nBkN8g8kEzD1J6GFxslPIBECevF3TFEvbrA8iTLqT+x8vKCht5vfI8ifXV0Cdu2KY\n8F84jqiClC9uxdS7EUroNMx6yCtfX32I6nhXlJqY9L4d4VbFVKUadq5quuLKnYWS\nFDEHOEHKHoa4Q5CX8jj9a9Vpo3IwcDAdBgNVHQ4EFgQU3kOs9ca2BkqWo2wi9mJN\nM0rkv8YwHwYDVR0jBBgwFoAUclLwHHgfHLdXXlL60fgramPuTJQwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhANQwMbQ73qvd217OykZHm3r+Mt43OxNPoYNYpp6vfCa4AiBA0BiG\nuAAkUDoFGl1JkDALNrHXylozmOGWGa2EfO7uzg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::forbidden-signature-algorithm-in-root", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUDaJ/6tLx3/9po+TllYHwdln10iowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQD5zbhr1z6GZ6FklnceMlxhgWP75mm3lLn82g5Z\ne1URaivrBHsN2hNxVSngVq2Oo8+Am+IVtMMolPJY1YYdJadcuDjss+AXuV9ln9xJ\n1oanUD0Y3vUJEMehLcpzYXVZuSOAE9U85okxsP/B/QuZaZH0XxPCHQBUo0PgztV7\nHSlK5JRaI06L6IhV8BcVz4Yu9umfm1z4iGL33SSVS7SgAUs8pkG2efj3YKJMeUeM\n3FcRnRSGVCCw2g8wftgCLj0LLLI7OAWw7oLjcYGEi0rdznVYBWE2q5lhviwBAgPZ\n9IqD+5SBpT5R8oNkytjVF4EfxtTgGkYmGlkltOrVhl5rqqs4CrJRqVx9QdsIofwY\nH/yjGamTpdqGLml+IEKnklyxI1cEdRjNLY7YdtQgJ8GlG1BUikn9ZqYF8LBFzKM3\nJkU0WJcijzacORcpCX1L3SEjEwaqwQpWh/UfZ5Yq/81Ou75WerqEK6/Rs1b8/Rjh\nP2KEvYyDuhZ8WewecIu61is4jXsCIQCfMtODPli8rza6yi3Of40eeM10jJYZpFcP\nVrQVqg8BjQKCAYEA11eE12OGdqTbfMjyFjgcoNFXeVL5qQfNXQq7rqnsPFgD7ycn\nCCCPFf8vuuxrfBdxkQZzLqqbHk3Ql6jfv1Zu0r/dyoSn19nvOz1x9wHNdy61tuPD\njfGK2PbNs/hA65+vkS7MTsqnxfw2/VAIphQ4Vf+NpS2SfPTT75d5Gjd/sYIW9qNd\nHpn/O0MHsUXyFSfdJJFzsQETrIiHch/E4/RVMwX8bM+UpIXSNg53KMn8XkV47zIZ\nIEjC8MgNOcn/Rsg/1D+G9e7dGorfkD9mDbTePXYTsG6dwpp6F2lsrdWfmMP0Klbj\nSCo2//OjAZen1kucTyEnryh/HViz/jG0twKp3natiFiwhc90UqNNQfvNlqIppzkp\niQMXZvlOW+xwTbMigjakhJ3KALIBROyh7ll74hhPRJTVQeVc6zFQ0155yVddrq2f\nNotqRyo4WGEpcJji/ZC0QjLFJb8L0UOJxLOcaicJ+BHxrqaYBHizGhdS05nMHDEC\nSNKRpvRXLSTMKcffA4IBhQACggGAHEhIkkpnkMwEM5O/qxEg0qElvzeGK53FOGrr\n6JHL8Ri+AnJOt3fDQs/lB3MnWBtk5uTh7uk8J8bddU6A+f0M336SaStG7ZqdnZwc\nMzYEIl/o6fJTRSF7XSsQ+cDYj6Z/OK4PTmtScNRYktIljbkxGaU9a/mrNN9wFi7m\njCrp8MytEkx0oqrdRoZxzoidor0mEobgt96gFZ9chHZuAP68mZeERTcThWhG1K/L\nSkzvVijs7SKKl0IJuR/2h6ri6x7V7gAFjOO9eHMVYfI+CWS4fd74P3JDLoGuSHS1\nx3QdXCekFRQm5X+aoWiaAe0kdZtDjAOjmjrJO+denOtCl0TDVqYBtG0/UL1pbbZ3\nesc+5CR+YWgrBB44HxSXfyHOqtrQx5szgPC4x03ch4+Wxi651yozHfzpVcaIJ5h/\n+Eq+6bLN4Cg0Oy3n8aF71zU/f2iG6n8wX1hdVMHfCiUWPAcCASK3nZLX9FgoOE6j\n+eCurdNVd/SsndffebHIlP5xFhm9o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUuto29/Oa\nYs
okCpcWg3/EwzDbBT0wCwYJYIZIAWUDBAMCA0cAMEQCIAjLYU/9zyOGVMevb9XK\nELG0h4m+kKtnvVyeTJsM/scrAiBwjtHX1MaxK2Pm2wsaDPaRZvaTaI9RDUElIJZI\nzJ33og==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUXZ5XbhfuODBz3NMDlpNN0Lp/D0IwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABHOdQKCh2jqGtVLK0evxpiysG1TLsvUvwhfhn2VP\nwOK+0LYiAqKAFL6xWKt15Mq0oFD+5DaragZOxW1YPGq4fkOjcjBwMB0GA1UdDgQW\nBBS0B4EKNh3Q9Lmqh2WApYq04m+44zAfBgNVHSMEGDAWgBS62jb385piyiQKlxaD\nf8TDMNsFPTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgK0u4LcJVrYJ0y3ObTO8jcxEY5Cwn\nWf3sqjJHhOQ3RBkCIAJO9xxJSEd+TbypO4EOb/pmU9oon7cCTxUhccM9Ccz2\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::forbidden-signature-algorithm-in-leaf", + "features": [ + "pedantic-webpki" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT5H0KBFyNeteSK2a0ct2fK/4wi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2xi0NWPHrpNOoB235kjTFjIqiknN3PpQTlbrk\nlpLmHYkfGh0kKRwGjCTLXfyZ06vCfv3YzPUgEZOS8r2loWc/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS+vbGDOpHiI0/BSJR0Jq0o2F9iIwCgYIKoZIzj0EAwIDSAAwRQIg\naCZ8d+7SOhM37o2VCH2Ouigm3jg6ciabqMaFBH215O4CIQDAgZ6gP+QEB+HGt/t8\nTgO6tLT8iBadZ6ECqLy7zKCYUQ==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFzCCBb2gAwIBAgIUbw/L/oYrm0GKHEgZ1dED4t28IdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQDzd6/L/l2Xs2yMX1U/eDMgc/sCruJzGIPByGYFUFJq\nhXY69BbKZ8Ag0fh05/QbEE9ORr2JYNao1VgWy4OlrH2UUad2oWn+FP2wmHDgIQhM\n/4lRkVQUTibn+WsNvRRy0aUMX/NB2z50WxOI4Jr9gcVkGrQSFBhDbhfUXeZvl7t2\njfmTtDQRhh1E69U6ImB05nihT7TPO4azMO6R3lykGrVEESVp8B/Jdnr3eEXb4D5L\n9kkiOQ0/kdcVlXr/XzDxa86ziXXXKt7X41OhABaxfimJyEMHWroUQEtSzcBI+hSg\naV2YIA/TmKEZf+HiHkFPqDU1Ub6LUSD2Ve/CBeevECGStzn6ZMOrACHVN28H1Gh+\n0m+OAafea40GNX3DRNuRWCWOZ9fNe7wTAAIf/kocKsNg1T1ey4ltHNmpmFUL2Ymr\nIdBGac/rw+0m1vdsZHK3ddFQQwEu4NfY63e+lUubF2Ymv9dT/aKNe7QhE0X1yb4E\n785eglXsvKr/bwQdlbzu3cUCIQC6ePhdoXLPrictVT24fipgFBTiTdzXp71Oxg2L\n1jNpZwKCAYAGodPDmicfW7rWPLvS/Kw2UROvAkDvm9+giVmBq7BiiL70fK9HHWvy\n2Jf6jbeG5HIsUSllr255HEZBsTunGJDQ++lHOxZ8KJblauOxWWYZVR256RQa1AVt\nJKm+TVqk21uMXL1MYrCIUa+SQAXV4FMBh1ytPrTr0aLNtz/ooyq7NH0ErjIU0o75\nZMSA9EgCGnqs5IpVbcLo+HJJM4N9kEEE8LuHs/ccYKKBvFyoV5ii5C/ueEMl1Fn7\n8XRzsyIeoziskjj75qn9oyVyQJ4mI9sS6BKkTPZsYjisohL01o+8BPYUaLgY7DYv\nsJKlMEebweR7xxsV5r/NNr4csSNVbhiRarL/CXxuCLUeqIlwk33lN8dARNctF/Cl\nCWCjTabDlcyDqDzfhr4t0/Oy8fCJo2DrbBgT/roelFpfY5+PTKNwNGnHqLAFDr9B\nhlFsK7dyNHSmw1fE26SQPGvKEZkLUYnl6+9mha8Hey8SLvzdzWN
UHZcJ/Hu6/IiE\nBWILxUM4s44DggGFAAKCAYBNlqq/gISXGuXL60hZuVUSyCEwHKfJzc5wbu6MRScz\n6r48kJFAF3MZ1IVWdVQdHr/td7J7NHXZU4zCSMHhF+nQzdMbUyQ73qov49PFa9bV\nv9yq+tQTPm9F261LS7eARuTgJj0zi6UtZNkdwDZdO0lf7HfBAzBX4cYsHgoPAmyu\nsK8JOHrA5xBTMxLOcHY2mHxQFYcf3KSOaEnjzLZR7TITEkGvULL82Eu07N7BFVYU\nlOniF82okE3vwLZoXd564qLcS1YLP1zzn/htVrY50R1a9UjrNM2IYmn/WnN+9gOF\n6vm2jCtCQSZJNNDnSrZ3t7839qmf+aXb3CNd27zUxDSZHLuYLoe+5899WDByE//n\n8zn6W50K3ws4yAhAEXTFngkeGojsTTHujxcxtlWvgK8w6sylGmBcaaOJycKyiYE2\nPW3JsisqxPUf7M3Fb9Toryga9kOrkGj4Nwetx2nS4EMLV2sOFQDkiNRDDeOVKStI\nAmxNQ5zd0ZmbdcB92Xodn+6jcjBwMB0GA1UdDgQWBBQIR2T53CX9/J8c3/hN/g05\nNezwUjAfBgNVHSMEGDAWgBRL69sYM6keIjT8FIlHQmrSjYX2IjAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBayy5d5QG13z+EIVmZyWB/u7YRXUMx4hF60DlxjkFBLAIhAPY6vCyC\nB8ITo7pGVlXeuAlkgqx1smn/QIUspDPNsrGQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 8a702a95e4a43f068df857b090ec868bac8ea6e9 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 30 Oct 2023 18:47:47 -0400 Subject: [PATCH 026/155] validation/policy: clean up TODOs and NOTEs a bit Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 5f5cb416692e..172852209470 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -537,29 +537,18 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 /// Checks whether the given EE certificate is compatible with this policy.
 pub(crate) fn permits_ee(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> {
- // An end entity cert is considered "permitted" under a policy if:
- // 1. It satisfies the basic (both EE and CA) requirements of the underlying profile;
- // 2. It satisfies the EE-specific requirements of the profile;
- // 3. It satisfies the policy's own requirements (e.g. the cert's SANs
- // match the policy's name).
 self.permits_basic(cert)?;
 let extensions = cert.extensions()?;
-
 for ext_policy in self.ee_extension_policies.iter() {
 ext_policy.permits(self, cert, &extensions)?;
 }
- // 5280 4.2.1.5: Policy Mappings
- // The RFC is not clear on whether these may appear in EE certificates.
-
- // 5280 4.2.1.11: Policy Constraints
- // The RFC is not clear on whether these may appear in EE certificates.
-
+ // TODO: These should become extension policies.
 self.permits_san(extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID))?;
 self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?;
- // TODO: Policy-level checks here for KUs, algorithms, etc.
+ // TODO: Policy-level checks here for KUs, etc.
 Ok(())
 }
@@ -610,7 +599,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 }
 // Self-issued issuers don't increase the working depth.
- // NOTE: This is technically part of the profile's semantics.
 match cert_is_self_issued(issuer) {
 true => Ok(current_depth),
 false => Ok(current_depth + 1),
From a356e0518867c4c3850592d5cba09ba7fc3c9ced Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Mon, 30 Oct 2023 19:24:41 -0400
Subject: [PATCH 027/155] validation/policy: drop unreachable check
Signed-off-by: William Woodruff
---
 src/rust/cryptography-x509-validation/src/policy/mod.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
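Review bot: With the block comment at the top of `permits_ee` removed, nothing in the first hunk states what "permitted" means for an end-entity certificate any more, and the one-line doc comment does not say which checks the function actually performs. I would fold the contract into the doc comment, e.g. `/// A cert is permitted if it passes the profile's basic checks, the EE extension policies, and this policy's own SAN and EKU requirements.` The remaining `// TODO: Policy-level checks here for KUs, etc.` suggests that key-usage checks are not yet done at this level, so the doc comment should say so explicitly until they land, otherwise callers may assume a permitted EE has had its key usage validated.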
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs
index 172852209470..76a60dc22c52 100644
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs
@@ -510,9 +510,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 // 5280 4.1.2.6: Subject
 // CA certificates MUST have a subject populated with a non-empty distinguished name.
- if cert.subject().is_empty() {
- return Err("CA certificate must have a non-empty Subject".into());
- }
+ // No check required here: `permits_basic` checks that the issuer is non-empty
+ // and `ChainBuilder::potential_issuers` enforces subject/issuer matching,
+ // meaning that an CA with an empty subject cannot occur in a built chain.
 // 5280 4.2:
 // CA certificates must contain a few core extensions. This implies
From 9d5a3130b6e0767968e70336731a1f5b990c42d4 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 31 Oct 2023 11:34:17 -0400
Subject: [PATCH 028/155] vectors: bump limbo
Signed-off-by: William Woodruff
---
 vectors/cryptography_vectors/x509/limbo.json | 372 +++++++++++--------
 1 file changed, 207 insertions(+), 165 deletions(-)
diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json
index e6c83e20d018..9a52df024f51 100644
--- a/vectors/cryptography_vectors/x509/limbo.json
+++ b/vectors/cryptography_vectors/x509/limbo.json
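Review bot: The removed `cert.subject().is_empty()` check is replaced by a comment that relies on two invariants enforced elsewhere (`permits_basic` rejecting an empty issuer, and `ChainBuilder::potential_issuers` matching subject to issuer), so nothing in this function fails any longer if either of those changes or if the CA check is ever reached for a certificate that did not come out of chain building. Because this is an accept/reject decision in path validation, I would keep the invariant executable rather than only documented, e.g. `debug_assert!(!cert.subject().is_empty(), "CA subject must be non-empty in a built chain");`, and pin it with a test vector whose CA has an empty subject. Whether the argument also holds for a trust anchor taken straight from the store cannot be confirmed from this hunk. The new comment also has a typo, `an CA` should read `a CA`. The enclosing function starts and ends outside the hunk.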
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEjVtg1LAUzPxmS5F1eu3RMEG1dowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr477Q2SMcsjeKrbUp3YQuQoz3CpaSSSGLRI8L\n1CTPlbYo2ROFknsAbM3A3SnyQYErwBf9ZAmb0IYfcUb9x4tco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyasg4QCU+9ey5ytLt2cUHQDwRg0wCgYIKoZIzj0EAwIDSAAwRQIg\nLqurv3xmJS6C8qZKrzkh923qVbM4w9vYXDswggrRI3UCIQDW1BuTvc7xk5fGiufD\nVXpIa2AbXVnvQIPQU/g8n7p13w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUjdfFtHvrxj8NjRV6277+dOzJ8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtwUdc8GkX/3T+P7dzJ7h+hcoJU0YmDqwsQAuC\nPqyzdBqCq2dlT5yOWHw7rU9r6On5GOPT982w69F+wdTsxaKzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvHcWNfUf3HdLmN6RT0NeyXKX+WUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOXq1ziNhvUzdg/Z4r9mpTalcjUQ/Y/AjWC7mEyXB4ZPAiA9JDI/zQXtmkowoYPK\nE6C277kkQSLeBKB36SNVg5boqw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUf+5Wiojc+0iKPPXVUHyzjhQ2+BgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMDM5NTMzMTMyOTY1MDMxNjcxNzkx\nMjc0Mjk5MDkyOTMxNzAzMDM1NTA1NDMzMjIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGGJ0Kfb2VGHtRiBAUDDASnCliq0o0dAqs5m/KxhYNuvZe475bTMgaMfMI4D9z6I\nYqGDZF0j8F0zjZY9DFjfUPejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMmrIOEA\nlPvXsucrS7dnFB0A8EYNMB0GA1UdDgQWBBR/K42o5t5e78d+f3PFJbI5OSwTejAK\nBggqhkjOPQQDAgNHADBEAiAoBmPeNYeiXUqe3lng4M6nSi4GNWn4RbB/RMnMrQag\nsAIgeGYeJ8uMRljftVvgaS/sGapBaU55O8dk1TYEZHSYbqY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW6oEDznA6odAXS6IiCcMfNHFWQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjkzNzIwNjc2MjU5MDI3NzYyMTM0\nMjk0MjAxOTExNDAyMDI2MzExODg5MTYxNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBElFP5EJI1CvFOpqo/WnPsuFNe7IY/S7zwOqkl1IVaiVCzg1QvTPLIi+a04rkxzo\ncl7nl1OW+HpcszOTl7D9AoSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLx3FjX1\nH9x3S5jekU9DXslyl/llMB0GA1UdDgQWBBTIgyoLwKoLUTxFRkrulerBvTonLzAK\nBggqhkjOPQQDAgNJADBGAiEAw77zfvFTq1NkkhnobPBfOOfFGF8sYMpUHa9/dtSW\ny54CIQDh1GqZjeJAss2+XJMSDYKKOwTQDuP17TrUyfELNuqD2w==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUBoH9lqJDYSBRMMo8Q2ORS9ZCw48wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTAzOTUzMzEzMjk2NTAzMTY3MTc5MTI3NDI5OTA5MjkzMTcw\nMzAzNTUwNTQzMzIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS+\n4kQc6EnRA14wy6MonVOi6dpPrs0ZoRbWHTwYjwOjvRfRarvybhCnM6h5rmnwrDFa\n7xIZaSBSQ+glAGMgMZ2qo3IwcDAdBgNVHQ4EFgQU4d/OGssb3HD6jFkyWt6OjH/i\nfTIwHwYDVR0jBBgwFoAUfyuNqObeXu/Hfn9zxSWyOTksE3owCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAL8mAVKJUIqdzqKS6wd7oCLHOfL31ty6KT0dVo6a241SAiAW0qSx0EXa\noWQiGdUjpeQG4WCL3uLxiYAVO6eVmtSDkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUGtt5whSbjQFbKqBma4tw8kDLEG4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY5MzcyMDY3NjI1OTAyNzc2MjEzNDI5NDIwMTkxMTQwMjAy\nNjMxMTg4OTE2MTY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATB\nIeAI3XfW9LsD32oSW9tEYKc6KNqk+Ck9Yo8qyVq4U9b/7HhuWZ68asF+uXgMQk8d\nVEo0v9/xrQYAVl+G/bVuo3IwcDAdBgNVHQ4EFgQUdFK4H8z5JSxZIx6yyykmaC6+\nqSUwHwYDVR0jBBgwFoAUyIMqC8CqC1E8RUZK7pXqwb06Jy8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAPjEdzspX4Crhy5smNi9j84iymutSBAjfAkkycxGAA9PAiBYe3l1bd7O\n1FayDwnsDt4HcF+rzM0vlaEf9s0fh8/c1g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWP6GPN5GBcK70+rVcuNl9QtSYYQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpt+qqood2UfYK7N85ZUwLl6EjnnIJXHKQ90rx\nwTcIXXI835yvRPHftGrqR2ZlUE26iRHnalWC294eXQbHHXyvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXbwGC5J01dk+7yB5dA8Rz3GnqKUwCgYIKoZIzj0EAwIDSAAwRQIg\nKadSAu/ZU2+2WTDdHJqU6u2ESPEs5Km8EJ7OB5E7KKICIQCj834ZBeeyMhNNysqb\nGJww4SFtdepfEGxYeKJRIpL5iw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX0dCYtxbJb8cNk+ysNKa6+to/QowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH4ib0tqaWetJ6DzbZZ85iNUcZKo6T/N4zbV11\nl5ZkG3pMjdpcTQeR6zigH39wvf2U7Bl1tUNW2D9CJBz5Wpyao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlDlAO67OhTCPrF7GzugZmv8ae9MwCgYIKoZIzj0EAwIDSAAwRQIh\nAKghrDeRd+kbuxit1jycdAjDww/TCfFhrfZP95lKyIDkAiAnOtivhZEqxmDmyaOi\nI7BLKpOfciLWjOcZv70s2Llw4Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFa0hkYD91MlHK2r36RH8rNNbwoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDgwNjcyNzA4NzE2MzM3MjAyMjQ2\nMTUzODU5OTI0ODI5Mzg1Njg4MDkwMTM2MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBF1aq7D13H9Sd935lHypyL4Ex8J2zLXkfjCSl0ECUn5D8Rzu6yIiDjMl/14CPpjG\nEUZegbbz5JMSpMQtyX/WISWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFF28BguS\ndNXZPu8geXQPEc9xp6ilMB0GA1UdDgQWBBQgTcpEy+V0/n1RhNyg8S17lf0hRTAK\nBggqhkjOPQQDAgNIADBFAiAjya/mxPkSLQdkZ03rul379Er89aZUvHtY98Ht3JcJ\nAAIhAMpZk0UBD0+uGtpNMHFYUaG9wARBY44iTpIpg6O+WrBJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPUGjTTsjr82OdHnFs9udI3cvqwswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NDM5NDMyNTkxODg4MDczMDcxNTA3\nMTk1NzYyOTgwNDM3MzYxNjAwMjI4ODc2OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIuj5EnzvhWKLnqQ8rdJVb5YQKuQnGNPKr1Jj3retpqnLrS54PTN4hJMqaJzuExm\nqaRspd89XST3NO9EAhPPhYmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJQ5QDuu\nzoUwj6xexs7oGZr/GnvTMB0GA1UdDgQWBBTDLaMYlkYuPds54uv+yafcQ6WyTjAK\nBggqhkjOPQQDAgNIADBFAiA8al9Abwy33leecVUKmWnc/eT0FLU2GDFDxSY0mwXc\noAIhAIOEmoWuxO0OMpSiBPubtg3jYPsXJrMc7HAPSzJMAJpr\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUfh4kezo7iWbEm4Rvx3eLy+2stCkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4MDY3MjcwODcxNjMzNzIwMjI0NjE1Mzg1OTkyNDgyOTM4\nNTY4ODA5MDEzNjM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASt\nYSKJXRlX9pY7SOw4JYvY5pDTqQAx/zQUzmHsR76jB/mjGmP7eFfYShQf4YXlIH4T\ni7que83VYe0wAZvYdmvco3IwcDAdBgNVHQ4EFgQUesT77McPapNxHxFvVWxKOwhg\nNvswHwYDVR0jBBgwFoAUIE3KRMvldP59UYTcoPEte5X9IUUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgZNkU0OmtLGA2kpt4qA4O8vgo6mohY2qDEk9UM5O7d48CIFLSfVEA1cB6\nZRMtvt9dzsrmyh4enGFh1f0aEQ18mT0N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdSrKNUZkAl5MrSXPbW8WlJ31cr4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQzOTQzMjU5MTg4ODA3MzA3MTUwNzE5NTc2Mjk4MDQzNzM2\nMTYwMDIyODg3NjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1\nMR42Y300fFoY1moOlv7Spz7eTMcOi0fBCujsv6JGcBoO9/B0DWJke9yUb4JrMZSs\nWNMNOmhv7jjmWbirsv5So3IwcDAdBgNVHQ4EFgQUC40DQ9a38xpeUw6lNgPeW8Qy\neXwwHwYDVR0jBBgwFoAUwy2jGJZGLj3bOeLr/smn3EOlsk4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgK24c2+GxhlWs3rJS10knoSaF8sNJwwlLS2dK9H0uVd8CIQCtcTjk3oAI\nIpGRt6c5aTOn8VzWqJm2ZbtveVyxzOa7bQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUW7hQ41wdGDbHfHtDsOBcup4N9TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASlsl49UJaqnYmc6qyl1Ra74yrurnyJ5FTlJhuB\nW/Vkd0GCunrUKnAnv9l2kj5XosgFGQ91/JePYrY8e96s5NL9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdFPnmtUrDUbU65WE7bWY9XjaVMUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMnkK2drRPXbI1ZVd/Ri0njjpN3Lmo6hlitfWBnCYlGqAiBsHbcHIPM9AJ77dqhT\nHO3+BW84zDjgIHPvizcr6wHmZA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbuZUk5NiJEG/nx9dNf1NRQASATowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIfQX8bW62EcZLEbRlAN5WGAzx2pR1o+mJFUHn\nZIrSpMPIP8X0x40bPwpo4TCu/fHy0DdGjIZXkKA6Ae7BPLSCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnPK7gYytf9JPlitAeMW/8y4dp70wCgYIKoZIzj0EAwIDSAAwRQIg\nWgXg25U2PfBJnVjVsh++ReZyem+GHP1LFNqcMoBOHswCIQDnxu2/CHbxz43eAwTa\n4Aiw0sA+SxH/dG87DqnsGBMbOA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGyi4udNUJsALxL5iI/YjK+cMc10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MjM2Mjg1NDM2MTA5MTA5MDY1NzUw\nMjA2NDA3MTQzNTYwNzQwMTAzNTgxODMyMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMB6nzNi9sLpdm829NHyQdRctu6Z4KZtMcdupz/JgWkv1FDr0JTcCcmLrJ0mvOOB\n+lEOzNtD3Nl8oTanAEa2hgSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHRT55rV\nKw1G1OuVhO21mPV42lTFMB0GA1UdDgQWBBRzkrSTV9MgW1c1Iwv9GAVn97BFFzAK\nBggqhkjOPQQDAgNIADBFAiEAn6iWG6HgsCIYKwwNm/JHHuXIpC2Bre7Ta8b3ygBn\nTEoCIHAt9p0pYrlWeC8/F5QmnTilI/2yzrWMK25TE2xncdxR\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUQoVexDPiPKgjy1aVixABQWkJ3x4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzMxMjU1MjM4MzU3MTY2OTIwNzUy\nNzA4MzI3ODk4Nzk0NzMxNDIyNzYxNjE4NTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOI/jHTGECYv1G1mMIZVLfH6LX87PsMT7hzUT6IWgot3hf1uZVMOMeWpqK9jI7VD\n5bbQzfUOjeSgOg3ijqA9O8ijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJzyu4GM\nrX/ST5YrQHjFv/MuHae9MB0GA1UdDgQWBBQcCPHyxhe54sxhF/PgjAeW7/5xpjAK\nBggqhkjOPQQDAgNHADBEAiAa6MHuyh6e/8VZhiGEc//zChkqtH+a0j4FTKVcLWuK\n5gIgBtWfkQumLEskU6zfvI7rEpiK9g9EQc6w7GpvESgADdY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUDV7KzW7vlzBgj5lWh4SnJOQzbW8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTIzNjI4NTQzNjEwOTEwOTA2NTc1MDIwNjQwNzE0MzU2MDc0\nMDEwMzU4MTgzMjI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARG\n9dJNgH6/6J7NjhSHNBMqKW24UfDVydatDVLp7mTQXCyT+fSG/PyFeJ7h4evWdenb\nJL+9QhpD5G3SR3BMqZZao3IwcDAdBgNVHQ4EFgQUSrOJMk5tomL5is/YS5OK+aZd\nHsEwHwYDVR0jBBgwFoAUc5K0k1fTIFtXNSML/RgFZ/ewRRcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAMdLldlqHAcBRTVhwQe/lLpHtSZXWpkP+/LrE1kpKrVpAiAJvauS+Qeq\n4y75dokrgh55Pd4r6P9cAr01wJPke0zTEg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUXVGz4/lR8aKO56V/JSKrVTkwLQkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzMTI1NTIzODM1NzE2NjkyMDc1MjcwODMyNzg5ODc5NDcz\nMTQyMjc2MTYxODUwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQS\n9MKYXytnqU0IrKV84zIZGlluZUD9qEMVyA3T3iAPrI8LjiE44CUfBP/tLjsH/NA0\nGfogb4ZBuHJeno2HJNdqo3IwcDAdBgNVHQ4EFgQUt14iIXVtjb6VdSSSi5zu61lh\nqBAwHwYDVR0jBBgwFoAUHAjx8sYXueLMYRfz4IwHlu/+caYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANImSVNVhLP3jdUTvzyV1R2P0mRoQLsHq6Q6zVgpaflnAiA5w3vDQDMd\nQKtKB0UAKdFBBam8PHZnrrkuKD+ioqJRqQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULaeHOztRO17EEn/jnh/TjKB9ul4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASbBU+3qZKN9UiQOD5B+RxTOQLJ7QsIatzBWHqa\noAjBGsQJvwOfq34dlwZSziAc43wxpVk/9sUi/ECwlWbzdxkyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUihjDl75s4rxjSMKO3izzYGsuWUwwCgYIKoZIzj0EAwIDSAAwRQIh\nANcwb4O5tgcHrmYwFQ3TOI+TnnB2s2xC3Cx0N9JapNsRAiBC9dZdbQRl9C/IwMx3\nV9E5AtUktIc+FP5Xhj5dEt/tEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOODjIWOBmS/ht8kkPFkbLtCyvNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyg2yDR/CA9lsKuJSwA/0PbEVgMztk2e0rxeX8\nYySXfj5pmGe9tutm7PHWfjripNQKGZ0dXU/pPCeRWpfWsJAUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQg2SYkfd5V1ZIEVqS047Ln4I/JUwCgYIKoZIzj0EAwIDRwAwRAIg\nUJrh+joXP8XSCyQKFLq63wUJHddXxYjHQkE20hOuuNQCID3KvkUDtzIx3H5gBqQN\n9xdtuVm6C4uUpQZKHA1r83yI\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUEJzA18rQoCKSGQvusoqu0+hCXo8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNjA2NDA1ODk0NDkzMzQwNjA1OTA5\nNDEyNTM4NzU2OTkzOTg4OTk2OTQxNTYzODIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD8vNJxl9yh2k/rKYftBkLonY9drq0MxDK0QqdMM4UhgUg/cCXaNpNXFaIK8nap6\nBW1fn/SC4xZMK/N0stQlH0mjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIoYw5e+\nbOK8Y0jCjt4s82BrLllMMB0GA1UdDgQWBBR951B8q0746XQQbTka4J59MD3JQTAK\nBggqhkjOPQQDAgNIADBFAiBbuLulvpoXFxQ3Xt0VEnhSVXj3yuUlH5Iz1qcO1JVM\nhQIhAPcIIdJN2BLWNV7viM37PDeWVg3zy1lvZUdbjKpf7wmq\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUYJB0DmZyvXvzLfqfwP5pxlKQMnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0\nMjUxMDc1MjI3NTE4MjUzNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLmTYM8eajoT7LWgeoIhJMIbIFCAdq/q51rCapiZB5gJOzU7vEBfRXQfow5pFG5Q\nfLyWFBHovevikD1Y3k4L+t+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEINkmJH\n3eVdWSBFaktOOy5+CPyVMB0GA1UdDgQWBBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAK\nBggqhkjOPQQDAgNIADBFAiBkmj06OfwIpL3PgEmK4iM4CTGrd1TAq5Q1l7wMLN2A\nUwIhAJcVSYyseij+VxVqbpAgov/nI8ZqkwXZhCnokrX3xlIK\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUA2S7Ynlt9z89+cm2K/uTO7C3wL8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYwNjQwNTg5NDQ5MzM0MDYwNTkwOTQxMjUzODc1Njk5Mzk4\nODk5Njk0MTU2MzgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzk0ODM5NTY3NTczMzQ3Mjk2Mzg2NTczMTIxNjYzNzMzMDMwNzYxMzgy\nNjk4NjM5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiC2oYlxVbj9KS5k8yREcLbqQi\n7LO7uMh1q/I9iGBR9LhRXX7g4IRJvWJNGjurmOuIGVbOIa+wEM61cCpqb4/oo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR951B8q0746XQQbTka4J59MD3JQTAdBgNV\nHQ4EFgQUl+fXeqxR8gjKoIyNGmQLv3BV+3cwCgYIKoZIzj0EAwIDRwAwRAIgYtY1\nJ5Ur6hawZw01bOyNx6MgjuxlGnIBiPMM+ZnzJVcCIEPHmwI6EO0477R2SMYuJwhc\nyDdf9pTHZLir67xZqymF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgITQyN987G3uYA468v5byMvodayqDAKBggqhkjOPQQDAjBn\nMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0MjUxMDc1MjI3NTE4MjUz\nNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNTUxMjg0NTMxMjMyOTc1MjQ1NzQ4MTg2MzYzOTUyNTQ3OTQ1MTcxOTA1\nNDI2MDM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrHiZU+tpwIewlqntI5Nmn46Rm\n84ptjOFHVHG+N5+peX1xVAL8swDy1jZJH69XsYgXR7bDJYXf5fDpUr44NV+Ho3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAdBgNV\nHQ4EFgQUFTym8fBPsGlAEKDcfzyWaAx3ps4wCgYIKoZIzj0EAwIDSAAwRQIgdfBz\nooJWof9a1P39op/G3wF8e8Sxpbt+S5Fv0kSQ1kgCIQDG/obogcjj0gwytLtVzLzI\niO1NGitVcvUJ1Q1r0CaJaw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbTlp+mIbEPbc/BPmrYEU5ZnZbc8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb0QwDviAniAUmeuBJAxsSmSA3DPz9lA6fCo/+\nTVxNzYAOLXtSCwTprUU+nU2LoYnbMtQHzxpPreKO9gWbLC6zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmsuksJys92HssHXmRC2R5fFZDFkwCgYIKoZIzj0EAwIDSAAwRQIg\nUthZZOajFR2KJWX1Iu7amRT4uXFO9Eb3YUgT/G/N2HgCIQCfz6pKtAix3BpVOJbx\n2ngLxo7WUNJ38lapJGvuBLT6/w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf8wxRiPG4LMGszX4/MTgr7cwJ3EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/erWpehA/s0amOiiOgT1qdoAIciIzU0Kb9H8O\nc5jkeU/N+6UQWW53FyoJepHCdAwqIybdIZdG4w9q5SPKgqIPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV8BXRhUCbvKL1Ay66yqmGnO00D8wCgYIKoZIzj0EAwIDSAAwRQIg\nRSYDqMLW8ojAWkBCYgy9b9rHfIEm50OSkfFFHa1WTqQCIQDXgBmfmORgd/TPWPxB\nSHpSNsBYgSckMaMcJcyRKEa23A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUTQoIILVGzwLfxp2yPss/URKK7RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MjM1NjAzNjg0ODcxMzQxOTg0MDAx\nNjkyNTgyNDgzNzMxMTY1ODEzNDI0NDA5MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIAUM92ZzUvgmPgqAqdi2HEixvAgMb38e4zPZAxBfR1T9omcgCu2o2DKg8yS8NvO\n9Lsow8ZGdVqAyPRGux7FFQmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJrLpLCc\nrPdh7LB15kQtkeXxWQxZMB0GA1UdDgQWBBSB/qNV1EgRI9WexSjTtjtJsQl2MzAK\nBggqhkjOPQQDAgNIADBFAiEAl0+oSvaOeaixYywG5CGf2ZZNHrn9TtoqPmuxD5JV\njGECIGbw/WWnhzf/Qh+qUS7JcmuQPTAkmGUE+DwYeaM36Ua9\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUYd0bZXtcSkeDosSNgBi642A33+kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTYwMzY4NDg3MTM0MTk4NDAwMTY5MjU4MjQ4MzczMTE2\nNTgxMzQyNDQwOTExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDQzOTgxNjAwNDgzMzcwMjA3MTg1MzAzODIwMDY0ODI3Mzc3MTA0NTU5\nNDAwMDY2NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7jRH1j3DBQWxACMDGW/KXgxR\nWOiJ7RsjzYo81uqcIadtd43I5BUCVtNYc5Ay0XPel0qq7dsG3kn87JW2ENRUKaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUgf6jVdRIESPVnsUo07Y7SbEJdjMwHQYD\nVR0OBBYEFI1zmT0rUZtb/EwvEYaHZbSFLh5RMAoGCCqGSM49BAMCA0kAMEYCIQDy\nqm3wZm74ndXUfGSFCSbmtXPTQYYL98G/iur0WX4LqgIhAI5kKp0XFqrYiGTuBOzi\nDQL8pnkpKFPvEiw3LVgVQbFq\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUExV1CDCJulDValMokPAjG6BAQ/0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3Mjk1OTU0NzIyODQ0NTk4MTk0OTAz\nODg1MDgxMjM5MDQ3NTk0MDk2MDQwNDQ2NTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBItcSP2xpSa4GnwuPz+22GPBtHBrJnaG7EXk3X8xKXb2pJlP1yt4LZXveLUcnUa8\nweW+fb++cDoAr9un02tvRsmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFfAV0YV\nAm7yi9QMuusqphpztNA/MB0GA1UdDgQWBBQQzSOLPfYJx0N3NptWl1F56pC/wjAK\nBggqhkjOPQQDAgNIADBFAiEAhbHv8AGWUPORbfKr1fqnOS8uQGpyYvypRfENbKsE\niSICIGP+PgAhZQ9lXHNeVL1+jDHqKXsY3awtNHBuTFPQ4bfJ\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQGx9wM0oGlDSPFGnJrhuaZbzcmgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI5NTk1NDcyMjg0NDU5ODE5NDkwMzg4NTA4MTIzOTA0NzU5\nNDA5NjA0MDQ0NjU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEwODk0OTMzNTIxOTA1MzExMjc2MjU1MDcwNjAzNTAyMDU1Nzg5MjQw\nODMyOTIxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyNPjsSR+Q/cJEH3umFP8cIIK\ngg8o2k+mBKIG+0tmtObO27A1NaFC2U2ZuQ26PF3qWTOgkLQIeQajN+dy+wKyk6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUEM0jiz32CcdDdzabVpdReeqQv8IwHQYD\nVR0OBBYEFNA8ZAU3Mj5E2WouSy2Y4yTf78ZdMAoGCCqGSM49BAMCA0gAMEUCIQDD\nW9ngfSIDopr3SkZbqMqm0QD8tgWPOtqgK7Akw2dcnAIgZH+fiOmqZU8vAciUDk4k\ngoJfB0oJRtI9mc1Bzn0HyW0=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUTs2zCNAbTAWVQz13YLxHie2MRSkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDM5ODE2MDA0ODMzNzAyMDcxODUzMDM4MjAwNjQ4MjczNzcx\nMDQ1NTk0MDAwNjY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQz\nVBQCa5mbY29beV3zJBAXA0j46CMmkSBva1bmm+CX8KfjKZgxK0cyfjW3VkQEhdVl\niCBFZDqVS4nc66AusiCGo3IwcDAdBgNVHQ4EFgQUHsJsFZ885hH+kH0T1mVU8iL6\naR4wHwYDVR0jBBgwFoAUjXOZPStRm1v8TC8RhodltIUuHlEwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJDY8g/sBXMjsrj99LdON1eCPPp1sVAJMkPe+ykcenQKAiA3zQ6uKTtW\n5RDReB8KxZ7mwQUBS+nqICHXk04qT0vccA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUJe/5BVu+qL1eYcl1qtyKevSkzHwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA4OTQ5MzM1MjE5MDUzMTEyNzYyNTUwNzA2MDM1MDIwNTU3\nODkyNDA4MzI5MjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARQ\nxAQNkzcMHyZFtRFAe+r21kQ7mu+1/TeYtSaSkPZcp45hGr8Pw0dqeH8MjwN+YpJp\nFWhNazqJuuSkGVL43tiLo3IwcDAdBgNVHQ4EFgQUQYGkCBhYLe0d9jLESJ4juzAM\nnxEwHwYDVR0jBBgwFoAU0DxkBTcyPkTZai5LLZjjJN/vxl0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgQ5aiw0nnggX5Rw3LXnySyERuQ+OPgbIRA+CjEr7cnCMCIQCWZXb6HvLE\nekNCT1Nu0HEA7xBrpeaE/RhqwABJjBF3uw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgITIC5qm8pa0l8IddFQhCG3bFKDCjAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMnhBU/4BCuHWfJ9eNpArHeOUYi+TJ5o71Qu+VBz\naVEt0ukdb2FpA5c43M8RJvKkn1pY6BW8qcEqzGZG7c1fnz2jVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTopGOkpcZUmj279fAbGUsFnJIiWTAKBggqhkjOPQQDAgNHADBEAiB4\nmW0dqf3x5HJP5ac6bTKtbkZytEaIEzRPeIMwTwTaGgIgFe9yVjDGtSl2pBu30PFf\ndRTt8KvwEeo6+GoNtIYbVLs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQrooPmZOgtrw0mcAZ53Zc+5czOwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLJNaqtnvKNt1yARnpEyEoVBGyLhSudrz4Fe9K\nmwk+9cVaro4PyUpuBcn9NwjnXcqHzYiUMUyUGKns7UCX0t8jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv2BRKltVTjAP7tOtX71mzbB2llkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLpNJrFtiOLJUtcNRNrzhppsuHGYfVFFkyOS+fe//KJAiBqeubTebe7nb3J+JC9\nFdEP2UUDYNDvmMOWD232IGsJQQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUNrwvYrnfdYAhn9FDfaKcFq4322EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBkMTYwNAYDVQQLDC03MTc2NjcyODg1MTc3NTk5Mjc2Mjc3\nNzA2NDYzNDcwNjEzNDQ1NTkzMzQxNTQxKjAoBgNVBAMMIXg1MDktbGltYm8taW50\nZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPsk\nJjV2OxNAL6/xkObVWSqo0a/V7+KnEdfPVlyTu4eO5zx+EM1QaU8LEn3OqqlOgjVi\nuSLtlPfdkdjIpQ5LAQKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOikY6SlxlSa\nPbv18BsZSwWckiJZMB0GA1UdDgQWBBSP6krQ+A4Yccdf8t9AQeIqOcfjCzAKBggq\nhkjOPQQDAgNIADBFAiB+r2RdM5CKXBktz8vu7M8i5UcEun+3QvPbZDaGpILZ9QIh\nAPYukWhmPflB55mtKTPUwXKfRMGCRwnhJIphxS1wCfeG\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSjCCAfCgAwIBAgIUERwaQAj9mGAH+Gybggg3fixfoYYwCgYIKoZIzj0EAwIw\nZDE2MDQGA1UECwwtNzE3NjY3Mjg4NTE3NzU5OTI3NjI3NzcwNjQ2MzQ3MDYxMzQ0\nNTU5MzM0MTU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRo\nbGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3BgNV\nBAsMMDMxMjQ4MjE2OTU5Mzk4OTI4NzA1NTk1NzY0MDAzODk4MTI2NTIyODc4ODM5\nMDc1MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxlbi0y\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN2bAN5G879qxzW/INZC/x6QgMMJb\nv+pXl3284RLw/Pyip/gmn6hkFuDwqvug9761ikjHQgExDHJkaDztmvwI8qN7MHkw\nEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wHwYDVR0jBBgwFoAUj+pK0PgOGHHHX/LfQEHiKjnH4wswHQYDVR0O\nBBYEFCrGonD0lH64SBfeX84ynw82cR91MAoGCCqGSM49BAMCA0gAMEUCIG/786lz\nbXYZ+U5p5qThAo38B5ahruXVz4O0YJZIp1nJAiEAhUcNfDflNUkpQargDwzj/jDA\nvM/RlX6MAnLwdQAlS1c=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSWz30vHfDRS9ZIAlcIi4hs5lyz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODA5NDQ4MzUyMDYyMzMwMzI3OTYz\nMDk1NDA4MjcwMzU0Njc3NjIwODA5OTI0OTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKSziZ3lTzojjLzawD1ATDFYty47SGBuFx3ymYpIb513FNeVDsSbg7hjmJj1o2v\nfWwuQfK97fdIL93NujDpYdCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL9gUSpb\nVU4wD+7TrV+9Zs2wdpZZMB0GA1UdDgQWBBRYLcySfIy5A4lCDUE52GRZZIrApzAK\nBggqhkjOPQQDAgNHADBEAiBxk2j0K8G7+H6SOzFY+/evgrgvI5mZ0jgKe5vWGldm\nigIgL353FxA9mN1aNKAFHPFb7rRuSeGvWHtGI7aAhIY1iiE=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUG1TUyZZ7Cjt581lInL7cdt7vgwswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgwOTQ0ODM1MjA2MjMzMDMyNzk2MzA5NTQwODI3MDM1NDY3\nNzYyMDgwOTkyNDkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQxOTE4NjM5NTI2NzAwNTg4NTI0NDQyNDY1ODM0NDI2OTMwNzQ2NTkw\nNzQyNDA2MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQwHOAJzmgJlwLg2PDjsFXA72\ni6Hakz51n/56np2Nathg0sDf8ekVhDeemae43LSCltPyHY4cAbmCGBDrPzz4zaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUWC3MknyMuQOJQg1BOdhkWWSKwKcwHQYD\nVR0OBBYEFA2yQWpVGFvNmwMJW5klq87/VekOMAoGCCqGSM49BAMCA0kAMEYCIQDR\n5mkxWauQtN+tiRY+PtKMi/Q+gjGN7w/lWpa77TlExAIhAKVSpQR2tApLpOgvIQV/\nF4cQAwn6kSuEjwFgtURdFdoL\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUcRDr6ZkNsyw+dJxXzl20VdtDNJAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzEyNDgyMTY5NTkzOTg5Mjg3MDU1OTU3NjQwMDM4OTgxMjY1\nMjI4Nzg4MzkwNzUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR1\nXFIiQHjsNWiAOphYCHgOTqCcaBmNGwzawuh7SMwS3hzslCe3Y5yTZJnwllIcNamr\ncznQBd84xXmuPmBkVw2do3IwcDAdBgNVHQ4EFgQUZu3kQuI5/fqSesLFKdUST/O1\ncPowHwYDVR0jBBgwFoAUKsaicPSUfrhIF95fzjKfDzZxH3UwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANTILSGD1+WB9RZ4xrw0T3pXHgwFKRWSG/gvBOdo/osXAiEA99fXItJY\nGFvs6RmzHCUXA8cL7zJm4IoEgEXbO6+A0V8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULhVb/DjFSVELys+SoAa4/7ltNb8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE5MTg2Mzk1MjY3MDA1ODg1MjQ0NDI0NjU4MzQ0MjY5MzA3\nNDY1OTA3NDI0MDYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARC\neH4GDv6wo+Nult8QR9KpO/E7nYlzavEB+FyGQEXjSazdeTbVJCL62GUjj7T2Cfsj\nPNJwpZGS09EWnCLoVvK6o3IwcDAdBgNVHQ4EFgQUiYkEUlUPOEJnwNLxNRozUeKx\nE9AwHwYDVR0jBBgwFoAUDbJBalUYW82bAwlbmSWrzv9V6Q4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgA5Rnkg5J8BmdMkzZCFP2i2o7CqslCWhxhUNZ8V0FuMkCIQDG0NBulIYO\nogzcjWC3JsociydED3N0WjW23qykzEZJIw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUb9Lo/YuDFXGdLa3UMzbIKrXxrJAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEI7iP9XKdekwJs0GxuL9uQe7pDEjhnWnwHxrk\n4Fp0Ob4z/Aq7tK1Viq4nANa3dbaPhMzBz/rF5jUvffXxz4OWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEg5jPQ77ebVDpFeJlomJJF4ZDeIwCgYIKoZIzj0EAwIDSAAwRQIg\nNpM4vZqBTLumaJvfcKYA+8LJJ0cs6hCucRm48Nli6ewCIQCRuxvZs+y1Snx17ICI\n73SzZn2jnGJDKga1RJd9eqa76Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ0eOF+AwqSgt0l+EGiut+Auh6XgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQc310/4+jRBNt5TMZNcMS37+eLHAB7GyX72kZR\ng/uJ3sYsK6T8U7y80nBfTnej2qaDNn/n2BWX+ORbtQiL/plYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU61+tyxB8Uduikacm62ovnjqkOZMwCgYIKoZIzj0EAwIDRwAwRAIg\nMmfA3XJO1M5yFgKjMEhmnEHlIxDv4K6VuFuyw/shYnICIBPpIc7XH1pfxrOLQ1dI\nqiuCSam/njO/1ASjz4gaZupA\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZtLXL2tX9/B9mh4eRAchS/5QG5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2Mzg0MDE0MjgzODAzNTU5MzQ2NTg4\nNTQ1MjI4ODg4NDM0NjI4NTQxNDk1MTY0MzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJWm79+Rip6cOMMZH01538gZKNQSwRixg+psXTuTUlJa7YbBe3pf3djUU5d67pRT\nEPYAX7rBiUHJPrg/CUlXG+ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBIOYz0O\n+3m1Q6RXiZaJiSReGQ3iMB0GA1UdDgQWBBQGJyFKullTawBOIMwPw9B1lOpz0zAK\nBggqhkjOPQQDAgNHADBEAiBcmdp03LHwO2QP9/HIhkFA0/9jXrjepGDN6k6YwQLQ\npgIged0Gafe9tiLlGLBeNyWt2UxDN5ioBnCFruGUO5TOJ1M=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUf9dUCpfGYZKnrN6wC3muYYtGiZ8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4NDAxNDI4MzgwMzU1OTM0NjU4ODU0NTIyODg4ODQzNDYy\nODU0MTQ5NTE2NDMyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDU4NzAxODk2MDM5MzE1Mzc5MDI1MzEyMTU2MDExMzI2MjUyOTU0MTk3\nMDA3NDUxOTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPkhJUhHTiSGi5anSwp+CazQ3\nKGim11KJviZz+QePbSDPQ94Rv6YwzjCL+TZ9FYKxP5MWkpswT1dzv614cHpEmKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUBichSrpZU2sATiDMD8PQdZTqc9MwHQYD\nVR0OBBYEFPaxteQMJO9QitJvfsRge+q5z/dwMAoGCCqGSM49BAMCA0cAMEQCIHNE\nR0uw99ZsTaFjtyxa4mihJ1cSX/vCsunUfHgxuRa3AiB+RAirU0NQNweLU7TKFjVc\nmg78HJcnNy+h0h+cJ6kVaQ==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUFzS2AIj5MEDx3ATXWVrjiuM4uUYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg3MDE4OTYwMzkzMTUzNzkwMjUzMTIxNTYwMTEzMjYyNTI5\nNTQxOTcwMDc0NTE5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDcyOTg0MzgwOTE0ODg5NzEyMTc3NzU5MDg2MDQxNzc2NjkxMDQ1MzYw\nODc3ODE0MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDe41WEgMdtK9YRaJxmkWknVj\ngU9plTguyzSFffDNQ278xhReYiqiX6a2TzYeI/hrGu+4UOti11HCKuK6m7IafaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9rG15Awk71CK0m9+xGB76rnP93AwHQYD\nVR0OBBYEFNwRvxlyu6MGWGGWvWfgbtdD22qpMAoGCCqGSM49BAMCA0gAMEUCIGIA\nDmnPb8UOB1RK+jCB2IHbF11HPpNTVo4FAgHFIru/AiEAkYYrtEP7NwfOuR3tEN+r\nLn1xMVuPftTjkR6iRWjo1YM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHfgSF00yURlc6fwabAj0HOrl8hwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODk2MjE3ODAzNzMwNDc2MjY1OTEy\nMzI4MzE1NDcxNDQyMzkyOTQyMzU5Mjg5NTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGVKHq4RItuiZCY0n7n5T7zWY+YxP235dQyHCxUTFQYMgcoxlbP2sdy7+aND7j4t\nauyjFvvXmpkcamcUL95Hs0yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOtfrcsQ\nfFHbopGnJutqL546pDmTMB0GA1UdDgQWBBSSeTKttVbcRQZJiIx6O2VgGwXuYTAK\nBggqhkjOPQQDAgNIADBFAiAU4hzcvYjnSlhC3V5sfjuWdNrNxZjahRkY5vI9aTbz\nXwIhAIk73+kG4EA+6x5ug+csoY59EuCxjLI0EOIhb4kBQcCR\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUQgnc/c/e4TQPV08icFyUVkL4gPMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg5NjIxNzgwMzczMDQ3NjI2NTkxMjMyODMxNTQ3MTQ0MjM5\nMjk0MjM1OTI4OTUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE3MTA5Mjg5MzExMzM3OTk2NzAxMDg4OTA0Mjg1NTc4NTQxODM2NDg0\nNTE1ODk0MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhnewbij5DQH5faQoICgARJo7\naJentAx+2fLwMvsji33Zb42CNFJMdlPQJalzZnJrFE0D+VgHQm4BKBUf+mVVpKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUknkyrbVW3EUGSYiMejtlYBsF7mEwHQYD\nVR0OBBYEFFzJy+pP8t68Wck3KWqSbqQpz6X1MAoGCCqGSM49BAMCA0kAMEYCIQCH\nhF5sLlDNls1irvGJwUYoQL/CribX5YeQefd2DP5LlgIhAJDbsn9D2JHAs+TxXiZx\nltRfJQc4VpX9jqtX6rRoAY8I\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUdY0Ds5H+wc8MMg9L56pedjZ36mUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTcxMDkyODkzMTEzMzc5OTY3MDEwODg5MDQyODU1Nzg1NDE4\nMzY0ODQ1MTU4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM3NzAxMzM0ODY1MTgxMTQ1NTE1NjIwMDI0NjA3ODg2NDE2NjY0NjA1\nMzM3MjE0NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKuqIZAo0ZIvpg6VwuR81RAea\nAm0n5Unaa5L0ju0zg5aKOrl79Ky0kjEYf0i+Bxwtu3Xo7Wr9uzC+EbBNI6cYmqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXMnL6k/y3rxZyTcpapJupCnPpfUwHQYD\nVR0OBBYEFPiIwEw6bwrEO2MBwThl3hGy/eLDMAoGCCqGSM49BAMCA0gAMEUCIQC6\nZGoeA9d1+ERTJozTQU16AGqBKwpGrHaJ9xUmzS6J0QIgD6TP9Q/XKYcUWZcicSgS\nWkUbhAzCj7+2ADXb5IFQfMw=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUWMZWyWi+4YRInuX2ucTjVlfTSVwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI5ODQzODA5MTQ4ODk3MTIxNzc3NTkwODYwNDE3NzY2OTEw\nNDUzNjA4Nzc4MTQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATm\n4UFPgtxtHAl5X7l8lI6slQWqqOFh5066fZZkBROXdI1IdyVxb9Tk/2w8WT4S+QE/\nCjWKYX7gb24r+0i4U3TDo3IwcDAdBgNVHQ4EFgQUU3iXvGSEQ6hw4a4hVm2CLRvY\ng7EwHwYDVR0jBBgwFoAU3BG/GXK7owZYYZa9Z+Bu10PbaqkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhALUDTASAkpv+Zz7SPhriDDhfcijfs1AquhSqR4aNvKkGAiB/IkEFmc/Y\nxN8QbaNcYdlaY6I6eOuwtIJ/JnyOerU4sw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULBgkZSbVikGW8IAIW+pw9bIiaaowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc3MDEzMzQ4NjUxODExNDU1MTU2MjAwMjQ2MDc4ODY0MTY2\nNjQ2MDUzMzcyMTQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATj\n82mKcbzkgXMjfyydz+9VqNNY8rT29N99pI4pvDrFTrSTgtC4h9rdZssC3StF1qA8\nD77KhqwYdiMkn384n/wIo3IwcDAdBgNVHQ4EFgQU2QznaJouicgWKTJ+EElsnCGN\nHfIwHwYDVR0jBBgwFoAU+IjATDpvCsQ7YwHBOGXeEbL94sMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgMSfFZsfHFREZKxYESZ1cWWTF67JE16eF0xp3skX5uQ0CIQDhdjtRl8g2\nGO9dBWv/tQJO/SXeJc+d63/Bs++3ACmYNg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH7/iXqE0ZL4DdPToKnpSoBIe5y4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHWILDjvSc6ovs0lFWn5l72mXNiB7WUl0emIsy\ny1xStpfqpB6ECdaA+xIhJ8FFA4oOw5/ygx7J7luQN5jOEuQFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUokDcxoqLjEg+1CYq0jEh5w3K12IwCgYIKoZIzj0EAwIDSAAwRQIh\nAKn5a8Wgpt3y922B2icKhK+KNbmpHqDDassmKIy01/phAiATxnl3cR/t3Jn5bAx4\nMi0ue7RLMdm/FwEsmml556CTWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUd2NN3yEK3YVMxIq4GUqmZqgygWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShmxMb9GglTrGPZLMD1PISRia4vTKM/VmkP2o/\n9XnfoYlogdryNMt6G3YlKvHRYuPET0riPWmJ5CwWgPWZphmjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6/JA47FtpwCrIrqwmERpYmmoIxQwCgYIKoZIzj0EAwIDSQAwRgIh\nAOpaXqFjaIrke20WZ3ae6dgZf5NwuBwu56ryCP7Wjxn0AiEA97WPiVDMSDC3XbCB\nhE/g+KoP8rc8r6gn35adVThoEAA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUOdTAK4sBIXGUftZQEZETkSYlWOQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxODEyNTc4NzU4MDU4OTkxOTI3MDg2\nMTQ4NDEzNzY0NDM1OTIxNjgzODMxMTMwMDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ75A3Nt0iHzhfTpTtgCANEfcfHrYDR+MX7WpcQzky/HT4w7vE0lIuQwvWK/mOnP\ni6HPaS8GqvPzWGpPyUa0jyyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKJA3MaK\ni4xIPtQmKtIxIecNytdiMB0GA1UdDgQWBBTMU0I8PADj2TFnXT7fv978cohMRzAK\nBggqhkjOPQQDAgNIADBFAiEAuOxLEAmZD2Ogl+GMlF5f5aLcR7fPaQN8lDG8KQnz\nv58CIGBhriEkrN+Wl9MKPmYyPJeZx0/YexqDjsOeIE6p4AWW\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIULq8gfGHhYEM5Y3W/Ri8pjPVFNZMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxMjU3ODc1ODA1ODk5MTkyNzA4NjE0ODQxMzc2NDQzNTky\nMTY4MzgzMTEzMDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4MTI1Nzg3NTgwNTg5OTE5MjcwODYxNDg0MTM3NjQ0MzU5MjE2ODM4\nMzExMzAwNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEb+vHIu99LBwZXUaCmHLuJH7h\nZjcbUVXW8SSEOGXYQ12A2sqT5ShN9LmV8zRfK3OnihFddNeWQm+6iNZeRyDm0qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzFNCPDwA49kxZ10+37/e/HKITEcwHQYD\nVR0OBBYEFB2/paumYb/tDsZ42/lclqrTCw2BMAoGCCqGSM49BAMCA0cAMEQCIBEr\nrnqs2K4rNbAO+X4ih3PIuX8HpvYN1pZBOEzU1St+AiBYwLUu2UD4yYQYUY1PTioj\nETwDSr/ZjMYJoszjU88R7g==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUBCbJOCHrpL0MpJY0G+S1P9Sy/gAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxMjU3ODc1ODA1ODk5MTkyNzA4NjE0ODQxMzc2NDQzNTky\nMTY4MzgzMTEzMDA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI2NjUxOTAzNTc4NTkwODEyNjUxMDQzMjQzMDY2NTAzODM3Mjc5MTgy\nNDc1ODE2MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6m106elehqB3dRb6EoFlNVqP\nsYLCUNNOo44vKwWM8zuZI1JCFdN2amDB+n3LwDXiOAHHFT40E41Z8LziF/ca3qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHb+lq6Zhv+0Oxnjb+VyWqtMLDYEwHQYD\nVR0OBBYEFKs+Q5cGHu20FliXkQe00uHBof1AMAoGCCqGSM49BAMCA0cAMEQCICJ0\n3Abb8NtvlKVfsmrcGR1i9R1lAJ89E7z//1jGrt7rAiBop5r2k/3wt+gZPCGiGBoz\nUWx3TJ+T4q/db/ysMzWF2Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUEZmpR/Xls/0Hgswm0hkWrBXr73EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODE1ODQ0NTkwNzU1OTY5NDM3ODYx\nMzkzNTg3Mjc4NDcyNDUzMTY5ODQzMDgwNjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAaxxNsMTnj/QTiwUrGGakss4SNTTo0RLjDbg4bkNtoy+fWQt50SXMGBR26yHKFL\niMNDD1CJKX4Z4LeLcHP1osOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOvyQOOx\nbacAqyK6sJhEaWJpqCMUMB0GA1UdDgQWBBSeHdcMMAbluZdCJ5co/B3ckjHnUzAK\nBggqhkjOPQQDAgNHADBEAiA+1snyMwGWSa2tS3DC4A0cO9acg788FHp5hoLcnb0h\nrAIgJOr24zXG0oFwqy2fzNrmHAzNVluYa2yz9nuOSjm0rJE=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUO2pSuUHJ+4Mq0V9Xchk6Akuf0hswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDY4MTU4NDQ1OTA3NTU5Njk0Mzc4NjEzOTM1ODcyNzg0NzI0NTMxNjk4\nNDMwODA2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJrM6DaEU8SYr1pFVNmEysGh\n1G0/1ZkLmLOk0+r6LNyrb7k/2Bq+tdtxlGwC2BPW17/BNAkQobNMwoRIrsASkKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnh3XDDAG5bmXQieXKPwd3JIx51MwHQYD\nVR0OBBYEFM//N35XbLiNFJserFbmEqzv8KUAMAoGCCqGSM49BAMCA0cAMEQCIALE\nV8hssIdzYnL0ifwDUV5GLA+jpHR9an1dxIpsB27ZAiAj8pugHJgBz6QMnS9wA+Bi\necCIDrb7JjsenJdMB6yhIw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUHIxyU7Oa6E89bXeM3zXERbTVGp8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTIwMTU0MDcxNjc4MzYzNTM2ODEzNTM2Mjk4NzczMDEwOTA0NTM1\nNzQwMDYwMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE40UVWrpBcfESHMVhgM1Rydaz\n5bxD5QLrG9vv+EbZ7dTHAWZEwWoL1bGjOrcWwuT+VywCElq3NvPHVKMjRofpzqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUz/83fldsuI0Umx6sVuYSrO/wpQAwHQYD\nVR0OBBYEFGyDQl9aqz2OChVbvK9+itfi9LNDMAoGCCqGSM49BAMCA0cAMEQCIACc\n3BkEbn1cfSaPGUM70m0jvXxpsJ2LdBZSSmVid8TZAiBdAcbhHQSOV95bXee9igND\nc4rf5iyJ5QdpuIp4sSXQRg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUYNUZRkiZU9P3VBmlMqzjRjj5oLgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY2NTE5MDM1Nzg1OTA4MTI2NTEwNDMyNDMwNjY1MDM4Mzcy\nNzkxODI0NzU4MTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQl\nV1NDSB6b/Sxt7i0h0E8e5qzfJnFCS7C/yCWeZGsFSQpaW4LjJeGu7RzsZ1gWIhPw\ndzNbSiW0J37dxBSqtkgQo3IwcDAdBgNVHQ4EFgQUUUfCJpIFzqXdMHo3e2Ml6rKa\nKz8wHwYDVR0jBBgwFoAUqz5DlwYe7bQWWJeRB7TS4cGh/UAwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgP6BlJvVPkdRefqOllTT5DGpwj/qeSdDNfVK5U9KE6o4CIQDrGmD01Hyt\nqQxi3q/BwetfSz+bdLJLPYW8NsiuaIw4ng==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUQh8ePtHdIDmymt9iAseRpBxHpJQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzM5MjAxNTQwNzE2NzgzNjM1MzY4MTM1MzYyOTg3NzMwMTA5\nMDQ1MzU3NDAwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATC\nLURT9L9LbR94Wf/ZtVEjpg9Xn1nA4vfn+/P4ukSaYdqD9bllI8rAd+O0kki38jVT\n979q3n46ymPamd2MvzLfo3IwcDAdBgNVHQ4EFgQU2JPlj1m0904051JOR6y3wBpS\nK70wHwYDVR0jBBgwFoAUbINCX1qrPY4KFVu8r36K1+L0s0MwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgZn4eP5KRSFR6rmSyMRnLqx2xPkmagvlyolnaX1z4v0oCIGmV1kOCpqsq\nJX/aZvtN7C7npN0zP14fR0XXAh9wTTD+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUUjTrELZehLm3Y551YDxcDxejMQswCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUxUXyUlsU8n0\nym04iCyo4oMd7J2vVH+apZ2xoNTaO43xmbM0z5KuetGJVc3NZnHggxfR5edkPMbH\nryQYgKCE3qNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFC1BC71o13YEVMWNofMbPmAKukWo\nMAoGCCqGSM49BAMCA0kAMEYCIQCXZgS2WmiEk1b8EVAwWbK17b+j2wDD85QP4Hfs\n4VP9WAIhAIr1tTxxB6AAysXs446N7J34VCbpSESHoLM1sHMaVvDP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARigAwIBAgIUVXkwDwGXFktIvZ5IpK/7AppX7BYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsJlJKF8ZfhHe\ndhd0yn1EU2xHS01TzZTYOqnRw/iLr9HnqivMg/+ahrHvPMoIMW51UHngDDFQWfMp\n37iOmQNnS6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLvoEP+Ad7tw2B6ZtS/K9GWFkj5X\nMAoGCCqGSM49BAMCA0YAMEMCHyEMNqRaAFvpJY3GAqUlJGgSkQoRfDkCrwej8Yz8\nTFUCICQDJN/i+sgZzvCsHlQ4rfF7oDo4BVf5or7QcO3gq1Q/\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUXH6llF8pEUNy+WlndGXNAIFx1IkwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEsh1iPj7gVEBERGn393Dvd24jmHp4vxUxTdyUEy72qkGW\nOF5/B7gRBpFwWoxlb+R3JMG/+Gb48XUqxCfwsKUSQKNyMHAwHQYDVR0OBBYEFBpg\ntWx31hTnVduLi7lxy2jrnTcuMB8GA1UdIwQYMBaAFC1BC71o13YEVMWNofMbPmAK\nukWoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIDZefM1jDMzRzunbqfNH9D4TPVKDPbkpyl42\nT6gvupjaAiEAgyO4AUyBNUE23973Pz0uV7R/Hzr9PAFzQmqg6NdjxNE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUL61FLsmDUUqZymQT0G/4fXNCfxswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAExKk0ZOCPTEySe2OXQa2TEhQDWkEW2ghNOIm9coR1CCkc\np2EyrrhzaxRxkNOoFJqIHf/lUBJVJRTJyhha6FeBpaNyMHAwHQYDVR0OBBYEFJMF\nGfPjgk32fWoWBUpt9wBvzlPeMB8GA1UdIwQYMBaAFLvoEP+Ad7tw2B6ZtS/K9GWF\nkj5XMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIQDWQxKXPhYbAYNE1oU6xjCEnvY3tYdajLim\n8iLTUvXFEQIgVga8ctCVXu0osKRFH619CIaYiv6X8fzAa/qJXnU1IU0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUTLWmeI+XPxcg1mn83tioWbXBb3IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOR6uNoLZ\n3218jriIATcpHDkV+LY+zvK1al7Tb/8pgETQyL+iSv22eTjAPEz2s1iPj02n0Re+\ndRo08POMvTqstqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFD2gR1gjGAzyIByiBzUAs03H\ndkPWMAoGCCqGSM49BAMCA0gAMEUCIHzsV3MjxtZPDeoH+BBIBnChrZR5TKvA+xAU\n3KCv620cAiEA4rciZMeYY+t8zdVnm/0A2qLvl1OFnwXR5TAIqGrQbME=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUH8a41o1e1PL9ucHGNjAnWfPdVcEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1BlmRL1B\n8mFhnWv+gdSJkKvywojnGkoFcuydKmJY9vLBrPL9neG7BF6ul/NLtBvTSOTjxEO3\nXre7mwJejXjdOqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLtfol4cwaPiMbH13zGG9xrz\nT7IhMAoGCCqGSM49BAMCA0gAMEUCIGozEUbWOUFN43iqoM7u1Zkbz4nANbH77lmx\nBmpflGsmAiEAqHecav7adokKRNXLxumKzGiGFD7AFrrdPmmEFPbjREU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUQisuSWa8PDhSVN/v4LvsYgDUBhwwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABF78g8F5CUlu\nK2hPYoldOAsc2j8iCpVb3M8Z7Ton75itDtZ/njLZUaLX7wgM9x7aR/VAqPq0LBij\nPwUe/HQHcECjcjBwMB0GA1UdDgQWBBRXH4h9Nm/V4jy+3vRFdASvMqH0PjAfBgNV\nHSMEGDAWgBQ9oEdYIxgM8iAcogc1ALNNx3ZD1jAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBS\n69fgI7ptgeE3BxKdIy7SdmhKeC45PektcTK0z+TO/wIhAM6F1jQL+ZqstlWhAYhY\nwtIDcve7B0Ql27+cn+BA9ZnL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUQSY6ID9yBYRBZuPk5PFo50SOwVEwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEpdaDdKcYgg\njhnOvyNXdwtJHicJN5tE98zyZxwGITETD2Vdi29KWwItkTDk6BHFp9w3hOGIyMhi\nKnlQsPyOonKjcjBwMB0GA1UdDgQWBBT+hvPB1S+vvf1me5L3MBdM+LqxvzAfBgNV\nHSMEGDAWgBS7X6JeHMGj4jGx9d8xhvca80+yITAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n+I9FTIpqgmNr8O7jAEu8LKJxbedIOql97uEl9cIFZNQCIQCf+FJiWW+bTZW86Upm\nNOIEmMTKODUTRSR1ExUGnQb8EA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXTpjKrV6JwbmILkW5WsaADcP0lkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpirmRVCKAoZP5Q32R7AS6o8iI5X8pSAZJHqn4\niNsSdGL3Nul3Gs+c6/DvD79wUFQvpgofmsxrHX3F7oOOxcAao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3WhC4a+3/iYr+Y6n+vDlZI7iCa8wCgYIKoZIzj0EAwIDSQAwRgIh\nAPCmOsSleACVu12HIoeH4zQh0UofoptFF63r1Nv9gxIbAiEA4aAeaH5pMf7SU7rq\nchGFwmh1wuACCEy6TGt+fgI6KbA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVTnIR9f1BG7gD//7SjItGKIKk1gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwOAQ/mf/ncMPfGtNVrppLsCP1/OrSLoFjpmsf\nG1FDCP1HagYQg9zEbU83BWNSWROzdHvzgL+sF8CaWLsXZUx7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXvxoSKqjE4crPnYzTRPxSRVwj2cwCgYIKoZIzj0EAwIDSAAwRQIg\nWzGYPeT1Ro3Bp4iifLBzuNUQ2lV3zkr1kGUVbK7hcFgCIQDgLnomPk1Oy3Rr4lqH\n/0J3dZUrWi9eK/NVGziZS4sMwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUWpvO+MDPMvo74UZ7lFCOebO3GlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEjidJ2/7eQhNphRJBa7FnO7Y+Gln9Pqd/A15vsuwd\n1wlDQ+WBK3rKSjf+0CAh+MUYNzk8rZvsmkwBJaNeLjYWV6OBhzCBhDAdBgNVHQ4E\nFgQUcepNkd7TXAs0EQ/wZMWF3ctleOQwHwYDVR0jBBgwFoAU3WhC4a+3/iYr+Y6n\n+vDlZI7iCa8wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBP\nZRC43aGEB1MzpRaxdgAr8yTxASD2oijEybclmeogxwIgU2wV/PowhsxaaRrcSJy1\ncITdbf1E4sExMLFYNzJiiy8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUUV+aI6B7qV5mqgiuL6Wp8ILa5WcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEg2+Kxl8ak5/NZqk0k+bGB613mHqUXVI1hU6nd+3n\nhCVWUihP/WLGsWh76GLVGZQmYiY8Hw9wrR5yXJE+mgUlB6OBhzCBhDAdBgNVHQ4E\nFgQU6L4hFOiIdzNWfg1sdj6I89Hr8DQwHwYDVR0jBBgwFoAUXvxoSKqjE4crPnYz\nTRPxSRVwj2cwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNJADBGAiEA\nkFvk9psvsr4zHviUlS80/Af5ciKE1cXa1xE8KtwwMXYCIQCyeqqgg0xYlBlts2WR\n8QPL1n1WhH3i05nwUW6Tu0wu3g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUe+J2q7H0z0cYZ9a/dc9zOBE2iFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGgfzBsjP7ES1z8h9M/79/+qLoXXjXL7lApGiZ\nURRh/vtR6LOYGeLiRDWVKjYlS8o/8RFB2+IFF0W+KSE16Gv8o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6dX/95dlJMKuNtfKLeKKlcsh76wwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEA4ne0Sx0FtVMdFfIsodz2O2vs1pB9qXMR9Wr/\nFKlrNWQCIQCx5ikzbjT5D6/kzBbln4y9PHfVmTCcEyf3QK0xhREjFg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUCHmtFiqs/hmRoiX9nYhxhCNAh2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQM/xxRuI4wWnEdNc48U53PZ+adTwowzb3Mw88g\nyFWoBNzcqriEuKTU8S06eLzHNUgGFesmCAYyA8CR/ngbeuY8o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVxoX4SU/ZlY4zPBBLvGNopq3jOowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA2ec2AgJnCF8Iq4cDYyEUMOlVD9eP6Sbxefdu\nOaTMaVkCIA8j5YsWbram2fnwBqCsAD542DMX0sw0ZUDYVTUX4msP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUGy18NAqc7O1azhGfQeLxSwKKea4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElIc3+9OllItfmfahBV1+Rjmw+aMDmhxjdq1kK4b7\ndUtB9RYi1Wq7na91za2aecG45f5P4XQvMOZfBGW9QwBNJqNyMHAwHQYDVR0OBBYE\nFAlJNOBzm14HGd9qcJr2KqLInX05MB8GA1UdIwQYMBaAFOnV//eXZSTCrjbXyi3i\nipXLIe+sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCQFSmr4P/kZ76IqpJhS3yRPsL0CiV1\n1ZKVtJ6/xuzOEgIgTEkWNQWBQ8zAaeChWSFevvMpK9351166+aOb2PJoc1Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFiKeDERNgzwyYI+fqpeSzh7tMe0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEiBtNGt58P1D15RncOlNIRifoZSvdhVQCvOf49hp+\n9jOMlr2uqD0q7nnlaGXoeSqUdS87Mx1KdR/c71jSW619ZaNyMHAwHQYDVR0OBBYE\nFKrvZgOiGZciDjzdBVA7TGX0TrzqMB8GA1UdIwQYMBaAFFcaF+ElP2ZWOMzwQS7x\njaKat4zqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqkgnu4mCeft+3U5mNv5IUYSTb6cyD\nh0gUtGn58vyIQQIhAKYv++qynsE6zOB4lQv9msQc6uMXxUpgdyM34/iG5FuJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXWFPsJiIoLRQpEZ4iJ8R/I+jzk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6xogAYuMR3JSatG3cyzjwt9ZbuKtL3ZHYsfJW\nV7FzMchUydzbRoTEUb8bCYGgbkg+hzhep+cVSi9zdRTW022co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvv/onk6rFJ78lrDhppWIpf4DsFAwCgYIKoZIzj0EAwIDRwAwRAIg\nNTlZCCgpuO+TEFTzc8CPR2SlKJAIphCxoiCOIZ0GJwICIGe4XRxlwe2a9yhKTG63\naBJ+aDtROSKh8MqlS90y7Dj8\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF+a3v9nco49ZU/R2mjKg2PPV2dowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOHIJZ8So6fZZ8P9hNnDZR9YvOl0hxfi8D+cws\n1imhRTyI+DPptcC21oUih6keeBccleMrWKZeo28X17Eb9uHPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtXcUhQam2iO9K9n/bD72XFHIf98wCgYIKoZIzj0EAwIDRwAwRAIg\nQ/OL3K7EJuT+Hvl59wv2H2o59TlocuDQfKmbwNtE8lYCIFlUf7PhUnRMPoppLVkg\niNKjX5J6WhznvGow9vapkSSv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUYJNsDsMSNR0u4rfPwHVD2yoIzr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MzMxMDYyNTU5MzM5MTE4MDA1NDY2\nOTcxODE2MzI1OTAyMTA0MjMzMTg2Mjk5NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMTT14irhRuS4J5BcsqkEBrVP6kkJbJMQbYmc1lz1AAWMUHy56KWGcTQPSOKHWuk\nE4VceETM7MELhAXQ7F+qoS6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUvv/o\nnk6rFJ78lrDhppWIpf4DsFAwHQYDVR0OBBYEFEciiZxX+rfYoU4mqIRPVkbrIcMF\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgSaP1wokSQU3N\npx1BtcPYP0SIUG/XRw2K2H8TuNduudwCIQDZ+zvVwDaMTZhSN515Es5KYcdkB+cS\nkSEAwXfYNNn6DA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUbnBgja8OT6VvJ0chUWRd9qNAiyYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxMzY0NTE5NjU5NTY0NTYwNDQxODg1\nNDEwODA0OTMwODAzNDU1MDQwMDA2MjkyMTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCAXFZmQmClAwdm3fNs/I5Yl9YNqRESGI3xiuSWM/0WZs5PA0Vt+nsoIXWXE0zCZ\nZSOgb4oLQ6IH6QGR8U+qvjqjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtXcU\nhQam2iO9K9n/bD72XFHIf98wHQYDVR0OBBYEFMow73vHCv6RlU87NF6VLtRPLLpX\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgbP4n36cHSvae\nLCWU6xTkmyom1P/z/4CSztRQPiE79YwCIGKhU9rr4QcCQk6Pa5QMmTL7FzD6Pi8n\nPnHK4Tb0EAeV\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUQXrHpmCFcDlioAHzNH4YD9H0QaYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTMzMTA2MjU1OTMzOTExODAwNTQ2Njk3MTgxNjMyNTkwMjEw\nNDIzMzE4NjI5OTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARW\n0T4Q/uYFwv3ULxL4DEi/SRBq3m87WE03tTz8qhYdoR1IJCJL+fZfJyUixd2un1s6\nqNLHrnYWLb+R8lxLVRjlo3IwcDAdBgNVHQ4EFgQUze1Lg1varJtv80+eRsyf7wWX\njI0wHwYDVR0jBBgwFoAURyKJnFf6t9ihTiaohE9WRushwwUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKOXPqeECdGD36CsDToznBoXCnY4Azs8QMZrpNfi/IvKAiEAihAG1pvH\nbzV6f2LdHGTS01UexU7uwARjJgpVPEa6xzY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUBBkEaTUzU/pcy6LWjDUBEjaCxpQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM2NDUxOTY1OTU2NDU2MDQ0MTg4NTQxMDgwNDkzMDgwMzQ1\nNTA0MDAwNjI5MjEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARF\nkRhk2uoMfh41mVRxmQggVen0FEhxDW6pNNx6Ej1SnVw+WjYMO1pIWI13odzDwZ2N\n4Jm5+alaPy/txsXISnUAo3IwcDAdBgNVHQ4EFgQUBBmDRqQ+gakcxfc9XFvD+aeW\n7G8wHwYDVR0jBBgwFoAUyjDve8cK/pGVTzs0XpUu1E8sulcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIxcDYaswBelyIr71Y+u94nVI1g+teMin0JXi9LlQxedAiByVx6qJDt5\n3wb7gb7xCf//zu+CbcHTylOdFUuMAwN6+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUU29xx7JciTZbAnHF9c3Ozqvrr64wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1zQFrFh9ydrYwnHrT1T1ZZom0UwN1so9g2hMs\noVxoJKziN28lO7BJOKvAXT/di64an42N8r1/aIm5KanH1um7o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRVNV/2UyvCHXI0A/qU77g2hR+ggDAdBgNVHQ4EFgQUVTVf\n9lMrwh1yNAP6lO+4NoUfoIAwCgYIKoZIzj0EAwIDSAAwRQIhAKWSr6G2eDPiEFB5\nR9t1ELhkybJHzwPTeWS62SB2HfDXAiBzXZo008jUjlF6AV65uic9swpXqG1qrqH+\nO5lSNrWgXQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVMDwvgh0/rKbgLAvUQAXu5HLE60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNJDcmLWzOLZMgAl4aIl97a1bmu3UbIqg+rABb\nDCmV3J28FYfjBZFxDllAGkCyvWYEbELY2Yftb3gTTX712p7co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ7CHEIWDyj3Zh59gHyc7au68+ipzAdBgNVHQ4EFgQUOwhx\nCFg8o92YefYB8nO2ruvPoqcwCgYIKoZIzj0EAwIDSAAwRQIgOotsuMNabpjn8va5\neY1kmEol/Jw9nfsiMHmnDPBHLhwCIQCeBww0do8oSJELOQWUtMn7YcAbi6W9CTHL\nGhc8m6M9ng==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIULtaKflIUfEdr9unwLLzM5rMvAMcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcZBFQnonGVXeR2tm8wFvuEoRWnHrvYUVdDe1sUg2\nqD1z3FujC24Glgf+R5GgZ1UubDHu6Es6Pzfu2tTBt2nlNKNyMHAwHQYDVR0OBBYE\nFPx4BZZW74jiZOPWUPwvxCbDLyQ+MB8GA1UdIwQYMBaAFFU1X/ZTK8IdcjQD+pTv\nuDaFH6CAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCyu3lAQfK8TurpV/Y/3aAQHzR7hZQZ\nR8paF5Z5qlevDAIhALnFxoukC377vh6A9Em3eqfQvsHgCd9kt7IY9kM+Xowc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ2iUgbQbPnHV9S32ffb/UFacqlcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEq2hap23RAbjOpJ0XhVRCaT5bbSW9rpbhqO93OgvX\nn8+vQadtBmVg9LhmrT0UfArn9+IT0bUK3uns2NJhmisJUaNyMHAwHQYDVR0OBBYE\nFJ5p82rfkqnAobc2KgMV5rzD+1jSMB8GA1UdIwQYMBaAFDsIcQhYPKPdmHn2AfJz\ntq7rz6KnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEPuhDLFuAYfjGE6w0zGJkJYy/sDDBAv\n94t+UOoF/BKIAiEAo1EXh//sRHXU90TsoYP/kXVAplivFu198z54QhVrREo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCSY2G8gsQFx4SlbEj4CBvRdLGvIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyKUNVyNZkyBZ7A/hpylZ582RWc0aVdzvyLTPc\n45I5+EubFCSkFqJiLhTAU4ANrYMu8j8DpSdgnxleDCuDLGCYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYI4WvxrtlmdII9Flw34zeuitHFIwCgYIKoZIzj0EAwIDSAAwRQIh\nALTG7vsK4i/YaDrAxpbIDfTt++1AVqvrCNEfkp68qJ5hAiAvN8Z+vaNM7bCd+g4w\nRIsXR+3gkdScZlfT/ZnIR1waEQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfv4u8UPFM1OQXfhdZcsgyuylo7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASz/+/ZmOQwjT9WIC6sXdOM2Wr/TwD5mUjjJ7EM\nDqcBt79r3qoN8nizPQgYkoykT9woHygoCPPsPpSWirOSelGxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXTfqQVZmy9QgEf++jJGyLunclAowCgYIKoZIzj0EAwIDSAAwRQIg\nMPM/mkyZY6KLRMVrobavgX+hOLnf6R0HzbOQKEyktLYCIQDFnySjlW7VSyQSesAW\nRDu1FvYEmJ83ImsgVyQhyFSD7g==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUDK2lH5poQZdmFi4tCdwo35oEUcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDo04QWVyHcCUiyJJCPhN0iZMU1eC/WOqoCrGd+ov\nqqoc2xD29XJnBEq9y8guSEPc4re2V/l6HkFmHquyJCb3o6NyMHAwHQYDVR0OBBYE\nFGgVCUWLDuXWY8zW4PeYTttq5rGuMB8GA1UdIwQYMBaAFGCOFr8a7ZZnSCPRZcN+\nM3rorRxSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDn7dachtiQoQyN3G6k1lmR4sVGEDBY\nSZkvk+fdujlSmgIhAOaj9kLAFU4GM0To1LxqrSZCWMVl1XzRwQp6Vjqv9a5q\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCtf6+UZdMljw491JGxpB0Lhwht0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGtAXrMdh7Cq3VACnRzZjZwvS7kkZMFExl1/9/Rpe\nECeEd5WkChWTOYGKglLN5eU06BpG2u1v+ZWA/dbhB8uIlKNyMHAwHQYDVR0OBBYE\nFBZWDJ8Xi9Pwt9j2/EMwsqXgEfoZMB8GA1UdIwQYMBaAFF036kFWZsvUIBH/voyR\nsi7p3JQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCdxI4B/hmwYF5dgMhmA+xcWb4v2xoX\nm8uiCc8ItTHkxwIhAOoFWdlAO+DnQzjPfdlkm3MHSSi5EWZ0GpHszbOkoqRX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYSgAwIBAgIUTAdHwlapxozb1WHIMYHqevvmDLQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8xOTUyMzQyMjg1NTk1NTIzMDIyMjI3\nNzI2ODk3MzQ4NDY1NzQ5NDA4MTk2ODc4MTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nIT6x06TzuHb9YOwkcQsW0w/CwfvNW0AGPBmtpogF2kPQooxGEEvTqOYWQ3On5uJE\nEYfMswe5hoD6z+SHa1SIaqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKFEuBme5EtK\nRkOcnUpKAkHK9F3vMAoGCCqGSM49BAMCA0kAMEYCIQDel0qUyWoUPx9EGZ89BwFr\nlj40bldFFT86yzGh0gwN1wIhANrIzZ7sUoZ9IrgILDQDYaGtcPqZTU+746gFNzq1\nfH41\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUedMDqoabQ9/iPt+23R31wceHw5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTU2OTE1OTE0Mzc0MTI3MDMyMjUy\nMDUzMjU4NzU3MzQwMDcyODIwMDY3OTYzNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHIKemQ681HQg0UNyrQoI3EetnoEOAGVV8/QjE+DcP+YI56xiNxSg8x0Tm27ciVN\nvZPRXADzw6nYW8VA/xCvohejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSiKYWZsMJa\nG+wMlmYU2kJtA6XpFDAKBggqhkjOPQQDAgNJADBGAiEAkVz12Ize5yLqX2bDOIc8\n/ClaSS5hmlHvurzpqJukPywCIQD3m9sfHcz4TtkQRW//B+dThMbgj+81Fbj6CEu0\nCUUGwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUMtBHX17X4HT4TgA/gQVg3BuavOIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTk1MjM0MjI4NTU5NTUyMzAyMjIyNzcyNjg5NzM0ODQ2NTc0\nOTQwODE5Njg3ODExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPW8\nqIiRxJG5WRhdqeu1xyo8l/lyNgK8+Jn7+nc5EJjxepMnIefNgFo9mWd6tBAALOE0\n69F51rlz3n6RdnbUxJijcjBwMB0GA1UdDgQWBBRWWZFyYfKgNztf841bugNJd3hI\niDAfBgNVHSMEGDAWgBShRLgZnuRLSkZDnJ1KSgJByvRd7zAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiEA9w9EzrrpAUgF/4r5nkO6YD0DyqZMkVxiE4Q4hmZRkd0CIEvZ7Z6xmQAp\nXt984gJMiVjK/Lm1bcD/hu95vMCbyiFs\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUZ324pVePpxsSZuYIxRX5bpqUDDEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk1NjkxNTkxNDM3NDEyNzAzMjI1MjA1MzI1ODc1NzM0MDA3\nMjgyMDA2Nzk2MzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASl\nd7sAoo+kyzbXp75FX5qrUF4Zi7SBMHhksj8GQqLplC9GSIQFMf7slsS/30x/do7r\n/ZgeJcX9YUbeSmYIpg5/o3IwcDAdBgNVHQ4EFgQUI6y3kAj4glfho9LnIkouE2cH\nq4IwHwYDVR0jBBgwFoAUoimFmbDCWhvsDJZmFNpCbQOl6RQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgJjnlKdpCjMtyZytblBsjksxcJ3raQpRm1+mtw8ou/soCIQCMQvPxt6E+\nfHf0ZhgCyZWkez20foBkSTk8oV8sP0DnbA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJb1z3cRzLI1tqmW7kPoin8Y8BfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQul76DkZluDQsfg4Ff8loq2is9L64Qc5OsXQeJ\n+Y1FLxUw3F+41OJtK0ACPGZXZi97Yg6FTGxu/oLgONuxgUCEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpnli18VYWnwqDmeEIPkS+zTbi8YwCgYIKoZIzj0EAwIDRwAwRAIg\nXmawAx9Exgu+1OiFnjkw3FfKc9fdu6sQE+V/dV3BA28CICFW/9bTlnRcCytFpBYI\n4Utfe7QEHu1sv28Ci516TkVJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPqUTIHZVZTUf+3P3IWYVMqEgnXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFRAf+jwPrVlAM1+cYR/3WIIIrSVshNT449tYd\nJJR8aftl/FWbpUfzNbqW71dPlC0oxgO1JCTlCVsIGeclDHmio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW7MweaJTzBOsoPaDfv8WkL/Kw5QwCgYIKoZIzj0EAwIDSAAwRQIg\nHFLMF89PA6JIvu+z6RUQaAzx7QHgag33UCkh7p0vmFcCIQCMQHGatcVB6lr86rjx\nxr90D1UtDMXDKI5wkSJvT+1PqQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUBwpnqahX1vrbeX1PYx2czPYqd6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyMTU0NTc1OTI3Mzk0MTYyOTcwNjk4\nNDk3MTY3MTYzNDgwMTA4NzE1NzIzOTk2MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO9d+uqOAMBeF+c/et4odh6/71iyAKV4lNC62nJ4szSptlp7YyiM5ttwrycQfgQW\nOPwoJ6oDfyeNf5jY9J31EzWjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSA41i9wv5U\nWfw5+40qdPs9fPnAKzAKBggqhkjOPQQDAgNIADBFAiEAjXdmrxmov6Bf58fv3S1q\nX40GBE0DG6RSV4UPygBqxAkCIERUBteI0QadL19m8xgdG3EgoUc+30r9bBqJoSLA\nP8BF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUN7UrbAufoojA0XpjA9Sh9D0g7TIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNTc2Mzg3MTY5Mjg1OTYzNDk3MDM0\nODE1NjkzNjI0MTk3MTU0NjY2OTUwNTY3NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCJmzRcHeD4GpQ7qRMVTfpomLrj6rrwVN5Y+ng7IvXvt9VijdF98Ei9ebhovZbXW\ncZr9WW7uXKvJDKuibenKbTajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRYspp1UF1t\nfANSy9FiN7M9A4/gezAKBggqhkjOPQQDAgNJADBGAiEAnrDtn9v3Z33y0r2oh83H\nfVdojLi15tgUjTjpacXifh0CIQCOTOZziTWottwHUtLeql92lKM/xF+T8k9U6P3E\nJ8JX3A==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUZY8F7oOEmxz6+iyjeMu9oEC0izEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjE1NDU3NTkyNzM5NDE2Mjk3MDY5ODQ5NzE2NzE2MzQ4MDEw\nODcxNTcyMzk5NjExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7\nwuEU2Esdl7JL0WeRpC8bv7YhoHh4RyezZ8dOfU/koI5oYzsW9CVKeamTJ9WvbAtQ\nSh37i/RMTndt4BnsOJk9o3IwcDAdBgNVHQ4EFgQULK5+4CCc3m7ywcEggX+8UuuQ\npfEwHwYDVR0jBBgwFoAUgONYvcL+VFn8OfuNKnT7PXz5wCswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAP0lT/jl0ID2hP1lCq0ih3I9aXrC9AgX5jVAQU3a6jyiAiAubH/ox/kf\nLpp8aEWJvCckczLMBXNufm7j8BF4OyfEow==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUCrpMMjo/Ym8U0Ga8vl0PcCo70powCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU3NjM4NzE2OTI4NTk2MzQ5NzAzNDgxNTY5MzYyNDE5NzE1\nNDY2Njk1MDU2NzUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARM\nogD5EH1f6hYshQHGMxqVywBY0LGpeIiRzdgHaohok2b/6zStRXoXyYR5lERmkA6e\nx5AigPFkQzDtsZgQx0nOo3IwcDAdBgNVHQ4EFgQUlr+N1oDq629G8IdpmlNKdQn6\n+cMwHwYDVR0jBBgwFoAUWLKadVBdbXwDUsvRYjezPQOP4HswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAIbut9tPrmraE/9KqGsdn892HA6xVsCFEvfcfx2ybymLAiEAkzHqWrtp\nNfhKHOUTotxmeiZ/rTRi+sD1PStTGvdQdVI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZkG7oP8/W486hrYndtKgx9YvGcwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGMEChcyvILN9pRPT0xQG66Lxi6QV/GhfcqnZi\nno1Fx1E6twXrpHOCOBUlMwtiL367zY1QE6K8M3ut4EKkhhx4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcaJFvaKVAIjB+tGgoeEZCbbQ1P4wCgYIKoZIzj0EAwIDSQAwRgIh\nAMHpFLBx7fpkEulEgqxkAdLRAyFMx5Vjz0GCZBXm4ldwAiEAqti0hijCeVsFkqkz\nvBh2cbsmPQYdCCoOELEAUrFoVNw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGYcqC1A3dW/SqfJ2uOaJKlN5Ra4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMDzXt7hjWrN6JG5xRzEch3tJo8G85ky+qLGxn\n5xVVRZtPc/0aPEsZLVUNu7PNJClzk9p4agaWxyxTHHCH1hbqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz5zuiT8JxUkFhKHd9AJs0HmCBoMwCgYIKoZIzj0EAwIDSAAwRQIh\nALQPOYwwdNxasRacioh2pRdV1zWtC0kh2t1ihm4WZpFPAiBnXYgnBHxV4g468D5X\nxf/foCJmpG5GEBSIUthkaeIr6Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBiDCCAS2gAwIBAgIUW/b+e7tz/+bPVT1QB8WzExDCV4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEUG9EG/0fAxSIfnEInzDZ4QGDZeOWwf7WO/HMnC3U\nAreeVO+yX55qGOlpPZoZjU3KMS3b8Ggfkf4fjPJCkzQfXaNRME8wHQYDVR0OBBYE\nFHLsckTdVLRRmTbrHtOUJDFkcPqVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCLcQYHetxg\n4wkpSyFjxpIoZwY1QzSTFW0PBo396D1oHAIhAO4kX/ZD7RNPWgq6/Ku+cuy6DcZw\nr+qaCxxBYcIjQgwW\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUSRjGg6zgfRyGXaZ3oe8D9WrJPP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7fkRDkC1oGr7hIjN73iw9LNRb3Lj6jie4wvo90wp\n/VAwtjRWUImSzY+AofraU2Ks2hV0nNjh8IZtYBnbmupdcqNRME8wHQYDVR0OBBYE\nFDstfE17TpUcYQo4Cytr1TR4e3rnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCVj+u4rbH3\nc8f7V3Vn4KsrOyoe0asJ2ECQSY5B/a0/XgIgbjFnWEriw7fAbYyFO5rYmnYBbiH+\nyMhz9XaGyowTB7Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUIzRU9Sf+J6dT8J479A4qzOg8dLswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkSpz3EHvzJ3i3UIfHox2PgHW93a0ztDFwUONU\nUusqWLyImcrzyArDxn2K17KRPyAzOnNTYifhnjX4EJzl2J0Ko1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUn3SmMEWEcBWWlV2DwW4kdZOW42MwCgYIKoZIzj0EAwIDSAAw\nRQIhAPk3/2mqqBsejbESG7mPiRmPXL1Bd2Bo1h5AoodaqO6XAiBmhak98frGlGe9\nPOc4Qc2SKyiotCzp9oDlfs/4ioQnCQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUZvFDgi/0P9YtXNUCc9ovLoQ6qnswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVhem8KkkNw3b44MxBjDDVlLQpQugAMUUyaloE\nnr0pdqNQxfsA9ngIgv7EjZ+5a59jtzZtKcYRFctdpPSbAEwvo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUSojPWer5d0w2S1Q0MgaiZSFqcv0wCgYIKoZIzj0EAwIDSAAw\nRQIgSHBVoJkNvBg1gJzbpc0coGjM0YYKvCxOFFtE/wmo7iQCIQC9MbtN4xVzpWF0\nWhjUHpDRvNwydGGNkZhR+XUmWn17lw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUNyVgNatY364QhbAaKrzvO+D0R20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERONRlD33WWy/+NX7cTIPKXpl/8AsQTZygr3K3XHP\nV00yjsppnlns8F44Aw8uKoor2GYIHEq7/a7DbZDl4rptK6NyMHAwHQYDVR0OBBYE\nFJmzthS/Q54g4mtD2xl5IEIU5l5sMB8GA1UdIwQYMBaAFGR0r4dyiCdciBMOfiVW\nh1lEVo/sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICI+q1v50aUfPuiOcoL52QR8iak6/KSl\nLy/qRJzXDty+AiBKCEO2owMHxkoew7hP/EwjOB57YaGDJH8UP99/WSd5aA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUB5OpCrSwP58DGbCIK/MXmt0jkskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzzVg8PM0Yw+7nk+liOPEtezI/O4pYThc+bMttcLF\n/ZDqkmN8/EPBt5mUhNxKiQd6yOGgrWB1tEQbQNECqPFqoaNyMHAwHQYDVR0OBBYE\nFKO/ArfEIPqyOWFHWLwireqvOrizMB8GA1UdIwQYMBaAFPmolT8XD+UtcQs+/k99\nvPjrpPG4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDneus7VcK7WeJOeZiI/WmFQH3YYZx8\ndhgSWbjED9QM9AIhAMIUVSKo9gLZxG/twuSExIotN1EbYWASsZLlN57Gdo0m\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUX3a+3rTZeUR9bxqAoqQL7V5pL5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdBmQiRRp4bP8RU7f/Fu2R2AjIiCy3gSaBLoZt\n6B4Qg760aLezzQ9TViEUS2nBOqfjLhJci9kJXeZF/c73sbjGozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAy5BNUQKuIZqcsRKihqFkP7iAZok98m+CvIpILcOG\n68MCIFixP+rHYv+2wgGTAj/YWIlUrfcn0dK0MKTKodpfjPAg\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUHuhlZaEwQTn05YQTEXo8TGFNy6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhTSrPvCrX2vxMrQw3IFMi8MvWwVMcsTHfdoGH\nng65AOD4OCY31noKJh8CtvvDiQllSnD2dj5dJ9RSfr7w/NTzozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA9cvkKxpU97YiUM2kR31fjsN8K0udev5FEyPtI0C/\niHkCIGjfL1Bt8oBTv4yGdc6Q94vRw9+tlD5CUAoCluB4z7Pj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUcjUxPNMvU0tc1nbLhxMCW9/lQ2QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqPuLufvVWd8kIv8nQ91TJ+H0ZGNkryZG5TKy98lm\nSUBxZIq+5UsMvcGXcBeMhDN7uYYNpmdPY5Ia5AFJ3dMdUaNyMHAwHQYDVR0OBBYE\nFBvOxbBO+GDyUdAKrJPWLs0Rq+h4MB8GA1UdIwQYMBaAFN+Bg8780RX4r7sMcDR7\n5C2eUIM9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC2DsCn0stVmufnghVXBabcRS210uAK6\nl7yhqIuQ7kMEAiAnovu6mSVgPghXiyQPCzMaofd7ytImXeb/HM8Dlw/L5g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUKj8uIzvoDzgrWz2Jf01tqpCDSEAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP5Y0jN6/oUY5b1un0zA5CIhqrgsulPECguyk4T6Y\nWB1wWCLyAWOTKPfZ46BrwIY0Vq+mmvjh8Ck7TPssdD8EKKNyMHAwHQYDVR0OBBYE\nFD14DMsF4I0Gdd7WiIEw8E/CqOW8MB8GA1UdIwQYMBaAFBCOyI0943zrJyrm/2Zg\nm5itkPLZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC0QH2k3suXan5AlysnQ2e1TAOjoFAQY\nhxgkW/9PbNZQAiA7MBtgWNO6hFBnFkIimaSBuE6ytbq36BVW0TkblPI+qw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEn2z/An+sD+uvViruiv99WzZt+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD1dilcL/S/ceS47n7TxD/IJJWpJcU/JIkT2ei\nLhlZMpTtP7e5ZZeNw9/pHvlPjtK5SXmjZGnrykJeIxjcfZTbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhx7oC0plfPSdxkHl9oJW8Foimv0wCgYIKoZIzj0EAwIDRwAwRAIg\nOVKnSiGOB+MnSHgrlZGmxsgFHgdiywpT9fN6ygqfEvICIGWKdOle/1eieXDrQJAv\nAwrRsCoPkvM8T4DY1CRvElRU\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUSPa89DGzLcnR0NwGmyxiFqiTbRQwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYbBVeCdx+/DlZugOnSU9/fy1dhUvB0Tj\nZXVss/HqHYzfkNs3QJYIv3s+6K3YbDStfyPXf6tFbd8dNz4QuH8jQqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKN7ZHRRwBq6/5z63T0EYqxtNxRDMAoGCCqGSM49BAMCA0gA\nMEUCIDAto6HFFqMkviPkji1XQYApvtq3Ikao4fo0ws0oST87AiEAn7G9T3I3IL85\nCIyiQ1e/iujYpuCibOXfNNFxD3S6fnI=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDikRryepoIIUGHwsdTdN60ACWkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA5IV+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIh\nAIhcwlGvDf9wjWnq1aOd66eogYahx0t/gWutefjxmPcbAiAlHfBLYSEChP4wtIqK\nr1j55KMzs+FK2jRHzuk2tHffPw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUCpafwHFy2Evy6eGIxycQXdcIJbwwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTduyp136HeUUlm42Vdkl2LdMd5AbM0j\nkq0usxNIlZrr0X/68qa7DjK1iMR+3r/K8nojJCnyLRCvLbHuMr80o6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFD2hZ21y8NMbE6McezdyjEvNphfqMAoGCCqGSM49BAMCA0gA\nMEUCIFSSlss+PB/xtkVKb+IZJfhKBA+xtGoI/3w1ncxUzuFQAiEAsl8bRXjpu71P\no2QUYNeHiy807Gu6zFN0SRYkTUI4gXw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZ20AQi2602qDWw2XEcAiHYLQYdowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD1dilcL/S/ceS47n7TxD/IJJWpJcU/JIkT2ei\nLhlZMpTtP7e5ZZeNw9/pHvlPjtK5SXmjZGnrykJeIxjcfZTbo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSje2R0UcAauv+c+t09BGKsbTcUQzAdBgNVHQ4EFgQUhx7o\nC0plfPSdxkHl9oJW8Foimv0wCgYIKoZIzj0EAwIDSQAwRgIhALDRZACYCKGe0zil\nwI7x9QPXqM8pOyDK1CNyt8aMKnE9AiEA29JVRA3kP0p7qgahrgVID5w64RVgDn65\n3atlw+53jlA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURu9sOOmXDs2fpjPSJx9d3uRLt3gwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ9oWdtcvDTGxOjHHs3coxLzaYX6jAdBgNVHQ4EFgQUA5IV\n+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIhAOCgnlbKqxFD5D2o\nE2srYa+195RQ63RuqsWi03/OGw9nAiA60XHN2K1/BM3Q2dvPCwRSdcL+kvsRm/hv\ns9FxEs43rA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUKhaYiAqTtqO9SU8UmAG4NAdhwYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErA4vbJ3oji3lzto7uytrdFzeC2yNhBGcNg6vsj2y\nd413CaQ1E8KObtB3igvvq16wKuG11YXxUxjicyl008miXKNyMHAwHQYDVR0OBBYE\nFA31mL0O/yQHJaGrQ4Qp7vj+30ngMB8GA1UdIwQYMBaAFIce6AtKZXz0ncZB5faC\nVvBaIpr9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBTV1b5BnuOtuFK/8W3yzlTMqiZk9EHJ\nc9Ism4f2d2IGAiEAtxChETHYFHpcDqrkXkCcvwOLMuZVnGyl025weio/EwU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUJKF9jH4wmxjGDrMZT9i4v/jo/ZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5queJojuzFMd8rpoPBI9kGg38EoF0KsDuLBkYBfK\nrDfNJMgEkSLqDM7rFjLh0KVHiOMKhOJl4DXHGfm+3wvdCqNyMHAwHQYDVR0OBBYE\nFOdCWOrPbdQE64mMG4lBCerZ9InZMB8GA1UdIwQYMBaAFAOSFfpXKGTmH17/rPuW\nqtI2AjquMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDdcyAbguX+nwKX0nLdI9oFKhuYE2ZN\ngscWPnS6c5L+WQIhAOifVbtwb5aEpjGOUyalzWvycBOT38Pbxgq/PwNfy/Z0\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUT0+r1BIq8diapwx/m3euXhVdp8gwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLzOE+1e6wDM\n3gNiV/7mjO5lxXK3Xkoyl/hLXRGnkN6hgK3d/AR/G/n0AzYHCqaoE0w46m9MHMfT\nwpFmIojIMYKjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR6us9uIHFPRCuNdJuNNVxXiDJI\n6zAKBggqhkjOPQQDAgNIADBFAiEAs9313qJAKFw+nzDQRtAG6AoOZe4Iq2p2VIR/\nOce6j44CIDhsmXLrCFqxJCw3q4jJ1/V1G/kdXBFLRD/9YPFMUwQe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUeXHnp0he3l/Sg29rz9wwu3Rzu6MwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNbVQTxHzL5F\nA3PGkdBcrS6zBx9yA4/pIklOpqmGsEXIVFsRakJdZ+DunWuS2EAl603w62nYp06A\nh+3hySQiYCajVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBStuhyayBVfmY0h1SbXbmwYyv2z\nPjAKBggqhkjOPQQDAgNHADBEAiBYT9EVW1AMgIDAMLlusJSBras/8OvVT+Eeg5Sh\nhSi4SwIgT4PQfMFX6FyX0ydbsLRX6rsgHdu40R7lA6sF011jqk0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBQ8gwDDQCT4E8zuCo2xkKR4vtG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwyANSBPGylc9ZQaaO9Wtx74b7d3yFP6O22S14\nfcRyojMKVDpddMKkX7/WUyACAoRGntp0kaIsPb0OF18LJnUlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzOYdcQSlBi4WhvYHPA1rXin2m7swCgYIKoZIzj0EAwIDSAAwRQIh\nAJ9juIvz8ocT35QJA0ofn7DLGARGpeCD8vf2r0sf+jMaAiAnz03S08AFOkq+iVeG\no1JpIrm2KDYSUOXLAmQVGpF1zg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUNiWl2ByiMD6Nss3NibqvQjkOlpUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8yODg4MjMxODAyNDM0NDU1MTExNTk4\nMjEzNjkzNDI1NTAxNTg1ODk0MjIyNzU2NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nCXodD05eO+hHfWY1ckH7UoTYbL7Q6Gnb597jXiGBOmJFdFe1TLWmjJsTf5tmxOpU\nOy+3O+0Q1NmYyzchInP5z6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzOYdcQSl\nBi4WhvYHPA1rXin2m7swHQYDVR0OBBYEFJQeOznZDky9YN2PVTYTRIbkhQGlMAoG\nCCqGSM49BAMCA0gAMEUCIE1TfEt0W/tMUT3YJ8qj78oAirLvePgNK+IbmKCfVGBF\nAiEAumbVwynKCg0d+DPLILc5T/bWhwExq2xadi0zHM59nuE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWZwEKpymEyB8fZE7tUZOCeKspkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH33HsNhKtdVsNLevQeTNBxwXo4fpHwFPIRZzY\n7f9vPbhTmiCltb5FjDI73r6+rLMWBt+7RSfOz65NG5qXBINQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvoOMxZaC3++l7Ycz/UNq/IJEb6UwCgYIKoZIzj0EAwIDSAAwRQIh\nAOB5v2ELtrAbdJkMX1a2AfW38Gyvdcb7xL+EudheGhhcAiBtfIyJotLdHixgiaf+\nOmeYHvkue96yYdAkqwj4ww0rSA==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUacJxT9C9BcoY/A4wa0ikPQr3ziwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTE1Nzk0NTc4MDM1MTc1MDkxNDc4\nMDY2OTkzMTkyNzA1MDQxODczOTkyODQyOTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJx6luav6DRFNO3jbziabyZWZh9V7X21b4bp8uISbHQvJHPpZcVWdnUO3oQbBV04\nzip6laxSarAjn9VoriDWqKijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL6DjMWW\ngt/vpe2HM/1DavyCRG+lMB0GA1UdDgQWBBQjyuX6DgQAUvSsk069XzhM5ARLQDAK\nBggqhkjOPQQDAgNIADBFAiACFvF2bzqOorV/B+hy8cYeIjwhVk5h+BvX9lgBT+xl\nOAIhANmRfjaJK5taTZoMRQ6Q8ijEvJAMeG4JDqjsxt0aIcbO\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUdk/S8PqHBERqe3D+AOu9hTt1SmswCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjg4ODIzMTgwMjQzNDQ1NTExMTU5ODIxMzY5MzQyNTUwMTU4\nNTg5NDIyMjc1NjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFJz\nrHdGE8V6ATZxjDGkEJyNTmnJ0T4woD0JlXRpDTv6V1LgLNjHvI/5FPpsChjvWOjM\nJcAtVnF2JTkBX4qLlFWjcjBwMB0GA1UdDgQWBBTecz9UkmNWVf/By0En8cAm1XJh\nKTAfBgNVHSMEGDAWgBSUHjs52Q5MvWDdj1U2E0SG5IUBpTAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiASuKoIap1GEk6+TITIsNt84x2Moie5qqqHS7x1WdQ+rgIhAL2+NuffYXpS\n2JOR16z+02j5UozFxhQpyaO9R7DL0l2x\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUZSRffMeoL59/hK22atvn2KrOeRswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTExNTc5NDU3ODAzNTE3NTA5MTQ3ODA2Njk5MzE5MjcwNTA0\nMTg3Mzk5Mjg0Mjk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATl\nboCESNu24Cj+9CCdGIdxlM3JiVeNSBC40TH0ANKneNoUY2n3WT41mZZVG99EWTS1\nwuYMw8t/GWxsanXOK7R5o3IwcDAdBgNVHQ4EFgQU8O7Uw1lw8dmfMl0FPwtAbeKm\nVYkwHwYDVR0jBBgwFoAUI8rl+g4EAFL0rJNOvV84TOQES0AwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMaYd5isoRJR1f5rbkGRKfE27U/4HVWJvDjbStf/Kr48AiEAj8P2axWk\ng//to22/3vgA8uzaKt8HjwNOvI2Upb9g/t0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSIY7EV20+KKs7AodoVmknwSgNGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2tA9QSoq+XBYeEFpvZp0XWvmo77tFVIYs7FOO\ndWKP7GTQ/G5nbk1rkjZ21bMLeXD+IB5DqrroLn4W/E/NQQY4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNCp6QRg/Bff6LIvJDl5hT3TQMdQwCgYIKoZIzj0EAwIDSAAwRQIg\nFxLB/jOhH3PI/RfbRe6SWyf6QLZFI8YjsR1/0H81WvoCIQD4UGNaCh27W1/6A6lg\nNbAUjZ2WAp6mACMZTHHtFwmymA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbO57cAVB3tefeCrXtUEVL+sFSkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQKjDjTVzO7OyaB7eu7JtAGV3R/dErPGEkHTR7x\n1xonTSWJWqkT+e3gvMRctq9JtmJg6520B4HYwkiDCXss7Q9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpKkSiAKTrCCvFLBC+Y0+OsvHHN8wCgYIKoZIzj0EAwIDSAAwRQIg\nYcvtTPloPlZnUGhOjNIRdXO/2zB/42vAb5REl4MQ84gCIQD8LQEa5K+RYzM0skUc\nhf6wnOmh5xxsqelnGxZa4nfHww==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUGWfRAM7pdS6ee+x8rkl22O0ZRvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA0MTQwNDA3ODA4OTAxNDc2MjA3MjQ4\nNTI0MjkxNjg2NTMxNDY1NjA3Njg1MjEzMTQxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABF7RENUQKzjFrMYC1CDbMZeh7nRpobhlQoWbyQacT2Mrioh+Tzq2DPQ5KcdV\nfqe1nTkFs7bvRoSedH+d6QHWDrajdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDQqekEYPwX3\n+iyLyQ5eYU900DHUMB0GA1UdDgQWBBQ4+HBmrZQfs2zQYyDHjqns/iJHRzAKBggq\nhkjOPQQDAgNIADBFAiBiGn+uDN0YC9fszDIm2Huq2Myh2pQRrOF/3VH1cDRNnAIh\nAJuZ3HjT9BHBOVlN8kSpngUuTqaORLjr5kRn/3Zv5Xr2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUcVNpPXIOhmvsawfAtxuHCeg5ukowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA2MjE4ODkzMzM1MzYwMDc4MTc2MzMz\nODAxNjY3NjUxNTc4OTA3ODY1NDcwMjY1MDIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABEHnpL4Ox6MxUTz4qqH2SUvf36kdxsKcK4eyCbvTqAVSj5BWp3Tpo6eL+K+H\nwagFRN1SUS5ru6LxvMwhlAxONQejdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKSpEogCk6wg\nrxSwQvmNPjrLxxzfMB0GA1UdDgQWBBSXh2LLugY75k+Sn7hnfeDPpF7SjTAKBggq\nhkjOPQQDAgNJADBGAiEAy/vUZNWdEUXK6nrZZ4p2eOHjvrHdnrBBxCc2CGmsct8C\nIQDKSjiqzZC9hK9HZN1kY9r7/6H0c2bj3Lu5+GDvIpskKQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZ6gAwIBAgIUOmQgfePCP5hdRoLgaL2g6cOBGcEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDE0MDQwNzgwODkwMTQ3NjIwNzI0ODUyNDI5MTY4NjUzMTQ2\nNTYwNzY4NTIxMzE0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATYLg2bgd9qXuN7+6TogUCJ8gj4cQMhNt0H3xAvfSDvTl/HHaBY8lfnCrX9k5RU\nFvR0Ux02/vgAq/oegoWNfnKIo3IwcDAdBgNVHQ4EFgQU+jg65bLNuJmQvyDMYw8E\n3IjPktcwHwYDVR0jBBgwFoAUOPhwZq2UH7Ns0GMgx46p7P4iR0cwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDRwAwRAIgaY/OXf9eNWDbxN9L9ysHdKuBjXv7ulqjmArkTQWkPEQCIAmfw+uX\n8oCEsYFicwywUJ0hlbPAxp2CVo0Ls1DNDtlC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUGCQ4MZYpATeBkfOctTtrj+9a6cowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjIxODg5MzMzNTM2MDA3ODE3NjMzMzgwMTY2NzY1MTU3ODkw\nNzg2NTQ3MDI2NTAyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAS45Iejq006v4o3O9g3jhbG9/07SmIUnG/TYacbdgNnrcXXIb8S+APG6Fjd1dWX\n+j0IxCpTRhB5jSMICe/T/WjQo3IwcDAdBgNVHQ4EFgQU5O5JN9Y0LBl1shn81WPZ\nL61QPkQwHwYDVR0jBBgwFoAUl4diy7oGO+ZPkp+4Z33gz6Re0o0wCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhALd5nEptbRtJtCh3soRDG94kc5a4ITY2OXH4LGedo/rrAiAFxCIl\nBAjl2prBmYHr77ye77iIHBVYUBx8CwOh1EcWTw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB2gF2+0Fh+aEGCsDIBTjDE90+P4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATK4cAqZn1QhlZfiFM4Ew+G4btcapLCsErHX0IV\nVBsDjFh61rzUm97mNSJTwqkwrvbhhxza/35pHZfvbaTJZ5hgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPeTrsRLBvhGJ4dTPfBe62FMvpvEwCgYIKoZIzj0EAwIDRwAwRAIg\nYaFZxPtGVypHajKwM7Zzw8L/sU5LoYFMthwrQK+FQ1ICIHGoXBuFnDWJjJmg52jo\nERPcQJFdxS+M1JDgNLwNAlOf\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUA859vWLnSWXEn1B8VnlV6jJfyD4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDqr+Q5Avqpe+6StH4YW+IDNG7pWSjkkFBbypI\nbXTaz6YkcrIWTzZqsV9KGKjz1dYXdzJ7qNDetqrdLqqBBQEpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiadP2djeKvrGMquicc/aXu8EGOowCgYIKoZIzj0EAwIDRwAwRAIg\nDzNSvQ/kggIysVJ6YZbq1Q/VOevLkPA4ZgHCme0XVGoCIBlL0DLI978J+X+s4WCe\nVII8ZXBt9O5sUxMHqJ1EABqu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUCj3E1gZDgss/rniA4c9cZXKaUW4wCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNDIyODI3MjMyOTQ3Mzc4Mjg4MzcwODEyOTkzNTE2MjY2NTY3\nMzY1MDQ3NzI4NjIxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNTT7/Rre+H3161o4qDxgyQ5bg3vbQSbFjbGR6FMOIa02MJlMMqTIe+/Vplr+468\ntVfNmZGgsaJIEiM9UHGbOTGjcjBwMB0GA1UdDgQWBBRk/D1XB1tIQ1kb+6atzyOj\nmFkfdzAfBgNVHSMEGDAWgBQIIryeAG21lVw7LyLSd8+Hdg5jcjAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiEAirlUTDEyct5qdwZjxlCVQxeWCo/JuhzDld9CccyitVMCIDXboBEs\nn1Ug6IYNmLuDByAvjCxkoV2j0ZG+K9x1XsAM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUZPgSaFVCRG2HHCJN6h99VJdMkPswCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMjE3MzE4NzkzMDM5NDI4OTc4NjgwOTY2NTQ2MTU0NDkxNjcx\nOTQ4MjY0NTkxOTgxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA7aHXcYev9kJcbGJePayzJ1y1dLAh18DUiwQrhZOaqo1KyUlQ7SokHrl67jecsD\ntmohQhX0Xx/tQQT+KSFQXHijcjBwMB0GA1UdDgQWBBSs2V5+0yBifTNBcVdNho+q\nJi1N6DAfBgNVHSMEGDAWgBS6c3lNz1wUlVGMo/8V6eZ49b/w1jAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBZubtq4se6osKtLkcIH2gQfjA7fQQ2BDdIFdjyd9UMTgIhAKULEesu\nVTo/eMgl7kJmduUNLGs7NBjVTBnif0xl3v0X\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUPMlb3FBe+oa6WKEEDRvCziapyuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATU5ei+cuJCBsSlllNa02nNN6u2jjdt/mUEBL4g\nEy7XxbMKExHZfm+Ngfxe/mG2kSAGEPuWKbKX0uNF0Z0iHv35o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFDxYKOqffGA5\nN66TgT1s0jy0GasCMAoGCCqGSM49BAMCA0gAMEUCIQD86N7NhF3m8x6DMo2YM1wZ\nEyisOPDo8DZH5mzn9++QvwIgQqyg1oz/zIQt0jF0+WviNKZusqJOMRtc0fdvnCN7\nySA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUIq3Jr35TeMIYuXJ+K3b0snrTFP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgxuIjB/zRCaPAWuitZ0oNrBAIyo8YsnE62lLG\nXkXdLLbgCFaZ/Gowd4dtaFdOkwSO30f3qxCq2BfYpkXfs/vXo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCLt+CxpGJL/\nEwt4N4Wb+QrfVBLDMAoGCCqGSM49BAMCA0gAMEUCIQDnkTfFGKcKLU/K3uAlB2hD\n8vyT3T1bYyBdhZIvHTahOAIgEi5PJ1jTsOOPcUEBrzqk6muslD6xZ1G2GqXK9uSj\nUd0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUbARlsdh6+dTXiToY2nrMGIERsYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEwal8EKkyK478qpDAEcTG9RS2NfG17PS0ldBFC8Ph\nG1XpCdGdDPkKJMjwnIjyM0cvBzvIHyH3xNFj5Vcb45gkIqNyMHAwHQYDVR0OBBYE\nFPzQDVtD6/H47G7ezoNqoNqgWCZIMB8GA1UdIwQYMBaAFDxYKOqffGA5N66TgT1s\n0jy0GasCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCOm8/qTsNDpqriejI9pEqACqm9Rp/Q\n4Hv1YTLN0oI38AIhAN9AyR7XEXC1+cfvYdRwSJk2HarY3rXyqIo0K5YMF/3f\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUBOCrlr+rlU+U7AtDzbPo0vEFWocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+9WPgESh8QjnUR/RH09LUa3LdwTpqU8GFsDgrfbC\ngEn5sNdPwwkkPvVu0swOBzSkEDk6sOAjGIzWDRB1J+UBUaNyMHAwHQYDVR0OBBYE\nFPyoKYo5xEeJ7hQPgz/FYzNDPhqQMB8GA1UdIwQYMBaAFCLt+CxpGJL/Ewt4N4Wb\n+QrfVBLDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBN28pRnHoJFDA+kGoA0u1O1qJbSa4Ca\neoGK9sEICZiIAiEArFrFJB7vbBRBTA0yYo1UTsG4m80/Q9hQeuYJ55IYjb0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUU8NScZTotbEdnwZe4oKVPXcBjUwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb7AWOab9uqL4MmWv6/VoEZWdqjAevwmzxhUmC\neqA4YsEHN8wOSkiwbRRlWtEqJxg92DvumaOqjWP4HjFUCsSko1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU8VYPtN/mJrVz9Fn7iRmat9yvw+0wCgYIKoZIzj0EAwIDSAAwRQIgKCbA\nQlC7h6me7scUUXkW4KiqYesoYYLb04BWsDgsTCECIQDidkO0gsZzZa3D8cnLq1el\nIxgOQdzu7RpBZuk8U0hStQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUOsIP15na04R06sXH21FQNmGHsPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+i74DSB17pxuql9RpUQ7Ez/LpMaYT6D+xOixl\npjeovfuzWkq02RIPS97H2ovziefb9V5FCqx+S2pCKkEFKlRwo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUOVssD2h4UGG9sQuWohjNHMw52W0wCgYIKoZIzj0EAwIDSAAwRQIgLs/G\n+600kA4rwAKiBPhjT+Psin3LBBegLZWpHFj770MCIQC3+m9YhLs1OppISP95VXPB\nN+Vy0Y5aULiIITDae8HCSQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfQZaedp+x04Lh1m9ZnHrb0cBE+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXRyS5yGQFV1exGmUwjDp4YgI7nhDRX+Xab7CeApt\npqkLYFxQlAVzXOHt5loZELXghwWnRpepKWDGvA3wMh1ISaNyMHAwHQYDVR0OBBYE\nFNWx2hcXkw+8HPkMDu9MBU46oud6MB8GA1UdIwQYMBaAFPFWD7Tf5ia1c/RZ+4kZ\nmrfcr8PtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqAbwWfnB21lbMZ8kn1RFkb8cl3EiC\nSnLlCJd4Wy8GPQIhAOra6Vv9Rb14qbrYzlbtOd0AIBdZ7Rw/hIPEG/BerawG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFzWadWeAis/9AVXHH2CZM/U5FZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2YLFFhvVNb/0djZItnh9+JRZv210e0Q6BRFcTyR4\nZOVn2XC+/GRWvlrtkMBPzCsQ09nG2JRWJGhFBmAvaD7pmKNyMHAwHQYDVR0OBBYE\nFBNtCJ0FYnmcpoTXfAjV4VXxK29tMB8GA1UdIwQYMBaAFDlbLA9oeFBhvbELlqIY\nzRzMOdltMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCFjf8Jo/a7J6bMHs2El4X6ydzdtD4g\nH0UR6gxFyc/JLwIhAI+SA2TNGQotr8fxxXkSchcLo+UQVnFX65zO0KcbNTG9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUe8vMMvnxSJHsU6GFJ4mf4Zk+cXowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuUG2nF2oFaHsMf/M6jn7wr+Wsn4Sss8C8I3AS\n1gUeSnmNhLnImQ+/8q1B+6qUkTxs4h/4lk/CNtnUXThlGCjBo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRiJhq7yoGqMgc06mJzEIM2NtFipDAKBggqhkjOPQQDAgNIADBFAiAq\nOa3pTIPwDeOYM5GEg+85DujJc/J1g7fOtLgan4VB5wIhAPiej40F0q8Wblg+ZfAe\nH4fRU9kObW4FqiDbzHKimU8w\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUXVE8zr98rmgNCy4a3hytVR3hwsIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLlUJHVkDjUJMFsrOvWI1P7HrVK1nIYiIsFSzA\nTHFyFMKtPcqynNgiU3kTwlRrmfeYn5t9vI4X9J/htotwPpVWo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQk8FDujSgkW/Cef7nGN/6yE05VtTAKBggqhkjOPQQDAgNIADBFAiEA\n+0jtJKjlWw2Jmw3K7wUSZEzj/Om5W0S4L4ubRjhbbSICIAE3nY+cWbCopz8/wnnd\nvonzOhLs4VApB4zTZsXYKnSG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMdcQJX6qCJqzVbRFBHutz2NJbrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEowcnVKeEuQKDS8o1pFV85jsg3ZfcrwUv7WThVzr+\n/6xlS/YB/szCI1FiNOx2gTPFeTNLtVYP0BAFUyw/aFtnZKNyMHAwHQYDVR0OBBYE\nFG5gMoRMXBxn2twhS/0aIa1b3ma9MB8GA1UdIwQYMBaAFGImGrvKgaoyBzTqYnMQ\ngzY20WKkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA001aAcMBhqFiZJ/RkjpMeljNZjfcSd\nSx7mypc50vs9AiEA9oLmw1Lw3Rtl/0P/c14B+oPbmTsVYnSRqJe4DBAdaj8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUU+w4GBedV4xkmUn5HDJJNPiTfDAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXQTNoGcr2smU2oNzMp7HafaaDRt5LW9yopfX7g7p\nVkVaR5wwhV297bpWE386otGNIE4qcI6EzhriL7YAvQM/9aNyMHAwHQYDVR0OBBYE\nFPS1F/JUAjRGfTaweTRYqFHZQFrtMB8GA1UdIwQYMBaAFCTwUO6NKCRb8J5/ucY3\n/rITTlW1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD9YjvM57f/PTMn7nty9pvFxQfJL7Lw\nM3wqLXstN0Dr0gIhAPJvPCZFmLE7NeuppLKbEFlKecnOwqmn1edKhx+te9iO\n-----END CERTIFICATE-----\n", "validation_time": 
null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHOkumZnKXKpMOYoNBI1q9wzgzhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxpxe5I/6w2OjfPzFtl5nNymYf2Hj2VPkIVrUf\nGWeTwFXZ6pVWOhOxj5GL/s1oRpyikEtoKRjEaSgkvdQizZGbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbiD3wsURFFN0GlnSbxKQ/XWbCBswCgYIKoZIzj0EAwIDRwAwRAIg\nF5kht5C6wcsac5+mlXmyxaZxsXTAasKotySFktCR8eICIE0mks6f07TbL9tBTzE1\nWAOLNxjpEImtbIla6K/hN27u\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSKN3JFkq7hsbchgmcNM6+HHV4BQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2OgquiI9qe76oRqt0AgrUhl7rU8nrDlRObvkU\nWtrMOaUT+OkVmMYKxIUBRr7snHxxBHyVWHqHJq/pigJSFEkqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7eTpYOfOUWkAWemGCpNhkxpGgFswCgYIKoZIzj0EAwIDSAAwRQIg\nLiD/WcVkHtCFF//XWuWVq6O0cJ5Hi1oAK2t6uH7/7f0CIQDpVwwpczGS9zt6vP3A\n7V2bJqoHgaSBq+tJgBc+G3Iihg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUP1G4AqM1kMoriuyZlwpSVZU5VUwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDUxODc0NjQ3MTAyNzQ4NTQwMDE0MjU0MDkwMjc1MjE1\nNjEyMjE5MjgwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\nU41twpcnurYu2dqn63RoxW3fIjX98LZFMhgTdifAK1uxkIa0WiNPI14UZU0NDEKn\ntDP3sAtxrYu6BLWrpzqPo3IwcDAdBgNVHQ4EFgQUsBxdrTSEYaf8Q9yWWNNQmW8m\nv0YwHwYDVR0jBBgwFoAUdXm2lbL0CPECbOImXCKwZVue/WMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAJaUT6teHT1BmzPmJKDYbfuHwmLIIMEhBQmbwuz5cqshAiBIHDq/TXRv\nhF4tvJktFgcU0ABOWoyYDknQEV1qNEiZ8A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAzDaKH3yzz9CCo/r9Iw5p7f8StEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE0NjkyNzM1Njk3MzkyMjIzMzk0MDQ4MzczNDkxNDcyMjI5\nNjYxNDI5NTg3OTg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy\nT8OdlXPuscCxdXOPV0+gbWw+Bb6cAYhtwsvFF2/hpf/v1qjHmtYxW69lpGS4dr/L\nCe2NpzeW7paqPzlIK929o3IwcDAdBgNVHQ4EFgQUVEFEy6MKZVaVoNxty+ZVont6\nwc0wHwYDVR0jBBgwFoAUQb1tL0vyug93cJmQIJhrKAiw2K0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPUB5eyLGH32KArMTSXb3P50Oz2USTQ7qfNww+DvZuR4CIHi6P2DTPsrJ\nDmtrWr1jyCYS7Y0FZaiWk5ml2syqSMyt\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV6pWIg0G8hVEmW2DfqphvbXf7AowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQi0gbj0qH3A3P24e9rnlxNOr771Sey1FlqETdu\nto6HaBpcCzqxZmCszfNJBNFVkp4dECrk/BoXaiwTRsLZygdCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkHlECIGMk2pLg4UlKA5qJIZ7UNkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJx+vSKGNKzwo5ePrIXgzDYHJrcVN7qpp0fxoedTw8bnAiB8agjFi2B6Nz5Ga9EV\nJenbUyPZ2WWJnu3CUoCeVX5viQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCS7gnF6YgHTO/V5NE3guI2E1izgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmblmk8N6OFTh873kYgdPw0MdtUO7nsZr8x/Mh\n2tBzemIsAnot1nP4DH/vPK/qSvlwj/eqjGIryw/m/bB8pfDvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ2o/fq25VoNGZmNIJBu/L3YMK+wwCgYIKoZIzj0EAwIDSQAwRgIh\nAMXS5StN+2u9NVwZl2B+Y3OCQs/obXS96ewzkL+kZq6XAiEA/9BnkyihFs76LH5w\nd1tZpFo1IsEk2OSH3L5N5D2QTPg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMLXksy2zJ/vGPpkjn7iJDuL00a0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEk7ctgbLtcLzr3L36Cg2oSqhlbg7bt8MwP5DJKVb9\nZAMikmHCDgBRsdSfDX3o7I30tNTrg51IdfYyiEGWxZvZUaNyMHAwHQYDVR0OBBYE\nFLcH5MNbWwadAgLpcoFRPSNII1quMB8GA1UdIwQYMBaAFJB5RAiBjJNqS4OFJSgO\naiSGe1DZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHCD03I0XXHT9dGZefYtKOyrze4T2GZI\nZgMvXUv5Gx8IAiEA4lR/AIx9GgPtsgk1D3/jXb03DsXdVq5r7sromNDdeNU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCF36XFuc44Ys0kWUaKH8BFSqdk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETuqgLFtrwH9YlPIXpQ7BQ6MIyczX6gvFnJc2ZGnc\nRfHZ72uQCK+fT9PgTDA/pSFJi6etIQls0m4tPe1S/w1IwqNyMHAwHQYDVR0OBBYE\nFLvLCLEsQH1nBMS9wYKXcxkS51xVMB8GA1UdIwQYMBaAFENqP36tuVaDRmZjSCQb\nvy92DCvsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDzVdmW9ff7x27MQW2+XmagjYbq3J0F\nmTnx/2Wqseh1CAIhAJxA/dZRItekdJ5hB08HTOXee2ef73B9a9/1vCulNhfn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUaESv6zXxq2vU8sHHAWLJSn5OdZ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVIRuSrdntvpf3PhJHILqH7pOpNJL6zqYohly8\nh/Q/q3pPj3DPhayRLF6TgaQS2IjSG4WcNY87z7MFRulSv61Ho3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW0dvjrTDhAPJgsEYh0M6alluWRowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDEU9z0d9ZW57qscJit2seG\nO0fSZGBYMnJ70+dHV6FuDAIgCJ6Kl4Xlb1E2s6DjLhhTBFXu1ip8bWrOcuRAB5Pq\nXeY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIULVy1UMfZ6nfyCM9llsaWAu/gA/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToJjUmo0P8117VwJ0hJiaKEwNAYRfwnAypJOdx\n3rd18LgOCS1k30aysMhyHxaqNwx1pbYzmWg7GFd0PKyxtpsTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUza5f7dRAE5LY5bDFv+2fq5Hd3+swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCJYEBzkRUpQpyhZIctbw/2\nkg4DzxgrwKX8ksg6ItBfJgIgZyIucJOQgTxdc1NHrUBKx9Z2I2XnIBzdx7N/qpaG\nHOg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUBnCi5PQURiN6Ggb+RoaO/BCNPmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7LB9SHB8w7Jdyvme4u/Ys+WOh0vFINj/H6OfCMDA\nsQluG10h2CNG7x83XDF/4fOj3UubHSbf4smTqseOOc2f4KN2MHQwHQYDVR0OBBYE\nFNFALoaG94B7mWp3l25YiPn+Dm+PMB8GA1UdIwQYMBaAFFtHb460w4QDyYLBGIdD\nOmpZblkaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0IxNGYzqtr0yPGLTZDhOqZkQ\nlPQ8AuT3ervIxjsPmN0CIAFRJ86nBUd5oCat4Pu5BsOTziVIO78Ju5/TRztAUl3r\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUIt9acl+QOpohXR6+mp1dM+RuC7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZkyYoRlLZmBR6IJ3TynUFtNAqegMHJZ++ujjb1ng\neH66D3ggvDgB5HaT7A5wYh5nkdzCPnYtVlN33ArENnNtmqN2MHQwHQYDVR0OBBYE\nFMjfDgJ9JN1hiGk4OyhQJ54rRn1tMB8GA1UdIwQYMBaAFM2uX+3UQBOS2OWwxb/t\nn6uR3d/rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAn5zngn40b1nVpB7fx2YBO8j5\nWvzN7idLs6uLfwX7DFkCIHwQyWiOqDUWy1TLLetG6NYuYT3esLpEd9pZTEvjNtFy\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURS1z8Hs4tCNc/MRz+6G/6Vfm8cgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKsJkOo21QIz0VAZgiMlQtuAKRDx6pdpyGUFqP\nfi0ROLdGecZTKRXqaRireSWHb7l0l2UYmmO1z87tphL1hNfKo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQHbom5856W/rTmahAveR++QJXkUwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDx88mtBfR1MHKGbAkOmY3+\nTUWWPR+W+3jZFliBCTbKWAIgafk6jJnok1fjvre7rrNPWBJ+7aLB7DTxQtd1vXPP\nSKA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUHKWrBEx+jKwQxm4PoUy9IV7OMvQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARv6AJAxvGgvAZIy4xFb4jzzrmunSTZ63Pfjhtt\nEqbZ6CgFJniDPBViG5RDL5eB7BBTgxZ0tYIXxsxI+4a63Ylpo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfCMSMA0CZxGnTKKdXitM5eMqrD4wHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDjDK8QOveILQpdoxYrH2ns\n2Ezz1CEAb2T4f+7KRilq5QIhAM5+CS0H5G7b4jHrTpP5ysNtmNk6FvlSnlcF5twr\n+019\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUN6mSthJjdOBBkwHARBjTZ7R0dxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdIRuNSuUQNZRCzFPnxB0LC3ppqxUjzI2rYLYcsr7\nAr2Yiz5jlmw/ENUaAkqkP9ETWxlovcCPdnQJ7RvtOqoHw6NyMHAwHQYDVR0OBBYE\nFMVf24I3ouUO/DZWHddqitsNriyRMB8GA1UdIwQYMBaAFEB26JufOelv605moQL3\nkfvkCV5FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGrzfBwrFromHJZaPbpacbKvIqP+ZW3X\nEooS9p15B3xWAiAOPAOTlgobreG2cpSBwOFdqbVv46iS0IYwC+SLDIny1Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUYOwNiYRyDk1Lx8b6yU1M7uPaM/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0M9x19J8RJaPOX+8rPNGl0hDK7TGQxdHl2CpP7Jl\nKAHJpkX+CuNkFToFucswpH9eft/TVHPKzO0i/lI5PPYNF6NyMHAwHQYDVR0OBBYE\nFB+Y4ij/efHzjmgTS5z85WP5oNxCMB8GA1UdIwQYMBaAFHwjEjANAmcRp0yinV4r\nTOXjKqw+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD01ORC7BXl6osxfY/gstHODaj6HjvJ\nj5uexg9i8e0WEwIhAJdrN5SMWg2od4GhqIWm4ixqkLXbUNwkwh/RG4YcS9K2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUSnyG5RIVqiY0V2hSSWZDVQXE6n8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqUDc00ZA0uCx7K6goL5+QAOOLgPsylZPkQKj6\nWB58uj1n7LRxeuYIVtTNAnj8dHETGdQLhWoo3EOBYmQgjz6qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1CNOakQYd1GJUMbtcUWNRQKMuC8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCieKfXata4tDCOzfFcgNjz\noEV37GHdkrqBsInSlCX4LwIhAKuEI4oz11eY8V+PWod3St0Mr64SM+PwnJjBPoPi\nvwqO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUQ5dqjw+LFrQQJqlFAjyo6pO+3m0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQl433N7DCN9CqLaVKAUsMCUuStrLIUrXZ8aeUX\naPmgO4MF8t+RUCy2tzL+mJB/CjNAsEWB6ZCkEjS2+64uFd8eo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0nJGSMnHI/qkDFdq3xSapVd0S68wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC3HodaraFcNiWZve2ZAgcl\nGsDCmngoRPnfV+W6vY3gKQIgEZSPYl7EUw0cvBgNFn0h3AH1/k0+Q5rrzAn2uFUi\n3GE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUE6KGKs4ivrVwck5Gj4NFMup1w9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvAIU+d3PGrNOe59H4s/mUmf3d+P5k8+c0+AJYirn\n34aJxxnKh2MSMbs4xTKVdO55byFiB/gXSX8Mkh5rms2mfaNyMHAwHQYDVR0OBBYE\nFH0qACju/Y/ZLil2bOa4ObHxthJBMB8GA1UdIwQYMBaAFNQjTmpEGHdRiVDG7XFF\njUUCjLgvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH2+4kC/uk8KZnqpl6COV7kJnN6+cgFn\n4a1Jj4LR5wfEAiEAgudSIXRNJT4VuHkqQSW9Sa65sUr9yukuKdL/ukZGb/0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFTF5Ll6H18miRRGbJ5+1aEL5ZoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEND/9CVBZ4l9GhfUIaTNSocTRCmDn9wQgno1i7Jtp\nkNKuVasC7mrbX3WPGzJ5XPw4OIiKSze4ETuOqMpEiPfNX6NyMHAwHQYDVR0OBBYE\nFDBAHV5QsQStsweR+iVda8YwB6UnMB8GA1UdIwQYMBaAFNJyRkjJxyP6pAxXat8U\nmqVXdEuvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGACjkK3IY6a/ggTn2Nn8WVgFFPqYIm/\nVac/qpDDsS4NAiEAyJ1CbYZLENTMTpBo/OAzuYO39DfUShtMo7YIyqUaddk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUZqP8HdeAd1JoqTzlcWSzXkXG4rQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKhx11arDDgokSAeuDJFks3x2ZZRcuthBun1KB\nfPYnJX3AmTDgAbb6XMM88fVHZCZPxhztm+h+I6PP2xP6cNYpo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFNngsOIrZqxZrrjrYxdDIDVnpMQwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEqTe27bK2JOp6E2qm7M0W9B\nhUYvWx+RDfFmrk+6BPKyAiAOfdAakcRJqpxQmu4Vn7BmbQdeoIspx5/jblxWG4R/\n+g==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGYlVz6H+HHbU9C02Qq76zkEUzowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7PMYeQ+A14VNZfEsJ9qpikuYk9GIXin/rA+BS\nrh2tEle7TbZFjwKtTHdc0EQeYTtaLOPxbeAYzD6tIOu2FHGAo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIQ0XcxQFuxTtJLJwQRxPHYkg/LgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICp8sPphgyYy9YrN+h48zxGi\nCjVs9Cjhdl5h6UdyWLFsAiBSP68G27zM2do39ZeEvV3wv3SDYLqvpIIra4MyfdB8\nBg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUcMooM3Cw2CWVpRyE+VjZb9yj/VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZg2g2R6gjep1ufUWzlkknP1GWPIdU/9CONfwvCTU\nFAJX5SQ2pUv+KiIZEUiQpH3+PzBOWNpcNcmjIqvNQEt586N6MHgwHQYDVR0OBBYE\nFFsjj1hF+Is9cEtBhmEI3mAnd7f2MB8GA1UdIwQYMBaAFBTZ4LDiK2asWa6462MX\nQyA1Z6TEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTdyW8e+L8FrEyFNY9sQW\n+9d7knoQ32tWp8uvCm3jaOcCIQCM1zQq7F7jUUwGJ6VrkV+ZbcNnfoocllZzFK6C\n8cyBzA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbJYtAhlJmeFTQSMcF3jKIFlIWGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2oZFz6YuvEdE0//ALgL5Vg6auqLeQbpUHRvbmKip\nivuwd5z5DpT1ia6kREq6/olUj8j7QDmgUtla5moeQNasoKN6MHgwHQYDVR0OBBYE\nFIj9ZzH5VO9w5rVJ59SvXYNImWe1MB8GA1UdIwQYMBaAFCENF3MUBbsU7SSycEEc\nTx2JIPy4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgArmvpJxE9uZjx8ftRc3W\nNKgfVrov5+BAD1BsUnTsSvcCIQDh6bvWdfNkd+xFE18EFJ1/qQkYOJ6hXGfyuzRL\n/m8hDQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUCStBiriuDW7axlZJDEqpijle9EAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZIUBDAVtyB/J3IkhucyyXNx0MB412vhkdLo6X\nQ7UYUhEHdEzLChggYLljynsuqAMolhI5fa4hfOSOvSsFHHbZo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSPHBc8ALwjgSFYoTzgTWbSEICBmTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIbR\nJIkVrJHucWU3vPCGS32rhjJ8wBTzyjH5hS2j1HRlAiAxrb85T3P8a24Hu8ACuJ7g\nJdNvqaEhq0aGPIgWJE8uUg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUSWSZWbWkrV3n+0+ysILWeBV4YwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARojgbV/2bUbKaX7Ypbb4WIVLf2IlfMVLVC3hbZ\nRy8WFTAaaGp9fR9BGNKRhwm83r3Nk3gyaQ9l/UL0RomSFHGOo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFtwxncR5E8JKQBzHZoLhMq/WyKjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdCJU\nqT4+XUnOY/qCvDKK0zapUis9XtXbugkjMqLsQXsCIQD579EqvGj6EhKil/E+JsuY\n/WzANB6gJ6ChCNJmqV0Tlg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUfLjVuirk5E3QzNodqptT3j5eFOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE63YwZ6bImIfYocLuJ8I3ENdgAIu0DPs2Z8jzzGvo\nO9uGLWSbtbqNnC910JF/aQ6JBMlIDYe7rr/YONuYmktZyKOBjDCBiTAdBgNVHQ4E\nFgQUKmDYa/a4RBeQyBORGrvltcwi6W8wHwYDVR0jBBgwFoAUjxwXPAC8I4EhWKE8\n4E1m0hCAgZkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDD79Jbn1l4RUJR2vP/liJKb+3+5mWt+TvHRdFb/9NSFgIhAP5snxSgGZ2u\nqzP6D/NVOmVfcFnLC1k5qHgw4tUEZ0P6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUcLjKFUTbFJLe/4UcHgeRUm6k6P4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYFjxRUbY0C86Ae8rDGxOwvWGccJf06dM9+g0pV/A\n1zUXozBxA3bdp1KK1UgssHqv+d7Z0O/TIX+q1RGnFzGE36OBjDCBiTAdBgNVHQ4E\nFgQUze2E5UtFtaF9QTR5KxuRgd3ySoIwHwYDVR0jBBgwFoAURbcMZ3EeRPCSkAcx\n2aC4TKv1siowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCdwpa37MkDyLjzR9A8oreJeL/mt3RWCH8hzJcz0PLrCgIhAIE1QYe2Nv7z\nsPCO1jVJYcG9gQli3JvCFD+FwMkL3EdP\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFShyIlznNjll98gO6bLZDKNzN8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdzEgOpSiiWXJ6nmqu2fnTZHwHIuz/k6wMPrXv\nDtlrYJKfPqXOUrSU88mVmnBGJAKif3RKYEDUk+DUSEaKlEAko3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULhM0bQ75miQeRmFAHeWZSqC0StIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIB0/OEjSmftAdduf19gb4w3YIuKR\nclQuKR3suE2ftsjSAiEAiJOS6H6f769VXAdpaeilIBbBfCOcZnYUSPlFTYxWxx0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUAWLLWFbnh6RyL4adqcXSRZuW9yowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY/Ii5o2KwKQ5yFc8gyUXSX0DZHPKDKMAEWMHq\nloRmDf1W+UEIKUdnCJR8+Zzaj/Vg0WQjXm/n85uxgzOwPEQ/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjzLMZMT0H8/9sKhsa5oma1m0WjYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIH4eSLST6D5D8r4K2hAV09QnBlMP\narosuQqH25IkfykaAiEA/3pRkoo1+Qc+JzoCl9L1TXnb+v2TEjJjrYFXgIFGAHY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUOY2yCr36mvDfyXZMoC2TqfSB9j8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3cX4hFa7WArIibT8fRf0D4bxFGVKGRUmG3BCJye6\n03kP1ZCPOQMJhPhgCuj1+3wm3T6Z+XpC3PncJ2OeW8oWx6NrMGkwHQYDVR0OBBYE\nFGf4KWABaTgkbb5SHHsQ7BO61O1sMB8GA1UdIwQYMBaAFC4TNG0O+ZokHkZhQB3l\nmUqgtErSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDRwAwRAIgaX30MKNz4BsQVGuuRfHdit3Follzj3OCex+NVc3Z\nUBsCIE7YDq3y3UaDpapwq1glxV+ZHQHzeYRe7I5m1eEQRAvl\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUI9CxympDNedMqQF76Mnlz8w2togwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdJjPIr0Ya83S1YfHhy+OMSsci3pvYfluga6Zz2Nh\nuuIsE6BRSctBXE3saIjm73XSHB0LN9TJlY4xDMO4+XU336NrMGkwHQYDVR0OBBYE\nFBUEqw2I6D3kEjdYsUpi9tAjue82MB8GA1UdIwQYMBaAFI8yzGTE9B/P/bCobGua\nJmtZtFo2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhAMgCED3CeStIF/tFpQweTzgljK/LgaXJHXhjFxTg\nKyXsAiBv28Sdc6XA6kQB2AXHQpHSyufb+NOZ1cNAj9agUSYK5A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUek3YMJJpAyWG8GuD4yPlHRQgjcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk0FbxJrBpDzQY0rDgXnoiLoSNkDR9HForpnfs\nmbNug0L1SWcXXXThcN2qoFlECBoU5DLimZyXIvHN3XSZL94qo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU28T2v/uXbEUtiegcrk4SBS/bcz8wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDBsqQy+PEZxWVxe7SK0oZxUPFs\nGQ/+oNsugITAnEgZ2QIgYpo1464YFmkDHfyqAZD+YAivaPZ6eK+G0NkPGmeSTGA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUSIUW3NEPLeNBvg8vQyIAgZ4JZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQw4LpEb6jGdRgrElm+Y5tg3bBKVcpYbV9/3WWN\noHiL+4yiHfxu1wrOdkxQcrneRKFqKXRlrDi2u6C+RaRR6SEdo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmmw65b3qurDzXAQ4hgaElxHH9x4wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFITGrCYp4awi1ApMN+FymusYnNd\n6azSsuwPNU+m46tkAiEA0orPK7idRX3vetzbIdeHynvArwffajdlJTFSrf5MqcE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUAbD+e6f/Pz+CGHMuu6FBM8Uz1D4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh3BLWERpapkikHxeM0nBWre0U34+KmU4bcYKl5zn\nCa8gV0D8VGPdNImMIBnlAazy1cTtN9/5fOBirU0jVyikzaNrMGkwHQYDVR0OBBYE\nFJM0wY8V4VHOgYCFPtNPvoJQ1pIvMB8GA1UdIwQYMBaAFNvE9r/7l2xFLYnoHK5O\nEgUv23M/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgJi0SbFRaLsOpAbkg57QHe2cPG1F4HQgT4unW19Kp\npyUCIDjpz6iJmSE3O9cF7tpa2ne2PfXERUiCdrIjrVskknW+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUPdeN+cYID9RNIIVIxq7dEfh3KuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDHaNFEKHNt6nleQrchZk/N8L3Cbn4RZTfsn+piDg\nf4D0TcGG3mYQwpC/EaVjXA0QhcXCRFMLSoOyt9NVshLGDqNrMGkwHQYDVR0OBBYE\nFKjrOcijAZ+9tMB1STQUF/gzZnmbMB8GA1UdIwQYMBaAFJpsOuW96rqw81wEOIYG\nhJcRx/ceMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgQ/BPx5WXqK4wAp8/sBo2O50uKmqqcMAH2BUQsVKZ\nZeMCIQD6D51a0X4LyJDHYLVp1zXC9BbBk/M6n7f0AzsF1R7aCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUaEkrKve6V02BPCYqYN5NiRFFOFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMdgXFrkkfdniFhhx3FRZuaDvu/QGhOv06vAt1\nuTWy6km5ibcpQAKCHb7hVhYXmWdUa93be3J+p/iT8GFK9Vy2o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF9vD360FndXCjLF1NTAVVy72SowwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIH2owPzNxUxYOZYph9/1stf1mII2\ny6TBIruKm91DxumpAiAkSAGxgSjGrZ8e39xwRl77ttbKSp1Mk4rmZ/S0ehBhsg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUShjUPueNBDpNsUHvTEUarFbRMfUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/B/STst+jLSDKn5oMtmraU41l9doCi3zSEH/B\nl+A9guHHOZAfQdPzaLjlVC0ek+LizUJkRjUyj+Yg5LIodKs2o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbp6+b2+FZX0+ZiTmxK6X2+AiPyAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCQ5Ldvpl07vZ263RiYuvqDkvsy\nCpK9s7CBC3aTEXOodgIhAIRnX/CLzG1rAiXV04YFkMYf/KA7zSWPIHfunlZeM5J7\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUegAwIBAgIUBbuumRgU9jGx9ctpaqfcA0LcJGYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyDMlzbI/c0NDSr+4Xr775JaxPOSbKjdGivQwnLTX\nr4TE9Cuh/TzXJU1hLqmd1v3CzXhKWG8BSqE38u4Bbcb2BKNrMGkwHQYDVR0OBBYE\nFFEC1jGHrbGZBkbENqH1KQkyxPDJMB8GA1UdIwQYMBaAFBfbw9+tBZ3VwoyxdTUw\nFVcu9kqMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDRwAwRAIgbGlQC3qyhWXPU6IW/tlFS+0DHj3RHDLwc3Mj0zBS\nH4wCIHMKUxnfqs+LKZlbTNJeOSLHChClGA7qNIilDR3NXrnY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUfCrcVmbHgo6W7y9gMXy8JQwQJw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpVtyhPQnYILqlVBOI9wFar4QAVwPDC0ZvG4PPaoP\nUc1YMLLvqbdMumc6/jr6aMly9CEuQEGQpNaJe7MAbP+1dKNrMGkwHQYDVR0OBBYE\nFHC/zXuaId4cnqnhvri9aUNpyS7fMB8GA1UdIwQYMBaAFG6evm9vhWV9PmYk5sSu\nl9vgIj8gMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgW0rLsHsnqwdpAGhmqcU6qC1LZxSmlKXAw/u/UPrM\nUhoCIQCl7a1TlqSCcgZmE2xx515n0VpJMy+h2wrmDdusVObgTg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUEVbULWRxOtFC6/fDxutINPncTakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRvLBfXU+uSx3/tfKr2bxJIFYVRZrP3MxrKPMm\nK0+glhxfDAkwnM5tEsy3/efjIXPFN1Ej5Rc0IiatlDGdZsEqo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhSdtFgUNQ7bkgbPa4AFQUxJrEscwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANtGoQDbHroyaBmd\nFXIS8payoDU2BQafCjrkDFv3IysBAiEA+rXYpI+wTI0vx1t+jwVoHmSCArDliTP5\nPUlaYgwwkmk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUb5ByrUT0dUHH8IcNCk5l9fDI584wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw7peTufhC+H1+PHNd+LHfu1wDWWbEm+9jzojX\nUG0AzdAQxvgFFAqN3vL1VUM047DreLqhFUrn9pGu++8IMhGBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ri2O/R/yOaXjUGFmpsHWgGPdmMwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhANlYdjSGDUXftGcl\n0VHiM/rBoenfCNQlmX1GseUbdKy3AiA61pjOPhZ+N6XXaMMD7wsA0UcU32RB89yw\nAbOHAkTG1A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUvXLjWZ0La0KK/0mIUQEJ6Zqz3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEuYmYXpxPgT1lQYMnJkgHsHKbU6H0zJl0AQ33buszJpSYLOio\n3Ax4SFawYdDnHNvq9m9m1BNAFT0jjmSXiN3vZqN7MHkwHQYDVR0OBBYEFBwI0Mf0\nTdSJn+2jJSyIty0aDphgMB8GA1UdIwQYMBaAFIUnbRYFDUO25IGz2uABUFMSaxLH\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIQD8LJhqBZIRRc2AllhCwel72P0y\nJERoWWnNBN7EIuvdNwIgdJBb6hnoYyyWJvXrBvQrAZsWNafshR9RSH7uSEp8BZA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUOx1PKjP3eFyFsc1+5Om5eak6GGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEfLpLaNMRDLrzlUiDLtsWjTA/EDZobxKcO7HLzVSbeFcM3Cej\nk2tJMKm1hAZq0v+CLVkFSHMC+IZM8EfTtpEm9aN7MHkwHQYDVR0OBBYEFEzxG4t8\nvTpYjXVkfId7TnQJaBBnMB8GA1UdIwQYMBaAFNq4tjv0f8jml41BhZqbB1oBj3Zj\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDJ7nyQdeBWwdmGzYRcww5ywdXE\n4ivdhUkJtRohiM9oKwIhAO5CvmTclsecQnG0DqjOGb3hE28I1w2sADkoYEVvza6G\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUCHLY5Se+GN2xWKjcW7V7r40lVtUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXAmqdWpGOBPeSgGDeaECaCwI+530L71W3SVKk\nVAyFVSzxW4DvJpBygcrmztZyRrqlwiU6lhP9tBY1JmvPygI1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVbvN3T5m7Fao1euyB4eNiwJQPKIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgER06DY3miXH4aOUD\nvc26MtZeAoQWJbqJQbD2ghcAAoQCIFa335gLkvn7S68oxuM2iYZpEIAQyxDYdIXt\nKcY2qLe0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURP6+ancWM5IQTyTcI7dIvxsUFVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBiWHaIGZebJjkZ1fr+kUXaryI+FPf+RasKb6W\n5sWcZWB65yQ2E7eEIG+UBC9/B8UUATpQdQ1p1PDPqFOTzcRto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJKeP3PFWOO4TbUT\n7NL0mdsm4aJHiCdk7PoavuajydDoAiBbYQ5rWKCOFkSgBuiAtozvaDl1nWwQtP7T\nTOL+hJWlmA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUcMBfUZ0+U5X7YOPZkzeReSVrHukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARGndmoB6xEXnliGdZ5aZEU/HI4/VvC11CTCccJtdTqvHM+YbUnAeUL\nvbY8dakLS2Mfs4Z5WKVioQnzJspAo7FBo3cwdTAdBgNVHQ4EFgQUASnXac8ZmFxq\nlfAvCZg2VdkivG0wHwYDVR0jBBgwFoAUVbvN3T5m7Fao1euyB4eNiwJQPKIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEAgkzPnNsLkkPM5uM8eu5bbGO1P5dP/cgXBwMk\njCGQdGcCIQCMV7qdcCSU1/PqvHG4Str+8iIEEQ9DfeMyf1sIqFJ0RA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUQezmOAOMJUArTEnYv6JTjWWFWmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATOkvN1te3Ct6cBVBMUXUjh2JXtvQe28JwEQ0TDxnrO86TDSlbF6uxP\n7reYyc9/xhkRYRAiERe9YBeKiQMp9GDzo3cwdTAdBgNVHQ4EFgQUNZczL2EuIGvz\ncNUrrBSPIk9k2bQwHwYDVR0jBBgwFoAUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEAlGN9QC/sUOWIGkxnIsL7qCaau850b4wBStyR\nxCujYlICIQDljwWyewnolkOEr8SaxFnfKvQIMgMEbk5jYS7Lh0ipQQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUGun5m164K0pp0k/V4ir+3K4/g54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWDga5lrGpGnwvVjw9fIVErxVeKHgMCjGUXssY\namJrOXQASZALF8lD4MvSw885u9G0tjdGqFelUPnpjxVJdQp5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyhm1u9RLr6n0KqG7F8FsJqe8LgwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgFKVdUFNNgkY4epE3\ns5tcf9yMawFvaMeHEhbWO/TtRBsCIEipf1Iv8qMARkuKMLuY+bg/clRlv+47OGme\nJX6d0404\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUbkBJftUzUG9cZSWqENyNz1dJa6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREbdvIfywp/jGTmecHQW9wadvSFvGnygSIY8Kj\ngKoazDNbJKESH1khAo5Yxp59AKSVSMuOQum6T3ly1Xlz+iSFo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyD66+nJpQwQ3EmNSBXS0pJMHY7EwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgMF2B9+k3OjvvKNnV\nwi+2iTbSiEDc14hdgRfoReAqGU8CIGb42k4N5F6oMznOegdV6jNqQi0U0V1gIjjR\nmUqFqF2X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOVSBiQeX/Zb4moJAH6yuUhIk37gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASdEk6rG3ZblGW1Ble8GeLmdmw6kyGBhijmhgMPOFOXzhasatA4Jp8v\nZqsAmZhB7GkRATFFVjWJnY7ibkv0niJdo3cwdTAdBgNVHQ4EFgQUbRyIk9SgyKep\nSOHPS0DdtK+HUg0wHwYDVR0jBBgwFoAUvyhm1u9RLr6n0KqG7F8FsJqe8LgwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEApK+aJG76/iAJRKeZfZziAQJvc4Um21s54GdH\nv5C6DQ0CIDjH3dghWZP8yT10H63CUgXohTwbovcB/PjgH8OIXakl\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUYcvKW7zs+UScx7DeDUmNDXZQXygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARmBga1ygKTJwRBpjbKEK71ocTLJZJ6WjiYyXk7v5ly8fO0JQvZmIKz\nx8yiplcLbwf0cvGN4xErr+H5la0+rQVTo3cwdTAdBgNVHQ4EFgQUbnugLN2slwGi\nOBsf18eqiekAY/MwHwYDVR0jBBgwFoAUyD66+nJpQwQ3EmNSBXS0pJMHY7EwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiAGDGINt1HPCWZx7Z49jj8bA8L4jb9bASB4eJK8\n6ufrDAIgLsWpl9NDS97EXOTCdqL2v5dAZMVwac+FzBty8lutTcE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUOikhIPdm+iqiPyYZs6jd1c67ejowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARu/Wubx/sFveHeuliVAWa3GguQ/7JresiZ1FTX\n4ZMxYbpmIRXnspe3Q1KkCM5Bwpi6BCE/PLWGwn816DzFhgGKo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDzF1zbsS/YrP6w2T5txsrAnd7NcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgNmoYakNf49/EpS4t\nYuovgB0Ap2uKZMLHYPdbFXzpF+QCIELkgjoTqrMsDItLWMgEZzTHLbSl33++YN5v\nIOFXIDC8\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAhhykAPeI4VKYu7SXpQ/D2SY2eYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnLCLPLxu8H3E2Nw2gFVRu+0fNX3m8k8osA1gK\nUvVnMxLCRiU3GgOFwDqZkjNLUSwfh/iIkMAc5KAHTC14fE7Ao3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf+BOKGw2xKzvggaYz0rVdaFJb4QwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgXPEJRhiFTldrEVpy\nAbtpbctew9b5NwEAAMN1h5Q7ZU0CIQCAfTc4aTvocGy9sLdyifqZfhlcw43/lKnN\nT+Rt68PdZg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMQpoMehajIDrXQv7HVw9C/zbIegwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE93et/1T/oogu7o9tnIWFBIao/U1AOIbsCwC8H9+MB7UDFvST\nT0xCsv5KI7n4goBHJm1su/vvkKYN/CjvpIbTaKN3MHUwHQYDVR0OBBYEFHEc7apZ\nrNCK9KwEE3zrYc6EUHhnMB8GA1UdIwQYMBaAFA8xdc27Ev2Kz+sNk+bcbKwJ3ezX\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAInKn9yPvihQo7F1bcnYb9O+OB1T5qGl\nQIce64EK9UBcAiEAtdGGkerV/z0FPXKphSAx+QyXvYuDlkY1KQOmqISdgfY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBmKJ4FvnplORCcGwQSWoCGPcKAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE0zB0e/6PooT/8/dMajIduhrbcOJcfkyWWyRjjcTGSesYvRqe\n7CMZMSjOuXDD72gE69oQjvic+H6eNWxr53wMNaN3MHUwHQYDVR0OBBYEFFfnK/lD\n8nZSRpKcwOVohT5GVFldMB8GA1UdIwQYMBaAFH/gTihsNsSs74IGmM9K1XWhSW+E\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAPjNKswmw5aEIsCLTO0B3WOJvwkN5KtR\nAbWDcXycvJAAAiEAk8eCP51j4qaphOZsbVoBBzXEjvQ84tYWYN5l8lL1ZQU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDmsjqH2LAm84wddrzTAeAuXmgi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATViHjrkifLsTUGQ5TBRthn2K+VA+BJXYtx5mOC\nisAE7JsBBu7k7M9aD3tTDr66J4+rZcnwCclmfvGu7Cc+wKu0o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY6nOFgIiI3eQvl1BUy8gjL5qLPgwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgOKGNdOCGOOIsENWq\n+on8dxk4bn9sNXl2xpeQmHdJfusCIQDfRirwX9kB0Gj38TL2SxTjutQv1KCsXL2G\nBrfWqYQE2g==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURqYkk7pqDuoe8L/fl8w0Caih77owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqbE1rIHLv9ya/X5vXEp35FF5hGeeB6TL6Es9O\nebQ9BGVghGz5Idc2HyXxzRBFMwYtENDeDrVBJIldpRAy2UQSo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULlfFBusJ9FQs7xKEubqSxx+hKm4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIHcpZAO/Y47y0ee\nw8Bqkpp0K4k/eVrM1ByRmgYW9eoAAiBSE2sLb4VmOIB3y8PWrk+WZbbxgyIIFhqo\nKFBZsUKhYg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUDxSzHVK0HbWzHZwGGJHITk17bY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQKgLN6LkQKuIRrY0IYq8BsRPg3EGdWho4iMc1fMoIx6E3we/NezIiH\n7//TB0u/o5BUMfzg4juxLBe6NZY8HiN1o3sweTAdBgNVHQ4EFgQU7ZmycKTocB3e\nFLwO3uy24UdaoI8wHwYDVR0jBBgwFoAUY6nOFgIiI3eQvl1BUy8gjL5qLPgwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgTBbYDIoLgF+4CGOiSKnpoi7lrWjc7m5p\nZ30Zcf5Az4cCIQCOBSKHCJlvXmhUAE764Ah1hp+JzAj7uhoATuOVD6xSNQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBdaJa0nBXwJLSYCBuOm+83831oowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARURKkD1jwupsL+oh2GD6/Uu8s9Q7O8tqiUlgT1F017ck/MrYmhSML4\nvBxsM6uOpDT2wrdgzKDSZNl5W0PdHiD1o3sweTAdBgNVHQ4EFgQUD4yk0m3XX1gp\ntyhYrhbrpPYhQiYwHwYDVR0jBBgwFoAULlfFBusJ9FQs7xKEubqSxx+hKm4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOTIsHHKAgWlrxDgW9bKl40Gyx1r75//\nvmS4GaBDghYyAiEArfXsmtkk+X2m1Sdz+siBy1bPwoaaOiVPLpECw0iFMvc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUeBZzbt9IwLdjzFbE3jzK+UtASOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQDBu/fNUXs5zygsKX6mUson869zBTaj+Iw2NG\nr6qmytSBFj7kCinxUb2P0/qMJ6vFNjE0ozMi9kz2AdO9qlvQo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJHCPL6tSWIdfzsJSmc4qULWmMplMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/+yia4wl9feYHFiP\n+WuKb1xkfFIAfKIUtYz9t6qxft4CIQCqJx889WPG7vOSbgTK749AUHUbEAbeki6y\nVVx6TO7z8Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUIbVPY2OJB7MVdMpBK/7ulcw0pW0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASk23SGrb3ylNZmthVagtmz2q2B2qTuNosaPKlT\n4GmNj/Dbdvzz9QbEJ1MP0KVRp+ytG+4v5DQlgGWpoBFjNjNDo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFAR5ViTNgfKvcx3e/84zPQri+CJMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAnGucl50FgqBkcjos\ntt5c6ASrDP5Ljh+xCm1fMRRcjLACIQC0ANKjoulGqEvNnoEuz14X9joe1T81Wq1F\n1ZlKWp2jVw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUKc0SN1jroVvHeSgf/TsHJTLNeAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcWDcUu25H1Dy75AVM4qiwpy6McRwRj8MjJdj6\n55HLKjSJy7riVhpQoxG2Wfk+OmHRJ4bN5oh9Y36vd7rfZHQ8o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUkcI8vq1JYh1/OwlKZzipQtaYymUwHQYDVR0OBBYEFIjP\n3a14NsjQT82y1CAkd45qvAMJMAoGCCqGSM49BAMCA0kAMEYCIQCj2+/+gRRNQoRh\nFxow3NtpipfTUsB4JnEYDK6pzssvJgIhAIFVI0DD+3l8cTBThs3X9FfZJYzt1oDG\nyyPYGYlbE/Vv\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUK4VAfM3f/myh533FpyFnMEUUh4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQlpNLQLyX+bo7ePdm0skrzahqMIzhkE0E32KP\njtBCtJGJh2fO3ztxwlO/8BORtxsc9qX3l70drUiwBQ9LE+kho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUUBHlWJM2B8q9zHd7/zjM9CuL4IkwHQYDVR0OBBYEFFDm\nBiZMWmbiL4s7aDMxuajQu2kaMAoGCCqGSM49BAMCA0kAMEYCIQD6KIbkN9GZSvYk\nBCKcRCT7Y5hFtCL8jYqgraS7d5Zo1QIhAPQ1YkRpQcobK+tZ0+3kFNvMVFzQFg2n\nOTQLyL4DY6T2\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUA8RGSnpmwbCAiqXi+eTzvahN0nIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEISkhmcyvSFkpGqA12jQLwrpR7xC8yZRkZntjpw+f\nSc0GDNB+BSxIb/qIfXRafqyI0i6hJHkcXT5ApTWVW2eESqNyMHAwHQYDVR0OBBYE\nFB8J0pgbpqrkjZlY+QJN4EvBlyuFMB8GA1UdIwQYMBaAFIjP3a14NsjQT82y1CAk\nd45qvAMJMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDeU3DQGJMNmK/2D26NsrbxwBECeE70\nbSZzj8//SFAsxgIgWRoqhYAT5nlP2ey+tmXsXfqYI1urlLcnVJSWxJaaDhY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUE3bExB2DMNvXFnDsaxe8UVAs/30wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEN9YUyhhoKYeBYQRUdd1oF4XuhEMMqJBYedse3WJk\ndQBH5AjMYFD+trK5zKpuMPb3XXCSwcCb5mkhA5EsKyEdtaNyMHAwHQYDVR0OBBYE\nFJ0kWgPQx9EDT1KSZybTdsddOrVyMB8GA1UdIwQYMBaAFFDmBiZMWmbiL4s7aDMx\nuajQu2kaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhZt6SiMmZpidP9JIl2F2kfzRB2wv3\noHkHI1ejRe6UcwIgBJOTn4LSyXcPyvRMGXFwiZEApYnR8exDMQvK6lvkPYE=\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUejfgnxkwbZzrKpRdYLIXQcUKX/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnogrwzjjXh6aENJyD/9JzZZFMn4CHiXZh81De\nBt+nCUJaqJjp8hLmGhG2OlJJTWq/x79K48JAcYx92Py+nelUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ZlwTn/VHgp3q4XeQ++LataFTv0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDA3GK58c/THKOV3H1Mg2HU\notT4VE0NTG2SzciIeEDjigIgZ+1dORwRz6IMnCog60UHKAz7NeyAuBFzjyMvK6gm\nQpE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUWyUFw3IpllRe2Y/ScI4TfMESJWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqCERV67FkzKoFLErFFWosaItsqGnJbp6huE4d\nWTnPiKZPudM+tYSTwFjSpQ08S/XyGaH670uU1n9DusRG2bklo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICzB7NZeEUFLym1i3L8HM8SQ\nKUZK1mBPIT+9jfDXj8c/AiEAq4iShV8ivF9W/J2pKNotGcNCg2Z7n3tJkbAvW5jy\nl4A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUNJuCSpN3R0vdTnaF0NropGu4FNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT5r5fNvEaXLjRow8g24xABAwqSoVUGyAfnd3cO\nZEb7dnsrWdAzf94AxlZAWGcfufDJ6RGVTflvCZSVQYFqHqqMo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU8ZlwTn/VHgp3q4XeQ++LataFTv0wHQYDVR0OBBYEFJTj\nEklgq4CdCYhxmKaSgvevNaRiMAoGCCqGSM49BAMCA0kAMEYCIQDHUq/Q2nGxXOPd\nEP7Yw/GzXDb3EuQLH34UDzsB8ikILAIhAP5MjCeOPh++HrCyYKHmb5eSK5xNDt29\nhss0OnlePQx2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUTZkg8wlKBRJneYLuC0wjySJ/H1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIbvF6SK5o9VtHqflKYn5eN2j+Od2aX6D9Te37\nDD/EMqk8rNAhfi5w4455MGnufeXLFXlopLMLSQW2ldzWyX8Uo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0OBBYEFOiE\nlVHoeU1GG13AGa7kQV2ZjDXIMAoGCCqGSM49BAMCA0cAMEQCIDY9lAGqTYbO4Dji\nrZbJBrxbsRkbUVUgnW+BWDP24iDmAiBYCdx6LQAi5eP9e8Hoxbp9+KK2q3bu7CgC\nur31seYLPA==\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfRNQOm7IhUPi7+FOM23MhTBLVjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARskENqVnNwq3OMGBqTSosV5G8zLQjL0NQE1A1X\n3v8HVMgpBWOtDcaIge56seHpItM0nrdJyUOxvXG1ws74wWH5o3YwdDAdBgNVHQ4E\nFgQUeBiJPxwxSWkp7DDpYNy8sPWpYCEwHwYDVR0jBBgwFoAUlOMSSWCrgJ0JiHGY\nppKC9681pGIwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGq2TZznDirvF4qbalOHKkp9\nQXvu52bjrK49d98RSe3tAiEA1duZBl/1MKUeNXuMleO0P1naDOjCHt1oV4uiQzIo\nNnk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUX0FCGPG3fZyz17qlim7Loc9sYa4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8MkuprOsz64hXgPEGjtOiWXzYAv3O03WYHzcr\npWySrjqBEeoe5O+vraKDnGNKu8pRz8UgCTV4x9+hsI4tQoaCo3YwdDAdBgNVHQ4E\nFgQUWHOdLfEs9d5AAfa4Ymr6aOLxwJ4wHwYDVR0jBBgwFoAU6ISVUeh5TUYbXcAZ\nruRBXZmMNcgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCFMOP0hcWpiYyR0VaJKbaa\ni3zGQTq0DEkVgBCWPXdu4wIgH/YLeYmhUY8ok8vZJVKbr3UCDGzSBilK0Y+Cnsc0\nzW4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUR9cr4xtX5vJOVpVC6SO5yjcw5NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSiMMkpT21O6kD3ALMiXO0L60Pkiez6tJchtg3\n01+FBr6Jo44cx6nYVM/cnvdY8ox3ld7KLcFpu1nRwxiswVj7o4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRpG+wV8REH1A9/HWQfO9bIHzr97zAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBVZmIOIC+8SC77Twz0wX//aRJ2gEgbSYFb0IqYjT/bjgIhAN8EAq/F+vyfjCol\nw1+/tumJvx9NGP4QV2f/DxwFIW1l\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUOxNknRkB3g2NknZgf6NZfHBI8m4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASC1SgMSOs89NMcJjQpkifDHvJrWU+1uP1QF3iD\nAMLCR6vRe0w11CdfYnjxdwv4BnfRof2uIvXsuGg9W3pFNQpco4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFZCSY9vaoppwkV8eD7M3MWjsWqTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBoUGRV8OZphos1TDr9NbkP56tmphBGSYTkNxwu4RWE9QIgX7ZscrMmBRUtj8px\n2VmYCXJY/OjIpYjsb5F59Du9zVs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUJNZcVtj4Rj8Xx2J0ZzTOlNLDWIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE91YMmSQ/sa+heUnIbA4XGieWpyTbmYt2mekQ6af+\njHERqzwUOyj7djSoMhJoarsvNRK1Lnx7Y7PEfK/XDWOGxaNyMHAwHQYDVR0OBBYE\nFLsqMTtKUbumVtO4qYHErOHAivUXMB8GA1UdIwQYMBaAFGkb7BXxEQfUD38dZB87\n1sgfOv3vMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDK/vHytH8QK4HpudxBqqNAaXCyrGFq\nNfRNkfuJcT2afAIgZ51QukD1EsN6f94/Eh8uyu7Wfx2Cgl56OKODMVWBYi8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFXD3RcWfTlcBZIbCuz0tG9q8JvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKYJE26AiLXy6adIfBOk7UJ9raIXdOVRiEVBATiCy\nXrYhvYRXpBgG1jjwQyZnwP5T777QIAr+UWW9yoD9+Q5uHaNyMHAwHQYDVR0OBBYE\nFCQKmR8INOyOGtq5gXZTpzHtI0+dMB8GA1UdIwQYMBaAFEVkJJj29qimnCRXx4Ps\nzcxaOxapMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB0oYq6pHy7TmvP+8MPlIQDopJ9wC8Cq\ny1nR7gog92jpAiEA9GCgEIk87qLfRmmRygCqQzYsHte84+RQpjFAh5tMZFE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUfj98XYCNm6zG4bD10P2lX1TyywEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtsMUlXCPYwCfp9blr1/mTwy6Yt2h9+LhHhTRH\nZFUFwLWlOU63apLHAtxKETZX0xZCfXyFeaX8iOY92/IA0jebo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIZGOWLHcAEI5XfulCPC/nijyvuswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCZf2cLusSylNUYKYWfhDKezJu+\npjZI6T6ODzqjyNmCLgIgZZR6zKVnw4OO0fYE3gmWmrMirkMYRF1uDvcz0ZBEseg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUEtoJpq6CAeejDqxskU11AMJnK8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ7rVdyDRleygCm1n19dTl6cu8VxZ1s/+aYCuu\nxQbusWGgbirpXMPNKq58NMNRiDhEKb2U4dDnp+jDNv9ThqlJo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUweUivU098FjRR+utqY83iGyAppkwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIByOh7oPfmvrgbEwVVl8MlX5d9Yn\notP+TZR87I5X/IA5AiEAj0SzNrXvj+Ix3SesPcx3Yi+ypR0+6n/Wv8SVQrTeJVA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUHpmmOVbBT0jE1UU7sBr4NOjRKV4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8Ez8y8cGjzDrSMJVNMCftL9SNQVYyCjzxduZIMtQ\nkUsqxQ4mRgATSVvYHU1l4IlHMej3SSmDNAivzUy833dWbqNyMHAwHQYDVR0OBBYE\nFFX+jYeJ03cv92TT6ZufsABdAibcMB8GA1UdIwQYMBaAFCGRjlix3ABCOV37pQjw\nv54o8r7rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFjgL3/I2BUMPENItBUTIWRZNOufm02t\npntYXR0J0W7VAiEAtXOSilA29SmrHHyGcB1NdQMgbL/Nrbhk1ewmjJThOTE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWCJs3XC4O8dA9RaiGgCaYM6aVNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEp8AsUFRpxF4290mVvc25ivlmzpqtLbXDmkPvpkxR\nXQUxP3dsPp0LwXiPu+8rng2Z5AIlWGMJtU3Gpkc1vRK5aaNyMHAwHQYDVR0OBBYE\nFHdLS6jTBjK2tJnvWBKcubzIZ391MB8GA1UdIwQYMBaAFMHlIr1NPfBY0UfrramP\nN4hsgKaZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDPChlZAW17jcdQPUGGUCiWTboN01l3\ns8uIzyRXfBhBJAIgWjf5LUpN3S3fvN+EaTCZ4lCc7/q2AfkM2y2a2ND7w3w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1015,16 +1015,58 @@ }, "expected_peer_names": null }, + { + "id": "rfc5280::ca-nameconstraints-invalid-dnsname", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUEYFUoMSYuiaO5BULZI/VUCclb14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2nT4dEMRyuau3+IwZ7PP+tHL2aShGxP+s1wo/\nvCmD3pPDVGWu2uCCgYlDweC/4xl2ZKYMfVP1DF/4IRqgC6Llo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUniNq+RF08G/jhmjgQQEu7tdKY0MwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgb7ICiwR5sqxnwpg57Oit\nknS89Uf/eceLKdvLT2vtXv0CICsyWPXFYi+5z7vtJV38An8ybFYWVv2j6D8QSc0/\nDz/a\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUCiTsKQszyPPWM4ab80Lu6CzoVsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0rkfUNADk469+uePBEqZ+csY+johlap1B3zMKpMQ\nGwJuljVhq+09m3cEoCX3BtFata4shLLBuGli6/+uQpXhnaN2MHQwHQYDVR0OBBYE\nFOg9VoJbxop6L4tDCHe4ycJ+yZI3MB8GA1UdIwQYMBaAFJ4javkRdPBv44Zo4EEB\nLu7XSmNDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAw8ONQPgbCHfa2SGpoZH6J8xZ\nmjNyZWXdPK4ZEyk3awYCIDkDArEOhD4L8h9Fipuose2bQ/HkM2IPap97xgzv+yN6\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": 
"foo.example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-invalid-ipaddress", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUB3U4O0XDOWkMEJxrgC/F6wqVDmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKldcpz7NEZxcSLPheHeJqgHk23Bo1ND4zb/li\n5uAkFEnfYjiNn5Owcr0Msgene9NA4B26Ak+JNTu7W6fFPifbo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI8plBJ5bzkgtYOhuyo2CFn0q9mwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgPXRDmuE6Qfm41q2r60IjqJfz+QmlL0GS\nxr16BIrL3iwCIBEi4S7+BXG2yazdsSW1rfLyXDzzg8TngOqi0iQxqH1J\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUEUTW0rEqmY3Ox3HCksHqYq7ZtIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGdczDWVjroA/hjowFQPqEncH5t1jYfKH5MbdkrYB\nuVyaEHNqMerkx4Kw7woRrZbEhRx3HW6j/C0Tsi3+2j1kN6NrMGkwHQYDVR0OBBYE\nFMI74ptjBCFEDYMEsOztgPUJLl/YMB8GA1UdIwQYMBaAFCPKZQSeW85ILWDobsqN\nghZ9KvZsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIgDkDrZEG3KLbfQfwDoSryiX/UxwENX7igymdf98kE\nbWICIQDWOvzbcCSHVQDZ5oj9fvkDaSPKKlUv+RTFbLVl6rAXqg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "IP", + "value": "127.0.0.1" + }, + "expected_peer_names": null + }, { "id": "rfc5280::ee-aia", 
"features": null, "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEcTV5xaHa6FfR6ZsUFz4sXFq4EgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxHpS0X0AQmZR72bDwYanAKe5vPuvcwEtfzN1h\n/6xSvaEo9nkILLs0+swPqFIKc+FcShChV0MSaCoI8LttjDeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcw05+Vq4osu5HK5A4WRV4kiEtlcwCgYIKoZIzj0EAwIDRwAwRAIg\nCHPBsfRsIQuejdmJlzW8FVyDAmU0ld+Yn23BnM05/38CIBOan5m3jDSxlcmt4rOo\noJ1gLjoMJbK5rs0djJ8WSPQl\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUL2DZk0nAgwzm2jPEZ/77bTSrcGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmgE2gicycSkjppGz6/MfPqyovqLQh8zmhyYee\nYhqdadg+c7hpBR/XnHBtkyDnYxCYj071RbI6VFYX4Obz3W+ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4O853HWZJ6iu5sF3dzjP9szUQyUwCgYIKoZIzj0EAwIDRwAwRAIg\nIPc4A9/+ZEAY+Da3HKhmPeAcBNtnHCO/+LziYP1gBtUCIFfVCJuhw/WOHXFKhAcH\nDDFUdHKwkyZTEHhbpyj1fyvF\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXmgAwIBAgIUHbh2GMV10EiewQY973ItL52B77swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEgd6oFtHeZPmeBCHeW78V5L6+G0zdO3NzT+bHbzmd\nhaiy4qfvbdJ82562/sBiO0VAS+i749oJMSyO71ikuxfnhaOBnDCBmTAdBgNVHQ4E\nFgQUGJv6JPKdaW+X60QMYGh4gDfXobwwHwYDVR0jBBgwFoAUcw05+Vq4osu5HK5A\n4WRV4kiEtlcwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAgbw05nTvk3SS4CXUhKd+fcMg8Z4Y3eG0/i1P\nbeQZ3psCIBAWyV4EuLqnFjySCaSM7jAim8TG3NG8ljREqkySBYSN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0jCCAXmgAwIBAgIUNVnKnrjaWn87qqDMhVmg/G96o2swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVdLCgJlIX/Tn8B2P/RAihGPcg/8aiuJpPU1Mr6Wa\n6uVghBtlJK4/2RC2tsV7f+DBYty8wW4mlCKsNHHIIRsQGqOBnDCBmTAdBgNVHQ4E\nFgQUEllIhWRv2lBXPzyKpWLaimv8yB0wHwYDVR0jBBgwFoAU4O853HWZJ6iu5sF3\ndzjP9szUQyUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiBqHgK/9TQ3xGWfi6UcFP2p9SJrNKjZ/NL6aFh5\nPgx4pQIgEXPxeqafyygzZ6MOMbiTSsAFO4f71N1PBuBLhZ/Jdns=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIMdIrRGaRtU1uPEV+UKBzQZBXiAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThpJUjRJg5dkII2hlKs2KI7Og4LTRjUvqJaFiJ\nmvqq7x3Do+MGSUv0j8IsLDLZX5gvwuGZ2jVfcMLpnMVkhCzyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK09BgetWS0GW0do2Wr+C32uScJ0wCgYIKoZIzj0EAwIDRwAwRAIg\nNVcivBcnSmzKXEvyuNN9yyhILaDnGBpnO1YSkFUpjXECIFHk5m2G0+FSdKK7HixF\nGbsySWaJ5IEYTPFjct34DjVv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUU3oVxRgwUAalAOkZEzmjnHNeGfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG/b9Kme9JY9wQvvpYBLf3LsoROtKpAj4bvVV3\nWPDy6C9NwE4dsUCXjE8maJ4+0LkJTjcAxhFfuhoCw/Sa+yz5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5K8YjxjlDWnRXEFBVyK3AAq0SG4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnbMU4sNKYkvVJ29UirMVFTaVkchj8NSwteRC+n9NF/AiEAvSW4mLBg7SEQNQVs\nO/GPyipjsWaqd1B6ARpuIPXOoqo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUchjVLo6Gk4tNew65YpWhfonlew8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAELXzzqw2P04P72RUVXzneTnP6iw60SrFeG5txfEOB\n7WSZp6/AJw4prShovJ0XRAxQAjo2p6Hcf+NTwFcIUQCt0KOBnzCBnDAdBgNVHQ4E\nFgQU+fXUEELGe6QcpgPD4jm/ZQH/SoEwHwYDVR0jBBgwFoAUK09BgetWS0GW0do2\nWr+C32uScJ0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAaGahhn/zvkuSqIABK/qln3zExINeQT/ZH\nvOL7DoooIAIgOci5cat2JjDlIwkFHjTKCkUU3iyMKgVJdcTRac9cKFE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUCnHvC3XUwuoPScqd63RgGUMNCbUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXGnWazolqmodbj7IU+NF6HJd5dcS7pexi0Mr6oRT\nbUgClxQQtq444GJpo+JyrC9rB4wlxrc0Uy1C5CLra9dRD6OBnzCBnDAdBgNVHQ4E\nFgQUHWZ1TyeJPOAkHl0beV31h/q2JfkwHwYDVR0jBBgwFoAU5K8YjxjlDWnRXEFB\nVyK3AAq0SG4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBZR5Q3GzBusiotHytUUVK3/tHKgZ2XCP9y\nNsFTuZdTFQIgRmXWft/V5BHiQYZY3MPUA0APT3WCr9LqtfsV6xmFE9k=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTX/40u//NXzf9qtyisquxojcCgkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQn23PaMH78thKOp+IxbBNia5TLO/KoWOnRgIfu\nMuBQLVF4uSWix1ZFP+PfpiKQ6xVEW5xfmdzH4ovj5zFb/muSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LnQCum28WPNQogcsUHkH/bUXi0wCgYIKoZIzj0EAwIDSQAwRgIh\nALoYOZ4YWyAuFTBgAYUnVIPeSXjcNeazo/z2ezQoGQBcAiEAj9CB/gXMgffUoFe1\n+o8QBQiFqhvXaLiPgTrCdvVQ2pM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFkvoUj4nDntgR7sW/NTLDAuHNRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPPBp3uFnpjPB9CXP09GXdGsjFj5pglE0OvP7X\nDmj6peCL+qAXBySt6CKz64TSx5xTY4eS5a8o6XA4h0BoeQ6Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxVgHxJ+Br6lqUEitWAjL9MDcUUUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMA49x385gVyijvzJFs3yzkdF8Ii8sUKsICYQAmjkoPRAiEA8ZvkETmVHoNP61vR\nQfqeSTIH/c6dPRWHBqRMBVfDbGY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUXOlS0d3VlFsHdZV4tH7Hqa95f1YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV7nFn4H4\nWds3QHLaU03icy1DuSvCPU7FlVO0jkFVRdGjwnYsj2znZjTKUCY3CzY4oC5YOXTZ\nJ1UxNrzorpC0AqNyMHAwHQYDVR0OBBYEFNeCH0T4dT8ntGzmdF/eE4uIFbb5MB8G\nA1UdIwQYMBaAFNC50ArptvFjzUKIHLFB5B/21F4tMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIC5ZqhRCsNz7skY0Wnn78ZsuuCJuAsiPYMMRfrYbTd4PAiEA8SGaQ0SZszD9Twp6\n8W/uFhrUsQv8d9/xMu8rfBy57M0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIURcMzCmpjt1RmwBnUVdaxBiGnwYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeubdQOm3\nbw0PrksR5Z49stXQmcVNDCsjd1MsN9ZE8C37I7QgyNrGPDKXFOUzUB+yzsxHGaCs\ny6IAsI4tAub1tqNyMHAwHQYDVR0OBBYEFHRMrI42n9+YYa1L9IiKLTmWpU4KMB8G\nA1UdIwQYMBaAFMVYB8Sfga+palBIrVgIy/TA3FFFMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBPMesJldlJRMJ1O6iidTEEpyt7naMV5ICpMKCrRQ/IcAiEA3KdlZzqUk49CRKfN\nfBF2G1xYCjggkiMePwYRDadBK1I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1132,10 +1174,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDeicPaIIeIWSrg5lNuBbUN+9kpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4EkijhqribYFyXAoHWFJr+PqaiCi9pvYdgVXe\npMFPK6USlGKIxcRb+4JKL6QKN1cboJ0OtmPhoBYS1ar3m18So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM337NaE5ZrL5KWUv8BiZ/OiasdMwCgYIKoZIzj0EAwIDSQAwRgIh\nALoHVA3holVIBxS+OKCtkhE+6VIAqr8dB7lJVPYItXdfAiEAjXuLWghRPxWYZB8p\nVw5HabA8qwgTA0/+r4YG9XZrI6c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCJhLV0HWIqFpHmluAQC+qi5lDuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCT0E9aZW06sMW/fAD9Ys6vTw3VL5Zy1q/bhnD\nc2T4fWUUKTc+hgUcDrEHVPwcW6hMxmUJ7cVk/ReEEcOWSzhRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUljbuY+c6+huxT0uJvGeJtpvl1aEwCgYIKoZIzj0EAwIDSQAwRgIh\nANQVez50aTzq4nG7XarIMUv5ZRQ+WFigeLKEPzejkxe8AiEA/PzPwiahXMzS8scA\nN61cGERivbqweT+xhDrLBd+dQYM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUXbR6wHGcf8xlwQO8OlZBuAGcMH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpA1UYo4A6x0VK3xYFLVI/9BUKpQevG42zr5RMMFP\nCKkXbqSafqxboyfS311OAOs3HTVven4eLacvqA4unB8TOaNyMHAwHQYDVR0OBBYE\nFFFL2dwBYE0oVzOXI6RqpT7YMJ6aMB8GA1UdIwQYMBaAFDN9+zWhOWay+SllL/AY\nmfzomrHTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHJJ+DoZTpHVyXnILQ/u7EgFQdItUI5P\n8zc12SNBs3ERAiEAiSgxdG+bRgb7KPPD8gy8LyFOATtigtPM7XEegqr4lcs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUPIe1uc8p9JGOfApbd62KmoMXK0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpizKJsYvrROwdmmQcZLnpVDV63TMITnusX1YQ5+T\nv3OxIK0LXfi/Xxjs8JAtID43NxgNYYbXM88ilKxQCxODbKNyMHAwHQYDVR0OBBYE\nFCCa938/Twumf8rgJFDFAvei8Mf5MB8GA1UdIwQYMBaAFJY27mPnOvobsU9Libxn\nibab5dWhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnLeqYF6+s+MRIfEVgErUm5dVLLgVCe\nMqqC7NtVEW7AAiBaEIltx35XSZ89mrSnlTknubH10ppvj7sii5qZCNSbPA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1153,10 +1195,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIp/opegRXduaFDc5NA1aaCBp+VUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIU1zWEs71yAtI+5ubI3zq3LN7Xg2co5KEUJqB\ndItninQzPW2+zxl7IzpR25xDL3abuMMRQCOaEQhul7zZNZmWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhq/kWu0dh9x4HjQB8++7rhcxChswCgYIKoZIzj0EAwIDRwAwRAIg\nYaab6khaRKQ7I8Bx5SIjr0jzVvF/ArKgiRyFsH+1Eh0CIDnQEI5r7wZy5tYtn+f3\nmFeAeBSEdHorbXfZ31RYlW1E\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeCG4c6nEcWkwuPc++u+RxjUZhBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiBGBLi7jXZF2iLs5vs6IBVIJ+yYk8HSoyJUdE\nYPcaLIqgNco4isTqeSSXR+J3DDsllzHFNc7HscPCTanImUHFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqDhoZqtkjgcYrNMy3RMT4OJxEzAwCgYIKoZIzj0EAwIDSAAwRQIg\nMTPiwnTON9o5ehTO9G4Z+wrbsUHW+ujhAPmzYD2QFtcCIQDPZKDAqes7wMW+GeKX\nhCULCC+SJkeipZirAVnATgw1aQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPFIVEMPOTucJSlxa5qYrP+1oibEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqZ/lqHtpyd4lcJI1yZQg3I9/yaYfmj0tkzG/YYmK\nKhB9KiP3Er9eMVPtCwT2T/e0783RSWGyhCWsQq2KLglXqKNyMHAwHQYDVR0OBBYE\nFN7Z7A6aN2/U1iKYv4FJO5gNrhdPMB8GA1UdIwQYMBaAFIav5FrtHYfceB40AfPv\nu64XMQobMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCz3xADfveL5bkYcZ1B4/DCTH2CvjCy\nHrt8T6mfov4NhQIhAOZsXRtpQ/V++wCJiGyv5z1005pHiPsfDkrFY5k/b5Ko\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWbzbyODwOTcHxs56i/y8Wuv5RHMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/iBo8FULqNuJT9zjTQHMLuSXiYTiPUjBVfinM4Ee\nw6V+fGs5n1Q9N8C68JqVUpDOJ6GJMn5hA2QTyqkxIKVVCqNyMHAwHQYDVR0OBBYE\nFOW+czlMvVmMXIik4iUvsX7MMqYRMB8GA1UdIwQYMBaAFKg4aGarZI4HGKzTMt0T\nE+DicRMwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5kC4Vc0uDvCnTcc3siwXah8j8p1p7\nBdwS7buWfmM2YwIhAJE4oMIr8p0g82aBCzvpAEym++8CBtLqpGC4Dr4SIPgV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1174,10 +1216,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc7V2Gasj7y1DVUZVnByQxvmfsRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXXKHhRFNAYJ1CG32Ecw5JULxQsaC4INfL5RjH\nsS2HNJ3VxT/vVIQlOjKlVSaBC8oqhLlIm7RelRiRxZsOFZvGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJkmOIwSz288YbUqHgT5SjuaWDs8wCgYIKoZIzj0EAwIDSAAwRQIh\nAMVMZLBRwZF1k3MoTYBwrYwN5neo+ayr2xAOZG36WraQAiAfG8p4siN5qF7dBlwq\n1xpACTQXG3VSUA/ZYBBtymB7gg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOGmPlYIIxIJMMCLWjtvCZMal1/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT79MH3jKtwdp3Ed2mQ6O6/HvyiIHFmNOYNS+6O\n+Cq6P/KMLykZfkNmekBUYg6UsAN35On3eYtPTw7Lg6qAZlU5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVfhpEQSPm6l8+q1L0DAVXAKMatcwCgYIKoZIzj0EAwIDRwAwRAIg\nacaVDePHwwqxBiHmXLRmR5BhEgOJjEWH6sU1gdttHwQCID1N5zLP6m4V/N89ccmL\nHCruCW1r+GVJ8naUCPnk4ogu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUWIzC8h63wnOk/zETjzWnsitKQGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBgAbtQTJbpjmxHvjI9oXicPwksvMvHzBwvHhx345\nFnK1c6sWu6c+5N6kyOOdt7Xg5TCWFDC+RBhavn6NQRzdHKN2MHQwHQYDVR0OBBYE\nFFluHdNtyl8b+fVWuH0vB7SaevhYMB8GA1UdIwQYMBaAFCZJjiMEs9vPGG1Kh4E+\nUo7mlg7PMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqi2NapqFx3L6pl/zVak5mh58\nS6BHMn0hr5e5TeUhzlsCIFCVHiUX00wtfeFdFEBM0wQIlMQjtfAtEPi93qw0LvTQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUabgJ2oJA5BCnD6Qw3J+ZDq29FiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKSRRA4u0ScGvjcSDQ+V/U+fHtHEs9sViYYfZYAal\nBEgCDToijwyJxZM65eqU3pIepF1iOzcC01EDmZ1qXPjxr6N2MHQwHQYDVR0OBBYE\nFDv5J31g+pbYQMq8lUlI1+h13hDRMB8GA1UdIwQYMBaAFFX4aREEj5upfPqtS9Aw\nFVwCjGrXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9h/4THSmp/+7wohOSfYUdYRE\nxGUpQUsoyEVntI/ge/oCIEYDs24QtVBTojBbC7LJOOjiqXCW5/A473DjBl0VlMGp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1195,10 +1237,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJIFZvYkZmgd18sL0yp6HOC6djMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrSke+Vi0FoutpN6PLNAe2ak0iUqgkVWdColNx\nQPo6DnBMLu07kL+UtY1jqf97VwLxVnx12fx0gaZxW5YAmLKBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURxorhfWuRIsiq0O3P6RcQ1hour8wCgYIKoZIzj0EAwIDSAAwRQIg\nMnivmee8WeHAg8abCK7PJXv+B+zRvD32QOJQbB709moCIQDBiADr2Jmw5g2BPQK4\nemavGYui8m+v1RCvR/+FpuBBHQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUThohgt8Xz2P0CDqY3Hkjrxf4CiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAqrmg/y+z1tRUZ/ulVoNV9LIACtrOoe/1tp6T\nTsfQXpv7TMAO3scWXQkkCqkDAle86IgrD3s07sO/Oy7qtRYHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkd+XBeRZXwgkKzt7Ei7iJBGP/7cwCgYIKoZIzj0EAwIDSAAwRQIg\nPjCmHmcg4sj5UHn/qfrU4oMo1+PZ1cezB+5liT7hOA0CIQC7Rc2yt/CWg/gGh+c/\ncHMZbMnBrO3khh7S35dAAehYfQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUGa+oS0/SaJxjvNJON0yxJ1TzoJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYJhTmNaSvt9y12s6D9VBVreDW3KC+qhXiBLpkbpC\nKc99Vl2YEAfYVXlk6kMt5+WqJmX/ApQ4qzGk3MpXQcEAl6NyMHAwHQYDVR0OBBYE\nFGNc1DvpPyjBd3txgEYlQUIAODQ9MB8GA1UdIwQYMBaAFEcaK4X1rkSLIqtDtz+k\nXENYaLq/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUCId077G1Tze87MmbeBx3wP8UEGOm\nKw4PTlnXKeSjDQIhAP8LBrmCPGN4YHV/H30fPNdEjM2ia2PU515NoWtBB0YC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUfYh31CnCdzI9mnPut9Gaa1EGaq0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYf0NTQ1KFIP6Xda2U8c8Sg6XVRUP8f4sNSsK5Z94\nI/BDFmQTaIyBmLrPfc1CbbS6k+mWfS8s36gatJi0w8WVJ6NyMHAwHQYDVR0OBBYE\nFA/JjqVPO/s5gWllhL7/bLwl1uB6MB8GA1UdIwQYMBaAFJHflwXkWV8IJCs7exIu\n4iQRj/+3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIQDCXX6thqfiDd4LYvYjYGiWkbxOVxhM\ndZOPpCldoYwXDwIfFK56cet12ILpbcTLp5tZnZ+AfGvsLmoouHXKDLDl4Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1216,10 +1258,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJ3p4UKKui5ta0tlBkpQLsDYxOZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0+kVNZybYbkpZm4S48FUtVTEU3TMrQQsMabe0\npqH9DCv4xa0IS/6AKjNtJ6rANxNiThvJx2VE86ale4xJcDroo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmCslXqxOgsBlvtzpMEFtE8EKBgwwCgYIKoZIzj0EAwIDSQAwRgIh\nAJos1KZg6r3hLlevPrxvPMvfb3imShqA5wboaiBwWh/rAiEA4lc47FEt0p2ezP4R\ntk8Joq57BMHMpZdEF6h4lCc9uz0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUC/IWlMOYevPFCQBvRfVcmAQzMLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0Kh0/PRkY9l2RquvfdEuZt/HsPKcg8gaseVIg\nj0vhXaZMFYh88hTFNp6d/z07X1x4qVSjO0iGEm2nLWpVCoU3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUScTZyj5bpCz1JS2L+k6qjuPLtPEwCgYIKoZIzj0EAwIDSQAwRgIh\nAIov1SRvSBeJTP6U3zpBmtbezuaK4djOyAqOMGy5Ia3ZAiEAr5AZ6KwpfCg+sZnG\n3BjU3QMGeHbtrbGckLIlU7A63xo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUTs3TDHUFl6WW0YlIUkjFTW9BIAAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEuVqJ5ar53T+f5n/VrGLa/s9EOJVaSPuflzpIeFb+\n2YyKYQ82FUXqagMhqJtlpueHH+7Wk2BNOIuPovJZwcgUm6N2MHQwHQYDVR0OBBYE\nFBAxQPC1nY3EwZNAFQYMphHrvp9WMB8GA1UdIwQYMBaAFJgrJV6sToLAZb7c6TBB\nbRPBCgYMMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkDd69f6sX4M3+yVxmT1v5FIs\nVEdRd9CrtQIrz33wXikCIQCGkL5XJ6iiE1kYuVpSuTYaq3+3HLOLKUgXaADCrS9S\n4A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUY/thXtqgBYK83RuX7VYVc6qzTyUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/QO1yNt1LgB/gDHY+Rr9V40C+7MtMkx0w+rYl/8A\nsNV6ogDdyIYUPXo/dkfwKOZAy/FF1a1LFlhLlL8SuA2faaN2MHQwHQYDVR0OBBYE\nFOlrwkxqJ9Ar+yi9iO7P3fj2WLwAMB8GA1UdIwQYMBaAFEnE2co+W6Qs9SUti/pO\nqo7jy7TxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBVJfmC5gcR4HocneeMV2J0FEkJ\netRqxuqUW6gmV7+iMQIhAJgy3voSMdoc69JEfETj2lYB2GSN1rhUar6HG4fVFTuB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1239,10 +1281,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSRNRh7fSsJ6NsEUt+W38UWe6jFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0bMM7AMZyoT1Sd+87XtEmTNwM8qMKTC0s4CTV\nai5p9EcknNIPplgKTopIaF2j2LMepkixaV3KGVyW7SKQn2Wwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOm5FBVRTt0Ih/gaIXE2B+A6+8WEwCgYIKoZIzj0EAwIDSQAwRgIh\nAOwmEfqPVHHxA/6y8VN6y3RJSgCJYPmJ68W4a2YN5bDJAiEA4djvfCuIn9Kl6+fU\nL9YUTVBrS/glRm0oQqMPZShPcYc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE1Ez+G8Fp5IIHRQk91BUj25aTNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv9OBC50OmFJYoOcc8xoKMQFcT/PCQ1zYKNSoS\nNQADuBPPweR24/8WuqG01WUMi4e0r9sEUTkUDvTK0u6atIl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnUI6eWBtmFLmPfar+Qgvi/SraQgwCgYIKoZIzj0EAwIDSAAwRQIg\nTxhTgIi5SSjqQEqp1I8Q0g0m9YdciiQIWFX+mMqxxG4CIQD2xa3n8k7G5HX6qXou\nJY4JkiHwKDUCvpLC2q8X/nj3Sw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUigAwIBAgIUENOlrWVtl5flZzOWs7Im3jj5ywQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1KdsUSzXac3ovSeI8udpgE1rl912A4ePvChfSRS5\nPEDVGGFqF+QjnRMmih6cniGTQReZ6G7H7fMqggEgMKpBTaNsMGowHQYDVR0OBBYE\nFN9VD4gLh/XzHqUBsdjdvsKFiOQKMB8GA1UdIwQYMBaAFDpuRQVUU7dCIf4GiFxN\ngfgOvvFhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0gAMEUCIHbaI+y1CJ+bBHwQM37aV0gIazHrWVpsGkKwsq0e\nG45WAiEAvFylkj5rrmE+f0Ze/Klk39ypGdkuy+P4JP7UFFS8uag=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUigAwIBAgIUPGCQe9O3ObeQrwbf4uFrdZyn5QswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJ8MP02FUodQSmPSXd6RiIK1RgTbGtff4G5qhkGvu\nAK0Japjdw8IOetDQSIEkZgte25TNrsLHjEHAE8LaPGE4VqNsMGowHQYDVR0OBBYE\nFJ/+w3raWjQ6ms3D98uGRGWzPRSqMB8GA1UdIwQYMBaAFJ1COnlgbZhS5j32q/kI\nL4v0q2kIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0cAMEQCIH6EpdhXCV/G8ydQqMj2r0yuqQCG2BheJ/X/m5UE\nGofsAiBp2r+huPgj506hTxCAVWtaypGH5Hrgt2ivjJgfh53ZXw==\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1260,10 +1302,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB5G4YJqeMfTZD5cB4pRS00dWpqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmf5FdExl1+YkDBP7CFwlZzPfm/HT7YhO6gJ0/\nVePCE+Va1FBOKzxupQhKy9FWYzGcxpJkMkek+oyCmozBl8AVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNlq7RzNkE5seBGZ++fc/GS753PUwCgYIKoZIzj0EAwIDSAAwRQIh\nAO22wSRI+/WKzBJT7H4Vd6RV3CiUA4Ez0NFAHwIAgWRWAiBGlpNCDV0LanL2NVBT\nfwKOcSTaUkgFYNYPjqlgDd7Qcw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWCw02c1ZByJeHj3nm4VskmRa2XAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYvKtsA351jw2podUbGuf1zURI5nq8P7+RQGNl\nwvYgkJx4DkyJIPsYhKLEQRbR8sjY18ceaZhj0rtkHDIygtjOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXufc55zdfkxGdOsUunelnyuBP+QwCgYIKoZIzj0EAwIDSAAwRQIg\nGrPzVL06H6nHRXPViXZpG/6g47hBLfITYNxc4OZNB2MCIQDc6Hzd+lS0sCekXNBg\nmRbKG6ox/VYn6Zna9mPGTXXtYA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUZL60NEXRJhiGR3HH89E383q+IZEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEh1r9TxM6wZPEWkaJfr3S7xTjDQ6wt0LEkAaYO8XL\nF6akTKjhGBEja5A+CmqCW5P9Z/X2elNG6OETheq+qDxxxKN0MHIwHQYDVR0OBBYE\nFItNgUY86LbY/bms42PMsijXJWkLMB8GA1UdIwQYMBaAFDZau0czZBObHgRmfvn3\nPxku+dz1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOyVh2fyoZAB6vXEetaa0EHQvtAp\nS5Wf8PG6r5+yCsB7AiAvrzRCC0HIZpown5kLAN+semxTiuSx/511GXLWp8cwVw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUecT+6PlepK8VHquHuN6HzYsOV2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAES5ArpZKvuim+xw7hbjGglRsbjRwEQNC6iH1WoqTb\nQ+pOHG3FcFn2tVCjIOJf/0fSXgy6Ae112wg6NAumP/b3BKN0MHIwHQYDVR0OBBYE\nFJreUnk13r8j9PLNqZm85zLwJerXMB8GA1UdIwQYMBaAFF7n3Oec3X5MRnTrFLp3\npZ8rgT/kMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPaoZiHniIfgOWIzFuFwV+89Vg7P\nNk9sXgU7xgh7a3FjAiB87TqziRz6jDDxuHK7PaKSQJfdgmHBrJCEzEUCK43WUQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1323,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXYjbJITS27pt4tFf6bP/C6IVtXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAXt0opc4ttfavsIh8XoCczqlTKmQSnFgpOtZ5\nxkmszd0yIeUUpWy91HeWqqGXjNV02MyD6vsuuSQO0gFftNkRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUTtrNsVHZOJ/ttcHT+uR8TSRu+4wCgYIKoZIzj0EAwIDSAAwRQIg\nbCs5q/FDKnJ20xGi/7e/fDyGySYnsUvNf1jgiE7SKbcCIQC2lXGgWtvXFrYQoftd\n/s8V6cbYSm+00moj6on3LBKY1g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEh7Jh3bIUr3XsnLFdoRkxk16gJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQvebXjF5ENvFw++u0jirrm9Kr7KqHA+7F6zlin\nDmDwb/j/9eJLKN8HwzbWQ6JhsnE7lC+wzan1XMb3VblFUXaFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmkpe3vdND4GvOAQuCpmQIoiS/3YwCgYIKoZIzj0EAwIDRwAwRAIg\nBioe8oaUfjnXn942pTXI4Ompn8KqGcuyF9A+q90QcfkCIAnVzdWQpBvgLv31a5uI\nl2y+xIEfvl2Xl0C8NSqBXnxF\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUHD3pXfhVatctZ0hhvh63KxeyBIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETMHxBaUH3I/NizpE5jrL56xU1ITfugsmD8enb3Ty\nyDGcN9zqdtNcjRoT9zXqadyIKdlDS+oEJrvWsHIJAgEJ1qN2MHQwHQYDVR0OBBYE\nFNNNVeCwsvxlkUMPPuqcHGlNqeIPMB8GA1UdIwQYMBaAFFE7azbFR2Tif7bXB0/r\nkfE0kbvuMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzpqePRE03P9VxfKdfUVdc5ec\nzH5VaHDE8r5vX+m+w8ECIQD2KtzQZm7NpPbr9jSDWtFESsbg5fYdkDAUt8fHX7wL\npw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUAueeQUXasWyJ+Id5zi55y7+NmYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEt6rMI5v1JzNbcqrhCA9yHS8LqlAYWhiuMaZ4QDgA\n/xo+F1DEXU2vm1n9zw6QquJA2YLhvKnYF8N8pPjRChTj/aN2MHQwHQYDVR0OBBYE\nFKuzQVJr+MbOHIPSYDv7lDJ8dkZ5MB8GA1UdIwQYMBaAFJpKXt73TQ+BrzgELgqZ\nkCKIkv92MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAtP+23lAx1P0q3qmwEq9WNZqo\nU5Lnar6MTbTunlba2WkCIQC85ba8dkdJ9f6wB0OehDo424f+ckWLHDhdmgXhWDEK\nnQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1302,10 +1344,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCamyA8qSSKP6P8fe6Trr0R6e6nAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxJItl/KiKakKoVsG0SEJt1XkyvvqmVgRPa/nZ\nwBrxWouDuqS1h4hVTxKrJw2AN2B4E/Clp4wZXDQONTwBDan1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG7SNju8Pw3Z6AemMZ1JBbTSbyIAwCgYIKoZIzj0EAwIDSAAwRQIh\nAL66MpTPF6+XMooN5eLkhU3SDUHahPPSvrvr5jCX/TFAAiASx+zOB3M1V3GasL7C\niflELuBstsVpOBCo93CKDivRyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULvYmlsUZDi1JltJq7dMpElEdFpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEqU5MtxoNt3amrt5DL6+y3cwo/jS7eGYDGlzG\nsHCDAUsxvoEEKRAfxXLv3eZNYZfu2b1E/bo+6D2fcbkUiAywo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuBt8ikoYh+C+eTnY7VwZv7eHBfcwCgYIKoZIzj0EAwIDSAAwRQIg\nE66jnyrOFeLGEK8VdgeajnWiMGcZ6z47ycnzF8gKTl4CIQCfrCNXlSF46FcZiLKi\nt16LRugZnzneYj9Wv6nHVpz6vQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUdLYHxN1kUGsZhActmOGMWOJNud0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAENxPpoikindoiLz5mTz6wyBwhma9mEK6NdOifTUj9\nntoRa5g7YyiGff8ciPYQC7HG2ieIeLF9gvlvNKkyxSZOK6N4MHYwHQYDVR0OBBYE\nFEQebbZVu4LG1CJIYo6mVtRdD89MMB8GA1UdIwQYMBaAFBu0jY7vD8N2egHpjGdS\nQW00m8iAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCvdmpyp5Wow9dq+xnwhi8U\nMsRh+7nKIDahW+auUbdkMAIhAOIirsX0bpl2C9DOOZwqarmKXhli0t9CYEVIKeQB\nJdYo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUd6EwEtSpVNqZlzZ8wW4KxAvJTS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERDNmdcT/H3Ni9uIezY9NQMTQj3cHP23g73Xoexl3\nU72wtLd7FNqmjRRLivVO6QV4vVBcxMXZcTZbwHG/35IWhaN4MHYwHQYDVR0OBBYE\nFFZDUHHs/YSjeUIOiq3PRuYfVKomMB8GA1UdIwQYMBaAFLgbfIpKGIfgvnk52O1c\nGb+3hwX3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD7410AbwKLkt3kFUH91G+9\nEXCCJeX2wpcHBnclSTWBLwIhAL2jMHTWlIovRltF6dNn4Gbb+JiycCKBpvq9+rAc\nsyS1\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1323,10 +1365,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQvVraAlb6ha1sL+QvhyL8Ch30jswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARatiTa6rg1qvBI17GhTNhDI2Dmc0LdNt1YT3qT\nBFHmt7WK0MgkaIccdjQzkgRDuQh7xPwAOQGTGT7yQmnF223Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVh290n1bhAYOhUas58rpp4nhhIMwCgYIKoZIzj0EAwIDSAAwRQIh\nALIxLd0qM3XPL6sUEg4eEqwYRFjAIDPWOOXdQZBuqZBqAiBu/n00xh8Gne504As4\nMghMFj34LKW719dEZXLOAdqzTQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQWw7sgVkrQIdw4fME0vInkMLlmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1blFe2dYlsRrZR9Thu5nEM77FQkx0BpQmP/bz\nuTa6RI+/OFLPDUDk6pRQQ3YXKnuMvio+kBa68yjWLqudy6pJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULfWgwQxuLxSvdW+jW40Bc5AwEXAwCgYIKoZIzj0EAwIDRwAwRAIg\nD1vbuKAQU4KvYDVFZUj7XLwyfkm4/fbiJaEF+lm8fhICIDNJNMExQgFu5RTNFMbS\n/EHaA9JVaW+1tO7ODPvZKuIj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUUWEh69N/Ko9H2l/YRyYlP2MqfDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEOa7QrT/XRob67hAixOf4jQkqRlCUkZaD4WQ28ssw\no6kEdXfks0JdYk09lUSAElBFEtBhfZkALTkyCg8lIKjd7qN0MHIwHQYDVR0OBBYE\nFEbuNGr5syZzlxhWe+6xa33caRk4MB8GA1UdIwQYMBaAFFYdvdJ9W4QGDoVGrOfK\n6aeJ4YSDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHiIHINuBV01qh7FMPs4PTVms29YK\n4+s0/mN+Cro8+AgCIQD21wdciRQkiKjGeiPvHh3BaIlA4uW6aC6SMn7U8RSDIg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUfQ/sQP+V9d7UkwIL6Fxc94ycgGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvQzm+EDMvyCnCm9MMUExEyPNmmIVKyubbD4bvqph\nfg3aJ6Fc22FqF45WAz700nVjREzoCag0f6kD0GNybHpAZqN0MHIwHQYDVR0OBBYE\nFDgg7onMsX+T00h5bU4h6lYbRxCqMB8GA1UdIwQYMBaAFC31oMEMbi8Ur3Vvo1uN\nAXOQMBFwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY2j276lwwP5MG+NR2zfoCtRXv9Kq\nGfnqzyg2ltT93H0CIAi4ORIUedv5xuj5UEP1e0+6Y3C5G9YC5Wima/V1vLJb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1344,10 +1386,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbwCw3YIWj4HC5mOoHNpJVW8kwdYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyfr8x0W9TzE2Reux+mwEJbR/g0k7v8LkiTa/S\noS/Y1DLVs2gqPJ/199tVnkVKDzglk+MPYqGRfsE/ZGSIKY2jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEK1vtffOkYzWMA/1XRi/D8OPDxgwCgYIKoZIzj0EAwIDSAAwRQIh\nALndZVMs2yR/iMKw85QjtEM+R14K+d8rZNCvxNOZAC4DAiAF8JoLX2Le9fhe2lud\nzx1OL/PnPMe/sfdDhIWWKJia4w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGQR4qDrlxzk6dfMF04vk2pLvDJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT145MhXl1QOr+QfDvkkJY42mTASugsqjz2FIAq\noms/DdaNZ0UHBHaW2mzrbvOR4tzpnL5heyP6L+Ht7cpjXwM6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiavTbKz03U3ueVUQaF5Ebi33EkUwCgYIKoZIzj0EAwIDRwAwRAIg\nWQDRPxnDdkvtYFuoSSPdPyZgRR1V1kIew3t31e79XUYCIHgcRZTDJyjLlHS9Tnby\n1Y2eOk2bHjH+LtuMXZGj4swW\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUbiNyrm9VQjwYU4alowtF7mmbc4gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETiaUI8GzV5nrbXarS2EpD/GNfjfb8Ek3PsUatYXS\n6VMal1wENMaGm8NjysGGppGqaI5o40reV8u73+cRELSGt6OBgTB/MB0GA1UdDgQW\nBBSgB0Jzm2qu/8MfxtSXBeKHuNFjADAfBgNVHSMEGDAWgBQQrW+1986RjNYwD/Vd\nGL8Pw48PGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiADnVFQLSJr\nYOCmLR5P+UWverKvKZyA1nkYzcfnfT2MLQIhALScuvvhbNUUni+f4xuLUtsUFXcO\nmnYjkm4KQsX+RJ6Y\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUXi56JvHLGvD+cDp0zGQ658FBIJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXlQ1x1rfF5Q6ZbR3qTsAc6/hci4nES4Z725Rdyjy\nk86ifH31QjdzOUTPfCr9FKMjXMVOsP/0rUgvrsH79Tem7aOBgTB/MB0GA1UdDgQW\nBBRiM3sNkEV0n3273XpPSjKdSvqdRjAfBgNVHSMEGDAWgBSJq9NsrPTdTe55VRBo\nXkRuLfcSRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA2x62LTXT\n+qHDajGk/gYABC7rtIokKR4jdAWGoH6H0dYCIFz1KlHRX/l7g5x4sK9/zzCRkxSb\ncZtuZgnwJYGJnWF0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1365,10 +1407,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR+N9HHdyG5488MXBaQrtGVnhQsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStBU9BPGDFaeMyq1hjuKB15c+v2vLbMvwOeg+6\nTLGClvPuaX7LRibXv2Yj0PULBUSx2N72BXkEYbQCOOHoBqPKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf3cTdFky4KtmtkfBp8XGdW7HSd8wCgYIKoZIzj0EAwIDSAAwRQIh\nAOBYgPdn9OA3kQlr0sbHk5zx4suaEhKuk4F1mhEYl+1DAiANQTJIsPSwk3A4NZbg\nJvJeW6/48pqjOZ0l6IeB1BQLWQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQGKph2+Jn60mb9iCTG+Mh62PXsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI+dZ1FuhrS4UFMmMnLcH+jrpsA5wwa+Vfzzf9\ny9FY53qlqVfv476zhXOrgkKKYfeGQXVymmC9ZxPsDY4m4WOho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSQgvZACc56M3MRShbM/Gy7Nr3pYwCgYIKoZIzj0EAwIDSAAwRQIg\nbeW9fH54ngLLQ0AyiZHi2adu6DwME8x+pj6ARWkFMCECIQDBlyzZJTNk7BmArvf2\ncjOhXw4yizz86jfLJWqZVi3wzw==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUBzbHTiNJxfYkO+q7fnWtvZeYz5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAESLT98VToVOuorN0xt4qIZvtys4beKHQijqGjSVz6\ngYUkl8lvP7hfQSDHcm5nPoCY8nYYnreYMRBwpqLRW8sEc6N3MHUwHQYDVR0OBBYE\nFE8mOj7nvEtqD5HdkAp0s0P409n2MB8GA1UdIwQYMBaAFH93E3RZMuCrZrZHwafF\nxnVux0nfMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIwc422am6bW7uuROZ2vcgGo0\nC74fJa0q7KJGxcwwGpUCIQCX2+cMVL+GqH7lgfQRVux1EDxLTWQoA6bvjKLjlx1i\nWQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUJXTbUN8K8a4Qxnq9WS1eMp/rDm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEr0366OijQhhFBt4wkU22d9Tv8VJT11BB9W19yY1+\nSMdYC0PakcAtXXEgzAMqsZRXMU0HqqXPkQHiq0Kdcz7FSqN3MHUwHQYDVR0OBBYE\nFMZekNIpEq8NwJCT4i/jDeXv7vkaMB8GA1UdIwQYMBaAFEkIL2QAnOejNzEUoWzP\nxsuza96WMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaAxnJtr9nRyvnUpxqZjM5E2z\nU1uPku3mLXIH14jNnTgCIEywKIZheoW39yt8GA8MDBFL1YAynqgxDl/tsdQxJzCv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1386,10 +1428,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT034C4ENOb8qiqZIkh49h13fcKswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATReMneULnE+Uv48udBkE8Et1zRJcBs7xt2T1p3\nEF894lme6buJcykgRp0Y+uRls6a51cSgkX+LGT2/UB58D//Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWrJ3hGrB5p0z4q9imrjrpDGA6LgwCgYIKoZIzj0EAwIDRwAwRAIg\nSDewVRBfblnr+FVlU4tFVI3yYBeDuuAgOCffjGzmoCQCIGGZlQaq1scqlZviYLAS\naOMunvP4TfaD0S3XcAvQ00L1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUYxSw0EJeCGPh+E+MtcG7WnOST0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThNmJcG+GpBqEONFHGVFGIrKKBqhbBGO1MJcmn\nZ87pusX6ICvBBxpB8NI4aPiuqknXokNhV+ysUHirBO7T7sKNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdppeynOXynJmYDNXYDro7TOAaa0wCgYIKoZIzj0EAwIDSAAwRQIh\nAJ+pE5hE7lCpWr4w96q+Brfo1W7A4CSqyWq22Gy/Wb6EAiBFJYAFaX3/8EKS6hbs\nFBpGVCDLFLbq2PfrauwRXlF9vA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUA3Ii48ofIwpJYwq9/+di/9ynwPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEEm39a919TQs+RUaDaYQfr7HP8Y3R2MjNTXAt9qSF\njQmrX/pydLr4tZfcYJmmSu1Q1Btv353Lg0fRjZ8vwcj02aOBijCBhzAdBgNVHQ4E\nFgQUpCMvuWMsTAdH9q7Uv01GsOV/CZIwHwYDVR0jBBgwFoAUWrJ3hGrB5p0z4q9i\nmrjrpDGA6LgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiEA/7qBXVcBp35WMOhQchlObNuc7SzxiMScrvyA97gYO4gCIGUO9ECwNOIvhcgn\noIYzRCLhTaKaQ2dQ4JHOSqWlMxiS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUEL/kHwIN2bbot7QOTNHssA/BIzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEky1VHgjaHYQJjZNJpjbiEEQmA8gvk9PtJzvDDn5z\nIwiHPpameMJ9zp3mQjE7Hk0I4ntrSXj5SYoKAm+GRwMGIaOBijCBhzAdBgNVHQ4E\nFgQUc4HRO61zOgzaofi873m4aEL5qDEwHwYDVR0jBBgwFoAUdppeynOXynJmYDNX\nYDro7TOAaa0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiEAzQWAERojryBIkLm5SZwdDDsafllEZsiE8rjcT4jYu18CIA6qad5u6Kk597Ll\n+TbAAnU+0Jpt5Kf8YGgcI9CqxmFv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1409,10 +1451,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIULjd8FGl2QPBanLhDNEKxY1bnLF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCzYsYfDEpKxbO7uwSXAzekzDnHqcUANBbOFb9\nS64jQZNqFCf1+h2VtKVBRH3YiTL0odqLzr73ikwF8Wp5evy4o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIhRyN0xBkGQnFY+8Y+AM+f5SmQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAPn3rq9xI5ZbPIKsiIRW1wYT3SOoz0DTxFWv\nO39YR/IiAiBBfnP+Kogk0FL8eoSjRgFGJBTEQmmbu7onVa8rykCSiA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUe7DvZjoR3bEeI6ltWO3dEqMy4WAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsyodOIMDtznW+IHWNR7SxrZMsaMNJgGQFwrpo\nd9OfPYuieynNJvEymN8id7W+NOc6P9zDvQP0ko0p2ju9msDDo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM5TkY5+XivHskHf7FbjyvLQ3xbYwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAK61M6M6bj8F3Li7ugAo269tEM1MNxiHVFbq\nxeJNbsqbAiEAkPDqKQyuP3f+eGmlyhqER0hjuSmBBsYCtokeCFhVnn8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUIK6MiV/agb6cS45WTMsdkaEWweswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDS116FGNLD1+t3BoLiljg9j1OZ+YMjsLqGPMCRlF\n8Qn+Oo8dwxJjiAkb0iX1CrHPJpJtsESwGPDJgiMr1GO3uqNyMHAwHQYDVR0OBBYE\nFFvW1e9p95MEP979HMMip8abnIAYMB8GA1UdIwQYMBaAFMyIUcjdMQZBkJxWPvGP\ngDPn+UpkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEWnYj1dmiRGF9QrRGOl/Y2FGWgtHRLW\nlpHmEaw3m2I6AiEAi0wuiOeBDmqvsRmTxBXAJdM7YYYP75eSZGRsyA0Tr4M=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUVj41MJHVr5n26MCqlCwXF9c3JbowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGXuZ0t6XIHSwezPtuXTItq8aStRdkvo+PpgopdEV\n7z/LyBbS774TUQbXF9YG9Ar4gb+InaLmZ24BzsUs0AqX0KNyMHAwHQYDVR0OBBYE\nFMW1Up/VoM6rIcmqd1hDLqxsVipNMB8GA1UdIwQYMBaAFDOU5GOfl4rx7JB3+xW4\n8ry0N8W2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCID9VEN9EJmnFyan1+uGH6OPrzRmnhXJP\nQ3+T2mfn0OIXAiB3D39ge6Cn/k3PunVj32LQiAbVtHSnlJ3wL7mv9Hw4KA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1474,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUVewcgksWQsaV1AufTSt/U6R/S/MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVnP4apaiMNO9R0HWBXRYJpDuMvXRbG1G/AUEF\n8I+G3xN7Zq2HwDlNCVtImSfWhJsf5bJEwKhU7JGYOH033rGho4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMPxYYASvF7QW60+gJD8bHUonBeboROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTD8WGAErxe0FutPoCQ/Gx1KJwXmzAKBggqhkjOPQQD\nAgNIADBFAiAh1c7QCsHChXXA4I0KXhE9uKY7zqcLrubTCOLyuZ5kUgIhALgsHfiL\nqzlGBhu7dqjDjIVuS54yCUU97zL+ngAAeHcM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUQoG0JyM7V5rKuJSlyxlcv5bVnR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWecFkkPCP67wNgR4VR95crye1HDh1VFhcHQP0\nQxqAkxBzvSHMTFJM19W1V8CuAzorhKge7QqtZZqUXEM59fYRo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJTUhqum/j1KpvpzkaQ6TxRo8dlyoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSU1Iarpv49Sqb6c5GkOk8UaPHZcjAKBggqhkjOPQQD\nAgNIADBFAiEA/irM8e53RvJPurwi4JEZAyTlEx44sxrfW/NcjazY9MkCIB9dbnOI\nURHiuWGICI+jQiYRaewlMunYomqBuM7XlLfI\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUX0LTIjV+qrusPMEhP7fqaXsuakEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAED36Ner+LS47usvJ5XEb7/dQuRspj09EZpUcHOAkh\nE0MU0J552U2K05Q9rUmhFR9bt4vB4Bx5+WEZbQRC/vPQ8aNyMHAwHQYDVR0OBBYE\nFAkeB+UXTSf5vTAkAxtmceJ6CuUIMB8GA1UdIwQYMBaAFMPxYYASvF7QW60+gJD8\nbHUonBebMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQClynLJldYI08KyTa7a/jDrkm7L2RTu\nkXgamfPEAGLbPQIhANVzVWpbCKHDlXrfPR1JYyqqRod1S2LaKDrpQ4hPL3kD\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUVzLDfm5PfP77uD/5GpXkqacRn1YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJKBGtb5ALYZAmExsDoDjIUXTxRzvbYHXEzTgmds6\no/j1PtLq13sKqdID7hKKXCE8b1nVZrI+OPMRZHGZBIv1z6NyMHAwHQYDVR0OBBYE\nFGNUuNtww49xchGsoGrKOcE01ibrMB8GA1UdIwQYMBaAFJTUhqum/j1KpvpzkaQ6\nTxRo8dlyMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA0r4p0oNGSjZ2ye388p6Fhpoot/3rwq\ns30VCa2G6MAgAiEAvt5zzRjNh1qnHLb7U/UMNkeJUkiM8vfwBTLDfXdSgTM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1495,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUPDQ2Tca4pcXKggk8HlphWOXPCWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzHtzm1yha8Rx+rG6ZeJpG7iM2QzHrt0sTug4Z\n6Mbm2DV5Oay7lLXiqyEV03hFXSS3F6SMx02LMfzomLn6BJdSo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBRHIf55HE3S356w9W7VD5bAZgxYfIICBNIwHQYDVR0OBBYEFEch\n/nkcTdLfnrD1btUPlsBmDFh8MAoGCCqGSM49BAMCA0gAMEUCIBoa7wjTm25UyTvJ\nUwAkm/M4dhmW8zFsbUegWS5xr7FSAiEAglaS7HAyBeQfxrZ/Wy1YqYeQx4JCGr3+\n7jmzwYvvCnQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUU83NDVmgs+vTZnsGIuo1YbWOmnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARISdaAXMy0FyZRsUu1qkbBgeAlrX9L01LQ4n93\nvMtoirKkuYIodJR/W9hu5ovKPxKnvKKWujKESojqrDSOT8ceo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTZwEZIbylu2qTzNI0gune4XqO9O4ICBNIwHQYDVR0OBBYEFNnA\nRkhvKW7apPM0jSC6d7heo707MAoGCCqGSM49BAMCA0cAMEQCICARaIJircI2NNEE\nLP7RJ86qU6Z+lzMNG+phJTKbgGKaAiAoofoaWsbF0DAeKb9xth7qZ2lPVLPHILtF\nki8D0zYQug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUMY9So5rJF3f4NCZUfGLOFtb5xqEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEcEjFLbExvEx26ZMS4JV6JqiDOrmBLMHUhG6BXggR\nW8lGrOlzHOTL7TWLjml+a2s+r6XY+lYttk+SMCrZilOrL6NyMHAwHQYDVR0OBBYE\nFK/xtPYYOjflSvJKiCFW2An+heZ6MB8GA1UdIwQYMBaAFEch/nkcTdLfnrD1btUP\nlsBmDFh8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC8K2rzyOPE+siDVf5rZUa4UTpArPFC\nynfSdsr7LtfsQwIhAPq1UqZIjvHVlmD3e8v3gMqWiqnxNbwydfGcLqpDhWh3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ+gsjOuUOpyyHd1oA1HDhjMivVswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEhtId9YKaI8J+GGO0PnusxZPSHKaNwxBzP7NkGwN4\nT94gX2cxhQ0K73+4Fa7+6UkApvSMn4uvyu75Mf0CgOh0DaNyMHAwHQYDVR0OBBYE\nFAXNDaGQUdPwhVHAkv8Rm+ZgWAikMB8GA1UdIwQYMBaAFNnARkhvKW7apPM0jSC6\nd7heo707MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHDx5rPKIXqD3whJAzqvWIRtuBJEN2w4\ns/fBJaTmS9ouAiEAmVjUNuBwQ4GHqU8/u9cXex7mEgwgtL71cOBxMW+Y1Zo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1516,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUbgDbKrm7F98hDmH57VLX7JlmGPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2lYGNiMOAZiZJEg3A4dmbatLae9ejFiIVlEfE\nrYyWm56ZKB6ko3PZyNhgR5zMRSZk620CY+pyMzbdB6Vd5Ivpo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFK96iwWWP3LjcVNg7x/BxGokUx0doROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUr3qLBZY/cuNxU2DvH8HEaiRTHR0wCgYIKoZI\nzj0EAwIDSAAwRQIhAIScp3G1+jnDqoejbDFScqQ/KSAUH/FrSsjMC4jmET6OAiBu\n5jgrbrT3+sKMopc63hPgfQdcpb5EmqRZCRihHFswYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUPwRKGZdexwyHcS2JrTe5iJONnoEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNC6huK059wZ6d/RPAvbEZL165p8xQ5r9SvyxI\nTwNqrvUz2Bbw+Bs3v+lr0w2XE0ERhDFkplBV/aIA+rtetrm8o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFKONxNUNBB0shAe5sQHgBsy41EG1oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUo43E1Q0EHSyEB7mxAeAGzLjUQbUwCgYIKoZI\nzj0EAwIDSAAwRQIhAPDY+aCz39IKTUzw7DJTVGov97D1dBx3w+XC5Y9bKvHvAiB1\n5ormQ1XjCpCUh8BR9unV/TXMeP+7gTI/IgsRncTv9Q==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUMzb3DA4RdzRPIn6ysrIdGzv7eMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEW2MLXL73T3lbP40gDHucLjYc6uRJzvC2NU9vBPvo\n42j451I+9SelwQnMEV4HGn7hos23ldwdath/f7X7gXRD9qNyMHAwHQYDVR0OBBYE\nFEBTqbIwshqNz8h797OXXJLxYHG5MB8GA1UdIwQYMBaAFK96iwWWP3LjcVNg7x/B\nxGokUx0dMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCNavsMTPp81HqvTGJ/3RXIu7Jumj4u\nyrF6+8QEwFm8MwIgOUUtqFj37Q8vk6D1m9DyW2DqpDvL4tiLtfkseE71Z+I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUM0DqajKrtJWrannkDZmbVpgLXjMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVjM5Jydzd2frt3ep4CWweq0U+e3aYOzM0kLgZH/s\nCM28KEcNuabeTCHJG56O3/c9kW0iXuhInRekxQpYKCM5yKNyMHAwHQYDVR0OBBYE\nFAZGvtqwIM442pczS42gC6IqJjDEMB8GA1UdIwQYMBaAFKONxNUNBB0shAe5sQHg\nBsy41EG1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCKkV4PW31o3yC7+1TGr6BB+jcZNFA7\nQI8xTOYpLuaGgwIgeQMPEdGPLeAtPaVg/2sZOjkRiMf2Zo93Ro4zKjrp8rk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1537,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBHvKtHrwel738XCTyHoUp8YvoIwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIwvttQidICBKBFyanmIAaVyIlDN6+KWyBLPOy\nrzNkEifdQbTfbJSRTP5ZCRTMVaN00+vwgTPoPczZBS7wFTDgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxK/OCO8PZOMf+pBU465QeIOY5JYwCgYIKoZIzj0EAwIDSAAwRQIh\nAII5Ruz8zJYC1UMDZpt00Qr8ALKgm46r9f8KMsBtUgazAiB9Xlbt8QtoQp34ECn0\nlwIiPaxObDN3rIsuwimIN09cFQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP3OCey6tHn/Ki7lSaI++Bxd/86wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCVRtcNAXtxue2RIfDp/RRgRK44KuZXJra5Nab\n5HZHjlQPSgCc9oc3YdU3lw83HNgOGVt1LT8AvZZqfwwKL+mZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTnw0/N7dqJgr0VbGM+Lft1cLoPUwCgYIKoZIzj0EAwIDSQAwRgIh\nAI74Wf5/uPNWdW1qKqUHK/jKZfTjgyCN0BlXZIFTqopcAiEA7LKwgQ5q7hF7BEY6\nHxQJOqXWmkIoso/UlfbECz676Wk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUPn+b54O/kVkM7SS3v2xHmCmoGkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABD+IzA8pvVzKSg8zmKLXhWhHsErCHdNhkliaPKKf\nbfJXNbJFpYtBxKm/JDoGaLWCXDSJQpKe41UQ/T3QLeFpnuyjdTBzMB0GA1UdDgQW\nBBQgjHgfC8YHZrNK68++fUyrHIz9fDAfBgNVHSMEGDAWgBTEr84I7w9k4x/6kFTj\nrlB4g5jkljAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAF5JlpMk02awbgUPkJLFzu78sd\neV5UWJ12uJcFIR5MpAIhANDlkiXLaxB/+NereiWF646azDdmlSnsgJJy0qxN2Gy1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIULd66vd36K9Mj5PHPi85OUlBCy8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABFWoQYvZq19o0IIqtfqOTg+galn0F8+BgqkXPqnp\ntpYmT+3ijZ4Ba1+AODnFZ2JW/5Lt+2VVGm3LnIsFZaVF1LWjdTBzMB0GA1UdDgQW\nBBQmal8B5mQh2gg6/kLyd+BzKBTuLDAfBgNVHSMEGDAWgBROfDT83t2omCvRVsYz\n4t+3Vwug9TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAumG5UwOJnsbtHvoZ4jwLdHQ1m\nDpySvvILOGATVWtcJQIgNS6TbrA+9Sp8B+QO0NKAvBzecVZMN8AzL+He4hnbi7I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1516,10 +1558,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBR53/MxvtOJDSpycAdKlfwufEiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARd6yB+5zC7uT4YI24UiCasDHIOVb7NxlQbiUA4\n8gCOw82NxbHSS/SgXxxVkSo0BcjcHB2/0kLdYimico2Jc5v+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUk2fPCs/XHknWob9P2YWdvLx23UowCgYIKoZIzj0EAwIDSQAwRgIh\nAKLf/kQeJ5hY5sDYDr05akJRD5e14zztbpO61iHpJDmZAiEAo4YM63qaCH3qYbE5\nxNUSS9o8wqH1aTID6mZxhFj+8AI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT6dm5sedu912UHzApT3g2z3YLu0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy8VulTXBF5J7vDjGDp8rgR3tMvnMRKhziDrt+\noUZWjFIFmCDLjpzGZxPounVXvVzgOSa+2LVok+p6ZRziFYmNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEDZfEObMOQDmrKQAUR0qhU5qbCUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY/baCOUUvzYtnC42Dsuei73ol1yQPwO2DTJPGYxbT0AiEA2vs+Wx14F/T0YnDl\nJkko8jIef81UpJEP2qxQz5njS/s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBlzCCAT6gAwIBAgIUetI35FnKvze1VBKYGNy/cOXP55gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEGZfNTvM7i9jOq0GTRIm11nrwsz9Y/ApLmsCisk1+\nSi0tAEFerJ0jadGlQbebRtCko3IwcDAdBgNVHQ4EFgQU6MUCTtYrhiZ2AO2s/Td0\nPt4LfnwwHwYDVR0jBBgwFoAUk2fPCs/XHknWob9P2YWdvLx23UowCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDRwAwRAIgWxGv3tX+KNV/dwjvj1G/UDCm1c4YfTnSa0LLN5M0dugCIEIm4DD5\nUwBYHaFse7Mmp4EYPs4Y8OmLX9lZJsglNnbC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUEXvvFrXpUKdEVtEHS+5tYkXcRtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEse5FohEGEmibimAFO62DaEFmmnio9saEXh2tPSly\nDO5SRGSF+c8CzXE+I4CmZipbo3IwcDAdBgNVHQ4EFgQUqzd5AoMAYm+n1DmnXyej\nlO0/JpIwHwYDVR0jBBgwFoAUEDZfEObMOQDmrKQAUR0qhU5qbCUwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPQ1oEUP3Ydq2C+7Ln+jEG0+dNQi5Qs4t7TU6T1GAi3uAiBv/pzz\nHIXNuJOofePXIWkApI62Cziukeh8F5DwilSwyg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1537,10 +1579,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVEs7w9vkSxlp8OPiNMzkMFT+RbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNRyRqvDexhCmpu9ByqdM4VvWv5I7+VddDJo81\nVfr/v4jP/xdceKwv5VUwpWQH4uiyY8UJh461lQcu80BY0pgbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUclLwHHgfHLdXXlL60fgramPuTJQwCgYIKoZIzj0EAwIDRwAwRAIg\nQotXN+XIAQq2Tfv6RwYhKozDBOfA4e6vRrVhvViZo+sCIAeWcHq5eHO41iaKpDo6\nxHCfLhbp1m7JlGracFGSBWWT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUo1Iz5z7wRqM0C90DRmJkHQjWd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjyVxqwx+rrtD6BxB3dw556gQN7Uf3nikWFLvX\n0YcWB4k6jBJmz1f2djWh7tf4ixSUg+LMiIIj9bKhjuWtXDGMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+qRaoexOGHAjWLzJmbLK8k4Lz3YwCgYIKoZIzj0EAwIDRwAwRAIg\nMBSxeJxqmCE/BgqBWLArtrLjc04Cx5OQB7Lo44dtt2ECIBB3DmX4lgiMioNwM6dA\nDviZYqIOSW9dFs1RIgh2nP8+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGGDCCBb6gAwIBAgIUSU7+Kl4xMhIZMaMwRBExBP8Kdd4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExzCCAzkG\nByqGSM44BAEwggMsAoIBgQDteTZxYtDvXNQGe/xqnWhsCN75MT6EbtPUxsiQipKA\nk3CoD26oIWv4HVtfyL6AhsgKcH6mckNP2vjiu7MaryIzH6N/H40EVyJapSHG4KH+\nrtrFx6l5wRAv0aLl4IvqD3c923+s1OmwwKXKHeA7o7D+Q3krTNITFP2dc+NWa23v\n0W0btM20d+5pOxIZcgCXSvGvWAFzn+w9hp9I5tRybqinUnPZIWaTj0jZOkwHv10d\n2Rcl4M2hLmmrdWWK61uMiItOdajus+m5qtBgRpS2Pae+WdAQHEG0qJNvP6g/r5L6\nz/+RGVC8TCueLuhZ5r98weJtr8sdLIydhO3XUfkg1YiuLQkdNPeWwQocic6qQLCT\nwUo2tcEXGsim5Xlcx2vlHnW8WLwy6wKWRxNVzrivLdyrsKVUIzXb7Rg49u0NIoPB\nzKRErIGQiT1uoK1MWsDW6G9XgBsBBe5+OgdvVy5hmu11gvnRa/YqLirEoi4NyX2r\n/gZG3VgntfFrd/6AtSg7ezsCIQD5N9G7fhLlZIcLMrCsZQK1s5B0DBIPZi2VVkR0\nrkCNAQKCAYBvdMJlaG10sG7yTKljsSDLgtY3jIXmT9twTHkgzDFxIo8XOW6HBLNI\nUhcvz2Q4MRIDjSm/NqhRNdX6ChbtxAZclJbTyfTim30J6HLFLCOUTf4+rP5qdKUD\nmMTkLvY3BwLEtpuTNRs0YCdk9pr0WE964lT9YQR7lGAHwrtVLk32WkIM90nVFsbN\nzUtDfh6nAhFdaH0XZWxKb/6ss1Hg/rOtD61zn+gCFBDA7yrsPxEpgAMsMQ6Dy41u\niZ9WxQaoc9UR0YHI1j2ge1AP7jbvy+aGW/39ES2xpXbkzfGq3REvfMynSrz65Esc\nEURGg2i3VxQoyZbjcLW7wegR2PvgXr4WJbVkeTtfz0vB7usMX7yD0GGkI1Z5P3G2\nEFIKsARj3Tyxolq/bzYdYkDX4lIHEGnOXQ/7F8odhFipZmlPG7YORCOf4ObuAwqG\nkadrA9r9pSQ5ZN/6WnXNn/87XpDkqranPZMLgERsy2zj0ldJMumSI3AeMpr1zp0I\ngtncah0CdboDggGGAAKCAYEAwh3YTlboK3PE4WgYK1GBhCBbE0BPn54G3T6sCMWm\nPahfu19w2jTE+6fNs844zVMfVNpe2Z5naM9qdpji+wZIXwU5pMwdQUYZve85pdRq\nk7LdxRoNKu0w8WsBSYnapD8uqODlS8NOCsvHZxYTmVr9efx1PCestXK10O+32XTg\nBHH7+7CebKS0Al8LonvIWWM2x7h3i74x7CUZsyUw1VqCXooSw6m89vXXANEzvaD6\n3WzLm5zEEH/j5T53SEU/pOeccAohqpNbWu8G00/k+f8FvnegtX67lZeoU5tkGvIJ\nzyr1cFC9Lf/RQAOyBWsVpnL6TZI5EW8wqxmwyoM0eiuxKSHQegYJqU/tlJMz4/jM\nBkN8g8kEzD1J6GFxslPIBECevF3TFEvbrA8iTLqT+x8vKCht5vfI8ifXV0Cdu2KY\n8F84jqiClC9uxdS7EUroNMx6yCtfX32I6nhXlJqY9L4d4VbFVKUadq5quuLKnYWS\nFDEHOEHKHoa4Q5CX8jj9a9Vpo3IwcDAdBgNVHQ4EFgQU3kOs9ca2BkqWo2wi9mJN\nM0rkv8YwHwYDVR0jBBgwFoAUclLwHHgfHLdXXlL60fgramPuTJQwCQYDVR0TBAIw\nAD
ALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhANQwMbQ73qvd217OykZHm3r+Mt43OxNPoYNYpp6vfCa4AiBA0BiG\nuAAkUDoFGl1JkDALNrHXylozmOGWGa2EfO7uzg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFjCCBb2gAwIBAgIUD4YIWlO3QO6vMiYHon45WJG8Q58wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCJpziEj4iKi843hzrt1ZfdM2lwNMAs4MRsXx3j5Z9t\njaRnKQ8h+ohXs4lk77lviZhuVNaN5D5osJj3MwKqNAm4fy/5gsaUIkCQ7/9u3tlB\nLgSkUlTuHuE6xhMUaJDWkr6AzjHgqhkmEeeyayuOs3MAnp5hyXdIobsICD7xV9VY\nwR2xuBl6NdGb6u3i8VZAz5QHIH4MKYzi8XRUnnlVp3Z+Ir6UZMLZPrVPPVrlUKSd\nN5ZuK8WGW/VqXGrYQ9z1QvQ70GIddGOc85mNAFj+DcjCtUQC7dymRW9Xk0+7ZJGj\nLTIwo/zMNLpd308oNEY01mc+bkHCglPVYThNiEuVQj41e7BrfzCv5BMw1ZH7Yh33\nxIcpmTeS4U5e/bX9iDkwx2AktjIdVJ//VhF71pG34PWccneCcikNGJr4iTeEHm4q\n7q0g8x7GpMIKKUiKNoE+SYcxgAXbHYGPDzzBuIhORd/b2grz62tnL3neS9J9rglm\nJunIMsXJ9r44kIP+YuJjv6sCIQCfFEjEWtXX4OORxP2aTmtccEUGu/kGjNy27CmM\ncWy+KwKCAYBpTgIJTJpalOwkY6Lge/Aqjef9eQP5ucv7shdtpG2Qt/OfXbzI64X4\nu8arDwds+B0YeXW2ZCCYhIMqKZ2nde4dWpg9fEjcqathlJOx/4sGwSaD2Kfn6EuS\nZ22GPXmPBaXvF2mcBEkiiIx5kAGhaP4hapmAOKdGkHP2lPi2dNCEIt1R+zR6n9Rn\nGID0lvRsoydwEutezVOZKO3qhqxgpiUgFBjvs67AkhBKpaiM55m72ALWtMkl4J0z\nVYrGu67YYJu4rQlUux1/RIdRMuZJhwMKDf8UVle7MPdHwtsy+jZacCEWB3I94PnN\nrXwKV9tN0G6TXLF5GPWK30dDRot5LcstRBuPPOKnPiKIItwD602CDFb/KgVdzTmY\n3TZUh615QuIKghCUdvkhhLl3qHaRrFEs9reW5dWEk8PqMb6D5nzHSesLL6Lj6hYD\nPx5yaxqFuOAlOkbUV08NebaXg8/vZoUGlbN+Ule3gSYvgED9PPUiRXZbWAgOpjxA\nacQuS6cfqXADggGFAAKCAYBhP96OxtDS9jzTtORiItqgj/I6hXr9wh4DbMSEIEq5\nd0VicaonxQ1+j2EJtFMy9x0PLHASOiTjU1ba3g4bpXAZUmAaNqWbaQ8VOo10sMOy\nv8LSzaxsdK32sqh5MLmblai0e06CU7yIExMVbd2KwARnEPLhkh2vcQcE8tmXF/k/\npe4cQqQzZ7p9jZEbHf7MZNNLSUWHhJ9a5dfXcy3ImkvF40sRbxMXu3x4aB5CiBlK\n4Us6CZVJYf8hUff2obqW/JloAckWg9U9K6nkUfxhuRhrgw3Z68CSjkWmQEXpReSM\nQVajMK8DYg3INWUkBjPxbXgrCYPb5dSuW/Jrl9KUqDKl/vwWGn2NrNfXmjIlN6Jw\ngkpIkYwuV+lctHtg9lbMV36aDUAWx7
1INliU6dgm71nfsTApems3Y+ULi3cjg8YE\naaF578815uvmLVr0oB59FVb1Ptzkqbc25+iYoThzAs+2SWolomT1scsvh5msj6Gm\nn/fWgjrciiH7XhSDNi+b79ujcjBwMB0GA1UdDgQWBBTxCD0i3EFpS5hxO18dSpUJ\ntAZ9rjAfBgNVHSMEGDAWgBT6pFqh7E4YcCNYvMmZssryTgvPdjAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNHADBEAiAKCrNn1kSLIcmPrnGDVQ3nSjdVZ4HH+lhUf3eDHxZ/WgIgHYjElSku\nnB4FG8hTqcGmkIWQpNVrU+RLA4357YwwJ5Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1558,10 +1600,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUDaJ/6tLx3/9po+TllYHwdln10iowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQD5zbhr1z6GZ6FklnceMlxhgWP75mm3lLn82g5Z\ne1URaivrBHsN2hNxVSngVq2Oo8+Am+IVtMMolPJY1YYdJadcuDjss+AXuV9ln9xJ\n1oanUD0Y3vUJEMehLcpzYXVZuSOAE9U85okxsP/B/QuZaZH0XxPCHQBUo0PgztV7\nHSlK5JRaI06L6IhV8BcVz4Yu9umfm1z4iGL33SSVS7SgAUs8pkG2efj3YKJMeUeM\n3FcRnRSGVCCw2g8wftgCLj0LLLI7OAWw7oLjcYGEi0rdznVYBWE2q5lhviwBAgPZ\n9IqD+5SBpT5R8oNkytjVF4EfxtTgGkYmGlkltOrVhl5rqqs4CrJRqVx9QdsIofwY\nH/yjGamTpdqGLml+IEKnklyxI1cEdRjNLY7YdtQgJ8GlG1BUikn9ZqYF8LBFzKM3\nJkU0WJcijzacORcpCX1L3SEjEwaqwQpWh/UfZ5Yq/81Ou75WerqEK6/Rs1b8/Rjh\nP2KEvYyDuhZ8WewecIu61is4jXsCIQCfMtODPli8rza6yi3Of40eeM10jJYZpFcP\nVrQVqg8BjQKCAYEA11eE12OGdqTbfMjyFjgcoNFXeVL5qQfNXQq7rqnsPFgD7ycn\nCCCPFf8vuuxrfBdxkQZzLqqbHk3Ql6jfv1Zu0r/dyoSn19nvOz1x9wHNdy61tuPD\njfGK2PbNs/hA65+vkS7MTsqnxfw2/VAIphQ4Vf+NpS2SfPTT75d5Gjd/sYIW9qNd\nHpn/O0MHsUXyFSfdJJFzsQETrIiHch/E4/RVMwX8bM+UpIXSNg53KMn8XkV47zIZ\nIEjC8MgNOcn/Rsg/1D+G9e7dGorfkD9mDbTePXYTsG6dwpp6F2lsrdWfmMP0Klbj\nSCo2//OjAZen1kucTyEnryh/HViz/jG0twKp3natiFiwhc90UqNNQfvNlqIppzkp\niQMXZvlOW+xwTbMigjakhJ3KALIBROyh7ll74hhPRJTVQeVc6zFQ0155yVddrq2f\nNotqRyo4WGEpcJji/ZC0QjLFJb8L0UOJxLOcaicJ+BHxrqaYBHizGhdS05nMHDEC\nSNKRpvRXLSTMKcffA4IBhQACggGAHEhIkkpnkMwEM5O/qxEg0qElvzeGK53FOGrr\n6JHL8Ri+AnJOt3fDQs/lB3MnWBtk5uTh7uk8J8bddU6A+f0M336SaStG7ZqdnZwc\nMzYEIl/o6fJTRSF7XSsQ+cDYj6Z/OK4PTmtScNRYktIljbkxGaU9a/mrNN9wFi7m\njCrp8MytEkx0oqrdRoZxzoidor0mEobgt96gFZ9chHZuAP68mZeERTcThWhG1K/L\nSkzvVijs7SKKl0IJuR/2h6ri6x7V7gAFjOO9eHMVYfI+CWS4fd74P3JDLoGuSHS1\nx3QdXCekFRQm5X+aoWiaAe0kdZtDjAO
jmjrJO+denOtCl0TDVqYBtG0/UL1pbbZ3\nesc+5CR+YWgrBB44HxSXfyHOqtrQx5szgPC4x03ch4+Wxi651yozHfzpVcaIJ5h/\n+Eq+6bLN4Cg0Oy3n8aF71zU/f2iG6n8wX1hdVMHfCiUWPAcCASK3nZLX9FgoOE6j\n+eCurdNVd/SsndffebHIlP5xFhm9o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUuto29/Oa\nYsokCpcWg3/EwzDbBT0wCwYJYIZIAWUDBAMCA0cAMEQCIAjLYU/9zyOGVMevb9XK\nELG0h4m+kKtnvVyeTJsM/scrAiBwjtHX1MaxK2Pm2wsaDPaRZvaTaI9RDUElIJZI\nzJ33og==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUdqPR1tjYGDoK/IUyIWNkgpHDgtEwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDkPSZfnFfpEKuuxFT0vI2wxzTFhGQw98vjLei7\n+VCZgiJFiMOXwd22YuPcNaK/7Ix0FfUB9f0eX7hQVWP1YSqDTPvhUpSRzgkd5Fgb\njeSs3nrFcaLhPO3FVcsTvyZ4iUKOBZQZsOmtX1/3361QsPe5B5JtU7rn1avlkyI7\n2YkgM/IP0/V+iGE4y64YPN4A1v+cNnaVRA+uvWcrpB16T34n/hmFiiqzyVHPZvba\nCAiSI7r2cy45vZmu8e7N+oTObvGyiaYu5v7B27u/9d9/iuDg2Hs7Jn1qDY0sJ7GU\nFpIn3/W5Wc1yXC2FZL0MvAqmhnLTCcVSIBjzw1dIFjDw8nHG8T+gPO6ILjWgR9Oc\nxXyKbmXjUpAKezaWKuxQV9ICPQxs8FBLh4onc4vfWjYAlC+kT8rlhdTgtSvOBIBy\nm2u4OJw4FkSizRQjXfFChmy1u8FAjti7KlJ7XZJCqVwwrtkQQ13FwBLX3s1PR5nh\nJyvLQ+OtrnL5dLIxq7tU+aH3u1MCIQD1sYhmQi/fgV2U2AVTVAYqq7bcFCf/sCyP\n8KrVzTbSCQKCAYEAwf85TwKAS/iyBgRJE6EIT6fbs9n/z+Is4Jn3ePd1yl7j9cEW\n8K1BsSCSnc3WpJOcrRQB2dfWm6MUDQm9Mi8EPZMzw4m3iQIRJJs3/CnDrGCwBbAh\nRR+/8e7xFC387hDJlmXm3LUJ5vK61nVvCf45XUofmXnIamSaq+03aahqNhf8l5oT\nO+2ndUZDjDr+bR34eAM0dlcLJOunoAojivbPiu4HBD2z1x9IFVXpJ28icU1wbfhU\ns4Y8F/w0sTasSzEGsGhP7QqTAFgAlX9SlyElterd1bnkTAXF5WJk7Y7euWnCXU0p\ncUTOJpvoaTD7KKN5lE7DVUKVm12fldIsNqKGM6WZZHFPGGimGV96wkrOricbvPwB\nDlQNwImvk3BK31v0LcggswB8HM1tVrndb0TZM4rCQhiZXhXymVab2TkaT8bI3kau\nGjV8pG9E1g22aKzTuR+/oXbFg+6hHeVyCX/uMOUov9SrWjGcYXPK83uwyGlW2fdg\nnwLIANP+4FAzz9a8A4IBhgACggGBAIZdydjbzpPw7LssT5pvQ2V70iUwKojqJEKv\nViL/Rg6JJnP4n+4KzUNmdkDTxSXZNQD/xNh9e/jdpnZ7BeeNIe/yZxU3xY9lkcCH\nKlpH8TO+QCb0RwhrjQT9kQ/JKYalr4JoXj4VvToGnsELxI
Mcszp6xlORgiguaH4j\nRETG5zMQX3AOLNwhDnCqS2k374iGfWDs+uDGhvg9Oi8VRW0Kj93sO9tLfSHVfUCS\nSArCgK0Lhm9DNwTBjPXHqK7Kw4G8MAyeel5MkDv7stH+YDtiyLFnX+2kBFqjLcQG\njDUL3+khrktJ737v4yJg3Q/WoYzEbspXFkfnEJbxmbdGiriy21j1Mhqx8ZYYkq1/\nFnQGjjbyd2mH3b0EEd8sqDSCVRhz9DJfCngFDVvLtCMiOCvvTkrO07qwyx02z8l3\nAev/xvRE1okE1WxVUSEZO9yvGiha+ELSFyceuxkKh7XraecBwEoFJ64YmC5A9/X0\nVW3sBSnDZ6DLNS38nHPJ8zdTq51186NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLlqlXIL\nkIDQewGSLLbPlluDaltCMAsGCWCGSAFlAwQDAgNIADBFAiA4Nt5QuCmYESDZ84VD\n6WDEmGsIBYzEPocnqGKzyKngrwIhAOp9qk512RYrZEWwCI0MqP3gDZ3Lvxl4NacS\nkznTL5eC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUXZ5XbhfuODBz3NMDlpNN0Lp/D0IwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABHOdQKCh2jqGtVLK0evxpiysG1TLsvUvwhfhn2VP\nwOK+0LYiAqKAFL6xWKt15Mq0oFD+5DaragZOxW1YPGq4fkOjcjBwMB0GA1UdDgQW\nBBS0B4EKNh3Q9Lmqh2WApYq04m+44zAfBgNVHSMEGDAWgBS62jb385piyiQKlxaD\nf8TDMNsFPTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgK0u4LcJVrYJ0y3ObTO8jcxEY5Cwn\nWf3sqjJHhOQ3RBkCIAJO9xxJSEd+TbypO4EOb/pmU9oon7cCTxUhccM9Ccz2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUJSa6BHZgOfU/KXuE7UAFldAS2f4wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABKDWHClg3k9inDvNOwE0uOTR8Y9XkP7dxvPbzqJN\nn8ePIgvamOmc3ltw6M6FrqQeQCVyVzhc8f5d0+4TlwMRHeqjcjBwMB0GA1UdDgQW\nBBSkk2kR6PJF4+nBsqVYWHzf73pxqTAfBgNVHSMEGDAWgBS5apVyC5CA0HsBkiy2\nz5Zbg2pbQjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgHZJGGK72d+SBz9wz9rmBFyMXRZJj\nN4h9TasQSdfdzJICIAkoLPdvRuJ16nbpDF0O/cDrWrcpfmBnPCQQPsreFNdK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1581,10 +1623,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT5H0KBFyNeteSK2a0ct2fK/4wi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2xi0NWPHrpNOoB235kjTFjIqiknN3PpQTlbrk\nlpLmHYkfGh0kKRwGjCTLXfyZ06vCfv3YzPUgEZOS8r2loWc/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS+vbGDOpHiI0/BSJR0Jq0o2F9iIwCgYIKoZIzj0EAwIDSAAwRQIg\naCZ8d+7SOhM37o2VCH2Ouigm3jg6ciabqMaFBH215O4CIQDAgZ6gP+QEB+HGt/t8\nTgO6tLT8iBadZ6ECqLy7zKCYUQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUd5HqXJ7iI8xrkX+o3o7nCMCMJ/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYX38Gj23R9mwnTO1Xf+IvAFHFIXqUD0Gaa1gn\nechyzKL0UAFaohCSkc5zs3T4xFUOCBlfiVZqEwYlwCG6T1meo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkIeef4K7wZrsuzlaW2IHXIRWvzcwCgYIKoZIzj0EAwIDRwAwRAIg\nF+cF+BFXJI49ogDQAUvPTb+xOfZQQ+UmB4AarQ/VYNMCIHXrpHsAKotibojq7+Zy\nr6bWmfTh6YNk2JHl3PR8Cz5F\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFzCCBb2gAwIBAgIUbw/L/oYrm0GKHEgZ1dED4t28IdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQDzd6/L/l2Xs2yMX1U/eDMgc/sCruJzGIPByGYFUFJq\nhXY69BbKZ8Ag0fh05/QbEE9ORr2JYNao1VgWy4OlrH2UUad2oWn+FP2wmHDgIQhM\n/4lRkVQUTibn+WsNvRRy0aUMX/NB2z50WxOI4Jr9gcVkGrQSFBhDbhfUXeZvl7t2\njfmTtDQRhh1E69U6ImB05nihT7TPO4azMO6R3lykGrVEESVp8B/Jdnr3eEXb4D5L\n9kkiOQ0/kdcVlXr/XzDxa86ziXXXKt7X41OhABaxfimJyEMHWroUQEtSzcBI+hSg\naV2YIA/TmKEZf+HiHkFPqDU1Ub6LUSD2Ve/CBeevECGStzn6ZMOrACHVN28H1Gh+\n0m+OAafea40GNX3DRNuRWCWOZ9fNe7wTAAIf/kocKsNg1T1ey4ltHNmpmFUL2Ymr\nIdBGac/rw+0m1vdsZHK3ddFQQwEu4NfY63e+lUubF2Ymv9dT/aKNe7QhE0X1yb4E\n785eglXsvKr/bwQdlbzu3cUCIQC6ePhdoXLPrictVT24fipgFBTiTdzXp71Oxg2L\n1jNpZwKCAYAGodPDmicfW7rWPLvS/Kw2UROvAkDvm9+giVmBq7BiiL70fK9HHWvy\n2Jf6jbeG5HIsUSllr255HEZBsTunGJDQ++lHOxZ8KJblauOxWWYZVR256RQa1AVt\nJKm+TVqk21uMXL1MYrCIUa+SQAXV4FMBh1ytPrTr0aLNtz/ooyq7NH0ErjIU0o75\nZMSA9EgCGnqs5IpVbcLo+HJJM4N9kEEE8LuHs/ccYKKBvFyoV5ii5C/ueEMl1Fn7\n8XRzsyIeoziskjj75qn9oyVyQJ4mI9sS6BKkTPZsYjisohL01o+8BPYUaLgY7DYv\nsJKlMEebweR7xxsV5r/NNr4csSNVbhiRarL/CXxuCLUeqIlwk33lN8dARNctF/Cl\nCWCjTabDlcyDqDzfhr4t0/Oy8fCJo2DrbBgT/roelFpfY5+PTKNwNGnHqLAFDr9B\nhlFsK7dyNHSmw1fE26SQPGvKEZkLUYnl6+9mha8Hey8SLvzdzWNUHZcJ/Hu6/IiE\nBWILxUM4s44DggGFAAKCAYBNlqq/gISXGuXL60hZuVUSyCEwHKfJzc5wbu6MRScz\n6r48kJFAF3MZ1IVWdVQdHr/td7J7NHXZU4zCSMHhF+nQzdMbUyQ73qov49PFa9bV\nv9yq+tQTPm9F261LS7eARuTgJj0zi6UtZNkdwDZdO0lf7HfBAzBX4cYsHgoPAmyu\nsK8JOHrA5xBTMxLOcHY2mHxQFYcf3KSOaEnjzLZR7TITEkGvULL82Eu07N7BFVYU\nlOniF82okE3vwLZoXd564qLcS1YLP1zzn/htVrY50R1a9UjrNM2IYmn/WnN+9gOF\n6vm2jCtCQSZJNNDnSrZ3t7839qmf+aXb3CNd27zUxDSZHLuYLoe+5899WDByE//n\n8zn6W50K3ws4yAhAEXTFngkeGojsTTHujxcxtlWvgK8w6sylGmBcaaOJycKyiYE2\nPW3JsisqxPUf7M3Fb9Toryga9kOrkGj4Nwetx2nS4EMLV2sOFQDkiNRDDeOVKStI\nAmxNQ5zd0ZmbdcB92Xodn+6jcjBwMB0GA1UdDgQWBBQIR2T53CX9/J8c3/hN/g05\nNezwUjAfBgNVHSMEGDAWgBRL69sYM6keIjT8FIlHQmrSjYX2IjAJBgNVHRMEAjAA\nMA
sGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBayy5d5QG13z+EIVmZyWB/u7YRXUMx4hF60DlxjkFBLAIhAPY6vCyC\nB8ITo7pGVlXeuAlkgqx1smn/QIUspDPNsrGQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGGTCCBb+gAwIBAgIUdeR6mvhb0Wq3uGcQtKfPqYDN3PswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIEyDCCAzoG\nByqGSM44BAEwggMtAoIBgQDpNooXkmxcF7t92tgnldf8emwmmtMo5P4YN5tSfMXF\n0X2kYa0X7lrCxAUAeQvRr8VeC7OxpcWfceUQkZRX6aj8IKXPrDWQEFUCgymH7/xc\nnW0fMaSt9sXhilUUfH0uVfWBcbU6t5Ig2zwsehadApyPkDnR85tU1mQuxZ7wvwwM\nZCIAXL4xFt0iVYMouGweUlzIlD6lg7BHcroBGr4+WqTuHghfEEUFNmLokWQadVFo\n4JMqy11LtcslytvZYEK60ZA7epvwGR3flrhQLHjCts9JMPLYKZPB++0i/+IHSQrY\nWZ1k8z7ze+VeqB+hHrBWD6X6hGo0idSlJdTfaKhZ2tcDR4Jf+ZxnjCa4qxTVcuOB\nUhgyvaqCOB9dp6pwjSLmQSG4O8kNi7Ifgrtf52r9rLahX1SSQ8cyuGfWuLf55ZhV\n0pGAWdt5Sl3p+P6NA/eyoLuyH4mBMzD0kHoZCTZbawMFq+nhgpcfcIj36iBuCvR1\nGvMg4rIDk4M+wtJ4IPoeaKsCIQD1+/dHuyoA6h/eit3QzirEpWLykThtXO+id51Q\nIGs4ewKCAYEAt/Ki7eSKEATE/baJztwNodJfR20ACJLf0dchptwMkWf6lwBI3QTM\n4m0S2nW5vEnkaR66bxloUs/1A/6SEn0YDIZwiVdLJyLECTJeWKiPDeddfCrZIusI\nFWpX+l072mz652T0XnrtTV+fVxMbXQf8VPTmY/aqPzLQR9yh5BF6IK6UmfFrZT7q\nWb3gPyOar1RRocvOgeTaTbwtm+nWCdM8ZEt7HBP7dMqOLgAoyfgEiCV5ap7OG8nH\nQKTx6AYqc1PX+WW67UPToUdfCy5FoZ3FxNPUA92aQ18tSlCx8iqVmtzdtlLvJoT7\nYTJclIAZjIxNgbawuACUVtBQBuzVnV3cgtx6gH9siqQrVSCs/6wLzM1tTXzsT1wI\n8vmt3uFvvOPBl+9WEWmR6QbfNqvQlgxhJ65aMIZPyVsh66Jd/J5uGiNcMHMpIAsl\nwYkdWvkh5yiCoR6ejwP9Jg2mw/uDGY8/rlQ8IOK2h7umsQ3wxSJLUWhOyvT3WUtg\nnLVh9zlODf3sA4IBhgACggGBAKlK0GDzir5nVhTZZdSf0aUUk40ybYcFEJ0gqriy\nfJSrLlGsi5EIXih5krMjJ0kX4iRA5hL1ol1rurvVFbGl9VZ85MaS0BRJFawa9tsg\nk9mcGocJV08ogYHVEqNJHsDhrQg6xGu1hOf7lA4UWYJcjVDSYM9VobvucPs2oIA2\nqijkDGlxG6AggUT+klMGtmhxDyW3wynHczWAZs7Yqgenhd3ueENK+qszjxR112PF\nc7A9oOX14wSPti58Jst8DDRZatTrPMnu6Pkwk+9zhS6to/u3Ac6VnoOzs/c7XTI2\nbCkCY4rgPK0kT23c14QY/gddTZnc30FLj+Dzt8ny9BWY5Cg4Z2A60tUmDICGANAY\nhCoOEzOO2g5caqPzjXwpjwXrnOiwQpKjY7
Pn3q+SfoxbDnGyOcIP+X8x3qHiw8j+\n9mWE+QFAcW/CfI7mWFqUVayVZfaXMfTigTxx0aR6K7FFv5gGkJLQTpJo/jfIf65n\n16E51OEZOEZ5huGiENeX9Hl/UKNyMHAwHQYDVR0OBBYEFF8y93eKUEsqDBKgvXrx\nyNi61RAqMB8GA1UdIwQYMBaAFJCHnn+Cu8Ga7Ls5WltiB1yEVr83MAkGA1UdEwQC\nMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0gAMEUCIQDwlclxHNVg/Fc406pMjxC6QEHDMWSTwsgj7zOxR+fPegIgaFFl\n5Vgv9fZYNB+cOsSzzzdvYZ6OpMqI/pJ/ZJPMKSo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 457df90a9248ff6927c5506a8c9d1ac05640e3a3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 13:05:14 -0400 Subject: [PATCH 029/155] policy: check for 0 SN explicitly Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 76a60dc22c52..53069a319c95 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -364,12 +364,16 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } // 5280 4.1.2.2: Serial Number - // Conforming CAs MUST NOT use serial numbers longer than 20 octets. - // NOTE: In practice, this requires us to check for an encoding of - // 21 octets, since some CAs generate 20 bytes of randomness and - // then forget to check whether that number would be negative, resulting - // in a 21-byte encoding. - if !(1..=21).contains(&cert.tbs_cert.serial.as_bytes().len()) { + let serial_bytes = cert.tbs_cert.serial.as_bytes(); + if serial_bytes.len() == 1 && serial_bytes[0] == 0 { + // The serial number MUST be a positive integer. + return Err("certificate serial number must not be 0".into()); + } else if !(1..=21).contains(&serial_bytes.len()) { + // Conforming CAs MUST NOT use serial numbers longer than 20 octets. + // NOTE: In practice, this requires us to check for an encoding of + // 21 octets, since some CAs generate 20 bytes of randomness and + // then forget to check whether that number would be negative, resulting + // in a 21-byte encoding. return Err("certificate must have a serial between 1 and 20 octets".into()); } From c54bced83e6c0120eac604bfaa5970a0b1c0f916 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 13:05:23 -0400 Subject: [PATCH 030/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 384 +++++++++++-------- 1 file changed, 215 insertions(+), 169 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 9a52df024f51..bafa0cd9437c 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
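Review bot: The added zero check in the serial-number branch rejects only the single-octet encoding `00`, while its own comment says the serial MUST be a positive integer; an encoding whose first octet has the high bit set (a negative INTEGER) still passes both branches. Assuming `as_bytes()` returns the DER content octets, as the 21-octet note implies, a third arm after the length check would cover it: `else if serial_bytes[0] & 0x80 != 0 { return Err("certificate serial number must not be negative".into()); }`. The 21-octet allowance could likewise be limited to encodings that start with `0x00`, since that padding octet is the only case the comment describes, and the message "between 1 and 20 octets" does not match the accepted range of 1 to 21. The function this check sits in begins and ends outside the hunk.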
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUjdfFtHvrxj8NjRV6277+dOzJ8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtwUdc8GkX/3T+P7dzJ7h+hcoJU0YmDqwsQAuC\nPqyzdBqCq2dlT5yOWHw7rU9r6On5GOPT982w69F+wdTsxaKzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvHcWNfUf3HdLmN6RT0NeyXKX+WUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOXq1ziNhvUzdg/Z4r9mpTalcjUQ/Y/AjWC7mEyXB4ZPAiA9JDI/zQXtmkowoYPK\nE6C277kkQSLeBKB36SNVg5boqw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCNkAEvn4nqchsV9r+1zuPz3YFIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNggMNt78KY6Fcaig/NaFFGHokgD86wVeexUPr\nM5e6OWmpz1C3rhsMaNiRz9C31+iQcLBsmcppKKGM8QZmZDnDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5uRBEeRt2/4UQ7YHr0IvX9yJuAAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMUzRvc2zzrRBw8+JLJkOsh3Cwz/H5lJtz0jGyA+w5HuAiBYbPhbQq8uSmNtBnTC\n6BHuW4FZXZRn+Xt9tQl+eSfaKA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW6oEDznA6odAXS6IiCcMfNHFWQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjkzNzIwNjc2MjU5MDI3NzYyMTM0\nMjk0MjAxOTExNDAyMDI2MzExODg5MTYxNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBElFP5EJI1CvFOpqo/WnPsuFNe7IY/S7zwOqkl1IVaiVCzg1QvTPLIi+a04rkxzo\ncl7nl1OW+HpcszOTl7D9AoSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLx3FjX1\nH9x3S5jekU9DXslyl/llMB0GA1UdDgQWBBTIgyoLwKoLUTxFRkrulerBvTonLzAK\nBggqhkjOPQQDAgNJADBGAiEAw77zfvFTq1NkkhnobPBfOOfFGF8sYMpUHa9/dtSW\ny54CIQDh1GqZjeJAss2+XJMSDYKKOwTQDuP17TrUyfELNuqD2w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUSDtkiyYNZXvAy53X6dT6ljlRViswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MDUxMTE5NDMzMjAyMzE0NDQyNjA3\nOTM4NjQ5MDE5MjYzNDM2MTY5MjAzNDE3NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nVi1hYSE6b254aQDd6+aLBPIqshRiJvFVKxMu9HOk7d4LnsNcQA711WkNpXQFEtJH\nT8vkOCMJ/wG8zQAVSt2C7qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5uRBEeRt\n2/4UQ7YHr0IvX9yJuAAwHQYDVR0OBBYEFOyf2MVaHiUa1Zq3SU/CCeep8TAUMAoG\nCCqGSM49BAMCA0cAMEQCIHfYPq11XMYVeuY8HOIp3UmJr94vqUGE4AdNrpz7IjjH\nAiAA36phw8jOqDX9FVHv+W/x8kXSFho3c+ZkqMV8WYsYFw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUGtt5whSbjQFbKqBma4tw8kDLEG4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY5MzcyMDY3NjI1OTAyNzc2MjEzNDI5NDIwMTkxMTQwMjAy\nNjMxMTg4OTE2MTY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATB\nIeAI3XfW9LsD32oSW9tEYKc6KNqk+Ck9Yo8qyVq4U9b/7HhuWZ68asF+uXgMQk8d\nVEo0v9/xrQYAVl+G/bVuo3IwcDAdBgNVHQ4EFgQUdFK4H8z5JSxZIx6yyykmaC6+\nqSUwHwYDVR0jBBgwFoAUyIMqC8CqC1E8RUZK7pXqwb06Jy8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAPjEdzspX4Crhy5smNi9j84iymutSBAjfAkkycxGAA9PAiBYe3l1bd7O\n1FayDwnsDt4HcF+rzM0vlaEf9s0fh8/c1g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUQarisIzt5mEUQeM0L9kPaSiLWs4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTA1MTExOTQzMzIwMjMxNDQ0MjYwNzkzODY0OTAxOTI2MzQz\nNjE2OTIwMzQxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOFi\nv2J/0rYjngo2eRsABmYWMF0Im90DbLquSj1KzNN26VzfbRyLJ6ns7j4hwI8Eq9EA\n0aAV5eHbEqA6DCnHTnSjcjBwMB0GA1UdDgQWBBRt2jGf+NnsCl4XQO14dOhAd/qp\nOzAfBgNVHSMEGDAWgBTsn9jFWh4lGtWat0lPwgnnqfEwFDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiB2phz9x7qs/l0Abc8G0klbgTOXG+YPBNuHBD3qQcj0sgIhAM2itlsRdArY\n3Zk3F6yaj1/OGc5yX3S0LbXHpsGitnsN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX0dCYtxbJb8cNk+ysNKa6+to/QowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH4ib0tqaWetJ6DzbZZ85iNUcZKo6T/N4zbV11\nl5ZkG3pMjdpcTQeR6zigH39wvf2U7Bl1tUNW2D9CJBz5Wpyao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlDlAO67OhTCPrF7GzugZmv8ae9MwCgYIKoZIzj0EAwIDSAAwRQIh\nAKghrDeRd+kbuxit1jycdAjDww/TCfFhrfZP95lKyIDkAiAnOtivhZEqxmDmyaOi\nI7BLKpOfciLWjOcZv70s2Llw4Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtrRM6zc6UKa9khx5cW4PTJL+swwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpJB/pgY2pr/Bzp9irEDudPXJyrE9jUWcnrPhb\n4LblKVLhZ25zG8vX53bvh9AV+VAZjbiPIiq+s+qkXdMwxwtmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzD6V5By0EMTyuwVLkoCKVyhAoz0wCgYIKoZIzj0EAwIDSAAwRQIg\nMCnu4GEwWy4pqFSMR8eCdY63XVZ/2heleY71Oe9NFw0CIQDwTF8kOFyenGtLlM1I\nhWRxjRv2gW8NEmASrEOBfnRu8g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPUGjTTsjr82OdHnFs9udI3cvqwswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NDM5NDMyNTkxODg4MDczMDcxNTA3\nMTk1NzYyOTgwNDM3MzYxNjAwMjI4ODc2OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIuj5EnzvhWKLnqQ8rdJVb5YQKuQnGNPKr1Jj3retpqnLrS54PTN4hJMqaJzuExm\nqaRspd89XST3NO9EAhPPhYmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJQ5QDuu\nzoUwj6xexs7oGZr/GnvTMB0GA1UdDgQWBBTDLaMYlkYuPds54uv+yafcQ6WyTjAK\nBggqhkjOPQQDAgNIADBFAiA8al9Abwy33leecVUKmWnc/eT0FLU2GDFDxSY0mwXc\noAIhAIOEmoWuxO0OMpSiBPubtg3jYPsXJrMc7HAPSzJMAJpr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUY7BSJmPFDnx004/8FM5vkEZ5e0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTMzMTM1NDY1NDY2MzQyMDU5OTY2\nNjUzMDY4MDcyMTA0NTgyNjUwNzQ1MzEwMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK4vR0CY5acoNh7VeSHcPzi6y5j/R+JzHTKryGBtcby+vaUKO/OkZybRdxgwfWOM\nssjae1IWx3FXW61HiKoB3zKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMw+leQc\ntBDE8rsFS5KAilcoQKM9MB0GA1UdDgQWBBSj7a6eLzpOzQ+UYnQOKjLURSt75DAK\nBggqhkjOPQQDAgNJADBGAiEAk2hEJiL8ehBHOQvX7eMWk7tXI5qH82HW8YNsO1KO\ngYkCIQClkH7gH0vyCu38WUjwox5J+6nP2ChpvU18jL8nkYx3UA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdSrKNUZkAl5MrSXPbW8WlJ31cr4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQzOTQzMjU5MTg4ODA3MzA3MTUwNzE5NTc2Mjk4MDQzNzM2\nMTYwMDIyODg3NjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1\nMR42Y300fFoY1moOlv7Spz7eTMcOi0fBCujsv6JGcBoO9/B0DWJke9yUb4JrMZSs\nWNMNOmhv7jjmWbirsv5So3IwcDAdBgNVHQ4EFgQUC40DQ9a38xpeUw6lNgPeW8Qy\neXwwHwYDVR0jBBgwFoAUwy2jGJZGLj3bOeLr/smn3EOlsk4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgK24c2+GxhlWs3rJS10knoSaF8sNJwwlLS2dK9H0uVd8CIQCtcTjk3oAI\nIpGRt6c5aTOn8VzWqJm2ZbtveVyxzOa7bQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYrwyPWhoX6uTbYbsTRa1G3KqCagwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTUzMzEzNTQ2NTQ2NjM0MjA1OTk2NjY1MzA2ODA3MjEwNDU4\nMjY1MDc0NTMxMDIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0\nJlwGzfaCuGjw5hEfzK1NRQaMtuS0u20d5ON4Joc7kqeyjACV+lx7oYV2zz3t/V5g\nsaxppne0rWHVqTRMr2dYo3IwcDAdBgNVHQ4EFgQUtIp4PWF92V4G3FE+JZlSGO/z\nxN4wHwYDVR0jBBgwFoAUo+2uni86Ts0PlGJ0Dioy1EUre+QwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAODZ8f0WIJZMEA3u8bXIwAXkqjOI59MnAXvuVAwBCdTfAiEA/YWdA+JS\nVIgj+HRm2Q2YgGUcoK2U6d6RX5DlqEmjj9M=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbuZUk5NiJEG/nx9dNf1NRQASATowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIfQX8bW62EcZLEbRlAN5WGAzx2pR1o+mJFUHn\nZIrSpMPIP8X0x40bPwpo4TCu/fHy0DdGjIZXkKA6Ae7BPLSCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnPK7gYytf9JPlitAeMW/8y4dp70wCgYIKoZIzj0EAwIDSAAwRQIg\nWgXg25U2PfBJnVjVsh++ReZyem+GHP1LFNqcMoBOHswCIQDnxu2/CHbxz43eAwTa\n4Aiw0sA+SxH/dG87DqnsGBMbOA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNdedzaqSb+yXV2weymeakfAFPlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8E3kUlo7ofENLxn4Dv9mGxxQ5NpU9OsoDW7uH\nqO/apCO++C5jGYYVGOc8qg4XEpfnyAnCy2ThB/pZ1ROwKx/ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWdHGgdjgBvStwiPaZbuADVDsc4UwCgYIKoZIzj0EAwIDSAAwRQIg\nOmBYqJFhtLWiaxMA7+25VP1EuSs+AHj4E75BY7UEbuECIQD8x8yUzvOVGiMDsAmW\niY3uwQnLku/KadUFJRkHytObwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUQoVexDPiPKgjy1aVixABQWkJ3x4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzMxMjU1MjM4MzU3MTY2OTIwNzUy\nNzA4MzI3ODk4Nzk0NzMxNDIyNzYxNjE4NTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOI/jHTGECYv1G1mMIZVLfH6LX87PsMT7hzUT6IWgot3hf1uZVMOMeWpqK9jI7VD\n5bbQzfUOjeSgOg3ijqA9O8ijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJzyu4GM\nrX/ST5YrQHjFv/MuHae9MB0GA1UdDgQWBBQcCPHyxhe54sxhF/PgjAeW7/5xpjAK\nBggqhkjOPQQDAgNHADBEAiAa6MHuyh6e/8VZhiGEc//zChkqtH+a0j4FTKVcLWuK\n5gIgBtWfkQumLEskU6zfvI7rEpiK9g9EQc6w7GpvESgADdY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUf9Ct102DjZlFlUmVBgkbfjU73uYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDczODQ5MTc2ODQ4NTMxODg2Mjc4\nMjc0MDA0MzgwMzkwMTY4Mjg4MTc0NTY3MjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKHJ0CCMTErGh/3hrxSxBF4G+xmqa9+3UcgXBR7+G/f2PuImBPvK7wnU+/RxHrsW\nuCFSCXEVa1ExI7/w0w01w1WjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFnRxoHY\n4Ab0rcIj2mW7gA1Q7HOFMB0GA1UdDgQWBBQ5nkJBJ1y30hiksavEgtrN9ufMFjAK\nBggqhkjOPQQDAgNIADBFAiEAn6hvWe+uiBk6grutCibgtL8RvI8vJJornmzHY9x8\nW78CIAcJRi8nZAAIxuZh7rvb6TqY9Rh+ycjCbedMx7aLHDSM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUXVGz4/lR8aKO56V/JSKrVTkwLQkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzMTI1NTIzODM1NzE2NjkyMDc1MjcwODMyNzg5ODc5NDcz\nMTQyMjc2MTYxODUwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQS\n9MKYXytnqU0IrKV84zIZGlluZUD9qEMVyA3T3iAPrI8LjiE44CUfBP/tLjsH/NA0\nGfogb4ZBuHJeno2HJNdqo3IwcDAdBgNVHQ4EFgQUt14iIXVtjb6VdSSSi5zu61lh\nqBAwHwYDVR0jBBgwFoAUHAjx8sYXueLMYRfz4IwHlu/+caYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANImSVNVhLP3jdUTvzyV1R2P0mRoQLsHq6Q6zVgpaflnAiA5w3vDQDMd\nQKtKB0UAKdFBBam8PHZnrrkuKD+ioqJRqQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAXsnaTuCto8KFaUbjFbjfyayaNMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA3Mzg0OTE3Njg0ODUzMTg4NjI3ODI3NDAwNDM4MDM5MDE2\nODI4ODE3NDU2NzI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATH\nDotgwRCEN3kaVNQbGORQlvgmFCJoNXJry1sN54p2D2mWxv4NwH5f7YnG+k1iuRiq\nAUCSzu8MVLjiIMhRf27ko3IwcDAdBgNVHQ4EFgQUkDP3YMc3lSG5Dc1wZfM7ZC2C\nABwwHwYDVR0jBBgwFoAUOZ5CQSdct9IYpLGrxILazfbnzBYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgD/956a8EThJYT1XHka5r46K7RnPH/EUEU9qSl6iafIgCIBhKYbdI8IEB\nOrdfUv6l4+ibp+s6IOLUITv3KI2mGM0a\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOODjIWOBmS/ht8kkPFkbLtCyvNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyg2yDR/CA9lsKuJSwA/0PbEVgMztk2e0rxeX8\nYySXfj5pmGe9tutm7PHWfjripNQKGZ0dXU/pPCeRWpfWsJAUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQg2SYkfd5V1ZIEVqS047Ln4I/JUwCgYIKoZIzj0EAwIDRwAwRAIg\nUJrh+joXP8XSCyQKFLq63wUJHddXxYjHQkE20hOuuNQCID3KvkUDtzIx3H5gBqQN\n9xdtuVm6C4uUpQZKHA1r83yI\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaTIhsFabLLdSSFdh+pAWSu6miA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoMx5t95Hs/y3wXUbejn2YVImt/8EJTdGRezG9\nLxE2rFHhxtTCmNfi16cW+pSbY6rQgr9kJXhlbzH8+zETI5NWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgPmdaCAKsQ2SdISJvSWLVm00g0owCgYIKoZIzj0EAwIDRwAwRAIg\nXvhOds9wdvQw4r/kKWxtdH575OhVeQ8MP2/O+gJS2BACICI195loKbsLFVh7SGi0\ntYAJtOvgzIoiQPUQR82XdIW5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUYJB0DmZyvXvzLfqfwP5pxlKQMnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0\nMjUxMDc1MjI3NTE4MjUzNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLmTYM8eajoT7LWgeoIhJMIbIFCAdq/q51rCapiZB5gJOzU7vEBfRXQfow5pFG5Q\nfLyWFBHovevikD1Y3k4L+t+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEINkmJH\n3eVdWSBFaktOOy5+CPyVMB0GA1UdDgQWBBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAK\nBggqhkjOPQQDAgNIADBFAiBkmj06OfwIpL3PgEmK4iM4CTGrd1TAq5Q1l7wMLN2A\nUwIhAJcVSYyseij+VxVqbpAgov/nI8ZqkwXZhCnokrX3xlIK\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUfx9MviWtxMsVuqieltLOwq+LsEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MDA1NjIwMDI5MDY2ODEzMjc5NzU2\nODI5OTE0Nzg2OTI2MjM1MDAwMzMwMzQyNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFjZJyhu/QIg3kkSxh8Lsfs1hYj2r6688CHNHsX7MiKeJQJ6wb0BuvfUT9MpOr+g\nYckTbBvMsP1I16Pb0eo8V1qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFID5nWgg\nCrENknSEib0li1ZtNINKMB0GA1UdDgQWBBSB6RYlNaGAKiXCe+It9+GYBFhvkDAK\nBggqhkjOPQQDAgNJADBGAiEAgTAEX2+JyZ23aNHBz6J0LkYWlRHXECRD3gAem2M2\nqhcCIQDHFh0JqHTHafCtM5XIMtpTufhDqrL0A+0kdtd2UFydsA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgITQyN987G3uYA468v5byMvodayqDAKBggqhkjOPQQDAjBn\nMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0MjUxMDc1MjI3NTE4MjUz\nNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNTUxMjg0NTMxMjMyOTc1MjQ1NzQ4MTg2MzYzOTUyNTQ3OTQ1MTcxOTA1\nNDI2MDM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrHiZU+tpwIewlqntI5Nmn46Rm\n84ptjOFHVHG+N5+peX1xVAL8swDy1jZJH69XsYgXR7bDJYXf5fDpUr44NV+Ho3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAdBgNV\nHQ4EFgQUFTym8fBPsGlAEKDcfzyWaAx3ps4wCgYIKoZIzj0EAwIDSAAwRQIgdfBz\nooJWof9a1P39op/G3wF8e8Sxpbt+S5Fv0kSQ1kgCIQDG/obogcjj0gwytLtVzLzI\niO1NGitVcvUJ1Q1r0CaJaw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDXr2K5rx3SSjp7pxAUSLtBq4CjQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAwNTYyMDAyOTA2NjgxMzI3OTc1NjgyOTkxNDc4NjkyNjIz\nNTAwMDMzMDM0MjU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDcyNTczOTgzNjIzMzI0NjI5MjI5NDk0MjY0MTQ5NjI5MjcyNDY1NTk4\nODEyNTc2ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWhjyfemHyMcWwHqKLejeGMlx\nhm1o3fF/Vt/ahxGimqcClPHuRgK/mu4W33gaq83o/q2I3Ch5x0DPJVRJw80gm6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUgekWJTWhgColwnviLffhmARYb5AwHQYD\nVR0OBBYEFPtesNQPeNxTrd4TtQ5kXOl0AGzwMAoGCCqGSM49BAMCA0gAMEUCIEp1\nwxyujkkDa27Eggs1P+pa2DKUmpEqAO4PdQv3KH36AiEAgd9hZkTe2glwgBsby5Zp\nXclb1aQcniut3MmmRXoUzeQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf8wxRiPG4LMGszX4/MTgr7cwJ3EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/erWpehA/s0amOiiOgT1qdoAIciIzU0Kb9H8O\nc5jkeU/N+6UQWW53FyoJepHCdAwqIybdIZdG4w9q5SPKgqIPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV8BXRhUCbvKL1Ay66yqmGnO00D8wCgYIKoZIzj0EAwIDSAAwRQIg\nRSYDqMLW8ojAWkBCYgy9b9rHfIEm50OSkfFFHa1WTqQCIQDXgBmfmORgd/TPWPxB\nSHpSNsBYgSckMaMcJcyRKEa23A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUaKBrmdai/A+uPJFAIae8NoO678wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+mmWDbYiuDiRrZ7sAE6G0SpobZM5hHn5QAlZ4\nDeGV8iRbX39Se0lRX0Nqk5AFeuoJ7ywRHox8JEbBlJefWS5Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqiV9cR2FkOBP+1R1r+tfz8IUoqowCgYIKoZIzj0EAwIDRwAwRAIg\nQUYoPb0KvCsSTVujDtYqFMHLLgnQlW/lk9xaxeMazAACIDT7LFbdytdRf156jZSv\nJ8xBI8G40Ws8KX/JMTvZrUHk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUExV1CDCJulDValMokPAjG6BAQ/0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3Mjk1OTU0NzIyODQ0NTk4MTk0OTAz\nODg1MDgxMjM5MDQ3NTk0MDk2MDQwNDQ2NTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBItcSP2xpSa4GnwuPz+22GPBtHBrJnaG7EXk3X8xKXb2pJlP1yt4LZXveLUcnUa8\nweW+fb++cDoAr9un02tvRsmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFfAV0YV\nAm7yi9QMuusqphpztNA/MB0GA1UdDgQWBBQQzSOLPfYJx0N3NptWl1F56pC/wjAK\nBggqhkjOPQQDAgNIADBFAiEAhbHv8AGWUPORbfKr1fqnOS8uQGpyYvypRfENbKsE\niSICIGP+PgAhZQ9lXHNeVL1+jDHqKXsY3awtNHBuTFPQ4bfJ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQGx9wM0oGlDSPFGnJrhuaZbzcmgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI5NTk1NDcyMjg0NDU5ODE5NDkwMzg4NTA4MTIzOTA0NzU5\nNDA5NjA0MDQ0NjU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEwODk0OTMzNTIxOTA1MzExMjc2MjU1MDcwNjAzNTAyMDU1Nzg5MjQw\nODMyOTIxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyNPjsSR+Q/cJEH3umFP8cIIK\ngg8o2k+mBKIG+0tmtObO27A1NaFC2U2ZuQ26PF3qWTOgkLQIeQajN+dy+wKyk6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUEM0jiz32CcdDdzabVpdReeqQv8IwHQYD\nVR0OBBYEFNA8ZAU3Mj5E2WouSy2Y4yTf78ZdMAoGCCqGSM49BAMCA0gAMEUCIQDD\nW9ngfSIDopr3SkZbqMqm0QD8tgWPOtqgK7Akw2dcnAIgZH+fiOmqZU8vAciUDk4k\ngoJfB0oJRtI9mc1Bzn0HyW0=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKAlCDwMjfJJmKRJnqO+fgrFWk94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjYwNTIyNjk5OTAyOTA2MzIyOTkx\nNDM1MzUwMTg1OTczNzU1NjMzOTQ5MDI5NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDd0nx49BGSjubB5NYW2ylMBuquO2vJ25PMsCPAny+Ipl/nEY2YWjMqXTPJemMU4\nY5IaWP5D5CnJseoU5QSTMBCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKolfXEd\nhZDgT/tUda/rX8/CFKKqMB0GA1UdDgQWBBQyggvQ+OW3jUYnKDsy0ho/86TcZDAK\nBggqhkjOPQQDAgNIADBFAiAviTAZeC/PwTrbr8Q/QUjPzGZovX5ZGabl0DJri9/u\nkgIhAMBftKsTGT01H22TEGgOMrmaiSGUIozUUPMIXN9SGeGJ\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUZEcBqrZBOARxDKMZ+SGkn2W8P5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY2MDUyMjY5OTkwMjkwNjMyMjk5MTQzNTM1MDE4NTk3Mzc1\nNTYzMzk0OTAyOTc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIyODU2NjA5MjA1OTAxOTI5NzU2MzA3ODM3NjA1NDk2MTAzNDEyOTIy\nMDk5ODExMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKnu5tkzGSo0Guw7deWny1x34\navCf2uKPqSJA4MOqHJA+sPVOWQk0D2ZRXTGUhOdGdAAR2wnhws55MJVlH9g6X6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMoIL0Pjlt41GJyg7MtIaP/Ok3GQwHQYD\nVR0OBBYEFFl3wq9HgB8OtRf/NPVg7BtH23n9MAoGCCqGSM49BAMCA0kAMEYCIQDi\njtK5wG7vaMN38Fta/i+KuJDNxzWzA238VoOHtOu2gwIhAKpLJVz5xB9sflyqxgBa\ntDgrUUJmuR9chPEH+nl8Rnbq\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUJe/5BVu+qL1eYcl1qtyKevSkzHwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA4OTQ5MzM1MjE5MDUzMTEyNzYyNTUwNzA2MDM1MDIwNTU3\nODkyNDA4MzI5MjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARQ\nxAQNkzcMHyZFtRFAe+r21kQ7mu+1/TeYtSaSkPZcp45hGr8Pw0dqeH8MjwN+YpJp\nFWhNazqJuuSkGVL43tiLo3IwcDAdBgNVHQ4EFgQUQYGkCBhYLe0d9jLESJ4juzAM\nnxEwHwYDVR0jBBgwFoAU0DxkBTcyPkTZai5LLZjjJN/vxl0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgQ5aiw0nnggX5Rw3LXnySyERuQ+OPgbIRA+CjEr7cnCMCIQCWZXb6HvLE\nekNCT1Nu0HEA7xBrpeaE/RhqwABJjBF3uw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUVZjUcJZP5evuzb+B5aWxKrAmkwUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI4NTY2MDkyMDU5MDE5Mjk3NTYzMDc4Mzc2MDU0OTYxMDM0\nMTI5MjIwOTk4MTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQA\n6TesGeLq+CNbUaIjFbpp0M0RxGffwF2BYTccVsF3nebcZ10w7l8v9JX8kPuY0BBb\nyamLL3xwTnitQvu0lAguo3IwcDAdBgNVHQ4EFgQU6tKWwuCZYTBIm5lg92e1Isaf\nKJ0wHwYDVR0jBBgwFoAUWXfCr0eAHw61F/809WDsG0fbef0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAN/0i0vVE8wvtMByqm1ZdZ0iQpy1A3SLLi8F+z3ibl1AAiEApGtV5Hnf\n5W42YAPoNkI8Ud1JCRFgQZInV02x/2RICdw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQrooPmZOgtrw0mcAZ53Zc+5czOwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLJNaqtnvKNt1yARnpEyEoVBGyLhSudrz4Fe9K\nmwk+9cVaro4PyUpuBcn9NwjnXcqHzYiUMUyUGKns7UCX0t8jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv2BRKltVTjAP7tOtX71mzbB2llkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLpNJrFtiOLJUtcNRNrzhppsuHGYfVFFkyOS+fe//KJAiBqeubTebe7nb3J+JC9\nFdEP2UUDYNDvmMOWD232IGsJQQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZhppNZLcbrGcIeJaNI2PCBLYQhEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6scFInXz63TSRKRlCEnTsKZo5LPayLqLlVhLI\n1+OTB6H81lc3dRjx+QCwVt6nQZ6fXpLG8QY8PXL2ky6WgMGGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlSjsRzoyD+3ByOAYrOh20arRuRQwCgYIKoZIzj0EAwIDRwAwRAIg\nVaVgIoGgESMRoHjrffq4Fscgg6eSzdXAjWkJgJw1WCACIBFZ2CEKwprMNddZ6/sq\ntLaiQcEVV2egY5NOJVCf7uDY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSWz30vHfDRS9ZIAlcIi4hs5lyz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODA5NDQ4MzUyMDYyMzMwMzI3OTYz\nMDk1NDA4MjcwMzU0Njc3NjIwODA5OTI0OTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKSziZ3lTzojjLzawD1ATDFYty47SGBuFx3ymYpIb513FNeVDsSbg7hjmJj1o2v\nfWwuQfK97fdIL93NujDpYdCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL9gUSpb\nVU4wD+7TrV+9Zs2wdpZZMB0GA1UdDgQWBBRYLcySfIy5A4lCDUE52GRZZIrApzAK\nBggqhkjOPQQDAgNHADBEAiBxk2j0K8G7+H6SOzFY+/evgrgvI5mZ0jgKe5vWGldm\nigIgL353FxA9mN1aNKAFHPFb7rRuSeGvWHtGI7aAhIY1iiE=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUG1TUyZZ7Cjt581lInL7cdt7vgwswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgwOTQ0ODM1MjA2MjMzMDMyNzk2MzA5NTQwODI3MDM1NDY3\nNzYyMDgwOTkyNDkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQxOTE4NjM5NTI2NzAwNTg4NTI0NDQyNDY1ODM0NDI2OTMwNzQ2NTkw\nNzQyNDA2MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQwHOAJzmgJlwLg2PDjsFXA72\ni6Hakz51n/56np2Nathg0sDf8ekVhDeemae43LSCltPyHY4cAbmCGBDrPzz4zaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUWC3MknyMuQOJQg1BOdhkWWSKwKcwHQYD\nVR0OBBYEFA2yQWpVGFvNmwMJW5klq87/VekOMAoGCCqGSM49BAMCA0kAMEYCIQDR\n5mkxWauQtN+tiRY+PtKMi/Q+gjGN7w/lWpa77TlExAIhAKVSpQR2tApLpOgvIQV/\nF4cQAwn6kSuEjwFgtURdFdoL\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHJxht/lrZLA+1Xm2yV8vb/y9ArEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODI5MDYwNDMwMTkzOTM1NDcxMzkz\nMzQyMzQ1MTI1NDc4MDk4ODg4NzA4NzU2NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA2N20Yj2c9dDYOEKTVVpKtF6bpKHUZKgDjR1XrID7Xe8ZRMJpZ/fVrGWAdRLGv1\n5wWncaPIJZocuFK5sSWFGuyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJUo7Ec6\nMg/twcjgGKzodtGq0bkUMB0GA1UdDgQWBBRIhShIrXHROJjVZu1ALDhiAw+PHDAK\nBggqhkjOPQQDAgNIADBFAiAXJjtd9Xf49oHvcVUlbB40aiLRR2dZMX5NCbvCv2xW\nTwIhALBkaUvHuMoexC4b43OLNK8JPJuozLl+2w+t+sFHuYvU\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUOZn4NBi++kszHmL0UTuhRhY2pI0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgyOTA2MDQzMDE5MzkzNTQ3MTM5MzM0MjM0NTEyNTQ3ODA5\nODg4ODcwODc1NjY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE2MzMzOTE3MDMyODk4MjIwMDA4MzE0MTUzMDExODIxMTU2NTI1NzMw\nMzU4OTU1MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExqTWD8RfDBmq49S0i/mZYeSn\ngqkzoSI0JW6NNJ2it0qkjKqYpI5wMLT4Po4zHz79jQs00D1i9EaYKazXAeDlIaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSIUoSK1x0TiY1WbtQCw4YgMPjxwwHQYD\nVR0OBBYEFG+rQZku39qgeuDjBD9np5uhxGIbMAoGCCqGSM49BAMCA0cAMEQCIHnl\n2OmXBGZMlv1+dOPqUwtS1QqsEozCnkdkQeQkmb0fAiA0qlQ6SpXtosVckSmXZydN\nuyhajAdjV1WLQ4Ga88FELg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULhVb/DjFSVELys+SoAa4/7ltNb8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE5MTg2Mzk1MjY3MDA1ODg1MjQ0NDI0NjU4MzQ0MjY5MzA3\nNDY1OTA3NDI0MDYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARC\neH4GDv6wo+Nult8QR9KpO/E7nYlzavEB+FyGQEXjSazdeTbVJCL62GUjj7T2Cfsj\nPNJwpZGS09EWnCLoVvK6o3IwcDAdBgNVHQ4EFgQUiYkEUlUPOEJnwNLxNRozUeKx\nE9AwHwYDVR0jBBgwFoAUDbJBalUYW82bAwlbmSWrzv9V6Q4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgA5Rnkg5J8BmdMkzZCFP2i2o7CqslCWhxhUNZ8V0FuMkCIQDG0NBulIYO\nogzcjWC3JsociydED3N0WjW23qykzEZJIw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIURqxWMnqIRfRNqLRfBeFSsLd72wYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzMzM5MTcwMzI4OTgyMjAwMDgzMTQxNTMwMTE4MjExNTY1\nMjU3MzAzNTg5NTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATF\nI4Ag0YojqVtawrbO7aLJH7rTdpWDYBCZqReJRu4dXgyNFgePcnMAG23cqDWmDPf9\nUPdf/7Jpj5O1bp8YV2yFo3IwcDAdBgNVHQ4EFgQUtBFyjH0L2bzb0Xs9bSEpYkg1\n+jAwHwYDVR0jBBgwFoAUb6tBmS7f2qB64OMEP2enm6HEYhswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgNwdoQUaRSWFK7oKXfMP551TBNvhRrL60+eXYnQHRfjUCIGVMw0ut2gmC\nUOdP5RS1UUYFJWtcqXvzbSt4FQvm9TlZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ0eOF+AwqSgt0l+EGiut+Auh6XgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQc310/4+jRBNt5TMZNcMS37+eLHAB7GyX72kZR\ng/uJ3sYsK6T8U7y80nBfTnej2qaDNn/n2BWX+ORbtQiL/plYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU61+tyxB8Uduikacm62ovnjqkOZMwCgYIKoZIzj0EAwIDRwAwRAIg\nMmfA3XJO1M5yFgKjMEhmnEHlIxDv4K6VuFuyw/shYnICIBPpIc7XH1pfxrOLQ1dI\nqiuCSam/njO/1ASjz4gaZupA\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCBjK4eGm3OwwYUOIp8gbyLI5zSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYLPzXwrPhUrXJi08t4AR4AWnezhFHttfyJFFJ\np0ILZm6mSxIQG/TKfvqj+77GpMJ16XTPIgYXJSNJJjksZDMGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb9knBBocZB7fGu9qy8qugeiKEmQwCgYIKoZIzj0EAwIDSAAwRQIh\nAJr65fotujRkKZFoJVsDfxch3hcHaKfoQpXXn2y5b5PSAiBdW9Q71UvUNO6I/jtK\npC3JfA2E92SmZ2/1nTFQxUzpLA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHfgSF00yURlc6fwabAj0HOrl8hwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODk2MjE3ODAzNzMwNDc2MjY1OTEy\nMzI4MzE1NDcxNDQyMzkyOTQyMzU5Mjg5NTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGVKHq4RItuiZCY0n7n5T7zWY+YxP235dQyHCxUTFQYMgcoxlbP2sdy7+aND7j4t\nauyjFvvXmpkcamcUL95Hs0yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOtfrcsQ\nfFHbopGnJutqL546pDmTMB0GA1UdDgQWBBSSeTKttVbcRQZJiIx6O2VgGwXuYTAK\nBggqhkjOPQQDAgNIADBFAiAU4hzcvYjnSlhC3V5sfjuWdNrNxZjahRkY5vI9aTbz\nXwIhAIk73+kG4EA+6x5ug+csoY59EuCxjLI0EOIhb4kBQcCR\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUQgnc/c/e4TQPV08icFyUVkL4gPMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg5NjIxNzgwMzczMDQ3NjI2NTkxMjMyODMxNTQ3MTQ0MjM5\nMjk0MjM1OTI4OTUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE3MTA5Mjg5MzExMzM3OTk2NzAxMDg4OTA0Mjg1NTc4NTQxODM2NDg0\nNTE1ODk0MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhnewbij5DQH5faQoICgARJo7\naJentAx+2fLwMvsji33Zb42CNFJMdlPQJalzZnJrFE0D+VgHQm4BKBUf+mVVpKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUknkyrbVW3EUGSYiMejtlYBsF7mEwHQYD\nVR0OBBYEFFzJy+pP8t68Wck3KWqSbqQpz6X1MAoGCCqGSM49BAMCA0kAMEYCIQCH\nhF5sLlDNls1irvGJwUYoQL/CribX5YeQefd2DP5LlgIhAJDbsn9D2JHAs+TxXiZx\nltRfJQc4VpX9jqtX6rRoAY8I\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUdY0Ds5H+wc8MMg9L56pedjZ36mUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTcxMDkyODkzMTEzMzc5OTY3MDEwODg5MDQyODU1Nzg1NDE4\nMzY0ODQ1MTU4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM3NzAxMzM0ODY1MTgxMTQ1NTE1NjIwMDI0NjA3ODg2NDE2NjY0NjA1\nMzM3MjE0NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKuqIZAo0ZIvpg6VwuR81RAea\nAm0n5Unaa5L0ju0zg5aKOrl79Ky0kjEYf0i+Bxwtu3Xo7Wr9uzC+EbBNI6cYmqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXMnL6k/y3rxZyTcpapJupCnPpfUwHQYD\nVR0OBBYEFPiIwEw6bwrEO2MBwThl3hGy/eLDMAoGCCqGSM49BAMCA0gAMEUCIQC6\nZGoeA9d1+ERTJozTQU16AGqBKwpGrHaJ9xUmzS6J0QIgD6TP9Q/XKYcUWZcicSgS\nWkUbhAzCj7+2ADXb5IFQfMw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUfOB8Ssygzh836H3u58FOOqziUHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80NjIyNDgxNzU5NjU4ODkyNTEwMzI5\nMzc4MDI2NjgxMTg1MjU3OTMxMTA0NTkyOTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nXYC1qvHHAYdCSX+My+J/7qWkFXgEfM4Hj9EhWMX5SCglmd6pk9O6CpHxC63toO6a\nKjr3pO0wn863sAWV04xxHaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUb9knBBoc\nZB7fGu9qy8qugeiKEmQwHQYDVR0OBBYEFAp9z0vwUxeerxjtwBTtSxoKmboMMAoG\nCCqGSM49BAMCA0gAMEUCIFD+66QaNuhQ1DLTcIIO52YECBeIM6YG7cuv55NozPnQ\nAiEArTH6aDojEd2ckX2958BCFZ9+c5FCzcxQFZeApDujarc=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUaPmW4Q9tcXfy7l3m5O3htVNn0h0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDYyMjQ4MTc1OTY1ODg5MjUxMDMyOTM3ODAyNjY4MTE4NTI1\nNzkzMTEwNDU5MjkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4NzcxNzI4\nODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpusCOWd9KnwWahutw7wyF5Sn1\n9A+5JRihW1OECYuMjmDLOTIZhdtMS4+CjOktdzsH+X+cz8PAsH9h70AMDumXo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQKfc9L8FMXnq8Y7cAU7UsaCpm6DDAdBgNV\nHQ4EFgQUZ2uWOdmcjFBTpxPdXpYDtMadPm4wCgYIKoZIzj0EAwIDSQAwRgIhAIRO\nFAZk1bilGhjKSRtelVt09tSDs+Swo23XWvUBj5rmAiEA+rB05EakmtU0mjDT1FhM\npzBOuV2Gncs0bNo5/HAlcEU=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUey3dLn9+amxnkbHvxUrp4Jj6b6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4\nNzcxNzI4ODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU5OTMwMTA2OTE0NzA0MjQzODY0MDYxNDc1NjI4NzUzNjQwMTg1Njgw\nNjI0NDg5MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0OU557b+Z4lXHqHtKlGikElQ\nMzeJra0ZCQOXVeoJ8VfvlQDu/WFN0XX/Rl/z6Zysn21e8O9U8pHTSuzPSpdpU6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUZ2uWOdmcjFBTpxPdXpYDtMadPm4wHQYD\nVR0OBBYEFCyCoceOvRxS2+gnELJYbIjQHBrVMAoGCCqGSM49BAMCA0gAMEUCIH+t\ntHe1iCg8wAXwyoUVCefpqDwA1UgonGC5LMHHFkj5AiEAl0/BEdI/xogQl0X27av9\nodlRXK956RphkNj4j1apIUo=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULBgkZSbVikGW8IAIW+pw9bIiaaowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc3MDEzMzQ4NjUxODExNDU1MTU2MjAwMjQ2MDc4ODY0MTY2\nNjQ2MDUzMzcyMTQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATj\n82mKcbzkgXMjfyydz+9VqNNY8rT29N99pI4pvDrFTrSTgtC4h9rdZssC3StF1qA8\nD77KhqwYdiMkn384n/wIo3IwcDAdBgNVHQ4EFgQU2QznaJouicgWKTJ+EElsnCGN\nHfIwHwYDVR0jBBgwFoAU+IjATDpvCsQ7YwHBOGXeEbL94sMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgMSfFZsfHFREZKxYESZ1cWWTF67JE16eF0xp3skX5uQ0CIQDhdjtRl8g2\nGO9dBWv/tQJO/SXeJc+d63/Bs++3ACmYNg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdFhlIvu8yYJhueesmPhiu+qmdbgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTk5MzAxMDY5MTQ3MDQyNDM4NjQwNjE0NzU2Mjg3NTM2NDAx\nODU2ODA2MjQ0ODkzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATG\n1VWfEuIPyiJMGieW4Kgv0N//fUemt5Q4wBoFEy2edU+JnfvWxrQeBkId4L8phRKF\nbk8Sw3x8KmUfp9U/67mIo3IwcDAdBgNVHQ4EFgQUGjKOOF/gWnETIKxLiBhB4m/k\nepIwHwYDVR0jBBgwFoAULIKhx469HFLb6CcQslhsiNAcGtUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAKpuuN7+pfwZ2CmTVgL8wHL09AlDxkCBS4sOsw3PLrD6AiBAfh0yzIX4\nRxeEYhkHylOiN/6xriFFWx+qPkBChYIASQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUd2NN3yEK3YVMxIq4GUqmZqgygWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShmxMb9GglTrGPZLMD1PISRia4vTKM/VmkP2o/\n9XnfoYlogdryNMt6G3YlKvHRYuPET0riPWmJ5CwWgPWZphmjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6/JA47FtpwCrIrqwmERpYmmoIxQwCgYIKoZIzj0EAwIDSQAwRgIh\nAOpaXqFjaIrke20WZ3ae6dgZf5NwuBwu56ryCP7Wjxn0AiEA97WPiVDMSDC3XbCB\nhE/g+KoP8rc8r6gn35adVThoEAA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGxCUX0Kgg80o5UhihVX+I6NKx0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6qVL1UN7Zf6n8Oh033viPI427VJOE68G+5Kdo\nSH5Nk+FqvJv8ikV9OKBwhydP2jBJOqB7rbkjfe5ccE6Z65IVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOnuul4z8icAwQb/gJ0Cz4bkjI9AwCgYIKoZIzj0EAwIDSQAwRgIh\nAJxvWF4CivKlcZ+B4YBK4aOhRF9AmMLxT5MTTpf0P82CAiEA4Hsv0UKuEvSfYkQ6\nmHfrY/kPHR3Q7vrjix25AgdP6pQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUEZmpR/Xls/0Hgswm0hkWrBXr73EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODE1ODQ0NTkwNzU1OTY5NDM3ODYx\nMzkzNTg3Mjc4NDcyNDUzMTY5ODQzMDgwNjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAaxxNsMTnj/QTiwUrGGakss4SNTTo0RLjDbg4bkNtoy+fWQt50SXMGBR26yHKFL\niMNDD1CJKX4Z4LeLcHP1osOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOvyQOOx\nbacAqyK6sJhEaWJpqCMUMB0GA1UdDgQWBBSeHdcMMAbluZdCJ5co/B3ckjHnUzAK\nBggqhkjOPQQDAgNHADBEAiA+1snyMwGWSa2tS3DC4A0cO9acg788FHp5hoLcnb0h\nrAIgJOr24zXG0oFwqy2fzNrmHAzNVluYa2yz9nuOSjm0rJE=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUO2pSuUHJ+4Mq0V9Xchk6Akuf0hswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDY4MTU4NDQ1OTA3NTU5Njk0Mzc4NjEzOTM1ODcyNzg0NzI0NTMxNjk4\nNDMwODA2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJrM6DaEU8SYr1pFVNmEysGh\n1G0/1ZkLmLOk0+r6LNyrb7k/2Bq+tdtxlGwC2BPW17/BNAkQobNMwoRIrsASkKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnh3XDDAG5bmXQieXKPwd3JIx51MwHQYD\nVR0OBBYEFM//N35XbLiNFJserFbmEqzv8KUAMAoGCCqGSM49BAMCA0cAMEQCIALE\nV8hssIdzYnL0ifwDUV5GLA+jpHR9an1dxIpsB27ZAiAj8pugHJgBz6QMnS9wA+Bi\necCIDrb7JjsenJdMB6yhIw==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUHIxyU7Oa6E89bXeM3zXERbTVGp8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTIwMTU0MDcxNjc4MzYzNTM2ODEzNTM2Mjk4NzczMDEwOTA0NTM1\nNzQwMDYwMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE40UVWrpBcfESHMVhgM1Rydaz\n5bxD5QLrG9vv+EbZ7dTHAWZEwWoL1bGjOrcWwuT+VywCElq3NvPHVKMjRofpzqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUz/83fldsuI0Umx6sVuYSrO/wpQAwHQYD\nVR0OBBYEFGyDQl9aqz2OChVbvK9+itfi9LNDMAoGCCqGSM49BAMCA0cAMEQCIACc\n3BkEbn1cfSaPGUM70m0jvXxpsJ2LdBZSSmVid8TZAiBdAcbhHQSOV95bXee9igND\nc4rf5iyJ5QdpuIp4sSXQRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFKviETWHZiMkB9/rH5W+Cmk/2TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTQ1MTI0ODc3NjkxMjU0MDM1OTk0\nNzUxODU2MDkxNzM5MjIwMDAwODY0MTkyNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKx0DjrwMSIoA1MV+KI/NjRkSsIeCzhJKXmSYfnjm9vIQNnVhxr+FnHGL32oQuhF\n7NPqD/ydZUj2OAdaGNdiEiqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDp7rpeM\n/InAMEG/4CdAs+G5IyPQMB0GA1UdDgQWBBSft/+GpdzI4X2eB6WG73M1f8PUETAK\nBggqhkjOPQQDAgNJADBGAiEA77CtYDOnp8yWGHcD/ebi1+c0cwcy6rBaKHqJeQ3q\nLHUCIQCyLqwTkQeA0ipA7BfWEN2JLpXjM+4ay9Qz7MAg6IcZPw==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIURNCDi9snbNvflWLBGmwy9ziBUZowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE1NDUxMjQ4Nzc2OTEyNTQwMzU5OTQ3NTE4NTYwOTE3MzkyMjAwMDA4\nNjQxOTI2NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWE7DgOr0N0fR8AcO7fLbYbwn\nRCre1VzQ3naOGMZKeHQg2JTzTeLkqwHCbmTw7k+tjva7Vx73B9YwJvaTX326RqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUn7f/hqXcyOF9ngelhu9zNX/D1BEwHQYD\nVR0OBBYEFP/DiZqNQjh5pXXydqF5rdBjA3xuMAoGCCqGSM49BAMCA0kAMEYCIQD7\nwJoNaGb59DyRwOwD4S4DCRwAphaK62DS8l59xY0bAgIhAOzrD000WTngfLkV4INs\n8jg4ho+Z5dJ4XyjWpfQCDWbP\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUd08HRMWrrdIaslsidGzBuCyGBsIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM5Mjg2MTM4NjcxNzMyNzE1ODQzODgzMDMxNTE2OTk0NDM2NjIzNTA1\nOTgzNTI5MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ZXab3JX/Odrq63GcAXxPnro\n6EnJy0pxm67TiEYBwo2RTyJotmXgpB0kAAU+VFS0ip/Wu/C2+Sd3V4JuqcwQFqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/8OJmo1COHmldfJ2oXmt0GMDfG4wHQYD\nVR0OBBYEFA4UwjHxCpAznWEQG7ousgIOwTE5MAoGCCqGSM49BAMCA0kAMEYCIQCG\n/eQUldkgplGhnYKR0oGn9MLQXHrqrC3d2e55HDY6kQIhAKjoBhTDF1DUrTgTIMQd\n9GCdtU8ykOysBlSqD0H+RFxA\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUQh8ePtHdIDmymt9iAseRpBxHpJQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzM5MjAxNTQwNzE2NzgzNjM1MzY4MTM1MzYyOTg3NzMwMTA5\nMDQ1MzU3NDAwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATC\nLURT9L9LbR94Wf/ZtVEjpg9Xn1nA4vfn+/P4ukSaYdqD9bllI8rAd+O0kki38jVT\n979q3n46ymPamd2MvzLfo3IwcDAdBgNVHQ4EFgQU2JPlj1m0904051JOR6y3wBpS\nK70wHwYDVR0jBBgwFoAUbINCX1qrPY4KFVu8r36K1+L0s0MwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgZn4eP5KRSFR6rmSyMRnLqx2xPkmagvlyolnaX1z4v0oCIGmV1kOCpqsq\nJX/aZvtN7C7npN0zP14fR0XXAh9wTTD+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUKQy3aYO38dm5obV4Rnc4Hrg+G3EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyODYxMzg2NzE3MzI3MTU4NDM4ODMwMzE1MTY5OTQ0MzY2\nMjM1MDU5ODM1MjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQs\n5je9ywlWVtPOvUTLP/G4DANwsZ3mmvmrOspOGDXhrVtYf8Xjvc46xob/OR2LtYNF\nGMivzlWcBtOg41Mw8yGzo3IwcDAdBgNVHQ4EFgQUHHQX3Q5Y15UKuJnCxTjrp+JZ\nNDIwHwYDVR0jBBgwFoAUDhTCMfEKkDOdYRAbui6yAg7BMTkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgf82rJL4rJMBSEk4rGykWquZhwq/SvLMPWN6EUJYmoM0CIETnvKVjBE/2\nSWAiQ3XBffUsGT7rMo/G6OI1R1A2paRc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARigAwIBAgIUVXkwDwGXFktIvZ5IpK/7AppX7BYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsJlJKF8ZfhHe\ndhd0yn1EU2xHS01TzZTYOqnRw/iLr9HnqivMg/+ahrHvPMoIMW51UHngDDFQWfMp\n37iOmQNnS6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLvoEP+Ad7tw2B6ZtS/K9GWFkj5X\nMAoGCCqGSM49BAMCA0YAMEMCHyEMNqRaAFvpJY3GAqUlJGgSkQoRfDkCrwej8Yz8\nTFUCICQDJN/i+sgZzvCsHlQ4rfF7oDo4BVf5or7QcO3gq1Q/\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIURupFSypEutLP/4Fey25UuSoZhOYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECWGTw34b8GG6\no03HCarTFrxkRoMOjdsfcFfDWecaxRzoGqtwoH5wFku7mTNcnVq7P9Zc1ugrMxdC\nt25eLK0pA6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCkoMeLcfoIt1jTuyZdcsRRUmisk\nMAoGCCqGSM49BAMCA0cAMEQCICQUq6iLH12vMX1S7/b+RK1KjCFi+DnmyhGbG3+k\nYyAEAiBiUAqTIRfK37TzeeaXFLiDbkpcZUIhcd4eebx9Y8fwZg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUL61FLsmDUUqZymQT0G/4fXNCfxswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAExKk0ZOCPTEySe2OXQa2TEhQDWkEW2ghNOIm9coR1CCkc\np2EyrrhzaxRxkNOoFJqIHf/lUBJVJRTJyhha6FeBpaNyMHAwHQYDVR0OBBYEFJMF\nGfPjgk32fWoWBUpt9wBvzlPeMB8GA1UdIwQYMBaAFLvoEP+Ad7tw2B6ZtS/K9GWF\nkj5XMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIQDWQxKXPhYbAYNE1oU6xjCEnvY3tYdajLim\n8iLTUvXFEQIgVga8ctCVXu0osKRFH619CIaYiv6X8fzAa/qJXnU1IU0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUamTDLkkn0cPJZCLbl/niJre6Jg0wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEzSd+IWdSN8/YFxaAnKtQQRRIQnB0sPxp3+cbp0C9BwNO\nST3gPoUbrmmZyBuhlvWisM0ZWetODF+k3RQQFi/3aaNyMHAwHQYDVR0OBBYEFEoF\nrUVgteYQBWMKe/TOAsDz2Yc3MB8GA1UdIwQYMBaAFCkoMeLcfoIt1jTuyZdcsRRU\nmiskMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIFA59IJflAbWgdhWY9+GbWf8CEquAABA1Ua2\nOiQNRmZZAiEAvfu0/uXy3EEzQmfeqBN18cGaqLrqES4XqMuVQeZA7Oc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUH8a41o1e1PL9ucHGNjAnWfPdVcEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1BlmRL1B\n8mFhnWv+gdSJkKvywojnGkoFcuydKmJY9vLBrPL9neG7BF6ul/NLtBvTSOTjxEO3\nXre7mwJejXjdOqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLtfol4cwaPiMbH13zGG9xrz\nT7IhMAoGCCqGSM49BAMCA0gAMEUCIGozEUbWOUFN43iqoM7u1Zkbz4nANbH77lmx\nBmpflGsmAiEAqHecav7adokKRNXLxumKzGiGFD7AFrrdPmmEFPbjREU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUFNwpYyA+pv3cVb5ByzGJcGGDz0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIiC5oXmu\nTvuIudJyAnK2rdGDVClfPmxvdAUIR9iLtL4UAXbHWRMCdDpL98ftQ/GDVCzmVPvX\nF497usxCUmeU9KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFFwR2TkA+nvWmx4/s8NsWAa1\nIJCeMAoGCCqGSM49BAMCA0gAMEUCIQCnOukxe6FzEGziyV89gyhH/9SvqDTtUsSG\n7iEVFyUGpQIgMW6f78TuFbv2cP33FZi7EryjlcVbUopuZCoCqD9LKXY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUQSY6ID9yBYRBZuPk5PFo50SOwVEwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEpdaDdKcYgg\njhnOvyNXdwtJHicJN5tE98zyZxwGITETD2Vdi29KWwItkTDk6BHFp9w3hOGIyMhi\nKnlQsPyOonKjcjBwMB0GA1UdDgQWBBT+hvPB1S+vvf1me5L3MBdM+LqxvzAfBgNV\nHSMEGDAWgBS7X6JeHMGj4jGx9d8xhvca80+yITAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n+I9FTIpqgmNr8O7jAEu8LKJxbedIOql97uEl9cIFZNQCIQCf+FJiWW+bTZW86Upm\nNOIEmMTKODUTRSR1ExUGnQb8EA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUUW+N8TznPhGpFaWQ3BBTiTmokY8wCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI9huiINvUUB\nZntni5W56fJs/ajw9+D4jQ5/YxaNmRiTccsuk/+VPGS85W8RcHP7UdH+yf4lrxxn\na1tSo5E5AJqjcjBwMB0GA1UdDgQWBBR8MyC8YbVIytvlT79c4ZUKdk0y9jAfBgNV\nHSMEGDAWgBRcEdk5APp71pseP7PDbFgGtSCQnjAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n3PwiOVbKWfEhihTvyy09JUO9fn/YdqGylKz/W/rNAFECIQDr1K+RlLupUCy/FARv\nDYwRIB6WMpbO7l0PbiLCJR8Akw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVTnIR9f1BG7gD//7SjItGKIKk1gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwOAQ/mf/ncMPfGtNVrppLsCP1/OrSLoFjpmsf\nG1FDCP1HagYQg9zEbU83BWNSWROzdHvzgL+sF8CaWLsXZUx7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXvxoSKqjE4crPnYzTRPxSRVwj2cwCgYIKoZIzj0EAwIDSAAwRQIg\nWzGYPeT1Ro3Bp4iifLBzuNUQ2lV3zkr1kGUVbK7hcFgCIQDgLnomPk1Oy3Rr4lqH\n/0J3dZUrWi9eK/NVGziZS4sMwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT2zYJ00Cm3JOnSYpVybz2u0JrG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWKnGG+sgoA6PyyhT90Uibq3FcHnHhbzMAKEgm\n6jxQSmyKmrJI1iX2Vkd2UNCId/B2Y007shDTLS7Pe22XPQAQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUuCbYL5aCM1/FgeE7dTWOZUgEGowCgYIKoZIzj0EAwIDSAAwRQIh\nAKZBAa7pOw93mb9YPXmA1OaDR4RnfZ955d1avVEo2cAoAiBfBWJTu8WmCysYWEjT\nu5FduXLRKk2lIBNUgl1V/2bXrg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUUV+aI6B7qV5mqgiuL6Wp8ILa5WcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEg2+Kxl8ak5/NZqk0k+bGB613mHqUXVI1hU6nd+3n\nhCVWUihP/WLGsWh76GLVGZQmYiY8Hw9wrR5yXJE+mgUlB6OBhzCBhDAdBgNVHQ4E\nFgQU6L4hFOiIdzNWfg1sdj6I89Hr8DQwHwYDVR0jBBgwFoAUXvxoSKqjE4crPnYz\nTRPxSRVwj2cwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNJADBGAiEA\nkFvk9psvsr4zHviUlS80/Af5ciKE1cXa1xE8KtwwMXYCIQCyeqqgg0xYlBlts2WR\n8QPL1n1WhH3i05nwUW6Tu0wu3g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUcOCa7aX68Bj73/+7obB3n9MQzQMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPnb3AqK3kml/1U1Z/8wQvQlgMqFk6Gf1xiGEkc72\nIgU3TtJW0XyDZPqE6pFNxX1L9567R1KwzRy26awLRFZs/KOBhzCBhDAdBgNVHQ4E\nFgQU8bO8Kwdf8IyYNO2Ir9c0JtdacRAwHwYDVR0jBBgwFoAUUuCbYL5aCM1/FgeE\n7dTWOZUgEGowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBn\nGNjXRc/P5d8YjQTuFTxZwPDXp7fvebBbNO0V4uLzOwIgbGfV3J/rxAMZJdxcySvY\nsFGOG3RzejWk7KFFdWWc8NI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUCHmtFiqs/hmRoiX9nYhxhCNAh2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQM/xxRuI4wWnEdNc48U53PZ+adTwowzb3Mw88g\nyFWoBNzcqriEuKTU8S06eLzHNUgGFesmCAYyA8CR/ngbeuY8o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVxoX4SU/ZlY4zPBBLvGNopq3jOowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA2ec2AgJnCF8Iq4cDYyEUMOlVD9eP6Sbxefdu\nOaTMaVkCIA8j5YsWbram2fnwBqCsAD542DMX0sw0ZUDYVTUX4msP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIURx6+zlfX4qS3ivYdPkvAxB8gGvEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ08QYMaTe777Oi8MM5EBkhFC2eLKo8JbSx2SfC\nQSan8n9/1jERWlntBfv1peO9r5RfTejicV83kr9/2CixTBrwo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+i3HgZbPITucjUNiHl4yT2JU4/8wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiA8rKpxxtEjMRM5Yvd2V9QxrFbMK07VU6YMyt/L\nMqY9KwIgU09PqU0ScVwhNgqrPDBIct9Ep86YbM76Hml9jQl4SJg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFiKeDERNgzwyYI+fqpeSzh7tMe0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEiBtNGt58P1D15RncOlNIRifoZSvdhVQCvOf49hp+\n9jOMlr2uqD0q7nnlaGXoeSqUdS87Mx1KdR/c71jSW619ZaNyMHAwHQYDVR0OBBYE\nFKrvZgOiGZciDjzdBVA7TGX0TrzqMB8GA1UdIwQYMBaAFFcaF+ElP2ZWOMzwQS7x\njaKat4zqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqkgnu4mCeft+3U5mNv5IUYSTb6cyD\nh0gUtGn58vyIQQIhAKYv++qynsE6zOB4lQv9msQc6uMXxUpgdyM34/iG5FuJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCfG/EypnYzY24sJDzLW4ahyVsUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs20YznzEWieWw1j74EPKWNM5B/M8l4nralauyOx8\n4XZ2/L3aUQla3GeRwqX2tgQYd37vcVE1Q4ivsCooU1EhO6NyMHAwHQYDVR0OBBYE\nFPSBK68aKjLeAEARzdmsDCVni+hOMB8GA1UdIwQYMBaAFPotx4GWzyE7nI1DYh5e\nMk9iVOP/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQD6gcyx8f+DqFQNimGIGkz9LgpaC5Tm\nDnWrL99H41DewgIgXf06HTR+WZg4fqAMxnE+dzKMTMUajzF7z7LsqDXZF2A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF+a3v9nco49ZU/R2mjKg2PPV2dowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOHIJZ8So6fZZ8P9hNnDZR9YvOl0hxfi8D+cws\n1imhRTyI+DPptcC21oUih6keeBccleMrWKZeo28X17Eb9uHPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtXcUhQam2iO9K9n/bD72XFHIf98wCgYIKoZIzj0EAwIDRwAwRAIg\nQ/OL3K7EJuT+Hvl59wv2H2o59TlocuDQfKmbwNtE8lYCIFlUf7PhUnRMPoppLVkg\niNKjX5J6WhznvGow9vapkSSv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUU6g/plnim2o39xHc4dyfFwVA2qkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASndtTAYmFVRvtoUAGVJNR2m5+yovGxBszqFTxN\nqoVsO6PcHw6uxbWsvzlt6Em+MrMtU7Y3bTgLraV3DzoaT5BAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs0+tMChlhAmulBGIvC8lpJvSdNcwCgYIKoZIzj0EAwIDRwAwRAIg\ndag169ToehIImGW0GZlPc+LHsaVv+Np5VKQg83LHPpkCIDNCFx/v4KqRuTYVu3HY\nIe3q4/DHHO3Jb0mmCz9z3J9I\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUbnBgja8OT6VvJ0chUWRd9qNAiyYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxMzY0NTE5NjU5NTY0NTYwNDQxODg1\nNDEwODA0OTMwODAzNDU1MDQwMDA2MjkyMTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCAXFZmQmClAwdm3fNs/I5Yl9YNqRESGI3xiuSWM/0WZs5PA0Vt+nsoIXWXE0zCZ\nZSOgb4oLQ6IH6QGR8U+qvjqjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtXcU\nhQam2iO9K9n/bD72XFHIf98wHQYDVR0OBBYEFMow73vHCv6RlU87NF6VLtRPLLpX\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgbP4n36cHSvae\nLCWU6xTkmyom1P/z/4CSztRQPiE79YwCIGKhU9rr4QcCQk6Pa5QMmTL7FzD6Pi8n\nPnHK4Tb0EAeV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUNzxsbv/lF+9v7lG3wGXzgBdJaUAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0Nzc1OTgzMDM4NTIwOTYzMzc4NzQz\nMzMxNTU1Nzg3MjA3NzU3Nzg5OTMyMzI1NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHhZJ5uCteEkat6mDNYI3FWSn6LW/MhZMToPEOHogGb4CyC+edw2sbyLmipBQd+h\nUV8sa4T9TKn3GXgOhHi3iZmjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUs0+t\nMChlhAmulBGIvC8lpJvSdNcwHQYDVR0OBBYEFGTHmf00c5odjzKtmlm3EikkQ+C+\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAM697vGb7LLo\nL7wXW+OW0MvbpkwSL9eNDIz/knatt9QMAiEAhdsZDjjJLS9ZjkQlHAI//+jWXWuJ\nmsl+7/CQ33CNvtQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUBBkEaTUzU/pcy6LWjDUBEjaCxpQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM2NDUxOTY1OTU2NDU2MDQ0MTg4NTQxMDgwNDkzMDgwMzQ1\nNTA0MDAwNjI5MjEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARF\nkRhk2uoMfh41mVRxmQggVen0FEhxDW6pNNx6Ej1SnVw+WjYMO1pIWI13odzDwZ2N\n4Jm5+alaPy/txsXISnUAo3IwcDAdBgNVHQ4EFgQUBBmDRqQ+gakcxfc9XFvD+aeW\n7G8wHwYDVR0jBBgwFoAUyjDve8cK/pGVTzs0XpUu1E8sulcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIxcDYaswBelyIr71Y+u94nVI1g+teMin0JXi9LlQxedAiByVx6qJDt5\n3wb7gb7xCf//zu+CbcHTylOdFUuMAwN6+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUNMMTPLzhXksY2eTG6ZzIv6NwVuUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc3NTk4MzAzODUyMDk2MzM3ODc0MzMzMTU1NTc4NzIwNzc1\nNzc4OTkzMjMyNTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASN\n7HqyETNFOE8/hkOSq0RFOdQcnyISCAc0B2qBKaYbiRQkJ624069XJCcFGKOjVZhg\n2XLefaNWSOVqxqvOCOr+o3IwcDAdBgNVHQ4EFgQUAliZGMBsSpSwn0GSx/YUZePU\nsfMwHwYDVR0jBBgwFoAUZMeZ/TRzmh2PMq2aWbcSKSRD4L4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgECQ0CGZq1wXAW1OS0UtIusBSj3+sP4LD2gE9qfI7vPICIDdOeTwrJpCE\nq+QlQHCXC/6D8ngxHOrWdHXpxwh/F9VS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVMDwvgh0/rKbgLAvUQAXu5HLE60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNJDcmLWzOLZMgAl4aIl97a1bmu3UbIqg+rABb\nDCmV3J28FYfjBZFxDllAGkCyvWYEbELY2Yftb3gTTX712p7co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ7CHEIWDyj3Zh59gHyc7au68+ipzAdBgNVHQ4EFgQUOwhx\nCFg8o92YefYB8nO2ruvPoqcwCgYIKoZIzj0EAwIDSAAwRQIgOotsuMNabpjn8va5\neY1kmEol/Jw9nfsiMHmnDPBHLhwCIQCeBww0do8oSJELOQWUtMn7YcAbi6W9CTHL\nGhc8m6M9ng==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJRw2rehFeK6ivJ3ApFTwOQ7ysjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQa0VYF2PcBy8wo0Fi8Rwnl9R6eKMVPNNcQcqC/\n2I/OKt+ziozSDby85DQXXNUygT074PwdvQL0p/KVvgOFsnt5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRyaLINtaQnckDTcLsTfOy/NeaW3DAdBgNVHQ4EFgQUcmiy\nDbWkJ3JA03C7E3zsvzXmltwwCgYIKoZIzj0EAwIDSAAwRQIgQ4suVbVZuefAHD71\n7dLFp6PupDGGiiLfhsfezw9wfpMCIQCXTlqUhABVZsXdsvvniubnuuoUFFix2kgd\n1dg+rhlCHA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ2iUgbQbPnHV9S32ffb/UFacqlcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEq2hap23RAbjOpJ0XhVRCaT5bbSW9rpbhqO93OgvX\nn8+vQadtBmVg9LhmrT0UfArn9+IT0bUK3uns2NJhmisJUaNyMHAwHQYDVR0OBBYE\nFJ5p82rfkqnAobc2KgMV5rzD+1jSMB8GA1UdIwQYMBaAFDsIcQhYPKPdmHn2AfJz\ntq7rz6KnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEPuhDLFuAYfjGE6w0zGJkJYy/sDDBAv\n94t+UOoF/BKIAiEAo1EXh//sRHXU90TsoYP/kXVAplivFu198z54QhVrREo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPEcwisCYs1iq5YkGthNydtqlNk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAED271lBacsAv4WCy1CZuxHx6XSkR+yzL3xh2AzZxk\nUkZhl7cxAzz+XeExJw8vC3rXiOSi7e7vMo5au0tKJK5YR6NyMHAwHQYDVR0OBBYE\nFH5Ct0Zb43mu1jpFjbdMc04nan4nMB8GA1UdIwQYMBaAFHJosg21pCdyQNNwuxN8\n7L815pbcMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5w/aYAfXM4NQe5gZlgjUSzjqQFkX2\nl9MHBNah3etKKQIhANXyJZsu+cF1LCyOtGQ7XeI0qZnO3YsLOCyISdQLdFAW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfv4u8UPFM1OQXfhdZcsgyuylo7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASz/+/ZmOQwjT9WIC6sXdOM2Wr/TwD5mUjjJ7EM\nDqcBt79r3qoN8nizPQgYkoykT9woHygoCPPsPpSWirOSelGxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXTfqQVZmy9QgEf++jJGyLunclAowCgYIKoZIzj0EAwIDSAAwRQIg\nMPM/mkyZY6KLRMVrobavgX+hOLnf6R0HzbOQKEyktLYCIQDFnySjlW7VSyQSesAW\nRDu1FvYEmJ83ImsgVyQhyFSD7g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBqtdUtR17g2rDtTKr8CXlno7++kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQE6oo1qQjtjXYcW5uz9mfYZyFlcP4Q5xLk2osd\nFKmT1YSXaz7MCf/DG9t3b4ZV1BhOr/ez+2ip9JbihnoRMWWio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhbcztLzDsqoXNRBwjiq/CkTr+/QwCgYIKoZIzj0EAwIDRwAwRAIg\nXTDG96pjTlDuAoC6Z87TNzXD2rmTjChKWB1NaZVENF8CIChdOE2CIaLy2LPfTyic\nypApM6WkmrFzUq54GlxYoGFJ\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCtf6+UZdMljw491JGxpB0Lhwht0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGtAXrMdh7Cq3VACnRzZjZwvS7kkZMFExl1/9/Rpe\nECeEd5WkChWTOYGKglLN5eU06BpG2u1v+ZWA/dbhB8uIlKNyMHAwHQYDVR0OBBYE\nFBZWDJ8Xi9Pwt9j2/EMwsqXgEfoZMB8GA1UdIwQYMBaAFF036kFWZsvUIBH/voyR\nsi7p3JQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCdxI4B/hmwYF5dgMhmA+xcWb4v2xoX\nm8uiCc8ItTHkxwIhAOoFWdlAO+DnQzjPfdlkm3MHSSi5EWZ0GpHszbOkoqRX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfuI5uF0ZHcjeP4yDYvp9KPkHT/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3ctcxDb7RxO1rXumNfOohjvd+BHqjo4fDAXlGSon\njwe7yl7kI7kW6Yuh0WAMQP+wrmXbL0nkA1eKKn7ZZfNu8aNyMHAwHQYDVR0OBBYE\nFMDxQjLxxoITgPYDK582mPKxDBU3MB8GA1UdIwQYMBaAFIW3M7S8w7KqFzUQcI4q\nvwpE6/v0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDK8vyQGNCPbmrmkaspa67Euo2JtL/P\nzgLX5gXM7sVLOQIhAIgKhI5xkWjVoe8nroxZjL+9uAa4MuASNcgVnErLmunS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUedMDqoabQ9/iPt+23R31wceHw5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTU2OTE1OTE0Mzc0MTI3MDMyMjUy\nMDUzMjU4NzU3MzQwMDcyODIwMDY3OTYzNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHIKemQ681HQg0UNyrQoI3EetnoEOAGVV8/QjE+DcP+YI56xiNxSg8x0Tm27ciVN\nvZPRXADzw6nYW8VA/xCvohejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSiKYWZsMJa\nG+wMlmYU2kJtA6XpFDAKBggqhkjOPQQDAgNJADBGAiEAkVz12Ize5yLqX2bDOIc8\n/ClaSS5hmlHvurzpqJukPywCIQD3m9sfHcz4TtkQRW//B+dThMbgj+81Fbj6CEu0\nCUUGwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUJ6mtSWU/Xmpc415UBpj0PzQUBugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTM0NzM4NDg2NzMyMjg4MTUzMTgz\nOTg3OTUwMDcxMjg2MTQ4OTQ1MzYzNTA2NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPHJrttZx8tZv9NVNeyWwYaCJ3/kqCuTlNFWlYANGGPoRAhTz09/VrJeQ5J4T8vh\nCZ5C5weaBvkdXgz/b99uI2qjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRQo9aN7eX9\nrBjfarvboqqr+jfSWTAKBggqhkjOPQQDAgNIADBFAiBh1ubBj5uWn85XpyvsTEJj\n2BrMU8xFDGcpqmLHUIe9IAIhAMkU0FTrDLHHq6Nb9dIF9w/xq87qyWhWteujxFJF\n3uKm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUZ324pVePpxsSZuYIxRX5bpqUDDEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk1NjkxNTkxNDM3NDEyNzAzMjI1MjA1MzI1ODc1NzM0MDA3\nMjgyMDA2Nzk2MzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASl\nd7sAoo+kyzbXp75FX5qrUF4Zi7SBMHhksj8GQqLplC9GSIQFMf7slsS/30x/do7r\n/ZgeJcX9YUbeSmYIpg5/o3IwcDAdBgNVHQ4EFgQUI6y3kAj4glfho9LnIkouE2cH\nq4IwHwYDVR0jBBgwFoAUoimFmbDCWhvsDJZmFNpCbQOl6RQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgJjnlKdpCjMtyZytblBsjksxcJ3raQpRm1+mtw8ou/soCIQCMQvPxt6E+\nfHf0ZhgCyZWkez20foBkSTk8oV8sP0DnbA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUQ2D/UYEOPa3f4PVkUzBOt2UdcSMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzNDczODQ4NjczMjI4ODE1MzE4Mzk4Nzk1MDA3MTI4NjE0\nODk0NTM2MzUwNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa\npyzQI5HqCZFzJ7n4ErQpTHMPV+qKLevxIUpHZfG8G65EAVoCHdQi1aMMuuoWl61B\n1Ptj91CoManReQJu7V8Qo3IwcDAdBgNVHQ4EFgQU0fTBDbDliOFmVkoNZicX24Ao\nxFowHwYDVR0jBBgwFoAUUKPWje3l/awY32q726Kqq/o30lkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKziplKyByPJbza3bvwpW4PYSb8L0+/PGaBxCFVUayfJAiEAteoFdHWX\nf6NHWcX4K5pl6Hgwmzo2KBFwdYufuBccMA4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPqUTIHZVZTUf+3P3IWYVMqEgnXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFRAf+jwPrVlAM1+cYR/3WIIIrSVshNT449tYd\nJJR8aftl/FWbpUfzNbqW71dPlC0oxgO1JCTlCVsIGeclDHmio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW7MweaJTzBOsoPaDfv8WkL/Kw5QwCgYIKoZIzj0EAwIDSAAwRQIg\nHFLMF89PA6JIvu+z6RUQaAzx7QHgag33UCkh7p0vmFcCIQCMQHGatcVB6lr86rjx\nxr90D1UtDMXDKI5wkSJvT+1PqQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWcbeAruAMvPWQXILEnpT8EUPphswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2bpcFOWQ4858ytfN4lsVh547yAhEOC34o5se1\nIYpK/WP0hsaPLiGAmSCkiBUTs2AqmzS9g/TkYj6kxJ/uryvAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkQmvOezF4W72rt+eEhjWRiv9M64wCgYIKoZIzj0EAwIDSAAwRQIg\nPKk1cDdLFhoftR8hOB8eJ+o80cvpZT/ACppU7vuTVGUCIQC7xFoozoRMeZrqa3HW\nngH7oqsECQrkDGfOAjt5HJqD5w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUN7UrbAufoojA0XpjA9Sh9D0g7TIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNTc2Mzg3MTY5Mjg1OTYzNDk3MDM0\nODE1NjkzNjI0MTk3MTU0NjY2OTUwNTY3NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCJmzRcHeD4GpQ7qRMVTfpomLrj6rrwVN5Y+ng7IvXvt9VijdF98Ei9ebhovZbXW\ncZr9WW7uXKvJDKuibenKbTajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRYspp1UF1t\nfANSy9FiN7M9A4/gezAKBggqhkjOPQQDAgNJADBGAiEAnrDtn9v3Z33y0r2oh83H\nfVdojLi15tgUjTjpacXifh0CIQCOTOZziTWottwHUtLeql92lKM/xF+T8k9U6P3E\nJ8JX3A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUUmPnjhpmWb3bXgWE5UePx2gfSd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTI1MzUwNjYwMDk5MDM2NDgzMDQz\nMTA2NjUzMjc3Mjk5NzQxMjYzNTY0NDA2MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKRwKbKCJkc12YP+2gI9PV4oNbGDlh/LHo4YE5/5KZMxTIEDE3yP4ULtEeYS255Q\nso7BDyxDt5P3B4OK1UAtx3WjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQosMvz9EYO\nId9GmpgIdVVQbFYY3zAKBggqhkjOPQQDAgNJADBGAiEAvE8nAp7rRvWkq8X1SZYZ\nYfVOmLnPx0VUbsM8akg/RfMCIQD4EFwjveFilLSqv9+S8c+Z+btap5j40w3V5kXn\nOPXYPg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUCrpMMjo/Ym8U0Ga8vl0PcCo70powCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU3NjM4NzE2OTI4NTk2MzQ5NzAzNDgxNTY5MzYyNDE5NzE1\nNDY2Njk1MDU2NzUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARM\nogD5EH1f6hYshQHGMxqVywBY0LGpeIiRzdgHaohok2b/6zStRXoXyYR5lERmkA6e\nx5AigPFkQzDtsZgQx0nOo3IwcDAdBgNVHQ4EFgQUlr+N1oDq629G8IdpmlNKdQn6\n+cMwHwYDVR0jBBgwFoAUWLKadVBdbXwDUsvRYjezPQOP4HswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAIbut9tPrmraE/9KqGsdn892HA6xVsCFEvfcfx2ybymLAiEAkzHqWrtp\nNfhKHOUTotxmeiZ/rTRi+sD1PStTGvdQdVI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUOrl1pRrDWvkj4+plqYq7/74flZ4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTEyNTM1MDY2MDA5OTAzNjQ4MzA0MzEwNjY1MzI3NzI5OTc0\nMTI2MzU2NDQwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\nLopnaBSjMVgiMH8wPJSbShCin+/CwuA9nAxbJ3tCIpzrb+eHSQFOMKWEloyJsLxQ\n6fsh5Dmm0RhoQFN6UsNCo3IwcDAdBgNVHQ4EFgQUqXVE+MrDXCny4fDjVdYvYzNf\n3WAwHwYDVR0jBBgwFoAUKLDL8/RGDiHfRpqYCHVVUGxWGN8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANDpvERJ9ckmPgz9C8REB/lgrPmp5/psSxvvFlXxi9KwAiEAmSw0f7fq\nnEnDPJbEzYE2tTaDz6Mfo4RodnEYl2aOE7s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGYcqC1A3dW/SqfJ2uOaJKlN5Ra4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMDzXt7hjWrN6JG5xRzEch3tJo8G85ky+qLGxn\n5xVVRZtPc/0aPEsZLVUNu7PNJClzk9p4agaWxyxTHHCH1hbqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz5zuiT8JxUkFhKHd9AJs0HmCBoMwCgYIKoZIzj0EAwIDSAAwRQIh\nALQPOYwwdNxasRacioh2pRdV1zWtC0kh2t1ihm4WZpFPAiBnXYgnBHxV4g468D5X\nxf/foCJmpG5GEBSIUthkaeIr6Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZpL36h+iZZQ192T090tF5nXZHpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASl1xXYfFpg9ZhuIOxlNM33Ek5xDf0J8xOKPXbU\npusdh5apd3fyyl8YN2uwMBm8Q7UyIaNOaWt7ZKOg0FFmGnPXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrAjVoz5TI0w85FWiN62v1H8iJGswCgYIKoZIzj0EAwIDSQAwRgIh\nALTMmzGqWqP/lDG/LSugnXxF+M3YKYJfbTxF6DDSdYgjAiEAs9enU1fZFx3xy/bV\npX2Yb3zgfzfZzh1yXSBZAOaGoGE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUSRjGg6zgfRyGXaZ3oe8D9WrJPP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7fkRDkC1oGr7hIjN73iw9LNRb3Lj6jie4wvo90wp\n/VAwtjRWUImSzY+AofraU2Ks2hV0nNjh8IZtYBnbmupdcqNRME8wHQYDVR0OBBYE\nFDstfE17TpUcYQo4Cytr1TR4e3rnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCVj+u4rbH3\nc8f7V3Vn4KsrOyoe0asJ2ECQSY5B/a0/XgIgbjFnWEriw7fAbYyFO5rYmnYBbiH+\nyMhz9XaGyowTB7Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUazc4Q9kwsvsu9pWiX4kPXTxCjpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErDrfNCsoMCdz1hRoVxcug0cnwPebkAFw6XK3Ydcw\nqjYEmmC4M90HhavUssinqO/qi8JqdOsUtbOpimu3YmDk0aNRME8wHQYDVR0OBBYE\nFLD6NYX++wtGY72mVPW/GhY0CF4wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCwkMhFJKSr\nj3PXIdiIUwqR8TWiTPKAa77clBOK+r9T4gIgDic0P9aOcTlMhp4kA1SvAPImxCHy\nlNuPGCc4WW8Lzo8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUZvFDgi/0P9YtXNUCc9ovLoQ6qnswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVhem8KkkNw3b44MxBjDDVlLQpQugAMUUyaloE\nnr0pdqNQxfsA9ngIgv7EjZ+5a59jtzZtKcYRFctdpPSbAEwvo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUSojPWer5d0w2S1Q0MgaiZSFqcv0wCgYIKoZIzj0EAwIDSAAw\nRQIgSHBVoJkNvBg1gJzbpc0coGjM0YYKvCxOFFtE/wmo7iQCIQC9MbtN4xVzpWF0\nWhjUHpDRvNwydGGNkZhR+XUmWn17lw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATigAwIBAgIUMENidDOgid0ZY1/Oyq3C1Hl6NdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdDJCCzsdQTdT27aG1fJOBZxJlkf1TnjFDTT/Y\nqSbGgamabRTQfp7H4k8K11YvNKhUk9iZky8p1rVFAc/PsjSIo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU8x8zCXRFR+vEFcQBY+AGCMRBAmwwCgYIKoZIzj0EAwIDSQAw\nRgIhANvNFok9H1IStb1wO5OSpryQ0HbaMvJdI+VOLC1fx1+xAiEAo7ZWe+a5RfL+\n2FVswO8bmZfd3eLG64bpPXFbsUn19DQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUB5OpCrSwP58DGbCIK/MXmt0jkskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzzVg8PM0Yw+7nk+liOPEtezI/O4pYThc+bMttcLF\n/ZDqkmN8/EPBt5mUhNxKiQd6yOGgrWB1tEQbQNECqPFqoaNyMHAwHQYDVR0OBBYE\nFKO/ArfEIPqyOWFHWLwireqvOrizMB8GA1UdIwQYMBaAFPmolT8XD+UtcQs+/k99\nvPjrpPG4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDneus7VcK7WeJOeZiI/WmFQH3YYZx8\ndhgSWbjED9QM9AIhAMIUVSKo9gLZxG/twuSExIotN1EbYWASsZLlN57Gdo0m\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUUuPnKSOLakA8J9I0NQTixohEDlMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZgqmIOgMPuCbBnSYNegYOkrQRzfEnQgL5Iz+puiZ\nU+SlmZjiipFxh1bCb/bP8q7AmIXvhCQ5SMJ/0ZZYLYAVWKNyMHAwHQYDVR0OBBYE\nFM2zlGmU+Xoi1nfucdAo2EhwwFgFMB8GA1UdIwQYMBaAFJQY+zqVc7ue3B3JZVGX\nKa70GjE0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFOZYHZoZFOlEjOaHLSK5+G66itLjzaR\nCQACp2SiBvuEAiEAyOsaNVnCV6PxF2e9gwXj2skS/jzSEJdppTaymhGLwWM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUHuhlZaEwQTn05YQTEXo8TGFNy6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhTSrPvCrX2vxMrQw3IFMi8MvWwVMcsTHfdoGH\nng65AOD4OCY31noKJh8CtvvDiQllSnD2dj5dJ9RSfr7w/NTzozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA9cvkKxpU97YiUM2kR31fjsN8K0udev5FEyPtI0C/\niHkCIGjfL1Bt8oBTv4yGdc6Q94vRw9+tlD5CUAoCluB4z7Pj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUDIoyY2z5dsxtFVITgrIvFCBhXd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0mbSOipu8s/c3VTF29YmYaD+KxgI9tCuwUgAa\nXioBlIfzVO9e909m02EF4ldqhY3D+OvQB9ArQaEms5iuKVi5ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiB2Z3bwx2aAE+QdpgsGi5ugdWqFytEKseBIBXu/XYPW\nmQIhAPH9UKMBh6FtdRJp+7KQHvAjXcCxc2DfovaOhCznO5mM\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUKj8uIzvoDzgrWz2Jf01tqpCDSEAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP5Y0jN6/oUY5b1un0zA5CIhqrgsulPECguyk4T6Y\nWB1wWCLyAWOTKPfZ46BrwIY0Vq+mmvjh8Ck7TPssdD8EKKNyMHAwHQYDVR0OBBYE\nFD14DMsF4I0Gdd7WiIEw8E/CqOW8MB8GA1UdIwQYMBaAFBCOyI0943zrJyrm/2Zg\nm5itkPLZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC0QH2k3suXan5AlysnQ2e1TAOjoFAQY\nhxgkW/9PbNZQAiA7MBtgWNO6hFBnFkIimaSBuE6ytbq36BVW0TkblPI+qw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUNNxBftBu2tdBHqB29is+dd+2rS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEn6wH073k3EjqFpA3AJm0D/nb+4V6Mm/q5YI9dSQO\nxMs+zOwilJECjeJwtlh5Q/WQix6heT/l/iXPKcVrByYzBqNyMHAwHQYDVR0OBBYE\nFJr3iMRKpdwu31622wjBi2IlkWrKMB8GA1UdIwQYMBaAFK1FH5j41KrhMAzfWCDQ\nOTGghR9KMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEHY+2yT9LLBnOn7AHDpUD7gsXjMLTlw\nC/5fE3rvpurnAiBH2pbcMgwCm8YbxWVU4kOR+ElzxiNRPgteZzT3aZVMvQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDikRryepoIIUGHwsdTdN60ACWkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA5IV+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIh\nAIhcwlGvDf9wjWnq1aOd66eogYahx0t/gWutefjxmPcbAiAlHfBLYSEChP4wtIqK\nr1j55KMzs+FK2jRHzuk2tHffPw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUCpafwHFy2Evy6eGIxycQXdcIJbwwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTduyp136HeUUlm42Vdkl2LdMd5AbM0j\nkq0usxNIlZrr0X/68qa7DjK1iMR+3r/K8nojJCnyLRCvLbHuMr80o6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFD2hZ21y8NMbE6McezdyjEvNphfqMAoGCCqGSM49BAMCA0gA\nMEUCIFSSlss+PB/xtkVKb+IZJfhKBA+xtGoI/3w1ncxUzuFQAiEAsl8bRXjpu71P\no2QUYNeHiy807Gu6zFN0SRYkTUI4gXw=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAtvrBlUHB2BGZh4KNWjFniBXhzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIkypTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIg\nI+o2FMcMD3ovZf+8tmO32J180p6gGs/oWytcQPQzkHMCIHMKITjNGGABvNxF1v+l\n9GEiC0qFFQoUAa0ZXkjUd+v2\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUOMZOjI/NHk0nVJgtd1INEckM5eMwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvED81zPBmJEZgSwLE5D5lcSqP8dBiVZm\nr1lV+mmOYO/KuFAYgGxnEjXcflhZudjF0iUPhd67RdBeHweo3EUsIKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKRuQfiyEd3OMAh8OWZ76EeNenHkMAoGCCqGSM49BAMCA0gA\nMEUCIB3U8QpFsdeIJcQ0t2FaH3HupB5ImVlBBhQg7lobBcLcAiEAn0OA8nVjyLuo\nknoVUV0YnQSZcFGe+pdI/5+zbobBg70=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURu9sOOmXDs2fpjPSJx9d3uRLt3gwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ9oWdtcvDTGxOjHHs3coxLzaYX6jAdBgNVHQ4EFgQUA5IV\n+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIhAOCgnlbKqxFD5D2o\nE2srYa+195RQ63RuqsWi03/OGw9nAiA60XHN2K1/BM3Q2dvPCwRSdcL+kvsRm/hv\ns9FxEs43rA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSPAor58MGFAmN/7xWs/9L6EsN/QwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSkbkH4shHdzjAIfDlme+hHjXpx5DAdBgNVHQ4EFgQUIkyp\nTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIgFdGpIQ3LcInZFIwC\nL0dUiKDELcjfAFU9IovtDncn82sCIBWZXW3CrfOGA8GwI/GXEnR1VRZ/DSTHjjud\nrkKSELBO\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUJKF9jH4wmxjGDrMZT9i4v/jo/ZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5queJojuzFMd8rpoPBI9kGg38EoF0KsDuLBkYBfK\nrDfNJMgEkSLqDM7rFjLh0KVHiOMKhOJl4DXHGfm+3wvdCqNyMHAwHQYDVR0OBBYE\nFOdCWOrPbdQE64mMG4lBCerZ9InZMB8GA1UdIwQYMBaAFAOSFfpXKGTmH17/rPuW\nqtI2AjquMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDdcyAbguX+nwKX0nLdI9oFKhuYE2ZN\ngscWPnS6c5L+WQIhAOifVbtwb5aEpjGOUyalzWvycBOT38Pbxgq/PwNfy/Z0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUIR2Vp4hkAgWtIq/7+M45nsg5EZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3xpvjMvo5J0uaPgCA13rtetlr4SuXJc2TlLlwxJy\nIQwxh/vFFLDHcCZvMoO7L8EyajOdH4jIZ28URxYkIeQ/J6NyMHAwHQYDVR0OBBYE\nFJgYJU8Gk7Vy0h57+RL6MCgyUWyFMB8GA1UdIwQYMBaAFCJMqUzqKNa1RPHwblU2\ngH9jJ1afMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCYHjrx7597ppaV8bjSYuN16CXcPr12\nktMaVRkWxUaaWQIhAK880bEFVBzP3ww2pbl/DsIK0llaB2pPzhw+9vs5/3fF\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUeXHnp0he3l/Sg29rz9wwu3Rzu6MwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNbVQTxHzL5F\nA3PGkdBcrS6zBx9yA4/pIklOpqmGsEXIVFsRakJdZ+DunWuS2EAl603w62nYp06A\nh+3hySQiYCajVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBStuhyayBVfmY0h1SbXbmwYyv2z\nPjAKBggqhkjOPQQDAgNHADBEAiBYT9EVW1AMgIDAMLlusJSBras/8OvVT+Eeg5Sh\nhSi4SwIgT4PQfMFX6FyX0ydbsLRX6rsgHdu40R7lA6sF011jqk0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOUmqM8ZLIsg8+TuAE4WcMnEqw/8wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKcf1V2JXGDj\nxWuk0WH1VENeTceElDSV69xtJKYWJTPV9mQMMjtkEZj2a+dlm2xvft840zheYcoB\nu9IYsCoLMAujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTwyzIWWVL44GHpT5FGgiVlcwip\n8DAKBggqhkjOPQQDAgNIADBFAiAtgm5AnKCFjpCPU+4stmCs8MrF1DsLToPaJAjR\nKd536wIhAKkaMVHrZpx5MN1tjBstV/7/45iN5R0AJs1EFJtsmBOp\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWZwEKpymEyB8fZE7tUZOCeKspkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH33HsNhKtdVsNLevQeTNBxwXo4fpHwFPIRZzY\n7f9vPbhTmiCltb5FjDI73r6+rLMWBt+7RSfOz65NG5qXBINQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvoOMxZaC3++l7Ycz/UNq/IJEb6UwCgYIKoZIzj0EAwIDSAAwRQIh\nAOB5v2ELtrAbdJkMX1a2AfW38Gyvdcb7xL+EudheGhhcAiBtfIyJotLdHixgiaf+\nOmeYHvkue96yYdAkqwj4ww0rSA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUacJxT9C9BcoY/A4wa0ikPQr3ziwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTE1Nzk0NTc4MDM1MTc1MDkxNDc4\nMDY2OTkzMTkyNzA1MDQxODczOTkyODQyOTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJx6luav6DRFNO3jbziabyZWZh9V7X21b4bp8uISbHQvJHPpZcVWdnUO3oQbBV04\nzip6laxSarAjn9VoriDWqKijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL6DjMWW\ngt/vpe2HM/1DavyCRG+lMB0GA1UdDgQWBBQjyuX6DgQAUvSsk069XzhM5ARLQDAK\nBggqhkjOPQQDAgNIADBFAiACFvF2bzqOorV/B+hy8cYeIjwhVk5h+BvX9lgBT+xl\nOAIhANmRfjaJK5taTZoMRQ6Q8ijEvJAMeG4JDqjsxt0aIcbO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVhXjxWxDe/w9piTkiCERxKRIpGYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGujMk9ISkHjRPHjZtiMU+0s+Ii1TmCxIZF7Hn\ncSVkYYY/CCf420PH6bitDi4DWTYzACCkf5CCf52Fsf0Ch3koo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUukUGg9HRPdQ05wtzK+LRebXYICAwCgYIKoZIzj0EAwIDSAAwRQIg\nIcHS4L2fYvzDGtPsNVc2G1r1qz2r276Jq8T6aMaKe0UCIQCg75hU9UI87308dUH3\nX3Mp32u7kgMyupdiPXwUXts05g==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSfrmDkiz57iKMgJjxsEVUh1O1gcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTE0NjEzNjM2MDg0NTkxNTczMjYx\nMzkxMDE0NjUxNTI4NTcwNzcxMjYzMDg5NjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK/OZop9EMT7lbHUofifXlfgtADce6XrqBnkj0D80/e3l1egnO/NbaM4d0zKv0u+\nXbxzJHziRYg/9oy+CJ7CiW6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpFBoPR\n0T3UNOcLcyvi0Xm12CAgMB0GA1UdDgQWBBTc5G/gPD8dLmz4RibvrmhndIxxlDAK\nBggqhkjOPQQDAgNHADBEAiBhpJVKlHFj5VcbMKskPQMEhyrs11wNIEbFQCyZ5KIY\nXQIgJx8qww8g4XvADJWU4MECz+bJST0YAABS+Ua2SJU6PbY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUZSRffMeoL59/hK22atvn2KrOeRswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTExNTc5NDU3ODAzNTE3NTA5MTQ3ODA2Njk5MzE5MjcwNTA0\nMTg3Mzk5Mjg0Mjk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATl\nboCESNu24Cj+9CCdGIdxlM3JiVeNSBC40TH0ANKneNoUY2n3WT41mZZVG99EWTS1\nwuYMw8t/GWxsanXOK7R5o3IwcDAdBgNVHQ4EFgQU8O7Uw1lw8dmfMl0FPwtAbeKm\nVYkwHwYDVR0jBBgwFoAUI8rl+g4EAFL0rJNOvV84TOQES0AwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMaYd5isoRJR1f5rbkGRKfE27U/4HVWJvDjbStf/Kr48AiEAj8P2axWk\ng//to22/3vgA8uzaKt8HjwNOvI2Upb9g/t0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYFQJdrIcFNTtbwqVp3TA9QUDsQMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkxNDYxMzYzNjA4NDU5MTU3MzI2MTM5MTAxNDY1MTUyODU3\nMDc3MTI2MzA4OTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/\nIpKECdAIwv9RXO3VMo4Kn8npgtBuDPBWFBy9x70R1q0sIg4BpkFwmUeMAADgXine\nzpFm/AuEgH+vIMC7wPDko3IwcDAdBgNVHQ4EFgQUCaTs5suWWSnGMxrinG0vhDeX\nma4wHwYDVR0jBBgwFoAU3ORv4Dw/HS5s+EYm765oZ3SMcZQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMYZHginQrFpFZD5OF/5ny66wibU2w0dt39zLJYqlwPPAiEAqhjbAAVi\n5t3e+wAuspkaQa99gTZXDbsUnhAUr5vziH4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbO57cAVB3tefeCrXtUEVL+sFSkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQKjDjTVzO7OyaB7eu7JtAGV3R/dErPGEkHTR7x\n1xonTSWJWqkT+e3gvMRctq9JtmJg6520B4HYwkiDCXss7Q9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpKkSiAKTrCCvFLBC+Y0+OsvHHN8wCgYIKoZIzj0EAwIDSAAwRQIg\nYcvtTPloPlZnUGhOjNIRdXO/2zB/42vAb5REl4MQ84gCIQD8LQEa5K+RYzM0skUc\nhf6wnOmh5xxsqelnGxZa4nfHww==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURJNVTkK/qQ5HtJ2PTCkMpD3KQZMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS02AN8N1r+bZKwL+y9y9qSMylSmLyZ7G7kq6dG\nQKFWTPK+UVirxfMS8Y1gfCb4PwtQwRnSfykFMDyS1h1te/2Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUinGtgfyc1Gti4kTqXknI0UUdYmEwCgYIKoZIzj0EAwIDSAAwRQIg\nOaSHwPzurUi60I1zlDOg4rVu/R12ENmvX1ZkXK9f8EkCIQDy5pCmGBQ3mS3uXJHU\nwaHiUxl2osb1tnzQmh5mubIGdg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUcVNpPXIOhmvsawfAtxuHCeg5ukowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA2MjE4ODkzMzM1MzYwMDc4MTc2MzMz\nODAxNjY3NjUxNTc4OTA3ODY1NDcwMjY1MDIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABEHnpL4Ox6MxUTz4qqH2SUvf36kdxsKcK4eyCbvTqAVSj5BWp3Tpo6eL+K+H\nwagFRN1SUS5ru6LxvMwhlAxONQejdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKSpEogCk6wg\nrxSwQvmNPjrLxxzfMB0GA1UdDgQWBBSXh2LLugY75k+Sn7hnfeDPpF7SjTAKBggq\nhkjOPQQDAgNJADBGAiEAy/vUZNWdEUXK6nrZZ4p2eOHjvrHdnrBBxCc2CGmsct8C\nIQDKSjiqzZC9hK9HZN1kY9r7/6H0c2bj3Lu5+GDvIpskKQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUQ/7dLMGbmLFIruocNHaPHvNo0skwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAzOTE0OTcwMTMxMzUyNTgxMTM5ODQy\nMTgzMjU4NzE0NzgzMjMwOTAzMDM4OTM5MDcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGYh6xykQS9poZtqqlGeNE8dy+m1jKgLQurVMjkADOtbfT6juehl0sK3Xb9q\nyiaWbKYXG9aKUP9RLqIVw8EySKujdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIpxrYH8nNRr\nYuJE6l5JyNFFHWJhMB0GA1UdDgQWBBTQr43JptSW+/6h+wpi+zvmAUmI0DAKBggq\nhkjOPQQDAgNJADBGAiEA3y6A9WOt58yh5QJIsOzLSY1j2Iv7B+e/gB4wt7eV9wkC\nIQD8hXUI/FVSQt04SCP01Ezx5y9hTT/ijnryDdKi3zr/sg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUGCQ4MZYpATeBkfOctTtrj+9a6cowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjIxODg5MzMzNTM2MDA3ODE3NjMzMzgwMTY2NzY1MTU3ODkw\nNzg2NTQ3MDI2NTAyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAS45Iejq006v4o3O9g3jhbG9/07SmIUnG/TYacbdgNnrcXXIb8S+APG6Fjd1dWX\n+j0IxCpTRhB5jSMICe/T/WjQo3IwcDAdBgNVHQ4EFgQU5O5JN9Y0LBl1shn81WPZ\nL61QPkQwHwYDVR0jBBgwFoAUl4diy7oGO+ZPkp+4Z33gz6Re0o0wCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhALd5nEptbRtJtCh3soRDG94kc5a4ITY2OXH4LGedo/rrAiAFxCIl\nBAjl2prBmYHr77ye77iIHBVYUBx8CwOh1EcWTw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUJqTiAWiKNbpouokxJszOHsr/Gf0wCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzkxNDk3MDEzMTM1MjU4MTEzOTg0MjE4MzI1ODcxNDc4MzIz\nMDkwMzAzODkzOTA3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATsp9q8Fm2Wx9rcba6aza6wRS5GimtXjpTBaiYK4YilTVa7kOCFvnwirddzEIrM\nf7tBepJG5hEo1aQmS/DwJMMxo3IwcDAdBgNVHQ4EFgQUs1x3OcvHg2YYvJK7D8ib\nNxH9HYswHwYDVR0jBBgwFoAU0K+NyabUlvv+ofsKYvs75gFJiNAwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAP+l/hspeDB+NZzSesqek6uCz25jz3pmGfPDcii9fnRhAiEAjq9W\n/VZ/Y5REDcOgQzx1sghDpHfLsdfKW24czs2Ht0o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUA859vWLnSWXEn1B8VnlV6jJfyD4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDqr+Q5Avqpe+6StH4YW+IDNG7pWSjkkFBbypI\nbXTaz6YkcrIWTzZqsV9KGKjz1dYXdzJ7qNDetqrdLqqBBQEpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiadP2djeKvrGMquicc/aXu8EGOowCgYIKoZIzj0EAwIDRwAwRAIg\nDzNSvQ/kggIysVJ6YZbq1Q/VOevLkPA4ZgHCme0XVGoCIBlL0DLI978J+X+s4WCe\nVII8ZXBt9O5sUxMHqJ1EABqu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZlXVBtixqmuT+3lTUtKBYVDOV8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0arB6ackNbDMe0PeN5TFbCA5dIIPgo0HrzlMW\ncbRNItqWFPCm7vEzQshZNDkjP6gg0chIvtA3U6knUajX7rylo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEnUSn05NcaK/poEwYK6caXeskBcwCgYIKoZIzj0EAwIDSAAwRQIg\ncgyFL1RRdOOJ142XTCwLzEA9Oy7G49tFf7dh70x4fcwCIQD/N5GBqbL10dFdwhxd\noK7YCWnk0CslyR8FZIHwnxNC/g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUZPgSaFVCRG2HHCJN6h99VJdMkPswCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMjE3MzE4NzkzMDM5NDI4OTc4NjgwOTY2NTQ2MTU0NDkxNjcx\nOTQ4MjY0NTkxOTgxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA7aHXcYev9kJcbGJePayzJ1y1dLAh18DUiwQrhZOaqo1KyUlQ7SokHrl67jecsD\ntmohQhX0Xx/tQQT+KSFQXHijcjBwMB0GA1UdDgQWBBSs2V5+0yBifTNBcVdNho+q\nJi1N6DAfBgNVHSMEGDAWgBS6c3lNz1wUlVGMo/8V6eZ49b/w1jAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBZubtq4se6osKtLkcIH2gQfjA7fQQ2BDdIFdjyd9UMTgIhAKULEesu\nVTo/eMgl7kJmduUNLGs7NBjVTBnif0xl3v0X\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUPYrBQluY2RHjrO3LCkHzhMY9sCgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTg0MjMxMTc5MjEyNTQwMTQxMDYzMzI0NTM1ODc0OTkyMzgz\nOTE0MTA0NzM5NzgwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQBCBI6Agpt4WuZvVazNFZPZR9PQviRhhWD8+4YbOzyI/mPDFV9FzkpIXF3AbAc\nLoSKkzxNkdatp+9ICRVFxFOjo3IwcDAdBgNVHQ4EFgQU8O0MmfRgYI/EfJDRae2x\naRZBbSwwHwYDVR0jBBgwFoAUDpjYyqPR6Em/G95nrVJP8zytGLMwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAPL1uap3KJMm5icAdjCl926a+js/f6b46XzK4Ws6nvR+AiEA6GEe\nDoP6jnTx4WfD3Icgbk1s+EWIZUGjBIxMZu9pHXE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUIq3Jr35TeMIYuXJ+K3b0snrTFP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgxuIjB/zRCaPAWuitZ0oNrBAIyo8YsnE62lLG\nXkXdLLbgCFaZ/Gowd4dtaFdOkwSO30f3qxCq2BfYpkXfs/vXo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCLt+CxpGJL/\nEwt4N4Wb+QrfVBLDMAoGCCqGSM49BAMCA0gAMEUCIQDnkTfFGKcKLU/K3uAlB2hD\n8vyT3T1bYyBdhZIvHTahOAIgEi5PJ1jTsOOPcUEBrzqk6muslD6xZ1G2GqXK9uSj\nUd0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUJGz4m8hFYyF+MRvuabf8WbZQszkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXwNP6DbsKWXXt4VGlaf3gESQyy/AUhIMRYvCS\n5UhOyQbbV1vCjU8nPfdsBejSmTf5Aq3JMVUYvtDVR9xS5lzuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFIrVa/KLOkPC\nOHSwooAKtmyei4pSMAoGCCqGSM49BAMCA0kAMEYCIQDAJ3o1CozFsLMo6s/JaNTy\nJqXWcO95b0eO+DFrR2R9EwIhANBA6uJCzt/OlfL9nUswUlj12/Z4EQO8KWhPnC6Z\nDAxn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUBOCrlr+rlU+U7AtDzbPo0vEFWocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+9WPgESh8QjnUR/RH09LUa3LdwTpqU8GFsDgrfbC\ngEn5sNdPwwkkPvVu0swOBzSkEDk6sOAjGIzWDRB1J+UBUaNyMHAwHQYDVR0OBBYE\nFPyoKYo5xEeJ7hQPgz/FYzNDPhqQMB8GA1UdIwQYMBaAFCLt+CxpGJL/Ewt4N4Wb\n+QrfVBLDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBN28pRnHoJFDA+kGoA0u1O1qJbSa4Ca\neoGK9sEICZiIAiEArFrFJB7vbBRBTA0yYo1UTsG4m80/Q9hQeuYJ55IYjb0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUeWIAhAdhaaopfdIHSzeubU1vuXgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZJkA1h0QYYTrmFWyOLbDDkXbVpfgqtCZ/ngjmRvM\no/q9YP2SfwlrUwA8Nhvls34554bsFODQkT4v7YmmYfUdtKNyMHAwHQYDVR0OBBYE\nFGdCrbDIMVS/1xr86pwn4lpkjbH3MB8GA1UdIwQYMBaAFIrVa/KLOkPCOHSwooAK\ntmyei4pSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB28rvAjGVc0M7IRegeP6GDm761IzStQ\ngWTBtWMnH6aAAiEA9krBtwG8A23BGcIH8m6lkh0vHa1YvzMAqkSwH8YnKAg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUOsIP15na04R06sXH21FQNmGHsPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+i74DSB17pxuql9RpUQ7Ez/LpMaYT6D+xOixl\npjeovfuzWkq02RIPS97H2ovziefb9V5FCqx+S2pCKkEFKlRwo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUOVssD2h4UGG9sQuWohjNHMw52W0wCgYIKoZIzj0EAwIDSAAwRQIgLs/G\n+600kA4rwAKiBPhjT+Psin3LBBegLZWpHFj770MCIQC3+m9YhLs1OppISP95VXPB\nN+Vy0Y5aULiIITDae8HCSQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUWkvd465ZONBmEb07rcal1NjQuCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATT1VG49EEjQ+9ODitneBGeVKzKWVfXtpM0LVwm\no1TCK7POlVHHQnNiaMiCk1hXI9z22xpQXIwiOloQYlrmnbjlo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUHzKLoiDteajnCd8GA42LkiVXFgcwCgYIKoZIzj0EAwIDSQAwRgIhAMt9\nFyOTkT3Rw2/wZv3lNGensfVlCUGn9A6QkI3FfsACAiEA+x7GqIN8Qnf7S6O2YwsL\noPXGIDaZfPISgUXmRmZmCeY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFzWadWeAis/9AVXHH2CZM/U5FZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2YLFFhvVNb/0djZItnh9+JRZv210e0Q6BRFcTyR4\nZOVn2XC+/GRWvlrtkMBPzCsQ09nG2JRWJGhFBmAvaD7pmKNyMHAwHQYDVR0OBBYE\nFBNtCJ0FYnmcpoTXfAjV4VXxK29tMB8GA1UdIwQYMBaAFDlbLA9oeFBhvbELlqIY\nzRzMOdltMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCFjf8Jo/a7J6bMHs2El4X6ydzdtD4g\nH0UR6gxFyc/JLwIhAI+SA2TNGQotr8fxxXkSchcLo+UQVnFX65zO0KcbNTG9\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURMCrzs+qmDEgC+EOq3WM+JkIWOEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+8Zhf2YrxMH3uWaaNCBAO8nIb0OzZfcOH+YDXCwZ\nznIWK9QFsqN0gHw19tIt92Wiog6eUSoY8/ir9YXDh+vCXaNyMHAwHQYDVR0OBBYE\nFEBlYGWUp5CjedhhDSzMN3REsbM8MB8GA1UdIwQYMBaAFB8yi6Ig7Xmo5wnfBgON\ni5IlVxYHMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDTlgOJW+jBhtkdXjDHt/OEujbiba1U5\nf38iliyqOqUiAiAnKLtV2ryfM+0+mxnm2O7ZPXIlwR0FQr27fp2IaLkzeA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUXVE8zr98rmgNCy4a3hytVR3hwsIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLlUJHVkDjUJMFsrOvWI1P7HrVK1nIYiIsFSzA\nTHFyFMKtPcqynNgiU3kTwlRrmfeYn5t9vI4X9J/htotwPpVWo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQk8FDujSgkW/Cef7nGN/6yE05VtTAKBggqhkjOPQQDAgNIADBFAiEA\n+0jtJKjlWw2Jmw3K7wUSZEzj/Om5W0S4L4ubRjhbbSICIAE3nY+cWbCopz8/wnnd\nvonzOhLs4VApB4zTZsXYKnSG\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUaow7UUIV3SBLGI7HU3tSFhMCC3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbJTA9BX6N8hiRQSh0t68B8DpJWSX+OFA5AqNx\n1YeBJH3o7QHYzu/kS3gAH5y7s/SvckGYOJvPb+A/Q0f86xbBo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTztwyjo3LwQhuGLDEo5BmjI5/PQjAKBggqhkjOPQQDAgNJADBGAiEA\nnfNzPyTtuedd4awgXdtuFdgxiBRmpI7bwd3bavD8wG0CIQD2mpyD11ST6y2MXmIm\nCYINa/LfIlo9DoNKmxFxvUmCnw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUU+w4GBedV4xkmUn5HDJJNPiTfDAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXQTNoGcr2smU2oNzMp7HafaaDRt5LW9yopfX7g7p\nVkVaR5wwhV297bpWE386otGNIE4qcI6EzhriL7YAvQM/9aNyMHAwHQYDVR0OBBYE\nFPS1F/JUAjRGfTaweTRYqFHZQFrtMB8GA1UdIwQYMBaAFCTwUO6NKCRb8J5/ucY3\n/rITTlW1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD9YjvM57f/PTMn7nty9pvFxQfJL7Lw\nM3wqLXstN0Dr0gIhAPJvPCZFmLE7NeuppLKbEFlKecnOwqmn1edKhx+te9iO\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfgbT2VdUYQmt1B3lxANhvO1Dp0IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHi2L6mbUV1BnO97i9RlToY/7/rdTxA517TyYUd8g\n9UvbsqxoegFge8v+0IK0O35wC5A6u70IotYnS9NgXf/e/qNyMHAwHQYDVR0OBBYE\nFIf4Zx5ThcgkevfzhkQp6I9A4CVEMB8GA1UdIwQYMBaAFPO3DKOjcvBCG4YsMSjk\nGaMjn89CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCOTeRT81kZR4aon7LYP2CFDmuW8k92\npnIalKvB5RJ3/AIhAMvHJn1Thuj+yJ38MJeV7EUNntq5on8HyWb9jSEOd4sQ\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSKN3JFkq7hsbchgmcNM6+HHV4BQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2OgquiI9qe76oRqt0AgrUhl7rU8nrDlRObvkU\nWtrMOaUT+OkVmMYKxIUBRr7snHxxBHyVWHqHJq/pigJSFEkqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7eTpYOfOUWkAWemGCpNhkxpGgFswCgYIKoZIzj0EAwIDSAAwRQIg\nLiD/WcVkHtCFF//XWuWVq6O0cJ5Hi1oAK2t6uH7/7f0CIQDpVwwpczGS9zt6vP3A\n7V2bJqoHgaSBq+tJgBc+G3Iihg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYgh2SrS/JHeaMtMW1bCN+XqArm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASIT6T7rW1ZSzD/7WKO1uRCO0QznJD6iVB2i9md\nXdkqZCKv6tT6NszhVFNsHXoVHR8RgvH+L3rm+gl9emma2OBCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoMUIGSMiuioABzaq/LxJJTbz+BAwCgYIKoZIzj0EAwIDSAAwRQIh\nANfvF+SBFt2f94FSsyyhg1YLXTMfo7eqBM5i3Q1RqjekAiBwkVsEpizA0LxOZDh4\nuoIG3O+fBOi+3w+vP9TEwN0lug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAzDaKH3yzz9CCo/r9Iw5p7f8StEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE0NjkyNzM1Njk3MzkyMjIzMzk0MDQ4MzczNDkxNDcyMjI5\nNjYxNDI5NTg3OTg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy\nT8OdlXPuscCxdXOPV0+gbWw+Bb6cAYhtwsvFF2/hpf/v1qjHmtYxW69lpGS4dr/L\nCe2NpzeW7paqPzlIK929o3IwcDAdBgNVHQ4EFgQUVEFEy6MKZVaVoNxty+ZVont6\nwc0wHwYDVR0jBBgwFoAUQb1tL0vyug93cJmQIJhrKAiw2K0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPUB5eyLGH32KArMTSXb3P50Oz2USTQ7qfNww+DvZuR4CIHi6P2DTPsrJ\nDmtrWr1jyCYS7Y0FZaiWk5ml2syqSMyt\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUXOp0PSolv6yy5Nz6qWekuqiRJXAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU5NjY5ODA2MTczMjEzMTI1ODAyNDE1MTk4MTgxNTkzNjUw\nOTI4OTA2NDQ4NDk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARn\n3nI5mgKKbkZDim6D5RRB6VIZhs7IxxqjHsly9ydY4vmekqfOPr+te9Fu0C5A0jUB\nTZKgNaRxoLAg8vw2Nsxro3IwcDAdBgNVHQ4EFgQUJ5daavX3T2VP8fL9F1lPdq31\nBBcwHwYDVR0jBBgwFoAUv9vEt0YJbOwYQbLXhxkXDm6qfxcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALZZbM6uF19YDlovxGHZeCFrMJ2bolc49xSXcgBZlvthAiEA41JZx4ge\n+ubqYFO6ovVxR6gCmfJOjQw/HoscC2V3+co=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCS7gnF6YgHTO/V5NE3guI2E1izgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmblmk8N6OFTh873kYgdPw0MdtUO7nsZr8x/Mh\n2tBzemIsAnot1nP4DH/vPK/qSvlwj/eqjGIryw/m/bB8pfDvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ2o/fq25VoNGZmNIJBu/L3YMK+wwCgYIKoZIzj0EAwIDSQAwRgIh\nAMXS5StN+2u9NVwZl2B+Y3OCQs/obXS96ewzkL+kZq6XAiEA/9BnkyihFs76LH5w\nd1tZpFo1IsEk2OSH3L5N5D2QTPg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHhIrcYdr4gtNVZnfO42gcY32WwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyhATp7Ar+7qr8Zeu3Dns2RM+RHgz8wzUvJVRT\n6j9Rj3bvanWrGDRzpjr3IxUXGbDXW9UPzy5QXofWskHpt3kMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+Oen39GGgjh2+gMawQmV0BTx1sUwCgYIKoZIzj0EAwIDSQAwRgIh\nALHoDCqNbO8Lo02pB9GQYk+P8TEpVZ9d0sroKbhcVjwqAiEA84TtnjkS8nuTGSKT\nN8+mDngJ4PMmRdcA8WpdmnCYCSk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCF36XFuc44Ys0kWUaKH8BFSqdk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETuqgLFtrwH9YlPIXpQ7BQ6MIyczX6gvFnJc2ZGnc\nRfHZ72uQCK+fT9PgTDA/pSFJi6etIQls0m4tPe1S/w1IwqNyMHAwHQYDVR0OBBYE\nFLvLCLEsQH1nBMS9wYKXcxkS51xVMB8GA1UdIwQYMBaAFENqP36tuVaDRmZjSCQb\nvy92DCvsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDzVdmW9ff7x27MQW2+XmagjYbq3J0F\nmTnx/2Wqseh1CAIhAJxA/dZRItekdJ5hB08HTOXee2ef73B9a9/1vCulNhfn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUQevromQs+7SkBrdRGOidoF5ftMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEgXTe6BGzqBdZ4T+BSaGrJiDq28AIFdIWsYGFllI2\nVYUF05rb8pjIPo/u2HbtnghXPpLTp2ZJalM4ubdVbmiMKKNyMHAwHQYDVR0OBBYE\nFK8AnQh0/akESEJZLwXKVJ0ZodD0MB8GA1UdIwQYMBaAFPjnp9/RhoI4dvoDGsEJ\nldAU8dbFMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDpUHcx048JMaukjo5ar6eDsrzQ4atP\nlY1q/ilqQl+flAIhAI4w9AjL4ceuJFGBoof33oqbrAdKKLCPfnEhsKbPyWrx\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIULVy1UMfZ6nfyCM9llsaWAu/gA/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToJjUmo0P8117VwJ0hJiaKEwNAYRfwnAypJOdx\n3rd18LgOCS1k30aysMhyHxaqNwx1pbYzmWg7GFd0PKyxtpsTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUza5f7dRAE5LY5bDFv+2fq5Hd3+swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCJYEBzkRUpQpyhZIctbw/2\nkg4DzxgrwKX8ksg6ItBfJgIgZyIucJOQgTxdc1NHrUBKx9Z2I2XnIBzdx7N/qpaG\nHOg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUdZ6nDuhCBz3ViMDqlu6/htvH/b4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8qmhi0d2U5yhbUtx7yvBxGbca1OHgPfS42AEv\nABy/bYfqPD6ywDDhPLEzbh0E0xByo5YGjPdX3EQMFNVxbxCXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9kiQ+Yu62iYmDXhXtOGC5Tz46oEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIE7bQOEeMvODYKk23FUh6PRe\nXthyk07DxretHusiSkJwAiB9ww4Af5arTtIG+ai1/gwf6WsaMbeoiBwz6/wZ+41i\niA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUIt9acl+QOpohXR6+mp1dM+RuC7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZkyYoRlLZmBR6IJ3TynUFtNAqegMHJZ++ujjb1ng\neH66D3ggvDgB5HaT7A5wYh5nkdzCPnYtVlN33ArENnNtmqN2MHQwHQYDVR0OBBYE\nFMjfDgJ9JN1hiGk4OyhQJ54rRn1tMB8GA1UdIwQYMBaAFM2uX+3UQBOS2OWwxb/t\nn6uR3d/rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAn5zngn40b1nVpB7fx2YBO8j5\nWvzN7idLs6uLfwX7DFkCIHwQyWiOqDUWy1TLLetG6NYuYT3esLpEd9pZTEvjNtFy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUBuLS9Pl/rqjyP5e9garzJISZrAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETJGr1xANW0tU2mbq9uhGdXjq+nM5W2vqrD9hO/9b\niOZLDJbbABmK5i22xk+BLcc7eJwl4+IdtOEkX3WZ8im+PKN2MHQwHQYDVR0OBBYE\nFCboBwP0SJdc/+zqkV20ieeCKo4tMB8GA1UdIwQYMBaAFPZIkPmLutomJg14V7Th\nguU8+OqBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAj+BuscJvk737GC/5EhSTC5Xv\n1Ua+R1OZVXoD7EqjAUECIFCvLkHuv8mKN2MMAbO1UMSLsEf+przKrcc41sEvCJo4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUHKWrBEx+jKwQxm4PoUy9IV7OMvQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARv6AJAxvGgvAZIy4xFb4jzzrmunSTZ63Pfjhtt\nEqbZ6CgFJniDPBViG5RDL5eB7BBTgxZ0tYIXxsxI+4a63Ylpo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfCMSMA0CZxGnTKKdXitM5eMqrD4wHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDjDK8QOveILQpdoxYrH2ns\n2Ezz1CEAb2T4f+7KRilq5QIhAM5+CS0H5G7b4jHrTpP5ysNtmNk6FvlSnlcF5twr\n+019\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGntny5d8Ot9+dWxi3VtNlrgIVaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqCiBIGwpDIVb/ETxMB1jJP70oru+FC6hbB6h1\nbKX/heSrE1PaDEkuVME1lxzbsq7/NgrZjyqTx7sWbGdRkXTZo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURvBftBQFSKO3ROMsC+C3xaU6sZswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAV5AS3dwajLK4OwrhTXHy9o\nid+1lkyG5FFotCv36p7HAiEAvN92QAOcfVMXFNHAqxMaW+uCoKqEn3ntEYIgXdKQ\nrq4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUYOwNiYRyDk1Lx8b6yU1M7uPaM/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0M9x19J8RJaPOX+8rPNGl0hDK7TGQxdHl2CpP7Jl\nKAHJpkX+CuNkFToFucswpH9eft/TVHPKzO0i/lI5PPYNF6NyMHAwHQYDVR0OBBYE\nFB+Y4ij/efHzjmgTS5z85WP5oNxCMB8GA1UdIwQYMBaAFHwjEjANAmcRp0yinV4r\nTOXjKqw+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD01ORC7BXl6osxfY/gstHODaj6HjvJ\nj5uexg9i8e0WEwIhAJdrN5SMWg2od4GhqIWm4ixqkLXbUNwkwh/RG4YcS9K2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUcUxC/PUaMHR17LpamuIvA2CT4yAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBjKhpsXdanD7V96Dizs6qTYKU0CsxVmDPFCtmbLM\n0k/6cq4vxxnWKWIYeXPsf+KOcKT/Lrdr75XP6Qw4F1imWKNyMHAwHQYDVR0OBBYE\nFHgGyZGznZArIqABec5IeqD1cEvKMB8GA1UdIwQYMBaAFEbwX7QUBUijt0TjLAvg\nt8WlOrGbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGsqG4IMmnS6DsSGmgvpIOFgCG+gXT7g\nAv+lckTeGKLbAiB2eGPoTSiYj+ucW7nVWTPkUu2hWVqRn8Yn01+qmg9GTA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUQ5dqjw+LFrQQJqlFAjyo6pO+3m0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQl433N7DCN9CqLaVKAUsMCUuStrLIUrXZ8aeUX\naPmgO4MF8t+RUCy2tzL+mJB/CjNAsEWB6ZCkEjS2+64uFd8eo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0nJGSMnHI/qkDFdq3xSapVd0S68wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC3HodaraFcNiWZve2ZAgcl\nGsDCmngoRPnfV+W6vY3gKQIgEZSPYl7EUw0cvBgNFn0h3AH1/k0+Q5rrzAn2uFUi\n3GE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGPIhZHREq4CLwQg1dZZp+mAPBDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxRBvxauY82YtNDBLuURvIzBUxEjrjBdpOnNhf\n+GCUn9vA7tDeNhBYlG+fiAq31yutPwCFTR947mHMzP442v5qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo/9eetID1aVbFL3MyZX/4rf/bQUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH2VVVXyPZeLxlvodnRJ7eeS\nGGup/nmIpI9wiwuoXW5xAiAFYZ6gSRv5uOn1Uf+KzaMuUAwdFwvX4oiNSEi/ECmA\nyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFTF5Ll6H18miRRGbJ5+1aEL5ZoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEND/9CVBZ4l9GhfUIaTNSocTRCmDn9wQgno1i7Jtp\nkNKuVasC7mrbX3WPGzJ5XPw4OIiKSze4ETuOqMpEiPfNX6NyMHAwHQYDVR0OBBYE\nFDBAHV5QsQStsweR+iVda8YwB6UnMB8GA1UdIwQYMBaAFNJyRkjJxyP6pAxXat8U\nmqVXdEuvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGACjkK3IY6a/ggTn2Nn8WVgFFPqYIm/\nVac/qpDDsS4NAiEAyJ1CbYZLENTMTpBo/OAzuYO39DfUShtMo7YIyqUaddk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURCTY6ny+zKYT65VFQ/WRt9rj3UAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKuZDsyjzta+Uof0EiiVpR5iup8wa9JzeN/BkV4Z4\nlueIYhtIXLTBg+hnL3UJwAecQebJ637JBjQgcqO2fn/i56NyMHAwHQYDVR0OBBYE\nFGigNwOSAaPXA2vXb1JaK8FpO5F+MB8GA1UdIwQYMBaAFKP/XnrSA9WlWxS9zMmV\n/+K3/20FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBy5cCgfPGg3g77wmAD6fuZNjb5O7tIB\nM+/iwvVpaN0TAiB8YkC3MP+Ou+aK0bq/mXt3XbvEVRM/jTkH9dhSoqxWFQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGYlVz6H+HHbU9C02Qq76zkEUzowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7PMYeQ+A14VNZfEsJ9qpikuYk9GIXin/rA+BS\nrh2tEle7TbZFjwKtTHdc0EQeYTtaLOPxbeAYzD6tIOu2FHGAo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIQ0XcxQFuxTtJLJwQRxPHYkg/LgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICp8sPphgyYy9YrN+h48zxGi\nCjVs9Cjhdl5h6UdyWLFsAiBSP68G27zM2do39ZeEvV3wv3SDYLqvpIIra4MyfdB8\nBg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIc3uiOHARGIiZZojmcdD00H91i8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdxME2eF5E0VAFoxXTnxPVsHTnYgxllKOHyTwi\nOs9SrJuDdMeGe5Fb/Sov7IQQSK6HWy3qANIEnd0+6i8cjY6Qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIrZpPF514pSOp3Sekcs9yibbeYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCY9nZattjna4f8x6vLBpaC\npkxsXtNLc1RCcxJ4HHj64gIhAL08HyvAWS2a6HdZbWo6jXBpUhk+Y7jmZNEri5Kd\n+ak6\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbJYtAhlJmeFTQSMcF3jKIFlIWGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2oZFz6YuvEdE0//ALgL5Vg6auqLeQbpUHRvbmKip\nivuwd5z5DpT1ia6kREq6/olUj8j7QDmgUtla5moeQNasoKN6MHgwHQYDVR0OBBYE\nFIj9ZzH5VO9w5rVJ59SvXYNImWe1MB8GA1UdIwQYMBaAFCENF3MUBbsU7SSycEEc\nTx2JIPy4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgArmvpJxE9uZjx8ftRc3W\nNKgfVrov5+BAD1BsUnTsSvcCIQDh6bvWdfNkd+xFE18EFJ1/qQkYOJ6hXGfyuzRL\n/m8hDQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUSI+CHx1wTOxoyh3t6TXTM2NiIx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEd+84N5G4YXNUNvcT8bwjzzFCG8PsjA4Pfdm3157E\naApWYFqHtfdF8zAJOxwQMG5lb4Z0tlkXxYhhqq6tcMMGDKN6MHgwHQYDVR0OBBYE\nFMMyLn8//wGDL277xEpdPCMWXNbbMB8GA1UdIwQYMBaAFEiK2aTxedeKUjqd0npH\nLPcom23mMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOb1af5TJO/1Xehjd0e7\nWAzAxq2WO1Kt70dVKkHDcV1fAiEAq8Z7n5EaZhfDuljLBUpD/7v163wqUtbABmeP\nhfP+h/Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUSWSZWbWkrV3n+0+ysILWeBV4YwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARojgbV/2bUbKaX7Ypbb4WIVLf2IlfMVLVC3hbZ\nRy8WFTAaaGp9fR9BGNKRhwm83r3Nk3gyaQ9l/UL0RomSFHGOo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFtwxncR5E8JKQBzHZoLhMq/WyKjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdCJU\nqT4+XUnOY/qCvDKK0zapUis9XtXbugkjMqLsQXsCIQD579EqvGj6EhKil/E+JsuY\n/WzANB6gJ6ChCNJmqV0Tlg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUbUXBpFuR3xCwfPkd4nOZ4BSOyrswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASAiEw7/X1uLc8VlSXMxGFIsrLkn6OXhc2nrMyM\njLVmUZ8Ed4eHSG8nkaFAA+yy4FKnAWH7QToGeAmdcNqGsTSMo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTpWxSL0Ip3H4vQsdsjmOdKI6y3JjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgfO5z\nNoQ/yejwyqK814IlyhUqHXHAcR8DLKk1kKnSUS0CIF1vB7zMpf35+/gCF3JSlxaD\nA+mF7VGlP6Kezvla3g2s\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUcLjKFUTbFJLe/4UcHgeRUm6k6P4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYFjxRUbY0C86Ae8rDGxOwvWGccJf06dM9+g0pV/A\n1zUXozBxA3bdp1KK1UgssHqv+d7Z0O/TIX+q1RGnFzGE36OBjDCBiTAdBgNVHQ4E\nFgQUze2E5UtFtaF9QTR5KxuRgd3ySoIwHwYDVR0jBBgwFoAURbcMZ3EeRPCSkAcx\n2aC4TKv1siowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCdwpa37MkDyLjzR9A8oreJeL/mt3RWCH8hzJcz0PLrCgIhAIE1QYe2Nv7z\nsPCO1jVJYcG9gQli3JvCFD+FwMkL3EdP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUSLiqgYucFXD9969hyh/X9im4R8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPc7FPGZJlz4UxuNTX4lhxC/tW9utfPg7IWlws03o\nYo2U21Me7Kcym6Jsm1AMgkfzgv1+7g5Pck7v+m/VC4eo56OBjDCBiTAdBgNVHQ4E\nFgQUojevBEIPTag4D2kZNLRTVBrEjjAwHwYDVR0jBBgwFoAU6VsUi9CKdx+L0LHb\nI5jnSiOstyYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIGs5efpyhf86MdVK/4xWRf8JvmxtX24XywAXXF3ssugMAiBz7x6ikbSCOggQ\nv3SzHYgVQanldg2pq8nJmkk2Fg9zmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUAWLLWFbnh6RyL4adqcXSRZuW9yowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY/Ii5o2KwKQ5yFc8gyUXSX0DZHPKDKMAEWMHq\nloRmDf1W+UEIKUdnCJR8+Zzaj/Vg0WQjXm/n85uxgzOwPEQ/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjzLMZMT0H8/9sKhsa5oma1m0WjYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIH4eSLST6D5D8r4K2hAV09QnBlMP\narosuQqH25IkfykaAiEA/3pRkoo1+Qc+JzoCl9L1TXnb+v2TEjJjrYFXgIFGAHY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUX5Za+N043eqCtZIL8aJRNHeMyiowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASM8ovLZQlubqxA8QfUqFgK9UPmOnoi/AVH7e82\nQHivm1A9Q0/M9tFsgPQiRo4gdNxMWTFRMRGprGHsgZr2birKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYTq65LsSNaD1hYnoHL6peN3pT3UwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDpC5Dw6WhuPsHSHSpT3yfoF+z4\nVlMPJcPKOYT03WZlCgIgNlb2+fmO34/qplGSvzLxaR/ilzfJKXCM8azDQ7LjGEE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUI9CxympDNedMqQF76Mnlz8w2togwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdJjPIr0Ya83S1YfHhy+OMSsci3pvYfluga6Zz2Nh\nuuIsE6BRSctBXE3saIjm73XSHB0LN9TJlY4xDMO4+XU336NrMGkwHQYDVR0OBBYE\nFBUEqw2I6D3kEjdYsUpi9tAjue82MB8GA1UdIwQYMBaAFI8yzGTE9B/P/bCobGua\nJmtZtFo2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhAMgCED3CeStIF/tFpQweTzgljK/LgaXJHXhjFxTg\nKyXsAiBv28Sdc6XA6kQB2AXHQpHSyufb+NOZ1cNAj9agUSYK5A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUCooGxedj9fV9ZWZnIzPRJf7ZKSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPuvTlI9kzRY8oYAlp2IMsbEYesVJBQXn2m6+dDHY\nBOv1thIAyWOcwmaU4Cg7HRteBoTXSD2Zo9AH8OAxl9qFSaNrMGkwHQYDVR0OBBYE\nFAD8p8yv9UPj46UhFpUtufrPiikHMB8GA1UdIwQYMBaAFGE6uuS7EjWg9YWJ6By+\nqXjd6U91MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhALrmTe1la4fodB+XbX9rzHro7THsgenYcDnU7jlP\nmzx9AiB1DnefmU+MeiC9Fjx/8D6wmfmeCwJeJbq2nHQFUkys4g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUSIUW3NEPLeNBvg8vQyIAgZ4JZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQw4LpEb6jGdRgrElm+Y5tg3bBKVcpYbV9/3WWN\noHiL+4yiHfxu1wrOdkxQcrneRKFqKXRlrDi2u6C+RaRR6SEdo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmmw65b3qurDzXAQ4hgaElxHH9x4wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFITGrCYp4awi1ApMN+FymusYnNd\n6azSsuwPNU+m46tkAiEA0orPK7idRX3vetzbIdeHynvArwffajdlJTFSrf5MqcE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOIjD23qzNMVAOAHIj+f02wORP7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRGsrhwSUE0HgWKjfYcM/5fwimRbH94+ZjMvYr\nQ4NwFaOqK5TUolSvQndabVJvAzdR+gQNcnRt0vwDfpk9yOCVo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjYM3DMuH6kSMXL1lE27UE053XBMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBulXOPJmFoAiYdY7Wia/kqDNnze\nBa4UFmtdgADOVFnoAiAXSR+9w/6G6uGOFayQoK0BGwP0UvF8415w5lkIwH7qOA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUPdeN+cYID9RNIIVIxq7dEfh3KuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDHaNFEKHNt6nleQrchZk/N8L3Cbn4RZTfsn+piDg\nf4D0TcGG3mYQwpC/EaVjXA0QhcXCRFMLSoOyt9NVshLGDqNrMGkwHQYDVR0OBBYE\nFKjrOcijAZ+9tMB1STQUF/gzZnmbMB8GA1UdIwQYMBaAFJpsOuW96rqw81wEOIYG\nhJcRx/ceMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgQ/BPx5WXqK4wAp8/sBo2O50uKmqqcMAH2BUQsVKZ\nZeMCIQD6D51a0X4LyJDHYLVp1zXC9BbBk/M6n7f0AzsF1R7aCA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUGi07WuerxYEZ84BSQ7SkFBOukRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/bur/1xfJhJQ/op23rspQP4W6sI46/3GjQQzzorI\nMhz9iUySJt7Eu961UCqeBdWROAIn9VTsIb7Wrt/tulBxeaNrMGkwHQYDVR0OBBYE\nFP5ak3wl3s0vDkjmpvvksXY7AjbvMB8GA1UdIwQYMBaAFI2DNwzLh+pEjFy9ZRNu\n1BNOd1wTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAOpMC/5RoNA0kKkJKo4oUvgZgPu3fi1wKxu0vwsU\naXSKAiBxFCn/Oe4B1v7U+ljURuVs3oAK1kfNjt0tUe2OcVpTfQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUShjUPueNBDpNsUHvTEUarFbRMfUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/B/STst+jLSDKn5oMtmraU41l9doCi3zSEH/B\nl+A9guHHOZAfQdPzaLjlVC0ek+LizUJkRjUyj+Yg5LIodKs2o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbp6+b2+FZX0+ZiTmxK6X2+AiPyAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCQ5Ldvpl07vZ263RiYuvqDkvsy\nCpK9s7CBC3aTEXOodgIhAIRnX/CLzG1rAiXV04YFkMYf/KA7zSWPIHfunlZeM5J7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUG7ZP453OGlu6Y8YwbNqAbbGNBwIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASlMJf1TrM2S4MF83dPH7qIEuqXgiswtHVSUaj9\nT7dTj0PfCm5ltNNET0HyFFMZIZRGPsrZLZv0+jbSnOPpdX9No3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhkQjgHLNpymC70RiaU65ghHEw1EwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD28tOn8Kfd1dawlpQlRmyz7e9q\nourImR/k3Jg5Omw1IAIgVBPKKHpIR88BoLYHiD0we+dbzrE4NWBY9NdQoGViE4g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUfCrcVmbHgo6W7y9gMXy8JQwQJw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpVtyhPQnYILqlVBOI9wFar4QAVwPDC0ZvG4PPaoP\nUc1YMLLvqbdMumc6/jr6aMly9CEuQEGQpNaJe7MAbP+1dKNrMGkwHQYDVR0OBBYE\nFHC/zXuaId4cnqnhvri9aUNpyS7fMB8GA1UdIwQYMBaAFG6evm9vhWV9PmYk5sSu\nl9vgIj8gMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgW0rLsHsnqwdpAGhmqcU6qC1LZxSmlKXAw/u/UPrM\nUhoCIQCl7a1TlqSCcgZmE2xx515n0VpJMy+h2wrmDdusVObgTg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZDGenulxtVCUMu5KkeYsZlTcv2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1zF10zhGCcWOVc3Xa6ADNZC2hIjrz9UPb5HbjPCM\nZ929+6AZqxYM9RZm4E5Q3v16BWaMU74B483kGcPO9icfj6NrMGkwHQYDVR0OBBYE\nFO806gdftAr0UO/pEnDMSDO8rUPwMB8GA1UdIwQYMBaAFIZEI4Byzacpgu9EYmlO\nuYIRxMNRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhANfqXArxZb69t7c4a42VqQsaawcnGXPP4ipkkkPn\n3xdjAiAWz5ZrTR/8O3R+USNbWi+35i+Co6kPA/qO/LAzdPsuVA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUb5ByrUT0dUHH8IcNCk5l9fDI584wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw7peTufhC+H1+PHNd+LHfu1wDWWbEm+9jzojX\nUG0AzdAQxvgFFAqN3vL1VUM047DreLqhFUrn9pGu++8IMhGBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ri2O/R/yOaXjUGFmpsHWgGPdmMwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhANlYdjSGDUXftGcl\n0VHiM/rBoenfCNQlmX1GseUbdKy3AiA61pjOPhZ+N6XXaMMD7wsA0UcU32RB89yw\nAbOHAkTG1A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcq3WHT1NBvGwdpPZcC7WRhm6hd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuaLjKlFmT+8DOEmkRX8BpLbVjByp9smCPSHSj\nBIVmJmBH3V4oyQSkCe/cWCoUDJFccrU2ZmOR/9nZUOkc6AHAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULvlOj35Rosu3r8sEApQHGbuwuUgwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALQQPFyeUljXNj1I\ntX3C39Js8c03OX9ti2HcPiEySE21AiBMiTYU0MtrrzIhwieSCYLenYsjJULLkHNI\nguFy5YC3zQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUOx1PKjP3eFyFsc1+5Om5eak6GGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEfLpLaNMRDLrzlUiDLtsWjTA/EDZobxKcO7HLzVSbeFcM3Cej\nk2tJMKm1hAZq0v+CLVkFSHMC+IZM8EfTtpEm9aN7MHkwHQYDVR0OBBYEFEzxG4t8\nvTpYjXVkfId7TnQJaBBnMB8GA1UdIwQYMBaAFNq4tjv0f8jml41BhZqbB1oBj3Zj\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDJ7nyQdeBWwdmGzYRcww5ywdXE\n4ivdhUkJtRohiM9oKwIhAO5CvmTclsecQnG0DqjOGb3hE28I1w2sADkoYEVvza6G\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIURWK3YjmQKwnyQoeUgJsLQM7eGA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEJ2ALHAK2wbheJidAugKjsVe5KkGKHqFMKwT35TeSBf/vgthz\nR4g4uwbSoDRP0A11Ljk8bDuQjRsKxQd/GftbIKN7MHkwHQYDVR0OBBYEFOvGzwpV\nG/A8GqFgUh8AcJHRzEq0MB8GA1UdIwQYMBaAFC75To9+UaLLt6/LBAKUBxm7sLlI\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIGQRiBeU1sWFAC2lFie7N3ZLdSE0\n2VoOPu2/DJAuM0KQAiEAjpSnlhLLTggUvPBvioqOTkxBDsoNgGTbxLVjJ/zRQXc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURP6+ancWM5IQTyTcI7dIvxsUFVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBiWHaIGZebJjkZ1fr+kUXaryI+FPf+RasKb6W\n5sWcZWB65yQ2E7eEIG+UBC9/B8UUATpQdQ1p1PDPqFOTzcRto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJKeP3PFWOO4TbUT\n7NL0mdsm4aJHiCdk7PoavuajydDoAiBbYQ5rWKCOFkSgBuiAtozvaDl1nWwQtP7T\nTOL+hJWlmA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUD6c47s393RF2j6I7eB405BVHAjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhBsgztsQWJfqA+8vqVNiDc0o3tfN4A24UxFqB\naAe5ViYqHktfY6gKuidQpgAaTXGkaMz9OG1hTVwbYeYidWC7o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqFFBFy5whuveVMgyqsojRjgztmQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAKo7QJeYCY2xjJwn\nfbyjhPFW/pW9KvySGmqIFKUEBNjtAiA0STqkG61KTMWLXSWxbWFlWUT4T/uiVCM/\nsYD15Y4dYA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUQezmOAOMJUArTEnYv6JTjWWFWmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATOkvN1te3Ct6cBVBMUXUjh2JXtvQe28JwEQ0TDxnrO86TDSlbF6uxP\n7reYyc9/xhkRYRAiERe9YBeKiQMp9GDzo3cwdTAdBgNVHQ4EFgQUNZczL2EuIGvz\ncNUrrBSPIk9k2bQwHwYDVR0jBBgwFoAUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEAlGN9QC/sUOWIGkxnIsL7qCaau850b4wBStyR\nxCujYlICIQDljwWyewnolkOEr8SaxFnfKvQIMgMEbk5jYS7Lh0ipQQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWqVDkcXMw65J0tB2M8hbd+CR9SwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQxnB8/JgjN1sW7NHPUFzYNbQdbb3q+TY6WSk4Nw6Nvji5dbPcRXdJl\n5Og4mpniNmqh31oy8oLmgEddQvOReNqOo3cwdTAdBgNVHQ4EFgQUgE0PWQvTyKoL\n7nOZChbA8N8inMgwHwYDVR0jBBgwFoAUqFFBFy5whuveVMgyqsojRjgztmQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAj4fwk5CDRjyNaJKFE4JnEGn3hVGMavrTjJL5\nsggnLB0CIEbk+RZ2vIt5vOhLb1TfsX+j3iCYQvMQw897hhkM0Bh4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUbkBJftUzUG9cZSWqENyNz1dJa6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREbdvIfywp/jGTmecHQW9wadvSFvGnygSIY8Kj\ngKoazDNbJKESH1khAo5Yxp59AKSVSMuOQum6T3ly1Xlz+iSFo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyD66+nJpQwQ3EmNSBXS0pJMHY7EwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgMF2B9+k3OjvvKNnV\nwi+2iTbSiEDc14hdgRfoReAqGU8CIGb42k4N5F6oMznOegdV6jNqQi0U0V1gIjjR\nmUqFqF2X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUCFiin9d8GMfFXV2qkBtxulSaURkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG1QZQuGTOvyO9pWCj4/Ol5i0ns5Ngkap5/AGr\np6y03ikOcbaO3RtDOR8Hf1IiYx+VjPx6YDdGZMyOIDl/L2hxo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn80vVeS7HLUjkKtyoRjghHGyKe8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALstJcyJytPRRmnX\nymXgQCMQhrar/3V7cFvXwnjsRdleAiBuhC9HmejX7/uizkMC+akXkAZ6HMhuRD+x\nugRnmiqIFg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUYcvKW7zs+UScx7DeDUmNDXZQXygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARmBga1ygKTJwRBpjbKEK71ocTLJZJ6WjiYyXk7v5ly8fO0JQvZmIKz\nx8yiplcLbwf0cvGN4xErr+H5la0+rQVTo3cwdTAdBgNVHQ4EFgQUbnugLN2slwGi\nOBsf18eqiekAY/MwHwYDVR0jBBgwFoAUyD66+nJpQwQ3EmNSBXS0pJMHY7EwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiAGDGINt1HPCWZx7Z49jj8bA8L4jb9bASB4eJK8\n6ufrDAIgLsWpl9NDS97EXOTCdqL2v5dAZMVwac+FzBty8lutTcE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUNvU1HkiGZIu4yxSSuPVGdPRXJQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAReM5zjuOV21W7hYSWnFK3EXScDLq5E+4NZl5ZEEzQIkZtvH1KwLYxg\nKCjfz1TTRjnVmKhw/PBIq9O2LvR2Igy3o3cwdTAdBgNVHQ4EFgQUtioT7eatxRKp\nSe5W22UxFqpVZDkwHwYDVR0jBBgwFoAUn80vVeS7HLUjkKtyoRjghHGyKe8wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEA2EHdUs27K+dmGF3ZhP1B733ExrK/3mAU6dO7\nVJznN+4CIQCvB4MzIMcpBRcER+dT/HeoIfZ+5Y617Lbav6eAS6aWCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAhhykAPeI4VKYu7SXpQ/D2SY2eYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnLCLPLxu8H3E2Nw2gFVRu+0fNX3m8k8osA1gK\nUvVnMxLCRiU3GgOFwDqZkjNLUSwfh/iIkMAc5KAHTC14fE7Ao3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf+BOKGw2xKzvggaYz0rVdaFJb4QwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgXPEJRhiFTldrEVpy\nAbtpbctew9b5NwEAAMN1h5Q7ZU0CIQCAfTc4aTvocGy9sLdyifqZfhlcw43/lKnN\nT+Rt68PdZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSx1UE2A7XVIgUh+YsMQmxc9o7nUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpIu81nJxemCdSpL2x1SOp6khOTQAJrdsa8UMy\nLItlM1aAOm5NEDRcF3jfAC+m7Hr3uaM9/fPFe+d7qXFRMHW2o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtegB/IBtiJnPuoqIk8/ALyY4+LowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgBoRr7n2eJkFhdQBB\nHis3XA09QVoSwpRMtrpdk7HzS/QCIQCFApTtpnwqOpkXzsnxb3JbaK54UhJnNX28\nTKPx00DvLQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBmKJ4FvnplORCcGwQSWoCGPcKAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE0zB0e/6PooT/8/dMajIduhrbcOJcfkyWWyRjjcTGSesYvRqe\n7CMZMSjOuXDD72gE69oQjvic+H6eNWxr53wMNaN3MHUwHQYDVR0OBBYEFFfnK/lD\n8nZSRpKcwOVohT5GVFldMB8GA1UdIwQYMBaAFH/gTihsNsSs74IGmM9K1XWhSW+E\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAPjNKswmw5aEIsCLTO0B3WOJvwkN5KtR\nAbWDcXycvJAAAiEAk8eCP51j4qaphOZsbVoBBzXEjvQ84tYWYN5l8lL1ZQU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUBkkawGRuP/OsnJi5dRJHkyRVw0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEptBUtSsXYKRv6Fb07AwLsLrwQsMhlXxIXZyjFv8BCTZ+gEEX\nO1zZ/RbxB934SsnRryRRHp0M8faKKkJWgwiQsqN3MHUwHQYDVR0OBBYEFNPRn3Jk\nbHJ+YhJZBaw1kF+AiqWYMB8GA1UdIwQYMBaAFLXoAfyAbYiZz7qKiJPPwC8mOPi6\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAPsruX4Ox7WWPV4u2Wg/SctSn7+rneW4\nynczxR+GpXECIEhngQTDhpVJf1HN9qdApjxwusVJgcuJFSrFS9Ll51n4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURqYkk7pqDuoe8L/fl8w0Caih77owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqbE1rIHLv9ya/X5vXEp35FF5hGeeB6TL6Es9O\nebQ9BGVghGz5Idc2HyXxzRBFMwYtENDeDrVBJIldpRAy2UQSo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULlfFBusJ9FQs7xKEubqSxx+hKm4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIHcpZAO/Y47y0ee\nw8Bqkpp0K4k/eVrM1ByRmgYW9eoAAiBSE2sLb4VmOIB3y8PWrk+WZbbxgyIIFhqo\nKFBZsUKhYg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUWvxl+C0Ox/2Hs7LECd4UlaxbB3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4NgnF31wfHCweH23FJxKmGiqPFcqnka7tQPb8\nTtSzJ+GYUCgNHa5suUs/ml7W+pg4YXgwmjS10aAZCYYX3uG+o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrPscoXdbfshOwz9DJzccnc57At4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK821ELL0DSTxSZt\naS/PJL8F+ZszOfNoWT0Hze+x5oOYAiEA2O9d4vZh6gOdRUSTCPeFYF5WreGRMOoD\n68fV3S/p07Q=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBdaJa0nBXwJLSYCBuOm+83831oowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARURKkD1jwupsL+oh2GD6/Uu8s9Q7O8tqiUlgT1F017ck/MrYmhSML4\nvBxsM6uOpDT2wrdgzKDSZNl5W0PdHiD1o3sweTAdBgNVHQ4EFgQUD4yk0m3XX1gp\ntyhYrhbrpPYhQiYwHwYDVR0jBBgwFoAULlfFBusJ9FQs7xKEubqSxx+hKm4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOTIsHHKAgWlrxDgW9bKl40Gyx1r75//\nvmS4GaBDghYyAiEArfXsmtkk+X2m1Sdz+siBy1bPwoaaOiVPLpECw0iFMvc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUOkOjNAL7EPe5/LN8hyT6hzFd4/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQNlEP2tQeG1NgO2NiQDh7nw5MKyjzdp4NynEWj6QAJq8k9esLrEPlZ\nZUm3aerL9FSAWW+q05WWo4eVGTUadC9ko3sweTAdBgNVHQ4EFgQUnprmGnI5gtMf\nNjtl+c+C7gEfXFMwHwYDVR0jBBgwFoAUrPscoXdbfshOwz9DJzccnc57At4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIhAOEZw2/5obfg3jcvsVPsN7AWfB3lCVrD\n3mmPxM5KNzBWAiA7stp9TjKwZhMHA1iiXUQfP3dGF3Yh/IDyINkFonn7kA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUIbVPY2OJB7MVdMpBK/7ulcw0pW0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASk23SGrb3ylNZmthVagtmz2q2B2qTuNosaPKlT\n4GmNj/Dbdvzz9QbEJ1MP0KVRp+ytG+4v5DQlgGWpoBFjNjNDo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFAR5ViTNgfKvcx3e/84zPQri+CJMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAnGucl50FgqBkcjos\ntt5c6ASrDP5Ljh+xCm1fMRRcjLACIQC0ANKjoulGqEvNnoEuz14X9joe1T81Wq1F\n1ZlKWp2jVw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUWQ40+YiVqj2FiVaz5Hdez4BMVJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARh8ENbLzhsHna9nknJXpO1yiKOgjYE6/fd3pVV\n909LgCHdNQNKpExGoACNSu+UiGnplqFNtTk7cVd2UZyBr9Qto3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKv7GGzcc8zKEnXL4ujj502bx8dmMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA69pw5WiTyihH+PuE\nBRlINVv4RJTFC8sVu9CJek8jH7gCIQC6mgMtydUj5X7HBkNwbriQBWhY4IMsuNRI\n+DURu5YAEw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUK4VAfM3f/myh533FpyFnMEUUh4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQlpNLQLyX+bo7ePdm0skrzahqMIzhkE0E32KP\njtBCtJGJh2fO3ztxwlO/8BORtxsc9qX3l70drUiwBQ9LE+kho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUUBHlWJM2B8q9zHd7/zjM9CuL4IkwHQYDVR0OBBYEFFDm\nBiZMWmbiL4s7aDMxuajQu2kaMAoGCCqGSM49BAMCA0kAMEYCIQD6KIbkN9GZSvYk\nBCKcRCT7Y5hFtCL8jYqgraS7d5Zo1QIhAPQ1YkRpQcobK+tZ0+3kFNvMVFzQFg2n\nOTQLyL4DY6T2\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUcZobqc7bxnlK5sLeWrNAl+H1N/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnOX/mzuTx81uNTMmQ43enwwUPeIjGo81aPSQH\njXQo2ZX+LiY4NMcZG8bf1wzqr8JKE5i6C1iauSvnzlgODWCro3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUq/sYbNxzzMoSdcvi6OPnTZvHx2YwHQYDVR0OBBYEFHFi\nQlR++oyPPmyzhqgEcWj1THcpMAoGCCqGSM49BAMCA0gAMEUCIQCoe+ERZzTa26bQ\nja7jmhY5ad88DqJ6T+Se5lMmneXkbwIgUofTxbbuB+Y5cKwjYekBZEQ0pPWlMddK\nYhG16GyNvi8=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUE3bExB2DMNvXFnDsaxe8UVAs/30wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEN9YUyhhoKYeBYQRUdd1oF4XuhEMMqJBYedse3WJk\ndQBH5AjMYFD+trK5zKpuMPb3XXCSwcCb5mkhA5EsKyEdtaNyMHAwHQYDVR0OBBYE\nFJ0kWgPQx9EDT1KSZybTdsddOrVyMB8GA1UdIwQYMBaAFFDmBiZMWmbiL4s7aDMx\nuajQu2kaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhZt6SiMmZpidP9JIl2F2kfzRB2wv3\noHkHI1ejRe6UcwIgBJOTn4LSyXcPyvRMGXFwiZEApYnR8exDMQvK6lvkPYE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPv7KtAm6c2khyzJ59OQIfj9W1ygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+MoAFalhRlfelDVw6q2gy9TIPW/3m6N9I4kGlF0S\nUKOPPURLmeaNDjmZm9C5mB5KtfXfftDYCOrT/d63JIx+uqNyMHAwHQYDVR0OBBYE\nFLbqvtOQAkWNZOHnqb+0SO2LoeCMMB8GA1UdIwQYMBaAFHFiQlR++oyPPmyzhqgE\ncWj1THcpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCETGHUFOwN3CQ33LrtfskoAn60k075\n5v/4khV7u29tcgIhAPK6/glbiSu6MNtX5t4T6gAFK2GKpMEy9ZGzB2kbYzKn\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUWyUFw3IpllRe2Y/ScI4TfMESJWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqCERV67FkzKoFLErFFWosaItsqGnJbp6huE4d\nWTnPiKZPudM+tYSTwFjSpQ08S/XyGaH670uU1n9DusRG2bklo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICzB7NZeEUFLym1i3L8HM8SQ\nKUZK1mBPIT+9jfDXj8c/AiEAq4iShV8ivF9W/J2pKNotGcNCg2Z7n3tJkbAvW5jy\nl4A=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUULJxIv9zLUC3PYehraVFZuHDMS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdrQOub3DV7p/tOUNIg6eBuGtFQVWurkw4WOvK\ny4Hru0FDTvB+rPDpz43aTDGHxRfwDqLWjURO/zWW2ZccoN2ao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEqG0jtRIgWSU8ZB8F8ZbZx3\n/nZ9gIHRdYGPWceVWsVVAiArbMWStYT2fy2tj2zkGvxuKgr74VEY2l50gmlaWogk\npw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUTZkg8wlKBRJneYLuC0wjySJ/H1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIbvF6SK5o9VtHqflKYn5eN2j+Od2aX6D9Te37\nDD/EMqk8rNAhfi5w4455MGnufeXLFXlopLMLSQW2ldzWyX8Uo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0OBBYEFOiE\nlVHoeU1GG13AGa7kQV2ZjDXIMAoGCCqGSM49BAMCA0cAMEQCIDY9lAGqTYbO4Dji\nrZbJBrxbsRkbUVUgnW+BWDP24iDmAiBYCdx6LQAi5eP9e8Hoxbp9+KK2q3bu7CgC\nur31seYLPA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUesJN1RP4LGIEP5nkKgLUwH/n0uowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDw6QN0UC4079esimgCH41flFxlyIFywpZZxZk\nCRDpplKH28/LxZFwSjX/gmtYBhuqtjE2/NbNYJ/3YJ+tQMl/o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0OBBYEFG8N\nhpxAb/VfOYTOV5Q8kq8g0YdUMAoGCCqGSM49BAMCA0gAMEUCIBBG9lbAdAup1hOh\ntWkzsd3PF4mQ3KD1PBlgiF8OipmuAiEAwZJo7b0U4cRFnWjPMMPnMjjKhDZtbjoq\nbAEH5Jalna0=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUX0FCGPG3fZyz17qlim7Loc9sYa4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8MkuprOsz64hXgPEGjtOiWXzYAv3O03WYHzcr\npWySrjqBEeoe5O+vraKDnGNKu8pRz8UgCTV4x9+hsI4tQoaCo3YwdDAdBgNVHQ4E\nFgQUWHOdLfEs9d5AAfa4Ymr6aOLxwJ4wHwYDVR0jBBgwFoAU6ISVUeh5TUYbXcAZ\nruRBXZmMNcgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCFMOP0hcWpiYyR0VaJKbaa\ni3zGQTq0DEkVgBCWPXdu4wIgH/YLeYmhUY8ok8vZJVKbr3UCDGzSBilK0Y+Cnsc0\nzW4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUBqkED6TciEeFR344evgY/zArksMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhn1fCs5HqUXhgLasiIEgHL+4/KdwxYNuJbIkX\nk9jgOmNIrY1pADPfgJM7C9ckImXoB3XTfq3eYWs9WTDeXf5Wo3YwdDAdBgNVHQ4E\nFgQUooj2KOFFF/+qpHou1R7JlaL+PG0wHwYDVR0jBBgwFoAUbw2GnEBv9V85hM5X\nlDySryDRh1QwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUPnkwd35XH2gsIhhGjUKY\n6Uurnq0prnckLYVa5bkL4QIhAP3vGgAhZORCtzlMaUM8SxI6LNVBVg2c+e3+8QAx\nxSWH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUOxNknRkB3g2NknZgf6NZfHBI8m4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASC1SgMSOs89NMcJjQpkifDHvJrWU+1uP1QF3iD\nAMLCR6vRe0w11CdfYnjxdwv4BnfRof2uIvXsuGg9W3pFNQpco4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFZCSY9vaoppwkV8eD7M3MWjsWqTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBoUGRV8OZphos1TDr9NbkP56tmphBGSYTkNxwu4RWE9QIgX7ZscrMmBRUtj8px\n2VmYCXJY/OjIpYjsb5F59Du9zVs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUdah6fIr55I2pfABlEeWHwqvaw/cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQu1Nthb37ieJFuWWEsz3/w5iH9D/Z1EhNI2lid\nXm0zHlD5qhmsh/9pshKqiVU4EFWF6pAzcuwYn0ydt39mMY1Co4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT3tzY2oXpInhT9UUxdA++UKdOuATAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAq8YDrWrVloUhEScCFSbx1u78Z/GW4mQiL+tB0PuRg8QCIDkCeOgoI5memO2A\n6uM1MmsVL4vMFZRxXgUvEZVPKSSJ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFXD3RcWfTlcBZIbCuz0tG9q8JvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKYJE26AiLXy6adIfBOk7UJ9raIXdOVRiEVBATiCy\nXrYhvYRXpBgG1jjwQyZnwP5T777QIAr+UWW9yoD9+Q5uHaNyMHAwHQYDVR0OBBYE\nFCQKmR8INOyOGtq5gXZTpzHtI0+dMB8GA1UdIwQYMBaAFEVkJJj29qimnCRXx4Ps\nzcxaOxapMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB0oYq6pHy7TmvP+8MPlIQDopJ9wC8Cq\ny1nR7gog92jpAiEA9GCgEIk87qLfRmmRygCqQzYsHte84+RQpjFAh5tMZFE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUaEoU2H8HKSXnswWEgctc4Yf6fVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvqIFpI2iyWuLfDDKp8TUEME+qZIFa/+tgh8W3ONV\ncU+UEEwdSBoiFeFh+T7JK+6TjwDhfb/XFjqlSA+6XqYgiKNyMHAwHQYDVR0OBBYE\nFH38jlw2pWdGPJ5DKz5lLQUtv+/mMB8GA1UdIwQYMBaAFPe3NjahekieFP1RTF0D\n75Qp064BMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBxqrZdmNn4Vri5ewRY3wfk0tMWZf4PX\nIMnr617iOMTNAiEAhYp+9rywRBpQTCvwSiEw3jaKEfqeHhlMbnWYH80oS9c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUEtoJpq6CAeejDqxskU11AMJnK8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ7rVdyDRleygCm1n19dTl6cu8VxZ1s/+aYCuu\nxQbusWGgbirpXMPNKq58NMNRiDhEKb2U4dDnp+jDNv9ThqlJo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUweUivU098FjRR+utqY83iGyAppkwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIByOh7oPfmvrgbEwVVl8MlX5d9Yn\notP+TZR87I5X/IA5AiEAj0SzNrXvj+Ix3SesPcx3Yi+ypR0+6n/Wv8SVQrTeJVA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUc1ysPf3H8MflFoN1mzWn/Pwywd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATi9KPZrtLHP6EmR6BuABbn8uza71O2G0qwYopw\ndiypdsXIXZc+YThHhefxz+RG7+NHyiTgricjFdczauHG+ngwo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCrYPCeL4/7bptNmZavOgmKQm+iIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDEYZUrWlR7yffjrs8885K8Zy6q\nEeE6E583qGiHKkN4BwIhAPho8R/prAGbiL319qTHAi9GbuXTBRXfIlBS/XdcW1/V\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWCJs3XC4O8dA9RaiGgCaYM6aVNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEp8AsUFRpxF4290mVvc25ivlmzpqtLbXDmkPvpkxR\nXQUxP3dsPp0LwXiPu+8rng2Z5AIlWGMJtU3Gpkc1vRK5aaNyMHAwHQYDVR0OBBYE\nFHdLS6jTBjK2tJnvWBKcubzIZ391MB8GA1UdIwQYMBaAFMHlIr1NPfBY0UfrramP\nN4hsgKaZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDPChlZAW17jcdQPUGGUCiWTboN01l3\ns8uIzyRXfBhBJAIgWjf5LUpN3S3fvN+EaTCZ4lCc7/q2AfkM2y2a2ND7w3w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUI//eknrdDiLoCoeKTh0n8tDpcrgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3bnwFTW4zVy/wv4oJUhlEGeisscdvK8SYvSzRBWk\nOFxy9h3s42R7i+UrURAsRRtap0yApFWP+xQo9a0ve7s9zaNyMHAwHQYDVR0OBBYE\nFJNsjaJt0S3n5zuPP71CmH/JvP2XMB8GA1UdIwQYMBaAFAq2Dwni+P+26bTZmWrz\noJikJvoiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDJcVHmUYp2ovMfHdpkz68PcqVhTTbv\nA3BlJI2AtYCyXgIgVWER2xQc5muEi6GejbuicUJacR8FfgiZqEGQz3QCOZo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUEYFUoMSYuiaO5BULZI/VUCclb14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2nT4dEMRyuau3+IwZ7PP+tHL2aShGxP+s1wo/\nvCmD3pPDVGWu2uCCgYlDweC/4xl2ZKYMfVP1DF/4IRqgC6Llo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUniNq+RF08G/jhmjgQQEu7tdKY0MwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgb7ICiwR5sqxnwpg57Oit\nknS89Uf/eceLKdvLT2vtXv0CICsyWPXFYi+5z7vtJV38An8ybFYWVv2j6D8QSc0/\nDz/a\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUOkpVFzG2YOxqqxmijMVerTRDaFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrzAKy3GoJ+qVxtzNFSvDh/jAsDltsFaI3WFNq\nJtcUUaiTa5V8BNrxS0w7qKmbc1pTOK4u/xxqXpQ0rg2/xx/Mo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJ8Lz/+yTfmXeuhaR2zZwueG8pcwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJupYl0Ozr8uVkWUaVk08\nkmpgh4WqkQX/dXiltDCjXPICICLVPrnpJKKKrbmvObpIdA/HDV/kOA/+c84ZTfob\nhYyQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUCiTsKQszyPPWM4ab80Lu6CzoVsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0rkfUNADk469+uePBEqZ+csY+johlap1B3zMKpMQ\nGwJuljVhq+09m3cEoCX3BtFata4shLLBuGli6/+uQpXhnaN2MHQwHQYDVR0OBBYE\nFOg9VoJbxop6L4tDCHe4ycJ+yZI3MB8GA1UdIwQYMBaAFJ4javkRdPBv44Zo4EEB\nLu7XSmNDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAw8ONQPgbCHfa2SGpoZH6J8xZ\nmjNyZWXdPK4ZEyk3awYCIDkDArEOhD4L8h9Fipuose2bQ/HkM2IPap97xgzv+yN6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUMq+WAd2HjnKoAJ2aCXLO5ET27OgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXbRSvcIjM1HWHgPhGKqZKuCxkOdjcnXcuzbh8+IM\nHXPyXFHigohNFQJvzuWnEMlCM7FdLo/agBWpy2xx0X/E/qN2MHQwHQYDVR0OBBYE\nFJ1RX6rJCRhwEmoFzRy43zj5d1yHMB8GA1UdIwQYMBaAFMCfC8//sk35l3roWkds\n2cLnhvKXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+zzgthdo4zTVte0aHKwNxGNx\ngmQ1jMTeokSDr1dI1uICIEI3G0lAl98R4VPcUZSEXd51NAQdMZhDY4Lxdd+tIM3d\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUB3U4O0XDOWkMEJxrgC/F6wqVDmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKldcpz7NEZxcSLPheHeJqgHk23Bo1ND4zb/li\n5uAkFEnfYjiNn5Owcr0Msgene9NA4B26Ak+JNTu7W6fFPifbo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI8plBJ5bzkgtYOhuyo2CFn0q9mwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgPXRDmuE6Qfm41q2r60IjqJfz+QmlL0GS\nxr16BIrL3iwCIBEi4S7+BXG2yazdsSW1rfLyXDzzg8TngOqi0iQxqH1J\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUSvZNxwc7HPR5levo2+6HSDt6v5IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR26cinohfXDsBNTFnH+rH8uSJPPVRphvrig+Tc\nO1705omQ4f1Kx4/nwAqdWqTqvTM5r+TFCTFHAr+xYHfA38Ffo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbUJnDmDxjKsx/IXrWGOm5mRwZAowFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgIbZBdecDbpYH6deyF60lDibYpDPmLm3z\n24vX2YWFQS8CIQCxuWkAYJ98AREeWhvVFu1sbT2Eps0QiAP0QwiSd5GnQw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUEUTW0rEqmY3Ox3HCksHqYq7ZtIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGdczDWVjroA/hjowFQPqEncH5t1jYfKH5MbdkrYB\nuVyaEHNqMerkx4Kw7woRrZbEhRx3HW6j/C0Tsi3+2j1kN6NrMGkwHQYDVR0OBBYE\nFMI74ptjBCFEDYMEsOztgPUJLl/YMB8GA1UdIwQYMBaAFCPKZQSeW85ILWDobsqN\nghZ9KvZsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIgDkDrZEG3KLbfQfwDoSryiX/UxwENX7igymdf98kE\nbWICIQDWOvzbcCSHVQDZ5oj9fvkDaSPKKlUv+RTFbLVl6rAXqg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZp0BkeLWoc7wo+w5FmCdmTwlduYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEepBidwkpKLoNeN1rTqpLMtnnUN8VgP696woIe6jG\nFREVAzORguA3atkc+VX4K67Mt+g4DtCJOygO/ZWVu4+iSKNrMGkwHQYDVR0OBBYE\nFAE1NkATt/Drye7DcISm5fGprRlBMB8GA1UdIwQYMBaAFG1CZw5g8YyrMfyF61hj\npuZkcGQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIhAIrJFyYtzIJXFT3lmt1D8aFLau6xrLRIT6KiAJ9N\nlZZ5AiBEiEI0ffvJlZUUyNzwUySOPgzCazuiNzCZWhqvaClIWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUL2DZk0nAgwzm2jPEZ/77bTSrcGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmgE2gicycSkjppGz6/MfPqyovqLQh8zmhyYee\nYhqdadg+c7hpBR/XnHBtkyDnYxCYj071RbI6VFYX4Obz3W+ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4O853HWZJ6iu5sF3dzjP9szUQyUwCgYIKoZIzj0EAwIDRwAwRAIg\nIPc4A9/+ZEAY+Da3HKhmPeAcBNtnHCO/+LziYP1gBtUCIFfVCJuhw/WOHXFKhAcH\nDDFUdHKwkyZTEHhbpyj1fyvF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW5/Mx0Mv1XUjLa2ClLib7TyI36AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj2kdPhjwaFzqdwr0KYplqJnucCQOBU+qQ5Gte\nU9yQ8Nnchdhm3ZrAbcFE9BDFaAT9/EN8DMmriRnjT26eYzKvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrTjjXzGHOk903V/IDAFCkrABmQ4wCgYIKoZIzj0EAwIDRwAwRAIg\naQvlt8eRmycUGIeEyUceWbR1+L6pBzNTQIVs+K4bdXwCIDhdYuU29ny/hbCe3RZ/\nHVrhwoh6pg0CQ8P1k2gl20ai\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0jCCAXmgAwIBAgIUNVnKnrjaWn87qqDMhVmg/G96o2swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVdLCgJlIX/Tn8B2P/RAihGPcg/8aiuJpPU1Mr6Wa\n6uVghBtlJK4/2RC2tsV7f+DBYty8wW4mlCKsNHHIIRsQGqOBnDCBmTAdBgNVHQ4E\nFgQUEllIhWRv2lBXPzyKpWLaimv8yB0wHwYDVR0jBBgwFoAU4O853HWZJ6iu5sF3\ndzjP9szUQyUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiBqHgK/9TQ3xGWfi6UcFP2p9SJrNKjZ/NL6aFh5\nPgx4pQIgEXPxeqafyygzZ6MOMbiTSsAFO4f71N1PBuBLhZ/Jdns=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1DCCAXmgAwIBAgIUKp4gzvkrqG80WYkiKBbT7CH5M8swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8e6Kk+eLQxUIID8Qw2Pzj165zvRBZickAB6j0l8w\nbiVx3fxR793Tt7hFp+RzuvCFGnK9pcTxgPKV05LLMiyrlKOBnDCBmTAdBgNVHQ4E\nFgQUpoSJ4MiQSdC3gL2sqKVIscHtOe4wHwYDVR0jBBgwFoAUrTjjXzGHOk903V/I\nDAFCkrABmQ4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEArmzHJK8yLRvWPpTuu2aJ2tjyV7TxEYxZhcB0\n7scHSzcCIQCA1AcTJFm3dTP4jwkPLkwtDWjsBwzuFKnejj0yIugXkA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUU3oVxRgwUAalAOkZEzmjnHNeGfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG/b9Kme9JY9wQvvpYBLf3LsoROtKpAj4bvVV3\nWPDy6C9NwE4dsUCXjE8maJ4+0LkJTjcAxhFfuhoCw/Sa+yz5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5K8YjxjlDWnRXEFBVyK3AAq0SG4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnbMU4sNKYkvVJ29UirMVFTaVkchj8NSwteRC+n9NF/AiEAvSW4mLBg7SEQNQVs\nO/GPyipjsWaqd1B6ARpuIPXOoqo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQJwFZCEHEps3QcaVcPP7mtzOTy4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsH7K5plQE0xDhukENo7sSNL9KL1wHesKvqjJ5\nDwLX4LRyycVeZQ0+ryfLY7wg+PDZ557HYzjgG2g/Ff7a8Eobo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfEIQnLwVW/sNZBEhrF7Dm0mMq7YwCgYIKoZIzj0EAwIDRwAwRAIg\nBYK/sqz50VHlhLfab9+vXQPmWXK/dAuOyLVd1658m2wCIGqhzJ24tHhzCkAGjWMo\ny7vVqwysmt0Ri01yHpnHFlAP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUCnHvC3XUwuoPScqd63RgGUMNCbUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXGnWazolqmodbj7IU+NF6HJd5dcS7pexi0Mr6oRT\nbUgClxQQtq444GJpo+JyrC9rB4wlxrc0Uy1C5CLra9dRD6OBnzCBnDAdBgNVHQ4E\nFgQUHWZ1TyeJPOAkHl0beV31h/q2JfkwHwYDVR0jBBgwFoAU5K8YjxjlDWnRXEFB\nVyK3AAq0SG4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBZR5Q3GzBusiotHytUUVK3/tHKgZ2XCP9y\nNsFTuZdTFQIgRmXWft/V5BHiQYZY3MPUA0APT3WCr9LqtfsV6xmFE9k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1zCCAXygAwIBAgIUKKTa1HzEf9BZ61O+Ckay6JIHb90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJnx8MHBqGimpXXzUOe0zdff6JX8xjIodaSmRzwAZ\ndaUCc3+17TKEFB0w7Zzyr/mIMZyiSPo/phJ3lzqQl8nd+KOBnzCBnDAdBgNVHQ4E\nFgQUwhi87zsXwKom+ktn5qFwIB8moBIwHwYDVR0jBBgwFoAUfEIQnLwVW/sNZBEh\nrF7Dm0mMq7YwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA8TDPbRB8Cbl9IXiHjxHAzipQwjqkkoYL\nuzICAC+FuIYCIQDZwRK6Hk77KX1LSqVWd1Zo5ZYizWyjOpyJdhDDTDiTCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,56 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFkvoUj4nDntgR7sW/NTLDAuHNRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPPBp3uFnpjPB9CXP09GXdGsjFj5pglE0OvP7X\nDmj6peCL+qAXBySt6CKz64TSx5xTY4eS5a8o6XA4h0BoeQ6Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxVgHxJ+Br6lqUEitWAjL9MDcUUUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMA49x385gVyijvzJFs3yzkdF8Ii8sUKsICYQAmjkoPRAiEA8ZvkETmVHoNP61vR\nQfqeSTIH/c6dPRWHBqRMBVfDbGY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbB4tyTsOtYywha04jq7acZn0RecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDSzzzVeW0IdbyRegkd9FruSVPbfBo+z930GF5\ncq8F8TpjD2dR6AaeO4UetIooL/QQWXpIOypxETbgZqTbU+bvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4Kt1Ki00EAsAHchUyvELsVr9uikwCgYIKoZIzj0EAwIDSAAwRQIh\nAP3MpSpT3FkCAaUpSXZBBA67HcMacPZMq6mQzPBGdmQHAiBsU/bW8epJsMWxMgli\nIMaxIpjL+RU7qQzGq5UBHxYE0Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATagAwIBAgIURcMzCmpjt1RmwBnUVdaxBiGnwYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeubdQOm3\nbw0PrksR5Z49stXQmcVNDCsjd1MsN9ZE8C37I7QgyNrGPDKXFOUzUB+yzsxHGaCs\ny6IAsI4tAub1tqNyMHAwHQYDVR0OBBYEFHRMrI42n9+YYa1L9IiKLTmWpU4KMB8G\nA1UdIwQYMBaAFMVYB8Sfga+palBIrVgIy/TA3FFFMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBPMesJldlJRMJ1O6iidTEEpyt7naMV5ICpMKCrRQ/IcAiEA3KdlZzqUk49CRKfN\nfBF2G1xYCjggkiMePwYRDadBK1I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUBj4Hteni3z53sFKu1te40/pZceAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIJPwcXs/\nlWIbJCLVO1NQNIeiDqwfQvUlmnwa01iDx/EjHJgBv806OZf7CWGDob9LqZ26AQcs\nGVpwR+d9kCLyoaNyMHAwHQYDVR0OBBYEFNw80oeyO4+IG3+i1mbrLJCwQWc6MB8G\nA1UdIwQYMBaAFOCrdSotNBALAB3IVMrxC7Fa/bopMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQCuPkGDWB+xO/4KPBOGuQfUYWExFFF095kMVL148ELQxwIhAJ+eAe8imlfud3+/\ni9kpn8vqh1ByJLkAhi/yHnbwVVqk\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::serial-number-too-long", + "features": [ + "pedantic-serial-number" + ], + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaLmVxLb40TUnmzAium8ATjMnG0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhpiIIIF1TQzIfq7V0N7muZWReVpr7bw4x+NdP\nZplCAI7cYaPY+VlDqkqM9dce0U3fIrriPukMmu8d1xBQrNs7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUH4U18vfVx/Sii9RdiF2xDlkfwUIwCgYIKoZIzj0EAwIDSQAwRgIh\nAKE75NG6wWJw/xm8/V0J0xwXKGnnE6UJ/wko5z349UrOAiEAtEilS9d2BBSXLLrX\nwIB0ewMpaYaPzhGBzTECVHhsDoE=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIXALdIpF88+JgstJMMrxY3/cAhGH5PlPAwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEkMKD7TCzLslqKMHuE/9AFgjTu9nKKFec92sD\nlP3q78t5hrMxxjIkY5k/C/ZcVWD/CSs5VtDnLuXfzZdT9MngAqNyMHAwHQYDVR0O\nBBYEFIXGBpmoDKX20+/9eRU8JUTgjuhuMB8GA1UdIwQYMBaAFB+FNfL31cf0oovU\nXYhdsQ5ZH8FCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH/kMgVkfMPWAo8PnTU5USEWxdVC\n/53dwOvNn6wmd6RhAiBRrtgcOgIqIbvgLhFNxL2swL0uwvRqHyJf1uYrGUh82Q==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::serial-number-zero", + "features": [ + "pedantic-serial-number" + ], + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVuFxalLQdRYq2Xm70ynJMtnDc5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+QoQ1gavLPcIQnv9BTfKxYz+xDn5f89xpNqkW\nftuFB0cdhXP5DZ+UtkLfrEvQDXuMdhC9A+u/NEXVbrgN+6bxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCgYIKoZIzj0EAwIDRwAwRAIg\nW4MJgKbLsDidqpIFXKVUolAziU7zaNTOB3EzMiFNMw0CIFjEh4VaLF5GltRw/dkv\n31jQ54SSSt8osXt9L7h0yhtY\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATugAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATi\nmVdieALrrbL0Vm5XlwseAAip4o3Aefau4tcL6BowGfNmNEjcaPDdF4AMP3oYt+uS\nAn/y5HTw3V3MXa20s2buo3IwcDAdBgNVHQ4EFgQUbXaFfYLenG2cI8kVW5gfBt7p\nAsIwHwYDVR0jBBgwFoAUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMObSATfxBkr3elONK/ijtczmZo0vDUEWcMYSi+HBO9oAiEAj8bgVl8J\nqUi2MerrdyQbIHgJCjTLyS/zK2xAcQtmgg0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1174,10 +1220,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCJhLV0HWIqFpHmluAQC+qi5lDuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCT0E9aZW06sMW/fAD9Ys6vTw3VL5Zy1q/bhnD\nc2T4fWUUKTc+hgUcDrEHVPwcW6hMxmUJ7cVk/ReEEcOWSzhRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUljbuY+c6+huxT0uJvGeJtpvl1aEwCgYIKoZIzj0EAwIDSQAwRgIh\nANQVez50aTzq4nG7XarIMUv5ZRQ+WFigeLKEPzejkxe8AiEA/PzPwiahXMzS8scA\nN61cGERivbqweT+xhDrLBd+dQYM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQF1v/9dcX8xvz9stIt3pvBDlONgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARusl54v3aQdaEwpTOVgiWboWUZKKxDWm8owfao\nZguLac24AJQBND7LYyFSLYgxQs9Y6g6/QV9vKdgSzeW7rc1eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYcNwnh1/TyreGDT2uXaPU53iUNQwCgYIKoZIzj0EAwIDSAAwRQIh\nAIR0+osEiOwkZ51FXBO4AkQvqvoTYwLWsj+/Ep4n8DKLAiBSzgvnJLthTz5odLh3\nAHfiq+PYCG9OKEuXKEkPeyq5SQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUPIe1uc8p9JGOfApbd62KmoMXK0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpizKJsYvrROwdmmQcZLnpVDV63TMITnusX1YQ5+T\nv3OxIK0LXfi/Xxjs8JAtID43NxgNYYbXM88ilKxQCxODbKNyMHAwHQYDVR0OBBYE\nFCCa938/Twumf8rgJFDFAvei8Mf5MB8GA1UdIwQYMBaAFJY27mPnOvobsU9Libxn\nibab5dWhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnLeqYF6+s+MRIfEVgErUm5dVLLgVCe\nMqqC7NtVEW7AAiBaEIltx35XSZ89mrSnlTknubH10ppvj7sii5qZCNSbPA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUL0rDGUHPUNAaKAjtSByazhtWAIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpFULyqYONxu/akgs/5YAVa1qKYp+6PhNSrOmHcu8\npHNX1xJ8LKNt+t25EBFRZpfIEJq52+ep4doa2EAnsdHHJqNyMHAwHQYDVR0OBBYE\nFAQQZDMIa/SCHDetvjRVr3cmvJxVMB8GA1UdIwQYMBaAFGHDcJ4df08q3hg09rl2\nj1Od4lDUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBn1LqvF/ZsN7FYXEVoHXxypPbjAAqO0\nDV+UerXlnhGQAiEA6mmF7ZigZHH8LOdlwFSMhsJD2bBBzADsLOWZWa6TRNo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1195,10 +1241,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeCG4c6nEcWkwuPc++u+RxjUZhBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiBGBLi7jXZF2iLs5vs6IBVIJ+yYk8HSoyJUdE\nYPcaLIqgNco4isTqeSSXR+J3DDsllzHFNc7HscPCTanImUHFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqDhoZqtkjgcYrNMy3RMT4OJxEzAwCgYIKoZIzj0EAwIDSAAwRQIg\nMTPiwnTON9o5ehTO9G4Z+wrbsUHW+ujhAPmzYD2QFtcCIQDPZKDAqes7wMW+GeKX\nhCULCC+SJkeipZirAVnATgw1aQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVk2TYUXDnv7FTcqN7aH2ELWIvfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfVOPb8CBNIcq3oozwu4fDHST1lOi04FWRxBSF\nj3hSr4E23UEzqxbK1rEmeyLXxPGKNjVlbh3N1HGCHTv0MhX6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYp+BthW59hhoO2BBmz/J1EitxhAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMEVuDPTzUKTjcc2NcWWpelskeeo/B+0NGSFyUezpSMGAiAbj6pSPDo/loG0bbvr\ntu/O3qJmVCV4pgws1S2FHhbfJA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWbzbyODwOTcHxs56i/y8Wuv5RHMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/iBo8FULqNuJT9zjTQHMLuSXiYTiPUjBVfinM4Ee\nw6V+fGs5n1Q9N8C68JqVUpDOJ6GJMn5hA2QTyqkxIKVVCqNyMHAwHQYDVR0OBBYE\nFOW+czlMvVmMXIik4iUvsX7MMqYRMB8GA1UdIwQYMBaAFKg4aGarZI4HGKzTMt0T\nE+DicRMwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5kC4Vc0uDvCnTcc3siwXah8j8p1p7\nBdwS7buWfmM2YwIhAJE4oMIr8p0g82aBCzvpAEym++8CBtLqpGC4Dr4SIPgV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWGGaottBxPRT+HlBs6uEgzxZlAowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4Xi1GxPLGHlegfSBx7aa3Oxwv4YLH8NMU3FZhCgc\nSk+9/5XLl6tm3mZqLHIyjeXS7UllCAtDqN5tuR31zvBHVqNyMHAwHQYDVR0OBBYE\nFBKfjixw9UZXouh/H77u3NF5/Sw8MB8GA1UdIwQYMBaAFGKfgbYVufYYaDtgQZs/\nydRIrcYQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLWD/Et3eWB7dAGDK/sizTrIY4E+WB\ni5hTKC5k0mEW5QIgWZERsKsBp2y9NQhnR5rCaHmzPZBBjEcVt0AJEV3uS30=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1216,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOGmPlYIIxIJMMCLWjtvCZMal1/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT79MH3jKtwdp3Ed2mQ6O6/HvyiIHFmNOYNS+6O\n+Cq6P/KMLykZfkNmekBUYg6UsAN35On3eYtPTw7Lg6qAZlU5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVfhpEQSPm6l8+q1L0DAVXAKMatcwCgYIKoZIzj0EAwIDRwAwRAIg\nacaVDePHwwqxBiHmXLRmR5BhEgOJjEWH6sU1gdttHwQCID1N5zLP6m4V/N89ccmL\nHCruCW1r+GVJ8naUCPnk4ogu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAaAgspevIuW8hv6h486BK13gLaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRbSvodDHpJHp9g34G5hQYfTe9XLTVCMAqG8RH\nZFzFb9lGADOs0xze91DeIqE0B8NMRNceb2Qgm73IFKfrl+6Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmPh4DCXyrIFEm/tpwoR7SKtMpbYwCgYIKoZIzj0EAwIDSAAwRQIg\nPcMH2DpVllH9Hk3uyqrnDIgTL4GKqEChkuwOmpueZwACIQCVqHxdd2/u1UWH3rXr\nUPbMJsU7upGObY3qG9S8ohVkRQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUabgJ2oJA5BCnD6Qw3J+ZDq29FiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKSRRA4u0ScGvjcSDQ+V/U+fHtHEs9sViYYfZYAal\nBEgCDToijwyJxZM65eqU3pIepF1iOzcC01EDmZ1qXPjxr6N2MHQwHQYDVR0OBBYE\nFDv5J31g+pbYQMq8lUlI1+h13hDRMB8GA1UdIwQYMBaAFFX4aREEj5upfPqtS9Aw\nFVwCjGrXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9h/4THSmp/+7wohOSfYUdYRE\nxGUpQUsoyEVntI/ge/oCIEYDs24QtVBTojBbC7LJOOjiqXCW5/A473DjBl0VlMGp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUK3DdE4PKVOori041Ps5K6K1gCAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZmuQeRnVLLgdbvnCDKFmhb33FwS/s5V+KHUxpIR7\nCcuD/Pp2+MtaQ3FaY+2utv+k1ZAPSqHtkxziNLt5lOGaqqN2MHQwHQYDVR0OBBYE\nFDqouf5JXFbRePg6aIGrbCQo/fpAMB8GA1UdIwQYMBaAFJj4eAwl8qyBRJv7acKE\ne0irTKW2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA7qkRePp90y+87T24+IhYwElN\nofbh3rrAjj+FoePkW0wCIQDa5Or43N/QYkpw6QQ8A2diAncEifkbkgLaZjhRACOq\niQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1237,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUThohgt8Xz2P0CDqY3Hkjrxf4CiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAqrmg/y+z1tRUZ/ulVoNV9LIACtrOoe/1tp6T\nTsfQXpv7TMAO3scWXQkkCqkDAle86IgrD3s07sO/Oy7qtRYHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkd+XBeRZXwgkKzt7Ei7iJBGP/7cwCgYIKoZIzj0EAwIDSAAwRQIg\nPjCmHmcg4sj5UHn/qfrU4oMo1+PZ1cezB+5liT7hOA0CIQC7Rc2yt/CWg/gGh+c/\ncHMZbMnBrO3khh7S35dAAehYfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQicRDY+pUvMPDkGXTTD1T4bJ35MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/wImXzXKF3t3C7AFl2YDBxW5Y0O9oquz/KnDM\n9ahB/tTdIhLLQ29X4v8lPKD85h96Tl8Lnbuk2rdMVA3CKp+No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuIriSz+LZ1+SSTVEHyOAFYm0VMIwCgYIKoZIzj0EAwIDSAAwRQIg\nWVVG4esXBXJb6Y4lAtpXeQy83prf8DEJASw8lo2cj5UCIQCTNFyJHS7F9iVjP2V5\nGtv7DsrvDccjKm39yxNsi8rBmg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUfYh31CnCdzI9mnPut9Gaa1EGaq0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYf0NTQ1KFIP6Xda2U8c8Sg6XVRUP8f4sNSsK5Z94\nI/BDFmQTaIyBmLrPfc1CbbS6k+mWfS8s36gatJi0w8WVJ6NyMHAwHQYDVR0OBBYE\nFA/JjqVPO/s5gWllhL7/bLwl1uB6MB8GA1UdIwQYMBaAFJHflwXkWV8IJCs7exIu\n4iQRj/+3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIQDCXX6thqfiDd4LYvYjYGiWkbxOVxhM\ndZOPpCldoYwXDwIfFK56cet12ILpbcTLp5tZnZ+AfGvsLmoouHXKDLDl4Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUcDlGwevs52Tkj8U1JbWvbExaBpUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1EgmZugwqVBB3ikUOmEinlXgTp3akyMJD9Z3j204\ng3Caabx5A7YtfplfqPX9zECpWjSAl6+OleDR/DXKHmhX2qNyMHAwHQYDVR0OBBYE\nFLhM9YZ9s2fNgihbAUkYL8//ON5FMB8GA1UdIwQYMBaAFLiK4ks/i2dfkkk1RB8j\ngBWJtFTCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCyCJtv+HY+j+BiSjtdH0a9XcOcbRBk\n1w/ndnfP2QOrqQIhAIW2/eCXRrXGY3znbhnsMSXpgUHBzhve+liNREoaXhHw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1258,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUC/IWlMOYevPFCQBvRfVcmAQzMLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0Kh0/PRkY9l2RquvfdEuZt/HsPKcg8gaseVIg\nj0vhXaZMFYh88hTFNp6d/z07X1x4qVSjO0iGEm2nLWpVCoU3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUScTZyj5bpCz1JS2L+k6qjuPLtPEwCgYIKoZIzj0EAwIDSQAwRgIh\nAIov1SRvSBeJTP6U3zpBmtbezuaK4djOyAqOMGy5Ia3ZAiEAr5AZ6KwpfCg+sZnG\n3BjU3QMGeHbtrbGckLIlU7A63xo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAUNhcRiwqR71HVb0m2ZIodbh7YowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2Hv7qbRBLaQudOhlnnMev5FE1LhmE42uHVTKF\nSjsV11nQpK1vjylQhEsHfKCoHJ05fReYu9BwLlD1UbpTAKAPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAhD+B0Er8WE84nI2Ot2NOadY2vcwCgYIKoZIzj0EAwIDSQAwRgIh\nAMgEuvfkMBWpTmgVuFGUl01nE97trThxV2sGlWU4QDS0AiEA6J3MmZZlibvb7oL3\nBMiuLifI7Kdbb78DdRqtRILt6KI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUY/thXtqgBYK83RuX7VYVc6qzTyUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/QO1yNt1LgB/gDHY+Rr9V40C+7MtMkx0w+rYl/8A\nsNV6ogDdyIYUPXo/dkfwKOZAy/FF1a1LFlhLlL8SuA2faaN2MHQwHQYDVR0OBBYE\nFOlrwkxqJ9Ar+yi9iO7P3fj2WLwAMB8GA1UdIwQYMBaAFEnE2co+W6Qs9SUti/pO\nqo7jy7TxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBVJfmC5gcR4HocneeMV2J0FEkJ\netRqxuqUW6gmV7+iMQIhAJgy3voSMdoc69JEfETj2lYB2GSN1rhUar6HG4fVFTuB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUcKY76Hz72Y/I0h837dLrHmUEGkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4nBIJvYnZCb3xWagkffmLbvmdqluPCSmHofqRk8L\njkSNftXmhMVePycESKqzIztukZtTiv6y23XWt4WHbWVwAKN2MHQwHQYDVR0OBBYE\nFPegbXRAjCle/oStuxK7jof8dsk+MB8GA1UdIwQYMBaAFAIQ/gdBK/FhPOJyNjrd\njTmnWNr3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAvBTj+EIrF+OKzNT78HEJ5V1T\nZ6H2x1Hkbjm5bE1WD3ECIQDSVRA1u6eqw0/2kPG3J+taFrqjvgiDHAWFPJRzupe4\new==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1327,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE1Ez+G8Fp5IIHRQk91BUj25aTNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv9OBC50OmFJYoOcc8xoKMQFcT/PCQ1zYKNSoS\nNQADuBPPweR24/8WuqG01WUMi4e0r9sEUTkUDvTK0u6atIl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnUI6eWBtmFLmPfar+Qgvi/SraQgwCgYIKoZIzj0EAwIDSAAwRQIg\nTxhTgIi5SSjqQEqp1I8Q0g0m9YdciiQIWFX+mMqxxG4CIQD2xa3n8k7G5HX6qXou\nJY4JkiHwKDUCvpLC2q8X/nj3Sw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVgYTxqbCylvAthB1HkxJkmz4GjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrUSciHP1ClYowVKHnYfNANo9R1ETdhT2jQLTs\nXjERbxYdqiYejs7fimYwTssUNnP25QnVtKbzu3mas4cDaBPlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU84EEFINdgyFPabgSPUmhGvCyTdEwCgYIKoZIzj0EAwIDSAAwRQIg\nYlgIogX2rgXxJmHpghUZxCvCu4DziVubR4jiUhRl1VECIQDgyfwq0F0nwPDijgfh\neHqdH0584XcQLPMc43arXpQTEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUigAwIBAgIUPGCQe9O3ObeQrwbf4uFrdZyn5QswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJ8MP02FUodQSmPSXd6RiIK1RgTbGtff4G5qhkGvu\nAK0Japjdw8IOetDQSIEkZgte25TNrsLHjEHAE8LaPGE4VqNsMGowHQYDVR0OBBYE\nFJ/+w3raWjQ6ms3D98uGRGWzPRSqMB8GA1UdIwQYMBaAFJ1COnlgbZhS5j32q/kI\nL4v0q2kIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0cAMEQCIH6EpdhXCV/G8ydQqMj2r0yuqQCG2BheJ/X/m5UE\nGofsAiBp2r+huPgj506hTxCAVWtaypGH5Hrgt2ivjJgfh53ZXw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUigAwIBAgIUT7WlbnpeXo8Owhj9fl+zbVCVDxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE79U2OH+K5Re9m/izsr8u+fZxZnFtNu/FnVCPTgOh\nlP5tqOn5D76JbKKWCFNBvGuA912xl6a8x6cwZC5bUssgDqNsMGowHQYDVR0OBBYE\nFHWi/fQ9ViUKlp98NaJfMronjujtMB8GA1UdIwQYMBaAFPOBBBSDXYMhT2m4Ej1J\noRrwsk3RMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0kAMEYCIQDKLna+ApmXR4lvJXXcYjDh9iOnH7/9ucMQcOrT\nUjZ+PAIhAIMMBa7ao+XyDZIHbpVnHfEM5VO881Q5KFlanIzYN1V9\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1302,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWCw02c1ZByJeHj3nm4VskmRa2XAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYvKtsA351jw2podUbGuf1zURI5nq8P7+RQGNl\nwvYgkJx4DkyJIPsYhKLEQRbR8sjY18ceaZhj0rtkHDIygtjOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXufc55zdfkxGdOsUunelnyuBP+QwCgYIKoZIzj0EAwIDSAAwRQIg\nGrPzVL06H6nHRXPViXZpG/6g47hBLfITYNxc4OZNB2MCIQDc6Hzd+lS0sCekXNBg\nmRbKG6ox/VYn6Zna9mPGTXXtYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOo1m+qD4vhjoZaV/t8rKQUWT1lUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq2I8ES6Rwzzn/oTyOb7bdkwH6Bym59N6Bs0zz\nUYR7SftTMx3SsvZb/2rDDYhzAu1INWFoCU0rWAS5zWK11iuqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjk1wTOIdEdvqts+RXGuqYrksXRswCgYIKoZIzj0EAwIDRwAwRAIg\nNOFmQtXZnMil5AWIwpXLJvXTTt9o5lwlHAmpb/x0WJ4CIHZqw5b4cHB/FBnj0mzG\nyUufLoCXCyeCed6rTKo9oGRD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUecT+6PlepK8VHquHuN6HzYsOV2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAES5ArpZKvuim+xw7hbjGglRsbjRwEQNC6iH1WoqTb\nQ+pOHG3FcFn2tVCjIOJf/0fSXgy6Ae112wg6NAumP/b3BKN0MHIwHQYDVR0OBBYE\nFJreUnk13r8j9PLNqZm85zLwJerXMB8GA1UdIwQYMBaAFF7n3Oec3X5MRnTrFLp3\npZ8rgT/kMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPaoZiHniIfgOWIzFuFwV+89Vg7P\nNk9sXgU7xgh7a3FjAiB87TqziRz6jDDxuHK7PaKSQJfdgmHBrJCEzEUCK43WUQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUULhgX88BbwTVXs77VEhmIeQzV+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAET/1sDVvq011MLgzrzUwts5R398/lZZ2J1s5uflHJ\nkuchnCzDEwhcNhDbTQGUFo4vtA1pIZWb/Xqhb/LijUwAO6N0MHIwHQYDVR0OBBYE\nFIOQDq9awa/17pU9oXzb5zvyXktpMB8GA1UdIwQYMBaAFI5NcEziHRHb6rbPkVxr\nqmK5LF0bMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgOYqIlwJ/Hh9kI1e/0/kjexcAYHzA\ncLzznpD3xK3scRcCIBdEQVh+OPRWUHtupeN3Fe4mi3LdmVjQ5fxYac2v5A/2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1323,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEh7Jh3bIUr3XsnLFdoRkxk16gJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQvebXjF5ENvFw++u0jirrm9Kr7KqHA+7F6zlin\nDmDwb/j/9eJLKN8HwzbWQ6JhsnE7lC+wzan1XMb3VblFUXaFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmkpe3vdND4GvOAQuCpmQIoiS/3YwCgYIKoZIzj0EAwIDRwAwRAIg\nBioe8oaUfjnXn942pTXI4Ompn8KqGcuyF9A+q90QcfkCIAnVzdWQpBvgLv31a5uI\nl2y+xIEfvl2Xl0C8NSqBXnxF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSSdRAIQZIrXhYWsM4pTGcNifwUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+w7B096Qlaz1n1T/HwmxOZ9k53liC9RxphOsv\nV6hIPWxbFiyx4L24C8+51/P2ueLu1J+4BeN+TijTHKF/7wqoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUemLU5cZxiorxF137kMYZ0aS9WTwwCgYIKoZIzj0EAwIDSQAwRgIh\nALralzEceIg5pN6Flohh76l3zVLvE35HwtLeFxVX9QWuAiEAhQutC8vW38HtxT/8\nz1JSEwbsz+PiN4pgUBJDjScnNIc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUAueeQUXasWyJ+Id5zi55y7+NmYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEt6rMI5v1JzNbcqrhCA9yHS8LqlAYWhiuMaZ4QDgA\n/xo+F1DEXU2vm1n9zw6QquJA2YLhvKnYF8N8pPjRChTj/aN2MHQwHQYDVR0OBBYE\nFKuzQVJr+MbOHIPSYDv7lDJ8dkZ5MB8GA1UdIwQYMBaAFJpKXt73TQ+BrzgELgqZ\nkCKIkv92MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAtP+23lAx1P0q3qmwEq9WNZqo\nU5Lnar6MTbTunlba2WkCIQC85ba8dkdJ9f6wB0OehDo424f+ckWLHDhdmgXhWDEK\nnQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUCtUSA5y3+LFOyrZAnSzmAhtqLdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqgREOVYbBNXcTfsZNq2e3s1Q2Y9b7LlGEcEl+TdT\nRKuVJAGI7nnQeSjdPyhx+fioa1K4YB0aYPfTkBWgBqse+qN2MHQwHQYDVR0OBBYE\nFJlTqMX/RFV6vjzzB8kU8pKymRoRMB8GA1UdIwQYMBaAFHpi1OXGcYqK8Rdd+5DG\nGdGkvVk8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzG0Iw8s1n10OJmPc/tQlQ1EE\n5CoaTgyFjuVkxYapXusCIQC12NGDZDUBOKtcHqPIQAvTM1AQY5eoClrvHVNbCaOR\nvw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1344,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULvYmlsUZDi1JltJq7dMpElEdFpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEqU5MtxoNt3amrt5DL6+y3cwo/jS7eGYDGlzG\nsHCDAUsxvoEEKRAfxXLv3eZNYZfu2b1E/bo+6D2fcbkUiAywo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuBt8ikoYh+C+eTnY7VwZv7eHBfcwCgYIKoZIzj0EAwIDSAAwRQIg\nE66jnyrOFeLGEK8VdgeajnWiMGcZ6z47ycnzF8gKTl4CIQCfrCNXlSF46FcZiLKi\nt16LRugZnzneYj9Wv6nHVpz6vQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUa9v4mlUtNK/jY77ffRC+aO7534swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKfEPit77/5P/gC0DNPiQV53SuJgnT8ijXHcKJ\nIbfVUm+/41Id76vv2AMPn4Pmsuf5yL0SQgZOFwRjWlaxxoDko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0pm/4M9yK4fsbLgwCrB8b67Mez8wCgYIKoZIzj0EAwIDSAAwRQIg\nBcv53Mg5nxVofa1Cw5C0rNbyk2ugUMTA2HwBiByXEpYCIQC1b8fyXGHhFIUDt4Oq\noTM3jfpd69Bh5prYcL0tzwtAgA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUd6EwEtSpVNqZlzZ8wW4KxAvJTS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERDNmdcT/H3Ni9uIezY9NQMTQj3cHP23g73Xoexl3\nU72wtLd7FNqmjRRLivVO6QV4vVBcxMXZcTZbwHG/35IWhaN4MHYwHQYDVR0OBBYE\nFFZDUHHs/YSjeUIOiq3PRuYfVKomMB8GA1UdIwQYMBaAFLgbfIpKGIfgvnk52O1c\nGb+3hwX3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD7410AbwKLkt3kFUH91G+9\nEXCCJeX2wpcHBnclSTWBLwIhAL2jMHTWlIovRltF6dNn4Gbb+JiycCKBpvq9+rAc\nsyS1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUblLB+ZgGPUPXRWtBTVXngzXesREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEycXIMa9HG/LDCh5nRjVHv2CYUKnqt8Mry9XHoIoX\niQPE9l/Lpfta4CUC9+KwgmCUAoTazLFU5yn4x/QfUIR/ZKN4MHYwHQYDVR0OBBYE\nFGsH0WyIwQtgkTcopTJCaH/+nhHYMB8GA1UdIwQYMBaAFNKZv+DPciuH7Gy4MAqw\nfG+uzHs/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBEaAyYnEkYH19QXDAU5K+lb\nOfz7UHnnqDnNwsJXBvAEAiBGxstkTCaKhrAdBg/aDOOgQkZTrXvcda1DBxknTP6I\nGQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1365,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQWw7sgVkrQIdw4fME0vInkMLlmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1blFe2dYlsRrZR9Thu5nEM77FQkx0BpQmP/bz\nuTa6RI+/OFLPDUDk6pRQQ3YXKnuMvio+kBa68yjWLqudy6pJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULfWgwQxuLxSvdW+jW40Bc5AwEXAwCgYIKoZIzj0EAwIDRwAwRAIg\nD1vbuKAQU4KvYDVFZUj7XLwyfkm4/fbiJaEF+lm8fhICIDNJNMExQgFu5RTNFMbS\n/EHaA9JVaW+1tO7ODPvZKuIj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQLsEFKsY55i0NkQZ6P/KrjBYAtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKDcAMCS/HrAUewTgP9F021XF/s3oZVV+ee1nt\nz42pYuK/5KR46Qg7ZXED6B5XXJ5pkzZrFQnT454gmK0xyuySo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzyYwYmszcHEAJVBD1+r07juqXgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAKfqihzYjNG6gmrf+IVq5qDZG5Ij4B/EvAkX06vYCijnAiBLZ2ipzFzjL1WjzW78\n+zHpom2pKXkBC7NflF8h4SyUuQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUfQ/sQP+V9d7UkwIL6Fxc94ycgGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvQzm+EDMvyCnCm9MMUExEyPNmmIVKyubbD4bvqph\nfg3aJ6Fc22FqF45WAz700nVjREzoCag0f6kD0GNybHpAZqN0MHIwHQYDVR0OBBYE\nFDgg7onMsX+T00h5bU4h6lYbRxCqMB8GA1UdIwQYMBaAFC31oMEMbi8Ur3Vvo1uN\nAXOQMBFwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY2j276lwwP5MG+NR2zfoCtRXv9Kq\nGfnqzyg2ltT93H0CIAi4ORIUedv5xuj5UEP1e0+6Y3C5G9YC5Wima/V1vLJb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUBy/ZFXxcDIpCu0uDnmcxCKqsFrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfAb04D65gUpdzyijRCCzpB0VPlSqQAVHcunGHJQu\nsn2TU2veu1HNtxPCNC7B0Kyj2aCAnmG6v3BJZMiuKRq14aN0MHIwHQYDVR0OBBYE\nFPxstF7ezMRsbiltnn7Upke4D3hAMB8GA1UdIwQYMBaAFM8mMGJrM3BxACVQQ9fq\n9O47ql4CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKQhlCAIq5loGHD7ZG5Z1jMHzocLr\nIB5INV2iDfP4Xk8CIHcI170Hk/1nmQEIl9p8t36kqCMiL7xGYfuBxRWYs0w5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1386,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGQR4qDrlxzk6dfMF04vk2pLvDJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT145MhXl1QOr+QfDvkkJY42mTASugsqjz2FIAq\noms/DdaNZ0UHBHaW2mzrbvOR4tzpnL5heyP6L+Ht7cpjXwM6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiavTbKz03U3ueVUQaF5Ebi33EkUwCgYIKoZIzj0EAwIDRwAwRAIg\nWQDRPxnDdkvtYFuoSSPdPyZgRR1V1kIew3t31e79XUYCIHgcRZTDJyjLlHS9Tnby\n1Y2eOk2bHjH+LtuMXZGj4swW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKb876o2LgRFJv1Hy1WPC6PD1ctUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjO/lSNt+RMda+4u9lYGCKghU4GGjpegkv0O3N\nm62yv88dzA1BBd8PRZNsvsMKWNMm069R6ihf5KsBcmIEdB+3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4QnxsoG7w9WXvgBbvXcWGr6BOhwwCgYIKoZIzj0EAwIDSAAwRQIh\nALyk0Ar96LahOeZUxI070kZzC5rAg29kxH8HTW6DfXNhAiBgJ3olGsMwxfS/M6EV\nDNfjvQ1eBcZOptycMuPAJ54VyA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUXi56JvHLGvD+cDp0zGQ658FBIJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXlQ1x1rfF5Q6ZbR3qTsAc6/hci4nES4Z725Rdyjy\nk86ifH31QjdzOUTPfCr9FKMjXMVOsP/0rUgvrsH79Tem7aOBgTB/MB0GA1UdDgQW\nBBRiM3sNkEV0n3273XpPSjKdSvqdRjAfBgNVHSMEGDAWgBSJq9NsrPTdTe55VRBo\nXkRuLfcSRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA2x62LTXT\n+qHDajGk/gYABC7rtIokKR4jdAWGoH6H0dYCIFz1KlHRX/l7g5x4sK9/zzCRkxSb\ncZtuZgnwJYGJnWF0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUCVwh8jTljDlA0qyls9I/pXl3FHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETNi/VXFB+hc2tjF0oNoWsKdVe57l4q+zKF0W/e9U\n81kkWoT8XCw1Z3yFgddUChc0twzM4OlOoVnlv4NSNM30VqOBgTB/MB0GA1UdDgQW\nBBQ7GXlxF67HXSlEMxsyoOv7spU93DAfBgNVHSMEGDAWgBThCfGygbvD1Ze+AFu9\ndxYavoE6HDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBEs+paNl2b\n7e08d4YqRv/yP/tKwLov78oQGfcZ8/W2ZwIhAIfcycFVEAsW7zTQzySjhXZDy78R\nUzLLLA0c5p1u6vY0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1407,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQGKph2+Jn60mb9iCTG+Mh62PXsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI+dZ1FuhrS4UFMmMnLcH+jrpsA5wwa+Vfzzf9\ny9FY53qlqVfv476zhXOrgkKKYfeGQXVymmC9ZxPsDY4m4WOho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSQgvZACc56M3MRShbM/Gy7Nr3pYwCgYIKoZIzj0EAwIDSAAwRQIg\nbeW9fH54ngLLQ0AyiZHi2adu6DwME8x+pj6ARWkFMCECIQDBlyzZJTNk7BmArvf2\ncjOhXw4yizz86jfLJWqZVi3wzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOEDt1GFzsyJDkGxXL3gBaqixGK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3iFuKmSPqgmzDn5R5ESMsqNnRnf1iNNZEGBlW\n2Vg2dnyBN8ZVPHIZKihlHiJya6BcU0Q3mOkfgX6HxKBtXS/do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4b85cCQxlrpjwL86m7k2EHK4A7MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKM3YTl02q5eg8HKiM2H+SRvJHMNpUxln45V++vndJdQAiEA6BVMooOCWj2tyF67\n7zZZj1bD0gwJ1pF9+/qpQ4T2uX8=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUJXTbUN8K8a4Qxnq9WS1eMp/rDm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEr0366OijQhhFBt4wkU22d9Tv8VJT11BB9W19yY1+\nSMdYC0PakcAtXXEgzAMqsZRXMU0HqqXPkQHiq0Kdcz7FSqN3MHUwHQYDVR0OBBYE\nFMZekNIpEq8NwJCT4i/jDeXv7vkaMB8GA1UdIwQYMBaAFEkIL2QAnOejNzEUoWzP\nxsuza96WMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaAxnJtr9nRyvnUpxqZjM5E2z\nU1uPku3mLXIH14jNnTgCIEywKIZheoW39yt8GA8MDBFL1YAynqgxDl/tsdQxJzCv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUSSSSEOMXkLnyLVgr2NHGLsBs7DUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8eULKsOmfaNJhKguix8/+LTCIQALFzSWk+WyuRey\n/bGabRNUVmKoIMQDiib5s4J5jZjXDllgGPv7QiUP1IB9/aN3MHUwHQYDVR0OBBYE\nFNd8wjUXoDrJeL1epIXax7capXgrMB8GA1UdIwQYMBaAFOG/OXAkMZa6Y8C/Opu5\nNhByuAOzMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMLXLOIx8wI7oaMOHc1BdZve\nBvycyP6p3HM2te+sITKcAiAFBD78+JAn1qdnr+EgqBnsBWJsknhSSnTcXnItVVrA\n4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1428,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUYxSw0EJeCGPh+E+MtcG7WnOST0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThNmJcG+GpBqEONFHGVFGIrKKBqhbBGO1MJcmn\nZ87pusX6ICvBBxpB8NI4aPiuqknXokNhV+ysUHirBO7T7sKNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdppeynOXynJmYDNXYDro7TOAaa0wCgYIKoZIzj0EAwIDSAAwRQIh\nAJ+pE5hE7lCpWr4w96q+Brfo1W7A4CSqyWq22Gy/Wb6EAiBFJYAFaX3/8EKS6hbs\nFBpGVCDLFLbq2PfrauwRXlF9vA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP8UlwCrgw6sRNlp/P6Ip5e6+sTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJYEfaMVt5Y+qZnc3G1+m3czbRBjWUde4MqfRv\nj3zWbBs3hlMfrluXkvxTTRaW/FBqJZ2hLTFZRlIz5Lj/Zvzvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZjzz9++e7BP9nY/fXbPqjBnGbNswCgYIKoZIzj0EAwIDRwAwRAIg\nFGeZ4vc8+EXy7XUmIRuCQ3N9t61IFW0Sm1pQfhfZ60cCIBMHUgywthknBOt3mmCm\nBfIFAXiEAYRaBOn7mduKg2vs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUEL/kHwIN2bbot7QOTNHssA/BIzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEky1VHgjaHYQJjZNJpjbiEEQmA8gvk9PtJzvDDn5z\nIwiHPpameMJ9zp3mQjE7Hk0I4ntrSXj5SYoKAm+GRwMGIaOBijCBhzAdBgNVHQ4E\nFgQUc4HRO61zOgzaofi873m4aEL5qDEwHwYDVR0jBBgwFoAUdppeynOXynJmYDNX\nYDro7TOAaa0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiEAzQWAERojryBIkLm5SZwdDDsafllEZsiE8rjcT4jYu18CIA6qad5u6Kk597Ll\n+TbAAnU+0Jpt5Kf8YGgcI9CqxmFv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUMQBT18dsWFJBAY+fbhTvOZDob1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEafloo/r8396djbL6PyvQ0pBX6vthjcPCkws1EI7i\na6pIzhXvyDTEEa7cCJGODcrQvHERmb4jKCywoN5sIIA+O6OBijCBhzAdBgNVHQ4E\nFgQU2yHuP4LJUMrrkShM3kum1Deo/X8wHwYDVR0jBBgwFoAUZjzz9++e7BP9nY/f\nXbPqjBnGbNswCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNJADBG\nAiEA8wATQl+pV4Vy6WRCXLwFvh7eZMJ3KU70preMm5cdS6cCIQDkrMP4OZJ3zcW6\nACzL06cCsO/cr3cqL11tahO4Pdxbuw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1451,10 +1497,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUe7DvZjoR3bEeI6ltWO3dEqMy4WAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsyodOIMDtznW+IHWNR7SxrZMsaMNJgGQFwrpo\nd9OfPYuieynNJvEymN8id7W+NOc6P9zDvQP0ko0p2ju9msDDo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM5TkY5+XivHskHf7FbjyvLQ3xbYwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAK61M6M6bj8F3Li7ugAo269tEM1MNxiHVFbq\nxeJNbsqbAiEAkPDqKQyuP3f+eGmlyhqER0hjuSmBBsYCtokeCFhVnn8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUfh0NLINM7tp7zVvHxXETV7wTev8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjfom6Dk8cgv9Lfpm+YHQV2/tiJAD3vtdFmnlh\nwRIj84GKj6N7roihX26sIsBLINdEi8XYopuqLPqOIa+92milo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeDJ13lFUBxeYpH3w/AH05fUmjUUwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAJgxSNqRoLQXVcs3rEc10dM183Gt7z74Ak5y\n7nQ/YjH+AiBRfE9tOWw+hwuVR0xf/0aCnakNHHhfAsxAVwA3Pf4x7w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUVj41MJHVr5n26MCqlCwXF9c3JbowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGXuZ0t6XIHSwezPtuXTItq8aStRdkvo+PpgopdEV\n7z/LyBbS774TUQbXF9YG9Ar4gb+InaLmZ24BzsUs0AqX0KNyMHAwHQYDVR0OBBYE\nFMW1Up/VoM6rIcmqd1hDLqxsVipNMB8GA1UdIwQYMBaAFDOU5GOfl4rx7JB3+xW4\n8ry0N8W2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCID9VEN9EJmnFyan1+uGH6OPrzRmnhXJP\nQ3+T2mfn0OIXAiB3D39ge6Cn/k3PunVj32LQiAbVtHSnlJ3wL7mv9Hw4KA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUe99184DvbOMae8DgHxqmJEvyCdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEm0UV4EOiZfKVChScFIwk2cLXDXsHBFMTS3zAGH8Y\neUmXwOQBCFWC2TLTeX8HNuug1jF+0WGHz+j+zZRI+0wYSKNyMHAwHQYDVR0OBBYE\nFDoKD7zBiww8QgemvWHr4gOxXy5QMB8GA1UdIwQYMBaAFHgydd5RVAcXmKR98PwB\n9OX1Jo1FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhQ1yBGpYz5hRWHCCtseMa9D3F2NZN\nH84qwafTVaEFTwIgD4RClbABj1qA7XHvritLE2yVPFIyoU6YIgPiACYqvfI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1520,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUQoG0JyM7V5rKuJSlyxlcv5bVnR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWecFkkPCP67wNgR4VR95crye1HDh1VFhcHQP0\nQxqAkxBzvSHMTFJM19W1V8CuAzorhKge7QqtZZqUXEM59fYRo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJTUhqum/j1KpvpzkaQ6TxRo8dlyoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSU1Iarpv49Sqb6c5GkOk8UaPHZcjAKBggqhkjOPQQD\nAgNIADBFAiEA/irM8e53RvJPurwi4JEZAyTlEx44sxrfW/NcjazY9MkCIB9dbnOI\nURHiuWGICI+jQiYRaewlMunYomqBuM7XlLfI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUaJ0a0DRUpJqIwNU0jruBkvzmqYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoNYYyjiRKcW25JIG8vuqxSEe/HtLwcLwHG7aN\nuMSVBkEGNDqMVyEdxoG9K4esn1tvXIGjyaptAoV7ViJPKLFBo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFHLAENKrMkPMjP5Ry+Fv6vvL5m7PoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRywBDSqzJDzIz+Ucvhb+r7y+ZuzzAKBggqhkjOPQQD\nAgNJADBGAiEA3uRD8L5uskHGuhMdKASAqUkEe4Exf8LS8b4v2IzewwUCIQCLLpcY\nLab8McRTx3G+I5W9AHzJZz3DxXcKRon5+CUk2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUVzLDfm5PfP77uD/5GpXkqacRn1YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJKBGtb5ALYZAmExsDoDjIUXTxRzvbYHXEzTgmds6\no/j1PtLq13sKqdID7hKKXCE8b1nVZrI+OPMRZHGZBIv1z6NyMHAwHQYDVR0OBBYE\nFGNUuNtww49xchGsoGrKOcE01ibrMB8GA1UdIwQYMBaAFJTUhqum/j1KpvpzkaQ6\nTxRo8dlyMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA0r4p0oNGSjZ2ye388p6Fhpoot/3rwq\ns30VCa2G6MAgAiEAvt5zzRjNh1qnHLb7U/UMNkeJUkiM8vfwBTLDfXdSgTM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUcJsigmSaVGX1x/5InKu4hxaomRUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfM+x0AuAtzSWMrf25OsP3HahzCK5hpntpGCC7JTg\nDdTxmwBGskh2Z/jb+6C0+yAooBldSy79iH0wVxlUSCPw/qNyMHAwHQYDVR0OBBYE\nFNMXAiBSDNOjoUVpSVRzazyUHfwOMB8GA1UdIwQYMBaAFHLAENKrMkPMjP5Ry+Fv\n6vvL5m7PMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCsTAVbBo2sUGQIABzTbVIJ694u00Wg\nQyXY3+OX24DBDgIgdzjd6Z7h0hAf4tAyFn+OQdpjoKjzQnmL1GiIF0GMT+w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1541,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUU83NDVmgs+vTZnsGIuo1YbWOmnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARISdaAXMy0FyZRsUu1qkbBgeAlrX9L01LQ4n93\nvMtoirKkuYIodJR/W9hu5ovKPxKnvKKWujKESojqrDSOT8ceo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTZwEZIbylu2qTzNI0gune4XqO9O4ICBNIwHQYDVR0OBBYEFNnA\nRkhvKW7apPM0jSC6d7heo707MAoGCCqGSM49BAMCA0cAMEQCICARaIJircI2NNEE\nLP7RJ86qU6Z+lzMNG+phJTKbgGKaAiAoofoaWsbF0DAeKb9xth7qZ2lPVLPHILtF\nki8D0zYQug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUT3gs07irUf9IW2FEM8ugSibsFw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARHB23ZR1Lsb4Q5BmCCMOe3pQIb16A3lTA1PQ76\nlq0pH/3tkYsbyfp5RwKrttQaqKpzH+Emkb2wCzSSYPhvI8FDo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQKgmhHifxaHNBIdmzfcBcem+VMUoICBNIwHQYDVR0OBBYEFAqC\naEeJ/Foc0Eh2bN9wFx6b5UxSMAoGCCqGSM49BAMCA0gAMEUCICa50OIlBNjGC2C8\nUJ6TJnbRbIejM8AQsUHHoPrlUcAqAiEAxDc6r53Xxi8E3ei+0krdbz1rLJbdSjpm\n696xRNSKj5Y=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ+gsjOuUOpyyHd1oA1HDhjMivVswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEhtId9YKaI8J+GGO0PnusxZPSHKaNwxBzP7NkGwN4\nT94gX2cxhQ0K73+4Fa7+6UkApvSMn4uvyu75Mf0CgOh0DaNyMHAwHQYDVR0OBBYE\nFAXNDaGQUdPwhVHAkv8Rm+ZgWAikMB8GA1UdIwQYMBaAFNnARkhvKW7apPM0jSC6\nd7heo707MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHDx5rPKIXqD3whJAzqvWIRtuBJEN2w4\ns/fBJaTmS9ouAiEAmVjUNuBwQ4GHqU8/u9cXex7mEgwgtL71cOBxMW+Y1Zo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZtPz8mu+rlfyAV6ITfifaKdcBk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyX7dZAOB7gXRhNSvemg/aAJcS92Ow5pRqSYyctbz\nd4H8UCC0+zQd7ESoHwvSLDnwjDZTekimMfR9oLrzCe+53qNyMHAwHQYDVR0OBBYE\nFAzYC+LlYezPBWg8TLLla+u9NIK+MB8GA1UdIwQYMBaAFAqCaEeJ/Foc0Eh2bN9w\nFx6b5UxSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHPcvvHJHmlKs8GwtAzSxJUc6puYJcW9\nCiQsXc6MjiV5AiEAjwX0lep6REv4h3qv+h6MpwRMAKKY6TTLzzUsO6Hm6M8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1516,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUPwRKGZdexwyHcS2JrTe5iJONnoEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNC6huK059wZ6d/RPAvbEZL165p8xQ5r9SvyxI\nTwNqrvUz2Bbw+Bs3v+lr0w2XE0ERhDFkplBV/aIA+rtetrm8o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFKONxNUNBB0shAe5sQHgBsy41EG1oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUo43E1Q0EHSyEB7mxAeAGzLjUQbUwCgYIKoZI\nzj0EAwIDSAAwRQIhAPDY+aCz39IKTUzw7DJTVGov97D1dBx3w+XC5Y9bKvHvAiB1\n5ormQ1XjCpCUh8BR9unV/TXMeP+7gTI/IgsRncTv9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUP7o6+7wjkooklhdnlEGflbqxDYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJvZvrnn8Cs7OeAq3k2OkNQlEmFtOXKDvB0j2G\nHdhNQT/5/gX+XsVQ3h2eHNDVKU5RFFLDSnx33IVAazHGJAg9o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAGJGvs+5esdBlovUHy1KL0429S9oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUAYka+z7l6x0GWi9QfLUovTjb1L0wCgYIKoZI\nzj0EAwIDRwAwRAIgS/bd5M0+86C+PPrRP02JYTdYR4Vw4B0dFjBVFlITLG4CIGWR\nIT+aX6p2QNrq202KkHqpffB/CqDbjXARUAPivg+5\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUM0DqajKrtJWrannkDZmbVpgLXjMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVjM5Jydzd2frt3ep4CWweq0U+e3aYOzM0kLgZH/s\nCM28KEcNuabeTCHJG56O3/c9kW0iXuhInRekxQpYKCM5yKNyMHAwHQYDVR0OBBYE\nFAZGvtqwIM442pczS42gC6IqJjDEMB8GA1UdIwQYMBaAFKONxNUNBB0shAe5sQHg\nBsy41EG1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCKkV4PW31o3yC7+1TGr6BB+jcZNFA7\nQI8xTOYpLuaGgwIgeQMPEdGPLeAtPaVg/2sZOjkRiMf2Zo93Ro4zKjrp8rk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCkKgE2yLMTUGliiXZfW0u7Q5FYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHUpOODhvC+/GqDepzAliTGXSjJp3SV4o0Qn6LWmx\nEWUfMsZ18mHwKwt9Z9Yxq8l4DQekPQ3TdZ9H5IwOJRh/aqNyMHAwHQYDVR0OBBYE\nFPsu+gp4xyHhQbAoX7AV/L87DkDLMB8GA1UdIwQYMBaAFAGJGvs+5esdBlovUHy1\nKL0429S9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC+B4Zim4+ozJZuwHASWCr3Xw17hN/D\n1Fuqlry4lBNs6gIgFBmC4i0vmtqZ4PCYh9LMj43bBlr+nGKQZ0zpVwpcG3g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1537,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP3OCey6tHn/Ki7lSaI++Bxd/86wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCVRtcNAXtxue2RIfDp/RRgRK44KuZXJra5Nab\n5HZHjlQPSgCc9oc3YdU3lw83HNgOGVt1LT8AvZZqfwwKL+mZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTnw0/N7dqJgr0VbGM+Lft1cLoPUwCgYIKoZIzj0EAwIDSQAwRgIh\nAI74Wf5/uPNWdW1qKqUHK/jKZfTjgyCN0BlXZIFTqopcAiEA7LKwgQ5q7hF7BEY6\nHxQJOqXWmkIoso/UlfbECz676Wk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIKGeS8uyPVrb/y/HA3mcznx6QIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8VPYYCV5w7Vv57o5R829xPe90lm094wafEevj\n9Q3UBzjqspYWmhhcIRXk5dvz61JLwZ6C1G2i9wJU6UIDORcVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX6zTgwAluxqiBn7+8/W5aza6kWcwCgYIKoZIzj0EAwIDSAAwRQIg\nL9p9aJN6b1z7oZbyEQvPMKSqfxIl1wLek57MT8K4VKwCIQDTBQbPWs98Bpjaxmse\nqLndx4Fnjx7Ps+kjD1eryWYMYQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIULd66vd36K9Mj5PHPi85OUlBCy8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABFWoQYvZq19o0IIqtfqOTg+galn0F8+BgqkXPqnp\ntpYmT+3ijZ4Ba1+AODnFZ2JW/5Lt+2VVGm3LnIsFZaVF1LWjdTBzMB0GA1UdDgQW\nBBQmal8B5mQh2gg6/kLyd+BzKBTuLDAfBgNVHSMEGDAWgBROfDT83t2omCvRVsYz\n4t+3Vwug9TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAumG5UwOJnsbtHvoZ4jwLdHQ1m\nDpySvvILOGATVWtcJQIgNS6TbrA+9Sp8B+QO0NKAvBzecVZMN8AzL+He4hnbi7I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUU++hYgj8JOirkDSQRtYaLTVNyXUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABP/CKXK4PutYFRWL9nGsIeNjHQGDtigKPiwobSkx\nKnFjsbU07kH6MQxTRGyQL4yH4QsZjlpxQpGrFsuvIBW2PeKjdTBzMB0GA1UdDgQW\nBBRF3Qja4Erms66qezfj4HK2AFBi1DAfBgNVHSMEGDAWgBRfrNODACW7GqIGfv7z\n9blrNrqRZzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAsqPnzVEgABFzw7I7D5QF2Axg\nzvmQjRnp28spk/VN5SQCIQCdx9HdBNIuXICLZpi0mqX/ThJRDv0BexTM62t5egFJ\nog==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1558,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT6dm5sedu912UHzApT3g2z3YLu0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy8VulTXBF5J7vDjGDp8rgR3tMvnMRKhziDrt+\noUZWjFIFmCDLjpzGZxPounVXvVzgOSa+2LVok+p6ZRziFYmNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEDZfEObMOQDmrKQAUR0qhU5qbCUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY/baCOUUvzYtnC42Dsuei73ol1yQPwO2DTJPGYxbT0AiEA2vs+Wx14F/T0YnDl\nJkko8jIef81UpJEP2qxQz5njS/s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf9tRkIYc/dxu3wiYGw/0S/jJ+aAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcrA+ccSngdg5w3gZnNfHYHocvlFk78At19YEG\nbBkP4lvw5PRuoQXf5MtKfrSTcVXXJI22rks8LRFYCiDHTbNPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl9GHignU2qhiB6W5oxRiZZx7toIwCgYIKoZIzj0EAwIDSAAwRQIh\nAPuPkHsE/xQzG0DCPiDu5gzXuRLDUroDSmHWIaUfV705AiAtVBpoEZlT2ZFrsCW3\ns6ou549TeWP+3lJNcDxU1m3NRQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUEXvvFrXpUKdEVtEHS+5tYkXcRtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEse5FohEGEmibimAFO62DaEFmmnio9saEXh2tPSly\nDO5SRGSF+c8CzXE+I4CmZipbo3IwcDAdBgNVHQ4EFgQUqzd5AoMAYm+n1DmnXyej\nlO0/JpIwHwYDVR0jBBgwFoAUEDZfEObMOQDmrKQAUR0qhU5qbCUwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPQ1oEUP3Ydq2C+7Ln+jEG0+dNQi5Qs4t7TU6T1GAi3uAiBv/pzz\nHIXNuJOofePXIWkApI62Cziukeh8F5DwilSwyg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUWlLn6XBCcK9M8ZU5nc6iHipwbLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEc7nLsqlMcc+0Q0cdXE+7eRhzUTnzoZw9ulMITFje\nu4KCdn0hSI8tIevvGSR3aO40o3IwcDAdBgNVHQ4EFgQUd5q4QrqF7ATEwWcsTVzQ\np1wHfaEwHwYDVR0jBBgwFoAUl9GHignU2qhiB6W5oxRiZZx7toIwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAOf58+/ZkXfTjXC5uqGJYTybmcu1gtDOcYH49P7V4XczAiAsy5p0\npFpCld78W2JnkMQ3E0d1TsvI+mMicYK/wHyUhQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1579,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUo1Iz5z7wRqM0C90DRmJkHQjWd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjyVxqwx+rrtD6BxB3dw556gQN7Uf3nikWFLvX\n0YcWB4k6jBJmz1f2djWh7tf4ixSUg+LMiIIj9bKhjuWtXDGMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+qRaoexOGHAjWLzJmbLK8k4Lz3YwCgYIKoZIzj0EAwIDRwAwRAIg\nMBSxeJxqmCE/BgqBWLArtrLjc04Cx5OQB7Lo44dtt2ECIBB3DmX4lgiMioNwM6dA\nDviZYqIOSW9dFs1RIgh2nP8+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdMcv8RFCBNQEV5f+VzwwcAyWiRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARf22Lo1BfEQK+NBiRLk8ALuGcs4tHFz86LO+cF\nJ3G5KKTvh/vwJS/lpoCpV/4PkpIWjv9DaYAbPZno72OdlOfHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWI7p0SbK4Asm5YCA3sCRUo4YGC8wCgYIKoZIzj0EAwIDRwAwRAIg\nU7q6onauvB2eqX1Rz9JavP9mOQOKS48F1USSGU5WzrMCIDZypEkKzuxj/qkYMpfH\nDICrp3uKikg4P2X9IqF+B7zr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFjCCBb2gAwIBAgIUD4YIWlO3QO6vMiYHon45WJG8Q58wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCJpziEj4iKi843hzrt1ZfdM2lwNMAs4MRsXx3j5Z9t\njaRnKQ8h+ohXs4lk77lviZhuVNaN5D5osJj3MwKqNAm4fy/5gsaUIkCQ7/9u3tlB\nLgSkUlTuHuE6xhMUaJDWkr6AzjHgqhkmEeeyayuOs3MAnp5hyXdIobsICD7xV9VY\nwR2xuBl6NdGb6u3i8VZAz5QHIH4MKYzi8XRUnnlVp3Z+Ir6UZMLZPrVPPVrlUKSd\nN5ZuK8WGW/VqXGrYQ9z1QvQ70GIddGOc85mNAFj+DcjCtUQC7dymRW9Xk0+7ZJGj\nLTIwo/zMNLpd308oNEY01mc+bkHCglPVYThNiEuVQj41e7BrfzCv5BMw1ZH7Yh33\nxIcpmTeS4U5e/bX9iDkwx2AktjIdVJ//VhF71pG34PWccneCcikNGJr4iTeEHm4q\n7q0g8x7GpMIKKUiKNoE+SYcxgAXbHYGPDzzBuIhORd/b2grz62tnL3neS9J9rglm\nJunIMsXJ9r44kIP+YuJjv6sCIQCfFEjEWtXX4OORxP2aTmtccEUGu/kGjNy27CmM\ncWy+KwKCAYBpTgIJTJpalOwkY6Lge/Aqjef9eQP5ucv7shdtpG2Qt/OfXbzI64X4\nu8arDwds+B0YeXW2ZCCYhIMqKZ2nde4dWpg9fEjcqathlJOx/4sGwSaD2Kfn6EuS\nZ22GPXmPBaXvF2mcBEkiiIx5kAGhaP4hapmAOKdGkHP2lPi2dNCEIt1R+zR6n9Rn\nGID0lvRsoydwEutezVOZKO3qhqxgpiUgFBjvs67AkhBKpaiM55m72ALWtMkl4J0z\nVYrGu67YYJu4rQlUux1/RIdRMuZJhwMKDf8UVle7MPdHwtsy+jZacCEWB3I94PnN\nrXwKV9tN0G6TXLF5GPWK30dDRot5LcstRBuPPOKnPiKIItwD602CDFb/KgVdzTmY\n3TZUh615QuIKghCUdvkhhLl3qHaRrFEs9reW5dWEk8PqMb6D5nzHSesLL6Lj6hYD\nPx5yaxqFuOAlOkbUV08NebaXg8/vZoUGlbN+Ule3gSYvgED9PPUiRXZbWAgOpjxA\nacQuS6cfqXADggGFAAKCAYBhP96OxtDS9jzTtORiItqgj/I6hXr9wh4DbMSEIEq5\nd0VicaonxQ1+j2EJtFMy9x0PLHASOiTjU1ba3g4bpXAZUmAaNqWbaQ8VOo10sMOy\nv8LSzaxsdK32sqh5MLmblai0e06CU7yIExMVbd2KwARnEPLhkh2vcQcE8tmXF/k/\npe4cQqQzZ7p9jZEbHf7MZNNLSUWHhJ9a5dfXcy3ImkvF40sRbxMXu3x4aB5CiBlK\n4Us6CZVJYf8hUff2obqW/JloAckWg9U9K6nkUfxhuRhrgw3Z68CSjkWmQEXpReSM\nQVajMK8DYg3INWUkBjPxbXgrCYPb5dSuW/Jrl9KUqDKl/vwWGn2NrNfXmjIlN6Jw\ngkpIkYwuV+lctHtg9lbMV36aDUAWx71INliU6dgm71nfsTApems3Y+ULi3cjg8YE\naaF578815uvmLVr0oB59FVb1Ptzkqbc25+iYoThzAs+2SWolomT1scsvh5msj6Gm\nn/fWgjrciiH7XhSDNi+b79ujcjBwMB0GA1UdDgQWBBTxCD0i3EFpS5hxO18dSpUJ\ntAZ9rjAfBgNVHSMEGDAWgBT6pFqh7E4YcCNYvMmZssryTgvPdjAJBgNVHRMEAjAA\nMA
sGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNHADBEAiAKCrNn1kSLIcmPrnGDVQ3nSjdVZ4HH+lhUf3eDHxZ/WgIgHYjElSku\nnB4FG8hTqcGmkIWQpNVrU+RLA4357YwwJ5Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFzCCBb2gAwIBAgIUBOENTQ9NfwRjYN+SD1XkbjuiS9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCk5hJvPU4YlrU9p4o/FE+mQ5TDnMfSXKcXyD4pzao0\nBscfMWi1ICYlDbkxftwx5UqvpZPpD9NqcfgPhXIiesoPhEq6J8yECYnUNSZFFCst\nB8D7cDjn3epw0vkdvfkeP+DmOW/0DI1/mFGxfMLkTE0dFr0RwnCsOD4bO5A3ZGoL\nFoVBY64V06vKiDZ5ZuvQ4ceMCiD6wCXBg7dSwzZfqExkoIntbtqTmzd30aWzll3v\nCVDU7wE+K+z048DsPhqKtEPbZh9sSP8/dUwh10bG8EaI0NEYmUECtbwj7vIwsaZi\nn2wFyL0iArOafvOkjeM65HZFYGxlPAu0SjwFHqR5dBW+IRVt98tFIvR4VUuQo/Pg\nXaoRUHzP+QT6m0rqiUkPjENgmdrXlur4rkUQzsbJlCZ2IedPDTApaqYLj7Cm0icL\nWyKtAneJR5cSpQdmh2gV5qYsmgYQDxFQ7dY1dWuONioia0Hro/X1VadBNMgTmM9r\noHdihJS5zQZNO5YaZK04ZgECIQCdmQ/ySWyqIQHK/oKbykPcjbkFRmVKOb3CIQjj\nQTg0EQKCAYBUSRjUDrn2znwk/bi57TCbEVXWa2HP7BCBA0YPOtCUky84ENnTlzht\nxZuUbw7UmXfFqhWlX7UBCLGw+IjMk5nSpFKftsWd/n4sDmj7YvUEHbmD+zsvhqgK\nAXxYT6dyvGCNo+cs6AOtqnreLSTpLyfnqwKGfpzqkGSizyIMccePLyO8yEEVAhQo\nu+el59T6k7HXNX3XxFkSv051IXRkuBHjYfC+T0xjoJlKAZzXff0hLit7TTEwxnHI\npUniVOodK9K1J4zmuOCAq2SUjUx+yjUqIXWci3z7YJAa58oGQ/jc/dqudOvOuRu0\nduaTfHUnNDnAb0MbUQsD7tT0oHJToTBoQLHPjcTU/LzZhg+ervpdsw8imJ6EX9J5\nLT/jdyMCOK/1dHbuaFzMFiEEhbOQdLWMqaGXiW40HxA4O4Hw+rAI4maHAWwP0BJn\no/i4fmjZfFokffo88TBQIGHT0MjbXJZPm9+i2vEaOy0UddCt/qb4qhm436K1bgJj\nuK3E+zr3UyoDggGFAAKCAYAn8DrYk8drFjGDgsQoPPL0TDM68ETvXsr747dwZL5g\nLm9thUq2BIH1QJm2wzveTSYWKohovI4hPWxFyeZ21kM3fbstv0M8IjOzuOc5rTvO\nHyYOn8ezxoriP6TQYibraaJMktpJa2d2zlWZfiUHmPBBMdyZjbhM6IyTlKuMjdaB\nGKk+eWZfKek5Xw3GO6lXdOJhzih/PeVSiN3AWErpzRWK/QeORABUBnix3D+fcGN0\n0mgAj6LRSHfgwxZjg9/Xq3YbmENdtRxLUUr42gusy4t1JPHpvnGDIMQOrzPBDUz8\nkAciIdqySnMFy8MbZ4idQ5a6QfQCt8e2mc2NnVEbEl8tdK+zVZORpTgeU9F3g2Hw\nXePRWyJIY2yVBxjWyUro1y7+OBkefj0BJ/
+H0X6DwkZ7XlOC5Wmr86mY8lJytXM+\nd9UkZgp8uBQb1dEXBd6FyLzCUhowhsSiIUR+8xa/du9ghhzntfakTHBf0B9QCHw3\naWcsv2JaN6DQvbYsuUW2xv6jcjBwMB0GA1UdDgQWBBQxb4J68QC/dG9xP9wnE2Jr\nHtwpbDAfBgNVHSMEGDAWgBRYjunRJsrgCyblgIDewJFSjhgYLzAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiEAuzDedUSPpx6DxjcpyS/N1dY8/kWhD9BQBc6PQdQ338oCIHudmhOE\nVclIZ1tZfhJybOw4qDi/cLXeEk9N3gtn59au\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1600,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUdqPR1tjYGDoK/IUyIWNkgpHDgtEwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDkPSZfnFfpEKuuxFT0vI2wxzTFhGQw98vjLei7\n+VCZgiJFiMOXwd22YuPcNaK/7Ix0FfUB9f0eX7hQVWP1YSqDTPvhUpSRzgkd5Fgb\njeSs3nrFcaLhPO3FVcsTvyZ4iUKOBZQZsOmtX1/3361QsPe5B5JtU7rn1avlkyI7\n2YkgM/IP0/V+iGE4y64YPN4A1v+cNnaVRA+uvWcrpB16T34n/hmFiiqzyVHPZvba\nCAiSI7r2cy45vZmu8e7N+oTObvGyiaYu5v7B27u/9d9/iuDg2Hs7Jn1qDY0sJ7GU\nFpIn3/W5Wc1yXC2FZL0MvAqmhnLTCcVSIBjzw1dIFjDw8nHG8T+gPO6ILjWgR9Oc\nxXyKbmXjUpAKezaWKuxQV9ICPQxs8FBLh4onc4vfWjYAlC+kT8rlhdTgtSvOBIBy\nm2u4OJw4FkSizRQjXfFChmy1u8FAjti7KlJ7XZJCqVwwrtkQQ13FwBLX3s1PR5nh\nJyvLQ+OtrnL5dLIxq7tU+aH3u1MCIQD1sYhmQi/fgV2U2AVTVAYqq7bcFCf/sCyP\n8KrVzTbSCQKCAYEAwf85TwKAS/iyBgRJE6EIT6fbs9n/z+Is4Jn3ePd1yl7j9cEW\n8K1BsSCSnc3WpJOcrRQB2dfWm6MUDQm9Mi8EPZMzw4m3iQIRJJs3/CnDrGCwBbAh\nRR+/8e7xFC387hDJlmXm3LUJ5vK61nVvCf45XUofmXnIamSaq+03aahqNhf8l5oT\nO+2ndUZDjDr+bR34eAM0dlcLJOunoAojivbPiu4HBD2z1x9IFVXpJ28icU1wbfhU\ns4Y8F/w0sTasSzEGsGhP7QqTAFgAlX9SlyElterd1bnkTAXF5WJk7Y7euWnCXU0p\ncUTOJpvoaTD7KKN5lE7DVUKVm12fldIsNqKGM6WZZHFPGGimGV96wkrOricbvPwB\nDlQNwImvk3BK31v0LcggswB8HM1tVrndb0TZM4rCQhiZXhXymVab2TkaT8bI3kau\nGjV8pG9E1g22aKzTuR+/oXbFg+6hHeVyCX/uMOUov9SrWjGcYXPK83uwyGlW2fdg\nnwLIANP+4FAzz9a8A4IBhgACggGBAIZdydjbzpPw7LssT5pvQ2V70iUwKojqJEKv\nViL/Rg6JJnP4n+4KzUNmdkDTxSXZNQD/xNh9e/jdpnZ7BeeNIe/yZxU3xY9lkcCH\nKlpH8TO+QCb0RwhrjQT9kQ/JKYalr4JoXj4VvToGnsELxIMcszp6xlORgiguaH4j\nRETG5zMQX3AOLNwhDnCqS2k374iGfWDs+uDGhvg9Oi8VRW0Kj93sO9tLfSHVfUCS\nSArCgK0Lhm9DNwTBjPXHqK7Kw4G8MAyeel5MkDv7stH+YDtiyLFnX+2kBFqjLcQG\njDUL3+khrktJ737v4yJg3Q/WoYzEbsp
XFkfnEJbxmbdGiriy21j1Mhqx8ZYYkq1/\nFnQGjjbyd2mH3b0EEd8sqDSCVRhz9DJfCngFDVvLtCMiOCvvTkrO07qwyx02z8l3\nAev/xvRE1okE1WxVUSEZO9yvGiha+ELSFyceuxkKh7XraecBwEoFJ64YmC5A9/X0\nVW3sBSnDZ6DLNS38nHPJ8zdTq51186NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLlqlXIL\nkIDQewGSLLbPlluDaltCMAsGCWCGSAFlAwQDAgNIADBFAiA4Nt5QuCmYESDZ84VD\n6WDEmGsIBYzEPocnqGKzyKngrwIhAOp9qk512RYrZEWwCI0MqP3gDZ3Lvxl4NacS\nkznTL5eC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGATCCBaagAwIBAgIUPdNwiPm0wse+T6mt8ytm2N5ytgowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQDzXk0xIYe6aqIbFPDXXAE2Jduk/ZJ4+qtve8sD\nxp2G7H2YK5feUSYVFXKIVbVXcMnGAUSZxqjOL2IwaFzAF7ifYeb7FJTGYiu7RSrG\nwvJKuD+gMEijBqbT+dSPZp3mIIqftmNeXiyrhXUKJawDpcwxq8DRynWPLS2otaLA\nQvmQAIzMv9+id0zlEjqIvlQoK9niRlt/dlowbyeOD2QxJfKckrgTnDVwRk6KUroS\nNRCnu7WH3BWZcvsXTg++pKC/n2kWQBLO9e96aCqO/cwXMaKikBGNu8h4nnENyLe5\nU6dLvOseC9BzUY1Q5ZIecL4GJdO35fE4taUZ/XClKsIUgfX0q4pYlzPGdCCNDPJV\nRZB+KzU3ot9XUvq8OMwRj3i2f7dr0tt/IsdeGWhZTsiJkfrrHH2y9ebrLlbFascJ\n19eY4GX7ErguZABlzK2V1chPjAy0iTLdPaMxtEuNFYq9OX4iBsVLSZ3E83QuM3IJ\n/DInnXGXdCBMFzTlfjfnY0GdqBsCIQCK/dXBVKdgVkYX1032jRkC8SMUlC/qLM1D\nEtaZno1wQQKCAYBiD0GFn7OPzyqulgtetWk/ma0/IW84vW6rDm7qTGjZyeV66BWU\nrSDi5hRlQCdt3nPn9vy7poHDBtQ4+3IJzsiNMy5ObeS0ZrNVbyx57j5EDhudpTkp\nqe3pl1q2FvydhOczmnCqDumGehzoC6k7Rpg9RioN4f8EU7OSy+ZgEW/JcKhSOqp7\nvd0/R18aaxxsvBzeAuYMHU9jPUSGtXA4fb0Hnd1ACsEiWCjWk2qgJrsm3WaT1Hh/\nYN9xIkB9zuT/YwLLRSnGExQjoEjlSc9lyJuK9bueiuxiwORBGY8aOmJREwwvYV68\n4YabIWprtEH8fBkLnfoHrzQXag5+dfOiR9R5dZfx6/FirbDDpsl6+bxfg9+lex+Q\nX7RYqqalCjYRCVlKo8OZcCwi927670t/YvW/KkOOBimxKuTtSKItwJNPUgZAd4mc\n4uDLNvSBFhlg/kSIQuJG+pcAr+yVBQ282f3oKKiy/Z0XfUaWQhcWmLs0u3CmLknw\nYTJgX3kAEQqioTwDggGGAAKCAYEAlt2hXb2d6fyliy4XB+iJ4eQA0p0ULX33+yps\n9YheLqaPUVU7PdC6DfqROJDSdoRS/T+ROvlxyOl/NOPW3uxVVfOPcWqdcCRPZRJo\nkCxZI7agmWq9GUzi6+EeBzULchEe5pcMNaVVMmrafzHZcD
jQIRBUywPoUUxzi7qM\nOvBmqjqjXFgWXcUezWOeYQuTCun5xVh/oT7G92ImOgzZyosgsjmQlqyC11rXfoOR\nVcqX+86Q5izQTb/+wpDa25dZnnlIY5c8d4jV+cCMHquq3l6kFtknY///d9uewIVn\nfiiAYiQP72WXE31HLd50Pl/zJDnEeibl1bVzGrsre0keL0DD8cOTrlrZubENZwGc\nGkpMwNUtfx1WFZoePxF1wmtHpfofdAEvMzVsZivPRt8uQxro7Fzvy7M4ooghmwYH\nIMRjo/YnwR8I8QrG8BPzMFsi5sV7APRJqx+YlVp+V8IiLw5YjDPqAkwR2qKNxvIT\nkJdeGBxGk8aB2NJpJ3yJa1jzRH16o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUgvgQi1YU\n7XenURkFKopQW890UBIwCwYJYIZIAWUDBAMCA0gAMEUCICyuDYon7MOKP+c7y3ee\nllaYkzuGrh7xow/Zn+pSf00HAiEAir6w02nR2p5fMysYYkQGm0raaSOXNZU97DAH\nGFgiCY0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUJSa6BHZgOfU/KXuE7UAFldAS2f4wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABKDWHClg3k9inDvNOwE0uOTR8Y9XkP7dxvPbzqJN\nn8ePIgvamOmc3ltw6M6FrqQeQCVyVzhc8f5d0+4TlwMRHeqjcjBwMB0GA1UdDgQW\nBBSkk2kR6PJF4+nBsqVYWHzf73pxqTAfBgNVHSMEGDAWgBS5apVyC5CA0HsBkiy2\nz5Zbg2pbQjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgHZJGGK72d+SBz9wz9rmBFyMXRZJj\nN4h9TasQSdfdzJICIAkoLPdvRuJ16nbpDF0O/cDrWrcpfmBnPCQQPsreFNdK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUWJ47cSC3jtZdFK9d7PfVbZrLgAMwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEOdC6ssyDhu0cUW+w3pDe355sTG8mDHLIdNueLW\nIwFMkn8IbTRZR2YIz5tSUQQClgcQQdpV+jKc3WTA9tL4A3yjcjBwMB0GA1UdDgQW\nBBS6O//Ss9soci9BY9WbQU56HJAb5TAfBgNVHSMEGDAWgBSC+BCLVhTtd6dRGQUq\nilBbz3RQEjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgTowDDnyuWvYu9Y2Gjgi6sAVJExs3\ncPza20DESmfEaEICIGRXdU7OmJoxJjgnUM5caWSWbCLfuSqXYWVb1NwcmeDV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1623,10 +1669,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUd5HqXJ7iI8xrkX+o3o7nCMCMJ/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYX38Gj23R9mwnTO1Xf+IvAFHFIXqUD0Gaa1gn\nechyzKL0UAFaohCSkc5zs3T4xFUOCBlfiVZqEwYlwCG6T1meo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkIeef4K7wZrsuzlaW2IHXIRWvzcwCgYIKoZIzj0EAwIDRwAwRAIg\nF+cF+BFXJI49ogDQAUvPTb+xOfZQQ+UmB4AarQ/VYNMCIHXrpHsAKotibojq7+Zy\nr6bWmfTh6YNk2JHl3PR8Cz5F\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXkhBf1ySwv+3ttHFHZbKwvwHsucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcpGa4Wf/h6cc2ovTItz0uKmUEMwUtOcH/qWly\nfBLG1IOU5cYr+6LBfFcJ5lH/21hprBD6LJ9fqfSikAtPlVFoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLmgn1wT7jvc1Yc/9ndLOddi61wwIDQF/TpGQCaA0cEAiBGOUC9QwZfVhuwUXkQ\n/lJ+A1D7tNCJ/lpjP0+qHKOjFQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGGTCCBb+gAwIBAgIUdeR6mvhb0Wq3uGcQtKfPqYDN3PswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIEyDCCAzoG\nByqGSM44BAEwggMtAoIBgQDpNooXkmxcF7t92tgnldf8emwmmtMo5P4YN5tSfMXF\n0X2kYa0X7lrCxAUAeQvRr8VeC7OxpcWfceUQkZRX6aj8IKXPrDWQEFUCgymH7/xc\nnW0fMaSt9sXhilUUfH0uVfWBcbU6t5Ig2zwsehadApyPkDnR85tU1mQuxZ7wvwwM\nZCIAXL4xFt0iVYMouGweUlzIlD6lg7BHcroBGr4+WqTuHghfEEUFNmLokWQadVFo\n4JMqy11LtcslytvZYEK60ZA7epvwGR3flrhQLHjCts9JMPLYKZPB++0i/+IHSQrY\nWZ1k8z7ze+VeqB+hHrBWD6X6hGo0idSlJdTfaKhZ2tcDR4Jf+ZxnjCa4qxTVcuOB\nUhgyvaqCOB9dp6pwjSLmQSG4O8kNi7Ifgrtf52r9rLahX1SSQ8cyuGfWuLf55ZhV\n0pGAWdt5Sl3p+P6NA/eyoLuyH4mBMzD0kHoZCTZbawMFq+nhgpcfcIj36iBuCvR1\nGvMg4rIDk4M+wtJ4IPoeaKsCIQD1+/dHuyoA6h/eit3QzirEpWLykThtXO+id51Q\nIGs4ewKCAYEAt/Ki7eSKEATE/baJztwNodJfR20ACJLf0dchptwMkWf6lwBI3QTM\n4m0S2nW5vEnkaR66bxloUs/1A/6SEn0YDIZwiVdLJyLECTJeWKiPDeddfCrZIusI\nFWpX+l072mz652T0XnrtTV+fVxMbXQf8VPTmY/aqPzLQR9yh5BF6IK6UmfFrZT7q\nWb3gPyOar1RRocvOgeTaTbwtm+nWCdM8ZEt7HBP7dMqOLgAoyfgEiCV5ap7OG8nH\nQKTx6AYqc1PX+WW67UPToUdfCy5FoZ3FxNPUA92aQ18tSlCx8iqVmtzdtlLvJoT7\nYTJclIAZjIxNgbawuACUVtBQBuzVnV3cgtx6gH9siqQrVSCs/6wLzM1tTXzsT1wI\n8vmt3uFvvOPBl+9WEWmR6QbfNqvQlgxhJ65aMIZPyVsh66Jd/J5uGiNcMHMpIAsl\nwYkdWvkh5yiCoR6ejwP9Jg2mw/uDGY8/rlQ8IOK2h7umsQ3wxSJLUWhOyvT3WUtg\nnLVh9zlODf3sA4IBhgACggGBAKlK0GDzir5nVhTZZdSf0aUUk40ybYcFEJ0gqriy\nfJSrLlGsi5EIXih5krMjJ0kX4iRA5hL1ol1rurvVFbGl9VZ85MaS0BRJFawa9tsg\nk9mcGocJV08ogYHVEqNJHsDhrQg6xGu1hOf7lA4UWYJcjVDSYM9VobvucPs2oIA2\nqijkDGlxG6AggUT+klMGtmhxDyW3wynHczWAZs7Yqgenhd3ueENK+qszjxR112PF\nc7A9oOX14wSPti58Jst8DDRZatTrPMnu6Pkwk+9zhS6to/u3Ac6VnoOzs/c7XTI2\nbCkCY4rgPK0kT23c14QY/gddTZnc30FLj+Dzt8ny9BWY5Cg4Z2A60tUmDICGANAY\nhCoOEzOO2g5caqPzjXwpjwXrnOiwQpKjY7Pn3q+SfoxbDnGyOcIP+X8x3qHiw8j+\n9mWE+QFAcW/CfI7mWFqUVayVZfaXMfTigTxx0aR6K7FFv5gGkJLQTpJo/jfIf65n\n16E51OEZOEZ5huGiENeX9Hl/UKNyMHAwHQYDVR0OBBYEFF8y93eKUEsqDBKgvXrx\nyNi61RAqMB8GA1UdIwQYMBaAFJCHnn+Cu8Ga7Ls5WltiB1yEVr83MAkGA1UdEwQC\nMA
AwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0gAMEUCIQDwlclxHNVg/Fc406pMjxC6QEHDMWSTwsgj7zOxR+fPegIgaFFl\n5Vgv9fZYNB+cOsSzzzdvYZ6OpMqI/pJ/ZJPMKSo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGGDCCBb6gAwIBAgIUXrPMvhwnLbHdEKdJUem/gaqQJgowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExzCCAzoG\nByqGSM44BAEwggMtAoIBgQD5JTfiQ9cDByf5nZvKI8oHR0R819fAaoGOhpiOk9qo\nm1AlNK+f2YxbCUc+Hf++isI6g2o0Lc5Ulo+tn+TCqm155KrSavoHjDCXgM6hS/ZV\n2aEzbCgIpZf8mvRNNb4N8Mk8RnWIY49FlK+VjRv3podXC8ojtRzcCQPOvjSsdsqN\nLjIJmjLHCstMkSV954dd4f6C7X/5KNgAoyOcYKIIfJlCg13JQKGGD8Ao9V7P8rpQ\n7cqfI087bSUuB0i4fuvpY4W6kfhy8Q9VJGdScMwm9LsXSn0qutZ1eYx6QWi3E8ZU\nlzkON4lMoa+5khoGbWgWpPwmpkDln839+9pFdpXnCwn3aqEYA0izRcES9TDUjVE2\nCX9dnP+NQunAlASK+57FUzLsL5O9e0YUFGZL/yjWcJe0MJwEvIz4axL7EAKSjjvS\nvuawcwSQnq5GSNlmqywpR+7nhzdDG204VgvItHh6YqktAWM72Io04E30Ei9iNsDG\nqoXd0a+BFl5LJJ3/gnzfVKUCIQCOcMe+jtoWV2Jog98fxgjLxvdQL9Wx4v1cJrId\nh+DydQKCAYEAiJMBqTkAUVw/BHNGpkA9rHLi2/6f3/roq4s45/tKqgpuog2MY8eH\nc2RejdC72/7xL2i2D0tXT43fiZB7RllJmNAfW84SMWJqAjhgIaW6lDz5+ApCxjnb\n/uFVnPoEbaZ2aj0dBO/0y8HFx5k0zF4H4Moj+usQzlvFbZoBXRLfoanq1j2fjs1T\nlzdAQgseWPIEYCeSRhmkpcoYV5O1hYjzHHAO3nCBYVhIXPT2eiHgs9lIrBKOC/Yp\nzEFssaI++bVVYiYhm0R64ARNUj2sbKlgfVC06tJtdDjbUlHZf4K+a+W097XX4e3S\nPFcqJwGjqoc6dRC3U9dzP5wBJYQZGLuaHlUH8Z6TZALW78kf2mQJK2umW5CnRu/h\nFxwPRADOBy88VXai7KGtQfiqg7w45J0dZVgPolcKhOtbHTJwHBwnOnLGubQL4abz\n4yvtE5kq4MWevNudYrSs/tX8hGYslGdzg+oUR2Y485Umy9jpqwnKXd4VdKIPxmhD\nVbDFQmK/DBB+A4IBhQACggGAO+gDG6xWT7T8btYuGn8V3dG80ywcs/tB7T48tzWC\nQMAzXkMf2sM6Uw/KdZ0mkUfvuKtjnPPznTAuasMbW69Sv68wCgq7ilxJJsS6a3zJ\nV+XFPaznf5/MX79jrQtat9/PmiMR7SnuWBbLg+nUR56cl5JjFK+hrPlOO5mnSNAA\ntzW/2nnYtTpSD0bajh6duXgopaw6DpLJSsTYSfqhFWi1tJhX4NLxA3SwSyuk3I3H\nx7nAstTx4cawvwnNk0U9sW7Ks7Mdb5ssnL56UJLi1+Mq10pavAu9jvfOwvKpEie0\nqGlDPy1nORwbmnlG/YE3RvMLvDpSGF++wSC428rYvsiyPoAYhM98aVmmADWGdmSB\nzQCbQMEzTMc4zoKmfUdMDhDRDKCikm
mLakDbGGR/MxZkHNUhwjdh+OF0VBKQTIO8\nKN3yGJlZXmMPQasiEleRUe3WGTRxA/bM8jSewKMl4T+PlE/33DfimAcGldTzYiPV\nUSlw7E2I9Weo5Sl2BU5q82RBo3IwcDAdBgNVHQ4EFgQUGke8dl1ot95PzXdWNx3Z\nLDly9z8wHwYDVR0jBBgwFoAUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPcayTRfHxg7dkybh6kuqPAo+9bdp0azdqSLXDtECt+FAiAE6wLH\nOoUORc8KvC8csHAcyyhLRkQUOo5naOPhd9Uv7A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From c91e13f41135c2c480d1e66a572fdc73a2cfce56 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 13:51:56 -0400 Subject: [PATCH 031/155] WIP docs Signed-off-by: William Woodruff --- docs/x509/verification.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 3964e4384bc6..206c2b0b71c8 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -57,6 +57,19 @@ chain building, etc. The verifier's validation time. + .. method:: verify(leaf, intermediates, store) + + Performs path validation on ``leaf``, returning a valid path + if one exists. + + :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate + :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use + :param store: A :class:`Store` of trusted certificates + + :returns: A list containing a valid chain from ``leaf`` to a member of ``store``. + + :raises ValueError: If a valid chain cannot be constructed + .. class:: PolicyBuilder .. versionadded:: 42.0.0 From e8b4fbc8f10468ea61f91cbfd95c7b54d9f5a905 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 15:27:26 -0400 Subject: [PATCH 032/155] verification: fixup docs Signed-off-by: William Woodruff --- docs/x509/verification.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index dce1667f7cae..09e8220733e7 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -63,7 +63,7 @@ chain building, etc. The verifier's trust store. - .. method:: verify(leaf, intermediates, store) + .. method:: verify(leaf, intermediates) Performs path validation on ``leaf``, returning a valid path if one exists. From 7aefd2af1c6d5b7657d6b121c3ee3beabda10829 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 10:35:10 -0400 Subject: [PATCH 033/155] validation: make subject non-optional (#7) Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 8 ++--- .../src/policy/extension.rs | 33 +++++++++++++++---- .../src/policy/mod.rs | 17 +++------- src/rust/src/x509/verify.rs | 6 ++-- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 18e65896e609..cdfb5aeac9b9 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -442,9 +442,7 @@ emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); let policy: Policy<'_, _> = Policy::new( ops, - Some(policy::Subject::DNS( - DNSName::new("cryptography.io").unwrap(), - )), + policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), time, ); @@ -532,9 +530,7 @@ nLRbwHOoq7hHwg== let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); let policy: Policy<'_, _> = Policy::new( ops, - Some(policy::Subject::DNS( - DNSName::new("cryptography.io").unwrap(), - )), + policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), time, ); assert_eq!( diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 184764b1a5cd..8f3ee77b239b 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -334,7 +334,8 @@ mod tests { use super::{Criticality, ExtensionPolicy}; use crate::ops::tests::{cert, v1_cert_pem, NullOps}; use crate::ops::CryptoOps; - use crate::policy::{Policy, PolicyError}; + use crate::policy::{Policy, PolicyError, Subject}; + use crate::types::DNSName; use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; @@ -394,7 +395,11 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + ); // Test a policy that stipulates that a given extension MUST be present. let extension_policy = ExtensionPolicy::present( @@ -438,7 +443,11 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + ); // Test a policy that stipulates that a given extension CAN be present. let extension_policy = ExtensionPolicy::maybe_present( @@ -474,7 +483,11 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + ); // Test a policy that stipulates that a given extension MUST NOT be present. let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID); 
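Review bot: The new `Policy::new(ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch())` call is repeated verbatim in every test hunk of this file (`@@ -394`, `@@ -438`, `@@ -474`, `@@ -506` and `@@ -534`), so the next change to the constructor will again touch each test. A test-only helper inside `mod tests`, for example `fn test_policy() -> Policy<'static, NullOps>`, would keep the placeholder subject in one place. A one-line comment there could say that `example.com` is a placeholder; the visible parts of these tests only build `ExtensionPolicy` values, so the subject does not appear to be matched, though the test bodies continue outside the hunks.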
@@ -506,7 +519,11 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + ); // Test a present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::present( @@ -534,7 +551,11 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + ); // Test a maybe present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::maybe_present( diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 53069a319c95..89963d004a2f 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -229,8 +229,7 @@ pub struct Policy<'a, B: CryptoOps> { /// A subject (i.e. DNS name or other name format) that any EE certificates /// validated by this policy must match. - /// If `None`, the EE certificate must not contain a SAN. - pub subject: Option>, + pub subject: Subject<'a>, /// The validation time. All certificates validated by this policy must /// be valid at this time. @@ -265,7 +264,7 @@ pub struct Policy<'a, B: CryptoOps> { impl<'a, B: CryptoOps> Policy<'a, B> { /// Create a new policy with defaults for the certificate profile defined in /// the CA/B Forum's Basic Requirements. - pub fn new(ops: B, subject: Option>, time: asn1::DateTime) -> Self { + pub fn new(ops: B, subject: Subject<'a>, time: asn1::DateTime) -> Self { Self { ops, max_chain_depth: 8, 
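Review bot: The doc comment on the `subject` field no longer says what happens when an EE certificate carries no subjectAltName, because the removed sentence was the only place that case was described. The SAN check changed later in this same file now returns an error for a missing SAN, so I would add `/// EE certificates without a subjectAltName are rejected.` under the two remaining doc lines. The struct definition starts and ends outside the hunk.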
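Review bot: The doc comment above `new` calls the profile the CA/B Forum's "Basic Requirements", while the document is named the Baseline Requirements; since this hunk already changes the constructor's signature, the line could be corrected to `/// the CA/B Forum's Baseline Requirements.`. It would also help to state there that `subject` is mandatory and is matched against the EE certificate's subjectAltName, since callers can no longer pass `None`. The `impl` block and the body of `new` continue outside the hunk.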
@@ -449,26 +448,18 @@ impl<'a, B: CryptoOps> Policy<'a, B> { match (&self.subject, san_ext) { // If we're given both an expected name and the cert has a SAN, // then we attempt to match them. - (Some(sub), Some(san)) => { + (sub, Some(san)) => { let san: SubjectAlternativeName<'_> = san.value()?; match sub.matches(&san) { true => Ok(()), false => Err(PolicyError::Other("EE cert has no matching SAN")), } } - // If we aren't given a name but the cert contains a SAN, - // we complain loudly (under the theory that the user has misused - // our API and actually intended to match against the SAN). - (None, Some(_)) => Err(PolicyError::Other( - "EE cert has subjectAltName but no expected name given to match against", - )), // If we're given an expected name but the cert doesn't contain a // SAN, we error. - (Some(_), None) => Err(PolicyError::Other( + (_, None) => Err(PolicyError::Other( "EE cert has no subjectAltName but expected name given", )), - // No expected name and no SAN, no problem. - (None, None) => Ok(()), } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 1961d557623f..1325c6d4b585 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -174,19 +174,19 @@ fn build_subject_owner( fn build_subject<'a>( py: pyo3::Python<'_>, subject: &'a SubjectOwner, -) -> pyo3::PyResult>> { +) -> pyo3::PyResult> { match subject { SubjectOwner::DNSName(dns_name) => { let dns_name = DNSName::new(dns_name) .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid domain name"))?; - Ok(Some(Subject::DNS(dns_name))) + Ok(Subject::DNS(dns_name)) } SubjectOwner::IPAddress(ip_addr) => { let ip_addr = IPAddress::from_bytes(ip_addr.as_bytes(py)) .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid IP address"))?; - Ok(Some(Subject::IP(ip_addr))) + Ok(Subject::IP(ip_addr)) } } } From 34202c4a9a017032b96c9640173d2b2b95f9f238 Mon Sep 17 00:00:00 2001 
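Review bot: With `subject` no longer optional, the tuple in `match (&self.subject, san_ext)` adds nothing, and the two remaining arms `(sub, Some(san))` and `(_, None)` would read more directly as `match san_ext { Some(san) => …, None => … }` with `self.subject.matches(&san)` in the first arm. The retained comments ("If we're given both an expected name…", "If we're given an expected name but…") and the message `"EE cert has no subjectAltName but expected name given"` still describe the optional-subject design; rewording them, for example to `"EE cert has no subjectAltName"`, would keep the diagnostics accurate, provided no test matches on the old string. The behaviour is the fail-closed one a verifier wants, since the arm that accepted a certificate when neither a name nor a SAN was present is removed. The enclosing function starts and ends outside the hunk.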
From: William Woodruff Date: Thu, 2 Nov 2023 10:52:01 -0400 Subject: [PATCH 034/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 367 ++++++++++--------- 1 file changed, 194 insertions(+), 173 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index bafa0cd9437c..d120589fff54 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCNkAEvn4nqchsV9r+1zuPz3YFIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNggMNt78KY6Fcaig/NaFFGHokgD86wVeexUPr\nM5e6OWmpz1C3rhsMaNiRz9C31+iQcLBsmcppKKGM8QZmZDnDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5uRBEeRt2/4UQ7YHr0IvX9yJuAAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMUzRvc2zzrRBw8+JLJkOsh3Cwz/H5lJtz0jGyA+w5HuAiBYbPhbQq8uSmNtBnTC\n6BHuW4FZXZRn+Xt9tQl+eSfaKA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbTqupLDr1qzVSRNTvZNKfwBHbBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6jwRFqsB9Zd7ICFntZkobq3MDSDuqiEVKUQo6\nk/S2/v646pvge3ppp3lhFYv/epFELr2dERHOArZUFdBVNzSIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPMxz9lmlvRg5AE42BWHWv2V2GNowCgYIKoZIzj0EAwIDSAAwRQIh\nAP1Bt/XM4Qi8HBbJ+extl/BUUuxFf24JwM0oAk0O48eCAiA4mlvXfGqirk403HAA\n40TJGCj3XTmPDsZ8oDxiJYihug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUSDtkiyYNZXvAy53X6dT6ljlRViswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MDUxMTE5NDMzMjAyMzE0NDQyNjA3\nOTM4NjQ5MDE5MjYzNDM2MTY5MjAzNDE3NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nVi1hYSE6b254aQDd6+aLBPIqshRiJvFVKxMu9HOk7d4LnsNcQA711WkNpXQFEtJH\nT8vkOCMJ/wG8zQAVSt2C7qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5uRBEeRt\n2/4UQ7YHr0IvX9yJuAAwHQYDVR0OBBYEFOyf2MVaHiUa1Zq3SU/CCeep8TAUMAoG\nCCqGSM49BAMCA0cAMEQCIHfYPq11XMYVeuY8HOIp3UmJr94vqUGE4AdNrpz7IjjH\nAiAA36phw8jOqDX9FVHv+W/x8kXSFho3c+ZkqMV8WYsYFw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUdfzteg0mVMzwso5gZE1LZNfG4C0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjM1ODg2NTA4MjA1NDIyNTY3NDky\nNTQ5MzY4NzI5MzU2ODgxODQ4MTg3ODkzOTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCqBtvaHsZso7EoOukUlfZ0yvvrQaVygyj0jUwaZIwzIDyzoSbYV4vlqKwNNpljC\nj+yJ4PexK29fiADJDngS3tqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDzMc/ZZ\npb0YOQBONgVh1r9ldhjaMB0GA1UdDgQWBBR4F3jRhB8jqz6ad+QTQTL0hH2woDAK\nBggqhkjOPQQDAgNIADBFAiEAmyxK2XaH0EqfVTauvrk/046Z9Xcv9KKGYS9Hn7VP\n4+oCIFQXScqszqHe/jf5MynMUIon0+N0Qkw8gAqdYtEreHKl\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUQarisIzt5mEUQeM0L9kPaSiLWs4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTA1MTExOTQzMzIwMjMxNDQ0MjYwNzkzODY0OTAxOTI2MzQz\nNjE2OTIwMzQxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOFi\nv2J/0rYjngo2eRsABmYWMF0Im90DbLquSj1KzNN26VzfbRyLJ6ns7j4hwI8Eq9EA\n0aAV5eHbEqA6DCnHTnSjcjBwMB0GA1UdDgQWBBRt2jGf+NnsCl4XQO14dOhAd/qp\nOzAfBgNVHSMEGDAWgBTsn9jFWh4lGtWat0lPwgnnqfEwFDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiB2phz9x7qs/l0Abc8G0klbgTOXG+YPBNuHBD3qQcj0sgIhAM2itlsRdArY\n3Zk3F6yaj1/OGc5yX3S0LbXHpsGitnsN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUGWGwPQaLifpT9Xy4jAGnPQZyc90wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTg4NjUwODIwNTQyMjU2NzQ5MjU0OTM2ODcyOTM1Njg4\nMTg0ODE4Nzg5Mzk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIh+z\nYt/zvnEEHpG8Zfx6gsd8lW07VwRAQMQpetGZZ0NSA1q69QWSg9PfCK1dP+Xqder3\nU90zjNoYGUvo2Wrh46NyMHAwHQYDVR0OBBYEFAoEHGyiDUEtNZYWBmsBbBSQc03a\nMB8GA1UdIwQYMBaAFHgXeNGEHyOrPpp35BNBMvSEfbCgMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDKPYaV8NJwtuXpcOYYDWT/Hj5LyRC6PLQVaZ1B8LRE+AIhAMpzQfOlyiwf\nVEv3iLrS9J7tivy5UTJCeuz8TALPKuH4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtrRM6zc6UKa9khx5cW4PTJL+swwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpJB/pgY2pr/Bzp9irEDudPXJyrE9jUWcnrPhb\n4LblKVLhZ25zG8vX53bvh9AV+VAZjbiPIiq+s+qkXdMwxwtmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzD6V5By0EMTyuwVLkoCKVyhAoz0wCgYIKoZIzj0EAwIDSAAwRQIg\nMCnu4GEwWy4pqFSMR8eCdY63XVZ/2heleY71Oe9NFw0CIQDwTF8kOFyenGtLlM1I\nhWRxjRv2gW8NEmASrEOBfnRu8g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc+5hRYMTOJhJIce2BQ4PJBALmDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF+ea6JEwFPK/hIHpFX/+bCO2TANsVaHCU4qCu\n2fzKCntflS47X+pnhwAMSD0RmxC9mVPFsO6CxpAsLOS7+l2ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgaNwC2qdnbdN/CIFMbfgBfx0YrAwCgYIKoZIzj0EAwIDSAAwRQIg\nZPtGM1sgJ58M3Ts85hKzazii++8/oBNxJVbw+3SpqesCIQCE8873Txw7bOBCEgHV\ndLzLU9LjXAzIm0nDBGNQz/x5Dw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUY7BSJmPFDnx004/8FM5vkEZ5e0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTMzMTM1NDY1NDY2MzQyMDU5OTY2\nNjUzMDY4MDcyMTA0NTgyNjUwNzQ1MzEwMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK4vR0CY5acoNh7VeSHcPzi6y5j/R+JzHTKryGBtcby+vaUKO/OkZybRdxgwfWOM\nssjae1IWx3FXW61HiKoB3zKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMw+leQc\ntBDE8rsFS5KAilcoQKM9MB0GA1UdDgQWBBSj7a6eLzpOzQ+UYnQOKjLURSt75DAK\nBggqhkjOPQQDAgNJADBGAiEAk2hEJiL8ehBHOQvX7eMWk7tXI5qH82HW8YNsO1KO\ngYkCIQClkH7gH0vyCu38WUjwox5J+6nP2ChpvU18jL8nkYx3UA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUcsU3E0m2yZcl0aO19MYhx1+BCu4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NjE4NDk5ODk1NDc0MzkyMDA4NTE1\nNjM2Mzk1MDE0Mjg4MjEzNDgwODkzMDUxNDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMBMf6+Q0wViKxrZJH9idYUtLVPP7C8lGDtWZEj+jS3O6xGeHPn85FwwZRhbwaUd\n+cTPR8VPeYINgu85lk4ecBqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIGjcAtq\nnZ23TfwiBTG34AX8dGKwMB0GA1UdDgQWBBSnIHc8mUoxtSXK/q6zKK/sFm6okTAK\nBggqhkjOPQQDAgNIADBFAiEA3+6jlqPtaSNwYmMZ7SDSOgIp2JwbdnfM3bWM12pN\n6cwCIHN+40VZJQzbE80fvEqE9ulWd58V9EtyQjf5KjDwv4cL\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYrwyPWhoX6uTbYbsTRa1G3KqCagwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTUzMzEzNTQ2NTQ2NjM0MjA1OTk2NjY1MzA2ODA3MjEwNDU4\nMjY1MDc0NTMxMDIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0\nJlwGzfaCuGjw5hEfzK1NRQaMtuS0u20d5ON4Joc7kqeyjACV+lx7oYV2zz3t/V5g\nsaxppne0rWHVqTRMr2dYo3IwcDAdBgNVHQ4EFgQUtIp4PWF92V4G3FE+JZlSGO/z\nxN4wHwYDVR0jBBgwFoAUo+2uni86Ts0PlGJ0Dioy1EUre+QwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAODZ8f0WIJZMEA3u8bXIwAXkqjOI59MnAXvuVAwBCdTfAiEA/YWdA+JS\nVIgj+HRm2Q2YgGUcoK2U6d6RX5DlqEmjj9M=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUR9w6bBkGFWvp3zyNG8ZL/b/8MPcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYxODQ5OTg5NTQ3NDM5MjAwODUxNTYzNjM5NTAxNDI4ODIx\nMzQ4MDg5MzA1MTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdxMF\nIAJcAIxpWWQf2RZoB2iaNGhKFe2Z9kwbd/bCImGOVk2Aevro0z2O3VP+HTaZBZB+\nfehezGCf0b7HKKDR7KNyMHAwHQYDVR0OBBYEFFt00+RPHLeazNEvEP8YeK3hszES\nMB8GA1UdIwQYMBaAFKcgdzyZSjG1Jcr+rrMor+wWbqiRMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHkx9XdXX0gE5L0OMZZo2SgbJ687jMUXLDgf90a25KMwAiEArtxYjP2Sb/eY\nJqxu2nJU1QH3IQYF1kHXd8PisN0/r3A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNdedzaqSb+yXV2weymeakfAFPlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8E3kUlo7ofENLxn4Dv9mGxxQ5NpU9OsoDW7uH\nqO/apCO++C5jGYYVGOc8qg4XEpfnyAnCy2ThB/pZ1ROwKx/ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWdHGgdjgBvStwiPaZbuADVDsc4UwCgYIKoZIzj0EAwIDSAAwRQIg\nOmBYqJFhtLWiaxMA7+25VP1EuSs+AHj4E75BY7UEbuECIQD8x8yUzvOVGiMDsAmW\niY3uwQnLku/KadUFJRkHytObwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXZxs/zc63Xj3oL1EjAl20/p+iLQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZVc2SbAD9Gji+sDYt20e43jRHSTeX8SRmv2YX\nI5NcmwTa3vn4H8qIAW3Mux1txIfHn3FZ2B5te8vtZ7hU5siDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Oyrzd6zdjTqSUxyD2ppjWfMLn4wCgYIKoZIzj0EAwIDRwAwRAIg\nGdRN3TQBxcl/uMcmlD4gEpoj+jWUQwOHPGDmkAuHpHECIF8UYBd/iQ+WcEnYUSgT\nzyp3EMoGc1qPPrGcFIDpZ9FE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUf9Ct102DjZlFlUmVBgkbfjU73uYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDczODQ5MTc2ODQ4NTMxODg2Mjc4\nMjc0MDA0MzgwMzkwMTY4Mjg4MTc0NTY3MjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKHJ0CCMTErGh/3hrxSxBF4G+xmqa9+3UcgXBR7+G/f2PuImBPvK7wnU+/RxHrsW\nuCFSCXEVa1ExI7/w0w01w1WjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFnRxoHY\n4Ab0rcIj2mW7gA1Q7HOFMB0GA1UdDgQWBBQ5nkJBJ1y30hiksavEgtrN9ufMFjAK\nBggqhkjOPQQDAgNIADBFAiEAn6hvWe+uiBk6grutCibgtL8RvI8vJJornmzHY9x8\nW78CIAcJRi8nZAAIxuZh7rvb6TqY9Rh+ycjCbedMx7aLHDSM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUKGV7Lettg6yN4q8XSXRyuengUOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzQ0MjQ1NTI5MDk4ODUyMzI4OTIy\nMTIzOTIzMTkyMTAwMjM1MzkxMjI4MDA4MjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNanc/GtgRAJ+8w17h9N957aKiBhPFkFK+r8RSFxzdQe3vAiqBZRDeW4bbVr+MMD\n6wm13iv/XTN5Brh1zb5TFWyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNTsq83e\ns3Y06klMcg9qaY1nzC5+MB0GA1UdDgQWBBT5sXn/MTa3La84qFrvz95Ew1IJWjAK\nBggqhkjOPQQDAgNHADBEAiArRq/GDmvbslOKRKuHX97lDfpz2yhSBFMYwNmlmsCC\nzwIgDsa2gx9OgEIfgvEh7GIJncv+IZ6DpQ6B8GPaDndDWWY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAXsnaTuCto8KFaUbjFbjfyayaNMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA3Mzg0OTE3Njg0ODUzMTg4NjI3ODI3NDAwNDM4MDM5MDE2\nODI4ODE3NDU2NzI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATH\nDotgwRCEN3kaVNQbGORQlvgmFCJoNXJry1sN54p2D2mWxv4NwH5f7YnG+k1iuRiq\nAUCSzu8MVLjiIMhRf27ko3IwcDAdBgNVHQ4EFgQUkDP3YMc3lSG5Dc1wZfM7ZC2C\nABwwHwYDVR0jBBgwFoAUOZ5CQSdct9IYpLGrxILazfbnzBYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgD/956a8EThJYT1XHka5r46K7RnPH/EUEU9qSl6iafIgCIBhKYbdI8IEB\nOrdfUv6l4+ibp+s6IOLUITv3KI2mGM0a\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUDRyhJBOfiJnWUnzCwAncCGthqVYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM0NDI0NTUyOTA5ODg1MjMyODkyMjEyMzkyMzE5MjEwMDIz\nNTM5MTIyODAwODIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYhvS\nvZQ0SdqIlJtyI0mFwGGslfd9xPcglTwu62sKRn5noFzE9RbngUAIYPlJbHuB8yOx\nzhd3chCmfAgPCwBbuaNyMHAwHQYDVR0OBBYEFL5pjZb6hDL66cOzDRRAvtSb9QrL\nMB8GA1UdIwQYMBaAFPmxef8xNrctrzioWu/P3kTDUglaMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDWtLCARPj4ErQinWQ/tffwftTqWRtSawGg2FrT+8ZGzQIgVjVCHERWh++L\nL9AknO8gy0GL2cdbjSTSIK/CpmbWatQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaTIhsFabLLdSSFdh+pAWSu6miA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoMx5t95Hs/y3wXUbejn2YVImt/8EJTdGRezG9\nLxE2rFHhxtTCmNfi16cW+pSbY6rQgr9kJXhlbzH8+zETI5NWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgPmdaCAKsQ2SdISJvSWLVm00g0owCgYIKoZIzj0EAwIDRwAwRAIg\nXvhOds9wdvQw4r/kKWxtdH575OhVeQ8MP2/O+gJS2BACICI195loKbsLFVh7SGi0\ntYAJtOvgzIoiQPUQR82XdIW5\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdYbukv3hjXO5VgtE2KSKku2tEZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXSlpakohdkIfU+HZCgIYqedJ/2hf4Z+PmTfWj\n7qxQ4MDeBQAxWYWuXUdBtMRHoGvJkE5rxOHyUhOoKw3UlVngo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW8rl5YbmNBw56tu8cUpDINlTTCUwCgYIKoZIzj0EAwIDSAAwRQIh\nALNhLfMKtuQc61wUW5Q2hQ1P++71zMLLs6NQ83HlLwDMAiBq+WwZsxO4aImu6fue\nprPwZ8UwqPKPahJ5QiMsG92FsQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUfx9MviWtxMsVuqieltLOwq+LsEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MDA1NjIwMDI5MDY2ODEzMjc5NzU2\nODI5OTE0Nzg2OTI2MjM1MDAwMzMwMzQyNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFjZJyhu/QIg3kkSxh8Lsfs1hYj2r6688CHNHsX7MiKeJQJ6wb0BuvfUT9MpOr+g\nYckTbBvMsP1I16Pb0eo8V1qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFID5nWgg\nCrENknSEib0li1ZtNINKMB0GA1UdDgQWBBSB6RYlNaGAKiXCe+It9+GYBFhvkDAK\nBggqhkjOPQQDAgNJADBGAiEAgTAEX2+JyZ23aNHBz6J0LkYWlRHXECRD3gAem2M2\nqhcCIQDHFh0JqHTHafCtM5XIMtpTufhDqrL0A+0kdtd2UFydsA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU6VUCmeAzKtnS+Zx58bRWyGs/JUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NzA5NjEwMDI3ODU3MzU0NzU5NDcw\nNjY3ODU4MzIxNDAzOTg3OTkxNDcwNDUyNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBqu2hwWlEBdsBZfzJOcCesK5F90MgQrJHQyFt3AGqzOwvtQqD/zVNQ4Ii6rNKRe\nSup5relrC5PB+jPnJJZc5RGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFvK5eWG\n5jQcOerbvHFKQyDZU0wlMB0GA1UdDgQWBBS39Kk+kGPl4okaDJVWncZWfECVxTAK\nBggqhkjOPQQDAgNJADBGAiEAgZKdccMBEAS6XgONmtARGYsATb0bUPM/kLDnmZ/N\nuecCIQCC0IbWsFE+5BAno3g3ank5r+X1g8eMeRkuKFePKw27rQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDXr2K5rx3SSjp7pxAUSLtBq4CjQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAwNTYyMDAyOTA2NjgxMzI3OTc1NjgyOTkxNDc4NjkyNjIz\nNTAwMDMzMDM0MjU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDcyNTczOTgzNjIzMzI0NjI5MjI5NDk0MjY0MTQ5NjI5MjcyNDY1NTk4\nODEyNTc2ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWhjyfemHyMcWwHqKLejeGMlx\nhm1o3fF/Vt/ahxGimqcClPHuRgK/mu4W33gaq83o/q2I3Ch5x0DPJVRJw80gm6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUgekWJTWhgColwnviLffhmARYb5AwHQYD\nVR0OBBYEFPtesNQPeNxTrd4TtQ5kXOl0AGzwMAoGCCqGSM49BAMCA0gAMEUCIEp1\nwxyujkkDa27Eggs1P+pa2DKUmpEqAO4PdQv3KH36AiEAgd9hZkTe2glwgBsby5Zp\nXclb1aQcniut3MmmRXoUzeQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUCcuVv2UH9elbSHykDsmsBRhx2ugwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcwOTYxMDAyNzg1NzM1NDc1OTQ3MDY2Nzg1ODMyMTQwMzk4\nNzk5MTQ3MDQ1MjczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ3NzUzMzE3NzkwODU1NzQxOTE1NTA4OTcyNzgzMjU3OTk0MjUzNDk3\nNDYwMjM4OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Mjb4Grk6BV7uch6T8iwo386\nJohLC7xe6mukwIsRGU92CICaNiYH+aFyW9GIUrHA5RLq2lcSpPu2k8VmLOAUN6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUt/SpPpBj5eKJGgyVVp3GVnxAlcUwHQYD\nVR0OBBYEFCuObxtNv7n/rXlTeabes9tgLlQlMAoGCCqGSM49BAMCA0kAMEYCIQCO\nidUzjBh/5cFjxkNbT5HLSvkdhFTILOrr5NfDiJZ4eAIhAM0cLh9kRQxJXKmRiflx\nDXBZ9NfTEcVRtO4Txsou0r6g\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUaKBrmdai/A+uPJFAIae8NoO678wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+mmWDbYiuDiRrZ7sAE6G0SpobZM5hHn5QAlZ4\nDeGV8iRbX39Se0lRX0Nqk5AFeuoJ7ywRHox8JEbBlJefWS5Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqiV9cR2FkOBP+1R1r+tfz8IUoqowCgYIKoZIzj0EAwIDRwAwRAIg\nQUYoPb0KvCsSTVujDtYqFMHLLgnQlW/lk9xaxeMazAACIDT7LFbdytdRf156jZSv\nJ8xBI8G40Ws8KX/JMTvZrUHk\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBqU1xWpOmXtOyaxBDe0p57ajmkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD92ge/U1Ypjnr2SXn/RntAECr1V8+Z5kk5Zfg\n12PvjszoIwof8gKvC2t01q0sZd3wVX8Rk6H8+nZj5xaazzyso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFg0VHlqkEnDrc4rgLRo0yTbIQbAwCgYIKoZIzj0EAwIDRwAwRAIg\nT/i05eyWloK3ytMj2euVDgcCOUo3UEOFCoHFj0bMg8wCICTiGeglpP2Ts/8SG1Oq\neOUTdupD2rudTJKTNW77LJ9X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKAlCDwMjfJJmKRJnqO+fgrFWk94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjYwNTIyNjk5OTAyOTA2MzIyOTkx\nNDM1MzUwMTg1OTczNzU1NjMzOTQ5MDI5NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDd0nx49BGSjubB5NYW2ylMBuquO2vJ25PMsCPAny+Ipl/nEY2YWjMqXTPJemMU4\nY5IaWP5D5CnJseoU5QSTMBCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKolfXEd\nhZDgT/tUda/rX8/CFKKqMB0GA1UdDgQWBBQyggvQ+OW3jUYnKDsy0ho/86TcZDAK\nBggqhkjOPQQDAgNIADBFAiAviTAZeC/PwTrbr8Q/QUjPzGZovX5ZGabl0DJri9/u\nkgIhAMBftKsTGT01H22TEGgOMrmaiSGUIozUUPMIXN9SGeGJ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUZEcBqrZBOARxDKMZ+SGkn2W8P5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY2MDUyMjY5OTkwMjkwNjMyMjk5MTQzNTM1MDE4NTk3Mzc1\nNTYzMzk0OTAyOTc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIyODU2NjA5MjA1OTAxOTI5NzU2MzA3ODM3NjA1NDk2MTAzNDEyOTIy\nMDk5ODExMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKnu5tkzGSo0Guw7deWny1x34\navCf2uKPqSJA4MOqHJA+sPVOWQk0D2ZRXTGUhOdGdAAR2wnhws55MJVlH9g6X6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMoIL0Pjlt41GJyg7MtIaP/Ok3GQwHQYD\nVR0OBBYEFFl3wq9HgB8OtRf/NPVg7BtH23n9MAoGCCqGSM49BAMCA0kAMEYCIQDi\njtK5wG7vaMN38Fta/i+KuJDNxzWzA238VoOHtOu2gwIhAKpLJVz5xB9sflyqxgBa\ntDgrUUJmuR9chPEH+nl8Rnbq\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUCx82PbewIoMPfgFwGy+/ZY8qWAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC8zNzkzODI1MTcxMDc4NzUzNjM2Nzk4\nNTYxNTQ3OTA0Nzg1NDgxMTc1MDA0NjI3NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\ne2lR3+4/R1AWNAp/kORNv5Ec1Ny5tRlu/P4I0DmRigHadJ5OiSmk96FVQZ+US2LL\naIgg4llTwlQAZYiNiOKiiKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUFg0VHlqk\nEnDrc4rgLRo0yTbIQbAwHQYDVR0OBBYEFIHs128pkU160J5UI1xTqBeb17S2MAoG\nCCqGSM49BAMCA0cAMEQCIAD0WCCCOl/5+ccnZCuY0SEsKyLVyw0iYDE7/a7eVIq8\nAiA46pQ3BkkLnNBz5ZWs9XUWLL4QhhHazyEIxXsMK2VJ7A==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUA8SEa4oSYrlYn94MFrJDG0o4AwIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMzc5MzgyNTE3MTA3ODc1MzYzNjc5ODU2MTU0NzkwNDc4NTQ4\nMTE3NTAwNDYyNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvNjM0OTQ5NDY2NDUwNDQ2NDg3NzU4Njk1MzMzOTkwNDcyMDY4OTMwMzI5\nODY2MjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBUqx5rnwm5cxWwcnxI24FlK4njz\nKICSd6UWUKDOM3dbkRQex4Zw40fg9VVgm7U3XCznxiIFmaV3VYciPDrpLMejezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFIHs128pkU160J5UI1xTqBeb17S2MB0GA1Ud\nDgQWBBQfb373awFSZszr4M/2CHaZB1huxzAKBggqhkjOPQQDAgNIADBFAiBsoq0X\nrS03T2ieHfniE8W8PDmFt9nOD2FOSEOARf2zRgIhAPtTI40gmooI1Q+ZE2ZRq8hL\nC5aY4HbSotFZoVww7Elu\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUVZjUcJZP5evuzb+B5aWxKrAmkwUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI4NTY2MDkyMDU5MDE5Mjk3NTYzMDc4Mzc2MDU0OTYxMDM0\nMTI5MjIwOTk4MTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQA\n6TesGeLq+CNbUaIjFbpp0M0RxGffwF2BYTccVsF3nebcZ10w7l8v9JX8kPuY0BBb\nyamLL3xwTnitQvu0lAguo3IwcDAdBgNVHQ4EFgQU6tKWwuCZYTBIm5lg92e1Isaf\nKJ0wHwYDVR0jBBgwFoAUWXfCr0eAHw61F/809WDsG0fbef0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAN/0i0vVE8wvtMByqm1ZdZ0iQpy1A3SLLi8F+z3ibl1AAiEApGtV5Hnf\n5W42YAPoNkI8Ud1JCRFgQZInV02x/2RICdw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUSv8TB0nC8MLXUxyfCOr7Kn+22WswCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNjM0OTQ5NDY2NDUwNDQ2NDg3NzU4Njk1MzMzOTkwNDcyMDY4\nOTMwMzI5ODY2MjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3wpJk\nAPJb2h1wEAkm2IYljeErxhbqjjTRAVVy5UyftpO5yEMGLpdX3tSz7J/4FrhhmenO\nC+1SXePbw64tLrgao3IwcDAdBgNVHQ4EFgQUC+3yP6AsJzJ8fpdkzO+wvk127wQw\nHwYDVR0jBBgwFoAUH29+92sBUmbM6+DP9gh2mQdYbscwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgGHBx0aKfHr3S1d+Qr5t8/OQsdwzn5h8bYKXEUjAxRpYCIQCzydrNMRjLKnaA\n7oNn9YWoxHeAuYfy+TH+cj1LCVYjZw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZhppNZLcbrGcIeJaNI2PCBLYQhEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6scFInXz63TSRKRlCEnTsKZo5LPayLqLlVhLI\n1+OTB6H81lc3dRjx+QCwVt6nQZ6fXpLG8QY8PXL2ky6WgMGGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlSjsRzoyD+3ByOAYrOh20arRuRQwCgYIKoZIzj0EAwIDRwAwRAIg\nVaVgIoGgESMRoHjrffq4Fscgg6eSzdXAjWkJgJw1WCACIBFZ2CEKwprMNddZ6/sq\ntLaiQcEVV2egY5NOJVCf7uDY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdAatMnZs6LbIGgPbq618XuyG7uEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQppGD6FEgCL/xxFLsplofkFY6u2rnhnMuQ8H27\n4sy9JNW0YMwnolJh1AYNZd81sQ8vCYpWPsOUiueajUKEVIpho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAjvLgXbHjogWN3alUohYSFnh5hswCgYIKoZIzj0EAwIDSAAwRQIh\nAIFUWWo+Qbhmk6g/DHe8FFlpfRQ5obUs/3ds+plZHbjzAiBqozbEyLrhj0U49BlP\nDg8kImj197LBRVFyqoqskbF3rQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHJxht/lrZLA+1Xm2yV8vb/y9ArEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODI5MDYwNDMwMTkzOTM1NDcxMzkz\nMzQyMzQ1MTI1NDc4MDk4ODg4NzA4NzU2NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA2N20Yj2c9dDYOEKTVVpKtF6bpKHUZKgDjR1XrID7Xe8ZRMJpZ/fVrGWAdRLGv1\n5wWncaPIJZocuFK5sSWFGuyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJUo7Ec6\nMg/twcjgGKzodtGq0bkUMB0GA1UdDgQWBBRIhShIrXHROJjVZu1ALDhiAw+PHDAK\nBggqhkjOPQQDAgNIADBFAiAXJjtd9Xf49oHvcVUlbB40aiLRR2dZMX5NCbvCv2xW\nTwIhALBkaUvHuMoexC4b43OLNK8JPJuozLl+2w+t+sFHuYvU\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUOZn4NBi++kszHmL0UTuhRhY2pI0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgyOTA2MDQzMDE5MzkzNTQ3MTM5MzM0MjM0NTEyNTQ3ODA5\nODg4ODcwODc1NjY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE2MzMzOTE3MDMyODk4MjIwMDA4MzE0MTUzMDExODIxMTU2NTI1NzMw\nMzU4OTU1MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExqTWD8RfDBmq49S0i/mZYeSn\ngqkzoSI0JW6NNJ2it0qkjKqYpI5wMLT4Po4zHz79jQs00D1i9EaYKazXAeDlIaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSIUoSK1x0TiY1WbtQCw4YgMPjxwwHQYD\nVR0OBBYEFG+rQZku39qgeuDjBD9np5uhxGIbMAoGCCqGSM49BAMCA0cAMEQCIHnl\n2OmXBGZMlv1+dOPqUwtS1QqsEozCnkdkQeQkmb0fAiA0qlQ6SpXtosVckSmXZydN\nuyhajAdjV1WLQ4Ga88FELg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOJ3As560sCQzDquFpg9xMiVeuMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NjIzOTE4MjE0ODM3NTU1MDA2ODMz\nMTA4NTQ2NjI2MTAzNDMwNDY5NDMyNzI2NzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAG52H3cdYGwjGjDZbnUq6F+wg4/TXLyi72g2Vp63D4cnIUFybj2hICi3xQL+fAF\nExWPnMcpAbLqeZZ1RnKQq/2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAI7y4F2\nx46IFjd2pVKIWEhZ4eYbMB0GA1UdDgQWBBSPEAFoq68AsDxIIPe7KEbjWf1K1DAK\nBggqhkjOPQQDAgNHADBEAiBGQo0Chs3xu97t+gCSyIJz5EkgqdACau4+nskMb9lo\nJwIgGEhU7Hr5yQZ5PBx5OnQk84fUlArOFh8JR+52ytoHbxU=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUNZtiifhS65e2Zmm1zrsqmKwFvowwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYyMzkxODIxNDgzNzU1NTAwNjgzMzEwODU0NjYyNjEwMzQz\nMDQ2OTQzMjcyNjczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMyMzIyMTQ4Njg0MjcwMzEwNzM0NjI3NjgxNzIxMDExNDMzNTgzMjQy\nMzcwODg3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJZFITrGeXqeUlk+ae4vKsumx\nYBhzpSbxfYuGCug7yv/KL2yaKzxOsCuzLDft87oCwOOxSOWq/mAEzC+ux2KZJaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUjxABaKuvALA8SCD3uyhG41n9StQwHQYD\nVR0OBBYEFAWjj1Yfkn2EHNt9fGBY+HNs7FKQMAoGCCqGSM49BAMCA0cAMEQCIDHr\ni5cSwjf/AvqTzaY+gm9vA2aKl6DPKQGe7q0mlSUDAiAMzyoQhajSWPCZ5PpxoJ+M\nvCaNP9h6WZB12rCrpYgVdw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIURqxWMnqIRfRNqLRfBeFSsLd72wYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzMzM5MTcwMzI4OTgyMjAwMDgzMTQxNTMwMTE4MjExNTY1\nMjU3MzAzNTg5NTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATF\nI4Ag0YojqVtawrbO7aLJH7rTdpWDYBCZqReJRu4dXgyNFgePcnMAG23cqDWmDPf9\nUPdf/7Jpj5O1bp8YV2yFo3IwcDAdBgNVHQ4EFgQUtBFyjH0L2bzb0Xs9bSEpYkg1\n+jAwHwYDVR0jBBgwFoAUb6tBmS7f2qB64OMEP2enm6HEYhswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgNwdoQUaRSWFK7oKXfMP551TBNvhRrL60+eXYnQHRfjUCIGVMw0ut2gmC\nUOdP5RS1UUYFJWtcqXvzbSt4FQvm9TlZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZ7FInVwSWrKxfAiNK9+iAkexBa0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIzMjIxNDg2ODQyNzAzMTA3MzQ2Mjc2ODE3MjEwMTE0MzM1\nODMyNDIzNzA4ODc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/kOV\nPHtiajDtg2hzl21xU2L/lpOyGsLggdH9gghqn/F/UmfpneVWWC7CnCgTgbnqITvF\nTLRuVnrL48rEeNsj3KNyMHAwHQYDVR0OBBYEFNQgkDeyW39mKmCGgD6aCV987Fdx\nMB8GA1UdIwQYMBaAFAWjj1Yfkn2EHNt9fGBY+HNs7FKQMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCsutTDAO/b/as48ZfBayWU7o8DmURK8xvmoX/jz75lnQIhAPXTOcMG/Hqn\nlNDPbdbYaLJZ7+n4kGOFoQZUxy854CNb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCBjK4eGm3OwwYUOIp8gbyLI5zSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYLPzXwrPhUrXJi08t4AR4AWnezhFHttfyJFFJ\np0ILZm6mSxIQG/TKfvqj+77GpMJ16XTPIgYXJSNJJjksZDMGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb9knBBocZB7fGu9qy8qugeiKEmQwCgYIKoZIzj0EAwIDSAAwRQIh\nAJr65fotujRkKZFoJVsDfxch3hcHaKfoQpXXn2y5b5PSAiBdW9Q71UvUNO6I/jtK\npC3JfA2E92SmZ2/1nTFQxUzpLA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYkIH6HyTtasMvtYkW9u2/xmMy04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATNjlipPof7dUF5uVRvfQp+6clTy1Jw/tg+c8d5\nXPG0ReKRjXBF6rMJTMEsyhKLcu+PX/X9CD5pquDgLk0+TPwio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8e+ofhiXtF36v6aJ5LGmDte3QVIwCgYIKoZIzj0EAwIDSQAwRgIh\nAPzv/Aayj7TUxLPSUeHiG7eT6m326oYj1wPKfdXOfRXNAiEA5tQ3hWyfOLnbyg1e\nXkAMR9c18Y0yUbWGVUEQFCNF+K4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUfOB8Ssygzh836H3u58FOOqziUHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80NjIyNDgxNzU5NjU4ODkyNTEwMzI5\nMzc4MDI2NjgxMTg1MjU3OTMxMTA0NTkyOTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nXYC1qvHHAYdCSX+My+J/7qWkFXgEfM4Hj9EhWMX5SCglmd6pk9O6CpHxC63toO6a\nKjr3pO0wn863sAWV04xxHaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUb9knBBoc\nZB7fGu9qy8qugeiKEmQwHQYDVR0OBBYEFAp9z0vwUxeerxjtwBTtSxoKmboMMAoG\nCCqGSM49BAMCA0gAMEUCIFD+66QaNuhQ1DLTcIIO52YECBeIM6YG7cuv55NozPnQ\nAiEArTH6aDojEd2ckX2958BCFZ9+c5FCzcxQFZeApDujarc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUaPmW4Q9tcXfy7l3m5O3htVNn0h0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDYyMjQ4MTc1OTY1ODg5MjUxMDMyOTM3ODAyNjY4MTE4NTI1\nNzkzMTEwNDU5MjkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4NzcxNzI4\nODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpusCOWd9KnwWahutw7wyF5Sn1\n9A+5JRihW1OECYuMjmDLOTIZhdtMS4+CjOktdzsH+X+cz8PAsH9h70AMDumXo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQKfc9L8FMXnq8Y7cAU7UsaCpm6DDAdBgNV\nHQ4EFgQUZ2uWOdmcjFBTpxPdXpYDtMadPm4wCgYIKoZIzj0EAwIDSQAwRgIhAIRO\nFAZk1bilGhjKSRtelVt09tSDs+Swo23XWvUBj5rmAiEA+rB05EakmtU0mjDT1FhM\npzBOuV2Gncs0bNo5/HAlcEU=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUey3dLn9+amxnkbHvxUrp4Jj6b6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4\nNzcxNzI4ODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU5OTMwMTA2OTE0NzA0MjQzODY0MDYxNDc1NjI4NzUzNjQwMTg1Njgw\nNjI0NDg5MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0OU557b+Z4lXHqHtKlGikElQ\nMzeJra0ZCQOXVeoJ8VfvlQDu/WFN0XX/Rl/z6Zysn21e8O9U8pHTSuzPSpdpU6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUZ2uWOdmcjFBTpxPdXpYDtMadPm4wHQYD\nVR0OBBYEFCyCoceOvRxS2+gnELJYbIjQHBrVMAoGCCqGSM49BAMCA0gAMEUCIH+t\ntHe1iCg8wAXwyoUVCefpqDwA1UgonGC5LMHHFkj5AiEAl0/BEdI/xogQl0X27av9\nodlRXK956RphkNj4j1apIUo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUF4x8kNV5O8FmL9BC0K4l4jADERYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NjA5NTM2MzM2MjA5NDExNjYyNjUy\nNzIyNzMzNzQxMjg5NzUwMTM1NzE1MTMxNjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHfiSZcMy0ga4ZIyVT31L494dkY3OnmDnEx08mYPi/jy6Psd01t7/wV2o/LoOxNC\nr8IdpYdWWZi4yOhi9+1wHtajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPHvqH4Y\nl7Rd+r+mieSxpg7Xt0FSMB0GA1UdDgQWBBSp4Mo2PflzZzpnFMjqWPW02jtH7jAK\nBggqhkjOPQQDAgNHADBEAiBgxp/JB8nAGOTKb9SNUlgFiQ6VGCpPKbLz5KS74PKo\nHAIgBUXrbieEIuWDMoDTSSOUy/217aQTVPcZuS5IfVd2+b8=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUZKW06B1lKmCkTwKncq6yHr90RO0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTYwOTUzNjMzNjIwOTQxMTY2MjY1MjcyMjczMzc0MTI4OTc1\nMDEzNTcxNTEzMTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEzNDQzOTc0MzI2NDYxNDAxNDE4OTc5NzI3OTYxMDE5MDk5NzkxMTU0\nMjg5NDg3MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm7U0UfhoAOMCD8i8Y7TLHuFp\nVXpYYql9VQCjMDMOj68p0GSUskkEy1FQrQYqUmS/8wd/fLBKwxMa328FsO94haN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUqeDKNj35c2c6ZxTI6lj1tNo7R+4wHQYD\nVR0OBBYEFBQ20+fQntDWal3FSig2cxLeyOtuMAoGCCqGSM49BAMCA0cAMEQCIDRi\nXj9Auo/BHOhBgyA388ym3/plIUC6W0al+M6GmgiLAiB1OLiuo8UOUW4KdI/dlZyv\n4M5O9qbk6njdTMxfULpQeQ==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUDf7YzrIU0HT+r1L5UhXk/I5bD0QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM0NDM5NzQzMjY0NjE0MDE0MTg5Nzk3Mjc5NjEwMTkwOTk3\nOTExNTQyODk0ODcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU3NDU5NDQ1OTIzNjE5MTI0MTEyMjIyMDI4OTAyNzg4MzcyNTEyOTAw\nMjUzNDEyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnqTOoS+VRfVQQ1YjTy8tH9PB\n8QeUnF/4Uw0YXm2XFAxHyzUvkUjC9NmW2gFsT3OOumdHUpNRY2ERvGOS0NPlWKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUFDbT59Ce0NZqXcVKKDZzEt7I624wHQYD\nVR0OBBYEFC9DnHOfE4c7Lpe3QlX6XJLZ7qagMAoGCCqGSM49BAMCA0cAMEQCIGVv\n0Xbl2CV0KVaz9hZetFbPNwAOaLPzb1ItoI5ts/W8AiBDu5KqM8eRhw0r7cY0pZ7L\nSfk1CuBljVdhNUYKR3bdPQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdFhlIvu8yYJhueesmPhiu+qmdbgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTk5MzAxMDY5MTQ3MDQyNDM4NjQwNjE0NzU2Mjg3NTM2NDAx\nODU2ODA2MjQ0ODkzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATG\n1VWfEuIPyiJMGieW4Kgv0N//fUemt5Q4wBoFEy2edU+JnfvWxrQeBkId4L8phRKF\nbk8Sw3x8KmUfp9U/67mIo3IwcDAdBgNVHQ4EFgQUGjKOOF/gWnETIKxLiBhB4m/k\nepIwHwYDVR0jBBgwFoAULIKhx469HFLb6CcQslhsiNAcGtUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAKpuuN7+pfwZ2CmTVgL8wHL09AlDxkCBS4sOsw3PLrD6AiBAfh0yzIX4\nRxeEYhkHylOiN/6xriFFWx+qPkBChYIASQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUdxtQB5k69E6e0+FU77YGWXhkT4wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTc0NTk0NDU5MjM2MTkxMjQxMTIyMjIwMjg5MDI3ODgzNzI1\nMTI5MDAyNTM0MTI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEb9mJ\n5NhazMJ6JvM1eN8ZsrCIrtgUC70rM2/z32RSO6ClXmNlg1njWuI+7JH5cKny9u3o\ndbUoIDp2j/QWP2A2B6NyMHAwHQYDVR0OBBYEFILHz+JssK4yFOa07+Ihh2C8CRjC\nMB8GA1UdIwQYMBaAFC9DnHOfE4c7Lpe3QlX6XJLZ7qagMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCICP4zv7G0ye2LFLOxTSSRzMzrF2xsr0uAObrqySEOt8SAiEAtXPaYWRJG1H9\nNXmNJKVjSDuCYE9YlMoOEZh2zPR9+hk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGxCUX0Kgg80o5UhihVX+I6NKx0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6qVL1UN7Zf6n8Oh033viPI427VJOE68G+5Kdo\nSH5Nk+FqvJv8ikV9OKBwhydP2jBJOqB7rbkjfe5ccE6Z65IVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOnuul4z8icAwQb/gJ0Cz4bkjI9AwCgYIKoZIzj0EAwIDSQAwRgIh\nAJxvWF4CivKlcZ+B4YBK4aOhRF9AmMLxT5MTTpf0P82CAiEA4Hsv0UKuEvSfYkQ6\nmHfrY/kPHR3Q7vrjix25AgdP6pQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKnBMzL4GAdsBKVtWu1/LZe+JAjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ5Cag/4oq0Lxoy3vbrheaEwKs1Ud3J1qyGhdfu\nwIe2r2wxM3cp3Z0/W3hZQeZ8D6ZFiynBAdiGK0SyN3Qvf5Jno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0QISazXC+7jwKIsMuR8bM43zSikwCgYIKoZIzj0EAwIDSAAwRQIh\nAORGzj52nHU5F9F6XEUTe65KTNxsq606b4OkVQ/ZNsYaAiAvtbGhaSHh+2WNx/7r\nGpKnQCuV6rUtuGGI33JP9SFEJA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFKviETWHZiMkB9/rH5W+Cmk/2TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTQ1MTI0ODc3NjkxMjU0MDM1OTk0\nNzUxODU2MDkxNzM5MjIwMDAwODY0MTkyNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKx0DjrwMSIoA1MV+KI/NjRkSsIeCzhJKXmSYfnjm9vIQNnVhxr+FnHGL32oQuhF\n7NPqD/ydZUj2OAdaGNdiEiqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDp7rpeM\n/InAMEG/4CdAs+G5IyPQMB0GA1UdDgQWBBSft/+GpdzI4X2eB6WG73M1f8PUETAK\nBggqhkjOPQQDAgNJADBGAiEA77CtYDOnp8yWGHcD/ebi1+c0cwcy6rBaKHqJeQ3q\nLHUCIQCyLqwTkQeA0ipA7BfWEN2JLpXjM+4ay9Qz7MAg6IcZPw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIURNCDi9snbNvflWLBGmwy9ziBUZowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE1NDUxMjQ4Nzc2OTEyNTQwMzU5OTQ3NTE4NTYwOTE3MzkyMjAwMDA4\nNjQxOTI2NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWE7DgOr0N0fR8AcO7fLbYbwn\nRCre1VzQ3naOGMZKeHQg2JTzTeLkqwHCbmTw7k+tjva7Vx73B9YwJvaTX326RqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUn7f/hqXcyOF9ngelhu9zNX/D1BEwHQYD\nVR0OBBYEFP/DiZqNQjh5pXXydqF5rdBjA3xuMAoGCCqGSM49BAMCA0kAMEYCIQD7\nwJoNaGb59DyRwOwD4S4DCRwAphaK62DS8l59xY0bAgIhAOzrD000WTngfLkV4INs\n8jg4ho+Z5dJ4XyjWpfQCDWbP\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUd08HRMWrrdIaslsidGzBuCyGBsIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM5Mjg2MTM4NjcxNzMyNzE1ODQzODgzMDMxNTE2OTk0NDM2NjIzNTA1\nOTgzNTI5MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ZXab3JX/Odrq63GcAXxPnro\n6EnJy0pxm67TiEYBwo2RTyJotmXgpB0kAAU+VFS0ip/Wu/C2+Sd3V4JuqcwQFqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/8OJmo1COHmldfJ2oXmt0GMDfG4wHQYD\nVR0OBBYEFA4UwjHxCpAznWEQG7ousgIOwTE5MAoGCCqGSM49BAMCA0kAMEYCIQCG\n/eQUldkgplGhnYKR0oGn9MLQXHrqrC3d2e55HDY6kQIhAKjoBhTDF1DUrTgTIMQd\n9GCdtU8ykOysBlSqD0H+RFxA\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUGNXBkwSB9nZkTgo7Nu6otmWh7QgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNDIyODE5ODYwNDA3NTQ4NjYwNzM4\nNTc2MzQ2NTU1ODU5OTk1MTY4MDAxODg5ODAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOStpyutj26rMiFpjYs4nNOdDemnilBtzxkNFBvXjKpely241ssckqtk42ATAO3Q\nMsWPuuIZUrDLTNAQudNAjMijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNECEms1\nwvu48CiLDLkfGzON80opMB0GA1UdDgQWBBT2YYe/cftfXSgklKBearQjJpg+IzAK\nBggqhkjOPQQDAgNJADBGAiEA8PMI+0w9E/MsOPggvFZinyIG8izK2ATTWBpgwtfr\nKIwCIQDtS8njFFy+uCjpfV45SofqwhGXRE3PPZBapxzM8BsKgw==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUElfA871Vl2snipZewI/8TJUFz0YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQyMjgxOTg2MDQwNzU0ODY2MDczODU3NjM0NjU1NTg1OTk5\nNTE2ODAwMTg4OTgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI0MjI4MTk4NjA0MDc1NDg2NjA3Mzg1NzYzNDY1NTU4NTk5OTUxNjgw\nMDE4ODk4MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt4CIpipiO+0YVJc+VvVTY90z\nAXml5oHEX1gk1kwrJF8u0lSuYmkp8PjKF64SD5VWm5RcXF2jbEmk76+tW/hhlqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9mGHv3H7X10oJJSgXmq0IyaYPiMwHQYD\nVR0OBBYEFLZyWITdfFuyd76Fi+g6HVsAitfsMAoGCCqGSM49BAMCA0kAMEYCIQC5\na5+9p0hTIMhmg8fcfCMtjyXfukWWZq+99IrfF9CW8gIhAOYFYqHT5wrLWbo1SJ2T\nBGzUWkSEnH75c+PZlkKGLKw7\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXSwgRd0h6YDrufQYJsdUsUIvr9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQyMjgxOTg2MDQwNzU0ODY2MDczODU3NjM0NjU1NTg1OTk5\nNTE2ODAwMTg4OTgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEwNDcxODgwNzIwNjI4Mzg0Mjk3NDczODUyODY4MzU2MjE1MDg1MTE1\nNDEzNjkwMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPtK8vEjy6jSy3yGB0qxrzdIV\nmPymscS9ltnTjwXjvyiinhlIMqNg6ATPfKevZkf60HfHAoM/p2AZNiLy/HnVyqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtnJYhN18W7J3voWL6DodWwCK1+wwHQYD\nVR0OBBYEFAFOqFwSCEHA7B8Ciysxdo3M4rClMAoGCCqGSM49BAMCA0gAMEUCIQDz\nmb0zW5mILvVVDpgt7VM0bdrcoF5byVGKY72xYx1ujgIgPKhSFwH0DkCQvV67NNeG\nNs/XbUNFknQTdBhCSornNCo=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUKQy3aYO38dm5obV4Rnc4Hrg+G3EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyODYxMzg2NzE3MzI3MTU4NDM4ODMwMzE1MTY5OTQ0MzY2\nMjM1MDU5ODM1MjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQs\n5je9ywlWVtPOvUTLP/G4DANwsZ3mmvmrOspOGDXhrVtYf8Xjvc46xob/OR2LtYNF\nGMivzlWcBtOg41Mw8yGzo3IwcDAdBgNVHQ4EFgQUHHQX3Q5Y15UKuJnCxTjrp+JZ\nNDIwHwYDVR0jBBgwFoAUDhTCMfEKkDOdYRAbui6yAg7BMTkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgf82rJL4rJMBSEk4rGykWquZhwq/SvLMPWN6EUJYmoM0CIETnvKVjBE/2\nSWAiQ3XBffUsGT7rMo/G6OI1R1A2paRc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUMD8Rc5g/nuUbHQ1VSLnzThHQ8NIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA0NzE4ODA3MjA2MjgzODQyOTc0NzM4NTI4NjgzNTYyMTUw\nODUxMTU0MTM2OTAyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0pO2\nHMn/3uhpe3sOXTu1+BpOHEznccb5EO/a0cjaUy5wfYQzlG81gmbj3O/IhQRBBCvz\n9EwF52gl8Qz8NaAnGKNyMHAwHQYDVR0OBBYEFN4cu8RKFSCXWk2JdI7AYjaPJw/C\nMB8GA1UdIwQYMBaAFAFOqFwSCEHA7B8Ciysxdo3M4rClMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQD2VdsMlt1+vF0HDV3aAxrgPl3yVfHApdzq0LuIh9hSBwIgdQbf8WTJ+sCU\ndebwiuXjtiQQCTMKDUHxL1ln3xX0ADY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIURupFSypEutLP/4Fey25UuSoZhOYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECWGTw34b8GG6\no03HCarTFrxkRoMOjdsfcFfDWecaxRzoGqtwoH5wFku7mTNcnVq7P9Zc1ugrMxdC\nt25eLK0pA6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCkoMeLcfoIt1jTuyZdcsRRUmisk\nMAoGCCqGSM49BAMCA0cAMEQCICQUq6iLH12vMX1S7/b+RK1KjCFi+DnmyhGbG3+k\nYyAEAiBiUAqTIRfK37TzeeaXFLiDbkpcZUIhcd4eebx9Y8fwZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUBCdJEgY+A2N4c6rm/CDxSL4SGKIwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsE/YtKgnT/u0\nEZ36ikOZrMOyQaf/HNZwizPcsDd9o/P10bC3NHm01UkRWqYimWrtlzIvGggHG4X2\nmiWXaQR7hqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKc31TQbJQanJFI/na7WjWjVkT/0\nMAoGCCqGSM49BAMCA0kAMEYCIQCNwfqE23tUHdk+pLIhx38nF88aL3AaIcrCEyjx\n+J2GFwIhAOch3W+0lLGnJeL6ylLW1rnola/ErF6l9uLuT1OxDv7D\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUamTDLkkn0cPJZCLbl/niJre6Jg0wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEzSd+IWdSN8/YFxaAnKtQQRRIQnB0sPxp3+cbp0C9BwNO\nST3gPoUbrmmZyBuhlvWisM0ZWetODF+k3RQQFi/3aaNyMHAwHQYDVR0OBBYEFEoF\nrUVgteYQBWMKe/TOAsDz2Yc3MB8GA1UdIwQYMBaAFCkoMeLcfoIt1jTuyZdcsRRU\nmiskMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIFA59IJflAbWgdhWY9+GbWf8CEquAABA1Ua2\nOiQNRmZZAiEAvfu0/uXy3EEzQmfeqBN18cGaqLrqES4XqMuVQeZA7Oc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUPlOPcXOnEEwHpBphR1uV93k2kQEwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABGt780ZXb+Y6B0j+VpMstslRCLEfw7gQ7L79eXLMNRCNsykZ\nIDGSG0cucz8ZwDEWyUpEdOcyEAXB8jwZCx+Vt3+jcjBwMB0GA1UdDgQWBBSrRzbP\nZJHGTKK8uEipeJPO+Fq3ETAfBgNVHSMEGDAWgBSnN9U0GyUGpyRSP52u1o1o1ZE/\n9DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEA1/+ty82vliq8q1UK8zS6s1/AKX0zPK9wJiq/\n2wWDeDUCIGdelIqtEqfT+D5ZJPTtUfARxRgU2wD3Gj+l44TMrbuP\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUFNwpYyA+pv3cVb5ByzGJcGGDz0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIiC5oXmu\nTvuIudJyAnK2rdGDVClfPmxvdAUIR9iLtL4UAXbHWRMCdDpL98ftQ/GDVCzmVPvX\nF497usxCUmeU9KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFFwR2TkA+nvWmx4/s8NsWAa1\nIJCeMAoGCCqGSM49BAMCA0gAMEUCIQCnOukxe6FzEGziyV89gyhH/9SvqDTtUsSG\n7iEVFyUGpQIgMW6f78TuFbv2cP33FZi7EryjlcVbUopuZCoCqD9LKXY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUMR8nGHs9n1eBhnIRogKRzzxdjukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFna20pHG\nJkJyt7izzyhALueJ4A9LtQgIpGx4+DY95wnbj2oSZaHNncqkfdZI1U1PEmDmQqBP\ns7aJrB9y/loQVqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF47fHhZitPIwj+TsXMyzpLo\n/iL1MAoGCCqGSM49BAMCA0gAMEUCID7jMu4nvc1bwOmlnJ1Cb2CF0UndJqbdNTZX\nWwIWHt4sAiEAzXojQJMtS2lsSUTj0nBuGSdDdXdX68rqlEeUek/6v/s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUUW+N8TznPhGpFaWQ3BBTiTmokY8wCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI9huiINvUUB\nZntni5W56fJs/ajw9+D4jQ5/YxaNmRiTccsuk/+VPGS85W8RcHP7UdH+yf4lrxxn\na1tSo5E5AJqjcjBwMB0GA1UdDgQWBBR8MyC8YbVIytvlT79c4ZUKdk0y9jAfBgNV\nHSMEGDAWgBRcEdk5APp71pseP7PDbFgGtSCQnjAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n3PwiOVbKWfEhihTvyy09JUO9fn/YdqGylKz/W/rNAFECIQDr1K+RlLupUCy/FARv\nDYwRIB6WMpbO7l0PbiLCJR8Akw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUcvSmbThUiA/WRKs3T/Y+IT7JyFwwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARwakMmtG+T61jX\n+lCd7TkGX/N11Dje6qKamKdi17Zrhn90S26TzM+EcCAsQz/xFuHN3dVzhMP9/q9F\nOugYbRPIo3IwcDAdBgNVHQ4EFgQU3QMguNDaRWlQECSIxxz7fhyxz+MwHwYDVR0j\nBBgwFoAUXjt8eFmK08jCP5OxczLOkuj+IvUwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOen\nVrId92FMHQsBhvkVzxcxt3QwEFgT0QsoOyoSA6MsAiBUwOHiJEcTlKDmoUK71hhZ\nxdiDzhn8IKPJ+GbngELSmw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT2zYJ00Cm3JOnSYpVybz2u0JrG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWKnGG+sgoA6PyyhT90Uibq3FcHnHhbzMAKEgm\n6jxQSmyKmrJI1iX2Vkd2UNCId/B2Y007shDTLS7Pe22XPQAQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUuCbYL5aCM1/FgeE7dTWOZUgEGowCgYIKoZIzj0EAwIDSAAwRQIh\nAKZBAa7pOw93mb9YPXmA1OaDR4RnfZ955d1avVEo2cAoAiBfBWJTu8WmCysYWEjT\nu5FduXLRKk2lIBNUgl1V/2bXrg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOyEkkpx9vbtnVQ7CTZbhXEZT1wEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKd+dJouaKb+xZ7Xh09Lg11GGmqX/ctf1ojElT\ngOhiD8EmsdhtBvblFnsExRmhFFZpGgtHoqvmn87n2Gh+ujBmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCmYxhJEtYz7wjNqOxWrN6KdoyCgwCgYIKoZIzj0EAwIDRwAwRAIg\nRTN5z+lNPkBFO0YwtkO/aZ+Do7wxFYa6ZNrp52M/5dECIFz7h+bA1+k905gi4L9n\n+cG/EhWbo1Ho5v43MVI/n50T\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUcOCa7aX68Bj73/+7obB3n9MQzQMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPnb3AqK3kml/1U1Z/8wQvQlgMqFk6Gf1xiGEkc72\nIgU3TtJW0XyDZPqE6pFNxX1L9567R1KwzRy26awLRFZs/KOBhzCBhDAdBgNVHQ4E\nFgQU8bO8Kwdf8IyYNO2Ir9c0JtdacRAwHwYDVR0jBBgwFoAUUuCbYL5aCM1/FgeE\n7dTWOZUgEGowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBn\nGNjXRc/P5d8YjQTuFTxZwPDXp7fvebBbNO0V4uLzOwIgbGfV3J/rxAMZJdxcySvY\nsFGOG3RzejWk7KFFdWWc8NI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUPy0Oa/n+G0mRd/P4Zrux460PDyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABClX857r7dwyiCqX3WtIXh+5vENQaPwbpouVRUM/t7tC\nMFTTYb/h6DVW+Jv8qrdJLFGbhP/kd5u1PcXiRpGLGEejgYcwgYQwHQYDVR0OBBYE\nFLWMgAZFjQHcPxCJcM8+NIcoMypoMB8GA1UdIwQYMBaAFApmMYSRLWM+8IzajsVq\nzeinaMgoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgePcX\nkM/bgv911bVDrbz3mjcU/0rduxCFbqU4B0iWvFACIDWpb8OMHY157T+zLw2hqIhB\n0/rd/cg+5nFJ//Wx3GGE\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIURx6+zlfX4qS3ivYdPkvAxB8gGvEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ08QYMaTe777Oi8MM5EBkhFC2eLKo8JbSx2SfC\nQSan8n9/1jERWlntBfv1peO9r5RfTejicV83kr9/2CixTBrwo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+i3HgZbPITucjUNiHl4yT2JU4/8wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiA8rKpxxtEjMRM5Yvd2V9QxrFbMK07VU6YMyt/L\nMqY9KwIgU09PqU0ScVwhNgqrPDBIct9Ep86YbM76Hml9jQl4SJg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUVig4F0xuuLBlVuoGSdKH2ZiNtVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLPLRp3MFfUqTuuw+XrVOjaR4rYiA0z0QaS5wA\nsanwpMs7epilAii4A9ZJbRibR/iK4wmqxTD7KcnX94fi4npto2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsTs9BEmF6BKx/npxhqp+7YcD2ckwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA9Ap73xfTMR9kNEE0VFuhe+yihkDPcgiPHNRf\noRFHGccCIAXEIOwgW0qjtQ2I/g7IPhUJkR8ZaCdpKhiMLkCQ3T7K\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCfG/EypnYzY24sJDzLW4ahyVsUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs20YznzEWieWw1j74EPKWNM5B/M8l4nralauyOx8\n4XZ2/L3aUQla3GeRwqX2tgQYd37vcVE1Q4ivsCooU1EhO6NyMHAwHQYDVR0OBBYE\nFPSBK68aKjLeAEARzdmsDCVni+hOMB8GA1UdIwQYMBaAFPotx4GWzyE7nI1DYh5e\nMk9iVOP/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQD6gcyx8f+DqFQNimGIGkz9LgpaC5Tm\nDnWrL99H41DewgIgXf06HTR+WZg4fqAMxnE+dzKMTMUajzF7z7LsqDXZF2A=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUTHavEZYju6hay5ztMwSb4fG4PIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOVNxcMcZx+6+1UYSa2mfKNfjr5pqU/SYksCie8OBSPR\nrc0WzBNDHEgW4/2/YwADPNDcQ7VKHnrjY9B1HjhL6OujcjBwMB0GA1UdDgQWBBTI\nULPH6KtGjAfop+7ktX2oOJ1fUTAfBgNVHSMEGDAWgBSxOz0ESYXoErH+enGGqn7t\nhwPZyTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAviqGQsNYuxj8mzuN9DUX/sZY14HPGWrG\n/KHHfIrY2lsCIQD5evtS+UDAEceQAuO69iPne31KXgWEJubsZmLBM2zbdw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUU6g/plnim2o39xHc4dyfFwVA2qkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASndtTAYmFVRvtoUAGVJNR2m5+yovGxBszqFTxN\nqoVsO6PcHw6uxbWsvzlt6Em+MrMtU7Y3bTgLraV3DzoaT5BAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs0+tMChlhAmulBGIvC8lpJvSdNcwCgYIKoZIzj0EAwIDRwAwRAIg\ndag169ToehIImGW0GZlPc+LHsaVv+Np5VKQg83LHPpkCIDNCFx/v4KqRuTYVu3HY\nIe3q4/DHHO3Jb0mmCz9z3J9I\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCSPSOODk/rnOuVNjyk2xbtZC2fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrjA6ZN7LaSk2By4XFg8N0Uee6t+vlBmUxpg5S\n4A4caQUwlsfzbD/ioOAD0xA1LV5THsLY99EjVm39jBFK+Kjpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkmFyMxr5X8IklVBu++kiIEMDmCgwCgYIKoZIzj0EAwIDRwAwRAIg\nKkUekD1t5OxgZw+DhQ3m2iWTum9Cih0ySZVTqrUR2OwCIBWOTpoezMgeWwR4nEPv\nIu9oDgsMkimoTm/5Oln/v8Aq\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUNzxsbv/lF+9v7lG3wGXzgBdJaUAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0Nzc1OTgzMDM4NTIwOTYzMzc4NzQz\nMzMxNTU1Nzg3MjA3NzU3Nzg5OTMyMzI1NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHhZJ5uCteEkat6mDNYI3FWSn6LW/MhZMToPEOHogGb4CyC+edw2sbyLmipBQd+h\nUV8sa4T9TKn3GXgOhHi3iZmjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUs0+t\nMChlhAmulBGIvC8lpJvSdNcwHQYDVR0OBBYEFGTHmf00c5odjzKtmlm3EikkQ+C+\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAM697vGb7LLo\nL7wXW+OW0MvbpkwSL9eNDIz/knatt9QMAiEAhdsZDjjJLS9ZjkQlHAI//+jWXWuJ\nmsl+7/CQ33CNvtQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbugAwIBAgIUfhb788tchG88YPAi7jY4d5XfsG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MjE3OTc1NTk1NDE1NzQyNTk0NTE5\nNjIzNTk5NzU5NDk3MjM2NDc2NDAxMTAwMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9kX7vsBck902uMIDvwaJlerXqq4USVGzd3fiABoWzFVf5G6a7RxnveQ/6tgBZ/Ly\n52OJxYVIL0+gyKGj7sby9KOBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSSYXIz\nGvlfwiSVUG776SIgQwOYKDAdBgNVHQ4EFgQUpNZ0/fH5BAa9OgXOsrbGMkTh348w\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiAXtzOr3/12kCBr\na8DcVRnknIFFbjDsW+9CQyx+MuxhUwIhAMjQRKyg+X7o3L1GSBvhTDPeN/vZDzX8\naeTdFEsMTolV\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUNMMTPLzhXksY2eTG6ZzIv6NwVuUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc3NTk4MzAzODUyMDk2MzM3ODc0MzMzMTU1NTc4NzIwNzc1\nNzc4OTkzMjMyNTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASN\n7HqyETNFOE8/hkOSq0RFOdQcnyISCAc0B2qBKaYbiRQkJ624069XJCcFGKOjVZhg\n2XLefaNWSOVqxqvOCOr+o3IwcDAdBgNVHQ4EFgQUAliZGMBsSpSwn0GSx/YUZePU\nsfMwHwYDVR0jBBgwFoAUZMeZ/TRzmh2PMq2aWbcSKSRD4L4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgECQ0CGZq1wXAW1OS0UtIusBSj3+sP4LD2gE9qfI7vPICIDdOeTwrJpCE\nq+QlQHCXC/6D8ngxHOrWdHXpxwh/F9VS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8TCCAZigAwIBAgIUcH8OXCLSbp41k+/Lrlbd9lgpqh4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTIxNzk3NTU5NTQxNTc0MjU5NDUxOTYyMzU5OTc1OTQ5NzIz\nNjQ3NjQwMTEwMDMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQxO7Qy\nYFYghhRtseeRWNvKXKlQPJ3qdWQ9TPxQWFHJ4YPQ7rFgyCcnXbQfi7VoDUERkNfX\nhfTjLizZVdqibzWno3IwcDAdBgNVHQ4EFgQUXCUbVKpzyvyL+04aJ/yyTCNT/IAw\nHwYDVR0jBBgwFoAUpNZ0/fH5BAa9OgXOsrbGMkTh348wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAw\nRAIgFS1zH/g+noGOmBhgj4YTsea6ZlHeQdQJ0CKwdfQjBhYCIDvrCzsQQhCoFwt8\n7MaMWj2o+WxUsh+yfbh92o0g5ran\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJRw2rehFeK6ivJ3ApFTwOQ7ysjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQa0VYF2PcBy8wo0Fi8Rwnl9R6eKMVPNNcQcqC/\n2I/OKt+ziozSDby85DQXXNUygT074PwdvQL0p/KVvgOFsnt5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRyaLINtaQnckDTcLsTfOy/NeaW3DAdBgNVHQ4EFgQUcmiy\nDbWkJ3JA03C7E3zsvzXmltwwCgYIKoZIzj0EAwIDSAAwRQIgQ4suVbVZuefAHD71\n7dLFp6PupDGGiiLfhsfezw9wfpMCIQCXTlqUhABVZsXdsvvniubnuuoUFFix2kgd\n1dg+rhlCHA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUAIbmCPsbnnSrxLdj5ifNq3FIBp8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATO0upR8N/lCrQ+SPdQUX1zB/b9wGmGudIZatHW\nY7vbME689lo75CVIcblz6jpz6vq08PwZVOwHTsN+W+nUOJk5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTJ+JqZfdrvsS7C3rid3kqqqHDKMjAdBgNVHQ4EFgQUyfia\nmX3a77Euwt64nd5KqqhwyjIwCgYIKoZIzj0EAwIDRwAwRAIgFdRpFWkCsQ+jMS6/\neTvvMiYi5Pez3sk6ZKVPyVPV+VkCICZ/GB/BMB30PlBCRi7drzoLWyJ0ex9ebzet\nm1mFKLYc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPEcwisCYs1iq5YkGthNydtqlNk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAED271lBacsAv4WCy1CZuxHx6XSkR+yzL3xh2AzZxk\nUkZhl7cxAzz+XeExJw8vC3rXiOSi7e7vMo5au0tKJK5YR6NyMHAwHQYDVR0OBBYE\nFH5Ct0Zb43mu1jpFjbdMc04nan4nMB8GA1UdIwQYMBaAFHJosg21pCdyQNNwuxN8\n7L815pbcMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5w/aYAfXM4NQe5gZlgjUSzjqQFkX2\nl9MHBNah3etKKQIhANXyJZsu+cF1LCyOtGQ7XeI0qZnO3YsLOCyISdQLdFAW\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUL7uGVInIqBAxwJf+fwU8mQYEm2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGwpOzK2De+GVdSKK8AURHHSlQ0a+IH/SjSfKm5jR5R\njDz9CD28+cFbdja02dpX3Bg513rRlOksC8PjpEVyu5ujcjBwMB0GA1UdDgQWBBT2\nXaitVQBKeaIN9QVshp/6/KQTzjAfBgNVHSMEGDAWgBTJ+JqZfdrvsS7C3rid3kqq\nqHDKMjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiHzmmewHMZdEAr5n3n0ORDxANPnz35si\nS3Z/fxzo17UCIAPCFHa4zzQATEqDdHnlhrSrs8hDyrIjBR1F0iIsleyq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBqtdUtR17g2rDtTKr8CXlno7++kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQE6oo1qQjtjXYcW5uz9mfYZyFlcP4Q5xLk2osd\nFKmT1YSXaz7MCf/DG9t3b4ZV1BhOr/ez+2ip9JbihnoRMWWio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhbcztLzDsqoXNRBwjiq/CkTr+/QwCgYIKoZIzj0EAwIDRwAwRAIg\nXTDG96pjTlDuAoC6Z87TNzXD2rmTjChKWB1NaZVENF8CIChdOE2CIaLy2LPfTyic\nypApM6WkmrFzUq54GlxYoGFJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFOsUPW2wS1VuK9VMCa7VBeeNOcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFs3lryYd+49rTs660g7qKPidWcSAuOOSNzVZK\nRrWEvhKssTYyN+ASEjNiaAynoWpJQCDIs9E+V5reMRpzWOA2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9l5g4JCoTRX1zpP4D6Unb5p3eOcwCgYIKoZIzj0EAwIDSAAwRQIh\nAOMwTU0zm707ujwrJYQSKKI+ADnDLGXDlo+tXdrbgBvAAiBQv84MdhDmXX+pKOfO\n3lfMJd6nacnZ2ytqY0h/z/w9/Q==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfuI5uF0ZHcjeP4yDYvp9KPkHT/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3ctcxDb7RxO1rXumNfOohjvd+BHqjo4fDAXlGSon\njwe7yl7kI7kW6Yuh0WAMQP+wrmXbL0nkA1eKKn7ZZfNu8aNyMHAwHQYDVR0OBBYE\nFMDxQjLxxoITgPYDK582mPKxDBU3MB8GA1UdIwQYMBaAFIW3M7S8w7KqFzUQcI4q\nvwpE6/v0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDK8vyQGNCPbmrmkaspa67Euo2JtL/P\nzgLX5gXM7sVLOQIhAIgKhI5xkWjVoe8nroxZjL+9uAa4MuASNcgVnErLmunS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUe58eSDXeXUoYejidfzu4AjmhoZwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOuPL5yDuP4tXRQQyTbbduXb5lgUbU2757tNPBoRVMIg\nHXCTzBm6nx3FojJL0LwVTuajZJGBkV0g+tGNGSQhfAijcjBwMB0GA1UdDgQWBBTt\n7XpGTI2PXBNbQs41PjPRKVv2mzAfBgNVHSMEGDAWgBT2XmDgkKhNFfXOk/gPpSdv\nmnd45zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAgJCXEFE29lqmRw913AdpjUhDw1QZuS9s\nio+bzQICIBICIQDrbVpeElK+9ZRB3N3fg/cMeE8PbG84CB3ZDXZrPeGyEw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUJ6mtSWU/Xmpc415UBpj0PzQUBugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTM0NzM4NDg2NzMyMjg4MTUzMTgz\nOTg3OTUwMDcxMjg2MTQ4OTQ1MzYzNTA2NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPHJrttZx8tZv9NVNeyWwYaCJ3/kqCuTlNFWlYANGGPoRAhTz09/VrJeQ5J4T8vh\nCZ5C5weaBvkdXgz/b99uI2qjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRQo9aN7eX9\nrBjfarvboqqr+jfSWTAKBggqhkjOPQQDAgNIADBFAiBh1ubBj5uWn85XpyvsTEJj\n2BrMU8xFDGcpqmLHUIe9IAIhAMkU0FTrDLHHq6Nb9dIF9w/xq87qyWhWteujxFJF\n3uKm\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUGCiBpGmqlB4jVib/t196fmDP/mgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MTg0ODQ5NzkzNzg4MDA1NDY5Mjkz\nNzIxMDgxNzkwNjE1NzExOTQ4ODkxMjY1ODkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJStXp4F59FWf8Y0AMFwVEQeYLFFOl59fdLZUsVK1DDG0ksBeDuDmhJUwuh6sWMl\nEUFXdoOklLTmfIRuq9qsb0SjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTNzTUJRxhF\nLk+0ZhpfM77NxP3oSTAKBggqhkjOPQQDAgNHADBEAiAKxBPbLTiWG15hAVcwxG7v\nSypBX5KCSwRqgoI67QauHQIgMLFe1qP9Un83QHU8j6m/p0HaFMYjMppRg0nUpL5J\n2wc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUQ2D/UYEOPa3f4PVkUzBOt2UdcSMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzNDczODQ4NjczMjI4ODE1MzE4Mzk4Nzk1MDA3MTI4NjE0\nODk0NTM2MzUwNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa\npyzQI5HqCZFzJ7n4ErQpTHMPV+qKLevxIUpHZfG8G65EAVoCHdQi1aMMuuoWl61B\n1Ptj91CoManReQJu7V8Qo3IwcDAdBgNVHQ4EFgQU0fTBDbDliOFmVkoNZicX24Ao\nxFowHwYDVR0jBBgwFoAUUKPWje3l/awY32q726Kqq/o30lkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKziplKyByPJbza3bvwpW4PYSb8L0+/PGaBxCFVUayfJAiEAteoFdHWX\nf6NHWcX4K5pl6Hgwmzo2KBFwdYufuBccMA4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUDNDGDZZ4h1JUKFHvAVfcHv8V7akwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE4NDg0OTc5Mzc4ODAwNTQ2OTI5MzcyMTA4MTc5MDYxNTcx\nMTk0ODg5MTI2NTg5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYEWJ\nm7gUeh5+iojRPr+HgMGEDgTMGCpKe6bDXr/pu/KfeTQ0WKrfhPV/1frxmAeROFab\nYhZStZ+D9v/5RHDqFqNyMHAwHQYDVR0OBBYEFBEORxudTmxHvdqXT24f0DJqPy9l\nMB8GA1UdIwQYMBaAFM3NNQlHGEUuT7RmGl8zvs3E/ehJMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIBbVEa85Z18KsIov8rAkHpknyob0AxtGnSqwqZsjEyWeAiBE9arMU34R7o95\nxClMBSpUXLfDmD2Y0EnlOw7YFSO7mQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWcbeAruAMvPWQXILEnpT8EUPphswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2bpcFOWQ4858ytfN4lsVh547yAhEOC34o5se1\nIYpK/WP0hsaPLiGAmSCkiBUTs2AqmzS9g/TkYj6kxJ/uryvAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkQmvOezF4W72rt+eEhjWRiv9M64wCgYIKoZIzj0EAwIDSAAwRQIg\nPKk1cDdLFhoftR8hOB8eJ+o80cvpZT/ACppU7vuTVGUCIQC7xFoozoRMeZrqa3HW\nngH7oqsECQrkDGfOAjt5HJqD5w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUc5dxohNm3wNrbGspDPMISv4mNaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYhyHyNU5RChGXeeToE5s24MDYW6UokUhVEDVx\nAr0PgrAvRsT+dIC3VnU6gdByHJ0qWvuVJaikuyLO6ZnTu///o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOaCw96K8rQAR13QS3cwrLp/xGmkwCgYIKoZIzj0EAwIDSQAwRgIh\nAJVf3iVVONu0Tj3tTXfuQwhHNWSWU87VMWP+WmdJYriEAiEAsuWOnioMOHDpMl7a\neNjroirB4CcagUnBd4KhvTiwZB8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUUmPnjhpmWb3bXgWE5UePx2gfSd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTI1MzUwNjYwMDk5MDM2NDgzMDQz\nMTA2NjUzMjc3Mjk5NzQxMjYzNTY0NDA2MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKRwKbKCJkc12YP+2gI9PV4oNbGDlh/LHo4YE5/5KZMxTIEDE3yP4ULtEeYS255Q\nso7BDyxDt5P3B4OK1UAtx3WjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQosMvz9EYO\nId9GmpgIdVVQbFYY3zAKBggqhkjOPQQDAgNJADBGAiEAvE8nAp7rRvWkq8X1SZYZ\nYfVOmLnPx0VUbsM8akg/RfMCIQD4EFwjveFilLSqv9+S8c+Z+btap5j40w3V5kXn\nOPXYPg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUOpl/Mghk3kgow/2o+oC+hSM/0XkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NTk5MTEyNTAwMDk1NjI4Njg5Mjg4\nNDE2MTA5MzE3MTM0MjgyOTM4NDMwMzk2NDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOONg/Qz5xftRL7tc+YOB2jbNOQ9ZQlTLOyZNVfMJgkbtteXQwn0GhGgvelujMk5\nfH0pHtNMSzvEIm41kDwC64ajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBToMMYt1KlP\nYrxB1UQ9EaKUaKIq1jAKBggqhkjOPQQDAgNIADBFAiBMLGDGNfY3+Mz9rr6fnM95\nS62tnlwcppb33FW9q4ptGAIhAM2Zm3UjvivlNLRmoACq88XR9/Rk9oJWx2cNZvX+\niPyp\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUOrl1pRrDWvkj4+plqYq7/74flZ4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTEyNTM1MDY2MDA5OTAzNjQ4MzA0MzEwNjY1MzI3NzI5OTc0\nMTI2MzU2NDQwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\nLopnaBSjMVgiMH8wPJSbShCin+/CwuA9nAxbJ3tCIpzrb+eHSQFOMKWEloyJsLxQ\n6fsh5Dmm0RhoQFN6UsNCo3IwcDAdBgNVHQ4EFgQUqXVE+MrDXCny4fDjVdYvYzNf\n3WAwHwYDVR0jBBgwFoAUKLDL8/RGDiHfRpqYCHVVUGxWGN8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANDpvERJ9ckmPgz9C8REB/lgrPmp5/psSxvvFlXxi9KwAiEAmSw0f7fq\nnEnDPJbEzYE2tTaDz6Mfo4RodnEYl2aOE7s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUBLazpDZLANutGM9oV78Yn18BjDowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjU5OTExMjUwMDA5NTYyODY4OTI4ODQxNjEwOTMxNzEzNDI4\nMjkzODQzMDM5NjQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUM4j\nsJb9jVewhT3DCsro6PItm4MnaVc7k9PziTqHjk2F4IoPsC0NS7qC+LK9x5Z+nwd9\n4fuJswa/V0nX2h6qUqNyMHAwHQYDVR0OBBYEFH7XxSI6f3qFVeOUiKVSEUuWo8JG\nMB8GA1UdIwQYMBaAFOgwxi3UqU9ivEHVRD0RopRooirWMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCICqAkB9+1woRl+iwjrg5hBcuy7ATJuGcdY46A/VAk2TQAiBBbqFDqZ2lM0W4\ncIMQwIdjajcqMdWFtEFHcrYNdd8B7g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZpL36h+iZZQ192T090tF5nXZHpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASl1xXYfFpg9ZhuIOxlNM33Ek5xDf0J8xOKPXbU\npusdh5apd3fyyl8YN2uwMBm8Q7UyIaNOaWt7ZKOg0FFmGnPXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrAjVoz5TI0w85FWiN62v1H8iJGswCgYIKoZIzj0EAwIDSQAwRgIh\nALTMmzGqWqP/lDG/LSugnXxF+M3YKYJfbTxF6DDSdYgjAiEAs9enU1fZFx3xy/bV\npX2Yb3zgfzfZzh1yXSBZAOaGoGE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeG7oKXCieBWngvab4BDxY2vySiMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsqOEx/Ox65YR3+NdKTm35qJXSfiSoLS+qiMBM\nHtght5SpYwAWeUp3xkWK2nSgqERXUX0piNQuOBgaxErsFVfxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNbPr9Nou4lS2vg2cI1DVl1aCYdgwCgYIKoZIzj0EAwIDSAAwRQIg\nebY06jnOghG0k7yXoRDSibrDH5sQ929CyhqTXmumGPgCIQC7M6LSCTks1XWm7SxS\najeeBfLEkUnMnGDUDdFzMRYMYw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUazc4Q9kwsvsu9pWiX4kPXTxCjpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErDrfNCsoMCdz1hRoVxcug0cnwPebkAFw6XK3Ydcw\nqjYEmmC4M90HhavUssinqO/qi8JqdOsUtbOpimu3YmDk0aNRME8wHQYDVR0OBBYE\nFLD6NYX++wtGY72mVPW/GhY0CF4wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCwkMhFJKSr\nj3PXIdiIUwqR8TWiTPKAa77clBOK+r9T4gIgDic0P9aOcTlMhp4kA1SvAPImxCHy\nlNuPGCc4WW8Lzo8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhDCCASugAwIBAgIUNAvZm2JoOmxHsJOfSgS0lmOf6gowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/2b9DkTyY3V9ScLmH1429WoH6+e9lMbL9KPz/hxdUa\noOli0s7gJj4UJRMGZ98AhDYA6M+Btj4VVmXLSfPEQ/mjUTBPMB0GA1UdDgQWBBTI\n2lK+sbg94NVatvTowMi3+H2ocDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBTNiF9AttwX+mx\nnuLihMtk3lhMPYuHIooAV8TVTYb/XAIgZHh44l26UfubYBvMhVeHboAI4F0QrsN/\nYmXQuqyiLO4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATigAwIBAgIUMENidDOgid0ZY1/Oyq3C1Hl6NdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdDJCCzsdQTdT27aG1fJOBZxJlkf1TnjFDTT/Y\nqSbGgamabRTQfp7H4k8K11YvNKhUk9iZky8p1rVFAc/PsjSIo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU8x8zCXRFR+vEFcQBY+AGCMRBAmwwCgYIKoZIzj0EAwIDSQAw\nRgIhANvNFok9H1IStb1wO5OSpryQ0HbaMvJdI+VOLC1fx1+xAiEAo7ZWe+a5RfL+\n2FVswO8bmZfd3eLG64bpPXFbsUn19DQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUP2q4NGBtkloM+6gOGV3ywjvhRP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6VtSyswtDuiSSTds2CfVoe0aiKz5V5Sj9H9Nn\nYzAjWif1CjJ2Hgrp2x+mO1vXBj++2kXPm3tJ2MGNRsr8USnpo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUMzozFVc3aJDH7JMWSA9OF5mc7cwwCgYIKoZIzj0EAwIDRwAw\nRAIgR/Cgmnqk5feK7UHLjHiMTK6B7wFJnH7UXoAOghLxLVcCIH3K3aISx3pElZgf\nmCHYonTYS7KH+dFAeumAEomh92pD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUUuPnKSOLakA8J9I0NQTixohEDlMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZgqmIOgMPuCbBnSYNegYOkrQRzfEnQgL5Iz+puiZ\nU+SlmZjiipFxh1bCb/bP8q7AmIXvhCQ5SMJ/0ZZYLYAVWKNyMHAwHQYDVR0OBBYE\nFM2zlGmU+Xoi1nfucdAo2EhwwFgFMB8GA1UdIwQYMBaAFJQY+zqVc7ue3B3JZVGX\nKa70GjE0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFOZYHZoZFOlEjOaHLSK5+G66itLjzaR\nCQACp2SiBvuEAiEAyOsaNVnCV6PxF2e9gwXj2skS/jzSEJdppTaymhGLwWM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUE5v96HsgIdPm3msuZ14WJ8ZuVUQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGbzb3DjBA0BZya+Vdj4EKAQqaUyOsCCjhVnYrp6xUkh\nnO9nF5+G4CSMvhm88DYei08ZnVzV4U2wqRc4z5VsGiejcjBwMB0GA1UdDgQWBBQd\nXfVbGPZSH6bKKfzC5xk38fVweTAfBgNVHSMEGDAWgBSBneojsI+n63Q2EqxNyBLb\nxWVQLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAJPT/jhgkTThjmqB7sv9bEGfp47Rp54lCI\nurcio34bfQIgUzOKlzLqL/M+hk9ktzBgGtb/UfxmatEDnQL/BnXK/+A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUDIoyY2z5dsxtFVITgrIvFCBhXd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0mbSOipu8s/c3VTF29YmYaD+KxgI9tCuwUgAa\nXioBlIfzVO9e909m02EF4ldqhY3D+OvQB9ArQaEms5iuKVi5ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiB2Z3bwx2aAE+QdpgsGi5ugdWqFytEKseBIBXu/XYPW\nmQIhAPH9UKMBh6FtdRJp+7KQHvAjXcCxc2DfovaOhCznO5mM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUC6xhShS1BudX0iADBHpbRQm1U2UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxoJMkiiCaMvRSQJPtWUJN1fPFruZO7+zvaipC\nXSeioZFjoJjbjNXefZcz1PP2uSnkhZYn22rRSS3kAVsRVqfwozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA3pDTFPZo/11ojrPaB45XyUypVIHqW69jdgx+pyLq\n8B0CIQCaQfqWeNzq536RCZWaQYAzWFZz8r83KHVf1mywVxVchg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUNNxBftBu2tdBHqB29is+dd+2rS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEn6wH073k3EjqFpA3AJm0D/nb+4V6Mm/q5YI9dSQO\nxMs+zOwilJECjeJwtlh5Q/WQix6heT/l/iXPKcVrByYzBqNyMHAwHQYDVR0OBBYE\nFJr3iMRKpdwu31622wjBi2IlkWrKMB8GA1UdIwQYMBaAFK1FH5j41KrhMAzfWCDQ\nOTGghR9KMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEHY+2yT9LLBnOn7AHDpUD7gsXjMLTlw\nC/5fE3rvpurnAiBH2pbcMgwCm8YbxWVU4kOR+ElzxiNRPgteZzT3aZVMvQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUAV8o/R/F5wKd0OpNpQzLl56LxVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP/S32WOIrb/X9r3REX2ocvYfZi0fQx06IUQj+8qtuKw\nJ2mHzNOW/bewjHmdwaDwALOjI1QGRaeW2SybsMfQhyyjcjBwMB0GA1UdDgQWBBRO\nQAoC1DOrRqgYQITV9vbECFxtxDAfBgNVHSMEGDAWgBT/B53zHK7niJJazo9y9TL/\n6lHjkjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA8PTk0ifw47kSyDzsTfVETv++wk+8Mszk\nkltWdEZIk3oCIH4eF0TB9jJGms4Lmo3pJeycFvpWN8upSOrZTI1gZH16\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAtvrBlUHB2BGZh4KNWjFniBXhzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIkypTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIg\nI+o2FMcMD3ovZf+8tmO32J180p6gGs/oWytcQPQzkHMCIHMKITjNGGABvNxF1v+l\n9GEiC0qFFQoUAa0ZXkjUd+v2\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUOMZOjI/NHk0nVJgtd1INEckM5eMwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvED81zPBmJEZgSwLE5D5lcSqP8dBiVZm\nr1lV+mmOYO/KuFAYgGxnEjXcflhZudjF0iUPhd67RdBeHweo3EUsIKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKRuQfiyEd3OMAh8OWZ76EeNenHkMAoGCCqGSM49BAMCA0gA\nMEUCIB3U8QpFsdeIJcQ0t2FaH3HupB5ImVlBBhQg7lobBcLcAiEAn0OA8nVjyLuo\nknoVUV0YnQSZcFGe+pdI/5+zbobBg70=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTt5DepfB+7ZH4gPfGd8e+cxUs6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxbExSzdhXqHu3ojFboHGB1I274bkM4qEF1xfx\nhyE+JTAxSFknc24Gw9+EPThpHEJMLJzVhBFI3Y2FdprE+Vpuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvbzFuNkcY8GAalYCxBG8Nx4L9sUwCgYIKoZIzj0EAwIDSAAwRQIh\nAPe9QLqBN8KbVnux7M7V91GKd5b2bC82TjxPZiAT5I4TAiAklXKkOqnMlx4BRNU6\npIrqt4er/MMi2XAV/8ue37NEkw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUWhS+Oh9RtKgdZzZDFCx5C0ck5x8wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfgK15yyw7wsNNG5yfhYvrHgayIrEuLY7\nWWnXBy1ZV8tZeGi2z5bnrxWcf0X5OdJLWX+YFajnLOp0bTTkM55w3qNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMQegcMC374yaYm+llHqwXBTuwDnMAoGCCqGSM49BAMCA0gA\nMEUCIQC8yNTnwZR67RH9LUYk15UJpe7HPSYX0XAyZFWvC00DRgIgIcZFH3K2Ku1S\nBR3HBHaeV6LfbNeMsWt3I2HQhpyqpsg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSPAor58MGFAmN/7xWs/9L6EsN/QwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSkbkH4shHdzjAIfDlme+hHjXpx5DAdBgNVHQ4EFgQUIkyp\nTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIgFdGpIQ3LcInZFIwC\nL0dUiKDELcjfAFU9IovtDncn82sCIBWZXW3CrfOGA8GwI/GXEnR1VRZ/DSTHjjud\nrkKSELBO\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUNLvLXnXpXRGJRnVlf1zjiicVUcswCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxbExSzdhXqHu3ojFboHGB1I274bkM4qEF1xfx\nhyE+JTAxSFknc24Gw9+EPThpHEJMLJzVhBFI3Y2FdprE+Vpuo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTEHoHDAt++MmmJvpZR6sFwU7sA5zAdBgNVHQ4EFgQUvbzF\nuNkcY8GAalYCxBG8Nx4L9sUwCgYIKoZIzj0EAwIDSQAwRgIhAO/IgCB8RG9ZHVmh\nIi9qrKioBZUDXMjGvwhmidBsFlA8AiEAmmAsjdf2QlrOjURZhTMm3INrc5Ahg97u\npkLl1Rrut+I=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUIR2Vp4hkAgWtIq/7+M45nsg5EZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3xpvjMvo5J0uaPgCA13rtetlr4SuXJc2TlLlwxJy\nIQwxh/vFFLDHcCZvMoO7L8EyajOdH4jIZ28URxYkIeQ/J6NyMHAwHQYDVR0OBBYE\nFJgYJU8Gk7Vy0h57+RL6MCgyUWyFMB8GA1UdIwQYMBaAFCJMqUzqKNa1RPHwblU2\ngH9jJ1afMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCYHjrx7597ppaV8bjSYuN16CXcPr12\nktMaVRkWxUaaWQIhAK880bEFVBzP3ww2pbl/DsIK0llaB2pPzhw+9vs5/3fF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUHibc+M/EtDAoYqRhdQeM9gqRh7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDlVU+/a9INc/nYpyPNCf9Hwn2cZdR5obbsscd//jxPV\n/pQe4xEFWXS3tOFviu2hTrUrJVApWBM8XyRzx/ymvfyjcjBwMB0GA1UdDgQWBBSx\nL9FR03IsbZD9d1Bxmf++o2xEGjAfBgNVHSMEGDAWgBS9vMW42RxjwYBqVgLEEbw3\nHgv2xTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB/L7LlEOxHcihMSzFou51nPX0Up0Rd2pvv\ntN1cQxgFqwIhAOvs2t5tEmbHmFgcvUP/iUUmfuRN0ybTdhKCiCtmWsqe\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOUmqM8ZLIsg8+TuAE4WcMnEqw/8wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKcf1V2JXGDj\nxWuk0WH1VENeTceElDSV69xtJKYWJTPV9mQMMjtkEZj2a+dlm2xvft840zheYcoB\nu9IYsCoLMAujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTwyzIWWVL44GHpT5FGgiVlcwip\n8DAKBggqhkjOPQQDAgNIADBFAiAtgm5AnKCFjpCPU+4stmCs8MrF1DsLToPaJAjR\nKd536wIhAKkaMVHrZpx5MN1tjBstV/7/45iN5R0AJs1EFJtsmBOp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUfBsGkOiudIQYV5aDVi0cDk4Fr28wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD1Z7woUUZXy\nSklAKxALxx0YVFvIxQTcH6K0ttXPhAiGiLH/ZDOwnHrdDlPaCdJXVrEXSS+5z+lY\nQc3UDmwA9ICjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT9PdEgglf0c52LXpWWlgq+rsy0\nbDAKBggqhkjOPQQDAgNJADBGAiEAlgkxxhm/ecpQrhgla/Si96lokHZNOijMidar\nytNEI4oCIQDannc5PG+44Jfd87i6zQlS8wpkxmnHFzh9EubYYxoC+w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVhXjxWxDe/w9piTkiCERxKRIpGYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGujMk9ISkHjRPHjZtiMU+0s+Ii1TmCxIZF7Hn\ncSVkYYY/CCf420PH6bitDi4DWTYzACCkf5CCf52Fsf0Ch3koo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUukUGg9HRPdQ05wtzK+LRebXYICAwCgYIKoZIzj0EAwIDSAAwRQIg\nIcHS4L2fYvzDGtPsNVc2G1r1qz2r276Jq8T6aMaKe0UCIQCg75hU9UI87308dUH3\nX3Mp32u7kgMyupdiPXwUXts05g==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSfrmDkiz57iKMgJjxsEVUh1O1gcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTE0NjEzNjM2MDg0NTkxNTczMjYx\nMzkxMDE0NjUxNTI4NTcwNzcxMjYzMDg5NjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK/OZop9EMT7lbHUofifXlfgtADce6XrqBnkj0D80/e3l1egnO/NbaM4d0zKv0u+\nXbxzJHziRYg/9oy+CJ7CiW6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpFBoPR\n0T3UNOcLcyvi0Xm12CAgMB0GA1UdDgQWBBTc5G/gPD8dLmz4RibvrmhndIxxlDAK\nBggqhkjOPQQDAgNHADBEAiBhpJVKlHFj5VcbMKskPQMEhyrs11wNIEbFQCyZ5KIY\nXQIgJx8qww8g4XvADJWU4MECz+bJST0YAABS+Ua2SJU6PbY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCHwmXIe4b/CKvqcfSjiVhWxmrBQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnSsCjewx3qqf8KsMRQt7xHMv+oLK7VEfpd8LD\nBlEKl61OY/Upd76GH6jjs2nMX2Y/eL0h1ZDjQVWXkvlRfQeIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU21T9eVf9ZGwm1m36qF6ch+qF60EwCgYIKoZIzj0EAwIDRwAwRAIg\nX++3kVAAEAwJy441OrURPo7DKN8d1251spV/1UZw6HECID1CiUcU/IsQZL7S2hwX\ngo/e7sKLahzdYs3/uDK1ulji\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUbqwMb9Qbody963XMcHFATH4cQ0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80ODQ0MDU2MDMyNDQ1NTEwOTUzNzIy\nNTI2Njc4NDgzMTE1OTcxMzQzNDg3Mjg1MjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n8LAa4cPe3ID+m/c7F67cLVpiOi+0/A4uB95W5/WQjbF25u8uv+uTkdhTN1spfXuF\ncscpNojgDUqC3n+t//dHHaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU21T9eVf9\nZGwm1m36qF6ch+qF60EwHQYDVR0OBBYEFNXmvwwTQnijRpGZrdQLc9c2rbhIMAoG\nCCqGSM49BAMCA0cAMEQCIGCgY6INoPQhBn/51eFzHDnhAda35254UOVExdo0Ep2u\nAiBzBnYXPUlV9YLVgFTkNQYlqr0lZhHyFB5x/VJgjQ7O7g==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYFQJdrIcFNTtbwqVp3TA9QUDsQMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkxNDYxMzYzNjA4NDU5MTU3MzI2MTM5MTAxNDY1MTUyODU3\nMDc3MTI2MzA4OTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/\nIpKECdAIwv9RXO3VMo4Kn8npgtBuDPBWFBy9x70R1q0sIg4BpkFwmUeMAADgXine\nzpFm/AuEgH+vIMC7wPDko3IwcDAdBgNVHQ4EFgQUCaTs5suWWSnGMxrinG0vhDeX\nma4wHwYDVR0jBBgwFoAU3ORv4Dw/HS5s+EYm765oZ3SMcZQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMYZHginQrFpFZD5OF/5ny66wibU2w0dt39zLJYqlwPPAiEAqhjbAAVi\n5t3e+wAuspkaQa99gTZXDbsUnhAUr5vziH4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUQsDH8vo/dIPLklER3JD6IyHMyd0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDg0NDA1NjAzMjQ0NTUxMDk1MzcyMjUyNjY3ODQ4MzExNTk3\nMTM0MzQ4NzI4NTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3NsuS\nGGQT8tJT38mcviadjIXJ/TPm/aTtQAiK4njOgOW5Dnt9RcpwSZ4KfSxCxCitXcwL\nNlbm/3fV2vsJn/meo3IwcDAdBgNVHQ4EFgQUoM/WaB0mziy8y60L+snsfLZP29gw\nHwYDVR0jBBgwFoAU1ea/DBNCeKNGkZmt1Atz1zatuEgwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgaDL9fj4bK3CP6uQy5rsmLdxBNcxULxcSexEd0hIcN88CIQD0aydVfJPZnTuZ\nTw6i5Xep1eSTblfIAKG6LCvmn8nylg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURJNVTkK/qQ5HtJ2PTCkMpD3KQZMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS02AN8N1r+bZKwL+y9y9qSMylSmLyZ7G7kq6dG\nQKFWTPK+UVirxfMS8Y1gfCb4PwtQwRnSfykFMDyS1h1te/2Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUinGtgfyc1Gti4kTqXknI0UUdYmEwCgYIKoZIzj0EAwIDSAAwRQIg\nOaSHwPzurUi60I1zlDOg4rVu/R12ENmvX1ZkXK9f8EkCIQDy5pCmGBQ3mS3uXJHU\nwaHiUxl2osb1tnzQmh5mubIGdg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSed/v+FazOKx9zEI3LuyDpOViD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVwidcIcbGgbdgON4d1b1Df0eim49EM2agYCZg\ndmi+I08x2/5G6U+tZ+TiDoPEPe6BnpXtShHHOr+d90WZnljLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT+JQslhe5+YBFu0bejMNsy1XIZEwCgYIKoZIzj0EAwIDSAAwRQIh\nAN2IrgH+BP9YzkaRSK5QShDeXHci7JwNb9j8EQ+GOSv7AiBSgOwGuPS1L8L04FHp\nf1NesA1TvBGvLTTzZcy520JxGA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUQ/7dLMGbmLFIruocNHaPHvNo0skwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAzOTE0OTcwMTMxMzUyNTgxMTM5ODQy\nMTgzMjU4NzE0NzgzMjMwOTAzMDM4OTM5MDcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGYh6xykQS9poZtqqlGeNE8dy+m1jKgLQurVMjkADOtbfT6juehl0sK3Xb9q\nyiaWbKYXG9aKUP9RLqIVw8EySKujdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIpxrYH8nNRr\nYuJE6l5JyNFFHWJhMB0GA1UdDgQWBBTQr43JptSW+/6h+wpi+zvmAUmI0DAKBggq\nhkjOPQQDAgNJADBGAiEA3y6A9WOt58yh5QJIsOzLSY1j2Iv7B+e/gB4wt7eV9wkC\nIQD8hXUI/FVSQt04SCP01Ezx5y9hTT/ijnryDdKi3zr/sg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUV6rILhnPgFgYYBSk5FniKvCmFl0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA0MjE5MTg5MjY5NjQ3OTQwMzYwMDYz\nNjA2NTg3Njk3MTIzMTMxMTc3NjAxMjkwODcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABCGRyNFEwJFr3Te+Ge4f4ROmffWQBZTWeTiz4W+munDg4b2jwOOULs4uK5Pa\nvj0HLROobrHFOGXC28JiEz+mWaWjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFE/iULJYXufm\nARbtG3ozDbMtVyGRMB0GA1UdDgQWBBSc9W+X0MBYK9nSL/WYN6Sjv5weFDAKBggq\nhkjOPQQDAgNHADBEAiAM2WpOirADuPDSM7HM7f0lz6h8E/8qTchqsM2aSFhc9wIg\neGcdrceb0rvPlGUnEJxkJQh5sZM7PlLL+DSaKk0jCVo=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUJqTiAWiKNbpouokxJszOHsr/Gf0wCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzkxNDk3MDEzMTM1MjU4MTEzOTg0MjE4MzI1ODcxNDc4MzIz\nMDkwMzAzODkzOTA3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATsp9q8Fm2Wx9rcba6aza6wRS5GimtXjpTBaiYK4YilTVa7kOCFvnwirddzEIrM\nf7tBepJG5hEo1aQmS/DwJMMxo3IwcDAdBgNVHQ4EFgQUs1x3OcvHg2YYvJK7D8ib\nNxH9HYswHwYDVR0jBBgwFoAU0K+NyabUlvv+ofsKYvs75gFJiNAwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAP+l/hspeDB+NZzSesqek6uCz25jz3pmGfPDcii9fnRhAiEAjq9W\n/VZ/Y5REDcOgQzx1sghDpHfLsdfKW24czs2Ht0o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZygAwIBAgIUUhsfHxULV3SywQ5t8CXzmRzPgScwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDIxOTE4OTI2OTY0Nzk0MDM2MDA2MzYwNjU4NzY5NzEyMzEz\nMTE3NzYwMTI5MDg3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nbVRVSEjjBG8rt7418UzsqfyNYDCsO2IrVK2cvPp9aArDDlDFfNU3xX635Oc5mlFY\nfrvldU8ZBC5dVkOTZZEPZqNyMHAwHQYDVR0OBBYEFNF1cmSaSNFqaMWsQu/HNb/T\nRHj1MB8GA1UdIwQYMBaAFJz1b5fQwFgr2dIv9Zg3pKO/nB4UMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIAkpyrBD12UpMUCyFAOLpQZemTfflQqM7lAHD7sAfCYFAiBqczarSNkj\n4R2gNgLftWaywMkdMwTZ/DpnxejR8jJXuw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZlXVBtixqmuT+3lTUtKBYVDOV8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0arB6ackNbDMe0PeN5TFbCA5dIIPgo0HrzlMW\ncbRNItqWFPCm7vEzQshZNDkjP6gg0chIvtA3U6knUajX7rylo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEnUSn05NcaK/poEwYK6caXeskBcwCgYIKoZIzj0EAwIDSAAwRQIg\ncgyFL1RRdOOJ142XTCwLzEA9Oy7G49tFf7dh70x4fcwCIQD/N5GBqbL10dFdwhxd\noK7YCWnk0CslyR8FZIHwnxNC/g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMhH13xSTCAZiIvK4L/VJHlgquTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw7pJGgZyfWIJHz28tpOnIJw2XwQjnWsJG1yij\nnycrdjXJRfUNSE3L9l+e/eXAJLumGbhXLcu+gVyMN5iTVKt4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKOLHG6QMxY7SRd1aV5kS5ZyZTsAwCgYIKoZIzj0EAwIDRwAwRAIg\nCrHUqlp0gNq/9mfGf6P2TCT050IFaQnXxBfH7a7SKAgCIF+1fA0ukYrXyPObpxlO\nZiKDTBeZng0ls416pSSxJtvE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUPYrBQluY2RHjrO3LCkHzhMY9sCgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTg0MjMxMTc5MjEyNTQwMTQxMDYzMzI0NTM1ODc0OTkyMzgz\nOTE0MTA0NzM5NzgwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQBCBI6Agpt4WuZvVazNFZPZR9PQviRhhWD8+4YbOzyI/mPDFV9FzkpIXF3AbAc\nLoSKkzxNkdatp+9ICRVFxFOjo3IwcDAdBgNVHQ4EFgQU8O0MmfRgYI/EfJDRae2x\naRZBbSwwHwYDVR0jBBgwFoAUDpjYyqPR6Em/G95nrVJP8zytGLMwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAPL1uap3KJMm5icAdjCl926a+js/f6b46XzK4Ws6nvR+AiEA6GEe\nDoP6jnTx4WfD3Icgbk1s+EWIZUGjBIxMZu9pHXE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUSZ9ehKFIOH97fonfsUQ7aexJ7RkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjg1ODUwMDY5NjI5OTM2MDkxNzUzNjg5NTk4MzU3NTczMzk1\nMzQxMzgyNDMzMDc4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nYCQnFSkNogFwPe4m7cqepbYrQwQmUN/5Ir3cmBGddrQdzFYZGC++/ubavqugIJbR\nmPmmOC2Eggf8kS10u/5f86NyMHAwHQYDVR0OBBYEFPKZdmbjkrM3SFdZ31qAB67D\nQqk8MB8GA1UdIwQYMBaAFLtmyWW/uaP1/lo4ChCdFBlNvEAdMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQCcVLrSkvLUFxFKo7HKRTTousKZvNKw/oqkQNkSTH0FYwIhANFO2fmm\n/9+LwfoQJsA7VVTN+I30wANpkbQ6PEwdPnoF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUJGz4m8hFYyF+MRvuabf8WbZQszkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXwNP6DbsKWXXt4VGlaf3gESQyy/AUhIMRYvCS\n5UhOyQbbV1vCjU8nPfdsBejSmTf5Aq3JMVUYvtDVR9xS5lzuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFIrVa/KLOkPC\nOHSwooAKtmyei4pSMAoGCCqGSM49BAMCA0kAMEYCIQDAJ3o1CozFsLMo6s/JaNTy\nJqXWcO95b0eO+DFrR2R9EwIhANBA6uJCzt/OlfL9nUswUlj12/Z4EQO8KWhPnC6Z\nDAxn\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUO/OoZrfhp2BIMfxw7Rc18diTlh8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnU2gViCrn7enyFDVpxOvGNu5MACh2wXkb5OYq\ncmf2nYdklSXUDQ/pdBPmLGdjOrXx/MC8jw/boISR8kOrDYzuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEalwf48D9SC\naQbHVCWKWIu1333TMAoGCCqGSM49BAMCA0gAMEUCIQDT7d8LOVCwUZSCc01aRhfi\nguqRrb68gFWrTmnX6IEoFwIgMBJ+ZIWgzOuV4p/RF9ck1y9fFOsuF92z4pFtj+51\nTGE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUeWIAhAdhaaopfdIHSzeubU1vuXgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZJkA1h0QYYTrmFWyOLbDDkXbVpfgqtCZ/ngjmRvM\no/q9YP2SfwlrUwA8Nhvls34554bsFODQkT4v7YmmYfUdtKNyMHAwHQYDVR0OBBYE\nFGdCrbDIMVS/1xr86pwn4lpkjbH3MB8GA1UdIwQYMBaAFIrVa/KLOkPCOHSwooAK\ntmyei4pSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB28rvAjGVc0M7IRegeP6GDm761IzStQ\ngWTBtWMnH6aAAiEA9krBtwG8A23BGcIH8m6lkh0vHa1YvzMAqkSwH8YnKAg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJ8+n3xfm/q+hODLr0tXR/EKKSdwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM5uSNoI7NBQ5aDIGBpjL6YKGIREFCW29vPJZ+4XTLFJ\nu3+5N/2BnPx5oDftthnwZin09Rl/nzkcukXyAk4qBiejcjBwMB0GA1UdDgQWBBRu\n9vEXWA5tjojuObLMN9oA1f41CTAfBgNVHSMEGDAWgBRGpcH+PA/UgmkGx1QliliL\ntd990zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiATFcL3c0v/42jhRSg1OSjXDNNJXTHEV++3\nhjRWK4z9WQIhAI1Ds7PJrYQzSCELGjSoQFFgq8C56fF6rfIYMCbnKKLA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUWkvd465ZONBmEb07rcal1NjQuCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATT1VG49EEjQ+9ODitneBGeVKzKWVfXtpM0LVwm\no1TCK7POlVHHQnNiaMiCk1hXI9z22xpQXIwiOloQYlrmnbjlo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUHzKLoiDteajnCd8GA42LkiVXFgcwCgYIKoZIzj0EAwIDSQAwRgIhAMt9\nFyOTkT3Rw2/wZv3lNGensfVlCUGn9A6QkI3FfsACAiEA+x7GqIN8Qnf7S6O2YwsL\noPXGIDaZfPISgUXmRmZmCeY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUTQT+8owoyoEBxWUGc0z5GWUw73IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9OdZ28TOLSKOY8YEvBrhKPIbWnQBU0pIkERVR\n6hkK4INIiM8uFSNVoE/R0VtGOJFXaimLsQdZ+ogQqBtOuLq4o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQURLVH03tXeH9HdG1hCT9N8utureEwCgYIKoZIzj0EAwIDSAAwRQIgVMMS\nC3slxbMPkhktj4pdjGFpkdbnQHK8TdpSPY76PmYCIQDfVeL/BhEngMogNFpv0NYT\noinc7EyL2r3O2JDbdJyktw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURMCrzs+qmDEgC+EOq3WM+JkIWOEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+8Zhf2YrxMH3uWaaNCBAO8nIb0OzZfcOH+YDXCwZ\nznIWK9QFsqN0gHw19tIt92Wiog6eUSoY8/ir9YXDh+vCXaNyMHAwHQYDVR0OBBYE\nFEBlYGWUp5CjedhhDSzMN3REsbM8MB8GA1UdIwQYMBaAFB8yi6Ig7Xmo5wnfBgON\ni5IlVxYHMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDTlgOJW+jBhtkdXjDHt/OEujbiba1U5\nf38iliyqOqUiAiAnKLtV2ryfM+0+mxnm2O7ZPXIlwR0FQr27fp2IaLkzeA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUNiO1emV5pxSdH4pEBG7LJWTagJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFgfW/Eqw8jq/xBP5qH0LuFrdmvRbD/tkDpxDto4Rdfy\ndEJYeo5P20h+WF6H7tfV1FJESbpULQ2PzOgvzzM4cE+jcjBwMB0GA1UdDgQWBBRA\nHsgmxx9294JQfsGIGdowINzd8DAfBgNVHSMEGDAWgBREtUfTe1d4f0d0bWEJP03y\n626t4TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBx05yr/2pb/PZWPy0sbKjCUVjSs+XPXDAC\nd2byaezo7QIgefhE7JZZed+1FRFIcgWmICG968jJn3UFkMFCcSOVc4c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUaow7UUIV3SBLGI7HU3tSFhMCC3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbJTA9BX6N8hiRQSh0t68B8DpJWSX+OFA5AqNx\n1YeBJH3o7QHYzu/kS3gAH5y7s/SvckGYOJvPb+A/Q0f86xbBo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTztwyjo3LwQhuGLDEo5BmjI5/PQjAKBggqhkjOPQQDAgNJADBGAiEA\nnfNzPyTtuedd4awgXdtuFdgxiBRmpI7bwd3bavD8wG0CIQD2mpyD11ST6y2MXmIm\nCYINa/LfIlo9DoNKmxFxvUmCnw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUaBezQCsJdxrQLKmtg1l0OsoRP8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBt7n+qn2HM3VDxy4LpYU7AT011sly++wWlu/0\n2WLiwlttE1cSTdI8qyrQdgwiysRCtd1Rzljs9C/W5qfCof8/o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSJfPV2ky6cDhOdIvcgvGDASMDgwjAKBggqhkjOPQQDAgNHADBEAiBW\nY9HrI0rj5Ka3YNlUfS452ntEwa0KyT9KV0QStF7YlAIgUikOD7Xmashie+O8DIrt\npgbhUT6P6F/qnicv0ie0sww=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfgbT2VdUYQmt1B3lxANhvO1Dp0IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHi2L6mbUV1BnO97i9RlToY/7/rdTxA517TyYUd8g\n9UvbsqxoegFge8v+0IK0O35wC5A6u70IotYnS9NgXf/e/qNyMHAwHQYDVR0OBBYE\nFIf4Zx5ThcgkevfzhkQp6I9A4CVEMB8GA1UdIwQYMBaAFPO3DKOjcvBCG4YsMSjk\nGaMjn89CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCOTeRT81kZR4aon7LYP2CFDmuW8k92\npnIalKvB5RJ3/AIhAMvHJn1Thuj+yJ38MJeV7EUNntq5on8HyWb9jSEOd4sQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbmYqYBcMfS7MCWf6CA9h4p+u2fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNXyvmwQHOgAJUBOODv2nmcjdR0dZJ6Mwu8wHGyVH629\nBFQOWvzHNXT8cC6MxO89rUYaXVqyu8iWoTIXy5PF4j6jcjBwMB0GA1UdDgQWBBTu\njtibnX7TCOKE5mjsP++YBrJhjTAfBgNVHSMEGDAWgBSJfPV2ky6cDhOdIvcgvGDA\nSMDgwjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxjcvZJ8/MyMnaUjyfUjg1Qn1RlHLXyhE\n7lAMPP96DD0CICkcBBsbaAZC/ip7+OJ396/aQy4hEyJ7g9YBXsQ8krt2\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYgh2SrS/JHeaMtMW1bCN+XqArm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASIT6T7rW1ZSzD/7WKO1uRCO0QznJD6iVB2i9md\nXdkqZCKv6tT6NszhVFNsHXoVHR8RgvH+L3rm+gl9emma2OBCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoMUIGSMiuioABzaq/LxJJTbz+BAwCgYIKoZIzj0EAwIDSAAwRQIh\nANfvF+SBFt2f94FSsyyhg1YLXTMfo7eqBM5i3Q1RqjekAiBwkVsEpizA0LxOZDh4\nuoIG3O+fBOi+3w+vP9TEwN0lug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIyLdG8M1I0nT40wlFLKqKxtczUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOYerTpA0schn32XAJOk76w51LzbiUhzaOtT0u\njbd/Rmut0aSoJ71SXac+MVz4YdWUUE+pYQcvUVzv1hGG5hOXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5wnu1Ic7vv6j35UUgWvNMNaRb70wCgYIKoZIzj0EAwIDSAAwRQIg\nSJyyc8+Iwh2dqX45Y/QaQRoDVUILMzoSO4mUJgjyVHoCIQCCI1UJxi20D0kMt4xM\n5E7s0UPHOD/EfG1mFgqVutt/8Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUXOp0PSolv6yy5Nz6qWekuqiRJXAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU5NjY5ODA2MTczMjEzMTI1ODAyNDE1MTk4MTgxNTkzNjUw\nOTI4OTA2NDQ4NDk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARn\n3nI5mgKKbkZDim6D5RRB6VIZhs7IxxqjHsly9ydY4vmekqfOPr+te9Fu0C5A0jUB\nTZKgNaRxoLAg8vw2Nsxro3IwcDAdBgNVHQ4EFgQUJ5daavX3T2VP8fL9F1lPdq31\nBBcwHwYDVR0jBBgwFoAUv9vEt0YJbOwYQbLXhxkXDm6qfxcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALZZbM6uF19YDlovxGHZeCFrMJ2bolc49xSXcgBZlvthAiEA41JZx4ge\n+ubqYFO6ovVxR6gCmfJOjQw/HoscC2V3+co=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUQbgJrE/9y8larOZ5aaGi+4ilCWMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjAwNTkyMTYzNTc3ODc0NjE3MDU5OTQ4NzIyNzg0NjQ5Nzk5\nOTc2MDg5MzQxMjQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf4Jq\nZqFcFmAulq0vQ1Xyl9REnSZL60Go2xZZmIewJO6rNPdOdZLkgyjLSh++e3byE9qi\npQThMhKxLbvTeniSAqNyMHAwHQYDVR0OBBYEFMGtAE5Ue089O/VYgz3NwCYItv+w\nMB8GA1UdIwQYMBaAFIIyDogUV/ai0SaRSUE1yQl/a0EBMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCyPD0rWcfRMiGBmy+edi0+s7whec6dl9UlwQmkyOwRFwIgbzl6rRwlOh0V\n6BUHynUW5/+31/G/GqUlXWxUz3/mUsw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHhIrcYdr4gtNVZnfO42gcY32WwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyhATp7Ar+7qr8Zeu3Dns2RM+RHgz8wzUvJVRT\n6j9Rj3bvanWrGDRzpjr3IxUXGbDXW9UPzy5QXofWskHpt3kMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+Oen39GGgjh2+gMawQmV0BTx1sUwCgYIKoZIzj0EAwIDSQAwRgIh\nALHoDCqNbO8Lo02pB9GQYk+P8TEpVZ9d0sroKbhcVjwqAiEA84TtnjkS8nuTGSKT\nN8+mDngJ4PMmRdcA8WpdmnCYCSk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULS0srRLBXZyfBexu2BJjD4QzkJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATp+7JpTbwULeF6CDqpn/iFK/8oBG/esfYyZxEw\ncf1JKBHvArRtpbSxbnMGAf9rgvKAc8kjqDyu+y9iv9AbPvzMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0Cn6h7/q4mN53T0uOk7xCcy0ixwwCgYIKoZIzj0EAwIDSAAwRQIh\nALZomcpzwGwdFLAQPbBrwpXIlk1e1qor5TCoyh/KsuM/AiBG9tbyh9R82iB7iyFl\nGSeZJ/EtCCAG4yqmeIM6AZGSRg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUQevromQs+7SkBrdRGOidoF5ftMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEgXTe6BGzqBdZ4T+BSaGrJiDq28AIFdIWsYGFllI2\nVYUF05rb8pjIPo/u2HbtnghXPpLTp2ZJalM4ubdVbmiMKKNyMHAwHQYDVR0OBBYE\nFK8AnQh0/akESEJZLwXKVJ0ZodD0MB8GA1UdIwQYMBaAFPjnp9/RhoI4dvoDGsEJ\nldAU8dbFMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDpUHcx048JMaukjo5ar6eDsrzQ4atP\nlY1q/ilqQl+flAIhAI4w9AjL4ceuJFGBoof33oqbrAdKKLCPfnEhsKbPyWrx\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUIa6nGV04/G/lpYS3LlIHRazTtD4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTmTcAt178OePUPPPx6fTUxgW5lEEdVINTX5BrL5cUq\n79+spC0+MQEPPmqTWoMDKZ0FRvX7P9vzIFTKdkxdeiejcjBwMB0GA1UdDgQWBBTq\nGYDs6UpJbjvml+34/iGeRPACgTAfBgNVHSMEGDAWgBTQKfqHv+riY3ndPS46TvEJ\nzLSLHDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiA0u2gt1iIMCFLl5VorB+RmzU/jmkTfEGt7\n8u3Q8RKVjQIgRiCIGZH5ESLnD8MMZG+zhPz5meNetk86h5czqUs3cmg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUdZ6nDuhCBz3ViMDqlu6/htvH/b4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8qmhi0d2U5yhbUtx7yvBxGbca1OHgPfS42AEv\nABy/bYfqPD6ywDDhPLEzbh0E0xByo5YGjPdX3EQMFNVxbxCXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9kiQ+Yu62iYmDXhXtOGC5Tz46oEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIE7bQOEeMvODYKk23FUh6PRe\nXthyk07DxretHusiSkJwAiB9ww4Af5arTtIG+ai1/gwf6WsaMbeoiBwz6/wZ+41i\niA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQ3MCvL314e4gjXnzdJms1b5a6tIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjzL28CKmjwlEotxPJHRXsSPcFhqpslcZt/snH\nFeE1tgCcBqX20Lia7VIUhgLVyJINBmrEd0XawyVtJB8dCs7Co3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvQw1pAb7N05N0ax8f+aza34CTgYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHv+KOsq8x9E7dChdiLJ37QW\n2pKvwcKiVkP2jxBIQsFNAiBsRvpUFn6XffAmcIBXlwMjFrWWneP+rS82KC1zxkez\nyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUBuLS9Pl/rqjyP5e9garzJISZrAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETJGr1xANW0tU2mbq9uhGdXjq+nM5W2vqrD9hO/9b\niOZLDJbbABmK5i22xk+BLcc7eJwl4+IdtOEkX3WZ8im+PKN2MHQwHQYDVR0OBBYE\nFCboBwP0SJdc/+zqkV20ieeCKo4tMB8GA1UdIwQYMBaAFPZIkPmLutomJg14V7Th\nguU8+OqBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAj+BuscJvk737GC/5EhSTC5Xv\n1Ua+R1OZVXoD7EqjAUECIFCvLkHuv8mKN2MMAbO1UMSLsEf+przKrcc41sEvCJo4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUJgcwc4w72GQxm/Bz87ZEGH/Bg4AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOM5C1aSlhraeNINwTvXPV3wUAKzMrivi0HxS3njXwJU\nZsVs313frpJZkqFVmXP8E3sKkhOTshBlPH4mBST6po2jdjB0MB0GA1UdDgQWBBTv\nLipwld0CCcklaOxAkZy0580ltTAfBgNVHSMEGDAWgBS9DDWkBvs3Tk3RrHx/5rNr\nfgJOBjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN+9929IXwhojjYnXqV9rxy2DVgHN\nq9dHNecfD5XQD6QCIQDD6/1YEuJ3lRnzTo9czG6DRpUCtF4rwQSpuM0hiQFvdw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGntny5d8Ot9+dWxi3VtNlrgIVaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqCiBIGwpDIVb/ETxMB1jJP70oru+FC6hbB6h1\nbKX/heSrE1PaDEkuVME1lxzbsq7/NgrZjyqTx7sWbGdRkXTZo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURvBftBQFSKO3ROMsC+C3xaU6sZswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAV5AS3dwajLK4OwrhTXHy9o\nid+1lkyG5FFotCv36p7HAiEAvN92QAOcfVMXFNHAqxMaW+uCoKqEn3ntEYIgXdKQ\nrq4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUTWPBYw6B8c4fsHIFxx+bKbTn3QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo6HqNj9+osyp/TA+YoHCmLH3KWLEKqGfjkBmH\n2ibqN9hdJJuz2yI5DRvZg6fMbxSKQfSysXrr06A3znzw86wbo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOJEqHUND0fX/nLsLYEB619vhYGAwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFAKR+GlpBu3g/Omqm5bANor\nRNvRw9ITRVfZ5qM4wF0PAiEA2y5C2ShauwA/T6f8zCKxRegnXDGq1sAQ3hGHLaCU\n2bI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUcUxC/PUaMHR17LpamuIvA2CT4yAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBjKhpsXdanD7V96Dizs6qTYKU0CsxVmDPFCtmbLM\n0k/6cq4vxxnWKWIYeXPsf+KOcKT/Lrdr75XP6Qw4F1imWKNyMHAwHQYDVR0OBBYE\nFHgGyZGznZArIqABec5IeqD1cEvKMB8GA1UdIwQYMBaAFEbwX7QUBUijt0TjLAvg\nt8WlOrGbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGsqG4IMmnS6DsSGmgvpIOFgCG+gXT7g\nAv+lckTeGKLbAiB2eGPoTSiYj+ucW7nVWTPkUu2hWVqRn8Yn01+qmg9GTA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPt5d4ySqFwkro5YowxSPTBvlLvEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCm33HlF7tFL1jVuq8xc3eQQb8UPC+vtjXc3spijlW7F\ncjn14TCTQ35fzOfdm48kTJOv+OWccRQX+9VlilUAaiWjcjBwMB0GA1UdDgQWBBSi\nUuEPu6M/XrJYMhvnAuinWolnzzAfBgNVHSMEGDAWgBQ4kSodQ0PR9f+cuwtgQHrX\n2+FgYDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAYkwro5EcETh2ytlV643fDvYGBIKelrr0K\nWRG/Q5ztgwIhANk9TN4SZO47lLTLAJmQEbgDIHjWb18xNGCD7S9B6TjH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGPIhZHREq4CLwQg1dZZp+mAPBDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxRBvxauY82YtNDBLuURvIzBUxEjrjBdpOnNhf\n+GCUn9vA7tDeNhBYlG+fiAq31yutPwCFTR947mHMzP442v5qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo/9eetID1aVbFL3MyZX/4rf/bQUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH2VVVXyPZeLxlvodnRJ7eeS\nGGup/nmIpI9wiwuoXW5xAiAFYZ6gSRv5uOn1Uf+KzaMuUAwdFwvX4oiNSEi/ECmA\nyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUDTbPMN7eKYJqU0RiDuuuDiY2RqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARu0rmcgcCEkQsDADArzQ+tsRtU//t5wOSnKGuZ\nC7qAt9O/OJhpNAuz9nFd/nBPXOX2Cx1At5yls/+QFxP2kiNzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU57rZYJkl8shCmpsnpuV0d7tOuVwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCFzAYV+VeXvVkUBEOANGJ+\nmKhKKv9+cQTHL75sqaMg3gIhAOBBGEss8xaDsWHKPdQ7z9yFygP7Q5Tqc0Rc5M5N\nQLLk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURCTY6ny+zKYT65VFQ/WRt9rj3UAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKuZDsyjzta+Uof0EiiVpR5iup8wa9JzeN/BkV4Z4\nlueIYhtIXLTBg+hnL3UJwAecQebJ637JBjQgcqO2fn/i56NyMHAwHQYDVR0OBBYE\nFGigNwOSAaPXA2vXb1JaK8FpO5F+MB8GA1UdIwQYMBaAFKP/XnrSA9WlWxS9zMmV\n/+K3/20FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBy5cCgfPGg3g77wmAD6fuZNjb5O7tIB\nM+/iwvVpaN0TAiB8YkC3MP+Ou+aK0bq/mXt3XbvEVRM/jTkH9dhSoqxWFQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUa7LlZM4k3LBuQPHpkugrq2gLtk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK5cj58pdYXfZDfcL126YjiX00tX/ytRLUP/gTH5V0Ip\nNBKbv0vuq7XFXKPn4sfrMYhmezNtZvkKcnnjSskq3oajcjBwMB0GA1UdDgQWBBRD\n8A3icO3RqNcGq1qH42nMM9+aNDAfBgNVHSMEGDAWgBTnutlgmSXyyEKamyem5XR3\nu065XDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9RHRJilm/w8zG6XMpuFFlqGHalnKRB9b\nQKGXdF32Dv0CIBckJsCl86E37Y9zMhNz1qUf9u1I72xvSZTZBBZa7JFC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIc3uiOHARGIiZZojmcdD00H91i8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdxME2eF5E0VAFoxXTnxPVsHTnYgxllKOHyTwi\nOs9SrJuDdMeGe5Fb/Sov7IQQSK6HWy3qANIEnd0+6i8cjY6Qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIrZpPF514pSOp3Sekcs9yibbeYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCY9nZattjna4f8x6vLBpaC\npkxsXtNLc1RCcxJ4HHj64gIhAL08HyvAWS2a6HdZbWo6jXBpUhk+Y7jmZNEri5Kd\n+ak6\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUbOLgB2thL7nmK3vov6E3BALuoYgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCwW5n8rt1d8JBz+QZnLa1glevjOYJPCBSvq8l\nGONhpat7i4WXSVJczqoKH+KNDvOuqruqRwNXbvN4adwjWklto3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBrS4gayd+6cFCYwvRfOrslOOpcswHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC10oX18pdIkLkCxZvfyZOS\nt3jAUtBFr7OTzSIJclRvqQIgSmCrR/P7kRBGrQb9cumh0nmLO/GJsJGnkkmSYDGO\nf58=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUSI+CHx1wTOxoyh3t6TXTM2NiIx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEd+84N5G4YXNUNvcT8bwjzzFCG8PsjA4Pfdm3157E\naApWYFqHtfdF8zAJOxwQMG5lb4Z0tlkXxYhhqq6tcMMGDKN6MHgwHQYDVR0OBBYE\nFMMyLn8//wGDL277xEpdPCMWXNbbMB8GA1UdIwQYMBaAFEiK2aTxedeKUjqd0npH\nLPcom23mMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOb1af5TJO/1Xehjd0e7\nWAzAxq2WO1Kt70dVKkHDcV1fAiEAq8Z7n5EaZhfDuljLBUpD/7v163wqUtbABmeP\nhfP+h/Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUaeI+mTdzdT9GCHODnfHzGHDkF7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRjIbZ5HU1Yi5iFT+kLNt+AU0A0gZA2muocOT4/MInb\nczqLNcTYVhfeYv3iUgMUzc5OGeHNwstZZ90tOQKCVbCjejB4MB0GA1UdDgQWBBSi\nAjclNVsopK0goFMqQ1gmyi0BTjAfBgNVHSMEGDAWgBQGtLiBrJ37pwUJjC9F86uy\nU46lyzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDRDcFTbpL+Wi3GMv1DwaVLi\ng2/k2An8h4qzdJupxQ7jAiBrNLR4R+7xZPM3nucnwwrYn+h8BCgh1tcJo6+gHBlG\nkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUbUXBpFuR3xCwfPkd4nOZ4BSOyrswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASAiEw7/X1uLc8VlSXMxGFIsrLkn6OXhc2nrMyM\njLVmUZ8Ed4eHSG8nkaFAA+yy4FKnAWH7QToGeAmdcNqGsTSMo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTpWxSL0Ip3H4vQsdsjmOdKI6y3JjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgfO5z\nNoQ/yejwyqK814IlyhUqHXHAcR8DLKk1kKnSUS0CIF1vB7zMpf35+/gCF3JSlxaD\nA+mF7VGlP6Kezvla3g2s\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUQKK5V5irgXDQPB5y4qPQwQYU3CswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVH+MYt9lYZzt0wy2EcH3iNZhkuQflK8UFI63e\nK97rUzzrABaE6GKZC2OerMdOclw5qDEzUuVKHxsM0vyWdP6jo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRAWu85S26XTRAPgYjx2SQPFVPw6DApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTQn/\nVq7c3QGXdWEpcHLKoXRlnlmAFwwBUWEoXClIvcQCIQCA7whGrtWKIeNlnCndg3lO\nxT81Jpcxdhx3NVTO7PkweA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUSLiqgYucFXD9969hyh/X9im4R8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPc7FPGZJlz4UxuNTX4lhxC/tW9utfPg7IWlws03o\nYo2U21Me7Kcym6Jsm1AMgkfzgv1+7g5Pck7v+m/VC4eo56OBjDCBiTAdBgNVHQ4E\nFgQUojevBEIPTag4D2kZNLRTVBrEjjAwHwYDVR0jBBgwFoAU6VsUi9CKdx+L0LHb\nI5jnSiOstyYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIGs5efpyhf86MdVK/4xWRf8JvmxtX24XywAXXF3ssugMAiBz7x6ikbSCOggQ\nv3SzHYgVQanldg2pq8nJmkk2Fg9zmQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUAyrqyAzuka7wO36bG+yLzkRckgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGljT7a0RxfIgPkrDcn+EleiB2z80VcbOKUi2zEbRfq3\n1B4K3av6FSbC2KoJ2ndAQrepc79Ed/wajwrpOcdMQEGjgYwwgYkwHQYDVR0OBBYE\nFBld4SzMcnm5ITcy7RfTiDzgDRRCMB8GA1UdIwQYMBaAFEBa7zlLbpdNEA+BiPHZ\nJA8VU/DoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA+/Dx7hpNraLmuo7A3xDOgaUPKhzSLK/h69dJSAbi4FACIQC74FYKjg7Kp9SI\nl7jAkT4vDqKR5i1IRnkLjQHAv1Gqkw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUX5Za+N043eqCtZIL8aJRNHeMyiowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASM8ovLZQlubqxA8QfUqFgK9UPmOnoi/AVH7e82\nQHivm1A9Q0/M9tFsgPQiRo4gdNxMWTFRMRGprGHsgZr2birKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYTq65LsSNaD1hYnoHL6peN3pT3UwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDpC5Dw6WhuPsHSHSpT3yfoF+z4\nVlMPJcPKOYT03WZlCgIgNlb2+fmO34/qplGSvzLxaR/ilzfJKXCM8azDQ7LjGEE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUHcdDCGpJ+UZKFP0jziyBKa1mFGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhP9HzrwJJlV2VxMsbkNusH7ro8K3BN+QpWizY\nX1YYkXhqh5oP3LYQ+uKOg3DxuzbKMRrRfx2u4dql0bnSYUtNo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURd0QkQnIfX3q4LRKyWkqhf6hUtswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIGGjH+OT/ipYMjGHEhPN9fl66XYm\nMuw/lx1LQoIr3jbkAiB73+kRBVZPQ5sj3X2Qsa9e3HGDzMOH1xbpprE1bdncoQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUCooGxedj9fV9ZWZnIzPRJf7ZKSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPuvTlI9kzRY8oYAlp2IMsbEYesVJBQXn2m6+dDHY\nBOv1thIAyWOcwmaU4Cg7HRteBoTXSD2Zo9AH8OAxl9qFSaNrMGkwHQYDVR0OBBYE\nFAD8p8yv9UPj46UhFpUtufrPiikHMB8GA1UdIwQYMBaAFGE6uuS7EjWg9YWJ6By+\nqXjd6U91MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhALrmTe1la4fodB+XbX9rzHro7THsgenYcDnU7jlP\nmzx9AiB1DnefmU+MeiC9Fjx/8D6wmfmeCwJeJbq2nHQFUkys4g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUZN+XpZE9SWhQOHWwoSQ80WSTnuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO2AibSdpFfQb0uHc7OYIuNlSQKBcqQWcmiN4GlFZT00\ndvHYZiBr4ec8uzkP9NnwaUA5JDEiZCVGLrQQ02oRThWjazBpMB0GA1UdDgQWBBTO\nzei5Wx/l8nW3hGPgRqokal3JyzAfBgNVHSMEGDAWgBRF3RCRCch9fergtErJaSqF\n/qFS2zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIFy6DpGW+AXJD00flJqszW0/oWmjTVWjFCtcI3VUd4Tq\nAiEAxc8YWCef3w9Lcp5/9eRSfs9jauNF7Kxsur2tip21cIA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOIjD23qzNMVAOAHIj+f02wORP7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRGsrhwSUE0HgWKjfYcM/5fwimRbH94+ZjMvYr\nQ4NwFaOqK5TUolSvQndabVJvAzdR+gQNcnRt0vwDfpk9yOCVo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjYM3DMuH6kSMXL1lE27UE053XBMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBulXOPJmFoAiYdY7Wia/kqDNnze\nBa4UFmtdgADOVFnoAiAXSR+9w/6G6uGOFayQoK0BGwP0UvF8415w5lkIwH7qOA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUDXT6wB7yr2wh+3i+SVnh0a8vlcswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQl1Bp2Bl3cVXzUc4aVbSei1hYOxEkrLgJLldye\nc3vr4vda1shfdXFWYVl2ScY3BnlrBi3sxwX8GAh8qWx009g5o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqeilIw45ogI40tzfkXjDMnybvNAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCbbL/AKu8zf9ofehtUvSxxlAhw\nkeVEwiwNUq79SHq9PAIhAIbJZ5CekegV30lcv4oYpapB+u6CRxk36qpxnxTND37y\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUGi07WuerxYEZ84BSQ7SkFBOukRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/bur/1xfJhJQ/op23rspQP4W6sI46/3GjQQzzorI\nMhz9iUySJt7Eu961UCqeBdWROAIn9VTsIb7Wrt/tulBxeaNrMGkwHQYDVR0OBBYE\nFP5ak3wl3s0vDkjmpvvksXY7AjbvMB8GA1UdIwQYMBaAFI2DNwzLh+pEjFy9ZRNu\n1BNOd1wTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAOpMC/5RoNA0kKkJKo4oUvgZgPu3fi1wKxu0vwsU\naXSKAiBxFCn/Oe4B1v7U+ljURuVs3oAK1kfNjt0tUe2OcVpTfQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUETqxWmNU6ItuQ5vfRGdC2359ZSswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCD6EzhDufEeJ/dgs311HpUl8pWbA5Y1XFGE2eDKfiKe\nNmapUpvt5AvhhgIJxlurHXg12bZt6pkANoHF+JKSN+yjazBpMB0GA1UdDgQWBBQ/\n0np9LtruRQvKLYlehCvozM95OTAfBgNVHSMEGDAWgBSp6KUjDjmiAjjS3N+ReMMy\nfJu80DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0kAMEYCIQCE3/ZxUCzaG0C53SgWqa3vVYCiXf1zRGtI13M54vEa\nKQIhAOSGrd48LFIZl/t/hJsefq7hy2dr8IBJbC/DysiLsx9E\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUG7ZP453OGlu6Y8YwbNqAbbGNBwIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASlMJf1TrM2S4MF83dPH7qIEuqXgiswtHVSUaj9\nT7dTj0PfCm5ltNNET0HyFFMZIZRGPsrZLZv0+jbSnOPpdX9No3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhkQjgHLNpymC70RiaU65ghHEw1EwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD28tOn8Kfd1dawlpQlRmyz7e9q\nourImR/k3Jg5Omw1IAIgVBPKKHpIR88BoLYHiD0we+dbzrE4NWBY9NdQoGViE4g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUcvKp/fXuick5JZcCPR+9ytHbeRUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD0/fJ48le2iPXk/EdQtvYPzAn3aUquK8pbhJn\nR3EcHaUtP0T6sGSuyOlr4Jm501xkOvnk/wREjxpDEPqjeE8Ho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhmYpg/HjP2RO5Im20gyjCukpj9YwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDBoHOncIVyCEGH99fbXpjJiLJl\nZ+lFuEsqxjajd+HEfgIgNAK3M+xdwtTeOhU5HxVp1G+WTZOhFyM58tXlh7fy8Ds=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZDGenulxtVCUMu5KkeYsZlTcv2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1zF10zhGCcWOVc3Xa6ADNZC2hIjrz9UPb5HbjPCM\nZ929+6AZqxYM9RZm4E5Q3v16BWaMU74B483kGcPO9icfj6NrMGkwHQYDVR0OBBYE\nFO806gdftAr0UO/pEnDMSDO8rUPwMB8GA1UdIwQYMBaAFIZEI4Byzacpgu9EYmlO\nuYIRxMNRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhANfqXArxZb69t7c4a42VqQsaawcnGXPP4ipkkkPn\n3xdjAiAWz5ZrTR/8O3R+USNbWi+35i+Co6kPA/qO/LAzdPsuVA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUZYAvbwhYKrGKXORIEHR6DCx2il4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKnosEZUlXrxbjnn/jlM4X2ThZI0sCsmJKafpkIUV86g\nBQJ4TPC8JpdZwTo8u/YH1sxznyFF12AmHd3PUu//e0ijazBpMB0GA1UdDgQWBBSh\neKdGHZITxW6U1Hl9oGylW8AzqDAfBgNVHSMEGDAWgBSGZimD8eM/ZE7kibbSDKMK\n6SmP1jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCICgGUPpgmpZhRES1Xj6Fw1MC96BFJfVkfz0sK6ruDLJa\nAiEAqnBiUPWUcpIJFkjJ9GOqMZwnNH7wjmz/QhQOyOWbHoE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcq3WHT1NBvGwdpPZcC7WRhm6hd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuaLjKlFmT+8DOEmkRX8BpLbVjByp9smCPSHSj\nBIVmJmBH3V4oyQSkCe/cWCoUDJFccrU2ZmOR/9nZUOkc6AHAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULvlOj35Rosu3r8sEApQHGbuwuUgwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALQQPFyeUljXNj1I\ntX3C39Js8c03OX9ti2HcPiEySE21AiBMiTYU0MtrrzIhwieSCYLenYsjJULLkHNI\nguFy5YC3zQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUEbA5lgAWG9hFDI2T/d4mTn/CA7swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBNs4rmkLihUwX+657EMrYmeQyZIBvqtXypBcj\n+XTTB8u5MH8xWMFPpQXtBuSpd7sxJqZwQu66c6TGgCQjE1m0o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaJFrs6Mx/MnhUV34duE6vp1zAk8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKUJTuIVLPXbGM+f\n8NoqzjJqJtCsn5Usr0jhv9kQVQmCAiEAnI4lxDD7HpqZEYyiIEcTAUhqYfe1v9S4\nrcPTXNvAM9Q=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIURWK3YjmQKwnyQoeUgJsLQM7eGA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEJ2ALHAK2wbheJidAugKjsVe5KkGKHqFMKwT35TeSBf/vgthz\nR4g4uwbSoDRP0A11Ljk8bDuQjRsKxQd/GftbIKN7MHkwHQYDVR0OBBYEFOvGzwpV\nG/A8GqFgUh8AcJHRzEq0MB8GA1UdIwQYMBaAFC75To9+UaLLt6/LBAKUBxm7sLlI\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIGQRiBeU1sWFAC2lFie7N3ZLdSE0\n2VoOPu2/DJAuM0KQAiEAjpSnlhLLTggUvPBvioqOTkxBDsoNgGTbxLVjJ/zRQXc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIULViA4d690KmjrJAVOe8PkqzIMg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE4sV2Gp2u2CHxtVLCB+JkY5x5xULOrZMfSaK1ft3+wx0ecWpO\nEJ9VkC1qvW8l701fXqjvsBk+/kSTZE+tVhXzhqN7MHkwHQYDVR0OBBYEFJ0m5gTz\nH7rVb8rtPqUa8a67FUL4MB8GA1UdIwQYMBaAFGiRa7OjMfzJ4VFd+HbhOr6dcwJP\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIAlQ0rJK9J2Cof1lPuGr3ODNGNO2\nxrx+tp5+i9+3wW5IAiBYOYz56JhhHq0ikc+Xq1goEz3rgXGarpQctqU4WJsi4A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUD6c47s393RF2j6I7eB405BVHAjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhBsgztsQWJfqA+8vqVNiDc0o3tfN4A24UxFqB\naAe5ViYqHktfY6gKuidQpgAaTXGkaMz9OG1hTVwbYeYidWC7o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqFFBFy5whuveVMgyqsojRjgztmQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAKo7QJeYCY2xjJwn\nfbyjhPFW/pW9KvySGmqIFKUEBNjtAiA0STqkG61KTMWLXSWxbWFlWUT4T/uiVCM/\nsYD15Y4dYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSQ9rCvwZIPGlq86Oog9wKndQqnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARb5QUuRrPWrTkFQyNOYlJ/48MM0UOOduoVE+A2\nEPz1n1ARdnGlaCyA+swtAbY0NDr1RtlUU/qT5lxtOkI8rMO9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8JLJ4RaoQV2xvIJ32bROIBpEFsEwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgeHALl6Vug6v66ql6\nw7H8tkrbdLdwwOBDGqzgEIrCcccCIQCfhHQlg7lLBtvOKaJBZxgb1xVhxvLFW0RM\ncO40eo/yKw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWqVDkcXMw65J0tB2M8hbd+CR9SwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQxnB8/JgjN1sW7NHPUFzYNbQdbb3q+TY6WSk4Nw6Nvji5dbPcRXdJl\n5Og4mpniNmqh31oy8oLmgEddQvOReNqOo3cwdTAdBgNVHQ4EFgQUgE0PWQvTyKoL\n7nOZChbA8N8inMgwHwYDVR0jBBgwFoAUqFFBFy5whuveVMgyqsojRjgztmQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAj4fwk5CDRjyNaJKFE4JnEGn3hVGMavrTjJL5\nsggnLB0CIEbk+RZ2vIt5vOhLb1TfsX+j3iCYQvMQw897hhkM0Bh4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUV28xBqja2I3/LYTNyofWQDocqA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAR5Scn+4zu0AmFGOiBZSieLaG4ANvz/4mjGRfo5W6iS/CDF4Sh6Jh6z\ngiVENDJde6lv2yBwHhLhbPtNi/lZfseOo3cwdTAdBgNVHQ4EFgQU+GRNTV2i0jxn\nx+FjS13kB+2AdHcwHwYDVR0jBBgwFoAU8JLJ4RaoQV2xvIJ32bROIBpEFsEwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiA2rLyy6YQ8UU8C/2Bd7ahSnnPcSAqrG5zrd5Gb\nXBFrXQIgeACjY23VarCtLJLrJ+9XIYZ149tlvSoK3EIfa6qHFjI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUCFiin9d8GMfFXV2qkBtxulSaURkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG1QZQuGTOvyO9pWCj4/Ol5i0ns5Ngkap5/AGr\np6y03ikOcbaO3RtDOR8Hf1IiYx+VjPx6YDdGZMyOIDl/L2hxo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn80vVeS7HLUjkKtyoRjghHGyKe8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALstJcyJytPRRmnX\nymXgQCMQhrar/3V7cFvXwnjsRdleAiBuhC9HmejX7/uizkMC+akXkAZ6HMhuRD+x\nugRnmiqIFg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSMG817kJmwrsn/M5Qi1c/HSOX2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwjFBngc9ByxtWAAqgraJOlWbqTsUEeKeWkFx7\naRQAWimkj6G+S1lbVtj0m6AZPUN90h8Uh0r4rE2VM3u9B3Tho3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfcgoDa3q1coWkHPvdCTU0usPlD4wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgDjAWGfjpuUc7ITAj\n9iTgg17V5WRKAuQFwb4W2xL9lSUCIH2IG/0ZSFz6i34NMjKjNFKFQtkWWpY5jaJi\nbMllhGN1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUNvU1HkiGZIu4yxSSuPVGdPRXJQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAReM5zjuOV21W7hYSWnFK3EXScDLq5E+4NZl5ZEEzQIkZtvH1KwLYxg\nKCjfz1TTRjnVmKhw/PBIq9O2LvR2Igy3o3cwdTAdBgNVHQ4EFgQUtioT7eatxRKp\nSe5W22UxFqpVZDkwHwYDVR0jBBgwFoAUn80vVeS7HLUjkKtyoRjghHGyKe8wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEA2EHdUs27K+dmGF3ZhP1B733ExrK/3mAU6dO7\nVJznN+4CIQCvB4MzIMcpBRcER+dT/HeoIfZ+5Y617Lbav6eAS6aWCA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUftnm3U1YnwyRSoJwo3P+KfQjF2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAT4R7TRqaCRclinDEZ5HXXRjT0eWJK1VhHoMhIO6rKZVwu3sbnTcs5F\naNyizWChh4yF2Bc89gQlrMkWUtZCmVIqo3cwdTAdBgNVHQ4EFgQUHizx1Ae6yA5d\n1iY1lr126Z4MWYUwHwYDVR0jBBgwFoAUfcgoDa3q1coWkHPvdCTU0usPlD4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiA1qaUH3rJifUFN59mg+fm+/lYCEpupS6/YgwmJ\nhCazVAIhAP8CEEOLhCYa39e6XBWr6S7xL2wRSjVEPFYZDLYmWJoH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSx1UE2A7XVIgUh+YsMQmxc9o7nUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpIu81nJxemCdSpL2x1SOp6khOTQAJrdsa8UMy\nLItlM1aAOm5NEDRcF3jfAC+m7Hr3uaM9/fPFe+d7qXFRMHW2o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtegB/IBtiJnPuoqIk8/ALyY4+LowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgBoRr7n2eJkFhdQBB\nHis3XA09QVoSwpRMtrpdk7HzS/QCIQCFApTtpnwqOpkXzsnxb3JbaK54UhJnNX28\nTKPx00DvLQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTN4UwJZYixuXisWd5HNm92f4B+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVOUmaAUCwGKZNY0Al4Q2uE4CRLnLORL/dyWDU\nkygJG+Q30INNNroAJ8qvj36F/95s4RNJZngApKXAgydSJRQdo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJzaX9aEOJGhuSRILut5oEaOciYswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALD0vxU9r/WRcFpE\necW/b2qvgECphFOQ1dLN4xzQGeaDAiAjLR2A2f+x4lqT2bA7pXT5Z8zWm6inc5hG\nmR14N+iPCg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUBkkawGRuP/OsnJi5dRJHkyRVw0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEptBUtSsXYKRv6Fb07AwLsLrwQsMhlXxIXZyjFv8BCTZ+gEEX\nO1zZ/RbxB934SsnRryRRHp0M8faKKkJWgwiQsqN3MHUwHQYDVR0OBBYEFNPRn3Jk\nbHJ+YhJZBaw1kF+AiqWYMB8GA1UdIwQYMBaAFLXoAfyAbYiZz7qKiJPPwC8mOPi6\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAPsruX4Ox7WWPV4u2Wg/SctSn7+rneW4\nynczxR+GpXECIEhngQTDhpVJf1HN9qdApjxwusVJgcuJFSrFS9Ll51n4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUQa1cSJUIR0D99qkq/5o6jP4Qnv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEbKNtzQBrZRTM6B62prcZDDu5+OeQ+HfdD2YTOP8xYElF9SLW\nbOooAo1O9rUpgaOqnrOem769YEkgmty5+J0Ug6N3MHUwHQYDVR0OBBYEFA6GJsw8\nUa8L4/JupXevGYaL3Rd2MB8GA1UdIwQYMBaAFCc2l/WhDiRobkkSC7reaBGjnImL\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALOUnFSn/sOL49dzHuF+qAaqZZg/5huT\n03lzYh8lGhV2AiEArxiC7btKU3GhZBSoxC1ETsIfoO5psQNaJES4dzyysRU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUWvxl+C0Ox/2Hs7LECd4UlaxbB3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4NgnF31wfHCweH23FJxKmGiqPFcqnka7tQPb8\nTtSzJ+GYUCgNHa5suUs/ml7W+pg4YXgwmjS10aAZCYYX3uG+o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrPscoXdbfshOwz9DJzccnc57At4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK821ELL0DSTxSZt\naS/PJL8F+ZszOfNoWT0Hze+x5oOYAiEA2O9d4vZh6gOdRUSTCPeFYF5WreGRMOoD\n68fV3S/p07Q=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUMI/NT3khred+fdm1aLJiupX/hGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT9AsRQz4KGibwHd/79W6bunhOmDp/Wgj0ee5pm\nAxV52SespF/8z974SB7LpXfWb8TDcb1WeAXDbV+4xtI6uH8bo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcK3+iO8W8f8XbgSGI+xiZr50dEQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhANzLlWl+uZHeLLqL\nOcOk/0sq9jRGxW8zfQ9JlJln5GjWAiAMYpmaDMcj7DGQEsnswq9l57TgYxSXtr/s\nS2Eglv/aqA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUOkOjNAL7EPe5/LN8hyT6hzFd4/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQNlEP2tQeG1NgO2NiQDh7nw5MKyjzdp4NynEWj6QAJq8k9esLrEPlZ\nZUm3aerL9FSAWW+q05WWo4eVGTUadC9ko3sweTAdBgNVHQ4EFgQUnprmGnI5gtMf\nNjtl+c+C7gEfXFMwHwYDVR0jBBgwFoAUrPscoXdbfshOwz9DJzccnc57At4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIhAOEZw2/5obfg3jcvsVPsN7AWfB3lCVrD\n3mmPxM5KNzBWAiA7stp9TjKwZhMHA1iiXUQfP3dGF3Yh/IDyINkFonn7kA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUat1gcwu0PfzeUGljCaSp5f2/LygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASrGXwRZDQdKnzRPYE63s7h/Ya57PGwdrH2EMVACWf1Ia/zgznsJcXp\ngkAa3CaFP+qDFs4hb82hJ2t+9tdjeFMGo3sweTAdBgNVHQ4EFgQUDOJvuF4cRGOo\ncmRN56QnoxMjps8wHwYDVR0jBBgwFoAUcK3+iO8W8f8XbgSGI+xiZr50dEQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgEEWLYQNL8S92jr7Onin7ZGEahQju4rZn\n3LJNySU+vYgCIEhQ5y1mgIoNM6zRxQj+fhjfDrBc04ctz1gltfMZBy9U\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUWQ40+YiVqj2FiVaz5Hdez4BMVJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARh8ENbLzhsHna9nknJXpO1yiKOgjYE6/fd3pVV\n909LgCHdNQNKpExGoACNSu+UiGnplqFNtTk7cVd2UZyBr9Qto3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKv7GGzcc8zKEnXL4ujj502bx8dmMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA69pw5WiTyihH+PuE\nBRlINVv4RJTFC8sVu9CJek8jH7gCIQC6mgMtydUj5X7HBkNwbriQBWhY4IMsuNRI\n+DURu5YAEw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUYMxKn9d5PUJBv7+Rve0hCokI2T0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARz4tG+IGfiTSQczrNeMMDdnFKh0X73du4s3ZMn\n6eusWMayeLWWHT3nC2VAdhOEKkN/G23q1hXkR6YVe+JqqOkSo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDYF6/oIoCINWM4Zm/N60IsczKt1MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAz/M9rU8WWdPt+YtR\nnLdCSrYeM2vQdtzyoIr7osCl0U4CIE1SAJwXevvMFu45BPAfY1spYORwdCoNq6/E\newkAggPw\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUcZobqc7bxnlK5sLeWrNAl+H1N/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnOX/mzuTx81uNTMmQ43enwwUPeIjGo81aPSQH\njXQo2ZX+LiY4NMcZG8bf1wzqr8JKE5i6C1iauSvnzlgODWCro3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUq/sYbNxzzMoSdcvi6OPnTZvHx2YwHQYDVR0OBBYEFHFi\nQlR++oyPPmyzhqgEcWj1THcpMAoGCCqGSM49BAMCA0gAMEUCIQCoe+ERZzTa26bQ\nja7jmhY5ad88DqJ6T+Se5lMmneXkbwIgUofTxbbuB+Y5cKwjYekBZEQ0pPWlMddK\nYhG16GyNvi8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUP8QJFqMnFf+Xsy3wzr6GihaE/LowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbiYWbNmlPStmwewK15XLpludsJW7v1txEAqpI\noXiZhDAHSP0a4n7sN/KvhtwjBKdoPpmefZ1QY7fkJSoLZ815o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUNgXr+gigIg1Yzhmb83rQixzMq3UwHQYDVR0OBBYEFNyu\n8uOo1jb9pOzVBLIJKd1vSaOPMAoGCCqGSM49BAMCA0kAMEYCIQC1IFX+ZjyUgDUV\nskfd/V4VVgYmBxd4J6b+PObLJmzNiwIhALH/clgQNZMlI+rpztZHU8RxJM8a96Wi\n3clfmq6i1u4v\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPv7KtAm6c2khyzJ59OQIfj9W1ygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+MoAFalhRlfelDVw6q2gy9TIPW/3m6N9I4kGlF0S\nUKOPPURLmeaNDjmZm9C5mB5KtfXfftDYCOrT/d63JIx+uqNyMHAwHQYDVR0OBBYE\nFLbqvtOQAkWNZOHnqb+0SO2LoeCMMB8GA1UdIwQYMBaAFHFiQlR++oyPPmyzhqgE\ncWj1THcpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCETGHUFOwN3CQ33LrtfskoAn60k075\n5v/4khV7u29tcgIhAPK6/glbiSu6MNtX5t4T6gAFK2GKpMEy9ZGzB2kbYzKn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUL8XaQN8FVrJ/d0TFR9QVFxSKvr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIrnfw0H4r7ZUkjjRUHdOJt8Foex0rQgahoDbFEIhMNx\nP3dC42vWNEh2YKLrqGGCIe0fQCIJep2Z9m/D7HY4aN6jcjBwMB0GA1UdDgQWBBSt\nwi1LCjO2dW7+SJhswyt8KT3buTAfBgNVHSMEGDAWgBTcrvLjqNY2/aTs1QSyCSnd\nb0mjjzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBoG8ukMfh/4GYtB42VuY2xCDprwucYNT5k\nK7brstbX+wIhAOghUD0dt1zmp6HPT2tXQegZlxWZ9Yohykz6xy3QntVj\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUULJxIv9zLUC3PYehraVFZuHDMS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdrQOub3DV7p/tOUNIg6eBuGtFQVWurkw4WOvK\ny4Hru0FDTvB+rPDpz43aTDGHxRfwDqLWjURO/zWW2ZccoN2ao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEqG0jtRIgWSU8ZB8F8ZbZx3\n/nZ9gIHRdYGPWceVWsVVAiArbMWStYT2fy2tj2zkGvxuKgr74VEY2l50gmlaWogk\npw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGAafTRHdf8QNxWSq35Q1UWKfZZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWJI5257VTzkL27GaFdYFBXME1nWDwpyj2zpgA\ndkJpSZ27DGlT96HvcY0OeI/8XpcJLvLrnxGJZ3avzL7AWN2Qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwzn0GAj1GNjKp1uKiTqNrDB3GY4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDkdCGyJUPE8ZVR/Ucboqskl\nbOcig/y8Zx21lgMfPTIxAiEAmCNPfTJoXEi5XzLulPmUJB7vdGJq17jACddwiHLm\nhSM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUesJN1RP4LGIEP5nkKgLUwH/n0uowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDw6QN0UC4079esimgCH41flFxlyIFywpZZxZk\nCRDpplKH28/LxZFwSjX/gmtYBhuqtjE2/NbNYJ/3YJ+tQMl/o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0OBBYEFG8N\nhpxAb/VfOYTOV5Q8kq8g0YdUMAoGCCqGSM49BAMCA0gAMEUCIBBG9lbAdAup1hOh\ntWkzsd3PF4mQ3KD1PBlgiF8OipmuAiEAwZJo7b0U4cRFnWjPMMPnMjjKhDZtbjoq\nbAEH5Jalna0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUWcHi309ThnNdY7ndho3jJO5StBEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjMbfPqqzgb4wpHhr0bNtlQYvnlzrIZfeSz+Va\ncLyrMSiu/PrYvrG/cJ66gogvE5sjPDuJSzpY2tjLhJz0oVK1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUwzn0GAj1GNjKp1uKiTqNrDB3GY4wHQYDVR0OBBYEFKeu\nP56Dy9/d9GAcrXaYuJKc7GTUMAoGCCqGSM49BAMCA0kAMEYCIQDP9945PdsQn/3H\nPbz3CFFr7oPvi97mqU06J9IoHL8ncgIhAM3l48E+mrJmN8c5Oj2P/Ng0Vyb8JObj\nu27Tit6KVIf0\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUBqkED6TciEeFR344evgY/zArksMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhn1fCs5HqUXhgLasiIEgHL+4/KdwxYNuJbIkX\nk9jgOmNIrY1pADPfgJM7C9ckImXoB3XTfq3eYWs9WTDeXf5Wo3YwdDAdBgNVHQ4E\nFgQUooj2KOFFF/+qpHou1R7JlaL+PG0wHwYDVR0jBBgwFoAUbw2GnEBv9V85hM5X\nlDySryDRh1QwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUPnkwd35XH2gsIhhGjUKY\n6Uurnq0prnckLYVa5bkL4QIhAP3vGgAhZORCtzlMaUM8SxI6LNVBVg2c+e3+8QAx\nxSWH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUP4JdI41dCooWDp2jqfuf8gOYz9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIbIvO4QDQP7L1U9TzDbysRzSGPK/LOamuAv6y\nycscIkc27uSlCjSXIYJJA4yLS1n9zPSJEN3TtNu1YVzxCmEBo3YwdDAdBgNVHQ4E\nFgQU5pit7E0UxeuJVdpW2bWKn5C2FS8wHwYDVR0jBBgwFoAUp64/noPL3930YByt\ndpi4kpzsZNQwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEYP+3OugGz5msSB4B94cc/a\nbTsPIIjRdnTC/Lw2o1ckAiB9M/eReaaF9iWO9IYfGizjuZ9sT6AldLEz1NQW7OWo\nUA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUdah6fIr55I2pfABlEeWHwqvaw/cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQu1Nthb37ieJFuWWEsz3/w5iH9D/Z1EhNI2lid\nXm0zHlD5qhmsh/9pshKqiVU4EFWF6pAzcuwYn0ydt39mMY1Co4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT3tzY2oXpInhT9UUxdA++UKdOuATAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAq8YDrWrVloUhEScCFSbx1u78Z/GW4mQiL+tB0PuRg8QCIDkCeOgoI5memO2A\n6uM1MmsVL4vMFZRxXgUvEZVPKSSJ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUIGWFwkll8+/1aCoHPjZTJTFbbcEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLpbG++AJnqOHyGLZtaS+kvsaDH/tDoaHdC2ZH\nb+udrAHmPRI2iNWol7JUfWHC1rDrbPVTd5uKEvCU1tAOL6nCo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQSld28QDrmt7gikRDzb1gLPYarTzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAt7vQRLATeRb+AxTvpDgvdlA33uTeCHvy5HnLNKGxgH4CIQDjYdm8DCLjLP2h\n1nzY7cVMV7EKj+J0ZZDxbFiVvkBT1A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUaEoU2H8HKSXnswWEgctc4Yf6fVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvqIFpI2iyWuLfDDKp8TUEME+qZIFa/+tgh8W3ONV\ncU+UEEwdSBoiFeFh+T7JK+6TjwDhfb/XFjqlSA+6XqYgiKNyMHAwHQYDVR0OBBYE\nFH38jlw2pWdGPJ5DKz5lLQUtv+/mMB8GA1UdIwQYMBaAFPe3NjahekieFP1RTF0D\n75Qp064BMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBxqrZdmNn4Vri5ewRY3wfk0tMWZf4PX\nIMnr617iOMTNAiEAhYp+9rywRBpQTCvwSiEw3jaKEfqeHhlMbnWYH80oS9c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUdoDWUjESnPffNqzJFvjt9PubIrowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK7lXrVFwJSFasfALa4/DVmfBugWw3me4bxdGmWrELHz\n36dvMseWyk30+vu+yT4CJ4x6iv2G7Gh3JJJH7/dyRQGjcjBwMB0GA1UdDgQWBBSF\ni3IhRKyysWbfiM4SAcQgouQGPjAfBgNVHSMEGDAWgBQSld28QDrmt7gikRDzb1gL\nPYarTzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAirSC6YRg5si0HJ6np41UoWAiKepycrAJ\nbIZ29SgRsKoCIAZmQmYi4TIzYqgBHBQB9wUj7io6oZ9CBpoo2TW6S/dJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUc1ysPf3H8MflFoN1mzWn/Pwywd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATi9KPZrtLHP6EmR6BuABbn8uza71O2G0qwYopw\ndiypdsXIXZc+YThHhefxz+RG7+NHyiTgricjFdczauHG+ngwo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCrYPCeL4/7bptNmZavOgmKQm+iIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDEYZUrWlR7yffjrs8885K8Zy6q\nEeE6E583qGiHKkN4BwIhAPho8R/prAGbiL319qTHAi9GbuXTBRXfIlBS/XdcW1/V\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUArg2M/GKtUU7l12GM8S0Ocin9k4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATB101ArAAx9MP36NtWG4XbgFW0Tu3NdAhtSlHf\nIZyJ4mPrLKgoyUnOA8JfWcUDj25qucovtawuTCPxemrQS5B7o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxAhRrNY1FllPbBlQE8kEeAL+5qMwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCICqmFw6HVdlifhyAXHXd6bKNJY7P\nHBcvFwkB/Q70GtKRAiEA237AlNi7zI0CA/aaPscTl9yePXvICif6z7vthhxuxAE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUI//eknrdDiLoCoeKTh0n8tDpcrgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3bnwFTW4zVy/wv4oJUhlEGeisscdvK8SYvSzRBWk\nOFxy9h3s42R7i+UrURAsRRtap0yApFWP+xQo9a0ve7s9zaNyMHAwHQYDVR0OBBYE\nFJNsjaJt0S3n5zuPP71CmH/JvP2XMB8GA1UdIwQYMBaAFAq2Dwni+P+26bTZmWrz\noJikJvoiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDJcVHmUYp2ovMfHdpkz68PcqVhTTbv\nA3BlJI2AtYCyXgIgVWER2xQc5muEi6GejbuicUJacR8FfgiZqEGQz3QCOZo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUPPpzIJur4xnEQiijGfqxxqDi4icwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFablnuBGD4ycGXnZSX0LMVTdF7h2+RsUTweTfG/Kc2e\nFf9ZB9X4R/ls1TlD2aVCv9qA3PbNWt6+iJ2003RvilyjcjBwMB0GA1UdDgQWBBSK\nqLKFawz6R2Oqi9Eongo11WNmlzAfBgNVHSMEGDAWgBTECFGs1jUWWU9sGVATyQR4\nAv7mozAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB/iO8ia77mu69nY73TWYUzHtv6M/TYvRWn\nIGpFtdwpBAIga/GbNMr9jMJND4n0Gn/K2/bT6fE1PY3DWkHeArEzxMA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUOkpVFzG2YOxqqxmijMVerTRDaFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrzAKy3GoJ+qVxtzNFSvDh/jAsDltsFaI3WFNq\nJtcUUaiTa5V8BNrxS0w7qKmbc1pTOK4u/xxqXpQ0rg2/xx/Mo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJ8Lz/+yTfmXeuhaR2zZwueG8pcwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJupYl0Ozr8uVkWUaVk08\nkmpgh4WqkQX/dXiltDCjXPICICLVPrnpJKKKrbmvObpIdA/HDV/kOA/+c84ZTfob\nhYyQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTYsWVRBOdVaM6swBIVcwxSan940wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiL/P7KbDLHkxPmSrXDnEYlMeXVhZ4DX6r8lIi\nOpncXbtFV6/Rs/SJB7Nm+Vi+/x2aP+OaAglgrXqkm0c7x5gRo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkqlNNXXWqgsTgkapU045yjvn/lYwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSyZRPr8IeIVCnpwAU1o/\nNoz8JJKfCW5h8VcR1fRnZ8kCICaDtsKVTur7HHcY/eBj9k6XdXEv6KNWUcJ8d4re\nA5/2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUMq+WAd2HjnKoAJ2aCXLO5ET27OgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXbRSvcIjM1HWHgPhGKqZKuCxkOdjcnXcuzbh8+IM\nHXPyXFHigohNFQJvzuWnEMlCM7FdLo/agBWpy2xx0X/E/qN2MHQwHQYDVR0OBBYE\nFJ1RX6rJCRhwEmoFzRy43zj5d1yHMB8GA1UdIwQYMBaAFMCfC8//sk35l3roWkds\n2cLnhvKXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+zzgthdo4zTVte0aHKwNxGNx\ngmQ1jMTeokSDr1dI1uICIEI3G0lAl98R4VPcUZSEXd51NAQdMZhDY4Lxdd+tIM3d\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUadsRQE6jRJeWvcmbmUIGQ0VzFZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKcw/WSz9BV+UQGqRIdVzUSfhQzxkkQOAHPNaCiuhPwI\n1UFVJJWCfd4GqCqVqnOCgeYDWuAjWNTUOd7lO6cjuYGjdjB0MB0GA1UdDgQWBBTO\nMOTkFGLOTfyHp+fFramTpsq2ZTAfBgNVHSMEGDAWgBSSqU01ddaqCxOCRqlTTjnK\nO+f+VjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPypI9XWcsqCF0jCexRu5OlonzfY\n6zTtxdPYEWVWpiskAiAWKxT+Dy2uxFA5oGqx0KakuXRe5QtYsTE6++jtK+b0Hw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUSvZNxwc7HPR5levo2+6HSDt6v5IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR26cinohfXDsBNTFnH+rH8uSJPPVRphvrig+Tc\nO1705omQ4f1Kx4/nwAqdWqTqvTM5r+TFCTFHAr+xYHfA38Ffo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbUJnDmDxjKsx/IXrWGOm5mRwZAowFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgIbZBdecDbpYH6deyF60lDibYpDPmLm3z\n24vX2YWFQS8CIQCxuWkAYJ98AREeWhvVFu1sbT2Eps0QiAP0QwiSd5GnQw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUF/L9DhzYL+KeNtGrBGNefQFBkOQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9/WBrG9u0CvFKhaSu+RGg0ooTFraemZ8QDEB9\nQGD7szo5BhRmAbzc58qBUK/Xn8+0o89qti7a5onaT1coValJo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnkMtiFgFbDH3B2Jm8wtqoyBXVi8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgZueR2byB8b3VDyiM3xwELvwgbSuFaqlw\nOUZnURFIUh8CIDCRtWj9y3O5NSlU1uq3O+x9/NyAYm0AU+DKgiROpRT4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZp0BkeLWoc7wo+w5FmCdmTwlduYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEepBidwkpKLoNeN1rTqpLMtnnUN8VgP696woIe6jG\nFREVAzORguA3atkc+VX4K67Mt+g4DtCJOygO/ZWVu4+iSKNrMGkwHQYDVR0OBBYE\nFAE1NkATt/Drye7DcISm5fGprRlBMB8GA1UdIwQYMBaAFG1CZw5g8YyrMfyF61hj\npuZkcGQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIhAIrJFyYtzIJXFT3lmt1D8aFLau6xrLRIT6KiAJ9N\nlZZ5AiBEiEI0ffvJlZUUyNzwUySOPgzCazuiNzCZWhqvaClIWw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUfbtIIf3aF0oOv87t7UB+6Lxjps8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBktk7RoQLJUF/bcqKN78hO3zatbY4bq3KHoUxgwg8gu\n7bFAnXAWnNWa+7neUJg7fnqZeUDmqRCUJNFWKtaogo+jazBpMB0GA1UdDgQWBBRM\nPm0lEeKlA75HeXyfe66jYuVCTTAfBgNVHSMEGDAWgBSeQy2IWAVsMfcHYmbzC2qj\nIFdWLzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0cAMEQCICopDrL0AkCQoWrL5rxwNyUif+LJdZToInmQdIwyWTbP\nAiB87Wx7GiqdSLXqfxZ1EIBRyYnzeyPREpqzt9tTpy8zMw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW5/Mx0Mv1XUjLa2ClLib7TyI36AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj2kdPhjwaFzqdwr0KYplqJnucCQOBU+qQ5Gte\nU9yQ8Nnchdhm3ZrAbcFE9BDFaAT9/EN8DMmriRnjT26eYzKvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrTjjXzGHOk903V/IDAFCkrABmQ4wCgYIKoZIzj0EAwIDRwAwRAIg\naQvlt8eRmycUGIeEyUceWbR1+L6pBzNTQIVs+K4bdXwCIDhdYuU29ny/hbCe3RZ/\nHVrhwoh6pg0CQ8P1k2gl20ai\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJHzibaJpvhYjDKwVkuucbz+Bsn8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASzhIQUCe7hDeKi0h5oocLr0gDZMT7vXQHXIu+T\nzutviYMuUkHkVMVMNA+wcSTNaxyGkP7yaUQSbHlx646vn95/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWxEgIWT3P0PzA1rPw6CL0VBQgEYwCgYIKoZIzj0EAwIDRwAwRAIg\nQuFWxrD4lWH8Z0zrBWBOriiuVVr4zTn5WeA2EPV1No0CIFVPXEWwyhx1VHW9O5Gn\n2NAp/OIS61KbcmDGzIDJNtTR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1DCCAXmgAwIBAgIUKp4gzvkrqG80WYkiKBbT7CH5M8swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8e6Kk+eLQxUIID8Qw2Pzj165zvRBZickAB6j0l8w\nbiVx3fxR793Tt7hFp+RzuvCFGnK9pcTxgPKV05LLMiyrlKOBnDCBmTAdBgNVHQ4E\nFgQUpoSJ4MiQSdC3gL2sqKVIscHtOe4wHwYDVR0jBBgwFoAUrTjjXzGHOk903V/I\nDAFCkrABmQ4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEArmzHJK8yLRvWPpTuu2aJ2tjyV7TxEYxZhcB0\n7scHSzcCIQCA1AcTJFm3dTP4jwkPLkwtDWjsBwzuFKnejj0yIugXkA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUToIyja+lsT8xjCe1fzm196Q5LnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIP/1vvhqwlI9L3k2LvNEmyCIpbJrWiRFuD6BW8+Lw+i\nBER5Y1fB2VnPq5vdx7H55rmx3ul4gQ2T257j6C57AUqjgZwwgZkwHQYDVR0OBBYE\nFLE6M60oRh7rCXXyGKM1tamWYdeoMB8GA1UdIwQYMBaAFFsRICFk9z9D8wNaz8Og\ni9FQUIBGMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgG7G/siF7mVgqcraWOWWM8ry54/VFr0ZThcqzaxJY\no+8CIF/7a8zUIQZYzemuKfjQyEgxToL7KPiXpjSLBY8avidT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQJwFZCEHEps3QcaVcPP7mtzOTy4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsH7K5plQE0xDhukENo7sSNL9KL1wHesKvqjJ5\nDwLX4LRyycVeZQ0+ryfLY7wg+PDZ557HYzjgG2g/Ff7a8Eobo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfEIQnLwVW/sNZBEhrF7Dm0mMq7YwCgYIKoZIzj0EAwIDRwAwRAIg\nBYK/sqz50VHlhLfab9+vXQPmWXK/dAuOyLVd1658m2wCIGqhzJ24tHhzCkAGjWMo\ny7vVqwysmt0Ri01yHpnHFlAP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM+y69b3fdtrOOFoviKq/9EgSOicwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAifka3bBMHScPqJydlJOpS+MmFFBuv55UhTXR\nmSd+Jk2+/v5xkJo+aVxI3JB9EM3NaCe9qxCzITAAeVL8jyOdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLsxFWAf1m1xqhmUQLs+MqHEBewwCgYIKoZIzj0EAwIDRwAwRAIg\nNBSexkBEKvGvkFKRCOWWg9iHJwWwYaPMuu7Xjid+8kgCIByYjDJhm7RJztSJNq0W\nNDHRkmwHPh4ClUWUXtijCe2e\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1zCCAXygAwIBAgIUKKTa1HzEf9BZ61O+Ckay6JIHb90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJnx8MHBqGimpXXzUOe0zdff6JX8xjIodaSmRzwAZ\ndaUCc3+17TKEFB0w7Zzyr/mIMZyiSPo/phJ3lzqQl8nd+KOBnzCBnDAdBgNVHQ4E\nFgQUwhi87zsXwKom+ktn5qFwIB8moBIwHwYDVR0jBBgwFoAUfEIQnLwVW/sNZBEh\nrF7Dm0mMq7YwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA8TDPbRB8Cbl9IXiHjxHAzipQwjqkkoYL\nuzICAC+FuIYCIQDZwRK6Hk77KX1LSqVWd1Zo5ZYizWyjOpyJdhDDTDiTCA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXqgAwIBAgIUc0h5+iMmgp9jg0nNWxV2W4PcGaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTn95DsY5aaUQFT40kvcTHWJ2Wp/K9QJEXm4a3zuZYI\n/VDW5FHX4L/u/YqW7XvBCSeN3Ku2r1ztY97gaGUEODCjgZ8wgZwwHQYDVR0OBBYE\nFG+MStkoOIdj78RQ9802oR+R++XaMB8GA1UdIwQYMBaAFBy7MRVgH9ZtcaoZlEC7\nPjKhxAXsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDSQAwRgIhAK7QWfLveaF1SyQePheoAs8FeBzbw6EIuZ7P\nEMXPzuctAiEA4oTStT1Ax9ZgIlebTz+P+TjWAjKmfxeYPNc9AURXGP4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbB4tyTsOtYywha04jq7acZn0RecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDSzzzVeW0IdbyRegkd9FruSVPbfBo+z930GF5\ncq8F8TpjD2dR6AaeO4UetIooL/QQWXpIOypxETbgZqTbU+bvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4Kt1Ki00EAsAHchUyvELsVr9uikwCgYIKoZIzj0EAwIDSAAwRQIh\nAP3MpSpT3FkCAaUpSXZBBA67HcMacPZMq6mQzPBGdmQHAiBsU/bW8epJsMWxMgli\nIMaxIpjL+RU7qQzGq5UBHxYE0Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ++JSjA37E1KeK6vccF+0aV9Sb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq0gNnHvWfjGVEmmRuANz4Fbl3wu/XWFKYi7ve\nT1PtJCfpszhuS6opfiLbLLZAHQErWFDgeQTgblDC3CkHGCODo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg0/893pkbkEIk5ly3QpAGoqyfgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAJdhc8s0R8hg14sGnyf+dOEs7XYAcxviwKdEmMUNoZdHAiBP+ensSneLUr27sPcB\nrqUOP2x6mRQrGkwK50vTAfjmvA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUBj4Hteni3z53sFKu1te40/pZceAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIJPwcXs/\nlWIbJCLVO1NQNIeiDqwfQvUlmnwa01iDx/EjHJgBv806OZf7CWGDob9LqZ26AQcs\nGVpwR+d9kCLyoaNyMHAwHQYDVR0OBBYEFNw80oeyO4+IG3+i1mbrLJCwQWc6MB8G\nA1UdIwQYMBaAFOCrdSotNBALAB3IVMrxC7Fa/bopMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQCuPkGDWB+xO/4KPBOGuQfUYWExFFF095kMVL148ELQxwIhAJ+eAe8imlfud3+/\ni9kpn8vqh1ByJLkAhi/yHnbwVVqk\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUMxr4+2bBPpKuK6yhFQi5xGa8UzkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBbcPBP4h\nTwmtqSVGMyqqhQAFTz/RNpo80G9v3obqgotYg9GwDpK5YAS2X0/e6HYXqAKLTZGf\n3bNLqgYoeNCF/6NyMHAwHQYDVR0OBBYEFLBMgTi6kdFxty4E8TswFwg3gwvjMB8G\nA1UdIwQYMBaAFINP/Pd6ZG5BCJOZct0KQBqKsn4CMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQCVbCRR/KdBQtiekL8hT1pfv6gtvRMKS8/laWp4F4FWSwIhAM2OMsetHm9dazUM\nPQNpHsTLBFtXW7/4yHwkeVnTp+QY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaLmVxLb40TUnmzAium8ATjMnG0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhpiIIIF1TQzIfq7V0N7muZWReVpr7bw4x+NdP\nZplCAI7cYaPY+VlDqkqM9dce0U3fIrriPukMmu8d1xBQrNs7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUH4U18vfVx/Sii9RdiF2xDlkfwUIwCgYIKoZIzj0EAwIDSQAwRgIh\nAKE75NG6wWJw/xm8/V0J0xwXKGnnE6UJ/wko5z349UrOAiEAtEilS9d2BBSXLLrX\nwIB0ewMpaYaPzhGBzTECVHhsDoE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXdwl1IxMYGnxDWf849LYDyoVVPcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/M8BoKG3V69DFtFCUgiucOhgVTjxFLUwUm8yR\nMUEuNbT1RoddCFW0yjVIH7uB8lQRKNm5aXFktsD5AlFDaiBFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsIM657MEuKsuxwQfYD2nDqsmncEwCgYIKoZIzj0EAwIDSQAwRgIh\nAPUqcAAkrV9nOpJ1sST1Z4LrjoJX1A5uXQZ8WzRHP5tWAiEA/reOfuZWiYIy2NCc\n46f2wKMq1guJ6DsgD8nS8h2zdcI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIXALdIpF88+JgstJMMrxY3/cAhGH5PlPAwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEkMKD7TCzLslqKMHuE/9AFgjTu9nKKFec92sD\nlP3q78t5hrMxxjIkY5k/C/ZcVWD/CSs5VtDnLuXfzZdT9MngAqNyMHAwHQYDVR0O\nBBYEFIXGBpmoDKX20+/9eRU8JUTgjuhuMB8GA1UdIwQYMBaAFB+FNfL31cf0oovU\nXYhdsQ5ZH8FCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH/kMgVkfMPWAo8PnTU5USEWxdVC\n/53dwOvNn6wmd6RhAiBRrtgcOgIqIbvgLhFNxL2swL0uwvRqHyJf1uYrGUh82Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWAddUrZmkQcqAwFMvI9MS2Ov+ZBie8DAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEjZwZCrHINRvmbQHyz4VlUlkuqEtOXeF+wRDZBOKO\nPy+uLwZ+7/0k14ap59xOi22BQ990YyRBRA95h5IpkXS8taNyMHAwHQYDVR0OBBYE\nFJpwdygmqeVHFu+uzVrEnm4phrFhMB8GA1UdIwQYMBaAFLCDOuezBLirLscEH2A9\npw6rJp3BMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDnp6aO8WA/wIshcPYEeZIG3ZAGb8M+\nSYs0CP+unwDvyQIgJU3t0rq2Xz0qPIqElN2FIGPxOikxTU49JTERCj4/Ia4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVuFxalLQdRYq2Xm70ynJMtnDc5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+QoQ1gavLPcIQnv9BTfKxYz+xDn5f89xpNqkW\nftuFB0cdhXP5DZ+UtkLfrEvQDXuMdhC9A+u/NEXVbrgN+6bxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCgYIKoZIzj0EAwIDRwAwRAIg\nW4MJgKbLsDidqpIFXKVUolAziU7zaNTOB3EzMiFNMw0CIFjEh4VaLF5GltRw/dkv\n31jQ54SSSt8osXt9L7h0yhtY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAtd3V8rK4hLKT9fu1419AZKpF9swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQwqkscK8C0q/o3mIPIewHcEZhhngSWV3gP023\ndFbzPphH3lMEaoNZKV9UJx37OsQ0hcJCqSpIfBoVyDnnhqMio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEZUiodRGIYcCj2jMnjH2RTQEkwEwCgYIKoZIzj0EAwIDRwAwRAIg\nZVfge06JAcN1d3dgQttU+shEj7WK9Em370NB1bitIgICIFPELEFrs89R08Q7LkgC\noHfsQjLkKM2QBu6cP8Udm010\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATugAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATi\nmVdieALrrbL0Vm5XlwseAAip4o3Aefau4tcL6BowGfNmNEjcaPDdF4AMP3oYt+uS\nAn/y5HTw3V3MXa20s2buo3IwcDAdBgNVHQ4EFgQUbXaFfYLenG2cI8kVW5gfBt7p\nAsIwHwYDVR0jBBgwFoAUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMObSATfxBkr3elONK/ijtczmZo0vDUEWcMYSi+HBO9oAiEAj8bgVl8J\nqUi2MerrdyQbIHgJCjTLyS/zK2xAcQtmgg0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ948\nXOxCSNYOHPdc/KJSWlXG52K2/DM9fFM/W0wDmrVl8YOmYpHPHj+0WGvbv2XOPf6F\nMmo+r6UFRz0cEz8daqNyMHAwHQYDVR0OBBYEFPDJkejCxNBRgDIrR+RjI2QItl9V\nMB8GA1UdIwQYMBaAFBGVIqHURiGHAo9ozJ4x9kU0BJMBMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID1zIQhJZ75uR8YJ0+L9T351DE1HLm6XtTe/2IHjYY81AiEA4qefu+feTvcO\nXSVjqV+umkkaPQu/G5bd+Utk9F/lkK4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1220,10 +1220,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQF1v/9dcX8xvz9stIt3pvBDlONgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARusl54v3aQdaEwpTOVgiWboWUZKKxDWm8owfao\nZguLac24AJQBND7LYyFSLYgxQs9Y6g6/QV9vKdgSzeW7rc1eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYcNwnh1/TyreGDT2uXaPU53iUNQwCgYIKoZIzj0EAwIDSAAwRQIh\nAIR0+osEiOwkZ51FXBO4AkQvqvoTYwLWsj+/Ep4n8DKLAiBSzgvnJLthTz5odLh3\nAHfiq+PYCG9OKEuXKEkPeyq5SQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMIVjNgU7dmYFxwqu3FLJSLJT0howCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQKIfdkSyMlheRPM7P2ovNbV6dBy9y140InUZI\nkCrMlL9Ku+plB0BNzyOGXP10TdpeN0woIkEGW9ngx3o0hU37o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZqgJIKZMSTv/g//k+9zdmQwC5UgwCgYIKoZIzj0EAwIDSAAwRQIh\nAJeSMVbHxanP45bcOav9CgBFJ36uUEZo2SeZ7RiQ5eLgAiBlapduWOtRyQj2oWBy\nSdujgfkncDgvOL0BhxnqCI6+2Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUL0rDGUHPUNAaKAjtSByazhtWAIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpFULyqYONxu/akgs/5YAVa1qKYp+6PhNSrOmHcu8\npHNX1xJ8LKNt+t25EBFRZpfIEJq52+ep4doa2EAnsdHHJqNyMHAwHQYDVR0OBBYE\nFAQQZDMIa/SCHDetvjRVr3cmvJxVMB8GA1UdIwQYMBaAFGHDcJ4df08q3hg09rl2\nj1Od4lDUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBn1LqvF/ZsN7FYXEVoHXxypPbjAAqO0\nDV+UerXlnhGQAiEA6mmF7ZigZHH8LOdlwFSMhsJD2bBBzADsLOWZWa6TRNo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUBRmbmhf78g8U1LvqXzAq599ikrUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP9csw+i+5W1klB+w12Lv7TdqzTdXAo3TYbKpVHVGpbw\niR8aTvGbC+vLWMZ6tDcJyx1D6aeNF2TFF4a5SX/A+16jcjBwMB0GA1UdDgQWBBRU\nWY+qviX739xc2T9/LkaS48T6nDAfBgNVHSMEGDAWgBRmqAkgpkxJO/+D/+T73N2Z\nDALlSDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+8hmobA5lVgg6jW83ih6nOvRM+/6Fbk/\nrtDyNHUtRu8CIFU9Vnq/MgA+JxF5TBF89jGxEzEU4nyyakM+fbhcCf4g\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1241,10 +1241,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVk2TYUXDnv7FTcqN7aH2ELWIvfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfVOPb8CBNIcq3oozwu4fDHST1lOi04FWRxBSF\nj3hSr4E23UEzqxbK1rEmeyLXxPGKNjVlbh3N1HGCHTv0MhX6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYp+BthW59hhoO2BBmz/J1EitxhAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMEVuDPTzUKTjcc2NcWWpelskeeo/B+0NGSFyUezpSMGAiAbj6pSPDo/loG0bbvr\ntu/O3qJmVCV4pgws1S2FHhbfJA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXzwppqXPqNCJdnwoWC+NpI4WA4wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpVKyaVIXxJYycjnm2Wb8t6OJfUyfofq7gZdew\nEPIYfvqt1DryePLs27tHGdJhCrqB7y39H9mWl+uPKrJOj64Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFdqQeOTfVS1OYf6mBn9k23Hw2WwwCgYIKoZIzj0EAwIDRwAwRAIg\nY9Y1lm1ryD817ZJmmzEGN6mdwHvrp6lkhQxP1m0ujaUCIA4yDwJxBdh/Amx8BO92\nprHot6b4Oc3WO/ggx2yU0/0t\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWGGaottBxPRT+HlBs6uEgzxZlAowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4Xi1GxPLGHlegfSBx7aa3Oxwv4YLH8NMU3FZhCgc\nSk+9/5XLl6tm3mZqLHIyjeXS7UllCAtDqN5tuR31zvBHVqNyMHAwHQYDVR0OBBYE\nFBKfjixw9UZXouh/H77u3NF5/Sw8MB8GA1UdIwQYMBaAFGKfgbYVufYYaDtgQZs/\nydRIrcYQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLWD/Et3eWB7dAGDK/sizTrIY4E+WB\ni5hTKC5k0mEW5QIgWZERsKsBp2y9NQhnR5rCaHmzPZBBjEcVt0AJEV3uS30=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUfocQbUDFIqN5HIA7T8En9AUleGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLF6xAR7RgpzhM3Fx/jmRZESg9AVeqV9kl+aumblvtNB\nmPa7TqVlmLKGZDgQVc4ahK4jLiJlOSEzjmJK3irS6lWjcjBwMB0GA1UdDgQWBBTU\n+PDHAZJrBWPn9JmMgxLp/i1/LDAfBgNVHSMEGDAWgBQV2pB45N9VLU5h/qYGf2Tb\ncfDZbDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuuXHCCK4CvVonK42jE833EGEH9gb4gVh\n1z22OsoF6EECIQD7zuoqOKzZRzd0qiSPBepXXZDrIoJMAuGI5d0rVOBurw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1262,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAaAgspevIuW8hv6h486BK13gLaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRbSvodDHpJHp9g34G5hQYfTe9XLTVCMAqG8RH\nZFzFb9lGADOs0xze91DeIqE0B8NMRNceb2Qgm73IFKfrl+6Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmPh4DCXyrIFEm/tpwoR7SKtMpbYwCgYIKoZIzj0EAwIDSAAwRQIg\nPcMH2DpVllH9Hk3uyqrnDIgTL4GKqEChkuwOmpueZwACIQCVqHxdd2/u1UWH3rXr\nUPbMJsU7upGObY3qG9S8ohVkRQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUD63Uz+sOxBqNBiOKRmsMMsnT2WYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxCu/jjXcQofBdMVmr3dwUe4E7F4Dwfppl3FwP\nyAnZ5m1ZOG4GaGIDtC7hDseCZhE08R4xlxxfh5qIKiYymvaZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOCVh8dgGLwUd4mEBMupYONUSN3IwCgYIKoZIzj0EAwIDRwAwRAIg\nNBLRBrp0SowSSVs+dCozp3rv0A4oIuyPmhquHhY0Yo4CIHcOjJTQz95UGY6EI9GZ\nclWFt9NJdE0Vmvnum5YgTKN8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUK3DdE4PKVOori041Ps5K6K1gCAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZmuQeRnVLLgdbvnCDKFmhb33FwS/s5V+KHUxpIR7\nCcuD/Pp2+MtaQ3FaY+2utv+k1ZAPSqHtkxziNLt5lOGaqqN2MHQwHQYDVR0OBBYE\nFDqouf5JXFbRePg6aIGrbCQo/fpAMB8GA1UdIwQYMBaAFJj4eAwl8qyBRJv7acKE\ne0irTKW2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA7qkRePp90y+87T24+IhYwElN\nofbh3rrAjj+FoePkW0wCIQDa5Or43N/QYkpw6QQ8A2diAncEifkbkgLaZjhRACOq\niQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUA+x0qV/vv9pjo/VHIc4ZmAoEWmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMUPOyXyFHeqilvocAOE8baxrZyZWrBTooVAkPmfofA8\naImlbA1y1OoWPKdZOIzmMEw9qJh+Q+95ABnnQhpEAxijdjB0MB0GA1UdDgQWBBTa\nG8EFe2G8XjsZfXlvlbFFzroo6TAfBgNVHSMEGDAWgBQ4JWHx2AYvBR3iYQEy6lg4\n1RI3cjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJGv/kUfTghjAblbsi6/EKMPIq9k\nQ1BKjvBZIdCwRPUgAiEAvLA5+UOSDqaPU5Ke4k8QXnWjIDE0VX+YGxsTQl5U31U=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1283,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQicRDY+pUvMPDkGXTTD1T4bJ35MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/wImXzXKF3t3C7AFl2YDBxW5Y0O9oquz/KnDM\n9ahB/tTdIhLLQ29X4v8lPKD85h96Tl8Lnbuk2rdMVA3CKp+No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuIriSz+LZ1+SSTVEHyOAFYm0VMIwCgYIKoZIzj0EAwIDSAAwRQIg\nWVVG4esXBXJb6Y4lAtpXeQy83prf8DEJASw8lo2cj5UCIQCTNFyJHS7F9iVjP2V5\nGtv7DsrvDccjKm39yxNsi8rBmg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfVObq9C/Ontpyp+Xi/s6y0QDxk0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVcfmUIKJdg9qb/RTYBRxsJYpzZxmC1CPB8mwm\n6oUwcgA0fzjGxjWbPDVnbNCDy2ubW/p2LrKtF8je5ICvLTRjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfBAvaITZ5awyotnl2mRB9yU8/sQwCgYIKoZIzj0EAwIDRwAwRAIg\nCJG8fRgj8igF7Z7/3x9EaTRhDhlStBCDqjrBMvGVZtYCIGFbNYz9eDZITbuAw3+Z\nB0pZSQCqhQ7P8lUTaDW6Ka5m\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUcDlGwevs52Tkj8U1JbWvbExaBpUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1EgmZugwqVBB3ikUOmEinlXgTp3akyMJD9Z3j204\ng3Caabx5A7YtfplfqPX9zECpWjSAl6+OleDR/DXKHmhX2qNyMHAwHQYDVR0OBBYE\nFLhM9YZ9s2fNgihbAUkYL8//ON5FMB8GA1UdIwQYMBaAFLiK4ks/i2dfkkk1RB8j\ngBWJtFTCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCyCJtv+HY+j+BiSjtdH0a9XcOcbRBk\n1w/ndnfP2QOrqQIhAIW2/eCXRrXGY3znbhnsMSXpgUHBzhve+liNREoaXhHw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUT08X9XPcNuTHSabGwxLFXzyIOSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCnwjG4JcfKU2SPBeNyRJyvI8vh8WHiwPCx8vPOR46mW\njx3Gojo6NBZXWHklnjd7EtP8Or0MEo0dX40kbZjxzRejcjBwMB0GA1UdDgQWBBRy\nG3i4OBDQOsxrpwu+x2TlYGa2PTAfBgNVHSMEGDAWgBR8EC9ohNnlrDKi2eXaZEH3\nJTz+xDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBRohIlQQjfsaC4m7qQWj9cfNlX71BDYXjH\nvJW5XqW+qwIgSxko1AMHI1Wd6ksfzrgcQjCX7P44mT5NVtJp6xow9A4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1304,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAUNhcRiwqR71HVb0m2ZIodbh7YowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2Hv7qbRBLaQudOhlnnMev5FE1LhmE42uHVTKF\nSjsV11nQpK1vjylQhEsHfKCoHJ05fReYu9BwLlD1UbpTAKAPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAhD+B0Er8WE84nI2Ot2NOadY2vcwCgYIKoZIzj0EAwIDSQAwRgIh\nAMgEuvfkMBWpTmgVuFGUl01nE97trThxV2sGlWU4QDS0AiEA6J3MmZZlibvb7oL3\nBMiuLifI7Kdbb78DdRqtRILt6KI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdO+CKUSf4BoDKcd8NPbu0306poswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2fXVZCIF64bWHm/TyBxnxOZ0P505UNZ38D4t3\npfqTbZVl4wntpDMgmXCsKFE6G2LD1jZ+fnQ0Y25vp+m6arl0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVd8pKxOgbPrjtLj+XoGXonn7RDYwCgYIKoZIzj0EAwIDSQAwRgIh\nAM+E3p4XpXN1c1Gag01ynF2oRVa56wxkhIG2dL0JFwQtAiEAinByUtpxfagE9EnH\n3qdd3Tw0si/Kxl2vQ5X/3J59rj4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUcKY76Hz72Y/I0h837dLrHmUEGkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4nBIJvYnZCb3xWagkffmLbvmdqluPCSmHofqRk8L\njkSNftXmhMVePycESKqzIztukZtTiv6y23XWt4WHbWVwAKN2MHQwHQYDVR0OBBYE\nFPegbXRAjCle/oStuxK7jof8dsk+MB8GA1UdIwQYMBaAFAIQ/gdBK/FhPOJyNjrd\njTmnWNr3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAvBTj+EIrF+OKzNT78HEJ5V1T\nZ6H2x1Hkbjm5bE1WD3ECIQDSVRA1u6eqw0/2kPG3J+taFrqjvgiDHAWFPJRzupe4\new==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUaRfQ1xPZU0gsCPb2IaPRGmF6nMYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGPff53wTqaLQVJqeK9tbVSiJkj9ds9kUHW5sPnZaDiC\nwt8dJ97XssTf9KCvgX4BklI4+mLQRuUyG028975VpaGjdjB0MB0GA1UdDgQWBBQz\nlZ/IM/Kkig8I+M5zdwCqb+TnUjAfBgNVHSMEGDAWgBRV3ykrE6Bs+uO0uP5egZei\neftENjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaBUD2gX4y/57almwKh4U4uTB8ilD\nnqb08+QehSV5DyMCICUTq94LH0S/ftRRA4TqmdM+UoduoosQNc0kAVfw9Uo2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1327,10 +1327,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVgYTxqbCylvAthB1HkxJkmz4GjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrUSciHP1ClYowVKHnYfNANo9R1ETdhT2jQLTs\nXjERbxYdqiYejs7fimYwTssUNnP25QnVtKbzu3mas4cDaBPlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU84EEFINdgyFPabgSPUmhGvCyTdEwCgYIKoZIzj0EAwIDSAAwRQIg\nYlgIogX2rgXxJmHpghUZxCvCu4DziVubR4jiUhRl1VECIQDgyfwq0F0nwPDijgfh\neHqdH0584XcQLPMc43arXpQTEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcU6M7IRmAr2eKsonGwMfRz4uuRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfzaTP+bfY6d1GhWJMwNPqiDXZxO0uqLkJgtyw\nKfvHc23i9sOHed6yKxdGS4seSkL53sTdxIC1faOr4Z9kceUAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP6KHzIifWbaHwBP1bzsAc0a3kwowCgYIKoZIzj0EAwIDSAAwRQIh\nAL3S5s6Oyn69jUs2P4QDV32o6aHehIlQZ4YtYo9bElw/AiBHkZG21ItHVHCz0Xbj\nFAFqnRw8PdbGf7dSBMPBd80rkQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUigAwIBAgIUT7WlbnpeXo8Owhj9fl+zbVCVDxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE79U2OH+K5Re9m/izsr8u+fZxZnFtNu/FnVCPTgOh\nlP5tqOn5D76JbKKWCFNBvGuA912xl6a8x6cwZC5bUssgDqNsMGowHQYDVR0OBBYE\nFHWi/fQ9ViUKlp98NaJfMronjujtMB8GA1UdIwQYMBaAFPOBBBSDXYMhT2m4Ej1J\noRrwsk3RMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0kAMEYCIQDKLna+ApmXR4lvJXXcYjDh9iOnH7/9ucMQcOrT\nUjZ+PAIhAIMMBa7ao+XyDZIHbpVnHfEM5VO881Q5KFlanIzYN1V9\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUZQFL2zM1D13rnEzlIV/nWYlaoeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHATvzvUZT0mHsn8pBkifa+JZLqp8dEMXGpbW+N8hQjm\njVzpDWxuJK1Lahsavn6ozZ6w63WTS53DcfErY3fh1n6jbDBqMB0GA1UdDgQWBBQX\nolXMTL5DPcbohISmQ4G1XLkMTjAfBgNVHSMEGDAWgBQ/oofMiJ9ZtofAE/VvOwBz\nRreTCjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBJuhfqU4ihnGWI0aS7D+RhOFLp++YC0JA7Vh/D8RMC\nNwIgCD1RTJBdld4WHOMk2fK5++APDaY0oZynAXeaY1k2tDc=\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1348,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOo1m+qD4vhjoZaV/t8rKQUWT1lUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq2I8ES6Rwzzn/oTyOb7bdkwH6Bym59N6Bs0zz\nUYR7SftTMx3SsvZb/2rDDYhzAu1INWFoCU0rWAS5zWK11iuqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjk1wTOIdEdvqts+RXGuqYrksXRswCgYIKoZIzj0EAwIDRwAwRAIg\nNOFmQtXZnMil5AWIwpXLJvXTTt9o5lwlHAmpb/x0WJ4CIHZqw5b4cHB/FBnj0mzG\nyUufLoCXCyeCed6rTKo9oGRD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJYNHx3jhjVzSdV668Uc/OpeSaKUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXBFksmabsyWd3SbTGr135QaWb2zwywVIzUYcU\nNpytnjTqTfMaHBEBtwz6s7AfBk7/TzoyKgpCDBY9mIKAGzpto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy4e8fa72vP9VH4YxmXzGz8VS3bkwCgYIKoZIzj0EAwIDRwAwRAIg\nBwea16w/sUduzd7/i3mVis6y5vH7L+xj95lDNjpSaawCIHSF8axfwoMe0dzqR4pr\nIh7jMtBpSWzvDf0d4TMVmr2v\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUULhgX88BbwTVXs77VEhmIeQzV+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAET/1sDVvq011MLgzrzUwts5R398/lZZ2J1s5uflHJ\nkuchnCzDEwhcNhDbTQGUFo4vtA1pIZWb/Xqhb/LijUwAO6N0MHIwHQYDVR0OBBYE\nFIOQDq9awa/17pU9oXzb5zvyXktpMB8GA1UdIwQYMBaAFI5NcEziHRHb6rbPkVxr\nqmK5LF0bMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgOYqIlwJ/Hh9kI1e/0/kjexcAYHzA\ncLzznpD3xK3scRcCIBdEQVh+OPRWUHtupeN3Fe4mi3LdmVjQ5fxYac2v5A/2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUYDhhq7urGug9EbSxDbrEXH0u0gMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGZ+pY8ysYPN7ORCXNpRo73ItpttC+3SeUYJl5sxOVGl\nkyorHBa9PSawAoKG/y6KXck/NHHGyT5kMe/lrxA05FWjdDByMB0GA1UdDgQWBBRq\nPeFopa2vw5NPs8MDDysgu/rEhjAfBgNVHSMEGDAWgBTLh7x9rva8/1UfhjGZfMbP\nxVLduTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDDYLt8FODr39xwmnzvhHK6RwWuJykN1\nCdf8WgKLemJ3AiBRz+aRGU/f3pBX6eSDJhvm8nMg08Oa1HuaHT4vkfmEXg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSSdRAIQZIrXhYWsM4pTGcNifwUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+w7B096Qlaz1n1T/HwmxOZ9k53liC9RxphOsv\nV6hIPWxbFiyx4L24C8+51/P2ueLu1J+4BeN+TijTHKF/7wqoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUemLU5cZxiorxF137kMYZ0aS9WTwwCgYIKoZIzj0EAwIDSQAwRgIh\nALralzEceIg5pN6Flohh76l3zVLvE35HwtLeFxVX9QWuAiEAhQutC8vW38HtxT/8\nz1JSEwbsz+PiN4pgUBJDjScnNIc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJl2R6II4zLHQsvbsxf8GcqguC1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvJzdkZLLBS8FfnFIvIlbGg6Tnso452+JPDsTi\noV9dQ5voH1XISWxqaxukKCVV3SF0lsm+Nbui8Xb+OCwtetbvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlPYasgGV+0FeoZ37fbPMRiyB1QkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIjvnbgTJ7wSXcp2Iy4DndVcYJt78aJZOEBJeSP+3ujQAiAz6iOpHnRsVWx2ld89\n4etcp0G39FVY2uWP1uMQuvDYoQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUCtUSA5y3+LFOyrZAnSzmAhtqLdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqgREOVYbBNXcTfsZNq2e3s1Q2Y9b7LlGEcEl+TdT\nRKuVJAGI7nnQeSjdPyhx+fioa1K4YB0aYPfTkBWgBqse+qN2MHQwHQYDVR0OBBYE\nFJlTqMX/RFV6vjzzB8kU8pKymRoRMB8GA1UdIwQYMBaAFHpi1OXGcYqK8Rdd+5DG\nGdGkvVk8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzG0Iw8s1n10OJmPc/tQlQ1EE\n5CoaTgyFjuVkxYapXusCIQC12NGDZDUBOKtcHqPIQAvTM1AQY5eoClrvHVNbCaOR\nvw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUWZuQgShD+L8HEsIb3S6nDdKIqiUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHAvm4u35D6I4SeLYRSojXBTbm8ZAXl4s3gof9YjFgoM\nBd5P5WRueYTNlooxzf7gktphZTskzfoAO4cF4AsRnGejdjB0MB0GA1UdDgQWBBSg\nYJ2ZOzjJQYaTlUfEPN9K7RKz3DAfBgNVHSMEGDAWgBSU9hqyAZX7QV6hnft9s8xG\nLIHVCTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAK932bzhtuL8hCAUkUSjBZCMOXtj\nUn9952HKpagvo7+rAiEA9ee3OyQsGlqIK0dYyK4SIajJXLePfMICQJGz0XrNLm8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUa9v4mlUtNK/jY77ffRC+aO7534swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKfEPit77/5P/gC0DNPiQV53SuJgnT8ijXHcKJ\nIbfVUm+/41Id76vv2AMPn4Pmsuf5yL0SQgZOFwRjWlaxxoDko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0pm/4M9yK4fsbLgwCrB8b67Mez8wCgYIKoZIzj0EAwIDSAAwRQIg\nBcv53Mg5nxVofa1Cw5C0rNbyk2ugUMTA2HwBiByXEpYCIQC1b8fyXGHhFIUDt4Oq\noTM3jfpd69Bh5prYcL0tzwtAgA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN/GuPp5Siomn62KjlCLZKuJVrFMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWuWKAHCa2yyNm+Jz/mU6Bg7lfgTu8/Wm3pe6m\nhsL8T+r4BYB1NyxPsl0EbpWuOVwB0yFy81lhOoaew4oW0k40o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKZzPczC9n23coaBYZI38Is/qNR4wCgYIKoZIzj0EAwIDRwAwRAIg\nVFh917wUizKVWorVfFYqHwFxnBexAZf8c92qA9pMnVsCIDqIOFYvrkob//Uwj2pw\n9daGXrnS14h/bfdRjykILio3\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUblLB+ZgGPUPXRWtBTVXngzXesREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEycXIMa9HG/LDCh5nRjVHv2CYUKnqt8Mry9XHoIoX\niQPE9l/Lpfta4CUC9+KwgmCUAoTazLFU5yn4x/QfUIR/ZKN4MHYwHQYDVR0OBBYE\nFGsH0WyIwQtgkTcopTJCaH/+nhHYMB8GA1UdIwQYMBaAFNKZv+DPciuH7Gy4MAqw\nfG+uzHs/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBEaAyYnEkYH19QXDAU5K+lb\nOfz7UHnnqDnNwsJXBvAEAiBGxstkTCaKhrAdBg/aDOOgQkZTrXvcda1DBxknTP6I\nGQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUTQdPw9I2PdNUP2aT+YI7qMKbgs4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCT+mpa5y8KERbay308yH52LkMu8lN8yjXaB8IiuNQLm\n//Lze/tdUF/yr26MVSDoB/GO+KW3WgeHAR+ml+TpyuqjeDB2MB0GA1UdDgQWBBRE\nM9bqm+doQZ4hZXBpZsyyJVZ/MDAfBgNVHSMEGDAWgBQpnM9zML2fbdyhoFhkjfwi\nz+o1HjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBANGDoRukDeYYYSEqPHd2/fsuN\nys1pnTM1vCfTzZzPPwIgBgwI1Tozw8euDw3U0R0zCgvnWNIxfTDV6qXwc2AZoS0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQLsEFKsY55i0NkQZ6P/KrjBYAtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKDcAMCS/HrAUewTgP9F021XF/s3oZVV+ee1nt\nz42pYuK/5KR46Qg7ZXED6B5XXJ5pkzZrFQnT454gmK0xyuySo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzyYwYmszcHEAJVBD1+r07juqXgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAKfqihzYjNG6gmrf+IVq5qDZG5Ij4B/EvAkX06vYCijnAiBLZ2ipzFzjL1WjzW78\n+zHpom2pKXkBC7NflF8h4SyUuQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfw4Oft1dZvwk1u0VhMbIjXxUGcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARe5q06eYCJix8SuXogLLHGkJ39fek4WgD6LcHv\nX6y3yvpEFCHTEqGFv5jBah0wuuRsp/pg0V19UUhKhfRZzZAjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBOfgmzy9nIYUiGsZ7Iai/ljF4bkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJWIIPbyejy+4yaFxi5CnhtL0W1OEK1oWbtQtPXeVFppAiAQlG90nxiFE99mFh6k\nXK57CIF3QQ4dWzquVjLCuM+29Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUBy/ZFXxcDIpCu0uDnmcxCKqsFrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfAb04D65gUpdzyijRCCzpB0VPlSqQAVHcunGHJQu\nsn2TU2veu1HNtxPCNC7B0Kyj2aCAnmG6v3BJZMiuKRq14aN0MHIwHQYDVR0OBBYE\nFPxstF7ezMRsbiltnn7Upke4D3hAMB8GA1UdIwQYMBaAFM8mMGJrM3BxACVQQ9fq\n9O47ql4CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKQhlCAIq5loGHD7ZG5Z1jMHzocLr\nIB5INV2iDfP4Xk8CIHcI170Hk/1nmQEIl9p8t36kqCMiL7xGYfuBxRWYs0w5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgITRa51UN1APHUQl7Yyde5tqowVbDAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEbh3yXV/K1wSnXiAvFxoLK4wlfMfTY+36DtzkKWVMukxz\nNltUazpNcYm2PuAQm6qzv1vl2DP8WkJ9peAQ+t+VjaN0MHIwHQYDVR0OBBYEFAw9\n2Gy0hb1pAohiDiDA1IFyoeV5MB8GA1UdIwQYMBaAFATn4Js8vZyGFIhrGeyGov5Y\nxeG5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcpkQ0KOpZKkTIdoWUqvIKqGC3057cApf\np0Xqf4uDxscCIBORGisFEFvavF3bt2Zb/DlwWli5L+/T2NCV/6HBsKc7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKb876o2LgRFJv1Hy1WPC6PD1ctUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjO/lSNt+RMda+4u9lYGCKghU4GGjpegkv0O3N\nm62yv88dzA1BBd8PRZNsvsMKWNMm069R6ihf5KsBcmIEdB+3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4QnxsoG7w9WXvgBbvXcWGr6BOhwwCgYIKoZIzj0EAwIDSAAwRQIh\nALyk0Ar96LahOeZUxI070kZzC5rAg29kxH8HTW6DfXNhAiBgJ3olGsMwxfS/M6EV\nDNfjvQ1eBcZOptycMuPAJ54VyA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK0aSf+jfPUBXx4+unbis72J3toowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBWNJXsCQ/w1o+r/MV6V4sEaCHuV9kNs1mkj9v\nkkWHsC72TT94ZUWvdIxmKThOfNhfCq85ykuKZ31dgEIiU4DBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOy1LWqUcGTHjCTYagMSFFMlCkjwwCgYIKoZIzj0EAwIDSAAwRQIh\nAP+8owtHk591PSZnzPE6h2/g6gQ84N0YnFS1jisbLWT6AiASF9T2W1qFBIEkjdpd\npNPYT2ProBRaSI/p/DKdF5YA3Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUCVwh8jTljDlA0qyls9I/pXl3FHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETNi/VXFB+hc2tjF0oNoWsKdVe57l4q+zKF0W/e9U\n81kkWoT8XCw1Z3yFgddUChc0twzM4OlOoVnlv4NSNM30VqOBgTB/MB0GA1UdDgQW\nBBQ7GXlxF67HXSlEMxsyoOv7spU93DAfBgNVHSMEGDAWgBThCfGygbvD1Ze+AFu9\ndxYavoE6HDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBEs+paNl2b\n7e08d4YqRv/yP/tKwLov78oQGfcZ8/W2ZwIhAIfcycFVEAsW7zTQzySjhXZDy78R\nUzLLLA0c5p1u6vY0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUTKpE10rhRez5DHFjXQOd+ANSEDEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPzNFr69V2wWF4d5nGeAleOMEIAVsWKhNTF9t0lwtpWp\nlSrLUuv0b752QYERjGhmmgWe5tN/RWp7OzAvs3G1DmajgYEwfzAdBgNVHQ4EFgQU\nRD0NcLE+lJO9CbTI95lQDXosgmUwHwYDVR0jBBgwFoAUOy1LWqUcGTHjCTYagMSF\nFMlCkjwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKYKthGP9wO2\nXkf2nNOG+e9MQV6XtfARzo5BYZyzItSCAiB9hMOfE92JxZ1Cew5lhSX+3emoWuKd\neIxe3R0ou1Tnew==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOEDt1GFzsyJDkGxXL3gBaqixGK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3iFuKmSPqgmzDn5R5ESMsqNnRnf1iNNZEGBlW\n2Vg2dnyBN8ZVPHIZKihlHiJya6BcU0Q3mOkfgX6HxKBtXS/do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4b85cCQxlrpjwL86m7k2EHK4A7MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKM3YTl02q5eg8HKiM2H+SRvJHMNpUxln45V++vndJdQAiEA6BVMooOCWj2tyF67\n7zZZj1bD0gwJ1pF9+/qpQ4T2uX8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA8fMUkkTKRTsx6wlZH40zJ6XQP0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTaN/h8+96nO80c4sQuWi2NWhisCzfdVG/l5ly\nW9fg50fEEYGScXS0pxB2A5G0SFzLYcZ6evHMFDvQjs7z0W+Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbLCea7G/GLquxQ7KLiRJDkbeAe4wCgYIKoZIzj0EAwIDSAAwRQIg\nAhlYXHWNKgTNIf6n5T1Z+/nurTxc+rYraTiLCq2sbKoCIQDSv/WysAbQvfBHcKZZ\nrb7jkZB0NQCi6/Bw6Mw4JCMymA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUSSSSEOMXkLnyLVgr2NHGLsBs7DUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8eULKsOmfaNJhKguix8/+LTCIQALFzSWk+WyuRey\n/bGabRNUVmKoIMQDiib5s4J5jZjXDllgGPv7QiUP1IB9/aN3MHUwHQYDVR0OBBYE\nFNd8wjUXoDrJeL1epIXax7capXgrMB8GA1UdIwQYMBaAFOG/OXAkMZa6Y8C/Opu5\nNhByuAOzMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMLXLOIx8wI7oaMOHc1BdZve\nBvycyP6p3HM2te+sITKcAiAFBD78+JAn1qdnr+EgqBnsBWJsknhSSnTcXnItVVrA\n4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUNppR5X2RvjcQx3vp5pQ6b+abqYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPqcBmx5f4zdvzbo21UM4m23/yu8tWf/nNtiEFJy60Kl\nwX97tB2iVWi1lYyAifMQVYVVbzXuI6q6fM04hWF6G4WjdzB1MB0GA1UdDgQWBBTb\n753M6jaPj8X94geWhilGotZLOTAfBgNVHSMEGDAWgBRssJ5rsb8Yuq7FDsouJEkO\nRt4B7jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBrlD6rjw+01Nhc8reAIPvuTZ4VI\nFXj56O9GwfihzZkuAiEA230n6CxZWPLwn0gwdF80/h+O08Yet9ROd6rmOMZrJ00=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP8UlwCrgw6sRNlp/P6Ip5e6+sTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJYEfaMVt5Y+qZnc3G1+m3czbRBjWUde4MqfRv\nj3zWbBs3hlMfrluXkvxTTRaW/FBqJZ2hLTFZRlIz5Lj/Zvzvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZjzz9++e7BP9nY/fXbPqjBnGbNswCgYIKoZIzj0EAwIDRwAwRAIg\nFGeZ4vc8+EXy7XUmIRuCQ3N9t61IFW0Sm1pQfhfZ60cCIBMHUgywthknBOt3mmCm\nBfIFAXiEAYRaBOn7mduKg2vs\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUW85C/gszYd5XwrmWXRpti/+a6i0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASngt6lgJ0MiQ5Tx4Iz9fm2iFAx6mNzG9oEa2Xv\nuSNkzGGuHo0rXmHO+gzaLOMOvV8l0gion5hgNI3UPawhLLOyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz9Cl7W4+8aGbzlmi259snQrumuUwCgYIKoZIzj0EAwIDSAAwRQIh\nALNuSU0hNHVVEgCvrqz0NrhYQiNnv08iHAtPfmn+uFhBAiBrt1gz9wC0VGzDmHkc\n8LG7fE8FAwBvREmUPV9lPrdc5A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUMQBT18dsWFJBAY+fbhTvOZDob1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEafloo/r8396djbL6PyvQ0pBX6vthjcPCkws1EI7i\na6pIzhXvyDTEEa7cCJGODcrQvHERmb4jKCywoN5sIIA+O6OBijCBhzAdBgNVHQ4E\nFgQU2yHuP4LJUMrrkShM3kum1Deo/X8wHwYDVR0jBBgwFoAUZjzz9++e7BP9nY/f\nXbPqjBnGbNswCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNJADBG\nAiEA8wATQl+pV4Vy6WRCXLwFvh7eZMJ3KU70preMm5cdS6cCIQDkrMP4OZJ3zcW6\nACzL06cCsO/cr3cqL11tahO4Pdxbuw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUZ428rxX3VbhDPQ9KL/yPRasQb5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJVAFG+pI7jgP+cqas39LAehiFRkDOPhii75DXVHvJX5\n/Ior0mRRhOTD+PtHJCK/90CZMaPamGtthYnWbtj7aX+jgYowgYcwHQYDVR0OBBYE\nFMLqksqn+sDnMoRBmJ7n9fKznj/oMB8GA1UdIwQYMBaAFM/Qpe1uPvGhm85Zotuf\nbJ0K7prlMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDRwAwRAIg\nEPkUki/oe/+ot2VLHfzq+RhypVQX5vI2UrJnCy88bKMCIDD+9DrQuSOikTdYuX/o\ng2JbylaKgWGlDKY6VTNLMvc6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1497,10 +1497,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUfh0NLINM7tp7zVvHxXETV7wTev8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjfom6Dk8cgv9Lfpm+YHQV2/tiJAD3vtdFmnlh\nwRIj84GKj6N7roihX26sIsBLINdEi8XYopuqLPqOIa+92milo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeDJ13lFUBxeYpH3w/AH05fUmjUUwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAJgxSNqRoLQXVcs3rEc10dM183Gt7z74Ak5y\n7nQ/YjH+AiBRfE9tOWw+hwuVR0xf/0aCnakNHHhfAsxAVwA3Pf4x7w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUegjOGDLimQZZHsuxghhrJi4GU5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFZdA0fpnGkibzWeiHTjwQMNpRmIk9Z7vDAqXA\n60VXwyX/7zTV62574RZJHma43PF5eNPQWrA07w2sg9K4Kp15o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy+Q6UwoXmP4m7M4w2E92fIuTfDUwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgMB4LkV2GPUp+ymgNOEZkLK/Tg2a0IfCeTLuL\nH+InSTsCIQCZKOQbeCc1thZkBKS/hsfh4x4Fud2TPo2tZvbsjXr8Pg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUe99184DvbOMae8DgHxqmJEvyCdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEm0UV4EOiZfKVChScFIwk2cLXDXsHBFMTS3zAGH8Y\neUmXwOQBCFWC2TLTeX8HNuug1jF+0WGHz+j+zZRI+0wYSKNyMHAwHQYDVR0OBBYE\nFDoKD7zBiww8QgemvWHr4gOxXy5QMB8GA1UdIwQYMBaAFHgydd5RVAcXmKR98PwB\n9OX1Jo1FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhQ1yBGpYz5hRWHCCtseMa9D3F2NZN\nH84qwafTVaEFTwIgD4RClbABj1qA7XHvritLE2yVPFIyoU6YIgPiACYqvfI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUFrUmxS++OA5bvHpp5NX+6Fceac8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPA+czOXoYAkfXdIhqp7d7X6NxfeaesmlTgiwODOpUqD\nBlsKxZ8brDlDogUwALyqiYz8ZZaBUrmK52ykf7Iy/uejcjBwMB0GA1UdDgQWBBSs\nKCzDBit5tUp6+P6fsSOXy49pxzAfBgNVHSMEGDAWgBTL5DpTCheY/ibszjDYT3Z8\ni5N8NTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA2Q7PZPJUDjBGxPxBzuCP+2MDlyVkVHTv\nhGPhpq1B3PwCIQCMhnYQYvvaD17cXlOucxj6F5JNu7qb8QXqBVALKXXtDA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1520,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUaJ0a0DRUpJqIwNU0jruBkvzmqYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoNYYyjiRKcW25JIG8vuqxSEe/HtLwcLwHG7aN\nuMSVBkEGNDqMVyEdxoG9K4esn1tvXIGjyaptAoV7ViJPKLFBo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFHLAENKrMkPMjP5Ry+Fv6vvL5m7PoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRywBDSqzJDzIz+Ucvhb+r7y+ZuzzAKBggqhkjOPQQD\nAgNJADBGAiEA3uRD8L5uskHGuhMdKASAqUkEe4Exf8LS8b4v2IzewwUCIQCLLpcY\nLab8McRTx3G+I5W9AHzJZz3DxXcKRon5+CUk2g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUNHwmn6cpicKzHp3NnjHTtMntszkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJFdImSQH6kpbjWqtyzPKOONYQ7bHNQm3oZdD2\niOEE+LPZRsoXEiIy7K8Sam/fB6LVX9GldFF0m86S4wDCaB1jo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFABLiBZlO2dQAj88f3JUbBwv1grqoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQAS4gWZTtnUAI/PH9yVGwcL9YK6jAKBggqhkjOPQQD\nAgNIADBFAiBKebjygeXYyD8aA1bme5UnYaCXsLNxdRHynTk43xF0IAIhAOZhhJM1\n/25D/3x5byxgTJ54X3U7jzOidlmH8xA5LNSL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUcJsigmSaVGX1x/5InKu4hxaomRUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfM+x0AuAtzSWMrf25OsP3HahzCK5hpntpGCC7JTg\nDdTxmwBGskh2Z/jb+6C0+yAooBldSy79iH0wVxlUSCPw/qNyMHAwHQYDVR0OBBYE\nFNMXAiBSDNOjoUVpSVRzazyUHfwOMB8GA1UdIwQYMBaAFHLAENKrMkPMjP5Ry+Fv\n6vvL5m7PMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCsTAVbBo2sUGQIABzTbVIJ694u00Wg\nQyXY3+OX24DBDgIgdzjd6Z7h0hAf4tAyFn+OQdpjoKjzQnmL1GiIF0GMT+w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUbCs98lDLFvcigc3QqNt7yvrX1qkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK3fH/RuZiHbxwwnDsQ1pXjiDClg34gYUe5UIgaB+gux\n6T7wgV/H75f849EtFtymhEKR4rVgEbx/dfKe6j1z2aGjcjBwMB0GA1UdDgQWBBTk\nRFsVYUFwbfVddwvVr2L6PT9O8zAfBgNVHSMEGDAWgBQAS4gWZTtnUAI/PH9yVGwc\nL9YK6jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBV0+T9hEeG0f7i+IaTKr1I10LDUPgwVnCK\nfSo1vB38wgIgbiGqSLHFsouOwNT8WZfW4Dkxi1w4Wj7MSJdyy42sWRw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1541,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUT3gs07irUf9IW2FEM8ugSibsFw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARHB23ZR1Lsb4Q5BmCCMOe3pQIb16A3lTA1PQ76\nlq0pH/3tkYsbyfp5RwKrttQaqKpzH+Emkb2wCzSSYPhvI8FDo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQKgmhHifxaHNBIdmzfcBcem+VMUoICBNIwHQYDVR0OBBYEFAqC\naEeJ/Foc0Eh2bN9wFx6b5UxSMAoGCCqGSM49BAMCA0gAMEUCICa50OIlBNjGC2C8\nUJ6TJnbRbIejM8AQsUHHoPrlUcAqAiEAxDc6r53Xxi8E3ei+0krdbz1rLJbdSjpm\n696xRNSKj5Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUIZNZsA7qD9ou+72Z8WODusOHSZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmgU4oGdYvEPbciR155zYOkjy17zaz4ukfvvX6\nxOfCvvY7JrhC1AUHVps8bS9FxSKQooFgkkUHYHzjcrAoJ8MHo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSgFrieHcQ1Xwvop2RHe/S857zatoICBNIwHQYDVR0OBBYEFKAW\nuJ4dxDVfC+inZEd79LznvNq2MAoGCCqGSM49BAMCA0gAMEUCIQCd33hVsPjgdakb\n/RB2hN8+5RnmEbpzSef5cmKLxxsqFAIgAqb6NsXO0pAwMDFUlMWsWZZDmD3p0G2y\nVLhOBoQQBRM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZtPz8mu+rlfyAV6ITfifaKdcBk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyX7dZAOB7gXRhNSvemg/aAJcS92Ow5pRqSYyctbz\nd4H8UCC0+zQd7ESoHwvSLDnwjDZTekimMfR9oLrzCe+53qNyMHAwHQYDVR0OBBYE\nFAzYC+LlYezPBWg8TLLla+u9NIK+MB8GA1UdIwQYMBaAFAqCaEeJ/Foc0Eh2bN9w\nFx6b5UxSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHPcvvHJHmlKs8GwtAzSxJUc6puYJcW9\nCiQsXc6MjiV5AiEAjwX0lep6REv4h3qv+h6MpwRMAKKY6TTLzzUsO6Hm6M8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULLjy6JWPUCCI6fem2oDb6H/e9ZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjlNoEhrfxI91PkX13jJn8WMptcwqGtQuW08vXC7DiL\nGBmlU6qCeLXTfdMSK+/V10vyTuEguiE4c8M8/77bVxKjcjBwMB0GA1UdDgQWBBT+\nOEx0s0QFwsqjul848dcXaJklvjAfBgNVHSMEGDAWgBSgFrieHcQ1Xwvop2RHe/S8\n57zatjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBG9PsQRWtfyVIXeO21HR8scHgHdKxUgPAx\ntzGyvEdvhAIhAObKUBuNntwy2dfRq1J5qlgmn9Qv607G0o2wEytsW8IT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUP7o6+7wjkooklhdnlEGflbqxDYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJvZvrnn8Cs7OeAq3k2OkNQlEmFtOXKDvB0j2G\nHdhNQT/5/gX+XsVQ3h2eHNDVKU5RFFLDSnx33IVAazHGJAg9o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAGJGvs+5esdBlovUHy1KL0429S9oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUAYka+z7l6x0GWi9QfLUovTjb1L0wCgYIKoZI\nzj0EAwIDRwAwRAIgS/bd5M0+86C+PPrRP02JYTdYR4Vw4B0dFjBVFlITLG4CIGWR\nIT+aX6p2QNrq202KkHqpffB/CqDbjXARUAPivg+5\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUEOhxjsDu5aJoqMJBOdl/Nq1Cj+4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrByPPq4CXWSs9XSRf/I+ds4BbCZWmUTi+aRV/\nwIwYCS1/erEADkJ/RejoX+MhtCXsHRf0KbQtdE4lxRktoi1+o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFB/1KTqptDxSCA3i96KJhiir/LeKoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUH/UpOqm0PFIIDeL3oomGKKv8t4owCgYIKoZI\nzj0EAwIDRwAwRAIgIo49E7ZBX+QXILJZbgNjk43trbWy1FkKHPEvfFdXLK0CICw/\n8yIHEs9nxwreKznWF1LpeKV4oz2lC5HGfzU5PRjO\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCkKgE2yLMTUGliiXZfW0u7Q5FYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHUpOODhvC+/GqDepzAliTGXSjJp3SV4o0Qn6LWmx\nEWUfMsZ18mHwKwt9Z9Yxq8l4DQekPQ3TdZ9H5IwOJRh/aqNyMHAwHQYDVR0OBBYE\nFPsu+gp4xyHhQbAoX7AV/L87DkDLMB8GA1UdIwQYMBaAFAGJGvs+5esdBlovUHy1\nKL0429S9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC+B4Zim4+ozJZuwHASWCr3Xw17hN/D\n1Fuqlry4lBNs6gIgFBmC4i0vmtqZ4PCYh9LMj43bBlr+nGKQZ0zpVwpcG3g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUUtlufhI+0XlMEMeBIb+uGtEFrKkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFyrISUxHhOeoOcPj0CbAzL+gtpiM2ZskdqYRWg6U4ou\nz7sUkeC7w9kmrEsTCjO5Cb5Bv1vd2Xtd8bDfr0H0D16jcjBwMB0GA1UdDgQWBBQq\n5EDoClVyT79zqHIk5lG20CaJPzAfBgNVHSMEGDAWgBQf9Sk6qbQ8UggN4veiiYYo\nq/y3ijAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBGAJCOLnOvRpxX8Vvqe/8U4o1ydVwkYQdA\neaFi53eQaAIgWMEIfryQuAvIEyHjAamZ0uAQIdi9P8tKcMKCB0GINYQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIKGeS8uyPVrb/y/HA3mcznx6QIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8VPYYCV5w7Vv57o5R829xPe90lm094wafEevj\n9Q3UBzjqspYWmhhcIRXk5dvz61JLwZ6C1G2i9wJU6UIDORcVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX6zTgwAluxqiBn7+8/W5aza6kWcwCgYIKoZIzj0EAwIDSAAwRQIg\nL9p9aJN6b1z7oZbyEQvPMKSqfxIl1wLek57MT8K4VKwCIQDTBQbPWs98Bpjaxmse\nqLndx4Fnjx7Ps+kjD1eryWYMYQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfDh7GHVvHh2H9cvHKUY79mYYUYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwukLuHr6EvPABseNBTCBd1br+h02gMrXywmL2\ny4aK8t587MB+bG0Um+l+RF3dz3tpnPU3wD8e9TQNE1RTVo0Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSI52ECd7UYP3e8sJfcKqa/Jm5jMwCgYIKoZIzj0EAwIDSAAwRQIh\nAK9ys6R0z0PLAUX8ECTBX8eKIB4Ju+gC6SsxbuqFsE16AiAOv8PMczYqUvfXU2rD\nEbstOUIsFewMXbTZax1Sx9ZyFw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUU++hYgj8JOirkDSQRtYaLTVNyXUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABP/CKXK4PutYFRWL9nGsIeNjHQGDtigKPiwobSkx\nKnFjsbU07kH6MQxTRGyQL4yH4QsZjlpxQpGrFsuvIBW2PeKjdTBzMB0GA1UdDgQW\nBBRF3Qja4Erms66qezfj4HK2AFBi1DAfBgNVHSMEGDAWgBRfrNODACW7GqIGfv7z\n9blrNrqRZzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAsqPnzVEgABFzw7I7D5QF2Axg\nzvmQjRnp28spk/VN5SQCIQCdx9HdBNIuXICLZpi0mqX/ThJRDv0BexTM62t5egFJ\nog==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUQdMUfBTCQbSEGW4CE37Zz4tpdnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABCaPFPRzYatpBseF/+RtTy9S0hX1VvYLfSLtQPdT\nu8HTXzoGVdWLptct6+H7iYpskK0mjS5cbJzXELeHVQGWtxCjdTBzMB0GA1UdDgQW\nBBQOVEPqkYIo1954aS8TnUVF4oP/0zAfBgNVHSMEGDAWgBRIjnYQJ3tRg/d7ywl9\nwqpr8mbmMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAeAzpZ0pz5uuupXdLieMaNmp1v\n47XKoSqCpIKvJe4gDwIgceWPncTP+fK73/ZWpyMEqaTnZm+dOmMjpvL2Qnzux5o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf9tRkIYc/dxu3wiYGw/0S/jJ+aAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcrA+ccSngdg5w3gZnNfHYHocvlFk78At19YEG\nbBkP4lvw5PRuoQXf5MtKfrSTcVXXJI22rks8LRFYCiDHTbNPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl9GHignU2qhiB6W5oxRiZZx7toIwCgYIKoZIzj0EAwIDSAAwRQIh\nAPuPkHsE/xQzG0DCPiDu5gzXuRLDUroDSmHWIaUfV705AiAtVBpoEZlT2ZFrsCW3\ns6ou549TeWP+3lJNcDxU1m3NRQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY2chkMB869ttJx5forZOlIoxvZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIvMhiFZWzh5Rw/4dANBlKVyMXzILzcOcH6nbq\nq6uF1HdqR+ivgGLwjueNQJQfGcPJkvw4lm+lhZHTvR2ml9yqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/WC8dJgVSibr3v+BoxXBC6xEgSswCgYIKoZIzj0EAwIDSAAwRQIh\nAIiLxdjw4VhqTC1hCu9NT1B6dLFtx3C4L4DptI+lWjxkAiAJ7H4883cirT8pXHGX\nBI5Tcg1IMUPxPCY9QDMyTrgUEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUWlLn6XBCcK9M8ZU5nc6iHipwbLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEc7nLsqlMcc+0Q0cdXE+7eRhzUTnzoZw9ulMITFje\nu4KCdn0hSI8tIevvGSR3aO40o3IwcDAdBgNVHQ4EFgQUd5q4QrqF7ATEwWcsTVzQ\np1wHfaEwHwYDVR0jBBgwFoAUl9GHignU2qhiB6W5oxRiZZx7toIwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAOf58+/ZkXfTjXC5uqGJYTybmcu1gtDOcYH49P7V4XczAiAsy5p0\npFpCld78W2JnkMQ3E0d1TsvI+mMicYK/wHyUhQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIULw5ABd8NtWzfqVOxt3IbLxP9X6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABFoWXk8VwNxqeEwp0U6jQDlr/0Q4bdARIGaXo4QxlDtX\n+gN0QvMTVv0Pu4MUJeDf66NyMHAwHQYDVR0OBBYEFMV3BV4sOAsDrF/4LFyL1ShX\nnuYSMB8GA1UdIwQYMBaAFP1gvHSYFUom697/gaMVwQusRIErMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIH313KZDA0Mcdyol2sLNIMh/7QC0snZIKrgV0PPDE8krAiEArGoxk98/\nhowBCwsJxdw3LvFHEh6qhsEpJo+b3+fsft4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdMcv8RFCBNQEV5f+VzwwcAyWiRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARf22Lo1BfEQK+NBiRLk8ALuGcs4tHFz86LO+cF\nJ3G5KKTvh/vwJS/lpoCpV/4PkpIWjv9DaYAbPZno72OdlOfHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWI7p0SbK4Asm5YCA3sCRUo4YGC8wCgYIKoZIzj0EAwIDRwAwRAIg\nU7q6onauvB2eqX1Rz9JavP9mOQOKS48F1USSGU5WzrMCIDZypEkKzuxj/qkYMpfH\nDICrp3uKikg4P2X9IqF+B7zr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJG9yhqVD5dmR8cb82TtPnJG8FdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS22iVuQ9Dd5LLnUoIjqzrPnSxXFeCCkxXqXhN4\nLMX2fanXtEYTG4y0LDrr4PRgz/jQrNrOGdMc3Ftj1YHHy9qTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh7YG7JgX8gj6pxgVMx+72fDFSnIwCgYIKoZIzj0EAwIDRwAwRAIg\nC+PsZs8zs1deQIuc+47mhTPFe+1u1R4GBEUT6XBwlSoCIFcfvnlkD986vRL06fYu\n4DO3+WQyxow0zDmv5vLrj+mu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFzCCBb2gAwIBAgIUBOENTQ9NfwRjYN+SD1XkbjuiS9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCk5hJvPU4YlrU9p4o/FE+mQ5TDnMfSXKcXyD4pzao0\nBscfMWi1ICYlDbkxftwx5UqvpZPpD9NqcfgPhXIiesoPhEq6J8yECYnUNSZFFCst\nB8D7cDjn3epw0vkdvfkeP+DmOW/0DI1/mFGxfMLkTE0dFr0RwnCsOD4bO5A3ZGoL\nFoVBY64V06vKiDZ5ZuvQ4ceMCiD6wCXBg7dSwzZfqExkoIntbtqTmzd30aWzll3v\nCVDU7wE+K+z048DsPhqKtEPbZh9sSP8/dUwh10bG8EaI0NEYmUECtbwj7vIwsaZi\nn2wFyL0iArOafvOkjeM65HZFYGxlPAu0SjwFHqR5dBW+IRVt98tFIvR4VUuQo/Pg\nXaoRUHzP+QT6m0rqiUkPjENgmdrXlur4rkUQzsbJlCZ2IedPDTApaqYLj7Cm0icL\nWyKtAneJR5cSpQdmh2gV5qYsmgYQDxFQ7dY1dWuONioia0Hro/X1VadBNMgTmM9r\noHdihJS5zQZNO5YaZK04ZgECIQCdmQ/ySWyqIQHK/oKbykPcjbkFRmVKOb3CIQjj\nQTg0EQKCAYBUSRjUDrn2znwk/bi57TCbEVXWa2HP7BCBA0YPOtCUky84ENnTlzht\nxZuUbw7UmXfFqhWlX7UBCLGw+IjMk5nSpFKftsWd/n4sDmj7YvUEHbmD+zsvhqgK\nAXxYT6dyvGCNo+cs6AOtqnreLSTpLyfnqwKGfpzqkGSizyIMccePLyO8yEEVAhQo\nu+el59T6k7HXNX3XxFkSv051IXRkuBHjYfC+T0xjoJlKAZzXff0hLit7TTEwxnHI\npUniVOodK9K1J4zmuOCAq2SUjUx+yjUqIXWci3z7YJAa58oGQ/jc/dqudOvOuRu0\nduaTfHUnNDnAb0MbUQsD7tT0oHJToTBoQLHPjcTU/LzZhg+ervpdsw8imJ6EX9J5\nLT/jdyMCOK/1dHbuaFzMFiEEhbOQdLWMqaGXiW40HxA4O4Hw+rAI4maHAWwP0BJn\no/i4fmjZfFokffo88TBQIGHT0MjbXJZPm9+i2vEaOy0UddCt/qb4qhm436K1bgJj\nuK3E+zr3UyoDggGFAAKCAYAn8DrYk8drFjGDgsQoPPL0TDM68ETvXsr747dwZL5g\nLm9thUq2BIH1QJm2wzveTSYWKohovI4hPWxFyeZ21kM3fbstv0M8IjOzuOc5rTvO\nHyYOn8ezxoriP6TQYibraaJMktpJa2d2zlWZfiUHmPBBMdyZjbhM6IyTlKuMjdaB\nGKk+eWZfKek5Xw3GO6lXdOJhzih/PeVSiN3AWErpzRWK/QeORABUBnix3D+fcGN0\n0mgAj6LRSHfgwxZjg9/Xq3YbmENdtRxLUUr42gusy4t1JPHpvnGDIMQOrzPBDUz8\nkAciIdqySnMFy8MbZ4idQ5a6QfQCt8e2mc2NnVEbEl8tdK+zVZORpTgeU9F3g2Hw\nXePRWyJIY2yVBxjWyUro1y7+OBkefj0BJ/+H0X6DwkZ7XlOC5Wmr86mY8lJytXM+\nd9UkZgp8uBQb1dEXBd6FyLzCUhowhsSiIUR+8xa/du9ghhzntfakTHBf0B9QCHw3\naWcsv2JaN6DQvbYsuUW2xv6jcjBwMB0GA1UdDgQWBBQxb4J68QC/dG9xP9wnE2Jr\nHtwpbDAfBgNVHSMEGDAWgBRYjunRJsrgCyblgIDewJFSjhgYLzAJBgNVHRMEAjAA\nMA
sGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiEAuzDedUSPpx6DxjcpyS/N1dY8/kWhD9BQBc6PQdQ338oCIHudmhOE\nVclIZ1tZfhJybOw4qDi/cLXeEk9N3gtn59au\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFDCCBbugAwIBAgIUc5Mc6noW9hW1l9wJJbUow4n6hbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAxPSYRBqnzSxor7u3uiAYWJKtJf/vKymefrm0cC1iL4uh\nITyeXQPbg4sj+tRc5qLaTPwGiIS9Zav+1dx6568+IuENcnKn/VLnYeI9XfOGkYxC\nCvRohNgBPcjlAmCu4HY1xEzPyFv84hnadY7dEdZMzsm/JveKAptkLWvgsIpJ5ulV\n8hYBmMY96PoMXJz3ADC8fLub9Sun5ra70EYsI7mdVhZxhUGo1/4nr4Oiy/vT0F5h\njLBHCkLK7oZh/NlkYUx590L5DjsFW9pki529EoQqdo5PxyFsrAia97mKrF6x1J7x\nfcABVmM2DAGeDrJ8bg4q42lp1vGDtN6hlK/223Hi36cwrFxO0ShJe5xwD4FteouQ\nOaZi6R1YS1zGMZYupLJndjQHMiCCOKPvLUrCjBq/4KgKa70tcWY7vHdf/EoDZQI/\nFTr0kX++7LE9IPXM58en455DBilDbI4D4Kal1aeXh1ABePF8GIF+zlJnnyUVl7YM\nUH9EeSJlC5dc7uztWd/TAiEA4EVYxtuo9aOUsCvXp+HaZiPn45C+LavO0tzPz1Os\n8qsCggGAFokduo7q7psLXpTpyIzFo/INsr5M5TAyf951i6ra3VAC68/DcExmlp3d\nkEFcXUTZv49o0z02CnANZj5lDECl4iN2s5ng7vTw8/x3fNsOYfRrrmdkIv228pqt\nuozLEhxTo2rS9U+uSzgitZgpKIwauwapaswTiTZY5Hz0BuKFmfvJoPGAI+mn5whA\neaUC6dcPPY+Agqpozvdfp69iG9M4lYQZq3q/ClU42dZaP1VCwU9bx1GQwuQ8IvlT\n78U3NEGwKLJmWgURDWdHYDeWxXaIh5/Okr1ZIkFNLiE2DkaQDbK83sHcMBIEbWa1\nyofy6i/BfmyqsaT0GzhOHMtFGUThtmTrhiCbuVRNdgF63cvXWfUenDRl6G2Bx/c3\nSMsLydBnWTBLDKsdthLYtMhy66JTOyibz8oT4gFIOleWWFdl97aTvfzU5OgW5/hX\nKFOKm9HePjyuJe2Ji7pQm5kTOb/mg2YZsgfPmShzK5vTzl3VNmq1Hm1zV3Xawm6g\n7LPBQmUOA4IBhQACggGAUfQYlo9PcHcMofrLzdMCS5wiLwWtenM079USIDSI9uwK\n8dWBV3j2CqHEoODTpRO0ZXYhHTgW3HotkASDMFuidRONNJbzvNW7olbPRXHy5dFL\nS+yrslg6wfzK8NRjY7xHko25T6q6wZSkqWWB+R9tKimiCw1D6HTzpCiBUUOlUhXd\n4reEIQ1z7aHvzXLrGbNVT+kK7poOTWe+bcUuGCMi4mOsDtyjh9p5vQdrTih3RFmt\nsDMsc/8gfbQSfz7FMjGN490I6j3VeJZhpSGd1Kv59jq7FyzTVaegAcdg3RH3uhkn\nKyqsFwU6gCJYTkSvd0TYbVjcJPp1oLjSNuE6A66pAviLRt2gHu5pFNaGFXU0uGYk\n2ODd2sOY9HvP3LOYamXVrC3ICThXQJCMGn
4bHHh0MMo4WMH2RH8azelm5wR5Maan\n1Bf0e/64SqyYkxkpIvYlpcFlqT2EihR5ktjIn8It9eQGeKPkfB7bRjylkIhqANCc\ndnwJwLR2ADDN+UWNgcrSo3IwcDAdBgNVHQ4EFgQUdYBGJZgH2pP5LOPBQKw9/ofr\nnu4wHwYDVR0jBBgwFoAUh7YG7JgX8gj6pxgVMx+72fDFSnIwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgDdlx425bCl7gSCRrQLySGWqIUj4X1HasrhhGaFBK+7QCIA6HlQRCv/ER\nsGRSvwFNqdzQAu8kFEyFHMtdALUKhlNx\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1646,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGATCCBaagAwIBAgIUPdNwiPm0wse+T6mt8ytm2N5ytgowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQDzXk0xIYe6aqIbFPDXXAE2Jduk/ZJ4+qtve8sD\nxp2G7H2YK5feUSYVFXKIVbVXcMnGAUSZxqjOL2IwaFzAF7ifYeb7FJTGYiu7RSrG\nwvJKuD+gMEijBqbT+dSPZp3mIIqftmNeXiyrhXUKJawDpcwxq8DRynWPLS2otaLA\nQvmQAIzMv9+id0zlEjqIvlQoK9niRlt/dlowbyeOD2QxJfKckrgTnDVwRk6KUroS\nNRCnu7WH3BWZcvsXTg++pKC/n2kWQBLO9e96aCqO/cwXMaKikBGNu8h4nnENyLe5\nU6dLvOseC9BzUY1Q5ZIecL4GJdO35fE4taUZ/XClKsIUgfX0q4pYlzPGdCCNDPJV\nRZB+KzU3ot9XUvq8OMwRj3i2f7dr0tt/IsdeGWhZTsiJkfrrHH2y9ebrLlbFascJ\n19eY4GX7ErguZABlzK2V1chPjAy0iTLdPaMxtEuNFYq9OX4iBsVLSZ3E83QuM3IJ\n/DInnXGXdCBMFzTlfjfnY0GdqBsCIQCK/dXBVKdgVkYX1032jRkC8SMUlC/qLM1D\nEtaZno1wQQKCAYBiD0GFn7OPzyqulgtetWk/ma0/IW84vW6rDm7qTGjZyeV66BWU\nrSDi5hRlQCdt3nPn9vy7poHDBtQ4+3IJzsiNMy5ObeS0ZrNVbyx57j5EDhudpTkp\nqe3pl1q2FvydhOczmnCqDumGehzoC6k7Rpg9RioN4f8EU7OSy+ZgEW/JcKhSOqp7\nvd0/R18aaxxsvBzeAuYMHU9jPUSGtXA4fb0Hnd1ACsEiWCjWk2qgJrsm3WaT1Hh/\nYN9xIkB9zuT/YwLLRSnGExQjoEjlSc9lyJuK9bueiuxiwORBGY8aOmJREwwvYV68\n4YabIWprtEH8fBkLnfoHrzQXag5+dfOiR9R5dZfx6/FirbDDpsl6+bxfg9+lex+Q\nX7RYqqalCjYRCVlKo8OZcCwi927670t/YvW/KkOOBimxKuTtSKItwJNPUgZAd4mc\n4uDLNvSBFhlg/kSIQuJG+pcAr+yVBQ282f3oKKiy/Z0XfUaWQhcWmLs0u3CmLknw\nYTJgX3kAEQqioTwDggGGAAKCAYEAlt2hXb2d6fyliy4XB+iJ4eQA0p0ULX33+yps\n9YheLqaPUVU7PdC6DfqROJDSdoRS/T+ROvlxyOl/NOPW3uxVVfOPcWqdcCRPZRJo\nkCxZI7agmWq9GUzi6+EeBzULchEe5pcMNaVVMmrafzHZcDjQIRBUywPoUUxzi7qM\nOvBmqjqjXFgWXcUezWOeYQuTCun5xVh/oT7G92ImOgzZyosgsjmQlqyC11rXfoOR\nVcqX+86Q5izQTb/+wpDa25dZnnlIY5c8d4jV+cCMHquq3l6kFtknY///d9uewIVn\nfiiAYiQP72WXE31HLd50Pl/zJDnEeib
l1bVzGrsre0keL0DD8cOTrlrZubENZwGc\nGkpMwNUtfx1WFZoePxF1wmtHpfofdAEvMzVsZivPRt8uQxro7Fzvy7M4ooghmwYH\nIMRjo/YnwR8I8QrG8BPzMFsi5sV7APRJqx+YlVp+V8IiLw5YjDPqAkwR2qKNxvIT\nkJdeGBxGk8aB2NJpJ3yJa1jzRH16o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUgvgQi1YU\n7XenURkFKopQW890UBIwCwYJYIZIAWUDBAMCA0gAMEUCICyuDYon7MOKP+c7y3ee\nllaYkzuGrh7xow/Zn+pSf00HAiEAir6w02nR2p5fMysYYkQGm0raaSOXNZU97DAH\nGFgiCY0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIUBtLPpn3c2/H9tEd5yQaDN/w7Co8wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDA0L4eD08S0AcZYZadfeHCmEGG4/uQpGe0NIzV\nJM8v9p58LiHH6z+LahhhyS7HXBFS5s+n5ab6Q2NFJ4z6eJHaHZqRyd1oUrx1LWh1\nThCyKWGl8y98Xp2YzfGCSjQMRALhVmmricCf/DS3nHKRzBLJ7yDvSeyzOL7V+SjR\nh9ODzXPAgveTIcQjLyg5JY7th14aQd+G8NPWXrHlZFa4LYzqWKdjQG5Hjf7H7y/o\nH45KOQzPDRNrwrrw7aRuEIuojxKWLVgvR9UF1hP4UjzGDxh4eI10tJCKrE7U9XXV\nCJENi9lLDSUk0zR5vPEGuLYmwdF5HmG/VqlUI0baGjdjI5dl/hHRzPJBG7OrFFp5\nXwd3+S0t37XpMItOEnTsZbM1SpggPsRL2WihT+lSSqrC0YxaO5SayC044WdzXQbe\nt5aNUtESLNjHhCHWY78ILLmzAWdLNpERy4mc4hbEdVHMLARvTr9R6WHBFvaSI46M\nOLomUdeL8wyop+dZqd1/C6Xr2MkCIQDQuVWIqarX9j/6Nuzd591JsGZXjuANJ6Af\ntIPvxeh1UwKCAYByivRikxAfjsDTOk9PgNjQ6FPsrHsyiYKZMAd2NwSVbn9nZXU7\nuiY9Pdkk/azwg7QLrOprW0/YDbbZu66EGyHdAEPEo1TRzqASfbBohAJeWOPD/dwl\nT180LYkvBaTWoZcB6OTt2ET17f29YmRyZ7IAlBE0Fd6QCG1A85wH0f5H0ZqKJ1gB\nn5V3xHh1MtanXv4Y+PicNzBKAXMRFvwtFpvIuurC307opJWFEsjyZApdRzh4Yi4u\nFct/wpo8kSXUExyrVo0N5yIsZJhvjP3N2W9Sq2vC48biHvuDx0qr8TjUL2zcLY3x\nIlVcgEPae4ZFZ0yQL7J7IVysTIbBjN02T66vCGTtM/dnCUwhqf/DgcMxIN9IeWIy\n3l29LTlMTInuB47VlI4cEvwbLx5K4kDU4w2aY5QkMAvUmZmQACDrCwALqF+HF81m\nfKMW9hFcoxoTMqvvMcfK4S3T2GUSk2qCu6r6+ajdAMc/HvY2g6VJyomLLdXdRDQ8\nfluJMG1127m6Y6cDggGFAAKCAYAKtswQcX2P0t+vz66EvjPu1I9HsBWG4i91t/0B\nHuYZHyLpSgOcN4ZVr2UiSYWh813iHFnKr2cjpn3ucsrQZNq+/LLbAynUBW3/P28T\nVPg19Nla076NIuklMPO5I86151/bpMWBc2m0PQS0zAKeWy
cL/EhkjG6RsaX5eWzb\nxQb1+8L9UH/JbjzG1iYMHDOTZRGMyqvvyKb+KJmJn5uhfSjn5ZLcm4wC1cFInmFs\nXzqged/v1jT4Mb+c1iVXDt0lODi4LL6eSruWCb3QfWckqc10gEwRCP2BdhUXL1Cj\ncqA25/Etq7Fcm9XfEV7cFvKNeJKDs3FJ27YyQkgxvWzXQIkVOQQWMWp1bsuu3QPy\naUqCmIxN0BYJkfkvo8RP9Y/tW343HAfm/V/OCgn8O05/B9ISVVOrY5y5hZpfhdjr\nZWUA/aWI6C1gQUc581bODQokLCwnYxb7Jpl33eRyzBKG+7LnoxsuTB+dih1ldqFw\nD0+bWdF9ysv+OLTjCpyNABQbAJKjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBScC7XJFVVW\nq9I2mgholhTNr/pULDALBglghkgBZQMEAwIDSAAwRQIhAJBHCvOdHmbGqiH0RzHh\npPYbJfxmdNOUUAQpgfpv0WRAAiBhZ08kontzByJUccPgBljXzOiznMwT3raeiPkt\nKW17jg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUWJ47cSC3jtZdFK9d7PfVbZrLgAMwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEOdC6ssyDhu0cUW+w3pDe355sTG8mDHLIdNueLW\nIwFMkn8IbTRZR2YIz5tSUQQClgcQQdpV+jKc3WTA9tL4A3yjcjBwMB0GA1UdDgQW\nBBS6O//Ss9soci9BY9WbQU56HJAb5TAfBgNVHSMEGDAWgBSC+BCLVhTtd6dRGQUq\nilBbz3RQEjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgTowDDnyuWvYu9Y2Gjgi6sAVJExs3\ncPza20DESmfEaEICIGRXdU7OmJoxJjgnUM5caWSWbCLfuSqXYWVb1NwcmeDV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUeywCPG5hkUOmAGX/kygFNsy+cNwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAARyvT4drqQ1fBhfX+vFVTBH2sSHiv+pYPbkwDY4tRne\ntLwyZv5YQ9+fZVe7PdK0ZHUDUvHzKp8K6itPz9HjyZhAo3IwcDAdBgNVHQ4EFgQU\nwnmJB6ZgFgj0DUc6nI8YC3GPbSgwHwYDVR0jBBgwFoAUnAu1yRVVVqvSNpoIaJYU\nza/6VCwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0cAMEQCID/07uTcFffdRbhfXkEMRTg7BIoIUtw0\ni//Qphg3okNvAiBbkVT6AxtxJUytFOtb3WmG7WkNRWMfCCs/MwivFSyD1g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1669,10 +1669,31 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXkhBf1ySwv+3ttHFHZbKwvwHsucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcpGa4Wf/h6cc2ovTItz0uKmUEMwUtOcH/qWly\nfBLG1IOU5cYr+6LBfFcJ5lH/21hprBD6LJ9fqfSikAtPlVFoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLmgn1wT7jvc1Yc/9ndLOddi61wwIDQF/TpGQCaA0cEAiBGOUC9QwZfVhuwUXkQ\n/lJ+A1D7tNCJ/lpjP0+qHKOjFQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAMnrf4sPOSdxIcADWBB1JI8HOg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbZcq5ej/AzmRxgEh2mMxaqcdULPd1K0HtsPpY\nvMDZYRPQBdMuxSUVe0za7kfpw+R+wa2hJFyjXPWX051XN00Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwofIT6ViSW8KtzLPp6M3g8IBGeswCgYIKoZIzj0EAwIDSAAwRQIh\nAM9+fEtgEKR6CwYhFpBCQPa0gTOIQb+IHa5l9fY4gzZSAiAqZPIMicvBZqq82dyh\nKYPHNuW2yXTquGXuZ6o+864YeQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGGDCCBb6gAwIBAgIUXrPMvhwnLbHdEKdJUem/gaqQJgowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExzCCAzoG\nByqGSM44BAEwggMtAoIBgQD5JTfiQ9cDByf5nZvKI8oHR0R819fAaoGOhpiOk9qo\nm1AlNK+f2YxbCUc+Hf++isI6g2o0Lc5Ulo+tn+TCqm155KrSavoHjDCXgM6hS/ZV\n2aEzbCgIpZf8mvRNNb4N8Mk8RnWIY49FlK+VjRv3podXC8ojtRzcCQPOvjSsdsqN\nLjIJmjLHCstMkSV954dd4f6C7X/5KNgAoyOcYKIIfJlCg13JQKGGD8Ao9V7P8rpQ\n7cqfI087bSUuB0i4fuvpY4W6kfhy8Q9VJGdScMwm9LsXSn0qutZ1eYx6QWi3E8ZU\nlzkON4lMoa+5khoGbWgWpPwmpkDln839+9pFdpXnCwn3aqEYA0izRcES9TDUjVE2\nCX9dnP+NQunAlASK+57FUzLsL5O9e0YUFGZL/yjWcJe0MJwEvIz4axL7EAKSjjvS\nvuawcwSQnq5GSNlmqywpR+7nhzdDG204VgvItHh6YqktAWM72Io04E30Ei9iNsDG\nqoXd0a+BFl5LJJ3/gnzfVKUCIQCOcMe+jtoWV2Jog98fxgjLxvdQL9Wx4v1cJrId\nh+DydQKCAYEAiJMBqTkAUVw/BHNGpkA9rHLi2/6f3/roq4s45/tKqgpuog2MY8eH\nc2RejdC72/7xL2i2D0tXT43fiZB7RllJmNAfW84SMWJqAjhgIaW6lDz5+ApCxjnb\n/uFVnPoEbaZ2aj0dBO/0y8HFx5k0zF4H4Moj+usQzlvFbZoBXRLfoanq1j2fjs1T\nlzdAQgseWPIEYCeSRhmkpcoYV5O1hYjzHHAO3nCBYVhIXPT2eiHgs9lIrBKOC/Yp\nzEFssaI++bVVYiYhm0R64ARNUj2sbKlgfVC06tJtdDjbUlHZf4K+a+W097XX4e3S\nPFcqJwGjqoc6dRC3U9dzP5wBJYQZGLuaHlUH8Z6TZALW78kf2mQJK2umW5CnRu/h\nFxwPRADOBy88VXai7KGtQfiqg7w45J0dZVgPolcKhOtbHTJwHBwnOnLGubQL4abz\n4yvtE5kq4MWevNudYrSs/tX8hGYslGdzg+oUR2Y485Umy9jpqwnKXd4VdKIPxmhD\nVbDFQmK/DBB+A4IBhQACggGAO+gDG6xWT7T8btYuGn8V3dG80ywcs/tB7T48tzWC\nQMAzXkMf2sM6Uw/KdZ0mkUfvuKtjnPPznTAuasMbW69Sv68wCgq7ilxJJsS6a3zJ\nV+XFPaznf5/MX79jrQtat9/PmiMR7SnuWBbLg+nUR56cl5JjFK+hrPlOO5mnSNAA\ntzW/2nnYtTpSD0bajh6duXgopaw6DpLJSsTYSfqhFWi1tJhX4NLxA3SwSyuk3I3H\nx7nAstTx4cawvwnNk0U9sW7Ks7Mdb5ssnL56UJLi1+Mq10pavAu9jvfOwvKpEie0\nqGlDPy1nORwbmnlG/YE3RvMLvDpSGF++wSC428rYvsiyPoAYhM98aVmmADWGdmSB\nzQCbQMEzTMc4zoKmfUdMDhDRDKCikmmLakDbGGR/MxZkHNUhwjdh+OF0VBKQTIO8\nKN3yGJlZXmMPQasiEleRUe3WGTRxA/bM8jSewKMl4T+PlE/33DfimAcGldTzYiPV\nUSlw7E2I9Weo5Sl2BU5q82RBo3IwcDAdBgNVHQ4EFgQUGke8dl1ot95PzXdWNx3Z\nLDly9z8wHwYDVR0jBBgwFoAUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCQYDVR0TBAIw\nAD
ALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPcayTRfHxg7dkybh6kuqPAo+9bdp0azdqSLXDtECt+FAiAE6wLH\nOoUORc8KvC8csHAcyyhLRkQUOo5naOPhd9Uv7A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFTCCBbygAwIBAgIUIWg09kuVxpiQfA3IvjSCSXKqxY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9Q8ydEiH2wFip3xLJBePif1jd2+UwWiU1aDxeY/w2REK\nKhjoEAhkhGPnodkI6spvRuRZDz+C/Yb41NUhfDZ0PzBwT3tPnRw++JJVB+30VynZ\n/B4U1CBSebtPFNp73Nhb+E8xVuxkXjivqTJ/CiL1A18NExwBisqTJyqYjD+9DQ+N\nJ4i/NQN4iJzC17yl1IHSQry6bfozMmTuUo3NsZNh7OluFF0A+OP96CtIu49aZDwA\n+hschUN6hU4+gIg3NWuTMFw5sfCrWq38NvpNe8b+OFaOWiaICQmtsPEF1JMce8V1\nyZMOzVCtK9oanS+G4/BoGmA18kHnDWLfahuM+acyGW72GiKXdA5iY8KKoVb3bqbz\nJWtMlSF6piu+9hbIihZ0bsWmnlAdyzQ9edSmA0S7Xgj4AOrmpDgezFOWmGKB8e4P\nHZATr3xA1116aqYh+ZyirgGuCfzh/Y2xkVloxQGvSPDZdwyWA4tC5r2tCJFJP9VJ\n2Y1+zm1A9xXwv08ZQqyvAiEA1PQFwsY7lJHO22Sm+1/o72W7RmvAw21YjeuRgQrR\nha0CggGBALUF3MTxDKYJWN/qY42xKblrQmlLnb2swOxjETRO7+Eev1EMu7WDQ/vr\nuAlTYTx6NufnemHJI5eYl4EZVEfG7fMnH291+31FZFsLtpXLCmkhbJcWWnM37xon\nuc1VY/Sk87xzpAh2v/VhwyWRn/y+dEk0cEx266W+6xut+smCm9ZEe+GdawtVe8cg\nDXOxJlwBMlSfIK4APCkLSeHwd4AcZN+jwmEviPdNAOw1f8kV8wmD6hM7vuvWERS6\nmZ86awsB2mlIm467QOQ7CIiptehQOFkCxtRL6phnc8OZXO7vnhKuZESbGKxn65lc\nEjd4k/yqeejfxlenF03Vck5ifwrYxqGex7nruSRu100XflnARjGMCWslRQoWYb9S\n71CwBPBOD9wmXAVSvw+iQkASMZwiP915B/bKXLwMdGVnff/AMq8pr/cn09O0MVvg\no/wbIjyU6WNhLdq1gZnhY5NTX/nC3dAwTRJMPsoCsnAtRemn94HJ7PAA9ACl6gTE\nN9L6Xh3xjwOCAYUAAoIBgHGEJ4BPloBDk3Jsb7fb9JNc4JNMQphD9cdelXB9hjhl\niYACHHDcVi3DNYupMfzWTwJvQQNUW4GVaPURf+QryFe9X5jjPSi+Lj+53bt/SsdL\nb/XBS+SIRJzM1agp/nS/IEzxsOTELwzqJQpB1WNOZXfjO8xM1hkthVvHaTVOm2YQ\nu6fhqLYAkJzq+upLc1OT3LJ+dBiueuslkqTsyQW1HtTU57UXUZf7Ek9LWCab2asX\n+rsObp08361WUEDuWtKslQJ60M2fWnAr3Bnh9VGWVDXW9mzCk0DH1Nf5w+Ldwn52\nIuNWCNn5Q8E05rtqV0Szr1/oQsxg/5LUwWhzC9qWWUE3+ZwtHVCXB/R5MWbEjv8o\nhC43iOnrv3JNkDVVoRj3Cq+rE9VnFZ
ALuDTziSKhDdJMqtaS+Wcg9kQ5FJb2wv33\nR5+xqXruj7WeMDLPCI7a4kIrL5zX0HMs+9/xxEsiUWwM/HTVzZ7iLGlxXR4XKjAS\nyTnr1nEEJfko6m3z4xpeCaNyMHAwHQYDVR0OBBYEFEpfefUnnecc26bhzwju4rUF\nggM9MB8GA1UdIwQYMBaAFMKHyE+lYklvCrcyz6ejN4PCARnrMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIEGYOZHtNexP2J4h6hoJuFpyBiDgg+vo23hnPj7L2i6cAiAUckwmJPaN\nEXf+oLEIPY5UO8Dy4xI0hyo/1IXRsIb2tg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::no-san", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmTzbnlUyM5UMMxaxiYpIBt6mecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxIQyy0GAxaEmZYVXwVl30Nv3XDhr7TtHQIkPL\nrz9AFvoz086Ltvf1WwEWYuTjw1cwp4dafVwRtAp+JrcM1ftbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU37FuTMuW+jgZTRfuSbpLzGXktrowCgYIKoZIzj0EAwIDSAAwRQIh\nALkAfhjrhhN/Brs3RoLxw1IoDyzI+JC6Og2p3UGVn4ZwAiAO/2RmikkMN/gIJhUx\n+M+XIeASrMQ3MxwHeGd41GM/Ww==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUax53c3G/6lfaXOcLyNbXoyKF+qswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFor42XIdIDPz5IXEGA+8ycQokuLJxLJzc+Ht3uHkia1\nljCBjeFl/z9WAeRrCMEsObtDHlWZRbl17LLplngnjH2jWjBYMB0GA1UdDgQWBBQi\nZmS3ZHSoEizTZjj5BER+IzjnizAfBgNVHSMEGDAWgBTfsW5My5b6OBlNF+5JukvM\nZeS2ujAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNHADBEAiAz\nSBgJwtsAM0IznkD6rPk0G1yLEDrRAS5XSowWTeavHwIgXnyNURnJJ/ZLuHubFgML\nbVbz/LVhkOjTLzyHQ8tuxQs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From fb362bd9b3cf9c67c599390906b018392e4bb4e4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 13:29:38 -0400 Subject: [PATCH 035/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 371 ++++++++++--------- 1 file changed, 196 insertions(+), 175 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index d120589fff54..3d2cb4734d9f 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbTqupLDr1qzVSRNTvZNKfwBHbBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6jwRFqsB9Zd7ICFntZkobq3MDSDuqiEVKUQo6\nk/S2/v646pvge3ppp3lhFYv/epFELr2dERHOArZUFdBVNzSIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPMxz9lmlvRg5AE42BWHWv2V2GNowCgYIKoZIzj0EAwIDSAAwRQIh\nAP1Bt/XM4Qi8HBbJ+extl/BUUuxFf24JwM0oAk0O48eCAiA4mlvXfGqirk403HAA\n40TJGCj3XTmPDsZ8oDxiJYihug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSqgxbmMurxPMsbmT92Ge9Knnp3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAART0rERRktLZoAyE01efxjmUq7eKrU8vFtF3aAX\nRlmOfkmg5IfRGjVRV0ITAUWaXk+ncgGjCYaOYpr2IGL7UmZlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAnsB+Kluki/L2hreENs+hq4pJtMwCgYIKoZIzj0EAwIDSQAwRgIh\nAMcE/GmKfvdVzUrUeiSbu5y7Hf7hkF2g+BAJ464jGyWzAiEA/nZJxAUpK5B1GSkZ\n19ukkkwidz2A8M3ur84JRbIeGtM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUdfzteg0mVMzwso5gZE1LZNfG4C0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjM1ODg2NTA4MjA1NDIyNTY3NDky\nNTQ5MzY4NzI5MzU2ODgxODQ4MTg3ODkzOTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCqBtvaHsZso7EoOukUlfZ0yvvrQaVygyj0jUwaZIwzIDyzoSbYV4vlqKwNNpljC\nj+yJ4PexK29fiADJDngS3tqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDzMc/ZZ\npb0YOQBONgVh1r9ldhjaMB0GA1UdDgQWBBR4F3jRhB8jqz6ad+QTQTL0hH2woDAK\nBggqhkjOPQQDAgNIADBFAiEAmyxK2XaH0EqfVTauvrk/046Z9Xcv9KKGYS9Hn7VP\n4+oCIFQXScqszqHe/jf5MynMUIon0+N0Qkw8gAqdYtEreHKl\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGthsCsqRK9eJtmQKsTScwkoWjf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjYyMTYxNDgyOTkyMjQyNTUyNjQ5\nMTIxMTE3MTE3OTY0MzAyMTk2Njk2NDUxNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBuhoXfLte5W7Dfr5Cn4j7sKPt4b4po9ZNKutldzFy/SAQIQn36ESi4WowszVvW8\nwQ6XRUFvZUAkUswbg7tMuvSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAJ7Afip\nbpIvy9oa3hDbPoauKSbTMB0GA1UdDgQWBBRCAJMVQLoqFs5Mp6SmsFI2QGGg5DAK\nBggqhkjOPQQDAgNIADBFAiAPxk8v4Ip2NDaGXTOAIjC1Uf3Kw7D1tk0tOZ8fpYmA\nJQIhANGUKo5QX+HHy0/dabMe1ExSdYdCVuwwQznN71fLeggD\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUGWGwPQaLifpT9Xy4jAGnPQZyc90wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTg4NjUwODIwNTQyMjU2NzQ5MjU0OTM2ODcyOTM1Njg4\nMTg0ODE4Nzg5Mzk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIh+z\nYt/zvnEEHpG8Zfx6gsd8lW07VwRAQMQpetGZZ0NSA1q69QWSg9PfCK1dP+Xqder3\nU90zjNoYGUvo2Wrh46NyMHAwHQYDVR0OBBYEFAoEHGyiDUEtNZYWBmsBbBSQc03a\nMB8GA1UdIwQYMBaAFHgXeNGEHyOrPpp35BNBMvSEfbCgMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDKPYaV8NJwtuXpcOYYDWT/Hj5LyRC6PLQVaZ1B8LRE+AIhAMpzQfOlyiwf\nVEv3iLrS9J7tivy5UTJCeuz8TALPKuH4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUKm4OwKQ569Dgjyagp4gE8ifmE5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI2MjE2MTQ4Mjk5MjI0MjU1MjY0OTEyMTExNzExNzk2NDMw\nMjE5NjY5NjQ1MTczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt45J\nQXtrq34jDYB/XFz76d6Q0FnjDtFCl/+2erhOwgUFbd6pBvwXLNFiOAHJgBey0sjW\nLm+FCU06jKZNl1D2DKNyMHAwHQYDVR0OBBYEFEWxkq2dSVvZIyjDmEKvzZEu+JAr\nMB8GA1UdIwQYMBaAFEIAkxVAuioWzkynpKawUjZAYaDkMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDGn8UMAY/fewJXp5nb6ig5oqDzHgxzoaPY1R+t1+bC9wIhAO1QL1cY+su4\n04cizPzcq9Yx1y4KxDVFyiQ+z+ewpn2x\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc+5hRYMTOJhJIce2BQ4PJBALmDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF+ea6JEwFPK/hIHpFX/+bCO2TANsVaHCU4qCu\n2fzKCntflS47X+pnhwAMSD0RmxC9mVPFsO6CxpAsLOS7+l2ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgaNwC2qdnbdN/CIFMbfgBfx0YrAwCgYIKoZIzj0EAwIDSAAwRQIg\nZPtGM1sgJ58M3Ts85hKzazii++8/oBNxJVbw+3SpqesCIQCE8873Txw7bOBCEgHV\ndLzLU9LjXAzIm0nDBGNQz/x5Dw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUejQfWPoyvtkyb5fhhSq+aEcV8yMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARL/jo/mLwtCHBdgf4AbCat7IdVoTO+reNvsjiE\nopV8HXI+GSCyO9zMZQTgmPFZisdApy2pBVLImlE22pih4Qawo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlmXCCKTvejMnh/cVEexx+6VwynYwCgYIKoZIzj0EAwIDSAAwRQIg\nN+gCWzp+VCcY1l7JwdZbYIC2MayIkgoB1RlZa50yDbsCIQDSY+odhPjeuTL5GYZC\ned1HNF5AUEgA6xDykF5SacEI6g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUcsU3E0m2yZcl0aO19MYhx1+BCu4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NjE4NDk5ODk1NDc0MzkyMDA4NTE1\nNjM2Mzk1MDE0Mjg4MjEzNDgwODkzMDUxNDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMBMf6+Q0wViKxrZJH9idYUtLVPP7C8lGDtWZEj+jS3O6xGeHPn85FwwZRhbwaUd\n+cTPR8VPeYINgu85lk4ecBqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIGjcAtq\nnZ23TfwiBTG34AX8dGKwMB0GA1UdDgQWBBSnIHc8mUoxtSXK/q6zKK/sFm6okTAK\nBggqhkjOPQQDAgNIADBFAiEA3+6jlqPtaSNwYmMZ7SDSOgIp2JwbdnfM3bWM12pN\n6cwCIHN+40VZJQzbE80fvEqE9ulWd58V9EtyQjf5KjDwv4cL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUW9r0+Z9IGkqo0u2+HvZ7uITyzXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTc2NTkyNDM1NDkxMTQ2NzI2MjUx\nMzUwNjgwNzM5OTc5NzAwMTE0MDEzNTE5NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCUvv+UUCqu5tkLE6rwHYUYkOeFfyyv5pKOTlEKoK7NLyxNKyTzi3KBQRCQ93vNH\nAzReAk4JCwRp3sZgBST7P2qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJZlwgik\n73ozJ4f3FRHscfulcMp2MB0GA1UdDgQWBBTsGIKXd4PcFYC19uEcDLyw9ZRWsjAK\nBggqhkjOPQQDAgNIADBFAiEAsAHLtng0+Ik/DL5URYcw7qYWwS9/XLuojRgxdsTM\n+g8CIE7mCgw9E9HUCdUne0NG16nxQp6RZq4SC5xmPgE4krtU\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUR9w6bBkGFWvp3zyNG8ZL/b/8MPcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYxODQ5OTg5NTQ3NDM5MjAwODUxNTYzNjM5NTAxNDI4ODIx\nMzQ4MDg5MzA1MTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdxMF\nIAJcAIxpWWQf2RZoB2iaNGhKFe2Z9kwbd/bCImGOVk2Aevro0z2O3VP+HTaZBZB+\nfehezGCf0b7HKKDR7KNyMHAwHQYDVR0OBBYEFFt00+RPHLeazNEvEP8YeK3hszES\nMB8GA1UdIwQYMBaAFKcgdzyZSjG1Jcr+rrMor+wWbqiRMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHkx9XdXX0gE5L0OMZZo2SgbJ687jMUXLDgf90a25KMwAiEArtxYjP2Sb/eY\nJqxu2nJU1QH3IQYF1kHXd8PisN0/r3A=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUAeM+PMOELrElFrPwX1Cv9P4YkJIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk3NjU5MjQzNTQ5MTE0NjcyNjI1MTM1MDY4MDczOTk3OTcw\nMDExNDAxMzUxOTcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJe1p\n+wttDXsRU3fZ4Ky2iUlVNL3O112IbuJLPaWEeY6HIEYT0G2SovKDRuFuXI4XmEwU\nUMbng7XRfAA4lECHyqNyMHAwHQYDVR0OBBYEFPXmpHK9tTZEZ/nmRXS+qAIWQY3E\nMB8GA1UdIwQYMBaAFOwYgpd3g9wVgLX24RwMvLD1lFayMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHRWwvfXKIBqsIrsBLutn0bOUHz7s9vFro7tmBMYC7rSAiEAmRIOBmWD4rLy\nq5GzQq6iBxchj0BryWV/0SZ54lCyAGo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXZxs/zc63Xj3oL1EjAl20/p+iLQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZVc2SbAD9Gji+sDYt20e43jRHSTeX8SRmv2YX\nI5NcmwTa3vn4H8qIAW3Mux1txIfHn3FZ2B5te8vtZ7hU5siDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Oyrzd6zdjTqSUxyD2ppjWfMLn4wCgYIKoZIzj0EAwIDRwAwRAIg\nGdRN3TQBxcl/uMcmlD4gEpoj+jWUQwOHPGDmkAuHpHECIF8UYBd/iQ+WcEnYUSgT\nzyp3EMoGc1qPPrGcFIDpZ9FE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeZSWgjxueV7XO2Uw1aw7cXMi1t8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuoBG58R5CHH7vpzvlcLcaY0IAfLkEGAgXuV80\nxV9O7IfytIp/UZdWvv59xq92kyjSfmlZlVaqTzu/AZWbARX4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4r3YGkvkWwB8BP83JSkDQ+zJ44AwCgYIKoZIzj0EAwIDSQAwRgIh\nANNm4IoOhDqoOYWSUPp+teuYGPohzu7QP+YtN+bUB3oVAiEA+JDU0nK7nLpFeYU4\nTaIBANCY8R/3uZSnbKjmdc74gh8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUKGV7Lettg6yN4q8XSXRyuengUOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzQ0MjQ1NTI5MDk4ODUyMzI4OTIy\nMTIzOTIzMTkyMTAwMjM1MzkxMjI4MDA4MjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNanc/GtgRAJ+8w17h9N957aKiBhPFkFK+r8RSFxzdQe3vAiqBZRDeW4bbVr+MMD\n6wm13iv/XTN5Brh1zb5TFWyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNTsq83e\ns3Y06klMcg9qaY1nzC5+MB0GA1UdDgQWBBT5sXn/MTa3La84qFrvz95Ew1IJWjAK\nBggqhkjOPQQDAgNHADBEAiArRq/GDmvbslOKRKuHX97lDfpz2yhSBFMYwNmlmsCC\nzwIgDsa2gx9OgEIfgvEh7GIJncv+IZ6DpQ6B8GPaDndDWWY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUD9fLra58UKyhbCNLQVcKnHeLD68wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTQxMDE1MDQ3MTg5OTE4NzI1MDMz\nMDkxMjI1NDI2Njk0NDQwMTg3NzYyMzM2OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKbTGvdTP6363I1/2Tj8JwEKWSZcalNyH+gLbpD7dJP8Ye5r4vysmkhMmUVmvTjO\n4Oo1XT3FHqFz5r30Uzbbg8WjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOK92BpL\n5FsAfAT/NyUpA0PsyeOAMB0GA1UdDgQWBBSfTky5YaSw3ctWhxptnaCnM+dI9zAK\nBggqhkjOPQQDAgNIADBFAiAynL3uv74hscGZbqrPwxMZUhxVearYEQ/HZ/xJf8AK\ntAIhAJMfbmT1d8qXEkGgiknx9ZQWdrJWT2W7qxcdfSeLO1SX\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUDRyhJBOfiJnWUnzCwAncCGthqVYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM0NDI0NTUyOTA5ODg1MjMyODkyMjEyMzkyMzE5MjEwMDIz\nNTM5MTIyODAwODIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYhvS\nvZQ0SdqIlJtyI0mFwGGslfd9xPcglTwu62sKRn5noFzE9RbngUAIYPlJbHuB8yOx\nzhd3chCmfAgPCwBbuaNyMHAwHQYDVR0OBBYEFL5pjZb6hDL66cOzDRRAvtSb9QrL\nMB8GA1UdIwQYMBaAFPmxef8xNrctrzioWu/P3kTDUglaMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDWtLCARPj4ErQinWQ/tffwftTqWRtSawGg2FrT+8ZGzQIgVjVCHERWh++L\nL9AknO8gy0GL2cdbjSTSIK/CpmbWatQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUdPa6TcFLqyM8TUADVnn4MqQB5aEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk0MTAxNTA0NzE4OTkxODcyNTAzMzA5MTIyNTQyNjY5NDQ0\nMDE4Nzc2MjMzNjk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfcjy\noC7zTXmj1O53MA/kGczTHVAmpq6F2J7B7qxLlqraprh2p/xyh9HKy70NP/gVcaqm\n8LoJzDpbmlwGDf6A46NyMHAwHQYDVR0OBBYEFEFpE+9ixuUYpr0DPrlll0k94bpV\nMB8GA1UdIwQYMBaAFJ9OTLlhpLDdy1aHGm2doKcz50j3MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCRpPvOOrUzP84/0N9T8YyPkVIzsmNf8WyIDADexgl1ygIhAMh0l95/b1sU\nlIQmsHrazFsKcYb+xUUrxGMj6Cqi7NQY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdYbukv3hjXO5VgtE2KSKku2tEZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXSlpakohdkIfU+HZCgIYqedJ/2hf4Z+PmTfWj\n7qxQ4MDeBQAxWYWuXUdBtMRHoGvJkE5rxOHyUhOoKw3UlVngo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW8rl5YbmNBw56tu8cUpDINlTTCUwCgYIKoZIzj0EAwIDSAAwRQIh\nALNhLfMKtuQc61wUW5Q2hQ1P++71zMLLs6NQ83HlLwDMAiBq+WwZsxO4aImu6fue\nprPwZ8UwqPKPahJ5QiMsG92FsQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdbFVwLpEv6nAOJitNSwlxoQTx2EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlIy3F/RCOSp3Nj72/shoO4exc2CsXTlPBebTe\nME9CJGt6tdo6nT24PQlMWVUmVkCD0F5tPSicGF9pKJw+LLQTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURZakLZLwqC0i5Mt5+QTYK2VtlU0wCgYIKoZIzj0EAwIDRwAwRAIg\nSNDPitis7hLmT5iUlJBb1bgUSgcKIxAnQ47PUUFgdMICIH9e+L2CJiWRmARQvLeS\n7HqTfuLsmeJNQemGx0V1ZQJu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU6VUCmeAzKtnS+Zx58bRWyGs/JUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NzA5NjEwMDI3ODU3MzU0NzU5NDcw\nNjY3ODU4MzIxNDAzOTg3OTkxNDcwNDUyNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBqu2hwWlEBdsBZfzJOcCesK5F90MgQrJHQyFt3AGqzOwvtQqD/zVNQ4Ii6rNKRe\nSup5relrC5PB+jPnJJZc5RGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFvK5eWG\n5jQcOerbvHFKQyDZU0wlMB0GA1UdDgQWBBS39Kk+kGPl4okaDJVWncZWfECVxTAK\nBggqhkjOPQQDAgNJADBGAiEAgZKdccMBEAS6XgONmtARGYsATb0bUPM/kLDnmZ/N\nuecCIQCC0IbWsFE+5BAno3g3ank5r+X1g8eMeRkuKFePKw27rQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAS5n2MwLDXGhAqrxy+OC397tA4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzE5MDY2MjIyMTI2NDExNjM4NjQx\nMzc2Mjk1ODA5OTczMTI0NzAyMTc2Mzk3NzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKiDqNDoZ5iHfF4d4KBsAr0FLi73A0blt4GwePGiL0sn9zyWNSiE34xPmYyYcKUR\nTxEtTWV1aXcBtH4Lcg1uZ2CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEWWpC2S\n8KgtIuTLefkE2CtlbZVNMB0GA1UdDgQWBBTTU9Gj/QVEH+9dP5Mp+phgMqGmXDAK\nBggqhkjOPQQDAgNHADBEAiBYRMTwJKUM+4jytnAsUMe0EiFpBs2uMzrmRn5bCavH\n+QIgEkcqtM8CfwH8SkFn+LLhrzjEzaMlADMj+AsrpuhKL0E=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUCcuVv2UH9elbSHykDsmsBRhx2ugwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcwOTYxMDAyNzg1NzM1NDc1OTQ3MDY2Nzg1ODMyMTQwMzk4\nNzk5MTQ3MDQ1MjczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ3NzUzMzE3NzkwODU1NzQxOTE1NTA4OTcyNzgzMjU3OTk0MjUzNDk3\nNDYwMjM4OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Mjb4Grk6BV7uch6T8iwo386\nJohLC7xe6mukwIsRGU92CICaNiYH+aFyW9GIUrHA5RLq2lcSpPu2k8VmLOAUN6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUt/SpPpBj5eKJGgyVVp3GVnxAlcUwHQYD\nVR0OBBYEFCuObxtNv7n/rXlTeabes9tgLlQlMAoGCCqGSM49BAMCA0kAMEYCIQCO\nidUzjBh/5cFjxkNbT5HLSvkdhFTILOrr5NfDiJZ4eAIhAM0cLh9kRQxJXKmRiflx\nDXBZ9NfTEcVRtO4Txsou0r6g\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUGGTviDcy/GEDwvLYSEZIKvWpUuIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcxOTA2NjIyMjEyNjQxMTYzODY0MTM3NjI5NTgwOTk3MzEy\nNDcwMjE3NjM5Nzc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGUxNzA1\nBgNVBAsMLjY3NDM4NzEzODc2MTgzNzM0OTYzNjA3NDE3MjQzMTQ4MzE2NzY2NTM3\nNjU1MTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCagu3qxi5vOqHNsH0Kf+LE9QQ6w\nRgShtcTgIrmpstS4F8DLjmUJUJwLP/qs0PuTrTnaGUKHavn/CUb00Js2ULujezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNNT0aP9BUQf710/kyn6mGAyoaZcMB0GA1Ud\nDgQWBBSheHD5AHT07tB5DLxDfmHrtqpvFzAKBggqhkjOPQQDAgNIADBFAiEAyr6D\nP9JxZGXPqQgNWch8FQtghYTHMI6my8c7dlLXVJsCIGC/1jziF+ooMe35UBVccM0G\npJLTjBDgIWcweP/zPimD\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBqU1xWpOmXtOyaxBDe0p57ajmkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQD92ge/U1Ypjnr2SXn/RntAECr1V8+Z5kk5Zfg\n12PvjszoIwof8gKvC2t01q0sZd3wVX8Rk6H8+nZj5xaazzyso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFg0VHlqkEnDrc4rgLRo0yTbIQbAwCgYIKoZIzj0EAwIDRwAwRAIg\nT/i05eyWloK3ytMj2euVDgcCOUo3UEOFCoHFj0bMg8wCICTiGeglpP2Ts/8SG1Oq\neOUTdupD2rudTJKTNW77LJ9X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfbPrRmk09laIxnSRf7Ht49Zq0c8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6r5NdpMapIur3+95/N14S7rip2kaJeiV6COaG\nvZ38oww4wNDYfsGEpp8pHnEut5oLRvIEjQOQDQD4SYo4QHaro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcoSbd/ys1OVksNHz/R7SzFQkgbUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMlIWh0lrqBdQWrNmOf4Po2yO0z0MTUu69qG1+M07Bx1AiAA8jxRW9sd7iLIgFpd\n92AOMJWo0X9ATNHKfCH5/RscEA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUCx82PbewIoMPfgFwGy+/ZY8qWAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC8zNzkzODI1MTcxMDc4NzUzNjM2Nzk4\nNTYxNTQ3OTA0Nzg1NDgxMTc1MDA0NjI3NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\ne2lR3+4/R1AWNAp/kORNv5Ec1Ny5tRlu/P4I0DmRigHadJ5OiSmk96FVQZ+US2LL\naIgg4llTwlQAZYiNiOKiiKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUFg0VHlqk\nEnDrc4rgLRo0yTbIQbAwHQYDVR0OBBYEFIHs128pkU160J5UI1xTqBeb17S2MAoG\nCCqGSM49BAMCA0cAMEQCIAD0WCCCOl/5+ccnZCuY0SEsKyLVyw0iYDE7/a7eVIq8\nAiA46pQ3BkkLnNBz5ZWs9XUWLL4QhhHazyEIxXsMK2VJ7A==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUA8SEa4oSYrlYn94MFrJDG0o4AwIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMzc5MzgyNTE3MTA3ODc1MzYzNjc5ODU2MTU0NzkwNDc4NTQ4\nMTE3NTAwNDYyNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvNjM0OTQ5NDY2NDUwNDQ2NDg3NzU4Njk1MzMzOTkwNDcyMDY4OTMwMzI5\nODY2MjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBUqx5rnwm5cxWwcnxI24FlK4njz\nKICSd6UWUKDOM3dbkRQex4Zw40fg9VVgm7U3XCznxiIFmaV3VYciPDrpLMejezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFIHs128pkU160J5UI1xTqBeb17S2MB0GA1Ud\nDgQWBBQfb373awFSZszr4M/2CHaZB1huxzAKBggqhkjOPQQDAgNIADBFAiBsoq0X\nrS03T2ieHfniE8W8PDmFt9nOD2FOSEOARf2zRgIhAPtTI40gmooI1Q+ZE2ZRq8hL\nC5aY4HbSotFZoVww7Elu\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUGFCVV1Pt4s8AUs1LIbwirQ95wOUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTc2MzYxNzUwOTAzMjA1MDU1MTc5\nMDY2MDg3MDM4NzU4MTgwNzM4Njg2NTMwMDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFf3bfsSLrPJwxEHuUJAUhEdCjoYQHSv39Dit5n2MxqGlmr9av30KQ3kOSRaFWPW\nNX7QKOZ8MHBY3quqL2p08r6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHKEm3f8\nrNTlZLDR8/0e0sxUJIG1MB0GA1UdDgQWBBQj8M+kyRS0+goEetgEAv8fKLz4ATAK\nBggqhkjOPQQDAgNHADBEAiBmMwtLSuTwVMIkiD/Sjg34XLW/M9SX0HrJjm6zQAQm\n0AIgOyYa+pMORr+LpBJY7OzEUYQmrZuiDB9tk5ixJBRmTLQ=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUXfrqeIXh3RcRWDwk3kZ4hvi9TsEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE3NjM2MTc1MDkwMzIwNTA1NTE3OTA2NjA4NzAzODc1ODE4\nMDczODY4NjUzMDA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEzODgxMjg0NzU2MjM4NTQ1MTA2MTgzNTkxNzUyMTA2NTU4Mjk0Mjc2\nNTAzOTg0NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErBFvYQfoWV0XlExkhBZyvfHs\n3XPT835BO2bfUPltmZ1v7Ka1MCGEKjTpHC8/UWcV1GjYpprHEG6peedLhuldQKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUI/DPpMkUtPoKBHrYBAL/Hyi8+AEwHQYD\nVR0OBBYEFJq1J0d3GXrzCjTXsB0jKm+GuqDGMAoGCCqGSM49BAMCA0cAMEQCIE6r\nmhGWiySiNjJBKaaA3qMLhSZNulwR1w7TTOV28jd+AiAF0d6TcWhSJcyn43+xRHDw\neqamyiMgBeCzVefSeJ1Wog==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUSv8TB0nC8MLXUxyfCOr7Kn+22WswCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNjM0OTQ5NDY2NDUwNDQ2NDg3NzU4Njk1MzMzOTkwNDcyMDY4\nOTMwMzI5ODY2MjcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3wpJk\nAPJb2h1wEAkm2IYljeErxhbqjjTRAVVy5UyftpO5yEMGLpdX3tSz7J/4FrhhmenO\nC+1SXePbw64tLrgao3IwcDAdBgNVHQ4EFgQUC+3yP6AsJzJ8fpdkzO+wvk127wQw\nHwYDVR0jBBgwFoAUH29+92sBUmbM6+DP9gh2mQdYbscwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgGHBx0aKfHr3S1d+Qr5t8/OQsdwzn5h8bYKXEUjAxRpYCIQCzydrNMRjLKnaA\n7oNn9YWoxHeAuYfy+TH+cj1LCVYjZw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUVL48JwKX3HH8I0N96/3SoexwStgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM4ODEyODQ3NTYyMzg1NDUxMDYxODM1OTE3NTIxMDY1NTgy\nOTQyNzY1MDM5ODQ1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjzQm\nFlsaGCl4RF7E9yA8R3FmSZHqWjJXuQfD4QumVlta4KzXYn+w/1ZS4SyQey1IXmh5\nfzLUg5/Aywi/2ofPfKNyMHAwHQYDVR0OBBYEFK+xjaD7Fc461tkdt7XsX1TA4quQ\nMB8GA1UdIwQYMBaAFJq1J0d3GXrzCjTXsB0jKm+GuqDGMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIBTlGzcEkBMLjjf2beFtZSc3478lQbF0As4fMRZu7ReZAiEAyc+QpIU5GF27\nmiwfzW5poLgX1WaXNk0Hf6YrR/VD+Ig=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdAatMnZs6LbIGgPbq618XuyG7uEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQppGD6FEgCL/xxFLsplofkFY6u2rnhnMuQ8H27\n4sy9JNW0YMwnolJh1AYNZd81sQ8vCYpWPsOUiueajUKEVIpho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAjvLgXbHjogWN3alUohYSFnh5hswCgYIKoZIzj0EAwIDSAAwRQIh\nAIFUWWo+Qbhmk6g/DHe8FFlpfRQ5obUs/3ds+plZHbjzAiBqozbEyLrhj0U49BlP\nDg8kImj197LBRVFyqoqskbF3rQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYc6wrRipgqneW0pvYb9UReTyA3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6B0nqBEmqzAQYc9hqG5FQSgWZfuWKSzEou7hm\n7MkTO9+WOzhO5nlJDxAflsh9Ycg0msXxtk6EP3MxtdByW6f5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOj0KdZ+leNMClby2sRHEN82lGMwwCgYIKoZIzj0EAwIDSAAwRQIg\nFqfgBHLLZm2GFsAhdlkZvrtPmja53KbbVGmF/2HxL2gCIQCHTBA/TBlSkm3LY6Jg\nV+IosHUShhOuLQjFoQDn8hRGmw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOJ3As560sCQzDquFpg9xMiVeuMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NjIzOTE4MjE0ODM3NTU1MDA2ODMz\nMTA4NTQ2NjI2MTAzNDMwNDY5NDMyNzI2NzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAG52H3cdYGwjGjDZbnUq6F+wg4/TXLyi72g2Vp63D4cnIUFybj2hICi3xQL+fAF\nExWPnMcpAbLqeZZ1RnKQq/2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAI7y4F2\nx46IFjd2pVKIWEhZ4eYbMB0GA1UdDgQWBBSPEAFoq68AsDxIIPe7KEbjWf1K1DAK\nBggqhkjOPQQDAgNHADBEAiBGQo0Chs3xu97t+gCSyIJz5EkgqdACau4+nskMb9lo\nJwIgGEhU7Hr5yQZ5PBx5OnQk84fUlArOFh8JR+52ytoHbxU=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUNZtiifhS65e2Zmm1zrsqmKwFvowwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYyMzkxODIxNDgzNzU1NTAwNjgzMzEwODU0NjYyNjEwMzQz\nMDQ2OTQzMjcyNjczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMyMzIyMTQ4Njg0MjcwMzEwNzM0NjI3NjgxNzIxMDExNDMzNTgzMjQy\nMzcwODg3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJZFITrGeXqeUlk+ae4vKsumx\nYBhzpSbxfYuGCug7yv/KL2yaKzxOsCuzLDft87oCwOOxSOWq/mAEzC+ux2KZJaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUjxABaKuvALA8SCD3uyhG41n9StQwHQYD\nVR0OBBYEFAWjj1Yfkn2EHNt9fGBY+HNs7FKQMAoGCCqGSM49BAMCA0cAMEQCIDHr\ni5cSwjf/AvqTzaY+gm9vA2aKl6DPKQGe7q0mlSUDAiAMzyoQhajSWPCZ5PpxoJ+M\nvCaNP9h6WZB12rCrpYgVdw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUA9deDrY3T8k0Hr3GYRrPPVsqu0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NTgzODE0NDg5NDQ3NjQ4Mjk1ODMw\nODk2NDE0NjcxMDU2OTg2NTc4NDE4NDEwMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFrtanVoW9d61YI/y5isY85FTfEefSZuCpLV37suLR1Qu6lxE/OZmg6AXQKTbNnT\nngzINDbl3Hwu/PzhYvcLCZajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDo9CnWf\npXjTApW8trERxDfNpRjMMB0GA1UdDgQWBBRxFuuQFufrtvAIeXApB2NpKUrntzAK\nBggqhkjOPQQDAgNHADBEAiAHWkUHLvnXdyIpKaqbsPvj0tcbSDrl6C81HcJwAjRd\nEwIgWlC31zWGWciTHlt7KKTCymESIFBFDaXwsnMs6rG4Org=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUTm+74DpifZgvmEKoeOuzFdSdq38wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU4MzgxNDQ4OTQ0NzY0ODI5NTgzMDg5NjQxNDY3MTA1Njk4\nNjU3ODQxODQxMDIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzIxOTI5ODI2MDkxMTkzMDE0NzE1ODc2NzI0OTA0OTg0NTk2MTE5NTU4\nOTk0NzYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5gMIcaLcAA+bRM5p8FsR2Z6LG\nNWczENBYKI2ZuV60TvVSDPpj3z8FRK/KRQBCOl0XdxMltmMRD1bNsfeqSIBxo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRxFuuQFufrtvAIeXApB2NpKUrntzAdBgNV\nHQ4EFgQUHqQYP/QGn2y+sykzcydqOa5+9+4wCgYIKoZIzj0EAwIDSAAwRQIhAJ09\nJYhcsPcQQLiUnuxJJVpQkv4aCJRPHtwVamYgYE09AiBszIPiQaj9e8eJbG2frapK\nwRdfH3uiidoB5gnDz/WuMw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZ7FInVwSWrKxfAiNK9+iAkexBa0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIzMjIxNDg2ODQyNzAzMTA3MzQ2Mjc2ODE3MjEwMTE0MzM1\nODMyNDIzNzA4ODc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/kOV\nPHtiajDtg2hzl21xU2L/lpOyGsLggdH9gghqn/F/UmfpneVWWC7CnCgTgbnqITvF\nTLRuVnrL48rEeNsj3KNyMHAwHQYDVR0OBBYEFNQgkDeyW39mKmCGgD6aCV987Fdx\nMB8GA1UdIwQYMBaAFAWjj1Yfkn2EHNt9fGBY+HNs7FKQMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCsutTDAO/b/as48ZfBayWU7o8DmURK8xvmoX/jz75lnQIhAPXTOcMG/Hqn\nlNDPbdbYaLJZ7+n4kGOFoQZUxy854CNb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUaM/Qhz3lVt2B/YeUgMkoLsWsjW0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjE5Mjk4MjYwOTExOTMwMTQ3MTU4NzY3MjQ5MDQ5ODQ1OTYx\nMTk1NTg5OTQ3NjMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATTZWM3\n9zvLCXqAC3E3z1/XAPG7LazG1HWZdPt41IZC0EzE6QWN2pSoqAE664kJXAeiz4M2\nqgiFV8I+9TuzswOto3IwcDAdBgNVHQ4EFgQUmcnSkE8Rwjk8Hd8fYW8ZzyyHUUkw\nHwYDVR0jBBgwFoAUHqQYP/QGn2y+sykzcydqOa5+9+4wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgU92f0HL4kfmnoBsRW04tQ/B2C2da/mVCIp3qiYStCEYCIQDEVVKG0VdQ/SGD\ngTFz5+cY3Jaw0NRreiQXqgGFTHeEaQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYkIH6HyTtasMvtYkW9u2/xmMy04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATNjlipPof7dUF5uVRvfQp+6clTy1Jw/tg+c8d5\nXPG0ReKRjXBF6rMJTMEsyhKLcu+PX/X9CD5pquDgLk0+TPwio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8e+ofhiXtF36v6aJ5LGmDte3QVIwCgYIKoZIzj0EAwIDSQAwRgIh\nAPzv/Aayj7TUxLPSUeHiG7eT6m326oYj1wPKfdXOfRXNAiEA5tQ3hWyfOLnbyg1e\nXkAMR9c18Y0yUbWGVUEQFCNF+K4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWRCsGRla2h/Jsf6QAPyzyYpsPVwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQeGr337gtOppU9TTflQYI05S3NmXSqKiIrZRLO\nGnNCX2FajAbgE6QPehuPeLll6txv7BTFG3MRcCYPMKE2W1Ano1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnsqiKF+0X0TnVvgbplno7KPiXxUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJjM83pJCJDYI+lv7iQoxWVX6L9+h1WpWVv5cUMSRvx6AiB8VtEhVrfOdvltJgoe\nVZCSVEVDl4vjVPbAQdO9wbWvfg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUF4x8kNV5O8FmL9BC0K4l4jADERYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NjA5NTM2MzM2MjA5NDExNjYyNjUy\nNzIyNzMzNzQxMjg5NzUwMTM1NzE1MTMxNjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHfiSZcMy0ga4ZIyVT31L494dkY3OnmDnEx08mYPi/jy6Psd01t7/wV2o/LoOxNC\nr8IdpYdWWZi4yOhi9+1wHtajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPHvqH4Y\nl7Rd+r+mieSxpg7Xt0FSMB0GA1UdDgQWBBSp4Mo2PflzZzpnFMjqWPW02jtH7jAK\nBggqhkjOPQQDAgNHADBEAiBgxp/JB8nAGOTKb9SNUlgFiQ6VGCpPKbLz5KS74PKo\nHAIgBUXrbieEIuWDMoDTSSOUy/217aQTVPcZuS5IfVd2+b8=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUZKW06B1lKmCkTwKncq6yHr90RO0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTYwOTUzNjMzNjIwOTQxMTY2MjY1MjcyMjczMzc0MTI4OTc1\nMDEzNTcxNTEzMTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEzNDQzOTc0MzI2NDYxNDAxNDE4OTc5NzI3OTYxMDE5MDk5NzkxMTU0\nMjg5NDg3MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm7U0UfhoAOMCD8i8Y7TLHuFp\nVXpYYql9VQCjMDMOj68p0GSUskkEy1FQrQYqUmS/8wd/fLBKwxMa328FsO94haN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUqeDKNj35c2c6ZxTI6lj1tNo7R+4wHQYD\nVR0OBBYEFBQ20+fQntDWal3FSig2cxLeyOtuMAoGCCqGSM49BAMCA0cAMEQCIDRi\nXj9Auo/BHOhBgyA388ym3/plIUC6W0al+M6GmgiLAiB1OLiuo8UOUW4KdI/dlZyv\n4M5O9qbk6njdTMxfULpQeQ==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUDf7YzrIU0HT+r1L5UhXk/I5bD0QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM0NDM5NzQzMjY0NjE0MDE0MTg5Nzk3Mjc5NjEwMTkwOTk3\nOTExNTQyODk0ODcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU3NDU5NDQ1OTIzNjE5MTI0MTEyMjIyMDI4OTAyNzg4MzcyNTEyOTAw\nMjUzNDEyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnqTOoS+VRfVQQ1YjTy8tH9PB\n8QeUnF/4Uw0YXm2XFAxHyzUvkUjC9NmW2gFsT3OOumdHUpNRY2ERvGOS0NPlWKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUFDbT59Ce0NZqXcVKKDZzEt7I624wHQYD\nVR0OBBYEFC9DnHOfE4c7Lpe3QlX6XJLZ7qagMAoGCCqGSM49BAMCA0cAMEQCIGVv\n0Xbl2CV0KVaz9hZetFbPNwAOaLPzb1ItoI5ts/W8AiBDu5KqM8eRhw0r7cY0pZ7L\nSfk1CuBljVdhNUYKR3bdPQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUDLoOypfDyecn56mqUwetAUhFxvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDg0NzE5ODIzODA0NDAwNzQxMDg1\nNzg1MTY4MDg2MjMxNDM4Nzk3MTM3NjY3NDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC41KnlG1h6VY/5MIGre+bCUkSH3SMADJJi3HqWdNYqWLBKgcMkE3y1WHwGuSxwS\nCqMuEsuLnYr0204H00LfilajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ7Koihf\ntF9E51b4G6ZZ6Oyj4l8VMB0GA1UdDgQWBBRVDoVZnqUEeLS4+P0DeVGBUUo8tjAK\nBggqhkjOPQQDAgNIADBFAiEAsw1TxT1rmwjviuo9pQ4IfQGd3WtwypUzF8vCprgO\nga0CIFIuSP3KFBbnPp+bfsLfUu3C80g/V6JGJK5czuVDy5mY\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUWSSMNhDcdgE2I3dJcBdy963I6CIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4NDcxOTgyMzgwNDQwMDc0MTA4NTc4NTE2ODA4NjIzMTQz\nODc5NzEzNzY2NzQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzcyNjU3MTE2MzY3NTgzOTUzMTk3NDY4NDgzOTE0NjM2MDg0MjI0OTE2\nMzA5NzQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdHC9T7CfBuRyDqSqmtBEk9ETW\nrT9pyxX6IuyURaAekh7KBST3IZIOcVSkeFc7WIQ6A+TtRj0v3howUFHskUEto3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRVDoVZnqUEeLS4+P0DeVGBUUo8tjAdBgNV\nHQ4EFgQUVaddBh9sfNYtgDvg6F/4D7M6EbIwCgYIKoZIzj0EAwIDSAAwRQIgdFcJ\nXyEtoGPojOmREIiEcL6pxniG7Uvx3ET9MKRSCqcCIQCLo8oaf9zDocvajfwB3OGi\nMMrP5D7ZV84H/sAsDv6qWA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUXq0387iP/U9f2+GredfuRVUkdhgwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzI2NTcxMTYzNjc1ODM5NTMxOTc0Njg0ODM5MTQ2MzYwODQy\nMjQ5MTYzMDk3NDkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNTA4OTE1MjE5NTQ4MTU5NDI2OTE2ODA1NDIxMDU2NDQ2NzI2NDQ2NDA1\nNzA3ODEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQV5eTz9B9OZ5kGxAY0EucY67Tx\n/8nXMNWE129fSuV1Lhy2qQVtYPY65kqsXSkPt1MoGhGTbwHxp3sn+45UrolUo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRVp10GH2x81i2AO+DoX/gPszoRsjAdBgNV\nHQ4EFgQU/5qcg0UsDapOSr22Ictdr6A67M4wCgYIKoZIzj0EAwIDSAAwRQIhAMo2\nSMMS2XfB16v5I4ZIUVyLs5tOtX0qaFPH0DclD5MNAiBdBPJqC+bz2KIfQTrjHAdt\nd7UEfnm6FIFeTuMMIb4q5A==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUdxtQB5k69E6e0+FU77YGWXhkT4wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTc0NTk0NDU5MjM2MTkxMjQxMTIyMjIwMjg5MDI3ODgzNzI1\nMTI5MDAyNTM0MTI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEb9mJ\n5NhazMJ6JvM1eN8ZsrCIrtgUC70rM2/z32RSO6ClXmNlg1njWuI+7JH5cKny9u3o\ndbUoIDp2j/QWP2A2B6NyMHAwHQYDVR0OBBYEFILHz+JssK4yFOa07+Ihh2C8CRjC\nMB8GA1UdIwQYMBaAFC9DnHOfE4c7Lpe3QlX6XJLZ7qagMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCICP4zv7G0ye2LFLOxTSSRzMzrF2xsr0uAObrqySEOt8SAiEAtXPaYWRJG1H9\nNXmNJKVjSDuCYE9YlMoOEZh2zPR9+hk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUNGuNkGrfnITRjWO0/SRAKPWsF08wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4OTE1MjE5NTQ4MTU5NDI2OTE2ODA1NDIxMDU2NDQ2NzI2\nNDQ2NDA1NzA3ODEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Wy8\ngo35ufFHFrVZyfvWFceIHCyhZd2/1Aqtcf869KZ1CgY/wm2K1NpwMOqDDKASoi2U\nvs0gFhTGcOfY0dR+rqNyMHAwHQYDVR0OBBYEFL6VpzEFVEwiwVwQ0XWIXZdwud/V\nMB8GA1UdIwQYMBaAFP+anINFLA2qTkq9tiHLXa+gOuzOMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDnvMhuswqiNm5NN7YZvlDSu3om4M/7hzwVXSI2Zbq67QIhAMUWcFlIHMuB\nwEr+s+aJE+Su78BkBh3GTqKY4/9TLoBL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKnBMzL4GAdsBKVtWu1/LZe+JAjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ5Cag/4oq0Lxoy3vbrheaEwKs1Ud3J1qyGhdfu\nwIe2r2wxM3cp3Z0/W3hZQeZ8D6ZFiynBAdiGK0SyN3Qvf5Jno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0QISazXC+7jwKIsMuR8bM43zSikwCgYIKoZIzj0EAwIDSAAwRQIh\nAORGzj52nHU5F9F6XEUTe65KTNxsq606b4OkVQ/ZNsYaAiAvtbGhaSHh+2WNx/7r\nGpKnQCuV6rUtuGGI33JP9SFEJA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOP8Wpet6mRk5sQggfRMoozq7RvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjOuBf+YEsJzBGxuyD96Tdc0CF8+nMvUwTKjVe\nUSGoL+WAakdDcpFYi3xNgBu6+yyDQnOKKEODTjjuwHbCyTHSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYf42qIV6Vvchner5p8POaLHWwgMwCgYIKoZIzj0EAwIDSAAwRQIg\necy/5PHKk02QLyK9Wk9Luyv1DfkTcICn6pYv5MXDuboCIQDhbVu448BadjlU8ocM\n/SaZi7AeRbyrIsopwJiuCMAS0Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUGNXBkwSB9nZkTgo7Nu6otmWh7QgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNDIyODE5ODYwNDA3NTQ4NjYwNzM4\nNTc2MzQ2NTU1ODU5OTk1MTY4MDAxODg5ODAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOStpyutj26rMiFpjYs4nNOdDemnilBtzxkNFBvXjKpely241ssckqtk42ATAO3Q\nMsWPuuIZUrDLTNAQudNAjMijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNECEms1\nwvu48CiLDLkfGzON80opMB0GA1UdDgQWBBT2YYe/cftfXSgklKBearQjJpg+IzAK\nBggqhkjOPQQDAgNJADBGAiEA8PMI+0w9E/MsOPggvFZinyIG8izK2ATTWBpgwtfr\nKIwCIQDtS8njFFy+uCjpfV45SofqwhGXRE3PPZBapxzM8BsKgw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUElfA871Vl2snipZewI/8TJUFz0YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQyMjgxOTg2MDQwNzU0ODY2MDczODU3NjM0NjU1NTg1OTk5\nNTE2ODAwMTg4OTgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI0MjI4MTk4NjA0MDc1NDg2NjA3Mzg1NzYzNDY1NTU4NTk5OTUxNjgw\nMDE4ODk4MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt4CIpipiO+0YVJc+VvVTY90z\nAXml5oHEX1gk1kwrJF8u0lSuYmkp8PjKF64SD5VWm5RcXF2jbEmk76+tW/hhlqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9mGHv3H7X10oJJSgXmq0IyaYPiMwHQYD\nVR0OBBYEFLZyWITdfFuyd76Fi+g6HVsAitfsMAoGCCqGSM49BAMCA0kAMEYCIQC5\na5+9p0hTIMhmg8fcfCMtjyXfukWWZq+99IrfF9CW8gIhAOYFYqHT5wrLWbo1SJ2T\nBGzUWkSEnH75c+PZlkKGLKw7\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXSwgRd0h6YDrufQYJsdUsUIvr9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQyMjgxOTg2MDQwNzU0ODY2MDczODU3NjM0NjU1NTg1OTk5\nNTE2ODAwMTg4OTgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEwNDcxODgwNzIwNjI4Mzg0Mjk3NDczODUyODY4MzU2MjE1MDg1MTE1\nNDEzNjkwMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPtK8vEjy6jSy3yGB0qxrzdIV\nmPymscS9ltnTjwXjvyiinhlIMqNg6ATPfKevZkf60HfHAoM/p2AZNiLy/HnVyqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtnJYhN18W7J3voWL6DodWwCK1+wwHQYD\nVR0OBBYEFAFOqFwSCEHA7B8Ciysxdo3M4rClMAoGCCqGSM49BAMCA0gAMEUCIQDz\nmb0zW5mILvVVDpgt7VM0bdrcoF5byVGKY72xYx1ujgIgPKhSFwH0DkCQvV67NNeG\nNs/XbUNFknQTdBhCSornNCo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUY8ddN3z5E86RCvHHdSvNyekpR94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjUzOTIxNDYxMjE2NDY1MDczNzE4\nNDQ5MjY5NzIxOTg5MzE3MzgxMDQ5MDc1MDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBe/briclze10LNPom1OVs/7JEVIPgXghjbmFRD6Yb6AeSQa3JBL/jXRFCu9IN3X\njaUjm/UNQNCDGoNi73W5yS6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGH+NqiF\nelb3IZ3q+afDzmix1sIDMB0GA1UdDgQWBBSU4VslqakDMCD0wwH5rDx0wh0ccjAK\nBggqhkjOPQQDAgNHADBEAiAw71sndDXqaZU8WnWkgjncB9oSsZmhwLa8TidB5Yq6\nYgIgU90Bv+8Y6VZJ+J7AVkyVfdvL51qiQgUiiwRWTX1fO8M=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUFisGgxidP/Nst/pfb8sxYCn9vM4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI1MzkyMTQ2MTIxNjQ2NTA3MzcxODQ0OTI2OTcyMTk4OTMx\nNzM4MTA0OTA3NTA0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDMyNTM5MjE0NjEyMTY0NjUwNzM3MTg0NDkyNjk3MjE5ODkzMTczODEw\nNDkwNzUwNDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr91xqwT54bg03j8RvqN6oSfZ\n/3drxt9bl3pZzzgm12JOQy4pAXD37prqOfYPPs6tFMbMuFVJNm5IXwpiZCGhYKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUlOFbJampAzAg9MMB+aw8dMIdHHIwHQYD\nVR0OBBYEFCOwYSHyTj9q6mGHnSz73vOVscBUMAoGCCqGSM49BAMCA0gAMEUCIQDV\ndHA8IHXTPHjOBkiq2lFAme7dq68D1HBW9Rozs41HUAIgTSyXb//UK+VJiwXU2EJN\ntmNXXiIp9Gc4IuQ22c1CWlA=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUfX+4TDmf56Lu4YJik3AFI030FFYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI1MzkyMTQ2MTIxNjQ2NTA3MzcxODQ0OTI2OTcyMTk4OTMx\nNzM4MTA0OTA3NTA0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEyNjU1NzI5NjI4NTA4NDkwMzExNjE1NzA2MTM4OTQwMzE3NzIwNTAw\nNTkyNTU4MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0epL1sdAuSrz165D9/H6HWjQ\ndcC1M8wiD8beDQc9mF4yS0e4j6OxkMdLyWfOvjMJzUTHQo1mDz70m6yOMYz9PaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUI7BhIfJOP2rqYYedLPve85WxwFQwHQYD\nVR0OBBYEFEN4bx8BWOiSz/Fob7IR0i7Q32c9MAoGCCqGSM49BAMCA0gAMEUCIH+J\nno9UIr0unoQ/cLEETGmbLGLDdP3R6aQ1wK5w7sv9AiEAu1eXOyGqSPYO22YVMYZB\nShw1Z7DGLXHy7Pkf97KSX14=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUMD8Rc5g/nuUbHQ1VSLnzThHQ8NIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA0NzE4ODA3MjA2MjgzODQyOTc0NzM4NTI4NjgzNTYyMTUw\nODUxMTU0MTM2OTAyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0pO2\nHMn/3uhpe3sOXTu1+BpOHEznccb5EO/a0cjaUy5wfYQzlG81gmbj3O/IhQRBBCvz\n9EwF52gl8Qz8NaAnGKNyMHAwHQYDVR0OBBYEFN4cu8RKFSCXWk2JdI7AYjaPJw/C\nMB8GA1UdIwQYMBaAFAFOqFwSCEHA7B8Ciysxdo3M4rClMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQD2VdsMlt1+vF0HDV3aAxrgPl3yVfHApdzq0LuIh9hSBwIgdQbf8WTJ+sCU\ndebwiuXjtiQQCTMKDUHxL1ln3xX0ADY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUYMGJPROKUApk96hbLZ9F1Pesd9wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTI2NTU3Mjk2Mjg1MDg0OTAzMTE2MTU3MDYxMzg5NDAzMTc3\nMjA1MDA1OTI1NTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA+yh\nMdreNQOZlrjJsXtSoPv+YGTex172YbZQfmWhRRZErIUHehYr8j2gGcGzFOCkYT5b\nDqjO4L1FmktNkKJA8qNyMHAwHQYDVR0OBBYEFFmJ7h1nUgev+jCKuYE/4rvmQqLo\nMB8GA1UdIwQYMBaAFEN4bx8BWOiSz/Fob7IR0i7Q32c9MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIQCYcNQowWxhBjx7GldwJNsBaX4lwNKYGiPRvsV5bFv8lAIfEgufKHSSnwAo\nDXkv0qj8LfGcmgt1u8ZPmRWH3HQctw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUBCdJEgY+A2N4c6rm/CDxSL4SGKIwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsE/YtKgnT/u0\nEZ36ikOZrMOyQaf/HNZwizPcsDd9o/P10bC3NHm01UkRWqYimWrtlzIvGggHG4X2\nmiWXaQR7hqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKc31TQbJQanJFI/na7WjWjVkT/0\nMAoGCCqGSM49BAMCA0kAMEYCIQCNwfqE23tUHdk+pLIhx38nF88aL3AaIcrCEyjx\n+J2GFwIhAOch3W+0lLGnJeL6ylLW1rnola/ErF6l9uLuT1OxDv7D\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUeAdMmCAbgnA7zTsNxWCdEkrmhYowCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0DpjmReWSh0i\n3MeVbZ/yBRgRTD+5vsJuJcBfoaZpz/h2oDjIyyTGo66uo4RI9rA796UH54ZzDOht\nsDAHeynDYaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFOCbc2+AxiED43O7x8OnLbiBF+HD\nMAoGCCqGSM49BAMCA0kAMEYCIQCJ7+jK6oq3OdPjAKZWjxYa3tpcPwg+Es/LEVXh\nTWPmswIhAIlhSXpkTgc/MD6Hv7uuKHQthMYtdnRQc0AaSpD9PaEG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUPlOPcXOnEEwHpBphR1uV93k2kQEwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABGt780ZXb+Y6B0j+VpMstslRCLEfw7gQ7L79eXLMNRCNsykZ\nIDGSG0cucz8ZwDEWyUpEdOcyEAXB8jwZCx+Vt3+jcjBwMB0GA1UdDgQWBBSrRzbP\nZJHGTKK8uEipeJPO+Fq3ETAfBgNVHSMEGDAWgBSnN9U0GyUGpyRSP52u1o1o1ZE/\n9DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEA1/+ty82vliq8q1UK8zS6s1/AKX0zPK9wJiq/\n2wWDeDUCIGdelIqtEqfT+D5ZJPTtUfARxRgU2wD3Gj+l44TMrbuP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUVsKPFXPp7VGhmFg0VUEIeyUEFx4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABJRNqyWP63fHsOZsdfV740KIQVgTZ8+TngQYT/2TQOrXzwYQ\n4fnR81Sspovg0rwaZp78PzKwH2OftK03WD9FnK2jcjBwMB0GA1UdDgQWBBQ8gKsV\nzU5G/P8gbGEr9AWxEjo6dDAfBgNVHSMEGDAWgBTgm3NvgMYhA+Nzu8fDpy24gRfh\nwzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAtKfyDh8iDPErd37/pMAF0dF/AtI5LwOUq5ZF\nnwacxw8CIQDLYqdLcvuvJ8zqcoZwUhYPWt7w5g8XiR8cJUvKeIxphg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUMR8nGHs9n1eBhnIRogKRzzxdjukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFna20pHG\nJkJyt7izzyhALueJ4A9LtQgIpGx4+DY95wnbj2oSZaHNncqkfdZI1U1PEmDmQqBP\ns7aJrB9y/loQVqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF47fHhZitPIwj+TsXMyzpLo\n/iL1MAoGCCqGSM49BAMCA0gAMEUCID7jMu4nvc1bwOmlnJ1Cb2CF0UndJqbdNTZX\nWwIWHt4sAiEAzXojQJMtS2lsSUTj0nBuGSdDdXdX68rqlEeUek/6v/s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUFJlQ1curjZPEz+ofwukP+rYqZnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtG0nptae\nROnlREUGc15l0cs/QfomyCSZ3j+YpVCBs1fiO82wgesgM8npvOr1q4NDYG2Hs1od\ne+2ws1GH0Tim+aNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFBD1Bqf3ACRwri/CGN2nR7qb\n31zjMAoGCCqGSM49BAMCA0gAMEUCIHSnIHr1kV04OAi/tFGrM+/kzudLKKT0ZHbR\npSdMnmfSAiEAopnAXYToqBd5ayOz/2uwg7nBvS1iCg8Sw2LRvTF3NS8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUcvSmbThUiA/WRKs3T/Y+IT7JyFwwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARwakMmtG+T61jX\n+lCd7TkGX/N11Dje6qKamKdi17Zrhn90S26TzM+EcCAsQz/xFuHN3dVzhMP9/q9F\nOugYbRPIo3IwcDAdBgNVHQ4EFgQU3QMguNDaRWlQECSIxxz7fhyxz+MwHwYDVR0j\nBBgwFoAUXjt8eFmK08jCP5OxczLOkuj+IvUwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOen\nVrId92FMHQsBhvkVzxcxt3QwEFgT0QsoOyoSA6MsAiBUwOHiJEcTlKDmoUK71hhZ\nxdiDzhn8IKPJ+GbngELSmw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUScsItb4OgAq2jAl7uBgStfq2sjgwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/2GnnGkhHYN4v\n7HuPmR6rnjBEoZh2ixEJ7JVZ43UikqefjRqtaeWpzN0zfCnWdxu2dxRaYhIk7BHF\nq2zO6E33o3IwcDAdBgNVHQ4EFgQUItpLrH9g9srJAg+/6hA9HgO4Rz8wHwYDVR0j\nBBgwFoAUEPUGp/cAJHCuL8IY3adHupvfXOMwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMS9m\nAJByFKSp2xNnV7bHlG9QnqgNxmm5sYPySQC43t0CIQDJZTHe7sSvb5OyW/ZLaqki\nvLoJiH01gbF9jTRckjt7Pg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOyEkkpx9vbtnVQ7CTZbhXEZT1wEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKd+dJouaKb+xZ7Xh09Lg11GGmqX/ctf1ojElT\ngOhiD8EmsdhtBvblFnsExRmhFFZpGgtHoqvmn87n2Gh+ujBmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCmYxhJEtYz7wjNqOxWrN6KdoyCgwCgYIKoZIzj0EAwIDRwAwRAIg\nRTN5z+lNPkBFO0YwtkO/aZ+Do7wxFYa6ZNrp52M/5dECIFz7h+bA1+k905gi4L9n\n+cG/EhWbo1Ho5v43MVI/n50T\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfMpy+aidRm5DlBO4uCjYx5D6I6AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBM2+5+i33LDP/8KnSwRut26+DCj4A6qSTRdSi\nTiUKakgRv+Te5jl4JqfiqvetwNpaqCLLUA4q0dZwmPoSPNM0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5XRjUbxVB6Or4FRrmJZwV8cUDSswCgYIKoZIzj0EAwIDSAAwRQIh\nAOHjVkJ8ypC6gE6xE/vb9KLRlms9cHX6JP4+EvFMvVYLAiAtC88HY5KDlRjWqjdM\nWfs5X5tvoXti5+kDuziRDTLGmQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUPy0Oa/n+G0mRd/P4Zrux460PDyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABClX857r7dwyiCqX3WtIXh+5vENQaPwbpouVRUM/t7tC\nMFTTYb/h6DVW+Jv8qrdJLFGbhP/kd5u1PcXiRpGLGEejgYcwgYQwHQYDVR0OBBYE\nFLWMgAZFjQHcPxCJcM8+NIcoMypoMB8GA1UdIwQYMBaAFApmMYSRLWM+8IzajsVq\nzeinaMgoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgePcX\nkM/bgv911bVDrbz3mjcU/0rduxCFbqU4B0iWvFACIDWpb8OMHY157T+zLw2hqIhB\n0/rd/cg+5nFJ//Wx3GGE\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUKgzjxW4Gf/sqnvBXwUfgl86tb/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNuKCl5BoPb0lgo4aEdVpxvNcPxPWoqhHttBmd+8hvdg\nUkHoJft4Cj7iq1/m+Gnj/YlfdN3zr8kesoer1Lw5SFOjgYcwgYQwHQYDVR0OBBYE\nFGY9Pc2WEoyghcYUO2bhrdD2m0+1MB8GA1UdIwQYMBaAFOV0Y1G8VQejq+BUa5iW\ncFfHFA0rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIhAMoH\nnEXk71Im7dub4/ROrH22eGlFmzhINsDKJBN1QBJtAiBxmEb+mJOimXMTA8tq3slH\nE1GCC3F6AGxU4dvazFvUjQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUVig4F0xuuLBlVuoGSdKH2ZiNtVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLPLRp3MFfUqTuuw+XrVOjaR4rYiA0z0QaS5wA\nsanwpMs7epilAii4A9ZJbRibR/iK4wmqxTD7KcnX94fi4npto2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsTs9BEmF6BKx/npxhqp+7YcD2ckwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA9Ap73xfTMR9kNEE0VFuhe+yihkDPcgiPHNRf\noRFHGccCIAXEIOwgW0qjtQ2I/g7IPhUJkR8ZaCdpKhiMLkCQ3T7K\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUS3a5Q/ghfbV409VdBlrubuJGfz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9cAad+KUJTMtOEI0n99BLYvgXPC/SUQiB5xmJ\nA3nbRuVRWCEUvfJ/AY9Tk+GddWVj0IbsOa1ZgRPnHYPsn1Ero2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeL5MZT1G/bIkWiWG+TnzcC2zYCwwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAqs4NWMkn06WDK4+2QDgm3uvD849p2Fct11o6\nnqcS9CsCIDLfjkf80ex5LJgRo4S+8tMEKPdMBZcTCww2zzsPqECL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUTHavEZYju6hay5ztMwSb4fG4PIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOVNxcMcZx+6+1UYSa2mfKNfjr5pqU/SYksCie8OBSPR\nrc0WzBNDHEgW4/2/YwADPNDcQ7VKHnrjY9B1HjhL6OujcjBwMB0GA1UdDgQWBBTI\nULPH6KtGjAfop+7ktX2oOJ1fUTAfBgNVHSMEGDAWgBSxOz0ESYXoErH+enGGqn7t\nhwPZyTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAviqGQsNYuxj8mzuN9DUX/sZY14HPGWrG\n/KHHfIrY2lsCIQD5evtS+UDAEceQAuO69iPne31KXgWEJubsZmLBM2zbdw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPZXU5v2d1l0YI1dbn/4XKR5dWlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGEEFMkJf/HAq3828jIcHB0X/SzylNN6DYRX7xC4Awbp\n07i6SZTWDSJhfZguJTyB6rGtGlkHiMrgD6CX6ROKxayjcjBwMB0GA1UdDgQWBBSW\ncUPySf8cHnv5ypHqFvRiH4S4jDAfBgNVHSMEGDAWgBR4vkxlPUb9siRaJYb5OfNw\nLbNgLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAP4nQ/ztmSKFAWllOvA4YFqIozmrH/gcOc\nfSrQQC62hAIhAKD8uOmT+kh/bebB+DM85LTBNOuhXwe4g0NHqlyKftXJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCSPSOODk/rnOuVNjyk2xbtZC2fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrjA6ZN7LaSk2By4XFg8N0Uee6t+vlBmUxpg5S\n4A4caQUwlsfzbD/ioOAD0xA1LV5THsLY99EjVm39jBFK+Kjpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkmFyMxr5X8IklVBu++kiIEMDmCgwCgYIKoZIzj0EAwIDRwAwRAIg\nKkUekD1t5OxgZw+DhQ3m2iWTum9Cih0ySZVTqrUR2OwCIBWOTpoezMgeWwR4nEPv\nIu9oDgsMkimoTm/5Oln/v8Aq\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWaBoTFMuRZ67RcX+xUJHfeBr6ZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARn7EgOTPM+5ABnH5FwbsmwHqTy1v9UUcEKKGCb\n4dwRhtpwNdqHTmuJBtsj1EtntAHitliCSJd5ocpbIV7RiMJno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvF1N/JdcO2UhGTJ4tJrX0foGobUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOpjeA9/XCwM8Z6nlW4M4Z4+elNy/pWs+vpw0mK5duDRAiAyubp6csZIYjbJ+X81\n1q8NjNeycVGtTGi9FOg6gya1Ew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFTCCAbugAwIBAgIUfhb788tchG88YPAi7jY4d5XfsG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MjE3OTc1NTk1NDE1NzQyNTk0NTE5\nNjIzNTk5NzU5NDk3MjM2NDc2NDAxMTAwMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9kX7vsBck902uMIDvwaJlerXqq4USVGzd3fiABoWzFVf5G6a7RxnveQ/6tgBZ/Ly\n52OJxYVIL0+gyKGj7sby9KOBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSSYXIz\nGvlfwiSVUG776SIgQwOYKDAdBgNVHQ4EFgQUpNZ0/fH5BAa9OgXOsrbGMkTh348w\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNIADBFAiAXtzOr3/12kCBr\na8DcVRnknIFFbjDsW+9CQyx+MuxhUwIhAMjQRKyg+X7o3L1GSBvhTDPeN/vZDzX8\naeTdFEsMTolV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUQP8y4C+Q5Ym3tj2thcmOTTtSRowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTE2NzczODM0ODQ4NDk1ODc3ODQy\nODA5ODg2MTQ2NDQ0NzQ4NjU5NzQ1MDM4MzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHtn7tj2klEs9Eq8rLsd+O3hd0PdQxdCjDPVqESDi97mjI/oBL2edcunikrDpES/\nUQUWfYWq9TlQzdxLvsASwxujgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUvF1N\n/JdcO2UhGTJ4tJrX0foGobUwHQYDVR0OBBYEFNa6+fXADzNQLkx11TRCq7PQ4vOS\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgFNQUNVtUa2zf\nseTvdGEzKbfBSGXsb8V02HsEaNsvezkCIQDf3exQmqk/GsyLzpNScd4X8CAb3UHk\nPEKM+zywnE8SVQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8TCCAZigAwIBAgIUcH8OXCLSbp41k+/Lrlbd9lgpqh4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTIxNzk3NTU5NTQxNTc0MjU5NDUxOTYyMzU5OTc1OTQ5NzIz\nNjQ3NjQwMTEwMDMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQxO7Qy\nYFYghhRtseeRWNvKXKlQPJ3qdWQ9TPxQWFHJ4YPQ7rFgyCcnXbQfi7VoDUERkNfX\nhfTjLizZVdqibzWno3IwcDAdBgNVHQ4EFgQUXCUbVKpzyvyL+04aJ/yyTCNT/IAw\nHwYDVR0jBBgwFoAUpNZ0/fH5BAa9OgXOsrbGMkTh348wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAw\nRAIgFS1zH/g+noGOmBhgj4YTsea6ZlHeQdQJ0CKwdfQjBhYCIDvrCzsQQhCoFwt8\n7MaMWj2o+WxUsh+yfbh92o0g5ran\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUf1ElzInnLNL+f4RksYrSecfpOfkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTExNjc3MzgzNDg0ODQ5NTg3Nzg0MjgwOTg4NjE0NjQ0NDc0\nODY1OTc0NTAzODM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfM+s\n7YTg82y/CmM1LWkCCA5mL5t5E5btYiGsvowwRxETm7GgoQkD2L3wibSSkVgC+RoP\nn7S8xJWB9ydxwFL/fqNyMHAwHQYDVR0OBBYEFHzkxlblyiodYOpnrfWImlmGbx8M\nMB8GA1UdIwQYMBaAFNa6+fXADzNQLkx11TRCq7PQ4vOSMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCC6tfqLKT6hFSFBGk5aj+5NlVH5hHz6Qm1+6AQpRXuPAIhAOB53dmGSBgI\nuimJZDLDdTmq9wK983ga/KpHhw8gdqBq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUAIbmCPsbnnSrxLdj5ifNq3FIBp8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATO0upR8N/lCrQ+SPdQUX1zB/b9wGmGudIZatHW\nY7vbME689lo75CVIcblz6jpz6vq08PwZVOwHTsN+W+nUOJk5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTJ+JqZfdrvsS7C3rid3kqqqHDKMjAdBgNVHQ4EFgQUyfia\nmX3a77Euwt64nd5KqqhwyjIwCgYIKoZIzj0EAwIDRwAwRAIgFdRpFWkCsQ+jMS6/\neTvvMiYi5Pez3sk6ZKVPyVPV+VkCICZ/GB/BMB30PlBCRi7drzoLWyJ0ex9ebzet\nm1mFKLYc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUa0uPLOVZ7trU5xmjd1Gw6i5N3aEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKfKdPvrFicDN+wAQuw9C8bWoIbbr3LdTpcv/f\n6u023mSrwTCk6OCT9I1KghsS7IT7vhpQR1kfNHOis2UOyuAuo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRZqhOCdkDmO+CvQJmjf1MlxQjKpDAdBgNVHQ4EFgQUWaoT\ngnZA5jvgr0CZo39TJcUIyqQwCgYIKoZIzj0EAwIDSQAwRgIhAOaPQ1inBsmbQsgt\nQiQufCICzwskXFSSqn6wBCjfjjZzAiEAohB3jAlGrYfyJkHgzdYlQSB7bVE25t4L\nzGhRHqchIVI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUL7uGVInIqBAxwJf+fwU8mQYEm2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGwpOzK2De+GVdSKK8AURHHSlQ0a+IH/SjSfKm5jR5R\njDz9CD28+cFbdja02dpX3Bg513rRlOksC8PjpEVyu5ujcjBwMB0GA1UdDgQWBBT2\nXaitVQBKeaIN9QVshp/6/KQTzjAfBgNVHSMEGDAWgBTJ+JqZfdrvsS7C3rid3kqq\nqHDKMjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiHzmmewHMZdEAr5n3n0ORDxANPnz35si\nS3Z/fxzo17UCIAPCFHa4zzQATEqDdHnlhrSrs8hDyrIjBR1F0iIsleyq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgITZ396CUIkSJq+toEg44xVGYFX1TAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAE0409kK7agm+JlECnznqcunIvxonh3lsQN9+6CyYtHPRp\naRA/uKkE1b8YzygSQTUnceYe35qeVd+K/EST5Hx1vKNyMHAwHQYDVR0OBBYEFIBh\n/R77N14ACv5vds2zM7fHYQNCMB8GA1UdIwQYMBaAFFmqE4J2QOY74K9AmaN/UyXF\nCMqkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIE18oYsxavodr2NSoovILTAikYh/Hfwm9TVU\n3ZwUrwljAiEA5LHeCsDONjOpOPsZMdLJSit9wM0XI9ppi7kZANfE8k4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFOsUPW2wS1VuK9VMCa7VBeeNOcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFs3lryYd+49rTs660g7qKPidWcSAuOOSNzVZK\nRrWEvhKssTYyN+ASEjNiaAynoWpJQCDIs9E+V5reMRpzWOA2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9l5g4JCoTRX1zpP4D6Unb5p3eOcwCgYIKoZIzj0EAwIDSAAwRQIh\nAOMwTU0zm707ujwrJYQSKKI+ADnDLGXDlo+tXdrbgBvAAiBQv84MdhDmXX+pKOfO\n3lfMJd6nacnZ2ytqY0h/z/w9/Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUcwL3evJmwclOdWu3HVhFym8rLukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB6EKpDZaWxX5UNHG7dtrIPc51TL7O9m26dmdF\n2d/tF5sG0ViEsnoIBN3nFDR76AZO3CWSICMxaVUPgv911wEio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJkFR3TohlUOYSGuLIeDvzhyUWEwCgYIKoZIzj0EAwIDRwAwRAIg\neM4GoR4Enyl0E5JKBZ0W5YdPKSJ0aRtjQZlZcqYCDaACIFbWk8yzo3EveGwJmw9G\nErGgQqHr+x22I7GL3BgvqI4D\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUe58eSDXeXUoYejidfzu4AjmhoZwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOuPL5yDuP4tXRQQyTbbduXb5lgUbU2757tNPBoRVMIg\nHXCTzBm6nx3FojJL0LwVTuajZJGBkV0g+tGNGSQhfAijcjBwMB0GA1UdDgQWBBTt\n7XpGTI2PXBNbQs41PjPRKVv2mzAfBgNVHSMEGDAWgBT2XmDgkKhNFfXOk/gPpSdv\nmnd45zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAgJCXEFE29lqmRw913AdpjUhDw1QZuS9s\nio+bzQICIBICIQDrbVpeElK+9ZRB3N3fg/cMeE8PbG84CB3ZDXZrPeGyEw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUNa7Wssy9bCVOhfu3y6dawiSHqF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGhXKcqMh6OrgiBhbwTci4z624QjpWZx5NB/Z1YFd+8a\nY2nJatGGDg3sXmSM9j8FaX21mVcwz7iIwJ3uDXmlLLOjcjBwMB0GA1UdDgQWBBSg\nn2lSTAYfdnvmqQAqsqaUuO/ywjAfBgNVHSMEGDAWgBSMmQVHdOiGVQ5hIa4sh4O/\nOHJRYTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxr0FVby+PXaanphipxtb9BcN0xsA5lCD\niCSnR+B/OSMCIApGuP5meSSKEW6+ir4QhMdk962DWvl+0A2UY4EtmTej\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUGCiBpGmqlB4jVib/t196fmDP/mgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MTg0ODQ5NzkzNzg4MDA1NDY5Mjkz\nNzIxMDgxNzkwNjE1NzExOTQ4ODkxMjY1ODkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJStXp4F59FWf8Y0AMFwVEQeYLFFOl59fdLZUsVK1DDG0ksBeDuDmhJUwuh6sWMl\nEUFXdoOklLTmfIRuq9qsb0SjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTNzTUJRxhF\nLk+0ZhpfM77NxP3oSTAKBggqhkjOPQQDAgNHADBEAiAKxBPbLTiWG15hAVcwxG7v\nSypBX5KCSwRqgoI67QauHQIgMLFe1qP9Un83QHU8j6m/p0HaFMYjMppRg0nUpL5J\n2wc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUWKTQo7csE+3ZvqBY2NnVopHFNpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MzY0Mjk1MDEyNDU2NjQ3NDI5NDYy\nODYwMjA3MTMxNTMzMDc5Mjg2MzI5OTY5NzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJdJFyeAaWcbhWBxA487RFrrc9B+QNmdy9CxRe1sJgYbnktFwp/NneJYJLVQtOO+\njUCTWF5vhUVoFnNQNVZo4u2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRJAY/8u9I5\nHPFX0Ze75JrzKhNwkDAKBggqhkjOPQQDAgNIADBFAiBVyX8uha3oOIWyRWFtM4Fk\nm/aqA+LkLGfNj5UgrTRH8wIhANXfa+olN0VWOt7KPXXNIaf/S4POQSypdjpgvMXb\naAKw\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUDNDGDZZ4h1JUKFHvAVfcHv8V7akwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE4NDg0OTc5Mzc4ODAwNTQ2OTI5MzcyMTA4MTc5MDYxNTcx\nMTk0ODg5MTI2NTg5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYEWJ\nm7gUeh5+iojRPr+HgMGEDgTMGCpKe6bDXr/pu/KfeTQ0WKrfhPV/1frxmAeROFab\nYhZStZ+D9v/5RHDqFqNyMHAwHQYDVR0OBBYEFBEORxudTmxHvdqXT24f0DJqPy9l\nMB8GA1UdIwQYMBaAFM3NNQlHGEUuT7RmGl8zvs3E/ehJMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIBbVEa85Z18KsIov8rAkHpknyob0AxtGnSqwqZsjEyWeAiBE9arMU34R7o95\nxClMBSpUXLfDmD2Y0EnlOw7YFSO7mQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUXSsMoBA5EeTJQ1C3wbJ7BsxDlH4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDM2NDI5NTAxMjQ1NjY0NzQyOTQ2Mjg2MDIwNzEzMTUzMzA3\nOTI4NjMyOTk2OTcyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0tkA\nVM663zL8bHNbJoP+KF0JCL2OCOrBpisV2u+F8BitBwpfPjH330VQASGSNGO3BHaB\nHdenUSv2E28GScb0IqNyMHAwHQYDVR0OBBYEFJV7YQYugy9+EjxrjoDqDKDCpFsU\nMB8GA1UdIwQYMBaAFEkBj/y70jkc8VfRl7vkmvMqE3CQMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID3GlaMIrmZX0soNCZ6msxncOO8ozmSfjzB/GzQSIMRnAiEA26DJor4gpXiS\nH1dxeC+2zkAmK0O41G+xal/gcR4uHuQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUc5dxohNm3wNrbGspDPMISv4mNaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYhyHyNU5RChGXeeToE5s24MDYW6UokUhVEDVx\nAr0PgrAvRsT+dIC3VnU6gdByHJ0qWvuVJaikuyLO6ZnTu///o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOaCw96K8rQAR13QS3cwrLp/xGmkwCgYIKoZIzj0EAwIDSQAwRgIh\nAJVf3iVVONu0Tj3tTXfuQwhHNWSWU87VMWP+WmdJYriEAiEAsuWOnioMOHDpMl7a\neNjroirB4CcagUnBd4KhvTiwZB8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZpo18WW+Tqbw6XGObx0ibn4M0n8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFhjy7ISil13bGfa3ypjEF2oUOfo8twQJGEKuc\nJgjEKKmBR9zElxmW9ut9QLpZIOw7KdOx6mqtXA74nouYn3l7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgqdhVkzD6ynh9F8mc1S1evJbjFMwCgYIKoZIzj0EAwIDRwAwRAIg\nYlqHfK+yFpEWfza2u4vvlKmt3eNXIMZiN8MW+JTryK8CICJFo/0qWWAtxtzn/+kT\ntOI+y6k7Vt5xoPaasQmiBxqE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUOpl/Mghk3kgow/2o+oC+hSM/0XkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NTk5MTEyNTAwMDk1NjI4Njg5Mjg4\nNDE2MTA5MzE3MTM0MjgyOTM4NDMwMzk2NDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOONg/Qz5xftRL7tc+YOB2jbNOQ9ZQlTLOyZNVfMJgkbtteXQwn0GhGgvelujMk5\nfH0pHtNMSzvEIm41kDwC64ajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBToMMYt1KlP\nYrxB1UQ9EaKUaKIq1jAKBggqhkjOPQQDAgNIADBFAiBMLGDGNfY3+Mz9rr6fnM95\nS62tnlwcppb33FW9q4ptGAIhAM2Zm3UjvivlNLRmoACq88XR9/Rk9oJWx2cNZvX+\niPyp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUGiMpDHXuv7NukYsIz3HsACtzWyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1ODU3NTYwNzI0NzkwNTAzMTc5MDY1\nOTk5NDI4MjgxNjQxNDU4MDY4ODY4ODM5NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMAAmQhbr0KkyRomSrq8X3g0AE3wStbac9skJAWQRo8YPW2sXfOnJriZvLC+df2e\noabEX6NRBRsylk6XbDu6/HqjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBREzrqId4PH\n8lhXTSQQxDYQAONZKjAKBggqhkjOPQQDAgNIADBFAiEAgeojxYag+IZt+7C0tOXk\nsx6NXFJcjCv+5EYKaIAB4/4CID5kVEqZ2HWfwqJBeGJNNe1kk/3LgfEvwtezT/Ld\nusgC\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUBLazpDZLANutGM9oV78Yn18BjDowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjU5OTExMjUwMDA5NTYyODY4OTI4ODQxNjEwOTMxNzEzNDI4\nMjkzODQzMDM5NjQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUM4j\nsJb9jVewhT3DCsro6PItm4MnaVc7k9PziTqHjk2F4IoPsC0NS7qC+LK9x5Z+nwd9\n4fuJswa/V0nX2h6qUqNyMHAwHQYDVR0OBBYEFH7XxSI6f3qFVeOUiKVSEUuWo8JG\nMB8GA1UdIwQYMBaAFOgwxi3UqU9ivEHVRD0RopRooirWMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCICqAkB9+1woRl+iwjrg5hBcuy7ATJuGcdY46A/VAk2TQAiBBbqFDqZ2lM0W4\ncIMQwIdjajcqMdWFtEFHcrYNdd8B7g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUTNj6P2uApRXfd/9MUuFH17ykjBswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg1NzU2MDcyNDc5MDUwMzE3OTA2NTk5OTQyODI4MTY0MTQ1\nODA2ODg2ODgzOTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7THR\n5L/1PDOHNwy6X6QV/QL3ozvKrZACKsggCmfxuBmspgl7WkV3UxCFNUZI41KuzkYn\ntlONgsZY/iEsB869qaNyMHAwHQYDVR0OBBYEFPz3D/TU5W9GHNwQSJZJ+GzHOz1L\nMB8GA1UdIwQYMBaAFETOuoh3g8fyWFdNJBDENhAA41kqMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCICLDgIzKScfjREpqr7e7/kAje6jo8q3sBzGh1DAeTO/SAiBYa8uGbvycjCRt\nj0ARQD/6PgTy/e4LNOxIddQj5R/AVw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeG7oKXCieBWngvab4BDxY2vySiMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsqOEx/Ox65YR3+NdKTm35qJXSfiSoLS+qiMBM\nHtght5SpYwAWeUp3xkWK2nSgqERXUX0piNQuOBgaxErsFVfxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNbPr9Nou4lS2vg2cI1DVl1aCYdgwCgYIKoZIzj0EAwIDSAAwRQIg\nebY06jnOghG0k7yXoRDSibrDH5sQ929CyhqTXmumGPgCIQC7M6LSCTks1XWm7SxS\najeeBfLEkUnMnGDUDdFzMRYMYw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOdMZblsKZv+A8WzPNPMfBPDePdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF9miHACfb5sGafwtTtAgThy+qbIPkcfBwvzmO\n8E+VGSFb7F8SmtSzqrrFLoWgBpK5QFyQCSLU1NnefQMueuo1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSubof7NrC7rKivxaGs3unHn9G4owCgYIKoZIzj0EAwIDSAAwRQIh\nAPPEmHkjLaDV9OUe04kgWnl1y0CTCfHnBaY4XJ5xiNAkAiBGRk6hJWe9g+mtfCvP\nY498LzyZEnXIRcLm6yEo4wKFdg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhDCCASugAwIBAgIUNAvZm2JoOmxHsJOfSgS0lmOf6gowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/2b9DkTyY3V9ScLmH1429WoH6+e9lMbL9KPz/hxdUa\noOli0s7gJj4UJRMGZ98AhDYA6M+Btj4VVmXLSfPEQ/mjUTBPMB0GA1UdDgQWBBTI\n2lK+sbg94NVatvTowMi3+H2ocDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBTNiF9AttwX+mx\nnuLihMtk3lhMPYuHIooAV8TVTYb/XAIgZHh44l26UfubYBvMhVeHboAI4F0QrsN/\nYmXQuqyiLO4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhjCCASugAwIBAgIUagUGQGWsj/Ks9AUfikZL4ov6t/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRqG3FvPlxbMTQttiDcPepMnZ1H+ex/tfnV1kK8tYVM\n6MxziSfegDiAx69P2S9NmdK0uhOYQNVmcA3f8OnhqqCjUTBPMB0GA1UdDgQWBBRc\nDnb4hHmj8LLbgPOqaLR2AizULjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAg9K6dihq7+FN\nUzwHq+842uDFNOxTyDx84Rg9iz3tSFQCIQDz/cIoB1J0wS0d+Vk7GJXU1RwJ7Thl\nqjyIeJWhA8wvgw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUP2q4NGBtkloM+6gOGV3ywjvhRP4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6VtSyswtDuiSSTds2CfVoe0aiKz5V5Sj9H9Nn\nYzAjWif1CjJ2Hgrp2x+mO1vXBj++2kXPm3tJ2MGNRsr8USnpo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUMzozFVc3aJDH7JMWSA9OF5mc7cwwCgYIKoZIzj0EAwIDRwAw\nRAIgR/Cgmnqk5feK7UHLjHiMTK6B7wFJnH7UXoAOghLxLVcCIH3K3aISx3pElZgf\nmCHYonTYS7KH+dFAeumAEomh92pD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUD4Kvi5YF15JqAruPuGvDU3qpJCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBrtrIA2KNccmABf3FL002NczOpzkmavLwPCzl\nfQq5d07NIM0LTbfJtgMGKaB5ErNlAjkO6hHG5yVRF4XKSRqSo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUwj2jOoWnwlPWVKTnK5XifrWOv78wCgYIKoZIzj0EAwIDRwAw\nRAIgYGgdnuCEYVnvH0IYWojcPbj6P882FwyPYY+mkOE8i1kCIHzl5xNH2VdKLvR4\nvzwFiGhmXL7X5xh6vtJniBPpkuck\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUE5v96HsgIdPm3msuZ14WJ8ZuVUQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGbzb3DjBA0BZya+Vdj4EKAQqaUyOsCCjhVnYrp6xUkh\nnO9nF5+G4CSMvhm88DYei08ZnVzV4U2wqRc4z5VsGiejcjBwMB0GA1UdDgQWBBQd\nXfVbGPZSH6bKKfzC5xk38fVweTAfBgNVHSMEGDAWgBSBneojsI+n63Q2EqxNyBLb\nxWVQLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAJPT/jhgkTThjmqB7sv9bEGfp47Rp54lCI\nurcio34bfQIgUzOKlzLqL/M+hk9ktzBgGtb/UfxmatEDnQL/BnXK/+A=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEMSjZRaO8xjBud0s/HWbNmn1BWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD5dKC1WcB7v1sX01C3BkvIcnjjDkhIAzCUgIR0xP00Z\nfVvVza2JhJHS++7C5bz1d5A9sQ5Xn3KLqcD1eODk8BajcjBwMB0GA1UdDgQWBBQm\nRfGcmEyQ3Cg/ehxUwSR2hBGEMTAfBgNVHSMEGDAWgBQ9ShPftaGO2kBa2yZOjBjw\nOT2SjjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA/W+i5NCbRCwKaui3hq2bfJxI3TDPsjuo\nD1d2uvYZu0gCIHu5/tlCRZYerWq4tEgcRfqP8Q/2CE0w3FFV7+MeP6mH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUC6xhShS1BudX0iADBHpbRQm1U2UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxoJMkiiCaMvRSQJPtWUJN1fPFruZO7+zvaipC\nXSeioZFjoJjbjNXefZcz1PP2uSnkhZYn22rRSS3kAVsRVqfwozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA3pDTFPZo/11ojrPaB45XyUypVIHqW69jdgx+pyLq\n8B0CIQCaQfqWeNzq536RCZWaQYAzWFZz8r83KHVf1mywVxVchg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUMSlkL87hWKXqmSk2MeIXKcRViHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATN8XZQQsHSYT9wZ6vC42sf7v6DoXsE1wlMMn+C\nTtUk+Q8B8noTy+V6Ynny5hiYkQjk5Yzkz+UiMYQdRixO0FkbozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiA7B2u0MHFlCkYF1KNhg6WBPsNlnreLfUpkzQEvoSxm\nygIhAPBvUPeu4jvzg/Gj2UmV8WgaBrchGCx9uZYRSOnVxEW+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUAV8o/R/F5wKd0OpNpQzLl56LxVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP/S32WOIrb/X9r3REX2ocvYfZi0fQx06IUQj+8qtuKw\nJ2mHzNOW/bewjHmdwaDwALOjI1QGRaeW2SybsMfQhyyjcjBwMB0GA1UdDgQWBBRO\nQAoC1DOrRqgYQITV9vbECFxtxDAfBgNVHSMEGDAWgBT/B53zHK7niJJazo9y9TL/\n6lHjkjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA8PTk0ifw47kSyDzsTfVETv++wk+8Mszk\nkltWdEZIk3oCIH4eF0TB9jJGms4Lmo3pJeycFvpWN8upSOrZTI1gZH16\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYJR3D0MZEfDUZT4cjJjXnQPJ2uIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDh/Yhuq3Zf1LEreR64wDo0ScWECwZLLmbqjlsxB+EJ3\nXB7u45naYRJVzRsfyIdFZSebE6fag0E7Asu/ahfgZcmjcjBwMB0GA1UdDgQWBBQ4\nJ41v7DlJBs915DuXteKF32R8hjAfBgNVHSMEGDAWgBTA0Uw/gIZDW1j28gqjz7QX\nhBInWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAoeDz5K559Z59faZ6isQjDO8NdbGqHiYW\nHFgAf71/kZoCIQDDN+CtmO+DaVtDsBDCpWupzQkckqJWPp2qGNiI6BmPng==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTt5DepfB+7ZH4gPfGd8e+cxUs6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxbExSzdhXqHu3ojFboHGB1I274bkM4qEF1xfx\nhyE+JTAxSFknc24Gw9+EPThpHEJMLJzVhBFI3Y2FdprE+Vpuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvbzFuNkcY8GAalYCxBG8Nx4L9sUwCgYIKoZIzj0EAwIDSAAwRQIh\nAPe9QLqBN8KbVnux7M7V91GKd5b2bC82TjxPZiAT5I4TAiAklXKkOqnMlx4BRNU6\npIrqt4er/MMi2XAV/8ue37NEkw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUWhS+Oh9RtKgdZzZDFCx5C0ck5x8wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfgK15yyw7wsNNG5yfhYvrHgayIrEuLY7\nWWnXBy1ZV8tZeGi2z5bnrxWcf0X5OdJLWX+YFajnLOp0bTTkM55w3qNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMQegcMC374yaYm+llHqwXBTuwDnMAoGCCqGSM49BAMCA0gA\nMEUCIQC8yNTnwZR67RH9LUYk15UJpe7HPSYX0XAyZFWvC00DRgIgIcZFH3K2Ku1S\nBR3HBHaeV6LfbNeMsWt3I2HQhpyqpsg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTnyIN3Szfz6l9RSSel0YajUrq0kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQToIFRfCOK2tR1eSvEK8GAQtWwRLS2ir58jjQM\nCbTmjbvPN2FnekKDtCAStcFkaVWBOS0ZHtq3Zg6o8dTkAzS0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUorUdtUwX63GtRM+QnRhbJzw1CW4wCgYIKoZIzj0EAwIDSAAwRQIg\nNr0uSa+b5gPQcbfbb7B0PikSDb2hlI0bGJkh7i/XTGACIQDgda2ELuv6+1Rx1y+y\nA6rZH3xZXNJ6zx0K8vxQhQkvCg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUJneGuaLqjLYnfxeXV1xsi5NfN/EwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWB78UdecvTc9QXy5IbJymPpGA32s2/30\nicGlgtbV+/lmLL93AmDThaj8YNuTTKW0ANmY8wBXaA5gXjzFmvzzJaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPnkkZ6rEMWMXq7tpaGlb2aOhjPmMAoGCCqGSM49BAMCA0gA\nMEUCIQCDTXVv2/wsIBXECF4+Ay7VQQxl1lTI4yWvfgWgHHqZtAIgF0GsUJ7xPDyv\n5gRX/rCs6hOGsv5dhoZQ54iiS0srxts=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUNLvLXnXpXRGJRnVlf1zjiicVUcswCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxbExSzdhXqHu3ojFboHGB1I274bkM4qEF1xfx\nhyE+JTAxSFknc24Gw9+EPThpHEJMLJzVhBFI3Y2FdprE+Vpuo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTEHoHDAt++MmmJvpZR6sFwU7sA5zAdBgNVHQ4EFgQUvbzF\nuNkcY8GAalYCxBG8Nx4L9sUwCgYIKoZIzj0EAwIDSQAwRgIhAO/IgCB8RG9ZHVmh\nIi9qrKioBZUDXMjGvwhmidBsFlA8AiEAmmAsjdf2QlrOjURZhTMm3INrc5Ahg97u\npkLl1Rrut+I=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUY+esZUcm4heJRwpzwNodNa64RngwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQToIFRfCOK2tR1eSvEK8GAQtWwRLS2ir58jjQM\nCbTmjbvPN2FnekKDtCAStcFkaVWBOS0ZHtq3Zg6o8dTkAzS0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBT55JGeqxDFjF6u7aWhpW9mjoYz5jAdBgNVHQ4EFgQUorUd\ntUwX63GtRM+QnRhbJzw1CW4wCgYIKoZIzj0EAwIDSAAwRQIhANb+8QYKR45umGin\n0VVwz0f1LXKXj7CH0NLwuLOjekNZAiB8rNZ6ABgWRPoFEq0A/8q57dJuuPYMSsPd\nfb5mSi8kGA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUHibc+M/EtDAoYqRhdQeM9gqRh7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDlVU+/a9INc/nYpyPNCf9Hwn2cZdR5obbsscd//jxPV\n/pQe4xEFWXS3tOFviu2hTrUrJVApWBM8XyRzx/ymvfyjcjBwMB0GA1UdDgQWBBSx\nL9FR03IsbZD9d1Bxmf++o2xEGjAfBgNVHSMEGDAWgBS9vMW42RxjwYBqVgLEEbw3\nHgv2xTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB/L7LlEOxHcihMSzFou51nPX0Up0Rd2pvv\ntN1cQxgFqwIhAOvs2t5tEmbHmFgcvUP/iUUmfuRN0ybTdhKCiCtmWsqe\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSS/Mj/EyS4JT4nx22kNODU30jgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPJMjAAxwHAuAiyPShHqlOIVUpP26rTE/ZI4EW7oCTlz\nahK41sZeYYfDaX6xtZV8TfZ90Pen3ltWl6VIg4J1pXWjcjBwMB0GA1UdDgQWBBT2\ncisgMdpb6+kTq/aysPKOZjy9JjAfBgNVHSMEGDAWgBSitR21TBfrca1Ez5CdGFsn\nPDUJbjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA92WWcXYGephMlRUNuKJns0Ovs6Go0yCR\nCKb98AEVf/MCIEn/y0RhkLBlZwcQQBdmgL3hJITBD0h1YrXQwbNrVa/D\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUfBsGkOiudIQYV5aDVi0cDk4Fr28wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD1Z7woUUZXy\nSklAKxALxx0YVFvIxQTcH6K0ttXPhAiGiLH/ZDOwnHrdDlPaCdJXVrEXSS+5z+lY\nQc3UDmwA9ICjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT9PdEgglf0c52LXpWWlgq+rsy0\nbDAKBggqhkjOPQQDAgNJADBGAiEAlgkxxhm/ecpQrhgla/Si96lokHZNOijMidar\nytNEI4oCIQDannc5PG+44Jfd87i6zQlS8wpkxmnHFzh9EubYYxoC+w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUURihrwZEVapcgyb3GTLNsJIYyCAwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH7s7sbwJPHC\nzHom04iCLgiQ35dN555JlOd6uQsw7mpFz39HojtPkN7cGkcS+fvSLjjpJC2ItdTj\nC+fMhKMqA8qjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRmH1r7sundB8Ebk61wnIyo+54K\nYDAKBggqhkjOPQQDAgNHADBEAiAYIpTYt6MbDrY5/Utq6pF1xoPksyeo4FLiSyWB\nRpmgvQIgdtWyyVUk/mYqHRd/Y5XYd16S0z50UtTsrVxxDN4nNlg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCHwmXIe4b/CKvqcfSjiVhWxmrBQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnSsCjewx3qqf8KsMRQt7xHMv+oLK7VEfpd8LD\nBlEKl61OY/Upd76GH6jjs2nMX2Y/eL0h1ZDjQVWXkvlRfQeIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU21T9eVf9ZGwm1m36qF6ch+qF60EwCgYIKoZIzj0EAwIDRwAwRAIg\nX++3kVAAEAwJy441OrURPo7DKN8d1251spV/1UZw6HECID1CiUcU/IsQZL7S2hwX\ngo/e7sKLahzdYs3/uDK1ulji\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUbqwMb9Qbody963XMcHFATH4cQ0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80ODQ0MDU2MDMyNDQ1NTEwOTUzNzIy\nNTI2Njc4NDgzMTE1OTcxMzQzNDg3Mjg1MjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n8LAa4cPe3ID+m/c7F67cLVpiOi+0/A4uB95W5/WQjbF25u8uv+uTkdhTN1spfXuF\ncscpNojgDUqC3n+t//dHHaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU21T9eVf9\nZGwm1m36qF6ch+qF60EwHQYDVR0OBBYEFNXmvwwTQnijRpGZrdQLc9c2rbhIMAoG\nCCqGSM49BAMCA0cAMEQCIGCgY6INoPQhBn/51eFzHDnhAda35254UOVExdo0Ep2u\nAiBzBnYXPUlV9YLVgFTkNQYlqr0lZhHyFB5x/VJgjQ7O7g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUScvAodR7SYRsIzojrXXAf29KFfowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVbHj2xzCLnw9+1zjPrISDQ14Q+sgvnYjfgyKG\nGMxd+JMRUErPQM4FTmphaBEgZKrDQFzzNOKN4msdKH+ZJGBdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKnROm7nX2qmaeZlV/DXERb8HUeowCgYIKoZIzj0EAwIDRwAwRAIg\nLzXWOdG9s4XcFEayuFOT8fBJNOyQrt7z0kMyMi00tdwCIH6hoL3Pc055Agw/Ttmu\nj8G9SRbqZiwrVdlk/5IoTaCn\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUSV9QhnCHZwTYJThebMdIeTJEgLUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjEzMDAxNTgxNzIyMzg0NTI3MzI2\nODc0NTg2MDkxNDkyNzQ3Nzc0MDQ5NzA0OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPIP/EPXE5jrep473bDhGX1/azbOauGGoed5CQWOW4ytH+Te2w1+G4z1uhUYhwfq\n/cwMU8DN8NpS9yTualnW0ZejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCp0Tpu5\n19qpmnmZVfw1xEW/B1HqMB0GA1UdDgQWBBRURFlrVf/FySeiI/8PJSGr5micFzAK\nBggqhkjOPQQDAgNIADBFAiAh2i3L5PYJt2tOsAAGLnBObY2u/2coDb/E7Px3lQNG\nqQIhAJlNytoSbZAXJ32G+ymPo4wDZklBOKPreB/1HpWS+/fM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUQsDH8vo/dIPLklER3JD6IyHMyd0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDg0NDA1NjAzMjQ0NTUxMDk1MzcyMjUyNjY3ODQ4MzExNTk3\nMTM0MzQ4NzI4NTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3NsuS\nGGQT8tJT38mcviadjIXJ/TPm/aTtQAiK4njOgOW5Dnt9RcpwSZ4KfSxCxCitXcwL\nNlbm/3fV2vsJn/meo3IwcDAdBgNVHQ4EFgQUoM/WaB0mziy8y60L+snsfLZP29gw\nHwYDVR0jBBgwFoAU1ea/DBNCeKNGkZmt1Atz1zatuEgwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgaDL9fj4bK3CP6uQy5rsmLdxBNcxULxcSexEd0hIcN88CIQD0aydVfJPZnTuZ\nTw6i5Xep1eSTblfIAKG6LCvmn8nylg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUDMlsmTlQWJGbHv9JLe2tPiRwBp8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIxMzAwMTU4MTcyMjM4NDUyNzMyNjg3NDU4NjA5MTQ5Mjc0\nNzc3NDA0OTcwNDkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELB6F\n1b8bBdvxk+yTXsAdirE/n3Q6+gEoz7OpbtthK2q270mv2ZFJYqxq3mr+xnsnavdk\nyYxLH8kNmHWtptiWBqNyMHAwHQYDVR0OBBYEFMCcezVHQV5bt5D9QxwJGGBVOtBK\nMB8GA1UdIwQYMBaAFFREWWtV/8XJJ6Ij/w8lIavmaJwXMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIESLAT/4aWawLey8rdVfv1kgqLAGGKieQoeTh/WOF2BhAiA7vmHTNznxWlnO\nBu2XvN7crOns4se7Mq4AhZ4HgNsMIQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSed/v+FazOKx9zEI3LuyDpOViD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVwidcIcbGgbdgON4d1b1Df0eim49EM2agYCZg\ndmi+I08x2/5G6U+tZ+TiDoPEPe6BnpXtShHHOr+d90WZnljLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT+JQslhe5+YBFu0bejMNsy1XIZEwCgYIKoZIzj0EAwIDSAAwRQIh\nAN2IrgH+BP9YzkaRSK5QShDeXHci7JwNb9j8EQ+GOSv7AiBSgOwGuPS1L8L04FHp\nf1NesA1TvBGvLTTzZcy520JxGA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ0z7ZRjADytWKM0Gh17+3oliUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2kVHaP2nhKjyMhVbNuNHqqdsnU+659wjrHv33\njfybkXWIHt+MKh8MpNtDfh6am/S6+tIiYtJscwRftzDW2eRWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+v1Juq66soe/mGOWZ1WVKXz8Kc4wCgYIKoZIzj0EAwIDSAAwRQIh\nAN8U8t7xT/U2X0Ssh+ctzIbugmm2vl5kZTd+XFQzkRpPAiAruZDFl8EQuGPbH3rK\niiYt0l2jDikUTwWTAxKhAD7VOA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUV6rILhnPgFgYYBSk5FniKvCmFl0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA0MjE5MTg5MjY5NjQ3OTQwMzYwMDYz\nNjA2NTg3Njk3MTIzMTMxMTc3NjAxMjkwODcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABCGRyNFEwJFr3Te+Ge4f4ROmffWQBZTWeTiz4W+munDg4b2jwOOULs4uK5Pa\nvj0HLROobrHFOGXC28JiEz+mWaWjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFE/iULJYXufm\nARbtG3ozDbMtVyGRMB0GA1UdDgQWBBSc9W+X0MBYK9nSL/WYN6Sjv5weFDAKBggq\nhkjOPQQDAgNHADBEAiAM2WpOirADuPDSM7HM7f0lz6h8E/8qTchqsM2aSFhc9wIg\neGcdrceb0rvPlGUnEJxkJQh5sZM7PlLL+DSaKk0jCVo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUUu/Z8K41XnPCyfPSkLsL8L2cnQwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDAxNDA1MjE1MTkwNjY2ODQ3MjIwMjIz\nMTE2OTAzMzM1MzAxMTYzOTU4OTMwOTg4MTgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKOYNFQyurCv5G7Ymgt899QPuzCR6y0h7uoUB7ghWarYvdiz5FyhwuYMlLvw\nEU7jhscDxD20TkVeWoEqvBRwpuSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPr9SbquurKH\nv5hjlmdVlSl8/CnOMB0GA1UdDgQWBBRMKG5m15iloZMLTpBQIpoJ7JomITAKBggq\nhkjOPQQDAgNJADBGAiEA5IgymEjCH2u4Q9sAgZQ1gxaesa0tKTgbSKh702wg3jsC\nIQDXEE8m4eMmjOYA/gQJo93e5NCxjLcckira7Dp9NX+iSw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZygAwIBAgIUUhsfHxULV3SywQ5t8CXzmRzPgScwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDIxOTE4OTI2OTY0Nzk0MDM2MDA2MzYwNjU4NzY5NzEyMzEz\nMTE3NzYwMTI5MDg3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nbVRVSEjjBG8rt7418UzsqfyNYDCsO2IrVK2cvPp9aArDDlDFfNU3xX635Oc5mlFY\nfrvldU8ZBC5dVkOTZZEPZqNyMHAwHQYDVR0OBBYEFNF1cmSaSNFqaMWsQu/HNb/T\nRHj1MB8GA1UdIwQYMBaAFJz1b5fQwFgr2dIv9Zg3pKO/nB4UMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIAkpyrBD12UpMUCyFAOLpQZemTfflQqM7lAHD7sAfCYFAiBqczarSNkj\n4R2gNgLftWaywMkdMwTZ/DpnxejR8jJXuw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZygAwIBAgIUfQKWyo5h9qPcq29k2uS1JD7mwSAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTQwNTIxNTE5MDY2Njg0NzIyMDIyMzExNjkwMzMzNTMwMTE2\nMzk1ODkzMDk4ODE4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9jL1StDq7na3kBjadY4VJst9QSVEUbuHuwvtmx7Lil2F7i73tfBqUHCx/aLaWdZW\nSppLviKeacsZxxUPD65HuKNyMHAwHQYDVR0OBBYEFIRALsn5LwV+GGRk0uuNbp2Q\n9R0CMB8GA1UdIwQYMBaAFEwobmbXmKWhkwtOkFAimgnsmiYhMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQDqzAZkrJvIZBhlqVi6tu/zPvC/GxOOi01UXiJDSLtcHAIgUSUzd/Eh\ne7ExyR7jNfW6LdC4f3ijvyBFBcoUEW+Gnok=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMhH13xSTCAZiIvK4L/VJHlgquTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw7pJGgZyfWIJHz28tpOnIJw2XwQjnWsJG1yij\nnycrdjXJRfUNSE3L9l+e/eXAJLumGbhXLcu+gVyMN5iTVKt4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKOLHG6QMxY7SRd1aV5kS5ZyZTsAwCgYIKoZIzj0EAwIDRwAwRAIg\nCrHUqlp0gNq/9mfGf6P2TCT050IFaQnXxBfH7a7SKAgCIF+1fA0ukYrXyPObpxlO\nZiKDTBeZng0ls416pSSxJtvE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDm7IfRUsMBJtVKS9ZDkgOr1k7/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWDzKcfkm7/K3mcvLWgdQ9IjjVnRxk9HkhirbS\n5bb3ICR9MeeNa9pnj2R1HQbpb34V1yQRjp8we4/AufXZJyDMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS64Kebyv2fqoohm/8xS/8M2sunQwCgYIKoZIzj0EAwIDRwAwRAIg\nO+0nDKuNdbkQhbqns8NZB/ZyIekU/Y5tQLgWUZScBVkCIAvpgpEEASUgGivMQLym\nSP83GeXRYbp0mYe1+XdYvXbG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUSZ9ehKFIOH97fonfsUQ7aexJ7RkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjg1ODUwMDY5NjI5OTM2MDkxNzUzNjg5NTk4MzU3NTczMzk1\nMzQxMzgyNDMzMDc4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nYCQnFSkNogFwPe4m7cqepbYrQwQmUN/5Ir3cmBGddrQdzFYZGC++/ubavqugIJbR\nmPmmOC2Eggf8kS10u/5f86NyMHAwHQYDVR0OBBYEFPKZdmbjkrM3SFdZ31qAB67D\nQqk8MB8GA1UdIwQYMBaAFLtmyWW/uaP1/lo4ChCdFBlNvEAdMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQCcVLrSkvLUFxFKo7HKRTTousKZvNKw/oqkQNkSTH0FYwIhANFO2fmm\n/9+LwfoQJsA7VVTN+I30wANpkbQ6PEwdPnoF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdp1dLpuXnKVUkDrddusNDt4NKIAwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvODIzOTY0MTc3ODM5OTc1NjMwNDAzMzMwNjEwODU1OTcwOTk5\nNzE0OTAxNDgzNTExLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ\nT5yzgO1du13oyIQn9HaaS3nGEmmMAiU98SrTDIIBS6A04bnjFZHhJ/flRFHhjce1\nHCz9frDqfJs/6aBWPQ1Go3IwcDAdBgNVHQ4EFgQU/ibXm+lvd40X/OD3sRqQWWey\nSVUwHwYDVR0jBBgwFoAUhQ2Dpjq9I7TK4paHt5kkBDIuPnMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANC5aVDJQXUuoUw6/Fm3UuVGuLRWkLik6G6xd2qHGM38AiBIoXJbielk\nSq8kIuKzaLQE0wGanrkjVKT9L7mL3Cr/4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUO/OoZrfhp2BIMfxw7Rc18diTlh8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnU2gViCrn7enyFDVpxOvGNu5MACh2wXkb5OYq\ncmf2nYdklSXUDQ/pdBPmLGdjOrXx/MC8jw/boISR8kOrDYzuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEalwf48D9SC\naQbHVCWKWIu1333TMAoGCCqGSM49BAMCA0gAMEUCIQDT7d8LOVCwUZSCc01aRhfi\nguqRrb68gFWrTmnX6IEoFwIgMBJ+ZIWgzOuV4p/RF9ck1y9fFOsuF92z4pFtj+51\nTGE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUJbNEiDdOYmuqXc5U75ooG3LjmLcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ5nhvtxdfOZQx2xfZFuCMrEm8TmaIUjho3j2+y\nZHLOesqsDstOmA9hsmqqsCHHtHThKsqj3PgWs2SV0jjOQIY+o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFP92lLdCRr9t\nvOmVQak0rIrF5hT5MAoGCCqGSM49BAMCA0cAMEQCIGbPbrlwtfcyDbrQN2p6UlcV\nQ344IeBMuwHkTDRRAMhzAiBunXGT16MeyKpzCxtG1nJ7AZI9PW6oA4xLzWcgQ0Fm\nyg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJ8+n3xfm/q+hODLr0tXR/EKKSdwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM5uSNoI7NBQ5aDIGBpjL6YKGIREFCW29vPJZ+4XTLFJ\nu3+5N/2BnPx5oDftthnwZin09Rl/nzkcukXyAk4qBiejcjBwMB0GA1UdDgQWBBRu\n9vEXWA5tjojuObLMN9oA1f41CTAfBgNVHSMEGDAWgBRGpcH+PA/UgmkGx1QliliL\ntd990zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiATFcL3c0v/42jhRSg1OSjXDNNJXTHEV++3\nhjRWK4z9WQIhAI1Ds7PJrYQzSCELGjSoQFFgq8C56fF6rfIYMCbnKKLA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTVANrzYSYhH0RYXIERIpm+mAbFQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABID/TP0n/6RoPO4aZBMw9GsmyvJabqM7lUm49glw06rD\n31m+M3HERCaLYNkPb2DPw2R55UZjk8/99w82DJ+jWdyjcjBwMB0GA1UdDgQWBBQF\n/mxkxVs/zcaovF7a1iRgfVqBCDAfBgNVHSMEGDAWgBT/dpS3Qka/bbzplUGpNKyK\nxeYU+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB9BvIfJRG20T8LEL5R1uxkKf0OoTdanDov\nr3w2pWbdRwIhAKc9L+2adFiPdyfcWQ0fIytcFWvH2Eg+0s0TeYF052z3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUTQT+8owoyoEBxWUGc0z5GWUw73IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9OdZ28TOLSKOY8YEvBrhKPIbWnQBU0pIkERVR\n6hkK4INIiM8uFSNVoE/R0VtGOJFXaimLsQdZ+ogQqBtOuLq4o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQURLVH03tXeH9HdG1hCT9N8utureEwCgYIKoZIzj0EAwIDSAAwRQIgVMMS\nC3slxbMPkhktj4pdjGFpkdbnQHK8TdpSPY76PmYCIQDfVeL/BhEngMogNFpv0NYT\noinc7EyL2r3O2JDbdJyktw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUMBfdDIZ58hT57EyoVijxwhutfhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASzZoXbspNiABzUoLDEBfxwDc4xd6N7Qchw7DW8\nyfj6/xGGIyyUWG+atgaHiDtgnrbqLa7W1FeGV8kzDtnN3i49o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUryh3g0PIpKHTbO+OeJpcEE/DEKYwCgYIKoZIzj0EAwIDSAAwRQIhAJ8h\n+krPTyWKvhrmAJ5H037tXuGt0WdQgyr0PSScZY1JAiAFo7SL8+MewdZv3Nv8/v3f\n8SGY2uHbYqlpy5oLGDG12g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUNiO1emV5pxSdH4pEBG7LJWTagJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFgfW/Eqw8jq/xBP5qH0LuFrdmvRbD/tkDpxDto4Rdfy\ndEJYeo5P20h+WF6H7tfV1FJESbpULQ2PzOgvzzM4cE+jcjBwMB0GA1UdDgQWBBRA\nHsgmxx9294JQfsGIGdowINzd8DAfBgNVHSMEGDAWgBREtUfTe1d4f0d0bWEJP03y\n626t4TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBx05yr/2pb/PZWPy0sbKjCUVjSs+XPXDAC\nd2byaezo7QIgefhE7JZZed+1FRFIcgWmICG968jJn3UFkMFCcSOVc4c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUabHfVho94JqnfOa8MFHoy3G14PAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIm0FwWQxVfADdAYYeXQBbRBpl2U4Uh+L2N547HlHQjy\nkIuEHHVp6jwwxmxgjfhFKkHE3FK8BkGMkik2i7t9QLWjcjBwMB0GA1UdDgQWBBRX\n5t15ZPKjHl8OPnMGZitT9+L5RDAfBgNVHSMEGDAWgBSvKHeDQ8ikodNs7454mlwQ\nT8MQpjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAlirGh/YCpvsObqfKxfua4WohZfwTqLgD\nE8qfgfRRDkkCIQD3p43vRpuY1UWxEVaMtKB38IMEp5vHu6rN5DyXKk5Zgg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUaBezQCsJdxrQLKmtg1l0OsoRP8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBt7n+qn2HM3VDxy4LpYU7AT011sly++wWlu/0\n2WLiwlttE1cSTdI8qyrQdgwiysRCtd1Rzljs9C/W5qfCof8/o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSJfPV2ky6cDhOdIvcgvGDASMDgwjAKBggqhkjOPQQDAgNHADBEAiBW\nY9HrI0rj5Ka3YNlUfS452ntEwa0KyT9KV0QStF7YlAIgUikOD7Xmashie+O8DIrt\npgbhUT6P6F/qnicv0ie0sww=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUIMMBeLur5PX/fUmUbqOnNgV8I/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHljg3aMbiR6atmL6jMx0oZ9lg7Jr2A/z1pe+s\nrJI/sDHnKnqz+xYF+Vm2cFUxlXQPObEVlP834JE7HNMyJCgTo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQVwwRalTx5CJF9cQK4tZsb2zeN8TAKBggqhkjOPQQDAgNIADBFAiBw\nMOKH8A7Wg+CoJ+xKU3wAJW9iS3UQc2oqZin0jPOd8AIhAOvcwQ29hMj5Pm1I2dHI\n5Mkg5OeG+SHKY3w0aBxmCRdi\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbmYqYBcMfS7MCWf6CA9h4p+u2fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNXyvmwQHOgAJUBOODv2nmcjdR0dZJ6Mwu8wHGyVH629\nBFQOWvzHNXT8cC6MxO89rUYaXVqyu8iWoTIXy5PF4j6jcjBwMB0GA1UdDgQWBBTu\njtibnX7TCOKE5mjsP++YBrJhjTAfBgNVHSMEGDAWgBSJfPV2ky6cDhOdIvcgvGDA\nSMDgwjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxjcvZJ8/MyMnaUjyfUjg1Qn1RlHLXyhE\n7lAMPP96DD0CICkcBBsbaAZC/ip7+OJ396/aQy4hEyJ7g9YBXsQ8krt2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQyuWHIOOcMfbvqyTedfrWIHuGskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAbnlzObJsNVW5iFCXYXQLwlTC7QeTYAWp0JbSJpSweO\nmGG8BsmmPys/9mLdnVmNCiMU2i7nDLIccdEqqa7fmE2jcjBwMB0GA1UdDgQWBBQx\nLY+Ekabpo1VsWMsRDD2apOGphDAfBgNVHSMEGDAWgBQVwwRalTx5CJF9cQK4tZsb\n2zeN8TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAlZSYyILJnO+/Je3iUwZEJeVMg+GF0Can\nTwKbFCY43uQCIC0AXZcGKbMLl+NaffH07oe3KyD3marqSsj7Jtea7msV\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIyLdG8M1I0nT40wlFLKqKxtczUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOYerTpA0schn32XAJOk76w51LzbiUhzaOtT0u\njbd/Rmut0aSoJ71SXac+MVz4YdWUUE+pYQcvUVzv1hGG5hOXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5wnu1Ic7vv6j35UUgWvNMNaRb70wCgYIKoZIzj0EAwIDSAAwRQIg\nSJyyc8+Iwh2dqX45Y/QaQRoDVUILMzoSO4mUJgjyVHoCIQCCI1UJxi20D0kMt4xM\n5E7s0UPHOD/EfG1mFgqVutt/8Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfOXdAopxNSbYlUcVJ9drAvXHt14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWgxzUWoh2r8ZtScCma/9i3b9VKhl+NapnNQ4V\npn00EUvJ07dNYJ84Et6zgEMlBZu3Mavv/SVkOfakhf3DkyY0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSKt2I94MLTHE0LQgRcGeDuosAyUwCgYIKoZIzj0EAwIDRwAwRAIg\nHaKoTPViDUhUp3SKdiJN3AmFcACSIbGYzqh2tzUuv6sCIHMM9FnvWi3N0lH+rquY\nhUM7LaCOEkDI3jMwgCfO4vPL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUQbgJrE/9y8larOZ5aaGi+4ilCWMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjAwNTkyMTYzNTc3ODc0NjE3MDU5OTQ4NzIyNzg0NjQ5Nzk5\nOTc2MDg5MzQxMjQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf4Jq\nZqFcFmAulq0vQ1Xyl9REnSZL60Go2xZZmIewJO6rNPdOdZLkgyjLSh++e3byE9qi\npQThMhKxLbvTeniSAqNyMHAwHQYDVR0OBBYEFMGtAE5Ue089O/VYgz3NwCYItv+w\nMB8GA1UdIwQYMBaAFIIyDogUV/ai0SaRSUE1yQl/a0EBMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCyPD0rWcfRMiGBmy+edi0+s7whec6dl9UlwQmkyOwRFwIgbzl6rRwlOh0V\n6BUHynUW5/+31/G/GqUlXWxUz3/mUsw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUR6WqgoxmwO13PQCNQXWh01GdfiwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEzMDQwOTc4OTEyMzk2NTM3NTY5NDQ4NTczOTUwMDU3ODYw\nMDA3NjgxNTcwNjU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETX5P\nXWfaqxl3Xr7LirKP9uxwQ05iB6hCDUW5sGe3heH9fn3oG90cx0z6ht7ISoRCdTWM\ncVnO1fsOkQ6DQC+tb6NyMHAwHQYDVR0OBBYEFAcBqQfZXPYc5NXxybEuhif5dZ8u\nMB8GA1UdIwQYMBaAFPWbRAvniJAHfftDq4z7KbZoVLdrMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIFWsRzc3cJmKuz43fTYaUzhtlb4l35/VkSQ5jSIAVT2ZAiApbf4Joo04tAuZ\nlXAUKdcoWkd8WfcutEkq8TLVsuEeMQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULS0srRLBXZyfBexu2BJjD4QzkJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATp+7JpTbwULeF6CDqpn/iFK/8oBG/esfYyZxEw\ncf1JKBHvArRtpbSxbnMGAf9rgvKAc8kjqDyu+y9iv9AbPvzMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0Cn6h7/q4mN53T0uOk7xCcy0ixwwCgYIKoZIzj0EAwIDSAAwRQIh\nALZomcpzwGwdFLAQPbBrwpXIlk1e1qor5TCoyh/KsuM/AiBG9tbyh9R82iB7iyFl\nGSeZJ/EtCCAG4yqmeIM6AZGSRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDl/ST1dq2KAI/nTGbupFVIPQaWkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZQrI05/UqSjhXQCU97tEEBkBLR0ALFOZBcX4P\nVZGFrhoI0rEby2fkzyIMwoKJ4f0xDZxvuJVhdtduP7JRaIN1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEM7iuTKsAavX+JTUeY/ESlTvQg0wCgYIKoZIzj0EAwIDSAAwRQIh\nAPynNe9Vk6jNWnt4REV2gCcu2jSLExu+unZ3wTqOooU4AiBWqb7Y45EQmsRudzqX\nLLjcGofmWRmO4LXm/5E4/eh3ow==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUIa6nGV04/G/lpYS3LlIHRazTtD4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTmTcAt178OePUPPPx6fTUxgW5lEEdVINTX5BrL5cUq\n79+spC0+MQEPPmqTWoMDKZ0FRvX7P9vzIFTKdkxdeiejcjBwMB0GA1UdDgQWBBTq\nGYDs6UpJbjvml+34/iGeRPACgTAfBgNVHSMEGDAWgBTQKfqHv+riY3ndPS46TvEJ\nzLSLHDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiA0u2gt1iIMCFLl5VorB+RmzU/jmkTfEGt7\n8u3Q8RKVjQIgRiCIGZH5ESLnD8MMZG+zhPz5meNetk86h5czqUs3cmg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUZ+pZukPm3FhmMjzK4nhkinLakrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLrOwxby8Z48y2KGN5rMgLqbd9eq0f9/iS0wyc7rKeH9\n0QXKpduOl8s8y45Vg6osb/XuQJKAoWgtis7PMklPlrKjcjBwMB0GA1UdDgQWBBQk\n5PDBoIj+nPM52oNltEsyYD4uuDAfBgNVHSMEGDAWgBQQzuK5MqwBq9f4lNR5j8RK\nVO9CDTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9DRubbWk/z7OVJDc0wwS5XJXr0pYzEQ8\nZdhzdAcZLVICIEEoegMuPF704SY/7v8jpO5HjcEFYR6PCDXXDQQkJ746\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQ3MCvL314e4gjXnzdJms1b5a6tIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjzL28CKmjwlEotxPJHRXsSPcFhqpslcZt/snH\nFeE1tgCcBqX20Lia7VIUhgLVyJINBmrEd0XawyVtJB8dCs7Co3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvQw1pAb7N05N0ax8f+aza34CTgYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHv+KOsq8x9E7dChdiLJ37QW\n2pKvwcKiVkP2jxBIQsFNAiBsRvpUFn6XffAmcIBXlwMjFrWWneP+rS82KC1zxkez\nyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQJlfK73P6zmzVR9yhaHY0zEGuZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwseqJYRf5pcXm65ebOgiSUB1BlqVEkwTbj4p7\nao4Gr9RQViSBbFeyewiIgwg/U/wZHaDvOI41qmwl/iLOjU7vo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlb+prhpOe4am817y9AV18PHokKwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEBx3NUDM0iL6amJQFuZKsvl\nQy+u8JipCrvFLwZiPzZfAiB8/C31FiGXZrWnrvwy8ho75pq4p3YDTE3ZA5kIG/J5\nkQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUJgcwc4w72GQxm/Bz87ZEGH/Bg4AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOM5C1aSlhraeNINwTvXPV3wUAKzMrivi0HxS3njXwJU\nZsVs313frpJZkqFVmXP8E3sKkhOTshBlPH4mBST6po2jdjB0MB0GA1UdDgQWBBTv\nLipwld0CCcklaOxAkZy0580ltTAfBgNVHSMEGDAWgBS9DDWkBvs3Tk3RrHx/5rNr\nfgJOBjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN+9929IXwhojjYnXqV9rxy2DVgHN\nq9dHNecfD5XQD6QCIQDD6/1YEuJ3lRnzTo9czG6DRpUCtF4rwQSpuM0hiQFvdw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUURTF9wQYSbb3c0pfq0iovDFknbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBzl0jHh/qg2VIFP5PDw7qQrztZBKnYciZTNS8lKHGmX\nYLRr64vnArGZ0jEB/g3sS702N0jyWO5ArJMt5C7WHe6jdjB0MB0GA1UdDgQWBBSo\nJHIzaZwyqN7xQLb6UWg6PpZM0DAfBgNVHSMEGDAWgBSVv6muGk57hqbzXvL0BXXw\n8eiQrDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOhYytJyaWQtFVybYWj0yj9OLKF7M\nVB8y2Q0Z7mM2yocCIQC1pSYhsfH2fz4kU6f/pZMJs/ik15FB/gHkUcEEuR5NrQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUTWPBYw6B8c4fsHIFxx+bKbTn3QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo6HqNj9+osyp/TA+YoHCmLH3KWLEKqGfjkBmH\n2ibqN9hdJJuz2yI5DRvZg6fMbxSKQfSysXrr06A3znzw86wbo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOJEqHUND0fX/nLsLYEB619vhYGAwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFAKR+GlpBu3g/Omqm5bANor\nRNvRw9ITRVfZ5qM4wF0PAiEA2y5C2ShauwA/T6f8zCKxRegnXDGq1sAQ3hGHLaCU\n2bI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUXgOdL9+bixIZzqXWqW5xQC3PXtEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgSrU2mEFYs/xOr2NpgFTyO5hx3SYbpzGiJ4Sh\n6q0usoEUWkdgQOrknxeJHVkoUyf6eYtXGU6TxONxBMXHEjvwo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOXPPerU7WcgGb1MNYGoqBs1npIwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDodWuCwggtPM8oEE21n7wGx\nq71mYEz3ETAPMJ24uMWrAiBJnQM6qpsiSJxAM+jN+ZPX9ce+G5hFIu7LJ3wUoR0C\n4Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPt5d4ySqFwkro5YowxSPTBvlLvEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCm33HlF7tFL1jVuq8xc3eQQb8UPC+vtjXc3spijlW7F\ncjn14TCTQ35fzOfdm48kTJOv+OWccRQX+9VlilUAaiWjcjBwMB0GA1UdDgQWBBSi\nUuEPu6M/XrJYMhvnAuinWolnzzAfBgNVHSMEGDAWgBQ4kSodQ0PR9f+cuwtgQHrX\n2+FgYDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAYkwro5EcETh2ytlV643fDvYGBIKelrr0K\nWRG/Q5ztgwIhANk9TN4SZO47lLTLAJmQEbgDIHjWb18xNGCD7S9B6TjH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbqRpJX5fwqWVnEpuK66ZN70DzukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEN38v54lfwboaxUg13D1+JQ3uk6ZXU3DLN9DHR6Nq4Q\n3tSoMvBqfl0shWFMNd62vTPHdrgLwUoASPU9r8wSXR6jcjBwMB0GA1UdDgQWBBR+\nuQgNrYkKqCcbOu+we+jLCAcqljAfBgNVHSMEGDAWgBQ5c896tTtZyAZvUw1gaioG\nzWekjDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxYTu3vQLvXlOe38y/s9dL2tkkPT35K6p\nRvvrhiMq/Q4CIEXrzQhbmHNvu079mc9Sly9N1xkbFt/xP/4B7DGW4vQT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUDTbPMN7eKYJqU0RiDuuuDiY2RqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARu0rmcgcCEkQsDADArzQ+tsRtU//t5wOSnKGuZ\nC7qAt9O/OJhpNAuz9nFd/nBPXOX2Cx1At5yls/+QFxP2kiNzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU57rZYJkl8shCmpsnpuV0d7tOuVwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCFzAYV+VeXvVkUBEOANGJ+\nmKhKKv9+cQTHL75sqaMg3gIhAOBBGEss8xaDsWHKPdQ7z9yFygP7Q5Tqc0Rc5M5N\nQLLk\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQgqVd3ZMvVmblMqlfkFBMAd2FpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgDFvIspDO6YCQCRQM6TuC7AmgdPZOYgQrQFuz\nU9fUsV0gZumos1ujZmnuZHTnvp5Aym+rGfIgUYRY3C5HXLfNo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURxbp1RQwdeynEZh9hk2XGQpBd78wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICqWvEdN1/r4HOjb1mn2W27o\nATQlam1p4hOfFzt5dRa3AiABAlnSDZw1hS3WNYKWTYV1HkiRtjsUSgMfS7HfyOgq\nWw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUa7LlZM4k3LBuQPHpkugrq2gLtk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK5cj58pdYXfZDfcL126YjiX00tX/ytRLUP/gTH5V0Ip\nNBKbv0vuq7XFXKPn4sfrMYhmezNtZvkKcnnjSskq3oajcjBwMB0GA1UdDgQWBBRD\n8A3icO3RqNcGq1qH42nMM9+aNDAfBgNVHSMEGDAWgBTnutlgmSXyyEKamyem5XR3\nu065XDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9RHRJilm/w8zG6XMpuFFlqGHalnKRB9b\nQKGXdF32Dv0CIBckJsCl86E37Y9zMhNz1qUf9u1I72xvSZTZBBZa7JFC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUG2k+YGiENnRtvJoNp0Lf30Bz9LIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMcyXZdKMwxBmGCcrVIAYURFJOVLHbhqmtjLZ7X70aGO\naPgpgBCaTg5pJSHYnwWm9vj28v89Wzn9bHTzFh37jYWjcjBwMB0GA1UdDgQWBBRV\nbeWqcz7BxaSHtaEqFbo7dJbHyzAfBgNVHSMEGDAWgBRHFunVFDB17KcRmH2GTZcZ\nCkF3vzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBdsF60zhNuDNPOyaUammTTZXqlRQmbZVJk\nEtTu8Fg/EQIhANZAFOnC+j1ZzTtVndireqAqjY7le1Ic6NBke+f2SQqY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUbOLgB2thL7nmK3vov6E3BALuoYgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCwW5n8rt1d8JBz+QZnLa1glevjOYJPCBSvq8l\nGONhpat7i4WXSVJczqoKH+KNDvOuqruqRwNXbvN4adwjWklto3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBrS4gayd+6cFCYwvRfOrslOOpcswHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC10oX18pdIkLkCxZvfyZOS\nt3jAUtBFr7OTzSIJclRvqQIgSmCrR/P7kRBGrQb9cumh0nmLO/GJsJGnkkmSYDGO\nf58=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUb8o+WfK/nBKxzkVE0i97GCJN7oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDRGj8Xa068jVLlouY7b835eBNScRiruQDYw3p\nG52EB2nlhfElcLq/HgH9+oBN1DqhKwa8JPBqwFf/JudIJlFao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKSU4R/sOMYRAUS+BdLyF8s9NbM4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEBtOa8tkDVHsWg3AHe+Qcyj\nkLBAeTFr4q1qt5ZQFYNFAiEA216V3Hq90C/xfYHQPv90aDwpNX+iznKzQ2V7V7pM\np18=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUaeI+mTdzdT9GCHODnfHzGHDkF7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRjIbZ5HU1Yi5iFT+kLNt+AU0A0gZA2muocOT4/MInb\nczqLNcTYVhfeYv3iUgMUzc5OGeHNwstZZ90tOQKCVbCjejB4MB0GA1UdDgQWBBSi\nAjclNVsopK0goFMqQ1gmyi0BTjAfBgNVHSMEGDAWgBQGtLiBrJ37pwUJjC9F86uy\nU46lyzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDRDcFTbpL+Wi3GMv1DwaVLi\ng2/k2An8h4qzdJupxQ7jAiBrNLR4R+7xZPM3nucnwwrYn+h8BCgh1tcJo6+gHBlG\nkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUZyQaVHrhn0JtqCxLL9BZNNb7koEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEyxgILRMbqIxNj+MIE+hRDu8JkdYHnzsJvg+dx3aa0K\nqB7n7BmkT9V0hA8BhUukcy7oCnJ4zB4qTCzPXR+gmcajejB4MB0GA1UdDgQWBBTV\nhGzcszzvJzKMM3uN1CY7RY2XYzAfBgNVHSMEGDAWgBQpJThH+w4xhEBRL4F0vIXy\nz01szjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIG4esx7/Aiu0dqdaN7uavwT9\n+TA7qxtPTC7382d1q3NAAiEA0pPTU31yspyqavG//Q8CAGv1SIVs21xu5AaMjasB\nsbQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUQKK5V5irgXDQPB5y4qPQwQYU3CswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVH+MYt9lYZzt0wy2EcH3iNZhkuQflK8UFI63e\nK97rUzzrABaE6GKZC2OerMdOclw5qDEzUuVKHxsM0vyWdP6jo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRAWu85S26XTRAPgYjx2SQPFVPw6DApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTQn/\nVq7c3QGXdWEpcHLKoXRlnlmAFwwBUWEoXClIvcQCIQCA7whGrtWKIeNlnCndg3lO\nxT81Jpcxdhx3NVTO7PkweA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUPQ21MpvnBbJGy1vlwdvbA1Lie3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeRalXViwHFZGK+vm0+rgfoKYaZy87KGSw1c42\nH8xQRkS3VRm0CKcAufWKUajJo01jJ/bsMThQxFbe0KsMz73Bo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT1l2AOOUUZPU5U57xbg/SZ8E+oZDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALvz\nFb74xvI0pYdVd9B6Xpvqi7zEW9UEpxbQ45aWk3l3AiBjh2IMqfFIBjlqhtyXnDHx\n8+MCBqJKaAaHy3LDP/ZLmw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUAyrqyAzuka7wO36bG+yLzkRckgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGljT7a0RxfIgPkrDcn+EleiB2z80VcbOKUi2zEbRfq3\n1B4K3av6FSbC2KoJ2ndAQrepc79Ed/wajwrpOcdMQEGjgYwwgYkwHQYDVR0OBBYE\nFBld4SzMcnm5ITcy7RfTiDzgDRRCMB8GA1UdIwQYMBaAFEBa7zlLbpdNEA+BiPHZ\nJA8VU/DoMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA+/Dx7hpNraLmuo7A3xDOgaUPKhzSLK/h69dJSAbi4FACIQC74FYKjg7Kp9SI\nl7jAkT4vDqKR5i1IRnkLjQHAv1Gqkw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUEP3Uq/+DLknWZ2QuepKRUlGnqdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDr2EIFNUdMYPji2R4U9g3dNE/348uagoKVGXOxkYRmF\no7SP3N7Ypz0RslHF1YFyMlruhkBfydsESGYoDIctaNmjgYwwgYkwHQYDVR0OBBYE\nFHSptFIe6IXxbPbRNb8gYbhAjNH1MB8GA1UdIwQYMBaAFPWXYA45RRk9TlTnvFuD\n9JnwT6hkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBJbrk33wjuTIZ2+cFdydnEsPBmStSTEK0vDBH8B0hHdgIhANTecjkh21wJ23RL\nyGhR7OxTSchPH4iAfNiMcACZBa9K\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUHcdDCGpJ+UZKFP0jziyBKa1mFGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhP9HzrwJJlV2VxMsbkNusH7ro8K3BN+QpWizY\nX1YYkXhqh5oP3LYQ+uKOg3DxuzbKMRrRfx2u4dql0bnSYUtNo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURd0QkQnIfX3q4LRKyWkqhf6hUtswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIGGjH+OT/ipYMjGHEhPN9fl66XYm\nMuw/lx1LQoIr3jbkAiB73+kRBVZPQ5sj3X2Qsa9e3HGDzMOH1xbpprE1bdncoQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUFbBLaQ13Ow7697GUIRShPTTq3vAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDiR6Yw88/Rx8vGFi7xyqHp+lj7Qee8EIf0qRz\nTru0xvOhkmUfdurH+Pqs+oNbxCux5CjhaW6Q7CCQStJA+QqHo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCjO5GoE9OkVGZMT/JGMFwRVMtGwwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDNnCt52z6i/6WdLZ1vjJJx9CzM\ntiogs2JcBJW840ZqKQIhAIplga4BDO1Pe3fJUSX4owNL/xsH5CeeSzQQdxJO2CfR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUZN+XpZE9SWhQOHWwoSQ80WSTnuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO2AibSdpFfQb0uHc7OYIuNlSQKBcqQWcmiN4GlFZT00\ndvHYZiBr4ec8uzkP9NnwaUA5JDEiZCVGLrQQ02oRThWjazBpMB0GA1UdDgQWBBTO\nzei5Wx/l8nW3hGPgRqokal3JyzAfBgNVHSMEGDAWgBRF3RCRCch9fergtErJaSqF\n/qFS2zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIFy6DpGW+AXJD00flJqszW0/oWmjTVWjFCtcI3VUd4Tq\nAiEAxc8YWCef3w9Lcp5/9eRSfs9jauNF7Kxsur2tip21cIA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUNQqaUq8+B0+h+q7bcLQnzF7qsBcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKNk6UDRPDrjuf4f1+Je8c77aD0t1cTiX2YFcPSDWxNH\ng8Bk+Q72gcsUZc2Be0VM9iTrIzjV+swqHfiZLcLFka2jazBpMB0GA1UdDgQWBBTx\nryNUQSajMLkrGHow6qQ978VlsTAfBgNVHSMEGDAWgBQKM7kagT06RUZkxP8kYwXB\nFUy0bDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0kAMEYCIQCgzL67nj+HpK+2L/xYFK5Y9UgEmKnI7epcbeLMEiX3\n1QIhALpfauUUkcPs4tpeh4XZw5Fab2ViIV9Y+2CRipCHz61b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUDXT6wB7yr2wh+3i+SVnh0a8vlcswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQl1Bp2Bl3cVXzUc4aVbSei1hYOxEkrLgJLldye\nc3vr4vda1shfdXFWYVl2ScY3BnlrBi3sxwX8GAh8qWx009g5o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqeilIw45ogI40tzfkXjDMnybvNAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCbbL/AKu8zf9ofehtUvSxxlAhw\nkeVEwiwNUq79SHq9PAIhAIbJZ5CekegV30lcv4oYpapB+u6CRxk36qpxnxTND37y\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIULdRX6Srup1YAy8qkQi/u1GjtsmkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfZfuOjAS+FRURbjuCFTigbz32KtqMJhbmmHF\nL5exTk0cAz1TCuP4cqAcOSn/ZHzNQqkSgJthL9xjhOo3Cd/xo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmXNEw1SjpH0X8V0i31ei5txWvVYwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFFRgFX3ksfCb0TTGt8RrVu7XbBD\n40fK4RdWm73qMpmZAiEAhDLfkwrGaQn0BQ6UoNwhwbTm1NYo/0TP7MqJRWOhAAo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUETqxWmNU6ItuQ5vfRGdC2359ZSswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCD6EzhDufEeJ/dgs311HpUl8pWbA5Y1XFGE2eDKfiKe\nNmapUpvt5AvhhgIJxlurHXg12bZt6pkANoHF+JKSN+yjazBpMB0GA1UdDgQWBBQ/\n0np9LtruRQvKLYlehCvozM95OTAfBgNVHSMEGDAWgBSp6KUjDjmiAjjS3N+ReMMy\nfJu80DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0kAMEYCIQCE3/ZxUCzaG0C53SgWqa3vVYCiXf1zRGtI13M54vEa\nKQIhAOSGrd48LFIZl/t/hJsefq7hy2dr8IBJbC/DysiLsx9E\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUcDETKBrgdNlKQQ/1jR26okn9PlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBQTXn0ZG+K/WJoldBGQBwD9oMMEg+PTZTpPlXHExvQ5\nWw4Os9lfqeCOwd64xlGyDYG/EoQi4kLgxjxp1fbaqfejazBpMB0GA1UdDgQWBBQJ\nKcI0VJEDVt/SObyfVXfEE4ifyzAfBgNVHSMEGDAWgBSZc0TDVKOkfRfxXSLfV6Lm\n3Fa9VjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0kAMEYCIQCpumSxVspGuW4L/4YQ6UhhuQNh+io9SVRolHAoCHbB\npAIhANPyiSyoSkD2ZNXXbrdz/TIDd85jCYMY5d2ALkchxoS7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUcvKp/fXuick5JZcCPR+9ytHbeRUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD0/fJ48le2iPXk/EdQtvYPzAn3aUquK8pbhJn\nR3EcHaUtP0T6sGSuyOlr4Jm501xkOvnk/wREjxpDEPqjeE8Ho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhmYpg/HjP2RO5Im20gyjCukpj9YwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDBoHOncIVyCEGH99fbXpjJiLJl\nZ+lFuEsqxjajd+HEfgIgNAK3M+xdwtTeOhU5HxVp1G+WTZOhFyM58tXlh7fy8Ds=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSPFbjjmKt3Q+DZU2Kc+al1xNBlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZyCIEwyB/kvjUHpO60DxN4/ym3waBVal653ph\nL2VKtBrQBRE2t983hxbBDLnUSdEclEYwKzVXn6anFPI3uEIno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtoZZzrFY0EnLzXqoAVBlxqDng3EwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDvMnmwQkygI670fF84ZBLBKY6d\nApA3Ao8WhQzv5Z/z/gIhALAWWfFbOx27ZHsqVSvmL+iEPZKqX7lOBXDTqt6B8IsU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUZYAvbwhYKrGKXORIEHR6DCx2il4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKnosEZUlXrxbjnn/jlM4X2ThZI0sCsmJKafpkIUV86g\nBQJ4TPC8JpdZwTo8u/YH1sxznyFF12AmHd3PUu//e0ijazBpMB0GA1UdDgQWBBSh\neKdGHZITxW6U1Hl9oGylW8AzqDAfBgNVHSMEGDAWgBSGZimD8eM/ZE7kibbSDKMK\n6SmP1jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCICgGUPpgmpZhRES1Xj6Fw1MC96BFJfVkfz0sK6ruDLJa\nAiEAqnBiUPWUcpIJFkjJ9GOqMZwnNH7wjmz/QhQOyOWbHoE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUILlAqH3R5rClhAKDKWZL613+4NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJC7yf7pIrd9hOCjD6C5CGNqsTwBaOXttzw2zDSGla72\nI2cZrgx3AIWdk7kJewcxSzmtsufwh26ItPmC0OUQ8umjazBpMB0GA1UdDgQWBBSK\nzvYb025ZxGtvg/pkjz69K1OMmTAfBgNVHSMEGDAWgBS2hlnOsVjQScvNeqgBUGXG\noOeDcTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCIQCtXsIwoioKtIpOx9D4K7yHfUURfwzAxN2Kh0wYZUE6\nBgIgTDg/Txqs65zFT5Dk0+YAxd8H1GsG7ybrJbEI7DAnt58=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUEbA5lgAWG9hFDI2T/d4mTn/CA7swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBNs4rmkLihUwX+657EMrYmeQyZIBvqtXypBcj\n+XTTB8u5MH8xWMFPpQXtBuSpd7sxJqZwQu66c6TGgCQjE1m0o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaJFrs6Mx/MnhUV34duE6vp1zAk8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKUJTuIVLPXbGM+f\n8NoqzjJqJtCsn5Usr0jhv9kQVQmCAiEAnI4lxDD7HpqZEYyiIEcTAUhqYfe1v9S4\nrcPTXNvAM9Q=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNdbtwkL76paQEBDu5yF1g3/L2GUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXdjajQFOVDeTC7nzSO+c8C9v4yvpd/j6gI9zV\nvFYWSb/J+UGhTUxr4SjjKorYOhUO0eAxpUjZzZ8+yvU7hUuio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FH4ig0PBHWLXLwH+s6pzIJ+8LYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO+dDCnlu4XwlXoC\n19/WgjQorwNSEPFPePG58lFhUqD6AiB+D2AyAXyoP7hNlFaUc5506UrsKvc64+g+\nHu+HNCtUNw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIULViA4d690KmjrJAVOe8PkqzIMg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE4sV2Gp2u2CHxtVLCB+JkY5x5xULOrZMfSaK1ft3+wx0ecWpO\nEJ9VkC1qvW8l701fXqjvsBk+/kSTZE+tVhXzhqN7MHkwHQYDVR0OBBYEFJ0m5gTz\nH7rVb8rtPqUa8a67FUL4MB8GA1UdIwQYMBaAFGiRa7OjMfzJ4VFd+HbhOr6dcwJP\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIAlQ0rJK9J2Cof1lPuGr3ODNGNO2\nxrx+tp5+i9+3wW5IAiBYOYz56JhhHq0ikc+Xq1goEz3rgXGarpQctqU4WJsi4A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUPAJ6vJ5Ngw5/VEKQ7y6Ec2ichxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEehbAra1hjfOQ5wfw0vax13fE5XOVhXggZ08ZlSdcaYP+yAO5\nDKhjdjDfruObc4F5YL3W/njSO/metFhlyanyiaN7MHkwHQYDVR0OBBYEFPf4Hquj\nErzC64TAyZiv3u6R2eAHMB8GA1UdIwQYMBaAFPRR+IoNDwR1i1y8B/rOqcyCfvC2\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIAspntNlhi/iqaAXHPeTTrHyZhi+\nbCwTMDxU3ji2ToVrAiAtMX44Ni3DfUbWPEV3n3Mp1F9uEzztLG/br7JTuzxzvQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSQ9rCvwZIPGlq86Oog9wKndQqnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARb5QUuRrPWrTkFQyNOYlJ/48MM0UOOduoVE+A2\nEPz1n1ARdnGlaCyA+swtAbY0NDr1RtlUU/qT5lxtOkI8rMO9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8JLJ4RaoQV2xvIJ32bROIBpEFsEwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgeHALl6Vug6v66ql6\nw7H8tkrbdLdwwOBDGqzgEIrCcccCIQCfhHQlg7lLBtvOKaJBZxgb1xVhxvLFW0RM\ncO40eo/yKw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUdwbP746Wt5CgfZlZhhuE1zbpImkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNJ01DoTCS/Efx4F+wdL4OKe1zGPidDO6nhhQ/\nEjtKjWODxOg8/Wlq/rlsNDf2TC6HjJjb+lcv5T3EIUJyywo6o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEs/uVDjtEhQxo+s2iln/MfOIzN8wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAPjjAOeF245Kd/mL\nW3UE51DUoVWPC6AN1Ks1/6V1wGJgAiBf8O6TeRtFGBErBvkX1OGPfDsYgVyBQNHk\nfa9prZ3ofg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUV28xBqja2I3/LYTNyofWQDocqA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAR5Scn+4zu0AmFGOiBZSieLaG4ANvz/4mjGRfo5W6iS/CDF4Sh6Jh6z\ngiVENDJde6lv2yBwHhLhbPtNi/lZfseOo3cwdTAdBgNVHQ4EFgQU+GRNTV2i0jxn\nx+FjS13kB+2AdHcwHwYDVR0jBBgwFoAU8JLJ4RaoQV2xvIJ32bROIBpEFsEwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiA2rLyy6YQ8UU8C/2Bd7ahSnnPcSAqrG5zrd5Gb\nXBFrXQIgeACjY23VarCtLJLrJ+9XIYZ149tlvSoK3EIfa6qHFjI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUEnu6s7ufnTV+82zhok4M+Ny3CaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARQE+gwFcyK7HyZxGD2uBIXdPA/r5QBhG/6wXprigY1AMJR2O80iE5g\nyEfMxopqx1twRYoj/ffMtcpgNtjtstulo3cwdTAdBgNVHQ4EFgQU+//AOKusFDDf\nblYuivtzFfnprvkwHwYDVR0jBBgwFoAUEs/uVDjtEhQxo+s2iln/MfOIzN8wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAigb7sTySbGWaDWlWm0iMGpCrTeTkSNUMmtZ0\nG8o8mp4CIF1b2iOJUdLvugRW/beOf9NZ1MdI3+xz3O+MbX0Z+1A8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSMG817kJmwrsn/M5Qi1c/HSOX2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwjFBngc9ByxtWAAqgraJOlWbqTsUEeKeWkFx7\naRQAWimkj6G+S1lbVtj0m6AZPUN90h8Uh0r4rE2VM3u9B3Tho3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfcgoDa3q1coWkHPvdCTU0usPlD4wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgDjAWGfjpuUc7ITAj\n9iTgg17V5WRKAuQFwb4W2xL9lSUCIH2IG/0ZSFz6i34NMjKjNFKFQtkWWpY5jaJi\nbMllhGN1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUJqqQGtZKxTblY/OOAt4aZguRtwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQmS0VU9PnFR26+pPuaBvGCgDIgSxIYrXUWUIk9\n0gu3xU6ocGUsfGVmfyPg1qBS0NQq5/gPntRmXcuYn2Vi2TQpo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9o/XHvxkJ91uy6J0ompnkmpDmQ0wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANMjXLgCpDh+I/7C\nmU/nO8J3/SlJ1yVb5EVErr3f1PX7AiEA4xTsNe6Gm/LoXnmasLL2Ve8i+8D9iLTd\nqEShKxyUXbo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUftnm3U1YnwyRSoJwo3P+KfQjF2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAT4R7TRqaCRclinDEZ5HXXRjT0eWJK1VhHoMhIO6rKZVwu3sbnTcs5F\naNyizWChh4yF2Bc89gQlrMkWUtZCmVIqo3cwdTAdBgNVHQ4EFgQUHizx1Ae6yA5d\n1iY1lr126Z4MWYUwHwYDVR0jBBgwFoAUfcgoDa3q1coWkHPvdCTU0usPlD4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiA1qaUH3rJifUFN59mg+fm+/lYCEpupS6/YgwmJ\nhCazVAIhAP8CEEOLhCYa39e6XBWr6S7xL2wRSjVEPFYZDLYmWJoH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUCJxScdgvm+Q3xiTaf1kU9n6GoX0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASta73OJwf8z9iYk5ywK42adDtOdkcie3kOS1Cz4ZmgCFPQtxVtharj\nEnjY/+pTAE+YoHzPtG6SMl/Rwo7HASqwo3cwdTAdBgNVHQ4EFgQUnzk7ch93ZHwq\npqHabSqiKAWQj8swHwYDVR0jBBgwFoAU9o/XHvxkJ91uy6J0ompnkmpDmQ0wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAk8iL+jPncmCfc8W4vPaIZxG7pCulkKMLsW5K\nUbs22RsCIAWrgWwej7AMSg0l5RzE9qgY84fdufPPNpAFQ+KoMuIt\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTN4UwJZYixuXisWd5HNm92f4B+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVOUmaAUCwGKZNY0Al4Q2uE4CRLnLORL/dyWDU\nkygJG+Q30INNNroAJ8qvj36F/95s4RNJZngApKXAgydSJRQdo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJzaX9aEOJGhuSRILut5oEaOciYswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALD0vxU9r/WRcFpE\necW/b2qvgECphFOQ1dLN4xzQGeaDAiAjLR2A2f+x4lqT2bA7pXT5Z8zWm6inc5hG\nmR14N+iPCg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUdtZl6DnoLMJQRxoyqwNkk5uPpswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwedjjKy4EQJjWJoygE8RFCRogQtlre0r5GEKk\nITAfj8N8slJr+aeGvvfu+ss5jRIMgNG8kjOjujthrK5HGV/co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0FGb5QU/yuc5QeJ33nJI2LJ7sGkwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXl6uu2BUN/XjYygD\ngfTi+IRbA2VGgzoaZdPiIKq8mYgCIBIgChWzpZpYhz9WenS6ajvB8gR5zXoZksnq\nWtuuvEPi\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUQa1cSJUIR0D99qkq/5o6jP4Qnv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEbKNtzQBrZRTM6B62prcZDDu5+OeQ+HfdD2YTOP8xYElF9SLW\nbOooAo1O9rUpgaOqnrOem769YEkgmty5+J0Ug6N3MHUwHQYDVR0OBBYEFA6GJsw8\nUa8L4/JupXevGYaL3Rd2MB8GA1UdIwQYMBaAFCc2l/WhDiRobkkSC7reaBGjnImL\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALOUnFSn/sOL49dzHuF+qAaqZZg/5huT\n03lzYh8lGhV2AiEArxiC7btKU3GhZBSoxC1ETsIfoO5psQNaJES4dzyysRU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUcqp2NVqmgpHcKWhwALo6YgF8/2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEtL7prW6gPzSWV3q8a/1ZUfmXCpkklb4dfpL1dCo5gQc8/2Rd\nDV1RSzuPrVVxd0oI47PaiLr964lJEz7tbRMnWqN3MHUwHQYDVR0OBBYEFEY7xaTE\nsCMcmpeqO1gWpBrOQDt6MB8GA1UdIwQYMBaAFNBRm+UFP8rnOUHid95ySNiye7Bp\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgQhCKwmyUUp4bzgzCw4hPb/H1hf+hKwAc\nDPlQnHhfe14CID7/WFY/lrcgSGOtT/QA5plTsbmbtD2x2R4mbzG2yi4l\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUMI/NT3khred+fdm1aLJiupX/hGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT9AsRQz4KGibwHd/79W6bunhOmDp/Wgj0ee5pm\nAxV52SespF/8z974SB7LpXfWb8TDcb1WeAXDbV+4xtI6uH8bo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcK3+iO8W8f8XbgSGI+xiZr50dEQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhANzLlWl+uZHeLLqL\nOcOk/0sq9jRGxW8zfQ9JlJln5GjWAiAMYpmaDMcj7DGQEsnswq9l57TgYxSXtr/s\nS2Eglv/aqA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUKjpbU/ol5BmjiKwl0EyBgPyF8ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnD5l87k9ZjTka8NNyZoMqFXVnQcENK3TbECXS\n11ZE8PzRyD85K2E/u9ZJ7ON7SvjIbpS8oT8GQni616p6xgoUo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM7hIXJ36PxCAQhh8OTHDPwE9KrUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKmNXrX/r4fpRbtt\njSqTWF1PYiFz04Oy6ZGl+3hc4UaJAiEAia9eHP9OBhy0deRxR1QpSs7QSNE6sLIv\nl9lOwGfSRNc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUat1gcwu0PfzeUGljCaSp5f2/LygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASrGXwRZDQdKnzRPYE63s7h/Ya57PGwdrH2EMVACWf1Ia/zgznsJcXp\ngkAa3CaFP+qDFs4hb82hJ2t+9tdjeFMGo3sweTAdBgNVHQ4EFgQUDOJvuF4cRGOo\ncmRN56QnoxMjps8wHwYDVR0jBBgwFoAUcK3+iO8W8f8XbgSGI+xiZr50dEQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgEEWLYQNL8S92jr7Onin7ZGEahQju4rZn\n3LJNySU+vYgCIEhQ5y1mgIoNM6zRxQj+fhjfDrBc04ctz1gltfMZBy9U\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfz9//RZI5WBjQzGJ+P5nDRhiPGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASptWttWLfHKEI65NwXG35dFxkvXoR5dWrSSonRsVwGICLykC48AEbk\nHT2cgLn+18uJs8x6ElQYTOtckRlk5TF9o3sweTAdBgNVHQ4EFgQUQk9yuA8b9OUq\nr9vscwSN1ABuTk0wHwYDVR0jBBgwFoAUM7hIXJ36PxCAQhh8OTHDPwE9KrUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOwckhZ9rZzHB8eIMxMWJ8PJ2VPjZRzR\n6pf7F3Cms3UEAiEAhWi7zcG02bkqXMZSdI5jXjGdy/SQauvpsflan6khYcM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUYMxKn9d5PUJBv7+Rve0hCokI2T0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARz4tG+IGfiTSQczrNeMMDdnFKh0X73du4s3ZMn\n6eusWMayeLWWHT3nC2VAdhOEKkN/G23q1hXkR6YVe+JqqOkSo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDYF6/oIoCINWM4Zm/N60IsczKt1MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAz/M9rU8WWdPt+YtR\nnLdCSrYeM2vQdtzyoIr7osCl0U4CIE1SAJwXevvMFu45BPAfY1spYORwdCoNq6/E\newkAggPw\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUXgWDI1lMBCyrsbNTdhL6855ckvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAROJU/qK87tvQ5IZjUl80yxtX5rfxA2AKKSrWRk\n24YJwTw5NxeZAreoXKvGwBl7PB7gSpkRK78mpgqCmq00RtBio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPGlrL6Uz4svkgYTiaMXp8yteOqBMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAp+QGgJo+J/SSqyJPg\nxbvYnsqJT1Zffhv44nsO8bRsugIgTBOpYCZLdIcZXvuRU45VCxPbhJBVhxhjG6u6\ngGy8dBM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUP8QJFqMnFf+Xsy3wzr6GihaE/LowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbiYWbNmlPStmwewK15XLpludsJW7v1txEAqpI\noXiZhDAHSP0a4n7sN/KvhtwjBKdoPpmefZ1QY7fkJSoLZ815o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUNgXr+gigIg1Yzhmb83rQixzMq3UwHQYDVR0OBBYEFNyu\n8uOo1jb9pOzVBLIJKd1vSaOPMAoGCCqGSM49BAMCA0kAMEYCIQC1IFX+ZjyUgDUV\nskfd/V4VVgYmBxd4J6b+PObLJmzNiwIhALH/clgQNZMlI+rpztZHU8RxJM8a96Wi\n3clfmq6i1u4v\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUWHr+BuWOV7m5K7nLRd4C0hD1Vw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASccs/uRZBnyiwoJuIQdc/fLL4NMt8vtvF3oqTa\niX0iYRDaUDWX8T3FisPaEzuamLGDvJACIyIOD00SsEGoEKu0o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU8aWsvpTPiy+SBhOJoxenzK146oEwHQYDVR0OBBYEFPpx\naZfCge0HEqv7MkBQgOAWXfRrMAoGCCqGSM49BAMCA0kAMEYCIQD18ixj5hTQSVk4\nl//r8OOM7THb6ugH+P0ebVd7m7BN0gIhANYa8iWQvQQnkc9RYU3OkIZAAYnaoEjh\n+H7UQiy9a6ac\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUL8XaQN8FVrJ/d0TFR9QVFxSKvr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIrnfw0H4r7ZUkjjRUHdOJt8Foex0rQgahoDbFEIhMNx\nP3dC42vWNEh2YKLrqGGCIe0fQCIJep2Z9m/D7HY4aN6jcjBwMB0GA1UdDgQWBBSt\nwi1LCjO2dW7+SJhswyt8KT3buTAfBgNVHSMEGDAWgBTcrvLjqNY2/aTs1QSyCSnd\nb0mjjzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBoG8ukMfh/4GYtB42VuY2xCDprwucYNT5k\nK7brstbX+wIhAOghUD0dt1zmp6HPT2tXQegZlxWZ9Yohykz6xy3QntVj\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUUn2YamsgEFVMD/qYJSWm3iW3Cr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFRuRDZHmriwPQb6iRW1GcAdUGGkKnUbWLF91HHpjQbW\nRsTnzUPGgculVpxk4oI2H0twVEacfX917kyfQpuU8POjcjBwMB0GA1UdDgQWBBQP\n+niwAuQ5UvyLkJ4996A+f+tHBTAfBgNVHSMEGDAWgBT6cWmXwoHtBxKr+zJAUIDg\nFl30azAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+FKCXqdAU8LsUAnfkOtS3pZvJTwmLEtl\nFcBKvVhrMk8CIEUZjrsS/lQwgecuT96JzGTfF6fkc/jpnca7apVTn89A\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGAafTRHdf8QNxWSq35Q1UWKfZZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWJI5257VTzkL27GaFdYFBXME1nWDwpyj2zpgA\ndkJpSZ27DGlT96HvcY0OeI/8XpcJLvLrnxGJZ3avzL7AWN2Qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwzn0GAj1GNjKp1uKiTqNrDB3GY4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDkdCGyJUPE8ZVR/Ucboqskl\nbOcig/y8Zx21lgMfPTIxAiEAmCNPfTJoXEi5XzLulPmUJB7vdGJq17jACddwiHLm\nhSM=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUa1n0NE2SMGPuouvbRerr0elxCoswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATlWt1NUDJHVlhMsZedFzeROUh0FfcyjQMKcjzI\nqDfHwxEGbbVlWXRcE1iSqbR8O0O0w/p9UGtdXFLOePXr5H3To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBQJkLDUwOHXoJiUJKyKHspUvUpkwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF5+v95dkcc0gBafPZCv4yQe\n+r2zIXG6H2uZ1RjZXxYaAiEA55rVi7S/3byVEPT2XJL2THNvw9YfeK4KTHDAqsyg\nFoo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUWcHi309ThnNdY7ndho3jJO5StBEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjMbfPqqzgb4wpHhr0bNtlQYvnlzrIZfeSz+Va\ncLyrMSiu/PrYvrG/cJ66gogvE5sjPDuJSzpY2tjLhJz0oVK1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUwzn0GAj1GNjKp1uKiTqNrDB3GY4wHQYDVR0OBBYEFKeu\nP56Dy9/d9GAcrXaYuJKc7GTUMAoGCCqGSM49BAMCA0kAMEYCIQDP9945PdsQn/3H\nPbz3CFFr7oPvi97mqU06J9IoHL8ncgIhAM3l48E+mrJmN8c5Oj2P/Ng0Vyb8JObj\nu27Tit6KVIf0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUKlNbwY//vUp6KusJ8sHY4ZhXf+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARfl4eA3a8rREN32zwjdS5Gbwa4fqDVcpHkE/Jd\n9C5mmIqSduKFWFPRNDmEbXfpdZIjItBchc1Tz5U1TvAARVYfo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUBQJkLDUwOHXoJiUJKyKHspUvUpkwHQYDVR0OBBYEFMB3\nCSM9S+dhZGnLIIitNpWAj9LLMAoGCCqGSM49BAMCA0gAMEUCIDCMOgQMZ44aIZuJ\nKRN0TfokRCrAJ3DJXwbyKLfHAmpuAiEA2IuJ35UUxy91tWNk1HTuxKEhxS9KAW8X\nUiXRlskWOSA=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUP4JdI41dCooWDp2jqfuf8gOYz9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIbIvO4QDQP7L1U9TzDbysRzSGPK/LOamuAv6y\nycscIkc27uSlCjSXIYJJA4yLS1n9zPSJEN3TtNu1YVzxCmEBo3YwdDAdBgNVHQ4E\nFgQU5pit7E0UxeuJVdpW2bWKn5C2FS8wHwYDVR0jBBgwFoAUp64/noPL3930YByt\ndpi4kpzsZNQwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEYP+3OugGz5msSB4B94cc/a\nbTsPIIjRdnTC/Lw2o1ckAiB9M/eReaaF9iWO9IYfGizjuZ9sT6AldLEz1NQW7OWo\nUA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUYi7VnYgGsVoToB0qKZ8NU3LkOK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7xz3ehnJtZ27JTRkSLL7iCwpcLy6bkDoS+DzP\nbiy+gyzFY9S9DZzXlblloa4Yc9ykFO7tovkaLaisaP6LCL/4o3YwdDAdBgNVHQ4E\nFgQUmaxfC8hwSGZcaH0rF+Agkju7GxswHwYDVR0jBBgwFoAUwHcJIz1L52Fkacsg\niK02lYCP0sswCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA5Ubm3lPhzqmel081FMCNPu\naH+yV2lphKW8VavWDjdTAiAjfDS7s4QdnoZVF62Ec9ji7Arljgo37MV6nmE2P5qA\ndQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUIGWFwkll8+/1aCoHPjZTJTFbbcEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLpbG++AJnqOHyGLZtaS+kvsaDH/tDoaHdC2ZH\nb+udrAHmPRI2iNWol7JUfWHC1rDrbPVTd5uKEvCU1tAOL6nCo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQSld28QDrmt7gikRDzb1gLPYarTzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAt7vQRLATeRb+AxTvpDgvdlA33uTeCHvy5HnLNKGxgH4CIQDjYdm8DCLjLP2h\n1nzY7cVMV7EKj+J0ZZDxbFiVvkBT1A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUFlbJ06AQGr2gmIrc0ovzit+LSX8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT58pW3NY4ugfwOl4PEex2qmEpxJaun4/5nRfVS\n5FG1ss3JN1H/9TGJ7EixBxzijPnRTmN4n9IismrYK+pwgCaao4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTqionIgJkMJZJJrvQOY6JY26w7SjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAzL/1n0Iv/Q3etv+8saS/kOXeev9Yl36yg6AO14StFJwIhAIvKk7NVbSMc6aqE\n9KYj7dRX4h1EioI+KsCNSiBUNHnj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUdoDWUjESnPffNqzJFvjt9PubIrowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK7lXrVFwJSFasfALa4/DVmfBugWw3me4bxdGmWrELHz\n36dvMseWyk30+vu+yT4CJ4x6iv2G7Gh3JJJH7/dyRQGjcjBwMB0GA1UdDgQWBBSF\ni3IhRKyysWbfiM4SAcQgouQGPjAfBgNVHSMEGDAWgBQSld28QDrmt7gikRDzb1gL\nPYarTzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAirSC6YRg5si0HJ6np41UoWAiKepycrAJ\nbIZ29SgRsKoCIAZmQmYi4TIzYqgBHBQB9wUj7io6oZ9CBpoo2TW6S/dJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUCNw+HWKgtD4Szb+Vqk3Qg5HnDmgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJlCIwVJcNN0d0/rvFK4BnMGJbEhrXOBpH3hPlDqOeRp\nTKb5NdX16HydtD1PhakVdU5WmM+k3+9BQe2TlKHZNvujcjBwMB0GA1UdDgQWBBTd\n77L6MFqqKZSn1/pbjhpFlNpqJTAfBgNVHSMEGDAWgBTqionIgJkMJZJJrvQOY6JY\n26w7SjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBjvvgX/4ogSxGLqxrr/T+K6RRSJkilZGfz\nVRJ13v1IxQIhAMnrK7DGFcZkdHhlFruSbClaUaYdhgaZmOVeVqdqPyTo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUArg2M/GKtUU7l12GM8S0Ocin9k4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATB101ArAAx9MP36NtWG4XbgFW0Tu3NdAhtSlHf\nIZyJ4mPrLKgoyUnOA8JfWcUDj25qucovtawuTCPxemrQS5B7o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxAhRrNY1FllPbBlQE8kEeAL+5qMwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCICqmFw6HVdlifhyAXHXd6bKNJY7P\nHBcvFwkB/Q70GtKRAiEA237AlNi7zI0CA/aaPscTl9yePXvICif6z7vthhxuxAE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUXAdpkTvPDDb3Cct2dfypm1R0keIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZTMrSloi9eCMNcI5+FleciSP2TPEtQeUYRVEU\nQNaJXLZ9rKtOJIXzEty0TpZ/+aBqDK0FrLpMLsTakCkFrHvqo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw8X828Cp5OX+vIZEmPfZBsfRSb0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIGfEY7ExC960ZCA65uh2n4Oct3ml\nfh7QDJ/kccx3flftAiAt7k6RuxuYLrjPN21O6ZxzW3zRUudOxVGvuh5pEEiyDQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUPPpzIJur4xnEQiijGfqxxqDi4icwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFablnuBGD4ycGXnZSX0LMVTdF7h2+RsUTweTfG/Kc2e\nFf9ZB9X4R/ls1TlD2aVCv9qA3PbNWt6+iJ2003RvilyjcjBwMB0GA1UdDgQWBBSK\nqLKFawz6R2Oqi9Eongo11WNmlzAfBgNVHSMEGDAWgBTECFGs1jUWWU9sGVATyQR4\nAv7mozAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB/iO8ia77mu69nY73TWYUzHtv6M/TYvRWn\nIGpFtdwpBAIga/GbNMr9jMJND4n0Gn/K2/bT6fE1PY3DWkHeArEzxMA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUK/qzXApkwnTKavLyVp4kr6ApVwIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPFnigdukoCIx0MWmRLs3ewHhCJkhd6DaxpYDFp3fVog\npenju8EmXQIBDaUKPguE7kVFO+WkxBeVtJG9Y5GbpFujcjBwMB0GA1UdDgQWBBR3\n5poy465W+YomX5D0M/U97TWiQTAfBgNVHSMEGDAWgBTDxfzbwKnk5f68hkSY99kG\nx9FJvTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAwTKWw3X+VIIMtlNr+sOumOhtLhkGSzEZ\nWoM1GHfExiQCIQDTNFvQ40XuzV5pVyY6Suuq1EVMFZgzbEJhQSeiO7a8Kg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTYsWVRBOdVaM6swBIVcwxSan940wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiL/P7KbDLHkxPmSrXDnEYlMeXVhZ4DX6r8lIi\nOpncXbtFV6/Rs/SJB7Nm+Vi+/x2aP+OaAglgrXqkm0c7x5gRo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkqlNNXXWqgsTgkapU045yjvn/lYwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSyZRPr8IeIVCnpwAU1o/\nNoz8JJKfCW5h8VcR1fRnZ8kCICaDtsKVTur7HHcY/eBj9k6XdXEv6KNWUcJ8d4re\nA5/2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTd/Jo/c9JAdC3BC70TP5q2X6k1UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLFeFDjduYShJA7XOLRE7hIt6tLGqqyO8hRqY5\nUlNz5YIRyy7xXDV1tsNlcVizEzdCxtP2CWtck9hzRDpgWCg0o3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FWgoKT83Ph7gkAX6TpRUR7iZ10wHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgDYRMhZDmVps+aoNMnjyi\nVKl7FYhPfurk1rCsN8EnS6MCIETSsIRQ1ob5vB4if/AiXUAB6zbiPB1W3tLRbj+N\nL8y0\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUadsRQE6jRJeWvcmbmUIGQ0VzFZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKcw/WSz9BV+UQGqRIdVzUSfhQzxkkQOAHPNaCiuhPwI\n1UFVJJWCfd4GqCqVqnOCgeYDWuAjWNTUOd7lO6cjuYGjdjB0MB0GA1UdDgQWBBTO\nMOTkFGLOTfyHp+fFramTpsq2ZTAfBgNVHSMEGDAWgBSSqU01ddaqCxOCRqlTTjnK\nO+f+VjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPypI9XWcsqCF0jCexRu5OlonzfY\n6zTtxdPYEWVWpiskAiAWKxT+Dy2uxFA5oGqx0KakuXRe5QtYsTE6++jtK+b0Hw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUGRSp35BZcDxw8KwcD1bGL5kfe8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO+E79I+X8qJUftE5Qt1pt7H0G2O1rNzBESttWXGyuZ3\nA6N7S3OqUu+FTXsqhGgLa1E3EPaVwZkJYL/Lzyi5+1ijdjB0MB0GA1UdDgQWBBTT\nNf/CA2rD2bZJtalhmc6wbh1xvzAfBgNVHSMEGDAWgBT0VaCgpPzc+HuCQBfpOlFR\nHuJnXTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPrmwZ4lxXft/psIJYadETMd7byQ\neXNcn3QgjzpPRJcTAiASS2qL/s2QvYYfar3lVRJuC9MakugFs+qtUaDxGQ4zvg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUF/L9DhzYL+KeNtGrBGNefQFBkOQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9/WBrG9u0CvFKhaSu+RGg0ooTFraemZ8QDEB9\nQGD7szo5BhRmAbzc58qBUK/Xn8+0o89qti7a5onaT1coValJo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnkMtiFgFbDH3B2Jm8wtqoyBXVi8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgZueR2byB8b3VDyiM3xwELvwgbSuFaqlw\nOUZnURFIUh8CIDCRtWj9y3O5NSlU1uq3O+x9/NyAYm0AU+DKgiROpRT4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUKX3dRm8G3adDEnSlPu/EIA13rXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMp18ytxDRxrYIyAVZGD3KcYEBodVQx4gwFlbh\nhe+uzBPn6eE+QZkuWb2pSUReP31bjmzblx9VSbpQU6w6IKCso28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQQpROlF5pVjX/3ZTCYyRctnzppYwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgXLXdpjYWXc5NT398fjoyYLCSyXlz9aYA\nv5jZ4XVY4o0CIHTQL6Da807l7U3SKohbrEuv1Jifr49bs/Iy95DhRQbS\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUfbtIIf3aF0oOv87t7UB+6Lxjps8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBktk7RoQLJUF/bcqKN78hO3zatbY4bq3KHoUxgwg8gu\n7bFAnXAWnNWa+7neUJg7fnqZeUDmqRCUJNFWKtaogo+jazBpMB0GA1UdDgQWBBRM\nPm0lEeKlA75HeXyfe66jYuVCTTAfBgNVHSMEGDAWgBSeQy2IWAVsMfcHYmbzC2qj\nIFdWLzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0cAMEQCICopDrL0AkCQoWrL5rxwNyUif+LJdZToInmQdIwyWTbP\nAiB87Wx7GiqdSLXqfxZ1EIBRyYnzeyPREpqzt9tTpy8zMw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUAo1Z8AxvrLZpCZ67mfXKBgpim6UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKuEsJk+SEGAGaXUdivjwLr37JJu7QfPLiMt+iPqmc5Q\nhZGQckTWdLv8ko+TdfGKd176K0M0dGjv+11L7fadzNSjazBpMB0GA1UdDgQWBBTG\nMWx+tICBsNmPXpNtnpeZJDMbpDAfBgNVHSMEGDAWgBRBClE6UXmlWNf/dlMJjJFy\n2fOmljAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0gAMEUCIQC/WvkJbFI/in6+nWJ2Gj8mbkZBSzfz5FkqJXyF/yku\n1QIgVrYkUqGU/90SSrnjjvLK7KH8+DeBRshbPHixNHem0Jw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJHzibaJpvhYjDKwVkuucbz+Bsn8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASzhIQUCe7hDeKi0h5oocLr0gDZMT7vXQHXIu+T\nzutviYMuUkHkVMVMNA+wcSTNaxyGkP7yaUQSbHlx646vn95/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWxEgIWT3P0PzA1rPw6CL0VBQgEYwCgYIKoZIzj0EAwIDRwAwRAIg\nQuFWxrD4lWH8Z0zrBWBOriiuVVr4zTn5WeA2EPV1No0CIFVPXEWwyhx1VHW9O5Gn\n2NAp/OIS61KbcmDGzIDJNtTR\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHmhZD1aYmeonpWrVTFGlg4olyJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqYf92YbXYSNy8lZHanOVPb+peDq+bqVN8/q/W\n4aMycedhOPznSwpbE30MfizQA65RuOdsoa3CLeBxkDQZH4n+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURagitO4xVKJeOD8hP3rX9epG99swCgYIKoZIzj0EAwIDSQAwRgIh\nAJnx+IiYKYzuI0fA9CYU1C3M7bzZTgSGZmO0dG9DN/rHAiEAlCsu34YreRjaudtV\n3Oz38zRW0mJua2sIyOvNX8hVlkg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUToIyja+lsT8xjCe1fzm196Q5LnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIP/1vvhqwlI9L3k2LvNEmyCIpbJrWiRFuD6BW8+Lw+i\nBER5Y1fB2VnPq5vdx7H55rmx3ul4gQ2T257j6C57AUqjgZwwgZkwHQYDVR0OBBYE\nFLE6M60oRh7rCXXyGKM1tamWYdeoMB8GA1UdIwQYMBaAFFsRICFk9z9D8wNaz8Og\ni9FQUIBGMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgG7G/siF7mVgqcraWOWWM8ry54/VFr0ZThcqzaxJY\no+8CIF/7a8zUIQZYzemuKfjQyEgxToL7KPiXpjSLBY8avidT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUTjRf+BdB5MUeOv62roLe5vmJtaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI8wQyP3D68/iZ6FX8qEgRgS2/MtH6ltaWGj6LPZ5tgx\nk2rnaZQW3ZcpC/Wo1v3C+viJC/+8+V+pQuv8mqAPb+WjgZwwgZkwHQYDVR0OBBYE\nFD1HKzi6jMaMsZQsimGFcVfwMIP6MB8GA1UdIwQYMBaAFEWoIrTuMVSiXjg/IT96\n1/XqRvfbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgD1iBWWCb34/gJ3ZsFJF+3YaZnqW/VTSD+TlyV1bq\nWwsCIEoOtydVLL0t5VvtQZ5Emc5kDvqx3EPJQnQtIaPTjK+R\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM+y69b3fdtrOOFoviKq/9EgSOicwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAifka3bBMHScPqJydlJOpS+MmFFBuv55UhTXR\nmSd+Jk2+/v5xkJo+aVxI3JB9EM3NaCe9qxCzITAAeVL8jyOdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLsxFWAf1m1xqhmUQLs+MqHEBewwCgYIKoZIzj0EAwIDRwAwRAIg\nNBSexkBEKvGvkFKRCOWWg9iHJwWwYaPMuu7Xjid+8kgCIByYjDJhm7RJztSJNq0W\nNDHRkmwHPh4ClUWUXtijCe2e\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZ6jEFxppWXbwgNguvl9M+YAdcEEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLqG/F9IvzprFw+AZCCoOfZR4eBew9NB9rWV/H\nH5lxoTCEihmirBL4At9T0RUyEEQn/8+qe5Y2PJLTRdcN/m1+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHg0LXiw9wkJKgCJgTPSUqPoNcRQwCgYIKoZIzj0EAwIDSQAwRgIh\nAIxL8ltdpHvpzCZQ5fBuMZ4z+6Xj3KPKjh6mOPI5oyfYAiEAzn58i7x0YwR1yfw3\n1/XdUcLMAdDxVpTHfb5WoN2sCmI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXqgAwIBAgIUc0h5+iMmgp9jg0nNWxV2W4PcGaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTn95DsY5aaUQFT40kvcTHWJ2Wp/K9QJEXm4a3zuZYI\n/VDW5FHX4L/u/YqW7XvBCSeN3Ku2r1ztY97gaGUEODCjgZ8wgZwwHQYDVR0OBBYE\nFG+MStkoOIdj78RQ9802oR+R++XaMB8GA1UdIwQYMBaAFBy7MRVgH9ZtcaoZlEC7\nPjKhxAXsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDSQAwRgIhAK7QWfLveaF1SyQePheoAs8FeBzbw6EIuZ7P\nEMXPzuctAiEA4oTStT1Ax9ZgIlebTz+P+TjWAjKmfxeYPNc9AURXGP4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUBjdbrvc1Mx7upFSntY0izRdybqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGdqj+LHFHs7fmBuBvgUfUyTDtF7MweolJlYOJVYZSgx\nzcAtMv/qHyakIOWFqDSpeFbMiM2jQxc4an+mPo2YNRSjgZ8wgZwwHQYDVR0OBBYE\nFL7vTIg1STV43VkRYohs9lFFnYk2MB8GA1UdIwQYMBaAFB4NC14sPcJCSoAiYEz0\nlKj6DXEUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDRwAwRAIgRd9kqxTtGwZJgSHvs+Z3DCnFRoGAIIxSTsfF\n6nh6zCwCIAv8g3X+otvzkVe1fBRssCXyKM7XJan0eqeQxpn/pXAD\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ++JSjA37E1KeK6vccF+0aV9Sb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq0gNnHvWfjGVEmmRuANz4Fbl3wu/XWFKYi7ve\nT1PtJCfpszhuS6opfiLbLLZAHQErWFDgeQTgblDC3CkHGCODo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg0/893pkbkEIk5ly3QpAGoqyfgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAJdhc8s0R8hg14sGnyf+dOEs7XYAcxviwKdEmMUNoZdHAiBP+ensSneLUr27sPcB\nrqUOP2x6mRQrGkwK50vTAfjmvA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPlL+4HYpT6erguYlhQ+ORASN+uIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmM5sxEPe4thfULFP+6rpBC13H0Ai4P3MUaZyb\nxPGdz0m5QXpDLYUYnRzhG7U08UrJ1pLt2nAkoxaUvR1wBAToo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSjDPX/eKNjJm35ag90+wlMW/EjUwCgYIKoZIzj0EAwIDSAAwRQIg\nFp9otRSwOOr/o3RCHUyyGVCiLesroR67NgxIOVUkhGwCIQCbJ3Z44ygEcl1Bjq3l\nyQEps2NF2Px7KHRIP0kG4+c1UQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUMxr4+2bBPpKuK6yhFQi5xGa8UzkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBbcPBP4h\nTwmtqSVGMyqqhQAFTz/RNpo80G9v3obqgotYg9GwDpK5YAS2X0/e6HYXqAKLTZGf\n3bNLqgYoeNCF/6NyMHAwHQYDVR0OBBYEFLBMgTi6kdFxty4E8TswFwg3gwvjMB8G\nA1UdIwQYMBaAFINP/Pd6ZG5BCJOZct0KQBqKsn4CMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQCVbCRR/KdBQtiekL8hT1pfv6gtvRMKS8/laWp4F4FWSwIhAM2OMsetHm9dazUM\nPQNpHsTLBFtXW7/4yHwkeVnTp+QY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUFa2hYlCY3RpR30qYPgGN4Wn9AK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE28VXFoD5\nGsKHIAtqSe6CM5RBWAbAqj8rTSjVzaTgguyzgD4j1zYhw7dosbXjwNY0cCyfBgMF\nFqCmmRwMxKx8xaNyMHAwHQYDVR0OBBYEFFLBsCvxGvuz0bxk3dOQbyLYPH/oMB8G\nA1UdIwQYMBaAFEowz1/3ijYyZt+WoPdPsJTFvxI1MAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQC4buh5GgPkYhboSjpbI2mMafn4hzpo/brlIM4nqOvNQwIhAImuO1TbOnwrOPc6\nyW+W5BUBbnzAVehesmPxgrlFyzge\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXdwl1IxMYGnxDWf849LYDyoVVPcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/M8BoKG3V69DFtFCUgiucOhgVTjxFLUwUm8yR\nMUEuNbT1RoddCFW0yjVIH7uB8lQRKNm5aXFktsD5AlFDaiBFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsIM657MEuKsuxwQfYD2nDqsmncEwCgYIKoZIzj0EAwIDSQAwRgIh\nAPUqcAAkrV9nOpJ1sST1Z4LrjoJX1A5uXQZ8WzRHP5tWAiEA/reOfuZWiYIy2NCc\n46f2wKMq1guJ6DsgD8nS8h2zdcI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURetieI2JuWqclD4jxssgxZDGWMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATedMXSl+vFRLvvi3MjKnOTKUy1BzJ3eUCXuSl8\nSQyBzDSHCnxq1B3ozRokdM8QFJiHRbAEE8VEWOW6+KDwNP9So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjTrUxOO8zH3hHB7iHG8JOqPVjawwCgYIKoZIzj0EAwIDSAAwRQIh\nALCMp4Yd3vk8fp4gfDxRuA8nc0ZMXC7qDPVUtFEn+DyUAiBFEZQ+tQWdEdexhad8\nurk9T9lDwdoqqr+0OmUQYXCMZw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWAddUrZmkQcqAwFMvI9MS2Ov+ZBie8DAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEjZwZCrHINRvmbQHyz4VlUlkuqEtOXeF+wRDZBOKO\nPy+uLwZ+7/0k14ap59xOi22BQ990YyRBRA95h5IpkXS8taNyMHAwHQYDVR0OBBYE\nFJpwdygmqeVHFu+uzVrEnm4phrFhMB8GA1UdIwQYMBaAFLCDOuezBLirLscEH2A9\npw6rJp3BMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDnp6aO8WA/wIshcPYEeZIG3ZAGb8M+\nSYs0CP+unwDvyQIgJU3t0rq2Xz0qPIqElN2FIGPxOikxTU49JTERCj4/Ia4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWQHb2ew3AiMPHGQqHkPYJ2rXGKwVa1jAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbjYRbG/imLbQySA9yGSouxWjTyKj1GjSII9w17n9\nkogo2BcEn4ATWkGRn/RDwl+TNRVIvdeAYMVm8iRHpK0CzaNyMHAwHQYDVR0OBBYE\nFG9ZVSqqq/HqC9gKkAnRr0yW+ClYMB8GA1UdIwQYMBaAFI061MTjvMx94Rwe4hxv\nCTqj1Y2sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC1WYYi3N8BywmnnqTlTUxWAV5nthYr\nVZDGAm6Phy0CSQIgc4gpeeRAms5tWFyRn+nwX2yDHxXV0mZjxDtixEmoxZk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,31 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAtd3V8rK4hLKT9fu1419AZKpF9swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQwqkscK8C0q/o3mIPIewHcEZhhngSWV3gP023\ndFbzPphH3lMEaoNZKV9UJx37OsQ0hcJCqSpIfBoVyDnnhqMio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEZUiodRGIYcCj2jMnjH2RTQEkwEwCgYIKoZIzj0EAwIDRwAwRAIg\nZVfge06JAcN1d3dgQttU+shEj7WK9Em370NB1bitIgICIFPELEFrs89R08Q7LkgC\noHfsQjLkKM2QBu6cP8Udm010\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOZ2Zpv0Ilu5GVVV5WbfTfgy30TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS15auIg5/wAmV5GJyrScdhe/CcV+GGtsOPLDV9\n4T2wfbGpkRAlAx7MqUpM89FzQfZSePBfOf+0lSonbPxjY+aqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNX8NI/Xp7toDFN2sG+zDo3y5F7swCgYIKoZIzj0EAwIDSAAwRQIg\nDmISFEt/2WWCoBjZJrEYk3/wnsfTyT8DRg/Oa46F7iECIQCNz4G1Bp1FfL85CZa4\n0NsyQMtoRLzQscZSzw/NG794Yw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ948\nXOxCSNYOHPdc/KJSWlXG52K2/DM9fFM/W0wDmrVl8YOmYpHPHj+0WGvbv2XOPf6F\nMmo+r6UFRz0cEz8daqNyMHAwHQYDVR0OBBYEFPDJkejCxNBRgDIrR+RjI2QItl9V\nMB8GA1UdIwQYMBaAFBGVIqHURiGHAo9ozJ4x9kU0BJMBMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID1zIQhJZ75uR8YJ0+L9T351DE1HLm6XtTe/2IHjYY81AiEA4qefu+feTvcO\nXSVjqV+umkkaPQu/G5bd+Utk9F/lkK4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW03Q\n7NygG2MZGZqTHWGDG+6gDG82y37t8HOn5D4439MnXs1l1tasohicquG2sois7OT6\n0yMcEJSOKD/uTmRtXqNyMHAwHQYDVR0OBBYEFA2lKD2qleZJmLJsJzK3UG+WPORg\nMB8GA1UdIwQYMBaAFDV/DSP16e7aAxTdrBvsw6N8uRe7MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCzxyEXR531QsQDKirdtqfZ1M+n2tHBz/K74Rlo2nFv2QIgKRShMeZKVlvs\nGitXDsVQ96xvyPS3s4Rv/gx87QuMLdY=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::duplicate-extensions", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: 
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTA9KS7KHTqewCe3w8chnYl59z1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaiJt8dwzpu4DeiA/MA3WXH/n+kY1TRmp6WlHW\nirc59wa3NNAnsmKkzl3qURJ4KvSwDXYFDWQyWLslWXTRnZHho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoaYHqC7wEVPoNdyBOjKp9u5sktgwCgYIKoZIzj0EAwIDSQAwRgIh\nAPswwRBZL76E0zllS2R7tb4ciKfbd3Cc+V4Hsn14nqsPAiEA4ELM7lHbWzQtGqq0\nbf9sNYgqhKIbV1Pb/Ct+tebpOsc=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1zCCAX6gAwIBAgIUJiXozw6zCsMAEVIUX2nlTBXIR60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIm1rVHNKDg+P+x1C64QkEsuam+S534IOcLS2tYDjfk0\nG0C60vRbO5GyHfhf8/zzV61+8rMLfFYiK2/hRQCdweajgaMwgaAwHQYDVR0OBBYE\nFB+65bo/Ccb1JIpKPg9aYOYPkAOMMB8GA1UdIwQYMBaAFKGmB6gu8BFT6DXcgToy\nqfbubJLYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIETrMy6gQAl/3FFtxJz0aRt5NSpBJMDU\nqM6TpyTiVc0XAiAjsd+3eosOARCC0qZrBMW+ldWcMfSmMPS7rr9rWvcS4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1220,10 +1241,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMIVjNgU7dmYFxwqu3FLJSLJT0howCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQKIfdkSyMlheRPM7P2ovNbV6dBy9y140InUZI\nkCrMlL9Ku+plB0BNzyOGXP10TdpeN0woIkEGW9ngx3o0hU37o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZqgJIKZMSTv/g//k+9zdmQwC5UgwCgYIKoZIzj0EAwIDSAAwRQIh\nAJeSMVbHxanP45bcOav9CgBFJ36uUEZo2SeZ7RiQ5eLgAiBlapduWOtRyQj2oWBy\nSdujgfkncDgvOL0BhxnqCI6+2Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfbF+7Xe93vtJYB5+j62c2jy4eY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEQ6gTBr2QMrFkuq/PxoIyIRrr3uYZNcUZ77AR\nzguMIE/vd3XblkIZWs+RJ5hxgMQN5cInNcFkm5jkELIBQKqEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaVhnbBiyFvn/yAY+JZtNovHSQ0gwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMbgwcYLmuTVTXJiUQPJdlcXwyyf1BpZYIl+f3d5MWxAiATjgaKHAu8bZ9Ge44R\nua1zIInMQLklAxPDvKjg+VCgQg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUBRmbmhf78g8U1LvqXzAq599ikrUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP9csw+i+5W1klB+w12Lv7TdqzTdXAo3TYbKpVHVGpbw\niR8aTvGbC+vLWMZ6tDcJyx1D6aeNF2TFF4a5SX/A+16jcjBwMB0GA1UdDgQWBBRU\nWY+qviX739xc2T9/LkaS48T6nDAfBgNVHSMEGDAWgBRmqAkgpkxJO/+D/+T73N2Z\nDALlSDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+8hmobA5lVgg6jW83ih6nOvRM+/6Fbk/\nrtDyNHUtRu8CIFU9Vnq/MgA+JxF5TBF89jGxEzEU4nyyakM+fbhcCf4g\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEhmfufjH8fM7siJfAtXbCbeaTpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVITLjN6wK60iEtcNvSX3DQ5XkM3iiMU7SnZBz7rjzT\nvLhJ/Mhw8UnrRglEjQ8iGmX6/7qH1r7cJIfyuxOemyyjcjBwMB0GA1UdDgQWBBSJ\nMlHXcfkHbgqi7UU4rIkL5hAG1jAfBgNVHSMEGDAWgBRpWGdsGLIW+f/IBj4lm02i\n8dJDSDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBewt5cOLEma6idfbbioE1/vBjQQWBeP8Xs\nDX7tvefatQIhAKIbaaai3M80J/iQp4xPRAeG1VscE8i38UiVwN3vz5b1\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1241,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXzwppqXPqNCJdnwoWC+NpI4WA4wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpVKyaVIXxJYycjnm2Wb8t6OJfUyfofq7gZdew\nEPIYfvqt1DryePLs27tHGdJhCrqB7y39H9mWl+uPKrJOj64Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFdqQeOTfVS1OYf6mBn9k23Hw2WwwCgYIKoZIzj0EAwIDRwAwRAIg\nY9Y1lm1ryD817ZJmmzEGN6mdwHvrp6lkhQxP1m0ujaUCIA4yDwJxBdh/Amx8BO92\nprHot6b4Oc3WO/ggx2yU0/0t\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUkiyzpmfLE5ve+uC0vDTYkOHWr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ9QBFnFIcI7sdLyeBo2+wT26qNrlNfoqamAxH\noQLaDbqfWBhbeGHivtPJF50rGvpC/McPgUzH7XyHHbyk2/bNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6iYxWyMkegnoZ+5MqOgXzffI0DMwCgYIKoZIzj0EAwIDSAAwRQIg\nMsNotX1ptca6etbLPEPzHOdVSSy6Z2/iVrvgYqwpBsICIQDkxw+qW2svjMBo5t9v\nZTUlHcD8f8uN6iyuhNQh69Fh/w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUfocQbUDFIqN5HIA7T8En9AUleGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLF6xAR7RgpzhM3Fx/jmRZESg9AVeqV9kl+aumblvtNB\nmPa7TqVlmLKGZDgQVc4ahK4jLiJlOSEzjmJK3irS6lWjcjBwMB0GA1UdDgQWBBTU\n+PDHAZJrBWPn9JmMgxLp/i1/LDAfBgNVHSMEGDAWgBQV2pB45N9VLU5h/qYGf2Tb\ncfDZbDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuuXHCCK4CvVonK42jE833EGEH9gb4gVh\n1z22OsoF6EECIQD7zuoqOKzZRzd0qiSPBepXXZDrIoJMAuGI5d0rVOBurw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUBljtBAAUlx9wUSOva7+aE6owd+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLLlJsFlwSs8Yr/08ZtaKy4M4I+aOwI6VsI8ltEjn07T\nyWxkSE/g5dvVwL8Tfl5EfQaZtxWQLvDGmu9uPqR+MN6jcjBwMB0GA1UdDgQWBBQL\noiGUmlvl+nYus0DLdn5/O0qn7jAfBgNVHSMEGDAWgBTqJjFbIyR6Cehn7kyo6BfN\n98jQMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAm5IoMx0OvOVddscnutXRwbsjwDSULihy\nQ7Bzwe5u2JgCIQCk8767ZjCc/ldxPrCOEV/JKYHfLQY53eUK4olFDX5yPA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1262,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUD63Uz+sOxBqNBiOKRmsMMsnT2WYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxCu/jjXcQofBdMVmr3dwUe4E7F4Dwfppl3FwP\nyAnZ5m1ZOG4GaGIDtC7hDseCZhE08R4xlxxfh5qIKiYymvaZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOCVh8dgGLwUd4mEBMupYONUSN3IwCgYIKoZIzj0EAwIDRwAwRAIg\nNBLRBrp0SowSSVs+dCozp3rv0A4oIuyPmhquHhY0Yo4CIHcOjJTQz95UGY6EI9GZ\nclWFt9NJdE0Vmvnum5YgTKN8\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYhFA4DdTtdrFT7HH5cmPVfbgZiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/ND2ocFSoHyrxP1C35b08Uy97D6i32GFbLLt8\njCdzlJlWOhZgrqIKmLsDAsY7HvhrbWwccOP/1hV2Rm+7+2yho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjVQWdcXuBDNrV8i5PCusTfxyYZMwCgYIKoZIzj0EAwIDSQAwRgIh\nALXVVzIouES6NZBA7UBXdVEneqfLxh6HSxEh+7YzKGRoAiEAo1gfwIGdqoSfclPW\nAcG+CAKoDDRIlNH+HpBA1rbE3qs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUA+x0qV/vv9pjo/VHIc4ZmAoEWmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMUPOyXyFHeqilvocAOE8baxrZyZWrBTooVAkPmfofA8\naImlbA1y1OoWPKdZOIzmMEw9qJh+Q+95ABnnQhpEAxijdjB0MB0GA1UdDgQWBBTa\nG8EFe2G8XjsZfXlvlbFFzroo6TAfBgNVHSMEGDAWgBQ4JWHx2AYvBR3iYQEy6lg4\n1RI3cjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJGv/kUfTghjAblbsi6/EKMPIq9k\nQ1BKjvBZIdCwRPUgAiEAvLA5+UOSDqaPU5Ke4k8QXnWjIDE0VX+YGxsTQl5U31U=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUJUpI+SZBe5NRV9msFZeoDEdGqBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAVmsVxO4FJ+Et7s50QM1VheL3lVtpqmTkqa/CqfZeZv\nvaJEBcI5/KqlfG6Wp7XtrCcmXeKYjinWNxKJOybKYXajdjB0MB0GA1UdDgQWBBQz\ntDk6cwy2u+hAHGiP8qkbOx/OKjAfBgNVHSMEGDAWgBSNVBZ1xe4EM2tXyLk8K6xN\n/HJhkzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKLuIbdIGkH65HlKp5ypgWRpQNAhp\nbmN/byYcMbdaX7oCIQDRcq7PAN7hkXMz/cioWSEmTlBc3bmgxzF4eaWorfo8dw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1283,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfVObq9C/Ontpyp+Xi/s6y0QDxk0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVcfmUIKJdg9qb/RTYBRxsJYpzZxmC1CPB8mwm\n6oUwcgA0fzjGxjWbPDVnbNCDy2ubW/p2LrKtF8je5ICvLTRjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfBAvaITZ5awyotnl2mRB9yU8/sQwCgYIKoZIzj0EAwIDRwAwRAIg\nCJG8fRgj8igF7Z7/3x9EaTRhDhlStBCDqjrBMvGVZtYCIGFbNYz9eDZITbuAw3+Z\nB0pZSQCqhQ7P8lUTaDW6Ka5m\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHq65/aV2kMXr1PuBbsv+o6SmSmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrHvvi/0aIYJ73LHRllorvXyXwR0FXPal0ded9\nLwD082fsd3zof4sw+QBpb62VbzY6fQi5npffUZG9RjFbtGeuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDicqs7rm/q+9TkZUqodEwHZt9AMwCgYIKoZIzj0EAwIDSAAwRQIg\nFA1SPHiC/PjrVjnSxvEVFD2AJG6ja7Kv6PYQi7FUl8QCIQCkZpURH5XZjmxg2sVe\npn3SegvVa2FiSzBspxP2m+s+fA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUT08X9XPcNuTHSabGwxLFXzyIOSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCnwjG4JcfKU2SPBeNyRJyvI8vh8WHiwPCx8vPOR46mW\njx3Gojo6NBZXWHklnjd7EtP8Or0MEo0dX40kbZjxzRejcjBwMB0GA1UdDgQWBBRy\nG3i4OBDQOsxrpwu+x2TlYGa2PTAfBgNVHSMEGDAWgBR8EC9ohNnlrDKi2eXaZEH3\nJTz+xDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBRohIlQQjfsaC4m7qQWj9cfNlX71BDYXjH\nvJW5XqW+qwIgSxko1AMHI1Wd6ksfzrgcQjCX7P44mT5NVtJp6xow9A4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUDm7svMa+2pAtsLfBySDYil2nF+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG5rij+BYMGu5+7LBPxxMX4sOmegrtK7aQ+XRILriNia\nYReYxiUBToJdD5r76Pj45lW1qmvGX1GBfbPU8bG3xnijcjBwMB0GA1UdDgQWBBSB\nRAJlnbR9/lQdaDxSf5qUW28GljAfBgNVHSMEGDAWgBQOJyqzuub+r71ORlSqh0TA\ndm30AzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1WYAE9Li0XX/Zc46wqImK739XROg2VFz\nOYPMfMR4SSMCIQDicSFERBveXI/hNybd8BWpDV0I+efwui0792vVaVRBWg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1304,10 +1325,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdO+CKUSf4BoDKcd8NPbu0306poswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2fXVZCIF64bWHm/TyBxnxOZ0P505UNZ38D4t3\npfqTbZVl4wntpDMgmXCsKFE6G2LD1jZ+fnQ0Y25vp+m6arl0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVd8pKxOgbPrjtLj+XoGXonn7RDYwCgYIKoZIzj0EAwIDSQAwRgIh\nAM+E3p4XpXN1c1Gag01ynF2oRVa56wxkhIG2dL0JFwQtAiEAinByUtpxfagE9EnH\n3qdd3Tw0si/Kxl2vQ5X/3J59rj4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSBF27mM8pMLG8X7xkRdPF/4gF64wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScrzJZmzp8t5SOHHGTKroPgMbC5z7M+yaxtc+U\nRx2Li6VME5QBoBY0BiM94VfkKds+v8XiTa9M1s6qw1loOZK/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/LUNxu9UH+b0YFySspbn3m/Cx6YwCgYIKoZIzj0EAwIDRwAwRAIg\nZIYt4DFx0Y/pprY5ii5z/J2YrQOCb4S3S1bwOohdOU0CIDQ/dKX+GLCbryAiMt7/\neQ6NggMQfyoquwU2Wb6fUrIK\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUaRfQ1xPZU0gsCPb2IaPRGmF6nMYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGPff53wTqaLQVJqeK9tbVSiJkj9ds9kUHW5sPnZaDiC\nwt8dJ97XssTf9KCvgX4BklI4+mLQRuUyG028975VpaGjdjB0MB0GA1UdDgQWBBQz\nlZ/IM/Kkig8I+M5zdwCqb+TnUjAfBgNVHSMEGDAWgBRV3ykrE6Bs+uO0uP5egZei\neftENjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaBUD2gX4y/57almwKh4U4uTB8ilD\nnqb08+QehSV5DyMCICUTq94LH0S/ftRRA4TqmdM+UoduoosQNc0kAVfw9Uo2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUezgj57uhK3CJ+PKhY2YjcuRLj38wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHHvqUc711hQelrtnYtDl+oAqAo7aCpBewy8i9zhAVnO\nYh7zX3RNwO0kRMdYyW0WnEjcJKN272vYw8MMWWk2p12jdjB0MB0GA1UdDgQWBBQZ\n2vBdXNZQZJEcDEawyXX5uYsmhDAfBgNVHSMEGDAWgBT8tQ3G71Qf5vRgXJKylufe\nb8LHpjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgE3Z/wTeIcyBJ9lkv8G/AeZu0vv8Q\nF6hTuSuujUhU71UCICnjI6H/4TsjEiGx3uM/tlTsPZ8BfE0NiISYZi4aOhRE\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1327,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcU6M7IRmAr2eKsonGwMfRz4uuRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfzaTP+bfY6d1GhWJMwNPqiDXZxO0uqLkJgtyw\nKfvHc23i9sOHed6yKxdGS4seSkL53sTdxIC1faOr4Z9kceUAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP6KHzIifWbaHwBP1bzsAc0a3kwowCgYIKoZIzj0EAwIDSAAwRQIh\nAL3S5s6Oyn69jUs2P4QDV32o6aHehIlQZ4YtYo9bElw/AiBHkZG21ItHVHCz0Xbj\nFAFqnRw8PdbGf7dSBMPBd80rkQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUblvtBxadNet8wdU9Yvfz2cFGsHIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwaUMPKoibp0PUdgRIkipKZtEvg53Hi8DHlbHT\nepsXZOcuvUbWpm0VASTTRn9pMhV9b65SKVKRzdwhPm5QxoAMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhM+Rx628TPT8B6Wodj+pdbU3EZQwCgYIKoZIzj0EAwIDSQAwRgIh\nANXOphBIoPxceU00bGODI+BavMOff9jGVzzTYldG3eW1AiEAwrhm5aSmsk+NGexp\n5mSSBsz1mxVmjJep/NmAw7bpQSE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUZQFL2zM1D13rnEzlIV/nWYlaoeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHATvzvUZT0mHsn8pBkifa+JZLqp8dEMXGpbW+N8hQjm\njVzpDWxuJK1Lahsavn6ozZ6w63WTS53DcfErY3fh1n6jbDBqMB0GA1UdDgQWBBQX\nolXMTL5DPcbohISmQ4G1XLkMTjAfBgNVHSMEGDAWgBQ/oofMiJ9ZtofAE/VvOwBz\nRreTCjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBJuhfqU4ihnGWI0aS7D+RhOFLp++YC0JA7Vh/D8RMC\nNwIgCD1RTJBdld4WHOMk2fK5++APDaY0oZynAXeaY1k2tDc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUNZbRfiwlqk0MCUaqPVsPEIED8QgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFGzJyJdDyv+nB+aw6XEJemI5AlPMrnM3CkpFLGM3zvB\nMVsYCdvIcl06ia/kpDU2pbMyYiT8hJlDeUtjivU5rlWjbDBqMB0GA1UdDgQWBBQJ\nb/47CdrMHpHLuUzEcBIbxdPbCDAfBgNVHSMEGDAWgBSEz5HHrbxM9PwHpah2P6l1\ntTcRlDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBq8R3XW5WnpWmD+MZRNVeGwcBX19cHVawbJMkQrild\nnAIgMUKTExOh5nytlttJDzG6YXMhhVlTlUp91wjESnj3o2M=\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1348,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJYNHx3jhjVzSdV668Uc/OpeSaKUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXBFksmabsyWd3SbTGr135QaWb2zwywVIzUYcU\nNpytnjTqTfMaHBEBtwz6s7AfBk7/TzoyKgpCDBY9mIKAGzpto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy4e8fa72vP9VH4YxmXzGz8VS3bkwCgYIKoZIzj0EAwIDRwAwRAIg\nBwea16w/sUduzd7/i3mVis6y5vH7L+xj95lDNjpSaawCIHSF8axfwoMe0dzqR4pr\nIh7jMtBpSWzvDf0d4TMVmr2v\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURHAwtxgybfiR0pLeqjDETt4zb5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATt8OMuAyLjkbVMTbms+YQohl0Oa6ECHXfvzlua\nA6+MRO5KOcJ4XResH4vVFZyvyAi+ZzFS+a3BPTU6xavcJpLoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ggOLimxIVY1JhJ3rPKdiIIIfPIwCgYIKoZIzj0EAwIDRwAwRAIg\nGaBHjFqe6kybjCiEoLiR3e6Ks4AAK5TBKyhcnNPE3U4CIFUuvblbkCxgWv0YIU66\n3MoXXPhnOyKua+SG4LPJd6sc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUYDhhq7urGug9EbSxDbrEXH0u0gMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGZ+pY8ysYPN7ORCXNpRo73ItpttC+3SeUYJl5sxOVGl\nkyorHBa9PSawAoKG/y6KXck/NHHGyT5kMe/lrxA05FWjdDByMB0GA1UdDgQWBBRq\nPeFopa2vw5NPs8MDDysgu/rEhjAfBgNVHSMEGDAWgBTLh7x9rva8/1UfhjGZfMbP\nxVLduTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDDYLt8FODr39xwmnzvhHK6RwWuJykN1\nCdf8WgKLemJ3AiBRz+aRGU/f3pBX6eSDJhvm8nMg08Oa1HuaHT4vkfmEXg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUQ3WeFC3HBb3gEHAYbKEdLax5nFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIDcKPkzPc4dvBkf/nCSWEITwcMpY5xrBOis6vOhTNUQ\nzBzAw98TlbJuTPIqXIXSdhnv+t+rYdkWLzwWt8YFlOCjdDByMB0GA1UdDgQWBBS1\n0dcVAxlarichQW9eS05kpmk3OzAfBgNVHSMEGDAWgBTyCA4uKbEhVjUmEnes8p2I\nggh88jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAdCuRLcKS6Ah8epQiIwwkrpu8V2AD\nUwxQfsUSicLLKQIhAMXvwCnTzZTQlP8nDGVWxDJlObnPK7d0FakGYMbniOwd\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJl2R6II4zLHQsvbsxf8GcqguC1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvJzdkZLLBS8FfnFIvIlbGg6Tnso452+JPDsTi\noV9dQ5voH1XISWxqaxukKCVV3SF0lsm+Nbui8Xb+OCwtetbvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlPYasgGV+0FeoZ37fbPMRiyB1QkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIjvnbgTJ7wSXcp2Iy4DndVcYJt78aJZOEBJeSP+3ujQAiAz6iOpHnRsVWx2ld89\n4etcp0G39FVY2uWP1uMQuvDYoQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUak5BhDU3iMMUaUta1A1ouaEBwOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoA/XlMI9yOXHFkWSl/dn+rqumSvLi6Va27yac\nXBhfWFIHCzBS2oTp/WhTTMpk98AhUsri64iwaepKIl1d2EmGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVVODuE8rrUT80OnoGqq0VDv2ucMwCgYIKoZIzj0EAwIDSAAwRQIg\nN/WHs6xu3x1lcY8H4/jVPWpDe9DIfqFhaNz1ssH9TGkCIQC3MTGHzkaEyl9EoZh+\ntF/571rsMI8AIjv4/o8QFDN/pw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUWZuQgShD+L8HEsIb3S6nDdKIqiUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHAvm4u35D6I4SeLYRSojXBTbm8ZAXl4s3gof9YjFgoM\nBd5P5WRueYTNlooxzf7gktphZTskzfoAO4cF4AsRnGejdjB0MB0GA1UdDgQWBBSg\nYJ2ZOzjJQYaTlUfEPN9K7RKz3DAfBgNVHSMEGDAWgBSU9hqyAZX7QV6hnft9s8xG\nLIHVCTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAK932bzhtuL8hCAUkUSjBZCMOXtj\nUn9952HKpagvo7+rAiEA9ee3OyQsGlqIK0dYyK4SIajJXLePfMICQJGz0XrNLm8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUGm3l6vMuZAYQeL3UscAaV+/swWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJV8fWwb1guzDp7zFAvQk7kX7nN3B/Lt1Hwtd2z1QS7n\nMNVoCoDz52I8JNuCw3tNM/58B/XelE02Z0tuHuRVvNyjdjB0MB0GA1UdDgQWBBTw\nTQJCSiAvV4IbyRwvW0Esv8+CcjAfBgNVHSMEGDAWgBRVU4O4TyutRPzQ6egaqrRU\nO/a5wzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ7VCha22P/FMwZLdikR7BzMcyPD\nGKg6KCKvcxxxtFmcAiEAtjBVlwH/bsQEWQu2BFi53WZM2KAdqzTnpGswZy1Yp0Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN/GuPp5Siomn62KjlCLZKuJVrFMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWuWKAHCa2yyNm+Jz/mU6Bg7lfgTu8/Wm3pe6m\nhsL8T+r4BYB1NyxPsl0EbpWuOVwB0yFy81lhOoaew4oW0k40o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKZzPczC9n23coaBYZI38Is/qNR4wCgYIKoZIzj0EAwIDRwAwRAIg\nVFh917wUizKVWorVfFYqHwFxnBexAZf8c92qA9pMnVsCIDqIOFYvrkob//Uwj2pw\n9daGXrnS14h/bfdRjykILio3\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBCXTf0qF7Ja/sFMdikCiW3pC7GcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASo0So3SUKsm0KVR+604huilm0zu2Nj3CmR+ROD\nVF4G3u7kJfGw7R0mA/SkQzqfI6eF5RCC1ahPyy5j14HEAdlko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJqlK7ezer4zHy7fWws5nlGARecwCgYIKoZIzj0EAwIDSAAwRQIh\nAKaAPZ1R2kaQHBDSRmTG84fbcCXWJcwf4EEuJJWyKu7yAiAofCsb8FBOqnUimtex\nY9qa3H/+oWUKOwS17LU6qpBw1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUTQdPw9I2PdNUP2aT+YI7qMKbgs4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCT+mpa5y8KERbay308yH52LkMu8lN8yjXaB8IiuNQLm\n//Lze/tdUF/yr26MVSDoB/GO+KW3WgeHAR+ml+TpyuqjeDB2MB0GA1UdDgQWBBRE\nM9bqm+doQZ4hZXBpZsyyJVZ/MDAfBgNVHSMEGDAWgBQpnM9zML2fbdyhoFhkjfwi\nz+o1HjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBANGDoRukDeYYYSEqPHd2/fsuN\nys1pnTM1vCfTzZzPPwIgBgwI1Tozw8euDw3U0R0zCgvnWNIxfTDV6qXwc2AZoS0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUMF7qZqOjWLmJwEtYiJnSniX5hE8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMeSFYr280AwOatoP3GvkLi1Hu8Sw4n4DkNFpYZcj2EM\nVrjDj5srWltBeGKnYLbuPjjHQs0oEqH0wvZhVURWjgGjeDB2MB0GA1UdDgQWBBTe\nQLiiHCfFTqjUJ0R6ek20pc4yUDAfBgNVHSMEGDAWgBSMmqUrt7N6vjMfLt9bCzme\nUYBF5zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA76Gb525UEElZVQgtZeq+1mmP\nXGi/9nk0wcFfjq8QPgkCIF6S3onh4TllBkNTRNENUPNZctwoEbdgh1b7jILieh0v\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfw4Oft1dZvwk1u0VhMbIjXxUGcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARe5q06eYCJix8SuXogLLHGkJ39fek4WgD6LcHv\nX6y3yvpEFCHTEqGFv5jBah0wuuRsp/pg0V19UUhKhfRZzZAjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBOfgmzy9nIYUiGsZ7Iai/ljF4bkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJWIIPbyejy+4yaFxi5CnhtL0W1OEK1oWbtQtPXeVFppAiAQlG90nxiFE99mFh6k\nXK57CIF3QQ4dWzquVjLCuM+29Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYhBYBp4Ofgp38/PwvAwDi/LSsp4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASyZPCDZCriZcoNC70bsvFR+wULjSJZT7LOsH0b\nnsfz7xWoY0Bt553H9DbJX82FmXF+TMsFmfa8NG9rABUCediao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7QGUajKeuISEqcC2CYWGjUrrJLEwCgYIKoZIzj0EAwIDSAAwRQIg\nM/tMS1Hi8LIQNFCjRaZXJ4bX/aQm2XRUmBwTwhobHjICIQCGLmDX834a1KjLSjXD\nZEa2lkwGG1OgD3aczp4lL4o3VA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgITRa51UN1APHUQl7Yyde5tqowVbDAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEbh3yXV/K1wSnXiAvFxoLK4wlfMfTY+36DtzkKWVMukxz\nNltUazpNcYm2PuAQm6qzv1vl2DP8WkJ9peAQ+t+VjaN0MHIwHQYDVR0OBBYEFAw9\n2Gy0hb1pAohiDiDA1IFyoeV5MB8GA1UdIwQYMBaAFATn4Js8vZyGFIhrGeyGov5Y\nxeG5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcpkQ0KOpZKkTIdoWUqvIKqGC3057cApf\np0Xqf4uDxscCIBORGisFEFvavF3bt2Zb/DlwWli5L+/T2NCV/6HBsKc7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUFsrV4qvGlobCAdummzphqhY7YSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNyIJaoCx+SHqHnM7A7LIoNjDTVlwvpFVeBzkAKUSNnL\nm7pNkcmEZSscbJXLGrY9C5UZIlj1BkFFMOJlCuwGV3ijdDByMB0GA1UdDgQWBBS7\ntxP8kBeG57OhQGFJOOy9VsWlzTAfBgNVHSMEGDAWgBTtAZRqMp64hISpwLYJhYaN\nSusksTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA+fucwnMHgIgfZ67X1VBUAwQHnWMDfx\ngalNUDuKIbp/AiAIJkdGbBroDn7B5DH0thMgnJrqKKs0gJj+XH0zzrThLw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK0aSf+jfPUBXx4+unbis72J3toowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBWNJXsCQ/w1o+r/MV6V4sEaCHuV9kNs1mkj9v\nkkWHsC72TT94ZUWvdIxmKThOfNhfCq85ykuKZ31dgEIiU4DBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOy1LWqUcGTHjCTYagMSFFMlCkjwwCgYIKoZIzj0EAwIDSAAwRQIh\nAP+8owtHk591PSZnzPE6h2/g6gQ84N0YnFS1jisbLWT6AiASF9T2W1qFBIEkjdpd\npNPYT2ProBRaSI/p/DKdF5YA3Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY1ZChA/nDRCNGE0mdQm+6O1PbYAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkZ8BLIqkHVwoDmLm+h7LPuzOLBya8srDeTAue\n41GBwbBnyT8vf51bC477Qi1ZWP6mbWyj6Gla9GL04hxYGd9to1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBUBsQ4eTI6wL5Pcx/tOzA3uOT5swCgYIKoZIzj0EAwIDSAAwRQIg\nGlc88lofBhueeROFPassZ83jyqT68InuVjpXAFNHK+oCIQC1tcOUelva0XJPd0Gs\nB+B+6Us2ZdC1oFp6TdUiQMMLYQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUTKpE10rhRez5DHFjXQOd+ANSEDEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPzNFr69V2wWF4d5nGeAleOMEIAVsWKhNTF9t0lwtpWp\nlSrLUuv0b752QYERjGhmmgWe5tN/RWp7OzAvs3G1DmajgYEwfzAdBgNVHQ4EFgQU\nRD0NcLE+lJO9CbTI95lQDXosgmUwHwYDVR0jBBgwFoAUOy1LWqUcGTHjCTYagMSF\nFMlCkjwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKYKthGP9wO2\nXkf2nNOG+e9MQV6XtfARzo5BYZyzItSCAiB9hMOfE92JxZ1Cew5lhSX+3emoWuKd\neIxe3R0ou1Tnew==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUZeEBaojB1aLhxMRx/JYP+MCnjKIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNa9lX0API42E/OK54/OntCOt70nFghVU4e3xSi459Vt\n6hCASj+X4jGg7ZOA0JS5rXPUo8oMuu5ZHACKDapOho6jgYEwfzAdBgNVHQ4EFgQU\ncHUFwiNPy+PMryx8cHpi28fHzlswHwYDVR0jBBgwFoAUBUBsQ4eTI6wL5Pcx/tOz\nA3uOT5swCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEzNveuidm6n2\n0/g75Uh/41ue4CcyRxsnf/wUxDp4gTcCIADvdBAP261HsPnmi21JRTC/XpQkgsVr\nK4BxJNV8Ccj+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA8fMUkkTKRTsx6wlZH40zJ6XQP0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTaN/h8+96nO80c4sQuWi2NWhisCzfdVG/l5ly\nW9fg50fEEYGScXS0pxB2A5G0SFzLYcZ6evHMFDvQjs7z0W+Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbLCea7G/GLquxQ7KLiRJDkbeAe4wCgYIKoZIzj0EAwIDSAAwRQIg\nAhlYXHWNKgTNIf6n5T1Z+/nurTxc+rYraTiLCq2sbKoCIQDSv/WysAbQvfBHcKZZ\nrb7jkZB0NQCi6/Bw6Mw4JCMymA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULhqEC+PFblLQ4SLEhU2ftOPvfiIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhJX9+3ikkBqzYIXok65Y5FeXwljlJrYk6RXJZ\nNnr560pxyUwaJ0G/wBbi4qkEjVY88XwiJ9SbzT4XMPM9H9ivo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ8TD4HPt6DBi7y1DbK2ISWavSQgwCgYIKoZIzj0EAwIDRwAwRAIg\nNSZFvUonc/x6wsY/i8+26LfQR6FquYpcheTwySRqfzgCIAjCBqf5r9SVNiEzJNB+\nUR5riq06hxBUu/RlwIArYaEM\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUNppR5X2RvjcQx3vp5pQ6b+abqYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPqcBmx5f4zdvzbo21UM4m23/yu8tWf/nNtiEFJy60Kl\nwX97tB2iVWi1lYyAifMQVYVVbzXuI6q6fM04hWF6G4WjdzB1MB0GA1UdDgQWBBTb\n753M6jaPj8X94geWhilGotZLOTAfBgNVHSMEGDAWgBRssJ5rsb8Yuq7FDsouJEkO\nRt4B7jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBrlD6rjw+01Nhc8reAIPvuTZ4VI\nFXj56O9GwfihzZkuAiEA230n6CxZWPLwn0gwdF80/h+O08Yet9ROd6rmOMZrJ00=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUO9gv4h4Tfb+OhfkuEj2s4XvvISwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB8MBt5BMgjJvUpZc9CAXax47kCLEX5ZDwqk+nI0ve4Z\n5jRFsywRVBy6P8ekDPRKRJbFIYZjHb0OgtrY8lYSCDWjdzB1MB0GA1UdDgQWBBRR\nLndknEKKSsRIRrvq5CBit+UMJjAfBgNVHSMEGDAWgBRnxMPgc+3oMGLvLUNsrYhJ\nZq9JCDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDdb5XRvP+Icjit94VkvQqykaM3\nmFwESql5tyr42v8yXwIgMJtPOqvFoig2nYrWz1ApgNesn02AncdtrsIMip8/RoQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1495,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUW85C/gszYd5XwrmWXRpti/+a6i0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASngt6lgJ0MiQ5Tx4Iz9fm2iFAx6mNzG9oEa2Xv\nuSNkzGGuHo0rXmHO+gzaLOMOvV8l0gion5hgNI3UPawhLLOyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz9Cl7W4+8aGbzlmi259snQrumuUwCgYIKoZIzj0EAwIDSAAwRQIh\nALNuSU0hNHVVEgCvrqz0NrhYQiNnv08iHAtPfmn+uFhBAiBrt1gz9wC0VGzDmHkc\n8LG7fE8FAwBvREmUPV9lPrdc5A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEIF6W1DxbeA0+wlktJhZleDzOK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvp2uAAxbJkHeCOSpe3MZshCec0/99xJh58xfH\n4CriIxJOdVl5JaOqTmwHnd2uQqoRbK7a+ACTVVL0jxCqBgHYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVQ27wMXVwJL9L6xlz2Ydgb0QJOswCgYIKoZIzj0EAwIDSQAwRgIh\nANX/Co34zBEm0yWLnVlzywfM4GyvNoP+A3j1EoOOE3XxAiEAgr1M5PxFvjyZN1Pc\nVuOHaGj4vDyyh0RsJu6ABdWmsCM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUZ428rxX3VbhDPQ9KL/yPRasQb5cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJVAFG+pI7jgP+cqas39LAehiFRkDOPhii75DXVHvJX5\n/Ior0mRRhOTD+PtHJCK/90CZMaPamGtthYnWbtj7aX+jgYowgYcwHQYDVR0OBBYE\nFMLqksqn+sDnMoRBmJ7n9fKznj/oMB8GA1UdIwQYMBaAFM/Qpe1uPvGhm85Zotuf\nbJ0K7prlMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDRwAwRAIg\nEPkUki/oe/+ot2VLHfzq+RhypVQX5vI2UrJnCy88bKMCIDD+9DrQuSOikTdYuX/o\ng2JbylaKgWGlDKY6VTNLMvc6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUcixCsi+JFba9YmEV2hTkH4c8a+QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDLmyVDI0iljwvovZo/cj+i40mNK6vbe8ZmfQjhVcqPA\nniitjMdDur71IvFPMHZ8HhJ8S86nBnaT3JnR9zqpB+ijgYowgYcwHQYDVR0OBBYE\nFH3Qtcwx1pzwTb/ZAMtZreZbtnwJMB8GA1UdIwQYMBaAFFUNu8DF1cCS/S+sZc9m\nHYG9ECTrMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDSQAwRgIh\nAIU+JIieQl5kygaE3wl3lLbO1VGFP3CjmwcvgRQn+18nAiEAiR+6APEUuizbzxe8\nVbPrgh4wQoi2DPKq+O6NcOO0gVk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1497,10 +1518,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUegjOGDLimQZZHsuxghhrJi4GU5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFZdA0fpnGkibzWeiHTjwQMNpRmIk9Z7vDAqXA\n60VXwyX/7zTV62574RZJHma43PF5eNPQWrA07w2sg9K4Kp15o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy+Q6UwoXmP4m7M4w2E92fIuTfDUwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgMB4LkV2GPUp+ymgNOEZkLK/Tg2a0IfCeTLuL\nH+InSTsCIQCZKOQbeCc1thZkBKS/hsfh4x4Fud2TPo2tZvbsjXr8Pg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUSJudXI1NIXnjlq1n08dhN5gixrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6CAEVJQFuznZJMAfjk78iNUrX3OXpeo4dJBZ7\n+UxVM0AoxOrvK7UNUb+VM7JaMIn6n/NpgSWaXs3zetp8LgImo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobFVB1C0RH0NynHyO5OJUCufBlQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhANYWcioOhAjxpVE191VV/tpKQov7fXppk7d1\nibyc2MA3AiEA2Vz3YPPTxzEQ1U0ZQVkZ5Q+/sAn41soVno+v7m9aIvA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUFrUmxS++OA5bvHpp5NX+6Fceac8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPA+czOXoYAkfXdIhqp7d7X6NxfeaesmlTgiwODOpUqD\nBlsKxZ8brDlDogUwALyqiYz8ZZaBUrmK52ykf7Iy/uejcjBwMB0GA1UdDgQWBBSs\nKCzDBit5tUp6+P6fsSOXy49pxzAfBgNVHSMEGDAWgBTL5DpTCheY/ibszjDYT3Z8\ni5N8NTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA2Q7PZPJUDjBGxPxBzuCP+2MDlyVkVHTv\nhGPhpq1B3PwCIQCMhnYQYvvaD17cXlOucxj6F5JNu7qb8QXqBVALKXXtDA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUTVWlAVHeDH+0GfI+OjuifVOi514wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLXKJwElIshEnaKDyKMP4KFqRcg88kU5e4fiwNh5x0mw\nIQeAqZ4XbI4EesFI2tNYywmpP6wuba6AzAp4cXWkELGjcjBwMB0GA1UdDgQWBBSw\n96WXBI0plyeP0jULQ/oEoKY5qjAfBgNVHSMEGDAWgBShsVUHULREfQ3KcfI7k4lQ\nK58GVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAm9+ArecWiWuWPn7s94cUAC9/RwO8z5kf\nd54g83L0ULICIQCSkx+0INlAMurtlqGhiYIKmU0IAEb1VdVYvFtJoJAg+Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1541,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUNHwmn6cpicKzHp3NnjHTtMntszkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJFdImSQH6kpbjWqtyzPKOONYQ7bHNQm3oZdD2\niOEE+LPZRsoXEiIy7K8Sam/fB6LVX9GldFF0m86S4wDCaB1jo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFABLiBZlO2dQAj88f3JUbBwv1grqoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQAS4gWZTtnUAI/PH9yVGwcL9YK6jAKBggqhkjOPQQD\nAgNIADBFAiBKebjygeXYyD8aA1bme5UnYaCXsLNxdRHynTk43xF0IAIhAOZhhJM1\n/25D/3x5byxgTJ54X3U7jzOidlmH8xA5LNSL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUIvDGNA6YDQ9yElr5uZYwtyNuOuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMSnRK3wkfukBH2SRjC2s1px59kZ+1yZNEWul+\ntLHcbvBMPawnBRaTwbwxj3RmMoJphUxnxNhgJUzcyKivTkvMo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFLdvSlU+cy4hyfV975QHRE/+abheoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBS3b0pVPnMuIcn1fe+UB0RP/mm4XjAKBggqhkjOPQQD\nAgNIADBFAiEA6M/tTumiLNzaaBnuG98cT7MDkCTzCHDpkPmLzgiPCq8CIBHiNSQg\nJccwryBPGcPGHFqGCQceRH9CBt2AGzJuUHoj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUbCs98lDLFvcigc3QqNt7yvrX1qkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK3fH/RuZiHbxwwnDsQ1pXjiDClg34gYUe5UIgaB+gux\n6T7wgV/H75f849EtFtymhEKR4rVgEbx/dfKe6j1z2aGjcjBwMB0GA1UdDgQWBBTk\nRFsVYUFwbfVddwvVr2L6PT9O8zAfBgNVHSMEGDAWgBQAS4gWZTtnUAI/PH9yVGwc\nL9YK6jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBV0+T9hEeG0f7i+IaTKr1I10LDUPgwVnCK\nfSo1vB38wgIgbiGqSLHFsouOwNT8WZfW4Dkxi1w4Wj7MSJdyy42sWRw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUOI5VtGGfvdqkS8vHxJfxn3hGURAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBTfKrUJDkjLY64FXABhhYnch7QVTxw9q6FedlZp0xt\n07P+0XpN+L13czaYvnORyDXsttxoKiwiPSZNSW+CKmijcjBwMB0GA1UdDgQWBBST\n0LsaNZE2X66EddQFO/DCbAQGCDAfBgNVHSMEGDAWgBS3b0pVPnMuIcn1fe+UB0RP\n/mm4XjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAoIPoLlMTLJyCTN+lY3f/DnR7zv1xg4xuR\ntCOaVKti6wIgDOxrH8MdauGg+lLrGZBvHJxyhF/MQFGzqdPNtNK7n0E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUIZNZsA7qD9ou+72Z8WODusOHSZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmgU4oGdYvEPbciR155zYOkjy17zaz4ukfvvX6\nxOfCvvY7JrhC1AUHVps8bS9FxSKQooFgkkUHYHzjcrAoJ8MHo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSgFrieHcQ1Xwvop2RHe/S857zatoICBNIwHQYDVR0OBBYEFKAW\nuJ4dxDVfC+inZEd79LznvNq2MAoGCCqGSM49BAMCA0gAMEUCIQCd33hVsPjgdakb\n/RB2hN8+5RnmEbpzSef5cmKLxxsqFAIgAqb6NsXO0pAwMDFUlMWsWZZDmD3p0G2y\nVLhOBoQQBRM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUch5do0sHJXrGkkWI5rVkz/7UJXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQlxlMHqV31/JtX5h2WNWUWmrqH/c9SEH6M1gxv\nTRUyyb8dAz05MeeBwqwGnTG9P40oirVOoXqnWkupFVrkBkdoo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQu/Bkq42HFq0H9iBMDngYASPg3MIICBNIwHQYDVR0OBBYEFC78\nGSrjYcWrQf2IEwOeBgBI+DcwMAoGCCqGSM49BAMCA0gAMEUCID8zFSKBYs7No2tt\nYV9YhvO2SZYOBCS/3EZ8EDFTreDgAiEAntHLGulQzvgvzmVCEUJddxcq2Ce2DI8s\nd/ETIdAdGl0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULLjy6JWPUCCI6fem2oDb6H/e9ZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjlNoEhrfxI91PkX13jJn8WMptcwqGtQuW08vXC7DiL\nGBmlU6qCeLXTfdMSK+/V10vyTuEguiE4c8M8/77bVxKjcjBwMB0GA1UdDgQWBBT+\nOEx0s0QFwsqjul848dcXaJklvjAfBgNVHSMEGDAWgBSgFrieHcQ1Xwvop2RHe/S8\n57zatjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBG9PsQRWtfyVIXeO21HR8scHgHdKxUgPAx\ntzGyvEdvhAIhAObKUBuNntwy2dfRq1J5qlgmn9Qv607G0o2wEytsW8IT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUbvhNADJx+FUN74irN/IYDcKg/yUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFWyZL6+Sg7lPYCnC+XBcgcg6N+EiML2zj6nTFWeWu90\nbPay0og4RpGO4TSnuTX4cYnG/3isfQMkYEkAoOi3wNmjcjBwMB0GA1UdDgQWBBTK\nJNJk5GE0f+a11B9zZEm/Np1ugDAfBgNVHSMEGDAWgBQu/Bkq42HFq0H9iBMDngYA\nSPg3MDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA3clDyqokEH8UgvGeb1Cw3V/fCyJ8GZib\nPqBi15UnFbYCIQDRz5sNImM+K3sYVVL2XpN7WCC3C4/vh0oF9bdfRzmBxw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUEOhxjsDu5aJoqMJBOdl/Nq1Cj+4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrByPPq4CXWSs9XSRf/I+ds4BbCZWmUTi+aRV/\nwIwYCS1/erEADkJ/RejoX+MhtCXsHRf0KbQtdE4lxRktoi1+o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFB/1KTqptDxSCA3i96KJhiir/LeKoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUH/UpOqm0PFIIDeL3oomGKKv8t4owCgYIKoZI\nzj0EAwIDRwAwRAIgIo49E7ZBX+QXILJZbgNjk43trbWy1FkKHPEvfFdXLK0CICw/\n8yIHEs9nxwreKznWF1LpeKV4oz2lC5HGfzU5PRjO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUAyU40oFVBh+vk8qH4X7JoJwFlIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASspHUuX+hI8aX6C9vP0574JIJOu3gnNyt1a1mo\noGk9QUaObSD5WJWqZJND5m7aQEByrU6ybwwEHGDLWmTZnl6Ao4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFFqE7g4Hy/zTYCIECNmVRcrHRs+eoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUWoTuDgfL/NNgIgQI2ZVFysdGz54wCgYIKoZI\nzj0EAwIDSAAwRQIgE/fIgduk9uIU0KkYqynPZpn54GU4BuZAaV9q/3DtgWACIQCQ\nICRx8bMH3EnDhGRT+OnPW98pqo+G40A82dAwV6PpJA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUUtlufhI+0XlMEMeBIb+uGtEFrKkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFyrISUxHhOeoOcPj0CbAzL+gtpiM2ZskdqYRWg6U4ou\nz7sUkeC7w9kmrEsTCjO5Cb5Bv1vd2Xtd8bDfr0H0D16jcjBwMB0GA1UdDgQWBBQq\n5EDoClVyT79zqHIk5lG20CaJPzAfBgNVHSMEGDAWgBQf9Sk6qbQ8UggN4veiiYYo\nq/y3ijAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBGAJCOLnOvRpxX8Vvqe/8U4o1ydVwkYQdA\neaFi53eQaAIgWMEIfryQuAvIEyHjAamZ0uAQIdi9P8tKcMKCB0GINYQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPjHwStN8OtaBbzvMAc/JeKzurF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC9AGCVqRwdxcazR4s3w2ZYuRRpK1TjLkypsSrD/P1r8\nb4J1je2+g8fzQn+Ui5fPksSMHJVyJ5Daug9P9i8bLbejcjBwMB0GA1UdDgQWBBTm\nh7U9XSlXo61B0GMpUBYFiWt9yDAfBgNVHSMEGDAWgBRahO4OB8v802AiBAjZlUXK\nx0bPnjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBR7NsE2X/pgaoJOaEwy58etAYAhTni2W8h\nWMmiTRmT5AIhAIo7z0fJBLdiuiolkCLoj7KKknN6389RIEkScXQUdEZR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfDh7GHVvHh2H9cvHKUY79mYYUYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwukLuHr6EvPABseNBTCBd1br+h02gMrXywmL2\ny4aK8t587MB+bG0Um+l+RF3dz3tpnPU3wD8e9TQNE1RTVo0Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSI52ECd7UYP3e8sJfcKqa/Jm5jMwCgYIKoZIzj0EAwIDSAAwRQIh\nAK9ys6R0z0PLAUX8ECTBX8eKIB4Ju+gC6SsxbuqFsE16AiAOv8PMczYqUvfXU2rD\nEbstOUIsFewMXbTZax1Sx9ZyFw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUH6OSfrNIIjaloQIPR5z3iWdGv6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgGDQ7O2Tz26RZ0aVURH6A1f89ZmLVWQ3R7L2U\nDt3E7EcZdHEECVslZprVP/z08B287gByzX3zvq2iK17JNo9So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVi1SGQEfHaTX2qoM+Wmz2cf4zYYwCgYIKoZIzj0EAwIDSQAwRgIh\nAJOibcbiJyQooXumUL2w04cfMhrQ79f1oMhl82KXAd5zAiEArwPBjE4rJgFaBqdT\nzGKFxd8i9mRWS+ZpAkLj0u9sIZ8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIUQdMUfBTCQbSEGW4CE37Zz4tpdnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABCaPFPRzYatpBseF/+RtTy9S0hX1VvYLfSLtQPdT\nu8HTXzoGVdWLptct6+H7iYpskK0mjS5cbJzXELeHVQGWtxCjdTBzMB0GA1UdDgQW\nBBQOVEPqkYIo1954aS8TnUVF4oP/0zAfBgNVHSMEGDAWgBRIjnYQJ3tRg/d7ywl9\nwqpr8mbmMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAeAzpZ0pz5uuupXdLieMaNmp1v\n47XKoSqCpIKvJe4gDwIgceWPncTP+fK73/ZWpyMEqaTnZm+dOmMjpvL2Qnzux5o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUJOgAdxMTQQ02AUcjyT1JDOWvAMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEhYOg8zXoGGjbRPc72jjTd5PvpQpB6aUE4bXmXi\nSU5r/vXUho+I4vM87kMmrgHl1+9LICEg1yS8loqjSpoJifujdTBzMB0GA1UdDgQW\nBBSLXj5z2SvE4TLsobw3fdkyVzeb5zAfBgNVHSMEGDAWgBRWLVIZAR8dpNfaqgz5\nabPZx/jNhjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBh9qbBtJZnroEnqZlv5HHilJU/\nN1LtK5CjZAuL8gkyRgIhAKXddxZD1/YnykjZz6jkkorglVtHrKCbE8F9dMlKc/C2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY2chkMB869ttJx5forZOlIoxvZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIvMhiFZWzh5Rw/4dANBlKVyMXzILzcOcH6nbq\nq6uF1HdqR+ivgGLwjueNQJQfGcPJkvw4lm+lhZHTvR2ml9yqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/WC8dJgVSibr3v+BoxXBC6xEgSswCgYIKoZIzj0EAwIDSAAwRQIh\nAIiLxdjw4VhqTC1hCu9NT1B6dLFtx3C4L4DptI+lWjxkAiAJ7H4883cirT8pXHGX\nBI5Tcg1IMUPxPCY9QDMyTrgUEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQEoyjllyO82pZsIqsHa/0OlifVYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsbpdC8vcVFpFNdFEADBPeZc4lYL9Qx4S5WzRS\nQnEeSddIY+1+tk0V0HwQ+gTQGh/aIRHbCdYLAPy9vfsk+++ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwBycaft6PTa8BAjYETiYw/nKYKwwCgYIKoZIzj0EAwIDSAAwRQIg\nPLbqsTXkj2W8ibjNRoaDSrBDjtI2wnRwgCETnzyyJ7oCIQDkA7cpCI9x19GRH6m4\n9BsnnGtPniNfLpfifMnI0f4iyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIULw5ABd8NtWzfqVOxt3IbLxP9X6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABFoWXk8VwNxqeEwp0U6jQDlr/0Q4bdARIGaXo4QxlDtX\n+gN0QvMTVv0Pu4MUJeDf66NyMHAwHQYDVR0OBBYEFMV3BV4sOAsDrF/4LFyL1ShX\nnuYSMB8GA1UdIwQYMBaAFP1gvHSYFUom697/gaMVwQusRIErMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIH313KZDA0Mcdyol2sLNIMh/7QC0snZIKrgV0PPDE8krAiEArGoxk98/\nhowBCwsJxdw3LvFHEh6qhsEpJo+b3+fsft4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUGEZFnBYIQZ7EjR0T8nDhVyk41SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABG8RuS/z+Hd46jL/WPPQZIV/uvXTb9hhEkfOK2s3sE5h\nFj5w0hRjjRAk43nYndqw06NyMHAwHQYDVR0OBBYEFH2TeTaUsyvHRMI8iImtm8n8\nXfWQMB8GA1UdIwQYMBaAFMAcnGn7ej02vAQI2BE4mMP5ymCsMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIGLHCE824vMWttKFYAdUSARcn2Nct+a4OG/nv3tl1pyyAiEAneM6I0S9\nhwJE/gUExzHUCFFuM6iurlwfbuaqfl0si+c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJG9yhqVD5dmR8cb82TtPnJG8FdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS22iVuQ9Dd5LLnUoIjqzrPnSxXFeCCkxXqXhN4\nLMX2fanXtEYTG4y0LDrr4PRgz/jQrNrOGdMc3Ftj1YHHy9qTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh7YG7JgX8gj6pxgVMx+72fDFSnIwCgYIKoZIzj0EAwIDRwAwRAIg\nC+PsZs8zs1deQIuc+47mhTPFe+1u1R4GBEUT6XBwlSoCIFcfvnlkD986vRL06fYu\n4DO3+WQyxow0zDmv5vLrj+mu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBl1unUzYzkwlIUBo0jwL3qyfbhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWrOkX56OfrYT2WAMP+1mc8I1Qv6Cf1RYPg0dO\ntjo9doomagVbFsU9mzbvxoDXzDki+gejN/61CxehUhi7dBUZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknWVDRzXPZavC6ZaQovPKL1WEv0wCgYIKoZIzj0EAwIDRwAwRAIg\nVA+xyLcdUbPNHiSHOr0LSQ5vmitYzHMfRZ6onr+V5uECIH/V/zUeaNkhqs8mDL0B\nfcqYfEfMgfuasyj9diG4CC3p\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFDCCBbugAwIBAgIUc5Mc6noW9hW1l9wJJbUow4n6hbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAxPSYRBqnzSxor7u3uiAYWJKtJf/vKymefrm0cC1iL4uh\nITyeXQPbg4sj+tRc5qLaTPwGiIS9Zav+1dx6568+IuENcnKn/VLnYeI9XfOGkYxC\nCvRohNgBPcjlAmCu4HY1xEzPyFv84hnadY7dEdZMzsm/JveKAptkLWvgsIpJ5ulV\n8hYBmMY96PoMXJz3ADC8fLub9Sun5ra70EYsI7mdVhZxhUGo1/4nr4Oiy/vT0F5h\njLBHCkLK7oZh/NlkYUx590L5DjsFW9pki529EoQqdo5PxyFsrAia97mKrF6x1J7x\nfcABVmM2DAGeDrJ8bg4q42lp1vGDtN6hlK/223Hi36cwrFxO0ShJe5xwD4FteouQ\nOaZi6R1YS1zGMZYupLJndjQHMiCCOKPvLUrCjBq/4KgKa70tcWY7vHdf/EoDZQI/\nFTr0kX++7LE9IPXM58en455DBilDbI4D4Kal1aeXh1ABePF8GIF+zlJnnyUVl7YM\nUH9EeSJlC5dc7uztWd/TAiEA4EVYxtuo9aOUsCvXp+HaZiPn45C+LavO0tzPz1Os\n8qsCggGAFokduo7q7psLXpTpyIzFo/INsr5M5TAyf951i6ra3VAC68/DcExmlp3d\nkEFcXUTZv49o0z02CnANZj5lDECl4iN2s5ng7vTw8/x3fNsOYfRrrmdkIv228pqt\nuozLEhxTo2rS9U+uSzgitZgpKIwauwapaswTiTZY5Hz0BuKFmfvJoPGAI+mn5whA\neaUC6dcPPY+Agqpozvdfp69iG9M4lYQZq3q/ClU42dZaP1VCwU9bx1GQwuQ8IvlT\n78U3NEGwKLJmWgURDWdHYDeWxXaIh5/Okr1ZIkFNLiE2DkaQDbK83sHcMBIEbWa1\nyofy6i/BfmyqsaT0GzhOHMtFGUThtmTrhiCbuVRNdgF63cvXWfUenDRl6G2Bx/c3\nSMsLydBnWTBLDKsdthLYtMhy66JTOyibz8oT4gFIOleWWFdl97aTvfzU5OgW5/hX\nKFOKm9HePjyuJe2Ji7pQm5kTOb/mg2YZsgfPmShzK5vTzl3VNmq1Hm1zV3Xawm6g\n7LPBQmUOA4IBhQACggGAUfQYlo9PcHcMofrLzdMCS5wiLwWtenM079USIDSI9uwK\n8dWBV3j2CqHEoODTpRO0ZXYhHTgW3HotkASDMFuidRONNJbzvNW7olbPRXHy5dFL\nS+yrslg6wfzK8NRjY7xHko25T6q6wZSkqWWB+R9tKimiCw1D6HTzpCiBUUOlUhXd\n4reEIQ1z7aHvzXLrGbNVT+kK7poOTWe+bcUuGCMi4mOsDtyjh9p5vQdrTih3RFmt\nsDMsc/8gfbQSfz7FMjGN490I6j3VeJZhpSGd1Kv59jq7FyzTVaegAcdg3RH3uhkn\nKyqsFwU6gCJYTkSvd0TYbVjcJPp1oLjSNuE6A66pAviLRt2gHu5pFNaGFXU0uGYk\n2ODd2sOY9HvP3LOYamXVrC3ICThXQJCMGn4bHHh0MMo4WMH2RH8azelm5wR5Maan\n1Bf0e/64SqyYkxkpIvYlpcFlqT2EihR5ktjIn8It9eQGeKPkfB7bRjylkIhqANCc\ndnwJwLR2ADDN+UWNgcrSo3IwcDAdBgNVHQ4EFgQUdYBGJZgH2pP5LOPBQKw9/ofr\nnu4wHwYDVR0jBBgwFoAUh7YG7JgX8gj6pxgVMx+72fDFSnIwCQYDVR0TBAIwADAL\nBg
NVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgDdlx425bCl7gSCRrQLySGWqIUj4X1HasrhhGaFBK+7QCIA6HlQRCv/ER\nsGRSvwFNqdzQAu8kFEyFHMtdALUKhlNx\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFzCCBbygAwIBAgIUcSSJbcQIjbuOYwpnX2plfC07NFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA2SzTVs1O29PkbcY1h8C0BxqBx2+qGQuux7BFvsXc2Ckz\nYwbQa0OjHz7/lr5w7dZubo9KdVpp96QhAyjD+U/+kXWdbdgiOEP0VJ2wydYwCbqp\nkLjIp9QJBpAGGORUCboWLtAapM4PhMuM9QKdUzOM6tN1Qa2gMUfNkvzPtnh8Xr4w\nimVdY21+JKlJc2hyhSK7oATewWwJeV2ZUYTkSjYljYd+tChfLrJUV/Mz4MZtP2oh\n7mgkyAYOVBC7YrHc9qg6midsadoOHf0BF3XkNyzzUkL8CsuqK71FqRN++elKzXYa\nEcLpYQsNnRt4ANxUa9UTpKaAOvB9c5Jmiin+8+495eN5boOFcufbk/XEeorpLkFi\n3n37DsnhqBDMywzl8MnlTRrJABX2ew/uZEjmgWHo6EnkXQtdlBwtS02NlViiVgvT\nc9z5rCN3P6U3UJ9CP5PZnhMiMd7omvNJzx6JVtn7CbEi6EYONm4BuC98wo5lcvTY\nlqL74tR9IODp0+vYWkvrAiEAh3tJl4lbf928+IpKNW8R8DEI208gXVFvFjjyuzy7\nR5ECggGBANfTl++nrDDGUZ+jUQTJzr8t7pWYonUi0iCJtFIxfTCRWt6Y7LD0zgQX\ncaUeqeTq6CBkx2Rjoo6VKvMDyHuf7y6XwOrLRxtn0Gd9+eKI8wAuLRSxpjwapxOH\nvL5VOfBjKDKsyGTmFrbtVGimp0hINiv/6oBLxCFo8EduA5Zvu4akyLL075pVMOJe\n0+T0cBkWwMtWX/rv0kSjuTQJwHzBAsMA1H2JyxES1ETz3cQ76o8v5S/4vkTw1X3o\n1lA1XuCXh6Uvova/+oAHMvVbDbtlpj1gtjqJCOL3PdeDYicN9uK0k07Ikap+jEs0\nhdelHuRfqefNRiFqccdME3Jofd/0ltxmJh3uwGDz3PEWV9Me4EeBtuBK6tTxEqAs\nTrWaA5Axg8WuJI2tyWGQTKRPv2/DFgmslN1vnaW109GKpTMZEZkQFNS7VH67P8qP\n60cQ8OrolmosXVsKAq8dTsQFKnFtTfp75ovwnNcCGPu8yYTVEaROZoGqz2Ob6M77\nn5ecxXgqWAOCAYUAAoIBgDPGvZpvlt4tljH/TaoNYEu2ufXM+zei57ggmlJm03rc\nvrgmipp1rWMpI2SSnmy0Jt237vMf+1rTQMoYsjf8oizGK4iVg4X0LIoh5qoVUKrg\nAa99L6deEnt74aZHwDY4kC8E+5SfBNvVqOSfZQ54l/iZHdavtt+FoPdMpFTY1Ia+\n7n6qjlgbEN5KSQ0CxbfE6NZhp4+ObS7VCd8rCqjgHMm0/4jcUuFFufEcZt0uCl9m\nnfuPyRYLmk1AFuBFE3FQry0lxn32j2+afvf8sbphupxcZIuK5QxWORBCpO92lLbS\nTdLpryn9DC3Q98X3DWhG23OkjWGkxOR/cfRI1ktFYY7r/Ukf83h6smypCQJ8+/f9\nlussWrYahg+nIAuG69kGJjaK4VVdgPNPqN/MVC
qT4X3PZK8X0PlnKE+1fxGcK/Ci\newc5TBrqD4TdVjyIFa91/2ldFGRJCl9s1QWkUg3LmpfkubeFEKpC6e+v154+L/d1\nexVvwu0kF2UTeAnayoHtGqNyMHAwHQYDVR0OBBYEFLkiUTiInizcyWdfFg2/cbNU\n9kZMMB8GA1UdIwQYMBaAFJJ1lQ0c1z2WrwumWkKLzyi9VhL9MAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQC8gwXtF9v8G/oHafCRhNiP+ihgR1F9PaJIZpxmrRH2uQIhAPGggsct\nXfSeSGa07dBD/bGOhlHy6FKriO0i1rHel5I9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1646,10 +1667,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIUBtLPpn3c2/H9tEd5yQaDN/w7Co8wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDA0L4eD08S0AcZYZadfeHCmEGG4/uQpGe0NIzV\nJM8v9p58LiHH6z+LahhhyS7HXBFS5s+n5ab6Q2NFJ4z6eJHaHZqRyd1oUrx1LWh1\nThCyKWGl8y98Xp2YzfGCSjQMRALhVmmricCf/DS3nHKRzBLJ7yDvSeyzOL7V+SjR\nh9ODzXPAgveTIcQjLyg5JY7th14aQd+G8NPWXrHlZFa4LYzqWKdjQG5Hjf7H7y/o\nH45KOQzPDRNrwrrw7aRuEIuojxKWLVgvR9UF1hP4UjzGDxh4eI10tJCKrE7U9XXV\nCJENi9lLDSUk0zR5vPEGuLYmwdF5HmG/VqlUI0baGjdjI5dl/hHRzPJBG7OrFFp5\nXwd3+S0t37XpMItOEnTsZbM1SpggPsRL2WihT+lSSqrC0YxaO5SayC044WdzXQbe\nt5aNUtESLNjHhCHWY78ILLmzAWdLNpERy4mc4hbEdVHMLARvTr9R6WHBFvaSI46M\nOLomUdeL8wyop+dZqd1/C6Xr2MkCIQDQuVWIqarX9j/6Nuzd591JsGZXjuANJ6Af\ntIPvxeh1UwKCAYByivRikxAfjsDTOk9PgNjQ6FPsrHsyiYKZMAd2NwSVbn9nZXU7\nuiY9Pdkk/azwg7QLrOprW0/YDbbZu66EGyHdAEPEo1TRzqASfbBohAJeWOPD/dwl\nT180LYkvBaTWoZcB6OTt2ET17f29YmRyZ7IAlBE0Fd6QCG1A85wH0f5H0ZqKJ1gB\nn5V3xHh1MtanXv4Y+PicNzBKAXMRFvwtFpvIuurC307opJWFEsjyZApdRzh4Yi4u\nFct/wpo8kSXUExyrVo0N5yIsZJhvjP3N2W9Sq2vC48biHvuDx0qr8TjUL2zcLY3x\nIlVcgEPae4ZFZ0yQL7J7IVysTIbBjN02T66vCGTtM/dnCUwhqf/DgcMxIN9IeWIy\n3l29LTlMTInuB47VlI4cEvwbLx5K4kDU4w2aY5QkMAvUmZmQACDrCwALqF+HF81m\nfKMW9hFcoxoTMqvvMcfK4S3T2GUSk2qCu6r6+ajdAMc/HvY2g6VJyomLLdXdRDQ8\nfluJMG1127m6Y6cDggGFAAKCAYAKtswQcX2P0t+vz66EvjPu1I9HsBWG4i91t/0B\nHuYZHyLpSgOcN4ZVr2UiSYWh813iHFnKr2cjpn3ucsrQZNq+/LLbAynUBW3/P28T\nVPg19Nla076NIuklMPO5I86151/bpMWBc2m0PQS0zAKeWycL/EhkjG6RsaX5eWzb\nxQb1+8L9UH/JbjzG1iYMHDOTZRGMyqvvyKb+KJmJn5uhfSjn5ZLcm4wC1cFInmFs\nXzqged/v1jT4Mb+c1iVXDt0lODi4LL6eSruWCb3QfWckqc10gEwRCP2BdhUXL1Cj\ncqA25/Etq7Fcm9XfEV7cFvKNeJKDs3F
J27YyQkgxvWzXQIkVOQQWMWp1bsuu3QPy\naUqCmIxN0BYJkfkvo8RP9Y/tW343HAfm/V/OCgn8O05/B9ISVVOrY5y5hZpfhdjr\nZWUA/aWI6C1gQUc581bODQokLCwnYxb7Jpl33eRyzBKG+7LnoxsuTB+dih1ldqFw\nD0+bWdF9ysv+OLTjCpyNABQbAJKjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBScC7XJFVVW\nq9I2mgholhTNr/pULDALBglghkgBZQMEAwIDSAAwRQIhAJBHCvOdHmbGqiH0RzHh\npPYbJfxmdNOUUAQpgfpv0WRAAiBhZ08kontzByJUccPgBljXzOiznMwT3raeiPkt\nKW17jg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUA3wWwt69gDGImhSyjKO9f9fXNTAwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQC3yMwMbYCc2MctU/dR+hr2BGzzWTRyDCqQJ/Jo\nPsDM7QwQYLudb1biMvTxYb3LoJpAfHpRK6x9qa9+Ex7sldNEsn00DWxqPLZ4K+va\nCH/fvjAfNwMIAx5z1heVvnCUmIOCceAOE+qUf7vxiEdaelZKsAqYfJiP84Oh4Rpj\nL/dQbLVMFhSVjJNzVqElEMglXByHXSH043IMN4eSyiFskLOG9ib/4/NKNQ/ZlHHH\ncHK2Y+C6zdOIMeJs8bT6zAxFNPRu2tVcsxF7GwDbmmraYJSkjTcfyQ002XlTEiVa\n/gUG6+X1llhLe/RBw+/L1qIiNQj2BR0ez9W/EPCSMPSRWsGmcVVcQDPEY4M43YR9\nwZ6iIDx+Ub1Ca+/uLUoGgM7ddzAuXh9ioYSAOTPL2wFAY1R6LY9DUsaQ/ng6cI17\nHKlOcGz55PENDi2AP+5FZLPCNJUaPh9ZTz5mLrhcZIPTZqw9VQm/TLsJ+PzbPrJ9\ndt7XOtfxyQHmcMMS0VqMNN1J3KUCIQDRLV0Hpk8TwtfH+w3PJ4N74INXYv6/P3d9\neRwHUG/RjQKCAYBA4EZAzMyK7XQEo3cf+TpYQ3YqG2ruro/JFYCbst/6Rtgsp+NV\nZhQ6y/6IM9naQE02xOdYUPB9pfxCsoVwWyUNLhX1c2DUpCPWi696ffIlqTF4X2Jg\ndkRPpLo/1NqtZkHrRIV3e4W0Ha42kgSSqkgo9U+1eAJX9GUWimpIDE5h1DMdY3sK\nzCkaopq3dOulrcxDR479AMHD6zOv+24o4mVyPDnxm+zUdIF+E1IveAVIW3f/Ged3\nvdxiCbo3LgMgMj3a98jDxh3oDwEQlyKrksBsi6nVLeOgNMHMW7zCZORcjGIpxtSX\n0sGPzLvlwfBE+sP6U2BEGrY5Y9YzgQKfd2fFNGUZqDgmgQtjICCdoeEGzKeDkrkD\nImZRAwavLwO5qnnO/+hHLiyf9m+InFJEKVddkFYYuhhqTyWjic9D78d2OiqdroPu\nEq2ieBbABw4ThlkG+K35Jc5P4fy88Ee4dhwdE/X+/UyxO6bNCwBo4JjKJ+ZEqw+O\nLQr4GUj51XkfLWcDggGFAAKCAYB4OemRVeXudBxlaRcdnjFSmW9dhPY6HbWCdma5\nmoh6ID9mOfS6JCPgLGNb9ZgDSOA035JJvZ/tPOuKdjHd916dizGfga4vj21wmNnY\nx77kDXdZOpJQhV1PR2h6VbZFWEKTucgebe388+kGr7r8hk
rKVfIRcaHMrHlJT0tm\n3SdKB2EflCDc+IFuaDs1IVVbWVdcd+vb7Bod8zizcNU3YubSXcR/dmMkGzv+aobG\nwEIkr8WuH98RgiRNLxf2qPrAfhlwHy42vOuR5g//GtzilQ7ybZkgVr/V2nJE/mH8\nVAmeUn+cLjPWugRn+IBnpSNIfvI/8xVItJQcrj0jETpDlSuK4FOZZQrQmdHckrfd\nJQZ2xfYvvlMv6oWf27kxJYfGRDrseHHkP3Nur3SucyN5waeWnL2kuPZNjw12iTak\nN3yrWugGwuNMNKlJwB7HgBAY2zjgc4Tf4fAFF7gzJ0D71EjS+sTyyhGRtFTDYO+N\nY/Gfk2RrWVN5TmjoCmn4c3QK3bGjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ7k2JUUauT\nLlJY25dKrs9X4O5NFzALBglghkgBZQMEAwIDRwAwRAIgI+Ph5DlcRvu5WV3ST0RB\nscaWpno8axuXHgKl4sLZiw0CIAr27qHqHCYy3DD7fYzZJWsqPqCy46a0DZo/vu0o\nwuX2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUeywCPG5hkUOmAGX/kygFNsy+cNwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAARyvT4drqQ1fBhfX+vFVTBH2sSHiv+pYPbkwDY4tRne\ntLwyZv5YQ9+fZVe7PdK0ZHUDUvHzKp8K6itPz9HjyZhAo3IwcDAdBgNVHQ4EFgQU\nwnmJB6ZgFgj0DUc6nI8YC3GPbSgwHwYDVR0jBBgwFoAUnAu1yRVVVqvSNpoIaJYU\nza/6VCwwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0cAMEQCID/07uTcFffdRbhfXkEMRTg7BIoIUtw0\ni//Qphg3okNvAiBbkVT6AxtxJUytFOtb3WmG7WkNRWMfCCs/MwivFSyD1g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUZlUNcUj/jg/V11+Hdc02BCLF1mswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATucXWTHDYbhBHq9mVt2WMwVDCq8huxt+xD9sxG1rZQ\ngV+GDf4CyJs8JDB+Ogg97J0jBdoaKIR0BX184XvOa6hio3IwcDAdBgNVHQ4EFgQU\n5JBsGbdcsIgUPBI9TIygbLErH6AwHwYDVR0jBBgwFoAUO5NiVFGrky5SWNuXSq7P\nV+DuTRcwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0gAMEUCIEY1cBZBsc+e3NlNoabPseiKGT0G4Xzp\nx/ZJkQQ2I7CcAiEAlEoz3kGTynRQ7TKHitJMNFtVP4qgewbDPaAWpc9pLZk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1669,10 +1690,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAMnrf4sPOSdxIcADWBB1JI8HOg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbZcq5ej/AzmRxgEh2mMxaqcdULPd1K0HtsPpY\nvMDZYRPQBdMuxSUVe0za7kfpw+R+wa2hJFyjXPWX051XN00Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwofIT6ViSW8KtzLPp6M3g8IBGeswCgYIKoZIzj0EAwIDSAAwRQIh\nAM9+fEtgEKR6CwYhFpBCQPa0gTOIQb+IHa5l9fY4gzZSAiAqZPIMicvBZqq82dyh\nKYPHNuW2yXTquGXuZ6o+864YeQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUe5t5aE4HfsRmbLft43PjmRQEme4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/pfZox4ltfW1WaWPIZymvPnw1eV3cdaZ/sSTk\n54CV43uAeuK36YwxYvAO6vgvMH+D6cDOX8LZLn5Iss1fzG/eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnihJgd8pGzxFIcbu1J88TZPmIYQwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOpzelDe5OIABz6KjZ6Jer1yE0Dt1cC7sUg6vrz4RjcAiEAnbq7UQuPLyUd8+5G\n4dSh9RYzmjoQrV7eitOtETipuMc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFTCCBbygAwIBAgIUIWg09kuVxpiQfA3IvjSCSXKqxY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9Q8ydEiH2wFip3xLJBePif1jd2+UwWiU1aDxeY/w2REK\nKhjoEAhkhGPnodkI6spvRuRZDz+C/Yb41NUhfDZ0PzBwT3tPnRw++JJVB+30VynZ\n/B4U1CBSebtPFNp73Nhb+E8xVuxkXjivqTJ/CiL1A18NExwBisqTJyqYjD+9DQ+N\nJ4i/NQN4iJzC17yl1IHSQry6bfozMmTuUo3NsZNh7OluFF0A+OP96CtIu49aZDwA\n+hschUN6hU4+gIg3NWuTMFw5sfCrWq38NvpNe8b+OFaOWiaICQmtsPEF1JMce8V1\nyZMOzVCtK9oanS+G4/BoGmA18kHnDWLfahuM+acyGW72GiKXdA5iY8KKoVb3bqbz\nJWtMlSF6piu+9hbIihZ0bsWmnlAdyzQ9edSmA0S7Xgj4AOrmpDgezFOWmGKB8e4P\nHZATr3xA1116aqYh+ZyirgGuCfzh/Y2xkVloxQGvSPDZdwyWA4tC5r2tCJFJP9VJ\n2Y1+zm1A9xXwv08ZQqyvAiEA1PQFwsY7lJHO22Sm+1/o72W7RmvAw21YjeuRgQrR\nha0CggGBALUF3MTxDKYJWN/qY42xKblrQmlLnb2swOxjETRO7+Eev1EMu7WDQ/vr\nuAlTYTx6NufnemHJI5eYl4EZVEfG7fMnH291+31FZFsLtpXLCmkhbJcWWnM37xon\nuc1VY/Sk87xzpAh2v/VhwyWRn/y+dEk0cEx266W+6xut+smCm9ZEe+GdawtVe8cg\nDXOxJlwBMlSfIK4APCkLSeHwd4AcZN+jwmEviPdNAOw1f8kV8wmD6hM7vuvWERS6\nmZ86awsB2mlIm467QOQ7CIiptehQOFkCxtRL6phnc8OZXO7vnhKuZESbGKxn65lc\nEjd4k/yqeejfxlenF03Vck5ifwrYxqGex7nruSRu100XflnARjGMCWslRQoWYb9S\n71CwBPBOD9wmXAVSvw+iQkASMZwiP915B/bKXLwMdGVnff/AMq8pr/cn09O0MVvg\no/wbIjyU6WNhLdq1gZnhY5NTX/nC3dAwTRJMPsoCsnAtRemn94HJ7PAA9ACl6gTE\nN9L6Xh3xjwOCAYUAAoIBgHGEJ4BPloBDk3Jsb7fb9JNc4JNMQphD9cdelXB9hjhl\niYACHHDcVi3DNYupMfzWTwJvQQNUW4GVaPURf+QryFe9X5jjPSi+Lj+53bt/SsdL\nb/XBS+SIRJzM1agp/nS/IEzxsOTELwzqJQpB1WNOZXfjO8xM1hkthVvHaTVOm2YQ\nu6fhqLYAkJzq+upLc1OT3LJ+dBiueuslkqTsyQW1HtTU57UXUZf7Ek9LWCab2asX\n+rsObp08361WUEDuWtKslQJ60M2fWnAr3Bnh9VGWVDXW9mzCk0DH1Nf5w+Ldwn52\nIuNWCNn5Q8E05rtqV0Szr1/oQsxg/5LUwWhzC9qWWUE3+ZwtHVCXB/R5MWbEjv8o\nhC43iOnrv3JNkDVVoRj3Cq+rE9VnFZALuDTziSKhDdJMqtaS+Wcg9kQ5FJb2wv33\nR5+xqXruj7WeMDLPCI7a4kIrL5zX0HMs+9/xxEsiUWwM/HTVzZ7iLGlxXR4XKjAS\nyTnr1nEEJfko6m3z4xpeCaNyMHAwHQYDVR0OBBYEFEpfefUnnecc26bhzwju4rUF\nggM9MB8GA1UdIwQYMBaAFMKHyE+lYklvCrcyz6ejN4PCARnrMAkGA1UdEwQCMAAw\nCw
YDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIEGYOZHtNexP2J4h6hoJuFpyBiDgg+vo23hnPj7L2i6cAiAUckwmJPaN\nEXf+oLEIPY5UO8Dy4xI0hyo/1IXRsIb2tg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFjCCBb2gAwIBAgIUWyx34zYRnDx+05ORxLtj7VGM+60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA70BVRPQ56JDIUbyoqJA+S7j/NdQL76ww9WzeThyZoP5F\nJpipIMv57i1ldJodi5cU1L85tYhQDBA9IzIwsyTjiDNJudZLkRtooJVLr5jLkE/k\nKGU9IEEct6TtKs7quBNkqhdkJuxRWmawt5+AZgNrc9bgD5CKO6pa5lJpLrIgeKDG\nPbh2bQy5VtZicyw0x8Oly2/DSIlFy8bl1JsFHmcBp5HPGn3crOtyVGpsHkhyYPwb\n0EbO7DwLlpwwqosZTZolMpdaScjuHiJZ50QU6nCVPv2mxbMzoxwGhi0aKZEbzipc\nYukVqB3U6S+zkdfNTFZSGw9BMCg6gsWaVmlUXFo03cGO9n8B/oBYbm+aORoJBQwA\nhxMCfwQhgvVCF8MQkLXg97m/ap3BovQGSK/Ix8qdLyaCkelNiAMT6U2onID50thf\nPNC1DT6ODAlgfYU/rhEupB4qU9a8dKqdxwATdxITinmb1DftNfFSonWHHzPMpgWh\nbx2v85vneKj7EJ2WC+ALAiEA0xKeecNXWdmTByG1d1BQcMLkqG4qtQgyiE2mI1CV\nXJcCggGBAN1+AEubccFbjQlF410EMOZfvvsRkEFcd92EiIRGwyxuQXUIFL6yjW5v\niLlWeOwua2j7QxG5ercifPliWxSUebaFzPPywjZiTAC4QfRFhiR8Ei4rhSRhl1YW\nVaC7NLhfFs6ilX/SOUpwamQAPPXG6t4/Cen1XGzl+bVyXNdgMLCavxGRYEL9LA35\nB9d+Gaq8mGmzFP/nJ7YxMxzG4KatQAXZDQvvALFVoeV9fW8vuCwQTJ+6iuLW2qEv\nmOPsAO3A8EZBDvGckOyDR8dHe5Q0XpHOwbjqUzbamjCC/iy57ENOEclmLN+5L7iV\nGI5G2CyJjU4XCTcapJnJ1gcj2cHPC81kEACuCAm2io8U4iuWlU//9mmtb9h4fbV8\nTq9MLuDTKXpO8jXWQ6pjeTz6NYitsOkHtpMBtyRsuPOgKKxROX9fXoMG6Kv0R4B6\nh3y+WOHliNq3G7VBuMFinCmJhRIesgNSsvVumUw7rPOcpEB2M5N8tJGjhaZ6BXe1\nfpOVmtJm2QOCAYYAAoIBgQDopprWWG5RA4/e0qwGXQenMpFIQ2H0MBZEjVweIVBa\nAm47zVNvtSVvv1hI+BMwwmZ2VmQmW+KoVMZq2WNRIOLfkIr7NiqKyY0dmm1MRXlz\ndNEMxz87813ik7Lyf7nOxASBSxj1D5padssHs7zdcK8qDjmRfCSQc4GAOlIwH0aY\n4+O6XcB+B/K84igxLgzOoG9FQkrnBYm3OlYRwzQvp6hjO66k1PiAbeyN2rnRdxn0\ncU22NLvvx9tgBlIRL0S3yCq8RQkoCQcY7cNszG9a2Mt+o0g8ZQ7ZO8ZU+gQ9CZwo\n38LoQ1RLj9vc25ryVDLNplzqx4WHRC+GaqUTtxD6a3c4PkH/5u/bGBWtD1q3sj5h\nPWPx1aTU7tYOD+zRWhKrLTpuzSAC3fyF8s
z/TsK8zuFteS0NEfcl4/+w3utQ4U8k\nqqWrLW54TiQlnmWIPm/yNH3YOZQW9kwiU49t7/RVSJ2qqpsT3uixk3yvEfefiz3b\nlmGzItWZv/rom7qIhkLTqsejcjBwMB0GA1UdDgQWBBT8Z9Butya+Xi4AkD2UJCdp\nE8PJ9DAfBgNVHSMEGDAWgBSeKEmB3ykbPEUhxu7UnzxNk+YhhDAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNHADBEAiArV4edeINcK26LYdB3803lpKP/aRfF7GjR3l1zixXt/gIgBLMv8rgB\n3CRmD9MU1IB7XsJRfgQZ/DQDjQQTjV/KnLw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1690,10 +1711,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmTzbnlUyM5UMMxaxiYpIBt6mecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxIQyy0GAxaEmZYVXwVl30Nv3XDhr7TtHQIkPL\nrz9AFvoz086Ltvf1WwEWYuTjw1cwp4dafVwRtAp+JrcM1ftbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU37FuTMuW+jgZTRfuSbpLzGXktrowCgYIKoZIzj0EAwIDSAAwRQIh\nALkAfhjrhhN/Brs3RoLxw1IoDyzI+JC6Og2p3UGVn4ZwAiAO/2RmikkMN/gIJhUx\n+M+XIeASrMQ3MxwHeGd41GM/Ww==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAS4j55nuWbcZHzijDgzMw1mq0pAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXM9kdR3l3TQeqGYa+toxL4BQpgC3QnKZj8VoY\nqtH3alXcCUiyZFkxSe2yeBAThWUPaigGuhfm/flNxzVncM7/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4qYQw1JfRrT1U2xHdV5CcfWkKaEwCgYIKoZIzj0EAwIDRwAwRAIg\nbsWa+CrtLQlTaScLRhri0m2Pn9lJngzlS0/KSewxbTkCIHLVmcAAAEMwurl+Do6h\nA1Y6xAZaVts34kz005vs0nDz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUax53c3G/6lfaXOcLyNbXoyKF+qswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFor42XIdIDPz5IXEGA+8ycQokuLJxLJzc+Ht3uHkia1\nljCBjeFl/z9WAeRrCMEsObtDHlWZRbl17LLplngnjH2jWjBYMB0GA1UdDgQWBBQi\nZmS3ZHSoEizTZjj5BER+IzjnizAfBgNVHSMEGDAWgBTfsW5My5b6OBlNF+5JukvM\nZeS2ujAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNHADBEAiAz\nSBgJwtsAM0IznkD6rPk0G1yLEDrRAS5XSowWTeavHwIgXnyNURnJJ/ZLuHubFgML\nbVbz/LVhkOjTLzyHQ8tuxQs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUc3JLItxcXBIYpXSXp1MhQ1lPDr4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI95tBiAa6J+3TCDB1u0rkXLBFv9y9nWbI4gWxaQtmon\nWWIdqkKkJapup6MhXVmNrH3QGnam10EHJhOxwCsPFL+jWjBYMB0GA1UdDgQWBBSX\n8x+xODWxhTNKvoWBWFfD2kCYDTAfBgNVHSMEGDAWgBTiphDDUl9GtPVTbEd1XkJx\n9aQpoTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiEA\n3gjTypNWqSnPmx4uUlNsuK5k/5VQVP4uKUQ2sFZjGvgCIHLrC4YQQjPImZp0Iwad\nxCPawtlHVb5Nd/zxlYTiqQkF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From ce4e9079d844a2def0de2a299df054406811e124 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 15:29:17 -0400 Subject: [PATCH 036/155] validation/policies: turn permits_san into an extension validator (#8) Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 14 +++++------ .../src/policy/mod.rs | 24 ------------------- 2 files changed, 7 insertions(+), 31 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 8f3ee77b239b..1d378f8e2654 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs 
+++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs
@@ -174,7 +174,7 @@ impl ExtensionPolicy {
 pub(crate) mod ee {
 use cryptography_x509::{
 certificate::Certificate,
- extensions::{BasicConstraints, Extension},
+ extensions::{BasicConstraints, Extension, SubjectAlternativeName},
 };
 use crate::{
@@ -199,7 +199,7 @@ pub(crate) mod ee {
 }
 pub(crate) fn subject_alternative_name(
- _policy: &Policy<'_, B>,
+ policy: &Policy<'_, B>,
 cert: &Certificate<'_>,
 extn: &Extension<'_>,
 ) -> Result<(), PolicyError> {
@@ -217,11 +217,11 @@ pub(crate) mod ee {
 _ => (),
 };
- // For Subscriber Certificates, the Subject Alternative Name MUST be present and MUST contain at
- // least one dNSName or iPAddress GeneralName. See below for further requirements about the
- // permitted fields and their validation requirements
-
- Ok(())
+ let san: SubjectAlternativeName<'_> = extn.value()?;
+ match policy.subject.matches(&san) {
+ true => Ok(()),
+ false => Err(PolicyError::Other("EE cert has no matching SAN")),
+ }
 }
 }
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs
index 89963d004a2f..312dc16ce7f0 100644
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs
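Review bot: In the `@@ -217` hunk of policy/extension.rs, `subject_alternative_name` is handed an `extn` that already exists, so it can only reject a SAN that fails `policy.subject.matches(&san)`; the `(_, None)` arm that rejected a leaf with no SAN at all is deleted together with `permits_san` in policy/mod.rs. Whether a SAN-less EE certificate still fails now depends on how this validator is registered in the extension policy list, which is not visible in these hunks, so that registration should be confirmed as requiring presence and pinned by a test with a SAN-less leaf. Once confirmed, I would replace the dropped requirement comment with one line above the match, `// A missing SAN is rejected by the extension policy's presence requirement; this validator only sees a present SAN.` On style, the `match` on a bool reads more plainly as `if policy.subject.matches(&san) { Ok(()) } else { Err(PolicyError::Other("EE cert has no matching SAN")) }`. The body of the function starts outside this hunk.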
@@ -441,28 +441,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Ok(()) } - fn permits_san(&self, san_ext: Option>) -> Result<(), PolicyError> { - // TODO: Check if the underlying profile requires a SAN here; - // if it does and `name` is `None`, then fail. - - match (&self.subject, san_ext) { - // If we're given both an expected name and the cert has a SAN, - // then we attempt to match them. - (sub, Some(san)) => { - let san: SubjectAlternativeName<'_> = san.value()?; - match sub.matches(&san) { - true => Ok(()), - false => Err(PolicyError::Other("EE cert has no matching SAN")), - } - } - // If we're given an expected name but the cert doesn't contain a - // SAN, we error. - (_, None) => Err(PolicyError::Other( - "EE cert has no subjectAltName but expected name given", - )), - } - } - fn permits_eku(&self, eku_ext: Option>) -> Result<(), PolicyError> { if let Some(ext) = eku_ext { let mut ekus: ExtendedKeyUsage<'_> = ext.value()?; @@ -539,8 +517,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ext_policy.permits(self, cert, &extensions)?; } - // TODO: These should become extension policies. - self.permits_san(extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID))?; self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?; // TODO: Policy-level checks here for KUs, etc. From daa512dbe3afd63b60927fd07bde0655c37f7501 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 17:08:24 -0400 Subject: [PATCH 037/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 375 ++++++++++--------- 1 file changed, 198 insertions(+), 177 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 3d2cb4734d9f..343d2d75f65f 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSqgxbmMurxPMsbmT92Ge9Knnp3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAART0rERRktLZoAyE01efxjmUq7eKrU8vFtF3aAX\nRlmOfkmg5IfRGjVRV0ITAUWaXk+ncgGjCYaOYpr2IGL7UmZlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAnsB+Kluki/L2hreENs+hq4pJtMwCgYIKoZIzj0EAwIDSQAwRgIh\nAMcE/GmKfvdVzUrUeiSbu5y7Hf7hkF2g+BAJ464jGyWzAiEA/nZJxAUpK5B1GSkZ\n19ukkkwidz2A8M3ur84JRbIeGtM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBuwjHGr9HsDXfNSW2hQAoh8FSP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvEx+OB7/Ip5JwqDubTfuTqKfinAKW+Z5D5b73\n0vlFXIagYTPfdTDlDvQONdwEPagsFggh56SBQLRyv3Kv9Ewvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIkORErFoRhbyP6Asi9RTv3uCrhwwCgYIKoZIzj0EAwIDRwAwRAIg\naK3phfT2tQ6V8LI4tvYlxtPKF1UKFNiy2xDiW6iTuDgCIE6gr8hRD3immQf9MZSD\nJM/1SDh3VtiikgSjVEcggSXQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGthsCsqRK9eJtmQKsTScwkoWjf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjYyMTYxNDgyOTkyMjQyNTUyNjQ5\nMTIxMTE3MTE3OTY0MzAyMTk2Njk2NDUxNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBuhoXfLte5W7Dfr5Cn4j7sKPt4b4po9ZNKutldzFy/SAQIQn36ESi4WowszVvW8\nwQ6XRUFvZUAkUswbg7tMuvSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAJ7Afip\nbpIvy9oa3hDbPoauKSbTMB0GA1UdDgQWBBRCAJMVQLoqFs5Mp6SmsFI2QGGg5DAK\nBggqhkjOPQQDAgNIADBFAiAPxk8v4Ip2NDaGXTOAIjC1Uf3Kw7D1tk0tOZ8fpYmA\nJQIhANGUKo5QX+HHy0/dabMe1ExSdYdCVuwwQznN71fLeggD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUVp1BFGlYETWdltmP7n+4cRKDeXAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC8zOTUxOTk3OTA5MTkyMjU5MjAxMDkw\nNjc5NTYzNDQzMzM2MjU3MTA4NTMwMjAxNTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n2+qGdhsf3aHKlBtYgH4XFH1X2WoIIoLHP9EJBFk08pzah39mGcwTdpMt0+YbdzhW\nK/qZqWoDBuypDevABaWLXaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUIkORErFo\nRhbyP6Asi9RTv3uCrhwwHQYDVR0OBBYEFPmW3jD3SxZDnZgtfkfNImdayPm9MAoG\nCCqGSM49BAMCA0gAMEUCIQD5YAj/TLo7tDaTlAtcmIWzBG0jxq5zuT69xuGUbeBX\nmAIgYkrSnuJOnlV6X1rluIqDbr750j4hfeP1/WHzhBlTKnQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUKm4OwKQ569Dgjyagp4gE8ifmE5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI2MjE2MTQ4Mjk5MjI0MjU1MjY0OTEyMTExNzExNzk2NDMw\nMjE5NjY5NjQ1MTczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt45J\nQXtrq34jDYB/XFz76d6Q0FnjDtFCl/+2erhOwgUFbd6pBvwXLNFiOAHJgBey0sjW\nLm+FCU06jKZNl1D2DKNyMHAwHQYDVR0OBBYEFEWxkq2dSVvZIyjDmEKvzZEu+JAr\nMB8GA1UdIwQYMBaAFEIAkxVAuioWzkynpKawUjZAYaDkMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDGn8UMAY/fewJXp5nb6ig5oqDzHgxzoaPY1R+t1+bC9wIhAO1QL1cY+su4\n04cizPzcq9Yx1y4KxDVFyiQ+z+ewpn2x\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUdC7wrt73rPagSy/4X/8PyO7lhnYwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMzk1MTk5NzkwOTE5MjI1OTIwMTA5MDY3OTU2MzQ0MzMzNjI1\nNzEwODUzMDIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASgjvJN\nkn3np4hHpStl74QJFSqX+P0lwIA07+R8tgYPlbZFx9isoEWxWPCmOsZoA1ueyEmu\nah+kLsXyUdLVX/dFo3IwcDAdBgNVHQ4EFgQUq6CYyfW0XdUvMnOAhUAoeCr/pZQw\nHwYDVR0jBBgwFoAU+ZbeMPdLFkOdmC1+R80iZ1rI+b0wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAKwhcri/4a0A3aQV78TfxDismNyusaIXKUlXdjSIn/d/AiEAwqMfR7k0wp2H\nO12EAqeKI3xPRaQHz2aWVArmFfw3tR4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUejQfWPoyvtkyb5fhhSq+aEcV8yMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARL/jo/mLwtCHBdgf4AbCat7IdVoTO+reNvsjiE\nopV8HXI+GSCyO9zMZQTgmPFZisdApy2pBVLImlE22pih4Qawo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlmXCCKTvejMnh/cVEexx+6VwynYwCgYIKoZIzj0EAwIDSAAwRQIg\nN+gCWzp+VCcY1l7JwdZbYIC2MayIkgoB1RlZa50yDbsCIQDSY+odhPjeuTL5GYZC\ned1HNF5AUEgA6xDykF5SacEI6g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSZV6NDan20+iwA8lr90U03N3DSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQy+hd82pm+GR90cIYP+RktfJm4t8XWxSWIgkjm\nA5SRirX/hPBjftHEvWiWLkOfeocOQVR8UTihwgOdSToaxoAHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMcX7D450QlA4E8IKskI3uc0UeMEwCgYIKoZIzj0EAwIDRwAwRAIg\nWoqw/KLjAQ3Cupd8/KK6smwVnZaXbVkJNwh9/H04J/sCIB81sH3ebT6DtF+m3LWz\nNH21h+AQbOk9S6q7aO97WRGv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUW9r0+Z9IGkqo0u2+HvZ7uITyzXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTc2NTkyNDM1NDkxMTQ2NzI2MjUx\nMzUwNjgwNzM5OTc5NzAwMTE0MDEzNTE5NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCUvv+UUCqu5tkLE6rwHYUYkOeFfyyv5pKOTlEKoK7NLyxNKyTzi3KBQRCQ93vNH\nAzReAk4JCwRp3sZgBST7P2qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJZlwgik\n73ozJ4f3FRHscfulcMp2MB0GA1UdDgQWBBTsGIKXd4PcFYC19uEcDLyw9ZRWsjAK\nBggqhkjOPQQDAgNIADBFAiEAsAHLtng0+Ik/DL5URYcw7qYWwS9/XLuojRgxdsTM\n+g8CIE7mCgw9E9HUCdUne0NG16nxQp6RZq4SC5xmPgE4krtU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUMpQX8eT9Fjo1SY3blzXwMeErxTcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjAwODk3ODI3NzA5Mzc5NzYyNjA4\nNTY4ODE4ODU2OTQ3NjExMzY3OTAzNzU3MTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMWw58IhiId10u3xtgL1M/tKCpmtqKusYdKYMNTQFuj630FUkLXLW31c7jh7JU+f\noJO8ca0j6aKGAJDsaAerYJyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDHF+w+O\ndEJQOBPCCrJCN7nNFHjBMB0GA1UdDgQWBBTu4s3yyMnh/V8eCpP061+HnuDBoDAK\nBggqhkjOPQQDAgNIADBFAiEAraxkyEdPYJhk8WiwLgdPro7Z980jYiIEt9ZCU+oE\ngYkCIB+RMfEMEbsJzEPyiAHK3vwIqPjjeLlgEWrzcQ1WjPZg\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUAeM+PMOELrElFrPwX1Cv9P4YkJIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk3NjU5MjQzNTQ5MTE0NjcyNjI1MTM1MDY4MDczOTk3OTcw\nMDExNDAxMzUxOTcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJe1p\n+wttDXsRU3fZ4Ky2iUlVNL3O112IbuJLPaWEeY6HIEYT0G2SovKDRuFuXI4XmEwU\nUMbng7XRfAA4lECHyqNyMHAwHQYDVR0OBBYEFPXmpHK9tTZEZ/nmRXS+qAIWQY3E\nMB8GA1UdIwQYMBaAFOwYgpd3g9wVgLX24RwMvLD1lFayMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHRWwvfXKIBqsIrsBLutn0bOUHz7s9vFro7tmBMYC7rSAiEAmRIOBmWD4rLy\nq5GzQq6iBxchj0BryWV/0SZ54lCyAGo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZYjo3LtwNYSaKfiqDIgRBBZrZr4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwMDg5NzgyNzcwOTM3OTc2MjYwODU2ODgxODg1Njk0NzYx\nMTM2NzkwMzc1NzEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWciw\nwUzu+Mogbfq4PbqWPUk1gLcvs1a4xvFZ382SfLVGgzF1T/3B0cXKeZPZKiRYcvnM\nYk7PVA8Ku4Y6bDU9vKNyMHAwHQYDVR0OBBYEFNQH/qTPkspq0RzZIxvewHJMz+u0\nMB8GA1UdIwQYMBaAFO7izfLIyeH9Xx4Kk/TrX4ee4MGgMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCCxTJ//OKlnzQ1T/DH3dneXQ0ULVbyv5xahEDbjyiiSwIhAM66j85x05vl\nDqzo0Lkowo+aylommmDi/L1E+aS9ugLL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeZSWgjxueV7XO2Uw1aw7cXMi1t8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuoBG58R5CHH7vpzvlcLcaY0IAfLkEGAgXuV80\nxV9O7IfytIp/UZdWvv59xq92kyjSfmlZlVaqTzu/AZWbARX4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4r3YGkvkWwB8BP83JSkDQ+zJ44AwCgYIKoZIzj0EAwIDSQAwRgIh\nANNm4IoOhDqoOYWSUPp+teuYGPohzu7QP+YtN+bUB3oVAiEA+JDU0nK7nLpFeYU4\nTaIBANCY8R/3uZSnbKjmdc74gh8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIm/RdWZfITAemBrLwnlrxL6R0QQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToFzkUTj2zc62J91mmhGdv4l1EDQAXpjRcsrXA\nFIp7QhB0fcClppj2epJtF8v/n5Q7yVyr74LN3PyGpYEihZCqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmDdO9lPxdxdFR8xcygwn0n1zyIowCgYIKoZIzj0EAwIDSAAwRQIh\nAOJArR/hJJG7OiO2bPx3+IcAkQPnI3D+8dvaGsEql4dbAiB5XkEmOM66FFq+N181\nhLmVFCnip0XoNAoFzXdEivP6Og==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUD9fLra58UKyhbCNLQVcKnHeLD68wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2OTQxMDE1MDQ3MTg5OTE4NzI1MDMz\nMDkxMjI1NDI2Njk0NDQwMTg3NzYyMzM2OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKbTGvdTP6363I1/2Tj8JwEKWSZcalNyH+gLbpD7dJP8Ye5r4vysmkhMmUVmvTjO\n4Oo1XT3FHqFz5r30Uzbbg8WjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOK92BpL\n5FsAfAT/NyUpA0PsyeOAMB0GA1UdDgQWBBSfTky5YaSw3ctWhxptnaCnM+dI9zAK\nBggqhkjOPQQDAgNIADBFAiAynL3uv74hscGZbqrPwxMZUhxVearYEQ/HZ/xJf8AK\ntAIhAJMfbmT1d8qXEkGgiknx9ZQWdrJWT2W7qxcdfSeLO1SX\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFdlYy7ArNQNkPXSwep8e7JM9scEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxOTY1OTkzMTUzNDE5MTkzMDc1Mzc1\nNDYxMDg1OTMzODQwNDUwNDYxNjUyNjI1OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIJKquHEsqZbPnTJHSG3LCvWxkMzXp5BVyEnq240pJ29bqdWgc3HiouZAjBrrCWq\nFbUWxG/EzOh/ZAT6DvP+nvyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJg3TvZT\n8XcXRUfMXMoMJ9J9c8iKMB0GA1UdDgQWBBQ+z9rDCRXhkTLGOh5n/dDQAeT+iTAK\nBggqhkjOPQQDAgNIADBFAiAUuE7ojUhICgh/2DJTH3QXWr/3Y9wvjPvk7UpMf2PG\nRQIhANjzhyovaaU0a8yUL9QeV1ih1EGiDJhC10SCScqDDUF7\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUdPa6TcFLqyM8TUADVnn4MqQB5aEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk0MTAxNTA0NzE4OTkxODcyNTAzMzA5MTIyNTQyNjY5NDQ0\nMDE4Nzc2MjMzNjk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfcjy\noC7zTXmj1O53MA/kGczTHVAmpq6F2J7B7qxLlqraprh2p/xyh9HKy70NP/gVcaqm\n8LoJzDpbmlwGDf6A46NyMHAwHQYDVR0OBBYEFEFpE+9ixuUYpr0DPrlll0k94bpV\nMB8GA1UdIwQYMBaAFJ9OTLlhpLDdy1aHGm2doKcz50j3MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCRpPvOOrUzP84/0N9T8YyPkVIzsmNf8WyIDADexgl1ygIhAMh0l95/b1sU\nlIQmsHrazFsKcYb+xUUrxGMj6Cqi7NQY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUdAwRl6cmUTwqkUkaudFCWtXOODAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk2NTk5MzE1MzQxOTE5MzA3NTM3NTQ2MTA4NTkzMzg0MDQ1\nMDQ2MTY1MjYyNTk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1y+6\n5WMPKLZElQlY3HG1+L4lApbdvQB4x/KtUkcTex27SjDMWD88lQ654hH8qqTxgS/I\n4TxK7+f+SYJifLe2DaNyMHAwHQYDVR0OBBYEFHYNe/vpZzkvPHMoWdZKTDK0CpGl\nMB8GA1UdIwQYMBaAFD7P2sMJFeGRMsY6Hmf90NAB5P6JMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIE2wJLGKjUavvPf4u9RSopAgvJhE+6HZPCV2hCNfHO/TAiAYnY5oOM9rMDna\nIfw7v/izHD/xC0llb/GZqxhfwSbovg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdbFVwLpEv6nAOJitNSwlxoQTx2EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlIy3F/RCOSp3Nj72/shoO4exc2CsXTlPBebTe\nME9CJGt6tdo6nT24PQlMWVUmVkCD0F5tPSicGF9pKJw+LLQTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURZakLZLwqC0i5Mt5+QTYK2VtlU0wCgYIKoZIzj0EAwIDRwAwRAIg\nSNDPitis7hLmT5iUlJBb1bgUSgcKIxAnQ47PUUFgdMICIH9e+L2CJiWRmARQvLeS\n7HqTfuLsmeJNQemGx0V1ZQJu\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULA+j/mhmMxq8/F45CJ3Jiro174gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWT8uUJ5+g6KgCv9zNGTCXGBsqyNZvFEeTJmZE\n349PI2hv9FQccgEVH5qW/KiEaQZ9KW3UK8JpgaLctowqw7Txo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtD1ORebBu0kmZpI+Jjvo5w6mQFQwCgYIKoZIzj0EAwIDSAAwRQIg\nP6NI/JtUotGwLDICGz5b0kNmDxCad5oE1QlRwT6nWToCIQDcLf8hY76zhhE0978d\natt81a78VH9yNZVm6Vmbws+BQg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAS5n2MwLDXGhAqrxy+OC397tA4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzE5MDY2MjIyMTI2NDExNjM4NjQx\nMzc2Mjk1ODA5OTczMTI0NzAyMTc2Mzk3NzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKiDqNDoZ5iHfF4d4KBsAr0FLi73A0blt4GwePGiL0sn9zyWNSiE34xPmYyYcKUR\nTxEtTWV1aXcBtH4Lcg1uZ2CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEWWpC2S\n8KgtIuTLefkE2CtlbZVNMB0GA1UdDgQWBBTTU9Gj/QVEH+9dP5Mp+phgMqGmXDAK\nBggqhkjOPQQDAgNHADBEAiBYRMTwJKUM+4jytnAsUMe0EiFpBs2uMzrmRn5bCavH\n+QIgEkcqtM8CfwH8SkFn+LLhrzjEzaMlADMj+AsrpuhKL0E=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbyXtyO2KO+xeCpOVuVz/hVte1LswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTE1NDQzOTA5NjczMjUzMzU2MTQ0\nNjY1NzY3MDM2MzA5NDg4OTczOTQxMjY3MjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHXn9p3Y9QElq7xE24MroU6xwNpM1YaHAFQ+AEp6XHYzTWaRc3ZQo/WsfSifz9M5\nTzZWVTXJaH45w8KwFRROnVKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLQ9TkXm\nwbtJJmaSPiY76OcOpkBUMB0GA1UdDgQWBBQvkF7h9co0ju+wT/bj4U9mj6Tr9zAK\nBggqhkjOPQQDAgNIADBFAiEA+WOF5K9YjuutUs5WL5OKUKESbNYeIp+ZMg77Grva\nEowCICvEDF5cl5RVJGJ0+956zGZskqW8kObblOx3prtZvRqh\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUGGTviDcy/GEDwvLYSEZIKvWpUuIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcxOTA2NjIyMjEyNjQxMTYzODY0MTM3NjI5NTgwOTk3MzEy\nNDcwMjE3NjM5Nzc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGUxNzA1\nBgNVBAsMLjY3NDM4NzEzODc2MTgzNzM0OTYzNjA3NDE3MjQzMTQ4MzE2NzY2NTM3\nNjU1MTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCagu3qxi5vOqHNsH0Kf+LE9QQ6w\nRgShtcTgIrmpstS4F8DLjmUJUJwLP/qs0PuTrTnaGUKHavn/CUb00Js2ULujezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNNT0aP9BUQf710/kyn6mGAyoaZcMB0GA1Ud\nDgQWBBSheHD5AHT07tB5DLxDfmHrtqpvFzAKBggqhkjOPQQDAgNIADBFAiEAyr6D\nP9JxZGXPqQgNWch8FQtghYTHMI6my8c7dlLXVJsCIGC/1jziF+ooMe35UBVccM0G\npJLTjBDgIWcweP/zPimD\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIULXIDUxvjQz66jJC8D9hz2IxgY6cwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUxNTQ0MzkwOTY3MzI1MzM1NjE0NDY2NTc2NzAzNjMwOTQ4\nODk3Mzk0MTI2NzI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzNDU0MzgxNzExNzc3NTgxODk2ODg4Mzk0ODU4Nzg0Mjg0NjM4Mzg0\nOTUyNjQ1OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtYmQSShDZ0F4keVXfF6odPjJ\nBSZoyEH7DyKRW3cgugacmUH2tdM0ODKkzdokNeL7GsbXbvwkLMqrKmkWqRSfM6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUL5Be4fXKNI7vsE/24+FPZo+k6/cwHQYD\nVR0OBBYEFBTafAudjTF4jyRdOROeeJcR3G/iMAoGCCqGSM49BAMCA0cAMEQCIHt3\n1hRsr6YKZVAEHyvq6lTJp8OW4AbU2JqV4kkymsnJAiA9sxpy9AxusKPk5mIRGic5\nvYI+KCyPlk26tX44/CfClQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfbPrRmk09laIxnSRf7Ht49Zq0c8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6r5NdpMapIur3+95/N14S7rip2kaJeiV6COaG\nvZ38oww4wNDYfsGEpp8pHnEut5oLRvIEjQOQDQD4SYo4QHaro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcoSbd/ys1OVksNHz/R7SzFQkgbUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMlIWh0lrqBdQWrNmOf4Po2yO0z0MTUu69qG1+M07Bx1AiAA8jxRW9sd7iLIgFpd\n92AOMJWo0X9ATNHKfCH5/RscEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQPAp9K4exWBr+RQALBUebgYQwK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATNT+DpDdnV+ooBsAJ6No8+nIm+rQrobhHXEjXz\npykTqwYmDXpEycA90zjqwSfQH0CO6oeXHgEWexAAYWUuHjumo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAvO5xocCwLz5LNC7jELTs2f505gwCgYIKoZIzj0EAwIDSQAwRgIh\nAMmawD5gm5MtlwFE6ADCB5hs7naIZEcyJIWMuo5juIUXAiEAr3LDP3mboQEeBBbA\nz++8qWStOcGzQ8MUmgn8DQ4GqKo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUGFCVV1Pt4s8AUs1LIbwirQ95wOUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTc2MzYxNzUwOTAzMjA1MDU1MTc5\nMDY2MDg3MDM4NzU4MTgwNzM4Njg2NTMwMDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFf3bfsSLrPJwxEHuUJAUhEdCjoYQHSv39Dit5n2MxqGlmr9av30KQ3kOSRaFWPW\nNX7QKOZ8MHBY3quqL2p08r6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHKEm3f8\nrNTlZLDR8/0e0sxUJIG1MB0GA1UdDgQWBBQj8M+kyRS0+goEetgEAv8fKLz4ATAK\nBggqhkjOPQQDAgNHADBEAiBmMwtLSuTwVMIkiD/Sjg34XLW/M9SX0HrJjm6zQAQm\n0AIgOyYa+pMORr+LpBJY7OzEUYQmrZuiDB9tk5ixJBRmTLQ=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUXfrqeIXh3RcRWDwk3kZ4hvi9TsEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE3NjM2MTc1MDkwMzIwNTA1NTE3OTA2NjA4NzAzODc1ODE4\nMDczODY4NjUzMDA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEzODgxMjg0NzU2MjM4NTQ1MTA2MTgzNTkxNzUyMTA2NTU4Mjk0Mjc2\nNTAzOTg0NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErBFvYQfoWV0XlExkhBZyvfHs\n3XPT835BO2bfUPltmZ1v7Ka1MCGEKjTpHC8/UWcV1GjYpprHEG6peedLhuldQKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUI/DPpMkUtPoKBHrYBAL/Hyi8+AEwHQYD\nVR0OBBYEFJq1J0d3GXrzCjTXsB0jKm+GuqDGMAoGCCqGSM49BAMCA0cAMEQCIE6r\nmhGWiySiNjJBKaaA3qMLhSZNulwR1w7TTOV28jd+AiAF0d6TcWhSJcyn43+xRHDw\neqamyiMgBeCzVefSeJ1Wog==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUURgQJxFvm+5RFxoVkbhQFZUs8IMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzA3MzEyNDMwNDQ0MzkyNTM0MzAz\nMzAzMTc3MDA4MzI1NDk4MTQ0MjMwNDQyNjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOQItwRSBWtxWtq6MsGek6/SRmNDMvTyL4edgyGyhu8QK6ITVFyA8Q/fppLbOmwc\nIeirmaE73ogUAVWEPAze9JajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFALzucaH\nAsC8+SzQu4xC07Nn+dOYMB0GA1UdDgQWBBTmNO3ZJwyMdKhdrutA3N5JYgbifDAK\nBggqhkjOPQQDAgNHADBEAiAaFFdgFRVTjyPSqgnmYnBXVifeI6VlV1ECnf/dMjUC\nlQIgZBGnHD5sIx8HfEdnvLvB7069T7t8b+XY8l4rTdKC9L8=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUH1MbIy/vfupfjK0PldQj6OA98sYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcwNzMxMjQzMDQ0NDM5MjUzNDMwMzMwMzE3NzAwODMyNTQ5\nODE0NDIzMDQ0MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ2Mjk2NDg3NzQxMjI1OTMzODAzMzM1NjMyNjc3MjkzMTg3NzIxMTY2\nOTg1MjI5MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE73p5Ifz7E6UDlclHUeT6Di1j\n0qGjOTxkRc8Wxvzp/1GuKFsgUqg8S7laUVrwVj7Dt3gwAN5nxq5giSsir6WSI6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5jTt2ScMjHSoXa7rQNzeSWIG4nwwHQYD\nVR0OBBYEFIQRvNva2rQmY8jy42zpQm/qJtD7MAoGCCqGSM49BAMCA0gAMEUCIQCY\ns+rnK88ca+WXHbALSfZwJ/NgzT4S/nkI64pSHLS+DgIgH0cKZZgb6BHD7S7Nqlsc\nFGBSn/l/bR3NS2abD+ZbfQY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUVL48JwKX3HH8I0N96/3SoexwStgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM4ODEyODQ3NTYyMzg1NDUxMDYxODM1OTE3NTIxMDY1NTgy\nOTQyNzY1MDM5ODQ1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjzQm\nFlsaGCl4RF7E9yA8R3FmSZHqWjJXuQfD4QumVlta4KzXYn+w/1ZS4SyQey1IXmh5\nfzLUg5/Aywi/2ofPfKNyMHAwHQYDVR0OBBYEFK+xjaD7Fc461tkdt7XsX1TA4quQ\nMB8GA1UdIwQYMBaAFJq1J0d3GXrzCjTXsB0jKm+GuqDGMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIBTlGzcEkBMLjjf2beFtZSc3478lQbF0As4fMRZu7ReZAiEAyc+QpIU5GF27\nmiwfzW5poLgX1WaXNk0Hf6YrR/VD+Ig=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUalvetAPm9sgHJJgMnFQYvTSg6iIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDYyOTY0ODc3NDEyMjU5MzM4MDMzMzU2MzI2NzcyOTMxODc3\nMjExNjY5ODUyMjkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErABc\n4G05714WoLQz3qllGGotGJDZjvG1/WChrip+E18xIx2RUJCrbbRwLUm7KR8oxXch\n2Jb328Px2er3lBr3+6NyMHAwHQYDVR0OBBYEFIu5ntnzDIA1OqO+xCkZRx3ZXOzc\nMB8GA1UdIwQYMBaAFIQRvNva2rQmY8jy42zpQm/qJtD7MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIAIVHf8q+YQzt7VeJUsUXSZcjF18PyCa31cH8j7ZYmMiAiAzbtTip100iUf4\nnQs2wFHLQPbkatOx2yNfbPe+dlBVqg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYc6wrRipgqneW0pvYb9UReTyA3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6B0nqBEmqzAQYc9hqG5FQSgWZfuWKSzEou7hm\n7MkTO9+WOzhO5nlJDxAflsh9Ycg0msXxtk6EP3MxtdByW6f5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOj0KdZ+leNMClby2sRHEN82lGMwwCgYIKoZIzj0EAwIDSAAwRQIg\nFqfgBHLLZm2GFsAhdlkZvrtPmja53KbbVGmF/2HxL2gCIQCHTBA/TBlSkm3LY6Jg\nV+IosHUShhOuLQjFoQDn8hRGmw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCMfqw4LpoGgpkBgSojW0apgbeL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT9z3gtiFIyGz/zUoVh2zAAzWqK4yeNvWmTxoV7\nsr2uKFWVZCJJq6j+YIFYg1vI9eNpiEyrfixJzMEyp+tzZg4go1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX/kibNVDRfY9cBIw4eLjVSKrSZcwCgYIKoZIzj0EAwIDSQAwRgIh\nAItbsnG6/cNe+Ce3y8Tg1e9it9YlyQr5SBOlDoKiiCOdAiEAkLhahmozpwPuzR5M\nnkbdYwjNuO+RIMDCPsy7+h6QsNw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUA9deDrY3T8k0Hr3GYRrPPVsqu0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NTgzODE0NDg5NDQ3NjQ4Mjk1ODMw\nODk2NDE0NjcxMDU2OTg2NTc4NDE4NDEwMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFrtanVoW9d61YI/y5isY85FTfEefSZuCpLV37suLR1Qu6lxE/OZmg6AXQKTbNnT\nngzINDbl3Hwu/PzhYvcLCZajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDo9CnWf\npXjTApW8trERxDfNpRjMMB0GA1UdDgQWBBRxFuuQFufrtvAIeXApB2NpKUrntzAK\nBggqhkjOPQQDAgNHADBEAiAHWkUHLvnXdyIpKaqbsPvj0tcbSDrl6C81HcJwAjRd\nEwIgWlC31zWGWciTHlt7KKTCymESIFBFDaXwsnMs6rG4Org=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUTm+74DpifZgvmEKoeOuzFdSdq38wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU4MzgxNDQ4OTQ0NzY0ODI5NTgzMDg5NjQxNDY3MTA1Njk4\nNjU3ODQxODQxMDIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzIxOTI5ODI2MDkxMTkzMDE0NzE1ODc2NzI0OTA0OTg0NTk2MTE5NTU4\nOTk0NzYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5gMIcaLcAA+bRM5p8FsR2Z6LG\nNWczENBYKI2ZuV60TvVSDPpj3z8FRK/KRQBCOl0XdxMltmMRD1bNsfeqSIBxo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRxFuuQFufrtvAIeXApB2NpKUrntzAdBgNV\nHQ4EFgQUHqQYP/QGn2y+sykzcydqOa5+9+4wCgYIKoZIzj0EAwIDSAAwRQIhAJ09\nJYhcsPcQQLiUnuxJJVpQkv4aCJRPHtwVamYgYE09AiBszIPiQaj9e8eJbG2frapK\nwRdfH3uiidoB5gnDz/WuMw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUWh6+fl32dDXo1QTB/dGiyp94kXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MDEzMDIyNTI2NTA4MDU4OTczNzk1\nMjY5Mjc3NjA5OTQ1ODMwNjU2MDE5NDc1MTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nyjP3ROFs7YcLBS7r8uYlebKnWqxMe9chhfYgpJCkcTe7XOsVLX7t+U9sUahPPD5+\nryMo3oselZRR/ZAXLQ/ukqN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUX/kibNVD\nRfY9cBIw4eLjVSKrSZcwHQYDVR0OBBYEFK8qdZxrtqmJes/Tj0b2DRk73HFWMAoG\nCCqGSM49BAMCA0gAMEUCIBsPVCUJHael+PGrkpi3s5ARWQhdP2kxMJmkX3h8w9Ky\nAiEAhOElcuqyfVVsr5bxIqO+ugdBJnT480n8VpxQKlgt36c=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUQi/cSGwSd06xxCf2NUqP4FHqKdEwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTAxMzAyMjUyNjUwODA1ODk3Mzc5NTI2OTI3NzYwOTk0NTgz\nMDY1NjAxOTQ3NTExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNTE0NDk0Nzg2MDY0OTA0NjA4MDI2MTk5NzAyMDQ4NjYyNDM0ODA5MzYz\nNTk5NzMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQXrIWyq6YBgdmq8YiS6KeBTz3H\nj4l4qiwb4F1aJKahKrFlIa3V11uAyp9/55yEEWVXHcVD6PIDzhZD912qXz/7o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSvKnWca7apiXrP049G9g0ZO9xxVjAdBgNV\nHQ4EFgQUzkHm6YWMOj8oSSaGNIDhtCfRm5UwCgYIKoZIzj0EAwIDSAAwRQIhAK/Z\nAc8XJ21D0QUoSle8l+/8txKkkjLcbUL+G40+QjoeAiB8ALm6Waf3UPYyIu2bnfeO\nSXsVUUibHebgE0R1i1dUwQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZigAwIBAgIUaM/Qhz3lVt2B/YeUgMkoLsWsjW0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjE5Mjk4MjYwOTExOTMwMTQ3MTU4NzY3MjQ5MDQ5ODQ1OTYx\nMTk1NTg5OTQ3NjMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATTZWM3\n9zvLCXqAC3E3z1/XAPG7LazG1HWZdPt41IZC0EzE6QWN2pSoqAE664kJXAeiz4M2\nqgiFV8I+9TuzswOto3IwcDAdBgNVHQ4EFgQUmcnSkE8Rwjk8Hd8fYW8ZzyyHUUkw\nHwYDVR0jBBgwFoAUHqQYP/QGn2y+sykzcydqOa5+9+4wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgU92f0HL4kfmnoBsRW04tQ/B2C2da/mVCIp3qiYStCEYCIQDEVVKG0VdQ/SGD\ngTFz5+cY3Jaw0NRreiQXqgGFTHeEaQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUfDU8oLHPcloFDSkr94emppG7KQcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0NDk0Nzg2MDY0OTA0NjA4MDI2MTk5NzAyMDQ4NjYyNDM0\nODA5MzYzNTk5NzMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMCPo\nCXrJwbjFxekm3iLYciyQTahflYwVbX5OnQG/ZFGUSHSRfqlW6LGPi4J/jy7T2PnW\nqjoSE7R/6foswgaObqNyMHAwHQYDVR0OBBYEFNbk4qvjCwIo/pxWqenfn6hh5gcF\nMB8GA1UdIwQYMBaAFM5B5umFjDo/KEkmhjSA4bQn0ZuVMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCakuDVnUqBSlwGiJ5kYpNYEOV4Ya0/VEcrF+eTwwdlqwIgFgZiKnCivaVo\nRn6t7LLQ8TWb7SECSWTh4nGM1ni59bY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWRCsGRla2h/Jsf6QAPyzyYpsPVwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQeGr337gtOppU9TTflQYI05S3NmXSqKiIrZRLO\nGnNCX2FajAbgE6QPehuPeLll6txv7BTFG3MRcCYPMKE2W1Ano1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnsqiKF+0X0TnVvgbplno7KPiXxUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJjM83pJCJDYI+lv7iQoxWVX6L9+h1WpWVv5cUMSRvx6AiB8VtEhVrfOdvltJgoe\nVZCSVEVDl4vjVPbAQdO9wbWvfg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeVNUUBS3C4+9AbjB9H/Y6I/+JZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVguUoUZr3+fzCD8iGqOjcwXnxByTG0VkWOqFO\ncUekT80Q+Rszy2igGke75fh6+3Yxx8xHjhmmsyoTS5h+GHrHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjRjB0Bjmclh4wNeRgxBEvmtQu/YwCgYIKoZIzj0EAwIDSQAwRgIh\nAORDNlFiW3ZBrLw0U599CNSSQPb0ulBgTQ5YzGulKv2uAiEA63EW9iaOl628MVqH\nBXZVWXT83HVUedAAyozEHVNB+a8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUDLoOypfDyecn56mqUwetAUhFxvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDg0NzE5ODIzODA0NDAwNzQxMDg1\nNzg1MTY4MDg2MjMxNDM4Nzk3MTM3NjY3NDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC41KnlG1h6VY/5MIGre+bCUkSH3SMADJJi3HqWdNYqWLBKgcMkE3y1WHwGuSxwS\nCqMuEsuLnYr0204H00LfilajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ7Koihf\ntF9E51b4G6ZZ6Oyj4l8VMB0GA1UdDgQWBBRVDoVZnqUEeLS4+P0DeVGBUUo8tjAK\nBggqhkjOPQQDAgNIADBFAiEAsw1TxT1rmwjviuo9pQ4IfQGd3WtwypUzF8vCprgO\nga0CIFIuSP3KFBbnPp+bfsLfUu3C80g/V6JGJK5czuVDy5mY\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUWSSMNhDcdgE2I3dJcBdy963I6CIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4NDcxOTgyMzgwNDQwMDc0MTA4NTc4NTE2ODA4NjIzMTQz\nODc5NzEzNzY2NzQ4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzcyNjU3MTE2MzY3NTgzOTUzMTk3NDY4NDgzOTE0NjM2MDg0MjI0OTE2\nMzA5NzQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdHC9T7CfBuRyDqSqmtBEk9ETW\nrT9pyxX6IuyURaAekh7KBST3IZIOcVSkeFc7WIQ6A+TtRj0v3howUFHskUEto3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRVDoVZnqUEeLS4+P0DeVGBUUo8tjAdBgNV\nHQ4EFgQUVaddBh9sfNYtgDvg6F/4D7M6EbIwCgYIKoZIzj0EAwIDSAAwRQIgdFcJ\nXyEtoGPojOmREIiEcL6pxniG7Uvx3ET9MKRSCqcCIQCLo8oaf9zDocvajfwB3OGi\nMMrP5D7ZV84H/sAsDv6qWA==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUXq0387iP/U9f2+GredfuRVUkdhgwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzI2NTcxMTYzNjc1ODM5NTMxOTc0Njg0ODM5MTQ2MzYwODQy\nMjQ5MTYzMDk3NDkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNTA4OTE1MjE5NTQ4MTU5NDI2OTE2ODA1NDIxMDU2NDQ2NzI2NDQ2NDA1\nNzA3ODEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQV5eTz9B9OZ5kGxAY0EucY67Tx\n/8nXMNWE129fSuV1Lhy2qQVtYPY65kqsXSkPt1MoGhGTbwHxp3sn+45UrolUo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRVp10GH2x81i2AO+DoX/gPszoRsjAdBgNV\nHQ4EFgQU/5qcg0UsDapOSr22Ictdr6A67M4wCgYIKoZIzj0EAwIDSAAwRQIhAMo2\nSMMS2XfB16v5I4ZIUVyLs5tOtX0qaFPH0DclD5MNAiBdBPJqC+bz2KIfQTrjHAdt\nd7UEfnm6FIFeTuMMIb4q5A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUPaEZPm92SezX+8A5XMizz1YjHU4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2OTI2NDYxODk4MDMzMDUyMzA0MjQx\nOTEwODYyMDUzMTA3NTQyNDkyMDI2MDc1MDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPUS6PF5JXgypVn12+I+MvlYucYz5Wa0UciIgYuPU0kGxtOye6GbRGdl4g8QaoVI\nFH39ixaFDydva+Hs98rdqLOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFI0YwdAY\n5nJYeMDXkYMQRL5rULv2MB0GA1UdDgQWBBR3VvINBpHYMuYccPM1BaTB6CeqOjAK\nBggqhkjOPQQDAgNJADBGAiEAnilHjPAVlUXCVUIQ6CcBU79ilkpFnXUI+Pp62Ctr\nsx8CIQDZC/8wnZ1Njgmf2dE5JUIXRbEY6JbUOeR4JfZNK8C9QA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUfuqep0WSp61kFLrhHtP3twn3JMswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjkyNjQ2MTg5ODAzMzA1MjMwNDI0MTkxMDg2MjA1MzEwNzU0\nMjQ5MjAyNjA3NTA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM1MTg0MTA1NjA1MDAzMTE4MjM1MDM4Mzc0NDI0OTkyNzYwMjI3MTYz\nODcyMzkxODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBAw7chUDuvq9LqWLV3Oex03s\nsPTq52ihdxXVb+5OPd9jJP4TZ2NjEdPPdrCwlMABHnnuNs2Ec9gkmehOy58A+KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd1byDQaR2DLmHHDzNQWkwegnqjowHQYD\nVR0OBBYEFHVA+eUe+9j8GmUe45xT4xBqkD/2MAoGCCqGSM49BAMCA0cAMEQCIEev\nHDis+2bF0rgvvU5EyOG2sBSrFijNhJKGlX5JqdxuAiAW+j9q/mpFZUV63n/Q6fob\nCtGlCD7EzMvAzjE2kkQabg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUAL974nSbAF+Ry5xVtWdpw/TmDmkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUxODQxMDU2MDUwMDMxMTgyMzUwMzgzNzQ0MjQ5OTI3NjAy\nMjcxNjM4NzIzOTE4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDcyNDU2NTAzMjE2MTA3MDY0NzczNDU0MzgxODUxMDI3Njg3MDI5NDA2\nMzIyODEwNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+aRmUh6Att48HLJUk1GNbl2z\nHpX304egMOVH5pMRTlJSI3yJyORP3sE43kBBYG++65FS+vTf1wMwhzmA9XGE5aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdUD55R772PwaZR7jnFPjEGqQP/YwHQYD\nVR0OBBYEFMg33Au3UOzk4S6gm4rdNAEvnBLLMAoGCCqGSM49BAMCA0cAMEQCIE8u\n9+Chd2PuyLEyMXBKvSc1zGlUUbzGybhznCL7JtK3AiAJLufupBttt94ejGDio76c\n3M12vVhGM+vdrqyNsEoaWA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUNGuNkGrfnITRjWO0/SRAKPWsF08wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTA4OTE1MjE5NTQ4MTU5NDI2OTE2ODA1NDIxMDU2NDQ2NzI2\nNDQ2NDA1NzA3ODEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Wy8\ngo35ufFHFrVZyfvWFceIHCyhZd2/1Aqtcf869KZ1CgY/wm2K1NpwMOqDDKASoi2U\nvs0gFhTGcOfY0dR+rqNyMHAwHQYDVR0OBBYEFL6VpzEFVEwiwVwQ0XWIXZdwud/V\nMB8GA1UdIwQYMBaAFP+anINFLA2qTkq9tiHLXa+gOuzOMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDnvMhuswqiNm5NN7YZvlDSu3om4M/7hzwVXSI2Zbq67QIhAMUWcFlIHMuB\nwEr+s+aJE+Su78BkBh3GTqKY4/9TLoBL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIULxmIVflelnehSJ4h09VB86C0LV0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI0NTY1MDMyMTYxMDcwNjQ3NzM0NTQzODE4NTEwMjc2ODcw\nMjk0MDYzMjI4MTA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbwx2\nVdRcGIVbz1enPOghIHeCGQJiQVdqRD1G/dNO/lYXRoTtXDOqjf+sr0zY0jvUB2rU\n54uG0AajQhLIIapQF6NyMHAwHQYDVR0OBBYEFKDmRskCONcS3XrmUiW1G/AU+u3X\nMB8GA1UdIwQYMBaAFMg33Au3UOzk4S6gm4rdNAEvnBLLMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCnnpFsiZsfzZSNV2VhOVWlOGxfhyCNwvJEfL1qXqGIngIgC/c+LUvbgrvy\nK7skA/IhJfefcoYvYogM+N64AESbv+g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOP8Wpet6mRk5sQggfRMoozq7RvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjOuBf+YEsJzBGxuyD96Tdc0CF8+nMvUwTKjVe\nUSGoL+WAakdDcpFYi3xNgBu6+yyDQnOKKEODTjjuwHbCyTHSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYf42qIV6Vvchner5p8POaLHWwgMwCgYIKoZIzj0EAwIDSAAwRQIg\necy/5PHKk02QLyK9Wk9Luyv1DfkTcICn6pYv5MXDuboCIQDhbVu448BadjlU8ocM\n/SaZi7AeRbyrIsopwJiuCMAS0Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNovEiEUeUEec7G21k8/B24jUlxwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATszGFAZjOxrMOG/GghGjpdaKDUHYDQkBt3dvPs\nrrjNilKGWoo4JsiAF+bne5JedL9tug6XVsGZlcobOGAHJdNjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FoPHlBvOrmSDe/IQDdE43Kkt+UwCgYIKoZIzj0EAwIDRwAwRAIg\nbi6gvEsQVcfub/TUJjRL0Ymg+nCHj0zDuJtYNG6+aJ4CIEHw0p0rvdv/+TNztkK/\nL4sPlemrqK54ZoGaZHGVGBz9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUY8ddN3z5E86RCvHHdSvNyekpR94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjUzOTIxNDYxMjE2NDY1MDczNzE4\nNDQ5MjY5NzIxOTg5MzE3MzgxMDQ5MDc1MDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBe/briclze10LNPom1OVs/7JEVIPgXghjbmFRD6Yb6AeSQa3JBL/jXRFCu9IN3X\njaUjm/UNQNCDGoNi73W5yS6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGH+NqiF\nelb3IZ3q+afDzmix1sIDMB0GA1UdDgQWBBSU4VslqakDMCD0wwH5rDx0wh0ccjAK\nBggqhkjOPQQDAgNHADBEAiAw71sndDXqaZU8WnWkgjncB9oSsZmhwLa8TidB5Yq6\nYgIgU90Bv+8Y6VZJ+J7AVkyVfdvL51qiQgUiiwRWTX1fO8M=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUFisGgxidP/Nst/pfb8sxYCn9vM4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI1MzkyMTQ2MTIxNjQ2NTA3MzcxODQ0OTI2OTcyMTk4OTMx\nNzM4MTA0OTA3NTA0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDMyNTM5MjE0NjEyMTY0NjUwNzM3MTg0NDkyNjk3MjE5ODkzMTczODEw\nNDkwNzUwNDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr91xqwT54bg03j8RvqN6oSfZ\n/3drxt9bl3pZzzgm12JOQy4pAXD37prqOfYPPs6tFMbMuFVJNm5IXwpiZCGhYKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUlOFbJampAzAg9MMB+aw8dMIdHHIwHQYD\nVR0OBBYEFCOwYSHyTj9q6mGHnSz73vOVscBUMAoGCCqGSM49BAMCA0gAMEUCIQDV\ndHA8IHXTPHjOBkiq2lFAme7dq68D1HBW9Rozs41HUAIgTSyXb//UK+VJiwXU2EJN\ntmNXXiIp9Gc4IuQ22c1CWlA=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUfX+4TDmf56Lu4YJik3AFI030FFYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI1MzkyMTQ2MTIxNjQ2NTA3MzcxODQ0OTI2OTcyMTk4OTMx\nNzM4MTA0OTA3NTA0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEyNjU1NzI5NjI4NTA4NDkwMzExNjE1NzA2MTM4OTQwMzE3NzIwNTAw\nNTkyNTU4MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0epL1sdAuSrz165D9/H6HWjQ\ndcC1M8wiD8beDQc9mF4yS0e4j6OxkMdLyWfOvjMJzUTHQo1mDz70m6yOMYz9PaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUI7BhIfJOP2rqYYedLPve85WxwFQwHQYD\nVR0OBBYEFEN4bx8BWOiSz/Fob7IR0i7Q32c9MAoGCCqGSM49BAMCA0gAMEUCIH+J\nno9UIr0unoQ/cLEETGmbLGLDdP3R6aQ1wK5w7sv9AiEAu1eXOyGqSPYO22YVMYZB\nShw1Z7DGLXHy7Pkf97KSX14=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUV7NOQ7cW9rzFJnACeC3cXoJSH+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMTE0MDI0MjU1ODU0MDE3NDYwNjI2\nODU1NjAzNjI4NzU4MDM5MzI2NDg4Mzg5NDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBALbfyx/Ks9MYOTdCGmSWu/zmDX04etAyaL6V9U2wYE3BKrtVENrWGRH00pCUhCe\nXlUdC+mlFIvgH/fXDzavmIyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPRaDx5Q\nbzq5kg3vyEA3RONypLflMB0GA1UdDgQWBBSOiEadPtgHawC8bRgcNdZL4GC8FzAK\nBggqhkjOPQQDAgNHADBEAiB++Y4CPQ2taY/Wt0eRpZ+Kl9XEZ4jKqf1b0aovNmym\nVgIgPoF+5QnrvkMdRfLzB3rlPkucaLEBcqNmsYulGPCH7EI=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUTslUuLISB54BdRs6zf53PGHdcKEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzExNDAyNDI1NTg1NDAxNzQ2MDYyNjg1NTYwMzYyODc1ODAz\nOTMyNjQ4ODM4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMxMTQwMjQyNTU4NTQwMTc0NjA2MjY4NTU2MDM2Mjg3NTgwMzkzMjY0\nODgzODk0MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErioJNrskOrD/HGd06hlgOCXN\nkSCBzngzzcweHwtdHLet8Et0yREPjtXkGw+Nibn3oZbS/dr0kQZQeAjv501MX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUjohGnT7YB2sAvG0YHDXWS+BgvBcwHQYD\nVR0OBBYEFC+7kTuePK0nCEv6AtfMKb1OZrERMAoGCCqGSM49BAMCA0kAMEYCIQDQ\nyNxB7/+Yne5oP6ZWaQ2fVdtmOctSbYzFZkDTmNn2IQIhAJdNcl6fOiBk50Cl4U0U\nwCWwOW1ai4bJc3PYnPJ3E1uP\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUdBTX2prrD/EmEoCUVPG04q+axJ4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzExNDAyNDI1NTg1NDAxNzQ2MDYyNjg1NTYwMzYyODc1ODAz\nOTMyNjQ4ODM4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ0OTc5MTExMDE4OTgzNDExODU0MzU2NjEwODUxODU0NjE3OTQzODQ0\nMzA2NTUwNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr44HPV87EFzfeY/k82X5k4bI\nbKmiWOtYQHgaRSc9th9IZWNmhpWA9cvSlAEDIXR9XKUcgZ2Q6bC2xCXunFUnSaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUL7uRO548rScIS/oC18wpvU5msREwHQYD\nVR0OBBYEFMliBS6GbBp3xnXPfS/BUuEiyy4VMAoGCCqGSM49BAMCA0kAMEYCIQDE\n9Uu7uxyO1JSF9rE9vk7g6Qf3fZ6ZzqDLZusJJrybzgIhAInBFT0mU1k1vcc0Ewvh\npN3WHAfPOSWCJ1D/9IwQamz5\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUYMGJPROKUApk96hbLZ9F1Pesd9wwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTI2NTU3Mjk2Mjg1MDg0OTAzMTE2MTU3MDYxMzg5NDAzMTc3\nMjA1MDA1OTI1NTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA+yh\nMdreNQOZlrjJsXtSoPv+YGTex172YbZQfmWhRRZErIUHehYr8j2gGcGzFOCkYT5b\nDqjO4L1FmktNkKJA8qNyMHAwHQYDVR0OBBYEFFmJ7h1nUgev+jCKuYE/4rvmQqLo\nMB8GA1UdIwQYMBaAFEN4bx8BWOiSz/Fob7IR0i7Q32c9MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIQCYcNQowWxhBjx7GldwJNsBaX4lwNKYGiPRvsV5bFv8lAIfEgufKHSSnwAo\nDXkv0qj8LfGcmgt1u8ZPmRWH3HQctw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUX149AXWUi2v68AAm8xubC+1pLAQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ5NzkxMTEwMTg5ODM0MTE4NTQzNTY2MTA4NTE4NTQ2MTc5\nNDM4NDQzMDY1NTA1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+uSS\n5dbPy6g2ccfvU+CjAXFa7ytP4tU9lx5F93tWx3unuFLQcjbit4BF1zzXatpAfyKo\ndTEfEY5SeU6gjGMasaNyMHAwHQYDVR0OBBYEFLLXCuDlkJiXP515D20JQY5JfT5M\nMB8GA1UdIwQYMBaAFMliBS6GbBp3xnXPfS/BUuEiyy4VMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDoM4syIe+zYtnQugO9n3L6v3uX9ZhsKmn09wCfO4GgqgIgb3vRMlmACmuE\nuefgFVAZuG1VZ3yOe4TFtkP+JREdbAg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUeAdMmCAbgnA7zTsNxWCdEkrmhYowCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0DpjmReWSh0i\n3MeVbZ/yBRgRTD+5vsJuJcBfoaZpz/h2oDjIyyTGo66uo4RI9rA796UH54ZzDOht\nsDAHeynDYaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFOCbc2+AxiED43O7x8OnLbiBF+HD\nMAoGCCqGSM49BAMCA0kAMEYCIQCJ7+jK6oq3OdPjAKZWjxYa3tpcPwg+Es/LEVXh\nTWPmswIhAIlhSXpkTgc/MD6Hv7uuKHQthMYtdnRQc0AaSpD9PaEG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUIlKcuDETvUvtj4/7R6GtLyPxPuwwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZq3hO3y9LWGv\nxvrrNtCZRp8Y9nmmB9NrkLFhi5nK6Z//UklriHxcwC4NyXm42cUKMBrHSDEHVn+1\nyxuxe4K0faNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHi9E82bEF0hELAhQ1+pT8byqdlm\nMAoGCCqGSM49BAMCA0gAMEUCIQDmeTB+4WZG1+PLFf643dJY5+08VnxHfm/QzkJu\naBGuYAIgMP1u5oQRy7opI3ObbO/l/kzay7dGJpyz5Kmpue0PMPo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUVsKPFXPp7VGhmFg0VUEIeyUEFx4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABJRNqyWP63fHsOZsdfV740KIQVgTZ8+TngQYT/2TQOrXzwYQ\n4fnR81Sspovg0rwaZp78PzKwH2OftK03WD9FnK2jcjBwMB0GA1UdDgQWBBQ8gKsV\nzU5G/P8gbGEr9AWxEjo6dDAfBgNVHSMEGDAWgBTgm3NvgMYhA+Nzu8fDpy24gRfh\nwzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAtKfyDh8iDPErd37/pMAF0dF/AtI5LwOUq5ZF\nnwacxw8CIQDLYqdLcvuvJ8zqcoZwUhYPWt7w5g8XiR8cJUvKeIxphg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUDD0mWk55f5qCmxLubnxjZnFQ+x0wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABLgmjobP20OJiI5SMuY1T+QbsgtLbi7kzWoiTap/OBaABnZk\nb0Atp6AgNnqqos3YkHonQRcQapCdfopo27w5DXGjcjBwMB0GA1UdDgQWBBTWMs+g\nxOhoRs0LIosi4uneJJXPzDAfBgNVHSMEGDAWgBR4vRPNmxBdIRCwIUNfqU/G8qnZ\nZjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiAduDjLsio5R6lWU6aw4a8u+tYOKDPdNG0Ja18w\nypnFfgIgdWWQYghMSDY1C5vUCyKZpQ9+izDr/fdJKVbP17LryUE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUFJlQ1curjZPEz+ofwukP+rYqZnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtG0nptae\nROnlREUGc15l0cs/QfomyCSZ3j+YpVCBs1fiO82wgesgM8npvOr1q4NDYG2Hs1od\ne+2ws1GH0Tim+aNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFBD1Bqf3ACRwri/CGN2nR7qb\n31zjMAoGCCqGSM49BAMCA0gAMEUCIHSnIHr1kV04OAi/tFGrM+/kzudLKKT0ZHbR\npSdMnmfSAiEAopnAXYToqBd5ayOz/2uwg7nBvS1iCg8Sw2LRvTF3NS8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUfzhmN4pelEcobk1JI92RwF5M+LcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+JD/PFy8\nRIHWjftE+EtDFyaReFNyh4Gwa+vGeFAHMDdn/S4yxIZ2IifJQtFRvcCsPBrbDrc9\n5rBRpj06p3JacKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJeLrhUy7lyWIS6kcPhaLzgR\ncfcdMAoGCCqGSM49BAMCA0gAMEUCIFDud0PLg1QA1sNQZj/zN7MIKbNgjCWVTk4b\n/h1VRkeZAiEA5h1m8dQSjByX4N1RMoAGx1M+ljkt1r7mvG8SLB2s1v4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUScsItb4OgAq2jAl7uBgStfq2sjgwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/2GnnGkhHYN4v\n7HuPmR6rnjBEoZh2ixEJ7JVZ43UikqefjRqtaeWpzN0zfCnWdxu2dxRaYhIk7BHF\nq2zO6E33o3IwcDAdBgNVHQ4EFgQUItpLrH9g9srJAg+/6hA9HgO4Rz8wHwYDVR0j\nBBgwFoAUEPUGp/cAJHCuL8IY3adHupvfXOMwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMS9m\nAJByFKSp2xNnV7bHlG9QnqgNxmm5sYPySQC43t0CIQDJZTHe7sSvb5OyW/ZLaqki\nvLoJiH01gbF9jTRckjt7Pg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUbnZorA+4s7gtmbhE+PCtvDbEYEMwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASl+YwpKq7qsSvo\nTj1XwH2ztT/2v9NDXpWIQvu2iuSVj43K6Sh62SkO2PEJ0xFy1FDLFuGH6dTR8s/V\n1rrcfY++o3IwcDAdBgNVHQ4EFgQUimVrg6+Fpez42IgWROYjiWSgIA0wHwYDVR0j\nBBgwFoAUl4uuFTLuXJYhLqRw+FovOBFx9x0wCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPAW\nZHqIRfU5R6zAYmbzyOYfLrm+fVG75V12Sc8al+xtAiB8f7o7C6OdtaUeRp1vsUIZ\nfceHnfpZbcBtkYURTqNeEA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfMpy+aidRm5DlBO4uCjYx5D6I6AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBM2+5+i33LDP/8KnSwRut26+DCj4A6qSTRdSi\nTiUKakgRv+Te5jl4JqfiqvetwNpaqCLLUA4q0dZwmPoSPNM0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5XRjUbxVB6Or4FRrmJZwV8cUDSswCgYIKoZIzj0EAwIDSAAwRQIh\nAOHjVkJ8ypC6gE6xE/vb9KLRlms9cHX6JP4+EvFMvVYLAiAtC88HY5KDlRjWqjdM\nWfs5X5tvoXti5+kDuziRDTLGmQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDm49LrCGGMhsZBwtqbPaEoyImwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeQSOwQJ/GJQ6/1MdZWs1BuAOuDWALqcQpqrbr\nA7zbJOQiayuAy+Q+MPy4/ODo3sulHuPJo0DHi+lw1Cr92W6Vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU20lQypn/nH8WHHYebIt0byNj66EwCgYIKoZIzj0EAwIDSAAwRQIg\nKCVh18QK124iBgYzxEIck0cqfmhMdZmU9tsL04lzl3sCIQCfW9vU9zd2X2Udzvma\nr4t0kCXnedOQtBj7aQgiwPJwkg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUKgzjxW4Gf/sqnvBXwUfgl86tb/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNuKCl5BoPb0lgo4aEdVpxvNcPxPWoqhHttBmd+8hvdg\nUkHoJft4Cj7iq1/m+Gnj/YlfdN3zr8kesoer1Lw5SFOjgYcwgYQwHQYDVR0OBBYE\nFGY9Pc2WEoyghcYUO2bhrdD2m0+1MB8GA1UdIwQYMBaAFOV0Y1G8VQejq+BUa5iW\ncFfHFA0rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIhAMoH\nnEXk71Im7dub4/ROrH22eGlFmzhINsDKJBN1QBJtAiBxmEb+mJOimXMTA8tq3slH\nE1GCC3F6AGxU4dvazFvUjQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUaeardGwR13/7Txrv3djTf0quTbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRFfhEcYNGiMj+QvnHfnkwDpmOxaEINYYu5H46OmEIx\ndvOfzOtZS1X7mCUnS0kzid3FOvcA50PMb25vOpx3DyujgYcwgYQwHQYDVR0OBBYE\nFGOBxStm6wXwFZTUgyKxdsYwejQ+MB8GA1UdIwQYMBaAFNtJUMqZ/5x/Fhx2HmyL\ndG8jY+uhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgMW3z\nTIFiSO6NS4thQ7DdwmhJwp+OMKhDuMP5zsmsGdUCIF3wMByUt6pKnayLX15tsbDZ\ngIUulsuBOkAhjbHqbnH4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUS3a5Q/ghfbV409VdBlrubuJGfz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9cAad+KUJTMtOEI0n99BLYvgXPC/SUQiB5xmJ\nA3nbRuVRWCEUvfJ/AY9Tk+GddWVj0IbsOa1ZgRPnHYPsn1Ero2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeL5MZT1G/bIkWiWG+TnzcC2zYCwwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAqs4NWMkn06WDK4+2QDgm3uvD849p2Fct11o6\nnqcS9CsCIDLfjkf80ex5LJgRo4S+8tMEKPdMBZcTCww2zzsPqECL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUdI2jpAJ4Sg9MMNnqJtD6q3joqEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQW5sG8NAoA6mUW8qjfwialkIpjA2WKYkgtMkCU\nn0xDvj4X8PT2ljjwhnfzsXc8pGI/81YUXIDBUVnXAzr6k97No2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU102AFl0TsldjhYkZ56m4pbkfg44wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiBQowlxS2a7Wop3kUsKmmfRctzXa/Z4gBBIii+Y\nwxOcGAIhAK6Lm/NEiLwy066xP0jbFHt41nS1pnJe+ATmwLpBbQf1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPZXU5v2d1l0YI1dbn/4XKR5dWlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGEEFMkJf/HAq3828jIcHB0X/SzylNN6DYRX7xC4Awbp\n07i6SZTWDSJhfZguJTyB6rGtGlkHiMrgD6CX6ROKxayjcjBwMB0GA1UdDgQWBBSW\ncUPySf8cHnv5ypHqFvRiH4S4jDAfBgNVHSMEGDAWgBR4vkxlPUb9siRaJYb5OfNw\nLbNgLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAP4nQ/ztmSKFAWllOvA4YFqIozmrH/gcOc\nfSrQQC62hAIhAKD8uOmT+kh/bebB+DM85LTBNOuhXwe4g0NHqlyKftXJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULP/zhb7td8Kjaf77Vbuu+u/Ep9QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAxeGd8COt1zF7Q5yCis1/D8DqkB/ZmVm/lp+Yeg090W\n7+V3/4EjuJ4ZZyhPB0OKBu3l4E4qnU7L9Ql7dtGbqEOjcjBwMB0GA1UdDgQWBBRD\nieSGweNcjb/yqdsdjizyRIGBaTAfBgNVHSMEGDAWgBTXTYAWXROyV2OFiRnnqbil\nuR+DjjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAx2f+596/RtNzqja7YwjoLHNA+pLgLTzB\nnUwcqu1VVbcCIA/u0Q2+HtCgQ/9qpyR1ek+1L14BIJELlB364lMqZQSD\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWaBoTFMuRZ67RcX+xUJHfeBr6ZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARn7EgOTPM+5ABnH5FwbsmwHqTy1v9UUcEKKGCb\n4dwRhtpwNdqHTmuJBtsj1EtntAHitliCSJd5ocpbIV7RiMJno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvF1N/JdcO2UhGTJ4tJrX0foGobUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOpjeA9/XCwM8Z6nlW4M4Z4+elNy/pWs+vpw0mK5duDRAiAyubp6csZIYjbJ+X81\n1q8NjNeycVGtTGi9FOg6gya1Ew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVffsdDU0VEVC3uV3FbKQBnKd+BcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6787wsvxrz/hug6bWJqSjslqqNaX8kHALQIMk\nyTezMBEO4OcPvjaOSO4fv95MhGCTVsTH9xHQJFK5hhlWVgGFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbEy7e5N3Z/PCsVzybYulUYTYaNgwCgYIKoZIzj0EAwIDRwAwRAIg\nXXUABWDXzbskSbc1I6YG83f5s/3TRuKKZONFVVhsYIcCID2S8pwoy8nJRFWFB0i2\nLlQkLNeE2TvgofYdcyLCA0qs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUQP8y4C+Q5Ym3tj2thcmOTTtSRowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTE2NzczODM0ODQ4NDk1ODc3ODQy\nODA5ODg2MTQ2NDQ0NzQ4NjU5NzQ1MDM4MzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHtn7tj2klEs9Eq8rLsd+O3hd0PdQxdCjDPVqESDi97mjI/oBL2edcunikrDpES/\nUQUWfYWq9TlQzdxLvsASwxujgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUvF1N\n/JdcO2UhGTJ4tJrX0foGobUwHQYDVR0OBBYEFNa6+fXADzNQLkx11TRCq7PQ4vOS\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgFNQUNVtUa2zf\nseTvdGEzKbfBSGXsb8V02HsEaNsvezkCIQDf3exQmqk/GsyLzpNScd4X8CAb3UHk\nPEKM+zywnE8SVQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUcy9vyOIXha95IUlh1lKKM6K5UmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTA3OTMwOTc2MjcwMTg2NzQxNDU5\nMzY2NjUzNDE4NjM2MzE0OTM5MzQyMTcyMzkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFr7/BcUviSczhvE5QgajTSBaQyVYmXU0+BJj/YlSEHv1O8+C7JBrp964N4vurBY\nnURwLLP7YaU2WAIUB0/0TOKjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUbEy7\ne5N3Z/PCsVzybYulUYTYaNgwHQYDVR0OBBYEFJpt8LSn/oG9FynKcWnAWTX3L196\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgFOjdHUj+8071\naVVu89/Pr/fLaO3LZdmNuxYpcslAYO8CIQCKm6/ZWg2BlS8MMjHLEJLnpDzXi+Xn\nxV4kw/HLs6l2FA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUf1ElzInnLNL+f4RksYrSecfpOfkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTExNjc3MzgzNDg0ODQ5NTg3Nzg0MjgwOTg4NjE0NjQ0NDc0\nODY1OTc0NTAzODM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfM+s\n7YTg82y/CmM1LWkCCA5mL5t5E5btYiGsvowwRxETm7GgoQkD2L3wibSSkVgC+RoP\nn7S8xJWB9ydxwFL/fqNyMHAwHQYDVR0OBBYEFHzkxlblyiodYOpnrfWImlmGbx8M\nMB8GA1UdIwQYMBaAFNa6+fXADzNQLkx11TRCq7PQ4vOSMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCC6tfqLKT6hFSFBGk5aj+5NlVH5hHz6Qm1+6AQpRXuPAIhAOB53dmGSBgI\nuimJZDLDdTmq9wK983ga/KpHhw8gdqBq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUB1R8BAeuIjdFs+mT1XkaDM9pTeAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkwNzkzMDk3NjI3MDE4Njc0MTQ1OTM2NjY1MzQxODYzNjMx\nNDkzOTM0MjE3MjM5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkqa3\nTzFSsnUFVYaGSnKMy7gpq6R+zRicIsHb+XTHIWV2Eaeq1uUv73pWleqmJ8M3Ny+1\neJtd3Bz/ydfsruSd1qNyMHAwHQYDVR0OBBYEFA4DNgprJO4v04sL6hOc6QzOnZpZ\nMB8GA1UdIwQYMBaAFJpt8LSn/oG9FynKcWnAWTX3L196MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIHzq1RZIS8P3v00tM6l5ZQo9TMLLJr2Zhlc6qt5uj0LZAiA57h5oqBhE0/g4\nY1fvsIqUXVDwTR/vKGHWIqXj3R7U8A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUa0uPLOVZ7trU5xmjd1Gw6i5N3aEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKfKdPvrFicDN+wAQuw9C8bWoIbbr3LdTpcv/f\n6u023mSrwTCk6OCT9I1KghsS7IT7vhpQR1kfNHOis2UOyuAuo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRZqhOCdkDmO+CvQJmjf1MlxQjKpDAdBgNVHQ4EFgQUWaoT\ngnZA5jvgr0CZo39TJcUIyqQwCgYIKoZIzj0EAwIDSQAwRgIhAOaPQ1inBsmbQsgt\nQiQufCICzwskXFSSqn6wBCjfjjZzAiEAohB3jAlGrYfyJkHgzdYlQSB7bVE25t4L\nzGhRHqchIVI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUPalcRw1Si2W42zOM0TGAlt/MiakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATigAYIFm3NIfqFi2iQ2GxNR0KV70rzM1z7Gy8u\n34s+olYWCchnseWKXlboUJ+r4BM1DegHo6oc66Yu7TOneiPgo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQmtU/vqtghew/8Z6TpcFzUs4aOzDAdBgNVHQ4EFgQUJrVP\n76rYIXsP/Gek6XBc1LOGjswwCgYIKoZIzj0EAwIDRwAwRAIgNdJQatcIasRqLve2\noIk2upTFIJ0L+BxqcLTdt9AExYoCIFAfeBAkWtvwoJXwxk54tqcfQk1nIIXvNx3W\nM1KGtG9i\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUugAwIBAgITZ396CUIkSJq+toEg44xVGYFX1TAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAE0409kK7agm+JlECnznqcunIvxonh3lsQN9+6CyYtHPRp\naRA/uKkE1b8YzygSQTUnceYe35qeVd+K/EST5Hx1vKNyMHAwHQYDVR0OBBYEFIBh\n/R77N14ACv5vds2zM7fHYQNCMB8GA1UdIwQYMBaAFFmqE4J2QOY74K9AmaN/UyXF\nCMqkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIE18oYsxavodr2NSoovILTAikYh/Hfwm9TVU\n3ZwUrwljAiEA5LHeCsDONjOpOPsZMdLJSit9wM0XI9ppi7kZANfE8k4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUBMso/hrzSPKYnkSNO7WDUYDn8qQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAUiIa60wQ4stbs1LErw5CCdtaVP5FIXS6MPUJE0a6/2\nC7eplsE8/4RakRjXAGI9wYlXuwDMgiFFNSKuu4g+ZdWjcjBwMB0GA1UdDgQWBBQ6\n3Wt2Jz7Vzesg8JKRcM73//L78DAfBgNVHSMEGDAWgBQmtU/vqtghew/8Z6TpcFzU\ns4aOzDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiA0d/fuBafBoMLgJHahQYUsQtY2fxFdPAYT\n9ivaBoqGawIhAPYu2XMv/OyoTHjfF5j0fctZxKNGwnF7+Z5sLvFAcS9m\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUcwL3evJmwclOdWu3HVhFym8rLukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB6EKpDZaWxX5UNHG7dtrIPc51TL7O9m26dmdF\n2d/tF5sG0ViEsnoIBN3nFDR76AZO3CWSICMxaVUPgv911wEio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJkFR3TohlUOYSGuLIeDvzhyUWEwCgYIKoZIzj0EAwIDRwAwRAIg\neM4GoR4Enyl0E5JKBZ0W5YdPKSJ0aRtjQZlZcqYCDaACIFbWk8yzo3EveGwJmw9G\nErGgQqHr+x22I7GL3BgvqI4D\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEMi/v2BazkIRp3eumcC6/+LfP3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATx8vVytdgVNZmnjJeGVWQUCkeLkUZ7VmoTyaOT\n38hWmH3GB0827oa2yleZUEUOjd9k5pDMHAN1X+xdATQtZoi/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6UcPNL/750tCzhuoh94Ho6wI/nEwCgYIKoZIzj0EAwIDRwAwRAIg\nDYaqwP1q1QdTj/cNOnIzykkZ6y//OKzMVPWw3Vz8CGICIEcKCl9iCF8Bj7yQgLni\nUh41vSLpXwfVsg86S4SpNEye\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUNa7Wssy9bCVOhfu3y6dawiSHqF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGhXKcqMh6OrgiBhbwTci4z624QjpWZx5NB/Z1YFd+8a\nY2nJatGGDg3sXmSM9j8FaX21mVcwz7iIwJ3uDXmlLLOjcjBwMB0GA1UdDgQWBBSg\nn2lSTAYfdnvmqQAqsqaUuO/ywjAfBgNVHSMEGDAWgBSMmQVHdOiGVQ5hIa4sh4O/\nOHJRYTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxr0FVby+PXaanphipxtb9BcN0xsA5lCD\niCSnR+B/OSMCIApGuP5meSSKEW6+ir4QhMdk962DWvl+0A2UY4EtmTej\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUIaFlFOymm5eLjEe4VfN7DUEQNMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBlHPxvF0jJshxpdd2I8k80mFN9spt2YoAVGyC+Ckww\no/MIKcl7Wp5RkSUQkhn62+XXD8uY8e3j8PWsAiyEibGjcjBwMB0GA1UdDgQWBBTW\nxYUy5mi/jZiYfyRX5wtjUlRLyTAfBgNVHSMEGDAWgBTpRw80v/vnS0LOG6iH3gej\nrAj+cTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBKs0MXx2rHZmJcP60A4AoXegeRnqx9ygOe\nocB3V2UbggIgOzoZnd57mhVKZzIErExzZYkTnrvlNWt9adl9Hq/hDHo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUWKTQo7csE+3ZvqBY2NnVopHFNpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MzY0Mjk1MDEyNDU2NjQ3NDI5NDYy\nODYwMjA3MTMxNTMzMDc5Mjg2MzI5OTY5NzIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJdJFyeAaWcbhWBxA487RFrrc9B+QNmdy9CxRe1sJgYbnktFwp/NneJYJLVQtOO+\njUCTWF5vhUVoFnNQNVZo4u2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRJAY/8u9I5\nHPFX0Ze75JrzKhNwkDAKBggqhkjOPQQDAgNIADBFAiBVyX8uha3oOIWyRWFtM4Fk\nm/aqA+LkLGfNj5UgrTRH8wIhANXfa+olN0VWOt7KPXXNIaf/S4POQSypdjpgvMXb\naAKw\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUdJ3gcHjmbu4LNo5cPmZCbEYZDEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjc3NTM3NDQwODQ4MzIwNjY4OTQy\nNzc0NDQwNzk4MTUyNTgyMDEzNDc4NDM4MTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFj5iUe+n6xLQ8c2tSirgy7htXUHLSUn1C/bNsSBIx8fnnyuyJHErfqBtluYl14h\nHkdZZK0jTO6ScztZZE0r4KmjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSHa0CTClUM\nwAcfFjiZ9Icj4GckDDAKBggqhkjOPQQDAgNHADBEAiAtEaIEMTTdG2sHwlXIqHh+\nhgnd92ifDaANNXIRg865NgIgawAlRZ0biJv4LpaOMwKO4RdlDSYNGnq5L4IZfTpn\nLV8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUXSsMoBA5EeTJQ1C3wbJ7BsxDlH4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDM2NDI5NTAxMjQ1NjY0NzQyOTQ2Mjg2MDIwNzEzMTUzMzA3\nOTI4NjMyOTk2OTcyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0tkA\nVM663zL8bHNbJoP+KF0JCL2OCOrBpisV2u+F8BitBwpfPjH330VQASGSNGO3BHaB\nHdenUSv2E28GScb0IqNyMHAwHQYDVR0OBBYEFJV7YQYugy9+EjxrjoDqDKDCpFsU\nMB8GA1UdIwQYMBaAFEkBj/y70jkc8VfRl7vkmvMqE3CQMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID3GlaMIrmZX0soNCZ6msxncOO8ozmSfjzB/GzQSIMRnAiEA26DJor4gpXiS\nH1dxeC+2zkAmK0O41G+xal/gcR4uHuQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUTxz2zXgSpC5I3O1cP3cLgslTaYEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY3NzUzNzQ0MDg0ODMyMDY2ODk0Mjc3NDQ0MDc5ODE1MjU4\nMjAxMzQ3ODQzODE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErhgF\n8KSPYbAGeffcqkQlUcmP/cHQvVcxcnKSG0BJpVgZr41YWrcftMUdUm7UzEN1Zjtj\noMIxe9ni2coTZ725aKNyMHAwHQYDVR0OBBYEFGR56UWXAlv9ZZZPU3HsRsJXhPLK\nMB8GA1UdIwQYMBaAFIdrQJMKVQzABx8WOJn0hyPgZyQMMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGVgVdk+uf88KafYdhaBzjkIJkxyT2bClF0lYEM0ZzXGAiEAs+o3L6BnhZQu\nnWaUTGqQV3o1YMeCUyuoCs6yFh5WOZA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZpo18WW+Tqbw6XGObx0ibn4M0n8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFhjy7ISil13bGfa3ypjEF2oUOfo8twQJGEKuc\nJgjEKKmBR9zElxmW9ut9QLpZIOw7KdOx6mqtXA74nouYn3l7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgqdhVkzD6ynh9F8mc1S1evJbjFMwCgYIKoZIzj0EAwIDRwAwRAIg\nYlqHfK+yFpEWfza2u4vvlKmt3eNXIMZiN8MW+JTryK8CICJFo/0qWWAtxtzn/+kT\ntOI+y6k7Vt5xoPaasQmiBxqE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMPUwm1wt4s1TT7YrEX6MXR/pd1MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYc37GfzI8r128b+mM++PkeMvrCUdgtpcwhjXm\npEtSenS6OR3Phzd38I/rWZYGPpIhTBy8w1tVqLiIpvO0XquEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoWRq1IYkdk6q3Ya45UuFpMzMEiYwCgYIKoZIzj0EAwIDSAAwRQIg\nJF03UHxlb2XQR62finj0LHOqT0fZ6k9PNeCbunf5K4kCIQC/jVbVTa0MGCuPxTJB\n/aQVNpJIMLWxdgxCJtwGSmdgxw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUGiMpDHXuv7NukYsIz3HsACtzWyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1ODU3NTYwNzI0NzkwNTAzMTc5MDY1\nOTk5NDI4MjgxNjQxNDU4MDY4ODY4ODM5NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMAAmQhbr0KkyRomSrq8X3g0AE3wStbac9skJAWQRo8YPW2sXfOnJriZvLC+df2e\noabEX6NRBRsylk6XbDu6/HqjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBREzrqId4PH\n8lhXTSQQxDYQAONZKjAKBggqhkjOPQQDAgNIADBFAiEAgeojxYag+IZt+7C0tOXk\nsx6NXFJcjCv+5EYKaIAB4/4CID5kVEqZ2HWfwqJBeGJNNe1kk/3LgfEvwtezT/Ld\nusgC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUEqNWGtIGlROobZMx8BJ/StBG49AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNzk0OTk0NzM4MjkyMDMxMjYxMzMx\nNDE3MjEzNTM1NzMwMDIwMTM0MTg1NTExMjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMVGfEJ1YilIXAVSLru2cMrAgQ4krRelzMjNoiCoCDNvZLF5q76qxWg2QNdswlal\nS0BiNdaJFFq1nyPWMZP6TDijWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRCazNHq9OF\n6gi9QRWBJHwXrgmxMDAKBggqhkjOPQQDAgNHADBEAiAZ3a3oPbh3aW0Bctv9P5ZD\nvPDmqrBwZhmRk3MmmwYETAIgfaFH2yhQomhKnBDIg0Jll9Nj3FW+UOhujG3gUsOJ\nm2g=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUTNj6P2uApRXfd/9MUuFH17ykjBswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg1NzU2MDcyNDc5MDUwMzE3OTA2NTk5OTQyODI4MTY0MTQ1\nODA2ODg2ODgzOTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7THR\n5L/1PDOHNwy6X6QV/QL3ozvKrZACKsggCmfxuBmspgl7WkV3UxCFNUZI41KuzkYn\ntlONgsZY/iEsB869qaNyMHAwHQYDVR0OBBYEFPz3D/TU5W9GHNwQSJZJ+GzHOz1L\nMB8GA1UdIwQYMBaAFETOuoh3g8fyWFdNJBDENhAA41kqMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCICLDgIzKScfjREpqr7e7/kAje6jo8q3sBzGh1DAeTO/SAiBYa8uGbvycjCRt\nj0ARQD/6PgTy/e4LNOxIddQj5R/AVw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUdZgRUVzFVT8n38w88VX4+XMmSVMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjc5NDk5NDczODI5MjAzMTI2MTMzMTQxNzIxMzUzNTczMDAy\nMDEzNDE4NTUxMTIzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERLIT\nzdwhSCr6Uk0oVjeTzEMY5kBcENV57BPpYHuOtiCtDryAahwhU84ygbwUPLLHBpiw\ngVi5F8aLKWQHhGqw7aNyMHAwHQYDVR0OBBYEFPtMkd/9BlYd4I0idYYT4xobjTu/\nMB8GA1UdIwQYMBaAFEJrM0er04XqCL1BFYEkfBeuCbEwMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCICkLZOvd0pz/doP1eC/20OdxanjPaE3TH6Ot9agv3G81AiEA0E7ZESQd4Klz\npxr+jJIgTM7Z51DDqAmIGwMJp4KzZfY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOdMZblsKZv+A8WzPNPMfBPDePdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF9miHACfb5sGafwtTtAgThy+qbIPkcfBwvzmO\n8E+VGSFb7F8SmtSzqrrFLoWgBpK5QFyQCSLU1NnefQMueuo1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSubof7NrC7rKivxaGs3unHn9G4owCgYIKoZIzj0EAwIDSAAwRQIh\nAPPEmHkjLaDV9OUe04kgWnl1y0CTCfHnBaY4XJ5xiNAkAiBGRk6hJWe9g+mtfCvP\nY498LzyZEnXIRcLm6yEo4wKFdg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB/nj5DxN/7+n/z6z7fO0bSCeE48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQPs27Bl+Lt1R64rYytrKJZiUTaqVt3R9XL2M8r\nv9lEpP3gESZqsc7K9rHupwDtQY/V3JnG1y/7LrFVC7kvTPfgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKjxMBgl3SEIKqNMb7WZYUsk0Oy0wCgYIKoZIzj0EAwIDRwAwRAIg\ndlTcVuYVGFY8qf9TcR5evqqxH2UuAtMFEL+LxCu2iVwCIB+5xzF+oREHZI19+9CZ\nU84b5kb7OS0asu4jN/r0WUYH\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhjCCASugAwIBAgIUagUGQGWsj/Ks9AUfikZL4ov6t/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRqG3FvPlxbMTQttiDcPepMnZ1H+ex/tfnV1kK8tYVM\n6MxziSfegDiAx69P2S9NmdK0uhOYQNVmcA3f8OnhqqCjUTBPMB0GA1UdDgQWBBRc\nDnb4hHmj8LLbgPOqaLR2AizULjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAg9K6dihq7+FN\nUzwHq+842uDFNOxTyDx84Rg9iz3tSFQCIQDz/cIoB1J0wS0d+Vk7GJXU1RwJ7Thl\nqjyIeJWhA8wvgw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhDCCASugAwIBAgIUP5DlkbY7b+K+FT39yJmzsNTfOrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKEW1dgSMk0CjhAFsAjygkjW0N0qUf4mWjtl9gshClQ+\nXPci65eu5urDQ/EiE9MVi0sKi9WeqCVLiVVs/hIUo/6jUTBPMB0GA1UdDgQWBBSs\nBfIRlE6sQ8j036mTDmvzUlSDHzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAqU/+8bgdyhnIR\nuSSMtzRM0WV8doC1xTmIVGLL7Ry37QIgf3EDmXFmn7beCgTAFR3YJHKjWB3tJeSN\nxfjttOv55bE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUD4Kvi5YF15JqAruPuGvDU3qpJCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBrtrIA2KNccmABf3FL002NczOpzkmavLwPCzl\nfQq5d07NIM0LTbfJtgMGKaB5ErNlAjkO6hHG5yVRF4XKSRqSo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUwj2jOoWnwlPWVKTnK5XifrWOv78wCgYIKoZIzj0EAwIDRwAw\nRAIgYGgdnuCEYVnvH0IYWojcPbj6P882FwyPYY+mkOE8i1kCIHzl5xNH2VdKLvR4\nvzwFiGhmXL7X5xh6vtJniBPpkuck\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUMMlzt79Dcyr5C2a8/56PRZ4waXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTXK6ROmdMwgGulgs4Be5otfGMtaoSxOMp7W92\n3XAmzDjo9Z8/TXluGxGwjAFz5QGVnb6VpNsX9LJnwyvLZoD5o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUdmHkq1TBHLXXGZ7ssqlYbEvLs0wwCgYIKoZIzj0EAwIDRwAw\nRAIgEVA4FxEzDAwwmtLHAO03UqqqEmYgDE8G3EmY7Md2gaYCIGpkUG4PoxToW5me\nvt2OXxf4tviij8sqVyFxhd7vxJf2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEMSjZRaO8xjBud0s/HWbNmn1BWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD5dKC1WcB7v1sX01C3BkvIcnjjDkhIAzCUgIR0xP00Z\nfVvVza2JhJHS++7C5bz1d5A9sQ5Xn3KLqcD1eODk8BajcjBwMB0GA1UdDgQWBBQm\nRfGcmEyQ3Cg/ehxUwSR2hBGEMTAfBgNVHSMEGDAWgBQ9ShPftaGO2kBa2yZOjBjw\nOT2SjjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA/W+i5NCbRCwKaui3hq2bfJxI3TDPsjuo\nD1d2uvYZu0gCIHu5/tlCRZYerWq4tEgcRfqP8Q/2CE0w3FFV7+MeP6mH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUbb42BYE+TwkYWdOh/V7l3byyqxMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvieNmvfe9zTE7GGODVlX/ICQ2RTqebeERZ0h//22TK\nFc+bfD7jU5ushbcpoSvbBU8Pk8w4mAX/yglODlj1cwejcjBwMB0GA1UdDgQWBBQ1\nlegZkHJ7WdR8N7ok2G+oJfoFwDAfBgNVHSMEGDAWgBTKXNrOwZT6+WaxQeizTza6\nR1htujAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkllOq4awWb8FgN5N2OTrnuAtFaU+elPW\nG1mflzyCKbECIQCxPPiufNSgeKO+v3WiJDcTYzHPAEHiS1FlZpqKnb0Qeg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUMSlkL87hWKXqmSk2MeIXKcRViHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATN8XZQQsHSYT9wZ6vC42sf7v6DoXsE1wlMMn+C\nTtUk+Q8B8noTy+V6Ynny5hiYkQjk5Yzkz+UiMYQdRixO0FkbozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiA7B2u0MHFlCkYF1KNhg6WBPsNlnreLfUpkzQEvoSxm\nygIhAPBvUPeu4jvzg/Gj2UmV8WgaBrchGCx9uZYRSOnVxEW+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUDGDQXuVJ91n1uQJcokjuQnFEGOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+AgFY7JaotQ6VrQgG7CJybCSPTYrUf59v1cUD\nM41+aOCmpVF9r6q2yFLhQD7QmV86vKA86QKveRkFAGuts+W2ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAx9FJo3MnMi0oS3ZIRObsZSj8XsUEG9wi+86PSHi5K\nUAIgLhnbO8Zlt6nWoXcr4OgJIAOtBul1pdrOoYijll5+8Xk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYJR3D0MZEfDUZT4cjJjXnQPJ2uIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDh/Yhuq3Zf1LEreR64wDo0ScWECwZLLmbqjlsxB+EJ3\nXB7u45naYRJVzRsfyIdFZSebE6fag0E7Asu/ahfgZcmjcjBwMB0GA1UdDgQWBBQ4\nJ41v7DlJBs915DuXteKF32R8hjAfBgNVHSMEGDAWgBTA0Uw/gIZDW1j28gqjz7QX\nhBInWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAoeDz5K559Z59faZ6isQjDO8NdbGqHiYW\nHFgAf71/kZoCIQDDN+CtmO+DaVtDsBDCpWupzQkckqJWPp2qGNiI6BmPng==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbJWIiZM5NAoExW9U3iQi068gU0QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKutkNr/EszyewLnLralWb+smORNRyGjmbl8q9pQEEwt\ndInvHmr++uUeHrZajVIltlqwhe3QX4n5/9egnBHcubujcjBwMB0GA1UdDgQWBBR4\nDz7BTfTGFkIpB9T1lAK97DBb3zAfBgNVHSMEGDAWgBQ7Xedgx2AZBzhk1+KYkmUj\nj3x4pjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAia6c4p4F+Y9mRPHMVQnBAfzyq2k45nWW\niTC15QjNo84CIDVzZSbw/l8BY3Gy3ML+NJs29RVQyjDOzLGJcUfu03U6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTnyIN3Szfz6l9RSSel0YajUrq0kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQToIFRfCOK2tR1eSvEK8GAQtWwRLS2ir58jjQM\nCbTmjbvPN2FnekKDtCAStcFkaVWBOS0ZHtq3Zg6o8dTkAzS0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUorUdtUwX63GtRM+QnRhbJzw1CW4wCgYIKoZIzj0EAwIDSAAwRQIg\nNr0uSa+b5gPQcbfbb7B0PikSDb2hlI0bGJkh7i/XTGACIQDgda2ELuv6+1Rx1y+y\nA6rZH3xZXNJ6zx0K8vxQhQkvCg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUJneGuaLqjLYnfxeXV1xsi5NfN/EwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWB78UdecvTc9QXy5IbJymPpGA32s2/30\nicGlgtbV+/lmLL93AmDThaj8YNuTTKW0ANmY8wBXaA5gXjzFmvzzJaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPnkkZ6rEMWMXq7tpaGlb2aOhjPmMAoGCCqGSM49BAMCA0gA\nMEUCIQCDTXVv2/wsIBXECF4+Ay7VQQxl1lTI4yWvfgWgHHqZtAIgF0GsUJ7xPDyv\n5gRX/rCs6hOGsv5dhoZQ54iiS0srxts=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAJNInBFpDDr+TFyJVY6eyUKWpPIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1qeAZ5YLidtHCCJUbdSJ6GFXIfAplcHPyyt1M\nw3kOOJyDoRAlxQ+Jqn2pDboHOej9Am0zG8Quh7eMFvnc1u38o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9k997J9iGMaRfY9LD5oTGbhPa1owCgYIKoZIzj0EAwIDSQAwRgIh\nAOX1i8BaPmG5vcoPptcQ+3fsQheAX3qUMk2kgUBlkc8IAiEAgb9yKcL95tg8Pwu7\n+0W4ahnDl5C2Jg7MZPKMDXwf6wI=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUK+VsvIlSuDZykxteLUakyZbg2dEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGO3wgdeHBAoLV7Ro2Pn1hZKJyu+0hVg\nBMSPJQb+bZaVIXM7q1HEMGz9vMmBHXBT0cYPQQ5/kMaPvHXP+TmNyaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFAxK2jmsmVEQ8US/uF/8uqA6ISCiMAoGCCqGSM49BAMCA0cA\nMEQCIH7W/Up/QzBk4aOPsM5PBxIj7oepVxX9irAr3mHsWqvIAiAvLjfhJPqP+q+k\nNAOVd4hcAWeEIcCA6dmBfSAXSOSpBg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUY+esZUcm4heJRwpzwNodNa64RngwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQToIFRfCOK2tR1eSvEK8GAQtWwRLS2ir58jjQM\nCbTmjbvPN2FnekKDtCAStcFkaVWBOS0ZHtq3Zg6o8dTkAzS0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBT55JGeqxDFjF6u7aWhpW9mjoYz5jAdBgNVHQ4EFgQUorUd\ntUwX63GtRM+QnRhbJzw1CW4wCgYIKoZIzj0EAwIDSAAwRQIhANb+8QYKR45umGin\n0VVwz0f1LXKXj7CH0NLwuLOjekNZAiB8rNZ6ABgWRPoFEq0A/8q57dJuuPYMSsPd\nfb5mSi8kGA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUflERK7g0YPtRznhlPOEcZyT5GYwwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1qeAZ5YLidtHCCJUbdSJ6GFXIfAplcHPyyt1M\nw3kOOJyDoRAlxQ+Jqn2pDboHOej9Am0zG8Quh7eMFvnc1u38o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQMSto5rJlREPFEv7hf/LqgOiEgojAdBgNVHQ4EFgQU9k99\n7J9iGMaRfY9LD5oTGbhPa1owCgYIKoZIzj0EAwIDRwAwRAIgIhqSBeR6MMmJDqty\nnDj+8lozjCi9CoMNKhr6cZKIdwYCIBeP5t6ffsOTHULC37E0Ih1pI0DVGqhXezj8\nK2Jad75b\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSS/Mj/EyS4JT4nx22kNODU30jgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPJMjAAxwHAuAiyPShHqlOIVUpP26rTE/ZI4EW7oCTlz\nahK41sZeYYfDaX6xtZV8TfZ90Pen3ltWl6VIg4J1pXWjcjBwMB0GA1UdDgQWBBT2\ncisgMdpb6+kTq/aysPKOZjy9JjAfBgNVHSMEGDAWgBSitR21TBfrca1Ez5CdGFsn\nPDUJbjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA92WWcXYGephMlRUNuKJns0Ovs6Go0yCR\nCKb98AEVf/MCIEn/y0RhkLBlZwcQQBdmgL3hJITBD0h1YrXQwbNrVa/D\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUb5KrBR7dwitSW9tnmHC7yHN0WaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNy0vbqynxj0Jf5VO3+Pg/bmLguIwNRlou4ZIu93Uh5R\nfCq0f888tmG8ZCVh1Tld+Tus0Gx/9vmtxg0OZL16zEGjcjBwMB0GA1UdDgQWBBTi\nURLkwQ3CW218g01SoURfxcLiCDAfBgNVHSMEGDAWgBT2T33sn2IYxpF9j0sPmhMZ\nuE9rWjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBnKGZ0wkijM7M4JPPXB+1uMtrVc25oO2cQ\nfF3AWpsmPAIhAIHI3+/yFNpK5wa3CLOu+NvuVkoLdcgN4ufhlhkifHSz\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUURihrwZEVapcgyb3GTLNsJIYyCAwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH7s7sbwJPHC\nzHom04iCLgiQ35dN555JlOd6uQsw7mpFz39HojtPkN7cGkcS+fvSLjjpJC2ItdTj\nC+fMhKMqA8qjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRmH1r7sundB8Ebk61wnIyo+54K\nYDAKBggqhkjOPQQDAgNHADBEAiAYIpTYt6MbDrY5/Utq6pF1xoPksyeo4FLiSyWB\nRpmgvQIgdtWyyVUk/mYqHRd/Y5XYd16S0z50UtTsrVxxDN4nNlg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUXsHSfSPBryrvQVzGihuYuurxYGIwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD4cp1vgcZYw\nAr8saAtOD1V6FaClfPQ62gTjt+RBcOXfZkQ0KdMN4BbHvON+4hqE/uDK1uGhgaii\np4onu57oBqejVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRRyoTNiIvxER/CG0pXgb9P31jJ\nzzAKBggqhkjOPQQDAgNHADBEAiB1RiJdx0BHr6pN+/oiVrjdG/8wxyUvjfJ+8G9r\nX+4ulwIgWrThcu7y1DOKAnHHSYlGlWEqWvFXYlqS9kgfknoN7DQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUScvAodR7SYRsIzojrXXAf29KFfowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVbHj2xzCLnw9+1zjPrISDQ14Q+sgvnYjfgyKG\nGMxd+JMRUErPQM4FTmphaBEgZKrDQFzzNOKN4msdKH+ZJGBdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKnROm7nX2qmaeZlV/DXERb8HUeowCgYIKoZIzj0EAwIDRwAwRAIg\nLzXWOdG9s4XcFEayuFOT8fBJNOyQrt7z0kMyMi00tdwCIH6hoL3Pc055Agw/Ttmu\nj8G9SRbqZiwrVdlk/5IoTaCn\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUSV9QhnCHZwTYJThebMdIeTJEgLUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MjEzMDAxNTgxNzIyMzg0NTI3MzI2\nODc0NTg2MDkxNDkyNzQ3Nzc0MDQ5NzA0OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPIP/EPXE5jrep473bDhGX1/azbOauGGoed5CQWOW4ytH+Te2w1+G4z1uhUYhwfq\n/cwMU8DN8NpS9yTualnW0ZejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCp0Tpu5\n19qpmnmZVfw1xEW/B1HqMB0GA1UdDgQWBBRURFlrVf/FySeiI/8PJSGr5micFzAK\nBggqhkjOPQQDAgNIADBFAiAh2i3L5PYJt2tOsAAGLnBObY2u/2coDb/E7Px3lQNG\nqQIhAJlNytoSbZAXJ32G+ymPo4wDZklBOKPreB/1HpWS+/fM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJ0nyKzrFguRwGSeRmqJ/Ay+qBOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3778H4a+aJ1sU0K9E7btxukmWx0s9yNw40ZfY\n2YF5sJrmmkU/z55CMkWFvP6NQEoNN2HBInQNAT97UoN3DXubo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV+YkasdoVd3vUyuHSAnulu21ChcwCgYIKoZIzj0EAwIDSQAwRgIh\nAO+yhK77x9RPvIfIVkEf8OdWFXTIT4K2vBKCTrsEtNVCAiEA8AkQxn4dEtVbwLph\nMxKS7GpBLY1sxBT4eFayqACP/rE=\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXuyMj31qwPZzRhbCIDQrPusPsmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMjQyOTk2OTAzNDUwODA1MDE1NjMw\nODU4NzEzMjExNzIwNDk5OTAwMzkyNDE5NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDNt5idQ5Pwop8UX6nR15/q1tKqPF6y5lb06GCh+cFxIcgMtOow1nRDqlkwJ+1ox\n9gpCEcxsX6+hUzh+HryGU16jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFfmJGrH\naFXd71Mrh0gJ7pbttQoXMB0GA1UdDgQWBBSyFDiPdtKr9f3yMqPq5TDiaMLfDjAK\nBggqhkjOPQQDAgNIADBFAiB5xCfzgIaeyHo9ouTF23VUNZzsq2iYmhokuw+YN+Bv\njwIhAIar9pCcu+vRcOAjlljRwOQaZnXLzw37WnFpXGvh8NRx\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUDMlsmTlQWJGbHv9JLe2tPiRwBp8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIxMzAwMTU4MTcyMjM4NDUyNzMyNjg3NDU4NjA5MTQ5Mjc0\nNzc3NDA0OTcwNDkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELB6F\n1b8bBdvxk+yTXsAdirE/n3Q6+gEoz7OpbtthK2q270mv2ZFJYqxq3mr+xnsnavdk\nyYxLH8kNmHWtptiWBqNyMHAwHQYDVR0OBBYEFMCcezVHQV5bt5D9QxwJGGBVOtBK\nMB8GA1UdIwQYMBaAFFREWWtV/8XJJ6Ij/w8lIavmaJwXMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIESLAT/4aWawLey8rdVfv1kgqLAGGKieQoeTh/WOF2BhAiA7vmHTNznxWlnO\nBu2XvN7crOns4se7Mq4AhZ4HgNsMIQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUFUiisrA24qAaVnGj7t1vGCUJ/e8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI0Mjk5NjkwMzQ1MDgwNTAxNTYzMDg1ODcxMzIxMTcyMDQ5\nOTkwMDM5MjQxOTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErtvu\nutQC8ZS8JgKJEumNcmr9I8xaBpCy1bQpIHqQ7YXryCDdKzvZ/pnOTfQUnSqYRvGK\nMxQRT7f82pP6vmd95KNyMHAwHQYDVR0OBBYEFB+FlrjZy0Ys/+XPB0RknhqSy3VR\nMB8GA1UdIwQYMBaAFLIUOI920qv1/fIyo+rlMOJowt8OMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDlXwGJoAeZYZlhQlyYWGMJy2JEAS7ZatZWt/MpGzhnPgIhAIpudy9lIjoA\n/JmKI+8/wMjRIwrR57P58NF116FRuZPl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ0z7ZRjADytWKM0Gh17+3oliUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2kVHaP2nhKjyMhVbNuNHqqdsnU+659wjrHv33\njfybkXWIHt+MKh8MpNtDfh6am/S6+tIiYtJscwRftzDW2eRWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+v1Juq66soe/mGOWZ1WVKXz8Kc4wCgYIKoZIzj0EAwIDSAAwRQIh\nAN8U8t7xT/U2X0Ssh+ctzIbugmm2vl5kZTd+XFQzkRpPAiAruZDFl8EQuGPbH3rK\niiYt0l2jDikUTwWTAxKhAD7VOA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAunlP18SCD7t3YU1qoWP5YNlBNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxXVzvuVQppIfrm1mdqO/m9gLsUdoSH7cbdCRd\n3ik0mT5XqAwHaboHDOdqiaPrCVmkJbe6FABGBuF+h9UCSrtNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHFZaSClgKLePhvPJGQfmHlk8cWMwCgYIKoZIzj0EAwIDRwAwRAIg\nKnfNS1wZlZv9aRHTT8OQ9+sSZJVUmCkL4hbNfsEiaKACIGWez8oHnQb+lHoqTiDP\nzbRPe0OSrohM1OuXJha1JuhE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUUu/Z8K41XnPCyfPSkLsL8L2cnQwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDAxNDA1MjE1MTkwNjY2ODQ3MjIwMjIz\nMTE2OTAzMzM1MzAxMTYzOTU4OTMwOTg4MTgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKOYNFQyurCv5G7Ymgt899QPuzCR6y0h7uoUB7ghWarYvdiz5FyhwuYMlLvw\nEU7jhscDxD20TkVeWoEqvBRwpuSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPr9SbquurKH\nv5hjlmdVlSl8/CnOMB0GA1UdDgQWBBRMKG5m15iloZMLTpBQIpoJ7JomITAKBggq\nhkjOPQQDAgNJADBGAiEA5IgymEjCH2u4Q9sAgZQ1gxaesa0tKTgbSKh702wg3jsC\nIQDXEE8m4eMmjOYA/gQJo93e5NCxjLcckira7Dp9NX+iSw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUbu6a9oQkf4a/mWIza9z13Y6Yy2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBpMTgwNgYDVQQLDC8xNjYzNDAyNTQ1MDU0MzA5MTU0NDEw\nODY3NDA5ODEzNzU3NjgyMDM0Mjg1MDc3MTEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAEWXeV2rGJrXuo2UeeuKpB/yej+eICFjuNO1xioTrPmSNHjg4Vg2t5G24GceF2\n19+M0PP6iBg+SQEZdOUaJjaQ5KN1MHMwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMC\nAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHFZaSClgKLeP\nhvPJGQfmHlk8cWMwHQYDVR0OBBYEFMx6oeTr+rwd9iM1+CQldL6NViyLMAoGCCqG\nSM49BAMCA0cAMEQCIC12HowmMgQLnQ/snEuWE3FSaEPH2ways59QHyYwfYaQAiBS\nRBc+8dOmlMQ9BDjc4Byeqk2jtrN5rPTogVvCtjUA2g==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZygAwIBAgIUfQKWyo5h9qPcq29k2uS1JD7mwSAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTQwNTIxNTE5MDY2Njg0NzIyMDIyMzExNjkwMzMzNTMwMTE2\nMzk1ODkzMDk4ODE4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9jL1StDq7na3kBjadY4VJst9QSVEUbuHuwvtmx7Lil2F7i73tfBqUHCx/aLaWdZW\nSppLviKeacsZxxUPD65HuKNyMHAwHQYDVR0OBBYEFIRALsn5LwV+GGRk0uuNbp2Q\n9R0CMB8GA1UdIwQYMBaAFEwobmbXmKWhkwtOkFAimgnsmiYhMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQDqzAZkrJvIZBhlqVi6tu/zPvC/GxOOi01UXiJDSLtcHAIgUSUzd/Eh\ne7ExyR7jNfW6LdC4f3ijvyBFBcoUEW+Gnok=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUSXdCfsktKQjYzHcbQvCtZEz8df0wCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMTY2MzQwMjU0NTA1NDMwOTE1NDQxMDg2NzQwOTgxMzc1NzY4\nMjAzNDI4NTA3NzExLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARz\nh3L1yyvPaY7fbg0QAqs0poM6QDc5cyir/cixSTjmHXCP3aljjhvrUBUTJ+ez+kfe\nv687ZD5+ZaSBknREYLYRo3IwcDAdBgNVHQ4EFgQUKlLE6TmFXDUQ/6PwyfBGw8+o\nDT4wHwYDVR0jBBgwFoAUzHqh5Ov6vB32IzX4JCV0vo1WLIswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANw7f6bE5ynR3XpmOqCwX3Bs8Nv+00VkQAJeFLGl4ih1AiEA8iwEywyU\nJa7yFrbtbOvB04pEWYqJsEdOBjjHtMPRBnw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDm7IfRUsMBJtVKS9ZDkgOr1k7/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWDzKcfkm7/K3mcvLWgdQ9IjjVnRxk9HkhirbS\n5bb3ICR9MeeNa9pnj2R1HQbpb34V1yQRjp8we4/AufXZJyDMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS64Kebyv2fqoohm/8xS/8M2sunQwCgYIKoZIzj0EAwIDRwAwRAIg\nO+0nDKuNdbkQhbqns8NZB/ZyIekU/Y5tQLgWUZScBVkCIAvpgpEEASUgGivMQLym\nSP83GeXRYbp0mYe1+XdYvXbG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbfQGjvVaG+pcwS1gyKbxQJ3r6B0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnxKQY+hBY1+yCEcErAS++ttJb1FG/JPgdiXdN\nkEsiOQLWIEw+MKKksS7DqOy19RYoup+3XIVpvGIN534gYTGLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULw8VlnbGoWZgPPOeVICHpdtn6XMwCgYIKoZIzj0EAwIDSQAwRgIh\nAIVEPHKXYASrOPedXxfeUH+TiyNs1atOzVK2qa5v+nqYAiEA8svevkrBp7I+DTlo\nQyG2Lr3TbM7CZD0vpBjccSOdQDo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdp1dLpuXnKVUkDrddusNDt4NKIAwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvODIzOTY0MTc3ODM5OTc1NjMwNDAzMzMwNjEwODU1OTcwOTk5\nNzE0OTAxNDgzNTExLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ\nT5yzgO1du13oyIQn9HaaS3nGEmmMAiU98SrTDIIBS6A04bnjFZHhJ/flRFHhjce1\nHCz9frDqfJs/6aBWPQ1Go3IwcDAdBgNVHQ4EFgQU/ibXm+lvd40X/OD3sRqQWWey\nSVUwHwYDVR0jBBgwFoAUhQ2Dpjq9I7TK4paHt5kkBDIuPnMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANC5aVDJQXUuoUw6/Fm3UuVGuLRWkLik6G6xd2qHGM38AiBIoXJbielk\nSq8kIuKzaLQE0wGanrkjVKT9L7mL3Cr/4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUWm13xBeZ5Upjjxkv2eZm+dYpmMIwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjI3NzIxOTQ3MTY4MTgwNDA1NDAwNDE3MDk3NjQwNjQxMzA2\nOTU3ODc3ODY0NDc3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTCz+Nr4LVNe8MXqy7JQMfeOl88g7M3MA/2HyJYlnHyeA/o4s9NBi9cHjFERnDJoi\nCu1lwkN+UTk9BxMcGuARdqNyMHAwHQYDVR0OBBYEFKq7uFZrhhLSMZd5BA1IOfBe\nsEORMB8GA1UdIwQYMBaAFAex+I89h5mBLeWW2MNVtBl4NusiMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQD+TCp9Ur8nJQkg7Hbt9KFfqupdL4E1pbR2CQpr0zIpVwIhAN4eeoBG\n72Cddr2FuDusEWYZQhXN2LKW6HoaWb11Owz3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUJbNEiDdOYmuqXc5U75ooG3LjmLcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ5nhvtxdfOZQx2xfZFuCMrEm8TmaIUjho3j2+y\nZHLOesqsDstOmA9hsmqqsCHHtHThKsqj3PgWs2SV0jjOQIY+o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFP92lLdCRr9t\nvOmVQak0rIrF5hT5MAoGCCqGSM49BAMCA0cAMEQCIGbPbrlwtfcyDbrQN2p6UlcV\nQ344IeBMuwHkTDRRAMhzAiBunXGT16MeyKpzCxtG1nJ7AZI9PW6oA4xLzWcgQ0Fm\nyg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUSNK4QGR51V5HJ8Jjyv6moYaL5zkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHc4emMKUdz9N9+08CTi7yulf8hqPV+MFHdswH\nSEljafxQbdfs66z5GuM5a68JvKqSth+lbUsx65572Tg7BV9Wo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCuXkxMVugAc\nt9cUkdCEdEPrbpNtMAoGCCqGSM49BAMCA0cAMEQCIC0VlQacSjvmXIJHXPlWkP4Q\nHiCr4cEyxzfjXDs9fLG5AiAqwMCjCPfxwQ99LtHPCeiT1BAI1QSU1tLmwQwt3cBv\n2A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTVANrzYSYhH0RYXIERIpm+mAbFQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABID/TP0n/6RoPO4aZBMw9GsmyvJabqM7lUm49glw06rD\n31m+M3HERCaLYNkPb2DPw2R55UZjk8/99w82DJ+jWdyjcjBwMB0GA1UdDgQWBBQF\n/mxkxVs/zcaovF7a1iRgfVqBCDAfBgNVHSMEGDAWgBT/dpS3Qka/bbzplUGpNKyK\nxeYU+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB9BvIfJRG20T8LEL5R1uxkKf0OoTdanDov\nr3w2pWbdRwIhAKc9L+2adFiPdyfcWQ0fIytcFWvH2Eg+0s0TeYF052z3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUNPPxFk+Yl6BDwjmACzBFH8jnR7wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJFDaouHHEDOpJi7AijT+G/EmBUZwpAyZRZQzHuNYRpn\n68KJeBCrO0KOefd3n2VszUx0IUrbt3j4Y/JOVdkm/fWjcjBwMB0GA1UdDgQWBBSS\nSUdf/4EzCFA42LkRkLnqs9D42TAfBgNVHSMEGDAWgBQrl5MTFboAHLfXFJHQhHRD\n626TbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB451tnxsKX8+zawVj3H0RHKj7kqKI60zCo\nVtOZInOPlgIgD9s7o4yJmMlKvZ2QOl7ED5+kux/DwvinsngCKHWpjmQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUMBfdDIZ58hT57EyoVijxwhutfhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASzZoXbspNiABzUoLDEBfxwDc4xd6N7Qchw7DW8\nyfj6/xGGIyyUWG+atgaHiDtgnrbqLa7W1FeGV8kzDtnN3i49o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUryh3g0PIpKHTbO+OeJpcEE/DEKYwCgYIKoZIzj0EAwIDSAAwRQIhAJ8h\n+krPTyWKvhrmAJ5H037tXuGt0WdQgyr0PSScZY1JAiAFo7SL8+MewdZv3Nv8/v3f\n8SGY2uHbYqlpy5oLGDG12g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUIskXxDMTdbcJUCpdACO1nHloFJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQk0ETCM6QgoRJiieFmgDvSm5P3WSLWfaCFVui6\nxzVhNeDbrpkYM65KZfM8jiY6f3tvGJWQQnpETj+oMhcn0n6Xo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUquz3P6OuZD4nqihQt5oTMI554rYwCgYIKoZIzj0EAwIDSAAwRQIhAMjD\nwmVAK/lDyocLitriHFtAJjz0fAU6ko48J4cJKkQpAiB29QlAlLlevkHEvOAp8tgU\nCw+IdEj0y2y99oUVRRBn/w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUabHfVho94JqnfOa8MFHoy3G14PAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIm0FwWQxVfADdAYYeXQBbRBpl2U4Uh+L2N547HlHQjy\nkIuEHHVp6jwwxmxgjfhFKkHE3FK8BkGMkik2i7t9QLWjcjBwMB0GA1UdDgQWBBRX\n5t15ZPKjHl8OPnMGZitT9+L5RDAfBgNVHSMEGDAWgBSvKHeDQ8ikodNs7454mlwQ\nT8MQpjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAlirGh/YCpvsObqfKxfua4WohZfwTqLgD\nE8qfgfRRDkkCIQD3p43vRpuY1UWxEVaMtKB38IMEp5vHu6rN5DyXKk5Zgg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUR6koLnFCyZYdQvYJ/1oxpYF6iOswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF0Ou0n+5lXwuKTonjRxPwr4Ofnw5VOGLcGRBeTbizCj\nk1OtPw1KfnMDWZFcXFXtDJ6bcEnKrCWi+D57lTPXvrejcjBwMB0GA1UdDgQWBBRp\nOxH7/3Wqb/9a8M+t4vvJ85sv4zAfBgNVHSMEGDAWgBSq7Pc/o65kPieqKFC3mhMw\njnnitjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwOmt0ksW6MDFGlfC6SG5cQ3hB8Oz+5iaN\nkQWG+Hfr7gIhAKKbbCAuR1nyF1CuW9UhLP8MfrZ9t+CNOTOPE1vPLc8N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUIMMBeLur5PX/fUmUbqOnNgV8I/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHljg3aMbiR6atmL6jMx0oZ9lg7Jr2A/z1pe+s\nrJI/sDHnKnqz+xYF+Vm2cFUxlXQPObEVlP834JE7HNMyJCgTo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQVwwRalTx5CJF9cQK4tZsb2zeN8TAKBggqhkjOPQQDAgNIADBFAiBw\nMOKH8A7Wg+CoJ+xKU3wAJW9iS3UQc2oqZin0jPOd8AIhAOvcwQ29hMj5Pm1I2dHI\n5Mkg5OeG+SHKY3w0aBxmCRdi\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUFqYvj9zusee1tQFSrbOMavFiLlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTRO18cT/DcwlycXySLs+425N2tbKbGsnVkWUR\n+P4Wp6PGZ3gz8SagKc1103skt6+oze/peDpB00vnl5qfQm3Eo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTaGbmJjX9mweN2OaZAHGIXGKkTNTAKBggqhkjOPQQDAgNIADBFAiBJ\nz71I+Gg6/fmZcFG3pcEI3jNi6tX5L9mTAriDdwRdKwIhAI7vuiyr90Rl/2v/aEgT\nV0P8FBeH17p3JxnIy+KxkxhU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQyuWHIOOcMfbvqyTedfrWIHuGskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAbnlzObJsNVW5iFCXYXQLwlTC7QeTYAWp0JbSJpSweO\nmGG8BsmmPys/9mLdnVmNCiMU2i7nDLIccdEqqa7fmE2jcjBwMB0GA1UdDgQWBBQx\nLY+Ekabpo1VsWMsRDD2apOGphDAfBgNVHSMEGDAWgBQVwwRalTx5CJF9cQK4tZsb\n2zeN8TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAlZSYyILJnO+/Je3iUwZEJeVMg+GF0Can\nTwKbFCY43uQCIC0AXZcGKbMLl+NaffH07oe3KyD3marqSsj7Jtea7msV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUAaw651la+kVsmgRLMi1+Gq16dKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMrIJkffr8D/AO1bskDpBcyf5B1p4mC2PFgl5S2Z6GQV\nO1omhQuMh2JSmGL7zzsiQSmb1Ih76jQ8tq+MKgPufc+jcjBwMB0GA1UdDgQWBBR/\ngTIW9mak+2m3WKpJtI9fHWv7BTAfBgNVHSMEGDAWgBTaGbmJjX9mweN2OaZAHGIX\nGKkTNTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAv5LWcyQ9DXADfO9gHU4vq+njuSnM7stXh\nUgl8gcBX9QIhAPeYn3fDHmp/JBMOamjhxjagqClvN2QfP41lYA4ni1FJ\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfOXdAopxNSbYlUcVJ9drAvXHt14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWgxzUWoh2r8ZtScCma/9i3b9VKhl+NapnNQ4V\npn00EUvJ07dNYJ84Et6zgEMlBZu3Mavv/SVkOfakhf3DkyY0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSKt2I94MLTHE0LQgRcGeDuosAyUwCgYIKoZIzj0EAwIDRwAwRAIg\nHaKoTPViDUhUp3SKdiJN3AmFcACSIbGYzqh2tzUuv6sCIHMM9FnvWi3N0lH+rquY\nhUM7LaCOEkDI3jMwgCfO4vPL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULD1q+6NAop5V1KeVaZilYB0MIwkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASp9VtseXcAVH/MSVBUJMaat8amtEo5emAyjNRg\nHZffVgOKc2eVqzFKuZBRl2MKeTD3FRHBmADOT7V/gldblnOVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZZUPrZ5GtTKmAhrzNZPYDJMe5pYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOH9qK5rZa91Fxc9MG8dE31hxrWm814sNF7peNBLBGdAiEA2EWIc6mrQAYMyOwg\nEnnwg5KQ983wLodx9XcP/pdbOPg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUR6WqgoxmwO13PQCNQXWh01GdfiwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEzMDQwOTc4OTEyMzk2NTM3NTY5NDQ4NTczOTUwMDU3ODYw\nMDA3NjgxNTcwNjU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETX5P\nXWfaqxl3Xr7LirKP9uxwQ05iB6hCDUW5sGe3heH9fn3oG90cx0z6ht7ISoRCdTWM\ncVnO1fsOkQ6DQC+tb6NyMHAwHQYDVR0OBBYEFAcBqQfZXPYc5NXxybEuhif5dZ8u\nMB8GA1UdIwQYMBaAFPWbRAvniJAHfftDq4z7KbZoVLdrMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIFWsRzc3cJmKuz43fTYaUzhtlb4l35/VkSQ5jSIAVT2ZAiApbf4Joo04tAuZ\nlXAUKdcoWkd8WfcutEkq8TLVsuEeMQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUP5MhFxo8gicsOUlILbBKRWAPENkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUyNTY1MjU4OTAzNTQxOTM5NDI2NDQ3MTc1NDUzOTg2MTAx\nNTU5NDM3MzA0NTg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7ZNU\n76ZmpXFoh1YBMCw4FrjTucLEYNuBSMjpmm0UJ0RMUU9AEkf4Z+cE4/XdK3X4Suxb\n7yzVwPVgG78cV5NL56NyMHAwHQYDVR0OBBYEFCSqDGk0P2eBNXLzZrV3QnaM7gz/\nMB8GA1UdIwQYMBaAFFDF25n6YnaM3bdframqm1kMwDz9MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHgAJw4l7R+H6C1juyOlNd1TNexDon/ataoZFdFfL8NAAiEA5JBt76kK6rGn\nL6aTGl36Ca5W5xBu69FdkB4+g2U4im4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
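Review bot: The intermediate this case depends on is never given to the validator. The description promises `root -> ICA -> EE`, and the new `peer_certificate` names `x509-limbo-intermediate-pathlen-0` as its issuer, but the context line still reads `"untrusted_intermediates": []` and the only trusted certificate is `x509-limbo-root`. Unless the harness supplies the ICA some other way, validation fails at path building. The case would then report the expected rejection even for an implementation that never enforces the pathLenConstraint/keyCertSign rule. The field should carry the ICA, `"untrusted_intermediates": ["<PEM of the pathlen-0 intermediate>"]`, so that the rejection comes from the check the description cites.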
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDl/ST1dq2KAI/nTGbupFVIPQaWkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZQrI05/UqSjhXQCU97tEEBkBLR0ALFOZBcX4P\nVZGFrhoI0rEby2fkzyIMwoKJ4f0xDZxvuJVhdtduP7JRaIN1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEM7iuTKsAavX+JTUeY/ESlTvQg0wCgYIKoZIzj0EAwIDSAAwRQIh\nAPynNe9Vk6jNWnt4REV2gCcu2jSLExu+unZ3wTqOooU4AiBWqb7Y45EQmsRudzqX\nLLjcGofmWRmO4LXm/5E4/eh3ow==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR/qPdbo/VwU+zvdqET8Y8QYKyxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQtmMizzJXlR7SIu0scNTK9DZUmhlukBLjmUJm\n7mdjakYtdlq1QLmanf6kD9MS11IW3IY9k/rVTsrHxxHiuxoho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCQD1/7IKDzzTswL9uyQoR9/zjwEwCgYIKoZIzj0EAwIDSQAwRgIh\nAIaak6OLgkXeWQJJfea9XJb/QX3ZzghvfqR998hEMujEAiEA3HXzCpUUSILj/qbX\nD6d41hrMon4HJOQa3nuPsT7rAwY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUZ+pZukPm3FhmMjzK4nhkinLakrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLrOwxby8Z48y2KGN5rMgLqbd9eq0f9/iS0wyc7rKeH9\n0QXKpduOl8s8y45Vg6osb/XuQJKAoWgtis7PMklPlrKjcjBwMB0GA1UdDgQWBBQk\n5PDBoIj+nPM52oNltEsyYD4uuDAfBgNVHSMEGDAWgBQQzuK5MqwBq9f4lNR5j8RK\nVO9CDTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9DRubbWk/z7OVJDc0wwS5XJXr0pYzEQ8\nZdhzdAcZLVICIEEoegMuPF704SY/7v8jpO5HjcEFYR6PCDXXDQQkJ746\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJu5o+Kl0+5Pokn6KeFSLnimj7xwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFfbOkBxgpF25IIap/ct68KAQrJiIy0+nU9uDrgmbXny\nrKfh5Hj93gFTqAzrAJN/kVJDOIt/PjKEJE7QlRPQOGujcjBwMB0GA1UdDgQWBBSB\nCqAPvxM55y4Mmr/EQ1Dvg0VLGzAfBgNVHSMEGDAWgBQJAPX/sgoPPNOzAv27JChH\n3/OPATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA3TJJ4aF3mTSCqI2Bbdz++MH9MBoNL/mV\nn1MbHWXegZUCIHdxmcx+s3+sLJj7xZSCD7aZXwzRAEHDZmv7PeoB1Ut6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQJlfK73P6zmzVR9yhaHY0zEGuZQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwseqJYRf5pcXm65ebOgiSUB1BlqVEkwTbj4p7\nao4Gr9RQViSBbFeyewiIgwg/U/wZHaDvOI41qmwl/iLOjU7vo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlb+prhpOe4am817y9AV18PHokKwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEBx3NUDM0iL6amJQFuZKsvl\nQy+u8JipCrvFLwZiPzZfAiB8/C31FiGXZrWnrvwy8ho75pq4p3YDTE3ZA5kIG/J5\nkQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUepZqiecqgxUt3Fi4sZR0Z+5eWwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkk3sBYMOW6rS3SDIaDD/pF0zi1rRrUZpUL9Zy\n9q7sfA/Pys/f1iG1xD3/S7pqNECaQnOQq6BMMnf5p7jo2XHYo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQPcniJ+moZj1iLzVCkuEOmuklBEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDnGhtLqRNf6Xxuf2jl9Vc8\nQihNJ4UCf1TE4Gss2CLirwIgbCHyeeSxL6kcvM7Rr6cKhnNu0tkcqvmqaOzrG4CS\nIYE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUURTF9wQYSbb3c0pfq0iovDFknbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBzl0jHh/qg2VIFP5PDw7qQrztZBKnYciZTNS8lKHGmX\nYLRr64vnArGZ0jEB/g3sS702N0jyWO5ArJMt5C7WHe6jdjB0MB0GA1UdDgQWBBSo\nJHIzaZwyqN7xQLb6UWg6PpZM0DAfBgNVHSMEGDAWgBSVv6muGk57hqbzXvL0BXXw\n8eiQrDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOhYytJyaWQtFVybYWj0yj9OLKF7M\nVB8y2Q0Z7mM2yocCIQC1pSYhsfH2fz4kU6f/pZMJs/ik15FB/gHkUcEEuR5NrQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUANgyxEPyXRn41wRv/aORsPzF2M4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMTMEu4Oaagiy7SSeXRNebqpuGWamUXmHWfWS9ptOtZj\nQ1LQUoEzE87XHT+L8ZqDE/XHiTSmMx7VDQ926FN6Uy+jdjB0MB0GA1UdDgQWBBS3\nubE61Z3x0pof7h/l8V4VCN+0pTAfBgNVHSMEGDAWgBRA9yeIn6ahmPWIvNUKS4Q6\na6SUETAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKVZfeJI7zOCwuU8EjReSgH5zuhJ\nNTmSK6oGtB7L/9OQAiEAzeYLvc7332tcdRwWNz2h3iJX7IMQ1mJknzm0HnU4mPY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUXgOdL9+bixIZzqXWqW5xQC3PXtEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgSrU2mEFYs/xOr2NpgFTyO5hx3SYbpzGiJ4Sh\n6q0usoEUWkdgQOrknxeJHVkoUyf6eYtXGU6TxONxBMXHEjvwo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOXPPerU7WcgGb1MNYGoqBs1npIwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDodWuCwggtPM8oEE21n7wGx\nq71mYEz3ETAPMJ24uMWrAiBJnQM6qpsiSJxAM+jN+ZPX9ce+G5hFIu7LJ3wUoR0C\n4Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUSQGxSPf86OZyKhD5DvS29gYfOBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzEeZYdUGBstGE8PC4teFU6D97pnLN73y2yCAE\nOdHz2WQWiD+nggRfYGiTqIFxA/gFZd6oOgpZPxHhWLWwTmWOo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJoJgdX//IzxDinx6p0Fpm6GZGpAwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCeD/aH6Db6WSp4I7gRzi09\neeUXVcYJQgr9qV507DdZRAIgBUcGwYpZOKq4Wch2Tcmk5YajXiSGRYOrZM4c3mWo\n1nU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbqRpJX5fwqWVnEpuK66ZN70DzukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEN38v54lfwboaxUg13D1+JQ3uk6ZXU3DLN9DHR6Nq4Q\n3tSoMvBqfl0shWFMNd62vTPHdrgLwUoASPU9r8wSXR6jcjBwMB0GA1UdDgQWBBR+\nuQgNrYkKqCcbOu+we+jLCAcqljAfBgNVHSMEGDAWgBQ5c896tTtZyAZvUw1gaioG\nzWekjDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAxYTu3vQLvXlOe38y/s9dL2tkkPT35K6p\nRvvrhiMq/Q4CIEXrzQhbmHNvu079mc9Sly9N1xkbFt/xP/4B7DGW4vQT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQGDVGCLUaGPom/DDIdMvHErimbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGCV/bLPzf4dlk6q2fKBijtdWBL6EXDoFG2Dxq9iCjHo\nQERxUyKPz7RgopaPn1pQA8Ne9qi6wXOIySn4F+g8K02jcjBwMB0GA1UdDgQWBBT4\nXVr5XmixZQcNQYzVGc94fpvs+jAfBgNVHSMEGDAWgBQmgmB1f/8jPEOKfHqnQWmb\noZkakDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiARXNs2ap7U5Mu3UAowv/eCYMpKpIaZQRjB\nOBFJkWXJCgIhAN/Fsa/vG6FrUcTJ3FR4Em16VXobDatikjgWfcjbBW0o\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQgqVd3ZMvVmblMqlfkFBMAd2FpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgDFvIspDO6YCQCRQM6TuC7AmgdPZOYgQrQFuz\nU9fUsV0gZumos1ujZmnuZHTnvp5Aym+rGfIgUYRY3C5HXLfNo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURxbp1RQwdeynEZh9hk2XGQpBd78wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICqWvEdN1/r4HOjb1mn2W27o\nATQlam1p4hOfFzt5dRa3AiABAlnSDZw1hS3WNYKWTYV1HkiRtjsUSgMfS7HfyOgq\nWw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUQVuwiqraiVbewigrliYmSbwXBZgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3epOhVXyrv0KnhZFthzYccj93I5lF1wDFhIR/\n7G5kLYgqhATTRQJ/tWoCJnT1w2VE+JUpmxwVWRDixNfja++jo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9k2BU2esAR8Z8PDcPgzvoD8IW4swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCpSPabVwcTRiiTadRVKNyL\nIZ5Yrg2wEMR6t2s4EAtRHAIhAMbMyd9DKAIEoUy578OqYUHxnCViOXa8nnny4e10\nTHKt\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUG2k+YGiENnRtvJoNp0Lf30Bz9LIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMcyXZdKMwxBmGCcrVIAYURFJOVLHbhqmtjLZ7X70aGO\naPgpgBCaTg5pJSHYnwWm9vj28v89Wzn9bHTzFh37jYWjcjBwMB0GA1UdDgQWBBRV\nbeWqcz7BxaSHtaEqFbo7dJbHyzAfBgNVHSMEGDAWgBRHFunVFDB17KcRmH2GTZcZ\nCkF3vzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBdsF60zhNuDNPOyaUammTTZXqlRQmbZVJk\nEtTu8Fg/EQIhANZAFOnC+j1ZzTtVndireqAqjY7le1Ic6NBke+f2SQqY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJPoJF68D+yYlm3A0pnzY30WXe9AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOk5jEZinjlP6Iz9vrQIEkO1uEM2ZqHelkXni3hEIVGe\nbMvJXI3k+/eNM0w+AzqoYUgkz4P2q4etxa6vjZgRG3ujcjBwMB0GA1UdDgQWBBTl\nQ06aPRvHpx3+8nhLtKp3/HwxijAfBgNVHSMEGDAWgBT2TYFTZ6wBHxnw8Nw+DO+g\nPwhbizAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9D4H05EEKA8q8nUQbkIsmRvKV4TbyeRH\n276YB1JNRKsCIHUoLW3CjaRFo+53poMTJxGmCqpADRGB9P6eOB+1SvVX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUb8o+WfK/nBKxzkVE0i97GCJN7oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDRGj8Xa068jVLlouY7b835eBNScRiruQDYw3p\nG52EB2nlhfElcLq/HgH9+oBN1DqhKwa8JPBqwFf/JudIJlFao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKSU4R/sOMYRAUS+BdLyF8s9NbM4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEBtOa8tkDVHsWg3AHe+Qcyj\nkLBAeTFr4q1qt5ZQFYNFAiEA216V3Hq90C/xfYHQPv90aDwpNX+iznKzQ2V7V7pM\np18=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIXkChjX5otkbx2y8ec/PcN0uVmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF1OpN7rLk9V3DgSjqwH29FihunuLQR1mN6oMN\n52OTe9mYAde/6+wpowiTGMNMkJtv9lmAzswMulj/7FOx/0gTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9B9X+N5MEOniu9hFpF85D/1qGNgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDJ4uga6h0DzCbLn7kByz6y\na+i+WVOphlw8I4C/IrxBAAIhAIB1J+Gou09lk61krbXJC2RXv2h3+eJiuD8Zslc1\nkXcj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUZyQaVHrhn0JtqCxLL9BZNNb7koEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEyxgILRMbqIxNj+MIE+hRDu8JkdYHnzsJvg+dx3aa0K\nqB7n7BmkT9V0hA8BhUukcy7oCnJ4zB4qTCzPXR+gmcajejB4MB0GA1UdDgQWBBTV\nhGzcszzvJzKMM3uN1CY7RY2XYzAfBgNVHSMEGDAWgBQpJThH+w4xhEBRL4F0vIXy\nz01szjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIG4esx7/Aiu0dqdaN7uavwT9\n+TA7qxtPTC7382d1q3NAAiEA0pPTU31yspyqavG//Q8CAGv1SIVs21xu5AaMjasB\nsbQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUJvmde3FC6f+b8XcsrxPvWfanDRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP8UX5edvVRVG4qZQP1v11IA1oEoXyDQYz63YYS8U+0+\n+6SrZLkxLOkNxoxLTsYD+1fN2nrF8dqAOeuI1ONc4FSjejB4MB0GA1UdDgQWBBRj\n2hDtJDTTixf5BcXQIQ3+PsrhqzAfBgNVHSMEGDAWgBT0H1f43kwQ6eK72EWkXzkP\n/WoY2DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCHczT1RZhbJzV/tmG0E7LL\nza7ymzY/JqPsHADsaPZ44gIgGdcfto8HlZHqbfaCLY27Rev+ETHGt/tyL2N8LW6L\negM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUPQ21MpvnBbJGy1vlwdvbA1Lie3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeRalXViwHFZGK+vm0+rgfoKYaZy87KGSw1c42\nH8xQRkS3VRm0CKcAufWKUajJo01jJ/bsMThQxFbe0KsMz73Bo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT1l2AOOUUZPU5U57xbg/SZ8E+oZDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALvz\nFb74xvI0pYdVd9B6Xpvqi7zEW9UEpxbQ45aWk3l3AiBjh2IMqfFIBjlqhtyXnDHx\n8+MCBqJKaAaHy3LDP/ZLmw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUAlm+zvM4KHBMY53aX1ejI9Ov0i4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQ/TcJGiaQZUBt61DRkJZKI7VDGNk17eGdwNUt\nvheF1n2/p4CE7AFTGfdRTv63DcUSADEoeGJYfDqKtqwAijsKo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQI4bkrLFyKIxQVCc3rMyr1ti1NvjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgPvoR\nx27qqMKnBp8yxgcsZ7zwrMyZmc7sN3WHtaiTwrMCIG4Dm4Hst+bQbod6E+1LQtP2\nS7b0ZVbw4Bvoa93Jb9VE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUEP3Uq/+DLknWZ2QuepKRUlGnqdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDr2EIFNUdMYPji2R4U9g3dNE/348uagoKVGXOxkYRmF\no7SP3N7Ypz0RslHF1YFyMlruhkBfydsESGYoDIctaNmjgYwwgYkwHQYDVR0OBBYE\nFHSptFIe6IXxbPbRNb8gYbhAjNH1MB8GA1UdIwQYMBaAFPWXYA45RRk9TlTnvFuD\n9JnwT6hkMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBJbrk33wjuTIZ2+cFdydnEsPBmStSTEK0vDBH8B0hHdgIhANTecjkh21wJ23RL\nyGhR7OxTSchPH4iAfNiMcACZBa9K\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUf81nEQMf1HCPjSnhF74kWvG/kWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFsDX8wvK8kmSSv5xEWmmZ0hWWWlZ6bt8DwM9ol2rq5g\nzssJV4h+AJm6C+/tx7YkrYWYjQUGrgKX2pM8FgIyRMWjgYwwgYkwHQYDVR0OBBYE\nFO00yH3Y/QDYah+hZFHSP9o0qvJ1MB8GA1UdIwQYMBaAFAjhuSssXIojFBUJzesz\nKvW2LU2+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAc8xs1GRoSbeytMOwLE0AFzWJuAG4tHwdMRn1Gob+yAwIgW3+FiuMTK5KFoojx\nR2kHfVj7w3w/Mly3JrSX5UGNUSE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUFbBLaQ13Ow7697GUIRShPTTq3vAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDiR6Yw88/Rx8vGFi7xyqHp+lj7Qee8EIf0qRz\nTru0xvOhkmUfdurH+Pqs+oNbxCux5CjhaW6Q7CCQStJA+QqHo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCjO5GoE9OkVGZMT/JGMFwRVMtGwwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDNnCt52z6i/6WdLZ1vjJJx9CzM\ntiogs2JcBJW840ZqKQIhAIplga4BDO1Pe3fJUSX4owNL/xsH5CeeSzQQdxJO2CfR\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUVWJ/4N1IgSXGAu10qro9bHVSrYswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsIJoNCAaQ534imtEzUz89Frng+fz1AHjwMqBS\nnWgVMgzT+Kq2oRrmv9E1cAmsNOfseNVj2yhCfl0tdzxtbuiuo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7wk5MgBS5LviccZIPg5u0YLETBQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEKmTPiBVnaJI8nfqWchhkJQ/bFh\ne/0nmh/KqezNhG/UAiEA8ZBeSB1Crk0C2lzk5vqx9CE6TxWluiwUC8021LuNQzk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUNQqaUq8+B0+h+q7bcLQnzF7qsBcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKNk6UDRPDrjuf4f1+Je8c77aD0t1cTiX2YFcPSDWxNH\ng8Bk+Q72gcsUZc2Be0VM9iTrIzjV+swqHfiZLcLFka2jazBpMB0GA1UdDgQWBBTx\nryNUQSajMLkrGHow6qQ978VlsTAfBgNVHSMEGDAWgBQKM7kagT06RUZkxP8kYwXB\nFUy0bDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0kAMEYCIQCgzL67nj+HpK+2L/xYFK5Y9UgEmKnI7epcbeLMEiX3\n1QIhALpfauUUkcPs4tpeh4XZw5Fab2ViIV9Y+2CRipCHz61b\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUFXQvSxq/ayFdGlxr/WR79BCu91MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD4Mv5MfNkoS6xRIEAXZLBy7W/4GhuNUoKWuo5ensX+p\nzc1ISJMOgZ7rjfCkdhmPTdCyISkqLIsZ6QZsMLiGNdmjazBpMB0GA1UdDgQWBBRF\n5LrLN/rIQ2kFXhKOShRmTBDTYDAfBgNVHSMEGDAWgBTvCTkyAFLku+Jxxkg+Dm7R\ngsRMFDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIELUtYzkc5g9bKsZup0v0H5xqZSZgPYFNnb1XtRFpe+E\nAiEAiDhljddufDoNAyMni5bcGjehHfnkLxVqievwOl46T5w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIULdRX6Srup1YAy8qkQi/u1GjtsmkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfZfuOjAS+FRURbjuCFTigbz32KtqMJhbmmHF\nL5exTk0cAz1TCuP4cqAcOSn/ZHzNQqkSgJthL9xjhOo3Cd/xo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmXNEw1SjpH0X8V0i31ei5txWvVYwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFFRgFX3ksfCb0TTGt8RrVu7XbBD\n40fK4RdWm73qMpmZAiEAhDLfkwrGaQn0BQ6UoNwhwbTm1NYo/0TP7MqJRWOhAAo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUDbloteFu5mYVc+/m6cSNrseQcEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO5lLpHL/OGX8X536nP1rqbRJxnUIB87rQGwSV\nU3o7AohaNM7IJq9YW821k946unQe1+Kb8K7mq23SMjwyMJR0o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbz1teANbfCKHKemecYxzD/cCvggwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIGinkPFJJ8CFy90qL3JFq5IwMi0E\nFUWiaEDcF8XsYjKVAiEAzlDKz5wtJODPZoxPy41GaFRlcCbbGAOj7T8Iy9/vMx8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUWgAwIBAgIUcDETKBrgdNlKQQ/1jR26okn9PlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBQTXn0ZG+K/WJoldBGQBwD9oMMEg+PTZTpPlXHExvQ5\nWw4Os9lfqeCOwd64xlGyDYG/EoQi4kLgxjxp1fbaqfejazBpMB0GA1UdDgQWBBQJ\nKcI0VJEDVt/SObyfVXfEE4ifyzAfBgNVHSMEGDAWgBSZc0TDVKOkfRfxXSLfV6Lm\n3Fa9VjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0kAMEYCIQCpumSxVspGuW4L/4YQ6UhhuQNh+io9SVRolHAoCHbB\npAIhANPyiSyoSkD2ZNXXbrdz/TIDd85jCYMY5d2ALkchxoS7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUXQDO6N8ib/zQdSYVvTnvkK9AA/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLHBKquFoF30ZEEigO6HdHBIvNjDUpbvx/ZRmrK4KtK\ng7qirJGu/IgabnacFTqR0rKJxTpLN0jsSX7ZTJY6IC2jazBpMB0GA1UdDgQWBBSl\nmCIOYtuZXZB5SmVpQ6ina3KlpjAfBgNVHSMEGDAWgBRvPW14A1t8Iocp6Z5xjHMP\n9wK+CDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCIDq5yp5ipvKe2U/Os6uoNfnsy8KJKZ3rjESzjKsHzFfR\nAiBjLQeHpS3PstbfKqs9gGI518C6cCsQUj6Vsi1Ai9E4Sg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSPFbjjmKt3Q+DZU2Kc+al1xNBlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZyCIEwyB/kvjUHpO60DxN4/ym3waBVal653ph\nL2VKtBrQBRE2t983hxbBDLnUSdEclEYwKzVXn6anFPI3uEIno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtoZZzrFY0EnLzXqoAVBlxqDng3EwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDvMnmwQkygI670fF84ZBLBKY6d\nApA3Ao8WhQzv5Z/z/gIhALAWWfFbOx27ZHsqVSvmL+iEPZKqX7lOBXDTqt6B8IsU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUOxQjz6tMTbz4ZbB8OkJDJNVEEQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPDyUm7Y+VX1RSPipmo2L5Rnn/jHcsiGWZvtTE\nYbO3B/77aYZgHO3tzQf4ohCFWzAh/1lCeoVp0E25Wm5RTswUo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJ2eMOhJDOaQr+yIgklCCmQr6NPkwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCaOfk3vf8dXiQbG1u6vGmhkNEB\nsla9pgag81QQqqTdbAIhAPRdmeXcsuoOUShA+XKdc9vrYgDLYKR7CrV8IXeF52Gy\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUILlAqH3R5rClhAKDKWZL613+4NswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJC7yf7pIrd9hOCjD6C5CGNqsTwBaOXttzw2zDSGla72\nI2cZrgx3AIWdk7kJewcxSzmtsufwh26ItPmC0OUQ8umjazBpMB0GA1UdDgQWBBSK\nzvYb025ZxGtvg/pkjz69K1OMmTAfBgNVHSMEGDAWgBS2hlnOsVjQScvNeqgBUGXG\noOeDcTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCIQCtXsIwoioKtIpOx9D4K7yHfUURfwzAxN2Kh0wYZUE6\nBgIgTDg/Txqs65zFT5Dk0+YAxd8H1GsG7ybrJbEI7DAnt58=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUFRTDsiMlgU3DMk92Ry/ZlUZb6oIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBZyx/Fk0B1irEg7es5TbcdlPBDTCmSfcYifUcefmIFc\ngPo6KD1uLLY/1CMJroyCaEnd2AjJwGLCFVWJczWz21CjazBpMB0GA1UdDgQWBBQN\nMZTwyECDqXafrFzLU/UKQGm7azAfBgNVHSMEGDAWgBQnZ4w6EkM5pCv7IiCSUIKZ\nCvo0+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCIHEwVh7Bmd9PWpVh+fkUmL6NOMMYaXACzfsua2Ak5yeh\nAiBCIrUlsa75SJHc14WJ0hoxKvUhgS6LyVqk+D8cWvncWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNdbtwkL76paQEBDu5yF1g3/L2GUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXdjajQFOVDeTC7nzSO+c8C9v4yvpd/j6gI9zV\nvFYWSb/J+UGhTUxr4SjjKorYOhUO0eAxpUjZzZ8+yvU7hUuio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FH4ig0PBHWLXLwH+s6pzIJ+8LYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO+dDCnlu4XwlXoC\n19/WgjQorwNSEPFPePG58lFhUqD6AiB+D2AyAXyoP7hNlFaUc5506UrsKvc64+g+\nHu+HNCtUNw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUYzhPxqIDXRHTYP2KctO61zSP3tswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR4bJ1n+6LK+3C2PmzMYr/ddHv1xbcoFYwD/ohb\nOV1gzUK6oH1620XmHsYV9c/X3rIO1TDNvVnLQ0FKkpWgV5ZYo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUx3TPlAQqGiAc7A5G7ekri6fmpKYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgHnkT0P8bS2N8SXmf\nLxgdZiGBU7PnaJnIyTAZitwBdj4CIENPUrKTiivRjrODBnfJHfhWNb4+pFZtoQBv\n8mPIp1IH\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUPAJ6vJ5Ngw5/VEKQ7y6Ec2ichxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEehbAra1hjfOQ5wfw0vax13fE5XOVhXggZ08ZlSdcaYP+yAO5\nDKhjdjDfruObc4F5YL3W/njSO/metFhlyanyiaN7MHkwHQYDVR0OBBYEFPf4Hquj\nErzC64TAyZiv3u6R2eAHMB8GA1UdIwQYMBaAFPRR+IoNDwR1i1y8B/rOqcyCfvC2\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIAspntNlhi/iqaAXHPeTTrHyZhi+\nbCwTMDxU3ji2ToVrAiAtMX44Ni3DfUbWPEV3n3Mp1F9uEzztLG/br7JTuzxzvQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUc5UjncK7+xSIxo7FXReEzSCnYOswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEQs+ZBK5Ji8XIN7g3RYj3QkJN9QIKz4RYfGsjBkJ/uEvQsr40\nt9a77F4XishdR74NlwZRNaCAjJfeN8priD0696N7MHkwHQYDVR0OBBYEFPbSsgb2\nhxJLhwPNj/X7NQuosFjiMB8GA1UdIwQYMBaAFMd0z5QEKhogHOwORu3pK4un5qSm\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIGwTUN6fuU+CHjqmw5iv9i7aX1iZ\ny1ts0KVX1s7dxkAcAiBxIL8C7Ev7r3F/2DPBVOe2u9A69vQww4JbSisd/pNDAQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUdwbP746Wt5CgfZlZhhuE1zbpImkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNJ01DoTCS/Efx4F+wdL4OKe1zGPidDO6nhhQ/\nEjtKjWODxOg8/Wlq/rlsNDf2TC6HjJjb+lcv5T3EIUJyywo6o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEs/uVDjtEhQxo+s2iln/MfOIzN8wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAPjjAOeF245Kd/mL\nW3UE51DUoVWPC6AN1Ks1/6V1wGJgAiBf8O6TeRtFGBErBvkX1OGPfDsYgVyBQNHk\nfa9prZ3ofg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZNoZO9ET8HamsLxnSUBe9JyFVgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAZVl634ea7NMsOlS8PT1rDMqYzMHdnkEU7KqI\nyWbRSH9bz6dV18IjhhCPEL+D8dPOeT36vsLHatnT0tknNA9co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcCB5mdVJUyLZ52+drZnEK0WgOEYwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKrMXPVeydATKW1A\nWhcV0RyBba+NXuTGicBjysY7WtzFAiEAsDxgtLf/El+Gc3wtrJx2gY8x2vTDvj+q\nSePSrX5pDs0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUEnu6s7ufnTV+82zhok4M+Ny3CaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARQE+gwFcyK7HyZxGD2uBIXdPA/r5QBhG/6wXprigY1AMJR2O80iE5g\nyEfMxopqx1twRYoj/ffMtcpgNtjtstulo3cwdTAdBgNVHQ4EFgQU+//AOKusFDDf\nblYuivtzFfnprvkwHwYDVR0jBBgwFoAUEs/uVDjtEhQxo+s2iln/MfOIzN8wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAigb7sTySbGWaDWlWm0iMGpCrTeTkSNUMmtZ0\nG8o8mp4CIF1b2iOJUdLvugRW/beOf9NZ1MdI3+xz3O+MbX0Z+1A8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUigAwIBAgITGgwzGn50PYUiHT+2Z9RExRtPLjAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMA4xDDAKBgNVBAMMA2ZvbzBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABJ+9qUVrx+8XC+K7Hm0ThTDO98tb0Jlx0bxT//DDO9CHGl9XvkzFoIAp\nqcxMRXBA3fTVRypU+GtgPd30BEqaZh+jdzB1MB0GA1UdDgQWBBTYtexlVe3KsAmv\nI6IzNhRZnHtmFDAfBgNVHSMEGDAWgBRwIHmZ1UlTItnnb52tmcQrRaA4RjAJBgNV\nHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASpBAwDjEMMAoGA1UEAwwDZm9v\nMAoGCCqGSM49BAMCA0cAMEQCIAi7kMAh3qJhSoQHCmXtJO/t1Xa/zdOLklYWyr2c\np66CAiBe+dK7LiuxvqcvVsVQVzi7XNRIM8cqoZEIx6ysEEbANQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUJqqQGtZKxTblY/OOAt4aZguRtwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQmS0VU9PnFR26+pPuaBvGCgDIgSxIYrXUWUIk9\n0gu3xU6ocGUsfGVmfyPg1qBS0NQq5/gPntRmXcuYn2Vi2TQpo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9o/XHvxkJ91uy6J0ompnkmpDmQ0wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANMjXLgCpDh+I/7C\nmU/nO8J3/SlJ1yVb5EVErr3f1PX7AiEA4xTsNe6Gm/LoXnmasLL2Ve8i+8D9iLTd\nqEShKxyUXbo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUG8bdioBQ2t7oBtkVYALrS4NyU/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1eRhAI7dvEXgrh9OkNXxjvXBj/80ESmFdtqZ3\nSpxDc6eRv1mW9Y65DSeTC1itPTAdIuaxbgmRL3YGoegSnjEDo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE8/1Q6o9W1qwGYd6Bk1YbBrHHtYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAK5yz1NLfTE5gqp5\nCzvZY6+WUXtxxEriaQoX2sQcb4aMAiA3AYHtjh4186LFIz7rGABgZU28/Hz8ahS+\nk0+MN7JDtA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUCJxScdgvm+Q3xiTaf1kU9n6GoX0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASta73OJwf8z9iYk5ywK42adDtOdkcie3kOS1Cz4ZmgCFPQtxVtharj\nEnjY/+pTAE+YoHzPtG6SMl/Rwo7HASqwo3cwdTAdBgNVHQ4EFgQUnzk7ch93ZHwq\npqHabSqiKAWQj8swHwYDVR0jBBgwFoAU9o/XHvxkJ91uy6J0ompnkmpDmQ0wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAk8iL+jPncmCfc8W4vPaIZxG7pCulkKMLsW5K\nUbs22RsCIAWrgWwej7AMSg0l5RzE9qgY84fdufPPNpAFQ+KoMuIt\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUQuycvK0lO9DHpEmmBLuXsSQzjOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASjsLfFr/wEOwkE2GcWRcS4VtDme5XePRTh/2EsGNs6IRc59g9dSIg1\nsrCHs6I8X/UFwVxK38nEY9ckoeJAMZQYo3cwdTAdBgNVHQ4EFgQUNlcwmXWxSOVs\n46nT11WtQxJAGG0wHwYDVR0jBBgwFoAUE8/1Q6o9W1qwGYd6Bk1YbBrHHtYwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiBH+cYuhtdQWiMU+X1kLWbBAiK2YObm+vEZtSG5\noexbnQIhAO84aSlyofBMEvNYgNk13tAbXo5Lf2gMBPPqYXozsOeV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUdtZl6DnoLMJQRxoyqwNkk5uPpswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwedjjKy4EQJjWJoygE8RFCRogQtlre0r5GEKk\nITAfj8N8slJr+aeGvvfu+ss5jRIMgNG8kjOjujthrK5HGV/co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0FGb5QU/yuc5QeJ33nJI2LJ7sGkwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXl6uu2BUN/XjYygD\ngfTi+IRbA2VGgzoaZdPiIKq8mYgCIBIgChWzpZpYhz9WenS6ajvB8gR5zXoZksnq\nWtuuvEPi\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUGWQNcUgzpHHq9SUk+REM8UjuN7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvEZEaVhxyqTo5xWn/DWBjov+pVbI4JI4t7nvN\nmZiBS4PFE0QbpEz5Lio9B+ZIb2AyYzoIBBIoClD0WrRlCOGTo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxAnkeHzzp8k0r6dxIE8pLvjMsfUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgUm8/SnpU/TmBzLrk\n06n6iF0ZA2/hkoP6yvd8hwpbodsCIHyvNuDJdL4LqeDaLfvintCTygE5GnaL6mon\nzd0l1fIE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUcqp2NVqmgpHcKWhwALo6YgF8/2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEtL7prW6gPzSWV3q8a/1ZUfmXCpkklb4dfpL1dCo5gQc8/2Rd\nDV1RSzuPrVVxd0oI47PaiLr964lJEz7tbRMnWqN3MHUwHQYDVR0OBBYEFEY7xaTE\nsCMcmpeqO1gWpBrOQDt6MB8GA1UdIwQYMBaAFNBRm+UFP8rnOUHid95ySNiye7Bp\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgQhCKwmyUUp4bzgzCw4hPb/H1hf+hKwAc\nDPlQnHhfe14CID7/WFY/lrcgSGOtT/QA5plTsbmbtD2x2R4mbzG2yi4l\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUco5bruo3DNCZeiRvgDVX19dP3QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEXVIyexGX+voCI5wJQXGLd7jLnzNaWkPL9hZnKy2kgVH63Imt\nsE39J0irUjmFQdmeJTY5AUqHhMmU5FQYFUTalKN3MHUwHQYDVR0OBBYEFCGhI9Go\nP0q0M8KbfvAY+jyRhAfBMB8GA1UdIwQYMBaAFMQJ5Hh886fJNK+ncSBPKS74zLH1\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKg3dElUOiFg0ETttJaOwWrcOKkMG3jo\nSUsa/HV4rxhPAiEAweZ70uvKk9ItAkTcdemOxiReqFjfwbeQwp+59V3r8Zo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUKjpbU/ol5BmjiKwl0EyBgPyF8ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnD5l87k9ZjTka8NNyZoMqFXVnQcENK3TbECXS\n11ZE8PzRyD85K2E/u9ZJ7ON7SvjIbpS8oT8GQni616p6xgoUo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM7hIXJ36PxCAQhh8OTHDPwE9KrUwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKmNXrX/r4fpRbtt\njSqTWF1PYiFz04Oy6ZGl+3hc4UaJAiEAia9eHP9OBhy0deRxR1QpSs7QSNE6sLIv\nl9lOwGfSRNc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUXP1wkTVQNEqXX0caSiBz5axQi5kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQES5+TChMH51+TGCaBlzGUqfL9FUO7Z/x8KSpo\n8FxGaPfrAC5KLNsvUwsRXP1ahHfxX9O0A43Nk4fiKLcR4W7Eo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7waEsfgju2OTjGcBvKJrivkVYHIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgdnGcLiFa9gFFixIB\nOzNIsa4UQrdNp+7m6btmB66tLXkCIA2tGKQ7C0HCotGUldjV0ZNBlusKV9ocV7bK\nhnrMrVwi\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfz9//RZI5WBjQzGJ+P5nDRhiPGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASptWttWLfHKEI65NwXG35dFxkvXoR5dWrSSonRsVwGICLykC48AEbk\nHT2cgLn+18uJs8x6ElQYTOtckRlk5TF9o3sweTAdBgNVHQ4EFgQUQk9yuA8b9OUq\nr9vscwSN1ABuTk0wHwYDVR0jBBgwFoAUM7hIXJ36PxCAQhh8OTHDPwE9KrUwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOwckhZ9rZzHB8eIMxMWJ8PJ2VPjZRzR\n6pf7F3Cms3UEAiEAhWi7zcG02bkqXMZSdI5jXjGdy/SQauvpsflan6khYcM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUJH2kAF84vX0ykMZwHu2Ugtuyk84wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQrd3FiGvkdWlzpuk7JhHioML3zac8lYiYnCJsF3t+Io0DbBl4jG9dj\nKR9G9slUGkL260829RsjS/uT2kvZqc7bo3sweTAdBgNVHQ4EFgQUPFXAemq5/1qz\nxFPXeI+aN3YGDZMwHwYDVR0jBBgwFoAU7waEsfgju2OTjGcBvKJrivkVYHIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgVQPGUdCqoXzfADQNhra6kUXaHWRLFQD9\n6i/y59TJSQUCIQDiViuZWf9kdd0EFHi4GDxIPKVjLTR0pc3JW6rBAAr8Wg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUXgWDI1lMBCyrsbNTdhL6855ckvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAROJU/qK87tvQ5IZjUl80yxtX5rfxA2AKKSrWRk\n24YJwTw5NxeZAreoXKvGwBl7PB7gSpkRK78mpgqCmq00RtBio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPGlrL6Uz4svkgYTiaMXp8yteOqBMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAp+QGgJo+J/SSqyJPg\nxbvYnsqJT1Zffhv44nsO8bRsugIgTBOpYCZLdIcZXvuRU45VCxPbhJBVhxhjG6u6\ngGy8dBM=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUMq0XF85iRpAO51B1EELbpJnc8EQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGZPlzinVuzUcNJ8EYVId9R5gnGyedy44KEMsx\nRhA46ezV4f/yQf1NRj9GqQvWRN0HUiVGowUQ8vHBWqJgDKaio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJsPQzrytpVa2/4XJBT4WAcllf7mMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAdx6JuuvoPnDTYAwTM\nls9KVQvT69EXL7doKptRCF+mcAIhAL89JvjfJXqBaW53u6B2JjyG+2IDbUz0zIpL\nDQhHVH++\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUWHr+BuWOV7m5K7nLRd4C0hD1Vw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASccs/uRZBnyiwoJuIQdc/fLL4NMt8vtvF3oqTa\niX0iYRDaUDWX8T3FisPaEzuamLGDvJACIyIOD00SsEGoEKu0o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU8aWsvpTPiy+SBhOJoxenzK146oEwHQYDVR0OBBYEFPpx\naZfCge0HEqv7MkBQgOAWXfRrMAoGCCqGSM49BAMCA0kAMEYCIQD18ixj5hTQSVk4\nl//r8OOM7THb6ugH+P0ebVd7m7BN0gIhANYa8iWQvQQnkc9RYU3OkIZAAYnaoEjh\n+H7UQiy9a6ac\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUMs4fs8wdo1QaRxAWMiHWOUSyM+MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUYEi4txm3FNUeKgf72O6aplD6lhwaY4Qw19Vp\nXMzz7xdnrGHD0QDONR/5OgNs2QGM4WI0JOjVd0dGC/vledSso3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUmw9DOvK2lVrb/hckFPhYByWV/uYwHQYDVR0OBBYEFHL6\n2QSr3DYiPuf9RmClXd/FypdjMAoGCCqGSM49BAMCA0cAMEQCICWD0xtr7/pzer9N\nvzWKEh9ZeCsESMVGXbpgpyACjL+WAiB01/r/78cIbDv+85rNlef+f9E2DQr5j3Xt\nhrcgFkUjQg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUUn2YamsgEFVMD/qYJSWm3iW3Cr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFRuRDZHmriwPQb6iRW1GcAdUGGkKnUbWLF91HHpjQbW\nRsTnzUPGgculVpxk4oI2H0twVEacfX917kyfQpuU8POjcjBwMB0GA1UdDgQWBBQP\n+niwAuQ5UvyLkJ4996A+f+tHBTAfBgNVHSMEGDAWgBT6cWmXwoHtBxKr+zJAUIDg\nFl30azAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+FKCXqdAU8LsUAnfkOtS3pZvJTwmLEtl\nFcBKvVhrMk8CIEUZjrsS/lQwgecuT96JzGTfF6fkc/jpnca7apVTn89A\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSYkq7BJAGA4lfqHXs1WJEH+y108wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIWm0NuswvUlzl+ISb2N0WTIXOMey7y/NftW0/Y2leLu\n95I45yXl/OqUD8+1NPTZcY4mK3+fbb5BSrHsgW83Vn+jcjBwMB0GA1UdDgQWBBSc\nKZL+IkTMb7LGV5YNpFELZ7Ht2jAfBgNVHSMEGDAWgBRy+tkEq9w2Ij7n/UZgpV3f\nxcqXYzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAl5wRSCM7WL7ad0w83Ut5rFZihmrBRTQT\nr0vJx+9q7nICIHv6hoNH/q+osyig91oh9dGN1bPjmMlJeLX/u9lpJlUz\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUa1n0NE2SMGPuouvbRerr0elxCoswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATlWt1NUDJHVlhMsZedFzeROUh0FfcyjQMKcjzI\nqDfHwxEGbbVlWXRcE1iSqbR8O0O0w/p9UGtdXFLOePXr5H3To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBQJkLDUwOHXoJiUJKyKHspUvUpkwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF5+v95dkcc0gBafPZCv4yQe\n+r2zIXG6H2uZ1RjZXxYaAiEA55rVi7S/3byVEPT2XJL2THNvw9YfeK4KTHDAqsyg\nFoo=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUCV+aPkeTnmMfonUcI8XSjAfhGgUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWiDZ6b3f7JybkyA4aB6bZdPLLbVn/zZoEtanJ\ndrfE5iGTZkcmrgv5HRhKtfP2rXR/su+I8UUhrbxnovwB2b4io3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURzEWPaBYENYJOXFbLzLf8xYFG2kwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDUWjlrojmNq9dsEQC5xgB7\nfU64AihntCMeJVuc8TL3SgIgYKPdpF6sz8nR/ZbVdeckjuMTL2xzQyq7Gf9N1hIE\nURE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUKlNbwY//vUp6KusJ8sHY4ZhXf+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARfl4eA3a8rREN32zwjdS5Gbwa4fqDVcpHkE/Jd\n9C5mmIqSduKFWFPRNDmEbXfpdZIjItBchc1Tz5U1TvAARVYfo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUBQJkLDUwOHXoJiUJKyKHspUvUpkwHQYDVR0OBBYEFMB3\nCSM9S+dhZGnLIIitNpWAj9LLMAoGCCqGSM49BAMCA0gAMEUCIDCMOgQMZ44aIZuJ\nKRN0TfokRCrAJ3DJXwbyKLfHAmpuAiEA2IuJ35UUxy91tWNk1HTuxKEhxS9KAW8X\nUiXRlskWOSA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUbDmFkBwYf1SfkYlZ8BDMR3YG5powCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzhZDQQ64HqZp1QIWS/7fHW8fZnqkchZk+kAH8\nX42R58R4QqczdBmPrm7DtNcvl16uLt5NbTzfcw4sG8ukyoZCo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAURzEWPaBYENYJOXFbLzLf8xYFG2kwHQYDVR0OBBYEFNQV\nJ0/oZfF+o/x5HVN7s/q6yjKVMAoGCCqGSM49BAMCA0kAMEYCIQC/PuywChyM0u7/\nne4nlsa3PUeS+JVExYL4YGh9EGGQBwIhAI5FTpMhQcIJOlhxGvvxXO5GywUGVlHS\nQohIf8UadE/c\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUYi7VnYgGsVoToB0qKZ8NU3LkOK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7xz3ehnJtZ27JTRkSLL7iCwpcLy6bkDoS+DzP\nbiy+gyzFY9S9DZzXlblloa4Yc9ykFO7tovkaLaisaP6LCL/4o3YwdDAdBgNVHQ4E\nFgQUmaxfC8hwSGZcaH0rF+Agkju7GxswHwYDVR0jBBgwFoAUwHcJIz1L52Fkacsg\niK02lYCP0sswCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA5Ubm3lPhzqmel081FMCNPu\naH+yV2lphKW8VavWDjdTAiAjfDS7s4QdnoZVF62Ec9ji7Arljgo37MV6nmE2P5qA\ndQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUadD1Z4nOMNcnpE+TZ6JRGnHkoyMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATluum10rSJvh0sppVWHeiGpEP7l0eT/hpyCFio\nhw7vwcKQBS/frGfqX0VuFEEVveE8/LhRQEai83qBT19AwLBSo3YwdDAdBgNVHQ4E\nFgQUzBhUAKUpHwOnlPu6PoA4/Tf2ae8wHwYDVR0jBBgwFoAU1BUnT+hl8X6j/Hkd\nU3uz+rrKMpUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAfw0qf1qL4f8s0WImlbnaYf\n8VdI2Czc9/arqVgDFe5RAiBaVV0dwQyflDg5C3oCTZ0WZYKUHKQS8KaHpdhwPATN\niQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUFlbJ06AQGr2gmIrc0ovzit+LSX8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT58pW3NY4ugfwOl4PEex2qmEpxJaun4/5nRfVS\n5FG1ss3JN1H/9TGJ7EixBxzijPnRTmN4n9IismrYK+pwgCaao4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTqionIgJkMJZJJrvQOY6JY26w7SjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAzL/1n0Iv/Q3etv+8saS/kOXeev9Yl36yg6AO14StFJwIhAIvKk7NVbSMc6aqE\n9KYj7dRX4h1EioI+KsCNSiBUNHnj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUY0DVBoYYLvXIGrGL9X7Ohysj/OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT5Ki6qoG3W8adI4FXXtKxAjs4HWisdP7Bomc/8\nPBm4CBnj9ako+ADmNom3wBQBQpTxGMzj0c9CpnDLlAZmi7CWo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQprw/03ZX/288m5uR261UOTitlFjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA6HnroEriAv7J5XI4zLB4spry8fTJR/qZ4144Ca8luGgIgMgtz9dbjft5Z2Afl\nw9SZPD2Jzc0l0feerR99A2nt0T8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUCNw+HWKgtD4Szb+Vqk3Qg5HnDmgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJlCIwVJcNN0d0/rvFK4BnMGJbEhrXOBpH3hPlDqOeRp\nTKb5NdX16HydtD1PhakVdU5WmM+k3+9BQe2TlKHZNvujcjBwMB0GA1UdDgQWBBTd\n77L6MFqqKZSn1/pbjhpFlNpqJTAfBgNVHSMEGDAWgBTqionIgJkMJZJJrvQOY6JY\n26w7SjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBjvvgX/4ogSxGLqxrr/T+K6RRSJkilZGfz\nVRJ13v1IxQIhAMnrK7DGFcZkdHhlFruSbClaUaYdhgaZmOVeVqdqPyTo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIURhbL1Gqho4H/x5JgT6iSNiX7W80wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP49579z2Bvz84Llxm9S5DD8iS57KHfe8Vc98eQzQoMe\nbWuNB+WeIQ+QSXwgPEwF08S5mwSsTn49wQokKn6IOj6jcjBwMB0GA1UdDgQWBBSN\nnASa19SHdhe5zy7LvKCpS7Xo2jAfBgNVHSMEGDAWgBQprw/03ZX/288m5uR261UO\nTitlFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiA04xiIYh2t3cxsrx7tLZYPVgii9VHnxVC4\nSea3Tyg9VgIhALGwrbvRLEslZ4vsM77nUnNAV2I7gcdhN+bqJ1MOmUOo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUXAdpkTvPDDb3Cct2dfypm1R0keIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZTMrSloi9eCMNcI5+FleciSP2TPEtQeUYRVEU\nQNaJXLZ9rKtOJIXzEty0TpZ/+aBqDK0FrLpMLsTakCkFrHvqo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw8X828Cp5OX+vIZEmPfZBsfRSb0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIGfEY7ExC960ZCA65uh2n4Oct3ml\nfh7QDJ/kccx3flftAiAt7k6RuxuYLrjPN21O6ZxzW3zRUudOxVGvuh5pEEiyDQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUCyKIf5136fCtWIO3Ecn4CzZ54EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQe494I/Gyki0DPLobMpsjVucnBYWmIy3ohvXPB\nDTu9IT8Fzr6V9d3GTav4NSUkFkieJfbY7OD9DG01wbu7QJuho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvm0vbvJHl5P3XNPlE1FPKpqq5dgwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFJ0kvtTQNwypsiA+XE35JqCxJEQ\nvKjVAD/Pax2/15r4AiEAzE4NQPlYOv2qSgWeXQHme9o/czBl/3OmCTxHsilX3sA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUK/qzXApkwnTKavLyVp4kr6ApVwIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPFnigdukoCIx0MWmRLs3ewHhCJkhd6DaxpYDFp3fVog\npenju8EmXQIBDaUKPguE7kVFO+WkxBeVtJG9Y5GbpFujcjBwMB0GA1UdDgQWBBR3\n5poy465W+YomX5D0M/U97TWiQTAfBgNVHSMEGDAWgBTDxfzbwKnk5f68hkSY99kG\nx9FJvTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAwTKWw3X+VIIMtlNr+sOumOhtLhkGSzEZ\nWoM1GHfExiQCIQDTNFvQ40XuzV5pVyY6Suuq1EVMFZgzbEJhQSeiO7a8Kg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTw9h5omhUdI7LfhxygboFLWmcwcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA1aaBtyn5ojun7srCaMvqgR+qf/ksR8jCxby4IPDnjm\nhvg9fy8w9G/6n0bY1cfKbS/eWx+kWeOeUsrh8IPHjzujcjBwMB0GA1UdDgQWBBQu\nQX9CLrergJKeN5fLvST+1IBDQTAfBgNVHSMEGDAWgBS+bS9u8keXk/dc0+UTUU8q\nmqrl2DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB0YSVUE2qPwVx21vXZP/kMu2AEu1UshJng\nZD5+ax54hwIhAOsU4voZdFAoSEU/84eRD8trFtacV85BFYtI05v70dMq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTd/Jo/c9JAdC3BC70TP5q2X6k1UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLFeFDjduYShJA7XOLRE7hIt6tLGqqyO8hRqY5\nUlNz5YIRyy7xXDV1tsNlcVizEzdCxtP2CWtck9hzRDpgWCg0o3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FWgoKT83Ph7gkAX6TpRUR7iZ10wHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgDYRMhZDmVps+aoNMnjyi\nVKl7FYhPfurk1rCsN8EnS6MCIETSsIRQ1ob5vB4if/AiXUAB6zbiPB1W3tLRbj+N\nL8y0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUftUOF061aB0v3pF3+bgENbJ4/AkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1aSzjZKiRKf/kNQ0CMpKdIlX0sYgT1HYNRqX1\noRW5kfnYpLevbL4ku1i1XiBsqpumkFf26r7BAxgMonsaErFGo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4T4ootpEkBpyTY5n/BEnAKpMiHowHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPXUbXZ7ZgCrNgtI9mI5\nd8EfkHWekaoHfwTXglSrcWyfAiA5feJD2M2Zgc3tmeSOLZgPm9beRBTLWl0/MKWj\n/sCx/w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUGRSp35BZcDxw8KwcD1bGL5kfe8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO+E79I+X8qJUftE5Qt1pt7H0G2O1rNzBESttWXGyuZ3\nA6N7S3OqUu+FTXsqhGgLa1E3EPaVwZkJYL/Lzyi5+1ijdjB0MB0GA1UdDgQWBBTT\nNf/CA2rD2bZJtalhmc6wbh1xvzAfBgNVHSMEGDAWgBT0VaCgpPzc+HuCQBfpOlFR\nHuJnXTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPrmwZ4lxXft/psIJYadETMd7byQ\neXNcn3QgjzpPRJcTAiASS2qL/s2QvYYfar3lVRJuC9MakugFs+qtUaDxGQ4zvg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUTYibZrmpm+3EKYN5jwbIbnXajAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOy9oufYOsOr40BG5WXzhw7a26mzTtHhNR+52eEdksQf\nLwzspfpQVCulAQljxcYCXhvzC/08sUdr3uaX5eFtaLSjdjB0MB0GA1UdDgQWBBRk\n7ZWjYVSeEHL2tcBWKGrz4AM9KTAfBgNVHSMEGDAWgBThPiii2kSQGnJNjmf8EScA\nqkyIejAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN3+R2MWpeRfCweSDtVYtEj7Yw98\nOhtOY1V+kfRoKuLDAiEAnTKh5398qiO+Vqtyo6U+1HG1DErUXHvwi3PxwGDPO4E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUKX3dRm8G3adDEnSlPu/EIA13rXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMp18ytxDRxrYIyAVZGD3KcYEBodVQx4gwFlbh\nhe+uzBPn6eE+QZkuWb2pSUReP31bjmzblx9VSbpQU6w6IKCso28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQQpROlF5pVjX/3ZTCYyRctnzppYwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgXLXdpjYWXc5NT398fjoyYLCSyXlz9aYA\nv5jZ4XVY4o0CIHTQL6Da807l7U3SKohbrEuv1Jifr49bs/Iy95DhRQbS\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIURmfff5UWrSk3yM586C6Yr0Qe62kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATg/yWBrw3KUa5ldFr/Oc9ssT0TjNcGz2NVrEHO\nHocFpdjqW5GOnELQ5Er7WenAy96bSaiL9OXPr+/VjFuMYmUPo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxeHqiYa6oU7yPy2OFZWp47WO2OgwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgRSp+IJDDX/PbdSQMpJASn6x/piEBsHVV\nw6p/v6Pr2FMCIQCWqSIsrUtp83I3BbDooRpJ9N8ckXfhEsjt7xtstkljwA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUAo1Z8AxvrLZpCZ67mfXKBgpim6UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKuEsJk+SEGAGaXUdivjwLr37JJu7QfPLiMt+iPqmc5Q\nhZGQckTWdLv8ko+TdfGKd176K0M0dGjv+11L7fadzNSjazBpMB0GA1UdDgQWBBTG\nMWx+tICBsNmPXpNtnpeZJDMbpDAfBgNVHSMEGDAWgBRBClE6UXmlWNf/dlMJjJFy\n2fOmljAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0gAMEUCIQC/WvkJbFI/in6+nWJ2Gj8mbkZBSzfz5FkqJXyF/yku\n1QIgVrYkUqGU/90SSrnjjvLK7KH8+DeBRshbPHixNHem0Jw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUOkiW5TRghZEpmPxOENEflWX+JuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjyAfgBd6oYU7JP+37fu4PeUqnU0tOvVKr+TVbUft9d\nRATiwtpuiP/YIbzbPyXa5odykxBWZoyVMWlSxKmAkwSjazBpMB0GA1UdDgQWBBT8\nqyyhqCSx7dvPlJzjXcohiYEDxTAfBgNVHSMEGDAWgBTF4eqJhrqhTvI/LY4Vlanj\ntY7Y6DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0gAMEUCIB4YjDJhW+UXBAj8yYQ4ZY9Nw/wWcsmUyi41SC33g1Hy\nAiEAh+dsv78w9ICoWOjVaKkO5h3NlGaqJy11Ka34FW3fbkY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHmhZD1aYmeonpWrVTFGlg4olyJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqYf92YbXYSNy8lZHanOVPb+peDq+bqVN8/q/W\n4aMycedhOPznSwpbE30MfizQA65RuOdsoa3CLeBxkDQZH4n+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURagitO4xVKJeOD8hP3rX9epG99swCgYIKoZIzj0EAwIDSQAwRgIh\nAJnx+IiYKYzuI0fA9CYU1C3M7bzZTgSGZmO0dG9DN/rHAiEAlCsu34YreRjaudtV\n3Oz38zRW0mJua2sIyOvNX8hVlkg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOpkkFvNLloqd5zTSpX+of96Q/GkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzaeALn8JvX57S9oO+vb/1QFo1e577jrnQL0TT\n2gWSnd+vTGTrWLiDTyFyKH+aqXNd3FZznIB2B7rtuzv0F5bAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUko24TAnJe/eUkghj36eD3vkjdz0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIFvB10PRmi9nI7NdLTy5JOMe3tIIVdsuarCV5hw4F2wAiEAxn8isF9KOWXACpQe\nP+GTLzi1Kc47nm+FruVrT1vw4Xc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUTjRf+BdB5MUeOv62roLe5vmJtaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI8wQyP3D68/iZ6FX8qEgRgS2/MtH6ltaWGj6LPZ5tgx\nk2rnaZQW3ZcpC/Wo1v3C+viJC/+8+V+pQuv8mqAPb+WjgZwwgZkwHQYDVR0OBBYE\nFD1HKzi6jMaMsZQsimGFcVfwMIP6MB8GA1UdIwQYMBaAFEWoIrTuMVSiXjg/IT96\n1/XqRvfbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgD1iBWWCb34/gJ3ZsFJF+3YaZnqW/VTSD+TlyV1bq\nWwsCIEoOtydVLL0t5VvtQZ5Emc5kDvqx3EPJQnQtIaPTjK+R\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIURUaBCThzJvcZ3IOwO9NtAbzbbe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLxsgyaJ8z3gfBdtKBtnQ41yLjrQc0AZLMvqB9poLtJ6\nXP5Jm1Lcqr/0zw79JxwdX403fQRWj/h5cLloVljOLTKjgZwwgZkwHQYDVR0OBBYE\nFIbp7Vgo1+32z420BNDlrg2FRGz4MB8GA1UdIwQYMBaAFJKNuEwJyXv3lJIIY9+n\ng975I3c9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgePzlB9niulNS+Z5Cm7tg/25VMpM4ODD3EI5GBAQ1\nuF4CIH/FirwJEFOd3wTvHGRmlf0Czliamgl0dAL9mRBB4m8V\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZ6jEFxppWXbwgNguvl9M+YAdcEEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLqG/F9IvzprFw+AZCCoOfZR4eBew9NB9rWV/H\nH5lxoTCEihmirBL4At9T0RUyEEQn/8+qe5Y2PJLTRdcN/m1+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHg0LXiw9wkJKgCJgTPSUqPoNcRQwCgYIKoZIzj0EAwIDSQAwRgIh\nAIxL8ltdpHvpzCZQ5fBuMZ4z+6Xj3KPKjh6mOPI5oyfYAiEAzn58i7x0YwR1yfw3\n1/XdUcLMAdDxVpTHfb5WoN2sCmI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUf7aJKtZCaLwRMnNpkaoQKc/158cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDYk1NgeopnP9gbVM3uCqkktbt1mFHfwslyicL\nhX/R6TeGTU+cWFqeaHqxS+HmdGYRUu32c/2vvqQOdT80BO1ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHPdjvej1VBWBC+iR7FAasx5Hn0kwCgYIKoZIzj0EAwIDSQAwRgIh\nAP0bR6ojgTDSPXMrLXGwFj70kZZT1yZPxIISIscwZQpYAiEAzqINh6SPf/UeCfIz\na6fzyYaTAczZIlv5g9Tw33ufQeA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUBjdbrvc1Mx7upFSntY0izRdybqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGdqj+LHFHs7fmBuBvgUfUyTDtF7MweolJlYOJVYZSgx\nzcAtMv/qHyakIOWFqDSpeFbMiM2jQxc4an+mPo2YNRSjgZ8wgZwwHQYDVR0OBBYE\nFL7vTIg1STV43VkRYohs9lFFnYk2MB8GA1UdIwQYMBaAFB4NC14sPcJCSoAiYEz0\nlKj6DXEUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDRwAwRAIgRd9kqxTtGwZJgSHvs+Z3DCnFRoGAIIxSTsfF\n6nh6zCwCIAv8g3X+otvzkVe1fBRssCXyKM7XJan0eqeQxpn/pXAD\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUJJKmIWmFTIsMJZI5UzksAAFWVEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGWBrP+kTVD1qHwW/r9fHf3XRXqElMNvYBR6/DswDzTL\n8Brblrn8MM+wocerqAJ3j0hHoqeS3W2CYHP1pia/GxijgZ8wgZwwHQYDVR0OBBYE\nFOL68Nw1TQyTQLKTnVdo9MEaeUbUMB8GA1UdIwQYMBaAFBz3Y73o9VQVgQvokexQ\nGrMeR59JMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDRwAwRAIgGaTtOwMPXpntVWPMtKBm/C9S0DhzYpLJFjmf\nrUHy1WgCIAc82LsOggR340XCKmH8/+lz2gNWlZAFtnRn9LnNr/Kr\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPlL+4HYpT6erguYlhQ+ORASN+uIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmM5sxEPe4thfULFP+6rpBC13H0Ai4P3MUaZyb\nxPGdz0m5QXpDLYUYnRzhG7U08UrJ1pLt2nAkoxaUvR1wBAToo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSjDPX/eKNjJm35ag90+wlMW/EjUwCgYIKoZIzj0EAwIDSAAwRQIg\nFp9otRSwOOr/o3RCHUyyGVCiLesroR67NgxIOVUkhGwCIQCbJ3Z44ygEcl1Bjq3l\nyQEps2NF2Px7KHRIP0kG4+c1UQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURcQFrP/Ftn6hEdODkLcgnMUjcjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiJLp9OKFwi0r1te69nuSWTHN0gK51gLTSr2BS\nttYuHMUmJtanW5pZPsQ7H8h/0gEyFivgDPsZSMHniGRbffgto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2rDGgOZu5fgECF3IF57yjJhVa74wCgYIKoZIzj0EAwIDRwAwRAIg\nAtVE/Bk6zMXIp3TqFxdvPXnybBkaGxdnAKTcFQr94VICIC8Yh9Reckwjh9eQU9ry\nu9Tfl2rRDKo1qY4mZT8qhw+c\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUFa2hYlCY3RpR30qYPgGN4Wn9AK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE28VXFoD5\nGsKHIAtqSe6CM5RBWAbAqj8rTSjVzaTgguyzgD4j1zYhw7dosbXjwNY0cCyfBgMF\nFqCmmRwMxKx8xaNyMHAwHQYDVR0OBBYEFFLBsCvxGvuz0bxk3dOQbyLYPH/oMB8G\nA1UdIwQYMBaAFEowz1/3ijYyZt+WoPdPsJTFvxI1MAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQC4buh5GgPkYhboSjpbI2mMafn4hzpo/brlIM4nqOvNQwIhAImuO1TbOnwrOPc6\nyW+W5BUBbnzAVehesmPxgrlFyzge\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATagAwIBAgIUXwM2rJoFAl4gydF77MXRJj+JqcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwq5Ch/nl\nvSN4KqqkPR0tbKJyA2j4sNw4EOTK5rv05Wb23r8iQ0Cxufolc7qyWR5f7k5T3VRg\n5LK2sgBY/mfM46NyMHAwHQYDVR0OBBYEFFhuMsTrCqCf10Z8jFArUNcFH8ehMB8G\nA1UdIwQYMBaAFNqwxoDmbuX4BAhdyBee8oyYVWu+MAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIDaKSi2fda+h5cylgAkuorf+uLdreESwb+ibEvjiG3ScAiBpAhmESws/Qn2kqaeG\nenHKeUx/iM1Xg9XoWI0+f3x0sQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURetieI2JuWqclD4jxssgxZDGWMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATedMXSl+vFRLvvi3MjKnOTKUy1BzJ3eUCXuSl8\nSQyBzDSHCnxq1B3ozRokdM8QFJiHRbAEE8VEWOW6+KDwNP9So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjTrUxOO8zH3hHB7iHG8JOqPVjawwCgYIKoZIzj0EAwIDSAAwRQIh\nALCMp4Yd3vk8fp4gfDxRuA8nc0ZMXC7qDPVUtFEn+DyUAiBFEZQ+tQWdEdexhad8\nurk9T9lDwdoqqr+0OmUQYXCMZw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeZwFS7Tf4xOVZIk0Saw2P3F6sGgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATj6714EIwKzMnh6STtMB+6KJQejXszG/4R1aEb\n7GI3eDkQ3SD9S4OUNxGqrmbhf2mF4IQ3suc+1bhmxCYKHVT0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyvSXBHA2PXpmG6/QFk/TzAebTTAwCgYIKoZIzj0EAwIDRwAwRAIg\nXIVjXSWutu4L99ezcetR241/9RAZG1fVj1miuxxokDACIBoENw61lVUHMW8a5oX2\nqyS2hci158lK3UsWDsYDr5Fe\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWQHb2ew3AiMPHGQqHkPYJ2rXGKwVa1jAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEbjYRbG/imLbQySA9yGSouxWjTyKj1GjSII9w17n9\nkogo2BcEn4ATWkGRn/RDwl+TNRVIvdeAYMVm8iRHpK0CzaNyMHAwHQYDVR0OBBYE\nFG9ZVSqqq/HqC9gKkAnRr0yW+ClYMB8GA1UdIwQYMBaAFI061MTjvMx94Rwe4hxv\nCTqj1Y2sMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC1WYYi3N8BywmnnqTlTUxWAV5nthYr\nVZDGAm6Phy0CSQIgc4gpeeRAms5tWFyRn+nwX2yDHxXV0mZjxDtixEmoxZk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWJOz55EzOyIfUDQvtakoyxFvS7amiZTAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBaSgix445i2/D+PzWBDr8lXfPiS7148elk1hdkoQ\nLe1uaDy2w9baTqzL+v66e7CxWLv7dJ7iNkclX27ooFHPaKNyMHAwHQYDVR0OBBYE\nFIF6aWjU2eWOy4cAmyN150aGpmvQMB8GA1UdIwQYMBaAFMr0lwRwNj16Zhuv0BZP\n08wHm00wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUTm4j3tWy1KAIKp6Ie0hzvg0mg3Zn\njLPGT2FDrWmmlAIga6tGQgZuO0SBKqF+21qMppnukgks0693BrFPFcOvTPM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOZ2Zpv0Ilu5GVVV5WbfTfgy30TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS15auIg5/wAmV5GJyrScdhe/CcV+GGtsOPLDV9\n4T2wfbGpkRAlAx7MqUpM89FzQfZSePBfOf+0lSonbPxjY+aqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNX8NI/Xp7toDFN2sG+zDo3y5F7swCgYIKoZIzj0EAwIDSAAwRQIg\nDmISFEt/2WWCoBjZJrEYk3/wnsfTyT8DRg/Oa46F7iECIQCNz4G1Bp1FfL85CZa4\n0NsyQMtoRLzQscZSzw/NG794Yw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULrYU29AgKggtgHTwmzQVKgCS3jcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxxQL3JOq+BVZsYxT6Ysn43R5F5hzLu2ujP9uK\ndj2avwCWyk/9u+Tt5t3nTKZhNm7FR2BQFCV7xQ244+WFVoGfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7O3uMQDU+Nn3s/zwGGc9ZMfBbeowCgYIKoZIzj0EAwIDSAAwRQIh\nAJfQUNhqVEJKH0IrJU2ghNx+WZb/KDaTsn6DJCQtJHWWAiACM5NL2K1oI9AsBOJf\nCDGqzzvz4wTqzotNFmekkOdlrg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW03Q\n7NygG2MZGZqTHWGDG+6gDG82y37t8HOn5D4439MnXs1l1tasohicquG2sois7OT6\n0yMcEJSOKD/uTmRtXqNyMHAwHQYDVR0OBBYEFA2lKD2qleZJmLJsJzK3UG+WPORg\nMB8GA1UdIwQYMBaAFDV/DSP16e7aAxTdrBvsw6N8uRe7MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCzxyEXR531QsQDKirdtqfZ1M+n2tHBz/K74Rlo2nFv2QIgKRShMeZKVlvs\nGitXDsVQ96xvyPS3s4Rv/gx87QuMLdY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkTCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvX85\neBHCOMJb0KxMdQno5R0p8yUHvdcY3HIjvoMQyE+OyWxlYcVkeaUC+7x8SgnM9pIf\nvY62PyG7zrB0OHm/RKNyMHAwHQYDVR0OBBYEFFbqRmems0pYQY+YyP82MF7hCD3V\nMB8GA1UdIwQYMBaAFOzt7jEA1PjZ97P88BhnPWTHwW3qMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0YA\nMEMCHxRmdz8K4rpyen9MIH/vxIi1Ow9WTYdxhoZq9xFow7gCICRRRXOHL5zvJ1ve\n7EVG44xnQc/OkejXuhYAmXnJ2jUw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTA9KS7KHTqewCe3w8chnYl59z1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaiJt8dwzpu4DeiA/MA3WXH/n+kY1TRmp6WlHW\nirc59wa3NNAnsmKkzl3qURJ4KvSwDXYFDWQyWLslWXTRnZHho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoaYHqC7wEVPoNdyBOjKp9u5sktgwCgYIKoZIzj0EAwIDSQAwRgIh\nAPswwRBZL76E0zllS2R7tb4ciKfbd3Cc+V4Hsn14nqsPAiEA4ELM7lHbWzQtGqq0\nbf9sNYgqhKIbV1Pb/Ct+tebpOsc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfCKEryxgAFSzStfxrflv8cm6fbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdDFbOnKzbzJSYyW5AVwt4sVGwKF5QADMby8Az\n2c41MYhNW+Gy1DAJcnog4pWoaUI+dO1dcohStUSF678my6Ivo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIxPngcWKtQEvtWWAIFqZ+qlXLbMwCgYIKoZIzj0EAwIDSAAwRQIg\nXJl/GyHLsiDipgnvnwogVcaD9XZF30PoCvswnqit/ekCIQCpoZeqdOMH/prn22ac\nWwLn79EzT1A5H9vsYCOmy7wPYg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1zCCAX6gAwIBAgIUJiXozw6zCsMAEVIUX2nlTBXIR60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIm1rVHNKDg+P+x1C64QkEsuam+S534IOcLS2tYDjfk0\nG0C60vRbO5GyHfhf8/zzV61+8rMLfFYiK2/hRQCdweajgaMwgaAwHQYDVR0OBBYE\nFB+65bo/Ccb1JIpKPg9aYOYPkAOMMB8GA1UdIwQYMBaAFKGmB6gu8BFT6DXcgToy\nqfbubJLYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIETrMy6gQAl/3FFtxJz0aRt5NSpBJMDU\nqM6TpyTiVc0XAiAjsd+3eosOARCC0qZrBMW+ldWcMfSmMPS7rr9rWvcS4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUCeBopRBqYcXTdBjY68yaguggfWkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMQm47w7GzvfvQP8/mgKYLV0UBIgKuKKgdqm/29U6FMA\nQXNea591eGnFOSZ7/Ismeu+bdoKjM8J+MiGqgSPI4JajgYswgYgwHQYDVR0OBBYE\nFAwdOrCS83agXjZ639VZm0IkDO96MB8GA1UdIwQYMBaAFCMT54HFirUBL7VlgCBa\nmfqpVy2zMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQCFUWQJ186pK+FIrGQg84DABl/JZxHHaEQR9oHWtUBzCgIgDAtIFCIr8niuVCUg\nCKyiF4SRrRM6Cjo5dhc0QGlpg2o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1187,6 +1187,27 @@ }, "expected_peer_names": null }, + { + "id": "rfc5280::no-keyusage", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSEWy0Px8skZMKWwWujW3+MAE6oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbJ5se83qeKDJuyI+kuHJRKkLTGxUMxOdY762X\nM20qiDxof5UcGqDXz1u73+Wzhs6dohzVjiGauDh4vQ53w2cRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6/sCwxnqF0cN65kIXizUojv5yNEwCgYIKoZIzj0EAwIDSAAwRQIg\nSiN3C04cwjT3F4r+1xlr+f1j/y2kogaGSDwgYusg3tQCIQC0qNKmBVzHmyRwdBPY\nne0nl5WwwMIfZDgX19DNAIleww==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAT+gAwIBAgIUeaafI6lFY9Qx4JCEorSw0t2+D90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHwxBAGhufYWuiMK9vOQaJwH1K1it6xYlJFDzTWqiWzE\nrhlaBbKWZ8BSHhUNgDnF0NGBdbYCZEekrc2c4xJNA4mjZTBjMB0GA1UdDgQWBBRR\nGaAFEKAJxrjvsuxPBNmy64CL6DAfBgNVHSMEGDAWgBTr+wLDGeoXRw3rmQheLNSi\nO/nI0TAJBgNVHRMEAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0kAMEYCIQDZNBbGLs8zT97aVFTzT7wBFLMrn5aIKnGFcuvvLp/rmAIhAJ6L\nl5LGz/Tva6lfUxVSj972Ino5us3YjEUl0cjeviZL\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, { "id": "webpki::cryptographydotio-chain", "features": null, 
@@ -1241,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfbF+7Xe93vtJYB5+j62c2jy4eY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEQ6gTBr2QMrFkuq/PxoIyIRrr3uYZNcUZ77AR\nzguMIE/vd3XblkIZWs+RJ5hxgMQN5cInNcFkm5jkELIBQKqEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaVhnbBiyFvn/yAY+JZtNovHSQ0gwCgYIKoZIzj0EAwIDSAAwRQIh\nAKMbgwcYLmuTVTXJiUQPJdlcXwyyf1BpZYIl+f3d5MWxAiATjgaKHAu8bZ9Ge44R\nua1zIInMQLklAxPDvKjg+VCgQg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBgwhs3oqT8mgvzQhiTLZPlSKEpQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQv40zpuF8C3NeZZdsobG6KA0oDRWohcK9NfpnS\nUGn3zWoXP9ZKlaCjnAE2HO+w0MFu2DKSndZC50FVg3EwYA8xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnBAt87oe5krOhSlSlhlqsswhOm8wCgYIKoZIzj0EAwIDSQAwRgIh\nAO34eNEWVOB10DVSzIbq8Lr7j03Nfyp8FyKd4FTWOOpTAiEAswFFjxhIpABGTYm8\nbFSmDpvaiLcTitVDB6Fg9D+H4x4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEhmfufjH8fM7siJfAtXbCbeaTpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVITLjN6wK60iEtcNvSX3DQ5XkM3iiMU7SnZBz7rjzT\nvLhJ/Mhw8UnrRglEjQ8iGmX6/7qH1r7cJIfyuxOemyyjcjBwMB0GA1UdDgQWBBSJ\nMlHXcfkHbgqi7UU4rIkL5hAG1jAfBgNVHSMEGDAWgBRpWGdsGLIW+f/IBj4lm02i\n8dJDSDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBewt5cOLEma6idfbbioE1/vBjQQWBeP8Xs\nDX7tvefatQIhAKIbaaai3M80J/iQp4xPRAeG1VscE8i38UiVwN3vz5b1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYOwoLW/MEBfsNpufvU7tHjiX7AEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJA2M+rbsgRTTDQt6fDSwIG0Vabmxc3hQ2xkCt6MOp7l\nF07ZeBuyacp76mii6ydVr3MqLoGAu/5oqCjXEWCCjXCjcjBwMB0GA1UdDgQWBBQG\nMSNRkFpdoza+KUkdiWhf0vqhFzAfBgNVHSMEGDAWgBScEC3zuh7mSs6FKVKWGWqy\nzCE6bzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmbHMYcDX56yHJh5tDxXnCcCzMAICLUlz\n5GbozQQPFkECIQDZwLFDhZ1C2xt34Y7MELjsFBwSkRiCb6c2b0/m61QGFg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1262,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUkiyzpmfLE5ve+uC0vDTYkOHWr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ9QBFnFIcI7sdLyeBo2+wT26qNrlNfoqamAxH\noQLaDbqfWBhbeGHivtPJF50rGvpC/McPgUzH7XyHHbyk2/bNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6iYxWyMkegnoZ+5MqOgXzffI0DMwCgYIKoZIzj0EAwIDSAAwRQIg\nMsNotX1ptca6etbLPEPzHOdVSSy6Z2/iVrvgYqwpBsICIQDkxw+qW2svjMBo5t9v\nZTUlHcD8f8uN6iyuhNQh69Fh/w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUF6Q8R5uHN/Tid0korG/Y0TtDEHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARschWsQW7tAiyr71hTxSprM8W2U78grC52aw0y\nHPyZLC6QxetqB6gH4hR1F9Ut14xPASBTcDrl2pKxXTU6vA7jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY03OlwubulvccD9rXMg2AicXGAkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIrjGb3QyztLaT7krtZQKOeDTwuMeMj0v1A2Ki5DklGbAiBCzND4uyOD1LR5Osy/\njUHcEHBdZRlEWHUQXz6llLKrAg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUBljtBAAUlx9wUSOva7+aE6owd+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLLlJsFlwSs8Yr/08ZtaKy4M4I+aOwI6VsI8ltEjn07T\nyWxkSE/g5dvVwL8Tfl5EfQaZtxWQLvDGmu9uPqR+MN6jcjBwMB0GA1UdDgQWBBQL\noiGUmlvl+nYus0DLdn5/O0qn7jAfBgNVHSMEGDAWgBTqJjFbIyR6Cehn7kyo6BfN\n98jQMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAm5IoMx0OvOVddscnutXRwbsjwDSULihy\nQ7Bzwe5u2JgCIQCk8767ZjCc/ldxPrCOEV/JKYHfLQY53eUK4olFDX5yPA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUG+9zvP86SPzPAoCisiawl5XrTswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHFnySE7UJc0rQoa9taA5WW/hOPBP+oyY2H0e4rtzL+i\ngu+h7J+UFfyez5pNwG6UXjdzbXjYXQqb6ePSExInawSjcjBwMB0GA1UdDgQWBBRl\nAK/bJgnTvO0/q3BbWBSXyXP1gDAfBgNVHSMEGDAWgBRjTc6XC5u6W9xwP2tcyDYC\nJxcYCTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBTTeLijHMzMTVPTGqpGFqONVpxMQUkUUFu\njEoN6uc5XwIhALFH0jYfcCGxS0fCQq638PbaOWcVpFIq/QujQGwMI01T\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1283,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYhFA4DdTtdrFT7HH5cmPVfbgZiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/ND2ocFSoHyrxP1C35b08Uy97D6i32GFbLLt8\njCdzlJlWOhZgrqIKmLsDAsY7HvhrbWwccOP/1hV2Rm+7+2yho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjVQWdcXuBDNrV8i5PCusTfxyYZMwCgYIKoZIzj0EAwIDSQAwRgIh\nALXVVzIouES6NZBA7UBXdVEneqfLxh6HSxEh+7YzKGRoAiEAo1gfwIGdqoSfclPW\nAcG+CAKoDDRIlNH+HpBA1rbE3qs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPoclelSsqazN4tTBwYpEmBAKGmUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrZI9fOt3OA5H4AuHQBaRqQ/XVgp4hklFfoddR\nHSW0dIQsOP/MdKVIcsB8KU6KfpU9zmBweDBF9sl5e3qaKFado1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSuvG+Xw/Gbd0WHRF8xm9ZueQGuMwCgYIKoZIzj0EAwIDSQAwRgIh\nAKVCZDvnqevmLn/+DGCqqFUF6+cJ1r6At25vPfKm6CDZAiEAzxlx7HUqX2Lgg+JP\nFGq/qlRjkTseksr0R236NXyem5M=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUJUpI+SZBe5NRV9msFZeoDEdGqBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAVmsVxO4FJ+Et7s50QM1VheL3lVtpqmTkqa/CqfZeZv\nvaJEBcI5/KqlfG6Wp7XtrCcmXeKYjinWNxKJOybKYXajdjB0MB0GA1UdDgQWBBQz\ntDk6cwy2u+hAHGiP8qkbOx/OKjAfBgNVHSMEGDAWgBSNVBZ1xe4EM2tXyLk8K6xN\n/HJhkzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKLuIbdIGkH65HlKp5ypgWRpQNAhp\nbmN/byYcMbdaX7oCIQDRcq7PAN7hkXMz/cioWSEmTlBc3bmgxzF4eaWorfo8dw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUOa/Hr54dB3tVQKgry+Lk+s8dGL4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPs1JnfzEEk5BsyrQJ3OFofDNchkHF2PNMOsozKEZyXW\ndhGJQe90ap8JfUXQ1NUe1uOkIEGyR4sbqVDB2xXD35mjdjB0MB0GA1UdDgQWBBQx\nK7WGC0Iw8uByHmLtucfFptEigTAfBgNVHSMEGDAWgBRK68b5fD8Zt3RYdEXzGb1m\n55Aa4zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgDhQKN+oTTEmMTd9vw+dUb/7Mu7Ny\nnJL6gS8iBShpSFgCIHWXUbivBF3rogmr3Rw6YVdHc/oxgQ48jE4ewbrCYSsq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1304,10 +1325,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHq65/aV2kMXr1PuBbsv+o6SmSmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrHvvi/0aIYJ73LHRllorvXyXwR0FXPal0ded9\nLwD082fsd3zof4sw+QBpb62VbzY6fQi5npffUZG9RjFbtGeuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDicqs7rm/q+9TkZUqodEwHZt9AMwCgYIKoZIzj0EAwIDSAAwRQIg\nFA1SPHiC/PjrVjnSxvEVFD2AJG6ja7Kv6PYQi7FUl8QCIQCkZpURH5XZjmxg2sVe\npn3SegvVa2FiSzBspxP2m+s+fA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKApwFXfPk5zuwYN1Wgvfv4cPsm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfrBBAlECQ9hwOEDQzJ6EUzKf6xnXwJQ7iy30D\nXJIczc7urJyRRwi+Lghm7x/gAxJIXKZ9OsirA6ZgDCknk17po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8MqH64afrGnIivUOSVDH3M0g9KgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOCzQWJpGG+1wDqWCYMw9OsEFr1YuK3nUTwOKsKKoDRxAiADoH2AsfvOa4Ckrh7F\nSRiUtI49qWw7i+f9rHFKQCIspA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUDm7svMa+2pAtsLfBySDYil2nF+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG5rij+BYMGu5+7LBPxxMX4sOmegrtK7aQ+XRILriNia\nYReYxiUBToJdD5r76Pj45lW1qmvGX1GBfbPU8bG3xnijcjBwMB0GA1UdDgQWBBSB\nRAJlnbR9/lQdaDxSf5qUW28GljAfBgNVHSMEGDAWgBQOJyqzuub+r71ORlSqh0TA\ndm30AzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1WYAE9Li0XX/Zc46wqImK739XROg2VFz\nOYPMfMR4SSMCIQDicSFERBveXI/hNybd8BWpDV0I+efwui0792vVaVRBWg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUPbjWLqWoZDLQLtjnUhJ2IqDe/zYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEZepLnqzdoNFlInZN4dR4P0suhQmLTq72CUFWaiwjQ0\nOebiqi8W7RkjgjfaA62UAydcRw0eiXCUtkjf2aYmea6jcjBwMB0GA1UdDgQWBBSc\npvPvAcEAIlPvSnCoMta9qiR6PDAfBgNVHSMEGDAWgBTwyofrhp+saciK9Q5JUMfc\nzSD0qDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB7FtouLSaAGldFl72QCVC8vsQxQwmVrqS+\nVjFApIj4IgIgGSxBhWDO1Js5iYPs1wEW1yfIqmWJ1Gz90A/SP1yJ72E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1325,10 +1346,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSBF27mM8pMLG8X7xkRdPF/4gF64wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScrzJZmzp8t5SOHHGTKroPgMbC5z7M+yaxtc+U\nRx2Li6VME5QBoBY0BiM94VfkKds+v8XiTa9M1s6qw1loOZK/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/LUNxu9UH+b0YFySspbn3m/Cx6YwCgYIKoZIzj0EAwIDRwAwRAIg\nZIYt4DFx0Y/pprY5ii5z/J2YrQOCb4S3S1bwOohdOU0CIDQ/dKX+GLCbryAiMt7/\neQ6NggMQfyoquwU2Wb6fUrIK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJQB8lgmqRNeR6w0qKq7tfPQj6uwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiujw1vuzI9cZc3rs6HZf8xYXhCIKOfBcLVJsu\npuxZRWCtokyAiuM7SxHjqMk3SrxK1Z6mHQW8lHF+FqvP2XXfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV4j6xRTeEwG47RRGujeqZylh3YkwCgYIKoZIzj0EAwIDSQAwRgIh\nAKOn1QVNtgcWa+T/bWDsFUX1EGY5ioAOri15OQl6z5yOAiEAg4sr6g1bnsR2LMz8\n2epb4o8wGX9cve15NYx6PtkOylo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUezgj57uhK3CJ+PKhY2YjcuRLj38wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHHvqUc711hQelrtnYtDl+oAqAo7aCpBewy8i9zhAVnO\nYh7zX3RNwO0kRMdYyW0WnEjcJKN272vYw8MMWWk2p12jdjB0MB0GA1UdDgQWBBQZ\n2vBdXNZQZJEcDEawyXX5uYsmhDAfBgNVHSMEGDAWgBT8tQ3G71Qf5vRgXJKylufe\nb8LHpjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgE3Z/wTeIcyBJ9lkv8G/AeZu0vv8Q\nF6hTuSuujUhU71UCICnjI6H/4TsjEiGx3uM/tlTsPZ8BfE0NiISYZi4aOhRE\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUJeMSYnFimf+F7UktLitKJgHAJVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBpVZ6TIUVlk6noCU+xZORyvrxoiJDuuUWnQq0TGzs8\nZkUnZG4q3OIOEXy/qSvkp307XoO3sBgeLp+sRwwBUxujdjB0MB0GA1UdDgQWBBS2\nDcr26UFaMnYiI2m4LUAlN4xf1DAfBgNVHSMEGDAWgBRXiPrFFN4TAbjtFEa6N6pn\nKWHdiTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOd1I6av2jXh3tUnpKvtZ8e9eddY\nN4riE1eYqt/ywPPHAiEAm+UOEmIKulOn+0OlIhShglh6JisjBhE7/jpsmf6sTB0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1348,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUblvtBxadNet8wdU9Yvfz2cFGsHIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwaUMPKoibp0PUdgRIkipKZtEvg53Hi8DHlbHT\nepsXZOcuvUbWpm0VASTTRn9pMhV9b65SKVKRzdwhPm5QxoAMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhM+Rx628TPT8B6Wodj+pdbU3EZQwCgYIKoZIzj0EAwIDSQAwRgIh\nANXOphBIoPxceU00bGODI+BavMOff9jGVzzTYldG3eW1AiEAwrhm5aSmsk+NGexp\n5mSSBsz1mxVmjJep/NmAw7bpQSE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdEDS784SEBVAJX1dgdOGL5OenxgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrVDOB5+uqQ1FLuTRhtemOKMjSWsabmSYY85Fq\nxJp0oPRz2IdMlzR+lQfoDkJ+r89PGTR+L87omrwnzuneqamBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUukU8kr7yfgD4Q7yAcOllJQNO+0cwCgYIKoZIzj0EAwIDSAAwRQIh\nAMwL3s3ahksog4nln0X4opoJUqQv/oytp4RpXXtpSUKfAiBGVHcEWwtvN1AI9rqn\neUKrAJdVESpvXiyx9J85Xhisag==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUNZbRfiwlqk0MCUaqPVsPEIED8QgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFGzJyJdDyv+nB+aw6XEJemI5AlPMrnM3CkpFLGM3zvB\nMVsYCdvIcl06ia/kpDU2pbMyYiT8hJlDeUtjivU5rlWjbDBqMB0GA1UdDgQWBBQJ\nb/47CdrMHpHLuUzEcBIbxdPbCDAfBgNVHSMEGDAWgBSEz5HHrbxM9PwHpah2P6l1\ntTcRlDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBq8R3XW5WnpWmD+MZRNVeGwcBX19cHVawbJMkQrild\nnAIgMUKTExOh5nytlttJDzG6YXMhhVlTlUp91wjESnj3o2M=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUDe+t53RrZPvUHQQezTxy7jArOjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEthguru8K0G77lxkJsRKRNQTnNfYfrjQ0YawtNt3+GB\n5Sgns0X0srld/tZxdWxAkyScZcO0Rinacz2oWFeHn+qjbDBqMB0GA1UdDgQWBBTT\n0lFuEZnBR5VWZgrDxmK72vczYzAfBgNVHSMEGDAWgBS6RTySvvJ+APhDvIBw6WUl\nA077RzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA/EMjYXjwDrxBNsee02UKyHRAuI5n8em6fsTG9Fya\nCjsCIQDbbPmnwzLD9pHXP+98cn2nPSAXhv+hT+dgUKyfoQ2KQg==\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURHAwtxgybfiR0pLeqjDETt4zb5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATt8OMuAyLjkbVMTbms+YQohl0Oa6ECHXfvzlua\nA6+MRO5KOcJ4XResH4vVFZyvyAi+ZzFS+a3BPTU6xavcJpLoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ggOLimxIVY1JhJ3rPKdiIIIfPIwCgYIKoZIzj0EAwIDRwAwRAIg\nGaBHjFqe6kybjCiEoLiR3e6Ks4AAK5TBKyhcnNPE3U4CIFUuvblbkCxgWv0YIU66\n3MoXXPhnOyKua+SG4LPJd6sc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUExVnX4T5vve1+0LcLH9ZJ2NK7AIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtzZcxDIkkvw46RNsKc7etyAz2pWyuhMDlovZ2\nkO7uIYNr5+Gn14H6o94q7vF5L8+9FCDbsNEhrrX1IL8V2zwyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq9QweaXn2RKcdr1FqPWYaLcoYhUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMK61tgaXseeSAmchx/nkOXElZU36MD2D0QhpoSREYdOAiEAt+HS53LMiQFlIUK2\nqK3J7vUsDiN2s+9iCmYeuWWYMIM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUQ3WeFC3HBb3gEHAYbKEdLax5nFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIDcKPkzPc4dvBkf/nCSWEITwcMpY5xrBOis6vOhTNUQ\nzBzAw98TlbJuTPIqXIXSdhnv+t+rYdkWLzwWt8YFlOCjdDByMB0GA1UdDgQWBBS1\n0dcVAxlarichQW9eS05kpmk3OzAfBgNVHSMEGDAWgBTyCA4uKbEhVjUmEnes8p2I\nggh88jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDAdCuRLcKS6Ah8epQiIwwkrpu8V2AD\nUwxQfsUSicLLKQIhAMXvwCnTzZTQlP8nDGVWxDJlObnPK7d0FakGYMbniOwd\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUSzbWDbI0fnAod+ryasW1xnDvWH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLSc3DiRoqdhrrA8l8CUM/3WkZuGTqgNAyz3cYrawfX\n56I7UCDP6KPALqvE06ChUwteQ3/z3OM7kz7Z0SuOIg+jdDByMB0GA1UdDgQWBBQX\nhO0vG/EBl2f363T9dlTOqCydjDAfBgNVHSMEGDAWgBSr1DB5pefZEpx2vUWo9Zho\ntyhiFTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIARaCCOFciQyRZe/FeYMXQHOg5w1Rb0a\nuDolpnTtBRfsAiEAh7Xx1M65WaSIwZU2u/Uys88aXhySX4lN+QJq+GZ3VmI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUak5BhDU3iMMUaUta1A1ouaEBwOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoA/XlMI9yOXHFkWSl/dn+rqumSvLi6Va27yac\nXBhfWFIHCzBS2oTp/WhTTMpk98AhUsri64iwaepKIl1d2EmGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVVODuE8rrUT80OnoGqq0VDv2ucMwCgYIKoZIzj0EAwIDSAAwRQIg\nN/WHs6xu3x1lcY8H4/jVPWpDe9DIfqFhaNz1ssH9TGkCIQC3MTGHzkaEyl9EoZh+\ntF/571rsMI8AIjv4/o8QFDN/pw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUM5sqiUD1D8GxrxotXcgnoi65ZPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj7Y+/SdEmw1ZcqYNlf/anog2jpHyA7fH9G6NJ\nQYATmNQvwkmHvwMUl71xWCzqni5iPEpIQBEr2wmau1bxqZWBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU94mkOhVbUtNYygbx5dmBwoLDLCwwCgYIKoZIzj0EAwIDSQAwRgIh\nAPQAO44yjuLlatMHjMB3vuwvtmjSlTFOYceY7mHpSj+uAiEA7HWGHx9+kFoR3xOS\nSyZN9XYOQWjsvNIHNhQch+jvifM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUGm3l6vMuZAYQeL3UscAaV+/swWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJV8fWwb1guzDp7zFAvQk7kX7nN3B/Lt1Hwtd2z1QS7n\nMNVoCoDz52I8JNuCw3tNM/58B/XelE02Z0tuHuRVvNyjdjB0MB0GA1UdDgQWBBTw\nTQJCSiAvV4IbyRwvW0Esv8+CcjAfBgNVHSMEGDAWgBRVU4O4TyutRPzQ6egaqrRU\nO/a5wzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ7VCha22P/FMwZLdikR7BzMcyPD\nGKg6KCKvcxxxtFmcAiEAtjBVlwH/bsQEWQu2BFi53WZM2KAdqzTnpGswZy1Yp0Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUCkAQ4biaOxFHgwdadW4miIWLQxUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKOw5U7Qo2sbkpfiAtNXt7M3yC5PS7BIqLV44jR6Mwfj\nCs3dAZj8bAhESg+rww7EOmTdLlp3qUhtuZGpkERJeLyjdjB0MB0GA1UdDgQWBBSw\nhTL6mZBcU5Jk0UpLllMpGx0S5zAfBgNVHSMEGDAWgBT3iaQ6FVtS01jKBvHl2YHC\ngsMsLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKHNbQV+bSbDVWP/CmpUtnF9oLEry\nSEw+y04I6rHpe8wCIGZnW10h80ghWEVZD+QukBq4srMV0bayXcVY8BtYv8vz\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBCXTf0qF7Ja/sFMdikCiW3pC7GcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASo0So3SUKsm0KVR+604huilm0zu2Nj3CmR+ROD\nVF4G3u7kJfGw7R0mA/SkQzqfI6eF5RCC1ahPyy5j14HEAdlko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJqlK7ezer4zHy7fWws5nlGARecwCgYIKoZIzj0EAwIDSAAwRQIh\nAKaAPZ1R2kaQHBDSRmTG84fbcCXWJcwf4EEuJJWyKu7yAiAofCsb8FBOqnUimtex\nY9qa3H/+oWUKOwS17LU6qpBw1g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAn6uCgQHYzhxsr63DNc5hpCsoqUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQN/N+1Knqg75eU+KabMzorMMHjVpeyG1LmYLDJ\n3ISfVw5GEwYRJYHHzdzAT8aDhhFrt488yEG4vT6+qZStDy15o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBagO4nALNX0619rbo+f2e0ceRLIwCgYIKoZIzj0EAwIDRwAwRAIg\nJy53z4yBdHZ2Paz33mBX41rJ8EgHFYDEw2rrtFo01LICIA4Dzka9xzj1nLLtAX/U\nR3J0AtYdmgLMistc7Cx/z69O\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUMF7qZqOjWLmJwEtYiJnSniX5hE8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMeSFYr280AwOatoP3GvkLi1Hu8Sw4n4DkNFpYZcj2EM\nVrjDj5srWltBeGKnYLbuPjjHQs0oEqH0wvZhVURWjgGjeDB2MB0GA1UdDgQWBBTe\nQLiiHCfFTqjUJ0R6ek20pc4yUDAfBgNVHSMEGDAWgBSMmqUrt7N6vjMfLt9bCzme\nUYBF5zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA76Gb525UEElZVQgtZeq+1mmP\nXGi/9nk0wcFfjq8QPgkCIF6S3onh4TllBkNTRNENUPNZctwoEbdgh1b7jILieh0v\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUP9TqBIUYBz9ZIN+N0KpgqdVgFuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABISCjJq/TAUBlp4wV6Bl4T5XWUEAdQ0TM+Ed77XOQuUr\n5XkCj0dZXVBJe6u+pmM0I10NouOS3eYtL+i1IT1PRCijeDB2MB0GA1UdDgQWBBTQ\nRfKhBN7Q9cro5MAs4DCNpnxrtDAfBgNVHSMEGDAWgBQFqA7icAs1fTrX2tuj5/Z7\nRx5EsjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA47hfPNrPXb/06/LYz9tEKbdi\n2MqtvgvJ/OYlYtwu0A8CIA1EOF48K0LXVFSJeikTBMCfpfIUifpUof2azeo1EHs3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYhBYBp4Ofgp38/PwvAwDi/LSsp4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASyZPCDZCriZcoNC70bsvFR+wULjSJZT7LOsH0b\nnsfz7xWoY0Bt553H9DbJX82FmXF+TMsFmfa8NG9rABUCediao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7QGUajKeuISEqcC2CYWGjUrrJLEwCgYIKoZIzj0EAwIDSAAwRQIg\nM/tMS1Hi8LIQNFCjRaZXJ4bX/aQm2XRUmBwTwhobHjICIQCGLmDX834a1KjLSjXD\nZEa2lkwGG1OgD3aczp4lL4o3VA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURVW1oBbUz7O+ats8HoRY05qSEDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6iUEKH3wMzX9UwREoikZPbvHQ3WY6T9tlF9Li\nbJRsK6QSM71yj5z85CgYPdsBqLLxL4lW3i8voRUZH3OS8ktCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaUjs4TTJXk/9bmSsKo11mWMIi+8wCgYIKoZIzj0EAwIDSAAwRQIg\nCW7el/56Az8aUEr7Lhiq8p23mZDCySGreISQznaemEwCIQDUF9zUShY7JFZ/8vup\nU7TinYlTAcSJSW+WhN3BrFT5yw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUFsrV4qvGlobCAdummzphqhY7YSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNyIJaoCx+SHqHnM7A7LIoNjDTVlwvpFVeBzkAKUSNnL\nm7pNkcmEZSscbJXLGrY9C5UZIlj1BkFFMOJlCuwGV3ijdDByMB0GA1UdDgQWBBS7\ntxP8kBeG57OhQGFJOOy9VsWlzTAfBgNVHSMEGDAWgBTtAZRqMp64hISpwLYJhYaN\nSusksTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA+fucwnMHgIgfZ67X1VBUAwQHnWMDfx\ngalNUDuKIbp/AiAIJkdGbBroDn7B5DH0thMgnJrqKKs0gJj+XH0zzrThLw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZOidngEYjYZ+EIY7nKFTLYRDV+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO47QL8gYrmTu66VjQPks5AXToOGq6NyWAwWTWEp5h1C\nHi1yaCYACxtD/pAi3f9KLAxNtcqQuNKB7OiLsE/wPNajdDByMB0GA1UdDgQWBBT8\n3ndYukAUyUmZJraPR28Sy0y9BzAfBgNVHSMEGDAWgBRpSOzhNMleT/1uZKwqjXWZ\nYwiL7zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC9IjZRxWom74MMbE7iaUsDtt5krW9q\n8eOgoKVlV8VHGgIgPvJ9gzZktWLPGi73GoYBzma09Zg7zOcNbIioBXrYIAY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY1ZChA/nDRCNGE0mdQm+6O1PbYAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkZ8BLIqkHVwoDmLm+h7LPuzOLBya8srDeTAue\n41GBwbBnyT8vf51bC477Qi1ZWP6mbWyj6Gla9GL04hxYGd9to1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBUBsQ4eTI6wL5Pcx/tOzA3uOT5swCgYIKoZIzj0EAwIDSAAwRQIg\nGlc88lofBhueeROFPassZ83jyqT68InuVjpXAFNHK+oCIQC1tcOUelva0XJPd0Gs\nB+B+6Us2ZdC1oFp6TdUiQMMLYQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQN7WnjxInHyNYmBUCaVvdMAR0UEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyCLAkIhYkuPR5JlNSOrjC8EF0AszBKwGK0Kog\nxPQxDn/oy7slzd3KdXT15aZIe9b1a04f1QanEMwAGqz9nYEqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuQIefoTgVfPfdUVXiHJNWUe+y8gwCgYIKoZIzj0EAwIDSAAwRQIh\nALsL81NQuLgfTDsghtRw9Zgmw4clzYcQ/ANkPg4uS0SoAiAGFtvLWh8Caqf/3YgF\nDA1AxmzsYplH/Yvtlv/wykDjjg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUZeEBaojB1aLhxMRx/JYP+MCnjKIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNa9lX0API42E/OK54/OntCOt70nFghVU4e3xSi459Vt\n6hCASj+X4jGg7ZOA0JS5rXPUo8oMuu5ZHACKDapOho6jgYEwfzAdBgNVHQ4EFgQU\ncHUFwiNPy+PMryx8cHpi28fHzlswHwYDVR0jBBgwFoAUBUBsQ4eTI6wL5Pcx/tOz\nA3uOT5swCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEzNveuidm6n2\n0/g75Uh/41ue4CcyRxsnf/wUxDp4gTcCIADvdBAP261HsPnmi21JRTC/XpQkgsVr\nK4BxJNV8Ccj+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUZ6YkMipd1MJmhHWUDOkDqvgYLUowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOwplMgBhP8kBtYtMAEYutuKAimAcb4rQlNbX1+6lvo9\nhhNzBOKRjKiljO3zhIsQ9RkWY4pFWGVs64eqep8qL3OjgYEwfzAdBgNVHQ4EFgQU\n6QQ2Rkc5a3Q+0xpiI62RxGEUFQUwHwYDVR0jBBgwFoAUuQIefoTgVfPfdUVXiHJN\nWUe+y8gwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIvdfr6imho6\nB1aGeXnjCaNWwtzOvQ1MiBdfue9W1qGbAiAnPH4ROavcqNLmhZA1FjPoSC+Pkqz4\nfJzve4rZI8CRCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1495,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULhqEC+PFblLQ4SLEhU2ftOPvfiIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhJX9+3ikkBqzYIXok65Y5FeXwljlJrYk6RXJZ\nNnr560pxyUwaJ0G/wBbi4qkEjVY88XwiJ9SbzT4XMPM9H9ivo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ8TD4HPt6DBi7y1DbK2ISWavSQgwCgYIKoZIzj0EAwIDRwAwRAIg\nNSZFvUonc/x6wsY/i8+26LfQR6FquYpcheTwySRqfzgCIAjCBqf5r9SVNiEzJNB+\nUR5riq06hxBUu/RlwIArYaEM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeQt9DsBtrT72prgYDnDjhDDkqVowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQibXuf/9ZsCryimivyen0XmuwOM62ldIXb8eu9\n3GjJQgFaG3e8tL5+RaekMu/M5ObAxs5tpEvOH8FvmQQzLWlEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZrz9AvU1u4GBZXkFxAsqlycSvnMwCgYIKoZIzj0EAwIDSAAwRQIg\nMm1fvoGNTaUn9Meq3XFN3WE3hzbqM9bU4LML0tEkgVoCIQDvf3bOpVXcwX1YOYsU\n9dveKDfWNQc55vTDgGvZxH28hA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUO9gv4h4Tfb+OhfkuEj2s4XvvISwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB8MBt5BMgjJvUpZc9CAXax47kCLEX5ZDwqk+nI0ve4Z\n5jRFsywRVBy6P8ekDPRKRJbFIYZjHb0OgtrY8lYSCDWjdzB1MB0GA1UdDgQWBBRR\nLndknEKKSsRIRrvq5CBit+UMJjAfBgNVHSMEGDAWgBRnxMPgc+3oMGLvLUNsrYhJ\nZq9JCDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDdb5XRvP+Icjit94VkvQqykaM3\nmFwESql5tyr42v8yXwIgMJtPOqvFoig2nYrWz1ApgNesn02AncdtrsIMip8/RoQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUKiTiQJyr0OkwbWjkxBI9CRYdUKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBPOXOycg6U4g5c6Ca5nviTECYzqiSZ5jv6/znh44Cp\nnDEeow1p0gAt9FUYfwdZyceT9T0VF+9UAcl8zh6cxPWjdzB1MB0GA1UdDgQWBBS2\nNrP7Rty81Oc99d/LF/ihERFr7jAfBgNVHSMEGDAWgBRmvP0C9TW7gYFleQXECyqX\nJxK+czAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICNyUxb9bdmCXN8Q5LT0M7IY89Jz\ndL3a0CxJzLfDAs25AiApSjeIo+VO5CYblWXjg/UVnFBUTHgPMniWS31boGSkAQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1516,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEIF6W1DxbeA0+wlktJhZleDzOK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvp2uAAxbJkHeCOSpe3MZshCec0/99xJh58xfH\n4CriIxJOdVl5JaOqTmwHnd2uQqoRbK7a+ACTVVL0jxCqBgHYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVQ27wMXVwJL9L6xlz2Ydgb0QJOswCgYIKoZIzj0EAwIDSQAwRgIh\nANX/Co34zBEm0yWLnVlzywfM4GyvNoP+A3j1EoOOE3XxAiEAgr1M5PxFvjyZN1Pc\nVuOHaGj4vDyyh0RsJu6ABdWmsCM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKfgRVu61jPjWtZ3jA9xPV8yhXkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEsSeF1BYujoK7aM14U8ue0+nHuRjEXfNyWdVk\ncT9jTmb+U4WeQJO7lT4n04yPJwF0P+TeT59K/lDd1WzHq/t7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU83BI3VMuUVzzUEoPJwKIPayqNeYwCgYIKoZIzj0EAwIDSAAwRQIh\nAMh/ePsmgKFeyFB2gbdgOelwtcbmLQdCHAQPLk5TH2QSAiAzXK+GLTbgVrtUzHhk\nralqR/oQShkErdpeCyCjqhUx0Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUcixCsi+JFba9YmEV2hTkH4c8a+QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDLmyVDI0iljwvovZo/cj+i40mNK6vbe8ZmfQjhVcqPA\nniitjMdDur71IvFPMHZ8HhJ8S86nBnaT3JnR9zqpB+ijgYowgYcwHQYDVR0OBBYE\nFH3Qtcwx1pzwTb/ZAMtZreZbtnwJMB8GA1UdIwQYMBaAFFUNu8DF1cCS/S+sZc9m\nHYG9ECTrMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDSQAwRgIh\nAIU+JIieQl5kygaE3wl3lLbO1VGFP3CjmwcvgRQn+18nAiEAiR+6APEUuizbzxe8\nVbPrgh4wQoi2DPKq+O6NcOO0gVk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUYrSnTy6Iii/r2DrUFnVxIUjvW2swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP6dDNoYvmbY+meIHGHk2N21SCDRz9niQOpXpco8Bvg\nbmC0FiboW1cQ/tF6xj0wNU6Eay42DFauBKXvkKPiONmjgYowgYcwHQYDVR0OBBYE\nFFPeYb+ZUIl2+aomX8DnCN/2zpmUMB8GA1UdIwQYMBaAFPNwSN1TLlFc81BKDycC\niD2sqjXmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDRwAwRAIg\nU0cCX8rTfZrgi62BpsgZkqtb4jqLc/4O7Rp0FrzTszACICLPXXIS9ezsFc2N5OSG\ndH7rpfuspyiE1BNoiXsgWNXY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1518,10 +1539,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUSJudXI1NIXnjlq1n08dhN5gixrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6CAEVJQFuznZJMAfjk78iNUrX3OXpeo4dJBZ7\n+UxVM0AoxOrvK7UNUb+VM7JaMIn6n/NpgSWaXs3zetp8LgImo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobFVB1C0RH0NynHyO5OJUCufBlQwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhANYWcioOhAjxpVE191VV/tpKQov7fXppk7d1\nibyc2MA3AiEA2Vz3YPPTxzEQ1U0ZQVkZ5Q+/sAn41soVno+v7m9aIvA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUbKqxxBnfCc2DoHAQ+mODbMG17mwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdHKKl2weCzZZcy6rx21mFt6iDswtKbycyzA9U\nswJsnLGsjXKYUaL/ijB3gycaKdZaBMT21ipvcp75ll1P0h+Bo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZUN4/3kTaFcb9HSRq3/TAPDLV3cwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgRrO7ZaRbZ88IqIh4Iyj4e6Ff4iS6zM6uIB7r\npLLjdXQCIQCC9/tyVTRPJC0dCNHRRdL9dct8FOcL82ujgUUYyYmD8g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUTVWlAVHeDH+0GfI+OjuifVOi514wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLXKJwElIshEnaKDyKMP4KFqRcg88kU5e4fiwNh5x0mw\nIQeAqZ4XbI4EesFI2tNYywmpP6wuba6AzAp4cXWkELGjcjBwMB0GA1UdDgQWBBSw\n96WXBI0plyeP0jULQ/oEoKY5qjAfBgNVHSMEGDAWgBShsVUHULREfQ3KcfI7k4lQ\nK58GVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAm9+ArecWiWuWPn7s94cUAC9/RwO8z5kf\nd54g83L0ULICIQCSkx+0INlAMurtlqGhiYIKmU0IAEb1VdVYvFtJoJAg+Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTAhjjpRtsy4oC5AUaoEKxQaW0PMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLIBHIP+OISLE0eh04IkpD3l90Z2kqiwIUF9qpNzIOTd\n0gHhPJdneK45WLPrEdgo2eGXVNbe+EVEM0aIGUt468qjcjBwMB0GA1UdDgQWBBSp\nrmWnsVODj75N2R5Lnrp/EajkajAfBgNVHSMEGDAWgBRlQ3j/eRNoVxv0dJGrf9MA\n8MtXdzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBQZdy3jwJ5/Bq6ZnrKbUMFPXV61sjGCHft\nU4rxssxWeQIhAJ0gPqrQYvOtvGfzdj5NS1LWTwebxZ8CKORwYJJBuwIi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUIvDGNA6YDQ9yElr5uZYwtyNuOuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMSnRK3wkfukBH2SRjC2s1px59kZ+1yZNEWul+\ntLHcbvBMPawnBRaTwbwxj3RmMoJphUxnxNhgJUzcyKivTkvMo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFLdvSlU+cy4hyfV975QHRE/+abheoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBS3b0pVPnMuIcn1fe+UB0RP/mm4XjAKBggqhkjOPQQD\nAgNIADBFAiEA6M/tTumiLNzaaBnuG98cT7MDkCTzCHDpkPmLzgiPCq8CIBHiNSQg\nJccwryBPGcPGHFqGCQceRH9CBt2AGzJuUHoj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUcJWvuhVMGn4bM5toNg4ZpgbtBI4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9UcmLeJZ5whgkaCTd3sYV8n4rQB9s7W+F5h/i\nTg98nH/EIBDhWyEG9jy/gtM4PagB8o+Fetv1jU7Y8IND8UYqo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFNi0YfrhDgTRLolqbshz4BD0pzXEoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTYtGH64Q4E0S6Jam7Ic+AQ9Kc1xDAKBggqhkjOPQQD\nAgNJADBGAiEA28KzXFLPIj+c7fsKNQuhB9ODgcD/tgc3LQLx2b6RJ5ECIQDrO+6j\nyNwNoIbhZsGUhp3ltLjDoONAUgohVL25fBCIew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUOI5VtGGfvdqkS8vHxJfxn3hGURAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBTfKrUJDkjLY64FXABhhYnch7QVTxw9q6FedlZp0xt\n07P+0XpN+L13czaYvnORyDXsttxoKiwiPSZNSW+CKmijcjBwMB0GA1UdDgQWBBST\n0LsaNZE2X66EddQFO/DCbAQGCDAfBgNVHSMEGDAWgBS3b0pVPnMuIcn1fe+UB0RP\n/mm4XjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAoIPoLlMTLJyCTN+lY3f/DnR7zv1xg4xuR\ntCOaVKti6wIgDOxrH8MdauGg+lLrGZBvHJxyhF/MQFGzqdPNtNK7n0E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIURkpU6i9hCftduQw5jKkULO+s0iwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHoD7E+4VUSjxZT9WHpa/RklK0v8vQcqtbN7QeFoZv1t\nI6ntAWOsQ86hT90ybXcAsaMy4vhSpSd6Bl9Vv5vBfSqjcjBwMB0GA1UdDgQWBBTq\noY+A+DypYbdlBlGxwTvFSjDRnTAfBgNVHSMEGDAWgBTYtGH64Q4E0S6Jam7Ic+AQ\n9Kc1xDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwzANmqVdLL1+9e2zNlvLpUZYnWkdB+mqT\nEl5xBBjF0QIhALfgWRclGPFgyzZ9a2pTSe9fz8P1+Z1qTPr3/VJwLV9H\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUch5do0sHJXrGkkWI5rVkz/7UJXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQlxlMHqV31/JtX5h2WNWUWmrqH/c9SEH6M1gxv\nTRUyyb8dAz05MeeBwqwGnTG9P40oirVOoXqnWkupFVrkBkdoo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQu/Bkq42HFq0H9iBMDngYASPg3MIICBNIwHQYDVR0OBBYEFC78\nGSrjYcWrQf2IEwOeBgBI+DcwMAoGCCqGSM49BAMCA0gAMEUCID8zFSKBYs7No2tt\nYV9YhvO2SZYOBCS/3EZ8EDFTreDgAiEAntHLGulQzvgvzmVCEUJddxcq2Ce2DI8s\nd/ETIdAdGl0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUCVRsAvkCgwOatvuWDCe8NY4K7RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXhY430I1fdr5c+/7Q3krMMMYsVjZ0bKWsNGU/\nnL355r05eGPeiXV7hVWzCfs0yi8BQB8Nq6r9JR5gV1idVnqfo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTJwWRZKMrxSX4XTKmiVwVPwNxw+YICBNIwHQYDVR0OBBYEFMnB\nZFkoyvFJfhdMqaJXBU/A3HD5MAoGCCqGSM49BAMCA0cAMEQCIAN10KhJ8Im4L2ND\nQ4/Wd3BZQ0JPBS/vD9mpdJ/c3ub8AiAdPFiVKDkSLCLg3EBPpSMqnfpTH6jL2leH\n7wPbce2uuw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUbvhNADJx+FUN74irN/IYDcKg/yUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFWyZL6+Sg7lPYCnC+XBcgcg6N+EiML2zj6nTFWeWu90\nbPay0og4RpGO4TSnuTX4cYnG/3isfQMkYEkAoOi3wNmjcjBwMB0GA1UdDgQWBBTK\nJNJk5GE0f+a11B9zZEm/Np1ugDAfBgNVHSMEGDAWgBQu/Bkq42HFq0H9iBMDngYA\nSPg3MDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA3clDyqokEH8UgvGeb1Cw3V/fCyJ8GZib\nPqBi15UnFbYCIQDRz5sNImM+K3sYVVL2XpN7WCC3C4/vh0oF9bdfRzmBxw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUArD9b0VXsVa1LpdVAhcEL31i+TMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH+dv7s0VL7PZxIvIHN3orgJffAGkvYBl+GJp2DB5sg8\nLH6iqAXT+U+wf398BYDGFummrbUqibb9JhfLCor1Js+jcjBwMB0GA1UdDgQWBBT3\nhs/1/vpVRGk0KTWcQ+GKSaaAPDAfBgNVHSMEGDAWgBTJwWRZKMrxSX4XTKmiVwVP\nwNxw+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAir+nsqCzQcdB+NV5+SuqIZEyu8/omN5Z\n9YJvs8+dOE0CIC+Q6yd3FOXcR2PfnM0sHdMFWZ6x764RG+MvgopdCW7J\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUAyU40oFVBh+vk8qH4X7JoJwFlIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASspHUuX+hI8aX6C9vP0574JIJOu3gnNyt1a1mo\noGk9QUaObSD5WJWqZJND5m7aQEByrU6ybwwEHGDLWmTZnl6Ao4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFFqE7g4Hy/zTYCIECNmVRcrHRs+eoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUWoTuDgfL/NNgIgQI2ZVFysdGz54wCgYIKoZI\nzj0EAwIDSAAwRQIgE/fIgduk9uIU0KkYqynPZpn54GU4BuZAaV9q/3DtgWACIQCQ\nICRx8bMH3EnDhGRT+OnPW98pqo+G40A82dAwV6PpJA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIURb8mt//icF5WuijtDjcboJHbgd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgg2Kl+UvAwBacWe65bvthVk0D1n+9+t4Gs3wX\nsUupFnA44cpdr9dKazECXB4TAUWzUpOUMtOjbmtib+iWT8JPo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFHMO7g8iLkJ4SqGeIcQP4NDJQRFhoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUcw7uDyIuQnhKoZ4hxA/g0MlBEWEwCgYIKoZI\nzj0EAwIDRwAwRAIgRcZOJTLCTTxOpYaJreYjrJOhbkN/Lafta1H4LUIrW4QCIDSf\nLZiRsVAkynfMdIEITFt+E7Y7aVnglNSEE9dsyvA+\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUPjHwStN8OtaBbzvMAc/JeKzurF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC9AGCVqRwdxcazR4s3w2ZYuRRpK1TjLkypsSrD/P1r8\nb4J1je2+g8fzQn+Ui5fPksSMHJVyJ5Daug9P9i8bLbejcjBwMB0GA1UdDgQWBBTm\nh7U9XSlXo61B0GMpUBYFiWt9yDAfBgNVHSMEGDAWgBRahO4OB8v802AiBAjZlUXK\nx0bPnjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBR7NsE2X/pgaoJOaEwy58etAYAhTni2W8h\nWMmiTRmT5AIhAIo7z0fJBLdiuiolkCLoj7KKknN6389RIEkScXQUdEZR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUQYCvxJkl+iFumb+V95tL8W0DXjswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuWvnr20jmwEcqhLjfU5c2yEcqY8MZf2KoYuRLtNARn\nON0H0XMIXkZwfBTlcb1jBJ+ozihRGpq64ZA9DU9yICGjcjBwMB0GA1UdDgQWBBRs\ndu9mkslbYG/Tq+lJWFA8AqUExjAfBgNVHSMEGDAWgBRzDu4PIi5CeEqhniHED+DQ\nyUERYTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiA0DM/OSnOb6QvcyX5VKC9HZV/0qsQ+zBpR\nLqjRZsbS/QIgHhfHFqKeHAtw46iZMbxFABVWb7+aD+SClC8W4EGE1rg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUH6OSfrNIIjaloQIPR5z3iWdGv6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgGDQ7O2Tz26RZ0aVURH6A1f89ZmLVWQ3R7L2U\nDt3E7EcZdHEECVslZprVP/z08B287gByzX3zvq2iK17JNo9So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVi1SGQEfHaTX2qoM+Wmz2cf4zYYwCgYIKoZIzj0EAwIDSQAwRgIh\nAJOibcbiJyQooXumUL2w04cfMhrQ79f1oMhl82KXAd5zAiEArwPBjE4rJgFaBqdT\nzGKFxd8i9mRWS+ZpAkLj0u9sIZ8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfmo8drjnd1nEJrUIw+1wLNDv0cQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ755idiYAD0Hj/43zUTHh0GMy2R2MW6Prc8QAe\nAtS9aHeLDOuV6ckaA3CZre001Sd7Ms1dXvSfDZO/yGDot4Wwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnLJdxbEQRAFy77HYU5Co5tJaVpowCgYIKoZIzj0EAwIDSQAwRgIh\nAOWARsLC80bB4vgWYwFVLome6z15L6/DJ3NX7JBL0JHmAiEA+uDhN3AuKSXuR1FG\nX/dbqn0Gc6wF1DWTWCZpDFLTH64=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUJOgAdxMTQQ02AUcjyT1JDOWvAMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEhYOg8zXoGGjbRPc72jjTd5PvpQpB6aUE4bXmXi\nSU5r/vXUho+I4vM87kMmrgHl1+9LICEg1yS8loqjSpoJifujdTBzMB0GA1UdDgQW\nBBSLXj5z2SvE4TLsobw3fdkyVzeb5zAfBgNVHSMEGDAWgBRWLVIZAR8dpNfaqgz5\nabPZx/jNhjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBh9qbBtJZnroEnqZlv5HHilJU/\nN1LtK5CjZAuL8gkyRgIhAKXddxZD1/YnykjZz6jkkorglVtHrKCbE8F9dMlKc/C2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUYZbduBqi3+O9AKgpfFql1Zk1PmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABJumls7E186SIK4Rd6aSTKVp9Vhw1WDUl1xANll3\nPvZitL5eX+w8dSO9dwLfXA1U2jRpTJQ4dJhMNcotfr49+3GjdTBzMB0GA1UdDgQW\nBBRrfRVIpwG1bFM0jqBEP2a+kdhRLDAfBgNVHSMEGDAWgBScsl3FsRBEAXLvsdhT\nkKjm0lpWmjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBPGKLRzd80ow4tzAYdNI+c+rr1\nL0JtnadDjpjG/l4XFgIhAIcHUqBvaw/PB2fw/1WxW4E1qtm8qlKmLY+Zmm/iPS39\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQEoyjllyO82pZsIqsHa/0OlifVYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsbpdC8vcVFpFNdFEADBPeZc4lYL9Qx4S5WzRS\nQnEeSddIY+1+tk0V0HwQ+gTQGh/aIRHbCdYLAPy9vfsk+++ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwBycaft6PTa8BAjYETiYw/nKYKwwCgYIKoZIzj0EAwIDSAAwRQIg\nPLbqsTXkj2W8ibjNRoaDSrBDjtI2wnRwgCETnzyyJ7oCIQDkA7cpCI9x19GRH6m4\n9BsnnGtPniNfLpfifMnI0f4iyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMqBFOMlTXAsYc6KAF8Lwk3noIPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATte2aE+EZRfwUKppA37b/eSCl7MD95TQH+UxeA\nmtRJPvwML8Qkc3JpkG9g6LIzp644j2ahsjqY/22o6pzHob/lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZlUoj7RMxGZTUMuJdZnIAQE+KC4wCgYIKoZIzj0EAwIDRwAwRAIg\nGXDhFb3f02Rt5YBequgp25PD5d4irbTZsuCSfV6MvhUCIH5q/NWz8iBH6dLWhlrK\n8p9g/cxMq+n0Gxv4/4bR/7En\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIUGEZFnBYIQZ7EjR0T8nDhVyk41SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABG8RuS/z+Hd46jL/WPPQZIV/uvXTb9hhEkfOK2s3sE5h\nFj5w0hRjjRAk43nYndqw06NyMHAwHQYDVR0OBBYEFH2TeTaUsyvHRMI8iImtm8n8\nXfWQMB8GA1UdIwQYMBaAFMAcnGn7ej02vAQI2BE4mMP5ymCsMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIGLHCE824vMWttKFYAdUSARcn2Nct+a4OG/nv3tl1pyyAiEAneM6I0S9\nhwJE/gUExzHUCFFuM6iurlwfbuaqfl0si+c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBlzCCATygAwIBAgIUUSoL0RVvGn7UgK8TvlR3DrKbws4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABBmiWPtvZYj9byQR8D3n7NK7Qr5hONJ6u4wzaKqP1LJW\nH1qdcuv7lv2y+pmL0T/0b6NyMHAwHQYDVR0OBBYEFNqHd+Jqkb6ez2EHN5Wq9l1+\nDmkgMB8GA1UdIwQYMBaAFGZVKI+0TMRmU1DLiXWZyAEBPiguMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQC8sd1Yd/6gjomf+8qCCVyRMzcpHS9jFTF/9i9jeM+lkQIhAKJ0sz7J\ndwhXeRdrZ6o/wnRE1Y54meBki0d3mhVHfrbc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1646,10 +1667,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBl1unUzYzkwlIUBo0jwL3qyfbhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWrOkX56OfrYT2WAMP+1mc8I1Qv6Cf1RYPg0dO\ntjo9doomagVbFsU9mzbvxoDXzDki+gejN/61CxehUhi7dBUZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknWVDRzXPZavC6ZaQovPKL1WEv0wCgYIKoZIzj0EAwIDRwAwRAIg\nVA+xyLcdUbPNHiSHOr0LSQ5vmitYzHMfRZ6onr+V5uECIH/V/zUeaNkhqs8mDL0B\nfcqYfEfMgfuasyj9diG4CC3p\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA/kBU3AmVFH0dhoy2vcsUnaHnokwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIkUrz2xLEb8PqG63LYmM+YlDMZVHr4mFOLQp6\njEe+bk/11Jad+9YoKkjNyuVZw2544/XgPAyGYVT5fY6Z356Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEqTOrRCuyC29VARPHALlqeVQNtYwCgYIKoZIzj0EAwIDSAAwRQIh\nAKbhi7FgaDH73RvTvSsbB919hA33gRz+GwHMzwthQ16iAiBgeHPioNFo+KrxfOvn\n3j2Tg5WELCqPbbPNg/1lCVILRA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFzCCBbygAwIBAgIUcSSJbcQIjbuOYwpnX2plfC07NFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA2SzTVs1O29PkbcY1h8C0BxqBx2+qGQuux7BFvsXc2Ckz\nYwbQa0OjHz7/lr5w7dZubo9KdVpp96QhAyjD+U/+kXWdbdgiOEP0VJ2wydYwCbqp\nkLjIp9QJBpAGGORUCboWLtAapM4PhMuM9QKdUzOM6tN1Qa2gMUfNkvzPtnh8Xr4w\nimVdY21+JKlJc2hyhSK7oATewWwJeV2ZUYTkSjYljYd+tChfLrJUV/Mz4MZtP2oh\n7mgkyAYOVBC7YrHc9qg6midsadoOHf0BF3XkNyzzUkL8CsuqK71FqRN++elKzXYa\nEcLpYQsNnRt4ANxUa9UTpKaAOvB9c5Jmiin+8+495eN5boOFcufbk/XEeorpLkFi\n3n37DsnhqBDMywzl8MnlTRrJABX2ew/uZEjmgWHo6EnkXQtdlBwtS02NlViiVgvT\nc9z5rCN3P6U3UJ9CP5PZnhMiMd7omvNJzx6JVtn7CbEi6EYONm4BuC98wo5lcvTY\nlqL74tR9IODp0+vYWkvrAiEAh3tJl4lbf928+IpKNW8R8DEI208gXVFvFjjyuzy7\nR5ECggGBANfTl++nrDDGUZ+jUQTJzr8t7pWYonUi0iCJtFIxfTCRWt6Y7LD0zgQX\ncaUeqeTq6CBkx2Rjoo6VKvMDyHuf7y6XwOrLRxtn0Gd9+eKI8wAuLRSxpjwapxOH\nvL5VOfBjKDKsyGTmFrbtVGimp0hINiv/6oBLxCFo8EduA5Zvu4akyLL075pVMOJe\n0+T0cBkWwMtWX/rv0kSjuTQJwHzBAsMA1H2JyxES1ETz3cQ76o8v5S/4vkTw1X3o\n1lA1XuCXh6Uvova/+oAHMvVbDbtlpj1gtjqJCOL3PdeDYicN9uK0k07Ikap+jEs0\nhdelHuRfqefNRiFqccdME3Jofd/0ltxmJh3uwGDz3PEWV9Me4EeBtuBK6tTxEqAs\nTrWaA5Axg8WuJI2tyWGQTKRPv2/DFgmslN1vnaW109GKpTMZEZkQFNS7VH67P8qP\n60cQ8OrolmosXVsKAq8dTsQFKnFtTfp75ovwnNcCGPu8yYTVEaROZoGqz2Ob6M77\nn5ecxXgqWAOCAYUAAoIBgDPGvZpvlt4tljH/TaoNYEu2ufXM+zei57ggmlJm03rc\nvrgmipp1rWMpI2SSnmy0Jt237vMf+1rTQMoYsjf8oizGK4iVg4X0LIoh5qoVUKrg\nAa99L6deEnt74aZHwDY4kC8E+5SfBNvVqOSfZQ54l/iZHdavtt+FoPdMpFTY1Ia+\n7n6qjlgbEN5KSQ0CxbfE6NZhp4+ObS7VCd8rCqjgHMm0/4jcUuFFufEcZt0uCl9m\nnfuPyRYLmk1AFuBFE3FQry0lxn32j2+afvf8sbphupxcZIuK5QxWORBCpO92lLbS\nTdLpryn9DC3Q98X3DWhG23OkjWGkxOR/cfRI1ktFYY7r/Ukf83h6smypCQJ8+/f9\nlussWrYahg+nIAuG69kGJjaK4VVdgPNPqN/MVCqT4X3PZK8X0PlnKE+1fxGcK/Ci\newc5TBrqD4TdVjyIFa91/2ldFGRJCl9s1QWkUg3LmpfkubeFEKpC6e+v154+L/d1\nexVvwu0kF2UTeAnayoHtGqNyMHAwHQYDVR0OBBYEFLkiUTiInizcyWdfFg2/cbNU\n9kZMMB8GA1UdIwQYMBaAFJJ1lQ0c1z2WrwumWkKLzyi9VhL9MAkGA1UdEwQCMAAw\nCw
YDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQC8gwXtF9v8G/oHafCRhNiP+ihgR1F9PaJIZpxmrRH2uQIhAPGggsct\nXfSeSGa07dBD/bGOhlHy6FKriO0i1rHel5I9\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFTCCBbygAwIBAgIUZ5IPCHQa4dLqQKrRa6WRPuA/J4owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAoVDZV3r+CjbZsRIry5g33yMtjVRazHbt6Nv8KLRQ4Xvm\nF6G9mwEo8dBpmvugQVle5bX0QEstKDMFYu6gMnOaO/2mOBpQv+cdK9TqMge2uQMC\n1LXNYNPu5042SjsCic+1gY+SPk///F86Q0bEOe5l0bHHWob3YrIRdX5nqejbtr8g\nN/FLvhyU9n6xISHMTsx8QtYpt+tPZA6CWOk3LauQAT5Hpdho6huhPk6GWw0xvOA9\nt7XUAE2np4R9+zhg+wiTEyHYPaWiK2B/tKFIa0cXJIcArQXFttZmCdrLFwN3lvz7\njMaRusL7gW34MW3K6qwO++X9Da12SCVQbbqQvi3B9/XLmYSFrlPxPdP7T3zdlgvB\nKmMoVPWBgRhqwuvf+5GqvLbfcNE7KG2CzanjbjDEeGG5uAeqjjWV+98hl5YIaXJa\nynZ2rtCDyVN9GMDAzvQdqIOpFbzPuO4EEsgNNFmnaGwKKPCd9gcImvZ81G7gugWZ\n1dZSruu3lfc4kidFiF2HAiEA2/ye6cUJgUo9dKOZ/cHL3uZvPSG2Lt8brPwmo/Qa\no2kCggGASCcWHxMkl2m3gTMhf3fjFsBBm+gqBpZN4NFcAcfKnn/9b/2tdqb5MTxa\nEYc2gaPU4etOJtTcm/46f12MSZ8Qkf7QGd5c0dqNjb0EwXl83fmnGz/cpz7NVg6S\niqPlPGj+Ew3ilcmMJKJ84l6xrr9yJ5Trw5Rt5VPgBCxaLKHaLiFegJnslGrDGXII\ncwxdwfw9lvT7zIMocSw7yAEa/3rq5HIla9nK9I63tjeLz8ygoaVUDxGsBs+4RbBk\nrUTbJhBQ6TipyycecoGMQX6NbSGFlmgPWSS7ZMszR3idjCelmJStMMXTWmCTU2Ru\nsNZer4mcw4SyLCmsIzBvi/OmQ/TUy8syRd7u1GeOMT/3VtH4it1rfZVYh1eO2dxl\nV2v12DVW7R5bYIALmpHAvHXOuyt/MlHRJkxBbSFtJs8nXfkbO72Gdf46cTVAp831\nGjkw4Ua/FKM1JH6Xdx5B+gZJYG2OajDWnpN0oTlkbvUjA8gyUaLgvb596BY6jNUj\nV6Mtikj4A4IBhgACggGBAJe1/QfghWWjJ80tlLruz30tUt0ZPc+07S7nQPdqqpls\n0xTnz96omenHk0h4ATOWskr04+2q7mPbPA+6Nt3+k4kayDiFwyrvaCJrvNuBRUwB\nBOA/n4JnrPQv+7uGyDSz4u8QBuM9jQawi+KW5hLFK69g8LmyTYdmBf7Wr6fsvUvg\n2O3EiaSa5paZV4r7x2xzk4enoRITQVF5F1rFaXBz0LcpnLoC/kJ7Tz0nZD4o5FQu\nY4QrYq6oFcqBUaQ/G4FMFDbQSr/Q3VvZpNLxo9JDoRuBkIz3cqkFctSSRyUGQK6P\nwQtrc171FDOK3QCLA4g9x9eZyJydd2zp+f8KU0xVXxM0kgxAG/5sUpGJxwPh78sx\nXv+YFVeqMygm2z1OdVaU9pwCtdakIXOQw7
JaPt7YhTGxrCH5hpNeo/dyLblyuGZM\nxyESW+Du3EB7UDCIGu07U7EGmVaDGSgCixDjK8VZvHw6PR1ZqT0fZlEcSxB9LEmE\nPgK+6w5w1i3wIZhdk234U6NyMHAwHQYDVR0OBBYEFG6i2/MgqRGzWedlE1aEcBCb\nncc7MB8GA1UdIwQYMBaAFBKkzq0QrsgtvVQETxwC5anlUDbWMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIHKL9QES4GJGG5IMTBWFwLm4FsxaaHaHkPZF+fAyxpibAiBYAjmvDi9p\n0QMjhXr3WnwxQeatvji1zvFhxKfKloMZuQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1667,10 +1688,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUA3wWwt69gDGImhSyjKO9f9fXNTAwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQC3yMwMbYCc2MctU/dR+hr2BGzzWTRyDCqQJ/Jo\nPsDM7QwQYLudb1biMvTxYb3LoJpAfHpRK6x9qa9+Ex7sldNEsn00DWxqPLZ4K+va\nCH/fvjAfNwMIAx5z1heVvnCUmIOCceAOE+qUf7vxiEdaelZKsAqYfJiP84Oh4Rpj\nL/dQbLVMFhSVjJNzVqElEMglXByHXSH043IMN4eSyiFskLOG9ib/4/NKNQ/ZlHHH\ncHK2Y+C6zdOIMeJs8bT6zAxFNPRu2tVcsxF7GwDbmmraYJSkjTcfyQ002XlTEiVa\n/gUG6+X1llhLe/RBw+/L1qIiNQj2BR0ez9W/EPCSMPSRWsGmcVVcQDPEY4M43YR9\nwZ6iIDx+Ub1Ca+/uLUoGgM7ddzAuXh9ioYSAOTPL2wFAY1R6LY9DUsaQ/ng6cI17\nHKlOcGz55PENDi2AP+5FZLPCNJUaPh9ZTz5mLrhcZIPTZqw9VQm/TLsJ+PzbPrJ9\ndt7XOtfxyQHmcMMS0VqMNN1J3KUCIQDRLV0Hpk8TwtfH+w3PJ4N74INXYv6/P3d9\neRwHUG/RjQKCAYBA4EZAzMyK7XQEo3cf+TpYQ3YqG2ruro/JFYCbst/6Rtgsp+NV\nZhQ6y/6IM9naQE02xOdYUPB9pfxCsoVwWyUNLhX1c2DUpCPWi696ffIlqTF4X2Jg\ndkRPpLo/1NqtZkHrRIV3e4W0Ha42kgSSqkgo9U+1eAJX9GUWimpIDE5h1DMdY3sK\nzCkaopq3dOulrcxDR479AMHD6zOv+24o4mVyPDnxm+zUdIF+E1IveAVIW3f/Ged3\nvdxiCbo3LgMgMj3a98jDxh3oDwEQlyKrksBsi6nVLeOgNMHMW7zCZORcjGIpxtSX\n0sGPzLvlwfBE+sP6U2BEGrY5Y9YzgQKfd2fFNGUZqDgmgQtjICCdoeEGzKeDkrkD\nImZRAwavLwO5qnnO/+hHLiyf9m+InFJEKVddkFYYuhhqTyWjic9D78d2OiqdroPu\nEq2ieBbABw4ThlkG+K35Jc5P4fy88Ee4dhwdE/X+/UyxO6bNCwBo4JjKJ+ZEqw+O\nLQr4GUj51XkfLWcDggGFAAKCAYB4OemRVeXudBxlaRcdnjFSmW9dhPY6HbWCdma5\nmoh6ID9mOfS6JCPgLGNb9ZgDSOA035JJvZ/tPOuKdjHd916dizGfga4vj21wmNnY\nx77kDXdZOpJQhV1PR2h6VbZFWEKTucgebe388+kGr7r8hkrKVfIRcaHMrHlJT0tm\n3SdKB2EflCDc+IFuaDs1IVVbWVdcd+vb7Bod8zizcNU3YubSXcR/dmMkGzv+aobG\nwEIkr8WuH98RgiRNLxf2qPrAfhlwHy42vOuR5g//GtzilQ7ybZkgVr/V2nJE/mH8\nVAmeUn+cLjPWugRn+IBnpSNIfvI/8xV
ItJQcrj0jETpDlSuK4FOZZQrQmdHckrfd\nJQZ2xfYvvlMv6oWf27kxJYfGRDrseHHkP3Nur3SucyN5waeWnL2kuPZNjw12iTak\nN3yrWugGwuNMNKlJwB7HgBAY2zjgc4Tf4fAFF7gzJ0D71EjS+sTyyhGRtFTDYO+N\nY/Gfk2RrWVN5TmjoCmn4c3QK3bGjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ7k2JUUauT\nLlJY25dKrs9X4O5NFzALBglghkgBZQMEAwIDRwAwRAIgI+Ph5DlcRvu5WV3ST0RB\nscaWpno8axuXHgKl4sLZiw0CIAr27qHqHCYy3DD7fYzZJWsqPqCy46a0DZo/vu0o\nwuX2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUH616bZgtdOc+u+q/i41NcTz4crIwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDp1hiZwgIeqoLxLmWGFf36hiPgZ4caKzq4ob9i\nHcnkAsJIV2LxjbCa5FATEYpYaBZGzcTUHTm9s5e2Dqydfesg5In497UbI7p5AqgS\nku/4WqE1ESCWLkd3PWIoP2vLT2mSnIEVgPyUMt1tTNZd/q12zBUb7ffJmrYy2kua\nkrsWHMV2zEalWqow9CN1Efyh7BF+JXdR5JcIOUApp4gdke8x/+u6PmhH8ic8pc6B\nU0a8NTTAYUQhcFuTnx3A/Nr5bC3d4O3YH7wDO72vhXi4wBAFg/m1RruAmkGXQOGr\nXLq0VSaN5MJAIrdrrajs7hIv1XA+vNINpmBl2rFiIpxEtguOnBPCzJ+rCEy1mYy2\nSKL7NF+XOC12156a8wt35dH+cSNd84dBVqFK+ES7SwYR9nEa8Xn5RIHsrn4vGDFh\nQ75kOYneEHUT167yaNp5dhbJpSI+nDnctrw+dXXBdSdfuUkeYW7qpVIjp6K1HsFP\nuYomUK28igOdtA6lgiwjp8Zwc/sCIQCMaFbUNdoESMi3i55+ujTozegPdViF8phU\ngiugRKIQLQKCAYAR3iDf2j1y/CoG9GR2WXvdekJ4E1UGY++PDNg7ZnUA844fWfXz\nQa3JVLrBzdQn68xH37yoxZUwep8ueYQ5Uoe7+0AV6XljC746GG17FxuTI+EnHMq8\nNxyWtXAckH5GFELR3d4UsGmhezrzVk9kmnl0tXGidhtpYm08LrwLDncDuf/JB5mE\n1QLwHmrHTQ7PF0mjm/eSd3yLc02wUIFzhhfQjNqol+X0sCzEZxHhuT2Jz8QufR0g\nvBFWG5a33OdWN3dzS0DIb6ov3ipRpPbHbuUSl1UQOxDn8XT5OaNJUDRlrnT/wXDX\n2cN/W+A5dhjznCA7yVQ2j6ViPra/10h8nBvWPXRt4nDRpyafG1+Dq1sAGjXuLcxY\n5R7u1SkCILDvY+6H0IeXeAxlHL20RPN5TAUEj7WS8Zqm+tB3mtZw1KL6+ejhBPIJ\n1pfbz3eJCegEsQY3Gbyxo5JOwNJV0o/NtxqKgxe6I4Cr0zZreuPhHZfmE3WT83/z\nyhQCQRawM8k7BdADggGFAAKCAYB6WO9CM98r5uV8L9mqYp93Ruaui6dbIEVRdsvN\nIeUo4SJNaserbJoewQUb2lM3lfrtQFJkSaJvfs85MmtW4RwNrertPhYb6+j019Om\nRTWPvWdy4ER5zBF5O01Cgcu5ttoNMDcqpj8V7z0zcUA7Ien8oI
dNJGPe9IO5QfrY\n8y0BzFwTco6Wp97voz7QxVhA6xNY/BpJqqh/4xrD7oSDvCLrRA5DYy0M/8n26uLE\nHVmWYbPpcTfBo5eYTLHILA2TmIYNDluezIZGlJVG7ExaMnCHIlcTqUC5bqiAQ3DE\nIDk5t0AC85DXafkzDpw+CNmVGZV0fTe9We25BpxujRWFjSCRrr9YdUhzVWrkH8J3\n1IB/sTErNPMBfRM+Z6cdnDuSxZTheYYKAGUVp+xrhTg/+kM/7aE0wgaEH8JgYls3\nFOm3wcrHFtI3sy/CGEh7d9ghQsI/Q8zidV4COsajn/0H+V3T8Nh2JGB6wZ43hMzP\n7dXb6P+tLeGf694ddNzOKlbAz4KjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT1gxaIibFZ\nYNXtthELxnWxF/FO3jALBglghkgBZQMEAwIDRwAwRAIgL6ePqHmQ9Y+9oR4aOecX\nQJ97dIhYt06DQC0mNNmLlRwCIADTlOlzYcPmbLsSX4VP/GdolpHk46QU6bQcLECk\njl9f\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUZlUNcUj/jg/V11+Hdc02BCLF1mswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATucXWTHDYbhBHq9mVt2WMwVDCq8huxt+xD9sxG1rZQ\ngV+GDf4CyJs8JDB+Ogg97J0jBdoaKIR0BX184XvOa6hio3IwcDAdBgNVHQ4EFgQU\n5JBsGbdcsIgUPBI9TIygbLErH6AwHwYDVR0jBBgwFoAUO5NiVFGrky5SWNuXSq7P\nV+DuTRcwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0gAMEUCIEY1cBZBsc+e3NlNoabPseiKGT0G4Xzp\nx/ZJkQQ2I7CcAiEAlEoz3kGTynRQ7TKHitJMNFtVP4qgewbDPaAWpc9pLZk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUFQZYdBPB5FdM2g4jYNkCrKbqDuYwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQPrSnFgcHvfcYBf7WQCVt/1iyCqJJ79wnXYqob/bQ8\nlbCv6/SoPlE0SwWFhkeb8y2dfH0Cce1+zJwxX19tBzxjo3IwcDAdBgNVHQ4EFgQU\nJ+3pKSIuiYbNMTXWKm7gaoWl+s8wHwYDVR0jBBgwFoAU9YMWiImxWWDV7bYRC8Z1\nsRfxTt4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0cAMEQCIAv8UzkZLITn9r0covz50QaslNTrsR8P\nb8jKfs4hunJuAiA6/X6rL05/zDLKdp2hEhCwcYbh09X6ogESwoEP/cCnww==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1690,10 +1711,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUe5t5aE4HfsRmbLft43PjmRQEme4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/pfZox4ltfW1WaWPIZymvPnw1eV3cdaZ/sSTk\n54CV43uAeuK36YwxYvAO6vgvMH+D6cDOX8LZLn5Iss1fzG/eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnihJgd8pGzxFIcbu1J88TZPmIYQwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOpzelDe5OIABz6KjZ6Jer1yE0Dt1cC7sUg6vrz4RjcAiEAnbq7UQuPLyUd8+5G\n4dSh9RYzmjoQrV7eitOtETipuMc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUes5gJEtH8Zl01CE6Oon9h/9ZbZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrWfdirdPUhy/qRI7DzJ8inaxg+U8BqS19A+86\nIX73K9STJ2Nc7QkXZ9wWNoOXUljHOGt8bx/8yCZrbCl7ihk7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkUHcPcYO3BRKyUrsFgl3O3whu80wCgYIKoZIzj0EAwIDSQAwRgIh\nANbhMw5g8CkzE+4qWqJKP60MuEVHOKpSGTC4E55vOcIwAiEAnJEX9CblXhc0H0k+\nmq76ISTcWhFvEdQZQFYN5eku7Zg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFjCCBb2gAwIBAgIUWyx34zYRnDx+05ORxLtj7VGM+60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA70BVRPQ56JDIUbyoqJA+S7j/NdQL76ww9WzeThyZoP5F\nJpipIMv57i1ldJodi5cU1L85tYhQDBA9IzIwsyTjiDNJudZLkRtooJVLr5jLkE/k\nKGU9IEEct6TtKs7quBNkqhdkJuxRWmawt5+AZgNrc9bgD5CKO6pa5lJpLrIgeKDG\nPbh2bQy5VtZicyw0x8Oly2/DSIlFy8bl1JsFHmcBp5HPGn3crOtyVGpsHkhyYPwb\n0EbO7DwLlpwwqosZTZolMpdaScjuHiJZ50QU6nCVPv2mxbMzoxwGhi0aKZEbzipc\nYukVqB3U6S+zkdfNTFZSGw9BMCg6gsWaVmlUXFo03cGO9n8B/oBYbm+aORoJBQwA\nhxMCfwQhgvVCF8MQkLXg97m/ap3BovQGSK/Ix8qdLyaCkelNiAMT6U2onID50thf\nPNC1DT6ODAlgfYU/rhEupB4qU9a8dKqdxwATdxITinmb1DftNfFSonWHHzPMpgWh\nbx2v85vneKj7EJ2WC+ALAiEA0xKeecNXWdmTByG1d1BQcMLkqG4qtQgyiE2mI1CV\nXJcCggGBAN1+AEubccFbjQlF410EMOZfvvsRkEFcd92EiIRGwyxuQXUIFL6yjW5v\niLlWeOwua2j7QxG5ercifPliWxSUebaFzPPywjZiTAC4QfRFhiR8Ei4rhSRhl1YW\nVaC7NLhfFs6ilX/SOUpwamQAPPXG6t4/Cen1XGzl+bVyXNdgMLCavxGRYEL9LA35\nB9d+Gaq8mGmzFP/nJ7YxMxzG4KatQAXZDQvvALFVoeV9fW8vuCwQTJ+6iuLW2qEv\nmOPsAO3A8EZBDvGckOyDR8dHe5Q0XpHOwbjqUzbamjCC/iy57ENOEclmLN+5L7iV\nGI5G2CyJjU4XCTcapJnJ1gcj2cHPC81kEACuCAm2io8U4iuWlU//9mmtb9h4fbV8\nTq9MLuDTKXpO8jXWQ6pjeTz6NYitsOkHtpMBtyRsuPOgKKxROX9fXoMG6Kv0R4B6\nh3y+WOHliNq3G7VBuMFinCmJhRIesgNSsvVumUw7rPOcpEB2M5N8tJGjhaZ6BXe1\nfpOVmtJm2QOCAYYAAoIBgQDopprWWG5RA4/e0qwGXQenMpFIQ2H0MBZEjVweIVBa\nAm47zVNvtSVvv1hI+BMwwmZ2VmQmW+KoVMZq2WNRIOLfkIr7NiqKyY0dmm1MRXlz\ndNEMxz87813ik7Lyf7nOxASBSxj1D5padssHs7zdcK8qDjmRfCSQc4GAOlIwH0aY\n4+O6XcB+B/K84igxLgzOoG9FQkrnBYm3OlYRwzQvp6hjO66k1PiAbeyN2rnRdxn0\ncU22NLvvx9tgBlIRL0S3yCq8RQkoCQcY7cNszG9a2Mt+o0g8ZQ7ZO8ZU+gQ9CZwo\n38LoQ1RLj9vc25ryVDLNplzqx4WHRC+GaqUTtxD6a3c4PkH/5u/bGBWtD1q3sj5h\nPWPx1aTU7tYOD+zRWhKrLTpuzSAC3fyF8sz/TsK8zuFteS0NEfcl4/+w3utQ4U8k\nqqWrLW54TiQlnmWIPm/yNH3YOZQW9kwiU49t7/RVSJ2qqpsT3uixk3yvEfefiz3b\nlmGzItWZv/rom7qIhkLTqsejcjBwMB0GA1UdDgQWBBT8Z9Butya+Xi4AkD2UJCdp\nE8PJ9DAfBgNVHSMEGDAWgBSeKEmB3ykbPEUhxu7UnzxNk+YhhDAJBgNVHRMEAjAA\nMA
sGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNHADBEAiArV4edeINcK26LYdB3803lpKP/aRfF7GjR3l1zixXt/gIgBLMv8rgB\n3CRmD9MU1IB7XsJRfgQZ/DQDjQQTjV/KnLw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFjCCBbygAwIBAgIUeh8Ts1RoLwMPlPf1/FPwLde8SzswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA+lG1PNdnN8RZbIqpabtFZYWckhgbdWkHwxBywErAUM6d\n0XRj4jI0pONePwN7usxlVWMK72OPI5nsMEfhRdNLtVQYr4drv4mmyz/+04xpwpVX\n5MMBOtkPeUZZ/d7B6NX9sjPd8TO/zLT9CFOWeQvhYbOBcic8F/GerQ5S4/6+7+tg\n3VZz90PUVccUWHbBMBAUCyCtQQBgHrHdIMgszICxjmwJSvbLNoQDQ+ujb5FbWxuQ\n7n2YKVsaUfUkK9k4bUYMsdIWNdCoEXb3YxYhKb3dw3di6FrP0TPdXO6g5ufozaiX\nbH6tpe0AcEyBdFu8C8UkB2Em1jMSrnBhk8y07sqtdXu+M4mlbyhnNh/ZtF3BxHZd\nDzqF1Hg3KPE5kbuFUltIVLEU666ctH8oO3MH6PU3pp+eZVspwqLDYzrBEhouyfLT\n65Obqgp8Ar+v2KYpHeuSwd2+gtJ57FSB39rsW26DmUWSoozeBqpWmIFSQZIAmbck\nepfSNF1/YNI5nsGWeXpZAiEAqOmwFNuFtjLmkfyi3+mkItHDEawFy33PF0R7nXZz\n0/cCggGBAJxf2N9Jxc1M5pavX6vifdF6VtFpsjpL32zOW8sNPkysgIw0esV9M9OI\nhy0PSG4QH2WkInrfHKlfkHgfJlWm8xhN5dCzJa2Kug/ptLp60/r5UoVJf6lvRc19\na6NoAeDUbfe5qXRXwnNsxHxF7tyahBUfSltlruUaeiXqDdL8HBqqJxz28KrKVXh4\nV11D5S+T90DIB7KyNKbGHbdVdQw2LaCHYZftSHablBn9p+2SODYGVlzZK32qszkJ\nv6g2GrqXQVdHlksdzLRw108m1tRlB3Ug4/RwKZkAme7kSgZRjaXboJ71YiApmJu2\nwkjsYWRZg2iIMuZ+fAVYFPv4yrIZaJ0MKOOcUfrJAk+hqUTZk1o2Dk5mC1SiZSll\niEFQGGYYubGqnb9FWwUouguNMXHBvAUhFTTLPrF5yBNV6Pa8tRl5+r9HqNhF7TWY\nLgOtwYnljBnIlU17FciPWohWMly7jp+kb5ajGEz8o5lXPMpqemDpeJjAOpIFz6C+\n5pn2u/mj/gOCAYUAAoIBgD7q83XbJkByHvpKxo8fN57/6CSmm/66/tKX+Qt4O5BE\nYdFmDMgAkkWa24AsBVAwxPXch38aFio56C95kkAp8TWXl+0CwjVOQsu8BgBlvs6N\nRXn2k6OLgSo/NdJRvEpZMSgFTYTy0eUp77Ks8eH3Msx+j2B3U+9SeSD+AV523IJn\nzzeQ6wwakwi05C6B2FKDdluO8N3qHarJqkWFP5xUONXqYGDHUsZHwkdQUO9/7s8A\nSjvZbs6NR7Av1/VhOtlwwy2dqVO8rA0mtNamn/XpEvP7VfVD5wv+82FLT+JXVI/5\nn2M7Qyq30sqMBIvWK+qlQwG7CPlqNfU92Mm41u8n32Dt+qI5dl7wGqmyReJu3sBW\nGcRECRSxIOCRWsMZQXIpuStWvhKYzA8GbC
SPNnAbrpLrK2qtgljf03P6GCJhy8zD\nwvPKDZSIAa7hmhC1p0pp4wdSesRnIRCKMr79IcJFzvvFQSi50VSEJK/Wp8zOTIaL\ngtbzphs1E1nRDBKwAY43WKNyMHAwHQYDVR0OBBYEFG3ZBf57xThUPcIoGISYBBPE\nr5p5MB8GA1UdIwQYMBaAFJFB3D3GDtwUSslK7BYJdzt8IbvNMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQDleJUVITM+6o02PeoNAK8Sy2As4ntmWuHjDRdHX4xRPAIgY8sPmgTp\nuDZ2sBowYmQnCioXY602hyMwtvl3Zsn2WM4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1711,10 +1732,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAS4j55nuWbcZHzijDgzMw1mq0pAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXM9kdR3l3TQeqGYa+toxL4BQpgC3QnKZj8VoY\nqtH3alXcCUiyZFkxSe2yeBAThWUPaigGuhfm/flNxzVncM7/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4qYQw1JfRrT1U2xHdV5CcfWkKaEwCgYIKoZIzj0EAwIDRwAwRAIg\nbsWa+CrtLQlTaScLRhri0m2Pn9lJngzlS0/KSewxbTkCIHLVmcAAAEMwurl+Do6h\nA1Y6xAZaVts34kz005vs0nDz\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKoroliHe9MZaJVs8oy0PMyuSHkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjJxh9Zl/uPmeQDBfVFiXUxxYCDK3FNJBX79hc\nTZb/cKZD1OssYsb+2ov/ccmTdcyM93iCH0HD/XXAZsF+Onmeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUecDYN1XYcYgHJshV0COG5B0Of0wCgYIKoZIzj0EAwIDSAAwRQIh\nAKusOHxo+X9UvFstOpGMEqFqBar6KyFwTlc95KOkUCIFAiBUedL6Q/DaPAY1DuU/\nr6swPV2SY39OIfbSXUmt6mVO5g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUc3JLItxcXBIYpXSXp1MhQ1lPDr4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI95tBiAa6J+3TCDB1u0rkXLBFv9y9nWbI4gWxaQtmon\nWWIdqkKkJapup6MhXVmNrH3QGnam10EHJhOxwCsPFL+jWjBYMB0GA1UdDgQWBBSX\n8x+xODWxhTNKvoWBWFfD2kCYDTAfBgNVHSMEGDAWgBTiphDDUl9GtPVTbEd1XkJx\n9aQpoTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiEA\n3gjTypNWqSnPmx4uUlNsuK5k/5VQVP4uKUQ2sFZjGvgCIHLrC4YQQjPImZp0Iwad\nxCPawtlHVb5Nd/zxlYTiqQkF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUJnd3Sa98HUWXfu4m0XfuoW/xYzcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL4WKrs3SxxjWpZlb28z8pAi0QFyCyNb4L6MHYF6J9xG\na35kxHKHDytx34oee7k2TrmtBqmsu3xhPOesdOEjwdWjWjBYMB0GA1UdDgQWBBR3\nmkx4M0NLv1LIHYlMsIZLfoKSHjAfBgNVHSMEGDAWgBRR5wNg3VdhxiAcmyFXQI4b\nkHQ5/TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNJADBGAiEA\n1fHp4l2UYp1r2vHGJmTlVpsWHDoY3WJmr7/6BUp5K6kCIQCtvnv0STxvrl1UGaNK\nygEbPm+3n5oXac9qqctaUHAvmg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 53e6761d0e365363bb1586d2589957065b5c6895 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 17:25:09 -0400 Subject: [PATCH 038/155] validation: move v3 check to permits_basic CABF asserts this for all certs, not just CA certs. Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/mod.rs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 312dc16ce7f0..3f5eb7c94c72 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs 
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -355,6 +355,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { let extensions = cert.extensions()?; + // CA/B 7.1.1: + // Certificates MUST be of type X.509 v3. + if cert.tbs_cert.version != 2 { + return Err("certificate must be an X509v3 certificate".into()); + } + // 5280 4.1.1.2 / 4.1.2.3: signatureAlgorithm / TBS Certificate Signature // The top-level signatureAlgorithm and TBSCert signature algorithm // MUST match. @@ -487,14 +493,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // and `ChainBuilder::potential_issuers` enforces subject/issuer matching, // meaning that an CA with an empty subject cannot occur in a built chain. - // 5280 4.2: - // CA certificates must contain a few core extensions. This implies - // that the CA certificate must be a v3 certificate, since earlier - // versions lack extensions entirely. - if cert.tbs_cert.version != 2 { - return Err("CA certificate must be an X509v3 certificate".into()); - } - let extensions = cert.extensions()?; for ext_policy in self.ca_extension_policies.iter() { ext_policy.permits(self, cert, &extensions)?; From 02590308c044d9ffb76084d890fac13878229ab4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 18:26:04 -0400 Subject: [PATCH 039/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 379 ++++++++++--------- 1 file changed, 200 insertions(+), 179 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 343d2d75f65f..26dd8bc91b17 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
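Review bot: The new guard `cert.tbs_cert.version != 2` in `permits_basic` reads as if it required version 2, while the comment above it says v3. The X.509 version field is zero-based (v3 is encoded as 2), so a one-line comment such as `// The version field is zero-indexed: v3 is encoded as 2.` would keep a later reader from "correcting" the constant. The check also sits after `cert.extensions()?`, so a non-v3 certificate whose extensions fail to parse would presumably be rejected with the extension error instead of the version one; placing the version check first gives the clearer diagnostic. The second hunk removes the CA-only version check, which is sound only if the CA path always runs `permits_basic`; that call is not visible in either hunk, so it is worth confirming and pinning with a test that a v1 CA certificate is still rejected. `permits_basic` continues past the end of the hunk.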
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBuwjHGr9HsDXfNSW2hQAoh8FSP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvEx+OB7/Ip5JwqDubTfuTqKfinAKW+Z5D5b73\n0vlFXIagYTPfdTDlDvQONdwEPagsFggh56SBQLRyv3Kv9Ewvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIkORErFoRhbyP6Asi9RTv3uCrhwwCgYIKoZIzj0EAwIDRwAwRAIg\naK3phfT2tQ6V8LI4tvYlxtPKF1UKFNiy2xDiW6iTuDgCIE6gr8hRD3immQf9MZSD\nJM/1SDh3VtiikgSjVEcggSXQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ+PgphO0JDxSBe4QTV4kHZGQXMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATergOakVpDefnRpYDvBUCYYHzJSoen5QsAbdl0\nRY0a4tCuE2hsEfhx/6XoKotorSy3FYJ9WQ2trYQVkFoOagK/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzllxvBM+5GnpcDNe0aEqHB1flCgwCgYIKoZIzj0EAwIDSAAwRQIg\nUHQjqIkg4uA+1/H7snUwLaaww90GtJtBBRPveT9iuwoCIQCQm9CAu3pO+oZjCHqE\niJCTiujEP/XQNg1HKmJZjuRQxw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUVp1BFGlYETWdltmP7n+4cRKDeXAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC8zOTUxOTk3OTA5MTkyMjU5MjAxMDkw\nNjc5NTYzNDQzMzM2MjU3MTA4NTMwMjAxNTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n2+qGdhsf3aHKlBtYgH4XFH1X2WoIIoLHP9EJBFk08pzah39mGcwTdpMt0+YbdzhW\nK/qZqWoDBuypDevABaWLXaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUIkORErFo\nRhbyP6Asi9RTv3uCrhwwHQYDVR0OBBYEFPmW3jD3SxZDnZgtfkfNImdayPm9MAoG\nCCqGSM49BAMCA0gAMEUCIQD5YAj/TLo7tDaTlAtcmIWzBG0jxq5zuT69xuGUbeBX\nmAIgYkrSnuJOnlV6X1rluIqDbr750j4hfeP1/WHzhBlTKnQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDCMe1OH4M6tS4xQcBqSRJepmzzowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDA1NzQwOTg0ODIzODYzNDM4Mzcz\nNjkyODI2MDYwMzI1MjIwMjMzNjkzMjY5NjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC+mBR4lKM4nTwWa3JTTZ0DKdfGIlMzZb73CtcX0q8IxWljp9RgdjS94Vkp4cCE+\nH0VCgqJJp9gKMO/Z5vuoLnWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM5ZcbwT\nPuRp6XAzXtGhKhwdX5QoMB0GA1UdDgQWBBRcG3anmvUSfkB9U7iFrG7EvwQ6czAK\nBggqhkjOPQQDAgNJADBGAiEAtBIGYcacmp3MZde77MSc2yB1dir0/FiENSCesOVP\nPJICIQCTIZ8FA5s2vdQsxDZ9pNZl98HY2rOuRcqq7x/52RB4pA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUdC7wrt73rPagSy/4X/8PyO7lhnYwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMzk1MTk5NzkwOTE5MjI1OTIwMTA5MDY3OTU2MzQ0MzMzNjI1\nNzEwODUzMDIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASgjvJN\nkn3np4hHpStl74QJFSqX+P0lwIA07+R8tgYPlbZFx9isoEWxWPCmOsZoA1ueyEmu\nah+kLsXyUdLVX/dFo3IwcDAdBgNVHQ4EFgQUq6CYyfW0XdUvMnOAhUAoeCr/pZQw\nHwYDVR0jBBgwFoAU+ZbeMPdLFkOdmC1+R80iZ1rI+b0wCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAKwhcri/4a0A3aQV78TfxDismNyusaIXKUlXdjSIn/d/AiEAwqMfR7k0wp2H\nO12EAqeKI3xPRaQHz2aWVArmFfw3tR4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUKQHU7vhRwBrMwH32lTytEREyUg0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwNTc0MDk4NDgyMzg2MzQzODM3MzY5MjgyNjA2MDMyNTIy\nMDIzMzY5MzI2OTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtASX\nhYpi9et9v0UKNsSoVieajAlGh8Hm8uN58jnLbOGozC7A3BuJL+wv/gwRKDT6Dmv0\nXWwLWWtJK4w9FmfWx6NyMHAwHQYDVR0OBBYEFF6Dkkqucoe6cqidu2lXZUwuEBKg\nMB8GA1UdIwQYMBaAFFwbdqea9RJ+QH1TuIWsbsS/BDpzMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDOuNPCGBQZZC+idjKBebVQS73VTnX3B4mM1DvuARS0NQIgNeKontUZRI+n\nwuc7tzGbd8DcrUm1u3UeOOcNU0eEF7c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSZV6NDan20+iwA8lr90U03N3DSAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQy+hd82pm+GR90cIYP+RktfJm4t8XWxSWIgkjm\nA5SRirX/hPBjftHEvWiWLkOfeocOQVR8UTihwgOdSToaxoAHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMcX7D450QlA4E8IKskI3uc0UeMEwCgYIKoZIzj0EAwIDRwAwRAIg\nWoqw/KLjAQ3Cupd8/KK6smwVnZaXbVkJNwh9/H04J/sCIB81sH3ebT6DtF+m3LWz\nNH21h+AQbOk9S6q7aO97WRGv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT9QGKOQEa0VHgbksbTQZSVhmCe0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKew3JHcHTuLWK8foeT3FrVUXmiaISFX7e0znh\nSPKmQjPKAUKpHGTsDLuDt7SmFiOUV+GI6QVNRE8eDjEB3OQyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh7kKdJ0DZJRi+5dbPiVbgvh291UwCgYIKoZIzj0EAwIDSQAwRgIh\nAMQ+MDqiBAXh1Eo1J7fDcLbKrSo13l9KDF3Em7Di4c7FAiEAl6DrH8JGG7E6ApjC\n9YLGxCSIIBiMJCYiY8onOlut/Rg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUMpQX8eT9Fjo1SY3blzXwMeErxTcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjAwODk3ODI3NzA5Mzc5NzYyNjA4\nNTY4ODE4ODU2OTQ3NjExMzY3OTAzNzU3MTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMWw58IhiId10u3xtgL1M/tKCpmtqKusYdKYMNTQFuj630FUkLXLW31c7jh7JU+f\noJO8ca0j6aKGAJDsaAerYJyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDHF+w+O\ndEJQOBPCCrJCN7nNFHjBMB0GA1UdDgQWBBTu4s3yyMnh/V8eCpP061+HnuDBoDAK\nBggqhkjOPQQDAgNIADBFAiEAraxkyEdPYJhk8WiwLgdPro7Z980jYiIEt9ZCU+oE\ngYkCIB+RMfEMEbsJzEPyiAHK3vwIqPjjeLlgEWrzcQ1WjPZg\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPgU154etPVyb9Kp5/Qf+tQwmAi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NTU3Mzg1NjU0NjUyNjkwMDk4NTI1\nMzgzODEwMjkxNTA4MTU2NjQ4ODM1MDE1NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLV3QfDfRGIIIzbzog2YYhSLNvNbCw2KtZQHVz/UHAvdwGorrKwlL6DeMoiwjZm6\no57fBt5xUUwHj3o7+3FmjlOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIe5CnSd\nA2SUYvuXWz4lW4L4dvdVMB0GA1UdDgQWBBQXvJqyr0HOnpAP+3x+mBQSqGg/oDAK\nBggqhkjOPQQDAgNIADBFAiEAvwFJWPGVI/dQJaIRxhozHcMds6yQiXw/DPRu3FpM\nBe4CIGaEDytlMtuOu2hISYaiLLLMD9DV+lqLMGPRr/dwjfME\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZYjo3LtwNYSaKfiqDIgRBBZrZr4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwMDg5NzgyNzcwOTM3OTc2MjYwODU2ODgxODg1Njk0NzYx\nMTM2NzkwMzc1NzEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWciw\nwUzu+Mogbfq4PbqWPUk1gLcvs1a4xvFZ382SfLVGgzF1T/3B0cXKeZPZKiRYcvnM\nYk7PVA8Ku4Y6bDU9vKNyMHAwHQYDVR0OBBYEFNQH/qTPkspq0RzZIxvewHJMz+u0\nMB8GA1UdIwQYMBaAFO7izfLIyeH9Xx4Kk/TrX4ee4MGgMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCCxTJ//OKlnzQ1T/DH3dneXQ0ULVbyv5xahEDbjyiiSwIhAM66j85x05vl\nDqzo0Lkowo+aylommmDi/L1E+aS9ugLL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUDh5r5gGJ/xrHX+eZn4BElgn3rPwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU1NzM4NTY1NDY1MjY5MDA5ODUyNTM4MzgxMDI5MTUwODE1\nNjY0ODgzNTAxNTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqYm5\nyAltJPNtUzTOLNAE3nI+ZvAtu1Z54rfuKEAoeiFSPFoQyAHEF9k1UdN0fIlZaThh\nihDCX88QutvSLOvP8KNyMHAwHQYDVR0OBBYEFFAarM1zyQ69vftQRBJ41QEJjV+b\nMB8GA1UdIwQYMBaAFBe8mrKvQc6ekA/7fH6YFBKoaD+gMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCl1HRBraEY0xFw/do2AcNUhUQv+fnUdbaWkiMJGvq1SAIhAJ5xhUHLkp26\nnTmY2uhR5y/ZTnRF+KPLV9OHNGS8xWq7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIm/RdWZfITAemBrLwnlrxL6R0QQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToFzkUTj2zc62J91mmhGdv4l1EDQAXpjRcsrXA\nFIp7QhB0fcClppj2epJtF8v/n5Q7yVyr74LN3PyGpYEihZCqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmDdO9lPxdxdFR8xcygwn0n1zyIowCgYIKoZIzj0EAwIDSAAwRQIh\nAOJArR/hJJG7OiO2bPx3+IcAkQPnI3D+8dvaGsEql4dbAiB5XkEmOM66FFq+N181\nhLmVFCnip0XoNAoFzXdEivP6Og==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbdwfKGsLNqad1hIa/zJSaat1ezAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7oTXS2RbtiAZpXY+EI3GOJiRVpxBNPxkPtKgs\nx/+1kUVKxuTUdoXqfLNLtOqKK7mV9XvYlefdCHRwA7Bjnm6Jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKLNp097+JBI/PasWq7xAxN85Vb8wCgYIKoZIzj0EAwIDSQAwRgIh\nAOtk5odLU35ZI6MyWjCSfF94Mla2wTqDbWuG2YRRjcorAiEA13KHgSNt8PTeoYpK\n61VjgUGA2A0+1SzKi7EezPDRb8s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFdlYy7ArNQNkPXSwep8e7JM9scEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxOTY1OTkzMTUzNDE5MTkzMDc1Mzc1\nNDYxMDg1OTMzODQwNDUwNDYxNjUyNjI1OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIJKquHEsqZbPnTJHSG3LCvWxkMzXp5BVyEnq240pJ29bqdWgc3HiouZAjBrrCWq\nFbUWxG/EzOh/ZAT6DvP+nvyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJg3TvZT\n8XcXRUfMXMoMJ9J9c8iKMB0GA1UdDgQWBBQ+z9rDCRXhkTLGOh5n/dDQAeT+iTAK\nBggqhkjOPQQDAgNIADBFAiAUuE7ojUhICgh/2DJTH3QXWr/3Y9wvjPvk7UpMf2PG\nRQIhANjzhyovaaU0a8yUL9QeV1ih1EGiDJhC10SCScqDDUF7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUNdc5fNNBzJJvkniBzBzb2BVLCBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjcxODg4NzIxOTc5MTk0MjU5MDMw\nMDY1MjI4MDY0ODUxMTQyMTI0ODAwMjMzNDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJVHb+RAv8mHQzdrpzB1xiocjn4powCZuhLwlkwd+BmTCNOiDLC9bvHqlFS1T+rL\nTIHJD4zE7U6qvaio5UKFd1CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCizadPe\n/iQSPz2rFqu8QMTfOVW/MB0GA1UdDgQWBBQeVhIwvWGvBBdSJi97ycJQ07LJ3DAK\nBggqhkjOPQQDAgNIADBFAiAyKONOAiR3X4RyZ6POYYXkGFO48G/MiSRuXS+108SM\nnAIhAIpO3opCB7HdQC1y6XRJ5xUsHGSJJhP7k+E7qwtb941g\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUdAwRl6cmUTwqkUkaudFCWtXOODAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk2NTk5MzE1MzQxOTE5MzA3NTM3NTQ2MTA4NTkzMzg0MDQ1\nMDQ2MTY1MjYyNTk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1y+6\n5WMPKLZElQlY3HG1+L4lApbdvQB4x/KtUkcTex27SjDMWD88lQ654hH8qqTxgS/I\n4TxK7+f+SYJifLe2DaNyMHAwHQYDVR0OBBYEFHYNe/vpZzkvPHMoWdZKTDK0CpGl\nMB8GA1UdIwQYMBaAFD7P2sMJFeGRMsY6Hmf90NAB5P6JMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIE2wJLGKjUavvPf4u9RSopAgvJhE+6HZPCV2hCNfHO/TAiAYnY5oOM9rMDna\nIfw7v/izHD/xC0llb/GZqxhfwSbovg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUfpcorFKUu+Ufyp6d1zJQqyhsHkIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjI3MTg4ODcyMTk3OTE5NDI1OTAzMDA2NTIyODA2NDg1MTE0\nMjEyNDgwMDIzMzQ0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfZ2\nfxwwmhCRqq+AslJMX5iAUC6UvTpPvfPWSXJbbeHySBOvZRTGkDzZcTTyfZmSua+n\n8lA2Ezxvu1fCYH7YNqNyMHAwHQYDVR0OBBYEFLeJObypBSv3owZiFIkHWz3RQkiQ\nMB8GA1UdIwQYMBaAFB5WEjC9Ya8EF1ImL3vJwlDTssncMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIDjzN1m1xMfi0TQ4Uqa4QQwOAmhCYuaP4Apvvg9YYFmOAiAkts3t+zd4d93p\nkJVBU42qdqVt6QxU6ehvUkfT8L3Y/Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULA+j/mhmMxq8/F45CJ3Jiro174gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWT8uUJ5+g6KgCv9zNGTCXGBsqyNZvFEeTJmZE\n349PI2hv9FQccgEVH5qW/KiEaQZ9KW3UK8JpgaLctowqw7Txo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtD1ORebBu0kmZpI+Jjvo5w6mQFQwCgYIKoZIzj0EAwIDSAAwRQIg\nP6NI/JtUotGwLDICGz5b0kNmDxCad5oE1QlRwT6nWToCIQDcLf8hY76zhhE0978d\natt81a78VH9yNZVm6Vmbws+BQg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQu+WfM66O4HXyZpyUSBG/EYCCo8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvSCE9aDnGtwvfTV1H4Qq8BIkbpm19N5F9LxN2\nfaKw/GGM5/aEKPbxHy/nzyd5ZVIaMuYoWu4Vsx5CoEr3GK/vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvl42rvpBbjxq9hEGBjgsIc97OhswCgYIKoZIzj0EAwIDSAAwRQIh\nANot23b62xYFqwi7a3yMPzPxeRSB4YPIzc6/WBmNzrcKAiBFxznPaNrvjYUAL0JH\noOjVh3NS+YLITJc3jMFbp7QXgA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbyXtyO2KO+xeCpOVuVz/hVte1LswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTE1NDQzOTA5NjczMjUzMzU2MTQ0\nNjY1NzY3MDM2MzA5NDg4OTczOTQxMjY3MjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHXn9p3Y9QElq7xE24MroU6xwNpM1YaHAFQ+AEp6XHYzTWaRc3ZQo/WsfSifz9M5\nTzZWVTXJaH45w8KwFRROnVKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLQ9TkXm\nwbtJJmaSPiY76OcOpkBUMB0GA1UdDgQWBBQvkF7h9co0ju+wT/bj4U9mj6Tr9zAK\nBggqhkjOPQQDAgNIADBFAiEA+WOF5K9YjuutUs5WL5OKUKESbNYeIp+ZMg77Grva\nEowCICvEDF5cl5RVJGJ0+956zGZskqW8kObblOx3prtZvRqh\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFWqfPu+mY1v+4ym+y4fKue9VkxAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODIxMzYzNzgyODk1MTM0MzEwNjAz\nNDM3MjM3NDU0OTY1MzE5NjczNzY3NTUzNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLJE5RM62L+ARTBUGYb7EN1wkXFELdiR+PItrlGq9Vh3Pw1zQOKZwfwmEi3Pczuh\njLT6rP8/yqomwcTRF1nJq8ijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL5eNq76\nQW48avYRBgY4LCHPezobMB0GA1UdDgQWBBTQmJkt8qV105QfHxLyX8QMFgAztDAK\nBggqhkjOPQQDAgNIADBFAiEAiKA/QvVbLzrFN8yBDOjDxmLKGtlWKgL53jG459IQ\nfb4CICyYYDeRLgVjhrTZ4E3V7KfBt8yODjjItR5eQCFEqr1h\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIULXIDUxvjQz66jJC8D9hz2IxgY6cwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUxNTQ0MzkwOTY3MzI1MzM1NjE0NDY2NTc2NzAzNjMwOTQ4\nODk3Mzk0MTI2NzI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzNDU0MzgxNzExNzc3NTgxODk2ODg4Mzk0ODU4Nzg0Mjg0NjM4Mzg0\nOTUyNjQ1OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtYmQSShDZ0F4keVXfF6odPjJ\nBSZoyEH7DyKRW3cgugacmUH2tdM0ODKkzdokNeL7GsbXbvwkLMqrKmkWqRSfM6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUL5Be4fXKNI7vsE/24+FPZo+k6/cwHQYD\nVR0OBBYEFBTafAudjTF4jyRdOROeeJcR3G/iMAoGCCqGSM49BAMCA0cAMEQCIHt3\n1hRsr6YKZVAEHyvq6lTJp8OW4AbU2JqV4kkymsnJAiA9sxpy9AxusKPk5mIRGic5\nvYI+KCyPlk26tX44/CfClQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUeqc3MCVO9PQGKVV+dhBbewpgfDQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgyMTM2Mzc4Mjg5NTEzNDMxMDYwMzQzNzIzNzQ1NDk2NTMx\nOTY3Mzc2NzU1MzQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEyMjI2NjU1NzQ0Nzg2NDIwMjU1NzYwOTM5NjYxNTkyNDc3NjM3NzIz\nMjIzMzIzMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzXL+TcVdatZxZknjDs/9Eb9O\n2SiMwViokEcRp5sp72SOg16QWY2bq+A1DDrSBJlYA+0oJug4YlrxpknXCG+326N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU0JiZLfKlddOUHx8S8l/EDBYAM7QwHQYD\nVR0OBBYEFLCagyJamBZ2YrCsQItEyDKbKuqVMAoGCCqGSM49BAMCA0gAMEUCIFzV\nJOSuKzWAPYngl8wkXcrK7sPQqq5FUHkyULVAS2cDAiEAkQ0IyA3GHGv04Nym0fBE\nRlsZ5znCITMrXZXrxLm0GQs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQPAp9K4exWBr+RQALBUebgYQwK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATNT+DpDdnV+ooBsAJ6No8+nIm+rQrobhHXEjXz\npykTqwYmDXpEycA90zjqwSfQH0CO6oeXHgEWexAAYWUuHjumo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAvO5xocCwLz5LNC7jELTs2f505gwCgYIKoZIzj0EAwIDSQAwRgIh\nAMmawD5gm5MtlwFE6ADCB5hs7naIZEcyJIWMuo5juIUXAiEAr3LDP3mboQEeBBbA\nz++8qWStOcGzQ8MUmgn8DQ4GqKo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbnrPBBYlmJfEoVc3198UiGnqFCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0QMVy5h6IKBX0p3knf+86RrLiJ0HE58RZmIrt\nPUBCyL1Zq4FpxJ8HyQdt9K7VB6TlstGTMPUktRaHL4tDtCGvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfgCiP38mImKKL+rFO82G741Kw+EwCgYIKoZIzj0EAwIDSQAwRgIh\nAIQiX3WBFXynvwxgcNNUbcqL6OyamMKQhgphDNWTd0ZIAiEA85gIPSOowuA5r1Mw\nEIU5fE0B6zvrnYGJaP9NB/aBZ1A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUURgQJxFvm+5RFxoVkbhQFZUs8IMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzA3MzEyNDMwNDQ0MzkyNTM0MzAz\nMzAzMTc3MDA4MzI1NDk4MTQ0MjMwNDQyNjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOQItwRSBWtxWtq6MsGek6/SRmNDMvTyL4edgyGyhu8QK6ITVFyA8Q/fppLbOmwc\nIeirmaE73ogUAVWEPAze9JajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFALzucaH\nAsC8+SzQu4xC07Nn+dOYMB0GA1UdDgQWBBTmNO3ZJwyMdKhdrutA3N5JYgbifDAK\nBggqhkjOPQQDAgNHADBEAiAaFFdgFRVTjyPSqgnmYnBXVifeI6VlV1ECnf/dMjUC\nlQIgZBGnHD5sIx8HfEdnvLvB7069T7t8b+XY8l4rTdKC9L8=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUH1MbIy/vfupfjK0PldQj6OA98sYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcwNzMxMjQzMDQ0NDM5MjUzNDMwMzMwMzE3NzAwODMyNTQ5\nODE0NDIzMDQ0MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ2Mjk2NDg3NzQxMjI1OTMzODAzMzM1NjMyNjc3MjkzMTg3NzIxMTY2\nOTg1MjI5MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE73p5Ifz7E6UDlclHUeT6Di1j\n0qGjOTxkRc8Wxvzp/1GuKFsgUqg8S7laUVrwVj7Dt3gwAN5nxq5giSsir6WSI6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5jTt2ScMjHSoXa7rQNzeSWIG4nwwHQYD\nVR0OBBYEFIQRvNva2rQmY8jy42zpQm/qJtD7MAoGCCqGSM49BAMCA0gAMEUCIQCY\ns+rnK88ca+WXHbALSfZwJ/NgzT4S/nkI64pSHLS+DgIgH0cKZZgb6BHD7S7Nqlsc\nFGBSn/l/bR3NS2abD+ZbfQY=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUBA5Gpw7i3Ddcuc1LkEm/lHw8JFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzA3Mjc3MDkzMzg1OTg2NTE1ODUz\nMjMyMzI1Nzk2NDY5MTEwOTIzODI4OTcxOTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIwdQ2xTyLFvYIXfncXe6BClihyc6KaEtGH2dS2ekk7tIyfX9dduGrl7IWOFLMR3\nx9vPwG4ZHbboM0XugQX23YOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH4Aoj9/\nJiJiii/qxTvNhu+NSsPhMB0GA1UdDgQWBBSG7wGTLGXljazMjXM7MLLTTbtoQDAK\nBggqhkjOPQQDAgNIADBFAiEAsMci9UPZPqXCKaXNFRX3TsasEHEKJl9+pIBJRNgR\nNngCIBvjUk1pJ4KuvPWkfarATbjIOV0SJsCXHd8v8AufzvhS\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUUuj5L51e2Htr2emJz9M0hlQ67cIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMwNzI3NzA5MzM4NTk4NjUxNTg1MzIzMjMyNTc5NjQ2OTEx\nMDkyMzgyODk3MTkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzIzMTU0MzI4MjIzMDMyNDAzMzgyMjc5NDE0MTk5NDkwOTQzMDc0MDg0\nNTk0NzY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQDF0LILdgvSVYIjAu7ewhkbqxI\ntvdcWBQGnboHw1Px+DeDf6tpKeSNlZSwYCg/tcVKM2uL0wivyDP022OMMr2vo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSG7wGTLGXljazMjXM7MLLTTbtoQDAdBgNV\nHQ4EFgQURvJjXehC0l/OdULF3tFJMP0rIBUwCgYIKoZIzj0EAwIDRwAwRAIgSs14\nHtCwEjO6+ChZPIvGig1wNK1/xqGLXc8bUOGW18ECICAI15JFSqevYox1RoaCUXAF\nmAs+YgkGsz7kKKI02ZDh\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUalvetAPm9sgHJJgMnFQYvTSg6iIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDYyOTY0ODc3NDEyMjU5MzM4MDMzMzU2MzI2NzcyOTMxODc3\nMjExNjY5ODUyMjkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErABc\n4G05714WoLQz3qllGGotGJDZjvG1/WChrip+E18xIx2RUJCrbbRwLUm7KR8oxXch\n2Jb328Px2er3lBr3+6NyMHAwHQYDVR0OBBYEFIu5ntnzDIA1OqO+xCkZRx3ZXOzc\nMB8GA1UdIwQYMBaAFIQRvNva2rQmY8jy42zpQm/qJtD7MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIAIVHf8q+YQzt7VeJUsUXSZcjF18PyCa31cH8j7ZYmMiAiAzbtTip100iUf4\nnQs2wFHLQPbkatOx2yNfbPe+dlBVqg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUDBX3cBMzGVjxkEA8HY2C1WmQFIIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjMxNTQzMjgyMjMwMzI0MDMzODIyNzk0MTQxOTk0OTA5NDMw\nNzQwODQ1OTQ3NjgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWtp9I\nQfboJiXZA83GjYzB0qbtsry10vPb253N0c4RHbSoxSguXRMGij804cGSVPATtxc5\nGVDbWLu6RWBFwkSxo3IwcDAdBgNVHQ4EFgQUoFaYzewseSsaZWEIr4HDOgFN50kw\nHwYDVR0jBBgwFoAURvJjXehC0l/OdULF3tFJMP0rIBUwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhANj2CSa3peARruRUqU3Ov5QTK3ECGijOnfalCVzeyqNAAiEAhPgiFVSzxLHY\n1g8pKCi/yYkwd2OQ7Vpw4/HpWN5Bnak=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCMfqw4LpoGgpkBgSojW0apgbeL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT9z3gtiFIyGz/zUoVh2zAAzWqK4yeNvWmTxoV7\nsr2uKFWVZCJJq6j+YIFYg1vI9eNpiEyrfixJzMEyp+tzZg4go1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX/kibNVDRfY9cBIw4eLjVSKrSZcwCgYIKoZIzj0EAwIDSQAwRgIh\nAItbsnG6/cNe+Ce3y8Tg1e9it9YlyQr5SBOlDoKiiCOdAiEAkLhahmozpwPuzR5M\nnkbdYwjNuO+RIMDCPsy7+h6QsNw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdtDjmLAhmRTRVHf4EVCXmoiOAfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwf3pigTRxDVwzc7nHl8EoMDNbzQOoN7y0cgVr\nb6tq/aD/bh+HlhVBhA0cy8W3WCHY5wvVatVjUPSo9mFGyTpLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOUzYDhLocxqF94xilhQXGAlXq+MwCgYIKoZIzj0EAwIDRwAwRAIg\nYWVvn9Oz4mphL/fdwykxy8PxtU4IBU13XQ1HvFtxS/QCIGgq0iiuSCGzIeUbYDwy\nXsVGRHLJXhRywwwsk3jJWeqn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUWh6+fl32dDXo1QTB/dGiyp94kXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MDEzMDIyNTI2NTA4MDU4OTczNzk1\nMjY5Mjc3NjA5OTQ1ODMwNjU2MDE5NDc1MTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nyjP3ROFs7YcLBS7r8uYlebKnWqxMe9chhfYgpJCkcTe7XOsVLX7t+U9sUahPPD5+\nryMo3oselZRR/ZAXLQ/ukqN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUX/kibNVD\nRfY9cBIw4eLjVSKrSZcwHQYDVR0OBBYEFK8qdZxrtqmJes/Tj0b2DRk73HFWMAoG\nCCqGSM49BAMCA0gAMEUCIBsPVCUJHael+PGrkpi3s5ARWQhdP2kxMJmkX3h8w9Ky\nAiEAhOElcuqyfVVsr5bxIqO+ugdBJnT480n8VpxQKlgt36c=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUQi/cSGwSd06xxCf2NUqP4FHqKdEwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTAxMzAyMjUyNjUwODA1ODk3Mzc5NTI2OTI3NzYwOTk0NTgz\nMDY1NjAxOTQ3NTExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNTE0NDk0Nzg2MDY0OTA0NjA4MDI2MTk5NzAyMDQ4NjYyNDM0ODA5MzYz\nNTk5NzMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQXrIWyq6YBgdmq8YiS6KeBTz3H\nj4l4qiwb4F1aJKahKrFlIa3V11uAyp9/55yEEWVXHcVD6PIDzhZD912qXz/7o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSvKnWca7apiXrP049G9g0ZO9xxVjAdBgNV\nHQ4EFgQUzkHm6YWMOj8oSSaGNIDhtCfRm5UwCgYIKoZIzj0EAwIDSAAwRQIhAK/Z\nAc8XJ21D0QUoSle8l+/8txKkkjLcbUL+G40+QjoeAiB8ALm6Waf3UPYyIu2bnfeO\nSXsVUUibHebgE0R1i1dUwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHeTP3mC4vKCIDeNTCwjPY5WI2qMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NzgzMTkyOTI0MDQ0NTIyOTI5NDQw\nNzk1NzIzMzE4MzM1MzY2NjYxNjA0NjQzNzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBXRgOdDQdfKlcgxwxnthtR0UsOWKRX/dvjyRHgHwWTHdm7D8wDZZs8DgG5EegYl\nW3nM9am4G3rPJc5svmL4NQOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDlM2A4S\n6HMahfeMYpYUFxgJV6vjMB0GA1UdDgQWBBTMWacumfUt/dF3/CEddj0Eg7CEdDAK\nBggqhkjOPQQDAgNIADBFAiEAt7M9yAv+Bj3yTYhYzFDdex0wS+ZB+rQj7fdDEfCg\nMqgCID//rFYtBaRGSs1F12344XEJ06Uqdkgaz7bwuLZWcUR0\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUKDFtiXpH5J9KFfRdu7DU9aQF+bUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc4MzE5MjkyNDA0NDUyMjkyOTQ0MDc5NTcyMzMxODMzNTM2\nNjY2MTYwNDY0Mzc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE3MDY2MzQxMDE3MzU5NDc1NTEyNzM2NjYyNzk5NzgzODM0NDkzMzE3\nNjA0MDA5OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUtcJ7QSpK2yuAHXIaOm4Gm4d\n4UPBiwCZ+oX03d5LlSGCRSNQmytl3n83latR60ZI4+NndN0w0TjJjB60NIgmeqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzFmnLpn1Lf3Rd/whHXY9BIOwhHQwHQYD\nVR0OBBYEFNcsdiyfO3ZJoLlRUtGHoK+LSqTyMAoGCCqGSM49BAMCA0gAMEUCIFqB\n0yKrymVC8Gb+ByrhTBsG8RAUSfzFAQd7sr5XRue2AiEA4co37Cwi+C2C/PY/1zjg\n5SLUhj6T7nUPX5IyY5m/vg4=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUfDU8oLHPcloFDSkr94emppG7KQcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE0NDk0Nzg2MDY0OTA0NjA4MDI2MTk5NzAyMDQ4NjYyNDM0\nODA5MzYzNTk5NzMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMCPo\nCXrJwbjFxekm3iLYciyQTahflYwVbX5OnQG/ZFGUSHSRfqlW6LGPi4J/jy7T2PnW\nqjoSE7R/6foswgaObqNyMHAwHQYDVR0OBBYEFNbk4qvjCwIo/pxWqenfn6hh5gcF\nMB8GA1UdIwQYMBaAFM5B5umFjDo/KEkmhjSA4bQn0ZuVMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCakuDVnUqBSlwGiJ5kYpNYEOV4Ya0/VEcrF+eTwwdlqwIgFgZiKnCivaVo\nRn6t7LLQ8TWb7SECSWTh4nGM1ni59bY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUZCLQ9RE/7VyuMC0mAH7L43anp9YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTcwNjYzNDEwMTczNTk0NzU1MTI3MzY2NjI3OTk3ODM4MzQ0\nOTMzMTc2MDQwMDk5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5Gqq\nJ2PsOKxtuPTFTrqIYoEp1NU81WQVZf0rMhBXa2YUa/zO1vyxbmqm66KilZHI8spX\n7kTKMn0hsbii7HpoKqNyMHAwHQYDVR0OBBYEFNQ0A3M3x9TyVKKXUMCornkZh3sM\nMB8GA1UdIwQYMBaAFNcsdiyfO3ZJoLlRUtGHoK+LSqTyMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIHqxQGbcJ8DRoWK/vxuCw8JJ9w3ni0P2GRfTbyeUgqufAiAcKaXHIoawuuFk\nRppaaJC9n5dZnT+3D3c3rrFF1qq4QQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeVNUUBS3C4+9AbjB9H/Y6I/+JZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVguUoUZr3+fzCD8iGqOjcwXnxByTG0VkWOqFO\ncUekT80Q+Rszy2igGke75fh6+3Yxx8xHjhmmsyoTS5h+GHrHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjRjB0Bjmclh4wNeRgxBEvmtQu/YwCgYIKoZIzj0EAwIDSQAwRgIh\nAORDNlFiW3ZBrLw0U599CNSSQPb0ulBgTQ5YzGulKv2uAiEA63EW9iaOl628MVqH\nBXZVWXT83HVUedAAyozEHVNB+a8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDHl6q8/ASvpvC2HETg6Z4jptFJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsILZBQa4r5J53wj3r1Z5bLHgSDb/pKTeI+KxJ\nri2gLjhQptDpbFBQpIBkOQQDfOmDWHSZT84CXfz4QkCwSJ83o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUelSCkLkinFopPbZfgWJgffQaz40wCgYIKoZIzj0EAwIDSAAwRQIh\nAOQc8EY8fKBoBNm/9hCLqe56iNZK1cS/eZk3KZgJRttiAiA5BaGwrmshse/quqg9\nLKBRWowwgfxBvnpTtvUYsIaEEw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUPaEZPm92SezX+8A5XMizz1YjHU4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2OTI2NDYxODk4MDMzMDUyMzA0MjQx\nOTEwODYyMDUzMTA3NTQyNDkyMDI2MDc1MDYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPUS6PF5JXgypVn12+I+MvlYucYz5Wa0UciIgYuPU0kGxtOye6GbRGdl4g8QaoVI\nFH39ixaFDydva+Hs98rdqLOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFI0YwdAY\n5nJYeMDXkYMQRL5rULv2MB0GA1UdDgQWBBR3VvINBpHYMuYccPM1BaTB6CeqOjAK\nBggqhkjOPQQDAgNJADBGAiEAnilHjPAVlUXCVUIQ6CcBU79ilkpFnXUI+Pp62Ctr\nsx8CIQDZC/8wnZ1Njgmf2dE5JUIXRbEY6JbUOeR4JfZNK8C9QA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUfuqep0WSp61kFLrhHtP3twn3JMswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjkyNjQ2MTg5ODAzMzA1MjMwNDI0MTkxMDg2MjA1MzEwNzU0\nMjQ5MjAyNjA3NTA2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM1MTg0MTA1NjA1MDAzMTE4MjM1MDM4Mzc0NDI0OTkyNzYwMjI3MTYz\nODcyMzkxODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBAw7chUDuvq9LqWLV3Oex03s\nsPTq52ihdxXVb+5OPd9jJP4TZ2NjEdPPdrCwlMABHnnuNs2Ec9gkmehOy58A+KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd1byDQaR2DLmHHDzNQWkwegnqjowHQYD\nVR0OBBYEFHVA+eUe+9j8GmUe45xT4xBqkD/2MAoGCCqGSM49BAMCA0cAMEQCIEev\nHDis+2bF0rgvvU5EyOG2sBSrFijNhJKGlX5JqdxuAiAW+j9q/mpFZUV63n/Q6fob\nCtGlCD7EzMvAzjE2kkQabg==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUAL974nSbAF+Ry5xVtWdpw/TmDmkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUxODQxMDU2MDUwMDMxMTgyMzUwMzgzNzQ0MjQ5OTI3NjAy\nMjcxNjM4NzIzOTE4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDcyNDU2NTAzMjE2MTA3MDY0NzczNDU0MzgxODUxMDI3Njg3MDI5NDA2\nMzIyODEwNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+aRmUh6Att48HLJUk1GNbl2z\nHpX304egMOVH5pMRTlJSI3yJyORP3sE43kBBYG++65FS+vTf1wMwhzmA9XGE5aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdUD55R772PwaZR7jnFPjEGqQP/YwHQYD\nVR0OBBYEFMg33Au3UOzk4S6gm4rdNAEvnBLLMAoGCCqGSM49BAMCA0cAMEQCIE8u\n9+Chd2PuyLEyMXBKvSc1zGlUUbzGybhznCL7JtK3AiAJLufupBttt94ejGDio76c\n3M12vVhGM+vdrqyNsEoaWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUBz+okIWKL0IFuhSFlwDFHHry6fwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC83MTIxNjk2NTU4MjIyNTMzNDc4NTUy\nNTg1NjE0Nzc0NTQyNzg5NTE0ODY4MDM0NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1D1eYdk07d9u79HmrWCHpNamgbGPFLpgjPYa8yYvaeQ/lxKCQkg+LeHqx0elagPg\n3wZ/glTFl+zVCzCZkGIhG6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUelSCkLki\nnFopPbZfgWJgffQaz40wHQYDVR0OBBYEFJvbJDM37oOPfGpPMRyWPa3ms63xMAoG\nCCqGSM49BAMCA0kAMEYCIQCo41azx3IkB74AduYsXfr6Hl/xIhHmyP3DIGTtuHZ/\ncgIhAM7OyKa77MIdHMujypQx4j8o7gmL3P8jYb4yafgewcXx\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUE7S/RFNiPrFD+wHTbir/Hu5PUEUwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzEyMTY5NjU1ODIyMjUzMzQ3ODU1MjU4NTYxNDc3NDU0Mjc4\nOTUxNDg2ODAzNDcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvNDEzODI1NjYzODU0NzY0OTcxNzQwNzgyMjU5Nzg5MDQ5Mzk0NTMxMTcy\nOTUxMDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEqvHFk5dLs06Ir0UwV55B2UTCwW\nKGyOAdqMSOhkBMHWkocEpVB0f2kJa2jqPu4QRnwNOEM4rHFBU9A29tA6gVmjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFJvbJDM37oOPfGpPMRyWPa3ms63xMB0GA1Ud\nDgQWBBRX3eYDnADUZUpwwJuZuvTqj8m9wTAKBggqhkjOPQQDAgNHADBEAiBOaAWO\nVVwCmC/53hmUzlXOyFtNsqDtSLT7jyYZER7tGAIgN1pW9xFGfqCkAL//LUGjbUCa\npWExMbVkD6IdhSqHuwM=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUejWJHakqM8Gxao/3bMr/KA5qRYwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDEzODI1NjYzODU0NzY0OTcxNzQwNzgyMjU5Nzg5MDQ5Mzk0\nNTMxMTcyOTUxMDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwMTEyNTAxNjIwNDc4MDM4NDIwMjUyOTM0NzUwMjg5ODAzOTQ5NzE2NTQw\nNDQ0NzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT7uNSpUng9y58W85lTggWWOfbn\nHm1skEcPsYoCKXfP2/BhT85mUPf+IRJ8r/hy/ANzTCyuHv5Z43HQzNEag5Cmo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRX3eYDnADUZUpwwJuZuvTqj8m9wTAdBgNV\nHQ4EFgQUsIs31tt6HJ6CaEhHMw5ILUWSoMAwCgYIKoZIzj0EAwIDRwAwRAIgWvQp\nef4BQ77zFM31q2tQDAqQbBmrd1ckIuiiqKVuegoCIAuABQomkuXtWTSfHlPOtplO\n4xZv2V0MGBeKbRdMGrtt\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIULxmIVflelnehSJ4h09VB86C0LV0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI0NTY1MDMyMTYxMDcwNjQ3NzM0NTQzODE4NTEwMjc2ODcw\nMjk0MDYzMjI4MTA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbwx2\nVdRcGIVbz1enPOghIHeCGQJiQVdqRD1G/dNO/lYXRoTtXDOqjf+sr0zY0jvUB2rU\n54uG0AajQhLIIapQF6NyMHAwHQYDVR0OBBYEFKDmRskCONcS3XrmUiW1G/AU+u3X\nMB8GA1UdIwQYMBaAFMg33Au3UOzk4S6gm4rdNAEvnBLLMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCnnpFsiZsfzZSNV2VhOVWlOGxfhyCNwvJEfL1qXqGIngIgC/c+LUvbgrvy\nK7skA/IhJfefcoYvYogM+N64AESbv+g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZvtF5+s+Ro1xoG/q5n/mvLzBbwgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEyNTAxNjIwNDc4MDM4NDIwMjUyOTM0NzUwMjg5ODAzOTQ5\nNzE2NTQwNDQ0NzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbU3R\n3BsyCp5cAJALr3vnzkHrAgz0mRK2FAj4SZ8Qjk8Zwd7vr9p0PDir+5sdipYXp3SO\nRAjyqkdBvPdvM1pFdqNyMHAwHQYDVR0OBBYEFHHIG4R8/C2fA1ZKpuowUxJ/KKcr\nMB8GA1UdIwQYMBaAFLCLN9bbehyegmhIRzMOSC1FkqDAMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCiG+jFIg08YFzecx8dSk0pi8VrF0cX8Ns/RpQ9h+7y4AIhAJXwf5MjHl9a\n33zJDV4JLojXf2YVwB5HdwXRfnppydYy\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNovEiEUeUEec7G21k8/B24jUlxwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATszGFAZjOxrMOG/GghGjpdaKDUHYDQkBt3dvPs\nrrjNilKGWoo4JsiAF+bne5JedL9tug6XVsGZlcobOGAHJdNjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9FoPHlBvOrmSDe/IQDdE43Kkt+UwCgYIKoZIzj0EAwIDRwAwRAIg\nbi6gvEsQVcfub/TUJjRL0Ymg+nCHj0zDuJtYNG6+aJ4CIEHw0p0rvdv/+TNztkK/\nL4sPlemrqK54ZoGaZHGVGBz9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbTbNvurPl8GSzjHWSCWTfQGyWGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY0lbJ6DzVlRBUWtm83nPSmDM5mfbxtlS4OKsE\nevn7PUYW+ekMugOpI9WPPzNwTQRxNReHWTGxG2R2eSlGgx6yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNY97ut+8AqFRCvsIL5AoYtVG/ewwCgYIKoZIzj0EAwIDSQAwRgIh\nANVmmCgG1KDmP1OTU5Sl+gCdFfq51PmgtL0O5buRstx6AiEArEL1rsNoYgVeF6dW\nBKzgHB2tHe0lIsfvf34EINclWD8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUV7NOQ7cW9rzFJnACeC3cXoJSH+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMTE0MDI0MjU1ODU0MDE3NDYwNjI2\nODU1NjAzNjI4NzU4MDM5MzI2NDg4Mzg5NDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBALbfyx/Ks9MYOTdCGmSWu/zmDX04etAyaL6V9U2wYE3BKrtVENrWGRH00pCUhCe\nXlUdC+mlFIvgH/fXDzavmIyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPRaDx5Q\nbzq5kg3vyEA3RONypLflMB0GA1UdDgQWBBSOiEadPtgHawC8bRgcNdZL4GC8FzAK\nBggqhkjOPQQDAgNHADBEAiB++Y4CPQ2taY/Wt0eRpZ+Kl9XEZ4jKqf1b0aovNmym\nVgIgPoF+5QnrvkMdRfLzB3rlPkucaLEBcqNmsYulGPCH7EI=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUTslUuLISB54BdRs6zf53PGHdcKEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzExNDAyNDI1NTg1NDAxNzQ2MDYyNjg1NTYwMzYyODc1ODAz\nOTMyNjQ4ODM4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMxMTQwMjQyNTU4NTQwMTc0NjA2MjY4NTU2MDM2Mjg3NTgwMzkzMjY0\nODgzODk0MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErioJNrskOrD/HGd06hlgOCXN\nkSCBzngzzcweHwtdHLet8Et0yREPjtXkGw+Nibn3oZbS/dr0kQZQeAjv501MX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUjohGnT7YB2sAvG0YHDXWS+BgvBcwHQYD\nVR0OBBYEFC+7kTuePK0nCEv6AtfMKb1OZrERMAoGCCqGSM49BAMCA0kAMEYCIQDQ\nyNxB7/+Yne5oP6ZWaQ2fVdtmOctSbYzFZkDTmNn2IQIhAJdNcl6fOiBk50Cl4U0U\nwCWwOW1ai4bJc3PYnPJ3E1uP\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUdBTX2prrD/EmEoCUVPG04q+axJ4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzExNDAyNDI1NTg1NDAxNzQ2MDYyNjg1NTYwMzYyODc1ODAz\nOTMyNjQ4ODM4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ0OTc5MTExMDE4OTgzNDExODU0MzU2NjEwODUxODU0NjE3OTQzODQ0\nMzA2NTUwNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr44HPV87EFzfeY/k82X5k4bI\nbKmiWOtYQHgaRSc9th9IZWNmhpWA9cvSlAEDIXR9XKUcgZ2Q6bC2xCXunFUnSaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUL7uRO548rScIS/oC18wpvU5msREwHQYD\nVR0OBBYEFMliBS6GbBp3xnXPfS/BUuEiyy4VMAoGCCqGSM49BAMCA0kAMEYCIQDE\n9Uu7uxyO1JSF9rE9vk7g6Qf3fZ6ZzqDLZusJJrybzgIhAInBFT0mU1k1vcc0Ewvh\npN3WHAfPOSWCJ1D/9IwQamz5\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUfb/GTI9Eixk+Jv3XFlB15Yec8xEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjM1MDIxNTcyNDQ5MDIxMjIwNjM2\nMzI4NTMxNDI2NDA3NjgxOTA4MTg0NDEzMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPWBy8gYMelFPOGkNHetS7YfrVB7hL5J1tIv/mPxhl75RG3mMPsSARnEHiTpu/1\nnd8XmdERD6Uswo84py+244yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDWPe7rf\nvAKhUQr7CC+QKGLVRv3sMB0GA1UdDgQWBBTeQug+tTQR8gGbO7VaqNyYeka1sTAK\nBggqhkjOPQQDAgNIADBFAiBXDCWsba12T6qczrMZkM9lEdhy55Ebj3AV64xgCcV6\nnQIhAOXN/L3XObQWNhXy6zgZu7jddm4aJCBna5PjC+5EKkFy\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIULdtkjvIJgyh9wACCM3iPTaERwNYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTAyMTU3MjQ0OTAyMTIyMDYzNjMyODUzMTQyNjQwNzY4\nMTkwODE4NDQxMzE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYyMzUwMjE1NzI0NDkwMjEyMjA2MzYzMjg1MzE0MjY0MDc2ODE5MDgx\nODQ0MTMxNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAHa2b/1jtAZe2omRAIHB/a1z\nJ6AMoNHLKLMaePxzWpwSK7VQeBPuaY1Qv28UKIPsk6CCrQ9kuC+zIDj2bsvG3qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3kLoPrU0EfIBmzu1WqjcmHpGtbEwHQYD\nVR0OBBYEFCtvo42g3QntZ91oGc3S2prJ+n9DMAoGCCqGSM49BAMCA0gAMEUCIAeZ\nAJhTbYbLIup06h6LDpETB/W3hgAFRJI578w+0YF3AiEAiF6YuXKd10jcfH6ZMV8M\n0GRE01gL0c0JSP/EGVffkZM=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDPBjXMdHF+CioG4AHpQChbFk7PowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTAyMTU3MjQ0OTAyMTIyMDYzNjMyODUzMTQyNjQwNzY4\nMTkwODE4NDQxMzE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI2MTc5NzIwNzc1NTk2MjgyOTcxMTc5MzA0NzAwOTM2MDQ5MjAxMzU4\nNjMzMzkxMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYv+aPMLdyDtOZd75YZvINCH1\nRjytCWrkHti1wBE5zvEDtzMR1lp2uZ51TK/VE+3IUsNhIx77LZhpCULt6WxQWaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUK2+jjaDdCe1n3WgZzdLamsn6f0MwHQYD\nVR0OBBYEFJdOOnWcEQA8x+jwksnqd2GtTdfvMAoGCCqGSM49BAMCA0gAMEUCICX2\nntAwg/mDe7C9Twwt1ZqUG2UddUeYSCH4faAprQa8AiEAgdMS+B003vh/8JyzoNgf\nM5VpVbbhFPAk0I+iDVbKghQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUX149AXWUi2v68AAm8xubC+1pLAQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ5NzkxMTEwMTg5ODM0MTE4NTQzNTY2MTA4NTE4NTQ2MTc5\nNDM4NDQzMDY1NTA1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+uSS\n5dbPy6g2ccfvU+CjAXFa7ytP4tU9lx5F93tWx3unuFLQcjbit4BF1zzXatpAfyKo\ndTEfEY5SeU6gjGMasaNyMHAwHQYDVR0OBBYEFLLXCuDlkJiXP515D20JQY5JfT5M\nMB8GA1UdIwQYMBaAFMliBS6GbBp3xnXPfS/BUuEiyy4VMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDoM4syIe+zYtnQugO9n3L6v3uX9ZhsKmn09wCfO4GgqgIgb3vRMlmACmuE\nuefgFVAZuG1VZ3yOe4TFtkP+JREdbAg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUdok/yGbVjfCE2IMr2W3yu1FL+I8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYxNzk3MjA3NzU1OTYyODI5NzExNzkzMDQ3MDA5MzYwNDky\nMDEzNTg2MzMzOTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiSRV\n22ayTrUilBkNOZnt7eYEMXTnM3kPeQCXm99LX0emD5QOPty4mRwsjF86uQUqKdLX\n8bIRMwmj6aTF8gjgjaNyMHAwHQYDVR0OBBYEFPDGjOV8DIbMCJrLLEj70xRKl9v/\nMB8GA1UdIwQYMBaAFJdOOnWcEQA8x+jwksnqd2GtTdfvMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCaYCEIiKcT49et6bjT0dlio6204sz9cKrR+KdATeE8WgIhAKYVulwh2qtr\nnzf2r2loLHRFx0K35+AyS8c7up27OzBU\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUIlKcuDETvUvtj4/7R6GtLyPxPuwwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZq3hO3y9LWGv\nxvrrNtCZRp8Y9nmmB9NrkLFhi5nK6Z//UklriHxcwC4NyXm42cUKMBrHSDEHVn+1\nyxuxe4K0faNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHi9E82bEF0hELAhQ1+pT8byqdlm\nMAoGCCqGSM49BAMCA0gAMEUCIQDmeTB+4WZG1+PLFf643dJY5+08VnxHfm/QzkJu\naBGuYAIgMP1u5oQRy7opI3ObbO/l/kzay7dGJpyz5Kmpue0PMPo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUW3t0Q1HwFPeMmbfcBCo2wM9ekdQwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERHv2kPlDINJM\ngUUW+ztI90Uht1R6RX0Hw8eOj8wfYuZ/j19GpJmzSzxTcoSuN2T104tHizcBzMJf\nXsPAFskjQqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCClIIvffTdB2HzSjQhkbEz/8RVH\nMAoGCCqGSM49BAMCA0gAMEUCIHWhlFosHNa5RjqvyrQToYFnEpJ2l9m2MvpGcy8d\ndrQEAiEArH2E4Mh5Vbo94a224ZFpkY2pf8AH0WT8ogbN1iynoEo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUDD0mWk55f5qCmxLubnxjZnFQ+x0wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABLgmjobP20OJiI5SMuY1T+QbsgtLbi7kzWoiTap/OBaABnZk\nb0Atp6AgNnqqos3YkHonQRcQapCdfopo27w5DXGjcjBwMB0GA1UdDgQWBBTWMs+g\nxOhoRs0LIosi4uneJJXPzDAfBgNVHSMEGDAWgBR4vRPNmxBdIRCwIUNfqU/G8qnZ\nZjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiAduDjLsio5R6lWU6aw4a8u+tYOKDPdNG0Ja18w\nypnFfgIgdWWQYghMSDY1C5vUCyKZpQ9+izDr/fdJKVbP17LryUE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUUO8B+2agfNtIkEw5cGdkfXY2h1gwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABJjJ+ZcKnfCcU83GSLoHOAtjow3TOiuz21VIZICNw4oVPPDl\nD9bFEyVHvP1pgk+ic3awhG5vuwSptRQXwDln3ZijcjBwMB0GA1UdDgQWBBRChgxe\nkeiF7GxXlq1asqEG/ClsdDAfBgNVHSMEGDAWgBQgpSCL3303Qdh80o0IZGxM//EV\nRzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9k6UbMQfTX8XNJEUyGPRQMkk2+JSyvARRZRi\npG/6jK8CIQCLeWWtOSi6LPuP2eAcTIgFtS1z+0hD5gis95v5ZXLKJA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUfzhmN4pelEcobk1JI92RwF5M+LcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+JD/PFy8\nRIHWjftE+EtDFyaReFNyh4Gwa+vGeFAHMDdn/S4yxIZ2IifJQtFRvcCsPBrbDrc9\n5rBRpj06p3JacKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJeLrhUy7lyWIS6kcPhaLzgR\ncfcdMAoGCCqGSM49BAMCA0gAMEUCIFDud0PLg1QA1sNQZj/zN7MIKbNgjCWVTk4b\n/h1VRkeZAiEA5h1m8dQSjByX4N1RMoAGx1M+ljkt1r7mvG8SLB2s1v4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdjCCARugAwIBAgIUKItLjyOuB/ikS4ffjmNQfP3e5nkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9VO2pHe0\nGN4Icd0f5ButhFCPD0hEpJf2kEFp+0mNYdE1QiPty7hEb5dL5CBunOyVW9vhUAOV\nkeRSzaIDNOdxraNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJgX+EuGGH362QBj34EX/bFV\nQXpFMAoGCCqGSM49BAMCA0kAMEYCIQDzyglYblKqu6u3fKlIyTZV9r7cmecjRa4O\nwW5NdOWlyQIhAI+wQOuomvaxOMVISFXnUuI7q/CL7IzAhAHSgu65KkTl\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUbnZorA+4s7gtmbhE+PCtvDbEYEMwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASl+YwpKq7qsSvo\nTj1XwH2ztT/2v9NDXpWIQvu2iuSVj43K6Sh62SkO2PEJ0xFy1FDLFuGH6dTR8s/V\n1rrcfY++o3IwcDAdBgNVHQ4EFgQUimVrg6+Fpez42IgWROYjiWSgIA0wHwYDVR0j\nBBgwFoAUl4uuFTLuXJYhLqRw+FovOBFx9x0wCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPAW\nZHqIRfU5R6zAYmbzyOYfLrm+fVG75V12Sc8al+xtAiB8f7o7C6OdtaUeRp1vsUIZ\nfceHnfpZbcBtkYURTqNeEA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUIbwNN8mH08KI7vY2iIhD0n2J+pQwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4R8IWcK1HpFua\nfORD4OQKU12i+W0rPwIlS3on4Pp4McOWAp6glaIOUBjYHjHSEuHFIWBjD8pSdTeH\n3ApuAXcJo3IwcDAdBgNVHQ4EFgQUXXls6TgcOX84hrJJcfolPwMiIXAwHwYDVR0j\nBBgwFoAUmBf4S4YYffrZAGPfgRf9sVVBekUwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAL6O\nefdMtHkgMfbpGHgciT2OcZjMARa19MWrI6uRqhz0AiEApycpObBbSL5kgC92dKdA\nxux95JsY4DOJXs2MwTg6Ahc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDm49LrCGGMhsZBwtqbPaEoyImwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeQSOwQJ/GJQ6/1MdZWs1BuAOuDWALqcQpqrbr\nA7zbJOQiayuAy+Q+MPy4/ODo3sulHuPJo0DHi+lw1Cr92W6Vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU20lQypn/nH8WHHYebIt0byNj66EwCgYIKoZIzj0EAwIDSAAwRQIg\nKCVh18QK124iBgYzxEIck0cqfmhMdZmU9tsL04lzl3sCIQCfW9vU9zd2X2Udzvma\nr4t0kCXnedOQtBj7aQgiwPJwkg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHPbJm6zXt+UUdpBYT79muf/cfs8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDw268ZOnWc4o6skJRrjT2wUZcGaD5pjZXehxm\nVgFx9xviGpdppzZFL8HTXoOVj3CEZy65j96dOZzx3B1xux6Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz7rvnJebqmyGD5gvBqbpA4dWPy4wCgYIKoZIzj0EAwIDRwAwRAIg\nWl7G5qB2W8wbg0DHASs3dw8LdjuSaqUZ6YFsknKOzTECIB2d4VvbQM26/t8UOsTU\n6quLp7GXetKu9kuR6B/G+VTd\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUaeardGwR13/7Txrv3djTf0quTbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRFfhEcYNGiMj+QvnHfnkwDpmOxaEINYYu5H46OmEIx\ndvOfzOtZS1X7mCUnS0kzid3FOvcA50PMb25vOpx3DyujgYcwgYQwHQYDVR0OBBYE\nFGOBxStm6wXwFZTUgyKxdsYwejQ+MB8GA1UdIwQYMBaAFNtJUMqZ/5x/Fhx2HmyL\ndG8jY+uhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgMW3z\nTIFiSO6NS4thQ7DdwmhJwp+OMKhDuMP5zsmsGdUCIF3wMByUt6pKnayLX15tsbDZ\ngIUulsuBOkAhjbHqbnH4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUPTsGsU+54Yobhve0tZSiyszvcbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFdGbrMhGfZz+MVtTkbb89T/fFlECcrX0JoCoyQcLXcX\n6ENm5bmD3Y/V4+TTCXywyFeQlBbOj+o8SenpIQ4wXf6jgYcwgYQwHQYDVR0OBBYE\nFJg0vhsXRmZTgDvPlz9BKx9GmdqRMB8GA1UdIwQYMBaAFM+675yXm6pshg+YLwam\n6QOHVj8uMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAIrg\nuaX6WJ/Q89XpueyzImzIAas4FaD0Tf+fDp7Xy8Y5AiEAuxD/az6AWjXgOdUUyZzp\nvXbftnlTu651I8TH11/xyv0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUdI2jpAJ4Sg9MMNnqJtD6q3joqEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQW5sG8NAoA6mUW8qjfwialkIpjA2WKYkgtMkCU\nn0xDvj4X8PT2ljjwhnfzsXc8pGI/81YUXIDBUVnXAzr6k97No2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU102AFl0TsldjhYkZ56m4pbkfg44wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiBQowlxS2a7Wop3kUsKmmfRctzXa/Z4gBBIii+Y\nwxOcGAIhAK6Lm/NEiLwy066xP0jbFHt41nS1pnJe+ATmwLpBbQf1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGACJtzl98fpI7Bb3/3WVErZeHlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI2JH6y3rKxxm/a0ypF9RHy8qMIh43wmhP3dew\ntQrIsMNqGhoig87IqdGTFSp9/TbDMZELK1HnsTRpWK1Luac3o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlanuWH06AcDotTw+Bh7FIh1+mBUwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiBarzMmObvbtRMknxJWg4rdHEShKf7OhO1wEs3e\nkdjvCAIhAPaMAW/v6P918W81JKynrxHevFnNZQV4UuZZuX5prg39\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULP/zhb7td8Kjaf77Vbuu+u/Ep9QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAxeGd8COt1zF7Q5yCis1/D8DqkB/ZmVm/lp+Yeg090W\n7+V3/4EjuJ4ZZyhPB0OKBu3l4E4qnU7L9Ql7dtGbqEOjcjBwMB0GA1UdDgQWBBRD\nieSGweNcjb/yqdsdjizyRIGBaTAfBgNVHSMEGDAWgBTXTYAWXROyV2OFiRnnqbil\nuR+DjjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAx2f+596/RtNzqja7YwjoLHNA+pLgLTzB\nnUwcqu1VVbcCIA/u0Q2+HtCgQ/9qpyR1ek+1L14BIJELlB364lMqZQSD\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYFH/ZGyQ3JxqO9pqqv08mmEUA9cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOvLm8Mp6YdDPw7bwTceLXHtGBP9TOAe25n656cMINhV\nH1lLPejdSz3Zl6OlsMrmo3MTB7T7etKsNFUfRy5hm9KjcjBwMB0GA1UdDgQWBBTx\n7vw6KOwdiAHFd5nqnSXOnulhRTAfBgNVHSMEGDAWgBSVqe5YfToBwOi1PD4GHsUi\nHX6YFTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/gG/npfloPGmBP6LyX7yXxAj831SlSK3\nkqrcnUOIKkACIQC9u2RDhJXioixypkzUVXoA3h3dPKsOowC3rJ4oOvLbBw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVffsdDU0VEVC3uV3FbKQBnKd+BcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6787wsvxrz/hug6bWJqSjslqqNaX8kHALQIMk\nyTezMBEO4OcPvjaOSO4fv95MhGCTVsTH9xHQJFK5hhlWVgGFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbEy7e5N3Z/PCsVzybYulUYTYaNgwCgYIKoZIzj0EAwIDRwAwRAIg\nXXUABWDXzbskSbc1I6YG83f5s/3TRuKKZONFVVhsYIcCID2S8pwoy8nJRFWFB0i2\nLlQkLNeE2TvgofYdcyLCA0qs\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcdEssSZDJOozsVAVipGYRulRQJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWm9FaiKVoO+v2FSfNUXl8PQrOBODOYgUg6Tkt\nQ+Kcs6ypSYUJEnMf0CP2w2Zkd2S97nqXk6K9y7mDrmtB8Cplo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtTlcmCT4VDmWZ7zAUQoMvZWKxe0wCgYIKoZIzj0EAwIDSAAwRQIh\nAIMnNMFJJQbRcgI74/kjhgo+Ezudl4xLt2gcuuvaJHzjAiAzuaCUN1wtRn5NwEW/\nm4l1m6NxoZ8XFqIxau2UpY4jxA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUcy9vyOIXha95IUlh1lKKM6K5UmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTA3OTMwOTc2MjcwMTg2NzQxNDU5\nMzY2NjUzNDE4NjM2MzE0OTM5MzQyMTcyMzkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFr7/BcUviSczhvE5QgajTSBaQyVYmXU0+BJj/YlSEHv1O8+C7JBrp964N4vurBY\nnURwLLP7YaU2WAIUB0/0TOKjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUbEy7\ne5N3Z/PCsVzybYulUYTYaNgwHQYDVR0OBBYEFJpt8LSn/oG9FynKcWnAWTX3L196\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgFOjdHUj+8071\naVVu89/Pr/fLaO3LZdmNuxYpcslAYO8CIQCKm6/ZWg2BlS8MMjHLEJLnpDzXi+Xn\nxV4kw/HLs6l2FA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUFpGlfUg5zxBFHQzsq9DJxcu1tjAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NDk3ODA3MDYwNzEwMDYwMDUzODMz\nNjkxOTc3NTYxMzA5Nzg4NjI0OTEzMjA0NjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMZv7fCTEoAXFW0DFbiv5ojtH4kpXZgwxE8ffh1zKtzio29Lc9JVVYcVo9YD05Kp\nkaGoOzPk8GadkxCOzD2bLXGjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtTlc\nmCT4VDmWZ7zAUQoMvZWKxe0wHQYDVR0OBBYEFMnwt/2t3HGgvntQ7ICK7KjgBK0n\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAIozT/eovaSk\nBRrCwbes6X5jx0+VqJoZocaTzgPBeHaAAiEA91vVl5xsz68FWJTg06cdfWAdetpA\nwgpal/GcF8vfysU=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUB1R8BAeuIjdFs+mT1XkaDM9pTeAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkwNzkzMDk3NjI3MDE4Njc0MTQ1OTM2NjY1MzQxODYzNjMx\nNDkzOTM0MjE3MjM5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkqa3\nTzFSsnUFVYaGSnKMy7gpq6R+zRicIsHb+XTHIWV2Eaeq1uUv73pWleqmJ8M3Ny+1\neJtd3Bz/ydfsruSd1qNyMHAwHQYDVR0OBBYEFA4DNgprJO4v04sL6hOc6QzOnZpZ\nMB8GA1UdIwQYMBaAFJpt8LSn/oG9FynKcWnAWTX3L196MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIHzq1RZIS8P3v00tM6l5ZQo9TMLLJr2Zhlc6qt5uj0LZAiA57h5oqBhE0/g4\nY1fvsIqUXVDwTR/vKGHWIqXj3R7U8A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUM2ex+VrYaGjNaEvXljDyTTUxwnwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQ5NzgwNzA2MDcxMDA2MDA1MzgzMzY5MTk3NzU2MTMwOTc4\nODYyNDkxMzIwNDY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVK/t\n0nK6MxoC5e0W5WTDXs8IsZWSzGhCqzjfABhiyfFsrHbypd2n3MY9thxQo2Y2ukqb\nxU4fa5MS0sg+OwO+VaNyMHAwHQYDVR0OBBYEFGIBm9Ymg5ENmThkMAQnd8IHGFOD\nMB8GA1UdIwQYMBaAFMnwt/2t3HGgvntQ7ICK7KjgBK0nMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIDiCiLeQaTJgiNqu9MyDjBKoYXCg2sTep4tbayvLkQuQAiEA03iRztxCLxbD\nXcs0w6Zstkxe2Jcwo3lkCXiYldPIR+U=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUPalcRw1Si2W42zOM0TGAlt/MiakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATigAYIFm3NIfqFi2iQ2GxNR0KV70rzM1z7Gy8u\n34s+olYWCchnseWKXlboUJ+r4BM1DegHo6oc66Yu7TOneiPgo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQmtU/vqtghew/8Z6TpcFzUs4aOzDAdBgNVHQ4EFgQUJrVP\n76rYIXsP/Gek6XBc1LOGjswwCgYIKoZIzj0EAwIDRwAwRAIgNdJQatcIasRqLve2\noIk2upTFIJ0L+BxqcLTdt9AExYoCIFAfeBAkWtvwoJXwxk54tqcfQk1nIIXvNx3W\nM1KGtG9i\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUJsu2tMzuN2sb81Xxcnb785B6SWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOHvTDjUBFCMAxQHBFWBBv6cP8yPFpQ2tmy4zS\nZwKppZTeUQfubYZmcLIov4S6TtuTtUjtM7kvinh27HirtNUpo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRVMp7gLvR/FTg9J793XNpGZF1stjAdBgNVHQ4EFgQUVTKe\n4C70fxU4PSe/d1zaRmRdbLYwCgYIKoZIzj0EAwIDRwAwRAIgCGGuPUvSdw+SrUlw\n+HCcHab6+44Ym8A1yXE+l6Qz/lgCIGl6C4Id7bFv+3PsIR1jPvaaxDrtCb4vRS6a\nZdyEHC4J\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUBMso/hrzSPKYnkSNO7WDUYDn8qQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAUiIa60wQ4stbs1LErw5CCdtaVP5FIXS6MPUJE0a6/2\nC7eplsE8/4RakRjXAGI9wYlXuwDMgiFFNSKuu4g+ZdWjcjBwMB0GA1UdDgQWBBQ6\n3Wt2Jz7Vzesg8JKRcM73//L78DAfBgNVHSMEGDAWgBQmtU/vqtghew/8Z6TpcFzU\ns4aOzDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiA0d/fuBafBoMLgJHahQYUsQtY2fxFdPAYT\n9ivaBoqGawIhAPYu2XMv/OyoTHjfF5j0fctZxKNGwnF7+Z5sLvFAcS9m\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUU8zKGE02Z6pEJhvosm0iZ9hLFhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJfqzwiJWsLoN5HmqH5d3WVkAJfKBM34lszngEJZVFSF\naWASrRw7hECFPJBOw0Oh07cd9K521DFU4WMSmr+aQx6jcjBwMB0GA1UdDgQWBBRu\n0g1+/k/xFixaVIK1gxie9nUmWDAfBgNVHSMEGDAWgBRVMp7gLvR/FTg9J793XNpG\nZF1stjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEArZ0ZxnF+ktZbymXCs2+qa8PEapPAXTJk\n3u1kl0/ZIKACIQDkB0r+RnWYS5gaSnLv3tXe3cWVIDvYx3WvjWpZbb6Fxw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEMi/v2BazkIRp3eumcC6/+LfP3wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATx8vVytdgVNZmnjJeGVWQUCkeLkUZ7VmoTyaOT\n38hWmH3GB0827oa2yleZUEUOjd9k5pDMHAN1X+xdATQtZoi/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6UcPNL/750tCzhuoh94Ho6wI/nEwCgYIKoZIzj0EAwIDRwAwRAIg\nDYaqwP1q1QdTj/cNOnIzykkZ6y//OKzMVPWw3Vz8CGICIEcKCl9iCF8Bj7yQgLni\nUh41vSLpXwfVsg86S4SpNEye\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOp4lH2ap9Qiz+ye3MXpAqrvkwaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARevT2FSAHZvoaNtCmAOaV4C8caaviZtSIQyXDy\nmIh6jtbfp4KAM7IeRDevcgAJxxW+ezHFcPiFN8mDU/uBsC4yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIn2dzDjpW0JLsDOePVSUu7pfEWQwCgYIKoZIzj0EAwIDRwAwRAIg\nftT7pCClmIXr4ZIlzzxkce1XV3h51j/rP9EZpWFRFyECID2c3MREYN0y8sAPFRfw\njDC68th0/Hz+YzVd+/IApxfG\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUIaFlFOymm5eLjEe4VfN7DUEQNMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBlHPxvF0jJshxpdd2I8k80mFN9spt2YoAVGyC+Ckww\no/MIKcl7Wp5RkSUQkhn62+XXD8uY8e3j8PWsAiyEibGjcjBwMB0GA1UdDgQWBBTW\nxYUy5mi/jZiYfyRX5wtjUlRLyTAfBgNVHSMEGDAWgBTpRw80v/vnS0LOG6iH3gej\nrAj+cTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBKs0MXx2rHZmJcP60A4AoXegeRnqx9ygOe\nocB3V2UbggIgOzoZnd57mhVKZzIErExzZYkTnrvlNWt9adl9Hq/hDHo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQ17Nac8EEVFvG8MBN2GSpYNORuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPFuGm3dWTatmdV7FoFJf4dk5CHep4ji7MhNXw4Bh1zu\n9qOFKwTk/0GU7udK+ayU+T7ESN91XmF4sIvo5HqkoZijcjBwMB0GA1UdDgQWBBSw\n2EgHhXWIISwyyjb5/jnYWvv1CTAfBgNVHSMEGDAWgBQifZ3MOOlbQkuwM549VJS7\nul8RZDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA3SlWK+t/1L6cxdmZXeyA1zfpevYTlsRI\n4wSew9DI0wsCIESnNMYHL/X60rM895JqD1NycLGpFqU+xKNRH/7tO9fh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUdJ3gcHjmbu4LNo5cPmZCbEYZDEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjc3NTM3NDQwODQ4MzIwNjY4OTQy\nNzc0NDQwNzk4MTUyNTgyMDEzNDc4NDM4MTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFj5iUe+n6xLQ8c2tSirgy7htXUHLSUn1C/bNsSBIx8fnnyuyJHErfqBtluYl14h\nHkdZZK0jTO6ScztZZE0r4KmjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSHa0CTClUM\nwAcfFjiZ9Icj4GckDDAKBggqhkjOPQQDAgNHADBEAiAtEaIEMTTdG2sHwlXIqHh+\nhgnd92ifDaANNXIRg865NgIgawAlRZ0biJv4LpaOMwKO4RdlDSYNGnq5L4IZfTpn\nLV8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUMAxM3xB1pdIbQTaUnh6R1/k5XjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3MTIxNDMxMjk2NjQxMTk5NTU0NTYz\nOTU4MDI5OTkzODA1OTExNzA1MDcxMzAwODcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPEbKATE+VDiWAyPBtjpxK7yvahlxyE2j6PWpCK2QgLtcZl+MdjIOSgWX5zklwO6\nXgukj0lKrRG06238IdwZuk+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ8y9StYHdX\nqDUJLzptBlpDjE+kUzAKBggqhkjOPQQDAgNHADBEAiBCNH6m0hltW5rjPl/Bsa9h\npbyLlu1QwEV9MGzcwzD7eAIgIkcTCfXBP7ewhmBXyue4p1UUCwaenDVBDk01yW+P\n7Dc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUTxz2zXgSpC5I3O1cP3cLgslTaYEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY3NzUzNzQ0MDg0ODMyMDY2ODk0Mjc3NDQ0MDc5ODE1MjU4\nMjAxMzQ3ODQzODE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErhgF\n8KSPYbAGeffcqkQlUcmP/cHQvVcxcnKSG0BJpVgZr41YWrcftMUdUm7UzEN1Zjtj\noMIxe9ni2coTZ725aKNyMHAwHQYDVR0OBBYEFGR56UWXAlv9ZZZPU3HsRsJXhPLK\nMB8GA1UdIwQYMBaAFIdrQJMKVQzABx8WOJn0hyPgZyQMMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGVgVdk+uf88KafYdhaBzjkIJkxyT2bClF0lYEM0ZzXGAiEAs+o3L6BnhZQu\nnWaUTGqQV3o1YMeCUyuoCs6yFh5WOZA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUb3t0fyvtdlCRU2QpwZqPbu/WX6UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEyMTQzMTI5NjY0MTE5OTU1NDU2Mzk1ODAyOTk5MzgwNTkx\nMTcwNTA3MTMwMDg3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC7+X\n1IWZVfVBx7HGXOdQPDdVHWylu16BVq4d9xx+PaLiwm0nEmHlEXs6xOsgNyq9XkSV\nsCtAwSpXU95om6YqHKNyMHAwHQYDVR0OBBYEFM7L2lKoCX8jeRAz51wPuRdr+bpZ\nMB8GA1UdIwQYMBaAFDzL1K1gd1eoNQkvOm0GWkOMT6RTMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDw1qEXtPNCVdGIdmM0cCuDjHUonjmtohjEqpkJgvih8AIhANRzq0eoCxi6\nZMyCMpVz+ey0goZwzHAr3k2K2PA9Rfup\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMPUwm1wt4s1TT7YrEX6MXR/pd1MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYc37GfzI8r128b+mM++PkeMvrCUdgtpcwhjXm\npEtSenS6OR3Phzd38I/rWZYGPpIhTBy8w1tVqLiIpvO0XquEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoWRq1IYkdk6q3Ya45UuFpMzMEiYwCgYIKoZIzj0EAwIDSAAwRQIg\nJF03UHxlb2XQR62finj0LHOqT0fZ6k9PNeCbunf5K4kCIQC/jVbVTa0MGCuPxTJB\n/aQVNpJIMLWxdgxCJtwGSmdgxw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURagk4nkPmgAuYdl2+LGEjMfPa8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0mwX1qMKj4s+arl8mA3KbfIw7zUxh2Pn0kAAB\nQkUa8eRr63wFDXrPjw+7OJPSnVGqhQquxeSngODQB7t3sMzCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0mbU33OcQ24yNni/GHWag3zLthkwCgYIKoZIzj0EAwIDSAAwRQIh\nAMnsgE2yOKEO3yxkdpp3Mx0YDx6DQJYNQREDTF8GihPzAiAW2h1yOvhb3vjHxaZy\nEa2yo6Kf9iDk3mzmEW5S1m3x6g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUEqNWGtIGlROobZMx8BJ/StBG49AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNzk0OTk0NzM4MjkyMDMxMjYxMzMx\nNDE3MjEzNTM1NzMwMDIwMTM0MTg1NTExMjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMVGfEJ1YilIXAVSLru2cMrAgQ4krRelzMjNoiCoCDNvZLF5q76qxWg2QNdswlal\nS0BiNdaJFFq1nyPWMZP6TDijWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRCazNHq9OF\n6gi9QRWBJHwXrgmxMDAKBggqhkjOPQQDAgNHADBEAiAZ3a3oPbh3aW0Bctv9P5ZD\nvPDmqrBwZhmRk3MmmwYETAIgfaFH2yhQomhKnBDIg0Jll9Nj3FW+UOhujG3gUsOJ\nm2g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUc+of630Lr2VaO07cxvBiGWf9cbMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTc2NzAxMDE0ODcyMjQxMzQ4MDkx\nMjMzNTgwMTgzOTAxNzg0ODAxNDQ3MzkyNjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDkefBWk+wHh/DMycUrchzoPzlEYz0wAuNW0j2vtJir1skzg6ZiHjX6fmLYcrA0R\nxHhv6IGw8R5j96/3GHv4lcyjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRfpUGThv6h\nO9EVFq/d5NswjIORNTAKBggqhkjOPQQDAgNIADBFAiAqfD2pCJPhlOBJeaIZ3BZm\netpRZj71PD0HjH81Ou9vmAIhAMmD/RhacYsGyffZCfhujXtwIu2QffVoAi19+4TM\ncWQp\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUdZgRUVzFVT8n38w88VX4+XMmSVMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjc5NDk5NDczODI5MjAzMTI2MTMzMTQxNzIxMzUzNTczMDAy\nMDEzNDE4NTUxMTIzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERLIT\nzdwhSCr6Uk0oVjeTzEMY5kBcENV57BPpYHuOtiCtDryAahwhU84ygbwUPLLHBpiw\ngVi5F8aLKWQHhGqw7aNyMHAwHQYDVR0OBBYEFPtMkd/9BlYd4I0idYYT4xobjTu/\nMB8GA1UdIwQYMBaAFEJrM0er04XqCL1BFYEkfBeuCbEwMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCICkLZOvd0pz/doP1eC/20OdxanjPaE3TH6Ot9agv3G81AiEA0E7ZESQd4Klz\npxr+jJIgTM7Z51DDqAmIGwMJp4KzZfY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUZuKRmmDcNMC2O8eoDRbFeDj1/SUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk3NjcwMTAxNDg3MjI0MTM0ODA5MTIzMzU4MDE4MzkwMTc4\nNDgwMTQ0NzM5MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK9s7\nmUBe0osPS8OBZuEqbSTgT6i1yGTFCVzPX+pmHd563BUOeMI6OcozbPnUJ7gsd7r1\nnNjB1XT92YFNl4K7TqNyMHAwHQYDVR0OBBYEFAPZEn9XC0GnbI1dZh8kNqkUx93Q\nMB8GA1UdIwQYMBaAFF+lQZOG/qE70RUWr93k2zCMg5E1MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID0+WTw+lb8ZcCuMJQMEKN851rgzVTSjZ1ib1LRXLMmbAiEAw1fl1tC3gy/G\nrDkF4aGNERcj344JwsC5Ph7qfLYUXDA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB/nj5DxN/7+n/z6z7fO0bSCeE48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQPs27Bl+Lt1R64rYytrKJZiUTaqVt3R9XL2M8r\nv9lEpP3gESZqsc7K9rHupwDtQY/V3JnG1y/7LrFVC7kvTPfgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKjxMBgl3SEIKqNMb7WZYUsk0Oy0wCgYIKoZIzj0EAwIDRwAwRAIg\ndlTcVuYVGFY8qf9TcR5evqqxH2UuAtMFEL+LxCu2iVwCIB+5xzF+oREHZI19+9CZ\nU84b5kb7OS0asu4jN/r0WUYH\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUd8etNa/6QNfB11PSOuE5NElrtNQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnqxWy3NoKghgE6ZmjlxTZQsjn5LAP3NKzvcKI\nqkhY5mpAnRtDQ2alNZFyzCcwhvYsaUC1Xe6dGAJ8OKuy8Zzro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkTemwqjSELhL68Fotxg+GWD43qgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMUKVRNI+aIDEKOOVeh0I7wKy+MFqq/PMOyYhrwGf6v5AiAGunIEac4xCA6tiF5w\n0q+VsqmpHSq22KnT2xw5tTrOvQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhDCCASugAwIBAgIUP5DlkbY7b+K+FT39yJmzsNTfOrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKEW1dgSMk0CjhAFsAjygkjW0N0qUf4mWjtl9gshClQ+\nXPci65eu5urDQ/EiE9MVi0sKi9WeqCVLiVVs/hIUo/6jUTBPMB0GA1UdDgQWBBSs\nBfIRlE6sQ8j036mTDmvzUlSDHzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAqU/+8bgdyhnIR\nuSSMtzRM0WV8doC1xTmIVGLL7Ry37QIgf3EDmXFmn7beCgTAFR3YJHKjWB3tJeSN\nxfjttOv55bE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhjCCASugAwIBAgIUBOimXId4LVSj2GUjSqjTHT6eUa0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEcmQ9rfrdB4PvnQLfK076RZn3GEQqUkdL07yAY5kpB5\nw3Es5VjoKcP1OKARWMMrH/3b5vpTV9wjKnzXmsjvBlKjUTBPMB0GA1UdDgQWBBQ4\nxN3CAKz4CYPvWk8FGKQ8wjWBVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6LGffMgcwqCR\ne1PXeVop3SaiBi5HQQQt+wRZVpQBZ8wCIQCv/YmGskc9vkJPiogf9fX8Yn7hXjGR\nso5K7F9AWzRKPw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUMMlzt79Dcyr5C2a8/56PRZ4waXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTXK6ROmdMwgGulgs4Be5otfGMtaoSxOMp7W92\n3XAmzDjo9Z8/TXluGxGwjAFz5QGVnb6VpNsX9LJnwyvLZoD5o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUdmHkq1TBHLXXGZ7ssqlYbEvLs0wwCgYIKoZIzj0EAwIDRwAw\nRAIgEVA4FxEzDAwwmtLHAO03UqqqEmYgDE8G3EmY7Md2gaYCIGpkUG4PoxToW5me\nvt2OXxf4tviij8sqVyFxhd7vxJf2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUdn4GK75xN1yFfUp/1DJPuY1ZlbgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHkMJx3RadrjJgwRhYE3wMc/m+KlelrccyQkFR\n+64RAkkK2gLCllZOZHkAUxXyi36BAIccnrbVDyZwlPPYkWlYo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUKl4D0+AaR6RFjl+3XoMwZAD5mDAwCgYIKoZIzj0EAwIDSAAw\nRQIgeMv5vGRdA6PT70cpvOLbvutCotIsSgJIS7l9VQ40v3ACIQCZcbL7cDJJll7g\nzOGVLmk79KphmmF51lI/dprdmoev5g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUbb42BYE+TwkYWdOh/V7l3byyqxMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvieNmvfe9zTE7GGODVlX/ICQ2RTqebeERZ0h//22TK\nFc+bfD7jU5ushbcpoSvbBU8Pk8w4mAX/yglODlj1cwejcjBwMB0GA1UdDgQWBBQ1\nlegZkHJ7WdR8N7ok2G+oJfoFwDAfBgNVHSMEGDAWgBTKXNrOwZT6+WaxQeizTza6\nR1htujAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAkllOq4awWb8FgN5N2OTrnuAtFaU+elPW\nG1mflzyCKbECIQCxPPiufNSgeKO+v3WiJDcTYzHPAEHiS1FlZpqKnb0Qeg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEYR7NXA5ZneDQYptmiDk6ODnEsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMwadEpVeKYvmOyjb5cWKp16LSrvYmTbU9BRz5DXZD9v\njbr250qxhSvnADoMNVSepQTCDQyAbHfagN1UOocHD0SjcjBwMB0GA1UdDgQWBBQ0\nIJY2hYNAW0mP1dJcKoNtYGFnZDAfBgNVHSMEGDAWgBRwmIF/TXJtyMuvfMC3STBf\nfOB9KDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiALwVk62N0nwXaFn2VoI4ov/jshAX71+2S+\n8ga1nBefNgIhALoroS/+zaI99XBjmvtLFyzOIY60398JmvdYOipriEeu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUDGDQXuVJ91n1uQJcokjuQnFEGOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+AgFY7JaotQ6VrQgG7CJybCSPTYrUf59v1cUD\nM41+aOCmpVF9r6q2yFLhQD7QmV86vKA86QKveRkFAGuts+W2ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAx9FJo3MnMi0oS3ZIRObsZSj8XsUEG9wi+86PSHi5K\nUAIgLhnbO8Zlt6nWoXcr4OgJIAOtBul1pdrOoYijll5+8Xk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUHMF1aLv/qCJDmR4fte+61/Z6w2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYyD7cWYUhPjxDe+zdrmG+OCTvG10Up7E1syQf\n45dQZgNqvN0hlI62bpZdPIKFyCeTmJRSvO/ypoLT0bTw0IRRozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA4CL3OUAeo26jZxTmVZVshprp67NNDm2IiQBfXkbY\nycoCIQCqufYDJtWQSr71NK81wugGp1eyEgTkQEvR3qDezrddvA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUbJWIiZM5NAoExW9U3iQi068gU0QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKutkNr/EszyewLnLralWb+smORNRyGjmbl8q9pQEEwt\ndInvHmr++uUeHrZajVIltlqwhe3QX4n5/9egnBHcubujcjBwMB0GA1UdDgQWBBR4\nDz7BTfTGFkIpB9T1lAK97DBb3zAfBgNVHSMEGDAWgBQ7Xedgx2AZBzhk1+KYkmUj\nj3x4pjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAia6c4p4F+Y9mRPHMVQnBAfzyq2k45nWW\niTC15QjNo84CIDVzZSbw/l8BY3Gy3ML+NJs29RVQyjDOzLGJcUfu03U6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUR1yi9+jHCdLEPwEOFwjsOL21a8EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2T+nPvzMJXafNAfqqCidWEZoDx3v2cwt55GXY0JVRE\nS5OMHZRXxnMmlORpmK3h9iM1eTloEjkhIRFfRTb25k6jcjBwMB0GA1UdDgQWBBQu\n0nATs0EQVWVXY3TpvwWGNpUldjAfBgNVHSMEGDAWgBQYZ+9pM9lI6GqcWhv2ZwN8\nRl9bJTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBOpXsIgNUxjB1Ig8PNVUtL1UIdtMszHxF6\nr60KdwI6MAIhAMSVgrDWgWpVX1fw/9Vc2v58oKTrR/HyC4RE9agGL6h/\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAJNInBFpDDr+TFyJVY6eyUKWpPIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1qeAZ5YLidtHCCJUbdSJ6GFXIfAplcHPyyt1M\nw3kOOJyDoRAlxQ+Jqn2pDboHOej9Am0zG8Quh7eMFvnc1u38o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9k997J9iGMaRfY9LD5oTGbhPa1owCgYIKoZIzj0EAwIDSQAwRgIh\nAOX1i8BaPmG5vcoPptcQ+3fsQheAX3qUMk2kgUBlkc8IAiEAgb9yKcL95tg8Pwu7\n+0W4ahnDl5C2Jg7MZPKMDXwf6wI=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUK+VsvIlSuDZykxteLUakyZbg2dEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGO3wgdeHBAoLV7Ro2Pn1hZKJyu+0hVg\nBMSPJQb+bZaVIXM7q1HEMGz9vMmBHXBT0cYPQQ5/kMaPvHXP+TmNyaNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFAxK2jmsmVEQ8US/uF/8uqA6ISCiMAoGCCqGSM49BAMCA0cA\nMEQCIH7W/Up/QzBk4aOPsM5PBxIj7oepVxX9irAr3mHsWqvIAiAvLjfhJPqP+q+k\nNAOVd4hcAWeEIcCA6dmBfSAXSOSpBg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDjCSuZyU9z9Y1vRkC7bJJEydk88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgWAyhUOiTwkBB45lBA0Oft99k6DC03toH+2y8\nu5FuIp08NCSa8QAvMsPYzRueBESR3m+Ahy793pMikT47ciwyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa5pcCl0B7XPeIRf8OBgO8OVV8AwwCgYIKoZIzj0EAwIDSAAwRQIg\nRPyLm2EaHQgS0vDvMmHOXPq9EVih4JUIR/l7JbVMh8ICIQC6YzRlQSMpqmQ7aUHU\nMBI52otHWgfAFNlXMNCM/NLKBA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUN9aUJWo/HeWegnQkByUq0v7a+CYwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs67hqIdxwz/OQgabZ3rPhsqXo3VqV+zC\nIeU9+2Y8neLellOMQq+rMUWJpHRaEreAWROlyN0JZpQsTlMadBP2hKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFK77/b0ZiIYBNClz0c4DpcrCQh6sMAoGCCqGSM49BAMCA0kA\nMEYCIQCZinmNQfZVGQNnEGmreMLiYbU4+vjA/S6Q+NTVVyUigwIhALkQVp8RMecI\nm0MzrBO/cjCORUxTcG+IUonEu/0hq3+3\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUflERK7g0YPtRznhlPOEcZyT5GYwwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1qeAZ5YLidtHCCJUbdSJ6GFXIfAplcHPyyt1M\nw3kOOJyDoRAlxQ+Jqn2pDboHOej9Am0zG8Quh7eMFvnc1u38o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQMSto5rJlREPFEv7hf/LqgOiEgojAdBgNVHQ4EFgQU9k99\n7J9iGMaRfY9LD5oTGbhPa1owCgYIKoZIzj0EAwIDRwAwRAIgIhqSBeR6MMmJDqty\nnDj+8lozjCi9CoMNKhr6cZKIdwYCIBeP5t6ffsOTHULC37E0Ih1pI0DVGqhXezj8\nK2Jad75b\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUBfJ+neinALTQy2wBjZ1VrNAL+uEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgWAyhUOiTwkBB45lBA0Oft99k6DC03toH+2y8\nu5FuIp08NCSa8QAvMsPYzRueBESR3m+Ahy793pMikT47ciwyo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSu+/29GYiGATQpc9HOA6XKwkIerDAdBgNVHQ4EFgQUa5pc\nCl0B7XPeIRf8OBgO8OVV8AwwCgYIKoZIzj0EAwIDSQAwRgIhAPRTr28gfpJcePvd\n6+ERu6vxRWM5QIMjL0cPbP+/WFjUAiEAofeXR4jU/ypVvRnETcaYQUpMsrBSfmZ9\nWlAZ0goRbwU=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUb5KrBR7dwitSW9tnmHC7yHN0WaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNy0vbqynxj0Jf5VO3+Pg/bmLguIwNRlou4ZIu93Uh5R\nfCq0f888tmG8ZCVh1Tld+Tus0Gx/9vmtxg0OZL16zEGjcjBwMB0GA1UdDgQWBBTi\nURLkwQ3CW218g01SoURfxcLiCDAfBgNVHSMEGDAWgBT2T33sn2IYxpF9j0sPmhMZ\nuE9rWjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBnKGZ0wkijM7M4JPPXB+1uMtrVc25oO2cQ\nfF3AWpsmPAIhAIHI3+/yFNpK5wa3CLOu+NvuVkoLdcgN4ufhlhkifHSz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUaH9oNtsjD/5iX/M7Kv7bzDWYrxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn4628dFWR3/I4bMdAvJGdB4aedzqiPDll6r5+fKkd3\n43Y4K8yIujS8m6TKqT2un5Su799TY9iqHZ2kGziMAYejcjBwMB0GA1UdDgQWBBT8\nEGmlTFcr5hIl2ckFhdxStUGNEDAfBgNVHSMEGDAWgBRrmlwKXQHtc94hF/w4GA7w\n5VXwDDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjhzCNqm8/N7Mb86dY6Mp6M9/5LfuiDZn\n/ZMpi26BACwCIQDn1m/E0GQREn9w2hXbKp5b35uEqfbaS86n9HAm4xJkRQ==\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUXsHSfSPBryrvQVzGihuYuurxYGIwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD4cp1vgcZYw\nAr8saAtOD1V6FaClfPQ62gTjt+RBcOXfZkQ0KdMN4BbHvON+4hqE/uDK1uGhgaii\np4onu57oBqejVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRRyoTNiIvxER/CG0pXgb9P31jJ\nzzAKBggqhkjOPQQDAgNHADBEAiB1RiJdx0BHr6pN+/oiVrjdG/8wxyUvjfJ+8G9r\nX+4ulwIgWrThcu7y1DOKAnHHSYlGlWEqWvFXYlqS9kgfknoN7DQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIULiq0kgsGuNhWyO5yVUUmx1U+vLIwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI0xphL6BA9d\n1FyWFyX1K2A5k0RkL7FCcZSWtxkwaKMlzp79d5oP323vMr4JGz3Ns+MejT8MmZzg\nH5hqPYUkxpWjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSij5lTS7CYPDN5ipnZIEkHcsjq\n5jAKBggqhkjOPQQDAgNIADBFAiBfmh6RTar+jYg2d+K3wiwb37MVWW20zB7AFVzX\njqhWcgIhAKJkcSZyaRQDM8+pheXRWLdf5EhAePWPjaQU4oiV0Zqz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJ0nyKzrFguRwGSeRmqJ/Ay+qBOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3778H4a+aJ1sU0K9E7btxukmWx0s9yNw40ZfY\n2YF5sJrmmkU/z55CMkWFvP6NQEoNN2HBInQNAT97UoN3DXubo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV+YkasdoVd3vUyuHSAnulu21ChcwCgYIKoZIzj0EAwIDSQAwRgIh\nAO+yhK77x9RPvIfIVkEf8OdWFXTIT4K2vBKCTrsEtNVCAiEA8AkQxn4dEtVbwLph\nMxKS7GpBLY1sxBT4eFayqACP/rE=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXuyMj31qwPZzRhbCIDQrPusPsmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMjQyOTk2OTAzNDUwODA1MDE1NjMw\nODU4NzEzMjExNzIwNDk5OTAwMzkyNDE5NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDNt5idQ5Pwop8UX6nR15/q1tKqPF6y5lb06GCh+cFxIcgMtOow1nRDqlkwJ+1ox\n9gpCEcxsX6+hUzh+HryGU16jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFfmJGrH\naFXd71Mrh0gJ7pbttQoXMB0GA1UdDgQWBBSyFDiPdtKr9f3yMqPq5TDiaMLfDjAK\nBggqhkjOPQQDAgNIADBFAiB5xCfzgIaeyHo9ouTF23VUNZzsq2iYmhokuw+YN+Bv\njwIhAIar9pCcu+vRcOAjlljRwOQaZnXLzw37WnFpXGvh8NRx\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJvc/FQ4Eyg46Tj0r9w8z8oudysUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWAQCSTybU9FjZyZ4DlDZ7Zk4gpUZrZAOQo8Qg\n5Dk7UorwnjbFc0H/NEGFWIydq50riuR67FnRhNv+rB+Dn5Ugo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfOUGpzdZwEqNPZwqYstoEk/MaxwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPM5p8SwmE2qBo1HU5sSZ1r09ofxLkxn/WcJb6wGyyCZAiBRXUbGU7ArVLATC6aD\nTmhI2iaMBS3OvI1UVVAyChvDdw==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUFDd+WsweVMAG0U8rHmVBpVWGlQgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMjI0NTU0Mjg1OTM5MjA0MzEzNzQ0\nNjcxNDk4MzM0MzI1MTYzNzg5ODc3MTExNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA+rDjn4en3c+h7fsCzj0Ed60IZZAxbjsadmmyjpD97KcDn7bCp5BWqOO87t8HC9\nLoMqtjlnJAKdKkBbHGPBqEGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHzlBqc3\nWcBKjT2cKmLLaBJPzGscMB0GA1UdDgQWBBRQKg/XRDtsh8no4Y+5vejl5+fbZDAK\nBggqhkjOPQQDAgNHADBEAiBk2T58QEnEPUfpPM/REme4xn1uiUMlvv7+PJQfmDnR\ntgIgaOalregRFyAE16dSYY9ZS9p/YCubDeKMOXzJgslAu9Y=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUFUiisrA24qAaVnGj7t1vGCUJ/e8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI0Mjk5NjkwMzQ1MDgwNTAxNTYzMDg1ODcxMzIxMTcyMDQ5\nOTkwMDM5MjQxOTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErtvu\nutQC8ZS8JgKJEumNcmr9I8xaBpCy1bQpIHqQ7YXryCDdKzvZ/pnOTfQUnSqYRvGK\nMxQRT7f82pP6vmd95KNyMHAwHQYDVR0OBBYEFB+FlrjZy0Ys/+XPB0RknhqSy3VR\nMB8GA1UdIwQYMBaAFLIUOI920qv1/fIyo+rlMOJowt8OMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDlXwGJoAeZYZlhQlyYWGMJy2JEAS7ZatZWt/MpGzhnPgIhAIpudy9lIjoA\n/JmKI+8/wMjRIwrR57P58NF116FRuZPl\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUJ13C4uvK9VetspxHgulJUDo0f8AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjIyNDU1NDI4NTkzOTIwNDMxMzc0NDY3MTQ5ODMzNDMyNTE2\nMzc4OTg3NzExMTczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhiGt\nVOeyDAuMQcXLlmRZ2vFmcO+hOCTEAGicznuzdSwx6oVNqDsleTYNbFFJE3opK0oi\nTVF47vfS0nKcNgeNaKNyMHAwHQYDVR0OBBYEFBlixUdwnNAHmfVtGEI+mjFIdyBD\nMB8GA1UdIwQYMBaAFFAqD9dEO2yHyejhj7m96OXn59tkMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCR/amxRByUoTlaawWLgPshNcZJJhjPL16Z2LkB8sW9vwIgBFT4NrDxp8E5\ncVPx+hFj1DsB5ClmVrluIojbxlD6mcQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAunlP18SCD7t3YU1qoWP5YNlBNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxXVzvuVQppIfrm1mdqO/m9gLsUdoSH7cbdCRd\n3ik0mT5XqAwHaboHDOdqiaPrCVmkJbe6FABGBuF+h9UCSrtNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHFZaSClgKLePhvPJGQfmHlk8cWMwCgYIKoZIzj0EAwIDRwAwRAIg\nKnfNS1wZlZv9aRHTT8OQ9+sSZJVUmCkL4hbNfsEiaKACIGWez8oHnQb+lHoqTiDP\nzbRPe0OSrohM1OuXJha1JuhE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYHeqTbnfmPykzvfQCHsWKoI1sPYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8sOfGdQUek9PkJYj66wFOJvEL3y/ZPWucXW2G\nwWPt3mvOvtIg8IvU1rbHSjgIwgqQmH6HhXa9aCeV5Z+w/pbjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSaHZ38V2gNZOJSnAF2VWrIBEup4wCgYIKoZIzj0EAwIDSAAwRQIh\nAK43JGh3aey+viz+R/W4BqkAAWtuaHQBHYPNvv2nk1ZuAiBNaElGIw1pMK7fOTGs\nyw97nRLVYz6EmCrDq3q7QjFPLw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUbu6a9oQkf4a/mWIza9z13Y6Yy2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBpMTgwNgYDVQQLDC8xNjYzNDAyNTQ1MDU0MzA5MTU0NDEw\nODY3NDA5ODEzNzU3NjgyMDM0Mjg1MDc3MTEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAEWXeV2rGJrXuo2UeeuKpB/yej+eICFjuNO1xioTrPmSNHjg4Vg2t5G24GceF2\n19+M0PP6iBg+SQEZdOUaJjaQ5KN1MHMwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMC\nAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHFZaSClgKLeP\nhvPJGQfmHlk8cWMwHQYDVR0OBBYEFMx6oeTr+rwd9iM1+CQldL6NViyLMAoGCCqG\nSM49BAMCA0cAMEQCIC12HowmMgQLnQ/snEuWE3FSaEPH2ways59QHyYwfYaQAiBS\nRBc+8dOmlMQ9BDjc4Byeqk2jtrN5rPTogVvCtjUA2g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIURj301nCfG7tzjCSdNlF7CSGu87gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA1NTA3MzE3MzgyMTUxMzI1NTQ5OTY4\nNDEzMzc3NzQyOTE5NTgxMzg1Mjc5MjAzNzQxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPxmhOfzTn6TCyxLVLJ+Fhy1HEPNWpcgurn0jQpalAV1l2y1gc+pWF7VDrn0\nQrebId1arCTukds4sREyzCDYwSOjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEmh2d/FdoDW\nTiUpwBdlVqyARLqeMB0GA1UdDgQWBBQIt1ucgu27io+dnRGMygja8ur59DAKBggq\nhkjOPQQDAgNIADBFAiBBwLGzpWtJTsTRPgOqrytzHi7VVwY4V8jfjZG6ciCu0wIh\nAP0ibOUId3VzZIYCwSbeX9i7FzYm+pVn8inGyRjSOEJk\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUSXdCfsktKQjYzHcbQvCtZEz8df0wCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMTY2MzQwMjU0NTA1NDMwOTE1NDQxMDg2NzQwOTgxMzc1NzY4\nMjAzNDI4NTA3NzExLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARz\nh3L1yyvPaY7fbg0QAqs0poM6QDc5cyir/cixSTjmHXCP3aljjhvrUBUTJ+ez+kfe\nv687ZD5+ZaSBknREYLYRo3IwcDAdBgNVHQ4EFgQUKlLE6TmFXDUQ/6PwyfBGw8+o\nDT4wHwYDVR0jBBgwFoAUzHqh5Ov6vB32IzX4JCV0vo1WLIswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANw7f6bE5ynR3XpmOqCwX3Bs8Nv+00VkQAJeFLGl4ih1AiEA8iwEywyU\nJa7yFrbtbOvB04pEWYqJsEdOBjjHtMPRBnw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUaqYG3Sayiz3vIGXmmV9EqAWBKNowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTUwNzMxNzM4MjE1MTMyNTU0OTk2ODQxMzM3Nzc0MjkxOTU4\nMTM4NTI3OTIwMzc0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nI+0MVGF7AnpQm2qpbuPJqxYBSrGmtoT2wlyGBcW6FXhGpZjYBS795SYiIFEgZSez\nGp6XldAHi50lwBQhwGWlMaNyMHAwHQYDVR0OBBYEFEbegeiU9ZznFPrOTyoy7y+C\nO2OmMB8GA1UdIwQYMBaAFAi3W5yC7buKj52dEYzKCNry6vn0MAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQDTV5lxvBeQTajps57/0FOO9EwOJhdYk/KVTM/R1exF3wIhAK5deshb\nos9zw6Jzyo8JvARuyPFSCj2vhOB1z0t9FZON\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbfQGjvVaG+pcwS1gyKbxQJ3r6B0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnxKQY+hBY1+yCEcErAS++ttJb1FG/JPgdiXdN\nkEsiOQLWIEw+MKKksS7DqOy19RYoup+3XIVpvGIN534gYTGLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULw8VlnbGoWZgPPOeVICHpdtn6XMwCgYIKoZIzj0EAwIDSQAwRgIh\nAIVEPHKXYASrOPedXxfeUH+TiyNs1atOzVK2qa5v+nqYAiEA8svevkrBp7I+DTlo\nQyG2Lr3TbM7CZD0vpBjccSOdQDo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQivwncyAIHkIUVsifpZfFJSydxYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaGibfbX3k8Qx3JY2wILDEvbuy5Cw2LnBmD7kh\n0hC8pkg5SEWi+qYakBvB8iRNy29LQQz8uY2HuZNdh0sBMtAvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCfN0yYW/DcRl3MqsGMstILnkTIcwCgYIKoZIzj0EAwIDSAAwRQIg\nM46X1zxsg69tfPnkhmFbWNK7cOK/fT8LfZjL9cy3GtECIQCjGdodwiGrnL/cGC4v\n655FfNwh9dPwD8JScBbwZ4W7wg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUWm13xBeZ5Upjjxkv2eZm+dYpmMIwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjI3NzIxOTQ3MTY4MTgwNDA1NDAwNDE3MDk3NjQwNjQxMzA2\nOTU3ODc3ODY0NDc3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTCz+Nr4LVNe8MXqy7JQMfeOl88g7M3MA/2HyJYlnHyeA/o4s9NBi9cHjFERnDJoi\nCu1lwkN+UTk9BxMcGuARdqNyMHAwHQYDVR0OBBYEFKq7uFZrhhLSMZd5BA1IOfBe\nsEORMB8GA1UdIwQYMBaAFAex+I89h5mBLeWW2MNVtBl4NusiMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQD+TCp9Ur8nJQkg7Hbt9KFfqupdL4E1pbR2CQpr0zIpVwIhAN4eeoBG\n72Cddr2FuDusEWYZQhXN2LKW6HoaWb11Owz3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZygAwIBAgIUVtfPppkyAlKF8QLYnLkB5+6Q4IwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzc3NzczMjgzNTYyNjkzMjM4MjA1MzExOTk1ODM1OTcxODk2\nOTI4NTg1ODA3NjM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nB+6DD40xRjW45a2guYoDV+6vZkEhxHe4JocryNpXOiRDD/ZvzBF22hba/6N4atCC\n1LBRviiMp9RhpQBShyW8/aNyMHAwHQYDVR0OBBYEFFpawAB7ifzBtCAfSk0KD+MY\njpELMB8GA1UdIwQYMBaAFCypmERWOvzOFuWhsLCnlYDrhwEfMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQCG2Uk5aMR5NwOFenFAfmLulCnxM1xUuAbV3Jjpao49QAIgIKkbpi30\nh5tr0MYUrH04vAvNez6h0Cz03JJFuNYJmyk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUSNK4QGR51V5HJ8Jjyv6moYaL5zkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHc4emMKUdz9N9+08CTi7yulf8hqPV+MFHdswH\nSEljafxQbdfs66z5GuM5a68JvKqSth+lbUsx65572Tg7BV9Wo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCuXkxMVugAc\nt9cUkdCEdEPrbpNtMAoGCCqGSM49BAMCA0cAMEQCIC0VlQacSjvmXIJHXPlWkP4Q\nHiCr4cEyxzfjXDs9fLG5AiAqwMCjCPfxwQ99LtHPCeiT1BAI1QSU1tLmwQwt3cBv\n2A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUZR4thzFDetIlf+E+bGGtM9EcJq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4OR7OsIx4VOgA94psEc4R9G4oEvrRtdgeWumG\nzKVIw9SV/jNYO3QztC9P1Guea5R/UE5KOzXo5SW6Ind4UCuIo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFPTcYGTVEgg7\nROmpFPOCmfm7lYjNMAoGCCqGSM49BAMCA0gAMEUCIBM5N12bZOhIJlajoAG/4lKj\nXduEM3qstEpM/BxiTnIVAiEA9QR36ZF1X3j+yjI7DZJwhRQTXHvuddUef5c7Wiuz\nLe4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUNPPxFk+Yl6BDwjmACzBFH8jnR7wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJFDaouHHEDOpJi7AijT+G/EmBUZwpAyZRZQzHuNYRpn\n68KJeBCrO0KOefd3n2VszUx0IUrbt3j4Y/JOVdkm/fWjcjBwMB0GA1UdDgQWBBSS\nSUdf/4EzCFA42LkRkLnqs9D42TAfBgNVHSMEGDAWgBQrl5MTFboAHLfXFJHQhHRD\n626TbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB451tnxsKX8+zawVj3H0RHKj7kqKI60zCo\nVtOZInOPlgIgD9s7o4yJmMlKvZ2QOl7ED5+kux/DwvinsngCKHWpjmQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUB9pI9AaYpk7oIfkwIgDYIlOa4SUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLHK3aErdn9fcAMQJQbhu3AN21xF68uOAkZWgW+YRVcZ\nrb2T7n59gaEYlKJeAvi1/akI5xplmvtI6Ya5wfpLGFOjcjBwMB0GA1UdDgQWBBTW\nV9yLmwxC+uTZr6YOBw8D07EJ9DAfBgNVHSMEGDAWgBT03GBk1RIIO0TpqRTzgpn5\nu5WIzTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjWKDHkq+NeHusBO+VQim/ALR9UB8ZN/T\nu3fy/T7FWjYCIQDFM6dV7Lc4PO8yKidteQTlIezJCHAX8xemy+c2qmt6yQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUIskXxDMTdbcJUCpdACO1nHloFJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQk0ETCM6QgoRJiieFmgDvSm5P3WSLWfaCFVui6\nxzVhNeDbrpkYM65KZfM8jiY6f3tvGJWQQnpETj+oMhcn0n6Xo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUquz3P6OuZD4nqihQt5oTMI554rYwCgYIKoZIzj0EAwIDSAAwRQIhAMjD\nwmVAK/lDyocLitriHFtAJjz0fAU6ko48J4cJKkQpAiB29QlAlLlevkHEvOAp8tgU\nCw+IdEj0y2y99oUVRRBn/w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUY96tg83gQLkjs8deilc/ibsJyVowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8ZZfBCb4DVcCa8zz493tHobtQKPwUYcUl8XVw\nACWXzuYRD09OEygnqzcwXgtAaAA22OjZRugfzvLqXoIZuaJgo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUhrP8IgHirWmzVFMCd0v/s5uOclAwCgYIKoZIzj0EAwIDSQAwRgIhAKig\noPs7nRWATF/gTobYRX7mnoRP+wX5EGg51+cSNpF/AiEAiGpMTru46XjEKCNgr3ip\nQXuUEBSb7mo+hyoKq/t9wnc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUR6koLnFCyZYdQvYJ/1oxpYF6iOswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF0Ou0n+5lXwuKTonjRxPwr4Ofnw5VOGLcGRBeTbizCj\nk1OtPw1KfnMDWZFcXFXtDJ6bcEnKrCWi+D57lTPXvrejcjBwMB0GA1UdDgQWBBRp\nOxH7/3Wqb/9a8M+t4vvJ85sv4zAfBgNVHSMEGDAWgBSq7Pc/o65kPieqKFC3mhMw\njnnitjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwOmt0ksW6MDFGlfC6SG5cQ3hB8Oz+5iaN\nkQWG+Hfr7gIhAKKbbCAuR1nyF1CuW9UhLP8MfrZ9t+CNOTOPE1vPLc8N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIULh6nyRpOtwW66UAD4wOGGZrbFhwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPAzBM+a4muwG2C3mcsQ0eCgNne2LJpCqnpfb22AoAAJ\nUDIceqiBdncL2OYdZqAmUVXi6ZOVuq14w2Sj0D4FbByjcjBwMB0GA1UdDgQWBBSO\nFB2mgf/QCZnlthShTmtVS2PJBTAfBgNVHSMEGDAWgBSGs/wiAeKtabNUUwJ3S/+z\nm45yUDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAms8mZxHT4rCN/jfyzQfNjA23mxY7vmDgo\nUc4cgom22QIgb4CUiGxLq39iGDMYmugUjCyDEuwTOLqDQ91D6/h8c/I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUFqYvj9zusee1tQFSrbOMavFiLlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTRO18cT/DcwlycXySLs+425N2tbKbGsnVkWUR\n+P4Wp6PGZ3gz8SagKc1103skt6+oze/peDpB00vnl5qfQm3Eo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTaGbmJjX9mweN2OaZAHGIXGKkTNTAKBggqhkjOPQQDAgNIADBFAiBJ\nz71I+Gg6/fmZcFG3pcEI3jNi6tX5L9mTAriDdwRdKwIhAI7vuiyr90Rl/2v/aEgT\nV0P8FBeH17p3JxnIy+KxkxhU\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUI3rcDAODF6u6RYKb2qbCept7/NEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDGmk/LpeDx182Cx+H5x5KaiIR7dS6U6I06hP7\nsCTwfB+Nu8xshCu6ku1I6ROyRRJm0Tr5TajOoM4W6qhpUoMho1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRwpD1YNhAj0babxCbx3jy+zyyMKTAKBggqhkjOPQQDAgNHADBEAiAZ\nLNMLAMTR1RTkm/5Ifu0Pa5f3Q7UGQwL4XuhinCTKjQIgJHiT0A9qQRKoNmENjPqK\n+yrOSDWEkYF+2MyvQxC4uhA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUAaw651la+kVsmgRLMi1+Gq16dKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMrIJkffr8D/AO1bskDpBcyf5B1p4mC2PFgl5S2Z6GQV\nO1omhQuMh2JSmGL7zzsiQSmb1Ih76jQ8tq+MKgPufc+jcjBwMB0GA1UdDgQWBBR/\ngTIW9mak+2m3WKpJtI9fHWv7BTAfBgNVHSMEGDAWgBTaGbmJjX9mweN2OaZAHGIX\nGKkTNTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAv5LWcyQ9DXADfO9gHU4vq+njuSnM7stXh\nUgl8gcBX9QIhAPeYn3fDHmp/JBMOamjhxjagqClvN2QfP41lYA4ni1FJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUFJRQ106n1qSKg5/mVrRbgq28BAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCk6urTSDAleLoS9ZW9wyzYYEc2XVVImyQuDOWxq82p0\nrBrdRMtAWJ4XfxWMjIUvn6vO0cXAnvEA9EnkU5eXZcWjcjBwMB0GA1UdDgQWBBQP\nTanF7YaDUVt+a3Mt85yfvJmqgDAfBgNVHSMEGDAWgBRwpD1YNhAj0babxCbx3jy+\nzyyMKTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA5hGFouAIM839hrIY5aOwfV5q04ts0fUg\nWMyhvy/SgpoCIQCK35Uxf7MbpGO+qy+2nC6QP6qwA+RVTh32lg2dJTzKxg==\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULD1q+6NAop5V1KeVaZilYB0MIwkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASp9VtseXcAVH/MSVBUJMaat8amtEo5emAyjNRg\nHZffVgOKc2eVqzFKuZBRl2MKeTD3FRHBmADOT7V/gldblnOVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZZUPrZ5GtTKmAhrzNZPYDJMe5pYwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOH9qK5rZa91Fxc9MG8dE31hxrWm814sNF7peNBLBGdAiEA2EWIc6mrQAYMyOwg\nEnnwg5KQ983wLodx9XcP/pdbOPg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCNN0PNBboD5FRjj9l9qijb3xcqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYvURMBLCnYcdMqTeO/2E631e9ng22xMYAwEQJ\nAuz843qyyOrMZhUKLFxLbEm59IcMNJSxzVN+WUrFO1686pTGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ5KOf0CK4qD37r5ae7iArebMHSAwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOaYWqQ72ppghqKr2guIlg/FsSzifw94ZnLGcRRbOz6AiEA6i5EO3wIXLWQ+doJ\ng5CT+4UxJXE7Uc1hOtqQVOz39A4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUP5MhFxo8gicsOUlILbBKRWAPENkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUyNTY1MjU4OTAzNTQxOTM5NDI2NDQ3MTc1NDUzOTg2MTAx\nNTU5NDM3MzA0NTg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7ZNU\n76ZmpXFoh1YBMCw4FrjTucLEYNuBSMjpmm0UJ0RMUU9AEkf4Z+cE4/XdK3X4Suxb\n7yzVwPVgG78cV5NL56NyMHAwHQYDVR0OBBYEFCSqDGk0P2eBNXLzZrV3QnaM7gz/\nMB8GA1UdIwQYMBaAFFDF25n6YnaM3bdframqm1kMwDz9MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHgAJw4l7R+H6C1juyOlNd1TNexDon/ataoZFdFfL8NAAiEA5JBt76kK6rGn\nL6aTGl36Ca5W5xBu69FdkB4+g2U4im4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUWMgJ2UqlvKh+ujpi7dPe9WtGNYcwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTAzODc1MDkxMjI1NDU5NDkzNzgxNTkxOTQzOTgxMTM2NTY1\nMDgzMDk5MjY1NjYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlChMU\nMYZUe1utt8c2UXKt3BtF3K3FoN+wyGA1nFws+GU4pk684+Wdt3dVKt9avXd6OYRQ\n428P1nOy/KY32aubo3IwcDAdBgNVHQ4EFgQU7SJycV9SH4DP4xb+yGLXqk8hRa4w\nHwYDVR0jBBgwFoAUdofftuGMn3ck6j24sduex8Rqh0EwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAIe3G18wPjpBva0QjDDihSD3g/fNzHSrIe4VIgT3C3W+AiEAjlxdwigrSNZr\n4T0XdugGgPqK1eT+GybkTwLos86vMWs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR/qPdbo/VwU+zvdqET8Y8QYKyxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQtmMizzJXlR7SIu0scNTK9DZUmhlukBLjmUJm\n7mdjakYtdlq1QLmanf6kD9MS11IW3IY9k/rVTsrHxxHiuxoho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCQD1/7IKDzzTswL9uyQoR9/zjwEwCgYIKoZIzj0EAwIDSQAwRgIh\nAIaak6OLgkXeWQJJfea9XJb/QX3ZzghvfqR998hEMujEAiEA3HXzCpUUSILj/qbX\nD6d41hrMon4HJOQa3nuPsT7rAwY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXiEDJDk3CHKcvlJfvbboLVaRML8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6jGON6pDa02j/QcPqW9ufCsqgi8o9ykHQGXIb\n96D4A0EF5ZfVtnLg5nizfd1pKs4hWHQpLINjAiDkFmX8WNwIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKfD5OISP+pJxzJwoHL/1fMlJ/Z4wCgYIKoZIzj0EAwIDSAAwRQIh\nAN3aZlEm4E62Zwc3iqmTBZmsAs7A/yPqoTLrQ8ddcZaoAiADPg3c6CyTh/FsPbzm\nb6n5qhOWEeCw5DOADDzeSNeQBQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJu5o+Kl0+5Pokn6KeFSLnimj7xwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFfbOkBxgpF25IIap/ct68KAQrJiIy0+nU9uDrgmbXny\nrKfh5Hj93gFTqAzrAJN/kVJDOIt/PjKEJE7QlRPQOGujcjBwMB0GA1UdDgQWBBSB\nCqAPvxM55y4Mmr/EQ1Dvg0VLGzAfBgNVHSMEGDAWgBQJAPX/sgoPPNOzAv27JChH\n3/OPATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA3TJJ4aF3mTSCqI2Bbdz++MH9MBoNL/mV\nn1MbHWXegZUCIHdxmcx+s3+sLJj7xZSCD7aZXwzRAEHDZmv7PeoB1Ut6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTxIrhleJa5ubpzvMaoepk6oWFDIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIB0UUfk+iUHvH+cfzScI5BNuH535KI2vYNl9pnuqTy6\naOsLr2oIJjnHZpgHoiGp8N5aS2xnvD+AWelMjEvkGLujcjBwMB0GA1UdDgQWBBRD\n7ddxQknL5ayFQziRyDHy2PYxhjAfBgNVHSMEGDAWgBQp8Pk4hI/6knHMnCgcv/V8\nyUn9njAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAm046wn2fLX31p2NgdrCPUJ/VfsiHFLA5\naGgCfxIhOH0CIEjRdt/9qV4FRgULpFshr9n+CSTXkBGwofmeV3YIkhSP\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUepZqiecqgxUt3Fi4sZR0Z+5eWwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkk3sBYMOW6rS3SDIaDD/pF0zi1rRrUZpUL9Zy\n9q7sfA/Pys/f1iG1xD3/S7pqNECaQnOQq6BMMnf5p7jo2XHYo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQPcniJ+moZj1iLzVCkuEOmuklBEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDnGhtLqRNf6Xxuf2jl9Vc8\nQihNJ4UCf1TE4Gss2CLirwIgbCHyeeSxL6kcvM7Rr6cKhnNu0tkcqvmqaOzrG4CS\nIYE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUPlyGCxFunkM7DxM6yzhQv1foZ2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWQ7VaiJvJr/dK1ytHSIqw9mNR5jD8obuqk5+U\nCBRIfqC6sQwJ7NJqooX8cqLIPfrhtc5HTxPWzK59eBr+yFwJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1NHCgc7HuoJ9dbFLuixLOEoT0PcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUlqi35LXr82R2c2UnD/Kn\n7nREHTTUi1hEZHpfkMa1AgIgIYClEhjoK0DErjjoI6BCjMxbiJ/E+tKMFcAzzZiZ\nbrY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUANgyxEPyXRn41wRv/aORsPzF2M4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMTMEu4Oaagiy7SSeXRNebqpuGWamUXmHWfWS9ptOtZj\nQ1LQUoEzE87XHT+L8ZqDE/XHiTSmMx7VDQ926FN6Uy+jdjB0MB0GA1UdDgQWBBS3\nubE61Z3x0pof7h/l8V4VCN+0pTAfBgNVHSMEGDAWgBRA9yeIn6ahmPWIvNUKS4Q6\na6SUETAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKVZfeJI7zOCwuU8EjReSgH5zuhJ\nNTmSK6oGtB7L/9OQAiEAzeYLvc7332tcdRwWNz2h3iJX7IMQ1mJknzm0HnU4mPY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUMPrXQ+rU1aS/Eaw+TL2Ma+Ion9gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLKtLHghSA9YXvNzlajI2hxYsh2T1uozx5cACyGwGVI2\nNrWpzogxrei1ni4wl4LZBCnJfqLmqRrAdMdunwaBequjdjB0MB0GA1UdDgQWBBSa\nENOl+3sv3tuA0SY4KRLzkPFKtjAfBgNVHSMEGDAWgBTU0cKBzse6gn11sUu6LEs4\nShPQ9zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALKk2Ao4kGPmOOxyBtTOTgCtb5Tw\nqal1VZQOPACc8wuHAiAK0/GBhyFeSyre850v58HZ79CcRZyipWHZ4tv/NAb4pw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUSQGxSPf86OZyKhD5DvS29gYfOBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzEeZYdUGBstGE8PC4teFU6D97pnLN73y2yCAE\nOdHz2WQWiD+nggRfYGiTqIFxA/gFZd6oOgpZPxHhWLWwTmWOo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJoJgdX//IzxDinx6p0Fpm6GZGpAwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCeD/aH6Db6WSp4I7gRzi09\neeUXVcYJQgr9qV507DdZRAIgBUcGwYpZOKq4Wch2Tcmk5YajXiSGRYOrZM4c3mWo\n1nU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUSIcXTe7nvxaP8v6ZR1VyIJUkjIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpiuON6G7z8Bn15ju1+Qy3fpCOOrtW2rEZ1f3i\necKHsIAzs7PJNnFENB2jWR6+OGRWWSPRSFEVc4+AKbRC6OlVo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6rBnC1qAbs2Igl3qy+blBldeRCswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUz1koHkLWeU/IqsPmZTt6\n2rbzdTcPRhceBWaP8Qy5+AIhAPVLoxo/clZQWjW/xIvbxt9ms5zyL7ORe3PPVy4r\nKD4C\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQGDVGCLUaGPom/DDIdMvHErimbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGCV/bLPzf4dlk6q2fKBijtdWBL6EXDoFG2Dxq9iCjHo\nQERxUyKPz7RgopaPn1pQA8Ne9qi6wXOIySn4F+g8K02jcjBwMB0GA1UdDgQWBBT4\nXVr5XmixZQcNQYzVGc94fpvs+jAfBgNVHSMEGDAWgBQmgmB1f/8jPEOKfHqnQWmb\noZkakDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiARXNs2ap7U5Mu3UAowv/eCYMpKpIaZQRjB\nOBFJkWXJCgIhAN/Fsa/vG6FrUcTJ3FR4Em16VXobDatikjgWfcjbBW0o\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUdT/Lpnso/vOARt4MlH6cs0n9o/MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAE4oMMWLgkzxmfjcqMw1vMrxFGEYMShsPQ5U213sJ6Z\nuj0/ygAqxNm86sfDN8HSCZMmcT1Ajo9FRi39Yvnks0ijcjBwMB0GA1UdDgQWBBQu\ns6tgjOA8wdmybDidE2akWdEBfTAfBgNVHSMEGDAWgBTqsGcLWoBuzYiCXerL5uUG\nV15EKzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBdthiN76bRKop6hE5sAEzjKKJ7/VW9fZwm\n/o+X6XoZ6gIgQinJtQfAo+vLToSP7JnAHHbajea1X4+SJboQ2tsWjD8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUQVuwiqraiVbewigrliYmSbwXBZgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3epOhVXyrv0KnhZFthzYccj93I5lF1wDFhIR/\n7G5kLYgqhATTRQJ/tWoCJnT1w2VE+JUpmxwVWRDixNfja++jo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9k2BU2esAR8Z8PDcPgzvoD8IW4swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCpSPabVwcTRiiTadRVKNyL\nIZ5Yrg2wEMR6t2s4EAtRHAIhAMbMyd9DKAIEoUy578OqYUHxnCViOXa8nnny4e10\nTHKt\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUG72UssxhM7nTbDeAnpY9eGmW0FgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARt6PqKxvqMuxLsDZ3hElk0iyWBOsqGUQEiKmqv\nOgGgYv7XKGtw+fqfcE9IOil6L/XxsDO6LmdtP2sc5Ng0wkj4o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJFYOUqMrOjv6jDkTff08tI+Q1tYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDMcrqtGYVoF1fvpr3E/3kX\n5HZN/j7SQIC+pviBsZm6kQIgel7tWZ9Xo2q3QM5YCJX5F82iZNxk1vZJcCJ8/Ic4\n8SI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUJPoJF68D+yYlm3A0pnzY30WXe9AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOk5jEZinjlP6Iz9vrQIEkO1uEM2ZqHelkXni3hEIVGe\nbMvJXI3k+/eNM0w+AzqoYUgkz4P2q4etxa6vjZgRG3ujcjBwMB0GA1UdDgQWBBTl\nQ06aPRvHpx3+8nhLtKp3/HwxijAfBgNVHSMEGDAWgBT2TYFTZ6wBHxnw8Nw+DO+g\nPwhbizAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9D4H05EEKA8q8nUQbkIsmRvKV4TbyeRH\n276YB1JNRKsCIHUoLW3CjaRFo+53poMTJxGmCqpADRGB9P6eOB+1SvVX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUOUuSCjyO10hFFppnyo3iB/D455MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKamw67vrCcwHfbJRgDeRJe1MlhqwvRV9Pe7wW//OGX6\nWYV1iQ+T7sWJUvCnhya/aZS6CQJX0wCjx3kH82CRELOjcjBwMB0GA1UdDgQWBBTf\npVgcRMJYdfEL3uBuF2vAbYtTtTAfBgNVHSMEGDAWgBQkVg5Soys6O/qMORN9/Ty0\nj5DW1jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBMBLLBVwztZKK94qZ8gJtN7kIoIoyf20Jl\nHWiUXU93awIgOsP2cLYc0KeiUXNSO4fonMU4jXsTgoVJTIvb0ZPhQQ4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIXkChjX5otkbx2y8ec/PcN0uVmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQF1OpN7rLk9V3DgSjqwH29FihunuLQR1mN6oMN\n52OTe9mYAde/6+wpowiTGMNMkJtv9lmAzswMulj/7FOx/0gTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9B9X+N5MEOniu9hFpF85D/1qGNgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDJ4uga6h0DzCbLn7kByz6y\na+i+WVOphlw8I4C/IrxBAAIhAIB1J+Gou09lk61krbXJC2RXv2h3+eJiuD8Zslc1\nkXcj\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUYmXdhkG2RY1cyu254ADhLn4GURgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQaD5SjUhd333K6NwGl89MIjkG5sLw91+dj2x+\nQmdSsUhFRNsRoFqwh3F2EMmauWLoMMrWcoqtKlui0b3+jiPno3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGw/5PuhjIBq6E9ZqI/QAIRhgMWMwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFxGOaHkYUArFikISjiXLkDC\nTH2iNAVjF4+OIk2EyavMAiAtnS9wMtc+sg5+R56cFxhVciqsw0ys5t/m4JB33hp+\nMg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUJvmde3FC6f+b8XcsrxPvWfanDRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP8UX5edvVRVG4qZQP1v11IA1oEoXyDQYz63YYS8U+0+\n+6SrZLkxLOkNxoxLTsYD+1fN2nrF8dqAOeuI1ONc4FSjejB4MB0GA1UdDgQWBBRj\n2hDtJDTTixf5BcXQIQ3+PsrhqzAfBgNVHSMEGDAWgBT0H1f43kwQ6eK72EWkXzkP\n/WoY2DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCHczT1RZhbJzV/tmG0E7LL\nza7ymzY/JqPsHADsaPZ44gIgGdcfto8HlZHqbfaCLY27Rev+ETHGt/tyL2N8LW6L\negM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGGw2+QegKKy66KjZtgXVoLQRbQYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIpuHmgJQeZQp1bOJeb4x1FDE6ic/mkal/mAXlJDNi6e\nZQ6QbP9JFvd1F7fJ301c7hK6fjtewhRoAVzFzwegktWjejB4MB0GA1UdDgQWBBTd\nI1dlsqG2nujRtVRyOIRII5fg7TAfBgNVHSMEGDAWgBQbD/k+6GMgGroT1moj9AAh\nGGAxYzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5QZCg1CV4S2aTEQP7Xgxo\npPxP62pUNvNYRQVRPM2Y2wIhAJp/g+9ZIKrpXbYAfrl5m/p/kGc7c4uUActD95i+\nOUOR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUAlm+zvM4KHBMY53aX1ejI9Ov0i4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQ/TcJGiaQZUBt61DRkJZKI7VDGNk17eGdwNUt\nvheF1n2/p4CE7AFTGfdRTv63DcUSADEoeGJYfDqKtqwAijsKo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQI4bkrLFyKIxQVCc3rMyr1ti1NvjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgPvoR\nx27qqMKnBp8yxgcsZ7zwrMyZmc7sN3WHtaiTwrMCIG4Dm4Hst+bQbod6E+1LQtP2\nS7b0ZVbw4Bvoa93Jb9VE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUJCgZcyKDkWVXDXqV5rX+6zOJzAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsxDXYNzks6UR0kMiE4Lh6wZWz0meCEMuoW4g1\nHT9Ri9f+rjrVMyp0kE+ggJ95hJFQ7PMt58+lN6+8PYP8AT7zo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQraammB7GqScQLzr3nBzb8PdwKcDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIEj\nfIuDOnSmYfBi2ao4sEZC+37ETqjq/dSSxpSH0HKZAiEAl5itmJCqZAEMqG6/DbcN\nVKJ087AYNZxHHuRlYr8OROQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUf81nEQMf1HCPjSnhF74kWvG/kWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFsDX8wvK8kmSSv5xEWmmZ0hWWWlZ6bt8DwM9ol2rq5g\nzssJV4h+AJm6C+/tx7YkrYWYjQUGrgKX2pM8FgIyRMWjgYwwgYkwHQYDVR0OBBYE\nFO00yH3Y/QDYah+hZFHSP9o0qvJ1MB8GA1UdIwQYMBaAFAjhuSssXIojFBUJzesz\nKvW2LU2+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAc8xs1GRoSbeytMOwLE0AFzWJuAG4tHwdMRn1Gob+yAwIgW3+FiuMTK5KFoojx\nR2kHfVj7w3w/Mly3JrSX5UGNUSE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUDJuzz/7FQUre9AMXZOXjLrqwfIMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCIQQr3YFxCqn8BlCe66hSx3fKnnV2jf1ApLAR9kgO8J\ntL5IIbcq8ensnsCU39WTB6w6GIux7qv94N1vrIV6vSmjgYwwgYkwHQYDVR0OBBYE\nFFOhG2x5Sysrg0uLnO8TVyRQ/W+3MB8GA1UdIwQYMBaAFCtpqaYHsapJxAvOvecH\nNvw93ApwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAqf83gTcq5AW4MSsPmAMxqzJH0ooT9qLfPJNyglzZ0zQIhAO84CnsYIdzd2QzX\nARiRuhQuRWVtDDZC+Hc1wsTl1J1S\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUVWJ/4N1IgSXGAu10qro9bHVSrYswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsIJoNCAaQ534imtEzUz89Frng+fz1AHjwMqBS\nnWgVMgzT+Kq2oRrmv9E1cAmsNOfseNVj2yhCfl0tdzxtbuiuo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7wk5MgBS5LviccZIPg5u0YLETBQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEKmTPiBVnaJI8nfqWchhkJQ/bFh\ne/0nmh/KqezNhG/UAiEA8ZBeSB1Crk0C2lzk5vqx9CE6TxWluiwUC8021LuNQzk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUajBRiMI6VJ+0rjC0d1Ar8OTY2vkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/Zqd64qCWuB2bJTAzTRthXlRKVmQ2UzSlYJdM\nFjtHEjFHVabTA9qQlfH23jBTe5zM5suAEeLOPMlspzoOZZvNo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUognyp2k3bYvCe0DABUvEBge/yBwwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIGtOZiWOJ2JXtKnsJi7u2D1XpT38\nCodt9rS85/pPpHp0AiEAm8/w2G6CwP8KHaKp07WqK3e8x2uNy42jHuxzsnyYbdM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUFXQvSxq/ayFdGlxr/WR79BCu91MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD4Mv5MfNkoS6xRIEAXZLBy7W/4GhuNUoKWuo5ensX+p\nzc1ISJMOgZ7rjfCkdhmPTdCyISkqLIsZ6QZsMLiGNdmjazBpMB0GA1UdDgQWBBRF\n5LrLN/rIQ2kFXhKOShRmTBDTYDAfBgNVHSMEGDAWgBTvCTkyAFLku+Jxxkg+Dm7R\ngsRMFDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIELUtYzkc5g9bKsZup0v0H5xqZSZgPYFNnb1XtRFpe+E\nAiEAiDhljddufDoNAyMni5bcGjehHfnkLxVqievwOl46T5w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUSuKjHC0VhWLF9NLlHSH0a2d4oewwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDoZrz1tl7KWBxFP4F0ZVCYmPqTwPJpUPPMvJfASIiEE\n1il33ATM8B1ekyDb4i7UuONiLzYib7gqmkV/AtKAm5WjazBpMB0GA1UdDgQWBBS6\nesDbGqebvKYcxerZ3NCkYt0fizAfBgNVHSMEGDAWgBSiCfKnaTdti8J7QMAFS8QG\nB7/IHDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIHIcltjlOd4HRR2fm5NQxp+Vmzh0xDrRKhAzhqrLnNz6\nAiEAsuSusM6jrPWTd6prUlnTxUl7mYfcHpE6ehd2PJ8glsg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUDbloteFu5mYVc+/m6cSNrseQcEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO5lLpHL/OGX8X536nP1rqbRJxnUIB87rQGwSV\nU3o7AohaNM7IJq9YW821k946unQe1+Kb8K7mq23SMjwyMJR0o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbz1teANbfCKHKemecYxzD/cCvggwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIGinkPFJJ8CFy90qL3JFq5IwMi0E\nFUWiaEDcF8XsYjKVAiEAzlDKz5wtJODPZoxPy41GaFRlcCbbGAOj7T8Iy9/vMx8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUaVYMrxhfergNGM+9Gw7lAwHFHowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrVDdEiEQyy//5VnO0YlounNXd47oenr80LjdG\n67ddjuA1eUrW8CHhn8x8TJiKO0c22MoLW+noTkOb2SCtST5lo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu+Fq24PUKsyYc2s6xQ8YX6r9eGQwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCQXsMUQ0fZrjSYnuPFCV9SidVX\nBGdpnrsaEiJAGrhktQIgQWZsrY7G1ah/nHya3jpSXkzW8P4gora3yUyTVj50Gn8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUXQDO6N8ib/zQdSYVvTnvkK9AA/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLHBKquFoF30ZEEigO6HdHBIvNjDUpbvx/ZRmrK4KtK\ng7qirJGu/IgabnacFTqR0rKJxTpLN0jsSX7ZTJY6IC2jazBpMB0GA1UdDgQWBBSl\nmCIOYtuZXZB5SmVpQ6ina3KlpjAfBgNVHSMEGDAWgBRvPW14A1t8Iocp6Z5xjHMP\n9wK+CDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCIDq5yp5ipvKe2U/Os6uoNfnsy8KJKZ3rjESzjKsHzFfR\nAiBjLQeHpS3PstbfKqs9gGI518C6cCsQUj6Vsi1Ai9E4Sg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUTsWPYA1FmAuNDnBci6r6QwJYP/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFzkcnpECk7vW5Omm/iPjIeL0fjxwLPyf24mOV6736E+\n3FKcS6hKLoDo/HMZTlWNftWzkuarF6HcOxQ89cWl1v+jazBpMB0GA1UdDgQWBBTR\nvNpHxrpIzshvpxFdZEcIpw4sTzAfBgNVHSMEGDAWgBS74Wrbg9QqzJhzazrFDxhf\nqv14ZDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCIQCaFpy4GlO6Fn04FDWCqu8o2wP++EEWjS0huiqrBNKE\nFwIgFNko3cM9iEyzB5k3KpMWZryNs1moJKSuEJiyOluT5Fc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUOxQjz6tMTbz4ZbB8OkJDJNVEEQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPDyUm7Y+VX1RSPipmo2L5Rnn/jHcsiGWZvtTE\nYbO3B/77aYZgHO3tzQf4ohCFWzAh/1lCeoVp0E25Wm5RTswUo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJ2eMOhJDOaQr+yIgklCCmQr6NPkwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCaOfk3vf8dXiQbG1u6vGmhkNEB\nsla9pgag81QQqqTdbAIhAPRdmeXcsuoOUShA+XKdc9vrYgDLYKR7CrV8IXeF52Gy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUKxYSl7N55N3OmhCXXtUwLdWYExowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5+s68XG8IMqT/ffEf9WkEUisTqG/O4R9yLSST\nD1ZQrl4gGYbsrir7DGsaeQdZZa/D7scBF4/h8DF/5/P4fvRso3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUN3Xj5jvmY1L9aHf+YlWYWso1rHEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC5C7D1nL5tmsQO4UrUXy4PKNuY\nBikw/jR4KpkldcRK2QIhAIcApcMNJRVR6j+tYTKnL0xhf/BgpkZHLtf5WcHREEBi\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUFRTDsiMlgU3DMk92Ry/ZlUZb6oIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBZyx/Fk0B1irEg7es5TbcdlPBDTCmSfcYifUcefmIFc\ngPo6KD1uLLY/1CMJroyCaEnd2AjJwGLCFVWJczWz21CjazBpMB0GA1UdDgQWBBQN\nMZTwyECDqXafrFzLU/UKQGm7azAfBgNVHSMEGDAWgBQnZ4w6EkM5pCv7IiCSUIKZ\nCvo0+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCIHEwVh7Bmd9PWpVh+fkUmL6NOMMYaXACzfsua2Ak5yeh\nAiBCIrUlsa75SJHc14WJ0hoxKvUhgS6LyVqk+D8cWvncWw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUYVxwk8pgHSHcQ7w/Cg9RKU13idYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHCUa3RUCMUgD/j3NpqZlfelNdVleU+Cuam1X7wt2Ldl\n35KApL+x2A4I1GHjBQqvzJ2I5DloSSMUJBNyUAE+n8WjazBpMB0GA1UdDgQWBBTM\n3ztUqQGztBfd65z3o9RUxmpCWjAfBgNVHSMEGDAWgBQ3dePmO+ZjUv1od/5iVZha\nyjWscTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCICAZ0DZiqC+u+DfbiFQrxsIMyGGy2sBoAUcbvlLB7Jfi\nAiB3tozwUduRM7qu4AgVfSf0H+HwjF1bcPQIk5v0UjzRCw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUYzhPxqIDXRHTYP2KctO61zSP3tswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR4bJ1n+6LK+3C2PmzMYr/ddHv1xbcoFYwD/ohb\nOV1gzUK6oH1620XmHsYV9c/X3rIO1TDNvVnLQ0FKkpWgV5ZYo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUx3TPlAQqGiAc7A5G7ekri6fmpKYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgHnkT0P8bS2N8SXmf\nLxgdZiGBU7PnaJnIyTAZitwBdj4CIENPUrKTiivRjrODBnfJHfhWNb4+pFZtoQBv\n8mPIp1IH\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUYh54Undcu5AIM7Pducr9BnyQcMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNkBAJGSQaSHgbycF3HW7RU+OQv+5ExE/WP3Rq\nxtSg6rD0q41SzLr/4+UMzaVfECVNAkrfmOFO4oAfjxDwYHnIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOxqxU3D+kXWK5gRmeqM4ahAA/p8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKp0PR/tXafuAHv5\n/Wf00f6xe9nWz+LvzromsDFwTjDxAiEA9paSJB5YgpACR2TFHT046+fVxOJOrgUn\n6ATWgjVWa50=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUc5UjncK7+xSIxo7FXReEzSCnYOswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEQs+ZBK5Ji8XIN7g3RYj3QkJN9QIKz4RYfGsjBkJ/uEvQsr40\nt9a77F4XishdR74NlwZRNaCAjJfeN8priD0696N7MHkwHQYDVR0OBBYEFPbSsgb2\nhxJLhwPNj/X7NQuosFjiMB8GA1UdIwQYMBaAFMd0z5QEKhogHOwORu3pK4un5qSm\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIGwTUN6fuU+CHjqmw5iv9i7aX1iZ\ny1ts0KVX1s7dxkAcAiBxIL8C7Ev7r3F/2DPBVOe2u9A69vQww4JbSisd/pNDAQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUCVc4tB1rfr/Xr55wP9pdy8/NIL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEuoLCUHnFhvq/JqLY2OerI7OgTzGRd/1ccBDdv4ZFlnNK6Qfv\nVdl5ALoJITV1aTTVrMd3qtAME5j/YKOGTIfjEqN7MHkwHQYDVR0OBBYEFBi6dtaZ\nH6qyQixVr2R6MKsFUppYMB8GA1UdIwQYMBaAFDsasVNw/pF1iuYEZnqjOGoQAP6f\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIGFFqLnp/sW8NgtSGCJQOtEt4xxo\nEhrfUeGpHFq5bQ7KAiEA4Ww9z4OFO/MFURp7LkgFD1U+pBciiIFNlQxPLhBxT28=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZNoZO9ET8HamsLxnSUBe9JyFVgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAZVl634ea7NMsOlS8PT1rDMqYzMHdnkEU7KqI\nyWbRSH9bz6dV18IjhhCPEL+D8dPOeT36vsLHatnT0tknNA9co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcCB5mdVJUyLZ52+drZnEK0WgOEYwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKrMXPVeydATKW1A\nWhcV0RyBba+NXuTGicBjysY7WtzFAiEAsDxgtLf/El+Gc3wtrJx2gY8x2vTDvj+q\nSePSrX5pDs0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUX79AGxOrRh3v2Nd2C1Do+cAAPmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiacHDbANLBFDYSEnckbHSuNkXmfyg8bJmvfPm\nhGE1UaeiIig0jrEJqrUZ2WiDxYyCXG1qIJPhdw58Wa5tuNo/o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOv4j99L+5lYqGcUBfYo0y0I7R9wwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANpwPusYvg1tuaYM\n1yytY3zpnPe8sgZBsr0I06jjPzzHAiEAp38BFPAlchOxJGby4rnwf49c/1MZBLD6\nQ9Gking0g1A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoTCCAUigAwIBAgITGgwzGn50PYUiHT+2Z9RExRtPLjAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMA4xDDAKBgNVBAMMA2ZvbzBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABJ+9qUVrx+8XC+K7Hm0ThTDO98tb0Jlx0bxT//DDO9CHGl9XvkzFoIAp\nqcxMRXBA3fTVRypU+GtgPd30BEqaZh+jdzB1MB0GA1UdDgQWBBTYtexlVe3KsAmv\nI6IzNhRZnHtmFDAfBgNVHSMEGDAWgBRwIHmZ1UlTItnnb52tmcQrRaA4RjAJBgNV\nHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASpBAwDjEMMAoGA1UEAwwDZm9v\nMAoGCCqGSM49BAMCA0cAMEQCIAi7kMAh3qJhSoQHCmXtJO/t1Xa/zdOLklYWyr2c\np66CAiBe+dK7LiuxvqcvVsVQVzi7XNRIM8cqoZEIx6ysEEbANQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUasKSiXQab0mKNeQ0KdVsHndfPlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAReLQd5W2tGKNc0vBOvozLF0QpABzl+8AsST3JuOURuTZgcOhPHtPZG\n6n7MQ2w5ho1UgGWsTgXbhLJCCqjZZt+jo3cwdTAdBgNVHQ4EFgQUvX3hM0fS1kA0\nnGkeH9aPn5r7VC8wHwYDVR0jBBgwFoAUOv4j99L+5lYqGcUBfYo0y0I7R9wwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEA/eqQ3vwi2k2Hb0ikCB8h3d+fsG+6BZuG+bZw\n+joL5PwCIDNy9Bb5j4K+prFOH5N87uvnrT0cDf3RMzvrGocsANt2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUG8bdioBQ2t7oBtkVYALrS4NyU/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1eRhAI7dvEXgrh9OkNXxjvXBj/80ESmFdtqZ3\nSpxDc6eRv1mW9Y65DSeTC1itPTAdIuaxbgmRL3YGoegSnjEDo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE8/1Q6o9W1qwGYd6Bk1YbBrHHtYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAK5yz1NLfTE5gqp5\nCzvZY6+WUXtxxEriaQoX2sQcb4aMAiA3AYHtjh4186LFIz7rGABgZU28/Hz8ahS+\nk0+MN7JDtA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUZ/3H0Edsx5xUWQX+ot1TZCWwFp0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsN21YKMR0EbnCiXKHrd6HvKCKetdYQ7jIBUYk\ngd/UXmHV/0W3MMqaUnzccsZ5kRj2joK4j0y5e4ZeeCQne0sNo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz4TKfsYlHDP8bvcZPjOmz825H7swIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgTXkcyZljy2zKSRjB\nY7+9bRJxRIgvU5gJkcUvCFtKCToCIQDD5AsPwD94LrJsplCoThbdSlHtdZnBo6XP\nnE1zY2QC1A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUQuycvK0lO9DHpEmmBLuXsSQzjOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASjsLfFr/wEOwkE2GcWRcS4VtDme5XePRTh/2EsGNs6IRc59g9dSIg1\nsrCHs6I8X/UFwVxK38nEY9ckoeJAMZQYo3cwdTAdBgNVHQ4EFgQUNlcwmXWxSOVs\n46nT11WtQxJAGG0wHwYDVR0jBBgwFoAUE8/1Q6o9W1qwGYd6Bk1YbBrHHtYwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiBH+cYuhtdQWiMU+X1kLWbBAiK2YObm+vEZtSG5\noexbnQIhAO84aSlyofBMEvNYgNk13tAbXo5Lf2gMBPPqYXozsOeV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGfkl+zaNOKXO6omZzenYCayfAR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARKMoEU9+VnC0bRFL56Ia6aytta/KVIwROVl93TigCGXZBZv+ugoUv0\npZxSmV/fyK+0FUKp8cEZT8+7flF/ExaOo3cwdTAdBgNVHQ4EFgQUVRyT184bxj1u\nnEt67fmhY6rSfAgwHwYDVR0jBBgwFoAUz4TKfsYlHDP8bvcZPjOmz825H7swCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAg3bgdZfvCAuzfwdHZFFWCFJPS1t3dIGjTMeH\nbsW6zxkCIHxNBDRLejyxvb6JjnrLK8+67DcHkHX57NlKUeQAAmZS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUGWQNcUgzpHHq9SUk+REM8UjuN7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvEZEaVhxyqTo5xWn/DWBjov+pVbI4JI4t7nvN\nmZiBS4PFE0QbpEz5Lio9B+ZIb2AyYzoIBBIoClD0WrRlCOGTo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxAnkeHzzp8k0r6dxIE8pLvjMsfUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgUm8/SnpU/TmBzLrk\n06n6iF0ZA2/hkoP6yvd8hwpbodsCIHyvNuDJdL4LqeDaLfvintCTygE5GnaL6mon\nzd0l1fIE\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUD9urlQo1S+59La8h0OiTQ9C+j6QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBFmvMzZzBSprxLVXjXYC0O187gjxw4/JWuieT\nvV4dthS0H3uQVcCdojV4v3jOxH84t73Erhjb1oCauEes4vbso3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc+T/TEGTBZ7csVB3N/ujjsB9NswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgHRdKXvhFOhR0j/Yw\n5QvBOvEghV7jae0qobEGOLsgDZUCIQCgLOSscqIxBfRGad26yj95a+Im8k2p8mME\nuGIFf7Bz0Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUco5bruo3DNCZeiRvgDVX19dP3QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEXVIyexGX+voCI5wJQXGLd7jLnzNaWkPL9hZnKy2kgVH63Imt\nsE39J0irUjmFQdmeJTY5AUqHhMmU5FQYFUTalKN3MHUwHQYDVR0OBBYEFCGhI9Go\nP0q0M8KbfvAY+jyRhAfBMB8GA1UdIwQYMBaAFMQJ5Hh886fJNK+ncSBPKS74zLH1\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKg3dElUOiFg0ETttJaOwWrcOKkMG3jo\nSUsa/HV4rxhPAiEAweZ70uvKk9ItAkTcdemOxiReqFjfwbeQwp+59V3r8Zo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUGtrIwwAqVIZQh+fw+KgaGbEBQJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEw+4CR7AOdK503WJiCXKHNCgr/S6l1ir4cL5fPKuLEwgr+uuz\nsoSAbxFPq+2NYzluBcwi6p6NuZQFSjEJ44Fla6N3MHUwHQYDVR0OBBYEFM5zcFI8\nKye9wpzq4lxyQRz5LFTBMB8GA1UdIwQYMBaAFAnPk/0xBkwWe3LFQdzf7o47AfTb\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgcgihQq9DCfb59y71JTPzCW9i/WFoPNtu\nB2X+hbzN5pQCIQCPGx8cwkWAShDTTDLKLSS9M/rM5N/74cp9gJFwMFqciw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUXP1wkTVQNEqXX0caSiBz5axQi5kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQES5+TChMH51+TGCaBlzGUqfL9FUO7Z/x8KSpo\n8FxGaPfrAC5KLNsvUwsRXP1ahHfxX9O0A43Nk4fiKLcR4W7Eo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7waEsfgju2OTjGcBvKJrivkVYHIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgdnGcLiFa9gFFixIB\nOzNIsa4UQrdNp+7m6btmB66tLXkCIA2tGKQ7C0HCotGUldjV0ZNBlusKV9ocV7bK\nhnrMrVwi\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUfW1aHiHN2npHqMOldYNJjWU6LRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8RlI5l/zJZvtZJKJqwDks8W1VhWt4jxLydWq+\ngZk7eZ9AmJ1loshgQ2W7BgHi3JRYjAnq/0+b2CpzgJ8M1OqVo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdbbTAF5MgJkJHZoxssvlVEoeoQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgPOStVLvcT70k5OBT\npOOyDJrEAzQiPEIlpl72PHLofpYCIQDaEHzfSlfBcFTuZi4vfEUHI9FrsWHSNKiU\nXMZvMEogmg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUJH2kAF84vX0ykMZwHu2Ugtuyk84wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQrd3FiGvkdWlzpuk7JhHioML3zac8lYiYnCJsF3t+Io0DbBl4jG9dj\nKR9G9slUGkL260829RsjS/uT2kvZqc7bo3sweTAdBgNVHQ4EFgQUPFXAemq5/1qz\nxFPXeI+aN3YGDZMwHwYDVR0jBBgwFoAU7waEsfgju2OTjGcBvKJrivkVYHIwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgVQPGUdCqoXzfADQNhra6kUXaHWRLFQD9\n6i/y59TJSQUCIQDiViuZWf9kdd0EFHi4GDxIPKVjLTR0pc3JW6rBAAr8Wg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUHHPUJuOjuJgdMIwJznqjDapfMlQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATcecX3BZSr3bFFLsvYzvdchBZeqPT0CWQfZQxPFcdmzK5ho+07KP3M\n0sw1eqCk6EWFwJgztsfHlv/D2FwSaC7ho3sweTAdBgNVHQ4EFgQUESmM1SOBzqx9\nF+YOk/F8W04xBhIwHwYDVR0jBBgwFoAUVdbbTAF5MgJkJHZoxssvlVEoeoQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAL9/tI+tUrnF4b2iVdjJgVgqCeNHqhKK\nLDtaW5Q7aSv9AiEA7QKK9bPr+rqlt3O0JRc6CdLM7HphYrLjbbrFPqx5gFY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUMq0XF85iRpAO51B1EELbpJnc8EQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGZPlzinVuzUcNJ8EYVId9R5gnGyedy44KEMsx\nRhA46ezV4f/yQf1NRj9GqQvWRN0HUiVGowUQ8vHBWqJgDKaio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJsPQzrytpVa2/4XJBT4WAcllf7mMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAdx6JuuvoPnDTYAwTM\nls9KVQvT69EXL7doKptRCF+mcAIhAL89JvjfJXqBaW53u6B2JjyG+2IDbUz0zIpL\nDQhHVH++\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUKxweSe3aMXNa02fcpGlbBveq4OowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpjkkPrmaFMQ0S06IMWXNb9+K7t7nWPTwnQh62\n7nDaVN5RIHqhDfQ18s/tkxTm/8RDrTXlZzGU0Zgz7vKsE249o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFH+Me/pxaz0WGf2spczsy+RPp1fKMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA7fZvGWACjZKAdaSd\nO6gFAcyj1pCYVkbA49qa/5/Dk/oCIQCrDIm5C7bZQxboj0e59/gyyatZIErNtHE0\nzgpFZ6XIIA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUMs4fs8wdo1QaRxAWMiHWOUSyM+MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUYEi4txm3FNUeKgf72O6aplD6lhwaY4Qw19Vp\nXMzz7xdnrGHD0QDONR/5OgNs2QGM4WI0JOjVd0dGC/vledSso3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUmw9DOvK2lVrb/hckFPhYByWV/uYwHQYDVR0OBBYEFHL6\n2QSr3DYiPuf9RmClXd/FypdjMAoGCCqGSM49BAMCA0cAMEQCICWD0xtr7/pzer9N\nvzWKEh9ZeCsESMVGXbpgpyACjL+WAiB01/r/78cIbDv+85rNlef+f9E2DQr5j3Xt\nhrcgFkUjQg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIULKdLwAbduPwTI1q0dWhNq9YDhLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqe83ky+K5nCCZUdhg/Y3Jwku8svtxAABb1KMO\nIBCT2HHCZg+GDAHtCXgOQhfz/a/EAlYXAak0FCt+oSxpHFPyo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUf4x7+nFrPRYZ/aylzOzL5E+nV8owHQYDVR0OBBYEFCZ/\nEV3LecJJ4m26/ypBpj0emVvQMAoGCCqGSM49BAMCA0gAMEUCIC7Vv+eI/DiVA5q9\nCyPWos7uU+iSyQLRERdQQNXAFnr1AiEAirZC7mThN6dURG1fu5YBlTOTW4DiKmck\ne0q9wOWRoWg=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSYkq7BJAGA4lfqHXs1WJEH+y108wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIWm0NuswvUlzl+ISb2N0WTIXOMey7y/NftW0/Y2leLu\n95I45yXl/OqUD8+1NPTZcY4mK3+fbb5BSrHsgW83Vn+jcjBwMB0GA1UdDgQWBBSc\nKZL+IkTMb7LGV5YNpFELZ7Ht2jAfBgNVHSMEGDAWgBRy+tkEq9w2Ij7n/UZgpV3f\nxcqXYzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAl5wRSCM7WL7ad0w83Ut5rFZihmrBRTQT\nr0vJx+9q7nICIHv6hoNH/q+osyig91oh9dGN1bPjmMlJeLX/u9lpJlUz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUaqpEYqIKcZTTDTNHNFgpVdHPMnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAWj6n6icR2gyg4PTGqq+eicPZexbTblGcg9T+GvXDWo\npO9qZOC9XgnH7MKbqIXHtKtLHqgmoZ5Nplqv7HMWG4SjcjBwMB0GA1UdDgQWBBS1\nrldZJK4RQlFCkZb2W4FxtQVJzzAfBgNVHSMEGDAWgBQmfxFdy3nCSeJtuv8qQaY9\nHplb0DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBD9tMIf+ntaP1lhIz7CCOf5h0/JLJcHSUf\nzX5BKFANUAIhAPwCKQODkRvjzx2d8OUsMCzbA4SESex/7JxWTLro/WqC\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUCV+aPkeTnmMfonUcI8XSjAfhGgUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWiDZ6b3f7JybkyA4aB6bZdPLLbVn/zZoEtanJ\ndrfE5iGTZkcmrgv5HRhKtfP2rXR/su+I8UUhrbxnovwB2b4io3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURzEWPaBYENYJOXFbLzLf8xYFG2kwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDUWjlrojmNq9dsEQC5xgB7\nfU64AihntCMeJVuc8TL3SgIgYKPdpF6sz8nR/ZbVdeckjuMTL2xzQyq7Gf9N1hIE\nURE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUVDhOKaVSF7APYX6f1yMUoGVBsvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+fky20S7n1XSY2bZHOmPp6Wu2vBRgqqBlqNWv\nNHOv2601imZxWuLuV6R6iXaXWMHCcdOhcWMVZ5nNeKND+Wqyo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfyBLGqpGp8yDyrguQYUnS6O4vOIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDHrr+eGsawqRBpWfHqk45Q\nflZrT1sd/3reFt48XKS4uwIhAIGKFYZP/UvYOoloXlJdsXKtELs4YM3vUzBwso2f\nZ+g4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUbDmFkBwYf1SfkYlZ8BDMR3YG5powCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzhZDQQ64HqZp1QIWS/7fHW8fZnqkchZk+kAH8\nX42R58R4QqczdBmPrm7DtNcvl16uLt5NbTzfcw4sG8ukyoZCo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAURzEWPaBYENYJOXFbLzLf8xYFG2kwHQYDVR0OBBYEFNQV\nJ0/oZfF+o/x5HVN7s/q6yjKVMAoGCCqGSM49BAMCA0kAMEYCIQC/PuywChyM0u7/\nne4nlsa3PUeS+JVExYL4YGh9EGGQBwIhAI5FTpMhQcIJOlhxGvvxXO5GywUGVlHS\nQohIf8UadE/c\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUHFKyT7VghgWkzBMOBEklwQxzXbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRk0gRIwT2VCtwmRmQ+G/J24KFI0Dv74xY56Rq\nYoGB0zDYJR9PlIgj9ctniVbzgptImjvSLAzT6/oA2l9KKVdQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUfyBLGqpGp8yDyrguQYUnS6O4vOIwHQYDVR0OBBYEFAdP\n35R5Z5cGJ73GmXolXYb551sZMAoGCCqGSM49BAMCA0gAMEUCIEnRY+vNj2Tuaz8e\nBfpvb5Wgg/IQHdvMxW42DEkDmg+5AiEA5DrUlWEbK0oc2sZkA4urRqkcnwsBPr8Q\nnchhwawDJnA=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUadD1Z4nOMNcnpE+TZ6JRGnHkoyMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATluum10rSJvh0sppVWHeiGpEP7l0eT/hpyCFio\nhw7vwcKQBS/frGfqX0VuFEEVveE8/LhRQEai83qBT19AwLBSo3YwdDAdBgNVHQ4E\nFgQUzBhUAKUpHwOnlPu6PoA4/Tf2ae8wHwYDVR0jBBgwFoAU1BUnT+hl8X6j/Hkd\nU3uz+rrKMpUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAfw0qf1qL4f8s0WImlbnaYf\n8VdI2Czc9/arqVgDFe5RAiBaVV0dwQyflDg5C3oCTZ0WZYKUHKQS8KaHpdhwPATN\niQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUBVrHKt4pD62ugWvl4+0RcUCTjuUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXbddnkoIjVcRMEY4Eh1+KIJAJQ+kEMoyhRKQx\nQNeiPXoxn3HaW2JW22UnuYQGWNELM6JvR1KSGcJCwYjUZaZro3YwdDAdBgNVHQ4E\nFgQUxIKikXy2FfkENPQFX/5QvcjftvowHwYDVR0jBBgwFoAUB0/flHlnlwYnvcaZ\neiVdhvnnWxkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDynuHLMF5xPzw2B9KzNxvFc\nZrkl29/cl18F+kvcrpKhAiA0SXLqp5trWR1n2F/C+/b+O6/XVTaNH0M/yg3BQmj1\n+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUY0DVBoYYLvXIGrGL9X7Ohysj/OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT5Ki6qoG3W8adI4FXXtKxAjs4HWisdP7Bomc/8\nPBm4CBnj9ako+ADmNom3wBQBQpTxGMzj0c9CpnDLlAZmi7CWo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQprw/03ZX/288m5uR261UOTitlFjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA6HnroEriAv7J5XI4zLB4spry8fTJR/qZ4144Ca8luGgIgMgtz9dbjft5Z2Afl\nw9SZPD2Jzc0l0feerR99A2nt0T8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUTGecbb2JxcX+VdvyKHcD3i5cgH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQggMjKe82LfzII87XRtnognGjLKuMsRMuhmuqv\niM1sa3IsMVbNU/FdDQIO4Stsh3qAFOkDdrWXcLwg5TUcR+aJo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT1vme9BDldwK/3cW053pzA5DLgGjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiArFG2XdU7/2Nsc0bWtP4oIhlTJ2dArda4LSSN/jNWvlwIhAK4HNTyzXOIQSViT\nboBuYaK8aHhdvIMbxp3LUWNN96kL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIURhbL1Gqho4H/x5JgT6iSNiX7W80wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP49579z2Bvz84Llxm9S5DD8iS57KHfe8Vc98eQzQoMe\nbWuNB+WeIQ+QSXwgPEwF08S5mwSsTn49wQokKn6IOj6jcjBwMB0GA1UdDgQWBBSN\nnASa19SHdhe5zy7LvKCpS7Xo2jAfBgNVHSMEGDAWgBQprw/03ZX/288m5uR261UO\nTitlFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiA04xiIYh2t3cxsrx7tLZYPVgii9VHnxVC4\nSea3Tyg9VgIhALGwrbvRLEslZ4vsM77nUnNAV2I7gcdhN+bqJ1MOmUOo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULdOhATP5neSwtvcb45237LNK6BgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPpcF8PmRG3LX5ym+vKDpGQiV2rthLzh9ffA7Fqk4Pw1\ng0DBpPqX9YxY2yf4oysTYoAKqAK9xNvmRg6Dig7X1yajcjBwMB0GA1UdDgQWBBRF\nfhREskMTxSXpI45pzUPuFM63TDAfBgNVHSMEGDAWgBT1vme9BDldwK/3cW053pzA\n5DLgGjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjsJOd2q8nC4T/EwN4MTbPKRnzKFhmssI\nMrg3JchLFFECIGHsZEmHNwHiZqIgAAHYq2z8n3ERuBp/TEprXeOAcYNV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUCyKIf5136fCtWIO3Ecn4CzZ54EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQe494I/Gyki0DPLobMpsjVucnBYWmIy3ohvXPB\nDTu9IT8Fzr6V9d3GTav4NSUkFkieJfbY7OD9DG01wbu7QJuho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvm0vbvJHl5P3XNPlE1FPKpqq5dgwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFJ0kvtTQNwypsiA+XE35JqCxJEQ\nvKjVAD/Pax2/15r4AiEAzE4NQPlYOv2qSgWeXQHme9o/czBl/3OmCTxHsilX3sA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUSq4sfeXIS1uXlx3pJbTcDqqxIbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBN0Stf69i/KHKT9H8RETyK72I8Pjc/uv0wzDz\n0/v27yHF1mnwaWO2fP7iULTi7u30+wByO7RLOMa1gOaFjLnno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqITtVn+FE/kCLtGYwjIZQIn1qLUwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIDLU4wXe3zuFLFJQcH6HBlY148fs\nFB7vPYcIyMlfnrDWAiBBl3xgII10h9GC2mdEBm0oMGRKAUHRPduKnMB2PYhrPA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTw9h5omhUdI7LfhxygboFLWmcwcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA1aaBtyn5ojun7srCaMvqgR+qf/ksR8jCxby4IPDnjm\nhvg9fy8w9G/6n0bY1cfKbS/eWx+kWeOeUsrh8IPHjzujcjBwMB0GA1UdDgQWBBQu\nQX9CLrergJKeN5fLvST+1IBDQTAfBgNVHSMEGDAWgBS+bS9u8keXk/dc0+UTUU8q\nmqrl2DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiB0YSVUE2qPwVx21vXZP/kMu2AEu1UshJng\nZD5+ax54hwIhAOsU4voZdFAoSEU/84eRD8trFtacV85BFYtI05v70dMq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSmR11hTHH4ItJ0/c5fkwKB6iwCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHvUbdUH3j8ZynBnbTAZrkkY0MBdSodFSgZoNhFy8qi2\nkfAmnMPMNtm0Bqh7UQCs4Sj4Ndpd5c1k4OLcnfF/liejcjBwMB0GA1UdDgQWBBR1\nwZfOGuiR9W0k375IF/rlIiFiUzAfBgNVHSMEGDAWgBSohO1Wf4UT+QIu0ZjCMhlA\nifWotTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAz8xAl068WSRm23V+SV8oQEXRuSnqDs/qe\n6zbdgQyNiQIhALTK5NCo7jjLqe7EghS6wKz8OgammyrTgTlbROq/em2G\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUftUOF061aB0v3pF3+bgENbJ4/AkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1aSzjZKiRKf/kNQ0CMpKdIlX0sYgT1HYNRqX1\noRW5kfnYpLevbL4ku1i1XiBsqpumkFf26r7BAxgMonsaErFGo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4T4ootpEkBpyTY5n/BEnAKpMiHowHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPXUbXZ7ZgCrNgtI9mI5\nd8EfkHWekaoHfwTXglSrcWyfAiA5feJD2M2Zgc3tmeSOLZgPm9beRBTLWl0/MKWj\n/sCx/w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUfKt1vYiZDCSP/LbWKhlea41wvvswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQV/Ym0awK/WBDX+d0ITx31XoolAE4xI93w8AGE\nbfvwIOnVyOus66rtQl4j/ZUOnea7rCxZmkwe6sMrKmQiqyJho3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJ7RqGcCw3Pbb7jOOsVIFuLvUGMAwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMeyrjMMc978sglhQrM/\nksljSpA1vMjOOjZN+ZWrGf3vAiEAsXATgFGrKLyLai/Hgby46m9FbaKB8niHmQ+k\nt2fQxDY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUTYibZrmpm+3EKYN5jwbIbnXajAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOy9oufYOsOr40BG5WXzhw7a26mzTtHhNR+52eEdksQf\nLwzspfpQVCulAQljxcYCXhvzC/08sUdr3uaX5eFtaLSjdjB0MB0GA1UdDgQWBBRk\n7ZWjYVSeEHL2tcBWKGrz4AM9KTAfBgNVHSMEGDAWgBThPiii2kSQGnJNjmf8EScA\nqkyIejAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN3+R2MWpeRfCweSDtVYtEj7Yw98\nOhtOY1V+kfRoKuLDAiEAnTKh5398qiO+Vqtyo6U+1HG1DErUXHvwi3PxwGDPO4E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUYw13cWhzHVxrR41uS7Wdf0gwSMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJLdEFToqVW6rbgmSd1gzNZ0R+FKgqxotP5H3hEHpVpf\nV/rgr9E4Jwp2D1oFrmP0NNbgHdT4U/ko6cijLe64ysujdjB0MB0GA1UdDgQWBBTo\n+iQqHapyibGW1ZscXCvKnmV5BDAfBgNVHSMEGDAWgBQntGoZwLDc9tvuM46xUgW4\nu9QYwDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAL139wwSkPzTj+i0BS6vOS6dkqB7\nmy/tRmNZENHPaOrsAiAAqWo/Am4htGe/O5qFhu1si1Ifmccz6yMNYR0AJdVQSA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIURmfff5UWrSk3yM586C6Yr0Qe62kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATg/yWBrw3KUa5ldFr/Oc9ssT0TjNcGz2NVrEHO\nHocFpdjqW5GOnELQ5Er7WenAy96bSaiL9OXPr+/VjFuMYmUPo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxeHqiYa6oU7yPy2OFZWp47WO2OgwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgRSp+IJDDX/PbdSQMpJASn6x/piEBsHVV\nw6p/v6Pr2FMCIQCWqSIsrUtp83I3BbDooRpJ9N8ckXfhEsjt7xtstkljwA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIULdnAVPlY/ynEQDwAnT462hFcxKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8m92qE2SMgNVjd4c72OorsqvQt4cxIT9haVAA\nolQzgu2AyRyOz2DGt3IwrqhbnRZOwzfB6BICofrd2Dx+T1mMo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo0szsi2GJsnjd5VwBlap5u4CXfowFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgNxHmM4absuhFOXgV74eai9X2RP/ufE1f\nalLznaZoKpsCIH74Ff65myKZO6oIXVoy8N72pQHxI9CgkpS1JIPpUfsg\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUOkiW5TRghZEpmPxOENEflWX+JuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjyAfgBd6oYU7JP+37fu4PeUqnU0tOvVKr+TVbUft9d\nRATiwtpuiP/YIbzbPyXa5odykxBWZoyVMWlSxKmAkwSjazBpMB0GA1UdDgQWBBT8\nqyyhqCSx7dvPlJzjXcohiYEDxTAfBgNVHSMEGDAWgBTF4eqJhrqhTvI/LY4Vlanj\ntY7Y6DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0gAMEUCIB4YjDJhW+UXBAj8yYQ4ZY9Nw/wWcsmUyi41SC33g1Hy\nAiEAh+dsv78w9ICoWOjVaKkO5h3NlGaqJy11Ka34FW3fbkY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUTZMLR4EyVAcq8Ikv576bBHkeC94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNe58Zf1cZpZlBjwcG29XaaSpr60dbLHQm6rxOaBlQVn\nDNwVuboi5bds1+mlUC/GJwZVBkfroc3IlL/LEbWm1I2jazBpMB0GA1UdDgQWBBQq\nEPIXtGQaIG74YCEjrSfkxQPt+TAfBgNVHSMEGDAWgBSjSzOyLYYmyeN3lXAGVqnm\n7gJd+jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0cAMEQCIElz3BiAr1uhOFTTF4RKte+6Befio/GDUbK8pzeAqROy\nAiA20fFH6ZkPit9HZqtVLn99rNyEH655BI0pOmMTpW3jGg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOpkkFvNLloqd5zTSpX+of96Q/GkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzaeALn8JvX57S9oO+vb/1QFo1e577jrnQL0TT\n2gWSnd+vTGTrWLiDTyFyKH+aqXNd3FZznIB2B7rtuzv0F5bAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUko24TAnJe/eUkghj36eD3vkjdz0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIFvB10PRmi9nI7NdLTy5JOMe3tIIVdsuarCV5hw4F2wAiEAxn8isF9KOWXACpQe\nP+GTLzi1Kc47nm+FruVrT1vw4Xc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURpX1AcT4lhWmoSeHLy1geICQrbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQdpiRg/XA6Xyn9058KUQ03T4gYpn3q7fBkL+p\nxBqQ69/9HpgtTRNYRM+sY4bzmLSCvE5UtbeTSgjoMT3YaIGIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYjDYT0sKyQDPGXUvPU+cIvdqsxUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJR/fO1ACqzu7R4baGWAXwNJWSLAXNG0XdxWEzIkYrB/AiADWevNcYif+OlQpLQP\ncB6Jix+aJAbF1JeO/WKafFWb1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIURUaBCThzJvcZ3IOwO9NtAbzbbe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLxsgyaJ8z3gfBdtKBtnQ41yLjrQc0AZLMvqB9poLtJ6\nXP5Jm1Lcqr/0zw79JxwdX403fQRWj/h5cLloVljOLTKjgZwwgZkwHQYDVR0OBBYE\nFIbp7Vgo1+32z420BNDlrg2FRGz4MB8GA1UdIwQYMBaAFJKNuEwJyXv3lJIIY9+n\ng975I3c9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgePzlB9niulNS+Z5Cm7tg/25VMpM4ODD3EI5GBAQ1\nuF4CIH/FirwJEFOd3wTvHGRmlf0Czliamgl0dAL9mRBB4m8V\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUTPPaasY0jVahH5e2/acEgHuHxAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFmsWbfksjELTZ+BEdRQCISR2dwOprOGbOIGkWSwP5TP\npyP9APT8Fx/3eHFJyl3+IYEVz0mzgYPUAMKYWTUsBc6jgZwwgZkwHQYDVR0OBBYE\nFEZLk6AIy9S3KUZNweer29TEkuPnMB8GA1UdIwQYMBaAFGIw2E9LCskAzxl1Lz1P\nnCL3arMVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgRjeCxeb1R6BNYd6qs3vcJtp5D6FO25lEDveV1lVG\nSJgCICuf2A7q9YEvA3OFQOTzUodJeHg7oSxlAbilW/OhwDYZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUf7aJKtZCaLwRMnNpkaoQKc/158cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDYk1NgeopnP9gbVM3uCqkktbt1mFHfwslyicL\nhX/R6TeGTU+cWFqeaHqxS+HmdGYRUu32c/2vvqQOdT80BO1ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHPdjvej1VBWBC+iR7FAasx5Hn0kwCgYIKoZIzj0EAwIDSQAwRgIh\nAP0bR6ojgTDSPXMrLXGwFj70kZZT1yZPxIISIscwZQpYAiEAzqINh6SPf/UeCfIz\na6fzyYaTAczZIlv5g9Tw33ufQeA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdoWxn8o9o6Oi02TTMgE85Ola7TIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ1aaeZLPL/VAqxMF/Vok7US/KWG0z1quyNrCb\nl/Ba2D0A1ugd/8CRyISK4PxVG2hw5fQqeNdQzlCSaS0tSEYPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw1uQWn/OlLQs9mLQs0R+NDBzZ6kwCgYIKoZIzj0EAwIDSAAwRQIg\nY+AAcpHFNm6LV/Srk2e+tPmy9+pmGD3fjdhy0ZXqpvwCIQC7hiSCqTmaiFmzdMYa\nsL8mw2VV+3yG/lpreojrztHZ7A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUJJKmIWmFTIsMJZI5UzksAAFWVEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGWBrP+kTVD1qHwW/r9fHf3XRXqElMNvYBR6/DswDzTL\n8Brblrn8MM+wocerqAJ3j0hHoqeS3W2CYHP1pia/GxijgZ8wgZwwHQYDVR0OBBYE\nFOL68Nw1TQyTQLKTnVdo9MEaeUbUMB8GA1UdIwQYMBaAFBz3Y73o9VQVgQvokexQ\nGrMeR59JMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDRwAwRAIgGaTtOwMPXpntVWPMtKBm/C9S0DhzYpLJFjmf\nrUHy1WgCIAc82LsOggR340XCKmH8/+lz2gNWlZAFtnRn9LnNr/Kr\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUAQcKeereGoPXHQj/hvg11ZK1mKswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFmYyZOzrvhoGixMuu5X4oiDmlkAvEOJsc9LX6dqUL/+\nfoEa4PSRo2bSTcn1paZK3JBk7Xiq7s72Oy+6/HP0wD2jgZ8wgZwwHQYDVR0OBBYE\nFFEbEK+WkttOelG5Nexkt/Ir0o4+MB8GA1UdIwQYMBaAFMNbkFp/zpS0LPZi0LNE\nfjQwc2epMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDSAAwRQIgejDw/pwhzPX1uHGU5nbsJ8FX4rX6V3VvqafD\n0Jco4+sCIQDlfOzpJfNC12N2DvP8/p4b8y2ZcfseURhlx5NkCDSWOw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURcQFrP/Ftn6hEdODkLcgnMUjcjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiJLp9OKFwi0r1te69nuSWTHN0gK51gLTSr2BS\nttYuHMUmJtanW5pZPsQ7H8h/0gEyFivgDPsZSMHniGRbffgto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2rDGgOZu5fgECF3IF57yjJhVa74wCgYIKoZIzj0EAwIDRwAwRAIg\nAtVE/Bk6zMXIp3TqFxdvPXnybBkaGxdnAKTcFQr94VICIC8Yh9Reckwjh9eQU9ry\nu9Tfl2rRDKo1qY4mZT8qhw+c\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZKKQ9FM0SrzJPAgo97qoqXnv2QswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHSBlVrsR+Ek7CZiA94tnO6Nd0vUeBeO5p95Ma\nsK/g60PIYnw4D83QHdK+XhHTdXvOAE+vKz4OjGcuT+HodMU8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUosIn8I2P2mgik3JWVPNFxQ86NBYwCgYIKoZIzj0EAwIDSAAwRQIg\neklSKD2z8Uey4GZtCyhyEjTf5y3dxpevcwnoQubfF+gCIQDsgUu37pwnClFS4UNx\nmCXZDmWfjJDx75vE3UjJNfe5PA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATagAwIBAgIUXwM2rJoFAl4gydF77MXRJj+JqcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwq5Ch/nl\nvSN4KqqkPR0tbKJyA2j4sNw4EOTK5rv05Wb23r8iQ0Cxufolc7qyWR5f7k5T3VRg\n5LK2sgBY/mfM46NyMHAwHQYDVR0OBBYEFFhuMsTrCqCf10Z8jFArUNcFH8ehMB8G\nA1UdIwQYMBaAFNqwxoDmbuX4BAhdyBee8oyYVWu+MAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIDaKSi2fda+h5cylgAkuorf+uLdreESwb+ibEvjiG3ScAiBpAhmESws/Qn2kqaeG\nenHKeUx/iM1Xg9XoWI0+f3x0sQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUPBMeaH56XIEVbZv0H6Jx4A/2siswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt3ZbB10+\n5DLd1yS6H9yUou9oIf5Lfvx2/i7iB7k8lYPSzXl0NTQgXm79lO59UeaMKBdvI/r9\nYluihlwAH/SOr6NyMHAwHQYDVR0OBBYEFHxZYeKUKexRxVG+hGXXUy5fy6K5MB8G\nA1UdIwQYMBaAFKLCJ/CNj9poIpNyVlTzRcUPOjQWMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQD1Vfswgv089jjFDUNS4Inat/uXKtWmUEkJGF/yeTYLKAIgHpkWrY1WpXnKdq6E\nGvnKq/0/2HUhGP5SDk5LqNq2DgE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeZwFS7Tf4xOVZIk0Saw2P3F6sGgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATj6714EIwKzMnh6STtMB+6KJQejXszG/4R1aEb\n7GI3eDkQ3SD9S4OUNxGqrmbhf2mF4IQ3suc+1bhmxCYKHVT0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyvSXBHA2PXpmG6/QFk/TzAebTTAwCgYIKoZIzj0EAwIDRwAwRAIg\nXIVjXSWutu4L99ezcetR241/9RAZG1fVj1miuxxokDACIBoENw61lVUHMW8a5oX2\nqyS2hci158lK3UsWDsYDr5Fe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbqFu/YoVbOaZv4FtnwpSwQSiF2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoAHOFujeOnXPnyRrJS20CshwthywhCUugmWOq\nG42pOt8neHLs2jozM75ZfnU2mopKTJn+xgPltdlm1j7IFenDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU732LA01nLC8BvSd/+yIbhGrxpHowCgYIKoZIzj0EAwIDSQAwRgIh\nAM0SlDiL7JrRllbTp9/lhJa04r8d+Sf4p34DLimUhQkaAiEAoo9YSfEGt0Rg92Ec\n8pRfQ3OWvCD18xpu4C4oi+XmG28=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIWJOz55EzOyIfUDQvtakoyxFvS7amiZTAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBaSgix445i2/D+PzWBDr8lXfPiS7148elk1hdkoQ\nLe1uaDy2w9baTqzL+v66e7CxWLv7dJ7iNkclX27ooFHPaKNyMHAwHQYDVR0OBBYE\nFIF6aWjU2eWOy4cAmyN150aGpmvQMB8GA1UdIwQYMBaAFMr0lwRwNj16Zhuv0BZP\n08wHm00wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUTm4j3tWy1KAIKp6Ie0hzvg0mg3Zn\njLPGT2FDrWmmlAIga6tGQgZuO0SBKqF+21qMppnukgks0693BrFPFcOvTPM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIXANrJMWAbcg8aIB3cwYUMNKraLSeHZYQwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABParH8N5DY5nAW7S+Ecp/GIIhyPguzkpJN1dDtDK\n3dnijXh42CK/2POGK73pXHcX2OOJR7rb/muv1nIs9213qd2jcjBwMB0GA1UdDgQW\nBBTbYx+Me1vVsBocaDpL+/+pFv1jWjAfBgNVHSMEGDAWgBTvfYsDTWcsLwG9J3/7\nIhuEavGkejAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/na9pD+/kWCUJauqJf5CCW7hgtO8\nciidyEqniT42/8YCIQDO/XUZoOy6L9ygpWW3OssC3cZ6Ksc0s1mx/ANWCn45Eg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULrYU29AgKggtgHTwmzQVKgCS3jcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxxQL3JOq+BVZsYxT6Ysn43R5F5hzLu2ujP9uK\ndj2avwCWyk/9u+Tt5t3nTKZhNm7FR2BQFCV7xQ244+WFVoGfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7O3uMQDU+Nn3s/zwGGc9ZMfBbeowCgYIKoZIzj0EAwIDSAAwRQIh\nAJfQUNhqVEJKH0IrJU2ghNx+WZb/KDaTsn6DJCQtJHWWAiACM5NL2K1oI9AsBOJf\nCDGqzzvz4wTqzotNFmekkOdlrg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULl1FHCskooDIZ/YaHNgAsqu9BQkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASX7geBFQ01NuaUWFDeMi2MDSGKmAjLPYcVuys0\nPv1zrCP19YHdk4IjckXjqtF/fK4ILUQfMv0BSwPIHXQv34oco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4dt8MrjLDWBHVE9psRKTA7neyLUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOYCwZNLd1bOApyAxASIvJ+TIn1k00/SplEaxdXG0ZqbAiBEI7vOuCea/zjs4cgS\nemhMeeH6rDqcwwzwnRuFMquCMA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkTCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvX85\neBHCOMJb0KxMdQno5R0p8yUHvdcY3HIjvoMQyE+OyWxlYcVkeaUC+7x8SgnM9pIf\nvY62PyG7zrB0OHm/RKNyMHAwHQYDVR0OBBYEFFbqRmems0pYQY+YyP82MF7hCD3V\nMB8GA1UdIwQYMBaAFOzt7jEA1PjZ97P88BhnPWTHwW3qMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0YA\nMEMCHxRmdz8K4rpyen9MIH/vxIi1Ow9WTYdxhoZq9xFow7gCICRRRXOHL5zvJ1ve\n7EVG44xnQc/OkejXuhYAmXnJ2jUw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQqSu\nTDazNnr+ziB+PUSyEzk2xbrVszO4kYDk/3HlFe0wMY4UERrdmhvTe6x3qYyNtlUr\nHDuObeI8Nghpn6aUyKNyMHAwHQYDVR0OBBYEFBkXMJBQpQVw05Z71Q6v22Dsg4Ef\nMB8GA1UdIwQYMBaAFOHbfDK4yw1gR1RPabESkwO53si1MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIBZ0ntYaVvaNaUx2OMMgG+x0pKphPOAyKpwGJjugqErFAiALnt+Ms18/zHkT\nLU8GjyjR9GxJO12eJYiJfN+BM/ezNQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfCKEryxgAFSzStfxrflv8cm6fbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdDFbOnKzbzJSYyW5AVwt4sVGwKF5QADMby8Az\n2c41MYhNW+Gy1DAJcnog4pWoaUI+dO1dcohStUSF678my6Ivo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIxPngcWKtQEvtWWAIFqZ+qlXLbMwCgYIKoZIzj0EAwIDSAAwRQIg\nXJl/GyHLsiDipgnvnwogVcaD9XZF30PoCvswnqit/ekCIQCpoZeqdOMH/prn22ac\nWwLn79EzT1A5H9vsYCOmy7wPYg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIcdlWh1dgRk9Qj/pOWCdDzlQkEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7pPWNwbM0AugvJEzHRmf0qpHnp2FKLO5SO3UU\nhQpZCaeH1dRog5Y9uyu0/FoFDA2XF+BlpGSkydWjySOVj140o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+hUP3lsT9OasYBaaAplaPf98T40wCgYIKoZIzj0EAwIDSAAwRQIh\nANLF21YPDjw/5ikW8WjE9faMx8qH2Hq43N79794pbMNiAiABWybJSBl6m0UDjuv8\nyrCB2KMc7MFYXvcy7JJMBeqqJA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUCeBopRBqYcXTdBjY68yaguggfWkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMQm47w7GzvfvQP8/mgKYLV0UBIgKuKKgdqm/29U6FMA\nQXNea591eGnFOSZ7/Ismeu+bdoKjM8J+MiGqgSPI4JajgYswgYgwHQYDVR0OBBYE\nFAwdOrCS83agXjZ639VZm0IkDO96MB8GA1UdIwQYMBaAFCMT54HFirUBL7VlgCBa\nmfqpVy2zMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQCFUWQJ186pK+FIrGQg84DABl/JZxHHaEQR9oHWtUBzCgIgDAtIFCIr8niuVCUg\nCKyiF4SRrRM6Cjo5dhc0QGlpg2o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUfOXmEJySP2n3K7Iy+9LqcTQXixcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEUO5dzIhf9eNmJp0YiFvGoN4LOP1l+/qFoGjkuE9fWR\nxcvyPX7+nHGi0Uf9NAW8NHIPNyG9EKfRIN8MjJ6bnzajgYswgYgwHQYDVR0OBBYE\nFEvtp+tfp+eFfxgK86Ech1QH50Z4MB8GA1UdIwQYMBaAFPoVD95bE/TmrGAWmgKZ\nWj3/fE+NMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nICIhH7WVGedolloRJTvtx00JFKlv/Dh3VZX6Zih/lmlFAiEA4kY9MPVyWLYrzGyA\nVzm8BO88aIIBfd2w+XVS6RqL+bs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSEWy0Px8skZMKWwWujW3+MAE6oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbJ5se83qeKDJuyI+kuHJRKkLTGxUMxOdY762X\nM20qiDxof5UcGqDXz1u73+Wzhs6dohzVjiGauDh4vQ53w2cRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6/sCwxnqF0cN65kIXizUojv5yNEwCgYIKoZIzj0EAwIDSAAwRQIg\nSiN3C04cwjT3F4r+1xlr+f1j/y2kogaGSDwgYusg3tQCIQC0qNKmBVzHmyRwdBPY\nne0nl5WwwMIfZDgX19DNAIleww==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFRLJy4XgaCMnuU01gPkAsdR1pM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrd/f/mIWLlmWp6ns2bV6mszUrcn5Rrd41CBxz\nGyGxrdaZIkxi6AfECXnoJ05PdCiUtgPJZ5JyluMF87UlYYQLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh6xanfrfDOw3i1FJ/acvl8l/wncwCgYIKoZIzj0EAwIDRwAwRAIg\neWXAF/wPWKJ1xeAVi2AWnipi3sSeCdTzzL84c/sfzb0CIEYGov9Dx1hETkcX9Xy6\nFXmP/ztGP7h0G4ykcu3d+kDB\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAT+gAwIBAgIUeaafI6lFY9Qx4JCEorSw0t2+D90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHwxBAGhufYWuiMK9vOQaJwH1K1it6xYlJFDzTWqiWzE\nrhlaBbKWZ8BSHhUNgDnF0NGBdbYCZEekrc2c4xJNA4mjZTBjMB0GA1UdDgQWBBRR\nGaAFEKAJxrjvsuxPBNmy64CL6DAfBgNVHSMEGDAWgBTr+wLDGeoXRw3rmQheLNSi\nO/nI0TAJBgNVHRMEAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0kAMEYCIQDZNBbGLs8zT97aVFTzT7wBFLMrn5aIKnGFcuvvLp/rmAIhAJ6L\nl5LGz/Tva6lfUxVSj972Ino5us3YjEUl0cjeviZL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT+gAwIBAgIUBsJH+TFKEs4gTad4kTiBjuYmpegwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO2QH5cQL0xk7afD1/cRdEDK1NAM8HjyAoU5y+409Y4I\nSDEizxRluEWEmiX6krnNcJ9MnJjpJnDGQIHyVxKdiHKjZTBjMB0GA1UdDgQWBBRQ\nlD4NsG6QdDXKB84pmnHPFN1+1DAfBgNVHSMEGDAWgBSHrFqd+t8M7DeLUUn9py+X\nyX/CdzAJBgNVHRMEAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0cAMEQCIEvmvCVWDVKp/YMsBiobM9A/rLRj6mu+zPyX83uQQcyFAiB/BAnG\nb7k2/h/wsfO1HM2ppCgP65r9doOleFiYMWD7fw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1262,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBgwhs3oqT8mgvzQhiTLZPlSKEpQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQv40zpuF8C3NeZZdsobG6KA0oDRWohcK9NfpnS\nUGn3zWoXP9ZKlaCjnAE2HO+w0MFu2DKSndZC50FVg3EwYA8xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnBAt87oe5krOhSlSlhlqsswhOm8wCgYIKoZIzj0EAwIDSQAwRgIh\nAO34eNEWVOB10DVSzIbq8Lr7j03Nfyp8FyKd4FTWOOpTAiEAswFFjxhIpABGTYm8\nbFSmDpvaiLcTitVDB6Fg9D+H4x4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaybQizcmqaQsO85wzn+oj++8YiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGggpmEXeEuqZcfhrBbus1PBfMY77PHhta4OJC\nK2Mt+HOFOH4LRLZdbzZgAB6r00A1vREVcwq3Ykyz9krSGAjfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJxqDntw5R+eGug3TR6zqSmh6OOowCgYIKoZIzj0EAwIDSAAwRQIh\nAIoPTGXhCLaS+QewG7/n+bjeZkAF+FQ0mD4d3lDctolYAiBHYSUkHiPM39uQwq8P\nJCNXKKBWEznjFIN6Ms4mpF+Z6A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYOwoLW/MEBfsNpufvU7tHjiX7AEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJA2M+rbsgRTTDQt6fDSwIG0Vabmxc3hQ2xkCt6MOp7l\nF07ZeBuyacp76mii6ydVr3MqLoGAu/5oqCjXEWCCjXCjcjBwMB0GA1UdDgQWBBQG\nMSNRkFpdoza+KUkdiWhf0vqhFzAfBgNVHSMEGDAWgBScEC3zuh7mSs6FKVKWGWqy\nzCE6bzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmbHMYcDX56yHJh5tDxXnCcCzMAICLUlz\n5GbozQQPFkECIQDZwLFDhZ1C2xt34Y7MELjsFBwSkRiCb6c2b0/m61QGFg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUGAMb5eqDIFuE7rFicz+3LxkuXIMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQPCWqsrZbe3GFwa4jhmv7R4ZYvNB/8TivI90pgkymv\np4bskxH80Ft0h1CNSbBPFxpBEcsZ2G3xEPih/Wt4yGujcjBwMB0GA1UdDgQWBBRR\nLtLtBAHRxvldN7bqgddJQ5zfyDAfBgNVHSMEGDAWgBQnGoOe3DlH54a6DdNHrOpK\naHo46jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAg/9S658ZL65eUaCtQLo/1AfcyI8AhDuH\nG8mDy3VmbkgCIQCcXO/JzcPwhepek50LbHsBA9c22Y2NeGS+PV8LmkKfdw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1283,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUF6Q8R5uHN/Tid0korG/Y0TtDEHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARschWsQW7tAiyr71hTxSprM8W2U78grC52aw0y\nHPyZLC6QxetqB6gH4hR1F9Ut14xPASBTcDrl2pKxXTU6vA7jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY03OlwubulvccD9rXMg2AicXGAkwCgYIKoZIzj0EAwIDSAAwRQIh\nAIrjGb3QyztLaT7krtZQKOeDTwuMeMj0v1A2Ki5DklGbAiBCzND4uyOD1LR5Osy/\njUHcEHBdZRlEWHUQXz6llLKrAg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGM39IHBC9ZEJFXYQXLp4LSgdzC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6gx2XlumaTty/B6qKhKm4fSt1B5qpP+N4YMUe\naK2CCfWIxoFo9U/HtQbI/nrPWD2MvUtyf30FTI+HIuZ0tYsxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/VDYZjA5awDHC8Zo6LKzkqzMas8wCgYIKoZIzj0EAwIDSQAwRgIh\nAPOoDdCt63zvynoDqnplMy4UtPt1rr+n28gnfi/WyHTcAiEA6vrhhl5fBVg2sMyB\nrC31QGV/6M9s2eykVpQ0tvifyV4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUG+9zvP86SPzPAoCisiawl5XrTswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHFnySE7UJc0rQoa9taA5WW/hOPBP+oyY2H0e4rtzL+i\ngu+h7J+UFfyez5pNwG6UXjdzbXjYXQqb6ePSExInawSjcjBwMB0GA1UdDgQWBBRl\nAK/bJgnTvO0/q3BbWBSXyXP1gDAfBgNVHSMEGDAWgBRjTc6XC5u6W9xwP2tcyDYC\nJxcYCTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBTTeLijHMzMTVPTGqpGFqONVpxMQUkUUFu\njEoN6uc5XwIhALFH0jYfcCGxS0fCQq638PbaOWcVpFIq/QujQGwMI01T\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUb7mbgSXkNWp4J68nlrKubiLzm1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO9brjvaup3vFa4sFz3zBQ6v4erCdOFjo4EhQmoSjNwr\nn/NjGiCoiPPBr4NDDA/gozxMVSKTLtzeJE2geLcPqaCjcjBwMB0GA1UdDgQWBBQr\nsz2pYr9poCgjU0DWbFjvMt7zoTAfBgNVHSMEGDAWgBT9UNhmMDlrAMcLxmjosrOS\nrMxqzzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAPFFCoZwlvUCoGlmqo4rjsSasK6OkSwIjO\nH5QeefffsQIhALNszb5fr0j3BBa3+aZhGD1mcdrCoP9OniObX83yCXfc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1304,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPoclelSsqazN4tTBwYpEmBAKGmUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrZI9fOt3OA5H4AuHQBaRqQ/XVgp4hklFfoddR\nHSW0dIQsOP/MdKVIcsB8KU6KfpU9zmBweDBF9sl5e3qaKFado1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSuvG+Xw/Gbd0WHRF8xm9ZueQGuMwCgYIKoZIzj0EAwIDSQAwRgIh\nAKVCZDvnqevmLn/+DGCqqFUF6+cJ1r6At25vPfKm6CDZAiEAzxlx7HUqX2Lgg+JP\nFGq/qlRjkTseksr0R236NXyem5M=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVAif1Hyo5wcJtgcSReER2Oh8720wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuxXSILDKGh7kBC2GrWCk3JUUuM7tp88ydfTwf\n+kN23WEO5RRHbDOv5l7KSEvVctY4c8KOl/E0ejljFDPOBlIho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC8kqh5I8YOP3KH/yQQiNYYjH11wwCgYIKoZIzj0EAwIDSAAwRQIh\nAPcW37xmM4H2E2Tk0wks7KNm7D+kbmIYz0v3iHuvP1ePAiB0Y+xUwK5I58ZK6vTs\nRxlHiaAROhKVE9XnEEklYT6M3A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUOa/Hr54dB3tVQKgry+Lk+s8dGL4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPs1JnfzEEk5BsyrQJ3OFofDNchkHF2PNMOsozKEZyXW\ndhGJQe90ap8JfUXQ1NUe1uOkIEGyR4sbqVDB2xXD35mjdjB0MB0GA1UdDgQWBBQx\nK7WGC0Iw8uByHmLtucfFptEigTAfBgNVHSMEGDAWgBRK68b5fD8Zt3RYdEXzGb1m\n55Aa4zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgDhQKN+oTTEmMTd9vw+dUb/7Mu7Ny\nnJL6gS8iBShpSFgCIHWXUbivBF3rogmr3Rw6YVdHc/oxgQ48jE4ewbrCYSsq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUdRYvzwi7BtWhH3wVtRJ07OLjhFYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLTHFl3ogCesWYWxGmiBGsH2ZSLpFKHWQrJEvWWVfTNU\nMspqcHBlbXZmw2TTbllxA2bEGgL1sWo5FG7FyBfm+kKjdjB0MB0GA1UdDgQWBBSV\ndgBc1+GjxfG1qIwlLNFnxKeHDzAfBgNVHSMEGDAWgBQLySqHkjxg4/cof/JBCI1h\niMfXXDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgGKnT4XGsb0iOO1whVJow0qhokx6w\nFe5wxVUYZJHJTuUCIAlMyik+L9dGprDWYddL7C1ubc/m9nEiGb0bxxBVK63O\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1325,10 +1325,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKApwFXfPk5zuwYN1Wgvfv4cPsm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfrBBAlECQ9hwOEDQzJ6EUzKf6xnXwJQ7iy30D\nXJIczc7urJyRRwi+Lghm7x/gAxJIXKZ9OsirA6ZgDCknk17po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8MqH64afrGnIivUOSVDH3M0g9KgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOCzQWJpGG+1wDqWCYMw9OsEFr1YuK3nUTwOKsKKoDRxAiADoH2AsfvOa4Ckrh7F\nSRiUtI49qWw7i+f9rHFKQCIspA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT4pRYovW09xf1dUanmBXFX6hy1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhyQJGxbWLkCWPLJwZmfIubq23K2mop4gsrh6G\nS32kA7JxJDmpvn+qcQTsxTUzkRuQMacP0mAmfM7nYlaXoFHvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdgstFkjuZwZ6L8KuMxIQ7bJj8rMwCgYIKoZIzj0EAwIDSAAwRQIh\nAN8wut0vh3m4B0jCcUoI50rUaRXInN35ZIkvMRZ3DV++AiB9+87q5mGW/d8asWNI\nXdW/NRGeTJT9s3ZrUhd7BhGDxA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUPbjWLqWoZDLQLtjnUhJ2IqDe/zYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEZepLnqzdoNFlInZN4dR4P0suhQmLTq72CUFWaiwjQ0\nOebiqi8W7RkjgjfaA62UAydcRw0eiXCUtkjf2aYmea6jcjBwMB0GA1UdDgQWBBSc\npvPvAcEAIlPvSnCoMta9qiR6PDAfBgNVHSMEGDAWgBTwyofrhp+saciK9Q5JUMfc\nzSD0qDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiB7FtouLSaAGldFl72QCVC8vsQxQwmVrqS+\nVjFApIj4IgIgGSxBhWDO1Js5iYPs1wEW1yfIqmWJ1Gz90A/SP1yJ72E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUUzhfhok3Iek0IXnF9NCT0wPu53IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIqPfYQ8s0/Q2j8OmBOiLtaP/LDjRlYlkM+Q1P1uYoVu\nRFf4W9Eh65mZ4xtF5WM8o6a3smrsgjpdrtkneo0AatKjcjBwMB0GA1UdDgQWBBQw\n98RMlzj5R6W9cIGm9iNOl+uw4zAfBgNVHSMEGDAWgBR2Cy0WSO5nBnovwq4zEhDt\nsmPyszAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBBZccHIALHt0itTW3Qb6NqMl4/QMACgvMN\nKiJprwCppQIgVVsUcytK5G8507K8q7Y2zWkHHrgM/pEKBbKyefzyNiI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1346,10 +1346,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJQB8lgmqRNeR6w0qKq7tfPQj6uwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiujw1vuzI9cZc3rs6HZf8xYXhCIKOfBcLVJsu\npuxZRWCtokyAiuM7SxHjqMk3SrxK1Z6mHQW8lHF+FqvP2XXfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV4j6xRTeEwG47RRGujeqZylh3YkwCgYIKoZIzj0EAwIDSQAwRgIh\nAKOn1QVNtgcWa+T/bWDsFUX1EGY5ioAOri15OQl6z5yOAiEAg4sr6g1bnsR2LMz8\n2epb4o8wGX9cve15NYx6PtkOylo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgITGZHvuih+tcv4ZXvTDpJc6i+BzDAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABNzn7XDpEZt+V6aMBMEn8i6XGQl4tsKu88JP5zx5\nBK+aaf3PrvoA6tjyCSM5xEUKB4/oiS8yXwQwkejg3JYb5b2jVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBR3v7l0FDTmfWJgQeCvzmgcn5V8pDAKBggqhkjOPQQDAgNJADBGAiEA\npco50mp3I4FW72XyGyIR4uDiyzexJ2FbZEb4nKWrBNoCIQDOuH/3H704KtI4LuGa\nh81biNz9K9gh5QNLTCfPrpoLTQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUJeMSYnFimf+F7UktLitKJgHAJVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBpVZ6TIUVlk6noCU+xZORyvrxoiJDuuUWnQq0TGzs8\nZkUnZG4q3OIOEXy/qSvkp307XoO3sBgeLp+sRwwBUxujdjB0MB0GA1UdDgQWBBS2\nDcr26UFaMnYiI2m4LUAlN4xf1DAfBgNVHSMEGDAWgBRXiPrFFN4TAbjtFEa6N6pn\nKWHdiTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOd1I6av2jXh3tUnpKvtZ8e9eddY\nN4riE1eYqt/ywPPHAiEAm+UOEmIKulOn+0OlIhShglh6JisjBhE7/jpsmf6sTB0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUDvPkqAzwITJ8SI81rXQ7BDe9BQ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEABMsDuPRErLeoDzufRlY7cZFLGpXo+fQF6Q/ipcNBx\nISEep8NBS7OTGZL9A5+W8EQVSbSINEydwuwgJSsDaX6jdjB0MB0GA1UdDgQWBBSz\nmJBdVNTsCzEJiXQu1m5Pp5owHjAfBgNVHSMEGDAWgBR3v7l0FDTmfWJgQeCvzmgc\nn5V8pDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCNQMmLATY51qBal49z0C+GgBB7wA\nqAAa3QmUNrTWWfcCIQCevF7LWC/csinllkfxMPVvmFizecd/36QRW6Dcl0Z1Iw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdEDS784SEBVAJX1dgdOGL5OenxgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrVDOB5+uqQ1FLuTRhtemOKMjSWsabmSYY85Fq\nxJp0oPRz2IdMlzR+lQfoDkJ+r89PGTR+L87omrwnzuneqamBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUukU8kr7yfgD4Q7yAcOllJQNO+0cwCgYIKoZIzj0EAwIDSAAwRQIh\nAMwL3s3ahksog4nln0X4opoJUqQv/oytp4RpXXtpSUKfAiBGVHcEWwtvN1AI9rqn\neUKrAJdVESpvXiyx9J85Xhisag==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUeV3a2FipB4GngQHlZz5+Q36xGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvHGIjl/sjHB/KArM42Sr8wVPzNZjej5EBa7Xr\nInfcraYzsUrFV0zSMkoZ2oCJAHf+PjYbcnII/jjB1NEdv/l5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAOqr++1rNAwdsbyUF6tTLs1qwbUwCgYIKoZIzj0EAwIDSQAwRgIh\nAIFJ7qYtmEMg4HtXuGUu1mcN7Pm8lJTCytU59laOV9pXAiEAxYzYJLyBkpBrNrZb\nohutEnMy8VxUaCc4uvo3Otn7oLA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUDe+t53RrZPvUHQQezTxy7jArOjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEthguru8K0G77lxkJsRKRNQTnNfYfrjQ0YawtNt3+GB\n5Sgns0X0srld/tZxdWxAkyScZcO0Rinacz2oWFeHn+qjbDBqMB0GA1UdDgQWBBTT\n0lFuEZnBR5VWZgrDxmK72vczYzAfBgNVHSMEGDAWgBS6RTySvvJ+APhDvIBw6WUl\nA077RzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA/EMjYXjwDrxBNsee02UKyHRAuI5n8em6fsTG9Fya\nCjsCIQDbbPmnwzLD9pHXP+98cn2nPSAXhv+hT+dgUKyfoQ2KQg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUdItqWOh0bOn4nJL2bS4dMcC39FAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMJQxwFR+gyGrUOrA2depR0UqVQaqoXEVOSz5ZTxyVLY\nczxezSUkGOxy9ziYj5TTM7TxlqOQZ2TaiOPwCD9+Nx6jbDBqMB0GA1UdDgQWBBTV\n6ZmOa6SKNw/UBr4yxhgdhdMdeDAfBgNVHSMEGDAWgBQA6qv77Ws0DB2xvJQXq1Mu\nzWrBtTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA7qRLmhtREM1a7BpZlsEPdPLwTRSCs2tc6UlLc7zU\n9TYCIQC7WZwh8/E58K04J/PrfTfabgJe2FR9zKVHEsWarvUDeQ==\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUExVnX4T5vve1+0LcLH9ZJ2NK7AIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtzZcxDIkkvw46RNsKc7etyAz2pWyuhMDlovZ2\nkO7uIYNr5+Gn14H6o94q7vF5L8+9FCDbsNEhrrX1IL8V2zwyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq9QweaXn2RKcdr1FqPWYaLcoYhUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMK61tgaXseeSAmchx/nkOXElZU36MD2D0QhpoSREYdOAiEAt+HS53LMiQFlIUK2\nqK3J7vUsDiN2s+9iCmYeuWWYMIM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXaMCpg9dCzpBQg/lCmA9DKgreh4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZ4QYDU6CRnTmDJJwYnC1TPd3LvUkOz2pbwwm5\nda0/DlLgo/LLH5L0EXyrm/XoOgoQtXjjFz3vWUlWrLec7Lx2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy0SC+qAD2EsOEp2KumMS4si9+/wwCgYIKoZIzj0EAwIDSAAwRQIh\nALVUwAyMl1xAtqFv0UGrjWD3Dypy+d6ek7/U1JWVL0NbAiA2w/pkC1Jf8gZyhByh\n5eDraROqumg/4OSt065Av8hV6w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUSzbWDbI0fnAod+ryasW1xnDvWH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLSc3DiRoqdhrrA8l8CUM/3WkZuGTqgNAyz3cYrawfX\n56I7UCDP6KPALqvE06ChUwteQ3/z3OM7kz7Z0SuOIg+jdDByMB0GA1UdDgQWBBQX\nhO0vG/EBl2f363T9dlTOqCydjDAfBgNVHSMEGDAWgBSr1DB5pefZEpx2vUWo9Zho\ntyhiFTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIARaCCOFciQyRZe/FeYMXQHOg5w1Rb0a\nuDolpnTtBRfsAiEAh7Xx1M65WaSIwZU2u/Uys88aXhySX4lN+QJq+GZ3VmI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUKSuL3wPh6kJQDfAMqpiquqOwUvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIiiRWEb+O69EGCUzty60ayVyXKx59hTaG4SqQuXmtUO\niOsJQccmL6mPbyO2MYLI68s5bWcF/3/ljD+YOUyRZcujdDByMB0GA1UdDgQWBBST\nDO8JUa4rQro6MQxFG5CBQ8JtRzAfBgNVHSMEGDAWgBTLRIL6oAPYSw4SnYq6YxLi\nyL37/DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICnTBeVu0//khAqi6Ybu1TqrANYCHWuy\nmvsGJTCc9nxoAiBCI0yJCM+9ScCULzVe+VtPsClxfUw/DP2EcfBBWAEwig==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUM5sqiUD1D8GxrxotXcgnoi65ZPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj7Y+/SdEmw1ZcqYNlf/anog2jpHyA7fH9G6NJ\nQYATmNQvwkmHvwMUl71xWCzqni5iPEpIQBEr2wmau1bxqZWBo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU94mkOhVbUtNYygbx5dmBwoLDLCwwCgYIKoZIzj0EAwIDSQAwRgIh\nAPQAO44yjuLlatMHjMB3vuwvtmjSlTFOYceY7mHpSj+uAiEA7HWGHx9+kFoR3xOS\nSyZN9XYOQWjsvNIHNhQch+jvifM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR16jGIBTnaO+rY4tn04jt1GDaF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbPdCWnP7H/f62BoAOdShQ1tsCn55zI2ICOohe\nDgEAbJz4hSPRv+X+n9IUQv5Am3J3huApcf69XKUKwyhtnRoRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf1Y0+yFfgzcGyZ9PaZFiRahb6g0wCgYIKoZIzj0EAwIDSAAwRQIh\nAID2Y5Y3Idzh9VrzlGAEBrSdlJ7I8aHMNOGkUwRU9PgsAiAKgSQcoxKzZYgGPu0I\noKXRvq/Qzer814GrJmF2WfMJCQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUCkAQ4biaOxFHgwdadW4miIWLQxUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKOw5U7Qo2sbkpfiAtNXt7M3yC5PS7BIqLV44jR6Mwfj\nCs3dAZj8bAhESg+rww7EOmTdLlp3qUhtuZGpkERJeLyjdjB0MB0GA1UdDgQWBBSw\nhTL6mZBcU5Jk0UpLllMpGx0S5zAfBgNVHSMEGDAWgBT3iaQ6FVtS01jKBvHl2YHC\ngsMsLDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKHNbQV+bSbDVWP/CmpUtnF9oLEry\nSEw+y04I6rHpe8wCIGZnW10h80ghWEVZD+QukBq4srMV0bayXcVY8BtYv8vz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUDzrkPu/E3RI/AfH0jj2dbAxQP4AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFGbuBl0ZUMp9nkKoRIP5AqA447ZER4SKHslwHflIfDw\nOwlYdP7Xf5m+IoQTO0KXJfEBqf9F2ZIcC2Y8pFlPftOjdjB0MB0GA1UdDgQWBBTL\naaswN9JY+w07Z0vwQz6VvGUZzjAfBgNVHSMEGDAWgBR/VjT7IV+DNwbJn09pkWJF\nqFvqDTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANrNEhqSp7gfZro8suEXav30kZzz\no9NRWsF52kl2cVz4AiEAguPtSraF2IkyC0OhGyIX7CssFbbIUu2YbLC6de3Nvko=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAn6uCgQHYzhxsr63DNc5hpCsoqUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQN/N+1Knqg75eU+KabMzorMMHjVpeyG1LmYLDJ\n3ISfVw5GEwYRJYHHzdzAT8aDhhFrt488yEG4vT6+qZStDy15o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBagO4nALNX0619rbo+f2e0ceRLIwCgYIKoZIzj0EAwIDRwAwRAIg\nJy53z4yBdHZ2Paz33mBX41rJ8EgHFYDEw2rrtFo01LICIA4Dzka9xzj1nLLtAX/U\nR3J0AtYdmgLMistc7Cx/z69O\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAlO7XHXgJZ78rK/U53TYnUEWzwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBOyS+GMDzswD8q0uURmw8i/h/cfYoNq/Klf4n\nIE8MIwbx7tVHw/y0NJhb5Tt5E+X7zdkGMFL084OZLjv4+Ta3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7yYItYgx81z8b3vVo2CIa3NgZoowCgYIKoZIzj0EAwIDSAAwRQIh\nAO27uJzziA7HoRxf9CA305BQNMO1/oX2ix0gxWKV8l6DAiB3XXNsai+7NzvqVrPz\nmIBW7BSzDmVDSro9wxRa4n8oPg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUP9TqBIUYBz9ZIN+N0KpgqdVgFuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABISCjJq/TAUBlp4wV6Bl4T5XWUEAdQ0TM+Ed77XOQuUr\n5XkCj0dZXVBJe6u+pmM0I10NouOS3eYtL+i1IT1PRCijeDB2MB0GA1UdDgQWBBTQ\nRfKhBN7Q9cro5MAs4DCNpnxrtDAfBgNVHSMEGDAWgBQFqA7icAs1fTrX2tuj5/Z7\nRx5EsjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA47hfPNrPXb/06/LYz9tEKbdi\n2MqtvgvJ/OYlYtwu0A8CIA1EOF48K0LXVFSJeikTBMCfpfIUifpUof2azeo1EHs3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUT3Qapz+cotN499vK9Tft+i87iKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPi2/7KmMbVfd2wOGNb1UV4nmN3kwU2f9dbWJuglXaC5\nhGDcJk0kwCe0If9cliSibvKBn0XeGSuWkkJfvPs5RoqjeDB2MB0GA1UdDgQWBBRw\n7veKgbM/ZOZB19ENLS/jibLbozAfBgNVHSMEGDAWgBTvJgi1iDHzXPxve9WjYIhr\nc2BmijAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzN3DaUPb4G0HlgPpejlMDk2r\ngOoWwmmtpCMbWGWibLYCIQC/IJPxlQnNiAQifOPUmnAgnJF93C6JeJC8wc3ocn5L\n7w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURVW1oBbUz7O+ats8HoRY05qSEDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6iUEKH3wMzX9UwREoikZPbvHQ3WY6T9tlF9Li\nbJRsK6QSM71yj5z85CgYPdsBqLLxL4lW3i8voRUZH3OS8ktCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaUjs4TTJXk/9bmSsKo11mWMIi+8wCgYIKoZIzj0EAwIDSAAwRQIg\nCW7el/56Az8aUEr7Lhiq8p23mZDCySGreISQznaemEwCIQDUF9zUShY7JFZ/8vup\nU7TinYlTAcSJSW+WhN3BrFT5yw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURmeXMELZOCs+Laxqh0CdV5krLbAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZoyL8ifpKSw8wWgFp+5PrCt/MDKqT91LIqNgv\nOKlQBtDlBZ8aTcOTD8PSEUoSULOTuJYzXfsAnPR3CIU0Mg04o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUugVHUJ4NfFDvUduKyULkgY1ISdowCgYIKoZIzj0EAwIDRwAwRAIg\nE9CFQAv47b7Jg80Mj00PuW26R1ACjARNhZyW5Cj/s7sCIG69Gpjfsa1q8Ym2E5yS\n2qpi2dtI3w0MIQ5H3xvV9ztL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZOidngEYjYZ+EIY7nKFTLYRDV+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO47QL8gYrmTu66VjQPks5AXToOGq6NyWAwWTWEp5h1C\nHi1yaCYACxtD/pAi3f9KLAxNtcqQuNKB7OiLsE/wPNajdDByMB0GA1UdDgQWBBT8\n3ndYukAUyUmZJraPR28Sy0y9BzAfBgNVHSMEGDAWgBRpSOzhNMleT/1uZKwqjXWZ\nYwiL7zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC9IjZRxWom74MMbE7iaUsDtt5krW9q\n8eOgoKVlV8VHGgIgPvJ9gzZktWLPGi73GoYBzma09Zg7zOcNbIioBXrYIAY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUKfpcPhg17e3H5bCkvlb6j5/axB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPjbYZWKedDqs78OY29b1rndPvb61jXoaFTfv3PujmYA\nnt7Dabl3pZ9NmuWiZmEBMV1zoMJjeb9yYRqonMUgb5+jdDByMB0GA1UdDgQWBBQY\nyFeJHg+M3jvs+o0jn9fqv64DPTAfBgNVHSMEGDAWgBS6BUdQng18UO9R24rJQuSB\njUhJ2jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDxN0I7GnyyaGsvNicA1rHPhBst9hZp\ng+EV0xDwBKBtzwIhAKss4QC7m96e4YKDUyuCYxCny6kx250e5pHjJTZm4ze8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQN7WnjxInHyNYmBUCaVvdMAR0UEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyCLAkIhYkuPR5JlNSOrjC8EF0AszBKwGK0Kog\nxPQxDn/oy7slzd3KdXT15aZIe9b1a04f1QanEMwAGqz9nYEqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuQIefoTgVfPfdUVXiHJNWUe+y8gwCgYIKoZIzj0EAwIDSAAwRQIh\nALsL81NQuLgfTDsghtRw9Zgmw4clzYcQ/ANkPg4uS0SoAiAGFtvLWh8Caqf/3YgF\nDA1AxmzsYplH/Yvtlv/wykDjjg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfhochA5ynBZl1qfQ4+cQ8MOPpnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvR/Jkr1BA5acKyKaRnenvkjk7X/ytP0a1vF9c\nHOZtqPnoqyCB0Pu3hb3aoY/cxiK4DPRsw6defCi6x5PO6Yelo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHbpNkwYs7/Q6hfA9C92mwA01ZR4wCgYIKoZIzj0EAwIDSAAwRQIh\nAJBzILRKJ1yakoWWsjmOs0AgULr1a9EwoNx1pZ4Hov6DAiAC3onYNzxYkMnho5S9\n8VdKLCqLkZzdS7Z9LBpqfanHrg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUZ6YkMipd1MJmhHWUDOkDqvgYLUowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOwplMgBhP8kBtYtMAEYutuKAimAcb4rQlNbX1+6lvo9\nhhNzBOKRjKiljO3zhIsQ9RkWY4pFWGVs64eqep8qL3OjgYEwfzAdBgNVHQ4EFgQU\n6QQ2Rkc5a3Q+0xpiI62RxGEUFQUwHwYDVR0jBBgwFoAUuQIefoTgVfPfdUVXiHJN\nWUe+y8gwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIvdfr6imho6\nB1aGeXnjCaNWwtzOvQ1MiBdfue9W1qGbAiAnPH4ROavcqNLmhZA1FjPoSC+Pkqz4\nfJzve4rZI8CRCA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUf0VAiNDMgIl/LsmmpYCPI5btmi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPC3BAV647e5bPdTaBwXe45fCTfOkMXraXeaVqi8n5X4\nI9ucP4pK+Tjimh/f3kAdbvXqSrA7aOeduLoR03SzLgWjgYEwfzAdBgNVHQ4EFgQU\nr212L8iin83qQpeuP4GPEXa+RXQwHwYDVR0jBBgwFoAUHbpNkwYs7/Q6hfA9C92m\nwA01ZR4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgFsqH6GydRflJ\ngAsgY269E/xHsNv9wQ9wpi7zAmm9KyUCIQCiJlPubV6OtuGuxLQl6SAJQxKZztaS\nL29ofKNB4v4wgw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1495,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeQt9DsBtrT72prgYDnDjhDDkqVowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQibXuf/9ZsCryimivyen0XmuwOM62ldIXb8eu9\n3GjJQgFaG3e8tL5+RaekMu/M5ObAxs5tpEvOH8FvmQQzLWlEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZrz9AvU1u4GBZXkFxAsqlycSvnMwCgYIKoZIzj0EAwIDSAAwRQIg\nMm1fvoGNTaUn9Meq3XFN3WE3hzbqM9bU4LML0tEkgVoCIQDvf3bOpVXcwX1YOYsU\n9dveKDfWNQc55vTDgGvZxH28hA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbA6A5JT5bG1xdr2Di773oI7BXJgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHTHBXPwcKevE4IxkaSIM5xuyFmKuFS6wdX2YX\ngWywRe8cpVyfekSehQGEpD6nkgq9S8KYnFuK9XZOVvD4rz6no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBDsH1NvBvueSootBeBqetJaHWkowCgYIKoZIzj0EAwIDRwAwRAIg\nSbKiF9X65NRpfiQRjuOuwfiGbxWHpFuwS+xj+wPRZbcCIC1pIEpHXRAH0Gtjx3Jz\nmkgqnPQDWAb7rjcs21WX2uWV\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUKiTiQJyr0OkwbWjkxBI9CRYdUKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBPOXOycg6U4g5c6Ca5nviTECYzqiSZ5jv6/znh44Cp\nnDEeow1p0gAt9FUYfwdZyceT9T0VF+9UAcl8zh6cxPWjdzB1MB0GA1UdDgQWBBS2\nNrP7Rty81Oc99d/LF/ihERFr7jAfBgNVHSMEGDAWgBRmvP0C9TW7gYFleQXECyqX\nJxK+czAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICNyUxb9bdmCXN8Q5LT0M7IY89Jz\ndL3a0CxJzLfDAs25AiApSjeIo+VO5CYblWXjg/UVnFBUTHgPMniWS31boGSkAQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUZtK4Cfe5WZiiRaTRAXH0p2slDtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBShVuUaF6Lbphh9F/qZZK8b4vz23Xx5zBMRj3fNfBWN\nytwHY/QFMeKIh0euZMeRu283KqeT7vSAFhgf2qK+5vqjdzB1MB0GA1UdDgQWBBTV\nfRerD3uMQMFLFG1npyBxIK+yJDAfBgNVHSMEGDAWgBQEOwfU28G+55Kii0F4Gp60\nlodaSjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCG1e5OWU2vr7Ah32PoApPCPQBB\ndwQrMcTH88pqJjkgFQIhAJQw1F2ecx4nhCxq+a0ugUdj3hHtrRsIVTyasSpJc/l4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1516,10 +1516,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKfgRVu61jPjWtZ3jA9xPV8yhXkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEsSeF1BYujoK7aM14U8ue0+nHuRjEXfNyWdVk\ncT9jTmb+U4WeQJO7lT4n04yPJwF0P+TeT59K/lDd1WzHq/t7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU83BI3VMuUVzzUEoPJwKIPayqNeYwCgYIKoZIzj0EAwIDSAAwRQIh\nAMh/ePsmgKFeyFB2gbdgOelwtcbmLQdCHAQPLk5TH2QSAiAzXK+GLTbgVrtUzHhk\nralqR/oQShkErdpeCyCjqhUx0Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWlaarGhkdPU8ag3nASYT+HdyE0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgc44/Tr1oz6VjABas/h18Z49is2BsPyNOFylM\nUFOG2RHnT3ILSPUoybm029vkXMTUzXtiC1pxUHANlA6/9bNDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhX7tpJ9yRijBPjvyzfwx0MnsdrgwCgYIKoZIzj0EAwIDRwAwRAIg\nDGKCQ1Ii7Gkx4lskLkb3rf0Qerb9j11wNG/YMgN1CgUCIBpoktnGYdd9zpllY+uI\n5gVHrIN5oXsVgC3FPV+rFYvD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUYrSnTy6Iii/r2DrUFnVxIUjvW2swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP6dDNoYvmbY+meIHGHk2N21SCDRz9niQOpXpco8Bvg\nbmC0FiboW1cQ/tF6xj0wNU6Eay42DFauBKXvkKPiONmjgYowgYcwHQYDVR0OBBYE\nFFPeYb+ZUIl2+aomX8DnCN/2zpmUMB8GA1UdIwQYMBaAFPNwSN1TLlFc81BKDycC\niD2sqjXmMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDRwAwRAIg\nU0cCX8rTfZrgi62BpsgZkqtb4jqLc/4O7Rp0FrzTszACICLPXXIS9ezsFc2N5OSG\ndH7rpfuspyiE1BNoiXsgWNXY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUDwhhI5PE4fI9qDN9IILEZtGdq5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOPO/fZst8ogPjk8h0sNCPgDzUOI1+tRq3xA4BJCFqBh\nXWsSLhpn4zUZ46+q45ACENJxQJA1H0jp/UsR7qvuGgijgYowgYcwHQYDVR0OBBYE\nFGkzmT9l+0iKm55c1dDaEg0wfycjMB8GA1UdIwQYMBaAFIV+7aSfckYowT478s38\nMdDJ7Ha4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDSAAwRQIg\nA5v8M03WkQefGQfZCmZ6BRRVtzLLQpVSad6QuplBXS8CIQDQyteDlA8LNez8UOL3\nUaXjb+gWQSvoTg5EnPC2wSi6Yw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1539,10 +1539,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUbKqxxBnfCc2DoHAQ+mODbMG17mwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdHKKl2weCzZZcy6rx21mFt6iDswtKbycyzA9U\nswJsnLGsjXKYUaL/ijB3gycaKdZaBMT21ipvcp75ll1P0h+Bo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZUN4/3kTaFcb9HSRq3/TAPDLV3cwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgRrO7ZaRbZ88IqIh4Iyj4e6Ff4iS6zM6uIB7r\npLLjdXQCIQCC9/tyVTRPJC0dCNHRRdL9dct8FOcL82ujgUUYyYmD8g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUZi3vKxwOwuEx9TFGpA77tyurfbYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYObF9/YcXEaxlo0WtoP0bmu1wLnIL7NVk+IP1\n6aQbsDA4OiOsIR1IrmhW/tsyhyGbfy3xFmwNZhiUoXykchUAo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPe4Q80JxOs58u+52n5U/ZIr4bPwwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgP72Kg2qb4pXAReSAXFXX9uzjgsU+sWmOc8ze\nqHRfXegCIEXF9P3xFSGb0RaYAfzEyM1J9Bb+wVAPFPq/JXEXfNLx\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTAhjjpRtsy4oC5AUaoEKxQaW0PMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLIBHIP+OISLE0eh04IkpD3l90Z2kqiwIUF9qpNzIOTd\n0gHhPJdneK45WLPrEdgo2eGXVNbe+EVEM0aIGUt468qjcjBwMB0GA1UdDgQWBBSp\nrmWnsVODj75N2R5Lnrp/EajkajAfBgNVHSMEGDAWgBRlQ3j/eRNoVxv0dJGrf9MA\n8MtXdzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBQZdy3jwJ5/Bq6ZnrKbUMFPXV61sjGCHft\nU4rxssxWeQIhAJ0gPqrQYvOtvGfzdj5NS1LWTwebxZ8CKORwYJJBuwIi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUBZBhGyPEArWSwsAVCmvFNSnDdzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLScJkYbvZHcaqPHikaWc83nAhwrEjhKYNl7QLRzqfRc\njLQVKLgWkLJhWmgLKq2tA/09CMgxc38/+UXhh2yPm7ejcjBwMB0GA1UdDgQWBBRd\nUYKfBN2IiQug4rlsOrq+y0A2ATAfBgNVHSMEGDAWgBQ97hDzQnE6zny77naflT9k\nivhs/DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAo1NNX2HpOfMEhO/bREHp3jg31gcL4Cds\nBHxeop1RLnwCIQD2RX6q7C6kU6fUnI9W7j71cw80/xLNoHb87QpRWXUlpg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUcJWvuhVMGn4bM5toNg4ZpgbtBI4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9UcmLeJZ5whgkaCTd3sYV8n4rQB9s7W+F5h/i\nTg98nH/EIBDhWyEG9jy/gtM4PagB8o+Fetv1jU7Y8IND8UYqo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFNi0YfrhDgTRLolqbshz4BD0pzXEoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTYtGH64Q4E0S6Jam7Ic+AQ9Kc1xDAKBggqhkjOPQQD\nAgNJADBGAiEA28KzXFLPIj+c7fsKNQuhB9ODgcD/tgc3LQLx2b6RJ5ECIQDrO+6j\nyNwNoIbhZsGUhp3ltLjDoONAUgohVL25fBCIew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUZ6jnCH6Rpb4pKjEhupjUKsD35QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcYPlYfgB4uKAsmodhPWD+afTIphboHGegacal\nxJyzPeyVAOOuxx1D+JzkuoT9LATb74syhzTTQa+UATexnWjGo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJu7Y4eqgjw1MviOxprs3DakOfNcoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSbu2OHqoI8NTL4jsaa7Nw2pDnzXDAKBggqhkjOPQQD\nAgNHADBEAiAkBxgazBp2pDkido1Uq1Lv01SN7hNP1/Pmib+/IN/SoQIgAz3gKq/o\n1Evthra1FI250BdRaEANKqFInU+Uz57v8L8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIURkpU6i9hCftduQw5jKkULO+s0iwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHoD7E+4VUSjxZT9WHpa/RklK0v8vQcqtbN7QeFoZv1t\nI6ntAWOsQ86hT90ybXcAsaMy4vhSpSd6Bl9Vv5vBfSqjcjBwMB0GA1UdDgQWBBTq\noY+A+DypYbdlBlGxwTvFSjDRnTAfBgNVHSMEGDAWgBTYtGH64Q4E0S6Jam7Ic+AQ\n9Kc1xDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwzANmqVdLL1+9e2zNlvLpUZYnWkdB+mqT\nEl5xBBjF0QIhALfgWRclGPFgyzZ9a2pTSe9fz8P1+Z1qTPr3/VJwLV9H\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUZQ2GC19d6jQsYa7Gj1fYUjajAjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDJ/VWRDvnfYzviDxvKfenXPaDlNtNfJ95iy2F9wAOmo\nmHboPvr9qdJUqZrSpc+S5y+wc96N9m0LcPK4uX9Nj6KjcjBwMB0GA1UdDgQWBBQq\nQznpsQxyW4k0mDQbvR9QtGGxRTAfBgNVHSMEGDAWgBSbu2OHqoI8NTL4jsaa7Nw2\npDnzXDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6ipspRM/v93G2hHG72M0T0D1kUhWP60D\nUlMyKpEzarACIQDQM3AvtIBgY/dVSwgmZPHeeM9lq3ChC0G79kIsyjQ7mA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUCVRsAvkCgwOatvuWDCe8NY4K7RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXhY430I1fdr5c+/7Q3krMMMYsVjZ0bKWsNGU/\nnL355r05eGPeiXV7hVWzCfs0yi8BQB8Nq6r9JR5gV1idVnqfo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTJwWRZKMrxSX4XTKmiVwVPwNxw+YICBNIwHQYDVR0OBBYEFMnB\nZFkoyvFJfhdMqaJXBU/A3HD5MAoGCCqGSM49BAMCA0cAMEQCIAN10KhJ8Im4L2ND\nQ4/Wd3BZQ0JPBS/vD9mpdJ/c3ub8AiAdPFiVKDkSLCLg3EBPpSMqnfpTH6jL2leH\n7wPbce2uuw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUZcp68bJhtdHPmsXSR+5Y9ey+3WgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC8dISKdPcXX1HnJmOQ4C2/3snvseiQMjjbEBS\nyoFoYnspetsXDbVGp88sC3s248jE+rFP3vh/GX7f+Jw19wSbo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBROFHtkHsclIeKrQkmkOn0M1O3cz4ICBNIwHQYDVR0OBBYEFE4U\ne2QexyUh4qtCSaQ6fQzU7dzPMAoGCCqGSM49BAMCA0gAMEUCIDDx/zKd9EOGVU9v\nQlKUwkf59XLHy4vycD2AUl6vfxaUAiEArH3vMiu+h08MUm4o+E+DjPvzY7Vy/qe/\nnLOPz40jkP8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUArD9b0VXsVa1LpdVAhcEL31i+TMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH+dv7s0VL7PZxIvIHN3orgJffAGkvYBl+GJp2DB5sg8\nLH6iqAXT+U+wf398BYDGFummrbUqibb9JhfLCor1Js+jcjBwMB0GA1UdDgQWBBT3\nhs/1/vpVRGk0KTWcQ+GKSaaAPDAfBgNVHSMEGDAWgBTJwWRZKMrxSX4XTKmiVwVP\nwNxw+TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAir+nsqCzQcdB+NV5+SuqIZEyu8/omN5Z\n9YJvs8+dOE0CIC+Q6yd3FOXcR2PfnM0sHdMFWZ6x764RG+MvgopdCW7J\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSP3vHbmLh8bvwKAHquvS+/GPYTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAj5iDGnce0KQ4SH0z0F5KPmavnUFcloBUgdBxWvpNKk\nFGakAQs6LHZx0KNcbUxidfoQwqv+l9RqBGwfPKZ/oP6jcjBwMB0GA1UdDgQWBBTY\nkMrP2mSu2NjAaMduaRi/oksKkzAfBgNVHSMEGDAWgBROFHtkHsclIeKrQkmkOn0M\n1O3czzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA37k1CLxVU09oZ+z9089EAJ7VXdtz6T6m\nWKXzFwgh71YCIC2UiYjQLL6HioPR4aFK9K8o/SzBNxleMgzVlR8vPAoW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIURb8mt//icF5WuijtDjcboJHbgd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgg2Kl+UvAwBacWe65bvthVk0D1n+9+t4Gs3wX\nsUupFnA44cpdr9dKazECXB4TAUWzUpOUMtOjbmtib+iWT8JPo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFHMO7g8iLkJ4SqGeIcQP4NDJQRFhoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUcw7uDyIuQnhKoZ4hxA/g0MlBEWEwCgYIKoZI\nzj0EAwIDRwAwRAIgRcZOJTLCTTxOpYaJreYjrJOhbkN/Lafta1H4LUIrW4QCIDSf\nLZiRsVAkynfMdIEITFt+E7Y7aVnglNSEE9dsyvA+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUB9pUxkTTb2xzLW04GdbGXoPg/ZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/GtJsjwWRmloQneuvnlft+Ns5qA4UiTt8vYzB\nCzMBfv99gxFfEnaDiG3FtNjGFyFFyj5kuSRh2THqH+xuMU3Co4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFA3wuHSnco6IViSqim68jBVbBVcLoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUDfC4dKdyjohWJKqKbryMFVsFVwswCgYIKoZI\nzj0EAwIDSAAwRQIhANjwhHMO6O9YpvKgZUG2ehEVkg8j+W7D4OVNZQaII3SYAiBJ\nJ3y2hufbVUp/8oBDRrsrbknOcvowc7maMo/nXx9OSg==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUQYCvxJkl+iFumb+V95tL8W0DXjswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuWvnr20jmwEcqhLjfU5c2yEcqY8MZf2KoYuRLtNARn\nON0H0XMIXkZwfBTlcb1jBJ+ozihRGpq64ZA9DU9yICGjcjBwMB0GA1UdDgQWBBRs\ndu9mkslbYG/Tq+lJWFA8AqUExjAfBgNVHSMEGDAWgBRzDu4PIi5CeEqhniHED+DQ\nyUERYTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiA0DM/OSnOb6QvcyX5VKC9HZV/0qsQ+zBpR\nLqjRZsbS/QIgHhfHFqKeHAtw46iZMbxFABVWb7+aD+SClC8W4EGE1rg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUcUjqZbf+K8qpJ6qbDfIYiuuGJNQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLKRalNPWdvTVZ5HT0dsutEgAzR3aQMuY/QeLAO4afSJ\nTAjhnkJJGgRtou9JQXevd8KpRfKF6PLZaCbcK7sFN62jcjBwMB0GA1UdDgQWBBRZ\n8uJyDegvLxn8RDmm8uFnSLCf5DAfBgNVHSMEGDAWgBQN8Lh0p3KOiFYkqopuvIwV\nWwVXCzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAponBQjtPsDHvjdrYm3lUeY6RfEUTt4CY\nZ/NXPBXY7E4CIQDmVDAISWP9WD7VBGmDFo1gzE1HBICUHjsoRYnxj8mCWQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfmo8drjnd1nEJrUIw+1wLNDv0cQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ755idiYAD0Hj/43zUTHh0GMy2R2MW6Prc8QAe\nAtS9aHeLDOuV6ckaA3CZre001Sd7Ms1dXvSfDZO/yGDot4Wwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnLJdxbEQRAFy77HYU5Co5tJaVpowCgYIKoZIzj0EAwIDSQAwRgIh\nAOWARsLC80bB4vgWYwFVLome6z15L6/DJ3NX7JBL0JHmAiEA+uDhN3AuKSXuR1FG\nX/dbqn0Gc6wF1DWTWCZpDFLTH64=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSPwwEOPYxVvbGQPvXWwQOS2wIFowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbHNGc3t7ApYl0rJmYhMrICUhqPuy5zrFY6qr7\nu2t/lCAPhR2acraAQL/gsDs453yv87I/M3f0GJmZM6jC2Sbio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUztHIGhVb7AxTzHQigGTrhjvC0Y0wCgYIKoZIzj0EAwIDRwAwRAIg\ncWGV61BHrUinZxT0E4eM/HiB49vUjRl6C43i9iTCUYgCIAEoZ1r8M1RAjmc13/hF\nLPlThsKM/q0xqPzuNhcTq0Jn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUYZbduBqi3+O9AKgpfFql1Zk1PmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABJumls7E186SIK4Rd6aSTKVp9Vhw1WDUl1xANll3\nPvZitL5eX+w8dSO9dwLfXA1U2jRpTJQ4dJhMNcotfr49+3GjdTBzMB0GA1UdDgQW\nBBRrfRVIpwG1bFM0jqBEP2a+kdhRLDAfBgNVHSMEGDAWgBScsl3FsRBEAXLvsdhT\nkKjm0lpWmjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBPGKLRzd80ow4tzAYdNI+c+rr1\nL0JtnadDjpjG/l4XFgIhAIcHUqBvaw/PB2fw/1WxW4E1qtm8qlKmLY+Zmm/iPS39\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUYI6aan6UOqe1zvFdK69FKBqfJhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABIIJzuzU70FqQNfCUB3xyI8pkQDBr4oxTvP9luji\nr/Khx1jY78ZS60U0MiJonTHZ3dFxVimat3HQ0FxNIFeHlQajdTBzMB0GA1UdDgQW\nBBSkLj5wdHHWvhx4C1L6Pycnq9ahczAfBgNVHSMEGDAWgBTO0cgaFVvsDFPMdCKA\nZOuGO8LRjTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmEI0tE9aVL9AdYRZWJviXVd3\nKUIoriDx0vqYVICakFMCIQDCVYlS73Mw2gjpMnZGaTOK6f+jaWFEqD6rpu6qjN1t\nBQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1646,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUMqBFOMlTXAsYc6KAF8Lwk3noIPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATte2aE+EZRfwUKppA37b/eSCl7MD95TQH+UxeA\nmtRJPvwML8Qkc3JpkG9g6LIzp644j2ahsjqY/22o6pzHob/lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZlUoj7RMxGZTUMuJdZnIAQE+KC4wCgYIKoZIzj0EAwIDRwAwRAIg\nGXDhFb3f02Rt5YBequgp25PD5d4irbTZsuCSfV6MvhUCIH5q/NWz8iBH6dLWhlrK\n8p9g/cxMq+n0Gxv4/4bR/7En\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJsI8QGpf1bnN0SBPOh7EclDXUM8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRzgqaTTSRb+qqdneIPPHst6cmGu+AvY/cR7JT\nwdKClek2HDq/1uU9ko5WRZvUfhG1E7UfOAEAQZXLcyGcEKj3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy24t/M+mTdYmK+p7Du9AlUl422gwCgYIKoZIzj0EAwIDSQAwRgIh\nAKAb+RWVb5kRJqumpIIro4ZaWoEjqmQlBa/Ilofy69RZAiEA1l2p77Vu9Og/5429\nBHFvW5m106gAks4eROB8RqoDYa8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBlzCCATygAwIBAgIUUSoL0RVvGn7UgK8TvlR3DrKbws4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABBmiWPtvZYj9byQR8D3n7NK7Qr5hONJ6u4wzaKqP1LJW\nH1qdcuv7lv2y+pmL0T/0b6NyMHAwHQYDVR0OBBYEFNqHd+Jqkb6ez2EHN5Wq9l1+\nDmkgMB8GA1UdIwQYMBaAFGZVKI+0TMRmU1DLiXWZyAEBPiguMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQC8sd1Yd/6gjomf+8qCCVyRMzcpHS9jFTF/9i9jeM+lkQIhAKJ0sz7J\ndwhXeRdrZ6o/wnRE1Y54meBki0d3mhVHfrbc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBlTCCATygAwIBAgIUWGsaxq88TWrTdySjO9RWr5zEeRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABOTU0l0W6y/+jv1yW3sFT5KV39Blrjb6qiy0LOqLUIdR\nJSNtBFkIgw2tZ4Y5J5gtXqNyMHAwHQYDVR0OBBYEFHMMHt3sJSTSw+FL6Jx8wRXD\nFueHMB8GA1UdIwQYMBaAFMtuLfzPpk3WJivqew7vQJVJeNtoMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIHFSGOXYMmLATKl1uTXxjrFawDlj7ENvelRkiHMz+mprAiB2FQ2HA/bq\ndjYnKkiRwTMp47Re6uzddttY0Uhf9QYfWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1667,10 +1667,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA/kBU3AmVFH0dhoy2vcsUnaHnokwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIkUrz2xLEb8PqG63LYmM+YlDMZVHr4mFOLQp6\njEe+bk/11Jad+9YoKkjNyuVZw2544/XgPAyGYVT5fY6Z356Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEqTOrRCuyC29VARPHALlqeVQNtYwCgYIKoZIzj0EAwIDSAAwRQIh\nAKbhi7FgaDH73RvTvSsbB919hA33gRz+GwHMzwthQ16iAiBgeHPioNFo+KrxfOvn\n3j2Tg5WELCqPbbPNg/1lCVILRA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAckcthZfcP0G+dALTEx/vATPG7owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYevw+X/xO/4goWers8qbhBizTfNz8+3gFVoLV\nJs/20LEmgT3VwQpkReGNKOEkpJR1tFXt6h6wnFdRbiGZ6TBgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVC4iepPreG0FOx+DJcCRjn47JhUwCgYIKoZIzj0EAwIDSAAwRQIg\nV3DokhP/+m4C0+L/A+QWpN9dmXyTmbZMAxY3tD3zttICIQC8dPVuviuaRxBTk4ue\nIMMKy6UlrkIugjR77hUuvA2n8A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFTCCBbygAwIBAgIUZ5IPCHQa4dLqQKrRa6WRPuA/J4owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAoVDZV3r+CjbZsRIry5g33yMtjVRazHbt6Nv8KLRQ4Xvm\nF6G9mwEo8dBpmvugQVle5bX0QEstKDMFYu6gMnOaO/2mOBpQv+cdK9TqMge2uQMC\n1LXNYNPu5042SjsCic+1gY+SPk///F86Q0bEOe5l0bHHWob3YrIRdX5nqejbtr8g\nN/FLvhyU9n6xISHMTsx8QtYpt+tPZA6CWOk3LauQAT5Hpdho6huhPk6GWw0xvOA9\nt7XUAE2np4R9+zhg+wiTEyHYPaWiK2B/tKFIa0cXJIcArQXFttZmCdrLFwN3lvz7\njMaRusL7gW34MW3K6qwO++X9Da12SCVQbbqQvi3B9/XLmYSFrlPxPdP7T3zdlgvB\nKmMoVPWBgRhqwuvf+5GqvLbfcNE7KG2CzanjbjDEeGG5uAeqjjWV+98hl5YIaXJa\nynZ2rtCDyVN9GMDAzvQdqIOpFbzPuO4EEsgNNFmnaGwKKPCd9gcImvZ81G7gugWZ\n1dZSruu3lfc4kidFiF2HAiEA2/ye6cUJgUo9dKOZ/cHL3uZvPSG2Lt8brPwmo/Qa\no2kCggGASCcWHxMkl2m3gTMhf3fjFsBBm+gqBpZN4NFcAcfKnn/9b/2tdqb5MTxa\nEYc2gaPU4etOJtTcm/46f12MSZ8Qkf7QGd5c0dqNjb0EwXl83fmnGz/cpz7NVg6S\niqPlPGj+Ew3ilcmMJKJ84l6xrr9yJ5Trw5Rt5VPgBCxaLKHaLiFegJnslGrDGXII\ncwxdwfw9lvT7zIMocSw7yAEa/3rq5HIla9nK9I63tjeLz8ygoaVUDxGsBs+4RbBk\nrUTbJhBQ6TipyycecoGMQX6NbSGFlmgPWSS7ZMszR3idjCelmJStMMXTWmCTU2Ru\nsNZer4mcw4SyLCmsIzBvi/OmQ/TUy8syRd7u1GeOMT/3VtH4it1rfZVYh1eO2dxl\nV2v12DVW7R5bYIALmpHAvHXOuyt/MlHRJkxBbSFtJs8nXfkbO72Gdf46cTVAp831\nGjkw4Ua/FKM1JH6Xdx5B+gZJYG2OajDWnpN0oTlkbvUjA8gyUaLgvb596BY6jNUj\nV6Mtikj4A4IBhgACggGBAJe1/QfghWWjJ80tlLruz30tUt0ZPc+07S7nQPdqqpls\n0xTnz96omenHk0h4ATOWskr04+2q7mPbPA+6Nt3+k4kayDiFwyrvaCJrvNuBRUwB\nBOA/n4JnrPQv+7uGyDSz4u8QBuM9jQawi+KW5hLFK69g8LmyTYdmBf7Wr6fsvUvg\n2O3EiaSa5paZV4r7x2xzk4enoRITQVF5F1rFaXBz0LcpnLoC/kJ7Tz0nZD4o5FQu\nY4QrYq6oFcqBUaQ/G4FMFDbQSr/Q3VvZpNLxo9JDoRuBkIz3cqkFctSSRyUGQK6P\nwQtrc171FDOK3QCLA4g9x9eZyJydd2zp+f8KU0xVXxM0kgxAG/5sUpGJxwPh78sx\nXv+YFVeqMygm2z1OdVaU9pwCtdakIXOQw7JaPt7YhTGxrCH5hpNeo/dyLblyuGZM\nxyESW+Du3EB7UDCIGu07U7EGmVaDGSgCixDjK8VZvHw6PR1ZqT0fZlEcSxB9LEmE\nPgK+6w5w1i3wIZhdk234U6NyMHAwHQYDVR0OBBYEFG6i2/MgqRGzWedlE1aEcBCb\nncc7MB8GA1UdIwQYMBaAFBKkzq0QrsgtvVQETxwC5anlUDbWMAkGA1UdEwQCMAAw\nCw
YDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIHKL9QES4GJGG5IMTBWFwLm4FsxaaHaHkPZF+fAyxpibAiBYAjmvDi9p\n0QMjhXr3WnwxQeatvji1zvFhxKfKloMZuQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFjCCBbugAwIBAgIUHy1jAlg/aFvRWQao+sSm8LUouvQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAqLJbJAfg3Y9uyT5Z4k5lwJpDl9DO+kZNID1Zjc3AHeBx\nlENQIQbmWkuhRE5t3npCVhWs2/IWs9/WdMSg8qu8BJhHWlWUkt+xEJ/YC2rP3ZRg\nuUprDMXXa9OGVh37dz2SoNQP6O041E6zi9ynNV+QjFahfJC4SELFwe2zES//7Orw\nH6KNpu57VhnsxizaSiOiZWQ2C5hatUSc0Q715JPPyJk/81Wg7dFKWVhu5xJLErBu\njj9Wnen7a0bKKZEthN559Vc9gSJwA2xQC+dH1b16Ti2Z+a2VFtZccLpxA9KtAL1T\nPptOxKwW/6CmgI7Q0txXKOonZM5Iko+paU6Td926C0JnWU1s6qqsxd6nOOCyxojF\n+aBPGfBSUivt+8R8gAaWF8K9US4H0zNz+WTKiIOEKKcjDHwTKYrQvfrKtFi9vI9b\nOPHFseNH//wfjVFWfTFY82GZD5R8BtfcqwILtzt2qdKuIS1dQnqAf5QWeyVu5t8l\nDvDxMb6yD6QAn2rssEYHAiEAmp2P8gyMGKsNSCzkQrUBkHyKifHKsmmVpWSqdUnL\nQq0CggGAfkHDN0R+DAwkV6N2ffmMsyHVbe/8FoRJmvvxLIrq12AzrH3cr+OCbLcQ\n3/TP7TG5Oh8S7CqiY0xpG7Iwj6UtlhYO/rFYreIWC+yxiSO1a6tn0YSxZXPIxoGO\n5cbLjgiqG4Ur3XW29cCSqbBWOM31ROjLNl2caFoeoZ0uflSQl6DlvObXJ3YzEftG\n0+Bqz2Z7z9PiUJfiI0qlhB3x5+tt+hSK2tiGIPMIvDXBga1E5IeuKTDvhKTFB5M+\nFsIkapBlMF1HLgtpxhJOSpIzuc5WaHHkREDuUPo6kaswkWhNrFVeLjX54YqI1K5/\nN33iJsuIgFOpyrCaSrzBm7IwrY2xrhTsmHGhUf/FgYhP3fMbgGiIc8YNCjD03lwB\ndrC4u9T02UQqpItUkQ2c3fVv8TbjEaCgAGV1PBS2n4r4jqJGdk0d8RuTjbVwm6pY\n4Gt5DKfiNEFD143LBSqsjIKJ/8aRWeBv4XgCi79Ku1yGidtHs7z7hcBWTYLcz1Fj\npzAuEO7JA4IBhQACggGAWlQcmTF4PpcWkgY/96f6z50laW4BbgeLh6KjafHmUMYY\nKrKIdeOjmno2bJ0ms5s0SeWfpsk5nx5TbJqU3zSvJUbJFoXu1sIXtbiL7WfQAsP5\nW+vXJWYwFGDKgOFu9nv4hP8znqWCrx/rcbYYNYwxSqxoymb+Oz6d+nAicpAErc97\nz0hRHv8HOOWZhDPgj610U9396nbKdYLunZNVCK+KLO5tnxxxdV1qeQLtXOOsvJjT\nvChYy10WNq1K+w4XcrA6C716NOy3H12rRDITAdDvqhsx9FEf1P9gIDN1153Zso2f\nH3I29PipMPM4o7/UrKd7cJf0x5w/ozXtSXXLJP/DIqr5omfl3oGr/0iLl4CQHC9P\ntyyzYLtx4HFhjg3ugpTATAHxUsZpaYJk19
uu4b32JoVsKRglUwvWtamSE75qPoEQ\nCwXG8NpaG/o3A5/ymL9atmyq66++hYo36qtALSfHtF/H0sjbjqwLoGmYm8jzR1Uj\n3ykfYczTzlPvGka8vsD8o3IwcDAdBgNVHQ4EFgQU3Y+Ky0yqltYwoOWMvZjhlQdI\nx9IwHwYDVR0jBBgwFoAUVC4iepPreG0FOx+DJcCRjn47JhUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALlhjv0T1/ajGYQ14fVLoGZaoZrdaaxUx/dFVQIiIHhNAiEA5ZuGJ9Sh\nZXge8APCJIpiy8zNTp5CrnjdGVVRE6OMAGc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1688,10 +1688,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUH616bZgtdOc+u+q/i41NcTz4crIwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDp1hiZwgIeqoLxLmWGFf36hiPgZ4caKzq4ob9i\nHcnkAsJIV2LxjbCa5FATEYpYaBZGzcTUHTm9s5e2Dqydfesg5In497UbI7p5AqgS\nku/4WqE1ESCWLkd3PWIoP2vLT2mSnIEVgPyUMt1tTNZd/q12zBUb7ffJmrYy2kua\nkrsWHMV2zEalWqow9CN1Efyh7BF+JXdR5JcIOUApp4gdke8x/+u6PmhH8ic8pc6B\nU0a8NTTAYUQhcFuTnx3A/Nr5bC3d4O3YH7wDO72vhXi4wBAFg/m1RruAmkGXQOGr\nXLq0VSaN5MJAIrdrrajs7hIv1XA+vNINpmBl2rFiIpxEtguOnBPCzJ+rCEy1mYy2\nSKL7NF+XOC12156a8wt35dH+cSNd84dBVqFK+ES7SwYR9nEa8Xn5RIHsrn4vGDFh\nQ75kOYneEHUT167yaNp5dhbJpSI+nDnctrw+dXXBdSdfuUkeYW7qpVIjp6K1HsFP\nuYomUK28igOdtA6lgiwjp8Zwc/sCIQCMaFbUNdoESMi3i55+ujTozegPdViF8phU\ngiugRKIQLQKCAYAR3iDf2j1y/CoG9GR2WXvdekJ4E1UGY++PDNg7ZnUA844fWfXz\nQa3JVLrBzdQn68xH37yoxZUwep8ueYQ5Uoe7+0AV6XljC746GG17FxuTI+EnHMq8\nNxyWtXAckH5GFELR3d4UsGmhezrzVk9kmnl0tXGidhtpYm08LrwLDncDuf/JB5mE\n1QLwHmrHTQ7PF0mjm/eSd3yLc02wUIFzhhfQjNqol+X0sCzEZxHhuT2Jz8QufR0g\nvBFWG5a33OdWN3dzS0DIb6ov3ipRpPbHbuUSl1UQOxDn8XT5OaNJUDRlrnT/wXDX\n2cN/W+A5dhjznCA7yVQ2j6ViPra/10h8nBvWPXRt4nDRpyafG1+Dq1sAGjXuLcxY\n5R7u1SkCILDvY+6H0IeXeAxlHL20RPN5TAUEj7WS8Zqm+tB3mtZw1KL6+ejhBPIJ\n1pfbz3eJCegEsQY3Gbyxo5JOwNJV0o/NtxqKgxe6I4Cr0zZreuPhHZfmE3WT83/z\nyhQCQRawM8k7BdADggGFAAKCAYB6WO9CM98r5uV8L9mqYp93Ruaui6dbIEVRdsvN\nIeUo4SJNaserbJoewQUb2lM3lfrtQFJkSaJvfs85MmtW4RwNrertPhYb6+j019Om\nRTWPvWdy4ER5zBF5O01Cgcu5ttoNMDcqpj8V7z0zcUA7Ien8oIdNJGPe9IO5QfrY\n8y0BzFwTco6Wp97voz7QxVhA6xNY/BpJqqh/4xrD7oSDvCLrRA5DYy0M/8n26uLE\nHVmWYbPpcTfBo5eYTLHILA2TmIYNDluezIZGlJVG7ExaMnCHIlcTqUC5bqiAQ3DE\nIDk5t0AC85DXafkzDpw+CNmVGZV0fTe
9We25BpxujRWFjSCRrr9YdUhzVWrkH8J3\n1IB/sTErNPMBfRM+Z6cdnDuSxZTheYYKAGUVp+xrhTg/+kM/7aE0wgaEH8JgYls3\nFOm3wcrHFtI3sy/CGEh7d9ghQsI/Q8zidV4COsajn/0H+V3T8Nh2JGB6wZ43hMzP\n7dXb6P+tLeGf694ddNzOKlbAz4KjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT1gxaIibFZ\nYNXtthELxnWxF/FO3jALBglghkgBZQMEAwIDRwAwRAIgL6ePqHmQ9Y+9oR4aOecX\nQJ97dIhYt06DQC0mNNmLlRwCIADTlOlzYcPmbLsSX4VP/GdolpHk46QU6bQcLECk\njl9f\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUWs+K0WmUrwuDc3AIrDtErr91wSAwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDPSKGjUM+WzoxEHs1Uo34J8TCx4HZJzsXLO2Ft\nZ68fcpsvWjiujGxDoPVo7f5k6/QzKSK8k4eR6doCiIFK1t+KMsbxSbDlHSWLx5Gf\nlY+y4CHbBcMU8bAN3VJvRzaXIOzPOW6bhqYzJweZS0GrXG6oJBA0A/N89E1Fb01A\nNN4TfOo/Upo6C8+CFQXQZGITb6+DUUrOtI9HSXZ+kxEIsIQW3nanKHreIyJQ9R8k\ntaHOaEhlHPAVJb+rtM647prwlZvC/RPB8U+Nu2nNCMPL8rGa4vsYkHBieANzsBBZ\nyt4zLztLSag7FCM1yOT2baRajqhStMj0cIdqbCM5y4a+K22sDC2tTSKQv+nONJSz\nINrO24+nzzpCClb7HbFDrFyeUmavkbKupeaJZ5QfentJaifmne/tCvPOQmU8O48G\nntbgFY74J2uJ8J5GXM8wOvdx9KuTXLzRTQ8y0zS+Jn++B32wIdDO0XuO+HKBjOrU\nc3i8zY4xGUHX2hgG5UQ8iS05Wm8CIQDqBv/5M9LhdikhOylMmJjxClP1PSA+eOxB\n8DCAyvJNqQKCAYEArncmTrWli88gQZsHRGt/fNrltNvUurnT+AfMRfXIB3IqxfGo\n2YSXuLuEnf3/sfvpKtQbwCXgKZqWcXNU2jGjGDOMHjziaR45ClSTUSPng+xiUTXz\nb8xuz0UqcwJYKLON5BtJwDZFjbW8b2YoWx0K4Uasw8k/IcOgmiuBoXtFv2Clpfgf\nrhq9ns5QaPhGk6+y4wTpHvaVBxqkVOy12iiREfAxGMt7XhEVsK8mC8yIcgmYVCCO\n5jb1xEfQGlXXHf4CtVloe7oSssRnLsyAh4Ji487TTa8b1Hb0gjdXpTD9rSdIRcMw\n8Btj5VzAE+xL2azrtO4RqtJfz0FcYo2C49aNl3j3am2yJDlGUouYdUX4Lx7RF//a\n34zx8k+ljNtnHUg4y3yI2uhpEqPwqozOzGCP6eT3NDnDSJTaqlmKgcm6yiLb73Tl\nUyBSagCTYyh3tWGxogilVPfV4N+/39uuEAwMsGWVCT1dTw0PWJ4U5j+dmW+QB7ae\n43o7H2dxIt6inw4+A4IBhgACggGBAMfFoqSgijeYF5fkgljUOO3EaA2AVsoGfobu\n4OTtOi7i5/GOrDNEC1AKnGstVhOwydd2dDELlgXy4O9XV9u8wx6Z9NotBAfH8Yfi\nO6szdxruYIUCBCk1b+DdR4a2bN4vHRHn+4mjz/Hj18z2+4uwmi
2jlNtuix0vQj1d\nHVGfIBQvVRxs0PA/FhCAKY1MET95TAtJ1pvMXRbUdoPJYSqJJq4iX7ggEG3zZXTB\n+nY4Lx8y4dEk2P7z7GlCbkZzY3jb1ttwdMS9NFlJCttZpTbK5XJHYoWkbERxIaZ/\nnOXU9/n7WGrt99bo99s5wI3y9zP0U3CWlR2yRKfCJmhfOoLew5WybRlVape7hLVN\n7NVIIQMQpsZzWCt7Yajei3uumBQov7027C9o6VRBDkgoiPHOg0qpxf8h3EQTV0dJ\nDtncHbpRlZBa6WtcSp/5fUoT0rZENLSaYoh1CRChgNVtCoh+r6YSRmQgb7SUwRFH\niyjJ7fRm3uT0EtIVuLANBpAefBznVKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFNgQMrpp\nNaFG1EmpUdt8PQvfWBd3MAsGCWCGSAFlAwQDAgNIADBFAiBsYj9nWGAf8c4rOh3J\nyfNE7Ct7n8jR4jTGCwCeijwuxgIhAL0ihSIFiB4oVkydeORzW56+Q56J1cA+plct\nYrQFn7XU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUFQZYdBPB5FdM2g4jYNkCrKbqDuYwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQPrSnFgcHvfcYBf7WQCVt/1iyCqJJ79wnXYqob/bQ8\nlbCv6/SoPlE0SwWFhkeb8y2dfH0Cce1+zJwxX19tBzxjo3IwcDAdBgNVHQ4EFgQU\nJ+3pKSIuiYbNMTXWKm7gaoWl+s8wHwYDVR0jBBgwFoAU9YMWiImxWWDV7bYRC8Z1\nsRfxTt4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0cAMEQCIAv8UzkZLITn9r0covz50QaslNTrsR8P\nb8jKfs4hunJuAiA6/X6rL05/zDLKdp2hEhCwcYbh09X6ogESwoEP/cCnww==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUXZeFEgDtWW7/tNmECUi1pvUgz5UwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAARx/Ulf6RS07aJ62JGvM3biVMzj3A+A4LSQSS8uaE9+\nPhC4iR2I8dn5YHiwlzld4asey640Avn4pwnoqAanf6gMo3IwcDAdBgNVHQ4EFgQU\nZdIVcGijiOwhxjUcEeJwEJNxfm8wHwYDVR0jBBgwFoAU2BAyumk1oUbUSalR23w9\nC99YF3cwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0gAMEUCID1d33kFdBy/cs1//+1DiQboZGtqpDrx\nBpUJ8lqTmt3+AiEA1DsqrWSEkDyDcphCTmGMQNSFPUGqLtrkl4GSaD8fH2Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1711,10 +1711,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUes5gJEtH8Zl01CE6Oon9h/9ZbZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrWfdirdPUhy/qRI7DzJ8inaxg+U8BqS19A+86\nIX73K9STJ2Nc7QkXZ9wWNoOXUljHOGt8bx/8yCZrbCl7ihk7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkUHcPcYO3BRKyUrsFgl3O3whu80wCgYIKoZIzj0EAwIDSQAwRgIh\nANbhMw5g8CkzE+4qWqJKP60MuEVHOKpSGTC4E55vOcIwAiEAnJEX9CblXhc0H0k+\nmq76ISTcWhFvEdQZQFYN5eku7Zg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcEfLSmikwOit6p4nljCjW/35T20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7uIL4qmKc1SF292Ky0giY4gMDJ13DLbQFvK+t\n9827zUknEfxSIcftOPrM8Yqx+jyKXTdmpljQjBi3Pwxpsz2so1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1OS54bHEv07GIB1oiSDMmqArcN4wCgYIKoZIzj0EAwIDSQAwRgIh\nAJyhUAdg+edkeQvcI8PWJzle3am2KVK89uydo6QEZnZHAiEAj7oa1mQIS1NE3dpv\nEIwggtFJU9k7Ne9T0kYAoQGrjJY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFjCCBbygAwIBAgIUeh8Ts1RoLwMPlPf1/FPwLde8SzswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA+lG1PNdnN8RZbIqpabtFZYWckhgbdWkHwxBywErAUM6d\n0XRj4jI0pONePwN7usxlVWMK72OPI5nsMEfhRdNLtVQYr4drv4mmyz/+04xpwpVX\n5MMBOtkPeUZZ/d7B6NX9sjPd8TO/zLT9CFOWeQvhYbOBcic8F/GerQ5S4/6+7+tg\n3VZz90PUVccUWHbBMBAUCyCtQQBgHrHdIMgszICxjmwJSvbLNoQDQ+ujb5FbWxuQ\n7n2YKVsaUfUkK9k4bUYMsdIWNdCoEXb3YxYhKb3dw3di6FrP0TPdXO6g5ufozaiX\nbH6tpe0AcEyBdFu8C8UkB2Em1jMSrnBhk8y07sqtdXu+M4mlbyhnNh/ZtF3BxHZd\nDzqF1Hg3KPE5kbuFUltIVLEU666ctH8oO3MH6PU3pp+eZVspwqLDYzrBEhouyfLT\n65Obqgp8Ar+v2KYpHeuSwd2+gtJ57FSB39rsW26DmUWSoozeBqpWmIFSQZIAmbck\nepfSNF1/YNI5nsGWeXpZAiEAqOmwFNuFtjLmkfyi3+mkItHDEawFy33PF0R7nXZz\n0/cCggGBAJxf2N9Jxc1M5pavX6vifdF6VtFpsjpL32zOW8sNPkysgIw0esV9M9OI\nhy0PSG4QH2WkInrfHKlfkHgfJlWm8xhN5dCzJa2Kug/ptLp60/r5UoVJf6lvRc19\na6NoAeDUbfe5qXRXwnNsxHxF7tyahBUfSltlruUaeiXqDdL8HBqqJxz28KrKVXh4\nV11D5S+T90DIB7KyNKbGHbdVdQw2LaCHYZftSHablBn9p+2SODYGVlzZK32qszkJ\nv6g2GrqXQVdHlksdzLRw108m1tRlB3Ug4/RwKZkAme7kSgZRjaXboJ71YiApmJu2\nwkjsYWRZg2iIMuZ+fAVYFPv4yrIZaJ0MKOOcUfrJAk+hqUTZk1o2Dk5mC1SiZSll\niEFQGGYYubGqnb9FWwUouguNMXHBvAUhFTTLPrF5yBNV6Pa8tRl5+r9HqNhF7TWY\nLgOtwYnljBnIlU17FciPWohWMly7jp+kb5ajGEz8o5lXPMpqemDpeJjAOpIFz6C+\n5pn2u/mj/gOCAYUAAoIBgD7q83XbJkByHvpKxo8fN57/6CSmm/66/tKX+Qt4O5BE\nYdFmDMgAkkWa24AsBVAwxPXch38aFio56C95kkAp8TWXl+0CwjVOQsu8BgBlvs6N\nRXn2k6OLgSo/NdJRvEpZMSgFTYTy0eUp77Ks8eH3Msx+j2B3U+9SeSD+AV523IJn\nzzeQ6wwakwi05C6B2FKDdluO8N3qHarJqkWFP5xUONXqYGDHUsZHwkdQUO9/7s8A\nSjvZbs6NR7Av1/VhOtlwwy2dqVO8rA0mtNamn/XpEvP7VfVD5wv+82FLT+JXVI/5\nn2M7Qyq30sqMBIvWK+qlQwG7CPlqNfU92Mm41u8n32Dt+qI5dl7wGqmyReJu3sBW\nGcRECRSxIOCRWsMZQXIpuStWvhKYzA8GbCSPNnAbrpLrK2qtgljf03P6GCJhy8zD\nwvPKDZSIAa7hmhC1p0pp4wdSesRnIRCKMr79IcJFzvvFQSi50VSEJK/Wp8zOTIaL\ngtbzphs1E1nRDBKwAY43WKNyMHAwHQYDVR0OBBYEFG3ZBf57xThUPcIoGISYBBPE\nr5p5MB8GA1UdIwQYMBaAFJFB3D3GDtwUSslK7BYJdzt8IbvNMAkGA1UdEwQCMAAw\nCw
YDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQDleJUVITM+6o02PeoNAK8Sy2As4ntmWuHjDRdHX4xRPAIgY8sPmgTp\nuDZ2sBowYmQnCioXY602hyMwtvl3Zsn2WM4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFTCCBbugAwIBAgIURwgtmQqBg+mq8mzJnNsho5TOc+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA8PhnmpfJW1DjTwmbQYtif3nRUDvWwzhqVnswRN7ig+Oo\nob2OsZpY5jenGHeMKubgbENtLMyif8QJlArrq9SMhSLTU9Pz+dXDZ2WxOSYPZ6Ot\noDffm09hlNtffdDSnkG4D3f6qGSeBJZn+1+AcQcIVhkk2VkEyekY1t37hrS6ov0s\n05j8fp6HewzxWgKDB2aARu2CTemGzQ9W7WHaA6NRaIkhYiO5vVV0uujeqMhNJSzM\nWJ6i1sybhOUq3jygFGoLLZ8a6yivXE9oAEqh5HLrk9R7xPz3IvbuFpprKIrlKNON\nE2bbdxw3+mfeUaXljM+QahJDGPnHbYEfk0DwiBYoj4flA+YEgcUaqcklz2RMgsEp\n9e2D5BnxdIDiDfcibe0eWUgawgRkFYMepZbb+fhItLVgUSUo4ZryvgEOrGZRtAND\n/jblEkMbm9JsYzXMp6Dx0Y5hqGVRXxnPQnO1lkD1Om9Icu3/GKynPSJdLg1cCo2G\nzMc0WFzFUsDqR9YLHykpAiEA8pCDl/X95KLoX/XugRFrCDBIQNZCjYoyzEDnyAJd\nSU0CggGAVBqTaLBlaTAJMCUEIUfJ5RFaCAJvzZ4VYt4N5+eJM/H5wFShDGN+gZ0s\ne2/+IMU4zJBpiEnXJQd9TA7ZYL7YJOmcECc0oBpGCngiP42zDHMbcNnB15WaGFMi\nZ81T0IB4Kit7hfu1zQHuv7OPMRh5Ii1nhX/jwdglMPBoo+QBhIB7WmfaLP7ZzLeN\nkaurGF7OOcM27UFSSpHy5wlDnsnRAGWlNpBRCkhsMy/0Z/9RN95YtiZYc9R0ZyuC\nbFpj85Ghq2IIgfzYxKyP55W7VsR/MJjhBZUUcBeibnPsT1wL8rhEbRwaU22gntCq\n5aae7Cw/hfUGhwZlHyUOhD/ECFXgdKWmWxM/d1D+aXUYj/QviHuRCS44X0l0y0L2\nsZhwk/TdiKJEX2VDW0U4DyN/tjd85Q68wzs+uOwE+9T/X9bcMb1qolcrP3FPoBbv\nQ3jOiNFt9QhWdDsRFgye7WnaPfbHcErC48n+JKG5MKrT1Iigr1EtlDvlXJ+DsY+y\nGabEqGsQA4IBhQACggGAZQ9pIyiaCyoayUe322AMM3nvgB9O9y77ttplFRYhKwjL\nv2Qsb3Eh4PMJvCLMK7SES/SOSDiJablAZe+XLi9xBjf6hBglxbUMVtmhwPEfznJB\nxIkzTYK5IB5i1TmT2VI9bgct2knEgVsgQ+GQ81y9FidceSUDO3sNRAqbhOnaHIrM\nKO5dpxQCwHAZtPJoH7aPYz+M32yEG/53wZshT3d3y82tFxHniKLS0629BgRRbeAt\n+yrfI0fH69lTidCDx9OwRSNXTa5YNn6QeA6alZCcGxeSAOKnzRsZwcY9L5yZwroN\nK3/Vc92TD9HFepqk7Fv7DH/HhJC52qAMzYVRRJwgRZSOR6kFwkrE26xIGuV+ju6V\n04iNrcCIvMSz3kH6K4MzkxHVm7ZAb5silf
mxYn/HOC9S3x8peThUu3jkPrueaXgZ\nMf0gvdiXw+O5zp0W/05Dfq/q6CqhDwAbajey8IaJmbVr6kgKTSeZAq1Sugu6IDw1\ntc5rnr+E1tya5HJKJKQ4o3IwcDAdBgNVHQ4EFgQUy6W6PxZDKUzsU58gXO6ab403\nkCYwHwYDVR0jBBgwFoAU1OS54bHEv07GIB1oiSDMmqArcN4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIMbW5/8hJZCoNJVzEfJKkuErVW7+FfWLWvJrLtfTcKYAiAGpa4v8BKH\nz/mVOrWEZiLlZE/QxEzP/HyqpXxBO0hu8Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1732,10 +1732,31 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKoroliHe9MZaJVs8oy0PMyuSHkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjJxh9Zl/uPmeQDBfVFiXUxxYCDK3FNJBX79hc\nTZb/cKZD1OssYsb+2ov/ccmTdcyM93iCH0HD/XXAZsF+Onmeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUecDYN1XYcYgHJshV0COG5B0Of0wCgYIKoZIzj0EAwIDSAAwRQIh\nAKusOHxo+X9UvFstOpGMEqFqBar6KyFwTlc95KOkUCIFAiBUedL6Q/DaPAY1DuU/\nr6swPV2SY39OIfbSXUmt6mVO5g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIcXi/hXozoZGg9OvKl0m2r56UEowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/CuKKaqW5NYUE22rZCwZdeEfMnOmrd5S5Vt+S\n21WL8b2bxOZlvmEi7Y/DlAu0hDDFI6TRhZ/BzJsZdUh8SBT1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAZlD/hKCfiUoR5uKWdbUSJk+o/8wCgYIKoZIzj0EAwIDSAAwRQIg\nL+P3IO44+miC4JENtAHnmzllwk++FbolkEcpstXgbqICIQDr/COcFvxnDx+OxlVU\n9yNOl+F/K/gdVyZfjdfY/5btyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUJnd3Sa98HUWXfu4m0XfuoW/xYzcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL4WKrs3SxxjWpZlb28z8pAi0QFyCyNb4L6MHYF6J9xG\na35kxHKHDytx34oee7k2TrmtBqmsu3xhPOesdOEjwdWjWjBYMB0GA1UdDgQWBBR3\nmkx4M0NLv1LIHYlMsIZLfoKSHjAfBgNVHSMEGDAWgBRR5wNg3VdhxiAcmyFXQI4b\nkHQ5/TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNJADBGAiEA\n1fHp4l2UYp1r2vHGJmTlVpsWHDoY3WJmr7/6BUp5K6kCIQCtvnv0STxvrl1UGaNK\nygEbPm+3n5oXac9qqctaUHAvmg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUO9/oYkmEpZpTYX3ISa1Bk3e6vZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLAAvUJ4QzejyUqhEkdGaFaH5p+m4ZHyc2wuOSGvke7\navUltWzHXIM8J8tJcZeESs0nZ/4/Fh4BaQQ1AOCbI7mjWjBYMB0GA1UdDgQWBBT1\nvwUqIgbZ5xdbOa0M74tY3i3eGzAfBgNVHSMEGDAWgBQBmUP+EoJ+JShHm4pZ1tRI\nmT6j/zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiBS\nw+U3tV+vla37Ln6HNcLhgMwkUlNS8kJzkh6SXiy9QAIhAKJfjMWuqq/fxX1gLWcb\nmI6GAGRCoxDMvLAvN7Su8J2j\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "webpki::v1-cert", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). 
This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUf9XytbKSKI/9gOdOGihaw7d0DbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgfaWBUnSCJEAOAYtAND9PxSq9n59PeKyz9wSB\nKjhZtfa4rs+iyUKNWtcfKcoN4UBMOZkQTMlgU/c9Fj6f8Xs9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXPWXCBb049WAyLV7JdFEGDfUheQwCgYIKoZIzj0EAwIDRwAwRAIg\nZYEIL/4jjWuViSjaQQbBfoxM+PgxTlNCgzEwOrw60r4CIFjWcJ6nLc+H3/7/HPs4\nzWxN1XXVFtJqiF6tft5+0uMI\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBKzCB0wIUDxQGKSrTYDpzckiZhAUe26dEs2QwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABGdtmfFX4DEDysxG2a46RirMzczh1KyikYPACXvQeazmgASlZJ94\nNjSThtdJ1Uw0dx9zRrwrH+qjXvIPreGDxm4wCgYIKoZIzj0EAwIDRwAwRAIge8Zc\n+/ZXwnKVi8cbBAdbOsz24BPlvkaNp6aFw+v78skCICdAgZv/C3ZdA5AL31odZ6Vt\nimUXTLQhbfQN83HZdPAY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From a9a380fb9c1abd510d439b5152ccf0f9745de734 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 19:42:11 -0400 Subject: [PATCH 040/155] validation: put EKU handling under ext handling Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 18 +++++++++- .../src/policy/mod.rs | 36 ++++--------------- 2 files changed, 24 insertions(+), 30 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 1d378f8e2654..6433e9a4b386 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs 
+++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -174,7 +174,7 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, Extension, SubjectAlternativeName}, + extensions::{BasicConstraints, ExtendedKeyUsage, Extension, SubjectAlternativeName}, }; use crate::{ @@ -223,6 +223,20 @@ pub(crate) mod ee { false => Err(PolicyError::Other("EE cert has no matching SAN")), } } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), PolicyError> { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + if ekus.any(|eku| eku == policy.extended_key_usage) { + Ok(()) + } else { + Err(PolicyError::Other("required EKU not found")) + } + } } pub(crate) mod ca { @@ -301,6 +315,8 @@ pub(crate) mod ca { Ok(()) } + + // TODO: Validate EKUs for non-root CAs as well. } pub(crate) mod common { diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 3f5eb7c94c72..3f1f1b4d813e 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -16,8 +16,7 @@ use cryptography_x509::common::{ PSS_SHA512_MASK_GEN_ALG, }; use cryptography_x509::extensions::{ - BasicConstraints, DuplicateExtensionsError, ExtendedKeyUsage, Extension, KeyUsage, - SubjectAlternativeName, + BasicConstraints, DuplicateExtensionsError, KeyUsage, SubjectAlternativeName, }; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ @@ -348,6 +347,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), // 5280 4.2.1.10: Name Constraints ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), + // CA/B 7.1.2.7.10 Subscriber Certificate Extended Key Usage + ExtensionPolicy::present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(ee::extended_key_usage), + ), ]), } } 
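Review bot: `ee::extended_key_usage`, added in the `@@ -223,6 +223,20 @@` hunk, has no doc comment, and its contract differs from the `permits_eku` helper this commit removes. It runs only on an extension that is present and accepts only an exact match against `policy.extended_key_usage`. I would add `/// Accepts the EE certificate only if its EKU extension lists the policy's required EKU.` and `/// No listed value acts as a wildcard; a missing extension is not decided here.` above the function. Together with the `ExtensionPolicy::present(EXTENDED_KEY_USAGE_OID, Criticality::NonCritical, ...)` entry added in policy/mod.rs, an EE certificate without an EKU extension, which `permits_eku` accepted, presumably fails now, and the commit description should say so. `mod ee` starts and ends outside the hunk.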
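Review bot: The `// TODO: Validate EKUs for non-root CAs as well.` added to `mod ca` in the `@@ -301,6 +315,8 @@` hunk appears to leave CA certificates with no EKU check. The policy/mod.rs hunk at `-498,11` deletes the `permits_eku` call that sat under the comment "CA certificates must also adhere to the expected EKU". Before this commit, an intermediate whose EKU extension omitted the policy's EKU was rejected. Unless the CA extension policy list (not visible here) carries an EKU entry, such an intermediate now passes for that usage. Until a CA-side EKU validator exists, I would keep `permits_eku` and the line `self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?;` in the CA path.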
@@ -447,24 +452,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Ok(()) } - fn permits_eku(&self, eku_ext: Option>) -> Result<(), PolicyError> { - if let Some(ext) = eku_ext { - let mut ekus: ExtendedKeyUsage<'_> = ext.value()?; - - if ekus.any(|eku| eku == self.extended_key_usage) { - Ok(()) - } else { - Err(PolicyError::Other("required EKU not found")) - } - } else { - // If our cert doesn't specify an EKU, then we have nothing to check. - // This is consistent with the CA/B BRs: a root CA MUST NOT contain - // an EKU extension. - // See: CA/B Baseline Requirements v2.0.0: 7.1.2.1.2 - Ok(()) - } - } - /// Checks whether the given "leaf" certificate is compatible with this policy. /// /// A "leaf" certificate is just the certificate in the leaf position during @@ -498,11 +485,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ext_policy.permits(self, cert, &extensions)?; } - // CA certificates must also adhere to the expected EKU. - self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?; - - // TODO: Policy-level checks for EKUs, algorthms, etc. - Ok(()) } @@ -515,10 +497,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ext_policy.permits(self, cert, &extensions)?; } - self.permits_eku(extensions.get_extension(&EXTENDED_KEY_USAGE_OID))?; - - // TODO: Policy-level checks here for KUs, etc. - Ok(()) } From a9d8dc95c3d3455f96dee51431d8b789fea5b66d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 19:42:33 -0400 Subject: [PATCH 041/155] tests, vectors: bump limbo Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 18 +- vectors/cryptography_vectors/x509/limbo.json | 412 +++++++++++-------- 2 files changed, 238 insertions(+), 192 deletions(-) diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index a7f47726532b..0d4436afcde6 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py 
@@ -8,16 +8,13 @@ from functools import lru_cache from ipaddress import IPv4Address +import cryptography_vectors import pytest -import cryptography_vectors from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import ( - PolicyBuilder, - Store, -) +from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert @@ -43,8 +40,9 @@ def _get_limbo_peer(expected_peer, testcase_id): "pedantic-public-suffix-wildcard", # TODO: We don't support Distinguished Name Constraints yet. "name-constraint-dn", - # TODO: We don't support Extended Key Usage yet. - "eku", + # Our support for custom EKUs is limited, and we (like most impls.) don't + # handle all EKU conditions under CABF. + "pedantic-webpki-eku", } @@ -61,9 +59,9 @@ def _limbo_testcase(testcase): assert ( testcase["signature_algorithms"] is None ), f"{testcase_id}: signature_algorithms not supported yet" - assert ( - testcase["extended_key_usage"] is None - ), f"{testcase_id}: extended_key_usage not supported yet" + assert testcase["extended_key_usage"] is None or testcase[ + "extended_key_usage" + ] == ["serverAuth"], f"{testcase_id}: extended_key_usage not supported yet" assert ( testcase["expected_peer_names"] is None ), f"{testcase_id}: expected_peer_names not supported yet" diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 26dd8bc91b17..1a1664c4a427 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
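Review bot: The rewritten assertion in the `@@ -61,9 +59,9 @@` hunk still fails with "extended_key_usage not supported yet" although `["serverAuth"]` is now accepted, so a failure on any other value reads as if EKU were unsupported altogether. I would change the message to `f"{testcase_id}: only the serverAuth extended_key_usage is supported"`. The visible lines do not show the testcase's EKU being passed to the policy, so the test appears to rely on the builder's default matching serverAuth, and a one-line comment saying so would help. `_limbo_testcase` continues outside the hunk.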
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ+PgphO0JDxSBe4QTV4kHZGQXMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATergOakVpDefnRpYDvBUCYYHzJSoen5QsAbdl0\nRY0a4tCuE2hsEfhx/6XoKotorSy3FYJ9WQ2trYQVkFoOagK/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzllxvBM+5GnpcDNe0aEqHB1flCgwCgYIKoZIzj0EAwIDSAAwRQIg\nUHQjqIkg4uA+1/H7snUwLaaww90GtJtBBRPveT9iuwoCIQCQm9CAu3pO+oZjCHqE\niJCTiujEP/XQNg1HKmJZjuRQxw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUICV+r4qi4PYxZGoXPeC0opkfBuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSelDwaFVo4ldXqZmYRUXMI3XnFxLeWvuZCnVm\nsOKljlo1jAWToBMLOacUVvJszYMF2BiMROCRH6B8iQAK+addo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYj0AsdK/HpnI3YlTpgUklZOUpLAwCgYIKoZIzj0EAwIDRwAwRAIg\nGvYOpiyIEun0N9y+F/x6IhhSQyvH3TfUctk1rXv+Ah0CIC7Y2oCbQ/BjTD7UNYUc\nrfyJijUBFJoCtXCdf6yIJoWq\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDCMe1OH4M6tS4xQcBqSRJepmzzowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDA1NzQwOTg0ODIzODYzNDM4Mzcz\nNjkyODI2MDYwMzI1MjIwMjMzNjkzMjY5NjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC+mBR4lKM4nTwWa3JTTZ0DKdfGIlMzZb73CtcX0q8IxWljp9RgdjS94Vkp4cCE+\nH0VCgqJJp9gKMO/Z5vuoLnWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM5ZcbwT\nPuRp6XAzXtGhKhwdX5QoMB0GA1UdDgQWBBRcG3anmvUSfkB9U7iFrG7EvwQ6czAK\nBggqhkjOPQQDAgNJADBGAiEAtBIGYcacmp3MZde77MSc2yB1dir0/FiENSCesOVP\nPJICIQCTIZ8FA5s2vdQsxDZ9pNZl98HY2rOuRcqq7x/52RB4pA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUIVqUt9tRo8hkd37Uu7OndBAzMh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODM1MjM4NjgxMjA0MjkyODkwNjE1\nNzIzOTQ0NTAwNTQ3NDQ4MzE5NDAyOTg0NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGQd0mnX3Wzw3NRzYgxsHAtb2CP5FfeYbLavqJk2sQt8abaUhFpUBOt/5XoDAkvi\ngiQQyr1GB2Jz60xBZbJmpuejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGI9ALHS\nvx6ZyN2JU6YFJJWTlKSwMB0GA1UdDgQWBBRu1qCnUJ27U2WNNZcSC1SQzpLf7jAK\nBggqhkjOPQQDAgNHADBEAiAx54+G82D7UgAdznyJ5psiLl7Q1YdFzMvLw3LwQUGZ\nJAIgSeeIf218A7KJ+MZajDaZS/2pfaQE/Xxzkcj+hLJH0xA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUKQHU7vhRwBrMwH32lTytEREyUg0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwNTc0MDk4NDgyMzg2MzQzODM3MzY5MjgyNjA2MDMyNTIy\nMDIzMzY5MzI2OTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtASX\nhYpi9et9v0UKNsSoVieajAlGh8Hm8uN58jnLbOGozC7A3BuJL+wv/gwRKDT6Dmv0\nXWwLWWtJK4w9FmfWx6NyMHAwHQYDVR0OBBYEFF6Dkkqucoe6cqidu2lXZUwuEBKg\nMB8GA1UdIwQYMBaAFFwbdqea9RJ+QH1TuIWsbsS/BDpzMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDOuNPCGBQZZC+idjKBebVQS73VTnX3B4mM1DvuARS0NQIgNeKontUZRI+n\nwuc7tzGbd8DcrUm1u3UeOOcNU0eEF7c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUc+XrzjNiGrRL0PpnfE59z1fYdeYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgzNTIzODY4MTIwNDI5Mjg5MDYxNTcyMzk0NDUwMDU0NzQ0\nODMxOTQwMjk4NDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqjlM\nXkPQr+8uCQ9H7lE7+GUj0MJFubE02FuyBa6zDtzBIQJ7HTWwG80//qBRcpJb+3yE\nLjypaSo5kXDBC6oV3qOBiDCBhTAdBgNVHQ4EFgQUZURmtBbGvSzk9tQcFWcXvYUS\nthIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRu1qCnUJ27U2WNNZcSC1SQzpLf7jAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAO0jrZEf1kLg8nFvLrB3Fkx5Tjy0\n3jyB/gNLmS4euODHAiEA1VCAUSZc7Z3luUy1bzB25Zw/Wivp+6FgJQePKL5FkE4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT9QGKOQEa0VHgbksbTQZSVhmCe0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKew3JHcHTuLWK8foeT3FrVUXmiaISFX7e0znh\nSPKmQjPKAUKpHGTsDLuDt7SmFiOUV+GI6QVNRE8eDjEB3OQyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh7kKdJ0DZJRi+5dbPiVbgvh291UwCgYIKoZIzj0EAwIDSQAwRgIh\nAMQ+MDqiBAXh1Eo1J7fDcLbKrSo13l9KDF3Em7Di4c7FAiEAl6DrH8JGG7E6ApjC\n9YLGxCSIIBiMJCYiY8onOlut/Rg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUer9iOYRFrNKEdcTqOv29FUJXLF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwSCSiC7Zr1uKmLUKjFQG807Rej4r+xSS3avVw\nH4yD2sMaFHDZ5yvyaP4ugjRKFtal7DziJRkR6LChiOQr40t8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9eaKTDsdqSSwIyR/bXKyyU8vigAwCgYIKoZIzj0EAwIDRwAwRAIg\nfJwhVJwbfVfN7uJC9JkUP5cgDwFM+2gtRNOhyxpUs1cCIA+I9O2cZ/EMKiQTcH8x\nl5/gmfOmhK7pj+Nw8B0wWfmU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPgU154etPVyb9Kp5/Qf+tQwmAi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NTU3Mzg1NjU0NjUyNjkwMDk4NTI1\nMzgzODEwMjkxNTA4MTU2NjQ4ODM1MDE1NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLV3QfDfRGIIIzbzog2YYhSLNvNbCw2KtZQHVz/UHAvdwGorrKwlL6DeMoiwjZm6\no57fBt5xUUwHj3o7+3FmjlOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIe5CnSd\nA2SUYvuXWz4lW4L4dvdVMB0GA1UdDgQWBBQXvJqyr0HOnpAP+3x+mBQSqGg/oDAK\nBggqhkjOPQQDAgNIADBFAiEAvwFJWPGVI/dQJaIRxhozHcMds6yQiXw/DPRu3FpM\nBe4CIGaEDytlMtuOu2hISYaiLLLMD9DV+lqLMGPRr/dwjfME\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUH82MYurVO3Oh85MxZmuX1E7lSGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3MDA3NjQ4NzI5NDkzNjM4NjcxNTQz\nNDg4MTE3NzAzNjAyNjMwOTUxOTMzODE5ODExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCNspPigivbJH8NIsh+MAiJUuCEKNXRvDZ1ZGXlWxzWEWMagleYXFQpWPVebkP5M\nT/fdnMIO6O8CZV+ilU7oDWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPXmikw7\nHakksCMkf21ysslPL4oAMB0GA1UdDgQWBBSY0Af5WK8l+6XJZLVgP9bvP1Z36DAK\nBggqhkjOPQQDAgNIADBFAiEAvy+TbLMnM6fo5LSl2eoQ/oc2+oJCc8sYPItcQJ8T\nCNoCIFT57OavgRiFywKJG81CzI9VTU1W8tBMVMmkNroUx7ni\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUDh5r5gGJ/xrHX+eZn4BElgn3rPwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU1NzM4NTY1NDY1MjY5MDA5ODUyNTM4MzgxMDI5MTUwODE1\nNjY0ODgzNTAxNTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqYm5\nyAltJPNtUzTOLNAE3nI+ZvAtu1Z54rfuKEAoeiFSPFoQyAHEF9k1UdN0fIlZaThh\nihDCX88QutvSLOvP8KNyMHAwHQYDVR0OBBYEFFAarM1zyQ69vftQRBJ41QEJjV+b\nMB8GA1UdIwQYMBaAFBe8mrKvQc6ekA/7fH6YFBKoaD+gMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCl1HRBraEY0xFw/do2AcNUhUQv+fnUdbaWkiMJGvq1SAIhAJ5xhUHLkp26\nnTmY2uhR5y/ZTnRF+KPLV9OHNGS8xWq7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUPykfFVV+roTsW/2vQbjKTJWYJukwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzAwNzY0ODcyOTQ5MzYzODY3MTU0MzQ4ODExNzcwMzYwMjYz\nMDk1MTkzMzgxOTgxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOa5F\nyhujvcwixkeC8A54qeMcOK02dZcPbakdfiofW+J61I/OgdoitAgeAhftUtF/ab7A\nQcSd0gTaYma8c/6t5aOBiDCBhTAdBgNVHQ4EFgQUs6ZqZ9m9el+DWZm3S3DJ5rd8\nyf0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSY0Af5WK8l+6XJZLVgP9bvP1Z36DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXza40v2MHRNaMgPkojENXt6wGcjo\nU8atnhkdIZdx9lcCIQCmr5eQf/mlmwJ1qho+o+PVoggSr5Ifh4aJ/YCOU1g1NA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbdwfKGsLNqad1hIa/zJSaat1ezAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7oTXS2RbtiAZpXY+EI3GOJiRVpxBNPxkPtKgs\nx/+1kUVKxuTUdoXqfLNLtOqKK7mV9XvYlefdCHRwA7Bjnm6Jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKLNp097+JBI/PasWq7xAxN85Vb8wCgYIKoZIzj0EAwIDSQAwRgIh\nAOtk5odLU35ZI6MyWjCSfF94Mla2wTqDbWuG2YRRjcorAiEA13KHgSNt8PTeoYpK\n61VjgUGA2A0+1SzKi7EezPDRb8s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULnwNyshQTGpGhcaLiEbjQhSl4rswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbXl6rsDmX0K9XwoT8gfdzogwYBDPztNr1ypni\nFwSEYg6lfrX43Mi//z1UE7TsEh/j8bgBoLMzgOnRSF/ySzXHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhIrYuRu64yI5Ogj9yujoGn4sgeswCgYIKoZIzj0EAwIDSAAwRQIh\nANLREAWnb40rVVGu5CJpACyujru6Nz51WL7pXbUTLOdAAiBMlWiPJQzH5TkpV2pR\nuRovZpGB/zG+qpUKizSdzZUhuQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUNdc5fNNBzJJvkniBzBzb2BVLCBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjcxODg4NzIxOTc5MTk0MjU5MDMw\nMDY1MjI4MDY0ODUxMTQyMTI0ODAwMjMzNDQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJVHb+RAv8mHQzdrpzB1xiocjn4powCZuhLwlkwd+BmTCNOiDLC9bvHqlFS1T+rL\nTIHJD4zE7U6qvaio5UKFd1CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCizadPe\n/iQSPz2rFqu8QMTfOVW/MB0GA1UdDgQWBBQeVhIwvWGvBBdSJi97ycJQ07LJ3DAK\nBggqhkjOPQQDAgNIADBFAiAyKONOAiR3X4RyZ6POYYXkGFO48G/MiSRuXS+108SM\nnAIhAIpO3opCB7HdQC1y6XRJ5xUsHGSJJhP7k+E7qwtb941g\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUVZx4AZBhC7mD5npFYi7/diN+H0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjUzODAwNjkzMjU1MzIxNzkwODU4\nNTc4MTM0MTA4NzkzMTM1Njg5NDg2NzUyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIqlSWVknuZruJP/dGyWClDaRm0z1c5G13yocB0PwVw7sTgm+PgPU5IsTuq72Ghs\nDfniGmgdJ4+M/irHpNqbgV+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFISK2Lkb\nuuMiOToI/cro6Bp+LIHrMB0GA1UdDgQWBBRqor5b7i1hReFVXy39eYhKA0tueDAK\nBggqhkjOPQQDAgNIADBFAiAoBVCK340NHLOyPmDMHjVxN1Gz8+NU6oQpSfi/mgnW\nVAIhAIzMV55EMKeMVFIFMJ7cnwUuoVuouRhyGWBs9w+PoEpB\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUfpcorFKUu+Ufyp6d1zJQqyhsHkIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjI3MTg4ODcyMTk3OTE5NDI1OTAzMDA2NTIyODA2NDg1MTE0\nMjEyNDgwMDIzMzQ0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfZ2\nfxwwmhCRqq+AslJMX5iAUC6UvTpPvfPWSXJbbeHySBOvZRTGkDzZcTTyfZmSua+n\n8lA2Ezxvu1fCYH7YNqNyMHAwHQYDVR0OBBYEFLeJObypBSv3owZiFIkHWz3RQkiQ\nMB8GA1UdIwQYMBaAFB5WEjC9Ya8EF1ImL3vJwlDTssncMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIDjzN1m1xMfi0TQ4Uqa4QQwOAmhCYuaP4Apvvg9YYFmOAiAkts3t+zd4d93p\nkJVBU42qdqVt6QxU6ehvUkfT8L3Y/Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUSYcVgTh/3np6WaIPsf5NwXz66wcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY1MzgwMDY5MzI1NTMyMTc5MDg1ODU3ODEzNDEwODc5MzEz\nNTY4OTQ4Njc1MjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpF7L\nPfbD6dmKnNAKD30U6nWOhzftxwTgbpicmG01irreCOVQX55LjznO+rIAVKmTwP+P\ndNFeF2Y09hcZz3+BTqOBiDCBhTAdBgNVHQ4EFgQU+4pI1RXRgeEBy111gtNxwKI6\nkGEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRqor5b7i1hReFVXy39eYhKA0tueDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgX+7m2ZGZxkmkG9cW4gDQ3YBtY/lz\nk4DlfVv9i0KcjFYCIDNblgI27lQEiAc9dL/pD5W01SxZRAOKxXdNkPVNhmzS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQu+WfM66O4HXyZpyUSBG/EYCCo8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvSCE9aDnGtwvfTV1H4Qq8BIkbpm19N5F9LxN2\nfaKw/GGM5/aEKPbxHy/nzyd5ZVIaMuYoWu4Vsx5CoEr3GK/vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvl42rvpBbjxq9hEGBjgsIc97OhswCgYIKoZIzj0EAwIDSAAwRQIh\nANot23b62xYFqwi7a3yMPzPxeRSB4YPIzc6/WBmNzrcKAiBFxznPaNrvjYUAL0JH\noOjVh3NS+YLITJc3jMFbp7QXgA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP1JM4mPdm/i259MifZP9kn6T/6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpENx9qm+C1EAufWup9stTE5+Gp02HHyXxjm+d\nHMOMRdqzN79Ttc8QsBHgs4rpKq/659h6Vfy216hhw9xvsHkLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVeSgVvypVQW79WcLlplvA7w0IGEwCgYIKoZIzj0EAwIDRwAwRAIg\nLiSVDQzV+vL/SnqAKkKJYw/lP9iDr5CFLRI3mBoadVQCIACmWKCr9hX5BWVmOOc8\nUwkz0+mWQzdvcMd4Ip1fjfV5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFWqfPu+mY1v+4ym+y4fKue9VkxAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODIxMzYzNzgyODk1MTM0MzEwNjAz\nNDM3MjM3NDU0OTY1MzE5NjczNzY3NTUzNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLJE5RM62L+ARTBUGYb7EN1wkXFELdiR+PItrlGq9Vh3Pw1zQOKZwfwmEi3Pczuh\njLT6rP8/yqomwcTRF1nJq8ijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL5eNq76\nQW48avYRBgY4LCHPezobMB0GA1UdDgQWBBTQmJkt8qV105QfHxLyX8QMFgAztDAK\nBggqhkjOPQQDAgNIADBFAiEAiKA/QvVbLzrFN8yBDOjDxmLKGtlWKgL53jG459IQ\nfb4CICyYYDeRLgVjhrTZ4E3V7KfBt8yODjjItR5eQCFEqr1h\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUaQgw0BMyXffZc4tEVHz/0mhlUAUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNjE1MDE3NzcyMzg0NzEzNzE3MDIy\nNTQxNDc5MTU4ODg4MDY0ODM3MjE0NTM0NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdea4flMjdgPI+D8bTC+REM34M1oCXd0T40rhnyq9Py1Ees3e4y9WH42cliyWLt\nGHDmPBbTyzyEiohPyUdcFPKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFXkoFb8\nqVUFu/VnC5aZbwO8NCBhMB0GA1UdDgQWBBR34m+23b2+LVV+8qY9B5zbO5jNgTAK\nBggqhkjOPQQDAgNIADBFAiAD7/VsyudjlDsnEHYsFfk8YOnDHqKqT5f3dN3+y89+\ntAIhALa2vsr4CxEUMqAJKOZMBOH9PD4j33CkjlsjYaZrC1S5\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUeqc3MCVO9PQGKVV+dhBbewpgfDQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgyMTM2Mzc4Mjg5NTEzNDMxMDYwMzQzNzIzNzQ1NDk2NTMx\nOTY3Mzc2NzU1MzQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEyMjI2NjU1NzQ0Nzg2NDIwMjU1NzYwOTM5NjYxNTkyNDc3NjM3NzIz\nMjIzMzIzMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzXL+TcVdatZxZknjDs/9Eb9O\n2SiMwViokEcRp5sp72SOg16QWY2bq+A1DDrSBJlYA+0oJug4YlrxpknXCG+326N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU0JiZLfKlddOUHx8S8l/EDBYAM7QwHQYD\nVR0OBBYEFLCagyJamBZ2YrCsQItEyDKbKuqVMAoGCCqGSM49BAMCA0gAMEUCIFzV\nJOSuKzWAPYngl8wkXcrK7sPQqq5FUHkyULVAS2cDAiEAkQ0IyA3GHGv04Nym0fBE\nRlsZ5znCITMrXZXrxLm0GQs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUFbUxRyV4ABmrrrEGGTlxWy/zzJAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzYxNTAxNzc3MjM4NDcxMzcxNzAyMjU0MTQ3OTE1ODg4ODA2\nNDgzNzIxNDUzNDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU5OTYyNjY4OTA5MjA2NTI5MTc0MDIzOTE4NjEwOTE5ODU4MzQ0NjY0\nNTMyOTkyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/e/K18qytUUQNzDe2i/9s0W\na5fPW1iaF+41IR0Y0r0g5H3HmxoU0kw+lVdpPHlLbr1fOjrfJ0HdO/Zr17cJqKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd+Jvtt29vi1VfvKmPQec2zuYzYEwHQYD\nVR0OBBYEFBWQgyMKVzc68V2c4d3PAvLusR3/MAoGCCqGSM49BAMCA0cAMEQCIDTP\nn/rSlGuJhhe08eA1cQd6kDnWlvZcwZhvTaz/DWejAiBI8ODmcS59MonRtXBZRxcC\nSE7nSdUy1Z9VjgydLnQb/g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbnrPBBYlmJfEoVc3198UiGnqFCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0QMVy5h6IKBX0p3knf+86RrLiJ0HE58RZmIrt\nPUBCyL1Zq4FpxJ8HyQdt9K7VB6TlstGTMPUktRaHL4tDtCGvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfgCiP38mImKKL+rFO82G741Kw+EwCgYIKoZIzj0EAwIDSQAwRgIh\nAIQiX3WBFXynvwxgcNNUbcqL6OyamMKQhgphDNWTd0ZIAiEA85gIPSOowuA5r1Mw\nEIU5fE0B6zvrnYGJaP9NB/aBZ1A=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULPN4cTrMNpi1e7bEhifxFMbpRdYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRXih9OSn4/EIDKiM5AiEJ3+iOmzvUCRLfFW4F\nas7qyZKQYLifp0w9IZ13DRrrunQfn/nfLpH2k5OVs98rY8sro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeZRer2LKECZlsxkon57iquYUf1swCgYIKoZIzj0EAwIDRwAwRAIg\nJ/CjzS5vBmbVXrdVk92ydL9Gl+K9bv5uartK+G6ho9ECIG5lzDAJ2midhVRhYEHf\nLCm8o7LnApe8JSQ6hMDryqob\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUBA5Gpw7i3Ddcuc1LkEm/lHw8JFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzA3Mjc3MDkzMzg1OTg2NTE1ODUz\nMjMyMzI1Nzk2NDY5MTEwOTIzODI4OTcxOTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIwdQ2xTyLFvYIXfncXe6BClihyc6KaEtGH2dS2ekk7tIyfX9dduGrl7IWOFLMR3\nx9vPwG4ZHbboM0XugQX23YOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH4Aoj9/\nJiJiii/qxTvNhu+NSsPhMB0GA1UdDgQWBBSG7wGTLGXljazMjXM7MLLTTbtoQDAK\nBggqhkjOPQQDAgNIADBFAiEAsMci9UPZPqXCKaXNFRX3TsasEHEKJl9+pIBJRNgR\nNngCIBvjUk1pJ4KuvPWkfarATbjIOV0SJsCXHd8v8AufzvhS\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUUuj5L51e2Htr2emJz9M0hlQ67cIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMwNzI3NzA5MzM4NTk4NjUxNTg1MzIzMjMyNTc5NjQ2OTEx\nMDkyMzgyODk3MTkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzIzMTU0MzI4MjIzMDMyNDAzMzgyMjc5NDE0MTk5NDkwOTQzMDc0MDg0\nNTk0NzY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQDF0LILdgvSVYIjAu7ewhkbqxI\ntvdcWBQGnboHw1Px+DeDf6tpKeSNlZSwYCg/tcVKM2uL0wivyDP022OMMr2vo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSG7wGTLGXljazMjXM7MLLTTbtoQDAdBgNV\nHQ4EFgQURvJjXehC0l/OdULF3tFJMP0rIBUwCgYIKoZIzj0EAwIDRwAwRAIgSs14\nHtCwEjO6+ChZPIvGig1wNK1/xqGLXc8bUOGW18ECICAI15JFSqevYox1RoaCUXAF\nmAs+YgkGsz7kKKI02ZDh\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUMiqfCQEih7pq/QiqawGWm/latXkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTY2MjUxNjcwMDM4NjY3MTM0NDg5\nMjczNDg5NjUwNjM2MTU0MjMxMzkzNjYzNTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPX7+qGFxZWS3UlY+wOGj0+E7vy1DErD25fCdaQPUtAj/Y0CUa0X7JlVHQuF+zh4\nfpTKMSRx88iO+FpaM0+AqOajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHmUXq9i\nyhAmZbMZKJ+e4qrmFH9bMB0GA1UdDgQWBBTkOFoHhdcyUTSsus4I0cz33ogvUjAK\nBggqhkjOPQQDAgNHADBEAiAq53F5cNpNQi8ltqIuIKMj3PQV5gcbANJXojyPPdwa\nmQIgbdFh0WJApgZcNSRTZuQXW731CXCauul4ymmuKhQgjEc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUGaoTYSJJWBeiJyp/I3uIuI9mdzkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU2NjI1MTY3MDAzODY2NzEzNDQ4OTI3MzQ4OTY1MDYzNjE1\nNDIzMTM5MzY2MzU4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI4NjQwMDAyMzc1NzA0MzIzMzUzNTA4NTgwOTI2NDcwNDU0MDg0MDA2\nMTIyMDIxNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEazl6xOYtfL7mJCvojTK3q6Y1\nLBqNRqoc6X4vaOzp3Nmb7Bd3Bg3RYBACc0RxRwp2nxj3o76VcXbxrQU2hKXWTKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5DhaB4XXMlE0rLrOCNHM996IL1IwHQYD\nVR0OBBYEFA7zrXngokKkwYFtVi6IR/ElYpIdMAoGCCqGSM49BAMCA0cAMEQCIEMk\nHsVyN6cMcKa6u9fBXh/UOlJOjK2y25fv2c2mq2keAiAJxQuCFegPqsCn+qYD2GG9\nW3fyhhNS+BFhRhoC3lMkBQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUDBX3cBMzGVjxkEA8HY2C1WmQFIIwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjMxNTQzMjgyMjMwMzI0MDMzODIyNzk0MTQxOTk0OTA5NDMw\nNzQwODQ1OTQ3NjgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWtp9I\nQfboJiXZA83GjYzB0qbtsry10vPb253N0c4RHbSoxSguXRMGij804cGSVPATtxc5\nGVDbWLu6RWBFwkSxo3IwcDAdBgNVHQ4EFgQUoFaYzewseSsaZWEIr4HDOgFN50kw\nHwYDVR0jBBgwFoAURvJjXehC0l/OdULF3tFJMP0rIBUwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhANj2CSa3peARruRUqU3Ov5QTK3ECGijOnfalCVzeyqNAAiEAhPgiFVSzxLHY\n1g8pKCi/yYkwd2OQ7Vpw4/HpWN5Bnak=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUX7f5cfYUnSYS4RfEztc8f6S2m/owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg2NDAwMDIzNzU3MDQzMjMzNTM1MDg1ODA5MjY0NzA0NTQw\nODQwMDYxMjIwMjE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUixO\nGESnPmj4KLxAGEWq+yLLKVpGPUICpLYWdfdPJ4gZ6r1tBm9MF4ZKOx29AQgygkLi\nIkAvZXRT9BtfZU1MfaOBiDCBhTAdBgNVHQ4EFgQU32lk8TJ+hxsQ/yZFWXhAMjPC\nzGEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQO86154KJCpMGBbVYuiEfxJWKSHTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKRQCw4RFQVs6Ty3MGelZ3ekjHaY\nEFEZ0Ms/g8yMssmgAiEA7VRbDu9UyyQXBXLB1tpbxEUlhEG0CZqfUyOKUj25J+U=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdtDjmLAhmRTRVHf4EVCXmoiOAfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARwf3pigTRxDVwzc7nHl8EoMDNbzQOoN7y0cgVr\nb6tq/aD/bh+HlhVBhA0cy8W3WCHY5wvVatVjUPSo9mFGyTpLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOUzYDhLocxqF94xilhQXGAlXq+MwCgYIKoZIzj0EAwIDRwAwRAIg\nYWVvn9Oz4mphL/fdwykxy8PxtU4IBU13XQ1HvFtxS/QCIGgq0iiuSCGzIeUbYDwy\nXsVGRHLJXhRywwwsk3jJWeqn\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUazWhnbHsPB4dM6e5KhJfODslQt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+RKigBCo1E40XxHgOhcdryrWeIa9xyn+OTWg2\nMvStfIUOn+m+DTzLrB/J70a8ewjNM7YkF9ilYdZsDdbWlgV8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUagkTepHxXxwRJbvkh2HhKv8ZzhswCgYIKoZIzj0EAwIDRwAwRAIg\nA218BGmDuu6IhhUOz3wwARJxdgdN/8xBCIhiuFu/DK8CIBUrgRlSI4fQzBlB4q00\nWx6EzqxPz+N0eh5B2my78JEN\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHeTP3mC4vKCIDeNTCwjPY5WI2qMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NzgzMTkyOTI0MDQ0NTIyOTI5NDQw\nNzk1NzIzMzE4MzM1MzY2NjYxNjA0NjQzNzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBXRgOdDQdfKlcgxwxnthtR0UsOWKRX/dvjyRHgHwWTHdm7D8wDZZs8DgG5EegYl\nW3nM9am4G3rPJc5svmL4NQOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDlM2A4S\n6HMahfeMYpYUFxgJV6vjMB0GA1UdDgQWBBTMWacumfUt/dF3/CEddj0Eg7CEdDAK\nBggqhkjOPQQDAgNIADBFAiEAt7M9yAv+Bj3yTYhYzFDdex0wS+ZB+rQj7fdDEfCg\nMqgCID//rFYtBaRGSs1F12344XEJ06Uqdkgaz7bwuLZWcUR0\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUKDFtiXpH5J9KFfRdu7DU9aQF+bUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc4MzE5MjkyNDA0NDUyMjkyOTQ0MDc5NTcyMzMxODMzNTM2\nNjY2MTYwNDY0Mzc3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE3MDY2MzQxMDE3MzU5NDc1NTEyNzM2NjYyNzk5NzgzODM0NDkzMzE3\nNjA0MDA5OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUtcJ7QSpK2yuAHXIaOm4Gm4d\n4UPBiwCZ+oX03d5LlSGCRSNQmytl3n83latR60ZI4+NndN0w0TjJjB60NIgmeqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUzFmnLpn1Lf3Rd/whHXY9BIOwhHQwHQYD\nVR0OBBYEFNcsdiyfO3ZJoLlRUtGHoK+LSqTyMAoGCCqGSM49BAMCA0gAMEUCIFqB\n0yKrymVC8Gb+ByrhTBsG8RAUSfzFAQd7sr5XRue2AiEA4co37Cwi+C2C/PY/1zjg\n5SLUhj6T7nUPX5IyY5m/vg4=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUPawB64nW639TtZeTNCyvKmqcHLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MTIwNTgwMzA3MTI1Mzk1Mjg3NDk0\nOTk1OTQwOTU0MzE0MDM2NjQ3OTI5NjE3NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLdlwkUl13x6Yh0JrDMasKpAkfUToLpj3mnY4Hm+HpA3xpX95PSjgYl8pj1Ya98R\nqZZbecMW2YKVhWwDoonFLTejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGoJE3qR\n8V8cESW75Idh4Sr/Gc4bMB0GA1UdDgQWBBTVTvPnSMWXYv1II6u2T3HXKQggezAK\nBggqhkjOPQQDAgNJADBGAiEAg2urdg+u6s3xwIeBGGHAdF1H4IeARRMcpNJSJO4p\n0IgCIQDQVaEimQir3sxNNd2cKjsuBmMrRmgcLhToMXux9egE8Q==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbuZuUCwOyIMl/8JNM23aO1pUgrgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjEyMDU4MDMwNzEyNTM5NTI4NzQ5NDk5NTk0MDk1NDMxNDAz\nNjY0NzkyOTYxNzU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM1MjA4NDMzMjQ1NjI2Mzc5OTc0Mzc1MTY5Mjk0MTI0MzkyOTAzMzc3\nNDQ3MjM3NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqwxmSokbLJne4VK7t8mBeOkp\nI+axmoUwvP08l4tUJajJDPfOVQ6EsfRrqUo/Mip3oV0xlcdFMQx2tmDRNCpHg6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU1U7z50jFl2L9SCOrtk9x1ykIIHswHQYD\nVR0OBBYEFAZzlv4Ly2yqjh5Icx3t5/p7HYp8MAoGCCqGSM49BAMCA0gAMEUCIQCc\nBW2F+Nh647jY+P6Aa5/nOnP2qZWIB8Z58fArMVRhewIgdqt18P5ynQ6UWWKFdPYM\nvdiPCBTQNs3FH3Z4do1QUuU=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8jCCAZmgAwIBAgIUZCLQ9RE/7VyuMC0mAH7L43anp9YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTcwNjYzNDEwMTczNTk0NzU1MTI3MzY2NjI3OTk3ODM4MzQ0\nOTMzMTc2MDQwMDk5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5Gqq\nJ2PsOKxtuPTFTrqIYoEp1NU81WQVZf0rMhBXa2YUa/zO1vyxbmqm66KilZHI8spX\n7kTKMn0hsbii7HpoKqNyMHAwHQYDVR0OBBYEFNQ0A3M3x9TyVKKXUMCornkZh3sM\nMB8GA1UdIwQYMBaAFNcsdiyfO3ZJoLlRUtGHoK+LSqTyMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIHqxQGbcJ8DRoWK/vxuCw8JJ9w3ni0P2GRfTbyeUgqufAiAcKaXHIoawuuFk\nRppaaJC9n5dZnT+3D3c3rrFF1qq4QQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUYdTxgqvS2c/KXkjCjFkkHJdWasUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUyMDg0MzMyNDU2MjYzNzk5NzQzNzUxNjkyOTQxMjQzOTI5\nMDMzNzc0NDcyMzc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZp+6\n1sRkP0T8Cb+BlA7qr2seOjVA2ZCSfsz160ejFde17w6cJ3Lur5nud6QMXhhkZOjH\nfAS9RusBcn2VOyHtiaOBiDCBhTAdBgNVHQ4EFgQUluXTNnf9SIRoxwXWqgevUHX/\nc54wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQGc5b+C8tsqo4eSHMd7ef6ex2KfDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIQHAzWZGTnW7cCPcm5DBmtM2p5y\ncoQwoGX9WfkUydj3AiBahaTaCEEiVZc6LuF181Fvt0hN2X43dl3clWnYRtbnfA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDHl6q8/ASvpvC2HETg6Z4jptFJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsILZBQa4r5J53wj3r1Z5bLHgSDb/pKTeI+KxJ\nri2gLjhQptDpbFBQpIBkOQQDfOmDWHSZT84CXfz4QkCwSJ83o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUelSCkLkinFopPbZfgWJgffQaz40wCgYIKoZIzj0EAwIDSAAwRQIh\nAOQc8EY8fKBoBNm/9hCLqe56iNZK1cS/eZk3KZgJRttiAiA5BaGwrmshse/quqg9\nLKBRWowwgfxBvnpTtvUYsIaEEw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMibIkatGFpzEETgDbD888aBYSWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiV/JDLMwYZUy/udeVPIjvwbzzYAQleGmgI94V\n8Ua65NitmbPQJ9wH0FU3v+AcCATzwb6iyT5t0Rh0rF+qxXBAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ9V/LAIQP6KYYn8WOQF1C5SwX3EwCgYIKoZIzj0EAwIDSQAwRgIh\nANmwT2I+bhdz7Y/VkArs21kbuX5m5jjtdfkU/HQUNhSwAiEA09sLYYyK7BgugH1s\nKYW3ODCqoo3eeqL5jawIRVwtE8U=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUBz+okIWKL0IFuhSFlwDFHHry6fwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC83MTIxNjk2NTU4MjIyNTMzNDc4NTUy\nNTg1NjE0Nzc0NTQyNzg5NTE0ODY4MDM0NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1D1eYdk07d9u79HmrWCHpNamgbGPFLpgjPYa8yYvaeQ/lxKCQkg+LeHqx0elagPg\n3wZ/glTFl+zVCzCZkGIhG6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUelSCkLki\nnFopPbZfgWJgffQaz40wHQYDVR0OBBYEFJvbJDM37oOPfGpPMRyWPa3ms63xMAoG\nCCqGSM49BAMCA0kAMEYCIQCo41azx3IkB74AduYsXfr6Hl/xIhHmyP3DIGTtuHZ/\ncgIhAM7OyKa77MIdHMujypQx4j8o7gmL3P8jYb4yafgewcXx\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUE7S/RFNiPrFD+wHTbir/Hu5PUEUwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzEyMTY5NjU1ODIyMjUzMzQ3ODU1MjU4NTYxNDc3NDU0Mjc4\nOTUxNDg2ODAzNDcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvNDEzODI1NjYzODU0NzY0OTcxNzQwNzgyMjU5Nzg5MDQ5Mzk0NTMxMTcy\nOTUxMDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEqvHFk5dLs06Ir0UwV55B2UTCwW\nKGyOAdqMSOhkBMHWkocEpVB0f2kJa2jqPu4QRnwNOEM4rHFBU9A29tA6gVmjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFJvbJDM37oOPfGpPMRyWPa3ms63xMB0GA1Ud\nDgQWBBRX3eYDnADUZUpwwJuZuvTqj8m9wTAKBggqhkjOPQQDAgNHADBEAiBOaAWO\nVVwCmC/53hmUzlXOyFtNsqDtSLT7jyYZER7tGAIgN1pW9xFGfqCkAL//LUGjbUCa\npWExMbVkD6IdhSqHuwM=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUejWJHakqM8Gxao/3bMr/KA5qRYwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDEzODI1NjYzODU0NzY0OTcxNzQwNzgyMjU5Nzg5MDQ5Mzk0\nNTMxMTcyOTUxMDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwMTEyNTAxNjIwNDc4MDM4NDIwMjUyOTM0NzUwMjg5ODAzOTQ5NzE2NTQw\nNDQ0NzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT7uNSpUng9y58W85lTggWWOfbn\nHm1skEcPsYoCKXfP2/BhT85mUPf+IRJ8r/hy/ANzTCyuHv5Z43HQzNEag5Cmo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRX3eYDnADUZUpwwJuZuvTqj8m9wTAdBgNV\nHQ4EFgQUsIs31tt6HJ6CaEhHMw5ILUWSoMAwCgYIKoZIzj0EAwIDRwAwRAIgWvQp\nef4BQ77zFM31q2tQDAqQbBmrd1ckIuiiqKVuegoCIAuABQomkuXtWTSfHlPOtplO\n4xZv2V0MGBeKbRdMGrtt\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU9i1txtmr1EzKLr+HexzqAQQ1UkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODYzMTQ0Mzg4ODQ1Mjc2MDIxNjkw\nNDQ2NDEwOTU1OTI3NTc4MTEzNTQyOTA1MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCBeP3DCW8Lf2xDfEaeKFwko+QW4pR3kvw141+XP/CPBYv87l97gUDzrGeFD3ego\nxhlxf2Qg74byXkAfO5fzF9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGfVfywC\nED+imGJ/FjkBdQuUsF9xMB0GA1UdDgQWBBSP/NJW/ZrxPJPkQ6MoWkWnEfO9qTAK\nBggqhkjOPQQDAgNJADBGAiEAjPQMH4Wlg4gh0UE7pL4bDGF19OMqtZZC9zjMHo0A\nGUwCIQC5up0/0zHojmZIZRX5qQLCabh2zD3QSodkXqB7IbfyiA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUD8AvnOHLBjS+R4xfvtb8MyWVI6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg2MzE0NDM4ODg0NTI3NjAyMTY5MDQ0NjQxMDk1NTkyNzU3\nODExMzU0MjkwNTM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ3ODY3OTAyNDU3MzExMDQxNjI2NzA2MjU2ODk5MzIwNDIwNDUyNDIy\nODYyOTgzMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGAZKaRklqhUG3rj+nYavBTUw\nu1z0vre0dvpp5O1tHZ5jdXQ1adnSYFeNqzhJ0qu1icogWrXH080dtcuVWal9T6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUj/zSVv2a8TyT5EOjKFpFpxHzvakwHQYD\nVR0OBBYEFDpRW/QJ+7CLE3aKfOpYx1+lLkeHMAoGCCqGSM49BAMCA0gAMEUCIAEE\n3+rfgXKeV0Qtx0ccc45qM5bH7iktjo9jrYiaHJD1AiEA7rwcQns0atFCbgNA1zeu\n5OWwFM47jMGWLfpEoxsPlkU=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUYi1VGZSES7Z3B4LuKy7MuQwtLpMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc4Njc5MDI0NTczMTEwNDE2MjY3MDYyNTY4OTkzMjA0MjA0\nNTI0MjI4NjI5ODMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzg5OTIwNzUyMzAyMDkzOTY2MDkxNzY0MDcwMjQ1NDk3ODk2MTM5NDUy\nOTE2NjQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMXlzse8n4BQXkna3qbZVXRKAa\nIYYJ5JYnL9WjT72zQ/NMO7Jf0scTdnZG80qAPbbXpmW9HwBx7++J46RqV27eo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ6UVv0CfuwixN2inzqWMdfpS5HhzAdBgNV\nHQ4EFgQUmhdUI3pdr+PagWQspNp0m2aV+x4wCgYIKoZIzj0EAwIDRwAwRAIgMKss\nUAK9IwuyMQHiD/6NHyLoSCgfLZGK6quvZtoIlPQCIBw2aiCB434tEMgD/HcVAZQ/\ngrFZlDAOUY/z0OfrfK7d\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUZvtF5+s+Ro1xoG/q5n/mvLzBbwgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEyNTAxNjIwNDc4MDM4NDIwMjUyOTM0NzUwMjg5ODAzOTQ5\nNzE2NTQwNDQ0NzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbU3R\n3BsyCp5cAJALr3vnzkHrAgz0mRK2FAj4SZ8Qjk8Zwd7vr9p0PDir+5sdipYXp3SO\nRAjyqkdBvPdvM1pFdqNyMHAwHQYDVR0OBBYEFHHIG4R8/C2fA1ZKpuowUxJ/KKcr\nMB8GA1UdIwQYMBaAFLCLN9bbehyegmhIRzMOSC1FkqDAMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCiG+jFIg08YFzecx8dSk0pi8VrF0cX8Ns/RpQ9h+7y4AIhAJXwf5MjHl9a\n33zJDV4JLojXf2YVwB5HdwXRfnppydYy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAa+gAwIBAgIUZ+DIU05QPBaoUHrKcs4oNADEk1owCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODk5MjA3NTIzMDIwOTM5NjYwOTE3NjQwNzAyNDU0OTc4OTYx\nMzk0NTI5MTY2NDMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATr/ZW1\nwGwc4QpRFSGT4CWS62thz65ynt50jFZLgsijfKZnifhk1cXSCpMv+Q+YnJNKKyYV\npVDbA65ZhERr6x82o4GIMIGFMB0GA1UdDgQWBBR9molDeCzmmBZovEx0qewdD8Mt\nYzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJoXVCN6Xa/j2oFkLKTadJtmlfseMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBxsPbYYoHXvO6/gicTkSo4ulL4v6jC\n9roD8+S+tWd8NAIhAPVh6Dn9KrIjuAvkDc20ZQjCw9tC4aiO78jso+91CbSL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbTbNvurPl8GSzjHWSCWTfQGyWGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY0lbJ6DzVlRBUWtm83nPSmDM5mfbxtlS4OKsE\nevn7PUYW+ekMugOpI9WPPzNwTQRxNReHWTGxG2R2eSlGgx6yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNY97ut+8AqFRCvsIL5AoYtVG/ewwCgYIKoZIzj0EAwIDSQAwRgIh\nANVmmCgG1KDmP1OTU5Sl+gCdFfq51PmgtL0O5buRstx6AiEArEL1rsNoYgVeF6dW\nBKzgHB2tHe0lIsfvf34EINclWD8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHKPSe9+ARZft0erGisjRH6h4xNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASGGmMGBufmKZTfb45js8HhxAk98i+fa00Ahp2W\nRNONTfZLBHJ76DtCXP8ETB0vMR/0sv/Wn3YCJGh4dppd78HAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUppGYjWbO6znWO1HQX1qXwC5z4gowCgYIKoZIzj0EAwIDRwAwRAIg\nVVR0jY5wyBcAjCrCAsWi344WC3H1Ys5QK/JEleAwm1ECIER+sO6wilbR5w347VCj\n4Rkbgg08boZ1kLInVv8ZeThy\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUfb/GTI9Eixk+Jv3XFlB15Yec8xEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjM1MDIxNTcyNDQ5MDIxMjIwNjM2\nMzI4NTMxNDI2NDA3NjgxOTA4MTg0NDEzMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPWBy8gYMelFPOGkNHetS7YfrVB7hL5J1tIv/mPxhl75RG3mMPsSARnEHiTpu/1\nnd8XmdERD6Uswo84py+244yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDWPe7rf\nvAKhUQr7CC+QKGLVRv3sMB0GA1UdDgQWBBTeQug+tTQR8gGbO7VaqNyYeka1sTAK\nBggqhkjOPQQDAgNIADBFAiBXDCWsba12T6qczrMZkM9lEdhy55Ebj3AV64xgCcV6\nnQIhAOXN/L3XObQWNhXy6zgZu7jddm4aJCBna5PjC+5EKkFy\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIULdtkjvIJgyh9wACCM3iPTaERwNYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTAyMTU3MjQ0OTAyMTIyMDYzNjMyODUzMTQyNjQwNzY4\nMTkwODE4NDQxMzE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYyMzUwMjE1NzI0NDkwMjEyMjA2MzYzMjg1MzE0MjY0MDc2ODE5MDgx\nODQ0MTMxNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAHa2b/1jtAZe2omRAIHB/a1z\nJ6AMoNHLKLMaePxzWpwSK7VQeBPuaY1Qv28UKIPsk6CCrQ9kuC+zIDj2bsvG3qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU3kLoPrU0EfIBmzu1WqjcmHpGtbEwHQYD\nVR0OBBYEFCtvo42g3QntZ91oGc3S2prJ+n9DMAoGCCqGSM49BAMCA0gAMEUCIAeZ\nAJhTbYbLIup06h6LDpETB/W3hgAFRJI578w+0YF3AiEAiF6YuXKd10jcfH6ZMV8M\n0GRE01gL0c0JSP/EGVffkZM=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDPBjXMdHF+CioG4AHpQChbFk7PowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjIzNTAyMTU3MjQ0OTAyMTIyMDYzNjMyODUzMTQyNjQwNzY4\nMTkwODE4NDQxMzE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI2MTc5NzIwNzc1NTk2MjgyOTcxMTc5MzA0NzAwOTM2MDQ5MjAxMzU4\nNjMzMzkxMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYv+aPMLdyDtOZd75YZvINCH1\nRjytCWrkHti1wBE5zvEDtzMR1lp2uZ51TK/VE+3IUsNhIx77LZhpCULt6WxQWaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUK2+jjaDdCe1n3WgZzdLamsn6f0MwHQYD\nVR0OBBYEFJdOOnWcEQA8x+jwksnqd2GtTdfvMAoGCCqGSM49BAMCA0gAMEUCICX2\nntAwg/mDe7C9Twwt1ZqUG2UddUeYSCH4faAprQa8AiEAgdMS+B003vh/8JyzoNgf\nM5VpVbbhFPAk0I+iDVbKghQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU1s+NM0nwGJiEqMJMHSoErWYV/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjM1MDUwOTg3ODIyODg2Njc3NTkw\nNzA3NTg0MDQxMDM1MjA5MDgyNDczNTI1MzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPyG/78d6zyhHRfaQk35reHpHcr+SAEXL92tyAa6nuODmsxDGyWySf3rvOOu+mxS\nEGLEcbBLsjpdAVXmACs0vcGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKaRmI1m\nzus51jtR0F9al8Auc+IKMB0GA1UdDgQWBBQZezCQwzAWXh7E+5aR3SE8hT6LajAK\nBggqhkjOPQQDAgNJADBGAiEAlV/65w3CPzXxVl4H//tL+sZOBZr+JbtIz6Sq/2Iz\n84MCIQCApQr4A3LTPVmYgHbCE20OyLlRpcnJhMscLr3lZ+8KmQ==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQPE9bTHSoYfx/Uu632/7yY+AcdswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzNTA1MDk4NzgyMjg4NjY3NzU5MDcwNzU4NDA0MTAzNTIw\nOTA4MjQ3MzUyNTM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE2MzUwNTA5ODc4MjI4ODY2Nzc1OTA3MDc1ODQwNDEwMzUyMDkwODI0\nNzM1MjUzNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIk07Oh+M3ruU7FebUuap+6Mp\nbW+5o/4GPeFaStsBBcM3nwdSV7bvmYbsuUPrZXgFi6n4/516JxG1Vro4mdEdZqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGXswkMMwFl4exPuWkd0hPIU+i2owHQYD\nVR0OBBYEFCTU/v7dnzEcHwKdTCr3k57bGCpCMAoGCCqGSM49BAMCA0gAMEUCIQDD\naZXD3hJXawXi4cEHwEO0JkGweX5bAM86axUhX04exAIgVzkuBDefeKSdPPqV1x/L\n1nfk5iowxmrmroU0HvWnPVU=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUSbYCkn62b90KpBbMODagfy8TSGMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzNTA1MDk4NzgyMjg4NjY3NzU5MDcwNzU4NDA0MTAzNTIw\nOTA4MjQ3MzUyNTM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM3MDc1NTIzOTkzMjAxNzI3MTg1Nzc2MjY5OTk5MTM3MDI5NTEyNDA0\nMDkwNTE3OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK4BNQkmLyE7yhDixyGPuXOKF\nNlcrGZQdFf54EPVkj1Sq3LWDP2Ja17bYOV7c5LAnU2m+FR9G584wCp6cTwaDV6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUJNT+/t2fMRwfAp1MKveTntsYKkIwHQYD\nVR0OBBYEFJbPS/O7NqngoslVvAGLmxb/pgnwMAoGCCqGSM49BAMCA0gAMEUCIQDf\ncIV0ygkleR3zSXl1Fflp7fX6sX1VSZGSt6q3xhvQ1wIgCEhezb51IH56b6BUw9Kj\nHb8X3NtJ22h9034VpgkAkkc=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUdok/yGbVjfCE2IMr2W3yu1FL+I8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYxNzk3MjA3NzU1OTYyODI5NzExNzkzMDQ3MDA5MzYwNDky\nMDEzNTg2MzMzOTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiSRV\n22ayTrUilBkNOZnt7eYEMXTnM3kPeQCXm99LX0emD5QOPty4mRwsjF86uQUqKdLX\n8bIRMwmj6aTF8gjgjaNyMHAwHQYDVR0OBBYEFPDGjOV8DIbMCJrLLEj70xRKl9v/\nMB8GA1UdIwQYMBaAFJdOOnWcEQA8x+jwksnqd2GtTdfvMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCaYCEIiKcT49et6bjT0dlio6204sz9cKrR+KdATeE8WgIhAKYVulwh2qtr\nnzf2r2loLHRFx0K35+AyS8c7up27OzBU\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUX2FyFfTItd+cVJnvMV/JY7f/jIwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcwNzU1MjM5OTMyMDE3MjcxODU3NzYyNjk5OTkxMzcwMjk1\nMTI0MDQwOTA1MTc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFIcs\nRTGFnQmDmebTRwVrTGeqbIFiCQf1fhKXP5CqlXKRSTv2VhO0fXC2cpd+xTiWeHAn\nM1dlJr4jFzZ6R7iQnaOBiDCBhTAdBgNVHQ4EFgQUKFRhY6M+HF49jyBDNX5j/BH+\njgwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSWz0vzuzap4KLJVbwBi5sW/6YJ8DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN0lRPg7/SwRSGWMYtRnsMuL8i/Q\nBWn7C+EVPZVv2806AiAldO6Cm47QixvORgRmAlTYmaJ7h/KHa6veVFe3yyVFDQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUW3t0Q1HwFPeMmbfcBCo2wM9ekdQwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERHv2kPlDINJM\ngUUW+ztI90Uht1R6RX0Hw8eOj8wfYuZ/j19GpJmzSzxTcoSuN2T104tHizcBzMJf\nXsPAFskjQqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCClIIvffTdB2HzSjQhkbEz/8RVH\nMAoGCCqGSM49BAMCA0gAMEUCIHWhlFosHNa5RjqvyrQToYFnEpJ2l9m2MvpGcy8d\ndrQEAiEArH2E4Mh5Vbo94a224ZFpkY2pf8AH0WT8ogbN1iynoEo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUbfMyMY43hDrMfHczH+k4h9pqQLUwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz1zAv4/Bwxet\nXz2d67K4qAOeruF2VqxV1cEPn94+vS9hp1rfKy+IePZDMzD685QWT0w9swxLv60K\nt73g0Y4rqKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFBP5RpaCRQwqWRl7kqfQuYnVC5is\nMAoGCCqGSM49BAMCA0gAMEUCIQDwPW3MKqzQUej5gSguLy4TW/NwiSHB3jHKxz6R\n6CujaAIgATGyRidhW9Fb3uE28bFamamzEmsh5Qr0AkWBSYVI8A0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUUO8B+2agfNtIkEw5cGdkfXY2h1gwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABJjJ+ZcKnfCcU83GSLoHOAtjow3TOiuz21VIZICNw4oVPPDl\nD9bFEyVHvP1pgk+ic3awhG5vuwSptRQXwDln3ZijcjBwMB0GA1UdDgQWBBRChgxe\nkeiF7GxXlq1asqEG/ClsdDAfBgNVHSMEGDAWgBQgpSCL3303Qdh80o0IZGxM//EV\nRzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9k6UbMQfTX8XNJEUyGPRQMkk2+JSyvARRZRi\npG/6jK8CIQCLeWWtOSi6LPuP2eAcTIgFtS1z+0hD5gis95v5ZXLKJA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUCuevmaMdxGxC5ZUPkQiVfbLHjzgwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABEa6LdgoMXak9YBrLY8lX/WcKKI+yF9WLCC/CySDwcH4zi21\nDr1UNSJGaXTxhJzgHyRten4fpePyPqx8tOCurtGjgYgwgYUwHQYDVR0OBBYEFOqV\nwjlpOt9shn/N1NJvQnz/PHLnMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE/lGloJF\nDCpZGXuSp9C5idULmKwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaYgMe\nADo/4YRAI6l9l+hwVniAtdHk3XLHOjQ31dPFwAIgalKL3wQ38buA1q+Dmn+XoJdS\nt9BGd5ZwQjEZkin4vsk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdjCCARugAwIBAgIUKItLjyOuB/ikS4ffjmNQfP3e5nkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9VO2pHe0\nGN4Icd0f5ButhFCPD0hEpJf2kEFp+0mNYdE1QiPty7hEb5dL5CBunOyVW9vhUAOV\nkeRSzaIDNOdxraNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJgX+EuGGH362QBj34EX/bFV\nQXpFMAoGCCqGSM49BAMCA0kAMEYCIQDzyglYblKqu6u3fKlIyTZV9r7cmecjRa4O\nwW5NdOWlyQIhAI+wQOuomvaxOMVISFXnUuI7q/CL7IzAhAHSgu65KkTl\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUaFhLmcJGwALe2HQOA5UJhl9VcxAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBeuMMnLQ\n98mi8+jYbNpB8cunQ72AwyRq0AwP5cHIDjkusJiLUURrc2KKxH8223zLJ4aPzPsA\ngLJsEY3ZKXcPn6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKYQsJmV1g/AMyfK03yjsomN\np8e2MAoGCCqGSM49BAMCA0gAMEUCIG98uRnCEzWv/ZWAhlLKP9It8KwHvZw67Cwc\nd6HxLYtAAiEAiexpoNnZRhkgHLt6TPXbMXBuYX4K+rgaio0vVVr7Hd8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUIbwNN8mH08KI7vY2iIhD0n2J+pQwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4R8IWcK1HpFua\nfORD4OQKU12i+W0rPwIlS3on4Pp4McOWAp6glaIOUBjYHjHSEuHFIWBjD8pSdTeH\n3ApuAXcJo3IwcDAdBgNVHQ4EFgQUXXls6TgcOX84hrJJcfolPwMiIXAwHwYDVR0j\nBBgwFoAUmBf4S4YYffrZAGPfgRf9sVVBekUwCQYDVR0TBAIwADALBgNVHQ8EBAMC\nB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAL6O\nefdMtHkgMfbpGHgciT2OcZjMARa19MWrI6uRqhz0AiEApycpObBbSL5kgC92dKdA\nxux95JsY4DOJXs2MwTg6Ahc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUDww3yrV1WnuWUm1+r7hzamKhN9YwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASv+6sg1llcDYEO\nhnv7i2jAr0TWnwMlzgbeA5QAWRr+BR1C5MyGXC36go3Z/QUzkmLHyrM7V3T3WyAD\nznrMK9neo4GIMIGFMB0GA1UdDgQWBBSI2jcNoyA5i40EvWnoEDxWM2TGqDAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFKYQsJmV1g/AMyfK03yjsomNp8e2MAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAzWdW7AKb+HQBVkXPYljRXehlwW0J7ixhDcJF\nNw5hr1kCIQDv7689XIPvFL1AeU9jjlZHcSao+35WO3dH/4W4bCLIYA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHPbJm6zXt+UUdpBYT79muf/cfs8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDw268ZOnWc4o6skJRrjT2wUZcGaD5pjZXehxm\nVgFx9xviGpdppzZFL8HTXoOVj3CEZy65j96dOZzx3B1xux6Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz7rvnJebqmyGD5gvBqbpA4dWPy4wCgYIKoZIzj0EAwIDRwAwRAIg\nWl7G5qB2W8wbg0DHASs3dw8LdjuSaqUZ6YFsknKOzTECIB2d4VvbQM26/t8UOsTU\n6quLp7GXetKu9kuR6B/G+VTd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCzI8YgTMg9Hwg0sBU9Y03OXVmLMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTu2db23l4fYqDMwMDxjMuOq29uZaOfDSJ/FVg\nbOx9ysvNPhz27NxJvPGjwCJiyqkwINm+AzEHVOlL7mku/8u6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2UuM93npTz4DaQa11seH1b+1K/QwCgYIKoZIzj0EAwIDRwAwRAIg\nc5KMmisT9TW5Y+Wl4ksfk5/AByNTSfchhApODBV68AsCIC9I2vIiPfGYJ+cbJF/1\nUPizh6qVzHk3bdkIj5XYo8Jv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUPTsGsU+54Yobhve0tZSiyszvcbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFdGbrMhGfZz+MVtTkbb89T/fFlECcrX0JoCoyQcLXcX\n6ENm5bmD3Y/V4+TTCXywyFeQlBbOj+o8SenpIQ4wXf6jgYcwgYQwHQYDVR0OBBYE\nFJg0vhsXRmZTgDvPlz9BKx9GmdqRMB8GA1UdIwQYMBaAFM+675yXm6pshg+YLwam\n6QOHVj8uMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAIrg\nuaX6WJ/Q89XpueyzImzIAas4FaD0Tf+fDp7Xy8Y5AiEAuxD/az6AWjXgOdUUyZzp\nvXbftnlTu651I8TH11/xyv0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0jCCAXegAwIBAgIUUL7K8Le3Xix1NaQ/KHH3Pb6gXaUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJRCuGyXT2chUFQ8BoXXTMZjqREct6dp6mBJuZBaZj9i\nHIwaB9y+8MX4gbkbgp5uygMayprTxHWVaH+vxeM8+jWjgZwwgZkwHQYDVR0OBBYE\nFMtLmY+VrB867zAE+iArJBjgv5RGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2UuM\n93npTz4DaQa11seH1b+1K/QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSQAwRgIhALoKLYMk6g6EMFH93zW+iN4tRlBIqVHIVws+cChv\nzee+AiEAxe+w+FW2sX7/teXkk/kDwzdqHhtvGuYkdaq3q5hqnlA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGACJtzl98fpI7Bb3/3WVErZeHlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI2JH6y3rKxxm/a0ypF9RHy8qMIh43wmhP3dew\ntQrIsMNqGhoig87IqdGTFSp9/TbDMZELK1HnsTRpWK1Luac3o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlanuWH06AcDotTw+Bh7FIh1+mBUwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiBarzMmObvbtRMknxJWg4rdHEShKf7OhO1wEs3e\nkdjvCAIhAPaMAW/v6P918W81JKynrxHevFnNZQV4UuZZuX5prg39\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUQK5uHJKs1dWTWS8rZubOvyTLcWcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1198/JIaJsU2nR9vWgXrPrsGK3c8N3Ujv/1kl\nuckD1oeu7mNE0OIV5IGCBw1I4WETu8zrZZyqSuHAnQM0OFmVo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULO089iy2nlvZs16Xxsd0K3Wgs9kwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiB4cYZtyqig/jsAf+dR+17G/MY91J/S6R28i6fH\nbSuJcwIgSKDonf4BMSPlw7b4NE0RUGBpOLHwtcu9vbsspt4kC78=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUYFH/ZGyQ3JxqO9pqqv08mmEUA9cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOvLm8Mp6YdDPw7bwTceLXHtGBP9TOAe25n656cMINhV\nH1lLPejdSz3Zl6OlsMrmo3MTB7T7etKsNFUfRy5hm9KjcjBwMB0GA1UdDgQWBBTx\n7vw6KOwdiAHFd5nqnSXOnulhRTAfBgNVHSMEGDAWgBSVqe5YfToBwOi1PD4GHsUi\nHX6YFTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/gG/npfloPGmBP6LyX7yXxAj831SlSK3\nkqrcnUOIKkACIQC9u2RDhJXioixypkzUVXoA3h3dPKsOowC3rJ4oOvLbBw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTNqHfLvdjg1Xk1MUgMqMuAEQo54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI3NvampwgP+20q6boTzeXO5BUgpzNM5inpPy+gNWpE2\nda2vkt4wdWLzAXRc0G7TR2CQJqDVzMOUoI4oDNiwuJOjgYgwgYUwHQYDVR0OBBYE\nFFGQ9tnsI3UaBg57BlbEx5iE0NtHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULO08\n9iy2nlvZs16Xxsd0K3Wgs9kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCf\nHSVCyOm+FuRVb9SPmQJkfqEjnma+KnHkykSU1HMywAIgWaYygOk6GZKw1n3vVpm6\nTTgnWiOvZZE/b2pO96hGNVg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcdEssSZDJOozsVAVipGYRulRQJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWm9FaiKVoO+v2FSfNUXl8PQrOBODOYgUg6Tkt\nQ+Kcs6ypSYUJEnMf0CP2w2Zkd2S97nqXk6K9y7mDrmtB8Cplo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtTlcmCT4VDmWZ7zAUQoMvZWKxe0wCgYIKoZIzj0EAwIDSAAwRQIh\nAIMnNMFJJQbRcgI74/kjhgo+Ezudl4xLt2gcuuvaJHzjAiAzuaCUN1wtRn5NwEW/\nm4l1m6NxoZ8XFqIxau2UpY4jxA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbWDWWB5VFRQ6T2EVctqcad0uqnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShgHB4kaeYUnFX2iL6z05GB5Fb2bVoYqF8EyDM\nNxBzRi1i2vPyBBPLtxDosE11Oq7W+Udpv2Xxf/PfXH6Ntoxco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUB1tTwjRm28XX/jIeFx7Svm3tBYMwCgYIKoZIzj0EAwIDSAAwRQIh\nAN9boC0bL20jkMGS3nvzUS4T0JK1mC7x4ZumItxpEOCMAiAH68unyxLSB4tS/NHG\nSmofARKINsyNTySo7HR/dlN2qQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUFpGlfUg5zxBFHQzsq9DJxcu1tjAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NDk3ODA3MDYwNzEwMDYwMDUzODMz\nNjkxOTc3NTYxMzA5Nzg4NjI0OTEzMjA0NjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMZv7fCTEoAXFW0DFbiv5ojtH4kpXZgwxE8ffh1zKtzio29Lc9JVVYcVo9YD05Kp\nkaGoOzPk8GadkxCOzD2bLXGjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtTlc\nmCT4VDmWZ7zAUQoMvZWKxe0wHQYDVR0OBBYEFMnwt/2t3HGgvntQ7ICK7KjgBK0n\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAIozT/eovaSk\nBRrCwbes6X5jx0+VqJoZocaTzgPBeHaAAiEA91vVl5xsz68FWJTg06cdfWAdetpA\nwgpal/GcF8vfysU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUL+Uj58BwRVXBGxoHAgQwpnWHD34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjQ0Mzk1Mzc1NzMyMTM3NDYzMzgx\nMDEyMzE2MDYxMTIyMDk3NTAzNjkxNTE2MDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEAwWsftzSFlDAPS/R/WIgaA7bs2Hagm241vgUMEp9pT5HzDroAaS9fuQTp+to0y\nmCnInqhGOoGYxBEEPrTC0t2jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB1tT\nwjRm28XX/jIeFx7Svm3tBYMwHQYDVR0OBBYEFPmDqbCAoAiEw+bURM46G3cEyNDZ\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAPvryFUusljo\nLt0COjM+/7Oc5+fiH0D/j4tEroo6fs8pAiEAzFYuJMao72UQ2Wu+wEq/uFpHmRp9\n5A7t1J21PjWOAOQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUM2ex+VrYaGjNaEvXljDyTTUxwnwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQ5NzgwNzA2MDcxMDA2MDA1MzgzMzY5MTk3NzU2MTMwOTc4\nODYyNDkxMzIwNDY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVK/t\n0nK6MxoC5e0W5WTDXs8IsZWSzGhCqzjfABhiyfFsrHbypd2n3MY9thxQo2Y2ukqb\nxU4fa5MS0sg+OwO+VaNyMHAwHQYDVR0OBBYEFGIBm9Ymg5ENmThkMAQnd8IHGFOD\nMB8GA1UdIwQYMBaAFMnwt/2t3HGgvntQ7ICK7KjgBK0nMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIDiCiLeQaTJgiNqu9MyDjBKoYXCg2sTep4tbayvLkQuQAiEA03iRztxCLxbD\nXcs0w6Zstkxe2Jcwo3lkCXiYldPIR+U=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUaO/Xeigw1k9BQWceKlnubdvKyDkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjI0NDM5NTM3NTczMjEzNzQ2MzM4MTAxMjMxNjA2MTEyMjA5\nNzUwMzY5MTUxNjA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE67r5\nCwWRkkIYLKojry36QCiPU3S2oVXYbIATWLePEXQdIx6EQNTCwOvcmNe/+Z3P6pqL\nDlyl/ktPDjhaY3+uBaOBiDCBhTAdBgNVHQ4EFgQU6ow3yGJaLSdRM8l6MYtQK2RO\nHmIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT5g6mwgKAIhMPm1ETOOht3BMjQ2TAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVmsnh/zAoERvkZZqL4epEP1rsXOK\nI/x4h+BvS+85anwCIQDKwV88n4eOiRRusMq0hueHY9qsq62OEajYA17N6Phikg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUJsu2tMzuN2sb81Xxcnb785B6SWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOHvTDjUBFCMAxQHBFWBBv6cP8yPFpQ2tmy4zS\nZwKppZTeUQfubYZmcLIov4S6TtuTtUjtM7kvinh27HirtNUpo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRVMp7gLvR/FTg9J793XNpGZF1stjAdBgNVHQ4EFgQUVTKe\n4C70fxU4PSe/d1zaRmRdbLYwCgYIKoZIzj0EAwIDRwAwRAIgCGGuPUvSdw+SrUlw\n+HCcHab6+44Ym8A1yXE+l6Qz/lgCIGl6C4Id7bFv+3PsIR1jPvaaxDrtCb4vRS6a\nZdyEHC4J\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUYAoDu/o7xLBn9DKrl2hlo1jRLUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfvOW2lCw4A2hAxkrMgZzsiAIZQIz5dnOGEs4p\n4SXGsO9S9AFuWt9GM5a2l6Qb8p0TaJheHZkOfZaAk2lNdolno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRq7i10jfnQPjjsaTaZWvyw0CNl3jAdBgNVHQ4EFgQUau4t\ndI350D447Gk2mVr8sNAjZd4wCgYIKoZIzj0EAwIDRwAwRAIgAfIOZPY77H5+f/Da\nja/5fBAY6KwKJylcxjNlkZbg5YcCIHgudYDEFzwCv63FpzxHnrZKoDUlLii1Urgr\n1cnumvH9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUU8zKGE02Z6pEJhvosm0iZ9hLFhUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJfqzwiJWsLoN5HmqH5d3WVkAJfKBM34lszngEJZVFSF\naWASrRw7hECFPJBOw0Oh07cd9K521DFU4WMSmr+aQx6jcjBwMB0GA1UdDgQWBBRu\n0g1+/k/xFixaVIK1gxie9nUmWDAfBgNVHSMEGDAWgBRVMp7gLvR/FTg9J793XNpG\nZF1stjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEArZ0ZxnF+ktZbymXCs2+qa8PEapPAXTJk\n3u1kl0/ZIKACIQDkB0r+RnWYS5gaSnLv3tXe3cWVIDvYx3WvjWpZbb6Fxw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUbE1YWq6NVVlQ+vOsmTVTnrCJBlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM2u/g6XwxOap1Alg7U+4s0jpP2BW20R9/7VEA+nl9b0\nVKjdgvHfkbdHZ1ypy6crk0GhCuyxP55ZLsX+C6mk/p2jgYgwgYUwHQYDVR0OBBYE\nFDqkjfTu5/Yp1YiRhUggG1ilH1LEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUau4t\ndI350D447Gk2mVr8sNAjZd4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDE\nD3irsTXKbMkNaY5nDVcM8hBXnybu4o0LoWxiFNh6qgIhAPvaIITKbl5AeA8V9Cyj\nCskH3tDtWh0e3ywrEGPtjvvZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOp4lH2ap9Qiz+ye3MXpAqrvkwaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARevT2FSAHZvoaNtCmAOaV4C8caaviZtSIQyXDy\nmIh6jtbfp4KAM7IeRDevcgAJxxW+ezHFcPiFN8mDU/uBsC4yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIn2dzDjpW0JLsDOePVSUu7pfEWQwCgYIKoZIzj0EAwIDRwAwRAIg\nftT7pCClmIXr4ZIlzzxkce1XV3h51j/rP9EZpWFRFyECID2c3MREYN0y8sAPFRfw\njDC68th0/Hz+YzVd+/IApxfG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGqWxD56dcGX4qVE1VTzc9cELz+QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4MjEZFwLr8Rxy22IZBmXBKzn22a3D9beGwAQZ\nXPO87TZ9kVBmJadsh3dQlurTqYBj6bo7FjmNOxIJWk0vaY0ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUql5WWcyYuDuoizcZmyV1kMVdpI0wCgYIKoZIzj0EAwIDSQAwRgIh\nAL/4gYIh5Bjlyu2I2lvOdBmVVRsCBAAC6AcXHBtf1kmLAiEA3mgcD6zNZv6+kD/S\ntym0xc5rYPOIwcOKK43YjGwG1oE=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUQ17Nac8EEVFvG8MBN2GSpYNORuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPFuGm3dWTatmdV7FoFJf4dk5CHep4ji7MhNXw4Bh1zu\n9qOFKwTk/0GU7udK+ayU+T7ESN91XmF4sIvo5HqkoZijcjBwMB0GA1UdDgQWBBSw\n2EgHhXWIISwyyjb5/jnYWvv1CTAfBgNVHSMEGDAWgBQifZ3MOOlbQkuwM549VJS7\nul8RZDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA3SlWK+t/1L6cxdmZXeyA1zfpevYTlsRI\n4wSew9DI0wsCIESnNMYHL/X60rM895JqD1NycLGpFqU+xKNRH/7tO9fh\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUM/PVwFVuP97kbJmMAz086249wnswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIG+xbPsHufuCbSU1HTLECJuF6LxDLvDKiLOH4QCrZ3N\nFye4CRHKGtV0PFVw5jeHLP1sfFMByce/EJQx6q25e3ujgYgwgYUwHQYDVR0OBBYE\nFDzHJFf4x0PtO+kl9UVTxI0p2Rj7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUql5W\nWcyYuDuoizcZmyV1kMVdpI0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCE\nw8DBxrHoO6vznPo8H/OnNOsu45qHa2vU0v4P+RZYVQIhALXc1+BLfbDauTgTaAbH\nEm1Ir9vbo0aiwXrSoLGoeio7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUMAxM3xB1pdIbQTaUnh6R1/k5XjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3MTIxNDMxMjk2NjQxMTk5NTU0NTYz\nOTU4MDI5OTkzODA1OTExNzA1MDcxMzAwODcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPEbKATE+VDiWAyPBtjpxK7yvahlxyE2j6PWpCK2QgLtcZl+MdjIOSgWX5zklwO6\nXgukj0lKrRG06238IdwZuk+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ8y9StYHdX\nqDUJLzptBlpDjE+kUzAKBggqhkjOPQQDAgNHADBEAiBCNH6m0hltW5rjPl/Bsa9h\npbyLlu1QwEV9MGzcwzD7eAIgIkcTCfXBP7ewhmBXyue4p1UUCwaenDVBDk01yW+P\n7Dc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUFRNNOWH1MByUHfJZ1+p+xC3KU8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMjEzMzA1NjIyNDY0MjczODcwNTQ0\nMDg1NTI1NTc0Mjc4MDg5MDY5MTgxMjc3MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBB5JOqOR+s4Qnns7zF44syS1MXz2L8blBSJCuJKXk5N1o2s2SBpTeYCH+qbjygj\nhitCymlw+tp4YYcKjGWQdLKjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRBJmb8gl/p\nmoV4WZCZviQ3gPbJyDAKBggqhkjOPQQDAgNIADBFAiEAr0A8xEtZ+Syzk4I5GoeN\n4e70YaYzQV72zxCIk52XKbECICJ4eRR1gg881PeB9C159+tHuajHWRlyI19wUMPK\n+PK3\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZmgAwIBAgIUb3t0fyvtdlCRU2QpwZqPbu/WX6UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEyMTQzMTI5NjY0MTE5OTU1NDU2Mzk1ODAyOTk5MzgwNTkx\nMTcwNTA3MTMwMDg3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC7+X\n1IWZVfVBx7HGXOdQPDdVHWylu16BVq4d9xx+PaLiwm0nEmHlEXs6xOsgNyq9XkSV\nsCtAwSpXU95om6YqHKNyMHAwHQYDVR0OBBYEFM7L2lKoCX8jeRAz51wPuRdr+bpZ\nMB8GA1UdIwQYMBaAFDzL1K1gd1eoNQkvOm0GWkOMT6RTMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDw1qEXtPNCVdGIdmM0cCuDjHUonjmtohjEqpkJgvih8AIhANRzq0eoCxi6\nZMyCMpVz+ey0goZwzHAr3k2K2PA9Rfup\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUCY4F/3J+HrbRl5ihU4vUzi8IxoAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIxMzMwNTYyMjQ2NDI3Mzg3MDU0NDA4NTUyNTU3NDI3ODA4\nOTA2OTE4MTI3NzAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvoZl\nHe6KkM9nkl5Tw2w4FQ/eMUd7NC/Zb5/AMOCh1zXhbnUJLUeDjUrWRM44Rzl4Yqwq\nPrQNgaBKizDQDcJzSKOBiDCBhTAdBgNVHQ4EFgQUvsT4HNVXRSjJX8p0dhp+S4B7\ne9QwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRBJmb8gl/pmoV4WZCZviQ3gPbJyDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIs6oz+DUT8SmCh7/cdxMzwd3cUbD\n2cQulejsM3DWk5kCIQDPB66/MgdfqCMu9sHIo4ux2GYADsQQUDC03L59Q7BLNQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURagk4nkPmgAuYdl2+LGEjMfPa8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0mwX1qMKj4s+arl8mA3KbfIw7zUxh2Pn0kAAB\nQkUa8eRr63wFDXrPjw+7OJPSnVGqhQquxeSngODQB7t3sMzCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0mbU33OcQ24yNni/GHWag3zLthkwCgYIKoZIzj0EAwIDSAAwRQIh\nAMnsgE2yOKEO3yxkdpp3Mx0YDx6DQJYNQREDTF8GihPzAiAW2h1yOvhb3vjHxaZy\nEa2yo6Kf9iDk3mzmEW5S1m3x6g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYNp/Z0NowestF5z7QVr4inOJWLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv4DJ0/0ycbw8V6nS5aRfOhlefCpDGcNv/Bu2G\nf0tM9zmuUteDz3+7tmX1eEysX0C6KI2F/ewZ7201dFsxu0KOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrl//FLMSdTNTkKXeYagAqHjSVf4wCgYIKoZIzj0EAwIDRwAwRAIg\nINfi7u7SGrwPlUAD98h2R/kA5J8HLHptpnfw2OQYz84CIBk9fGss+UNlW/hw3MT2\nlD7PmV1awTJ2nMcg6gRyqq35\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUc+of630Lr2VaO07cxvBiGWf9cbMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTc2NzAxMDE0ODcyMjQxMzQ4MDkx\nMjMzNTgwMTgzOTAxNzg0ODAxNDQ3MzkyNjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDkefBWk+wHh/DMycUrchzoPzlEYz0wAuNW0j2vtJir1skzg6ZiHjX6fmLYcrA0R\nxHhv6IGw8R5j96/3GHv4lcyjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRfpUGThv6h\nO9EVFq/d5NswjIORNTAKBggqhkjOPQQDAgNIADBFAiAqfD2pCJPhlOBJeaIZ3BZm\netpRZj71PD0HjH81Ou9vmAIhAMmD/RhacYsGyffZCfhujXtwIu2QffVoAi19+4TM\ncWQp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIULaWGJi13w73d3buAj71O2/ifTZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NTI5MzU3NzQ4NTEzNjc2MDQzMDc3\nMjY1MTAwNTcxMjMzNjc2MjIxMjQ1OTEyOTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNWDBx6KQoxu1HlrDZy1UkUWeOrW6y4bCNQJVo/jbf9KiWJ6Lk4APcGuCHLwX5Bd\nvJYa+U0Z7MBcCzJ+zmxDPdejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSP7VzwmzFf\n7JNN3yD6dqbsPOx8SzAKBggqhkjOPQQDAgNJADBGAiEA7hlITJ9GuH8lK3rqgzJo\nNONggPitKpB6ma7E1jcM5e4CIQDuV3oGLLjG8MigEaaxgkinXafndewBhzOfs9Xe\nzBA4cg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUZuKRmmDcNMC2O8eoDRbFeDj1/SUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk3NjcwMTAxNDg3MjI0MTM0ODA5MTIzMzU4MDE4MzkwMTc4\nNDgwMTQ0NzM5MjY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK9s7\nmUBe0osPS8OBZuEqbSTgT6i1yGTFCVzPX+pmHd563BUOeMI6OcozbPnUJ7gsd7r1\nnNjB1XT92YFNl4K7TqNyMHAwHQYDVR0OBBYEFAPZEn9XC0GnbI1dZh8kNqkUx93Q\nMB8GA1UdIwQYMBaAFF+lQZOG/qE70RUWr93k2zCMg5E1MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCID0+WTw+lb8ZcCuMJQMEKN851rgzVTSjZ1ib1LRXLMmbAiEAw1fl1tC3gy/G\nrDkF4aGNERcj344JwsC5Ph7qfLYUXDA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUadcwWPQP9khqyxfDLUPpFcMI4Z0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTUyOTM1Nzc0ODUxMzY3NjA0MzA3NzI2NTEwMDU3MTIzMzY3\nNjIyMTI0NTkxMjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr9EP\nbMhnCusxaPIMwAwwUdVKflJs3Pp+FwDqIv0UX3rX57GmsLnI50cgn6RbsHwzyBkm\nNkeINM6Y6riHNA+N0qOBiDCBhTAdBgNVHQ4EFgQUQiHWOeZrzlAeP9cpWiM9/DYZ\nk0wwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSP7VzwmzFf7JNN3yD6dqbsPOx8SzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJGBCVkIwQDJ3/ll3H1QrVBxeVsS\nCwXwKIczZTUGLkSVAiEAu1o/AM6QagWKzB0gTqECTEf4LgWNjPbp8kMaCUC3CUk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUd8etNa/6QNfB11PSOuE5NElrtNQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnqxWy3NoKghgE6ZmjlxTZQsjn5LAP3NKzvcKI\nqkhY5mpAnRtDQ2alNZFyzCcwhvYsaUC1Xe6dGAJ8OKuy8Zzro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkTemwqjSELhL68Fotxg+GWD43qgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMUKVRNI+aIDEKOOVeh0I7wKy+MFqq/PMOyYhrwGf6v5AiAGunIEac4xCA6tiF5w\n0q+VsqmpHSq22KnT2xw5tTrOvQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCITSUJh9S+ExQysz05vwLM/e73MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxQdv2UxKo820FrAAsT47vd3Ke+Tob2wpM0i5t\nJhUbjOJSXkcQgyFPmfBUJKLhw4wYVA5ytgdJGONa7B7gl7Pyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCtZI1IcFgAY3OxKMwBCPzGeDwhYwCgYIKoZIzj0EAwIDSAAwRQIh\nANz1gZq8K5WFDEDatkayq0c+BV97Z3phSMmKP1Pcpsn0AiAqpJzl7icQjQG1eiwW\nNJlJIvVlei38myyuNQ7yylRaww==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBhjCCASugAwIBAgIUBOimXId4LVSj2GUjSqjTHT6eUa0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEcmQ9rfrdB4PvnQLfK076RZn3GEQqUkdL07yAY5kpB5\nw3Es5VjoKcP1OKARWMMrH/3b5vpTV9wjKnzXmsjvBlKjUTBPMB0GA1UdDgQWBBQ4\nxN3CAKz4CYPvWk8FGKQ8wjWBVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNV\nHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6LGffMgcwqCR\ne1PXeVop3SaiBi5HQQQt+wRZVpQBZ8wCIQCv/YmGskc9vkJPiogf9fX8Yn7hXjGR\nso5K7F9AWzRKPw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUYYjIUxJQPYhsgqcnQESCpUTQQowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2FrBjBuJ8s/9CqVUhNDmTSlXFFp7ITZYrnlQLuv72t\ny9UG92SB79J0vGJE6CTJviSuH8vfSeWFNf6GLRDecfijZjBkMB0GA1UdDgQWBBR3\nHX/MhjF9kBLYyFFjMTR8+rgx1DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiArX7mwfrd6tu8+Qnvi/QVw81CrXiOXUak2HHZL+f3xYgIhANJX\n86ahM7DzaN1soezVk16BqFU7V7cOldxbiSpy9Pz3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUdn4GK75xN1yFfUp/1DJPuY1ZlbgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHkMJx3RadrjJgwRhYE3wMc/m+KlelrccyQkFR\n+64RAkkK2gLCllZOZHkAUxXyi36BAIccnrbVDyZwlPPYkWlYo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUKl4D0+AaR6RFjl+3XoMwZAD5mDAwCgYIKoZIzj0EAwIDSAAw\nRQIgeMv5vGRdA6PT70cpvOLbvutCotIsSgJIS7l9VQ40v3ACIQCZcbL7cDJJll7g\nzOGVLmk79KphmmF51lI/dprdmoev5g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUBBVZSkLaXKumTr4sFZ7hmGp3B/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxwU/9129V8ges+ZetUZ6aUGakEhgEoymGzAXg\nPSB+pGp5ufl+oa5ZoOM/aKh1n7rL2ZDLVlfhno4e7D8LsJvEo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUf+OrB/ydwTnGiqorwXQKShSYetUwCgYIKoZIzj0EAwIDSAAw\nRQIgRhDBKJmbF80nfh6GQNy7EcTA81q7sP6tot/uBkymQmkCIQC3C3aDrRlOilNH\nh0CvhYEwNPEJJ9oH0/fOGwrdluyAEQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUEYR7NXA5ZneDQYptmiDk6ODnEsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMwadEpVeKYvmOyjb5cWKp16LSrvYmTbU9BRz5DXZD9v\njbr250qxhSvnADoMNVSepQTCDQyAbHfagN1UOocHD0SjcjBwMB0GA1UdDgQWBBQ0\nIJY2hYNAW0mP1dJcKoNtYGFnZDAfBgNVHSMEGDAWgBRwmIF/TXJtyMuvfMC3STBf\nfOB9KDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiALwVk62N0nwXaFn2VoI4ov/jshAX71+2S+\n8ga1nBefNgIhALoroS/+zaI99XBjmvtLFyzOIY60398JmvdYOipriEeu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUTE0jKTtOv9sh3exb4AtEDcqPHLAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMOHcFLVfBTNvzh2nVf08Sj4Rclzoeb++Nu8LIwYmodA\nCYwVVtqHllQ9DfYWjEDQnpsoKAXPvjUko8aC8widTLKjgYgwgYUwHQYDVR0OBBYE\nFD2hyQAshIhcz0dpkwyHRvjx4yC9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU/Npu\nz1oClyZkNYlbZnWrloj8pUgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDd\npvPYiKAIStiYusAtVgZcPcNiBcg7bJQDVEXFkQsDwQIhAIZuZibJSHNgNc7I5sHp\nfJNue/HQ+/bRUv3ui7K/DPsO\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUHMF1aLv/qCJDmR4fte+61/Z6w2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYyD7cWYUhPjxDe+zdrmG+OCTvG10Up7E1syQf\n45dQZgNqvN0hlI62bpZdPIKFyCeTmJRSvO/ypoLT0bTw0IRRozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA4CL3OUAeo26jZxTmVZVshprp67NNDm2IiQBfXkbY\nycoCIQCqufYDJtWQSr71NK81wugGp1eyEgTkQEvR3qDezrddvA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUemk2MsZ6Q9XUgvK96xh5fTeg60UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXQQ1dg7A93sEpXS1zq1ieblHhUXm2/0uPVMXV\nmP2AgoDxlTH1RM7Q2/U3JAANWr4dpMnLxfjsLokqyA24T78WozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBWtMTLW9yX6U8oP4XbU1fA2tHL/ZdoMZm22ZKmUCuG\nrQIhAIGvnKpILI1d36JB6ZiPeKU4dAshIF6WvMPtZC2StBe7\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUR1yi9+jHCdLEPwEOFwjsOL21a8EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2T+nPvzMJXafNAfqqCidWEZoDx3v2cwt55GXY0JVRE\nS5OMHZRXxnMmlORpmK3h9iM1eTloEjkhIRFfRTb25k6jcjBwMB0GA1UdDgQWBBQu\n0nATs0EQVWVXY3TpvwWGNpUldjAfBgNVHSMEGDAWgBQYZ+9pM9lI6GqcWhv2ZwN8\nRl9bJTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBOpXsIgNUxjB1Ig8PNVUtL1UIdtMszHxF6\nr60KdwI6MAIhAMSVgrDWgWpVX1fw/9Vc2v58oKTrR/HyC4RE9agGL6h/\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUdejHdO1f4Ko+9ek/K6HOPwe90kMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZScR2fbGslhaDmM5WZ8hTlhpOy1Co/7o2tp7ScjIJc\nQOxzKP//6QT9Vzosfki01F0ZJ3vTSB6e/f76YkOFFeajgYgwgYUwHQYDVR0OBBYE\nFA1wPtWHxr38SqgVk31RHPV8/JVOMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUv2bd\neVMkqm9n4lfbuFBg8X+EdW8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDQ2\nkPRoqmvUs8pgdaWuUl722C5uIWQqeQWRfoJGrjT9AiBSI9qvfAHC+SANLP9XyvmY\n2bNAeq4fl5dX5p7gDMsE+Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDjCSuZyU9z9Y1vRkC7bJJEydk88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgWAyhUOiTwkBB45lBA0Oft99k6DC03toH+2y8\nu5FuIp08NCSa8QAvMsPYzRueBESR3m+Ahy793pMikT47ciwyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa5pcCl0B7XPeIRf8OBgO8OVV8AwwCgYIKoZIzj0EAwIDSAAwRQIg\nRPyLm2EaHQgS0vDvMmHOXPq9EVih4JUIR/l7JbVMh8ICIQC6YzRlQSMpqmQ7aUHU\nMBI52otHWgfAFNlXMNCM/NLKBA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUN9aUJWo/HeWegnQkByUq0v7a+CYwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs67hqIdxwz/OQgabZ3rPhsqXo3VqV+zC\nIeU9+2Y8neLellOMQq+rMUWJpHRaEreAWROlyN0JZpQsTlMadBP2hKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFK77/b0ZiIYBNClz0c4DpcrCQh6sMAoGCCqGSM49BAMCA0kA\nMEYCIQCZinmNQfZVGQNnEGmreMLiYbU4+vjA/S6Q+NTVVyUigwIhALkQVp8RMecI\nm0MzrBO/cjCORUxTcG+IUonEu/0hq3+3\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA4DMRLkpS5cKS4b5ihdSCiQ+7o8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASi5vF3WIcmCwu2xMxCzmf5Vyb8beSHIYyNJyCL\nSgqhEeE5WPr6PLfmojSMsguQFQDhKdc6CfIkjyY7kVd9I6ERo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpBHGDctKUQjXrix8Gy+Q0iTSowgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMZkJv+Mcj/HXWrn1VS+Sqreo9UvBAFeT9AqZ54W1v9rAiB3GDvzQK7kXjsprOl7\nx70QzH7TPbaeGYUVZoLeZHX+sg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUQ7KvkYpQwIxL9J/4pTfhZtNjKfowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzfT55CWIF0faE+dUPzeEeOZy3Oc8otxh\nlAiVkNdAwyjSNQQWCOP/moAZU+EL3rndfMerm3JCB3V6/vFURYYVoqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDS6j9BmxhuPzjgaBLIGQT+ta+WMMAoGCCqGSM49BAMCA0gA\nMEUCIQD1rejUoVrVQv7TtE0+TRW6v393bEEgYi0/59DOkh+y2AIgKw6esxrlDcwp\nXOR6NPPDJu7hOgQbT+FQX3OCRayt6uY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUBfJ+neinALTQy2wBjZ1VrNAL+uEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgWAyhUOiTwkBB45lBA0Oft99k6DC03toH+2y8\nu5FuIp08NCSa8QAvMsPYzRueBESR3m+Ahy793pMikT47ciwyo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSu+/29GYiGATQpc9HOA6XKwkIerDAdBgNVHQ4EFgQUa5pc\nCl0B7XPeIRf8OBgO8OVV8AwwCgYIKoZIzj0EAwIDSQAwRgIhAPRTr28gfpJcePvd\n6+ERu6vxRWM5QIMjL0cPbP+/WFjUAiEAofeXR4jU/ypVvRnETcaYQUpMsrBSfmZ9\nWlAZ0goRbwU=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUU87a2NxDxdqEPmALJY48649h6swwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASi5vF3WIcmCwu2xMxCzmf5Vyb8beSHIYyNJyCL\nSgqhEeE5WPr6PLfmojSMsguQFQDhKdc6CfIkjyY7kVd9I6ERo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ0uo/QZsYbj844GgSyBkE/rWvljDAdBgNVHQ4EFgQUpBHG\nDctKUQjXrix8Gy+Q0iTSowgwCgYIKoZIzj0EAwIDRwAwRAIgWDO749KofpFzU+Yw\nwCFXpGWldygjrGb6BHpnht5/QhQCICIFVfeCWNM7C88STFONg00icuyt4yzT4dQu\n9XO4J4UO\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUaH9oNtsjD/5iX/M7Kv7bzDWYrxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn4628dFWR3/I4bMdAvJGdB4aedzqiPDll6r5+fKkd3\n43Y4K8yIujS8m6TKqT2un5Su799TY9iqHZ2kGziMAYejcjBwMB0GA1UdDgQWBBT8\nEGmlTFcr5hIl2ckFhdxStUGNEDAfBgNVHSMEGDAWgBRrmlwKXQHtc94hF/w4GA7w\n5VXwDDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjhzCNqm8/N7Mb86dY6Mp6M9/5LfuiDZn\n/ZMpi26BACwCIQDn1m/E0GQREn9w2hXbKp5b35uEqfbaS86n9HAm4xJkRQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUHQ4ILkh3Nzbarv1mUTxu6RkGouwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABABKQHPEmvfP/8QP6yzZhQoyqgqXu3FY8kCTxnJhlDPZ\nuGAWuSpHNunsmCVgUhqs+rC1X8DD2PR7qbuYt0G7bVWjgYgwgYUwHQYDVR0OBBYE\nFCo7I8BJuofvuxsCVeu9FaUL/KfhMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpBHG\nDctKUQjXrix8Gy+Q0iTSowgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBki\nedz928jlFBh6jMIMze85zAW7O0SdDluXwJ1f1ThRAiA4R67nnP9EGf4+Eg4sadEA\nf/pGTgqy15xmW4cP803UPg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIULiq0kgsGuNhWyO5yVUUmx1U+vLIwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI0xphL6BA9d\n1FyWFyX1K2A5k0RkL7FCcZSWtxkwaKMlzp79d5oP323vMr4JGz3Ns+MejT8MmZzg\nH5hqPYUkxpWjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSij5lTS7CYPDN5ipnZIEkHcsjq\n5jAKBggqhkjOPQQDAgNIADBFAiBfmh6RTar+jYg2d+K3wiwb37MVWW20zB7AFVzX\njqhWcgIhAKJkcSZyaRQDM8+pheXRWLdf5EhAePWPjaQU4oiV0Zqz\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUI01JU8Hdf5NfyailWL8BWKpxiK0wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOsFlew/uq/M\nj236giz3o1sH5xbbY39QRWkM0s/LPrPwWRx6KGsmlbpnuyBKDA8vrfdRJoBeMxva\nBCow/YHnLtujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSPTvK0VEqgJ/leVYCDGgjIZVz1\n4DAKBggqhkjOPQQDAgNJADBGAiEAjZfkwYtpVP4lRJw/ZmVo5UA7R+kRFb2YQ03e\nmB9GG/8CIQCpdNcTsjmNE7WSUu/EOUZgsnc7j8W4RMLnWZXlj0YUEw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJvc/FQ4Eyg46Tj0r9w8z8oudysUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWAQCSTybU9FjZyZ4DlDZ7Zk4gpUZrZAOQo8Qg\n5Dk7UorwnjbFc0H/NEGFWIydq50riuR67FnRhNv+rB+Dn5Ugo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfOUGpzdZwEqNPZwqYstoEk/MaxwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPM5p8SwmE2qBo1HU5sSZ1r09ofxLkxn/WcJb6wGyyCZAiBRXUbGU7ArVLATC6aD\nTmhI2iaMBS3OvI1UVVAyChvDdw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUFDd+WsweVMAG0U8rHmVBpVWGlQgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMjI0NTU0Mjg1OTM5MjA0MzEzNzQ0\nNjcxNDk4MzM0MzI1MTYzNzg5ODc3MTExNzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA+rDjn4en3c+h7fsCzj0Ed60IZZAxbjsadmmyjpD97KcDn7bCp5BWqOO87t8HC9\nLoMqtjlnJAKdKkBbHGPBqEGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHzlBqc3\nWcBKjT2cKmLLaBJPzGscMB0GA1UdDgQWBBRQKg/XRDtsh8no4Y+5vejl5+fbZDAK\nBggqhkjOPQQDAgNHADBEAiBk2T58QEnEPUfpPM/REme4xn1uiUMlvv7+PJQfmDnR\ntgIgaOalregRFyAE16dSYY9ZS9p/YCubDeKMOXzJgslAu9Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZj1SaJX1LeFWEjeIhclUUYfBCvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARiYQRFjktifpxjb4ClFEKzQElw/nTluQVJQopj\nRJlhnLTkZfM7ZPTXLhEf2L28eez27rw1uIUKy2TEPSm7Uf5lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5Z6lzPIG/4rc3TyMCaETcEyEzP0wCgYIKoZIzj0EAwIDSQAwRgIh\nAKzHTOHF2gBd/s/5oNcb8MM3HyXaN7KhFDXnAQ/aCkE2AiEAyaAfAxWXGs37BDAV\niKg73vj29Wyci8Ydo/YNz4XfNlc=\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVaCENK2UjMfJvm0VAn7yB3vwYJwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODM2ODQ1ODI4NzcyODI1NzgyNjQ5\nMzk1MzkzMjQ5ODkwMjYzMTEzMTI4MzczNjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBN62fko004ax2TIlrRxLXvy43kkP5CfrudiG6A3sLh9Dl67oLY5wXRdgt2eHXbhE\nV6UMmiYQG6bB92Vvt2F5KICjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOWepczy\nBv+K3N08jAmhE3BMhMz9MB0GA1UdDgQWBBQjFk9l+jBOo/X/PyFpDDe1ouBacDAK\nBggqhkjOPQQDAgNJADBGAiEAqTJwX0mkpiPzXUje8kTZkwcIzdsfZ2mFcRNFKxQ8\nJj8CIQCj6ZmJ34h+xo/+TE20FEdyM+V1B0ZYzAs00970ZApwgw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB8zCCAZmgAwIBAgIUJ13C4uvK9VetspxHgulJUDo0f8AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjIyNDU1NDI4NTkzOTIwNDMxMzc0NDY3MTQ5ODMzNDMyNTE2\nMzc4OTg3NzExMTczMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhiGt\nVOeyDAuMQcXLlmRZ2vFmcO+hOCTEAGicznuzdSwx6oVNqDsleTYNbFFJE3opK0oi\nTVF47vfS0nKcNgeNaKNyMHAwHQYDVR0OBBYEFBlixUdwnNAHmfVtGEI+mjFIdyBD\nMB8GA1UdIwQYMBaAFFAqD9dEO2yHyejhj7m96OXn59tkMAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCR/amxRByUoTlaawWLgPshNcZJJhjPL16Z2LkB8sW9vwIgBFT4NrDxp8E5\ncVPx+hFj1DsB5ClmVrluIojbxlD6mcQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUFCDJ9VzUMOmygu3d51i9gbcbtagwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgzNjg0NTgyODc3MjgyNTc4MjY0OTM5NTM5MzI0OTg5MDI2\nMzExMzEyODM3MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbd51\nLmYm3lFxsi3fm33CX+Y4cFSJ8DrS52mP9IW00tPGdT32AvEUZPvM3dktCkpYs8sH\nRNL8fmqj9XWy3eyDR6OBiDCBhTAdBgNVHQ4EFgQUPN07mK7zWom+5i5FjvwFwGga\nwS8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQjFk9l+jBOo/X/PyFpDDe1ouBacDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK1LWo9gZ7S3MPB//DRt+YkAAPG2\nfv8wBTh/HE5FFz3cAiB6nPhUaGWNzTzFxzft3hzPnheyEnhodPqy91/3DxpnzA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYHeqTbnfmPykzvfQCHsWKoI1sPYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8sOfGdQUek9PkJYj66wFOJvEL3y/ZPWucXW2G\nwWPt3mvOvtIg8IvU1rbHSjgIwgqQmH6HhXa9aCeV5Z+w/pbjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSaHZ38V2gNZOJSnAF2VWrIBEup4wCgYIKoZIzj0EAwIDSAAwRQIh\nAK43JGh3aey+viz+R/W4BqkAAWtuaHQBHYPNvv2nk1ZuAiBNaElGIw1pMK7fOTGs\nyw97nRLVYz6EmCrDq3q7QjFPLw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTDSjmiUBAsP3YrGlf2FgEfy2BfowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQC7qrlG8Za7KXgQbk2Oo8jMpJQGfBFsyLjkLpr\nWRO/mLeWRoseMU/A43nIdQSEOvR5DjJQoiTxn+THYx93fsJzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1V68rGfe8JSQR8pOuJcip6MVNQYwCgYIKoZIzj0EAwIDSQAwRgIh\nAM82lld5VhUB/2kUcmWcPQAUDta+FfW9ERRe2afY+1cvAiEAoScbSUc/azGUfCe+\ntoaoG5x9Ak+yGVIK0OB/EzrInb4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIURj301nCfG7tzjCSdNlF7CSGu87gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA1NTA3MzE3MzgyMTUxMzI1NTQ5OTY4\nNDEzMzc3NzQyOTE5NTgxMzg1Mjc5MjAzNzQxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPxmhOfzTn6TCyxLVLJ+Fhy1HEPNWpcgurn0jQpalAV1l2y1gc+pWF7VDrn0\nQrebId1arCTukds4sREyzCDYwSOjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEmh2d/FdoDW\nTiUpwBdlVqyARLqeMB0GA1UdDgQWBBQIt1ucgu27io+dnRGMygja8ur59DAKBggq\nhkjOPQQDAgNIADBFAiBBwLGzpWtJTsTRPgOqrytzHi7VVwY4V8jfjZG6ciCu0wIh\nAP0ibOUId3VzZIYCwSbeX9i7FzYm+pVn8inGyRjSOEJk\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUc0SNKGRF1T8wX2LDWytsWApLxN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA0MzUwNTcxODkwODgyMTM0NjMyMjE1\nNzg5OTU4OTYwNDIxOTI4MDY1MjIyNTg5MzgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFUpWaty0rNMaaNboEKEPwDvQoVl66U0HigaV3erIIjbAoRVzSPpbG9jhHZD\nfTDwwe1ebVgGEuPFynZidEQGSkijdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNVevKxn3vCU\nkEfKTriXIqejFTUGMB0GA1UdDgQWBBTUt01qkj20owUKmxpuurmvEIRATDAKBggq\nhkjOPQQDAgNIADBFAiEA3pnwmGPFTzcuEI4zkBUmvAUoLqL1B/6owl6rg1hvirAC\nIGcJQ8RV88OU3tMjNsNFqRRddOkLsSf+YKa6n8T+mdO0\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9zCCAZygAwIBAgIUaqYG3Sayiz3vIGXmmV9EqAWBKNowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTUwNzMxNzM4MjE1MTMyNTU0OTk2ODQxMzM3Nzc0MjkxOTU4\nMTM4NTI3OTIwMzc0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nI+0MVGF7AnpQm2qpbuPJqxYBSrGmtoT2wlyGBcW6FXhGpZjYBS795SYiIFEgZSez\nGp6XldAHi50lwBQhwGWlMaNyMHAwHQYDVR0OBBYEFEbegeiU9ZznFPrOTyoy7y+C\nO2OmMB8GA1UdIwQYMBaAFAi3W5yC7buKj52dEYzKCNry6vn0MAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQDTV5lxvBeQTajps57/0FOO9EwOJhdYk/KVTM/R1exF3wIhAK5deshb\nos9zw6Jzyo8JvARuyPFSCj2vhOB1z0t9FZON\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUIk66ieO1MNi8DPcYSMmi9amxu6AwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDM1MDU3MTg5MDg4MjEzNDYzMjIxNTc4OTk1ODk2MDQyMTky\nODA2NTIyMjU4OTM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nJ3G2rHvc/MSxFD88kIHZzxHA1IPvy81yXx/PnXiqVy9Zkbwds/QT+eNhHZg0S1Y/\nd01oogdRLQejUVESTccBh6OBiDCBhTAdBgNVHQ4EFgQUUsTC7qBQgfHu6K0ZpqR0\nA8rpiRwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTUt01qkj20owUKmxpuurmvEIRA\nTDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKwwb4lKFpxL5VQo7Y635J828\nrO6Yhr+nX9aPgl7KrWUCIQDdp+qA/gbDxrtIBaCOjTrGWXK8+Ye0KeNi8+G4NDfN\n5A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQivwncyAIHkIUVsifpZfFJSydxYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaGibfbX3k8Qx3JY2wILDEvbuy5Cw2LnBmD7kh\n0hC8pkg5SEWi+qYakBvB8iRNy29LQQz8uY2HuZNdh0sBMtAvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCfN0yYW/DcRl3MqsGMstILnkTIcwCgYIKoZIzj0EAwIDSAAwRQIg\nM46X1zxsg69tfPnkhmFbWNK7cOK/fT8LfZjL9cy3GtECIQCjGdodwiGrnL/cGC4v\n655FfNwh9dPwD8JScBbwZ4W7wg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCl+AHE4ygMjDRBHurZcP/ZaBbL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNRBS0j33DZqcMZrWjzo3XS0AOQekRSkn1ioLq\n4rTzuGbW7EScrOSbZaHgcIOXtdH2vlaC8USGe6xv8j0ifWeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjyqzVLT5LuKtTinxQZrOKAiy0pkwCgYIKoZIzj0EAwIDSQAwRgIh\nALnLBA9n09Me9/qzhH/pbl0kPTtjfzzP5r8wFKIJ1PALAiEA7wY6RAHIqA+eUPVT\nJw53bzN0a+Cb6J6/tYNwceoWOzI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB9jCCAZygAwIBAgIUVtfPppkyAlKF8QLYnLkB5+6Q4IwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzc3NzczMjgzNTYyNjkzMjM4MjA1MzExOTk1ODM1OTcxODk2\nOTI4NTg1ODA3NjM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nB+6DD40xRjW45a2guYoDV+6vZkEhxHe4JocryNpXOiRDD/ZvzBF22hba/6N4atCC\n1LBRviiMp9RhpQBShyW8/aNyMHAwHQYDVR0OBBYEFFpawAB7ifzBtCAfSk0KD+MY\njpELMB8GA1UdIwQYMBaAFCypmERWOvzOFuWhsLCnlYDrhwEfMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQCG2Uk5aMR5NwOFenFAfmLulCnxM1xUuAbV3Jjpao49QAIgIKkbpi30\nh5tr0MYUrH04vAvNez6h0Cz03JJFuNYJmyk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDDCCAbKgAwIBAgIUSnxBWZQcx/zyk8UFsX5y6N8YSaUwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNTkyMTk2Mzg1MDY1NDYzNTQxMDcyNjg4OTUxMzYwNzE4NTcx\nMjc4NDg3NjY2NTUxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8\nnZ5N8eYBoIEzFY548SPmK01r00VMtlhzjI7LOR28WJjSZGQM2ekXiD0VmTHjc0G5\n4coIqcH9p4OanB4VGKSbo4GIMIGFMB0GA1UdDgQWBBTe/qJugpbvNOKnUPuVwKHi\npTgb1DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFLaKkIo8O1tkyoPk2Q5bQOUETdyB\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAHQZKEKWhzuZ+R7laf8gmRTAG0\nMTx9r6YAUYZVRizobwIhAKx7yc0ljeKZDUnIC54YCIT1/hUcxU9oBAkRZtRGgTWb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUZR4thzFDetIlf+E+bGGtM9EcJq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4OR7OsIx4VOgA94psEc4R9G4oEvrRtdgeWumG\nzKVIw9SV/jNYO3QztC9P1Guea5R/UE5KOzXo5SW6Ind4UCuIo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFPTcYGTVEgg7\nROmpFPOCmfm7lYjNMAoGCCqGSM49BAMCA0gAMEUCIBM5N12bZOhIJlajoAG/4lKj\nXduEM3qstEpM/BxiTnIVAiEA9QR36ZF1X3j+yjI7DZJwhRQTXHvuddUef5c7Wiuz\nLe4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUbjZHXx6MGrYFPWqpkjgbjkWWoHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATF9oSWiOShmrI7Ycy2CQWkF7FHVmjoLyeMn3TM\nwUKfOy3GBTYTZls+23umtyIiMI4lQmNv0Q/mDmYInmqIBkj2o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFD3UkfF+O4op\n5/2D5VRVMEyS2HwdMAoGCCqGSM49BAMCA0gAMEUCIGDCoCf+CDRzIJGIzuByfQKp\nCAeGpJ+aRGpg+81QhVLnAiEAw5ukEUUiFrdw/NH7uTCRBeUWYm3vmAHNA9d9PDCM\n0zg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUB9pI9AaYpk7oIfkwIgDYIlOa4SUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLHK3aErdn9fcAMQJQbhu3AN21xF68uOAkZWgW+YRVcZ\nrb2T7n59gaEYlKJeAvi1/akI5xplmvtI6Ya5wfpLGFOjcjBwMB0GA1UdDgQWBBTW\nV9yLmwxC+uTZr6YOBw8D07EJ9DAfBgNVHSMEGDAWgBT03GBk1RIIO0TpqRTzgpn5\nu5WIzTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjWKDHkq+NeHusBO+VQim/ALR9UB8ZN/T\nu3fy/T7FWjYCIQDFM6dV7Lc4PO8yKidteQTlIezJCHAX8xemy+c2qmt6yQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMvRGHDx8ikTtrNWrXJjsZzFBREAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEUaymwGqTIzmW2LuL+xdodyS7FuMpeEl3/rZF5X61W4\nGO4MSpJM7EIMUY8WblqXTDa9H+lKnIXBdm0DtvXXiTijgYgwgYUwHQYDVR0OBBYE\nFOcEEC8r1ZIR4Jh6yRtgLA9T9WNcMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPdSR\n8X47iinn/YPlVFUwTJLYfB0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDq\nfoBwStPB8mADQceh7FM5vkZ3SE4UujdkaAnqGO8rbQIhAPPlJ9lpfBApB2jpKkZU\nTdls0glg6hSPkUg/bH3PnS4l\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUY96tg83gQLkjs8deilc/ibsJyVowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8ZZfBCb4DVcCa8zz493tHobtQKPwUYcUl8XVw\nACWXzuYRD09OEygnqzcwXgtAaAA22OjZRugfzvLqXoIZuaJgo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUhrP8IgHirWmzVFMCd0v/s5uOclAwCgYIKoZIzj0EAwIDSQAwRgIhAKig\noPs7nRWATF/gTobYRX7mnoRP+wX5EGg51+cSNpF/AiEAiGpMTru46XjEKCNgr3ip\nQXuUEBSb7mo+hyoKq/t9wnc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUFva5MCdnHTaK4+bNU9UXRCYesUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYHvfnJ8GTwNGHq4PRgdcFDZ3X7qYOOyMnTerS\ndFbIhFeDmCfKVF1eZr7bB14Ru7cmn6zlLyEEiZr0w74bqTx4o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUwe/r6/Ub5jkkQzczoD9ZpXoIoOwwCgYIKoZIzj0EAwIDSAAwRQIhAIWD\nxNz8kGMxVMQnkQ93Fw2miyNTIgkwIJQizXhDKiuZAiBGwqFIjtrzcZ2sHCwvJrji\nDY0KyuptMUeyujXocRB23w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIULh6nyRpOtwW66UAD4wOGGZrbFhwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPAzBM+a4muwG2C3mcsQ0eCgNne2LJpCqnpfb22AoAAJ\nUDIceqiBdncL2OYdZqAmUVXi6ZOVuq14w2Sj0D4FbByjcjBwMB0GA1UdDgQWBBSO\nFB2mgf/QCZnlthShTmtVS2PJBTAfBgNVHSMEGDAWgBSGs/wiAeKtabNUUwJ3S/+z\nm45yUDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAms8mZxHT4rCN/jfyzQfNjA23mxY7vmDgo\nUc4cgom22QIgb4CUiGxLq39iGDMYmugUjCyDEuwTOLqDQ91D6/h8c/I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUbYQu6MU20C0QJnn+zTw1rHvN5DQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKCPPGvFQUAqfqYnJZL8mF+yByECAF8LB3u65XZ61F2\nXU6n6Ev1y6PpXpcTVlXVLnlEdKNSZqu0aGz44xRkrKujgYgwgYUwHQYDVR0OBBYE\nFICCvWqeEMgsSH2dVZUnap0EIFa+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUwe/r\n6/Ub5jkkQzczoD9ZpXoIoOwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDS\nFj6KoQsDel6nQg0X7FJ+nQWrym+eyu69x6a2WZjbnwIgIdji968oJoVtEB1e66cW\nxYOtgqqAPK5QzXIo+cGjfPM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUI3rcDAODF6u6RYKb2qbCept7/NEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDGmk/LpeDx182Cx+H5x5KaiIR7dS6U6I06hP7\nsCTwfB+Nu8xshCu6ku1I6ROyRRJm0Tr5TajOoM4W6qhpUoMho1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRwpD1YNhAj0babxCbx3jy+zyyMKTAKBggqhkjOPQQDAgNHADBEAiAZ\nLNMLAMTR1RTkm/5Ifu0Pa5f3Q7UGQwL4XuhinCTKjQIgJHiT0A9qQRKoNmENjPqK\n+yrOSDWEkYF+2MyvQxC4uhA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUfDO5IkNbmb5iUGOMMlDdubbJd94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8JK4gGHZNgGjRNVnqdy3LJQA7OgABY8tvItvS\nhEEsjmQ2rJytMbgOfOFRxplIgtImUxXUQhSEQG+aAXieZC1Uo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRwRHxbdjCoZbgLwLn3M2ooghadkjAKBggqhkjOPQQDAgNIADBFAiB3\nU/01hy4JjpLGH9fZPHcZ+mecNu4rDUCJ/SZyCPCBwwIhAIVR93+R/vvPXNfkdCz+\nubqwLQyEmz0xyrueJQNTzckC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUFJRQ106n1qSKg5/mVrRbgq28BAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCk6urTSDAleLoS9ZW9wyzYYEc2XVVImyQuDOWxq82p0\nrBrdRMtAWJ4XfxWMjIUvn6vO0cXAnvEA9EnkU5eXZcWjcjBwMB0GA1UdDgQWBBQP\nTanF7YaDUVt+a3Mt85yfvJmqgDAfBgNVHSMEGDAWgBRwpD1YNhAj0babxCbx3jy+\nzyyMKTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA5hGFouAIM839hrIY5aOwfV5q04ts0fUg\nWMyhvy/SgpoCIQCK35Uxf7MbpGO+qy+2nC6QP6qwA+RVTh32lg2dJTzKxg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUOZKbkn0qBJrqwDbcVh3Nt+k4atcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOXASFJpm/tzTlkOGH/iQfnAfeiIpEvVuXLLrPgA5Ckt\nwjmvbPukbNb4gKrH56/pIMlVg0BHqSk6z085zToQiuajgYgwgYUwHQYDVR0OBBYE\nFOMkK0dx8ppuPCPMHNP58iRU2VPlMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcER8\nW3YwqGW4C8C59zNqKIIWnZIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAru\nwSr8dvYnYSO/d9/5E3SB4qma/cBbxOk0KddoNbJZAiEA2Ty3BWmd5V55nc+47yKQ\n9BWHdk3hEbuob5ieE05tir0=\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCNN0PNBboD5FRjj9l9qijb3xcqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYvURMBLCnYcdMqTeO/2E631e9ng22xMYAwEQJ\nAuz843qyyOrMZhUKLFxLbEm59IcMNJSxzVN+WUrFO1686pTGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ5KOf0CK4qD37r5ae7iArebMHSAwCgYIKoZIzj0EAwIDSQAwRgIh\nAPOaYWqQ72ppghqKr2guIlg/FsSzifw94ZnLGcRRbOz6AiEA6i5EO3wIXLWQ+doJ\ng5CT+4UxJXE7Uc1hOtqQVOz39A4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTwAjoC676LWOdcvMLPjeKDouf0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGErgz9Vh4P1zYjwx0xWZ0STDJw5+3YUIy1CkP\n6XAXT9y52qd3z0FIx0bVK1x9OLvqIA93f1iv8hDwhvthDCcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqB0ahly0Ngz+0ZSwGX1kcFM6u6owCgYIKoZIzj0EAwIDRwAwRAIg\ncqsv/0hS3jGx8hRDyh+X//O5lM22TTFVgqPEXwC/isoCIEM28dPCaEZn6UnnlNhm\nCR84+ET5N6497Ena0XyIPYo0\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB8zCCAZigAwIBAgIUWMgJ2UqlvKh+ujpi7dPe9WtGNYcwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTAzODc1MDkxMjI1NDU5NDkzNzgxNTkxOTQzOTgxMTM2NTY1\nMDgzMDk5MjY1NjYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlChMU\nMYZUe1utt8c2UXKt3BtF3K3FoN+wyGA1nFws+GU4pk684+Wdt3dVKt9avXd6OYRQ\n428P1nOy/KY32aubo3IwcDAdBgNVHQ4EFgQU7SJycV9SH4DP4xb+yGLXqk8hRa4w\nHwYDVR0jBBgwFoAUdofftuGMn3ck6j24sduex8Rqh0EwCQYDVR0TBAIwADALBgNV\nHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAIe3G18wPjpBva0QjDDihSD3g/fNzHSrIe4VIgT3C3W+AiEAjlxdwigrSNZr\n4T0XdugGgPqK1eT+GybkTwLos86vMWs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUWalxXz8wn1BNeiABvqyR2lGOdw0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUxMDEzMzc0MzMyMzg5ODA4NTk1MjcyMDM1NjM0MjUyMzM3\nNzQ2NTg1NDg1MTMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0kja\nwubADNW4rbctwFWJjIH+npKxacosbtMUrMdzb2yamgogs/Yn5kaKpaxgLb9zHn6h\nxKbfA/rX1CT9WLP7saOBiDCBhTAdBgNVHQ4EFgQUj7HydPEV1/zJY9d6HcX0WrgR\nDuQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQbSb1vjEx9AgaPGdyssVK8pPl+RjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ4wLpaRK7K3btWNb7TjL/5nAXZR\n/N3jR13Mz+66R2ZiAiEA02tDdy4wbWtUtGvh0yJ87OPnCl3LfDawAeKNjjKbsaI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXiEDJDk3CHKcvlJfvbboLVaRML8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6jGON6pDa02j/QcPqW9ufCsqgi8o9ykHQGXIb\n96D4A0EF5ZfVtnLg5nizfd1pKs4hWHQpLINjAiDkFmX8WNwIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKfD5OISP+pJxzJwoHL/1fMlJ/Z4wCgYIKoZIzj0EAwIDSAAwRQIh\nAN3aZlEm4E62Zwc3iqmTBZmsAs7A/yPqoTLrQ8ddcZaoAiADPg3c6CyTh/FsPbzm\nb6n5qhOWEeCw5DOADDzeSNeQBQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBQKo5danyDcUxlsRT8FhnS7CKMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxmg2aoYDEj+/Dlz9Hua0aCHQbtFTIWpZKWvFK\nkET91TlaZBXISU8pOvOzQNrEJMy2VKwu8u6ALDCy+eQIi1wEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUMU8iu29I3RbhAbORiPFGspQj/IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKyPOQYLwB8+Ymu/7+nxNwjoAhTNdrOU+90ev9nsb0hlAiEAtH4LB2kSpvWDfY8x\nhBOwylu4JsSsXYYcB0UQOlF2uf0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUTxIrhleJa5ubpzvMaoepk6oWFDIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIB0UUfk+iUHvH+cfzScI5BNuH535KI2vYNl9pnuqTy6\naOsLr2oIJjnHZpgHoiGp8N5aS2xnvD+AWelMjEvkGLujcjBwMB0GA1UdDgQWBBRD\n7ddxQknL5ayFQziRyDHy2PYxhjAfBgNVHSMEGDAWgBQp8Pk4hI/6knHMnCgcv/V8\nyUn9njAJBgNVHRMEAjAAMAsGA1UdDwQEAwIChDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAm046wn2fLX31p2NgdrCPUJ/VfsiHFLA5\naGgCfxIhOH0CIEjRdt/9qV4FRgULpFshr9n+CSTXkBGwofmeV3YIkhSP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUGsZQL/LVrWq9I+5aAbrWmntz+xowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMGj3JG0/GMlNLvsi5UcA0z8KcHYjZcxUyGkz9M7edlf\ni7zOnaM4vzt8cCS5+eWlnLInWdO60RnE824PMPLBgi+jgYswgYgwHQYDVR0OBBYE\nFLAuen/bcBzfAL5Ew2ZNvbqLoIwnMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nUMU8iu29I3RbhAbORiPFGspQj/IwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIFDoS9X/1n6lcz62c+VEPIigBPFY8Xam63l6g/yyzSjzAiEAr7+DWrfjmNvInGM8\nZL5hecz7euKMNR4DfYbwypD1kCk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUPlyGCxFunkM7DxM6yzhQv1foZ2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWQ7VaiJvJr/dK1ytHSIqw9mNR5jD8obuqk5+U\nCBRIfqC6sQwJ7NJqooX8cqLIPfrhtc5HTxPWzK59eBr+yFwJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1NHCgc7HuoJ9dbFLuixLOEoT0PcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUlqi35LXr82R2c2UnD/Kn\n7nREHTTUi1hEZHpfkMa1AgIgIYClEhjoK0DErjjoI6BCjMxbiJ/E+tKMFcAzzZiZ\nbrY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUWdsCIToVmoZYl6kQJmxsea4zsRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3MARs4YfnFCKJfkAgj/uwyVNHNpBInW5aOv85\nH6UTmmKOTPUdaPLwx2DpKi+wgXrxtJQ5qFyoCKIozwnlHqbXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE7Y+YF2TjxjTY1wTqfoHy+N4eoAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDu+kEVedvKju/Aybc0Uav5\nBc92Wf+aDCqVLp3q3Hz35AIgZt85u1FsQvCQqZHHfa/btXu7NcE6wpl/7JA4JMHP\n91c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUMPrXQ+rU1aS/Eaw+TL2Ma+Ion9gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLKtLHghSA9YXvNzlajI2hxYsh2T1uozx5cACyGwGVI2\nNrWpzogxrei1ni4wl4LZBCnJfqLmqRrAdMdunwaBequjdjB0MB0GA1UdDgQWBBSa\nENOl+3sv3tuA0SY4KRLzkPFKtjAfBgNVHSMEGDAWgBTU0cKBzse6gn11sUu6LEs4\nShPQ9zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9ub3QtZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALKk2Ao4kGPmOOxyBtTOTgCtb5Tw\nqal1VZQOPACc8wuHAiAK0/GBhyFeSyre850v58HZ79CcRZyipWHZ4tv/NAb4pw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIURji75Ve9gw4ds/f6uLy9JS+OOnUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKimy4fIxCmAKoAldq2Q1BLcWVa9UzZSVdGUBvu8/qbc\nGzbO87tP14pmxYJWYFcFlNfpDEW1NgxNssb7cYQOzhCjgYwwgYkwHQYDVR0OBBYE\nFND4BRh04n8hq/ANn/NPVBqe9CAJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE7Y+\nYF2TjxjTY1wTqfoHy+N4eoAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA7V6HotAmnbBDg/y1C5Iw9ASpt4xJPz9R21AiuMxSM70CIQCoOqKoTGvgcvXH\namVzOUz9r3ELv9eSVwPWns0FXOeRRQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUSIcXTe7nvxaP8v6ZR1VyIJUkjIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpiuON6G7z8Bn15ju1+Qy3fpCOOrtW2rEZ1f3i\necKHsIAzs7PJNnFENB2jWR6+OGRWWSPRSFEVc4+AKbRC6OlVo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6rBnC1qAbs2Igl3qy+blBldeRCswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUz1koHkLWeU/IqsPmZTt6\n2rbzdTcPRhceBWaP8Qy5+AIhAPVLoxo/clZQWjW/xIvbxt9ms5zyL7ORe3PPVy4r\nKD4C\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUPdPzjM0QVWY8vQHjhkKnorgcj04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqM5YcVqq8rR3FaXAnRJoRWYKDiuJevQ3O6KTq\nW8s+cenr2BHFjxawL/BWKCZL/kjBQFDNOGEFnXuFamaoT3+Uo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEsZnsbWYpUzu8TY4muvf6FINL3wwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIERDxVvyNXla7W/l1ABcv8D6\n/sywT5RXl396jM1nvzH6AiB4oONDn693sWC5pPSULVElCN+y9o9Dhew0n5g69wXQ\neA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUdT/Lpnso/vOARt4MlH6cs0n9o/MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAE4oMMWLgkzxmfjcqMw1vMrxFGEYMShsPQ5U213sJ6Z\nuj0/ygAqxNm86sfDN8HSCZMmcT1Ajo9FRi39Yvnks0ijcjBwMB0GA1UdDgQWBBQu\ns6tgjOA8wdmybDidE2akWdEBfTAfBgNVHSMEGDAWgBTqsGcLWoBuzYiCXerL5uUG\nV15EKzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBdthiN76bRKop6hE5sAEzjKKJ7/VW9fZwm\n/o+X6XoZ6gIgQinJtQfAo+vLToSP7JnAHHbajea1X4+SJboQ2tsWjD8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMlXVbo47rpbEMM2CAgQ5osok3gAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCwURj1q4YW/lGQoGxenKp8Aq9K8UmO8WNUP6APANRDo\nUe0zX5pKELY3lk+9RGQpWRQGpPYWl6oTgbLlL7yBQkGjgYgwgYUwHQYDVR0OBBYE\nFIgiBJiRvs+6sAlVWUrorlrAzIMZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUEsZn\nsbWYpUzu8TY4muvf6FINL3wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQD5\nzwqiCv676vtdClVaUnX4tfgCtsj0vsqP5UHW63h9fAIgEa97t2L2hHGrPVZHONU9\ni3c0IROkyAHqZb7aREpMthU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUG72UssxhM7nTbDeAnpY9eGmW0FgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARt6PqKxvqMuxLsDZ3hElk0iyWBOsqGUQEiKmqv\nOgGgYv7XKGtw+fqfcE9IOil6L/XxsDO6LmdtP2sc5Ng0wkj4o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJFYOUqMrOjv6jDkTff08tI+Q1tYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDMcrqtGYVoF1fvpr3E/3kX\n5HZN/j7SQIC+pviBsZm6kQIgel7tWZ9Xo2q3QM5YCJX5F82iZNxk1vZJcCJ8/Ic4\n8SI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUeaGG9Jiuhk/Os4Mg1prGtVY0rpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARiGgdnbpcX7wWWoV8yzEM0WproUsDnMdIq0NDN\nQeoYY2XdI8dZIytZ7v2z4Al+b0gNSBRXKSvHXj6jlEwtj2t6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbE4XB/Xc6/WlFI6iYxsUnbChS2wwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEDQ5m7mq2O5TL97pi00YAJR\nK5LmYHXV1bsjCHXkcqbvAiBqldL8h6jThZdL/ciFnvC6CD/PU/iHcYu2sPkdz2Kq\nTw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUOUuSCjyO10hFFppnyo3iB/D455MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKamw67vrCcwHfbJRgDeRJe1MlhqwvRV9Pe7wW//OGX6\nWYV1iQ+T7sWJUvCnhya/aZS6CQJX0wCjx3kH82CRELOjcjBwMB0GA1UdDgQWBBTf\npVgcRMJYdfEL3uBuF2vAbYtTtTAfBgNVHSMEGDAWgBQkVg5Soys6O/qMORN9/Ty0\nj5DW1jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBMBLLBVwztZKK94qZ8gJtN7kIoIoyf20Jl\nHWiUXU93awIgOsP2cLYc0KeiUXNSO4fonMU4jXsTgoVJTIvb0ZPhQQ4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUbj8Iam8HQfDuAv8cdfpA3qFMhhYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPrLfmg3JHk0SYrS3oimLNZiVdNmAZ8G8VMO2evnD8Rq\nbQMIuHx6GASjDORLNZYVzRPcu8WuXItq/IEy+4ppqV2jgYgwgYUwHQYDVR0OBBYE\nFFI57vdGQhRbXDCJUa8ouXnkvxfoMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbE4X\nB/Xc6/WlFI6iYxsUnbChS2wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDwk\nDcHcpV6F8Xh4fN8kzzdLkLtrTpUrRixCVA1koYtdAiEAsPAIc9u7gvJHuSSEWafo\nBC69EwxgqzL9AAxLoG8/oZ4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUYmXdhkG2RY1cyu254ADhLn4GURgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQaD5SjUhd333K6NwGl89MIjkG5sLw91+dj2x+\nQmdSsUhFRNsRoFqwh3F2EMmauWLoMMrWcoqtKlui0b3+jiPno3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGw/5PuhjIBq6E9ZqI/QAIRhgMWMwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFxGOaHkYUArFikISjiXLkDC\nTH2iNAVjF4+OIk2EyavMAiAtnS9wMtc+sg5+R56cFxhVciqsw0ys5t/m4JB33hp+\nMg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUb2xZYZUlkvkubYlqJtnhOEpTMogwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThsnrayu4mtx5JNKJh+3wZMqlIkeEbPPKp2zHr\nD6bqPAr0Yfz8LPFUax7i8FPhJ7q6fUaGjenFg6/Ry857hJ3Lo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNWFtBDDJFHIu6miaLnuFLqwJLEIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICj8ue3AastAqtWIlJ+Z3HkB\nuMdZmoYDId5AJf2Q0zlSAiEAlHG1vLw+yFCq/tpff4jIzk2guBlK08gYaMwlnZh1\nplc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGGw2+QegKKy66KjZtgXVoLQRbQYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIpuHmgJQeZQp1bOJeb4x1FDE6ic/mkal/mAXlJDNi6e\nZQ6QbP9JFvd1F7fJ301c7hK6fjtewhRoAVzFzwegktWjejB4MB0GA1UdDgQWBBTd\nI1dlsqG2nujRtVRyOIRII5fg7TAfBgNVHSMEGDAWgBQbD/k+6GMgGroT1moj9AAh\nGGAxYzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAeBgNVHREEFzAVghNmb28uYmFy\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5QZCg1CV4S2aTEQP7Xgxo\npPxP62pUNvNYRQVRPM2Y2wIhAJp/g+9ZIKrpXbYAfrl5m/p/kGc7c4uUActD95i+\nOUOR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxjCCAWugAwIBAgIUOeuZAy1i09AGyinhKzU9XnwLX+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO3940QH0IxCnXBmD85efFmMyWcylJacQTJlrD+oYRQQ\njA/F/elP9R8gGZ5e2s6Uhdgetuqms5j/mKlfivpdTn+jgZAwgY0wHQYDVR0OBBYE\nFC2MqJdxKBNRJ5fKiOqz6TtLxh1sMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNWFt\nBDDJFHIu6miaLnuFLqwJLEIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAOdqbBd7y+iysTChK84x3gYKh5PEaBpW+SxqYLcq4ibnAiEAqgvy828/\nV5T7z9I6p45fnaqjV9TBzqdVsj+wO7RWSyM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUJCgZcyKDkWVXDXqV5rX+6zOJzAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsxDXYNzks6UR0kMiE4Lh6wZWz0meCEMuoW4g1\nHT9Ri9f+rjrVMyp0kE+ggJ95hJFQ7PMt58+lN6+8PYP8AT7zo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQraammB7GqScQLzr3nBzb8PdwKcDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIEj\nfIuDOnSmYfBi2ao4sEZC+37ETqjq/dSSxpSH0HKZAiEAl5itmJCqZAEMqG6/DbcN\nVKJ087AYNZxHHuRlYr8OROQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUJTg7NhZV0vCSHu5r0g8s9B/bvZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYuCn7h2rLoePlnkfsJgwPiL5fscdmIqfBevwv\nvUNJepciziHAexsmSyo1HIFW22Is9vgSvUq9DAZWUo9No7b9o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBS3aG07x/eCvmf/oOlgIErHzwqUPzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHSBg\nXjWRRYR2QyBlc3HFb81B9t/flhwICQCrlwUAASYCIQCm5wIDi6ewgk6iZ5KgXA1M\n14fmn9RjRO3sKsOojbWQtA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUDJuzz/7FQUre9AMXZOXjLrqwfIMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCIQQr3YFxCqn8BlCe66hSx3fKnnV2jf1ApLAR9kgO8J\ntL5IIbcq8ensnsCU39WTB6w6GIux7qv94N1vrIV6vSmjgYwwgYkwHQYDVR0OBBYE\nFFOhG2x5Sysrg0uLnO8TVyRQ/W+3MB8GA1UdIwQYMBaAFCtpqaYHsapJxAvOvecH\nNvw93ApwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMC8GA1UdEQQoMCaCC2V4YW1w\nbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAqf83gTcq5AW4MSsPmAMxqzJH0ooT9qLfPJNyglzZ0zQIhAO84CnsYIdzd2QzX\nARiRuhQuRWVtDDZC+Hc1wsTl1J1S\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1zCCAXygAwIBAgIURjWWkROhzyAS1FBU4cmY80PfTD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHqSJ68S/8QdaBFSK69StbaNm/nFAJR9qcbJeGYQf61h\nCD6qOH5YZL3EbwNfXb+V/6e+JdZrlGWVQsVQhnpS/umjgaEwgZ4wHQYDVR0OBBYE\nFCQYmseWpRiGeANTXVaQe5vwBtH2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUt2ht\nO8f3gr5n/6DpYCBKx88KlD8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhdhasZuencgH2crqVtDjEASS/kAvjP2v\nEe6AUtYGPD4CIQCCAEKcyEzQfTYCn373BNjkTdeWzgE9I9KKKNUDM4LU8g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUajBRiMI6VJ+0rjC0d1Ar8OTY2vkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/Zqd64qCWuB2bJTAzTRthXlRKVmQ2UzSlYJdM\nFjtHEjFHVabTA9qQlfH23jBTe5zM5suAEeLOPMlspzoOZZvNo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUognyp2k3bYvCe0DABUvEBge/yBwwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIGtOZiWOJ2JXtKnsJi7u2D1XpT38\nCodt9rS85/pPpHp0AiEAm8/w2G6CwP8KHaKp07WqK3e8x2uNy42jHuxzsnyYbdM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUwvjMPyG5brNMLgwcxsLdxUdXYQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQlfc78CV1xoKxbYKreMuHizNDfIwAkaRLN70is\nBrEJi5pg5Odz6EXJuTXS+1u1lxZAMzcGF289ijr6+ItQG8DYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUraHMt+QPG5eB+m5XCs5/w8a4k5kwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDv9m1rbLmBakveb6+9mh5ODh5p\nV7/JZE5STHcyMhFd2QIgQADdZWsaVaNRxlkJhsqaFuGUeI8bEuIwoDgGDF7gBeQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUSuKjHC0VhWLF9NLlHSH0a2d4oewwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDoZrz1tl7KWBxFP4F0ZVCYmPqTwPJpUPPMvJfASIiEE\n1il33ATM8B1ekyDb4i7UuONiLzYib7gqmkV/AtKAm5WjazBpMB0GA1UdDgQWBBS6\nesDbGqebvKYcxerZ3NCkYt0fizAfBgNVHSMEGDAWgBSiCfKnaTdti8J7QMAFS8QG\nB7/IHDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAMBMAoG\nCCqGSM49BAMCA0gAMEUCIHIcltjlOd4HRR2fm5NQxp+Vmzh0xDrRKhAzhqrLnNz6\nAiEAsuSusM6jrPWTd6prUlnTxUl7mYfcHpE6ehd2PJ8glsg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUOuNSTSDtSr4bTGuBPHpioc/8SM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ458Ifi7JBPWrMAX4KD8fcbAU4QLzyf2RhzDgMHBom3\nmXgl2mgrpqem2zykLBxGspwfY+7VJDkcFvfmjAbnWPijgYAwfjAdBgNVHQ4EFgQU\noX5dgJyFX0TJs1bjFAputZi6kLMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBStocy3\n5A8bl4H6blcKzn/DxriTmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBoRphu9sRNfapo\nemN5APxTkq5DzxIm9wwwc3SuqLa+MQIgJA8cGl7JkgCTo07gPeq5U/OcDvGpSQxa\nllGmultCjOc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUaVYMrxhfergNGM+9Gw7lAwHFHowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrVDdEiEQyy//5VnO0YlounNXd47oenr80LjdG\n67ddjuA1eUrW8CHhn8x8TJiKO0c22MoLW+noTkOb2SCtST5lo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu+Fq24PUKsyYc2s6xQ8YX6r9eGQwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCQXsMUQ0fZrjSYnuPFCV9SidVX\nBGdpnrsaEiJAGrhktQIgQWZsrY7G1ah/nHya3jpSXkzW8P4gora3yUyTVj50Gn8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUW+xGBmk7m1YqiXEji2Y3Rx2mFbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOF4AfZorpdrBa7CSBxQHGEDc8XwXG9Bl/dOos\nzwvepoGeVwL2frXZozboDL10niBeE6TW+bV/GluzP7zwRgEko3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBVKQ9dVxqNXR5xRh7fKQAzkhgBIwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCrBsy0qY1boTMl93RunqeiA53o\nmIjKC67M9S/LXoP7tAIhAJ7XYmqxNYCLLE0pGcH5ksegFczz8v4VkqmcV5OBxtcp\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUWgAwIBAgIUTsWPYA1FmAuNDnBci6r6QwJYP/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFzkcnpECk7vW5Omm/iPjIeL0fjxwLPyf24mOV6736E+\n3FKcS6hKLoDo/HMZTlWNftWzkuarF6HcOxQ89cWl1v+jazBpMB0GA1UdDgQWBBTR\nvNpHxrpIzshvpxFdZEcIpw4sTzAfBgNVHSMEGDAWgBS74Wrbg9QqzJhzazrFDxhf\nqv14ZDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0gAMEUCIQCaFpy4GlO6Fn04FDWCqu8o2wP++EEWjS0huiqrBNKE\nFwIgFNko3cM9iEyzB5k3KpMWZryNs1moJKSuEJiyOluT5Fc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUYFjGWwH7JB5931KFnK1UYbdz2dAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBdpRUA/EkVAtydbYQjoWePIrn14F6yTTEcofJMypZPo\nGO821ccgvZo53TOGeGCZgyULTZpmUpAm67PkEucKmPSjgYAwfjAdBgNVHQ4EFgQU\nPcZhz54SlqauJMEd0pj27+El5PQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQFUpD1\n1XGo1dHnFGHt8pADOSGAEjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAomYsGo8rk3Lo\nbYDFOO3+pbvS4KlE3U+cNLO+kVgm37gCIQCNkbUATfRMtu+Uk5gIsdIQSPapUlHJ\ntBcSwMft6qcUnw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUKxYSl7N55N3OmhCXXtUwLdWYExowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5+s68XG8IMqT/ffEf9WkEUisTqG/O4R9yLSST\nD1ZQrl4gGYbsrir7DGsaeQdZZa/D7scBF4/h8DF/5/P4fvRso3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUN3Xj5jvmY1L9aHf+YlWYWso1rHEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC5C7D1nL5tmsQO4UrUXy4PKNuY\nBikw/jR4KpkldcRK2QIhAIcApcMNJRVR6j+tYTKnL0xhf/BgpkZHLtf5WcHREEBi\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUGJE8Tg7u8gvkJNrmWfXDGKsARlAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQY6ugSs5Bq1Jh6N4vH8C27j7cyFFYVCYpTG1dx\n7SYStQXcXqTQ7i5JVjwyliO8PRXNMaujZyW3PUfClwiCoCkTo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwRQ3wsWkiieXwsIAUaCVwR5xdQQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCa9lZJGlvy/Im3fyjZpfmPDK4M\n5UkqEalnCM/iP2UJXgIgabelTWnL46EeQtH1WrsRWfyv9Vm6KZy1ORBUGYR8oZI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUYVxwk8pgHSHcQ7w/Cg9RKU13idYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHCUa3RUCMUgD/j3NpqZlfelNdVleU+Cuam1X7wt2Ldl\n35KApL+x2A4I1GHjBQqvzJ2I5DloSSMUJBNyUAE+n8WjazBpMB0GA1UdDgQWBBTM\n3ztUqQGztBfd65z3o9RUxmpCWjAfBgNVHSMEGDAWgBQ3dePmO+ZjUv1od/5iVZha\nyjWscTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwTAAAIBMAoG\nCCqGSM49BAMCA0cAMEQCICAZ0DZiqC+u+DfbiFQrxsIMyGGy2sBoAUcbvlLB7Jfi\nAiB3tozwUduRM7qu4AgVfSf0H+HwjF1bcPQIk5v0UjzRCw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUAn/nIfSHqK+CLvBX2eY5HSEN/gYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAHmXWwRYUIuIgaOWbzzIQ6+5jlj77m89GGbFxennH4t\nbooDaD3dSJmy6XkjIxDFBUGBnjwinenTye5Rf5vGG1ijgYAwfjAdBgNVHQ4EFgQU\nBOZHECwLTnb7o/dUKvuKTDkegcYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBFDfC\nxaSKJ5fCwgBRoJXBHnF1BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA9FqqW/ZMcPmS\noYMV3Q9R0wRLpTHDTrPhG4IUcTgz1hwCIDIzttu4PMOeqFwQ+P9XkRIgkb903V+Q\nIJQyI0WQgVOd\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUYh54Undcu5AIM7Pducr9BnyQcMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNkBAJGSQaSHgbycF3HW7RU+OQv+5ExE/WP3Rq\nxtSg6rD0q41SzLr/4+UMzaVfECVNAkrfmOFO4oAfjxDwYHnIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOxqxU3D+kXWK5gRmeqM4ahAA/p8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKp0PR/tXafuAHv5\n/Wf00f6xe9nWz+LvzromsDFwTjDxAiEA9paSJB5YgpACR2TFHT046+fVxOJOrgUn\n6ATWgjVWa50=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIULbww1sR7NjP7iBcefS8Wca0C9wowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqhToQdDpD4TuX6z9GYnFx1lmqWYHzRBneo3Zm\n7cq0jzw2Qc4IT0yfLW1iFEkGxOsFp7bBjqz0oXoUIDhKMJCBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyo1E0elEaZtRRSmPKD4nFr9x/K8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgcOmHe8JdwS2CIDiE\nQB+aU1j1/qpTcQczq/YbwDu0AS0CICnTyhJljbQphQuk+Ri2x1oQXImpCVYIRvhQ\nt29DXSzq\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUCVc4tB1rfr/Xr55wP9pdy8/NIL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEuoLCUHnFhvq/JqLY2OerI7OgTzGRd/1ccBDdv4ZFlnNK6Qfv\nVdl5ALoJITV1aTTVrMd3qtAME5j/YKOGTIfjEqN7MHkwHQYDVR0OBBYEFBi6dtaZ\nH6qyQixVr2R6MKsFUppYMB8GA1UdIwQYMBaAFDsasVNw/pF1iuYEZnqjOGoQAP6f\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIGFFqLnp/sW8NgtSGCJQOtEt4xxo\nEhrfUeGpHFq5bQ7KAiEA4Ww9z4OFO/MFURp7LkgFD1U+pBciiIFNlQxPLhBxT28=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWigAwIBAgIUGxsw81WLYr3Rq+GdDsv0Vl3ukEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEOR/z9M7ilU60PZ/QdpP88no/rlMGPBsuyjqMPuQIyFP6hQJA\n30D44s6RY4GhWIpMpOq0/XvryfYz5e0MXefCBaOBkTCBjjAdBgNVHQ4EFgQUFAfJ\nGNy7Wx5wirNa6K6SafyYtwkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTKjUTR6URp\nm1FFKY8oPicWv3H8rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAw\nRgIhAOfOETP/MVHTcgt8kSgeMyMUzNq/9Rz444gmZsLlb84rAiEAm/NnSGqGAuoh\nXlaODQYiLKN3UuZuTZRN6tAR4CJA1kk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUX79AGxOrRh3v2Nd2C1Do+cAAPmIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiacHDbANLBFDYSEnckbHSuNkXmfyg8bJmvfPm\nhGE1UaeiIig0jrEJqrUZ2WiDxYyCXG1qIJPhdw58Wa5tuNo/o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOv4j99L+5lYqGcUBfYo0y0I7R9wwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANpwPusYvg1tuaYM\n1yytY3zpnPe8sgZBsr0I06jjPzzHAiEAp38BFPAlchOxJGby4rnwf49c/1MZBLD6\nQ9Gking0g1A=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUKddMmpRAs0lwZlyi9j0T+geP32owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiUEDkyNp8zlhjVEDA2rwb9z3i3iemuI2BvCXp\n90YJF5xR29wJBaejXBagUHRBEj4k4QvbbOeSkLHetkww6seho3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcdbceD1t7bF+GqoXY5BxwFydr38wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgdRnCdg2eYwFbZSUE\ny03JdpYK0bBUHOntsqguUVl1AKECIG6yvJuAfaHk9MstkUCTz1dVo8hAEuvIvk8E\nwiI/OUqy\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUasKSiXQab0mKNeQ0KdVsHndfPlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAReLQd5W2tGKNc0vBOvozLF0QpABzl+8AsST3JuOURuTZgcOhPHtPZG\n6n7MQ2w5ho1UgGWsTgXbhLJCCqjZZt+jo3cwdTAdBgNVHQ4EFgQUvX3hM0fS1kA0\nnGkeH9aPn5r7VC8wHwYDVR0jBBgwFoAUOv4j99L+5lYqGcUBfYo0y0I7R9wwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEA/eqQ3vwi2k2Hb0ikCB8h3d+fsG+6BZuG+bZw\n+joL5PwCIDNy9Bb5j4K+prFOH5N87uvnrT0cDf3RMzvrGocsANt2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUcYRMbSqqgj1tZhavnZiyVzErhFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASlUMgvf1zUQ2pY+kMR1865rmVmukLMy2WW0Oine4przkh6+uu0wpEH\nTKKuO2fPXne91MWZMuyuqV1brn2W8i3go4GNMIGKMB0GA1UdDgQWBBS0qsEjyIBn\nQ3KC/59QctW2TRv4iTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHHW3Hg9be2xfhqq\nF2OQccBcna9/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCbvAFo\nWb6jwJTNUHz9CW0WYcNV/mTm77HOVPkqf2X/IwIhALgwRm8MQKo02bG7n7H5SLxq\nuPZhDCMQT4atxFWxMvUp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUZ/3H0Edsx5xUWQX+ot1TZCWwFp0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQsN21YKMR0EbnCiXKHrd6HvKCKetdYQ7jIBUYk\ngd/UXmHV/0W3MMqaUnzccsZ5kRj2joK4j0y5e4ZeeCQne0sNo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz4TKfsYlHDP8bvcZPjOmz825H7swIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgTXkcyZljy2zKSRjB\nY7+9bRJxRIgvU5gJkcUvCFtKCToCIQDD5AsPwD94LrJsplCoThbdSlHtdZnBo6XP\nnE1zY2QC1A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUR8grjS4JHsw7br+DpbXby3DJJsowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZunYTd0QyTngEfG53VvPOOUz4FxkHOIzf8S9\nMBHmB+URIajdDOvXGPZmlYK56H7MGFVa6a8TgO9t0kUcL5JVo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF8L6lmRMbSwG85CRMyN9zWJmk4MwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAtL4SRyeYBePlrSd\nw8BKq3qtDfjbmIV83WYpV0iuQokCIDhYX7G9jDShT23Bz+DdWxnekFyK+QDQkPbJ\ncRDa7XmG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGfkl+zaNOKXO6omZzenYCayfAR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARKMoEU9+VnC0bRFL56Ia6aytta/KVIwROVl93TigCGXZBZv+ugoUv0\npZxSmV/fyK+0FUKp8cEZT8+7flF/ExaOo3cwdTAdBgNVHQ4EFgQUVRyT184bxj1u\nnEt67fmhY6rSfAgwHwYDVR0jBBgwFoAUz4TKfsYlHDP8bvcZPjOmz825H7swCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAg3bgdZfvCAuzfwdHZFFWCFJPS1t3dIGjTMeH\nbsW6zxkCIHxNBDRLejyxvb6JjnrLK8+67DcHkHX57NlKUeQAAmZS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUYxYRbv8jMMqnUJYqEPv32lsHQ2AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAS8LLJLgRTJr9uMiSG9sU0QHjkXk/OE7TUkR7j6WGsUX8IA8pgVt/1v\nnf+ZZPC2IWJk0EzG64l1Ys1e2pMPFq5Fo4GNMIGKMB0GA1UdDgQWBBQjqg240jvV\nWGH7RIE1Pk/+9jhOZzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBfC+pZkTG0sBvOQ\nkTMjfc1iZpODMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQD11nSJ\nh8BJ6Ir9TytElxUOtm4WPuSzc+iRzIPcDH/4fgIgOOccCLxj2Ti5oWtb/AcQ0SLV\nd3Eh3frvwlxou+/r56A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUD9urlQo1S+59La8h0OiTQ9C+j6QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBFmvMzZzBSprxLVXjXYC0O187gjxw4/JWuieT\nvV4dthS0H3uQVcCdojV4v3jOxH84t73Erhjb1oCauEes4vbso3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc+T/TEGTBZ7csVB3N/ujjsB9NswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgHRdKXvhFOhR0j/Yw\n5QvBOvEghV7jae0qobEGOLsgDZUCIQCgLOSscqIxBfRGad26yj95a+Im8k2p8mME\nuGIFf7Bz0Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcLrJ40Di4sKADr5EUdB7VcoRNCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5FBMZrHQ583T7psCKY9KOq0ap2FPD+guUWn9j\nE71Hjc5OTgxgi5aAzjz4nNxnzY4P+dxTL+57JoJYLDeN1vZ1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzHd8ONC+g2ArEe7jylQSFVh64MwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOXb1XAi/GUen5Ix\n3uJ4wqYt8ZJSdjWXAy6kRSqd4bBBAiA9iP3BBCbTInP9xeTEswA5u7fxMwJO+uEH\ndRSGVt4ODw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUGtrIwwAqVIZQh+fw+KgaGbEBQJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEw+4CR7AOdK503WJiCXKHNCgr/S6l1ir4cL5fPKuLEwgr+uuz\nsoSAbxFPq+2NYzluBcwi6p6NuZQFSjEJ44Fla6N3MHUwHQYDVR0OBBYEFM5zcFI8\nKye9wpzq4lxyQRz5LFTBMB8GA1UdIwQYMBaAFAnPk/0xBkwWe3LFQdzf7o47AfTb\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgcgihQq9DCfb59y71JTPzCW9i/WFoPNtu\nB2X+hbzN5pQCIQCPGx8cwkWAShDTTDLKLSS9M/rM5N/74cp9gJFwMFqciw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUYjdCGA7TY3M0sWSVhDpC781HkqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEYmrQuZGeam6RmC5kyHo/6FxKzMVt3w7CqMxfn0KBtm+FsM1c\nN1IZDJBuUdU4SFlNgcTHV6fgZ/YLB/QrtV4nEqOBjTCBijAdBgNVHQ4EFgQUDX+K\ntDBJKqeJJXYpwREecSq9iSkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRnMd3w40L6\nDYCsR7uPKVBIVWHrgzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNHADBEAiA8\nqrkMPjXNDHR47Ff1mWOMfXg9rB3CDBhIltDw+IHPFwIgeabo4SOiLQdQZEQm90ix\nyBzMHMxBvzxLeB5p9vKNPlQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUfW1aHiHN2npHqMOldYNJjWU6LRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8RlI5l/zJZvtZJKJqwDks8W1VhWt4jxLydWq+\ngZk7eZ9AmJ1loshgQ2W7BgHi3JRYjAnq/0+b2CpzgJ8M1OqVo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVdbbTAF5MgJkJHZoxssvlVEoeoQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgPOStVLvcT70k5OBT\npOOyDJrEAzQiPEIlpl72PHLofpYCIQDaEHzfSlfBcFTuZi4vfEUHI9FrsWHSNKiU\nXMZvMEogmg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUeaI3gwzATw99yiPTYm6Vy4gVlJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/J5ry9jcxlsZXE5ZJTDRpAUxQKsgI0grrnD3X\nzY+mNBH4KglezWnsZEhE/YqIKj10QdDlSGNg/EoU/TpilThmo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA229CWImCkHl1gdPu7ChfzOeNKAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgRB9o7H8YfaK7lUNi\nrhJHRxQU0UTnW5MMCGQZST5EtFYCIQChJVjVtHQTXgFuzliZzO0PzaSHNAfqgo2e\nM/3+40Bw+A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUHHPUJuOjuJgdMIwJznqjDapfMlQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATcecX3BZSr3bFFLsvYzvdchBZeqPT0CWQfZQxPFcdmzK5ho+07KP3M\n0sw1eqCk6EWFwJgztsfHlv/D2FwSaC7ho3sweTAdBgNVHQ4EFgQUESmM1SOBzqx9\nF+YOk/F8W04xBhIwHwYDVR0jBBgwFoAUVdbbTAF5MgJkJHZoxssvlVEoeoQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAL9/tI+tUrnF4b2iVdjJgVgqCeNHqhKK\nLDtaW5Q7aSv9AiEA7QKK9bPr+rqlt3O0JRc6CdLM7HphYrLjbbrFPqx5gFY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUTOQNDv+JEYJoeXuExOwLNIlZkMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARjpQRTIpVcfdkV5uLsZeR2RiN4KHVFn3HaE+Os/oa4qRo+Fhfb2+6N\nqcSzx0rI1AMqVO3RyU/vu8h6ZnbdRkJMo4GRMIGOMB0GA1UdDgQWBBS4GC3pIrdB\neg+oEBWmTey5P7CmyjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFANtvQliJgpB5dYH\nT7uwoX8znjSgMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNIADBFAiB3\nXIAPHQOxvZFAIE1/iA5ceFFq+e3b2GxziUuiGH2KuAIhAPQ8H2okHc1xhEVsl5lZ\nscub5geAWhWCz9H0lpgTToGX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUKxweSe3aMXNa02fcpGlbBveq4OowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpjkkPrmaFMQ0S06IMWXNb9+K7t7nWPTwnQh62\n7nDaVN5RIHqhDfQ18s/tkxTm/8RDrTXlZzGU0Zgz7vKsE249o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFH+Me/pxaz0WGf2spczsy+RPp1fKMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA7fZvGWACjZKAdaSd\nO6gFAcyj1pCYVkbA49qa/5/Dk/oCIQCrDIm5C7bZQxboj0e59/gyyatZIErNtHE0\nzgpFZ6XIIA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUVMQ8ZY/E2nQrNOho8Ox8HEdIzikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARy9pssee6TpBwUMhJfrpQ6+VDJJQR8yYH4shUC\nBZnGjXrVHYbwpKV32mc08sUZY+2Xjz28Luvftvgf8G3RpDr4o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHIaTmBk8coZux0JKpLv78ICy4E0MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAvwi5KT/FeXxM0NRJ\nC3N0LyBLUDO+x0V6oqRRAf6X52gCIQC+NTtIrv9Keiyj/95OcRSoybuOu1YSz0c0\nsDhV8RFEWA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIULKdLwAbduPwTI1q0dWhNq9YDhLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqe83ky+K5nCCZUdhg/Y3Jwku8svtxAABb1KMO\nIBCT2HHCZg+GDAHtCXgOQhfz/a/EAlYXAak0FCt+oSxpHFPyo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUf4x7+nFrPRYZ/aylzOzL5E+nV8owHQYDVR0OBBYEFCZ/\nEV3LecJJ4m26/ypBpj0emVvQMAoGCCqGSM49BAMCA0gAMEUCIC7Vv+eI/DiVA5q9\nCyPWos7uU+iSyQLRERdQQNXAFnr1AiEAirZC7mThN6dURG1fu5YBlTOTW4DiKmck\ne0q9wOWRoWg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUF4T8tDPrCPLz3DAg1IB0ZAiSW3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmYLCTCmyH4mPgJOwrNPM3DYBDdPtCeLwMKdcc\nVBYZZkDGjWi7nlyt2QpuJ/BF/gnHz2bUw4TxA2djeqNpLp8Oo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUchpOYGTxyhm7HQkqku/vwgLLgTQwHQYDVR0OBBYEFGC5\nZiVk5IbMnwK/fontEs93vIiKMAoGCCqGSM49BAMCA0gAMEUCICcHV1yQc95Wdg6+\nYTgoMSWrZ1D9MxA7Ur1ZjkcEzqrqAiEAvRiGBVlbzcKCGPGbEDKoGo7AI7CwgIc6\n794r/cKQEd8=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUaqpEYqIKcZTTDTNHNFgpVdHPMnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAWj6n6icR2gyg4PTGqq+eicPZexbTblGcg9T+GvXDWo\npO9qZOC9XgnH7MKbqIXHtKtLHqgmoZ5Nplqv7HMWG4SjcjBwMB0GA1UdDgQWBBS1\nrldZJK4RQlFCkZb2W4FxtQVJzzAfBgNVHSMEGDAWgBQmfxFdy3nCSeJtuv8qQaY9\nHplb0DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiBD9tMIf+ntaP1lhIz7CCOf5h0/JLJcHSUf\nzX5BKFANUAIhAPwCKQODkRvjzx2d8OUsMCzbA4SESex/7JxWTLro/WqC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUP17zc6MJDQ5Su/bnNfON+tQHdG4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL4Omj3kRREUwwiD7vtCid7nhA9gv1QgKuvylBhOEwPE\nroc+xBnNqAsFBA9t/P6e9zA8J7dkc8zN9j6rfS9K7OqjgYgwgYUwHQYDVR0OBBYE\nFMHRdfOR4dNy4CpolwJgqe/UjGJhMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYLlm\nJWTkhsyfAr9+ie0Sz3e8iIowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHsg\ng6YlCxZAM8ri3PuoS5Kgwd7iN643QYDic2ziW27tAiEAtMIz9EHoanFkw92ILuQX\n6nCGdxoLdXSx5VdUBo8/l+4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUVDhOKaVSF7APYX6f1yMUoGVBsvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+fky20S7n1XSY2bZHOmPp6Wu2vBRgqqBlqNWv\nNHOv2601imZxWuLuV6R6iXaXWMHCcdOhcWMVZ5nNeKND+Wqyo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfyBLGqpGp8yDyrguQYUnS6O4vOIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDHrr+eGsawqRBpWfHqk45Q\nflZrT1sd/3reFt48XKS4uwIhAIGKFYZP/UvYOoloXlJdsXKtELs4YM3vUzBwso2f\nZ+g4\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGnuRQdcgkKRB7fyA9WNkRgqIBsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS39Nmqxzd2aZQ6AR0malgBjQ6pYMbxcFuG1pJ4\nYxXfGVLvYpjRqr4RgsN2nzJOjbd0/nZ3sP+XcWdUEnh7WPnCo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU89P/lPoK0bc5kJc1ZK5IqIoGnK0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC4vZyDDdspC7GeOEtO7PUN\n/k9oUncqGMnmlAiGUx/57gIhAP62FTe9/x0dqbeM3s1AYGtW8V2PQxSkgUetj3lY\nH1yz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUHFKyT7VghgWkzBMOBEklwQxzXbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRk0gRIwT2VCtwmRmQ+G/J24KFI0Dv74xY56Rq\nYoGB0zDYJR9PlIgj9ctniVbzgptImjvSLAzT6/oA2l9KKVdQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUfyBLGqpGp8yDyrguQYUnS6O4vOIwHQYDVR0OBBYEFAdP\n35R5Z5cGJ73GmXolXYb551sZMAoGCCqGSM49BAMCA0gAMEUCIEnRY+vNj2Tuaz8e\nBfpvb5Wgg/IQHdvMxW42DEkDmg+5AiEA5DrUlWEbK0oc2sZkA4urRqkcnwsBPr8Q\nnchhwawDJnA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUKbcV+E9OA/0gIBhQ+pZi+XSq6MIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQADmonUoDeQznu6F2hEw/I8zXt92RkJntvFxsa\nqMttLzTasP5fwmx1nb0LtzunlN+hT4BzbhHyHOz+w5raK7vyo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU89P/lPoK0bc5kJc1ZK5IqIoGnK0wHQYDVR0OBBYEFEpo\n0s3K2Gz5w4Xal3HtyHXdHNcqMAoGCCqGSM49BAMCA0cAMEQCIC25gx6d9P6nEXnY\nywqoCbcjjM8zuYTacBj+WCappyPEAiAQbeI3+5Ppen2lYKkQ9KC5FOZ0LPoPXx26\ngEiE/pZztg==\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUBVrHKt4pD62ugWvl4+0RcUCTjuUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXbddnkoIjVcRMEY4Eh1+KIJAJQ+kEMoyhRKQx\nQNeiPXoxn3HaW2JW22UnuYQGWNELM6JvR1KSGcJCwYjUZaZro3YwdDAdBgNVHQ4E\nFgQUxIKikXy2FfkENPQFX/5QvcjftvowHwYDVR0jBBgwFoAUB0/flHlnlwYnvcaZ\neiVdhvnnWxkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDynuHLMF5xPzw2B9KzNxvFc\nZrkl29/cl18F+kvcrpKhAiA0SXLqp5trWR1n2F/C+/b+O6/XVTaNH0M/yg3BQmj1\n+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUFqhUkfPeJ7EmeEdYOWmNzaCirCwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQKxo2vQNGSEAUDxFZQ5OOj8hvBnkpd9j3/KkTj\nUDE/Mi/eS6NIGChECe+hQVJCvQgpiH+KeDFsGwcLHpBSW6NWo4GMMIGJMB0GA1Ud\nDgQWBBQFq9ryY2I4p/1sOJ06fehoDRbPEDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFEpo0s3K2Gz5w4Xal3HtyHXdHNcqMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgfCyCK4cgIyS7Lo4y5OMhQjTm2plw5MBQ+SlhPs3uo3kCIQC2NXZOCJk4\nWVw3nwBYP5Zkv6mf3FHm1HdquiBE7p1qFw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUTGecbb2JxcX+VdvyKHcD3i5cgH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQggMjKe82LfzII87XRtnognGjLKuMsRMuhmuqv\niM1sa3IsMVbNU/FdDQIO4Stsh3qAFOkDdrWXcLwg5TUcR+aJo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT1vme9BDldwK/3cW053pzA5DLgGjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiArFG2XdU7/2Nsc0bWtP4oIhlTJ2dArda4LSSN/jNWvlwIhAK4HNTyzXOIQSViT\nboBuYaK8aHhdvIMbxp3LUWNN96kL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUB64olPOSnkUix5oQdyeltgGotwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1XxN6ScavCqudiLufgS8xerdmzhsEnVmZuIrS\nqNp99Ks1nbAqaaYHMyk09jCVHsKxtVtnYh7ROgw+uQuRiE1go4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRVgv6hKFsL8WiaZXmdfQlKd6btJjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA4sFsLy7UYIRjnRCxoyh5JkafDWjksao7bBP2Tw7Y96UCIAaMnQUv2G22meZm\nP5Ii4TkKEWmvaejitHmctQm156Mp\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIULdOhATP5neSwtvcb45237LNK6BgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPpcF8PmRG3LX5ym+vKDpGQiV2rthLzh9ffA7Fqk4Pw1\ng0DBpPqX9YxY2yf4oysTYoAKqAK9xNvmRg6Dig7X1yajcjBwMB0GA1UdDgQWBBRF\nfhREskMTxSXpI45pzUPuFM63TDAfBgNVHSMEGDAWgBT1vme9BDldwK/3cW053pzA\n5DLgGjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjsJOd2q8nC4T/EwN4MTbPKRnzKFhmssI\nMrg3JchLFFECIGHsZEmHNwHiZqIgAAHYq2z8n3ERuBp/TEprXeOAcYNV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUB2HSPQS9rHAwVPGQ/Tx3aCyF3EswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNT7KrGeRIlJm1JJd87oo2TghTEmxHKctBIDX03+hFjs\nqmQVZW9LsyPQ4lIf9FQihPxErrL/QsQ4W9ABWpo2WbujgYgwgYUwHQYDVR0OBBYE\nFD+3FIcP0lFIrL5ZB3osBrvASQSCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVYL+\noShbC/FommV5nX0JSnem7SYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDG\nwuhNY+sxsv+kMO597pSPCxSWQTAqKCtXk/tLeMcavgIhAMe/3j0k5Bjlx99f7y3k\nc0yvfTeRDamCvVm+guBAi8VG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUSq4sfeXIS1uXlx3pJbTcDqqxIbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBN0Stf69i/KHKT9H8RETyK72I8Pjc/uv0wzDz\n0/v27yHF1mnwaWO2fP7iULTi7u30+wByO7RLOMa1gOaFjLnno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqITtVn+FE/kCLtGYwjIZQIn1qLUwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIDLU4wXe3zuFLFJQcH6HBlY148fs\nFB7vPYcIyMlfnrDWAiBBl3xgII10h9GC2mdEBm0oMGRKAUHRPduKnMB2PYhrPA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUF+6rFVSyuTOtRxF7EjEEYe2OeS0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMyO428rmQJUXr9y4Fy98UiWsqaCcK2QLJmRkD\n5vziQa5PKewWc8HeTon3J3n6i1A5fjaOWQ5Xw38BVEAsN+jKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJN7xQB5Hp7N+Qz4pposDvK7NP3UwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDwOgOyq626ZKNs/qcet7I8caRz\nJoAit8NqyuzyPA60ewIgW+RwWqlyRnjBp9irwnxGJ1sdaIYsuAzyOdmhhmGUVIQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSmR11hTHH4ItJ0/c5fkwKB6iwCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHvUbdUH3j8ZynBnbTAZrkkY0MBdSodFSgZoNhFy8qi2\nkfAmnMPMNtm0Bqh7UQCs4Sj4Ndpd5c1k4OLcnfF/liejcjBwMB0GA1UdDgQWBBR1\nwZfOGuiR9W0k375IF/rlIiFiUzAfBgNVHSMEGDAWgBSohO1Wf4UT+QIu0ZjCMhlA\nifWotTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAz8xAl068WSRm23V+SV8oQEXRuSnqDs/qe\n6zbdgQyNiQIhALTK5NCo7jjLqe7EghS6wKz8OgammyrTgTlbROq/em2G\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUZFv28UDkFHoT/3taA9vkjI3SAuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC0LvLs+rNe0YCEJFb9Z3e4D3dYUxSWIX0eu44tYG59A\nL/uAABgp5jRmCoTsiGDBKi2WIXHuZLk/Hq3nLqIQCpWjgYgwgYUwHQYDVR0OBBYE\nFKhhEwJTVyWGZW/A05pU6FnHKpU7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUJN7x\nQB5Hp7N+Qz4pposDvK7NP3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBAF\ndG1GsHUk/cuuT6cf9NIjhGkkrlz//2O/y+d/g9u9AiBJxij49Rmbm/z4IB3B/j+w\n5YQ03IrFecNC25v0WOlc4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUfKt1vYiZDCSP/LbWKhlea41wvvswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQV/Ym0awK/WBDX+d0ITx31XoolAE4xI93w8AGE\nbfvwIOnVyOus66rtQl4j/ZUOnea7rCxZmkwe6sMrKmQiqyJho3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJ7RqGcCw3Pbb7jOOsVIFuLvUGMAwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMeyrjMMc978sglhQrM/\nksljSpA1vMjOOjZN+ZWrGf3vAiEAsXATgFGrKLyLai/Hgby46m9FbaKB8niHmQ+k\nt2fQxDY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUVYvYrzKLQ0w8npAlNoI/6BUkGLAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFPn4DPax/4lh3CCSL8u/GQCoLHuXRdMZNA67L\ns69aWNqMRCzUh2sc8RlCmTi08KPr69iGOLlIsZJBiC6XdSCQo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQ0/+y1w8DIs5ptUc8Olhz9MOdswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPN+ND9clmJLjF8GcV0hX\nkbput9DgX6L6XA8pUTutK+YCIQDN24BCD6ooIvHg0ZsWr0GJRXRR6lZP9jEhFxsL\nX/MF6Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUYw13cWhzHVxrR41uS7Wdf0gwSMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJLdEFToqVW6rbgmSd1gzNZ0R+FKgqxotP5H3hEHpVpf\nV/rgr9E4Jwp2D1oFrmP0NNbgHdT4U/ko6cijLe64ysujdjB0MB0GA1UdDgQWBBTo\n+iQqHapyibGW1ZscXCvKnmV5BDAfBgNVHSMEGDAWgBQntGoZwLDc9tvuM46xUgW4\nu9QYwDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9mb28uZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAL139wwSkPzTj+i0BS6vOS6dkqB7\nmy/tRmNZENHPaOrsAiAAqWo/Am4htGe/O5qFhu1si1Ifmccz6yMNYR0AJdVQSA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUTlYAw7u/7a3b+1GxIgg+8/eCnEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdzh9O60CGC5pZmlG0uN4ihn8mlRFaYXLrxXIdURBDK\nph9b5RTUgHNlRuZzCf6liWS3I9v7LJ8PCNKNPtZcF+CjgYwwgYkwHQYDVR0OBBYE\nFK7bQCEWdvy7tti1j8Mk2yjJMxjxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYQ0/\n+y1w8DIs5ptUc8Olhz9MOdswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA5rmqgJI+Ncr1kWdEQxxHFPe3aMZqycO0xO5oYIUoiL0CIFlR5navaJk7vMwr\nBv9mYl386h20m5e07RpK+QlNBoQC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIULdnAVPlY/ynEQDwAnT462hFcxKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8m92qE2SMgNVjd4c72OorsqvQt4cxIT9haVAA\nolQzgu2AyRyOz2DGt3IwrqhbnRZOwzfB6BICofrd2Dx+T1mMo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo0szsi2GJsnjd5VwBlap5u4CXfowFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgNxHmM4absuhFOXgV74eai9X2RP/ufE1f\nalLznaZoKpsCIH74Ff65myKZO6oIXVoy8N72pQHxI9CgkpS1JIPpUfsg\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUDgd9s8nScFlMczBB3rFgs1UsOkwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpwVrtV0Fpm1jDqwoCNNZMsNwcJckzj8XyFQgP\nl9uii6d6bY5QaI9nBRbsFKQ4dvGFV131g6YPyDrvc8Ctk4Bro28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQrRyUKjjJTl3KC/pm/EX3JbiVJ4wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhAJDXxogWlKuhpRBO0Bs0vno/ZZooPQCf\nQNYMIBFBFoRPAiA8jrC0zOK2CRzJNhh/K2566Rv+CyiY2LuOQ9w/I/e7tg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnjCCAUWgAwIBAgIUTZMLR4EyVAcq8Ikv576bBHkeC94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNe58Zf1cZpZlBjwcG29XaaSpr60dbLHQm6rxOaBlQVn\nDNwVuboi5bds1+mlUC/GJwZVBkfroc3IlL/LEbWm1I2jazBpMB0GA1UdDgQWBBQq\nEPIXtGQaIG74YCEjrSfkxQPt+TAfBgNVHSMEGDAWgBSjSzOyLYYmyeN3lXAGVqnm\n7gJd+jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgNVHREECDAGhwR/AAABMAoG\nCCqGSM49BAMCA0cAMEQCIElz3BiAr1uhOFTTF4RKte+6Befio/GDUbK8pzeAqROy\nAiA20fFH6ZkPit9HZqtVLn99rNyEH655BI0pOmMTpW3jGg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUJjspcEaziGVnyO/CpP6O5EYI/zwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKgAPnuyW84SCToVHFJuZiuieKA3SnhtA2THzpLo10lg\nGeV4yHPsIDmILvPDIZjOQm/UN8Qz2AQyu0htrpWuiSqjgYAwfjAdBgNVHQ4EFgQU\nUyOkSRw/vMCTszM5FM/aehbaZuYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRCtHJQ\nqOMlOXcoL+mb8RfcluJUnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiBNCwd5rGVehSnv\nwmhQ1/fPwBHlmza1ixc88Id2QD+/6QIhAJYo9sdBH4rpFh6/dvmW9LfJm0CcyUFo\n6BJO7j7fjvpS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURpX1AcT4lhWmoSeHLy1geICQrbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQdpiRg/XA6Xyn9058KUQ03T4gYpn3q7fBkL+p\nxBqQ69/9HpgtTRNYRM+sY4bzmLSCvE5UtbeTSgjoMT3YaIGIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYjDYT0sKyQDPGXUvPU+cIvdqsxUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJR/fO1ACqzu7R4baGWAXwNJWSLAXNG0XdxWEzIkYrB/AiADWevNcYif+OlQpLQP\ncB6Jix+aJAbF1JeO/WKafFWb1g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJUmWeW5l3GK0xHMzqL89ewytfhowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQAAUdUZMKc/dri4KBeWfDymdDBQTv1sg/ENZj3\nAcobpetsHxaorevfCmdy7Q4KFrtcHy1UoZbwaG/PL5VuqLcao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8XLxWZZNuOoZDozq0dS++iq0gi0wCgYIKoZIzj0EAwIDRwAwRAIg\nFvGD72XinYT0QfhstUftqYmqP+yn7s69bCEYKHD0XAoCIAqRp3Y2KwI8V+pX8yw1\ncRPyoM4AlF66e42Pa0CY91gz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUTPPaasY0jVahH5e2/acEgHuHxAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFmsWbfksjELTZ+BEdRQCISR2dwOprOGbOIGkWSwP5TP\npyP9APT8Fx/3eHFJyl3+IYEVz0mzgYPUAMKYWTUsBc6jgZwwgZkwHQYDVR0OBBYE\nFEZLk6AIy9S3KUZNweer29TEkuPnMB8GA1UdIwQYMBaAFGIw2E9LCskAzxl1Lz1P\nnCL3arMVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgRjeCxeb1R6BNYd6qs3vcJtp5D6FO25lEDveV1lVG\nSJgCICuf2A7q9YEvA3OFQOTzUodJeHg7oSxlAbilW/OhwDYZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUdj5DBTk1ZWsouEnYq1EBb2khPBYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHvlesjDrgW0qBjoH8V9ontCV0nfyrqAqABumHPbyypd\nm3aRgKMQ9jwyiBercOnHhgprLfTDOcNWpv/prYZmPZOjgbEwga4wHQYDVR0OBBYE\nFJ/L9x0erlHiaH110V+Z+3YXJyAtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8XLx\nWZZNuOoZDozq0dS++iq0gi0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgC8PHmp0taPJH\n7Eiq6hFk6qwF1RSCoceu5vaY9BprwAwCIQCXgtgLIzTDU2nCtEWYUS8JjXOc05K/\nisKrK3LuTkceXg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdoWxn8o9o6Oi02TTMgE85Ola7TIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ1aaeZLPL/VAqxMF/Vok7US/KWG0z1quyNrCb\nl/Ba2D0A1ugd/8CRyISK4PxVG2hw5fQqeNdQzlCSaS0tSEYPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw1uQWn/OlLQs9mLQs0R+NDBzZ6kwCgYIKoZIzj0EAwIDSAAwRQIg\nY+AAcpHFNm6LV/Srk2e+tPmy9+pmGD3fjdhy0ZXqpvwCIQC7hiSCqTmaiFmzdMYa\nsL8mw2VV+3yG/lpreojrztHZ7A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBfUaTGGN9IwZf5bxwedJsUY/pi0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASg7fbxfrqJNKSUDDgPFc5aEMBX2y44APbkJLsN\noTsFCbBQSjhuUK6g+hpyWBWPJ+jLevCLPr6ii/9seYaGqjxIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+12F8f29gU617hYjwN+RNOvpP6kwCgYIKoZIzj0EAwIDRwAwRAIg\nTqipf8PDTFLYbdf9sbXQmN2JLgCFJfY2prAnV9ibNqcCIGvySedSpCaS1v0Rbjx/\nDbyO8z7ewHRBt+rcdm5XssYr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUAQcKeereGoPXHQj/hvg11ZK1mKswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFmYyZOzrvhoGixMuu5X4oiDmlkAvEOJsc9LX6dqUL/+\nfoEa4PSRo2bSTcn1paZK3JBk7Xiq7s72Oy+6/HP0wD2jgZ8wgZwwHQYDVR0OBBYE\nFFEbEK+WkttOelG5Nexkt/Ir0o4+MB8GA1UdIwQYMBaAFMNbkFp/zpS0LPZi0LNE\nfjQwc2epMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAXBggrBgEFBQcwAoILZXhhbXBsZS5j\nb20wCgYIKoZIzj0EAwIDSAAwRQIgejDw/pwhzPX1uHGU5nbsJ8FX4rX6V3VvqafD\n0Jco4+sCIQDlfOzpJfNC12N2DvP8/p4b8y2ZcfseURhlx5NkCDSWOw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB6DCCAY+gAwIBAgIUQITRtsoQ8TNPWDjKRznXMCdvlUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABILC39r7exoMUMAzQQkqH8gYO3spyPY8El++uS0ydrwS\nikDvPxwLPOHi27b5kjQ8bh95+BSrq80yBhcYxKF0Z4ejgbQwgbEwHQYDVR0OBBYE\nFFCZsQMZ3P5LpNkl/hku46E7ueTHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU+12F\n8f29gU617hYjwN+RNOvpP6kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgNzCwHHb1\ncUmUy2c/IOZxW2imIsUaWB+mJXcsYb1VTa4CIDBwjoVnmehP9m9paD0j7c85YBfE\ngj/pmRDqNxKlTXNi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZKKQ9FM0SrzJPAgo97qoqXnv2QswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHSBlVrsR+Ek7CZiA94tnO6Nd0vUeBeO5p95Ma\nsK/g60PIYnw4D83QHdK+XhHTdXvOAE+vKz4OjGcuT+HodMU8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUosIn8I2P2mgik3JWVPNFxQ86NBYwCgYIKoZIzj0EAwIDSAAwRQIg\neklSKD2z8Uey4GZtCyhyEjTf5y3dxpevcwnoQubfF+gCIQDsgUu37pwnClFS4UNx\nmCXZDmWfjJDx75vE3UjJNfe5PA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI23NHRi+vUaUeeqPs7xrfkVShWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnFSwNOC/cNB7ebDWOepzr7MSnzdrmWceoKhXc\nb3GSTPPTFUWqYb3qObNQq1qbe4vIZeXWIPTMoKHQ3PPbBoZZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4gqYya080V9x5aRtitMatUyEOPwwCgYIKoZIzj0EAwIDSAAwRQIg\nQrkMzuk+LsiQYnPD9VbGI7rEFxmDANUim/cVsP4kDmsCIQCBr8j1rh3hQi6Ri02O\nBUpDPtqEC3AI8Eb7cd/yp2eNGw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUPBMeaH56XIEVbZv0H6Jx4A/2siswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt3ZbB10+\n5DLd1yS6H9yUou9oIf5Lfvx2/i7iB7k8lYPSzXl0NTQgXm79lO59UeaMKBdvI/r9\nYluihlwAH/SOr6NyMHAwHQYDVR0OBBYEFHxZYeKUKexRxVG+hGXXUy5fy6K5MB8G\nA1UdIwQYMBaAFKLCJ/CNj9poIpNyVlTzRcUPOjQWMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQD1Vfswgv089jjFDUNS4Inat/uXKtWmUEkJGF/yeTYLKAIgHpkWrY1WpXnKdq6E\nGvnKq/0/2HUhGP5SDk5LqNq2DgE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUclla84sRlOW9RNNG8D5ItBZG7iQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgtLdkc1U\nz6k+mqojOB3Xly1gAKZ1o6SjYycEgUWGi90kuAZyX4dOMAS04HYQBl+SjWamUjRC\nQoI08aVcSrq7uKOBiDCBhTAdBgNVHQ4EFgQUzo5k7C6RRhl8LPrEnniCHIvXsU4w\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTiCpjJrTzRX3HlpG2K0xq1TIQ4/DALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOMP7Mf7nd/p2azueBSLRcGHwWbV8f9V\nCSfd2QmnTL6wAiAuv1X91Wzb5crXU2RGyAhDScZgi0gFL9ej/Rs79aTtzQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUbqFu/YoVbOaZv4FtnwpSwQSiF2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoAHOFujeOnXPnyRrJS20CshwthywhCUugmWOq\nG42pOt8neHLs2jozM75ZfnU2mopKTJn+xgPltdlm1j7IFenDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU732LA01nLC8BvSd/+yIbhGrxpHowCgYIKoZIzj0EAwIDSQAwRgIh\nAM0SlDiL7JrRllbTp9/lhJa04r8d+Sf4p34DLimUhQkaAiEAoo9YSfEGt0Rg92Ec\n8pRfQ3OWvCD18xpu4C4oi+XmG28=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSI7hxv+BcsnAg5/mObyC8PiYpcYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB2qiy+EwJTm8Zh5usJXauq1i4rFaPWUyqf9YW\njvgPM0ghXuDqCH+TRMQMq8rVkdFo/D0yt4SEfzbKst1rp5+Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZawbx7X5VlVNnIksR59glBNjGqAwCgYIKoZIzj0EAwIDSAAwRQIg\nDjCpM4jgc9BsaC2pHiZCJkr7jBRZT5puu49QKSpf9CcCIQCOwH5x01Gf+A7MWyl0\n8Hzr5HysEVdJTHPnVTWeAYM6dA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIXANrJMWAbcg8aIB3cwYUMNKraLSeHZYQwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABParH8N5DY5nAW7S+Ecp/GIIhyPguzkpJN1dDtDK\n3dnijXh42CK/2POGK73pXHcX2OOJR7rb/muv1nIs9213qd2jcjBwMB0GA1UdDgQW\nBBTbYx+Me1vVsBocaDpL+/+pFv1jWjAfBgNVHSMEGDAWgBTvfYsDTWcsLwG9J3/7\nIhuEavGkejAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/na9pD+/kWCUJauqJf5CCW7hgtO8\nciidyEqniT42/8YCIQDO/XUZoOy6L9ygpWW3OssC3cZ6Ksc0s1mx/ANWCn45Eg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIWW/YuEO8MDcZaShk0QAl/FcKv1uTeMDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6bzVNpuFW7s0ZhnKU0pKpUAZqg7y4f3BK3MWJROe\nJZT6/hl+QoQ1HIrYMnzlkc1quFq0jo0zQjMCsB43XejfzKOBiDCBhTAdBgNVHQ4E\nFgQUP9DWZzQy+y9ay/bGZsJBb46opmQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRl\nrBvHtflWVU2ciSxHn2CUE2MaoDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAOzu2Jih2O4a62J8oz1o/IDNzkkMaxJiFAragLwagwVtAiEAoeO0omGngGPdXs2D\nWqX1k5VO3bnQ/zUirQ3CgspfY20=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULl1FHCskooDIZ/YaHNgAsqu9BQkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASX7geBFQ01NuaUWFDeMi2MDSGKmAjLPYcVuys0\nPv1zrCP19YHdk4IjckXjqtF/fK4ILUQfMv0BSwPIHXQv34oco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4dt8MrjLDWBHVE9psRKTA7neyLUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOYCwZNLd1bOApyAxASIvJ+TIn1k00/SplEaxdXG0ZqbAiBEI7vOuCea/zjs4cgS\nemhMeeH6rDqcwwzwnRuFMquCMA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHmc3q1JtylmKymk8WECtcjL8658wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpBuU+x7bhRyrGXOOGTthwVpKuSyu/8j/iR7Ei\n8hj9L6JOj60rYESr61m7PRr+FyBt2yuCozEi6ctO5FdgaPQ9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEYfJPtOq0AQNESlLq7vQaUunnTAwCgYIKoZIzj0EAwIDSAAwRQIg\nDgYGBfVduXUC1wX3+0F71DEYC9kZpMvRwrVG4xUJ5qUCIQD1VyDbWbVJl4h0lBqF\nQ2KPpAu7v1dv7orJtu9oWGZihA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQqSu\nTDazNnr+ziB+PUSyEzk2xbrVszO4kYDk/3HlFe0wMY4UERrdmhvTe6x3qYyNtlUr\nHDuObeI8Nghpn6aUyKNyMHAwHQYDVR0OBBYEFBkXMJBQpQVw05Z71Q6v22Dsg4Ef\nMB8GA1UdIwQYMBaAFOHbfDK4yw1gR1RPabESkwO53si1MAkGA1UdEwQCMAAwCwYD\nVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIBZ0ntYaVvaNaUx2OMMgG+x0pKphPOAyKpwGJjugqErFAiALnt+Ms18/zHkT\nLU8GjyjR9GxJO12eJYiJfN+BM/ezNQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFUk7\nEmnq7Z/moC7/6Kng0cuqkznK7yuRhd+Cka7fdQGQXTjmimKjbpiG2V6DJsQpQ8IB\nxdM5cQzl25q6Zw+enqOBiDCBhTAdBgNVHQ4EFgQUnP5OkQ6X0xChvUMc6RNu+x20\nI58wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQRh8k+06rQBA0RKUuru9BpS6edMDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYY+3CnoMfqotdoqwiRrPAp5Jfm0V\nNm41zd3Viv9ntz0CIHCIJGqTpVn33g1hO1g8zWkcDas2uk9uf/te9xBdP5un\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIcdlWh1dgRk9Qj/pOWCdDzlQkEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7pPWNwbM0AugvJEzHRmf0qpHnp2FKLO5SO3UU\nhQpZCaeH1dRog5Y9uyu0/FoFDA2XF+BlpGSkydWjySOVj140o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+hUP3lsT9OasYBaaAplaPf98T40wCgYIKoZIzj0EAwIDSAAwRQIh\nANLF21YPDjw/5ikW8WjE9faMx8qH2Hq43N79794pbMNiAiABWybJSBl6m0UDjuv8\nyrCB2KMc7MFYXvcy7JJMBeqqJA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQbZQy0FZkPmZWqq23jmRUYxgni8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZV1GQ+QyPkd3E0dnVmFZcfmMqbMeX8RtIcMxU\n2TwrEa0wOXvFFmGU2jAX7PYq+YucicaqAQv+El0GX+nnEkOwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT/HKHWW/JDXNIxpT8rNAvQVzO+QwCgYIKoZIzj0EAwIDSQAwRgIh\nAKDG9qkQPWnbi6P6pnvJFtk29tPHL4iJCUr0b1FpM8yUAiEA3RkV/O9kkJBkCoYd\nkhClg9tZuZTUlUfYMinGQccVYA8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUfOXmEJySP2n3K7Iy+9LqcTQXixcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEUO5dzIhf9eNmJp0YiFvGoN4LOP1l+/qFoGjkuE9fWR\nxcvyPX7+nHGi0Uf9NAW8NHIPNyG9EKfRIN8MjJ6bnzajgYswgYgwHQYDVR0OBBYE\nFEvtp+tfp+eFfxgK86Ech1QH50Z4MB8GA1UdIwQYMBaAFPoVD95bE/TmrGAWmgKZ\nWj3/fE+NMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nICIhH7WVGedolloRJTvtx00JFKlv/Dh3VZX6Zih/lmlFAiEA4kY9MPVyWLYrzGyA\nVzm8BO88aIIBfd2w+XVS6RqL+bs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXugAwIBAgIUYpU9DfKXKkjE/9z++kixHSczUa4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGQftdPnYfxlfuEzNqpkFGy9iDqUl6VoIl3U1h0Esm4d\nQhA3dHfQno0Uo5cB0TydRywuRq2lL/5EQJQSlpiW6JajgaAwgZ0wHQYDVR0OBBYE\nFBnBtRgeeDa9Y4ZN1x5lIX9jceBQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUT/HK\nHWW/JDXNIxpT8rNAvQVzO+QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIQD+2V1p7tKrDkxjxx8LHsliSeOMqM036knH\nANyKTcIjXQIgG/aU+ntnhNZozszeLsv1+pws079bNHNf+tHqwdgA6kY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFRLJy4XgaCMnuU01gPkAsdR1pM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrd/f/mIWLlmWp6ns2bV6mszUrcn5Rrd41CBxz\nGyGxrdaZIkxi6AfECXnoJ05PdCiUtgPJZ5JyluMF87UlYYQLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh6xanfrfDOw3i1FJ/acvl8l/wncwCgYIKoZIzj0EAwIDRwAwRAIg\neWXAF/wPWKJ1xeAVi2AWnipi3sSeCdTzzL84c/sfzb0CIEYGov9Dx1hETkcX9Xy6\nFXmP/ztGP7h0G4ykcu3d+kDB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFP64pH/7L78PUGH4fc4aeZIkm34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/VsAbrD93eqrZlBs+xcbF/YXg5Fe1Cdu5ULOb\ndTL3mA4PcpNIVe/4CIgq8x4kT1q/PML7Jfi44+yYzrLmm2Axo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF9/1n9loKghBRQybDzWUdZTNJHEwCgYIKoZIzj0EAwIDSAAwRQIh\nAMZhJ3vtA6xzVU5qQ2rUwOZ0o/TSFajeBrRW4QZ4+6XGAiAxmJYFi6CxLtp3aWLS\nn+g3gl0phEaVRNC5HLAnbM54ew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT+gAwIBAgIUBsJH+TFKEs4gTad4kTiBjuYmpegwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO2QH5cQL0xk7afD1/cRdEDK1NAM8HjyAoU5y+409Y4I\nSDEizxRluEWEmiX6krnNcJ9MnJjpJnDGQIHyVxKdiHKjZTBjMB0GA1UdDgQWBBRQ\nlD4NsG6QdDXKB84pmnHPFN1+1DAfBgNVHSMEGDAWgBSHrFqd+t8M7DeLUUn9py+X\nyX/CdzAJBgNVHRMEAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0cAMEQCIEvmvCVWDVKp/YMsBiobM9A/rLRj6mu+zPyX83uQQcyFAiB/BAnG\nb7k2/h/wsfO1HM2ppCgP65r9doOleFiYMWD7fw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUYSlrFXdQVUsuUSzMDqGI9D6suSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSjmTKH2HDyFdSG3Pao++qm5h8UD+GUB/PqbTABomiB\nF6ImFnlJHwiqNLZPsNFD40uqTkoxsFUVk4HcwdA+IOejejB4MB0GA1UdDgQWBBQU\nX5pc6rlntHkINjKNmWq6GY7y+DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBff9Z/Z\naCoIQUUMmw81lHWUzSRxMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCcTCT7TSCMx1MgFwRuXl93\nwBGmU6Sz3bnBtJOeur2jYQIgOh3PJlBgQLriLbNUZPlhExsKM1KRqFduML7kysuY\nEp0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1208,6 +1208,29 @@ }, "expected_peer_names": null }, + { + "id": "rfc5280::wrong-eku", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJN/PIl4eNI1JbUycNCSOxPM1kZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATn/QjkOsFpoeSfqdNFUSh0Z0kD5UtgrRSOoShE\nheztWwKOZXhOccjTwZThtPzFWvTjOB2tJVoHHvkX9r5G+rUMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKtMToG/OYHWKUsusTkV5pbcN3CcwCgYIKoZIzj0EAwIDSAAwRQIg\nYBp6cXFaW/c9FcdnySrNSrtma4Myyq4IJ6wc1MN6XA4CIQCIEh8CG+JINncxmZFm\nWLcY9k3VteVWKh55nKgr5Db/1A==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUWlM1VEpbwPrG+Ejl33S5BZJLsTMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCDSiwNdYNTbU6PkNymW24GvjlFqUsou3QTXjrIDkUdn\nKoFxMzG/Uwf/4+/R1k61t7seTfUKQSL28p1pXY8BIIWjgYgwgYUwHQYDVR0OBBYE\nFNBHhpYcrcc78xDwzIgQEtYV7gZEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUKtMT\noG/OYHWKUsusTkV5pbcN3CcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCU\nn5kBdRENbmFP/TGOx6rbQnsm8TK/ctIhVA3suf5ZWQIgdrS4F42Kt53QTRxI21mO\nP4x7BbV2Wr3MmkRqCIlGRMg=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": [ + "serverAuth" + ], + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + 
"value": "example.com" + }, + "expected_peer_names": null + }, { "id": "webpki::cryptographydotio-chain", "features": null, 
@@ -1262,10 +1285,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaybQizcmqaQsO85wzn+oj++8YiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGggpmEXeEuqZcfhrBbus1PBfMY77PHhta4OJC\nK2Mt+HOFOH4LRLZdbzZgAB6r00A1vREVcwq3Ykyz9krSGAjfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJxqDntw5R+eGug3TR6zqSmh6OOowCgYIKoZIzj0EAwIDSAAwRQIh\nAIoPTGXhCLaS+QewG7/n+bjeZkAF+FQ0mD4d3lDctolYAiBHYSUkHiPM39uQwq8P\nJCNXKKBWEznjFIN6Ms4mpF+Z6A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF0JrxY1UmU5gTyyv4VducnXnD74wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuqCV4ECGUk5Ja7JKl8DSYHOQFxxyWWTe7iRlW\nhKK0SbMtd/3qIYJkemJrRTl1/gN+8cJNrKyjCvmY297hZaSvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPAJdf1I5HxmmUNr4hmpcraIlZwowCgYIKoZIzj0EAwIDRwAwRAIg\nZGtZNsoGBsEPqP0bjEYttG/zk4+B9QqAgf3LVAP2hxsCIDaO7qNt9mPlOHBq26H1\nE/4fIbC8ZZut/KkiTmI0fSDv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUGAMb5eqDIFuE7rFicz+3LxkuXIMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQPCWqsrZbe3GFwa4jhmv7R4ZYvNB/8TivI90pgkymv\np4bskxH80Ft0h1CNSbBPFxpBEcsZ2G3xEPih/Wt4yGujcjBwMB0GA1UdDgQWBBRR\nLtLtBAHRxvldN7bqgddJQ5zfyDAfBgNVHSMEGDAWgBQnGoOe3DlH54a6DdNHrOpK\naHo46jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAg/9S658ZL65eUaCtQLo/1AfcyI8AhDuH\nG8mDy3VmbkgCIQCcXO/JzcPwhepek50LbHsBA9c22Y2NeGS+PV8LmkKfdw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUeKzZkE2UNlsLAxX9c++8/h50gY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABESOrksmMy3vo0/+N67VaAK8hb2ZTr0Lf5CDGJYqSgUO\nxybCVLJD6De8lF3Y9y/v/9PjsYdUAc6406wAyq5A65mjgYgwgYUwHQYDVR0OBBYE\nFB9W2xXCjiUciiivrkJx8k3gcV0oMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPAJd\nf1I5HxmmUNr4hmpcraIlZwowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDQ\nmDKXToTtHyyFuu24uew+CqfIIQ8kb6bXsyAEL2CJTQIhAN5uo6v0tnmw4PhlmKp0\njo0dFfP+oTHXdIsce4HCNOXX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1283,10 +1306,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGM39IHBC9ZEJFXYQXLp4LSgdzC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6gx2XlumaTty/B6qKhKm4fSt1B5qpP+N4YMUe\naK2CCfWIxoFo9U/HtQbI/nrPWD2MvUtyf30FTI+HIuZ0tYsxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/VDYZjA5awDHC8Zo6LKzkqzMas8wCgYIKoZIzj0EAwIDSQAwRgIh\nAPOoDdCt63zvynoDqnplMy4UtPt1rr+n28gnfi/WyHTcAiEA6vrhhl5fBVg2sMyB\nrC31QGV/6M9s2eykVpQ0tvifyV4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE0THwfYVMhnx8kOomnbwX9c8AdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmszoStvz3osBgdqSWsBkyeZFDaAUiB3QbNwJN\ngEkjX3SB66D9J1JFjTvTTjKcO7igIVOHYprvemfR+XZjDS4ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFblFAjcoCTbplE0tlHp2m9Hun9swCgYIKoZIzj0EAwIDSQAwRgIh\nAJTFqPZ5DM+IHJtY1AV1wSivFaBigEuI971m3GLDhEgIAiEAi3y8myjfBheotEMB\nwLFiDsgG+odlxnTp9onoAEfBoPY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUb7mbgSXkNWp4J68nlrKubiLzm1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO9brjvaup3vFa4sFz3zBQ6v4erCdOFjo4EhQmoSjNwr\nn/NjGiCoiPPBr4NDDA/gozxMVSKTLtzeJE2geLcPqaCjcjBwMB0GA1UdDgQWBBQr\nsz2pYr9poCgjU0DWbFjvMt7zoTAfBgNVHSMEGDAWgBT9UNhmMDlrAMcLxmjosrOS\nrMxqzzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAPFFCoZwlvUCoGlmqo4rjsSasK6OkSwIjO\nH5QeefffsQIhALNszb5fr0j3BBa3+aZhGD1mcdrCoP9OniObX83yCXfc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUOKGVN8ZOskIaWr/VMepd6BB2tkAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBh4/5JI2Z+xFmmOCFsFzTqd1RM3DA0lRdLSEIcbZFsD\n3bAHKx8AYCvAahvVaWXlbk3XS7NhR/jrh5lQ0pyfcBqjgYgwgYUwHQYDVR0OBBYE\nFKvJqAB9qXGjfQ+cqTIbuFVEAFIeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFblF\nAjcoCTbplE0tlHp2m9Hun9swCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFeY\nQBnxqL8na6affAKd+uqJIZvi9MkoK//7Ox4nwcVDAiAFyaUrWZEtHlHrxEwzgKi5\nfdpuiadN8N/CM8NraDVITg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1304,10 +1327,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVAif1Hyo5wcJtgcSReER2Oh8720wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuxXSILDKGh7kBC2GrWCk3JUUuM7tp88ydfTwf\n+kN23WEO5RRHbDOv5l7KSEvVctY4c8KOl/E0ejljFDPOBlIho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC8kqh5I8YOP3KH/yQQiNYYjH11wwCgYIKoZIzj0EAwIDSAAwRQIh\nAPcW37xmM4H2E2Tk0wks7KNm7D+kbmIYz0v3iHuvP1ePAiB0Y+xUwK5I58ZK6vTs\nRxlHiaAROhKVE9XnEEklYT6M3A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMXa0iOPZeVKiafdTU5fhWfRURyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3uYGI6VgRD3hURBdaVxPvBprA5y12U44ZOKEz\nw3F3nAwx5t8Udd2DO3LXb5uTZLjY3r3zNjws0Xt3Mhq1DO9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULkgRXzDOdgTaFtwjPcHBpfpjVTQwCgYIKoZIzj0EAwIDSQAwRgIh\nAOh5Nt3r6RnV/CHSl+CQa+OSAYW8tsihzdi00BopqGMwAiEAgkeUTU+sk8Jp2A5J\noLqVl9xLG+kRuGgnDJFvrLn+Sw4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUdRYvzwi7BtWhH3wVtRJ07OLjhFYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLTHFl3ogCesWYWxGmiBGsH2ZSLpFKHWQrJEvWWVfTNU\nMspqcHBlbXZmw2TTbllxA2bEGgL1sWo5FG7FyBfm+kKjdjB0MB0GA1UdDgQWBBSV\ndgBc1+GjxfG1qIwlLNFnxKeHDzAfBgNVHSMEGDAWgBQLySqHkjxg4/cof/JBCI1h\niMfXXDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgGKnT4XGsb0iOO1whVJow0qhokx6w\nFe5wxVUYZJHJTuUCIAlMyik+L9dGprDWYddL7C1ubc/m9nEiGb0bxxBVK63O\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUf+uB3V/VGCEpQLS3cZLdGObmH9MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCO1QVaRfHNruy752TtjQ+lu+xQye8QddfLp9531mnYv\n+coHBWTc0nyJwqSucqnw9tuCrn96uiNMKFk6/JHypDqjgYwwgYkwHQYDVR0OBBYE\nFDAfZFpZsTvtUkuHmZyIwJZFRc8BMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULkgR\nXzDOdgTaFtwjPcHBpfpjVTQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBhund4/MMm1oyKIi4/LcvCo1tdjX23wa6VNZtF5WZS1wIhAO9Y6W89Ytb2dpw8\nc3kR60TZIObOaxJK8BmvZEdGlbYs\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1325,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT4pRYovW09xf1dUanmBXFX6hy1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhyQJGxbWLkCWPLJwZmfIubq23K2mop4gsrh6G\nS32kA7JxJDmpvn+qcQTsxTUzkRuQMacP0mAmfM7nYlaXoFHvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdgstFkjuZwZ6L8KuMxIQ7bJj8rMwCgYIKoZIzj0EAwIDSAAwRQIh\nAN8wut0vh3m4B0jCcUoI50rUaRXInN35ZIkvMRZ3DV++AiB9+87q5mGW/d8asWNI\nXdW/NRGeTJT9s3ZrUhd7BhGDxA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeFI4L16sfliZc3sbgByq7VSr9bAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0pJAGII0uaKmu84PNgzrY9dTp4DcMVYV1nJzk\nRLgFQwazbfgTFhRdzbwu2yuvVXG70nIZDnZwTr2SqPYdvbOjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoDJXWXwCRh+Bo4UtsUHjChhHWWgwCgYIKoZIzj0EAwIDRwAwRAIg\nPDC6D9ivVheg8UoVVuXRsYWdtyzjqQ6h2kOVIJO/LBUCIAgMzY+y8WlYWtFF7r73\nVI6VEKRTqA0SXYEBVOgfHM3n\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpTCCAUygAwIBAgIUUzhfhok3Iek0IXnF9NCT0wPu53IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIqPfYQ8s0/Q2j8OmBOiLtaP/LDjRlYlkM+Q1P1uYoVu\nRFf4W9Eh65mZ4xtF5WM8o6a3smrsgjpdrtkneo0AatKjcjBwMB0GA1UdDgQWBBQw\n98RMlzj5R6W9cIGm9iNOl+uw4zAfBgNVHSMEGDAWgBR2Cy0WSO5nBnovwq4zEhDt\nsmPyszAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBBZccHIALHt0itTW3Qb6NqMl4/QMACgvMN\nKiJprwCppQIgVVsUcytK5G8507K8q7Y2zWkHHrgM/pEKBbKyefzyNiI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUabbt9rXqi8MsJXMK5QWFbvJ8EmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNgJNCD00rlATDkQZZ6gfOwTrGrp/QjxuerCgXdgcGQL\nELuSTvqTxMaeftQD36KN9oDC9XWVKrBAxuwCVvE8B16jgYgwgYUwHQYDVR0OBBYE\nFBJ+3ndyQX2R21hsO/lb42X1BWFEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoDJX\nWXwCRh+Bo4UtsUHjChhHWWgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEQZ\nEI2aSS99fm9fDFax6N3wU4Q9S1M1S4Yr3tHoSMIyAiBkbVcIPA26F5GB1Bm+uU6z\nFZnFgKLUmykGrDk16CMgLA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1346,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgITGZHvuih+tcv4ZXvTDpJc6i+BzDAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABNzn7XDpEZt+V6aMBMEn8i6XGQl4tsKu88JP5zx5\nBK+aaf3PrvoA6tjyCSM5xEUKB4/oiS8yXwQwkejg3JYb5b2jVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBR3v7l0FDTmfWJgQeCvzmgcn5V8pDAKBggqhkjOPQQDAgNJADBGAiEA\npco50mp3I4FW72XyGyIR4uDiyzexJ2FbZEb4nKWrBNoCIQDOuH/3H704KtI4LuGa\nh81biNz9K9gh5QNLTCfPrpoLTQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURg5kPOV9i5f855oB1LOFU+hSiuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATohsX+p7LC4ZuVbBqdkJeqAabR7W95PTZnnMcB\nsMpcS9uKLw6XQnYg8tdagHAWIe5GQjgROZGJL7H6hpFPvx6Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdz/XnteVxyeHHk7eL1sBKDc+TrQwCgYIKoZIzj0EAwIDSAAwRQIh\nAKdZl7IUB26zvl0nngqy+5BCpQD7FnfxOlNJ2k3dh8VhAiAiq1CYyidAqYa95Svs\nS/ZtSO3P3O75wwFe+y09iKttHw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUDvPkqAzwITJ8SI81rXQ7BDe9BQ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEABMsDuPRErLeoDzufRlY7cZFLGpXo+fQF6Q/ipcNBx\nISEep8NBS7OTGZL9A5+W8EQVSbSINEydwuwgJSsDaX6jdjB0MB0GA1UdDgQWBBSz\nmJBdVNTsCzEJiXQu1m5Pp5owHjAfBgNVHSMEGDAWgBR3v7l0FDTmfWJgQeCvzmgc\nn5V8pDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9hYmMuZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCNQMmLATY51qBal49z0C+GgBB7wA\nqAAa3QmUNrTWWfcCIQCevF7LWC/csinllkfxMPVvmFizecd/36QRW6Dcl0Z1Iw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUe1oX8RKSIpm+5V6DgecAutplTHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJCVkBMpLBLN56HZlgkffVho76YDdUW5oqOzH/ROskIN\nl5H3tyU0hW+mu45c9SdA5xQKdpLyff5Qfk5X5+65NVWjgYwwgYkwHQYDVR0OBBYE\nFCUZAkS7m2gSG8tpB3Rbw02g+XQkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUdz/X\nnteVxyeHHk7eL1sBKDc+TrQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAEEvyHPIQPsqAx9puAAkDXkeSOxw3DWBQtn9FTH4z1iQIgHY24HU7LNRkJEQ/9\nfTeztXMeNW/QgMfOjark3sAekYw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUeV3a2FipB4GngQHlZz5+Q36xGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvHGIjl/sjHB/KArM42Sr8wVPzNZjej5EBa7Xr\nInfcraYzsUrFV0zSMkoZ2oCJAHf+PjYbcnII/jjB1NEdv/l5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAOqr++1rNAwdsbyUF6tTLs1qwbUwCgYIKoZIzj0EAwIDSQAwRgIh\nAIFJ7qYtmEMg4HtXuGUu1mcN7Pm8lJTCytU59laOV9pXAiEAxYzYJLyBkpBrNrZb\nohutEnMy8VxUaCc4uvo3Otn7oLA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNFHrDaIFkQqzi4TRCFz6o6bwnaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbGSKUwOlS0KkpzKi6acS5DLP+LTeqO5Y7nn27\nIoWadrDfkIc+2uzAB4bJRvkkf8jvkD7AHEhj7rMVTixFs4d4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwUrG50BoCTT5/p0u+Z/KB8ojgoowCgYIKoZIzj0EAwIDSAAwRQIh\nAISoo5+83qOE+7KC+DsMoN/Am3fokekLT8MTt70CF0jAAiAzxKmfCVNmCOhWz4KE\ngtsfJQga92tD9vlqGVonSNERVA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUdItqWOh0bOn4nJL2bS4dMcC39FAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMJQxwFR+gyGrUOrA2depR0UqVQaqoXEVOSz5ZTxyVLY\nczxezSUkGOxy9ziYj5TTM7TxlqOQZ2TaiOPwCD9+Nx6jbDBqMB0GA1UdDgQWBBTV\n6ZmOa6SKNw/UBr4yxhgdhdMdeDAfBgNVHSMEGDAWgBQA6qv77Ws0DB2xvJQXq1Mu\nzWrBtTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAQBgNVHREECTAHggUqLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA7qRLmhtREM1a7BpZlsEPdPLwTRSCs2tc6UlLc7zU\n9TYCIQC7WZwh8/E58K04J/PrfTfabgJe2FR9zKVHEsWarvUDeQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUOEi5rWq3TM8anOnJBr66l7KKgQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJMuiTjKHLNphr/5xYqyq1gxSVbeBosYnG9HSBqVHAQW\nJAi3NJaQooyiGc+UOdjBxdz2xzvRgS4MxCtnEgvAb3CjgYEwfzAdBgNVHQ4EFgQU\nWG81S1jO+rZxh1OKLtgp1B900WUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBSsbn\nQGgJNPn+nS75n8oHyiOCijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDRwAwRAIgUi/9fYJ6e2d/\ncmVUOuKcdLxoSYX1hO7dSikXKPG7kzMCIGMMCGmIs1AqsQoeci3Gtf8TnAtlg87Z\nuwIew8sqdoMi\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXaMCpg9dCzpBQg/lCmA9DKgreh4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZ4QYDU6CRnTmDJJwYnC1TPd3LvUkOz2pbwwm5\nda0/DlLgo/LLH5L0EXyrm/XoOgoQtXjjFz3vWUlWrLec7Lx2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy0SC+qAD2EsOEp2KumMS4si9+/wwCgYIKoZIzj0EAwIDSAAwRQIh\nALVUwAyMl1xAtqFv0UGrjWD3Dypy+d6ek7/U1JWVL0NbAiA2w/pkC1Jf8gZyhByh\n5eDraROqumg/4OSt065Av8hV6w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeBbRt3cbAi/GXi7+MTvg6HC/vbcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQ3rDFmGMpyz6G7j/8pDafzEZRRsvzOJJzll+C\nmUonagqx905kOo4IVdlYh3VQgJPLS7ttkxxX3oTjH38LBzndo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcZ029VFTOCRtuxz9dyQ+JDFuvBMwCgYIKoZIzj0EAwIDSAAwRQIg\nA6tfmcVN/8z9iwhfltAKT1rcAvCr7IdaTJgc6NE0wlwCIQDcpbyVzu+FhwZMwoTd\ndzV7EHQsSl+1IqBGe+x6Bm7T/A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUKSuL3wPh6kJQDfAMqpiquqOwUvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIiiRWEb+O69EGCUzty60ayVyXKx59hTaG4SqQuXmtUO\niOsJQccmL6mPbyO2MYLI68s5bWcF/3/ljD+YOUyRZcujdDByMB0GA1UdDgQWBBST\nDO8JUa4rQro6MQxFG5CBQ8JtRzAfBgNVHSMEGDAWgBTLRIL6oAPYSw4SnYq6YxLi\nyL37/DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICnTBeVu0//khAqi6Ybu1TqrANYCHWuy\nmvsGJTCc9nxoAiBCI0yJCM+9ScCULzVe+VtPsClxfUw/DP2EcfBBWAEwig==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUdMB39QAF0jDu0TCddA9oarb+IbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDjCy1kFaMGWwgxym+SRg5nuldnSlejuqt1WWdBkCMVE\ncoTWaiZpfLEDsLymKkuyzMICYWsJSAGzf6kRL2tXtiyjgYowgYcwHQYDVR0OBBYE\nFBYX0COu0n2vmcTL7duxK4NN24isMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcZ02\n9VFTOCRtuxz9dyQ+JDFuvBMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\nSv4n4vLDcrm8dHqXSzdO9Tu1R6Y+GlXybP9nagRAAaYCIApPphIaoKLmPg6LyH2K\n6m0BHJACuNxh8rnjbXIPnJGB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1411,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUR16jGIBTnaO+rY4tn04jt1GDaF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbPdCWnP7H/f62BoAOdShQ1tsCn55zI2ICOohe\nDgEAbJz4hSPRv+X+n9IUQv5Am3J3huApcf69XKUKwyhtnRoRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf1Y0+yFfgzcGyZ9PaZFiRahb6g0wCgYIKoZIzj0EAwIDSAAwRQIh\nAID2Y5Y3Idzh9VrzlGAEBrSdlJ7I8aHMNOGkUwRU9PgsAiAKgSQcoxKzZYgGPu0I\noKXRvq/Qzer814GrJmF2WfMJCQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSHfmXNloUIfYbl1udixYC00SiwowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlp4QLrjGS55swgkNDfhfVOElbeRPFKCQLcwO+\nQ06UroS3obyR7vFlvygNF2Ohh8/7RlUrCqjEAGbT13oGamSno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp3m1dknXXRojwxutLqQxhqTaL78wCgYIKoZIzj0EAwIDSAAwRQIg\neTJz5qLD2ho/QQ7ssMdk4MqJKSCDhoR6dc40YPQ0KWECIQC1O9j63Wz/T2GIMqsm\nIa6U7MiwtwSTWZ45cgCL1Ue5qg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUDzrkPu/E3RI/AfH0jj2dbAxQP4AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFGbuBl0ZUMp9nkKoRIP5AqA447ZER4SKHslwHflIfDw\nOwlYdP7Xf5m+IoQTO0KXJfEBqf9F2ZIcC2Y8pFlPftOjdjB0MB0GA1UdDgQWBBTL\naaswN9JY+w07Z0vwQz6VvGUZzjAfBgNVHSMEGDAWgBR/VjT7IV+DNwbJn09pkWJF\nqFvqDTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgg9iYSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANrNEhqSp7gfZro8suEXav30kZzz\no9NRWsF52kl2cVz4AiEAguPtSraF2IkyC0OhGyIX7CssFbbIUu2YbLC6de3Nvko=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUR40UWzQb1CcN3TR/0CZeMCh1q6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH3GwGb0Y/zZXZk3rfRUTL4GkHFmSJ+Yk4DJcsqeqHv4\nSOGjoyfm9Ew4aYqyY2gaslIRWIrMIaC191g1htAQwwqjgYwwgYkwHQYDVR0OBBYE\nFLQ7yMcmwqI+vfKQcQJYzEJJsxKiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUp3m1\ndknXXRojwxutLqQxhqTaL78wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAsUcJ18dYTnNBwsYTDBN5ctGPRmqv+M5GcfTWk2bVNQYCIBBs3V6IBxzWGFX3\nmUVe65fUdosHupwJJQc4+6LwJKwe\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1432,10 +1455,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAlO7XHXgJZ78rK/U53TYnUEWzwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARBOyS+GMDzswD8q0uURmw8i/h/cfYoNq/Klf4n\nIE8MIwbx7tVHw/y0NJhb5Tt5E+X7zdkGMFL084OZLjv4+Ta3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7yYItYgx81z8b3vVo2CIa3NgZoowCgYIKoZIzj0EAwIDSAAwRQIh\nAO27uJzziA7HoRxf9CA305BQNMO1/oX2ix0gxWKV8l6DAiB3XXNsai+7NzvqVrPz\nmIBW7BSzDmVDSro9wxRa4n8oPg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGe+vXAvLUQJ6+sDRyvTP5yXpoTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATeerpyaK3BApgFqHBkvJQK+8vhESpk7XpdnFJ6\nQ39zJvtaWvW2jsCK9Lx9JDCF1Qe5pSWIzu43cLkwUv/1RsEMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8GXEel0xUYQlkqD0/O90XxDepMcwCgYIKoZIzj0EAwIDSAAwRQIh\nAPA9v6KBGEUAYoxqWQwGE/faf+PYjCybDg63lIcjEKi3AiAclGr0JlLyvBkk/5Ew\nVa3KOma161LJKCDBj6qryDv1TA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUT3Qapz+cotN499vK9Tft+i87iKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPi2/7KmMbVfd2wOGNb1UV4nmN3kwU2f9dbWJuglXaC5\nhGDcJk0kwCe0If9cliSibvKBn0XeGSuWkkJfvPs5RoqjeDB2MB0GA1UdDgQWBBRw\n7veKgbM/ZOZB19ENLS/jibLbozAfBgNVHSMEGDAWgBTvJgi1iDHzXPxve9WjYIhr\nc2BmijAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAcBgNVHREEFTATghFmb28uKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzN3DaUPb4G0HlgPpejlMDk2r\ngOoWwmmtpCMbWGWibLYCIQC/IJPxlQnNiAQifOPUmnAgnJF93C6JeJC8wc3ocn5L\n7w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUUeaAbrwXixqJFAdhBae+R2DiqvMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMhaPeE8jmctJAeTEqtA0csCRb+i/OvTndzTeejdDiFT\n8YKwU13kPxFUbJClZfGeumS9uOM/7jdQaKRHpDcV4xGjgY4wgYswHQYDVR0OBBYE\nFDb+eyGGqwN31pFhlrICaRhWSa/6MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8GXE\nel0xUYQlkqD0/O90XxDepMcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIEJGyzPS8Xo61+ajfTs8omrNo0ANwPjZ41EV2P2pV8T8AiEA1V6EhbLdkio+\n7Lpq1/iHMa2oC4V+Vhk9G5hugwkYMGw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1453,10 +1476,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURmeXMELZOCs+Laxqh0CdV5krLbAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZoyL8ifpKSw8wWgFp+5PrCt/MDKqT91LIqNgv\nOKlQBtDlBZ8aTcOTD8PSEUoSULOTuJYzXfsAnPR3CIU0Mg04o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUugVHUJ4NfFDvUduKyULkgY1ISdowCgYIKoZIzj0EAwIDRwAwRAIg\nE9CFQAv47b7Jg80Mj00PuW26R1ACjARNhZyW5Cj/s7sCIG69Gpjfsa1q8Ym2E5yS\n2qpi2dtI3w0MIQ5H3xvV9ztL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenvjI9W1H99ZNSU7UR575obMP9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARq/VzeWKkIH1qgI5LsmeLwhQ2nmiESKUU+eZZT\nPBLJxAgdtvMJxLB34ktEUXxUykiEcIETAXToE6O1cdPXvNzwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8/XmoOe2q+X4BMEouCQtuBRWrpAwCgYIKoZIzj0EAwIDSQAwRgIh\nAJVvD+Z5leBlnL5geg6v9a9NtNjphENZtXWTQf0hSzOhAiEAypulUy703p0ZTh77\ngr8hedE9ykaR7wlalSUYldt3xYQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUKfpcPhg17e3H5bCkvlb6j5/axB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPjbYZWKedDqs78OY29b1rndPvb61jXoaFTfv3PujmYA\nnt7Dabl3pZ9NmuWiZmEBMV1zoMJjeb9yYRqonMUgb5+jdDByMB0GA1UdDgQWBBQY\nyFeJHg+M3jvs+o0jn9fqv64DPTAfBgNVHSMEGDAWgBS6BUdQng18UO9R24rJQuSB\njUhJ2jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAYBgNVHREEETAPgg0qLmV4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDxN0I7GnyyaGsvNicA1rHPhBst9hZp\ng+EV0xDwBKBtzwIhAKss4QC7m96e4YKDUyuCYxCny6kx250e5pHjJTZm4ze8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUBaUo+mXn5npK3A2okSH36XmWqwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPR3jqfVdbgyg7b6m5aFwbglid6vglYuSZa6g7RbfLwn\nd6haSmsPf1+93U+eXlIB8i7/2gCYr7Xo2IQ58uyRLwijgYowgYcwHQYDVR0OBBYE\nFEz5cMzcuhnCeWoDEU4TP3qQ066TMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8/Xm\noOe2q+X4BMEouCQtuBRWrpAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAI/7ee4ZTqBrHVh91FS2vEKnk93aKuk5Cz/YwiEf9jEhAiEAks7lQUhNk3mkPbQS\n2RtVRdYozqJsA1YKNwZSJRD6i70=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1497,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfhochA5ynBZl1qfQ4+cQ8MOPpnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvR/Jkr1BA5acKyKaRnenvkjk7X/ytP0a1vF9c\nHOZtqPnoqyCB0Pu3hb3aoY/cxiK4DPRsw6defCi6x5PO6Yelo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHbpNkwYs7/Q6hfA9C92mwA01ZR4wCgYIKoZIzj0EAwIDSAAwRQIh\nAJBzILRKJ1yakoWWsjmOs0AgULr1a9EwoNx1pZ4Hov6DAiAC3onYNzxYkMnho5S9\n8VdKLCqLkZzdS7Z9LBpqfanHrg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUITPGLPjl8p8LBq/fmalmoBnPcy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiyuyzraNGytQ6mz7SyZQ5zRMcinq8tfs5Zii0\nZeQVXuzOq+mSAOAlQgB6mMDdVMZW1FgMuPSST/O7bZCtUdUUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjX/VR5NGySQ5bpH7nduXC/cM3aUwCgYIKoZIzj0EAwIDSAAwRQIh\nAKY2Hd6a9CznQL08uqzwBVw4jZKnoDpHDMxKqTCEwGxvAiBgQIgqFA5puEniuP3N\nKn189OyheXONflucSI45pA+bWg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUf0VAiNDMgIl/LsmmpYCPI5btmi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPC3BAV647e5bPdTaBwXe45fCTfOkMXraXeaVqi8n5X4\nI9ucP4pK+Tjimh/f3kAdbvXqSrA7aOeduLoR03SzLgWjgYEwfzAdBgNVHQ4EFgQU\nr212L8iin83qQpeuP4GPEXa+RXQwHwYDVR0jBBgwFoAUHbpNkwYs7/Q6hfA9C92m\nwA01ZR4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwJQYDVR0RBB4wHIIaeG4tLSot\nMWIzYzE0OGEuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgFsqH6GydRflJ\ngAsgY269E/xHsNv9wQ9wpi7zAmm9KyUCIQCiJlPubV6OtuGuxLQl6SAJQxKZztaS\nL29ofKNB4v4wgw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXKgAwIBAgIUeFdYwWnVeWV5RKnMC8LQ+ykxg+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABINMzXDgJAN7l88fapcwSGfQd+ShpTNtaGLsSwEx5N5g\n33mEJv6ZgW8WlUc6KOlr0bcr9XUiNN/GzRTrqLE7aL2jgZcwgZQwHQYDVR0OBBYE\nFF/D9gQ37mk3PTJsdgyk63+crJpMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUjX/V\nR5NGySQ5bpH7nduXC/cM3aUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIDcYyBeIPnJhLfDN2NhZz1VBFPiFm26tmqPE0B41wQboAiBq\ngRTlVYflkmUdz5xS1gj0mhd512DznSPB4/NAahPjcg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1495,10 +1518,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbA6A5JT5bG1xdr2Di773oI7BXJgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHTHBXPwcKevE4IxkaSIM5xuyFmKuFS6wdX2YX\ngWywRe8cpVyfekSehQGEpD6nkgq9S8KYnFuK9XZOVvD4rz6no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBDsH1NvBvueSootBeBqetJaHWkowCgYIKoZIzj0EAwIDRwAwRAIg\nSbKiF9X65NRpfiQRjuOuwfiGbxWHpFuwS+xj+wPRZbcCIC1pIEpHXRAH0Gtjx3Jz\nmkgqnPQDWAb7rjcs21WX2uWV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUblH8Cjf3bYJAqwkqhHoAk9+y+ZMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvmq/x7l7fo3EDqf6RD1qiBAdo88aqoxVhz9Kt\nIojBa0rzU9hZy/Ha1fZpGMRVwilAh62w7u/jSJGGJYwh0avFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv6WTAGDmBc+OA8FJV48ERlyZqt8wCgYIKoZIzj0EAwIDRwAwRAIh\nANI2auV2PiilAeBJZwyG2ZPjCdTFLVol+Ab5G6tiC8McAh8Ltu6ayymoLNKrM1dr\ncNkM7UySBH2WmN3vZFlQVoWU\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUZtK4Cfe5WZiiRaTRAXH0p2slDtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBShVuUaF6Lbphh9F/qZZK8b4vz23Xx5zBMRj3fNfBWN\nytwHY/QFMeKIh0euZMeRu283KqeT7vSAFhgf2qK+5vqjdzB1MB0GA1UdDgQWBBTV\nfRerD3uMQMFLFG1npyBxIK+yJDAfBgNVHSMEGDAWgBQEOwfU28G+55Kii0F4Gp60\nlodaSjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAbBgNVHREEFDASghDwn5icLmV4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCG1e5OWU2vr7Ah32PoApPCPQBB\ndwQrMcTH88pqJjkgFQIhAJQw1F2ecx4nhCxq+a0ugUdj3hHtrRsIVTyasSpJc/l4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWigAwIBAgIUPeaf9jk5VoQe0sS/rbzgSZm9KWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNZpC0XCFygxn2YXALlBl8ZY4UFGQBLpUZW+dFe3A1Vn\nMTj4rwzHjKi46YYIE02ooEMZHFGVxu+lC4dLGA5iU+mjgY0wgYowHQYDVR0OBBYE\nFOq19Wqoht8iV0eokOXUKCbf1QftMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUv6WT\nAGDmBc+OA8FJV48ERlyZqt8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAPa7zbD/4Yq3a+puTZnEuQ0rkTzN4OTijlc8zx6aleuOAiEAwgdjTo/7WnwC\nLpYDKge0DjMjgiu9jYmXVO2ztPhlb5E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1516,10 +1539,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWlaarGhkdPU8ag3nASYT+HdyE0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgc44/Tr1oz6VjABas/h18Z49is2BsPyNOFylM\nUFOG2RHnT3ILSPUoybm029vkXMTUzXtiC1pxUHANlA6/9bNDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhX7tpJ9yRijBPjvyzfwx0MnsdrgwCgYIKoZIzj0EAwIDRwAwRAIg\nDGKCQ1Ii7Gkx4lskLkb3rf0Qerb9j11wNG/YMgN1CgUCIBpoktnGYdd9zpllY+uI\n5gVHrIN5oXsVgC3FPV+rFYvD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOIUsHgtqxpSIbaCAwK5mrgeb7ykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdSNxIPjSTluFRYohjSAsJNAmd6dIF3lUK4l50\nLHbF3+Q1BILQH//U9p0ZM7tUaSD2St5ooHlgZeBaF6amkZAZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa8qvFtRBF9JLblrlYWkuGXMmGLQwCgYIKoZIzj0EAwIDSAAwRQIh\nAKEPxtdR6t+u+jrQM1wYpmh8wcbUPv/7qFYCgqnSRFu7AiAsIo/fpJMnaEPxzM8y\n9yt32mUZZ+Lf+jmZMaE6DWB8Aw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUDwhhI5PE4fI9qDN9IILEZtGdq5MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOPO/fZst8ogPjk8h0sNCPgDzUOI1+tRq3xA4BJCFqBh\nXWsSLhpn4zUZ46+q45ACENJxQJA1H0jp/UsR7qvuGgijgYowgYcwHQYDVR0OBBYE\nFGkzmT9l+0iKm55c1dDaEg0wfycjMB8GA1UdIwQYMBaAFIV+7aSfckYowT478s38\nMdDJ7Ha4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3JtZWQwCgYIKoZIzj0EAwIDSAAwRQIg\nA5v8M03WkQefGQfZCmZ6BRRVtzLLQpVSad6QuplBXS8CIQDQyteDlA8LNez8UOL3\nUaXjb+gWQSvoTg5EnPC2wSi6Yw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXqgAwIBAgIUa2rXAnadIr7ZnR8/o027xaO4tW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBDiSBvqr7LsK0Mj7T2Ivdgz9PCryEJOa3tLQXRk0IDE\nG/QLp5BJzfXxBBPsD3HUXSzyx1zIE3K3XF+Jyr4RAXajgZ8wgZwwHQYDVR0OBBYE\nFBPf6PRUstBSWtXmLLKBp8hBYXlaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUa8qv\nFtRBF9JLblrlYWkuGXMmGLQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDSQAwRgIhAKMQzTZ1roXOWhkjDmzPWIYqemoVJQi7WXsJ\ngP7ZjuLtAiEAghv+Bzijvhds2583TOBWuMuOh9GgyOZH2lP7mw7XOZw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1534,15 +1557,15 @@ { "id": "webpki::root-with-extkeyusage", "features": [ - "eku" + "pedantic-webpki-eku" ], "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUZi3vKxwOwuEx9TFGpA77tyurfbYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYObF9/YcXEaxlo0WtoP0bmu1wLnIL7NVk+IP1\n6aQbsDA4OiOsIR1IrmhW/tsyhyGbfy3xFmwNZhiUoXykchUAo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPe4Q80JxOs58u+52n5U/ZIr4bPwwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgP72Kg2qb4pXAReSAXFXX9uzjgsU+sWmOc8ze\nqHRfXegCIEXF9P3xFSGb0RaYAfzEyM1J9Bb+wVAPFPq/JXEXfNLx\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUUGRJ9aaWrArJ2JTH7ENWRO9nJ0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrco1HJl//yCeUJ8NWsMwUlLl9wc1SYXRwucy1\nOCKAc72dcFUdU69DYp+DM64vnXlQaWCKfxLvCcwFAjRl5tyHo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz521f2hiJ3TXg0Dg99Nd+1DPdqowEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAPv1XeMtLjMKInxl1J5BKgtASjT1hIz1eoOb\nxir3neGDAiBRJsnCs83X0y4Ghv4XTMcKMwvsLgYv4x9ALGIFH4g6Kw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUBZBhGyPEArWSwsAVCmvFNSnDdzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLScJkYbvZHcaqPHikaWc83nAhwrEjhKYNl7QLRzqfRc\njLQVKLgWkLJhWmgLKq2tA/09CMgxc38/+UXhh2yPm7ejcjBwMB0GA1UdDgQWBBRd\nUYKfBN2IiQug4rlsOrq+y0A2ATAfBgNVHSMEGDAWgBQ97hDzQnE6zny77naflT9k\nivhs/DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAo1NNX2HpOfMEhO/bREHp3jg31gcL4Cds\nBHxeop1RLnwCIQD2RX6q7C6kU6fUnI9W7j71cw80/xLNoHb87QpRWXUlpg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUNz2Af1K/HXTbMxu6xvFIT0PVBFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCjIQopMv2a25BenLUpdsZP1M0cFNJ6jgqCFdwHgx+u1\nbYZgFOh2DkVwxjC9MFN9aBfe4J1TmS/5fjescJSLuwijgYgwgYUwHQYDVR0OBBYE\nFAghrzUB4808OKeRYenCJCNCVGILMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUz521\nf2hiJ3TXg0Dg99Nd+1DPdqowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGYS\nmV6AMmWxnWzYZQ08YUHCnbkVXt4sbCOKqBumeLKVAiEAxnlxkDuFsLjHCjdkCTWY\nRD+5jifCIqW4ynZZJnbyyH4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1585,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUZ6jnCH6Rpb4pKjEhupjUKsD35QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcYPlYfgB4uKAsmodhPWD+afTIphboHGegacal\nxJyzPeyVAOOuxx1D+JzkuoT9LATb74syhzTTQa+UATexnWjGo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJu7Y4eqgjw1MviOxprs3DakOfNcoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSbu2OHqoI8NTL4jsaa7Nw2pDnzXDAKBggqhkjOPQQD\nAgNHADBEAiAkBxgazBp2pDkido1Uq1Lv01SN7hNP1/Pmib+/IN/SoQIgAz3gKq/o\n1Evthra1FI250BdRaEANKqFInU+Uz57v8L8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUOkWyMsb06Eq9Md3rTSeymJe+8d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEUTpcmq0318pQTcVAUWcmY2n0rjX8cWM0H7u9\nxS3fZjo4PYDy1LPPFdmNsAW77TmFyd9Ua/NtQjxwwrn6jhXwo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFKrgLGlETdxlq6fn64BpYF08ZAq8oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSq4CxpRE3cZaun5+uAaWBdPGQKvDAKBggqhkjOPQQD\nAgNJADBGAiEA2pd+BVwraO7yASMTZqwCMxKQTWaUrQiSSCdMeK/sxRYCIQD2xgTg\nhz5tkebrfqXN15NPa8ciOnhIl61uRZJXuniz+A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUZQ2GC19d6jQsYa7Gj1fYUjajAjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDJ/VWRDvnfYzviDxvKfenXPaDlNtNfJ95iy2F9wAOmo\nmHboPvr9qdJUqZrSpc+S5y+wc96N9m0LcPK4uX9Nj6KjcjBwMB0GA1UdDgQWBBQq\nQznpsQxyW4k0mDQbvR9QtGGxRTAfBgNVHSMEGDAWgBSbu2OHqoI8NTL4jsaa7Nw2\npDnzXDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA6ipspRM/v93G2hHG72M0T0D1kUhWP60D\nUlMyKpEzarACIQDQM3AvtIBgY/dVSwgmZPHeeM9lq3ChC0G79kIsyjQ7mA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUb/4EtHEE6DuryG0+Osw9hmuezrYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKJpPy2ked/toyAcmbKtnDtRjVChXhdMcgUBuAMvWZIy\nFka9ZDqVOO53sX+tsSdp1usjQ6raEW8pAcWvSn7HpeSjgYgwgYUwHQYDVR0OBBYE\nFCTQkYHrXRehPeKVUrVUeOt0UanRMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUquAs\naURN3GWrp+frgGlgXTxkCrwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBsw\n0I4PhebrxYvlZnvmXYSyopcYuaOsuVOwmwtET7DIAiEAl6LrY7g88q3/NCvlnqMI\n+ljyuppuTt2RuGCsWPe4pUY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1606,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUZcp68bJhtdHPmsXSR+5Y9ey+3WgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC8dISKdPcXX1HnJmOQ4C2/3snvseiQMjjbEBS\nyoFoYnspetsXDbVGp88sC3s248jE+rFP3vh/GX7f+Jw19wSbo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBROFHtkHsclIeKrQkmkOn0M1O3cz4ICBNIwHQYDVR0OBBYEFE4U\ne2QexyUh4qtCSaQ6fQzU7dzPMAoGCCqGSM49BAMCA0gAMEUCIDDx/zKd9EOGVU9v\nQlKUwkf59XLHy4vycD2AUl6vfxaUAiEArH3vMiu+h08MUm4o+E+DjPvzY7Vy/qe/\nnLOPz40jkP8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUdlMgV5G6UaVpSlQB3Kr86Gp9OOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST68BrwKEnURUBJk30KLpu0MBHz4I9d2Ptz/5s\nKd182wf7/OhW/PxlhHD12I0LdmJyPP1doeRvjHjMETfszmTGo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSUGLcFgmcYXAzwhgcnC2+p47M7n4ICBNIwHQYDVR0OBBYEFJQY\ntwWCZxhcDPCGBycLb6njszufMAoGCCqGSM49BAMCA0kAMEYCIQCQng13NFkpUYnp\nvRmZY6ym5UBgD10ATNv2RbqEIB6REgIhAJvaCFX+0zOqxqnq+D2NGI/iKjdPKsoh\nmcavxfuOhXtr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpjCCAUygAwIBAgIUSP3vHbmLh8bvwKAHquvS+/GPYTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAj5iDGnce0KQ4SH0z0F5KPmavnUFcloBUgdBxWvpNKk\nFGakAQs6LHZx0KNcbUxidfoQwqv+l9RqBGwfPKZ/oP6jcjBwMB0GA1UdDgQWBBTY\nkMrP2mSu2NjAaMduaRi/oksKkzAfBgNVHSMEGDAWgBROFHtkHsclIeKrQkmkOn0M\n1O3czzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA37k1CLxVU09oZ+z9089EAJ7VXdtz6T6m\nWKXzFwgh71YCIC2UiYjQLL6HioPR4aFK9K8o/SzBNxleMgzVlR8vPAoW\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUXaG+Rz4PYmEty7yjhAeshMpzTmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKDZdujVOmVp1pk/gpGQ4E05mOQzHs3AgLhQEyags8kh\nUXtlbeCNlBV3BNjv//uUlq6OmEmQlogyUbFyb13Um3qjgYgwgYUwHQYDVR0OBBYE\nFJ/WY21eZleR3dX8z3Qkk0c+q4XMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUlBi3\nBYJnGFwM8IYHJwtvqeOzO58wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0\nPnLPsA84kj1qxqIr4gtyUof38yG+Ji4tEC17O7v95wIhAPBs/gfFnUnn2Apei8d9\nSc0jyJm6LstKYl9psTKT+37b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1627,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUB9pUxkTTb2xzLW04GdbGXoPg/ZUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/GtJsjwWRmloQneuvnlft+Ns5qA4UiTt8vYzB\nCzMBfv99gxFfEnaDiG3FtNjGFyFFyj5kuSRh2THqH+xuMU3Co4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFA3wuHSnco6IViSqim68jBVbBVcLoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUDfC4dKdyjohWJKqKbryMFVsFVwswCgYIKoZI\nzj0EAwIDSAAwRQIhANjwhHMO6O9YpvKgZUG2ehEVkg8j+W7D4OVNZQaII3SYAiBJ\nJ3y2hufbVUp/8oBDRrsrbknOcvowc7maMo/nXx9OSg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUeo9Ir4igEQjbbHLMvz6FyTNclCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlG1J/lkQQStsUetonFiAVrioSQk0rDpX1nn/4\n0rzMW6TM4YzcsfYMnVdPVb+ZRRObhivp4IDKVb2Xl2/nKIZNo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFMmHclwUZEr8+YuIZ6LEVfu7fBQOoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUyYdyXBRkSvz5i4hnosRV+7t8FA4wCgYIKoZI\nzj0EAwIDSQAwRgIhANl1HPI60UiPSE+vHTQ/YWvCgom974B36UqgPUeEYO3iAiEA\nhw3UwAm9+cGIY9jI40fbWE2uMkPdc628RRjVByVVDEQ=\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAUygAwIBAgIUcUjqZbf+K8qpJ6qbDfIYiuuGJNQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLKRalNPWdvTVZ5HT0dsutEgAzR3aQMuY/QeLAO4afSJ\nTAjhnkJJGgRtou9JQXevd8KpRfKF6PLZaCbcK7sFN62jcjBwMB0GA1UdDgQWBBRZ\n8uJyDegvLxn8RDmm8uFnSLCf5DAfBgNVHSMEGDAWgBQN8Lh0p3KOiFYkqopuvIwV\nWwVXCzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAponBQjtPsDHvjdrYm3lUeY6RfEUTt4CY\nZ/NXPBXY7E4CIQDmVDAISWP9WD7VBGmDFo1gzE1HBICUHjsoRYnxj8mCWQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTabTY5thZrKvOIKMeDdLwinW9UcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHM6OqjOFgahQOknFUZgaWFDKpzDf4k59VEhnCQN7tsM\nbnFkITbFYbjLIben6nHi5aeH6s4JxwALuJxHHb+nFD2jgYgwgYUwHQYDVR0OBBYE\nFGgg8aG2gAz6SbhVHr3yuLTQ8wxKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyYdy\nXBRkSvz5i4hnosRV+7t8FA4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCS\nAlccf/R+2zjLi5QkD1TmZphy0sqUWbwBdYF3EGLJIQIgfn7NXRA6IykFLpC/v76M\nDfty3SFtc5LSD/jaKqqnZew=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1648,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSPwwEOPYxVvbGQPvXWwQOS2wIFowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbHNGc3t7ApYl0rJmYhMrICUhqPuy5zrFY6qr7\nu2t/lCAPhR2acraAQL/gsDs453yv87I/M3f0GJmZM6jC2Sbio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUztHIGhVb7AxTzHQigGTrhjvC0Y0wCgYIKoZIzj0EAwIDRwAwRAIg\ncWGV61BHrUinZxT0E4eM/HiB49vUjRl6C43i9iTCUYgCIAEoZ1r8M1RAjmc13/hF\nLPlThsKM/q0xqPzuNhcTq0Jn\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSP1tObZpS0H/SV1W5S1IqcVpQUswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsO+fyej3qStoRBUsdZq9iPo56VQehTDFx1ZmN\nJfKsazbx6sJrFNEYdVsqAhUgF371w9SgkabkkeBgrh3kSrQWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr+yTqvLzP7JXSUg6o5j8kDQg4mYwCgYIKoZIzj0EAwIDRwAwRAIg\nKTTHDm6Tga/iIecCXz7MEmDHluM0b3m6EYfKCLZ2djUCICYDPIaNaZ+h+eERfWoa\nBmtz0nnIp28xT/GaAps1wBCU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUYI6aan6UOqe1zvFdK69FKBqfJhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABIIJzuzU70FqQNfCUB3xyI8pkQDBr4oxTvP9luji\nr/Khx1jY78ZS60U0MiJonTHZ3dFxVimat3HQ0FxNIFeHlQajdTBzMB0GA1UdDgQW\nBBSkLj5wdHHWvhx4C1L6Pycnq9ahczAfBgNVHSMEGDAWgBTO0cgaFVvsDFPMdCKA\nZOuGO8LRjTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmEI0tE9aVL9AdYRZWJviXVd3\nKUIoriDx0vqYVICakFMCIQDCVYlS73Mw2gjpMnZGaTOK6f+jaWFEqD6rpu6qjN1t\nBQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUPp3kHFDyPF39R6NFuwoj3NZlWD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABADkkqYoPQUfgIpna2LWGWqP9AAZAFdaNMtC8fTq\n5nrRhNmY+/lDyQkY6IucjAKJvonVkWbAxjRPFTasyb8D1b+jgYswgYgwHQYDVR0O\nBBYEFMjL4eTTGU+7nPFXQgQ9MUaPxioQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nr+yTqvLzP7JXSUg6o5j8kDQg4mYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGN6PQ14NQTjiNQw1/Sn9D2gbEI6c43e3lmekPjH4BeWAiEAp7VQDB1GZNSM\nFwSg4XSf8KbdoZnnn2dday6GTeX2rfs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1646,10 +1669,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJsI8QGpf1bnN0SBPOh7EclDXUM8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRzgqaTTSRb+qqdneIPPHst6cmGu+AvY/cR7JT\nwdKClek2HDq/1uU9ko5WRZvUfhG1E7UfOAEAQZXLcyGcEKj3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy24t/M+mTdYmK+p7Du9AlUl422gwCgYIKoZIzj0EAwIDSQAwRgIh\nAKAb+RWVb5kRJqumpIIro4ZaWoEjqmQlBa/Ilofy69RZAiEA1l2p77Vu9Og/5429\nBHFvW5m106gAks4eROB8RqoDYa8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVcJ9Bi4cRB2hd8gRSvRzTS62xIgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATf0Vm5hGQAIGRm1Eh/YPxzoinJGQr8H7TFyLly\nC6OpP9KceET0b8vbcjj8ubGugrKaK6Ls1QCqTHdoNFfBR3sDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFGoKMoNDmki05wYPSwqCPKI66p4wCgYIKoZIzj0EAwIDRwAwRAIg\nEC3Xp00GNhhvijHc1WPxLiQNRW0XywT9UPWIs86TndMCIFbVRXJUtIIj5rWU526s\nxUBxR4ZTa10SjWyKu0jFom2W\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBlTCCATygAwIBAgIUWGsaxq88TWrTdySjO9RWr5zEeRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABOTU0l0W6y/+jv1yW3sFT5KV39Blrjb6qiy0LOqLUIdR\nJSNtBFkIgw2tZ4Y5J5gtXqNyMHAwHQYDVR0OBBYEFHMMHt3sJSTSw+FL6Jx8wRXD\nFueHMB8GA1UdIwQYMBaAFMtuLfzPpk3WJivqew7vQJVJeNtoMAkGA1UdEwQCMAAw\nCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0cAMEQCIHFSGOXYMmLATKl1uTXxjrFawDlj7ENvelRkiHMz+mprAiB2FQ2HA/bq\ndjYnKkiRwTMp47Re6uzddttY0Uhf9QYfWw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUKBkyE74AGpARxQs3NGTFzs7p57owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABFgZcJZHiDteLHr6XY1yeul9ay6VRNjX9XkZSknAEIjW\n26bweyM7EnA64fb6YVE8mKOBiDCBhTAdBgNVHQ4EFgQUVu3C08VXAhN0W6MeDjmh\nUFmSghQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQUagoyg0OaSLTnBg9LCoI8ojrq\nnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJMZbUOwk3w4QrGuF53VVvxT\n9WyjVdwMWC/TzYi08VIJAiAPGwVbnO4S1B1VHLGzejsImR8KhZoLD1XRczn2fTxP\nJw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1667,10 +1690,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAckcthZfcP0G+dALTEx/vATPG7owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYevw+X/xO/4goWers8qbhBizTfNz8+3gFVoLV\nJs/20LEmgT3VwQpkReGNKOEkpJR1tFXt6h6wnFdRbiGZ6TBgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVC4iepPreG0FOx+DJcCRjn47JhUwCgYIKoZIzj0EAwIDSAAwRQIg\nV3DokhP/+m4C0+L/A+QWpN9dmXyTmbZMAxY3tD3zttICIQC8dPVuviuaRxBTk4ue\nIMMKy6UlrkIugjR77hUuvA2n8A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMCTfPk8Ob92Ovag2AS5upjq1ZpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDFWIWFlOufdlyBE6Z20IAVM8pexDCEt5s9LsC\nPn5flNJxCj+bBCBLmJnuae6+yXzzvSodYwOH1IIh/aefw/0Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGMmOgHrGbUVqsD1rmOHij8dVJi8wCgYIKoZIzj0EAwIDSAAwRQIg\nLwGzO+Z1pu2uXMv0RHie+DlnN9P04VIpq1e8McDH7XoCIQDEBYhns7BmVxmarOxh\niyoF0jUM0m7FTvkBNAlMnz89Yg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFjCCBbugAwIBAgIUHy1jAlg/aFvRWQao+sSm8LUouvQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAqLJbJAfg3Y9uyT5Z4k5lwJpDl9DO+kZNID1Zjc3AHeBx\nlENQIQbmWkuhRE5t3npCVhWs2/IWs9/WdMSg8qu8BJhHWlWUkt+xEJ/YC2rP3ZRg\nuUprDMXXa9OGVh37dz2SoNQP6O041E6zi9ynNV+QjFahfJC4SELFwe2zES//7Orw\nH6KNpu57VhnsxizaSiOiZWQ2C5hatUSc0Q715JPPyJk/81Wg7dFKWVhu5xJLErBu\njj9Wnen7a0bKKZEthN559Vc9gSJwA2xQC+dH1b16Ti2Z+a2VFtZccLpxA9KtAL1T\nPptOxKwW/6CmgI7Q0txXKOonZM5Iko+paU6Td926C0JnWU1s6qqsxd6nOOCyxojF\n+aBPGfBSUivt+8R8gAaWF8K9US4H0zNz+WTKiIOEKKcjDHwTKYrQvfrKtFi9vI9b\nOPHFseNH//wfjVFWfTFY82GZD5R8BtfcqwILtzt2qdKuIS1dQnqAf5QWeyVu5t8l\nDvDxMb6yD6QAn2rssEYHAiEAmp2P8gyMGKsNSCzkQrUBkHyKifHKsmmVpWSqdUnL\nQq0CggGAfkHDN0R+DAwkV6N2ffmMsyHVbe/8FoRJmvvxLIrq12AzrH3cr+OCbLcQ\n3/TP7TG5Oh8S7CqiY0xpG7Iwj6UtlhYO/rFYreIWC+yxiSO1a6tn0YSxZXPIxoGO\n5cbLjgiqG4Ur3XW29cCSqbBWOM31ROjLNl2caFoeoZ0uflSQl6DlvObXJ3YzEftG\n0+Bqz2Z7z9PiUJfiI0qlhB3x5+tt+hSK2tiGIPMIvDXBga1E5IeuKTDvhKTFB5M+\nFsIkapBlMF1HLgtpxhJOSpIzuc5WaHHkREDuUPo6kaswkWhNrFVeLjX54YqI1K5/\nN33iJsuIgFOpyrCaSrzBm7IwrY2xrhTsmHGhUf/FgYhP3fMbgGiIc8YNCjD03lwB\ndrC4u9T02UQqpItUkQ2c3fVv8TbjEaCgAGV1PBS2n4r4jqJGdk0d8RuTjbVwm6pY\n4Gt5DKfiNEFD143LBSqsjIKJ/8aRWeBv4XgCi79Ku1yGidtHs7z7hcBWTYLcz1Fj\npzAuEO7JA4IBhQACggGAWlQcmTF4PpcWkgY/96f6z50laW4BbgeLh6KjafHmUMYY\nKrKIdeOjmno2bJ0ms5s0SeWfpsk5nx5TbJqU3zSvJUbJFoXu1sIXtbiL7WfQAsP5\nW+vXJWYwFGDKgOFu9nv4hP8znqWCrx/rcbYYNYwxSqxoymb+Oz6d+nAicpAErc97\nz0hRHv8HOOWZhDPgj610U9396nbKdYLunZNVCK+KLO5tnxxxdV1qeQLtXOOsvJjT\nvChYy10WNq1K+w4XcrA6C716NOy3H12rRDITAdDvqhsx9FEf1P9gIDN1153Zso2f\nH3I29PipMPM4o7/UrKd7cJf0x5w/ozXtSXXLJP/DIqr5omfl3oGr/0iLl4CQHC9P\ntyyzYLtx4HFhjg3ugpTATAHxUsZpaYJk19uu4b32JoVsKRglUwvWtamSE75qPoEQ\nCwXG8NpaG/o3A5/ymL9atmyq66++hYo36qtALSfHtF/H0sjbjqwLoGmYm8jzR1Uj\n3ykfYczTzlPvGka8vsD8o3IwcDAdBgNVHQ4EFgQU3Y+Ky0yqltYwoOWMvZjhlQdI\nx9IwHwYDVR0jBBgwFoAUVC4iepPreG0FOx+DJcCRjn47JhUwCQYDVR0TBAIwADAL\nBg
NVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALlhjv0T1/ajGYQ14fVLoGZaoZrdaaxUx/dFVQIiIHhNAiEA5ZuGJ9Sh\nZXge8APCJIpiy8zNTp5CrnjdGVVRE6OMAGc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLDCCBdKgAwIBAgIUEE/s1JzGj4VqvQXzNUwVTU/TU28wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAgJcqBszXiFMyellsozga47zmvamC+mfm+EKWZZKNo2Gj\n9iMfx9ZT7z/OeSBXKOyoaEljnHcR0KxIeGHlPj9YOJSPPpB0whS75hQ1PJOnLItV\nEcrjigw/8FtLdvENhJqQSQtQH6O/iAb+9Hf1sljqyCQ4CCBV8JoGgOQyN646JeRQ\nFufegVRs+htq8fgem7jythupLNlkPY1vnH0QJR97TmAVYhnYzsNPfdOVgrqR5ED3\ntd3If409XNMR1tka7rv0csKwRtz4VrL1ZkVr3nUgM23sDFU/VTM9zHs/4SVpqa/Q\nQ3LoG8mfQbGoJUYh7jdz4GecaYwaGZoTqwWSS8f+Zxflb8uiHJ48q9Wa927m6Qt2\nj0buwfxloxtN8ArfV3YlXJXlFeHDVzKzerwCLZD24nsQndyATCVurwoKeh3VpyID\n/NwlhVet92+PVlbzrYibhVr2GHyILYFUDWtnWJ3QypygkzT8RnbylI6S1EMT1Bii\n0R78MEhsEA30iDnL9CMLAiEAs8bYP1+9NqHVVCYEHg0gnHjYiEDGyPcTGI2o02lF\nU9MCggGAA/rtN1H8mcaE1U8Qfz1Go/GHIdhGdbGJ9vIF1s4I+kCDYAcph2uBuzHj\nJe+4Nd681l75IbmOuJ4KEjgISbattpkZpyNCvNcXwYJ6Q0imh+zdD7oUsSzopjJA\nEIX2pBZhxKzFD4L5WTuNK9ZKkKsE3js4sZ3DO54D0MbNRFstZHJh/ERcPWoAqM4d\nES0gD4C9v9GwF2vezcjfP7dA2y+u02l4B9DmA6bz6MHQ6gNVIbxSZR1DnWhA8/lf\nBqqv+dmbyPGdAxpdSUkdxvzZ4tZpzByX70qtLsiZ/ADIJ2NZONkyfpgA82WjK12o\nW8V30K86VTbqEy5FUPhgow+skZaOXSJ8xkwEwkz7kAtsgKZ6OtBCxfS4CIArNV86\n4TBLvwhs0UCP1ABweIAWi6CZ6AU5/Eig3KKXBXXyIyPxV6VXoyyv9XHWSND2e3pX\n73Hj/HGOtu8wne8a/B9Xgox8G/DONB4F7Rm37M/EwFt/b7pY1e1AQCfl9tUsCY/S\n/eaVUn2zA4IBhQACggGAYwPH75cGCHZrFTpgGpwl7rHvdfKercVPFRRgxEVkIuxk\niai15qN1ZXlkMqzzLZ2AY3aZv3PbH2PNsVGS2N0Om+dqBBoCwvdxz18GrgKsDL9U\nyNHJ8kifn3jZu3RYdfe9yG0dPENm89xVBisE+Hqr8C4kfL6b406rShwD5gwRO4/k\nXFGl0kOXkiaBzO8sQSwregbbySwyoIIrOCcSTOwksQ90kEticzPYZJt5kJB4PDUd\nGTcpknCJSUZ3LlEtoZMS3bnWyAMuzisx7+BEddnGEIEu9c2B3gVEQ3eoYeOd0Oax\nT3kzTxus4RBRtXQSSNSDg4aTURKibDaYBHy04gk6VC3EYzJbkmJq27pe6L6kvenG\na0RTGj6gFkp7rWsupFSTAMl0vhbZAh/5ON
JX+iJhVlZvZ/LXfuWOlvx27Y8M8uwU\ngaiQGfV96tBFobfA7SJQe5tC2R+1D35iknnLHB6AIAJvi3ERBz3CrjusGuNO3QvN\nwxxqM0AvwYX1bMIN0hF6o4GIMIGFMB0GA1UdDgQWBBTmPlCAhshopyBF8wOJsFff\nkAjKzDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBjJjoB6xm1FarA9a5jh4o/HVSYv\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAg0lAligYEYeGT+pm1/Dm3USn\nykZSBt68JlO5+LO4QXICICkHTXnlEYgTjEbQzOUiJ2xTvxtRHUdokL3UQA+r4d4t\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1688,10 +1711,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUWs+K0WmUrwuDc3AIrDtErr91wSAwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDPSKGjUM+WzoxEHs1Uo34J8TCx4HZJzsXLO2Ft\nZ68fcpsvWjiujGxDoPVo7f5k6/QzKSK8k4eR6doCiIFK1t+KMsbxSbDlHSWLx5Gf\nlY+y4CHbBcMU8bAN3VJvRzaXIOzPOW6bhqYzJweZS0GrXG6oJBA0A/N89E1Fb01A\nNN4TfOo/Upo6C8+CFQXQZGITb6+DUUrOtI9HSXZ+kxEIsIQW3nanKHreIyJQ9R8k\ntaHOaEhlHPAVJb+rtM647prwlZvC/RPB8U+Nu2nNCMPL8rGa4vsYkHBieANzsBBZ\nyt4zLztLSag7FCM1yOT2baRajqhStMj0cIdqbCM5y4a+K22sDC2tTSKQv+nONJSz\nINrO24+nzzpCClb7HbFDrFyeUmavkbKupeaJZ5QfentJaifmne/tCvPOQmU8O48G\nntbgFY74J2uJ8J5GXM8wOvdx9KuTXLzRTQ8y0zS+Jn++B32wIdDO0XuO+HKBjOrU\nc3i8zY4xGUHX2hgG5UQ8iS05Wm8CIQDqBv/5M9LhdikhOylMmJjxClP1PSA+eOxB\n8DCAyvJNqQKCAYEArncmTrWli88gQZsHRGt/fNrltNvUurnT+AfMRfXIB3IqxfGo\n2YSXuLuEnf3/sfvpKtQbwCXgKZqWcXNU2jGjGDOMHjziaR45ClSTUSPng+xiUTXz\nb8xuz0UqcwJYKLON5BtJwDZFjbW8b2YoWx0K4Uasw8k/IcOgmiuBoXtFv2Clpfgf\nrhq9ns5QaPhGk6+y4wTpHvaVBxqkVOy12iiREfAxGMt7XhEVsK8mC8yIcgmYVCCO\n5jb1xEfQGlXXHf4CtVloe7oSssRnLsyAh4Ji487TTa8b1Hb0gjdXpTD9rSdIRcMw\n8Btj5VzAE+xL2azrtO4RqtJfz0FcYo2C49aNl3j3am2yJDlGUouYdUX4Lx7RF//a\n34zx8k+ljNtnHUg4y3yI2uhpEqPwqozOzGCP6eT3NDnDSJTaqlmKgcm6yiLb73Tl\nUyBSagCTYyh3tWGxogilVPfV4N+/39uuEAwMsGWVCT1dTw0PWJ4U5j+dmW+QB7ae\n43o7H2dxIt6inw4+A4IBhgACggGBAMfFoqSgijeYF5fkgljUOO3EaA2AVsoGfobu\n4OTtOi7i5/GOrDNEC1AKnGstVhOwydd2dDELlgXy4O9XV9u8wx6Z9NotBAfH8Yfi\nO6szdxruYIUCBCk1b+DdR4a2bN4vHRHn+4mjz/Hj18z2+4uwmi2jlNtuix0vQj1d\nHVGfIBQvVRxs0PA/FhCAKY1MET95TAtJ1pvMXRbUdoPJYSqJJq4iX7ggEG3zZXTB\n+nY4Lx8y4dEk2P7z7GlCbkZzY3jb1ttwdMS9NFlJCttZpTbK5XJHYoWkbERxIaZ/\nnOXU9/n7WGrt99bo99s5wI3y9zP0U3C
WlR2yRKfCJmhfOoLew5WybRlVape7hLVN\n7NVIIQMQpsZzWCt7Yajei3uumBQov7027C9o6VRBDkgoiPHOg0qpxf8h3EQTV0dJ\nDtncHbpRlZBa6WtcSp/5fUoT0rZENLSaYoh1CRChgNVtCoh+r6YSRmQgb7SUwRFH\niyjJ7fRm3uT0EtIVuLANBpAefBznVKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFNgQMrpp\nNaFG1EmpUdt8PQvfWBd3MAsGCWCGSAFlAwQDAgNIADBFAiBsYj9nWGAf8c4rOh3J\nyfNE7Ct7n8jR4jTGCwCeijwuxgIhAL0ihSIFiB4oVkydeORzW56+Q56J1cA+plct\nYrQFn7XU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIUE8eRylRw6U7xLNbKQ8ZwFN1V7sowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQCo9FKuDGPrkFZwndNBjhABN5WSHqULQmcn5Shn\naEbULo1K5173Q6ApLMLKWFt0B05DAQD1vhRWCzTDk5zqyD5gGx763nlBapaa5tpQ\nOXVGOM0P240s6kGOdLSzs6jZNiPbFx9633UOHJXv2r1qx5GRdbAuROcrBfuOlNND\nFip3LM9fzRNHKoLrM0nIKCo4TTMY7UeLZ5/if7moYD/5GW57OofdjUBx4Yigg3EN\n9FEscFHgVtUykvXwrfYUd5WAPaAgdmB32ALlr/EjkZeok7Ps4FLbfwLc1Ede8OeT\nx32fGN2cWDf+I5R8xkcPQleF8NU40Amaa9uIDZ9EOiBCWSXWPpEE00RUWIo6btcG\nZhVZzNTDf5My5IyEWs91piwew3y+CsbNJ7fGESlbDwVfX0d4J9KwjRk9iZrlRI0s\nylmzOC1+QG3FZsSK8/ihjOqkZN1kS5tEkfDYtYYPpA2XRkZLWFwY+QLbIkE+w0pB\nHG8OkZVOJHWpsNjE12YrxaTIVb8CIQC3oNNMujI5mrFPp14tYZkdb4KyLzXD3IUB\nQ4O7pi9wgwKCAYB+XeAAay4+Zd4RE3BbX9Yxw76ZE1+r42mibJ7kpY3sw9friqd1\nS+M1HFcp9E+SMi0VC1tDLAXcnPLSXKCPR510IHfLpYU5Ilvqhjnx+TZdsjyEvkDA\nrQNSXVe9qYUTA7tpqt/gk3v+HWIt9OQxyUzX4QWENiMfG6On0Vlgb3RNaCYN4/dv\nqQvGzZDWTq0bkEiaDFtitG142MKscI5DXZpfm68hNRl7FhbatvaOrDZQ20EUweMx\nx08WjyyHgscZHDiIYvSp5ls5II2wLvmtj346x9ec9xzQXahyoty2OM3RJ1e2P8+k\nFtK8Jyz/2NsYu0dCxw1JhLJnWrvtiXAxGws4OPQM52W1AaxvdJWexsP1F2K5N7hC\nay5j45jN57L+2D7QUm5N9oqZmheIr+jo4ykn/nTUJaTfedzFHsSU1G0TwPvChzkC\n+DdJcTe23xIf2n3nGAhv6IOWYgUf9E5mpdHmDPwjaSJ8RVPugUv2wrDFc3wLrtxg\nEFo8/Qihr+vwx+QDggGFAAKCAYA6ay/34/mwUgOcAraJvr3EJeP9jakJFVVyHAQt\nbKvKGL0gCl1ylYiIF/L5ChPOclVM3QmIFmgncQyaLMzRJY95iCccgBJvlZeWlIDs\nk9OFXCgrijyo0CtHyQTqLTzt633xLQZj1IwLP/a6XAV+lK
nh0zBRk2sd+cN+aL52\nN0nskEdf2WI5oeaCsd8nXKrIUIuL1fIEQ/HLpGh6HxqVGzljgbjWFm3CQlnRTtuk\nU8kDNcEIuWvu7kv8iB8xclpUoLQYWXy9hLq88+T2yXkRfDh+/nXjQVEo50hkuF6e\nwaDJNdx4Ab43gptWpHE3VdD7TnOQHjEfchryyaVywcKx4Q0a7UpqYKwZYEiaHmlY\n6RGSUBXW/Jjrqs4gE/RYWovTRdVCp81lQk5zcAj+Czi4i+rGWQtGGatc1PRuh8rq\nSWlYqtmh+HVek6Ci1VMXuvhTesJtzLnKiR8Aqq7Tua7qqXGatIUfSFBmbTiS+lGQ\n2dGZvReRCShP8zUCyEGE8tNYwhijVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTRh6DlM63K\ngb8RRLQbUFjoLem5BjALBglghkgBZQMEAwIDSAAwRQIgY59xlRfslfM+hqAutebp\nsHI3HS4iANS9O3Rbi4lVbnwCIQCsp4eD7XQKtYTPTPxnL5gXKQAHiDe5HaxfI0sZ\nnHTAOg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUXZeFEgDtWW7/tNmECUi1pvUgz5UwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAARx/Ulf6RS07aJ62JGvM3biVMzj3A+A4LSQSS8uaE9+\nPhC4iR2I8dn5YHiwlzld4asey640Avn4pwnoqAanf6gMo3IwcDAdBgNVHQ4EFgQU\nZdIVcGijiOwhxjUcEeJwEJNxfm8wHwYDVR0jBBgwFoAU2BAyumk1oUbUSalR23w9\nC99YF3cwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCwYJYIZIAWUDBAMCA0gAMEUCID1d33kFdBy/cs1//+1DiQboZGtqpDrx\nBpUJ8lqTmt3+AiEA1DsqrWSEkDyDcphCTmGMQNSFPUGqLtrkl4GSaD8fH2Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIULouCU7yJwyCTSsFhdJAKaGDNNYwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQOHcOC0PFi9ryVfGYY1m7CkQnAfP9w6ukm29j81Udz\nT/Lt4umNROvTuxHINEPpsnxwiQ2vG58wTDcgd7IhnCQAo4GIMIGFMB0GA1UdDgQW\nBBRCBsU83d/JnbqdYUOGEQIIgox5pzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNGH\noOUzrcqBvxFEtBtQWOgt6bkGMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIg\necuy2ShvuUIc6QBMABq0Qwr/LHCS8AMoqYdLtPWCpPACIFNsSzHYGUGaP33WVR0z\n7DxE+qybA2h03t0oU113G+Dh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1711,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcEfLSmikwOit6p4nljCjW/35T20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7uIL4qmKc1SF292Ky0giY4gMDJ13DLbQFvK+t\n9827zUknEfxSIcftOPrM8Yqx+jyKXTdmpljQjBi3Pwxpsz2so1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1OS54bHEv07GIB1oiSDMmqArcN4wCgYIKoZIzj0EAwIDSQAwRgIh\nAJyhUAdg+edkeQvcI8PWJzle3am2KVK89uydo6QEZnZHAiEAj7oa1mQIS1NE3dpv\nEIwggtFJU9k7Ne9T0kYAoQGrjJY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZgf5SZ9B1PKmIvHpCpCVSRr0Z2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQy7MTX/DpEjZhUt3u5+u/v3nLdQBTVWPBfjxS\nZ+JbbK+smlKSofOugFFfcbirljZxhZrInO/fsBkx6Nle3A6Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC6HQompkDaD6iM7i7gTtOb1+SMMwCgYIKoZIzj0EAwIDSAAwRQIh\nAK4S4Cau3MUiEcDydHgPJwspSSIK+hpoOdqK14MEoubtAiACAbH08cAUoYMtKJb4\nAGy2y10Tedm+PK1al31hziDsUg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGFTCCBbugAwIBAgIURwgtmQqBg+mq8mzJnNsho5TOc+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA8PhnmpfJW1DjTwmbQYtif3nRUDvWwzhqVnswRN7ig+Oo\nob2OsZpY5jenGHeMKubgbENtLMyif8QJlArrq9SMhSLTU9Pz+dXDZ2WxOSYPZ6Ot\noDffm09hlNtffdDSnkG4D3f6qGSeBJZn+1+AcQcIVhkk2VkEyekY1t37hrS6ov0s\n05j8fp6HewzxWgKDB2aARu2CTemGzQ9W7WHaA6NRaIkhYiO5vVV0uujeqMhNJSzM\nWJ6i1sybhOUq3jygFGoLLZ8a6yivXE9oAEqh5HLrk9R7xPz3IvbuFpprKIrlKNON\nE2bbdxw3+mfeUaXljM+QahJDGPnHbYEfk0DwiBYoj4flA+YEgcUaqcklz2RMgsEp\n9e2D5BnxdIDiDfcibe0eWUgawgRkFYMepZbb+fhItLVgUSUo4ZryvgEOrGZRtAND\n/jblEkMbm9JsYzXMp6Dx0Y5hqGVRXxnPQnO1lkD1Om9Icu3/GKynPSJdLg1cCo2G\nzMc0WFzFUsDqR9YLHykpAiEA8pCDl/X95KLoX/XugRFrCDBIQNZCjYoyzEDnyAJd\nSU0CggGAVBqTaLBlaTAJMCUEIUfJ5RFaCAJvzZ4VYt4N5+eJM/H5wFShDGN+gZ0s\ne2/+IMU4zJBpiEnXJQd9TA7ZYL7YJOmcECc0oBpGCngiP42zDHMbcNnB15WaGFMi\nZ81T0IB4Kit7hfu1zQHuv7OPMRh5Ii1nhX/jwdglMPBoo+QBhIB7WmfaLP7ZzLeN\nkaurGF7OOcM27UFSSpHy5wlDnsnRAGWlNpBRCkhsMy/0Z/9RN95YtiZYc9R0ZyuC\nbFpj85Ghq2IIgfzYxKyP55W7VsR/MJjhBZUUcBeibnPsT1wL8rhEbRwaU22gntCq\n5aae7Cw/hfUGhwZlHyUOhD/ECFXgdKWmWxM/d1D+aXUYj/QviHuRCS44X0l0y0L2\nsZhwk/TdiKJEX2VDW0U4DyN/tjd85Q68wzs+uOwE+9T/X9bcMb1qolcrP3FPoBbv\nQ3jOiNFt9QhWdDsRFgye7WnaPfbHcErC48n+JKG5MKrT1Iigr1EtlDvlXJ+DsY+y\nGabEqGsQA4IBhQACggGAZQ9pIyiaCyoayUe322AMM3nvgB9O9y77ttplFRYhKwjL\nv2Qsb3Eh4PMJvCLMK7SES/SOSDiJablAZe+XLi9xBjf6hBglxbUMVtmhwPEfznJB\nxIkzTYK5IB5i1TmT2VI9bgct2knEgVsgQ+GQ81y9FidceSUDO3sNRAqbhOnaHIrM\nKO5dpxQCwHAZtPJoH7aPYz+M32yEG/53wZshT3d3y82tFxHniKLS0629BgRRbeAt\n+yrfI0fH69lTidCDx9OwRSNXTa5YNn6QeA6alZCcGxeSAOKnzRsZwcY9L5yZwroN\nK3/Vc92TD9HFepqk7Fv7DH/HhJC52qAMzYVRRJwgRZSOR6kFwkrE26xIGuV+ju6V\n04iNrcCIvMSz3kH6K4MzkxHVm7ZAb5silfmxYn/HOC9S3x8peThUu3jkPrueaXgZ\nMf0gvdiXw+O5zp0W/05Dfq/q6CqhDwAbajey8IaJmbVr6kgKTSeZAq1Sugu6IDw1\ntc5rnr+E1tya5HJKJKQ4o3IwcDAdBgNVHQ4EFgQUy6W6PxZDKUzsU58gXO6ab403\nkCYwHwYDVR0jBBgwFoAU1OS54bHEv07GIB1oiSDMmqArcN4wCQYDVR0TBAIwADAL\nBg
NVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIMbW5/8hJZCoNJVzEfJKkuErVW7+FfWLWvJrLtfTcKYAiAGpa4v8BKH\nz/mVOrWEZiLlZE/QxEzP/HyqpXxBO0hu8Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLDCCBdOgAwIBAgIUH3HHgwAy5jRmI0ntHns+7kB3bHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA4Z773wHnLbE41X4RDKWKVfRimP7EtAnXedH+bIlnuV+B\nFJNPkmAyWmVg0Bk8THS8efPRoaKeYCZP45pwsfE3XNc87W677u8B4ZWYAJs/21Jr\nqXzZpCP/dTHtJZonVd4yFL/l8rzi1zSMnFZ+loStWNUWspV+EW4P1LzU9BE+yN1G\nT3UQhxqDsR2/IqEgy9lQdfmI4kAoQP4rIu0a0bEM/drTbVZSvH7k7Wf77xJS3NEt\nD3A2DQnYzXNgtvs5yhG357I+OrP1Z9nmTo+wIBX8Fqnd7qnEMH5prMqI93KCb5WF\nnubjFvupziUHRo1vgNt8xM9AB+xL0bQ0IaScUScVot4U6liK6x71bHSvXK7Vl6u4\nzAUtVNnl4kk8GSxaLNYbz7AouLevhIbQs+d4SfstUhDU29/3n92Sdkiwz/el0nzX\nVeuFkEDyLyP5D0aqkaRrEruSNyL0JDyzgPX2O6Mww++XBPg5Lurwm8BMRrYB7NqH\nRuptAcyI7aDKj1aUiUUnAiEAnX6qn1/z8vvXzW+Beh9+lGeRF/eBL/MHtdZh8DYX\nwycCggGAUSGlOpvGyrsjtL5HJ3NmobJ5rDQDntNQMFn9RFsEjnCQ/IgzxNTbZfVJ\nf9H4MP8YbtPp0F3V05rgScMLxEuU5xM+T+eiWkIGPPGdaZ98UKhIcLR61gzuqjls\nDSjVSthETFghY6iewR/XNi5n9oYP43jIno0mS+5hzAXQawbIbzmcyhNcnDg4vjYO\nN/4vzhBefEN4A0N0wbYayFW68LYl20VYeeifZk2HKZlyzYSvesrjMYp6T0Ndjq8t\nBtLXdJS+QLTc8Ouz86Djw61qmb0cKcV/iW7waCzcxE1vK5uiqL/S2Mqx9OPMCgKx\njpiiihnMQXrmu82KvHjRH1VcwWAmFpnGlGXvBeupbSrfMosGfGHAgAZBO8AxBfyr\nW8Gg7FYUo8XKBzYYU9rC6FSY7Oa4mIkqjRaEWmnoZFm2eJCMedQWbGuSDKPAdv6a\nkYyguaFdmOi8Na7oRYodUyMqgAH0mYF4kVt/3u/w1C1GH+/gCOgNls8AWi78Mhx2\nkBe4RecEA4IBhgACggGBAMlLkYkAlbXTlbhFN17Ue+LUHShnpMuL+z7R/hI32g+t\n/rqmveoXoAB564mXqn/sPA6wQFe+fK+4kUw/aGkI1JH9fw22eg85q7Xm+7gKjE1u\nW3nHV/GD0SE7dYA0r7U4VllM/nenDS5XIlVBYBz8RzjbWcMhqcXosDy0/XBF+VPu\nBhEHXj+fGODruX/+AGcZhscu4pBUg9bjSguYk8TIegf79XrWdrTG5ELzogrWdzr/\n32WYX0DoNM5XLvKNz4CSMspBiOUP0DlE6s++46J55fqaI+ppOuXdivD4bMSmx2bl\nhcA7zReftpCt282/yvR2Q+8xCLtAyy9jluyAB1sUPRzsB2JPtuV1TfUFaTmUX1rd\n7+741FBAe36S2d9eFFzEdcXPM+c+suceBg
8qQ7QVVW6P66IJfD2vyR1TDfJRv5Gv\n6P1js00rzVhpgM4Inq7tY/wKNu20zqaA31FsOAPa5lDZpqbzvZ6py+U9T35mr2tL\nX1qecqyws9czOL58z012VqOBiDCBhTAdBgNVHQ4EFgQUnNCmDXqpXoPCR7Ts/9F3\nWOxtrcwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQLodCiamQNoPqIzuLuBO05vX5I\nwzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgCj/uGdjOBvwveu2G2GqbDRHg\nvcqkf+LFaZhoOWeYoKQCIE/tmFFolCvikpS44gbSNkdUfOrz/hHtopB79eSXpuZn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1732,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIcXi/hXozoZGg9OvKl0m2r56UEowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/CuKKaqW5NYUE22rZCwZdeEfMnOmrd5S5Vt+S\n21WL8b2bxOZlvmEi7Y/DlAu0hDDFI6TRhZ/BzJsZdUh8SBT1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAZlD/hKCfiUoR5uKWdbUSJk+o/8wCgYIKoZIzj0EAwIDSAAwRQIg\nL+P3IO44+miC4JENtAHnmzllwk++FbolkEcpstXgbqICIQDr/COcFvxnDx+OxlVU\n9yNOl+F/K/gdVyZfjdfY/5btyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJqZZgSchCKeaQAJP/JjBQYRgeXswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEz83ylCx1SOqvtrFqeQSE9WowRRz4aoq2Xjkh\nX1v8cKca5r7f3Wn76v4djUw258x0GKOh5HwEUPm0+RzP3uRko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPJvFR/LTTjLboFEU10NN1tC1mk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAK+kb0Nr/a7LsN+z/+wo8y2Mb+FjXdVgAKyLR2aJSANsAiEA4pzTQlmd/BfjVJv3\nO7P0G0WyHD6uvhbaTLv8cb1PXqs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUO9/oYkmEpZpTYX3ISa1Bk3e6vZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLAAvUJ4QzejyUqhEkdGaFaH5p+m4ZHyc2wuOSGvke7\navUltWzHXIM8J8tJcZeESs0nZ/4/Fh4BaQQ1AOCbI7mjWjBYMB0GA1UdDgQWBBT1\nvwUqIgbZ5xdbOa0M74tY3i3eGzAfBgNVHSMEGDAWgBQBmUP+EoJ+JShHm4pZ1tRI\nmT6j/zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiBS\nw+U3tV+vla37Ln6HNcLhgMwkUlNS8kJzkh6SXiy9QAIhAKJfjMWuqq/fxX1gLWcb\nmI6GAGRCoxDMvLAvN7Su8J2j\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUFKqCpFXGsfQeyaN2fi0CB2TSJSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGnjaePhJhFKiZ7IKFIwjoMInO86pH4NNIvojJSIHyL+\nHHKemq8+S/+fqkwA/CAsPcmObZJN+/OzMn8B1mD5Cj+jbzBtMB0GA1UdDgQWBBRa\n1hQykfRLai/whtHkb0GNoULJ3TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDybxUfy\n004y26BRFNdDTdbQtZpPMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiAU03Phh6XZq3QvJmqtbgwld/iZLa5GLlTalxFM\nvNG15AIhAOmAc6ZfqA5qi4rYThRBGsli5riSwlmT0Q+NQbL1eov/\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1753,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUf9XytbKSKI/9gOdOGihaw7d0DbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgfaWBUnSCJEAOAYtAND9PxSq9n59PeKyz9wSB\nKjhZtfa4rs+iyUKNWtcfKcoN4UBMOZkQTMlgU/c9Fj6f8Xs9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXPWXCBb049WAyLV7JdFEGDfUheQwCgYIKoZIzj0EAwIDRwAwRAIg\nZYEIL/4jjWuViSjaQQbBfoxM+PgxTlNCgzEwOrw60r4CIFjWcJ6nLc+H3/7/HPs4\nzWxN1XXVFtJqiF6tft5+0uMI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZKWVSeNah7IeZoksECb1XYX8S18wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIW5Ri4HB4+IwtCvNNPIhqjJf+wLD/CRtxoolR\n+psH/DV7xXCpDtszCfAcblKiFk+0TpqiFyIiWzlrsrWnTafRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpWfHwURTYLmpB1lRxzNOKhjmXgMwCgYIKoZIzj0EAwIDSQAwRgIh\nAJ6Y/+SPO5iWOSGAezBuW/Z+d880Sc1msLyyCp/SHYQfAiEA3vUzJJTZ5+jt2lEE\no1y8VDvC0HBOAWKAzuwWNeDQCA4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBKzCB0wIUDxQGKSrTYDpzckiZhAUe26dEs2QwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABGdtmfFX4DEDysxG2a46RirMzczh1KyikYPACXvQeazmgASlZJ94\nNjSThtdJ1Uw0dx9zRrwrH+qjXvIPreGDxm4wCgYIKoZIzj0EAwIDRwAwRAIge8Zc\n+/ZXwnKVi8cbBAdbOsz24BPlvkaNp6aFw+v78skCICdAgZv/C3ZdA5AL31odZ6Vt\nimUXTLQhbfQN83HZdPAY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIURPPAPL8LOoUpY8F6ok4IhQbNKc0wCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABAcexNuVn9ZNc/gFgPAIudTLnPic3H64uGUTs0AXo/5k8vnMOlcC\n0bUikNQlQ3I/YfJbCVL2RhWADWoByBB9f9kwCgYIKoZIzj0EAwIDSAAwRQIhAJDR\nJ9Y543mXuRQR1hwIsTLn6dfJhySTyJd54Hxx5/XxAiBUauxnxdT+bEQqkido/xEY\n+mE7eoathtqzYC5CXCMIiA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1767,6 +1790,31 @@ "value": "example.com" }, "expected_peer_names": null + }, + { + "id": "webpki::eku-contains-anyeku", + "features": [ + "pedantic-webpki-eku" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUU9aKithEhH/WR2TIK/u70JVWybowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGG78EsW4XOlo9LvXWwjkqs3sz1V3bEcPBMdow\nV7dpZuYYusK6KhnoiLj5oLtwrtC5GEila2Xk287VOmEPrd9Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY+uinHZXmY7r8yNVZGwzLWQ72j0wCgYIKoZIzj0EAwIDSAAwRQIh\nAL2Iy5Li598+yX1SFw/sHuWCsPxcO/xGolSgqBpln9VZAiAc5fTGwbKfxD5z57Y/\nLfXLmHVn/oHx3T/UMpkFNE9hQw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUXqhNpFS2CRZuscpWvArfFYrxDUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKAlVTmuWUAQ+rqa45FsTu1MQZBHs4o6LuQ1u0RiYiMI\nzChBjsrOdhQSuTKDzwoQYtyyO2TH8gku9TTqKlaSWayjgY4wgYswHQYDVR0OBBYE\nFDAFBrbGxvAZOj2fwDZRk9Owde29MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUY+ui\nnHZXmY7r8yNVZGwzLWQ72j0wCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIB9Dd0wh1vt5O9jDZ3ElDH8z9tZpoHjc1plEbD0Gc7vnAiEAh1XT+Acc8TN0\n5WQnHa/pqsTl65egTYNgFTliS8jgWf0=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": [ + "serverAuth" + ], + 
"expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null } ] } From 199ba0d0f564812bd922881d202b4a565624e086 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 2 Nov 2023 19:47:14 -0400 Subject: [PATCH 042/155] fixup isort Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 0d4436afcde6..208868654da1 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -8,9 +8,9 @@ from functools import lru_cache from ipaddress import IPv4Address -import cryptography_vectors import pytest +import cryptography_vectors from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.general_name import DNSName, IPAddress From 52977bd8381780df3212c042c01b3750ff469dc2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 10:35:06 -0400 Subject: [PATCH 043/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 391 ++++++++++--------- 1 file changed, 206 insertions(+), 185 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 1a1664c4a427..00d7a3cd7737 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUICV+r4qi4PYxZGoXPeC0opkfBuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSelDwaFVo4ldXqZmYRUXMI3XnFxLeWvuZCnVm\nsOKljlo1jAWToBMLOacUVvJszYMF2BiMROCRH6B8iQAK+addo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYj0AsdK/HpnI3YlTpgUklZOUpLAwCgYIKoZIzj0EAwIDRwAwRAIg\nGvYOpiyIEun0N9y+F/x6IhhSQyvH3TfUctk1rXv+Ah0CIC7Y2oCbQ/BjTD7UNYUc\nrfyJijUBFJoCtXCdf6yIJoWq\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMrk20EZo25kL+PnUMnqiGXhKTRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVzmavpXOkutvpwwe7BcfuDFqaKTQZcHXRQub6\nd2VIXrK3KwAJHjvIDx6FOEmV1Tmuk3oHY0+gb7yKcKnf4z5fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYVKjjJOx+Pz15U5lH7Gy6ucR+6kwCgYIKoZIzj0EAwIDSAAwRQIh\nAKL6H9Ue+LDIKce+z8MT0zbjKszH24dI4u3/vymXj06RAiBPw9j34SsLxrv9LDnQ\nLIKg7VUWEy1wAWd0VLAXQI8R7Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUIVqUt9tRo8hkd37Uu7OndBAzMh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODM1MjM4NjgxMjA0MjkyODkwNjE1\nNzIzOTQ0NTAwNTQ3NDQ4MzE5NDAyOTg0NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGQd0mnX3Wzw3NRzYgxsHAtb2CP5FfeYbLavqJk2sQt8abaUhFpUBOt/5XoDAkvi\ngiQQyr1GB2Jz60xBZbJmpuejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGI9ALHS\nvx6ZyN2JU6YFJJWTlKSwMB0GA1UdDgQWBBRu1qCnUJ27U2WNNZcSC1SQzpLf7jAK\nBggqhkjOPQQDAgNHADBEAiAx54+G82D7UgAdznyJ5psiLl7Q1YdFzMvLw3LwQUGZ\nJAIgSeeIf218A7KJ+MZajDaZS/2pfaQE/Xxzkcj+hLJH0xA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeWl0LDqwWmzY7K7uBW0yihSHyRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODk1Nzk5NTEzMzg2ODMxODg2NTI5\nMDk3NDU5MTI2MzEyMTg2NjM1MzE4OTE5OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBI9FzWIBXA+5DGMC2kHwdU6WGtgah0YbmvIjFj7drvsL3h9BwD2wPTOiECQOfteB\nTZR4DITQGEpBYOl3HIAR8qmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGFSo4yT\nsfj89eVOZR+xsurnEfupMB0GA1UdDgQWBBQeDOtPd4ncVGlhSR/TjxeNl6FHwjAK\nBggqhkjOPQQDAgNIADBFAiAgtzphKjEdpjOR4Yt98NE9nM9NlUXa5owhfDHcXFZH\nrAIhAIWJSX0lAdQ2S7MmzGFzb7E6sJfSZY/PEbnaqIdF+YnF\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUc+XrzjNiGrRL0PpnfE59z1fYdeYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgzNTIzODY4MTIwNDI5Mjg5MDYxNTcyMzk0NDUwMDU0NzQ0\nODMxOTQwMjk4NDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqjlM\nXkPQr+8uCQ9H7lE7+GUj0MJFubE02FuyBa6zDtzBIQJ7HTWwG80//qBRcpJb+3yE\nLjypaSo5kXDBC6oV3qOBiDCBhTAdBgNVHQ4EFgQUZURmtBbGvSzk9tQcFWcXvYUS\nthIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRu1qCnUJ27U2WNNZcSC1SQzpLf7jAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAO0jrZEf1kLg8nFvLrB3Fkx5Tjy0\n3jyB/gNLmS4euODHAiEA1VCAUSZc7Z3luUy1bzB25Zw/Wivp+6FgJQePKL5FkE4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUe2B949acL6ETjfjcpKGxQrgs5ScwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg5NTc5OTUxMzM4NjgzMTg4NjUyOTA5NzQ1OTEyNjMxMjE4\nNjYzNTMxODkxOTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8/o1\n6pmpaveXCQq9N+Fr3x5noM2OWD/52MjlDRc4mZFroT+8LP/F4k6fdeL6/Ia3sNgG\nNW3hzo3/SP6Zrt2ZkKOBiDCBhTAdBgNVHQ4EFgQUxNybAzBlGl9yjhxIJy/f+m9I\nlVMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQeDOtPd4ncVGlhSR/TjxeNl6FHwjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQMHPR1vQWfMQraonWD3bQKxTfD6V\nIj/IUFZpDhv5yigCIEa/tokrC9tdkuT7O02Xhk10h5tboS06QpA6ZAD+lSeK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUer9iOYRFrNKEdcTqOv29FUJXLF0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwSCSiC7Zr1uKmLUKjFQG807Rej4r+xSS3avVw\nH4yD2sMaFHDZ5yvyaP4ugjRKFtal7DziJRkR6LChiOQr40t8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9eaKTDsdqSSwIyR/bXKyyU8vigAwCgYIKoZIzj0EAwIDRwAwRAIg\nfJwhVJwbfVfN7uJC9JkUP5cgDwFM+2gtRNOhyxpUs1cCIA+I9O2cZ/EMKiQTcH8x\nl5/gmfOmhK7pj+Nw8B0wWfmU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURSMDjrQDIOJWzpL8SqN1U+Qm7UwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBTu9C1Cj2qj5uX3pAQq5vQwjzEeTkXPleES+f\nxKK2iGCzzPKk43e2RJh8zPakJR5i22Ogn0xgaUISGaJKiilyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxE97N9a5wp1e0EsxKB1HVGvVVEgwCgYIKoZIzj0EAwIDSQAwRgIh\nAJC2fCDZDmrtvetYUKTKxgq84SbMaybbkSFedEzcFkIMAiEAttW3s9sdxam515bu\nU+cMNrRWyLsfprFZFgpeqjU1XqY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUH82MYurVO3Oh85MxZmuX1E7lSGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3MDA3NjQ4NzI5NDkzNjM4NjcxNTQz\nNDg4MTE3NzAzNjAyNjMwOTUxOTMzODE5ODExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCNspPigivbJH8NIsh+MAiJUuCEKNXRvDZ1ZGXlWxzWEWMagleYXFQpWPVebkP5M\nT/fdnMIO6O8CZV+ilU7oDWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPXmikw7\nHakksCMkf21ysslPL4oAMB0GA1UdDgQWBBSY0Af5WK8l+6XJZLVgP9bvP1Z36DAK\nBggqhkjOPQQDAgNIADBFAiEAvy+TbLMnM6fo5LSl2eoQ/oc2+oJCc8sYPItcQJ8T\nCNoCIFT57OavgRiFywKJG81CzI9VTU1W8tBMVMmkNroUx7ni\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb8mu9hMgxcbWR2/df86jvd1VrKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTQ3MDExOTkxNjUwMjQ2ODAxMzc0\nNDAzNzk3NDQyMDE0MDQ0NDIzNTMyNjU5OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNj7RynJOqRotciv7qOe8yS8YjE06EDsjfTfLZV2zL87o18GgifTzWXtl91MnwlS\n2sc8YEEc8UvD0k0lFMena5GjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMRPezfW\nucKdXtBLMSgdR1Rr1VRIMB0GA1UdDgQWBBRF/GdKLSrvo5M1S7BFZuOmv702kzAK\nBggqhkjOPQQDAgNIADBFAiBuM00AdSkS5nr9FsGe8aqNPmQIeUXVgIqAOJl5v98U\nxAIhANPc58h1csN7qC1uaaLe2vyfNpe1wYF5Ctp7WhQgiHNU\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUPykfFVV+roTsW/2vQbjKTJWYJukwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzAwNzY0ODcyOTQ5MzYzODY3MTU0MzQ4ODExNzcwMzYwMjYz\nMDk1MTkzMzgxOTgxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOa5F\nyhujvcwixkeC8A54qeMcOK02dZcPbakdfiofW+J61I/OgdoitAgeAhftUtF/ab7A\nQcSd0gTaYma8c/6t5aOBiDCBhTAdBgNVHQ4EFgQUs6ZqZ9m9el+DWZm3S3DJ5rd8\nyf0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSY0Af5WK8l+6XJZLVgP9bvP1Z36DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXza40v2MHRNaMgPkojENXt6wGcjo\nU8atnhkdIZdx9lcCIQCmr5eQf/mlmwJ1qho+o+PVoggSr5Ifh4aJ/YCOU1g1NA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUa68ATvW23MTC1lhhlqsFeUhxPlwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk0NzAxMTk5MTY1MDI0NjgwMTM3NDQwMzc5NzQ0MjAxNDA0\nNDQyMzUzMjY1OTk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDyHq\nfVKKbjxf+dUxI1NM6pGou/45PFNWot42QsW65vZhFSBXFdI9qU6wTIqEpFxmx4Wl\nXGEvE67Sztx1XitbkaOBiDCBhTAdBgNVHQ4EFgQU1pNYsNxxJRJ8nbSyReujbi6D\nYuowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRF/GdKLSrvo5M1S7BFZuOmv702kzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJz3yCkVPRzlaP4eBVuZ68LLzi0i\n3PmXYg90YUAWMY62AiBrQiQrr00p9TDIDcZ+0tT6uISS0NKFpOCDudk1XKd2hQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULnwNyshQTGpGhcaLiEbjQhSl4rswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbXl6rsDmX0K9XwoT8gfdzogwYBDPztNr1ypni\nFwSEYg6lfrX43Mi//z1UE7TsEh/j8bgBoLMzgOnRSF/ySzXHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhIrYuRu64yI5Ogj9yujoGn4sgeswCgYIKoZIzj0EAwIDSAAwRQIh\nANLREAWnb40rVVGu5CJpACyujru6Nz51WL7pXbUTLOdAAiBMlWiPJQzH5TkpV2pR\nuRovZpGB/zG+qpUKizSdzZUhuQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbvZPuw4/mOEZi5fCyneR8DC+moUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFFNj2JtszZMNXWdWGfq/Ccn3FzLTJoR7pRmaG\nXl1VxhmB2qOcE535ZALidnnS6z9tcfRrdKkvgEqQQYZof69eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7D6rqPvBt5rxsdJYtp3mKII9HgwCgYIKoZIzj0EAwIDSAAwRQIh\nAKxgFT3GIey3lGWWQcAU2Ds58Yis47no4K2JUOYCVokSAiBCSgaduX9mSuPGkn2h\nnyRkUYKstf+R/uTNNIiGBgSpSQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUVZx4AZBhC7mD5npFYi7/diN+H0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjUzODAwNjkzMjU1MzIxNzkwODU4\nNTc4MTM0MTA4NzkzMTM1Njg5NDg2NzUyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIqlSWVknuZruJP/dGyWClDaRm0z1c5G13yocB0PwVw7sTgm+PgPU5IsTuq72Ghs\nDfniGmgdJ4+M/irHpNqbgV+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFISK2Lkb\nuuMiOToI/cro6Bp+LIHrMB0GA1UdDgQWBBRqor5b7i1hReFVXy39eYhKA0tueDAK\nBggqhkjOPQQDAgNIADBFAiAoBVCK340NHLOyPmDMHjVxN1Gz8+NU6oQpSfi/mgnW\nVAIhAIzMV55EMKeMVFIFMJ7cnwUuoVuouRhyGWBs9w+PoEpB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUed7059bEGwcI6L4/mbW/NqyPjPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzM0ODE5MTM2MzE3OTE1MTE2Mzcw\nMjAwODM5MjE2NDkzNzkxNzAyNjM2NjkzODExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCRDEwQbQHZ+ijH6Vlf/cKAmVI4NxwuxdiglsqV5ozRvAbsDLWsiXupovyW0wRjZ\n6NFfvoOzfor/aG3EaaizqQ6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ+w+q6j\n7wbea8bHSWLad5iiCPR4MB0GA1UdDgQWBBRDNQP8MtlQhgH32exhOyaLq6UlSTAK\nBggqhkjOPQQDAgNHADBEAiAsWue7WZTCqxa90ql3Unlt/2+8jP7eqe8F3aYi8JU3\nEgIgI6SY/0etfLwrt0LbLGVrn0Tl2xVQ8A9Ys4a7+3VRrzk=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUSYcVgTh/3np6WaIPsf5NwXz66wcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY1MzgwMDY5MzI1NTMyMTc5MDg1ODU3ODEzNDEwODc5MzEz\nNTY4OTQ4Njc1MjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpF7L\nPfbD6dmKnNAKD30U6nWOhzftxwTgbpicmG01irreCOVQX55LjznO+rIAVKmTwP+P\ndNFeF2Y09hcZz3+BTqOBiDCBhTAdBgNVHQ4EFgQU+4pI1RXRgeEBy111gtNxwKI6\nkGEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRqor5b7i1hReFVXy39eYhKA0tueDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgX+7m2ZGZxkmkG9cW4gDQ3YBtY/lz\nk4DlfVv9i0KcjFYCIDNblgI27lQEiAc9dL/pD5W01SxZRAOKxXdNkPVNhmzS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUCw5NU+bJ4Yiv6gdWvqQLu5MEYuMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzNDgxOTEzNjMxNzkxNTExNjM3MDIwMDgzOTIxNjQ5Mzc5\nMTcwMjYzNjY5MzgxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4SU4\noH4cUOYhoa7+c6Pz6b8j/+vh/S85O3tG8bWWf7nqkYyIvIXKpeHWgGfRbzKuYK6I\nNziyt5SIEZjnRpRV1aOBiDCBhTAdBgNVHQ4EFgQU5J1bH5NGoqE7sPUe+Q/P4ynB\nSOQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRDNQP8MtlQhgH32exhOyaLq6UlSTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaWJu/AQGc9Bgb7I4n5Anfep0GXQZ\nnB9+TLHHyPknbAYCIQCRnhmtt6v1y0ujolRpbsgJaf1pXQafduR9754mSah2Nw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP1JM4mPdm/i259MifZP9kn6T/6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpENx9qm+C1EAufWup9stTE5+Gp02HHyXxjm+d\nHMOMRdqzN79Ttc8QsBHgs4rpKq/659h6Vfy216hhw9xvsHkLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVeSgVvypVQW79WcLlplvA7w0IGEwCgYIKoZIzj0EAwIDRwAwRAIg\nLiSVDQzV+vL/SnqAKkKJYw/lP9iDr5CFLRI3mBoadVQCIACmWKCr9hX5BWVmOOc8\nUwkz0+mWQzdvcMd4Ip1fjfV5\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKj+IYPLmr8yX7Yady4jKRRPdgA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaudEOhmQTE8B+zAgIgUTX3epXFamwf4GKTIB2\n24ndfXI1FIlZJJ47/TLM3U82tNnbddCszzwl0vs7km4pULbbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtUDg4VlOHA4jcCUF7hl+UA1I3MgwCgYIKoZIzj0EAwIDSAAwRQIh\nAPW9ZpRnO14QEeN5fZK876ft/XrSSF6CUj9CRhvPyh06AiAeO7kExo08jXs5Q3Np\nKJfjYDBzZ9UPu1nAGO7dbQWLLg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUaQgw0BMyXffZc4tEVHz/0mhlUAUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNjE1MDE3NzcyMzg0NzEzNzE3MDIy\nNTQxNDc5MTU4ODg4MDY0ODM3MjE0NTM0NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdea4flMjdgPI+D8bTC+REM34M1oCXd0T40rhnyq9Py1Ees3e4y9WH42cliyWLt\nGHDmPBbTyzyEiohPyUdcFPKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFXkoFb8\nqVUFu/VnC5aZbwO8NCBhMB0GA1UdDgQWBBR34m+23b2+LVV+8qY9B5zbO5jNgTAK\nBggqhkjOPQQDAgNIADBFAiAD7/VsyudjlDsnEHYsFfk8YOnDHqKqT5f3dN3+y89+\ntAIhALa2vsr4CxEUMqAJKOZMBOH9PD4j33CkjlsjYaZrC1S5\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUanHqIHEDiI3IybcnmGvHkU2TBJ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNDExOTQ0Mzk1ODI5NzM2MDE5Njgw\nMDMwNTc2MTI3MDQ1NjEzNTU3NTM4ODE2MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM5aI5pnL/VbOg8u4stY2+EbF5ZP/lZA7HwCRDIRmNJW25uKLSVIOVEhCHL+lBhZ\n94+GTPBFABl8lGFsifPjKDyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLVA4OFZ\nThwOI3AlBe4ZflANSNzIMB0GA1UdDgQWBBRvGZ8RWdWnp9ZAqk4VaPxdThwGsjAK\nBggqhkjOPQQDAgNIADBFAiEA58SU9lamyHzDGTANJ8i8inqNnCAgFci6TBe+xf/9\n+DkCICMh4wx9nADGyBiLYwrQuJzGVXxOcw3DBz3kb67PRoWF\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUFbUxRyV4ABmrrrEGGTlxWy/zzJAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzYxNTAxNzc3MjM4NDcxMzcxNzAyMjU0MTQ3OTE1ODg4ODA2\nNDgzNzIxNDUzNDc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU5OTYyNjY4OTA5MjA2NTI5MTc0MDIzOTE4NjEwOTE5ODU4MzQ0NjY0\nNTMyOTkyNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/e/K18qytUUQNzDe2i/9s0W\na5fPW1iaF+41IR0Y0r0g5H3HmxoU0kw+lVdpPHlLbr1fOjrfJ0HdO/Zr17cJqKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd+Jvtt29vi1VfvKmPQec2zuYzYEwHQYD\nVR0OBBYEFBWQgyMKVzc68V2c4d3PAvLusR3/MAoGCCqGSM49BAMCA0cAMEQCIDTP\nn/rSlGuJhhe08eA1cQd6kDnWlvZcwZhvTaz/DWejAiBI8ODmcS59MonRtXBZRxcC\nSE7nSdUy1Z9VjgydLnQb/g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUYZZfgYgLDMSL8YYBaymTBHgib7AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQxMTk0NDM5NTgyOTczNjAxOTY4MDAzMDU3NjEyNzA0NTYx\nMzU1NzUzODgxNjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYwNzY5MzQwMTIyODkyNTgzMzQwNjc0MTg5ODI2ODgxNTMwOTcyNDQ5\nODE5OTcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENO/KrbUzCjQrX7FMfu7rRtQp\nyB4Joa8A5toerPE+LbZSVukjDD4rq8CXR49RVaYpJQsmpcq+9Uezj6aeZwQtPKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUbxmfEVnVp6fWQKpOFWj8XU4cBrIwHQYD\nVR0OBBYEFJrBA4h7M6088uEQ7E7boNjyEGDMMAoGCCqGSM49BAMCA0kAMEYCIQC8\nwFsnwqg2zAq5ADGihKF/APpFnT+VwOITr3hvlKTiNgIhAP3/b2uUkoxXI/iJhPh9\nBMkN427sjmzB6dWeJWzgF1Hp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULPN4cTrMNpi1e7bEhifxFMbpRdYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRXih9OSn4/EIDKiM5AiEJ3+iOmzvUCRLfFW4F\nas7qyZKQYLifp0w9IZ13DRrrunQfn/nfLpH2k5OVs98rY8sro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeZRer2LKECZlsxkon57iquYUf1swCgYIKoZIzj0EAwIDRwAwRAIg\nJ/CjzS5vBmbVXrdVk92ydL9Gl+K9bv5uartK+G6ho9ECIG5lzDAJ2midhVRhYEHf\nLCm8o7LnApe8JSQ6hMDryqob\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULhP6W73Qz17Q/FuQUXqHVllHMj8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPpBAEQkbNIvfXVnRqx1b8epOb9ABtJjAq10Uw\nHbZWVrjFjVuy0HKa5REUZ2BdUEd4nh1c2vf19C3gvXNOfapZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhZ9IPtzyYUoO4E8qbPcT6kDMqQgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOTNRWJ16pYSBmmCxsHFjcE+eZjAdlAEVIdJM7zOj3qHAiAkXN77mLQ6S+vD51F2\ngS6hwBGIh/h81w3RPpwXWqPPHw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUMiqfCQEih7pq/QiqawGWm/latXkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTY2MjUxNjcwMDM4NjY3MTM0NDg5\nMjczNDg5NjUwNjM2MTU0MjMxMzkzNjYzNTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPX7+qGFxZWS3UlY+wOGj0+E7vy1DErD25fCdaQPUtAj/Y0CUa0X7JlVHQuF+zh4\nfpTKMSRx88iO+FpaM0+AqOajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHmUXq9i\nyhAmZbMZKJ+e4qrmFH9bMB0GA1UdDgQWBBTkOFoHhdcyUTSsus4I0cz33ogvUjAK\nBggqhkjOPQQDAgNHADBEAiAq53F5cNpNQi8ltqIuIKMj3PQV5gcbANJXojyPPdwa\nmQIgbdFh0WJApgZcNSRTZuQXW731CXCauul4ymmuKhQgjEc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUGaoTYSJJWBeiJyp/I3uIuI9mdzkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU2NjI1MTY3MDAzODY2NzEzNDQ4OTI3MzQ4OTY1MDYzNjE1\nNDIzMTM5MzY2MzU4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI4NjQwMDAyMzc1NzA0MzIzMzUzNTA4NTgwOTI2NDcwNDU0MDg0MDA2\nMTIyMDIxNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEazl6xOYtfL7mJCvojTK3q6Y1\nLBqNRqoc6X4vaOzp3Nmb7Bd3Bg3RYBACc0RxRwp2nxj3o76VcXbxrQU2hKXWTKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5DhaB4XXMlE0rLrOCNHM996IL1IwHQYD\nVR0OBBYEFA7zrXngokKkwYFtVi6IR/ElYpIdMAoGCCqGSM49BAMCA0cAMEQCIEMk\nHsVyN6cMcKa6u9fBXh/UOlJOjK2y25fv2c2mq2keAiAJxQuCFegPqsCn+qYD2GG9\nW3fyhhNS+BFhRhoC3lMkBQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUcL324euw0y6ldf0KVBHQWYKld+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjMwNTkwOTg5MDYxNTUzMjQ3NDIz\nMTMxNjgyNzY5NjY2MDQzOTA5MjU4MDgxOTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBElCD3WUmHIW6fhR4SRFalV3dAtgkTehCshE83Y+OISK+05vlSBjo7rgBr1px1Zf\ngQw9EaiElioZlY0zhi54N+CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIWfSD7c\n8mFKDuBPKmz3E+pAzKkIMB0GA1UdDgQWBBTie1UqI1RvKpM3ZRUZ83jjTcuXPTAK\nBggqhkjOPQQDAgNJADBGAiEAicQXpGM+Gyo5ut5JEzpEsGf67Ek470ww7zLphRhG\ndBYCIQDymL9SiAssl6xqXX2Hb4ZGKfLPHcmdrkbLrjznNXYw/Q==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXKynOM89+nAEgBvQqb18oKwiOuowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYzMDU5MDk4OTA2MTU1MzI0NzQyMzEzMTY4Mjc2OTY2NjA0\nMzkwOTI1ODA4MTkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDY0MzY0MzMxMzY3Mzk1MDc5MTI2MDM3ODU4NTY0OTc2NTk3MjA2Njcx\nNjQ0ODc0MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4gbLAHCIC1/DSKSDrO6WTItN\nO++0PPJDOIsQcI4Ve1snVWSDf6gyEtfPDOASIdNDhWYPBTzfz/rsw/jSrWBte6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU4ntVKiNUbyqTN2UVGfN4403Llz0wHQYD\nVR0OBBYEFDPAWD9RzK4Cg4oNKq85vT/0dH0kMAoGCCqGSM49BAMCA0gAMEUCIQDR\nFxMrm4B1+hnYXXGJFeQflpva+2hAWogk7D8duhrCuAIgfqk9qrPli8NFi3/gN3PL\n3lRUrPZo0va9oSbyxnxpkjY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUX7f5cfYUnSYS4RfEztc8f6S2m/owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg2NDAwMDIzNzU3MDQzMjMzNTM1MDg1ODA5MjY0NzA0NTQw\nODQwMDYxMjIwMjE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUixO\nGESnPmj4KLxAGEWq+yLLKVpGPUICpLYWdfdPJ4gZ6r1tBm9MF4ZKOx29AQgygkLi\nIkAvZXRT9BtfZU1MfaOBiDCBhTAdBgNVHQ4EFgQU32lk8TJ+hxsQ/yZFWXhAMjPC\nzGEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQO86154KJCpMGBbVYuiEfxJWKSHTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKRQCw4RFQVs6Ty3MGelZ3ekjHaY\nEFEZ0Ms/g8yMssmgAiEA7VRbDu9UyyQXBXLB1tpbxEUlhEG0CZqfUyOKUj25J+U=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUGkAq24IYQo9uhq55cBBL7glz2J0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQzNjQzMzEzNjczOTUwNzkxMjYwMzc4NTg1NjQ5NzY1OTcy\nMDY2NzE2NDQ4NzQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUk3\nWeUSPXiACUUpkvX5uDwdmiSo+NuRBmFsmPi1ohd1hf1jZ8MVCY4LhnGNkOR8tvhi\nQ4dUsUdZ7t5A6p3NVqOBiDCBhTAdBgNVHQ4EFgQU6Pmq/56YY89hqeEUdymOu322\nJWIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQzwFg/UcyuAoOKDSqvOb0/9HR9JDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOJvRS2kQDI/Ot6OBI3pU8F1W4LYI\n27n0eUlLj+C4ZvUCIQCavZN7WAx+yCBjN1Hy+PExh7Vq1GaOXjpS07ub9kexVg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUazWhnbHsPB4dM6e5KhJfODslQt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+RKigBCo1E40XxHgOhcdryrWeIa9xyn+OTWg2\nMvStfIUOn+m+DTzLrB/J70a8ewjNM7YkF9ilYdZsDdbWlgV8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUagkTepHxXxwRJbvkh2HhKv8ZzhswCgYIKoZIzj0EAwIDRwAwRAIg\nA218BGmDuu6IhhUOz3wwARJxdgdN/8xBCIhiuFu/DK8CIBUrgRlSI4fQzBlB4q00\nWx6EzqxPz+N0eh5B2my78JEN\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXxJH/7icKoqwYsFnY4nqFLHnyHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/cCLYhxzb1qCJLIO6Xy6UZjL3KkLvsIy+ge7t\naKgLIjuMgX+lG0dnmNyPkEYSZsg7xFgmc8JuPzTuXmyev/6ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR0QioAsgBiaJhclPkoXO4Q4N91AwCgYIKoZIzj0EAwIDSAAwRQIg\nCDOV7znj9Inatn0pExFprFkxKlQIILKqGVMt0uovPOsCIQDINnuTZqhNJdCo2OyP\ntnrlgGgZUgEBV3R3+r3iQb63rg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUPawB64nW639TtZeTNCyvKmqcHLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MTIwNTgwMzA3MTI1Mzk1Mjg3NDk0\nOTk1OTQwOTU0MzE0MDM2NjQ3OTI5NjE3NTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLdlwkUl13x6Yh0JrDMasKpAkfUToLpj3mnY4Hm+HpA3xpX95PSjgYl8pj1Ya98R\nqZZbecMW2YKVhWwDoonFLTejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGoJE3qR\n8V8cESW75Idh4Sr/Gc4bMB0GA1UdDgQWBBTVTvPnSMWXYv1II6u2T3HXKQggezAK\nBggqhkjOPQQDAgNJADBGAiEAg2urdg+u6s3xwIeBGGHAdF1H4IeARRMcpNJSJO4p\n0IgCIQDQVaEimQir3sxNNd2cKjsuBmMrRmgcLhToMXux9egE8Q==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbuZuUCwOyIMl/8JNM23aO1pUgrgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjEyMDU4MDMwNzEyNTM5NTI4NzQ5NDk5NTk0MDk1NDMxNDAz\nNjY0NzkyOTYxNzU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM1MjA4NDMzMjQ1NjI2Mzc5OTc0Mzc1MTY5Mjk0MTI0MzkyOTAzMzc3\nNDQ3MjM3NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqwxmSokbLJne4VK7t8mBeOkp\nI+axmoUwvP08l4tUJajJDPfOVQ6EsfRrqUo/Mip3oV0xlcdFMQx2tmDRNCpHg6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU1U7z50jFl2L9SCOrtk9x1ykIIHswHQYD\nVR0OBBYEFAZzlv4Ly2yqjh5Icx3t5/p7HYp8MAoGCCqGSM49BAMCA0gAMEUCIQCc\nBW2F+Nh647jY+P6Aa5/nOnP2qZWIB8Z58fArMVRhewIgdqt18P5ynQ6UWWKFdPYM\nvdiPCBTQNs3FH3Z4do1QUuU=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUVaz2FCQWDz9R7U+V2/l1I1Q8/eEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NDI3NjE4MDg2MzE1MzE4MzgyMTkx\nNTA4ODg2MjI4OTAzNjc5MDk0Nzk1NjU0MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE6rvMmy+5nGfZZB+ts/VQ5ufcbrSjp2bWlckAWlWV+YK1r4Y23nIKsAj5G5nggM\njTFRzS4VoA0SA3uEpcZcX9qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEdEIqAL\nIAYmiYXJT5KFzuEODfdQMB0GA1UdDgQWBBSYUE8fxwE38oSV+7eQTopsfT65dDAK\nBggqhkjOPQQDAgNIADBFAiAs2G/L5tKLaquFLQn8SF4SpHYloTRZJaPdZXytn7rf\nPQIhANPCxZ1wDCZ2KHD7NpGyOLMhP+BQBj6oucyrF+GygHll\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXzAYAA7/F/2cnxWTxKFvBFytEPgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQyNzYxODA4NjMxNTMxODM4MjE5MTUwODg4NjIyODkwMzY3\nOTA5NDc5NTY1NDM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4OTEyMTM4MDE3MDEyNjkyNTgxMTYyMzkxOTc1NDcxMzQ0OTQzNDY5\nNzIzNTkzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbLhDbf/UOuFMBotEj031M149\nUpeyT4iYgpKw+0p7Ng8RAOz9ABFYUFCyr22Xrp/e61xou1c/6WLGQ4NEGgIZMaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUmFBPH8cBN/KElfu3kE6KbH0+uXQwHQYD\nVR0OBBYEFKrLH9h46Gy8Yt4K/PcY0t3OTW/YMAoGCCqGSM49BAMCA0gAMEUCIQD6\nRSNZ08Y0kW9HNJiI6h99pHSMUStn0/Bjisjf8uDeFAIgY5KAOS7qYq27/wtFQZVJ\nw0hoTuHEBZxl5DBaTkUDvoQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUYdTxgqvS2c/KXkjCjFkkHJdWasUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUyMDg0MzMyNDU2MjYzNzk5NzQzNzUxNjkyOTQxMjQzOTI5\nMDMzNzc0NDcyMzc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZp+6\n1sRkP0T8Cb+BlA7qr2seOjVA2ZCSfsz160ejFde17w6cJ3Lur5nud6QMXhhkZOjH\nfAS9RusBcn2VOyHtiaOBiDCBhTAdBgNVHQ4EFgQUluXTNnf9SIRoxwXWqgevUHX/\nc54wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQGc5b+C8tsqo4eSHMd7ef6ex2KfDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIQHAzWZGTnW7cCPcm5DBmtM2p5y\ncoQwoGX9WfkUydj3AiBahaTaCEEiVZc6LuF181Fvt0hN2X43dl3clWnYRtbnfA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUEKKcEMoiT9c6zvGVSEcqew3xM6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg5MTIxMzgwMTcwMTI2OTI1ODExNjIzOTE5NzU0NzEzNDQ5\nNDM0Njk3MjM1OTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/XwH\n1FxatIgoNR4GtWEbqmQ08ppxx8f5V0Le4m5cp3zmO+ZAIuNr6i3wa/e+NWZdpTjC\nydQDMVC6qLYxSQY6IaOBiDCBhTAdBgNVHQ4EFgQULiRn3r/L5SNxLtrxHRHfLsov\ngHwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSqyx/YeOhsvGLeCvz3GNLdzk1v2DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgJtE+MvcfeU0izpbDFf2JQJxV3zxn\nLR5d0oKqs5/8+/cCIQDL46sYFybvc+Kw8n9h6cR2iFhG8xtUaFX/umnCSKZ+iw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMibIkatGFpzEETgDbD888aBYSWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiV/JDLMwYZUy/udeVPIjvwbzzYAQleGmgI94V\n8Ua65NitmbPQJ9wH0FU3v+AcCATzwb6iyT5t0Rh0rF+qxXBAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ9V/LAIQP6KYYn8WOQF1C5SwX3EwCgYIKoZIzj0EAwIDSQAwRgIh\nANmwT2I+bhdz7Y/VkArs21kbuX5m5jjtdfkU/HQUNhSwAiEA09sLYYyK7BgugH1s\nKYW3ODCqoo3eeqL5jawIRVwtE8U=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH/OQQBalFYRuWpTfxO3byV0xh98wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7k2YupOe4RUC0Hyatw3WFXzGa6YMB0cQZ9kYy\noDJF/Jrh3A/Dk8/85Kst34kFAWfI9cw8jM5Vva/LOfgDIOcyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb1nNdpGik11JvmdRsnFvfOPmtB0wCgYIKoZIzj0EAwIDSAAwRQIh\nAPVfcXEPlh4i3v0TxAeFIwPA+5Ga8kO4HWkl2l1e0MoBAiBTAAbYUH9Y5aC2+6Aq\n0LYlVYN9sFHZpgFP1fXCSQrGTg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU9i1txtmr1EzKLr+HexzqAQQ1UkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODYzMTQ0Mzg4ODQ1Mjc2MDIxNjkw\nNDQ2NDEwOTU1OTI3NTc4MTEzNTQyOTA1MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCBeP3DCW8Lf2xDfEaeKFwko+QW4pR3kvw141+XP/CPBYv87l97gUDzrGeFD3ego\nxhlxf2Qg74byXkAfO5fzF9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGfVfywC\nED+imGJ/FjkBdQuUsF9xMB0GA1UdDgQWBBSP/NJW/ZrxPJPkQ6MoWkWnEfO9qTAK\nBggqhkjOPQQDAgNJADBGAiEAjPQMH4Wlg4gh0UE7pL4bDGF19OMqtZZC9zjMHo0A\nGUwCIQC5up0/0zHojmZIZRX5qQLCabh2zD3QSodkXqB7IbfyiA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUD8AvnOHLBjS+R4xfvtb8MyWVI6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg2MzE0NDM4ODg0NTI3NjAyMTY5MDQ0NjQxMDk1NTkyNzU3\nODExMzU0MjkwNTM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ3ODY3OTAyNDU3MzExMDQxNjI2NzA2MjU2ODk5MzIwNDIwNDUyNDIy\nODYyOTgzMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGAZKaRklqhUG3rj+nYavBTUw\nu1z0vre0dvpp5O1tHZ5jdXQ1adnSYFeNqzhJ0qu1icogWrXH080dtcuVWal9T6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUj/zSVv2a8TyT5EOjKFpFpxHzvakwHQYD\nVR0OBBYEFDpRW/QJ+7CLE3aKfOpYx1+lLkeHMAoGCCqGSM49BAMCA0gAMEUCIAEE\n3+rfgXKeV0Qtx0ccc45qM5bH7iktjo9jrYiaHJD1AiEA7rwcQns0atFCbgNA1zeu\n5OWwFM47jMGWLfpEoxsPlkU=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUYi1VGZSES7Z3B4LuKy7MuQwtLpMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc4Njc5MDI0NTczMTEwNDE2MjY3MDYyNTY4OTkzMjA0MjA0\nNTI0MjI4NjI5ODMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzg5OTIwNzUyMzAyMDkzOTY2MDkxNzY0MDcwMjQ1NDk3ODk2MTM5NDUy\nOTE2NjQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMXlzse8n4BQXkna3qbZVXRKAa\nIYYJ5JYnL9WjT72zQ/NMO7Jf0scTdnZG80qAPbbXpmW9HwBx7++J46RqV27eo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ6UVv0CfuwixN2inzqWMdfpS5HhzAdBgNV\nHQ4EFgQUmhdUI3pdr+PagWQspNp0m2aV+x4wCgYIKoZIzj0EAwIDRwAwRAIgMKss\nUAK9IwuyMQHiD/6NHyLoSCgfLZGK6quvZtoIlPQCIBw2aiCB434tEMgD/HcVAZQ/\ngrFZlDAOUY/z0OfrfK7d\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTfhowqyU2v1Y2Pkus/sZytcmQOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODI0MTAzNjA5NTYxMjc4MDQ0MDE5\nOTc3OTcwMjIyMjM4NDg1NDM0Nzc2NjM3MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIWzf2O5EogzXssO4hqC83Bt73ISL5VjQkeuBUJc31I8hGn5bhLPFmX7pQ6o/SJY\n9gzoy0mpelLVVnKagj0oMryjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFG9ZzXaR\nopNdSb5nUbJxb3zj5rQdMB0GA1UdDgQWBBTpfJbm9xwETGxD8DZhSgcqGyGyIjAK\nBggqhkjOPQQDAgNHADBEAiAgylJO51iUgh9Aza8Oh8PgudKACpFD8NXiQFsoiKwL\nxQIgNhe2vlw8PpJZY6s6gRwqsx/C2cy58gt2ZsbM/wHIQGw=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUSNBd1Y5sHwfZTu4CWuO6nbhpSXgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgyNDEwMzYwOTU2MTI3ODA0NDAxOTk3Nzk3MDIyMjIzODQ4\nNTQzNDc3NjYzNzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ0NTEzMjAwMDA4NDU4NzQ0MDQ4MDM1MDQ3OTg3NTg3OTEzNjEwNDM0\nOTU4MTUzNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgGnrmKAzOcaDCblmRRs7iqU8\nGLNacAjzl8bJ7QGcNn/ZOg5SuoCiJ1EnrzWH7q5wRisv1s00R0s7KJresNUUB6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU6XyW5vccBExsQ/A2YUoHKhshsiIwHQYD\nVR0OBBYEFAeSktzi6wSeGhzS2TXHwQOinb0UMAoGCCqGSM49BAMCA0cAMEQCIH43\nxW1ANyp3xBAEz9i1wxOc97/LnSAdx3PSmPgR4JC/AiB8xqDAP+TbqKzY930RjvvL\n+a4bshpNFGW5AGmdwNak0g==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUCeejJU9LdhX0mmre7Pb4rBJ3+REwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ1MTMyMDAwMDg0NTg3NDQwNDgwMzUwNDc5ODc1ODc5MTM2\nMTA0MzQ5NTgxNTM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQxNTY5NDA2NDYxMjY1ODM5NjA1OTc4NDk3NTc3MzI5MzQ5NDI0MDIy\nMjQ2NDM3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcSf1kafPDJZEHybcT2uEHAc+\nbOW00iaZ/Az4N9kztZeagEYwn67MJqgTfL4ADtep/Qd0tPAJgYQqIaIcPuUGM6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB5KS3OLrBJ4aHNLZNcfBA6KdvRQwHQYD\nVR0OBBYEFEdJA5+/RY/3At2ohRtFXnQenkW7MAoGCCqGSM49BAMCA0kAMEYCIQDV\ncn7Twg+eon/Qt8k9jpKDDCSh6/hJ608DzqQ4YmpOZQIhAK++AP7Y1B58OwydQIZp\nVYgInZ3zL3LEXwMk94rNinC/\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAa+gAwIBAgIUZ+DIU05QPBaoUHrKcs4oNADEk1owCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODk5MjA3NTIzMDIwOTM5NjYwOTE3NjQwNzAyNDU0OTc4OTYx\nMzk0NTI5MTY2NDMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATr/ZW1\nwGwc4QpRFSGT4CWS62thz65ynt50jFZLgsijfKZnifhk1cXSCpMv+Q+YnJNKKyYV\npVDbA65ZhERr6x82o4GIMIGFMB0GA1UdDgQWBBR9molDeCzmmBZovEx0qewdD8Mt\nYzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJoXVCN6Xa/j2oFkLKTadJtmlfseMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBxsPbYYoHXvO6/gicTkSo4ulL4v6jC\n9roD8+S+tWd8NAIhAPVh6Dn9KrIjuAvkDc20ZQjCw9tC4aiO78jso+91CbSL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUSWYgIpAei1Z1HFrLel/HbgkRQpAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE1Njk0MDY0NjEyNjU4Mzk2MDU5Nzg0OTc1NzczMjkzNDk0\nMjQwMjIyNDY0Mzc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg5wL\n0Ldk+1MaY5BOvo1W2GdrpaD6gvUj953pZX+0/saJNL1SgHwWa9NcHSZPZPlodlwX\nNI2VC9X+8Hb7fnGGm6OBiDCBhTAdBgNVHQ4EFgQUoRIZL+D29FBG4nILvDFOqGTl\nZxYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRHSQOfv0WP9wLdqIUbRV50Hp5FuzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgLLD1RQHQnIeWiFcZ7l1O22pnFxC9\npOv16F4bWgsZn7YCIQC1TdmQsE5RQ9UYYQL9SE/pBm1RQaKtc7yEdUJBwWnx4g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHKPSe9+ARZft0erGisjRH6h4xNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASGGmMGBufmKZTfb45js8HhxAk98i+fa00Ahp2W\nRNONTfZLBHJ76DtCXP8ETB0vMR/0sv/Wn3YCJGh4dppd78HAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUppGYjWbO6znWO1HQX1qXwC5z4gowCgYIKoZIzj0EAwIDRwAwRAIg\nVVR0jY5wyBcAjCrCAsWi344WC3H1Ys5QK/JEleAwm1ECIER+sO6wilbR5w347VCj\n4Rkbgg08boZ1kLInVv8ZeThy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEItuYroq2kiliXhr3VGtDMul5FgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQL+F2+jTqKOH6HSPEOCViyo5TWV5sKJMQ6o63R\nqfer+72cmvn77XepxUk2ZoXCDhYDnyI6RijB5sksHMQyBCZXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGLBzeWZ7vIUsOdQsBWeje5pQNQgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOjJdTiERbK1dAV/KwS+yxRobamZb9EeFeRuHgKmFKZ2AiBBfmNogil82flpadQJ\na364qmgYecsQLg1E63dgSMt2Qw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUU1s+NM0nwGJiEqMJMHSoErWYV/kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjM1MDUwOTg3ODIyODg2Njc3NTkw\nNzA3NTg0MDQxMDM1MjA5MDgyNDczNTI1MzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPyG/78d6zyhHRfaQk35reHpHcr+SAEXL92tyAa6nuODmsxDGyWySf3rvOOu+mxS\nEGLEcbBLsjpdAVXmACs0vcGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKaRmI1m\nzus51jtR0F9al8Auc+IKMB0GA1UdDgQWBBQZezCQwzAWXh7E+5aR3SE8hT6LajAK\nBggqhkjOPQQDAgNJADBGAiEAlV/65w3CPzXxVl4H//tL+sZOBZr+JbtIz6Sq/2Iz\n84MCIQCApQr4A3LTPVmYgHbCE20OyLlRpcnJhMscLr3lZ+8KmQ==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQPE9bTHSoYfx/Uu632/7yY+AcdswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzNTA1MDk4NzgyMjg4NjY3NzU5MDcwNzU4NDA0MTAzNTIw\nOTA4MjQ3MzUyNTM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE2MzUwNTA5ODc4MjI4ODY2Nzc1OTA3MDc1ODQwNDEwMzUyMDkwODI0\nNzM1MjUzNTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIk07Oh+M3ruU7FebUuap+6Mp\nbW+5o/4GPeFaStsBBcM3nwdSV7bvmYbsuUPrZXgFi6n4/516JxG1Vro4mdEdZqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGXswkMMwFl4exPuWkd0hPIU+i2owHQYD\nVR0OBBYEFCTU/v7dnzEcHwKdTCr3k57bGCpCMAoGCCqGSM49BAMCA0gAMEUCIQDD\naZXD3hJXawXi4cEHwEO0JkGweX5bAM86axUhX04exAIgVzkuBDefeKSdPPqV1x/L\n1nfk5iowxmrmroU0HvWnPVU=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUSbYCkn62b90KpBbMODagfy8TSGMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzNTA1MDk4NzgyMjg4NjY3NzU5MDcwNzU4NDA0MTAzNTIw\nOTA4MjQ3MzUyNTM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM3MDc1NTIzOTkzMjAxNzI3MTg1Nzc2MjY5OTk5MTM3MDI5NTEyNDA0\nMDkwNTE3OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK4BNQkmLyE7yhDixyGPuXOKF\nNlcrGZQdFf54EPVkj1Sq3LWDP2Ja17bYOV7c5LAnU2m+FR9G584wCp6cTwaDV6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUJNT+/t2fMRwfAp1MKveTntsYKkIwHQYD\nVR0OBBYEFJbPS/O7NqngoslVvAGLmxb/pgnwMAoGCCqGSM49BAMCA0gAMEUCIQDf\ncIV0ygkleR3zSXl1Fflp7fX6sX1VSZGSt6q3xhvQ1wIgCEhezb51IH56b6BUw9Kj\nHb8X3NtJ22h9034VpgkAkkc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIURpl9xFrrc4pxDjxG6JoabAkkd+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85NDQ1MzI3MTg2MjM2MDU1MTg4ODUw\nOTY0NTI2NzU1MDE1Nzk4NDY5NzI3OTU3NjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1sguvS33wm7diKIOpuLPE6Gn9hBxA5PiFR9JCEFNTTmw1rXIUBX/JWEpCy0tQ0Sf\nUd2SWsD9EKpiZlR265bEKKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGLBzeWZ7\nvIUsOdQsBWeje5pQNQgwHQYDVR0OBBYEFJZ6St3k8GBCC9uM5Fh8nofysQxSMAoG\nCCqGSM49BAMCA0cAMEQCIFV0MgOl4BWdP/Foeg3hGHhJ9gt2m2KrcQ/vsipidxhJ\nAiAMR1Mcdi+VIurKlvHWPksSf1IPO7ADM7Ve8xOTgNw1Mg==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUSadaxGVWFXiOfbedewGpqJ49RUcwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5\nODQ2OTcyNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5ODQ2OTcy\nNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBJV4G+pNnUS3z1lkC5Gt8X+9H6/\nzlnVc819EZhZvbhEWdeGSCHqSfd1mnBbVJBOkDfPxmk7iGRSMjI1c8Fr9/ujezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFJZ6St3k8GBCC9uM5Fh8nofysQxSMB0GA1Ud\nDgQWBBR4rXEMclD9DvUdOsB1BBuirWg3YzAKBggqhkjOPQQDAgNIADBFAiAargUh\nohebazVywi9NpRMP+kWov9fIepHiOKPEmRzzGwIhAKSO0CWu8NZIPO99cXGYyDi9\n58t+bmM92ZNy4pBeu2J7\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUH1P2/+K3g5rDw3wdV5InIOyyi+0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5\nODQ2OTcyNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNDIwNDg4NDU3NjU0MDcxNjc0ODQ1OTgzNTMzOTU5NDUyMjU1ODU4MTQ4\nMDY2NjMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4UKL1GHSRC1/afJoCbCzx4k+q\nCzAtr5r072WCDBgZWRCmlMZ15PLzwm//5c5n8/TFGB0khFURY+fKa9SQXI2so3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR4rXEMclD9DvUdOsB1BBuirWg3YzAdBgNV\nHQ4EFgQUJSsUup4ihcfVeNU9COTvjQHc45QwCgYIKoZIzj0EAwIDSAAwRQIhAIYA\n+k4EGRI+uQxnAg2/k1mWeilvKBG/3cBeYGcTwkVWAiBGZyUww5ubLHh4ISMUqS9A\nWC278k5bP+h9aKO1PXRGNg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUX2FyFfTItd+cVJnvMV/JY7f/jIwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcwNzU1MjM5OTMyMDE3MjcxODU3NzYyNjk5OTkxMzcwMjk1\nMTI0MDQwOTA1MTc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFIcs\nRTGFnQmDmebTRwVrTGeqbIFiCQf1fhKXP5CqlXKRSTv2VhO0fXC2cpd+xTiWeHAn\nM1dlJr4jFzZ6R7iQnaOBiDCBhTAdBgNVHQ4EFgQUKFRhY6M+HF49jyBDNX5j/BH+\njgwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSWz0vzuzap4KLJVbwBi5sW/6YJ8DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN0lRPg7/SwRSGWMYtRnsMuL8i/Q\nBWn7C+EVPZVv2806AiAldO6Cm47QixvORgRmAlTYmaJ7h/KHa6veVFe3yyVFDQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUNE4ybqxd7JXkdXc/xandV1KSBvIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwNDg4NDU3NjU0MDcxNjc0ODQ1OTgzNTMzOTU5NDUyMjU1\nODU4MTQ4MDY2NjMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiD/d\nZDRtitMwI/gOHdBElAZ7j/Hd+kfmG+mZ42T0sVzHqn3p/wvgOpfA06GxucWSgyLu\nwRLzvJL5rVWqt2muzqOBiDCBhTAdBgNVHQ4EFgQU0IQhpNaMaOEuT4zYhqOftoCm\nQLIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQlKxS6niKFx9V41T0I5O+NAdzjlDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgW5K9P4p7YoGIK+qtbClNU1jTJgZp\nCXWhPrl8XZy1rJcCIGfdZ6yRA6QKz3zeVYENKXOPOiY0yvcCBCJ3YGrOXLjB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUbfMyMY43hDrMfHczH+k4h9pqQLUwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz1zAv4/Bwxet\nXz2d67K4qAOeruF2VqxV1cEPn94+vS9hp1rfKy+IePZDMzD685QWT0w9swxLv60K\nt73g0Y4rqKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFBP5RpaCRQwqWRl7kqfQuYnVC5is\nMAoGCCqGSM49BAMCA0gAMEUCIQDwPW3MKqzQUej5gSguLy4TW/NwiSHB3jHKxz6R\n6CujaAIgATGyRidhW9Fb3uE28bFamamzEmsh5Qr0AkWBSYVI8A0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUDg6zS7TD+opViezqeREfeAf5o5EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt/w98z3ANSpf\nN10lZQy+bru2bQaWQsVrACdxduEii+hyl3c8nTK5lRbOxT20055JIGhxu4ZnSseb\n+VDynCASaqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFG6RvBrETbHhYPAikv1/qUP/qSGu\nMAoGCCqGSM49BAMCA0gAMEUCIQCXCHnMh+g2+t8oqegRQa3cUOdmlqHy2tTBRcDE\neEgm9wIgPJPuS6Dn/CMwiOhMXisBm/y1HnTyCBjTv9cZ/rabw8w=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUCuevmaMdxGxC5ZUPkQiVfbLHjzgwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABEa6LdgoMXak9YBrLY8lX/WcKKI+yF9WLCC/CySDwcH4zi21\nDr1UNSJGaXTxhJzgHyRten4fpePyPqx8tOCurtGjgYgwgYUwHQYDVR0OBBYEFOqV\nwjlpOt9shn/N1NJvQnz/PHLnMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE/lGloJF\nDCpZGXuSp9C5idULmKwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDaYgMe\nADo/4YRAI6l9l+hwVniAtdHk3XLHOjQ31dPFwAIgalKL3wQ38buA1q+Dmn+XoJdS\nt9BGd5ZwQjEZkin4vsk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUVlpC856GCWh9vY9h8tAUu0b7EtcwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABEJQuIcvP1MP3fbp9AUJbepi/2sL4Vnrngkw0kKr1Y7jPnO/\n13wvlb5pJ6TZVOhWkAia3wjvYu9D7hXPWJjpuGujgYgwgYUwHQYDVR0OBBYEFPSr\nv5KAZK6/BMIjI0DEkyI67LQmMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbpG8GsRN\nseFg8CKS/X+pQ/+pIa4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHm1cIdc\nWLusLrNFXkroyJhYf2Ody0QcJzv3kAOyZAxQAiAIt0Ug9sPLNx5wqE3eDJbL02Md\nL7zyl48cfF+HAstApw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUaFhLmcJGwALe2HQOA5UJhl9VcxAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBeuMMnLQ\n98mi8+jYbNpB8cunQ72AwyRq0AwP5cHIDjkusJiLUURrc2KKxH8223zLJ4aPzPsA\ngLJsEY3ZKXcPn6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKYQsJmV1g/AMyfK03yjsomN\np8e2MAoGCCqGSM49BAMCA0gAMEUCIG98uRnCEzWv/ZWAhlLKP9It8KwHvZw67Cwc\nd6HxLYtAAiEAiexpoNnZRhkgHLt6TPXbMXBuYX4K+rgaio0vVVr7Hd8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUXKKexT0EuzfWm0IUJQu5a+M0OIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE1ZwgWC/\ngXkestM7x7Qv8RpIwSScyOIc0E+lnY4obsOvBQ8lVczV6AQSiHFdG4Av6so+Vd+N\nN2HsDxDb/QiOXaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCeaw5f5ercnYgTyS6CCKOeu\nC07CMAoGCCqGSM49BAMCA0gAMEUCIQCz85q/rNKr8BMpYA3KKkc5DmW4giTFCWR6\nf9xPMOedpwIgWAlywrwtmdRccO2jN08HYA2WOnDqBiqMrw/jJPaVyOM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUDww3yrV1WnuWUm1+r7hzamKhN9YwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASv+6sg1llcDYEO\nhnv7i2jAr0TWnwMlzgbeA5QAWRr+BR1C5MyGXC36go3Z/QUzkmLHyrM7V3T3WyAD\nznrMK9neo4GIMIGFMB0GA1UdDgQWBBSI2jcNoyA5i40EvWnoEDxWM2TGqDAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFKYQsJmV1g/AMyfK03yjsomNp8e2MAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAzWdW7AKb+HQBVkXPYljRXehlwW0J7ixhDcJF\nNw5hr1kCIQDv7689XIPvFL1AeU9jjlZHcSao+35WO3dH/4W4bCLIYA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUaOnlEosBtrVE4LoUsd3IfxINfPUwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2GwfPmbp+sUIa\nnutpievYFAe/OyNEE+tvhXWufri4YhwX1tUlp08HWOO0NOK3kZMrAJ2mE1l9ykIu\nCvSTCx8vo4GIMIGFMB0GA1UdDgQWBBS6Zdfd8X5JLKYssDhj8hSRVm6UGTAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFCeaw5f5ercnYgTyS6CCKOeuC07CMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA/7g30OQeNNsJnayO5xfCAkKB/wuG91IBe7jf\npC78/Z4CIQC6hUKW+DVHjI+mNe0gRqonn6kb/7X0hE96qeQJuJlVJQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCzI8YgTMg9Hwg0sBU9Y03OXVmLMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTu2db23l4fYqDMwMDxjMuOq29uZaOfDSJ/FVg\nbOx9ysvNPhz27NxJvPGjwCJiyqkwINm+AzEHVOlL7mku/8u6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2UuM93npTz4DaQa11seH1b+1K/QwCgYIKoZIzj0EAwIDRwAwRAIg\nc5KMmisT9TW5Y+Wl4ksfk5/AByNTSfchhApODBV68AsCIC9I2vIiPfGYJ+cbJF/1\nUPizh6qVzHk3bdkIj5XYo8Jv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUG846liYtqTyJEmV9MU0GIO2C1uQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6KPj4R07mV5tmm84PANT/puwEEQTmGRoLwALK\n4dK6Ri6AMSz84xV6f+/SNGFReWoie59dDh8f6zHH2y0SrCQjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWiNtgq1QbiTkQjcIYlM4F9E2a+QwCgYIKoZIzj0EAwIDSAAwRQIg\nGu7Ah0kCdlFxzMK6DYxc2Vn3GWEpYDxjbqsCZcOlpxgCIQC5oqdPtIn5w2rNei5Z\nYv/bpVE+l2arDg74FucCTT9GcA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0jCCAXegAwIBAgIUUL7K8Le3Xix1NaQ/KHH3Pb6gXaUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJRCuGyXT2chUFQ8BoXXTMZjqREct6dp6mBJuZBaZj9i\nHIwaB9y+8MX4gbkbgp5uygMayprTxHWVaH+vxeM8+jWjgZwwgZkwHQYDVR0OBBYE\nFMtLmY+VrB867zAE+iArJBjgv5RGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2UuM\n93npTz4DaQa11seH1b+1K/QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSQAwRgIhALoKLYMk6g6EMFH93zW+iN4tRlBIqVHIVws+cChv\nzee+AiEAxe+w+FW2sX7/teXkk/kDwzdqHhtvGuYkdaq3q5hqnlA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUZDmWmqxXh6VfnHhuymFTI8e1F+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG22gTo9efFs9JUYmBXrlQQQBHHkRVNcIPXDHINB2yo4\ndQ2PEGZTmVSuWqbe3jSoKt4tpSv2W1ZVuc2laFEbtIajgZwwgZkwHQYDVR0OBBYE\nFLlqQQbG990I9f5kGIB1Hmjhk+HeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWiNt\ngq1QbiTkQjcIYlM4F9E2a+QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDRwAwRAIgYyWCYBR0rCRu5qoEisNKDas1zUtrQP9StLflGsdz\nsfUCIGpZIFJbRZzFRXFVFqaftVfrHgQrkS7lk/tSFwwr005e\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUQK5uHJKs1dWTWS8rZubOvyTLcWcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1198/JIaJsU2nR9vWgXrPrsGK3c8N3Ujv/1kl\nuckD1oeu7mNE0OIV5IGCBw1I4WETu8zrZZyqSuHAnQM0OFmVo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULO089iy2nlvZs16Xxsd0K3Wgs9kwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiB4cYZtyqig/jsAf+dR+17G/MY91J/S6R28i6fH\nbSuJcwIgSKDonf4BMSPlw7b4NE0RUGBpOLHwtcu9vbsspt4kC78=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUOkumbTVxWcn5tmXcUeITMEt4CF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLO/LRIzULGU5SZ/V68yXDZlbR2Ucv/DzAwJXP\nVL0Wh9PMWu/bVMRBgbdnjzqYNKAw4UKKmpLe4wXw0LSf0Cxro2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoi9yIONsmF4o45kI7Eib62NRiwAwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEA76cUvTsai3Jrn6oFFzpF1DfxC2VAmKUBn8pQ\nu9d+pngCIQCRUkPyBfs8vzfJE3YRny0pub8JiZ1GlfNwSSZDY1kqxQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTNqHfLvdjg1Xk1MUgMqMuAEQo54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI3NvampwgP+20q6boTzeXO5BUgpzNM5inpPy+gNWpE2\nda2vkt4wdWLzAXRc0G7TR2CQJqDVzMOUoI4oDNiwuJOjgYgwgYUwHQYDVR0OBBYE\nFFGQ9tnsI3UaBg57BlbEx5iE0NtHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULO08\n9iy2nlvZs16Xxsd0K3Wgs9kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCf\nHSVCyOm+FuRVb9SPmQJkfqEjnma+KnHkykSU1HMywAIgWaYygOk6GZKw1n3vVpm6\nTTgnWiOvZZE/b2pO96hGNVg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUeMm/8qkdyeucfv6N94BhggpfXqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGbldFr5dHhcSTcTpNmlt6SWlZwt/ElnHmTgXMdz+hED\nAy4nNXrUiA2OQy2IstSobmwRsSw4fV1oxoJ0fhJsL1SjgYgwgYUwHQYDVR0OBBYE\nFFRnbvIjaYV5gPBkoZtaHLeP9T3JMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoi9y\nIONsmF4o45kI7Eib62NRiwAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD9\nkQ5toszNZFmAgC075t29nsRJd2ZQZkCVItm2re+rJQIhANqVoqUbnx1QakknbNEe\nI5qZVYnURhwkPXjenh12A2YK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbWDWWB5VFRQ6T2EVctqcad0uqnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShgHB4kaeYUnFX2iL6z05GB5Fb2bVoYqF8EyDM\nNxBzRi1i2vPyBBPLtxDosE11Oq7W+Udpv2Xxf/PfXH6Ntoxco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUB1tTwjRm28XX/jIeFx7Svm3tBYMwCgYIKoZIzj0EAwIDSAAwRQIh\nAN9boC0bL20jkMGS3nvzUS4T0JK1mC7x4ZumItxpEOCMAiAH68unyxLSB4tS/NHG\nSmofARKINsyNTySo7HR/dlN2qQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN9r9mNNCXedhsW3gM9Hr0SaUeJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASln2A5ShbIWzH76xCgr2VFj6+3SJVfwXdpX+1+\nxMmOpSlOoYJmfh91wxVW0VD+wkyW021OKN0PTsie5nSRVG2Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtr120nb1xO3st9WXtNwKsHJAFNowCgYIKoZIzj0EAwIDRwAwRAIg\nKYMcfy1NJhACE1DLhsstbQFNUYkYLaDWBkgnH+t0SEsCIBwad92PsadJGzyQfdyp\nIILF0xYVKZFSMnn/tr9WfmyD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUL+Uj58BwRVXBGxoHAgQwpnWHD34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MjQ0Mzk1Mzc1NzMyMTM3NDYzMzgx\nMDEyMzE2MDYxMTIyMDk3NTAzNjkxNTE2MDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEAwWsftzSFlDAPS/R/WIgaA7bs2Hagm241vgUMEp9pT5HzDroAaS9fuQTp+to0y\nmCnInqhGOoGYxBEEPrTC0t2jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB1tT\nwjRm28XX/jIeFx7Svm3tBYMwHQYDVR0OBBYEFPmDqbCAoAiEw+bURM46G3cEyNDZ\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAPvryFUusljo\nLt0COjM+/7Oc5+fiH0D/j4tEroo6fs8pAiEAzFYuJMao72UQ2Wu+wEq/uFpHmRp9\n5A7t1J21PjWOAOQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUTnZ0Uaj5e9SBYtVP87Ck49njCEowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMTg4NzgxNDYyNjA2NjMwNjAzMDIw\nMzk1MTUwNDQ5MzIwNDgwNjY3ODg0ODkzNjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPM2VleLPCgnTXmWQZlSB28h0QeUCeyS3960OPv1J6p4Z1ydPPWfLwZic5VVZWir\nKG+kwEY1ntyiG2larAOhwIyjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtr12\n0nb1xO3st9WXtNwKsHJAFNowHQYDVR0OBBYEFFfmx2hK0smq1JNThnNRgu4OTNnU\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAMv+PgIFNMsJ\nBi0IUwxgH60tWF9hxgjaxTJ/GuK7Dp6OAiEAnDHDJXjxCF2MYxLN5FlUkO2GFNAJ\nc8G4u4BXGY4EFa8=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUaO/Xeigw1k9BQWceKlnubdvKyDkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjI0NDM5NTM3NTczMjEzNzQ2MzM4MTAxMjMxNjA2MTEyMjA5\nNzUwMzY5MTUxNjA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE67r5\nCwWRkkIYLKojry36QCiPU3S2oVXYbIATWLePEXQdIx6EQNTCwOvcmNe/+Z3P6pqL\nDlyl/ktPDjhaY3+uBaOBiDCBhTAdBgNVHQ4EFgQU6ow3yGJaLSdRM8l6MYtQK2RO\nHmIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT5g6mwgKAIhMPm1ETOOht3BMjQ2TAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVmsnh/zAoERvkZZqL4epEP1rsXOK\nI/x4h+BvS+85anwCIQDKwV88n4eOiRRusMq0hueHY9qsq62OEajYA17N6Phikg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUMZwRZ5C1/75hQUH0Y/Sf4j6O/UswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE4ODc4MTQ2MjYwNjYzMDYwMzAyMDM5NTE1MDQ0OTMyMDQ4\nMDY2Nzg4NDg5MzYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKMFn\nG6kqbLqpK0Fy+idxO46Aena+XcHwkzIebBbDiI4eauAfqUgNdqDO0RJVgEs4i6Aa\nuk/h+5laeR9qbtGwjqOBiDCBhTAdBgNVHQ4EFgQU9y4TxGeZck0xrErnOAVmbQJH\nsqswCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRX5sdoStLJqtSTU4ZzUYLuDkzZ1DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBJQiYqWdd6YBb9eGQMrZ9uASwbcu\nFwYaztn6ZqGj/0sCIQC0dAv+pouDA8Hatm3zV6CvmdfmDeTQKp3Ouee7H21HJQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUYAoDu/o7xLBn9DKrl2hlo1jRLUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfvOW2lCw4A2hAxkrMgZzsiAIZQIz5dnOGEs4p\n4SXGsO9S9AFuWt9GM5a2l6Qb8p0TaJheHZkOfZaAk2lNdolno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRq7i10jfnQPjjsaTaZWvyw0CNl3jAdBgNVHQ4EFgQUau4t\ndI350D447Gk2mVr8sNAjZd4wCgYIKoZIzj0EAwIDRwAwRAIgAfIOZPY77H5+f/Da\nja/5fBAY6KwKJylcxjNlkZbg5YcCIHgudYDEFzwCv63FpzxHnrZKoDUlLii1Urgr\n1cnumvH9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSgEk4JxyIw9/vKKNDndhRFFiGIswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQftooBgSde5Wdy3/9PxSvHxGWsREu5u5RJ0Xg\nFxh2bVdEwprZ6KKvI2et5blthgdrMuc8V8xOzCHwEqTj8ULIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTl1PtvqT6chIsAeWdgYJPee6v5STAdBgNVHQ4EFgQU5dT7\nb6k+nISLAHlnYGCT3nur+UkwCgYIKoZIzj0EAwIDSQAwRgIhAOErF4z8NjZP4j0b\nOHAL6DN+grfJMp++x6nUfC9q3oGZAiEA1jNhnaNHFE2QN0/fizNtkMj6JRFn/ZEZ\nrQPskplLjAk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUbE1YWq6NVVlQ+vOsmTVTnrCJBlwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM2u/g6XwxOap1Alg7U+4s0jpP2BW20R9/7VEA+nl9b0\nVKjdgvHfkbdHZ1ypy6crk0GhCuyxP55ZLsX+C6mk/p2jgYgwgYUwHQYDVR0OBBYE\nFDqkjfTu5/Yp1YiRhUggG1ilH1LEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUau4t\ndI350D447Gk2mVr8sNAjZd4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDE\nD3irsTXKbMkNaY5nDVcM8hBXnybu4o0LoWxiFNh6qgIhAPvaIITKbl5AeA8V9Cyj\nCskH3tDtWh0e3ywrEGPtjvvZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUTYEEECdUEEwqGm7QlgBz6fDx900wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDrSRFa8C10pEbsWBGbAiqphB1YtUwByM/6eQ1bL5+6z\nURQCNz+bl29pQQT6lQqwyrnEYeG25mGlRAJ6K+Yei8ejgYgwgYUwHQYDVR0OBBYE\nFPaoGjPEPAldxeRRwfRIfU14Ls1pMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU5dT7\nb6k+nISLAHlnYGCT3nur+UkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFdd\nlQcVYWa1cy6ar3Hupmeh9gBn4AmUa73g1NBMQuxkAiAFcpfMLS375w5jlTmh9qC4\nuqnPTiDww2FEyxx4UcZfqg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGqWxD56dcGX4qVE1VTzc9cELz+QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4MjEZFwLr8Rxy22IZBmXBKzn22a3D9beGwAQZ\nXPO87TZ9kVBmJadsh3dQlurTqYBj6bo7FjmNOxIJWk0vaY0ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUql5WWcyYuDuoizcZmyV1kMVdpI0wCgYIKoZIzj0EAwIDSQAwRgIh\nAL/4gYIh5Bjlyu2I2lvOdBmVVRsCBAAC6AcXHBtf1kmLAiEA3mgcD6zNZv6+kD/S\ntym0xc5rYPOIwcOKK43YjGwG1oE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUC92dPkDKzEnSjB5YUuAjibCzZaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIdxm15t5g2YeIyTA72/NtVBTuQwPzJmrJeNiF\nrUUL0mFbjzEhfjOPjODnpQsITD4xth3Omgxm+IvuQhHpXB5zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsC3/8kA2v3lHDLzqQnAwaXXZ3sswCgYIKoZIzj0EAwIDSAAwRQIg\neofDK6/1gYdKzZbO5/3zjTlGY83I6dvq0VSPTspR4ewCIQCScJmBTIZEDKf4Pz7K\n24mhHXC0h2masy351RtEqGDRiA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUM/PVwFVuP97kbJmMAz086249wnswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIG+xbPsHufuCbSU1HTLECJuF6LxDLvDKiLOH4QCrZ3N\nFye4CRHKGtV0PFVw5jeHLP1sfFMByce/EJQx6q25e3ujgYgwgYUwHQYDVR0OBBYE\nFDzHJFf4x0PtO+kl9UVTxI0p2Rj7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUql5W\nWcyYuDuoizcZmyV1kMVdpI0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCE\nw8DBxrHoO6vznPo8H/OnNOsu45qHa2vU0v4P+RZYVQIhALXc1+BLfbDauTgTaAbH\nEm1Ir9vbo0aiwXrSoLGoeio7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUaEmvhsyn/tweWzEZJj3zVeRi5BswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDLpHhBej9jwtDf/9brXEJRkQZIFZTguV3LudxqQ8kLx\nCW2DNsbri1GXG5i5357i7hcbFGVtFvqneU57W8Ls5bSjgYgwgYUwHQYDVR0OBBYE\nFHJbOXnv4ddT8srhr4lp9JGvuSYpMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsC3/\n8kA2v3lHDLzqQnAwaXXZ3sswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAG8\nhMCDAn1TPBb3ZO1wZRZEZsy95Myj2C+Fx6wqS8JPAiBVD9EA9+7ljdRvrJJZOffd\nurfQAYUGg9kiLDwOdoDMbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUFRNNOWH1MByUHfJZ1+p+xC3KU8AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMjEzMzA1NjIyNDY0MjczODcwNTQ0\nMDg1NTI1NTc0Mjc4MDg5MDY5MTgxMjc3MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBB5JOqOR+s4Qnns7zF44syS1MXz2L8blBSJCuJKXk5N1o2s2SBpTeYCH+qbjygj\nhitCymlw+tp4YYcKjGWQdLKjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRBJmb8gl/p\nmoV4WZCZviQ3gPbJyDAKBggqhkjOPQQDAgNIADBFAiEAr0A8xEtZ+Syzk4I5GoeN\n4e70YaYzQV72zxCIk52XKbECICJ4eRR1gg881PeB9C159+tHuajHWRlyI19wUMPK\n+PK3\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIUCHdgaOP7hg8jd1oRvGZY/wQ+Mo4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80MTEwMjMyMTIyNjc3ODE4OTUxNzk0\nNjU3NTMwNTAzNDkyMTk1MzI1Njc3MDExNDEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nHZD0/6PhYNCxF4UJeRtVJ/bEumilnqShZGEpy1r3MjA0knKVuhm+mzuld1hl27d4\n2JzqX6ZMScj/Lq5w/N8hkqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFAKUwaM9nwAF\nHxdA9XCJ3wR1IfQ8MAoGCCqGSM49BAMCA0cAMEQCIDJnftzO722Q40mcBPyKD9R0\nZvCZDwddvzLeNt0eZW8aAiBt13jG0g1rn8HTS0WR3VWKPoczTryjH2SeCAX5S+N+\nOw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUCY4F/3J+HrbRl5ihU4vUzi8IxoAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIxMzMwNTYyMjQ2NDI3Mzg3MDU0NDA4NTUyNTU3NDI3ODA4\nOTA2OTE4MTI3NzAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvoZl\nHe6KkM9nkl5Tw2w4FQ/eMUd7NC/Zb5/AMOCh1zXhbnUJLUeDjUrWRM44Rzl4Yqwq\nPrQNgaBKizDQDcJzSKOBiDCBhTAdBgNVHQ4EFgQUvsT4HNVXRSjJX8p0dhp+S4B7\ne9QwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRBJmb8gl/pmoV4WZCZviQ3gPbJyDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgIs6oz+DUT8SmCh7/cdxMzwd3cUbD\n2cQulejsM3DWk5kCIQDPB66/MgdfqCMu9sHIo4ux2GYADsQQUDC03L59Q7BLNQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCDCCAa+gAwIBAgIUHSBuATCx08wuQQlrC7G4uJUtZxwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDExMDIzMjEyMjY3NzgxODk1MTc5NDY1NzUzMDUwMzQ5MjE5\nNTMyNTY3NzAxMTQxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUBJeF\nBjhGo5t5MIreE6dKUhIOrDk/R0ms5Hbeuhf/GmYrDExaxy1LBszLmeQbmJALfDvZ\ng43kvJ93V64Qwi4Vo4GIMIGFMB0GA1UdDgQWBBQcFXHfISkBDhGEu03zi5ZYGB46\nUDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFAKUwaM9nwAFHxdA9XCJ3wR1IfQ8MAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA7DzBRRS7aHft0Qx9qnib9W7pBJqii\nkkTYaIwNm8IyFgIgeQzmgf0erbBZMpyH5C2ZTqelqePgM0EMdXwXLLbqH8k=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYNp/Z0NowestF5z7QVr4inOJWLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv4DJ0/0ycbw8V6nS5aRfOhlefCpDGcNv/Bu2G\nf0tM9zmuUteDz3+7tmX1eEysX0C6KI2F/ewZ7201dFsxu0KOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrl//FLMSdTNTkKXeYagAqHjSVf4wCgYIKoZIzj0EAwIDRwAwRAIg\nINfi7u7SGrwPlUAD98h2R/kA5J8HLHptpnfw2OQYz84CIBk9fGss+UNlW/hw3MT2\nlD7PmV1awTJ2nMcg6gRyqq35\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKKhzPUpzcRYEgwdKm9CA4eYRPmMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLYHAiWpehqzW7R7KEkmBiguI8gI76ks+k0KqP\ng2vXwV/+5fVxI6jxx01nNqcfrt4U1KrDhuU3M4OTXWP7w9yao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUrDP9F49d7XtZeNgg/UhDwlCs7wwCgYIKoZIzj0EAwIDSAAwRQIg\nYP2llMeUn8OW0VMMhmJwWbZX9z/MAiao2SVvPJd0RMYCIQDlqpf2koChI2pDfDY+\ni/AJ6aKrmwpifGqdAUoSJLMkgw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIULaWGJi13w73d3buAj71O2/ifTZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NTI5MzU3NzQ4NTEzNjc2MDQzMDc3\nMjY1MTAwNTcxMjMzNjc2MjIxMjQ1OTEyOTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNWDBx6KQoxu1HlrDZy1UkUWeOrW6y4bCNQJVo/jbf9KiWJ6Lk4APcGuCHLwX5Bd\nvJYa+U0Z7MBcCzJ+zmxDPdejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSP7VzwmzFf\n7JNN3yD6dqbsPOx8SzAKBggqhkjOPQQDAgNJADBGAiEA7hlITJ9GuH8lK3rqgzJo\nNONggPitKpB6ma7E1jcM5e4CIQDuV3oGLLjG8MigEaaxgkinXafndewBhzOfs9Xe\nzBA4cg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUeOseYwj0St+oCtquEEf+ZduOkqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMzIxMTYxOTQ3OTUzNzU1Mzk3NDYy\nMzA4MDAyNzUyNjEwMDc2MDE3Nzc4NTIwMDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBL8pdhzHlY+2ZMYlq2uV0y2hA7RqcuM9piNrwirZ7BudEmHRFw+U1sgHRDyluTlK\nFQTfWuZXU8uzjO8P2g/nHTKjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTze5zFiPn0\nySkLPnDcmSzdznJAuzAKBggqhkjOPQQDAgNJADBGAiEA6TY7zRfZoqu1kps9CEof\nDgQdEj/x0crzQfbIaThxKykCIQCBCRS4pioEbnDIBFDmV06h60qn4RkoNhyr6ZzN\nq/Y6/g==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUadcwWPQP9khqyxfDLUPpFcMI4Z0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTUyOTM1Nzc0ODUxMzY3NjA0MzA3NzI2NTEwMDU3MTIzMzY3\nNjIyMTI0NTkxMjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr9EP\nbMhnCusxaPIMwAwwUdVKflJs3Pp+FwDqIv0UX3rX57GmsLnI50cgn6RbsHwzyBkm\nNkeINM6Y6riHNA+N0qOBiDCBhTAdBgNVHQ4EFgQUQiHWOeZrzlAeP9cpWiM9/DYZ\nk0wwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSP7VzwmzFf7JNN3yD6dqbsPOx8SzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJGBCVkIwQDJ3/ll3H1QrVBxeVsS\nCwXwKIczZTUGLkSVAiEAu1o/AM6QagWKzB0gTqECTEf4LgWNjPbp8kMaCUC3CUk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUH3NGUgnFtYeESG8WivvjNJpk75cwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMyMTE2MTk0Nzk1Mzc1NTM5NzQ2MjMwODAwMjc1MjYxMDA3\nNjAxNzc3ODUyMDAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3siR\n3DjE7nRNci52tBN2gLKOWTPzEiVz4bUeO1Hm60wnUcP85H4zFWJwYDw+evIhCTnn\nZsR/EeS7bbF9W8mLZ6OBiDCBhTAdBgNVHQ4EFgQUqcTyU0+LWqAawR4YHK5ycwOc\nzzMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTze5zFiPn0ySkLPnDcmSzdznJAuzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKJylLgvG3Ii8ugGJaYEuQFYX3mOB\n3zoea5vrIH1bOi0CIQCpF++1I6jeKv8khqt8I4yTqml0JSz7R6OQY7+APlF2rQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCITSUJh9S+ExQysz05vwLM/e73MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxQdv2UxKo820FrAAsT47vd3Ke+Tob2wpM0i5t\nJhUbjOJSXkcQgyFPmfBUJKLhw4wYVA5ytgdJGONa7B7gl7Pyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCtZI1IcFgAY3OxKMwBCPzGeDwhYwCgYIKoZIzj0EAwIDSAAwRQIh\nANz1gZq8K5WFDEDatkayq0c+BV97Z3phSMmKP1Pcpsn0AiAqpJzl7icQjQG1eiwW\nNJlJIvVlei38myyuNQ7yylRaww==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVbFlcVsg5lH7cHRZdtxA+Wp3UV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuOngd1rmMa6Dwavb0xbuAm4Rg6e7h2xJZhR69\nHx3A1mdsU+eble6In6j2erHvbnasUHjNkp/4UZLJuo0tutvYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA6YTfZSAb6ZHC2FKkIcUkkOP7l4wCgYIKoZIzj0EAwIDRwAwRAIg\nKfa84b5QsltnwrCeHCFl8Sq+z6oIGjfD0yO86OM6UgICIB4OLt0KjzHvXFERktGy\na0rxLCxRv0UIoBfVaLhoWeSC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUYYjIUxJQPYhsgqcnQESCpUTQQowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2FrBjBuJ8s/9CqVUhNDmTSlXFFp7ITZYrnlQLuv72t\ny9UG92SB79J0vGJE6CTJviSuH8vfSeWFNf6GLRDecfijZjBkMB0GA1UdDgQWBBR3\nHX/MhjF9kBLYyFFjMTR8+rgx1DAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiArX7mwfrd6tu8+Qnvi/QVw81CrXiOXUak2HHZL+f3xYgIhANJX\n86ahM7DzaN1soezVk16BqFU7V7cOldxbiSpy9Pz3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmzCCAUCgAwIBAgIUD03S2bdzLSbXsWgwPSttmago8YIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHfujAJQtWnKVY9ZpI1xfySPoFh+A3DODNhOkfowKgqT\nALdVMw3bTW3lsQZNdrEMNhU4MieZu+zwATqNK2HSLROjZjBkMB0GA1UdDgQWBBTS\nwBlR4W4nf1uEBJHOllsNj7ljzTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEA+TKpgaPYSyL3ruzsW+sQeCv7c7gLTV/bg/vpnNSo6FgCIQDT\nynshb7bFBDB4R1bLmmeOPEF+0WxrAUX0LRhcmTzKRQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUBBVZSkLaXKumTr4sFZ7hmGp3B/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxwU/9129V8ges+ZetUZ6aUGakEhgEoymGzAXg\nPSB+pGp5ufl+oa5ZoOM/aKh1n7rL2ZDLVlfhno4e7D8LsJvEo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUf+OrB/ydwTnGiqorwXQKShSYetUwCgYIKoZIzj0EAwIDSAAw\nRQIgRhDBKJmbF80nfh6GQNy7EcTA81q7sP6tot/uBkymQmkCIQC3C3aDrRlOilNH\nh0CvhYEwNPEJJ9oH0/fOGwrdluyAEQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUWqMBhHO9d3LYhqZZHtI5VOMRbQQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbu4jowXE4v7uBvrl3//xMkcIPPEbd8aqUhjZR\nWAiy/YLnS3WG8lSTE+C8kg3Y6VpBhVmha9B0rdUkz7GPViolo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUDV1LtoTZWvgF1Jd0bwYZobnGsk0wCgYIKoZIzj0EAwIDRwAw\nRAIgL+U8grriFQh/HkE//LRB5sP4207KqDQe/YtVxs48z1oCIDBOFMV0LThsYSIk\nIY3JygyU+3qySOegkWtKGUthx3Ew\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUTE0jKTtOv9sh3exb4AtEDcqPHLAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMOHcFLVfBTNvzh2nVf08Sj4Rclzoeb++Nu8LIwYmodA\nCYwVVtqHllQ9DfYWjEDQnpsoKAXPvjUko8aC8widTLKjgYgwgYUwHQYDVR0OBBYE\nFD2hyQAshIhcz0dpkwyHRvjx4yC9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU/Npu\nz1oClyZkNYlbZnWrloj8pUgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDd\npvPYiKAIStiYusAtVgZcPcNiBcg7bJQDVEXFkQsDwQIhAIZuZibJSHNgNc7I5sHp\nfJNue/HQ+/bRUv3ui7K/DPsO\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUNACIXmo+vVUIOWJgOhrC2j94cbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHnVjE6L1rglMtMUyyc+74U35etsLEZo0fWRFO/OJEEH\nFMK0aDDq8Rqh7ZwyRHLpDyZLT6TPeLmkXgu3CkZtib2jgYgwgYUwHQYDVR0OBBYE\nFMiTBkAY6xkXOu99W5SsnKA9CLYTMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBtnQ\n5fb6w1inYJZQuQGR9d9jg9YwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCK\nLtbwQfQ6FaKAarlBfWaGdEngTWzI+9wCm8cQX2cqWwIhAJscAPR5Q26iaTeRXyVZ\nGUrAigwCdcW3srUUBp25KTJY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUemk2MsZ6Q9XUgvK96xh5fTeg60UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXQQ1dg7A93sEpXS1zq1ieblHhUXm2/0uPVMXV\nmP2AgoDxlTH1RM7Q2/U3JAANWr4dpMnLxfjsLokqyA24T78WozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBWtMTLW9yX6U8oP4XbU1fA2tHL/ZdoMZm22ZKmUCuG\nrQIhAIGvnKpILI1d36JB6ZiPeKU4dAshIF6WvMPtZC2StBe7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUXpxA/p62UKBkomTaSEvKt0PdNvkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCbrARnZwwsqernn5j1xXHnl4+yvhVFp6w2weq\nwl3ddC9jHgEBsReXtkwnJz2zPR9Kn8uX24iRNPBw9lau0YXaozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAc1ioANtdIPBXdoRxsYNz90wUOQsvVNU51OnHHC1BP\nHQIhAJRYcEZ1we08QOImtF6mdrGxxuw+2puvTkYDC31CAgTg\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUdejHdO1f4Ko+9ek/K6HOPwe90kMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZScR2fbGslhaDmM5WZ8hTlhpOy1Co/7o2tp7ScjIJc\nQOxzKP//6QT9Vzosfki01F0ZJ3vTSB6e/f76YkOFFeajgYgwgYUwHQYDVR0OBBYE\nFA1wPtWHxr38SqgVk31RHPV8/JVOMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUv2bd\neVMkqm9n4lfbuFBg8X+EdW8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDQ2\nkPRoqmvUs8pgdaWuUl722C5uIWQqeQWRfoJGrjT9AiBSI9qvfAHC+SANLP9XyvmY\n2bNAeq4fl5dX5p7gDMsE+Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURPVtD+pqVPJP1MbrrHm3ieBmUbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMtBTIpZdZD8giCW/FcBpCJQw5i8pqzwXfFhReOH0ooE\ntQweqKkh6638dkR6o6y5a88jbVAEj7gsWzM9nk+kzEKjgYgwgYUwHQYDVR0OBBYE\nFA2wZRqGwPP9F+hAhMSGTj3HbBrqMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUEZL\nEgz8v9EVe9Y2w0+CQ/2jVNQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHG6\nnGFUlym1nucNhi2Fe+VrUypUM8cejoC48wFs1wprAiEAkqmhtNTf6EahIlog5Gem\nHnxEjpQnPNUxAAUl4+xT+Sg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA4DMRLkpS5cKS4b5ihdSCiQ+7o8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASi5vF3WIcmCwu2xMxCzmf5Vyb8beSHIYyNJyCL\nSgqhEeE5WPr6PLfmojSMsguQFQDhKdc6CfIkjyY7kVd9I6ERo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpBHGDctKUQjXrix8Gy+Q0iTSowgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMZkJv+Mcj/HXWrn1VS+Sqreo9UvBAFeT9AqZ54W1v9rAiB3GDvzQK7kXjsprOl7\nx70QzH7TPbaeGYUVZoLeZHX+sg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUQ7KvkYpQwIxL9J/4pTfhZtNjKfowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzfT55CWIF0faE+dUPzeEeOZy3Oc8otxh\nlAiVkNdAwyjSNQQWCOP/moAZU+EL3rndfMerm3JCB3V6/vFURYYVoqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDS6j9BmxhuPzjgaBLIGQT+ta+WMMAoGCCqGSM49BAMCA0gA\nMEUCIQD1rejUoVrVQv7TtE0+TRW6v393bEEgYi0/59DOkh+y2AIgKw6esxrlDcwp\nXOR6NPPDJu7hOgQbT+FQX3OCRayt6uY=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHHyoANj5Y/lGWmVmMXgKDXpb/08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHvATbBYBn0J0OONwKsoPqUIkqHQddyHcaf68u\n7AQ43/MXHCScpx641eLufU/dRsGN/hfA//811t/C/SiRanhXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzbFvoVVuJQyPEG4ucb9vy2klD7IwCgYIKoZIzj0EAwIDSAAwRQIh\nAIkc8gviBaQk6fkZjAHSshaS9x7R+82AvxoCcUZGgt/gAiAeM+heNDW883y32i1W\nGtRRFRNjizy0RvcvZqajwJamzA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUcx6OcB3EaO/U2A/PuBZlgPtZ1zYwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw3vkpTDABj8eD5rcal/TItwSZ25LXz5m\nPUX+9saAXOc0KIq+NOrDvyjnWRLgiDl+dfBzHsefZfzWkvm8kbn41KNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHeWHYiZx/51Af5/3c5KzhtGNqyTMAoGCCqGSM49BAMCA0gA\nMEUCIBNw+Rc0vfd6ZjJfFs+KYnQgYPG1oND7L+Lf1jvY1pkKAiEA7zE2xYINmOoA\nWQXfWM2xy6OiRv9/YPY8DXfLONxnj10=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUU87a2NxDxdqEPmALJY48649h6swwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASi5vF3WIcmCwu2xMxCzmf5Vyb8beSHIYyNJyCL\nSgqhEeE5WPr6PLfmojSMsguQFQDhKdc6CfIkjyY7kVd9I6ERo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ0uo/QZsYbj844GgSyBkE/rWvljDAdBgNVHQ4EFgQUpBHG\nDctKUQjXrix8Gy+Q0iTSowgwCgYIKoZIzj0EAwIDRwAwRAIgWDO749KofpFzU+Yw\nwCFXpGWldygjrGb6BHpnht5/QhQCICIFVfeCWNM7C88STFONg00icuyt4yzT4dQu\n9XO4J4UO\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUaNfdlwpExoHzf9Dyshx6wBdiR2wwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHvATbBYBn0J0OONwKsoPqUIkqHQddyHcaf68u\n7AQ43/MXHCScpx641eLufU/dRsGN/hfA//811t/C/SiRanhXo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR3lh2Imcf+dQH+f93OSs4bRjaskzAdBgNVHQ4EFgQUzbFv\noVVuJQyPEG4ucb9vy2klD7IwCgYIKoZIzj0EAwIDSAAwRQIgJBx+C6dAdXph/fc6\nHPfR/pdt+CoJNwlG4lwb8GADfnECIQCTFHTwHHISCn3AUPM81NOC3wbIalfntKr3\nV8A/bQTKWw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUHQ4ILkh3Nzbarv1mUTxu6RkGouwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABABKQHPEmvfP/8QP6yzZhQoyqgqXu3FY8kCTxnJhlDPZ\nuGAWuSpHNunsmCVgUhqs+rC1X8DD2PR7qbuYt0G7bVWjgYgwgYUwHQYDVR0OBBYE\nFCo7I8BJuofvuxsCVeu9FaUL/KfhMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpBHG\nDctKUQjXrix8Gy+Q0iTSowgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBki\nedz928jlFBh6jMIMze85zAW7O0SdDluXwJ1f1ThRAiA4R67nnP9EGf4+Eg4sadEA\nf/pGTgqy15xmW4cP803UPg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUfIjMUVLVXRVgMC/AOiny5Fd34WowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDZfyVhp4U6bUD8Zpboj314l09OJzfczQdsIuyzx2TVG\nU2F2Wehc5f1GRoMPfrkitiIMMl41ODmILGlPiY4W1+SjgYgwgYUwHQYDVR0OBBYE\nFG4dyxH+BXvRQUTOtv0/DJO3hud+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUzbFv\noVVuJQyPEG4ucb9vy2klD7IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDM\nER1JufaG9iMHEQd11Eks1GsNQ9PVy0itgHjh9K/42AIhALoS11To+u2ZPgtYR/w7\nU5BmyHnZe3R1mTAp7NjSSm6K\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUI01JU8Hdf5NfyailWL8BWKpxiK0wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOsFlew/uq/M\nj236giz3o1sH5xbbY39QRWkM0s/LPrPwWRx6KGsmlbpnuyBKDA8vrfdRJoBeMxva\nBCow/YHnLtujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSPTvK0VEqgJ/leVYCDGgjIZVz1\n4DAKBggqhkjOPQQDAgNJADBGAiEAjZfkwYtpVP4lRJw/ZmVo5UA7R+kRFb2YQ03e\nmB9GG/8CIQCpdNcTsjmNE7WSUu/EOUZgsnc7j8W4RMLnWZXlj0YUEw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUPD0GkFFc8yI7DqgLZ/kpbHzmHK8wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOKNDLRkShTl\nt8mu8uiJqsjI74+rKuOkNeoVQQeXXaAVijkMxKWK70Z4V8fWTafmSsQPc9HImkWU\n20ePzeEGRjijVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQTpuAf/XhmgqI+qn+7JOx/3B7U\nvjAKBggqhkjOPQQDAgNIADBFAiBqRpfDr8UOcGEYcuEa1akvWuUWBsGDHUpgrYeo\n1dn/GgIhAJJ8SLTsWsdvwBuhRutZCBdO+SqrzWCbh1HojT5TMfME\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZj1SaJX1LeFWEjeIhclUUYfBCvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARiYQRFjktifpxjb4ClFEKzQElw/nTluQVJQopj\nRJlhnLTkZfM7ZPTXLhEf2L28eez27rw1uIUKy2TEPSm7Uf5lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5Z6lzPIG/4rc3TyMCaETcEyEzP0wCgYIKoZIzj0EAwIDSQAwRgIh\nAKzHTOHF2gBd/s/5oNcb8MM3HyXaN7KhFDXnAQ/aCkE2AiEAyaAfAxWXGs37BDAV\niKg73vj29Wyci8Ydo/YNz4XfNlc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVaCENK2UjMfJvm0VAn7yB3vwYJwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODM2ODQ1ODI4NzcyODI1NzgyNjQ5\nMzk1MzkzMjQ5ODkwMjYzMTEzMTI4MzczNjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBN62fko004ax2TIlrRxLXvy43kkP5CfrudiG6A3sLh9Dl67oLY5wXRdgt2eHXbhE\nV6UMmiYQG6bB92Vvt2F5KICjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOWepczy\nBv+K3N08jAmhE3BMhMz9MB0GA1UdDgQWBBQjFk9l+jBOo/X/PyFpDDe1ouBacDAK\nBggqhkjOPQQDAgNJADBGAiEAqTJwX0mkpiPzXUje8kTZkwcIzdsfZ2mFcRNFKxQ8\nJj8CIQCj6ZmJ34h+xo/+TE20FEdyM+V1B0ZYzAs00970ZApwgw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTieiNblTl/nrWoAy8z8gN7afDOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBl4RsjbUffYoH17dFu1J6vE3Dl/Pf55CcAuxJ\nIIDrMRPzdSHu3fxLCRfEDKiM7xTj1cXxpngdNDmisITtfsUko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUszwx6CvLcBT8fDipIrG96iw9MOMwCgYIKoZIzj0EAwIDSAAwRQIg\nbeKTzDAJ67cO4jhlXVcdzvg3qOFwi5qmUBqTxAc9mI0CIQCExyLVsGYrFKOQyM/w\nrsw+OcVi4CfJ/yJFP9HDGNjPBg==\n-----END 
CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUD50e8womdjcoRXf+slrsu6SHy0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NDYxODUxMzk2NTg2Mjk3OTE0NjYz\nNjkyNjI3ODA0MzE5Njk0NzQyMjgxOTQ1MzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHBMAMFRr17u6eYGnVi7uvpLBkNLeeRCF6LJKWmL2EkKOE9MPtFg88wQedKECwnE\nbpzbnCcXqJD114a25gSWcmCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLM8Megr\ny3AU/Hw4qSKxveosPTDjMB0GA1UdDgQWBBSgbu9zKzEQu8dDf/DQmUkOaT42nTAK\nBggqhkjOPQQDAgNHADBEAiA7G83bw/k1o94CTBcc1ft43/CxPjQwilHQugxdHPFw\nBAIgJIM8sDTyHYvqId8bR25kzlkFhs8AlHUMiO2v1aR71TI=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUFCDJ9VzUMOmygu3d51i9gbcbtagwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgzNjg0NTgyODc3MjgyNTc4MjY0OTM5NTM5MzI0OTg5MDI2\nMzExMzEyODM3MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbd51\nLmYm3lFxsi3fm33CX+Y4cFSJ8DrS52mP9IW00tPGdT32AvEUZPvM3dktCkpYs8sH\nRNL8fmqj9XWy3eyDR6OBiDCBhTAdBgNVHQ4EFgQUPN07mK7zWom+5i5FjvwFwGga\nwS8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQjFk9l+jBOo/X/PyFpDDe1ouBacDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK1LWo9gZ7S3MPB//DRt+YkAAPG2\nfv8wBTh/HE5FFz3cAiB6nPhUaGWNzTzFxzft3hzPnheyEnhodPqy91/3DxpnzA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUEwWMEjGLWOqIyN/+7ey59+5bcXYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ2MTg1MTM5NjU4NjI5NzkxNDY2MzY5MjYyNzgwNDMxOTY5\nNDc0MjI4MTk0NTM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErhBg\nhFr0v7HsiRXgfQLP4+622xO2UKvelqtSp5k2eze9Di+zzGKtA0WteK7N/qnLoXvf\nF0/nVC/f2m7atBoiRKOBiDCBhTAdBgNVHQ4EFgQUHgT9tgmljV96fCLbEH/G9pRk\n9S4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSgbu9zKzEQu8dDf/DQmUkOaT42nTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ20m1DAci+TWuEikOusv65/vAAw\nCj9GC3wnQu7N/p6OAiEA4dK1TIyGDu51HVxk06cwL6FRYHamf8ylRrYT3klJW8o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTDSjmiUBAsP3YrGlf2FgEfy2BfowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQC7qrlG8Za7KXgQbk2Oo8jMpJQGfBFsyLjkLpr\nWRO/mLeWRoseMU/A43nIdQSEOvR5DjJQoiTxn+THYx93fsJzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1V68rGfe8JSQR8pOuJcip6MVNQYwCgYIKoZIzj0EAwIDSQAwRgIh\nAM82lld5VhUB/2kUcmWcPQAUDta+FfW9ERRe2afY+1cvAiEAoScbSUc/azGUfCe+\ntoaoG5x9Ak+yGVIK0OB/EzrInb4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMHlM2wK0bb8tYJK+RNmFZ9zMWHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR4lGsC/QcSkTMbbGMl4jJ9IUllpWMdhN+PCYuK\nBc3fKQOOWihcOAs1a5xzb0+ieWj5rMj6M/UDEMNs/qwVduIjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOt03Lfz5VvkjRea6kfz1bcf/4yowCgYIKoZIzj0EAwIDSAAwRQIg\nTLW6xc0bfe3HGDtdimEqllz/cgHWaPvBzdOrQtmzLs0CIQD7MpjudrjFBAGL2U8J\nH77i1HVX6SzKa4BSJOxZ7qTb2A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUc0SNKGRF1T8wX2LDWytsWApLxN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA0MzUwNTcxODkwODgyMTM0NjMyMjE1\nNzg5OTU4OTYwNDIxOTI4MDY1MjIyNTg5MzgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFUpWaty0rNMaaNboEKEPwDvQoVl66U0HigaV3erIIjbAoRVzSPpbG9jhHZD\nfTDwwe1ebVgGEuPFynZidEQGSkijdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNVevKxn3vCU\nkEfKTriXIqejFTUGMB0GA1UdDgQWBBTUt01qkj20owUKmxpuurmvEIRATDAKBggq\nhkjOPQQDAgNIADBFAiEA3pnwmGPFTzcuEI4zkBUmvAUoLqL1B/6owl6rg1hvirAC\nIGcJQ8RV88OU3tMjNsNFqRRddOkLsSf+YKa6n8T+mdO0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUHFqJgBnIlnphWlZjrcQaeuNmrT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAyNzY3MzY2NDIyMjc3MzA5NjczODI5\nNjA4ODQyMTIxOTUwODA2NTY0MzcxMzk1NzUxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGHugDesOUjvX8N/WlIfi/m0c4FoFD+hVQGWQopLultkPis29tnIYJJnaapp\n9zoFEBOr+nLkD5jCYmiYY04xfIujdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDrdNy38+Vb5\nI0XmupH89W3H/+MqMB0GA1UdDgQWBBRctaspHDhWWAIU27ol3/eX36DhSzAKBggq\nhkjOPQQDAgNHADBEAiAq+ci1J9mT4wiltT093npO4fkxeI6zek4REB7YB5ayKQIg\nbQfSUdlI3oGdE6XaXbMVREMhV6gCquhYPhSItqvBhtY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUIk66ieO1MNi8DPcYSMmi9amxu6AwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDM1MDU3MTg5MDg4MjEzNDYzMjIxNTc4OTk1ODk2MDQyMTky\nODA2NTIyMjU4OTM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nJ3G2rHvc/MSxFD88kIHZzxHA1IPvy81yXx/PnXiqVy9Zkbwds/QT+eNhHZg0S1Y/\nd01oogdRLQejUVESTccBh6OBiDCBhTAdBgNVHQ4EFgQUUsTC7qBQgfHu6K0ZpqR0\nA8rpiRwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTUt01qkj20owUKmxpuurmvEIRA\nTDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKwwb4lKFpxL5VQo7Y635J828\nrO6Yhr+nX9aPgl7KrWUCIQDdp+qA/gbDxrtIBaCOjTrGWXK8+Ye0KeNi8+G4NDfN\n5A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDDCCAbOgAwIBAgIUa78tFG7xbyZmeMsqF1zNO5x9fLwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjc2NzM2NjQyMjI3NzMwOTY3MzgyOTYwODg0MjEyMTk1MDgw\nNjU2NDM3MTM5NTc1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWeNeYTmruy/D1Vs+yQj2Xhh/xMZ2utOzeC34NEgbzmCzzvf2sgZHU5FopYl9Gh0m\n1sgfjWjss1wexkZ1IkV5raOBiDCBhTAdBgNVHQ4EFgQUXMGsGc39a+AHzVELI5Ax\nXG0xD04wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRctaspHDhWWAIU27ol3/eX36Dh\nSzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbia2z5/brerSmoLrf07QXFS/\ndfbezEhiWC0TuET6ou4CIEvmxBA0jQXX/3Q3h/wd2oDihWURgKq4+uLkcqiNv3Oe\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCl+AHE4ygMjDRBHurZcP/ZaBbL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNRBS0j33DZqcMZrWjzo3XS0AOQekRSkn1ioLq\n4rTzuGbW7EScrOSbZaHgcIOXtdH2vlaC8USGe6xv8j0ifWeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjyqzVLT5LuKtTinxQZrOKAiy0pkwCgYIKoZIzj0EAwIDSQAwRgIh\nALnLBA9n09Me9/qzhH/pbl0kPTtjfzzP5r8wFKIJ1PALAiEA7wY6RAHIqA+eUPVT\nJw53bzN0a+Cb6J6/tYNwceoWOzI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFK0qra/Yf3LY+7X9jkkNY4sDqwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3wiOEENb97eWHUefkn9IGJkBHFOQ1EMSv8YFC\nUb3AWfjnW1YthwOnfhOlYgQm2OVBvnPu+5cfE/0q5UDExvZyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEWHndgq73Nqc8ll+3vvMNgrgR+AwCgYIKoZIzj0EAwIDRwAwRAIg\nBvwl3oM4cKCc6OnyGW+heVqoN3ZhWvfPW+wQsFYzBFwCIBMCrGRbKcFiW1P6KwE5\nomTA0q3OKLQC1NbE/+KUHqRo\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDDCCAbKgAwIBAgIUSnxBWZQcx/zyk8UFsX5y6N8YSaUwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNTkyMTk2Mzg1MDY1NDYzNTQxMDcyNjg4OTUxMzYwNzE4NTcx\nMjc4NDg3NjY2NTUxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8\nnZ5N8eYBoIEzFY548SPmK01r00VMtlhzjI7LOR28WJjSZGQM2ekXiD0VmTHjc0G5\n4coIqcH9p4OanB4VGKSbo4GIMIGFMB0GA1UdDgQWBBTe/qJugpbvNOKnUPuVwKHi\npTgb1DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFLaKkIo8O1tkyoPk2Q5bQOUETdyB\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAHQZKEKWhzuZ+R7laf8gmRTAG0\nMTx9r6YAUYZVRizobwIhAKx7yc0ljeKZDUnIC54YCIT1/hUcxU9oBAkRZtRGgTWb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUfxb68c8PeOACKG5Ig/rdoAfDg5MwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTE4MDQxNTYyMTU0NDIwMjE5ODg5ODQ4OTQ3MDI2NjY3MzE2\nODA5NTM1MDQwMjYxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nj723s8qWbSwxxU10g1YwmEk1UwdG7sZcvFoK2hirXjBEbsZ/xuV3ORKeebN9dVKY\naFWZBi18VaCQvufADXACrKOBiDCBhTAdBgNVHQ4EFgQUmqNjo/Kbn0BFwxDPA5LN\ntxWNPLYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRsxYRatySLuXlLCa2k+ZkeUn8P\nLDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfJK2kStJVFORy5VZmkxHaGTL\nm3A9WCTgA0/p2Cv/xuYCIQDRn9yki2A7cf3zlAxAUND+pTppwp9AJx5hfdFOK4RT\nsw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
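Review bot: In this test case `untrusted_intermediates` stays `[]` although the description gives the chain as root -> ICA -> EE, and the peer certificate's issuer name decodes to an `x509-limbo-intermediate-pathlen-None` CA rather than the single trusted `x509-limbo-root`. A validator will presumably reject the input because no path can be built at all, so the case does not exercise the missing-BasicConstraints check it describes and would keep passing if that check regressed. The generated ICA certificate should be supplied, e.g. `"untrusted_intermediates": ["<ICA certificate PEM (placeholder)>"],`, and because this file is generated the change belongs in the generator rather than in the JSON. The expected-result field lies outside the hunk, so this is inferred from the visible fields only.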
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUbjZHXx6MGrYFPWqpkjgbjkWWoHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATF9oSWiOShmrI7Ycy2CQWkF7FHVmjoLyeMn3TM\nwUKfOy3GBTYTZls+23umtyIiMI4lQmNv0Q/mDmYInmqIBkj2o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFD3UkfF+O4op\n5/2D5VRVMEyS2HwdMAoGCCqGSM49BAMCA0gAMEUCIGDCoCf+CDRzIJGIzuByfQKp\nCAeGpJ+aRGpg+81QhVLnAiEAw5ukEUUiFrdw/NH7uTCRBeUWYm3vmAHNA9d9PDCM\n0zg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUDsNpwPz1mlz3Pby5Nnk2b3UpnUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkFHAHjWdXU5lcm0Sohc09chofylu0IEtPvyWA\nu6bOcxcFCiUro27tC2vrgVwR3hY5S3tIHxESpI0LrIbFMbv0o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHrk134PARQf\naemzxI1vFzXojDEPMAoGCCqGSM49BAMCA0gAMEUCIQDtBUEwYcNjb+kYdKsRiDF4\ngrfiy6icUwE9C8lEEUbQAwIgY9nowMJwBaHtPBNS7g8gKhLESbtwwFIZhD0PAFLi\nJng=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMvRGHDx8ikTtrNWrXJjsZzFBREAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEUaymwGqTIzmW2LuL+xdodyS7FuMpeEl3/rZF5X61W4\nGO4MSpJM7EIMUY8WblqXTDa9H+lKnIXBdm0DtvXXiTijgYgwgYUwHQYDVR0OBBYE\nFOcEEC8r1ZIR4Jh6yRtgLA9T9WNcMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPdSR\n8X47iinn/YPlVFUwTJLYfB0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDq\nfoBwStPB8mADQceh7FM5vkZ3SE4UujdkaAnqGO8rbQIhAPPlJ9lpfBApB2jpKkZU\nTdls0glg6hSPkUg/bH3PnS4l\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUP+1Kmf52ZGyJF1Hx1btqdDT5o3kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFG28qdvYpZYGHvP1qWmPN/dVcP3voonnhstVOstjIXm\nBjvfXq58I+l42l1OQp+K/zgQu2oDtyU839XxY6WYXOyjgYgwgYUwHQYDVR0OBBYE\nFLkStUEDZZFdlzGuJcHbIOcqJYkHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUeuTX\nfg8BFB9p6bPEjW8XNeiMMQ8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDy\nde/7VHpCT/24i+SGqOGWRWK4EWhcgFmnEo25FMNl4gIhAOlnT8psrQHg4TPF+94K\nd/ucqAYG5ytQAG7JH4i0Eu0N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUFva5MCdnHTaK4+bNU9UXRCYesUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYHvfnJ8GTwNGHq4PRgdcFDZ3X7qYOOyMnTerS\ndFbIhFeDmCfKVF1eZr7bB14Ru7cmn6zlLyEEiZr0w74bqTx4o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUwe/r6/Ub5jkkQzczoD9ZpXoIoOwwCgYIKoZIzj0EAwIDSAAwRQIhAIWD\nxNz8kGMxVMQnkQ93Fw2miyNTIgkwIJQizXhDKiuZAiBGwqFIjtrzcZ2sHCwvJrji\nDY0KyuptMUeyujXocRB23w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUEUmLS9g61xLKFaa45jn99CZA4KkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnZuEGgY7xir3nhMVOCzdqofLEVq85ZTiuNzgH\nA2KlbPGu2W73kXK9BlOG2YZcJrW59zxGd7ziSJL7toN1ZrXGo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUCoQUIFeRimSHQLheino8BxFmxKEwCgYIKoZIzj0EAwIDRwAwRAIgJr4q\nclx5esd6qftDDbnWIuR7t+8svnuYUIOiHHepRy4CIARPughKabszGWfk0kHBFLBg\nayVLxl0lvVFplrT+fOFv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUbYQu6MU20C0QJnn+zTw1rHvN5DQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKCPPGvFQUAqfqYnJZL8mF+yByECAF8LB3u65XZ61F2\nXU6n6Ev1y6PpXpcTVlXVLnlEdKNSZqu0aGz44xRkrKujgYgwgYUwHQYDVR0OBBYE\nFICCvWqeEMgsSH2dVZUnap0EIFa+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUwe/r\n6/Ub5jkkQzczoD9ZpXoIoOwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDS\nFj6KoQsDel6nQg0X7FJ+nQWrym+eyu69x6a2WZjbnwIgIdji968oJoVtEB1e66cW\nxYOtgqqAPK5QzXIo+cGjfPM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUf3ef1F3UwK5NKYiIw6euVDMi1B4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAR9Z0XZkt8wwsz3p8jzEePgPY66kRBiBH7uh0i/fjtU\n8qQsHj+3ksnrEgfywJhs3jFHo5EOCn7Vp19sR1vzpxajgYgwgYUwHQYDVR0OBBYE\nFFcwhETxrDxCleoPT6jzAR7o9Yv7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUCoQU\nIFeRimSHQLheino8BxFmxKEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEIC\nnRf9oGMdl8Mq1pA5IA5HS/2DTRacOeqNYVhbrBzgAiBgvnLqwHqRlgifV06r0OrM\ntAbJXG36JvBJy73pXypt6w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUfDO5IkNbmb5iUGOMMlDdubbJd94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8JK4gGHZNgGjRNVnqdy3LJQA7OgABY8tvItvS\nhEEsjmQ2rJytMbgOfOFRxplIgtImUxXUQhSEQG+aAXieZC1Uo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRwRHxbdjCoZbgLwLn3M2ooghadkjAKBggqhkjOPQQDAgNIADBFAiB3\nU/01hy4JjpLGH9fZPHcZ+mecNu4rDUCJ/SZyCPCBwwIhAIVR93+R/vvPXNfkdCz+\nubqwLQyEmz0xyrueJQNTzckC\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUD81TxGb66jcaNa2gG6uQFyl3JqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEj+7W3gpE/ZPwZm9k/qOZj1gOhnMRV69YgREF\n0T26CPDuaIzYh8IrVdXXfQkth3jVSytjYHkZQDHwrccjMypao1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBT3Ey/ASkRY9/1T1JbYo9AxLhUz1DAKBggqhkjOPQQDAgNIADBFAiBw\nDVh1L+JkcCkdQz3sJr8JV+2UGSi+tILfJEavbOt1VQIhAJoD/1Q5mKnFdghmR7Hx\npxqEhKkOjbMqAdtEI8Q9+MYQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUOZKbkn0qBJrqwDbcVh3Nt+k4atcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOXASFJpm/tzTlkOGH/iQfnAfeiIpEvVuXLLrPgA5Ckt\nwjmvbPukbNb4gKrH56/pIMlVg0BHqSk6z085zToQiuajgYgwgYUwHQYDVR0OBBYE\nFOMkK0dx8ppuPCPMHNP58iRU2VPlMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcER8\nW3YwqGW4C8C59zNqKIIWnZIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAru\nwSr8dvYnYSO/d9/5E3SB4qma/cBbxOk0KddoNbJZAiEA2Ty3BWmd5V55nc+47yKQ\n9BWHdk3hEbuob5ieE05tir0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUUgvVYp3VY22WXT2wD02Oy11DnnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFQZ/QyHhENgnkxxut8pT3swkoZ91udTnIhoPtbaAl3e\nYSoSiSGqDDGugi6G726pEfxiSgO0HqLlKSKqd6dDqc6jgYgwgYUwHQYDVR0OBBYE\nFCWR6MqTlJ4KpOb3fCKJJxJd6fZQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU9xMv\nwEpEWPf9U9SW2KPQMS4VM9QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCU\nfBgy8IMFVCj1qUfKOBd9MciBA1XNFa1fWiW3ZDPY/wIgJOtw6XQeUzUNHKBOsDH+\nJKYaaEZt60B5R6g27GiPXgE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTwAjoC676LWOdcvMLPjeKDouf0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGErgz9Vh4P1zYjwx0xWZ0STDJw5+3YUIy1CkP\n6XAXT9y52qd3z0FIx0bVK1x9OLvqIA93f1iv8hDwhvthDCcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqB0ahly0Ngz+0ZSwGX1kcFM6u6owCgYIKoZIzj0EAwIDRwAwRAIg\ncqsv/0hS3jGx8hRDyh+X//O5lM22TTFVgqPEXwC/isoCIEM28dPCaEZn6UnnlNhm\nCR84+ET5N6497Ena0XyIPYo0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQRuUaxYTQUXTtKSUwfbrwrK8zFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARF0SLiUZHnAvslO3aSb1tTkWoIcxxxaa0RTaGN\nneU+KRhZBp7ETS4R3zqRXM3J01J0ZT3S2Exsjjxv3LcbslA3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUys+Bjh5aMwne4vOZGqutDStGLMcwCgYIKoZIzj0EAwIDRwAwRAIg\nP/J0oOnuNZE0wyGBYU2sdjP1mUEcRY9798y/gMsLyLkCIFGTrQUN1MNL76sQd/nX\nPEccX8JgkA/u+TkLisrm08Le\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUWalxXz8wn1BNeiABvqyR2lGOdw0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUxMDEzMzc0MzMyMzg5ODA4NTk1MjcyMDM1NjM0MjUyMzM3\nNzQ2NTg1NDg1MTMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0kja\nwubADNW4rbctwFWJjIH+npKxacosbtMUrMdzb2yamgogs/Yn5kaKpaxgLb9zHn6h\nxKbfA/rX1CT9WLP7saOBiDCBhTAdBgNVHQ4EFgQUj7HydPEV1/zJY9d6HcX0WrgR\nDuQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQbSb1vjEx9AgaPGdyssVK8pPl+RjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ4wLpaRK7K3btWNb7TjL/5nAXZR\n/N3jR13Mz+66R2ZiAiEA02tDdy4wbWtUtGvh0yJ87OPnCl3LfDawAeKNjjKbsaI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUMvqEoWJO/jgrKr+9sLNiMhy0ezEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcxNjk5NDQ5MjgxNzg0MDUwMzkzMzYyNTkwMDcyMTE0Njcw\nNTMzOTA5MjA0MDU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp638\nGeR8mG05TNhHR+jWo3YI8/grsWmGQ4PurXy1SxWQYB+7TD+vuqyRVXCROQ/A9VaM\n9uejUvszWaOdo9ySIKOBiDCBhTAdBgNVHQ4EFgQUCuUn4EMeCgnKRIsTITqT1RZX\nEOowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQqdvK946AP0oxsysWCOCLOGfgQMDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgT0hnQVWkIHS8ExIffoZ01EGDxZIH\nZZh16mEWS1RqftMCIEW55IHWW4WMHYI6+nf1xWr6C5gsPYaoKvh8QuT0rV2N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUBQKo5danyDcUxlsRT8FhnS7CKMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxmg2aoYDEj+/Dlz9Hua0aCHQbtFTIWpZKWvFK\nkET91TlaZBXISU8pOvOzQNrEJMy2VKwu8u6ALDCy+eQIi1wEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUMU8iu29I3RbhAbORiPFGspQj/IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKyPOQYLwB8+Ymu/7+nxNwjoAhTNdrOU+90ev9nsb0hlAiEAtH4LB2kSpvWDfY8x\nhBOwylu4JsSsXYYcB0UQOlF2uf0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS8uWpTaQjSYTFY/eMasiiS12ig0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyamZoWWbjY2urpKfEyfI1DoF9DpkqO+oW+oVy\nNma+789oBitSiEcIaW7HKjjfTT+Gwv/mNzdOZLVzWri15XMjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy6zdwCCgSaTG/qJ/kWK0IwjnUnEwCgYIKoZIzj0EAwIDSAAwRQIg\nWec2znip4zITf/+KXxF3NHP4BjEVcHzUsFGA3PimYcsCIQC+2Cns5asjGdUwktBM\nNAI1YAxRpDvODcadcEpHfR9rYw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUGsZQL/LVrWq9I+5aAbrWmntz+xowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMGj3JG0/GMlNLvsi5UcA0z8KcHYjZcxUyGkz9M7edlf\ni7zOnaM4vzt8cCS5+eWlnLInWdO60RnE824PMPLBgi+jgYswgYgwHQYDVR0OBBYE\nFLAuen/bcBzfAL5Ew2ZNvbqLoIwnMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nUMU8iu29I3RbhAbORiPFGspQj/IwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIFDoS9X/1n6lcz62c+VEPIigBPFY8Xam63l6g/yyzSjzAiEAr7+DWrfjmNvInGM8\nZL5hecz7euKMNR4DfYbwypD1kCk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUZMQ+rdh7N68GBqTAzBrOyikCaIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDSSsyiePzNP9wcVU+84NntmZ9E5x0hD4mMaOUeu1hjm\n3WT7sMq1RBpSVEDcBarP5Dxs1Ywy/JMlkHtC+O/dnxyjgYswgYgwHQYDVR0OBBYE\nFNLGumfArNzpTbxor+UVVY+3IaltMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\ny6zdwCCgSaTG/qJ/kWK0IwjnUnEwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDH4ktenctG9WQnVomkvBtKRGwNS6W/BU713lFnckQGRAIgVfmJMGHcmrel8vLT\nSv75K7tyuAmmXniZo36kXuExoiY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUWdsCIToVmoZYl6kQJmxsea4zsRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3MARs4YfnFCKJfkAgj/uwyVNHNpBInW5aOv85\nH6UTmmKOTPUdaPLwx2DpKi+wgXrxtJQ5qFyoCKIozwnlHqbXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE7Y+YF2TjxjTY1wTqfoHy+N4eoAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDu+kEVedvKju/Aybc0Uav5\nBc92Wf+aDCqVLp3q3Hz35AIgZt85u1FsQvCQqZHHfa/btXu7NcE6wpl/7JA4JMHP\n91c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUb13J9WiWkLdp82NhsIk7JUafl7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbuhvtoBbVpglFuYlrrm+coNfqV75NDsGxD9RL\n4/tI6icTsSsEjCAWyCmIyrhgS0AVu+K/0fNnwiW0qUzHSOl6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxg+W33umOt65zi/mE5Ou5xZp9jEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIE1i55oeCLGCNyRoQ3m7zzDZ\nZRbQ1PKsFOaNbUx79TfbAiA7LplJRKvBSWEejlugNXkLKBBaw9muCEQ/7QIlGUTL\nRg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIURji75Ve9gw4ds/f6uLy9JS+OOnUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKimy4fIxCmAKoAldq2Q1BLcWVa9UzZSVdGUBvu8/qbc\nGzbO87tP14pmxYJWYFcFlNfpDEW1NgxNssb7cYQOzhCjgYwwgYkwHQYDVR0OBBYE\nFND4BRh04n8hq/ANn/NPVBqe9CAJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE7Y+\nYF2TjxjTY1wTqfoHy+N4eoAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA7V6HotAmnbBDg/y1C5Iw9ASpt4xJPz9R21AiuMxSM70CIQCoOqKoTGvgcvXH\namVzOUz9r3ELv9eSVwPWns0FXOeRRQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUUbydIA61H1f+LB+eA5wqN/jZdDIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBh8CnI/cB3nibd8hHPqSzCLDBuvF0ogp0vIx0vO61/H\nI0PxGaxjQFL/3pIgIS/KqQe8bIEw7Tqz85P1LvTYeY2jgYwwgYkwHQYDVR0OBBYE\nFO2eaVnyDaYcwxRn4M7IEPup+ZiiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxg+W\n33umOt65zi/mE5Ou5xZp9jEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB7Ba5s6i6Dd7NLe4S/OrDYc4dXzv+puF7A4jeup+q1HwIgIrjbwxwb4nZR2zI2\nT2FzAUwXBMqSvq9VIjJknlP3V3E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUPdPzjM0QVWY8vQHjhkKnorgcj04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqM5YcVqq8rR3FaXAnRJoRWYKDiuJevQ3O6KTq\nW8s+cenr2BHFjxawL/BWKCZL/kjBQFDNOGEFnXuFamaoT3+Uo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEsZnsbWYpUzu8TY4muvf6FINL3wwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIERDxVvyNXla7W/l1ABcv8D6\n/sywT5RXl396jM1nvzH6AiB4oONDn693sWC5pPSULVElCN+y9o9Dhew0n5g69wXQ\neA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUCGSFqQKDIKi5vkBrKVv+gONsLxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiyD/FlEHS9BaFmuBoCHwOFzC5fJwpw9H4GKG7\nBHFxvy8NNxkWCr3i/+SbcpTNyExpiez6AhuisHkp8OGijvuUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvDuzBr5QXL9WG5O1LFFB69LiVjkwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFP3TMnoDFmHkkQJxEa+EekF\neOllRlSSteN2yQY5kLHHAiBNHBgcPJI/zrzWDALbXpcZGCUKAvSqtPcD3B9qNECL\n1Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMlXVbo47rpbEMM2CAgQ5osok3gAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCwURj1q4YW/lGQoGxenKp8Aq9K8UmO8WNUP6APANRDo\nUe0zX5pKELY3lk+9RGQpWRQGpPYWl6oTgbLlL7yBQkGjgYgwgYUwHQYDVR0OBBYE\nFIgiBJiRvs+6sAlVWUrorlrAzIMZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUEsZn\nsbWYpUzu8TY4muvf6FINL3wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQD5\nzwqiCv676vtdClVaUnX4tfgCtsj0vsqP5UHW63h9fAIgEa97t2L2hHGrPVZHONU9\ni3c0IROkyAHqZb7aREpMthU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUBYvT3H7op2wIQZm3yyx1a+2ID0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI9e8szfTEEx0bwCGmUtIiVaZ30MN3AdCNjLZ/TvMTti\nY6FG6RJoMqTjRp/f/TX7H+aoipNE4Y2axatL6HrD3sGjgYgwgYUwHQYDVR0OBBYE\nFJ/phM9dqR3xhYv192iFmc0lOb2rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvDuz\nBr5QXL9WG5O1LFFB69LiVjkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCx\nTLX7JqKGYueYXxCaMPxWjti/uIKE2Fzm8TLwEHZaUgIgTansjqCEr+SRm4sT/FAe\nobJr5urB8ljrr9lpghUdnlc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUeaGG9Jiuhk/Os4Mg1prGtVY0rpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARiGgdnbpcX7wWWoV8yzEM0WproUsDnMdIq0NDN\nQeoYY2XdI8dZIytZ7v2z4Al+b0gNSBRXKSvHXj6jlEwtj2t6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbE4XB/Xc6/WlFI6iYxsUnbChS2wwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEDQ5m7mq2O5TL97pi00YAJR\nK5LmYHXV1bsjCHXkcqbvAiBqldL8h6jThZdL/ciFnvC6CD/PU/iHcYu2sPkdz2Kq\nTw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUbNErlQQeuHRMHzNP0gXJMTinAcAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMnNIazLUyUGJh/8l2YLWdixS2OOZnKl1DYdlA\nzhp/CT0Ja4bccw3AiNNxA4DiXbvh8zmNZMSWjLP7YdHUT/ifo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5JXoq9bAtVqQK6g6bcWvYoKn3DYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGhuSr9SUTv2EjgiX0D28uZu\nWPXwbpnzI7Fc+rlh3GVXAiBVi86GaoRNIlCGLswxdVVeFNlz1e13QLKnfsT4rWQV\n3w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUbj8Iam8HQfDuAv8cdfpA3qFMhhYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPrLfmg3JHk0SYrS3oimLNZiVdNmAZ8G8VMO2evnD8Rq\nbQMIuHx6GASjDORLNZYVzRPcu8WuXItq/IEy+4ppqV2jgYgwgYUwHQYDVR0OBBYE\nFFI57vdGQhRbXDCJUa8ouXnkvxfoMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbE4X\nB/Xc6/WlFI6iYxsUnbChS2wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDwk\nDcHcpV6F8Xh4fN8kzzdLkLtrTpUrRixCVA1koYtdAiEAsPAIc9u7gvJHuSSEWafo\nBC69EwxgqzL9AAxLoG8/oZ4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUdam9dAr11MnUFffJ5HVFSLgMPoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmSIy990NT0KTsx6ohHd85PGDhu6Zx/UI2c3NvNLSuC\ndRm/wYEcw5dG6ONP28xNY/BpgRhtrdrblF45SA67aQujgYgwgYUwHQYDVR0OBBYE\nFIgK3LagEmbByqeV5LA8z+6QLJ8AMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU5JXo\nq9bAtVqQK6g6bcWvYoKn3DYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICyn\n+uFcwAAokvBF8ZRq20PF96M+9ujChNRZfhNZKPSUAiA9I9oNxw3WYMmQ5B0NjXGE\nCJU1+d7LsT3U0nJq+B4Fhg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUb2xZYZUlkvkubYlqJtnhOEpTMogwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThsnrayu4mtx5JNKJh+3wZMqlIkeEbPPKp2zHr\nD6bqPAr0Yfz8LPFUax7i8FPhJ7q6fUaGjenFg6/Ry857hJ3Lo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNWFtBDDJFHIu6miaLnuFLqwJLEIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICj8ue3AastAqtWIlJ+Z3HkB\nuMdZmoYDId5AJf2Q0zlSAiEAlHG1vLw+yFCq/tpff4jIzk2guBlK08gYaMwlnZh1\nplc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGw2my1YlTxqGpvUK9XtisoXVNYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcDjYlWpSuVBpYD1eSoj99iDURcpMre+pM8GGk\ndHvdKJnBaXzCaUinjpMiwhaRuTqv718gO8A2aZyJ3q76cxeEo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgVNg5wbUtXMNXY6MQYmFQ30x4YUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDEROV5cw8gc2iRgW9Vfuyr\nKek+Qd6V2l/Q3G0TQ5uyBQIgBB/7gcx6lW44PhBneTPzpq6iCXD/8f+w3qptD2Wc\n644=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWugAwIBAgIUOeuZAy1i09AGyinhKzU9XnwLX+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO3940QH0IxCnXBmD85efFmMyWcylJacQTJlrD+oYRQQ\njA/F/elP9R8gGZ5e2s6Uhdgetuqms5j/mKlfivpdTn+jgZAwgY0wHQYDVR0OBBYE\nFC2MqJdxKBNRJ5fKiOqz6TtLxh1sMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNWFt\nBDDJFHIu6miaLnuFLqwJLEIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAOdqbBd7y+iysTChK84x3gYKh5PEaBpW+SxqYLcq4ibnAiEAqgvy828/\nV5T7z9I6p45fnaqjV9TBzqdVsj+wO7RWSyM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUZEJ5I++dpWkZlJvn3FHXZBJ7KakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEn1SkLUck7t6W2zLfA13yIzuENFuWqOLg4OJoJUKnGD\nH2KcihD85W6lFbWIS+C3dKGk86kwoSRvJD31gN12chGjgZAwgY0wHQYDVR0OBBYE\nFDyuT9e2zd/QtKLh/L52+Oi7KtflMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgVNg\n5wbUtXMNXY6MQYmFQ30x4YUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgAjbty8OeZnvAgbOYAyTrj1cRLKwbal0HsWjvDGXZihUCIAM7iyrkDvnY\nDtV2lySxuTMQYoNBxqwxmc2tqHFbmdPJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUJTg7NhZV0vCSHu5r0g8s9B/bvZ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYuCn7h2rLoePlnkfsJgwPiL5fscdmIqfBevwv\nvUNJepciziHAexsmSyo1HIFW22Is9vgSvUq9DAZWUo9No7b9o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBS3aG07x/eCvmf/oOlgIErHzwqUPzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHSBg\nXjWRRYR2QyBlc3HFb81B9t/flhwICQCrlwUAASYCIQCm5wIDi6ewgk6iZ5KgXA1M\n14fmn9RjRO3sKsOojbWQtA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUMzoxwOmEAoc1py9GYlhCvHVJ2zowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASd7rV4J9k2JRaSQMGhWTD+Y3Id9XQ5IWZSQxfl\n67HAVOEz6nzbcodlYKVxgmG50iJYn+RgW0unxfhKsKKSsKhho4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSqgD1aZ0WYoW3kQRbzA8EESVq7ajApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcDnK\nPB6K5305zMjCB3pD4uJK6XZgpFSqtMJFfZ6Q1C0CIQCXwR15HKRQ0cd27zKHTEHr\noGPJj4hrVP2pQV0kQobLFQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1zCCAXygAwIBAgIURjWWkROhzyAS1FBU4cmY80PfTD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHqSJ68S/8QdaBFSK69StbaNm/nFAJR9qcbJeGYQf61h\nCD6qOH5YZL3EbwNfXb+V/6e+JdZrlGWVQsVQhnpS/umjgaEwgZ4wHQYDVR0OBBYE\nFCQYmseWpRiGeANTXVaQe5vwBtH2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUt2ht\nO8f3gr5n/6DpYCBKx88KlD8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhdhasZuencgH2crqVtDjEASS/kAvjP2v\nEe6AUtYGPD4CIQCCAEKcyEzQfTYCn373BNjkTdeWzgE9I9KKKNUDM4LU8g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUYWiEwyZ/b8DrhOm5qPTX3DcX3gkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBK7H1mPSAPosxn+i+LMMnHf6E2a3cpkbn/ouzxbO1li\nCuqVqTTxSj7FDz9YzXdEGlYjvQtKW6L/VIVzd6OGNbKjgaEwgZ4wHQYDVR0OBBYE\nFHOaipwvgzsCtz2iliJ4pFSe7WEDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUqoA9\nWmdFmKFt5EEW8wPBBElau2owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAUFIrNmDZV+QjERu1V4yLPBEkL46dZHHRh\n5TqBc0xWEwIhAIoctGYDFJSiPZ24NG3PQdoyoZ9N1oOyDwl+tDrPuHCr\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUwvjMPyG5brNMLgwcxsLdxUdXYQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQlfc78CV1xoKxbYKreMuHizNDfIwAkaRLN70is\nBrEJi5pg5Odz6EXJuTXS+1u1lxZAMzcGF289ijr6+ItQG8DYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUraHMt+QPG5eB+m5XCs5/w8a4k5kwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDv9m1rbLmBakveb6+9mh5ODh5p\nV7/JZE5STHcyMhFd2QIgQADdZWsaVaNRxlkJhsqaFuGUeI8bEuIwoDgGDF7gBeQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUMPW1ySBtwEuDfTlCSf87r77Aic4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRTGGbx6dhHzFG2Yaky9N9L8DlYnsRAZ/u4mfv\nvD4gn16gd2+Y8aZlDZO64izYv7eR30DD6HL/7swaAE1MlbvKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu28JWWEwLzlDYbgvZq7KKvrFnQ4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCCgKhpnsBoZYy6IH5/ibdyK8Gw\nyf0RwStAVUlUxKZcDgIgVqLrJ9xJeLtLdeYzXbqMZ0demH6j1DoHZcdc5/iIHDU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUOuNSTSDtSr4bTGuBPHpioc/8SM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ458Ifi7JBPWrMAX4KD8fcbAU4QLzyf2RhzDgMHBom3\nmXgl2mgrpqem2zykLBxGspwfY+7VJDkcFvfmjAbnWPijgYAwfjAdBgNVHQ4EFgQU\noX5dgJyFX0TJs1bjFAputZi6kLMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBStocy3\n5A8bl4H6blcKzn/DxriTmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBoRphu9sRNfapo\nemN5APxTkq5DzxIm9wwwc3SuqLa+MQIgJA8cGl7JkgCTo07gPeq5U/OcDvGpSQxa\nllGmultCjOc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUT3T9/18w2zYOiJThdD7DXldHqHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNTOzW39Ab88+d/gLP/FaIfY/XBZi6Y6LsBrzEMzwhex\nCz6L21Vh1fZaraul1H+R8DHxig7BApcuPR+IY15L4hCjgYAwfjAdBgNVHQ4EFgQU\nl3Oc9yOJpfuXP4HQNuv5XfM0vE0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBS7bwlZ\nYTAvOUNhuC9mrsoq+sWdDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiAiMydnUZ4mQoQI\n6PokAAoyrYV88CEKbSXe1WuyUz3D/AIgG5CSlpMZrbsHhPP3dwK1er7ZT8FU5Ml5\nRfNAosE8UDE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUW+xGBmk7m1YqiXEji2Y3Rx2mFbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATOF4AfZorpdrBa7CSBxQHGEDc8XwXG9Bl/dOos\nzwvepoGeVwL2frXZozboDL10niBeE6TW+bV/GluzP7zwRgEko3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBVKQ9dVxqNXR5xRh7fKQAzkhgBIwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCrBsy0qY1boTMl93RunqeiA53o\nmIjKC67M9S/LXoP7tAIhAJ7XYmqxNYCLLE0pGcH5ksegFczz8v4VkqmcV5OBxtcp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFQufvci0xwAUymDzUgFLUFOoeDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6cm8w2b5Bgsl/en2vN8tJOa3Ck+8llbq6xWBu\nNqcVKmGq5DYE/g++tG0dHFmOtyPO+JtgyDxc9nfhYzpvBX3do3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4qxEUeFUpunIGlsVlBHWz/DkWzAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCkXiEhjRG2jDtxC/XBd3/eq7Lc\nGmfWODpVF/1XLfAU5AIgI+b5FN+RhKHTLXovxivvzyfgtppAofGLapMKzsPVPrY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUYFjGWwH7JB5931KFnK1UYbdz2dAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBdpRUA/EkVAtydbYQjoWePIrn14F6yTTEcofJMypZPo\nGO821ccgvZo53TOGeGCZgyULTZpmUpAm67PkEucKmPSjgYAwfjAdBgNVHQ4EFgQU\nPcZhz54SlqauJMEd0pj27+El5PQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQFUpD1\n1XGo1dHnFGHt8pADOSGAEjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAomYsGo8rk3Lo\nbYDFOO3+pbvS4KlE3U+cNLO+kVgm37gCIQCNkbUATfRMtu+Uk5gIsdIQSPapUlHJ\ntBcSwMft6qcUnw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUXspyQiK8GqRWwMi3+3faIDSN/Y0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDdGmubn5aZhBY1osllDlmssluMcY1g6xGwBcbj6XNRO\nO/KiG+k70SnWjuqQBGJFOdi5NTZIvmqbWuqOEWsY+AGjgYAwfjAdBgNVHQ4EFgQU\nAJAYmdxB5ywhVRtdt9uP7e+ZS1AwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTirERR\n4VSm6cgaWxWUEdbP8ORbMDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA1aT7odnYYKtL\nnpz+q1gH4PvmHmsqROuEOXfNWcmAJVQCIBYkOGXlkHeaPMOyOLFZmNv7KLb8qaEK\n5wrthWoZHA4f\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUGJE8Tg7u8gvkJNrmWfXDGKsARlAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQY6ugSs5Bq1Jh6N4vH8C27j7cyFFYVCYpTG1dx\n7SYStQXcXqTQ7i5JVjwyliO8PRXNMaujZyW3PUfClwiCoCkTo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwRQ3wsWkiieXwsIAUaCVwR5xdQQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCa9lZJGlvy/Im3fyjZpfmPDK4M\n5UkqEalnCM/iP2UJXgIgabelTWnL46EeQtH1WrsRWfyv9Vm6KZy1ORBUGYR8oZI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUBHaYJUdqy0GAmXtl3Wq9PyS3FaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARl2uJWPcmBx1LlbIWat0mTjgYSAizVsDrMLzss\nD6d4dOfaG+P/0INHB7JSYBFW9Jydzqrp+Gx3tT3ZP0/V0E8yo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9OAoRAkTLHJh7rGwgyzcPTnxh0wwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCICZSerKA4tSaGOQkLZTDNd/E2diq\nTl71KWiBYnobs5pfAiBZkDQ2OP7iQYTMusIo5omD6GIJ8LHXxDJX1de5uradxw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUAn/nIfSHqK+CLvBX2eY5HSEN/gYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAHmXWwRYUIuIgaOWbzzIQ6+5jlj77m89GGbFxennH4t\nbooDaD3dSJmy6XkjIxDFBUGBnjwinenTye5Rf5vGG1ijgYAwfjAdBgNVHQ4EFgQU\nBOZHECwLTnb7o/dUKvuKTDkegcYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBFDfC\nxaSKJ5fCwgBRoJXBHnF1BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA9FqqW/ZMcPmS\noYMV3Q9R0wRLpTHDTrPhG4IUcTgz1hwCIDIzttu4PMOeqFwQ+P9XkRIgkb903V+Q\nIJQyI0WQgVOd\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUVJxWTQ5t68kWUr329xFTLK2OPwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHlNlEsnLLAhP9nx+38dwVcN0b/7si5gPbeZTIqFCMlk\nxtrAZiVncp3n4+ntS2Vap7IwMiVboGxIHB5mH8KJDTOjgYAwfjAdBgNVHQ4EFgQU\nh2yWPmn3j9kID4ATKsGl1CgXS2EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT04ChE\nCRMscmHusbCDLNw9OfGHTDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAkLnNzAvdnN0wd\nM+w5Tc8xQQzEVDdcBRCGEuNRQHiMTQIgaf6ebsBtt+AbuLYcyrDxbynwvtbzO1gk\nRB6v0Leo+8Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIULbww1sR7NjP7iBcefS8Wca0C9wowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqhToQdDpD4TuX6z9GYnFx1lmqWYHzRBneo3Zm\n7cq0jzw2Qc4IT0yfLW1iFEkGxOsFp7bBjqz0oXoUIDhKMJCBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyo1E0elEaZtRRSmPKD4nFr9x/K8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgcOmHe8JdwS2CIDiE\nQB+aU1j1/qpTcQczq/YbwDu0AS0CICnTyhJljbQphQuk+Ri2x1oQXImpCVYIRvhQ\nt29DXSzq\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUeo2T28sAh2NAQcXU0rNgX6EjW0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKa6Qw3EM5EERGXazmUWA0ZnZ1jUa9b1K1xJFU\n4FJl5IQYrTS4qCCsM8YKuhVcsZ3ZuboNbak60WmzZwX9HQxKo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiRjb5lRPULICdcmYofUwMwRShAwwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK6tcIbZykhZHMX7\nUasfGgGx50keroIHiU9o0JY+9fqSAiEAvKZokFT5kiQSXu+XyLHJSHTc4uruo7fW\n3SxjkRoW4Ws=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWigAwIBAgIUGxsw81WLYr3Rq+GdDsv0Vl3ukEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEOR/z9M7ilU60PZ/QdpP88no/rlMGPBsuyjqMPuQIyFP6hQJA\n30D44s6RY4GhWIpMpOq0/XvryfYz5e0MXefCBaOBkTCBjjAdBgNVHQ4EFgQUFAfJ\nGNy7Wx5wirNa6K6SafyYtwkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTKjUTR6URp\nm1FFKY8oPicWv3H8rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAw\nRgIhAOfOETP/MVHTcgt8kSgeMyMUzNq/9Rz444gmZsLlb84rAiEAm/NnSGqGAuoh\nXlaODQYiLKN3UuZuTZRN6tAR4CJA1kk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUGFnNQJG7Zf/MK+rZG8BnasKLNhswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEii+nIS84kInP+DPavtIC1tO8U0EpUwOy+5MLOJfhsb02hceQ\n/S2QoZpscqoaZhpA/ucZn0sYJSnQUNJjKlGXaaOBkTCBjjAdBgNVHQ4EFgQU92/x\n4AjRtlh8ihgNoLTHfnu5ShUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSJGNvmVE9Q\nsgJ1yZih9TAzBFKEDDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIhAJXheB4niqh2UGFK2nimM3hjGik/QWgq3v3djs6i3j9GAiBJnleTGPkWLbyP\ntgnJ8xiuCDOKpGhCC2MLqaxgPsdJUQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUKddMmpRAs0lwZlyi9j0T+geP32owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiUEDkyNp8zlhjVEDA2rwb9z3i3iemuI2BvCXp\n90YJF5xR29wJBaejXBagUHRBEj4k4QvbbOeSkLHetkww6seho3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcdbceD1t7bF+GqoXY5BxwFydr38wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgdRnCdg2eYwFbZSUE\ny03JdpYK0bBUHOntsqguUVl1AKECIG6yvJuAfaHk9MstkUCTz1dVo8hAEuvIvk8E\nwiI/OUqy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUXTZhy8QP0zyE7iyeDx2uCHXkwFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQizJWNhaNRjVGO5rqFtc+xWravA2zQ8YETNFPj\nmIG26kfLuFz5VnWwHys/+nBf2RKwQ/siFb+sIOPSaaUWYfZwo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSlEdJBXYheO5zuVRskq5mpSn/HMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIIP8QqlsDinhS7T\nOeI2XE8l0Uifcb95+foXlymaNVzuAiBwruf+RI9DLMRtTklRwudy/ZdBgCbNlrUk\nGbtstoA4ZA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUcYRMbSqqgj1tZhavnZiyVzErhFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASlUMgvf1zUQ2pY+kMR1865rmVmukLMy2WW0Oine4przkh6+uu0wpEH\nTKKuO2fPXne91MWZMuyuqV1brn2W8i3go4GNMIGKMB0GA1UdDgQWBBS0qsEjyIBn\nQ3KC/59QctW2TRv4iTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHHW3Hg9be2xfhqq\nF2OQccBcna9/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCbvAFo\nWb6jwJTNUHz9CW0WYcNV/mTm77HOVPkqf2X/IwIhALgwRm8MQKo02bG7n7H5SLxq\nuPZhDCMQT4atxFWxMvUp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUI0SbnOlGzzVRZS6PEdyUaTeVFncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARoed4d+hXvLji9+VVT0AHjsoSADvQD/7uozT3KlCZWA4m+cn1c0yZI\njUtjZkbiUpbwot2IvpEI7VHy+mwwdSk8o4GNMIGKMB0GA1UdDgQWBBShI5zMvaCK\njqIvQrxuCSzYm669PTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFEpRHSQV2IXjuc7l\nUbJKuZqUp/xzMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQCVKp00\npMEDxSVtbpHyyZUiHFDOEOg62V1asqa5NwaUDQIgFa3ikf3Y1ntYlIbHXqw43I2B\nrJdfbPyep8MLtuYb6Vk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUR8grjS4JHsw7br+DpbXby3DJJsowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZunYTd0QyTngEfG53VvPOOUz4FxkHOIzf8S9\nMBHmB+URIajdDOvXGPZmlYK56H7MGFVa6a8TgO9t0kUcL5JVo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF8L6lmRMbSwG85CRMyN9zWJmk4MwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAtL4SRyeYBePlrSd\nw8BKq3qtDfjbmIV83WYpV0iuQokCIDhYX7G9jDShT23Bz+DdWxnekFyK+QDQkPbJ\ncRDa7XmG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUAMVnwa/zfURgXEfvrOWBhKVlT60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQAIZ9Ciumi94UegRPMtUnSh4n/90aB3/kGtbS\nZnlGRdRH4PvudFgLaraVMZMr37RxW/gUpd6lzC7S/AQNnNzCo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU15vx1+di+32pF9GzzpYH241TqCQwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAkPbe7EajWUoGiox\nVP5NfemAWKxcr0fqTdkvol43YrACIGwijy73FkqBskSq7NEbo4LL9piDkm7d5N2I\n56mmgedU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUYxYRbv8jMMqnUJYqEPv32lsHQ2AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAS8LLJLgRTJr9uMiSG9sU0QHjkXk/OE7TUkR7j6WGsUX8IA8pgVt/1v\nnf+ZZPC2IWJk0EzG64l1Ys1e2pMPFq5Fo4GNMIGKMB0GA1UdDgQWBBQjqg240jvV\nWGH7RIE1Pk/+9jhOZzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBfC+pZkTG0sBvOQ\nkTMjfc1iZpODMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQD11nSJ\nh8BJ6Ir9TytElxUOtm4WPuSzc+iRzIPcDH/4fgIgOOccCLxj2Ti5oWtb/AcQ0SLV\nd3Eh3frvwlxou+/r56A=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUKUkKGZUk0O9gslA7VBJwJVEJi+MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQAUI5hBvtmr0R0SoaChisYU1hdYRxfOyScKZQrZQJxIxwUlQwFSn05\nXTvpCYNOdjd/go0kTQWx/rjIY5sv+L0+o4GNMIGKMB0GA1UdDgQWBBSR3f0YxVoc\nT6BkDyp1msld1O1PzzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNeb8dfnYvt9qRfR\ns86WB9uNU6gkMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQC8X1lU\nBnbLdWlurup1PxE1OmqU3HqKbwFu2V+lezNw4gIhAJUaKzySIKGPXpDnRJKnoMML\nMb6Pd8XpL+thjHC/V0R/\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcLrJ40Di4sKADr5EUdB7VcoRNCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5FBMZrHQ583T7psCKY9KOq0ap2FPD+guUWn9j\nE71Hjc5OTgxgi5aAzjz4nNxnzY4P+dxTL+57JoJYLDeN1vZ1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzHd8ONC+g2ArEe7jylQSFVh64MwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOXb1XAi/GUen5Ix\n3uJ4wqYt8ZJSdjWXAy6kRSqd4bBBAiA9iP3BBCbTInP9xeTEswA5u7fxMwJO+uEH\ndRSGVt4ODw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDBR5ezu1Tt6YaVAO0ObiudlwVNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuHi8ruqEMSOrSIMxYGQwHxE0YqQ6gbENNmFWZ\ni95W5qomv6FWWBD3EwaT9xQ3wNwCOumE7joprnWRRAAQ/X9Lo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSKVVUt8MQyKe/faI5/QysRNA9cMwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgGMwZKEd3cV6zNISN\n3hePeja9X1FoYzCPQ9BwZaNXYBECIQCjciJMGKOP4RdH5YWBRr7sr/Ly3nJE7WwB\n1pZHR6SbZg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUYjdCGA7TY3M0sWSVhDpC781HkqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEYmrQuZGeam6RmC5kyHo/6FxKzMVt3w7CqMxfn0KBtm+FsM1c\nN1IZDJBuUdU4SFlNgcTHV6fgZ/YLB/QrtV4nEqOBjTCBijAdBgNVHQ4EFgQUDX+K\ntDBJKqeJJXYpwREecSq9iSkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRnMd3w40L6\nDYCsR7uPKVBIVWHrgzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNHADBEAiA8\nqrkMPjXNDHR47Ff1mWOMfXg9rB3CDBhIltDw+IHPFwIgeabo4SOiLQdQZEQm90ix\nyBzMHMxBvzxLeB5p9vKNPlQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUHIsxB2+upGhQ1Zhu0h93CJ3+sAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE8SKSh6+Q3bRs0ttWLerIFMHoBcoHZ87Pu98MoNgZ3ku4mZjd\nfdlsvstN4CEHwOhnU/1h1UO/m4AP335eQPCGlqOBjTCBijAdBgNVHQ4EFgQUBTSD\nos4sS6C1Ggnh/y/O7RKJxRQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRIpVVS3wxD\nIp799ojn9DKxE0D1wzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nm1JIgI/jGvu7ASojZ72tVy4Hnsf6Dqmo9Oa7zYw96iMCIFTZOdVFnQBkIa1WyEYQ\nC0/ZiUNGkRjPCmPES3nH+Vnf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUeaI3gwzATw99yiPTYm6Vy4gVlJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/J5ry9jcxlsZXE5ZJTDRpAUxQKsgI0grrnD3X\nzY+mNBH4KglezWnsZEhE/YqIKj10QdDlSGNg/EoU/TpilThmo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA229CWImCkHl1gdPu7ChfzOeNKAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgRB9o7H8YfaK7lUNi\nrhJHRxQU0UTnW5MMCGQZST5EtFYCIQChJVjVtHQTXgFuzliZzO0PzaSHNAfqgo2e\nM/3+40Bw+A==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ0SmAHY7jHNi+OS3kGji6+b0EQowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAQqXc723YEhNw1xuAY1Qm0nUCh8ozuSnp6xEY\n/TZKtfqRa6iebtrAYqlXpjK1i7dW0FC+ndI6BgbM6yPqOFUlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2PJH+BEcoq8IXS6QEHTp/kWPRowIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAMKDAA+fdTygOBqh\nu8sNmkvOh+DZuaY+DnDPYrsQbLvZAiAdaj1ILcSuu/JP5NlXS8LFKpf2lkVx9yMC\nUfYitzKvvA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUTOQNDv+JEYJoeXuExOwLNIlZkMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARjpQRTIpVcfdkV5uLsZeR2RiN4KHVFn3HaE+Os/oa4qRo+Fhfb2+6N\nqcSzx0rI1AMqVO3RyU/vu8h6ZnbdRkJMo4GRMIGOMB0GA1UdDgQWBBS4GC3pIrdB\neg+oEBWmTey5P7CmyjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFANtvQliJgpB5dYH\nT7uwoX8znjSgMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNIADBFAiB3\nXIAPHQOxvZFAIE1/iA5ceFFq+e3b2GxziUuiGH2KuAIhAPQ8H2okHc1xhEVsl5lZ\nscub5geAWhWCz9H0lpgTToGX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUWxu7q+sPsgkQbET4SgoX80Po80cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARUBY4NkSq/M1dA2StGqK/NH8WagyvtUf/C1APFOfa9r7NNyCkWQz2A\n7UtUq7U9uJGL7IR2bv8ueuroE94Cbxfvo4GRMIGOMB0GA1UdDgQWBBSOFmMiCPsv\nG+6zati/TKkhSj3nnTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFCtjyR/gRHKKvCF0\nukBB06f5Fj0aMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n2EMlITuZ8laxbaLH4YGVomDQtjFivBMoLVyOllhbDj4CIQDnf6mlsoYyyEmTRRTz\nFQeOJUv2dhwyyKCB/NGkDBcSug==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUVMQ8ZY/E2nQrNOho8Ox8HEdIzikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARy9pssee6TpBwUMhJfrpQ6+VDJJQR8yYH4shUC\nBZnGjXrVHYbwpKV32mc08sUZY+2Xjz28Luvftvgf8G3RpDr4o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHIaTmBk8coZux0JKpLv78ICy4E0MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAvwi5KT/FeXxM0NRJ\nC3N0LyBLUDO+x0V6oqRRAf6X52gCIQC+NTtIrv9Keiyj/95OcRSoybuOu1YSz0c0\nsDhV8RFEWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUQ1mwjFY4E8oJbWxJgbC2D4ooOggwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxDFQL6dlQMOEn1jTRbYeiyVY3SiFynrmggU/H\nPnaDBi9ayEtpmivVq5HgTulIRY65SiEonMBhBS+59tahemDvo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFBMoidK5pMFebzU977jZd9eQ5itQMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAH6MKnMGVV4arRtZgh\nfGp0M+Wa/fccC4XPtVv++mVvPwIgX8PJE1BPu5xQr+PsP6WXGwN/pnrWB9i8je+G\ndi9uUDA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUF4T8tDPrCPLz3DAg1IB0ZAiSW3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmYLCTCmyH4mPgJOwrNPM3DYBDdPtCeLwMKdcc\nVBYZZkDGjWi7nlyt2QpuJ/BF/gnHz2bUw4TxA2djeqNpLp8Oo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUchpOYGTxyhm7HQkqku/vwgLLgTQwHQYDVR0OBBYEFGC5\nZiVk5IbMnwK/fontEs93vIiKMAoGCCqGSM49BAMCA0gAMEUCICcHV1yQc95Wdg6+\nYTgoMSWrZ1D9MxA7Ur1ZjkcEzqrqAiEAvRiGBVlbzcKCGPGbEDKoGo7AI7CwgIc6\n794r/cKQEd8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQlL++b+j0pgpeg6w9i0NzAPdTNUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARylxr2XfvI19C1I/R6vOV/yUESfzgq6yLtxI0r\nEtn8BOBSQEO9sOfeYNhOv/P+JCBd+otaYbxA9+xN8J+1ZFT7o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUEyiJ0rmkwV5vNT3vuNl315DmK1AwHQYDVR0OBBYEFFiZ\nRDR4iY4YAFJWk1QCmJKzmd4sMAoGCCqGSM49BAMCA0gAMEUCIGvf/tCUiMgz6om3\nV73RKLHdAMWBA54ov1om/siG7epEAiEA7bxCcGaunHi97vefr09B9+xW+myZ+saX\n1q9F2Y9Sw5Y=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUP17zc6MJDQ5Su/bnNfON+tQHdG4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL4Omj3kRREUwwiD7vtCid7nhA9gv1QgKuvylBhOEwPE\nroc+xBnNqAsFBA9t/P6e9zA8J7dkc8zN9j6rfS9K7OqjgYgwgYUwHQYDVR0OBBYE\nFMHRdfOR4dNy4CpolwJgqe/UjGJhMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYLlm\nJWTkhsyfAr9+ie0Sz3e8iIowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHsg\ng6YlCxZAM8ri3PuoS5Kgwd7iN643QYDic2ziW27tAiEAtMIz9EHoanFkw92ILuQX\n6nCGdxoLdXSx5VdUBo8/l+4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUM91/jTbs+7GYpKOn+I7eF+vrkg8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABES27FNjwGvccd0wOi2f92bwx5Yn3zvuRfBn0GPBXmuh\nEb3NcC4OELWEnPHC5tNsBAYVH7h4ajicmIpqe+yhfd6jgYgwgYUwHQYDVR0OBBYE\nFGP1sjzoNlyP8O5Eq7pnaH2PCLqjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWJlE\nNHiJjhgAUlaTVAKYkrOZ3iwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnQ\nPmLHk35Npl2qsrmHouk8NC0CYzNYxJJ1fD1xoMG9AiB1O0/x7mLqKTSp7oo5GNNR\n3o+VOa6D/mlBDR4MCVznpQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUGnuRQdcgkKRB7fyA9WNkRgqIBsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS39Nmqxzd2aZQ6AR0malgBjQ6pYMbxcFuG1pJ4\nYxXfGVLvYpjRqr4RgsN2nzJOjbd0/nZ3sP+XcWdUEnh7WPnCo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU89P/lPoK0bc5kJc1ZK5IqIoGnK0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC4vZyDDdspC7GeOEtO7PUN\n/k9oUncqGMnmlAiGUx/57gIhAP62FTe9/x0dqbeM3s1AYGtW8V2PQxSkgUetj3lY\nH1yz\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUf453PVWdXJgSILY6qksqMB0rvPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZFwPo46COQEL+K9X88NBDOO0/oZWF56uI2R09\nFjkP7/ACtntNjQOg6gg3CzWjyU9ImH5psi4O+Vp7NdSsBNMzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZGHOuL4nYZwhEGx124edGD4jkg0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCMJxCTfqSdMf8GvHNyg4EI\nyWeRgdDA37UIjOGjZkpnHAIgDU8wruAWPsjSlyI6nbLs8JPQlc2kxjkXE+luMkQr\nGlc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUKbcV+E9OA/0gIBhQ+pZi+XSq6MIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQADmonUoDeQznu6F2hEw/I8zXt92RkJntvFxsa\nqMttLzTasP5fwmx1nb0LtzunlN+hT4BzbhHyHOz+w5raK7vyo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU89P/lPoK0bc5kJc1ZK5IqIoGnK0wHQYDVR0OBBYEFEpo\n0s3K2Gz5w4Xal3HtyHXdHNcqMAoGCCqGSM49BAMCA0cAMEQCIC25gx6d9P6nEXnY\nywqoCbcjjM8zuYTacBj+WCappyPEAiAQbeI3+5Ppen2lYKkQ9KC5FOZ0LPoPXx26\ngEiE/pZztg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUTHPJUXGerDYXM7zM9qAdTjYiXhAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnX5PJzEsRr7KRHjpm+ztAEJnnYkmcPSSFTJUI\n51/URs2615xRxIoe6VZS4h5rvwamWMa8b/ICbFgYaZ/ddjNno3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUZGHOuL4nYZwhEGx124edGD4jkg0wHQYDVR0OBBYEFOZ/\nJVrXva6AOxuj7d/hXojH6y6OMAoGCCqGSM49BAMCA0kAMEYCIQCIpZ7tP9OkDxXt\nNl3aJ6ljCnBYC65d//B569RhzJEwrAIhAKpLkRq0wkId5Pl5E4gSwMc3pECCj4qX\nPCF/xKSPg6LT\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUFqhUkfPeJ7EmeEdYOWmNzaCirCwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQKxo2vQNGSEAUDxFZQ5OOj8hvBnkpd9j3/KkTj\nUDE/Mi/eS6NIGChECe+hQVJCvQgpiH+KeDFsGwcLHpBSW6NWo4GMMIGJMB0GA1Ud\nDgQWBBQFq9ryY2I4p/1sOJ06fehoDRbPEDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFEpo0s3K2Gz5w4Xal3HtyHXdHNcqMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgfCyCK4cgIyS7Lo4y5OMhQjTm2plw5MBQ+SlhPs3uo3kCIQC2NXZOCJk4\nWVw3nwBYP5Zkv6mf3FHm1HdquiBE7p1qFw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUdb98YyCjlPvRr5qDryhbPVglLxowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfYVwlBCqNmkqgArv4HNTFQHd82FPzCyIaFp3a\n2J9Jjo1qJgM9ahpzsudSjOtIVfpRwZZ7W28HvvWi/LRndujdo4GMMIGJMB0GA1Ud\nDgQWBBSrpYTopJ0yG5tH78K7e42Q99AgnjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFOZ/JVrXva6AOxuj7d/hXojH6y6OMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIlWJuyJmc391++IEC3IasAamcl23QqUIaHz0PfnJsvQAiA93Utq+UaK\n179wXCJhJHziBFKoUqJFcQSS87cSDfwbUQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUB64olPOSnkUix5oQdyeltgGotwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1XxN6ScavCqudiLufgS8xerdmzhsEnVmZuIrS\nqNp99Ks1nbAqaaYHMyk09jCVHsKxtVtnYh7ROgw+uQuRiE1go4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRVgv6hKFsL8WiaZXmdfQlKd6btJjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA4sFsLy7UYIRjnRCxoyh5JkafDWjksao7bBP2Tw7Y96UCIAaMnQUv2G22meZm\nP5Ii4TkKEWmvaejitHmctQm156Mp\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUQ0N6JhtKy/mOYEZWhlKSTdc+q5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRrvXdAPNeHk/9HftySQxYUkCIeFiD5/8SOkWv\nen/SJSPlkp6Jcl6wkR8pbNbXmLHLKQ2hIQtY3sdxwwGZMWyYo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBR9bqZAcbuD58DhExjSX0LNMZhv3DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBMGki/LZIVfX7n1tlRuwTgkqD4okoKxE9stsQAb2PXFwIgIifgs8BC9QoYq1cq\nIP9N2gEoRPPDtDCHSoTpfh/VqiQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUB2HSPQS9rHAwVPGQ/Tx3aCyF3EswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNT7KrGeRIlJm1JJd87oo2TghTEmxHKctBIDX03+hFjs\nqmQVZW9LsyPQ4lIf9FQihPxErrL/QsQ4W9ABWpo2WbujgYgwgYUwHQYDVR0OBBYE\nFD+3FIcP0lFIrL5ZB3osBrvASQSCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVYL+\noShbC/FommV5nX0JSnem7SYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDG\nwuhNY+sxsv+kMO597pSPCxSWQTAqKCtXk/tLeMcavgIhAMe/3j0k5Bjlx99f7y3k\nc0yvfTeRDamCvVm+guBAi8VG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUKVG68ePRscJLpbt5pLiBh7ROIFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF0D22x9nFMQLiy7cvwDyv1AKzald1LL5nIQHxOC04hW\n0plVZO9fkrIpVxzygxvF5+SvG0ZF6sa/K0D2QmQZRbajgYgwgYUwHQYDVR0OBBYE\nFJJ52jtdVOCYNi8PGwOizAw+LaT3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUfW6m\nQHG7g+fA4RMY0l9CzTGYb9wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDk\nAqo3dei5ksNVTZsBMrW891db+EwLsJzJrYKq0Bwz8wIgVBBd9mfAfC2rnlBZ0ByE\n3rJ/R115GLHd3uFqhBBgwQ0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUF+6rFVSyuTOtRxF7EjEEYe2OeS0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMyO428rmQJUXr9y4Fy98UiWsqaCcK2QLJmRkD\n5vziQa5PKewWc8HeTon3J3n6i1A5fjaOWQ5Xw38BVEAsN+jKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJN7xQB5Hp7N+Qz4pposDvK7NP3UwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDwOgOyq626ZKNs/qcet7I8caRz\nJoAit8NqyuzyPA60ewIgW+RwWqlyRnjBp9irwnxGJ1sdaIYsuAzyOdmhhmGUVIQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUMstp8Qtk/G18VSyn9easuY3aYM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASm7w3WRAutJijQpndOd4mMV7kcJuXsgCk1gU4m\n1SDc7RKgNyRNpHNZjVlxEAvm7w3DKsJv/jaBwK78dCCYfA/Uo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNl3xpCSjtt4bNos+BhIRUjNY7CswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIFls4W6YGJIawDk90+yV6itCUWAT\nCzfSRra/7qpmyKg1AiBEIkrz4gmO2smEt64G3L9sn9vRjQxMALirmRIhEX9vrQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUZFv28UDkFHoT/3taA9vkjI3SAuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC0LvLs+rNe0YCEJFb9Z3e4D3dYUxSWIX0eu44tYG59A\nL/uAABgp5jRmCoTsiGDBKi2WIXHuZLk/Hq3nLqIQCpWjgYgwgYUwHQYDVR0OBBYE\nFKhhEwJTVyWGZW/A05pU6FnHKpU7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUJN7x\nQB5Hp7N+Qz4pposDvK7NP3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBAF\ndG1GsHUk/cuuT6cf9NIjhGkkrlz//2O/y+d/g9u9AiBJxij49Rmbm/z4IB3B/j+w\n5YQ03IrFecNC25v0WOlc4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURBVF8lMf0tiN3SjYbOLQWnuGG0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBgiiq8T6eH+7XD87zyZ6dUVdAu4ph3nnQABWrV1jHbG\nWhe2VwNqIkmlF8QCRhBVjKMU7gvynf12WTdrCRAOdYOjgYgwgYUwHQYDVR0OBBYE\nFL/lAjktchAGhQSDcXXFcQoWRM4wMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNl3x\npCSjtt4bNos+BhIRUjNY7CswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIByo\nCKTAJZC0TOuLOyMjQp8yRUhrqu9MPK7KcW9fdt3bAiEAiOh0/jm8CydYq6VSXaA6\n3egYG/HjJHBZoV7RBa3aeP4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUVYvYrzKLQ0w8npAlNoI/6BUkGLAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFPn4DPax/4lh3CCSL8u/GQCoLHuXRdMZNA67L\ns69aWNqMRCzUh2sc8RlCmTi08KPr69iGOLlIsZJBiC6XdSCQo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQ0/+y1w8DIs5ptUc8Olhz9MOdswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPN+ND9clmJLjF8GcV0hX\nkbput9DgX6L6XA8pUTutK+YCIQDN24BCD6ooIvHg0ZsWr0GJRXRR6lZP9jEhFxsL\nX/MF6Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUezaa3EwsD32+OJ9nZZ2/YbmvPx8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARseJcz5zIEDUAaf1FaWmHV6WvLEq1QH5jvghz9\nm9u9NiP5Xyt+cDcNHvqWoH/aQFnfuBZbzSWe6MGQlDt1QEPbo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUx+KQfkkc07chC8WPyZbg37SKHhwwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMuk3smh004Gpqy7DW3R\npj56wYyf0VcOze4HeRhYcbNnAiArdKQVVASvfJKT97Sa3QctA6EGrPtgk7QuvVUg\nzG2ghA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUTlYAw7u/7a3b+1GxIgg+8/eCnEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdzh9O60CGC5pZmlG0uN4ihn8mlRFaYXLrxXIdURBDK\nph9b5RTUgHNlRuZzCf6liWS3I9v7LJ8PCNKNPtZcF+CjgYwwgYkwHQYDVR0OBBYE\nFK7bQCEWdvy7tti1j8Mk2yjJMxjxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYQ0/\n+y1w8DIs5ptUc8Olhz9MOdswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA5rmqgJI+Ncr1kWdEQxxHFPe3aMZqycO0xO5oYIUoiL0CIFlR5navaJk7vMwr\nBv9mYl386h20m5e07RpK+QlNBoQC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUICOYw0DxrWV1oEOvdwx8sVljChAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJfDeuD1NTktVdLc7V+xNSXhwXAqMl4Nm3++YalDewu2\nx88vcv4SHhhGhTNR1azNJZQ+wNkoJ/u7xtccLovTuKyjgYwwgYkwHQYDVR0OBBYE\nFITTBdiifFY/Yoh9/nZEmKqGzdtJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUx+KQ\nfkkc07chC8WPyZbg37SKHhwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEApiEYDoagmh1+aRO/oc/L9NvCQlE6bZ1Lz34uWRh3yBECIQCbt9utidXhQDsx\n76AQlPWO8FFiNYjUolwGIdDjPa03bQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUDgd9s8nScFlMczBB3rFgs1UsOkwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpwVrtV0Fpm1jDqwoCNNZMsNwcJckzj8XyFQgP\nl9uii6d6bY5QaI9nBRbsFKQ4dvGFV131g6YPyDrvc8Ctk4Bro28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQrRyUKjjJTl3KC/pm/EX3JbiVJ4wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhAJDXxogWlKuhpRBO0Bs0vno/ZZooPQCf\nQNYMIBFBFoRPAiA8jrC0zOK2CRzJNhh/K2566Rv+CyiY2LuOQ9w/I/e7tg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUcbtKY5pgsIwtRSaUHYEFsFgu2xkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCMnJ2v246GYvBSx2dkXLtgROnOU4tj4n3gzd1\nI7RuuSDz/OVACO+tjBcU1K7UQmJ8AEzAVi1g8z6QMX6JSM59o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGWam2JQwDa07WirTzGvFCY9B+rswFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAIRmJixiWiRTTx1/jGNguRnu14FVOanR\niz+QT7VkiILcAiEA89RqIZJrX7rztot46ausD2NHZbhu66/5NK4SWZUknZE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUJjspcEaziGVnyO/CpP6O5EYI/zwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKgAPnuyW84SCToVHFJuZiuieKA3SnhtA2THzpLo10lg\nGeV4yHPsIDmILvPDIZjOQm/UN8Qz2AQyu0htrpWuiSqjgYAwfjAdBgNVHQ4EFgQU\nUyOkSRw/vMCTszM5FM/aehbaZuYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRCtHJQ\nqOMlOXcoL+mb8RfcluJUnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiBNCwd5rGVehSnv\nwmhQ1/fPwBHlmza1ixc88Id2QD+/6QIhAJYo9sdBH4rpFh6/dvmW9LfJm0CcyUFo\n6BJO7j7fjvpS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUa17Txhkn4O6Hf8F3A7VSQHRXcNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKrhkx4NNmLMkg6hzi6bwsgVub7dWMYvSEf109mUY5+U\niTkOlUbGF/g0kuACGLeOy8aG3yCvwEneLrcq8FNaUlyjgYAwfjAdBgNVHQ4EFgQU\nEgrdL6d84PxFyRRPaq2xQ7fqHAkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQZZqbY\nlDANrTtaKtPMa8UJj0H6uzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiAc4GQTO9KQqiLY\nWlbBDTfboRboSwKnLvshixKmOSEf+QIgYOFPMZslMdEN/FVjPD4tNaN5+5GhtP+u\nZ2h4Czxvbic=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJUmWeW5l3GK0xHMzqL89ewytfhowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQAAUdUZMKc/dri4KBeWfDymdDBQTv1sg/ENZj3\nAcobpetsHxaorevfCmdy7Q4KFrtcHy1UoZbwaG/PL5VuqLcao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8XLxWZZNuOoZDozq0dS++iq0gi0wCgYIKoZIzj0EAwIDRwAwRAIg\nFvGD72XinYT0QfhstUftqYmqP+yn7s69bCEYKHD0XAoCIAqRp3Y2KwI8V+pX8yw1\ncRPyoM4AlF66e42Pa0CY91gz\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNdYLI4VxwKc6GaPoGkpWezKPriswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMa3phtp3TetBKELFwkaevyKHYlABflg9qSsU4\nak1E77xKudDlg/xC1U1Fzol/chYmRDapARsMgaP5HFoGmn7fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU00IB7PXa3YUf5vDbBLWqDkAepe8wCgYIKoZIzj0EAwIDRwAwRAIg\nKAdB0yS0Hgst3lc75MWLSUVuwGnfuKh6s0q0mqED//sCICMIR6tsS8TWjOQeeiLq\nZie3ySkNoBrp5qIdg9gRdjhu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUdj5DBTk1ZWsouEnYq1EBb2khPBYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHvlesjDrgW0qBjoH8V9ontCV0nfyrqAqABumHPbyypd\nm3aRgKMQ9jwyiBercOnHhgprLfTDOcNWpv/prYZmPZOjgbEwga4wHQYDVR0OBBYE\nFJ/L9x0erlHiaH110V+Z+3YXJyAtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8XLx\nWZZNuOoZDozq0dS++iq0gi0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgC8PHmp0taPJH\n7Eiq6hFk6qwF1RSCoceu5vaY9BprwAwCIQCXgtgLIzTDU2nCtEWYUS8JjXOc05K/\nisKrK3LuTkceXg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB5zCCAYygAwIBAgIUVAPzPnH7ZhmcqECB9zXGcXG2tx8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ+OliQjgKcfmi6Bzv+lEZEcSJgBxJKmeeEu/BpYC5PE\nIvPzVYcFFAPhywB37qzWSWTqTiexOJDZusr3JbCTOiajgbEwga4wHQYDVR0OBBYE\nFK1FECpQQDYESm1dANB0e3fWEsdrMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU00IB\n7PXa3YUf5vDbBLWqDkAepe8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMEiFSBel37m\nL4MyS99r3IaQJfRmnvBblSJX7Adfo5ynAiEAt75aKjjp00iwr3JQfXm6TeW2crKL\n44zbaILVBzt8v+8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBfUaTGGN9IwZf5bxwedJsUY/pi0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASg7fbxfrqJNKSUDDgPFc5aEMBX2y44APbkJLsN\noTsFCbBQSjhuUK6g+hpyWBWPJ+jLevCLPr6ii/9seYaGqjxIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+12F8f29gU617hYjwN+RNOvpP6kwCgYIKoZIzj0EAwIDRwAwRAIg\nTqipf8PDTFLYbdf9sbXQmN2JLgCFJfY2prAnV9ibNqcCIGvySedSpCaS1v0Rbjx/\nDbyO8z7ewHRBt+rcdm5XssYr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTy+NRqzreoZN3z+9r2YXhSkLQ8EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuASpr1S7UewtOzPlzI8DfZunk/93uRsERJbe4\nLGWDVerTv8Foq+EKfjh4XGMvjpeeqkbez9EW+cAiNIsfSE6Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBJ/a8Op4mOd+PiFwkRejCZRM+h4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPIAeqCCKEWeV3sY5RtLCS/DqnY+2itOn68Spio96g9wAiEAiwMyOhSiW0QZnUz5\nYlFPIAJF7824pWZjbGh6OuYMDvY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB6DCCAY+gAwIBAgIUQITRtsoQ8TNPWDjKRznXMCdvlUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABILC39r7exoMUMAzQQkqH8gYO3spyPY8El++uS0ydrwS\nikDvPxwLPOHi27b5kjQ8bh95+BSrq80yBhcYxKF0Z4ejgbQwgbEwHQYDVR0OBBYE\nFFCZsQMZ3P5LpNkl/hku46E7ueTHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU+12F\n8f29gU617hYjwN+RNOvpP6kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgNzCwHHb1\ncUmUy2c/IOZxW2imIsUaWB+mJXcsYb1VTa4CIDBwjoVnmehP9m9paD0j7c85YBfE\ngj/pmRDqNxKlTXNi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUO5zBrau9Jj6Pqtj9N6INlxMwooIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIDjQyaDh/giijn8eV07KCGVwZ785DDyuTD9+JeisBH0\nFlVP7wAv4QZvW7DI0vJ/r8NzDIS540+aCfAT0t8nSSSjgbQwgbEwHQYDVR0OBBYE\nFNlwzBuaDqwO2xTNOa8i6szQdtbVMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBJ/a\n8Op4mOd+PiFwkRejCZRM+h4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaw5k+BeV\nuOyukMdkXm8NxFD/+97GaTyeJfvtoYbkuGUCIQDrWgaKH3fYVWDbrC0uO34oUFAe\nqHG9bP7jk+R2XThdDg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI23NHRi+vUaUeeqPs7xrfkVShWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnFSwNOC/cNB7ebDWOepzr7MSnzdrmWceoKhXc\nb3GSTPPTFUWqYb3qObNQq1qbe4vIZeXWIPTMoKHQ3PPbBoZZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4gqYya080V9x5aRtitMatUyEOPwwCgYIKoZIzj0EAwIDSAAwRQIg\nQrkMzuk+LsiQYnPD9VbGI7rEFxmDANUim/cVsP4kDmsCIQCBr8j1rh3hQi6Ri02O\nBUpDPtqEC3AI8Eb7cd/yp2eNGw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUULR+iuOb6y1SasngviZxE6GCkfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpxIyq2J1n+Ceo+A2IRhUpOl4RkIkRlkDqYDLL\n46XsFq2dEsG2xw72tdJT3CVDlpe4rgc4vlgbWuLopAGHbZO8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYZ38BntYz45y7D+eBk4jEqbKwmQwCgYIKoZIzj0EAwIDRwAwRAIg\nNtDd3AxOU21P2L7n9w+aMk0Kqbot2QYIyq+a8zN5RKQCIE9C/Vb2tyRcugwzzR9U\n1pQQXrNXPUjyl6HxaItaFLrP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUclla84sRlOW9RNNG8D5ItBZG7iQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgtLdkc1U\nz6k+mqojOB3Xly1gAKZ1o6SjYycEgUWGi90kuAZyX4dOMAS04HYQBl+SjWamUjRC\nQoI08aVcSrq7uKOBiDCBhTAdBgNVHQ4EFgQUzo5k7C6RRhl8LPrEnniCHIvXsU4w\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTiCpjJrTzRX3HlpG2K0xq1TIQ4/DALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOMP7Mf7nd/p2azueBSLRcGHwWbV8f9V\nCSfd2QmnTL6wAiAuv1X91Wzb5crXU2RGyAhDScZgi0gFL9ej/Rs79aTtzQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUWz4WNEwNiB0Qt5Xv+qeyX4C0KB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiAaP47ne\nLsslY7ur/CC0f1lqcvfFPDVnfdLrID6My95Hl/V5oLGEmYxBrH4J2Oy+snntPenR\nxCEcvcU8gH+x2qOBiDCBhTAdBgNVHQ4EFgQU6xTU7p8GjB0xG7BCwowEhsgowkUw\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRhnfwGe1jPjnLsP54GTiMSpsrCZDALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgGoqO2xLcypnHFuj2hPy/+nWWhKwS88s6\ngkcdbH7n2uoCIQCtPEbzUOoxMQbVDAMYR0+T3popL+eCHRs1ymrBy05EgQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSI7hxv+BcsnAg5/mObyC8PiYpcYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB2qiy+EwJTm8Zh5usJXauq1i4rFaPWUyqf9YW\njvgPM0ghXuDqCH+TRMQMq8rVkdFo/D0yt4SEfzbKst1rp5+Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZawbx7X5VlVNnIksR59glBNjGqAwCgYIKoZIzj0EAwIDSAAwRQIg\nDjCpM4jgc9BsaC2pHiZCJkr7jBRZT5puu49QKSpf9CcCIQCOwH5x01Gf+A7MWyl0\n8Hzr5HysEVdJTHPnVTWeAYM6dA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIoTvT8RfEKA4ryYDk2ciElnPE/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLjDtL6ape67qgvsiHMSMDO64mzdbTb+pzoQ5B\nkB7j/mZW66ZXX3Jnh1BJa2cHa2dkAYE7P4v+OBFEYITkiA5Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE0rxt4k0o4LCnP2qc/h4z5H4RXAwCgYIKoZIzj0EAwIDSAAwRQIg\nDmVMnVm6IUdjzaGP16u9tw9rqLFVkw6tqOF4c7NX3C8CIQD5ft0mGbSxaBgRBspg\nRERRTck5UIPp3DM8OE94c8Mmhw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIWW/YuEO8MDcZaShk0QAl/FcKv1uTeMDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6bzVNpuFW7s0ZhnKU0pKpUAZqg7y4f3BK3MWJROe\nJZT6/hl+QoQ1HIrYMnzlkc1quFq0jo0zQjMCsB43XejfzKOBiDCBhTAdBgNVHQ4E\nFgQUP9DWZzQy+y9ay/bGZsJBb46opmQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRl\nrBvHtflWVU2ciSxHn2CUE2MaoDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAOzu2Jih2O4a62J8oz1o/IDNzkkMaxJiFAragLwagwVtAiEAoeO0omGngGPdXs2D\nWqX1k5VO3bnQ/zUirQ3CgspfY20=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIWdNSVMHesFzxkhr7JfDP6/515F6SvWjAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/jml0U6/zrF5WXPcbMW/46NcNf5QCco0zmO3kJaR\npLiwczPystphm20u68hMahJaEDzYp3YjbEuAaM2JG7mWM6OBiDCBhTAdBgNVHQ4E\nFgQU9S2Znkki4GSktpy+MpoO+znPVx8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQT\nSvG3iTSjgsKc/apz+HjPkfhFcDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMM/HTD3JC72KCmWS19HV+lAOk0alRXSIPtr5wJh1HefAiBTvB2oaQZAa1yJR8Cv\nw7rLeC3aAdB5LhRigRfg8XXZgA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHmc3q1JtylmKymk8WECtcjL8658wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpBuU+x7bhRyrGXOOGTthwVpKuSyu/8j/iR7Ei\n8hj9L6JOj60rYESr61m7PRr+FyBt2yuCozEi6ctO5FdgaPQ9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEYfJPtOq0AQNESlLq7vQaUunnTAwCgYIKoZIzj0EAwIDSAAwRQIg\nDgYGBfVduXUC1wX3+0F71DEYC9kZpMvRwrVG4xUJ5qUCIQD1VyDbWbVJl4h0lBqF\nQ2KPpAu7v1dv7orJtu9oWGZihA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfQ50EXVVtGG89HzCVlLIGwhdZd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEdQIh/zevJcCcx6ZCm6IOeeCja8NEhTi5U/pd\nrLgZJ5hknAV9t2/3mFbE8HQl9B5MR4y6VVD+2ZhZffpAbBl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhc3ZhL+IO+KSzvzQQxT7r8aJI84wCgYIKoZIzj0EAwIDSQAwRgIh\nAMpTNO1b4ZT4JQJfnCccDfIoK2iQC5REVN1z7veZ0XDWAiEA6d5mfuELl2IqHpWV\nIGERNLCgPNSqXD+FTQ3s4myQT2I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFUk7\nEmnq7Z/moC7/6Kng0cuqkznK7yuRhd+Cka7fdQGQXTjmimKjbpiG2V6DJsQpQ8IB\nxdM5cQzl25q6Zw+enqOBiDCBhTAdBgNVHQ4EFgQUnP5OkQ6X0xChvUMc6RNu+x20\nI58wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQRh8k+06rQBA0RKUuru9BpS6edMDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYY+3CnoMfqotdoqwiRrPAp5Jfm0V\nNm41zd3Viv9ntz0CIHCIJGqTpVn33g1hO1g8zWkcDas2uk9uf/te9xBdP5un\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd2mn\nlRtP8mv+ncJDKc+SCV+GiBQT7zoWwqofswJevHqVcYI1TP8lwaRTBP4WgNuMdnwh\nDE/zs38gIlQ8F6ChzaOBiDCBhTAdBgNVHQ4EFgQUDWQ+v8QeBojAxwA1Te2ZyiGG\npvgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSFzdmEv4g74pLO/NBDFPuvxokjzjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgd3l19EE9eYuv6M770VX7GTNJWTdG\n+Z2vn+r7swV67egCIQC/k4IdOTXWnC671KFnbB3hAuv6xB7xB5liJfC1CzZo6Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQbZQy0FZkPmZWqq23jmRUYxgni8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATZV1GQ+QyPkd3E0dnVmFZcfmMqbMeX8RtIcMxU\n2TwrEa0wOXvFFmGU2jAX7PYq+YucicaqAQv+El0GX+nnEkOwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT/HKHWW/JDXNIxpT8rNAvQVzO+QwCgYIKoZIzj0EAwIDSQAwRgIh\nAKDG9qkQPWnbi6P6pnvJFtk29tPHL4iJCUr0b1FpM8yUAiEA3RkV/O9kkJBkCoYd\nkhClg9tZuZTUlUfYMinGQccVYA8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYi5PWm2YvxP1Z+F4tAMi7oN0COUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7tyQWV5tKQzHDPa9WDjYCfVXphX/8hFPC+xpi\nGUBjjHLOFLeizKhFivLo+08ykFjqVfzcl6ArU5DpbgPV5Q2bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHoWBiCIsmo16VhQ4Fwg8mzKLZ5owCgYIKoZIzj0EAwIDSQAwRgIh\nAMuq55Oh2KMv59br4rEr/SeIw8cZAogHHjM05SLH7WoPAiEAkGOktxdww/1vOcUL\nDe/TgAnXiV7wJUs9hAwa/D9z6ZM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXugAwIBAgIUYpU9DfKXKkjE/9z++kixHSczUa4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGQftdPnYfxlfuEzNqpkFGy9iDqUl6VoIl3U1h0Esm4d\nQhA3dHfQno0Uo5cB0TydRywuRq2lL/5EQJQSlpiW6JajgaAwgZ0wHQYDVR0OBBYE\nFBnBtRgeeDa9Y4ZN1x5lIX9jceBQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUT/HK\nHWW/JDXNIxpT8rNAvQVzO+QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIQD+2V1p7tKrDkxjxx8LHsliSeOMqM036knH\nANyKTcIjXQIgG/aU+ntnhNZozszeLsv1+pws079bNHNf+tHqwdgA6kY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXugAwIBAgIUPeEDP1bvY7jrDA/obc+RA46+uWQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDNpy5L5pExHnpDEQqkFugGE3LZWj+2WNxIAN8anM/9b\n3/Vqpzgzh7WI5VzEi6oMl+BG71da4Dd5asvTdsFYFLyjgaAwgZ0wHQYDVR0OBBYE\nFDlanprrQKaCxp1DMNilTnZnmKdmMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUHoWB\niCIsmo16VhQ4Fwg8mzKLZ5owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0kAMEYCIQDX6hRib7GhnhMtt3UwvJTtzGTqTuokDHLE\nhEFYSgbcuQIhAKKCF+PHlScTEbR9EuZZubIkYR587cPtSGXyJSZA942c\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,31 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUFP64pH/7L78PUGH4fc4aeZIkm34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/VsAbrD93eqrZlBs+xcbF/YXg5Fe1Cdu5ULOb\ndTL3mA4PcpNIVe/4CIgq8x4kT1q/PML7Jfi44+yYzrLmm2Axo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF9/1n9loKghBRQybDzWUdZTNJHEwCgYIKoZIzj0EAwIDSAAwRQIh\nAMZhJ3vtA6xzVU5qQ2rUwOZ0o/TSFajeBrRW4QZ4+6XGAiAxmJYFi6CxLtp3aWLS\nn+g3gl0phEaVRNC5HLAnbM54ew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTSQ6RQquy8cqf9BdkJchM9mJgR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQvNimU5smTIW2usxMqJ7VH8EQsFMKR/wPpoiu\nPV+MowiX+jlEDzKKVO7VSlknq9jM4cfB3uJbY6qE2junGExRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTjlTlhFeOkCc3hoTuvGHKzjPNBUwCgYIKoZIzj0EAwIDSAAwRQIg\nBytV4mkxb+RZZc/b28lpxnb/fHS+c0DGrBrxfD1AaSwCIQD22n7FZG0ZVTzRliZD\n+SBRdXFybWItcyBotHfCZZDGHg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUYSlrFXdQVUsuUSzMDqGI9D6suSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSjmTKH2HDyFdSG3Pao++qm5h8UD+GUB/PqbTABomiB\nF6ImFnlJHwiqNLZPsNFD40uqTkoxsFUVk4HcwdA+IOejejB4MB0GA1UdDgQWBBQU\nX5pc6rlntHkINjKNmWq6GY7y+DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBff9Z/Z\naCoIQUUMmw81lHWUzSRxMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCcTCT7TSCMx1MgFwRuXl93\nwBGmU6Sz3bnBtJOeur2jYQIgOh3PJlBgQLriLbNUZPlhExsKM1KRqFduML7kysuY\nEp0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUFiicsFs8kuzJdE/j+b2tVGwelyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCYLXjpDlJwLlWmTSX0QYk6AmEg0nmQPQWWc3ht43GMd\naE3WcOdOpj9R/KHr1djl42rLuOemtcfs78mipp9JYWujejB4MB0GA1UdDgQWBBQP\nQjySPnFkjA7g+lBqRakAKR5MtDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFE45U5YR\nXjpAnN4aE7rxhys4zzQVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEaQmNMBaaenrKhzXq3s75DX\n7zESdmGOCB5VMi95+kW6AiBK8pMQO7d8+QPJMtLSB1e3pkzM0UpCcam/YQXWDof6\nSg==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::no-basicconstraints", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE8UCLQgsU8maRgNI1Bvjv4/ghY4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7M03e8LThJ2mADxWk1axsbmHmoL55u1ioH9sf\n7p2hgzSbcIehndQXFhHBmFH04OQJTHrFm4UrQ2asuNw9GjAeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgyLXDX7nPhBrRS2SNR6ioJd5+YswCgYIKoZIzj0EAwIDSAAwRQIh\nAO/dR7GbHSxY8d0WixrTBmE+EOqMiEzqAi7Z6TfMHGDQAiAOtU+AlM9PhUQoeJPx\niaV3bjhG8RUyl7K4YYyibtcntA==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIULF+z/AHe6NpKVjawrlItgWBM2FswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB1to/RknUb/uMKGjULLJH4KYWo878neuj5cjRCzz/Wm\nqm4FsrtON/1JR+91N1w8kpJvk/M8tmQDNfya42oa3sOjgYgwgYUwHQYDVR0OBBYE\nFA6rQ7bR+Njp1VskRizXbpqDp9uZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgyLX\nDX7nPhBrRS2SNR6ioJd5+YswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDN\nRx1NT8lDuqm2c4FXUL2AD0ojBnqpKB9h7pfAjgzzSQIhAO/b+jUAyWJYh69CWQ/L\n5aIiMH9hOy+qnm3OImsJiqFi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
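Review bot: The new `rfc5280::no-basicconstraints` vector does not appear to test what its description says, because its `peer_certificate` still carries a Basic Constraints extension. The base64 contains `MAkGA1UdEwQCMAAw`, which decodes to OID 2.5.29.19 with an empty SEQUENCE, the same fragment found in the ordinary EE certs of the neighbouring vectors. The `rfc5280::no-keyusage` EE, by contrast, really does drop its Key Usage extension. As written, the case would pass even if the validator wrongly required Basic Constraints on end-entity certs, so the "extension absent" path stays uncovered. If this file is produced by a generator, the fix belongs there: regenerate the EE without the extension. Alternatively, correct the `description` so it matches the certificate.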
@@ -1214,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJN/PIl4eNI1JbUycNCSOxPM1kZswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATn/QjkOsFpoeSfqdNFUSh0Z0kD5UtgrRSOoShE\nheztWwKOZXhOccjTwZThtPzFWvTjOB2tJVoHHvkX9r5G+rUMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKtMToG/OYHWKUsusTkV5pbcN3CcwCgYIKoZIzj0EAwIDSAAwRQIg\nYBp6cXFaW/c9FcdnySrNSrtma4Myyq4IJ6wc1MN6XA4CIQCIEh8CG+JINncxmZFm\nWLcY9k3VteVWKh55nKgr5Db/1A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUawIB04/IHLsVv0GGNWDfjw24p2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQ7qyKR5QrQO9irthZEfiG95KXJhgOEdluk1n5\n+ORfzdKV5czlmvfr+F2+L8bA+EmdihCbb1eL7Mx0NUeU4spZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbmeYZdQ7sAIBrZNi74YhRLx2iYswCgYIKoZIzj0EAwIDRwAwRAIg\nUF9Bxx9SUMLPDq/k/6ICeU3/W+OYI4xERRg4Rd+iYw4CIAjblEH9uHyb/QCdGO1x\nJq6cgRiM2P3jYFNn4Ch3ahpk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUWlM1VEpbwPrG+Ejl33S5BZJLsTMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCDSiwNdYNTbU6PkNymW24GvjlFqUsou3QTXjrIDkUdn\nKoFxMzG/Uwf/4+/R1k61t7seTfUKQSL28p1pXY8BIIWjgYgwgYUwHQYDVR0OBBYE\nFNBHhpYcrcc78xDwzIgQEtYV7gZEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUKtMT\noG/OYHWKUsusTkV5pbcN3CcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCU\nn5kBdRENbmFP/TGOx6rbQnsm8TK/ctIhVA3suf5ZWQIgdrS4F42Kt53QTRxI21mO\nP4x7BbV2Wr3MmkRqCIlGRMg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUN4fAITl9EyrJxACeGrGkq5eeeucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNlN+dsW4vM8tTEoyhwf0IJB1bP/e67fVkpfCzYJbKEK\nDjwn6ZQ59ZyiMi5UVn887QEKQP3XMysGV9hBGVpmYr2jgYgwgYUwHQYDVR0OBBYE\nFLGPkCVfiH7uG61i1lEJQwpHBc1sMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbmeY\nZdQ7sAIBrZNi74YhRLx2iYswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGKJ\niDWcG2Kwl3RcuX/3QpnSsoA6J4fGArZwjlRLerZAAiBbVfNnoAtf7+N+WWRgqTw7\ns5RY5yzVFDQ9dhIyRzJPqw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1285,10 +1306,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF0JrxY1UmU5gTyyv4VducnXnD74wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuqCV4ECGUk5Ja7JKl8DSYHOQFxxyWWTe7iRlW\nhKK0SbMtd/3qIYJkemJrRTl1/gN+8cJNrKyjCvmY297hZaSvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPAJdf1I5HxmmUNr4hmpcraIlZwowCgYIKoZIzj0EAwIDRwAwRAIg\nZGtZNsoGBsEPqP0bjEYttG/zk4+B9QqAgf3LVAP2hxsCIDaO7qNt9mPlOHBq26H1\nE/4fIbC8ZZut/KkiTmI0fSDv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYDVnKuaV/88xnabq0y2MVtuOlG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWqk+Si19fB3ny0V9SkULbAp64rz2F+ZZ2+OEu\nYEoom8n3b6uCkjBWL+EfaVRD4XjiiOoYZrUjCDEWdkPKcyy5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYsVhR7MSdAIXiuNWPhllM5y5788wCgYIKoZIzj0EAwIDRwAwRAIg\nNmG7xbEAurH+XADUtQNWcq1Tb2ngBLFtVXT8lSJtkeQCIBxnRIjBEMOerGXe4R28\ndGeHMz8OZIgMbgc9V4kYyh/X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUeKzZkE2UNlsLAxX9c++8/h50gY8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABESOrksmMy3vo0/+N67VaAK8hb2ZTr0Lf5CDGJYqSgUO\nxybCVLJD6De8lF3Y9y/v/9PjsYdUAc6406wAyq5A65mjgYgwgYUwHQYDVR0OBBYE\nFB9W2xXCjiUciiivrkJx8k3gcV0oMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPAJd\nf1I5HxmmUNr4hmpcraIlZwowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDQ\nmDKXToTtHyyFuu24uew+CqfIIQ8kb6bXsyAEL2CJTQIhAN5uo6v0tnmw4PhlmKp0\njo0dFfP+oTHXdIsce4HCNOXX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUR1qiZZu7wXJ/K6834k6oktBxv3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAjTI4vcWVpAWxA+ZITozxrarxMjShjPjb/rb6uvY0wC\nkpfzdWoedx5DD//aXQNCrXlw23Ez2qsCS4FsKfO+xfmjgYgwgYUwHQYDVR0OBBYE\nFE483zMsJCnFkbzKkopcIAv7yAqDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYsVh\nR7MSdAIXiuNWPhllM5y5788wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCo\nsj5iQKLQfXtR0iJa1o2h/QbQUtSpbUBKYTWyY/YIXQIgbvkNXD1UiROW0vFdXpHg\npw3dAmf/CGCraOGzFUc7f+k=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1306,10 +1327,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE0THwfYVMhnx8kOomnbwX9c8AdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmszoStvz3osBgdqSWsBkyeZFDaAUiB3QbNwJN\ngEkjX3SB66D9J1JFjTvTTjKcO7igIVOHYprvemfR+XZjDS4ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFblFAjcoCTbplE0tlHp2m9Hun9swCgYIKoZIzj0EAwIDSQAwRgIh\nAJTFqPZ5DM+IHJtY1AV1wSivFaBigEuI971m3GLDhEgIAiEAi3y8myjfBheotEMB\nwLFiDsgG+odlxnTp9onoAEfBoPY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGrrAEuddVTw6o3Tkj8QLYiM72gkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWnrXcYjceQw8nPNcoIt2qracVCDQt7FGxbrrm\nKdqXN8nZZ1PPdBP+oB+CfAUfMCfspbydGjH2brFLTtcFpY7Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrKReyVtXqe1jGZdbcvJx4otSvQwCgYIKoZIzj0EAwIDSAAwRQIh\nAPNMbqcP25vohgLU/53BHoyEr5WLLNtjf7gfTHmUl91yAiAd9BzQZOWkn63+CPzm\nc7rRxKKV3vYGn6Dlx0A5K/jJvg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUOKGVN8ZOskIaWr/VMepd6BB2tkAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBh4/5JI2Z+xFmmOCFsFzTqd1RM3DA0lRdLSEIcbZFsD\n3bAHKx8AYCvAahvVaWXlbk3XS7NhR/jrh5lQ0pyfcBqjgYgwgYUwHQYDVR0OBBYE\nFKvJqAB9qXGjfQ+cqTIbuFVEAFIeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFblF\nAjcoCTbplE0tlHp2m9Hun9swCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFeY\nQBnxqL8na6affAKd+uqJIZvi9MkoK//7Ox4nwcVDAiAFyaUrWZEtHlHrxEwzgKi5\nfdpuiadN8N/CM8NraDVITg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURFJFs+l0O8pdWEhk2aIYtWtOwSUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAw0UfHwC3LcsrijCcH0WxuCUKpz074Qg1LM7h29lj3m\nSmGZlZBAElX2f7k3J9XXiNhbPt2mo3gjP+WmZgVk0QOjgYgwgYUwHQYDVR0OBBYE\nFIWpwlLMRTBIOSXBWKO477lpVJ3fMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUXrKR\neyVtXqe1jGZdbcvJx4otSvQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDO\nMvb2VytzY8iVtmRYAu9cXs0aQudLMTINDpCnSS/17AIgdC99uFyhCNcJdWxBQntZ\n1YsFw44i4Fn1EKeOSnXc0a4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1327,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMXa0iOPZeVKiafdTU5fhWfRURyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3uYGI6VgRD3hURBdaVxPvBprA5y12U44ZOKEz\nw3F3nAwx5t8Udd2DO3LXb5uTZLjY3r3zNjws0Xt3Mhq1DO9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULkgRXzDOdgTaFtwjPcHBpfpjVTQwCgYIKoZIzj0EAwIDSQAwRgIh\nAOh5Nt3r6RnV/CHSl+CQa+OSAYW8tsihzdi00BopqGMwAiEAgkeUTU+sk8Jp2A5J\noLqVl9xLG+kRuGgnDJFvrLn+Sw4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf2nOXLXdWw7PXJoYXkE/rlCnYaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtZN8iF4OoOSCIq7D0aby3xDWlAmFMEADv54u4\nDPPoFCwS+MXy14WszMhECw8iLM0eAx1XxqAPPQSnhrcEHBy0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1XuK6KGlsjLv3J0lhZ247v7DAUQwCgYIKoZIzj0EAwIDSAAwRQIh\nAIFB5IYymgwlKsSyiSwWMc/J3IAgOlwQJZMcavweSs/mAiA8AuYgTo25SiIGdEyN\nGcjLAJEYQ1qM8gA/L9kkonIUIQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUf+uB3V/VGCEpQLS3cZLdGObmH9MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCO1QVaRfHNruy752TtjQ+lu+xQye8QddfLp9531mnYv\n+coHBWTc0nyJwqSucqnw9tuCrn96uiNMKFk6/JHypDqjgYwwgYkwHQYDVR0OBBYE\nFDAfZFpZsTvtUkuHmZyIwJZFRc8BMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULkgR\nXzDOdgTaFtwjPcHBpfpjVTQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBhund4/MMm1oyKIi4/LcvCo1tdjX23wa6VNZtF5WZS1wIhAO9Y6W89Ytb2dpw8\nc3kR60TZIObOaxJK8BmvZEdGlbYs\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUf2HtK8BfucFp8eVXsenpAdyF66EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKPi0JM23P/2Tzsf70ohyw2vee5zR4lh6Th+D2cvgihk\nj5Bn8juIRasyxePzc7WG5mhqvsAWtz+1xnYbrL8FSamjgYwwgYkwHQYDVR0OBBYE\nFHMNzVnOWcHF/6fk3cNWC6Yca/9qMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1XuK\n6KGlsjLv3J0lhZ247v7DAUQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAFaqnsJynOEFk4mxytI3yA3aATl4kQ8ScOaoaOPiIT7gIhAJNB8tS8tdLvOrJE\n/RQkd8q7ccUBiNzwWNCCaTlmTJaj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1348,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeFI4L16sfliZc3sbgByq7VSr9bAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0pJAGII0uaKmu84PNgzrY9dTp4DcMVYV1nJzk\nRLgFQwazbfgTFhRdzbwu2yuvVXG70nIZDnZwTr2SqPYdvbOjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoDJXWXwCRh+Bo4UtsUHjChhHWWgwCgYIKoZIzj0EAwIDRwAwRAIg\nPDC6D9ivVheg8UoVVuXRsYWdtyzjqQ6h2kOVIJO/LBUCIAgMzY+y8WlYWtFF7r73\nVI6VEKRTqA0SXYEBVOgfHM3n\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBLnH0c/fppQ1NcrPCW/m6rGDnZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6xSIqi59MJnXSDKYSPumpKkWtoCOy5KPbZTXR\n4YP2YKxygT00NNgD1HV6MThNwB5GaEK5A1WL2mjvCjMo0i72o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYiHLR0uMlfL3vAOgn+lGJ9lveMIwCgYIKoZIzj0EAwIDSAAwRQIh\nAL3W8A+HD3kYEA14CKd1az4CoEMolZQ8c9Gh0gdhrQERAiA+uioES2JwyE9wgESh\n2qe4gMtYcMFLURuyu0f9sJo5iA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUabbt9rXqi8MsJXMK5QWFbvJ8EmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNgJNCD00rlATDkQZZ6gfOwTrGrp/QjxuerCgXdgcGQL\nELuSTvqTxMaeftQD36KN9oDC9XWVKrBAxuwCVvE8B16jgYgwgYUwHQYDVR0OBBYE\nFBJ+3ndyQX2R21hsO/lb42X1BWFEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoDJX\nWXwCRh+Bo4UtsUHjChhHWWgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEQZ\nEI2aSS99fm9fDFax6N3wU4Q9S1M1S4Yr3tHoSMIyAiBkbVcIPA26F5GB1Bm+uU6z\nFZnFgKLUmykGrDk16CMgLA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUESd7p6fjNIkbLikiAt9aOJSB6h0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLNgDpOtjVxfmtm6HwH8i+sqnUcsJ4PzX0PXlfyO0lb5\nH7e7JGeDK9EDpY4AF8z4jLAylhOyCBUcrHE4WM0TQNijgYgwgYUwHQYDVR0OBBYE\nFCxoCZA/BsAyZsMB6wn5IVrA8HdQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYiHL\nR0uMlfL3vAOgn+lGJ9lveMIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDv\nI/wK45cU/JtuqwTBfw1SYNs1nude36h8G1CqRADu9AIhAONwY0WtLHpyns4TJuKU\naIZQNXCjj7Qk1vShzgU5WWPh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURg5kPOV9i5f855oB1LOFU+hSiuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATohsX+p7LC4ZuVbBqdkJeqAabR7W95PTZnnMcB\nsMpcS9uKLw6XQnYg8tdagHAWIe5GQjgROZGJL7H6hpFPvx6Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdz/XnteVxyeHHk7eL1sBKDc+TrQwCgYIKoZIzj0EAwIDSAAwRQIh\nAKdZl7IUB26zvl0nngqy+5BCpQD7FnfxOlNJ2k3dh8VhAiAiq1CYyidAqYa95Svs\nS/ZtSO3P3O75wwFe+y09iKttHw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWC8Yi+K6SIOdY7aPUV82uHnbiSwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARfqnD9AwuGrLo8WI99yic/61rnJDBbHP+bkdFi\ncYWBolPHDJr5syt5vhwaEu291XrfSoZLTwpuOmhS8c2HHMoTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMFiJi553XWY0/xtx2oFwH/eVUUowCgYIKoZIzj0EAwIDSAAwRQIh\nAIsujX31pH5emvl5XeutADCIS6i/2/GAd2P8GC52NQeRAiAtnkghLxvkQnI/hdVi\n8UXGrkpRR8gpnAD8gJ4JBupqlg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUe1oX8RKSIpm+5V6DgecAutplTHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJCVkBMpLBLN56HZlgkffVho76YDdUW5oqOzH/ROskIN\nl5H3tyU0hW+mu45c9SdA5xQKdpLyff5Qfk5X5+65NVWjgYwwgYkwHQYDVR0OBBYE\nFCUZAkS7m2gSG8tpB3Rbw02g+XQkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUdz/X\nnteVxyeHHk7eL1sBKDc+TrQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAEEvyHPIQPsqAx9puAAkDXkeSOxw3DWBQtn9FTH4z1iQIgHY24HU7LNRkJEQ/9\nfTeztXMeNW/QgMfOjark3sAekYw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUHknhTGWL4BNLdzfEdgPrtpxuVqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAsAgQt82jUo/Xtb0C/0WeNt+BZIF6r+su0KabIzAy8x\nym5a+p581mzd52+jZ284N7/fyy8CSngiC8RukJy3l+SjgYwwgYkwHQYDVR0OBBYE\nFC7dfSL14cXj+BUlounTdEQZXOOvMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUMFiJ\ni553XWY0/xtx2oFwH/eVUUowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiADpGsTkpij8u1qf0FnPIGWNRw9jcuppReLpSom+3LELwIgfCawJVAETQEjljta\njqhCkvEbEvbBJXQbZvtZj6iAcrw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNFHrDaIFkQqzi4TRCFz6o6bwnaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbGSKUwOlS0KkpzKi6acS5DLP+LTeqO5Y7nn27\nIoWadrDfkIc+2uzAB4bJRvkkf8jvkD7AHEhj7rMVTixFs4d4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwUrG50BoCTT5/p0u+Z/KB8ojgoowCgYIKoZIzj0EAwIDSAAwRQIh\nAISoo5+83qOE+7KC+DsMoN/Am3fokekLT8MTt70CF0jAAiAzxKmfCVNmCOhWz4KE\ngtsfJQga92tD9vlqGVonSNERVA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUahav5EecqiMaWiH1V8sJltK554wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNDYBqgr76FArgOBb8vOO1i3hvHdx9e3otnpvy\nEVAJ+FDMj4qt9jtrsNo7+gS+TUS4/UIeM3ORc8oyh1s979Mxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1MiqYOp6ITXxpRAu55Xblk9DClQwCgYIKoZIzj0EAwIDSAAwRQIg\nTVfl2h11ABN7NBCld+/ceGywAzu/AQINvow/l81IarUCIQD/WZdYmP6uLhsmZ0Ux\nc/gmXf2bbOuliLWW9BIFftboEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUOEi5rWq3TM8anOnJBr66l7KKgQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJMuiTjKHLNphr/5xYqyq1gxSVbeBosYnG9HSBqVHAQW\nJAi3NJaQooyiGc+UOdjBxdz2xzvRgS4MxCtnEgvAb3CjgYEwfzAdBgNVHQ4EFgQU\nWG81S1jO+rZxh1OKLtgp1B900WUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBSsbn\nQGgJNPn+nS75n8oHyiOCijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDRwAwRAIgUi/9fYJ6e2d/\ncmVUOuKcdLxoSYX1hO7dSikXKPG7kzMCIGMMCGmIs1AqsQoeci3Gtf8TnAtlg87Z\nuwIew8sqdoMi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUeFAm6sYC7foiK+jxNNFbMxE/AJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL8ukacuMy0wKEALSC3yU9oXljRS1/x5C4OoxH5mKf9d\nijE6h6iR+FDnhmWOuHqpTLNVCUv3IRBQ6FICSe3uTcKjgYEwfzAdBgNVHQ4EFgQU\nLAzYh2vuPduoOXu8rbqeYhjJHhkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTUyKpg\n6nohNfGlEC7nlduWT0MKVDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgSE2Y1nN+dUrX\nfmNW1VKZVdJblXLM+ByOdaCvwCe1pTgCIQCclSGViN4FZwHUib7N/J9ymxqW7ef/\nFtJorrTq7VwUiA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeBbRt3cbAi/GXi7+MTvg6HC/vbcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQ3rDFmGMpyz6G7j/8pDafzEZRRsvzOJJzll+C\nmUonagqx905kOo4IVdlYh3VQgJPLS7ttkxxX3oTjH38LBzndo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcZ029VFTOCRtuxz9dyQ+JDFuvBMwCgYIKoZIzj0EAwIDSAAwRQIg\nA6tfmcVN/8z9iwhfltAKT1rcAvCr7IdaTJgc6NE0wlwCIQDcpbyVzu+FhwZMwoTd\ndzV7EHQsSl+1IqBGe+x6Bm7T/A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYutlmZg4sCTlpEmat0rbPMKIFwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATM7Llp6KUIToniCXpO1u3WSiuyeuTcw3hAIvHk\nPX/qx9tQSoo0tz9wr3lhbNa7k1EbOZOk7gcPQiLm/uzrmxsco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUERH9922cnMrE14Kgba842/U7NJEwCgYIKoZIzj0EAwIDSAAwRQIh\nALWfULvwYVZVLlC1BTKRzHIHXt31hiAEDXtVZZiZTMf0AiAETvLNVTcPELKfPd8/\nw79BGXR8mRljo+xNdoKoBXOw+Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUdMB39QAF0jDu0TCddA9oarb+IbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDjCy1kFaMGWwgxym+SRg5nuldnSlejuqt1WWdBkCMVE\ncoTWaiZpfLEDsLymKkuyzMICYWsJSAGzf6kRL2tXtiyjgYowgYcwHQYDVR0OBBYE\nFBYX0COu0n2vmcTL7duxK4NN24isMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcZ02\n9VFTOCRtuxz9dyQ+JDFuvBMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\nSv4n4vLDcrm8dHqXSzdO9Tu1R6Y+GlXybP9nagRAAaYCIApPphIaoKLmPg6LyH2K\n6m0BHJACuNxh8rnjbXIPnJGB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUNZyFOUrSJnuWfMDrL0pSAeNpjXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVX1ORG0VqT14sR8kbs2YXc1yk0d2rb4Qo5La8XwUWh\nP4hsUZQtvqLy26+mobiajnNg9wf0qeNHm3E65954IeujgYowgYcwHQYDVR0OBBYE\nFNCUAWCSyFLx3D+5QxRJfMBc3xOZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUERH9\n922cnMrE14Kgba842/U7NJEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\naDcBylCjxgqDvHW84SDBc8nPF2+vFZiAya9Tib1gfEQCIG752Ag/Xwr0dtdrqHTA\nAT6/e8pzrYgWzoW5j+yFw52H\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1434,10 +1455,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSHfmXNloUIfYbl1udixYC00SiwowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlp4QLrjGS55swgkNDfhfVOElbeRPFKCQLcwO+\nQ06UroS3obyR7vFlvygNF2Ohh8/7RlUrCqjEAGbT13oGamSno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp3m1dknXXRojwxutLqQxhqTaL78wCgYIKoZIzj0EAwIDSAAwRQIg\neTJz5qLD2ho/QQ7ssMdk4MqJKSCDhoR6dc40YPQ0KWECIQC1O9j63Wz/T2GIMqsm\nIa6U7MiwtwSTWZ45cgCL1Ue5qg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURHlM/832V7zkw0X+m525NU8nyowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtw6NWpTucQKZkQYL+tdMffI3pNJI/l89329We\n+R1l1lME5EU3CBPY2D6XhbIAMqDMp6oLcc5AEq+SX6qEZF5qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZfYVktAmO3bST677cf6ChoMh4bYwCgYIKoZIzj0EAwIDSAAwRQIg\nYJzxYjvdFFgh0/CdH268stHa7Zodha2JGuGzOTSFmTUCIQD461PO2lWSTSex5zyG\nLmfNsiZSHRyZdD+K5ZuSVS0qsw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUR40UWzQb1CcN3TR/0CZeMCh1q6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH3GwGb0Y/zZXZk3rfRUTL4GkHFmSJ+Yk4DJcsqeqHv4\nSOGjoyfm9Ew4aYqyY2gaslIRWIrMIaC191g1htAQwwqjgYwwgYkwHQYDVR0OBBYE\nFLQ7yMcmwqI+vfKQcQJYzEJJsxKiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUp3m1\ndknXXRojwxutLqQxhqTaL78wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAsUcJ18dYTnNBwsYTDBN5ctGPRmqv+M5GcfTWk2bVNQYCIBBs3V6IBxzWGFX3\nmUVe65fUdosHupwJJQc4+6LwJKwe\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUZ9e4rvWtoGuse7babUWXjRffKswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFr1RGgRUAMbslpV5zO14N+KBYdR/PI5QBRhToz2Neg3\nOK1UVn7V5LEZfcsN48boNZi6pBUO5U7l6yyyfNd4MqCjgYwwgYkwHQYDVR0OBBYE\nFIuxSJ8/uweynuUXm7FSl7H8s28rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZfYV\nktAmO3bST677cf6ChoMh4bYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA8QJBbHWBXMXvqBnRUuTwh83OWcc0VRBFpZtF3nvlslsCIDSo71PXW9nuAlLC\neVLuq2+MIK/qGtlQy7IBFC0W4q4a\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1455,10 +1476,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGe+vXAvLUQJ6+sDRyvTP5yXpoTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATeerpyaK3BApgFqHBkvJQK+8vhESpk7XpdnFJ6\nQ39zJvtaWvW2jsCK9Lx9JDCF1Qe5pSWIzu43cLkwUv/1RsEMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8GXEel0xUYQlkqD0/O90XxDepMcwCgYIKoZIzj0EAwIDSAAwRQIh\nAPA9v6KBGEUAYoxqWQwGE/faf+PYjCybDg63lIcjEKi3AiAclGr0JlLyvBkk/5Ew\nVa3KOma161LJKCDBj6qryDv1TA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVOjQme+WqgKC6zGA7a1s9QY5jfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPL8X62Ykn9j1scOxEEu9r5ax+OVH8J6Ozik6V\nByDBQoNJ+hNCzt0dF9i7S9MIAodHN40iU36rscNSQCjgE/08o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoABKVNP1Fokoo3AzGgQQTX1XhuUwCgYIKoZIzj0EAwIDRwAwRAIg\nd899u0nKM48L4ZHT7CghJ2JfsKdUjSkxEpkZ6jZx2F4CIDoNUN2cNv1LWhhg+QbD\naEZn3cUbgnyWAmEnRHN8szSb\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUUeaAbrwXixqJFAdhBae+R2DiqvMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMhaPeE8jmctJAeTEqtA0csCRb+i/OvTndzTeejdDiFT\n8YKwU13kPxFUbJClZfGeumS9uOM/7jdQaKRHpDcV4xGjgY4wgYswHQYDVR0OBBYE\nFDb+eyGGqwN31pFhlrICaRhWSa/6MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8GXE\nel0xUYQlkqD0/O90XxDepMcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIEJGyzPS8Xo61+ajfTs8omrNo0ANwPjZ41EV2P2pV8T8AiEA1V6EhbLdkio+\n7Lpq1/iHMa2oC4V+Vhk9G5hugwkYMGw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUWbEn0OvW9yRI+UwNzvlFSznp6bswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJt03hQGDNQAQeZ/Ujy/SNZU2ZywwMktditrCJm2u8hL\nR3HVlXVHBWXdxdT/va1DgkrsYH01Bvea0fVTd7kKnAajgY4wgYswHQYDVR0OBBYE\nFHFX46eWjdpeVa8fF9OK3vFDBkgvMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoABK\nVNP1Fokoo3AzGgQQTX1XhuUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDvhXwfe9Uste4e0qfnAMd10Uy6KtpgIpT8R/3N5AOzUAIhAKQul9noCRpe\nf0tcGefII9dWqlpr5Y225f+EqlHDX1RO\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1476,10 +1497,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenvjI9W1H99ZNSU7UR575obMP9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARq/VzeWKkIH1qgI5LsmeLwhQ2nmiESKUU+eZZT\nPBLJxAgdtvMJxLB34ktEUXxUykiEcIETAXToE6O1cdPXvNzwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8/XmoOe2q+X4BMEouCQtuBRWrpAwCgYIKoZIzj0EAwIDSQAwRgIh\nAJVvD+Z5leBlnL5geg6v9a9NtNjphENZtXWTQf0hSzOhAiEAypulUy703p0ZTh77\ngr8hedE9ykaR7wlalSUYldt3xYQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW6JGYTtMFeLg2giO5GxIE3y4VKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARE3uiPgroGSXTruQu4QHi4K+3ljtkBp4ZzoXM+\ntXrwsG8XP9b/esYqElIp1VVk5pPCGcfOIg2tQ5MTMmFELcQFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWuf3znuecvLdQDImjvzZvMmCUOUwCgYIKoZIzj0EAwIDRwAwRAIg\nItRsyy0KUC6AjBqXL9qx/5jkTItmNki651nsXD9hPiECIDvR0fb2IKCdvowRMtHK\nHEYkNiEn5zWZRkdtjiGUNj84\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUBaUo+mXn5npK3A2okSH36XmWqwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPR3jqfVdbgyg7b6m5aFwbglid6vglYuSZa6g7RbfLwn\nd6haSmsPf1+93U+eXlIB8i7/2gCYr7Xo2IQ58uyRLwijgYowgYcwHQYDVR0OBBYE\nFEz5cMzcuhnCeWoDEU4TP3qQ066TMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU8/Xm\noOe2q+X4BMEouCQtuBRWrpAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAI/7ee4ZTqBrHVh91FS2vEKnk93aKuk5Cz/YwiEf9jEhAiEAks7lQUhNk3mkPbQS\n2RtVRdYozqJsA1YKNwZSJRD6i70=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUOY3bl5GBCcit0VQ1vzlpofLSKTswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL0xOOdnBPhMYpslDrmD1LvdhH/4H43NNMPYAXJ4M8H6\nDK6a1K0kdvRpzdka/n4NnTRmCFCU+hK+cn9c0rFxQ4ujgYowgYcwHQYDVR0OBBYE\nFFR9n3w4t4FBiHzyh4SABsC+CLDOMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWuf3\nznuecvLdQDImjvzZvMmCUOUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\ndmzqysugaS+QtY+CaASk7UDr3f3MSliky+B0KGwwXhICIAmkLbIjZ/HBNX3Eu6V6\nRdPIkYThVtJoIgCKE4nokJgy\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1497,10 +1518,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUITPGLPjl8p8LBq/fmalmoBnPcy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiyuyzraNGytQ6mz7SyZQ5zRMcinq8tfs5Zii0\nZeQVXuzOq+mSAOAlQgB6mMDdVMZW1FgMuPSST/O7bZCtUdUUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjX/VR5NGySQ5bpH7nduXC/cM3aUwCgYIKoZIzj0EAwIDSAAwRQIh\nAKY2Hd6a9CznQL08uqzwBVw4jZKnoDpHDMxKqTCEwGxvAiBgQIgqFA5puEniuP3N\nKn189OyheXONflucSI45pA+bWg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTs3tLQkf+YdmD7Gtp2HNK+uevfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQE2u7BC7a3jbrttcrIyXcf1cReKWvHSgK9M0ho\nYDkAUQh6VKjQ/lZA20tyC9PaucmCOZceV2KWe5U40QupKEL3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULsgdtqyKXOyVa/La7d81XsBhaaswCgYIKoZIzj0EAwIDSAAwRQIg\nbEVBzcTUUFfuX4b+dTUyPVEItVrKCbKwJVnZEKNy7mwCIQDk/V7CL0W7N/vGNJbI\nN8JKxlN67NBvqYiSN6yCp+jgtw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByzCCAXKgAwIBAgIUeFdYwWnVeWV5RKnMC8LQ+ykxg+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABINMzXDgJAN7l88fapcwSGfQd+ShpTNtaGLsSwEx5N5g\n33mEJv6ZgW8WlUc6KOlr0bcr9XUiNN/GzRTrqLE7aL2jgZcwgZQwHQYDVR0OBBYE\nFF/D9gQ37mk3PTJsdgyk63+crJpMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUjX/V\nR5NGySQ5bpH7nduXC/cM3aUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIDcYyBeIPnJhLfDN2NhZz1VBFPiFm26tmqPE0B41wQboAiBq\ngRTlVYflkmUdz5xS1gj0mhd512DznSPB4/NAahPjcg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzTCCAXKgAwIBAgIUHIB9G+kcKmSpPavblEfu9IjkIpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPcl2tYKUktMYCGPYRBjEXazLgMH35S4psWyiv8ZPu1Y\nMUShUp4BaWxF4ScKbD2jtbDW/Otg66cKRPP3vRQhEEejgZcwgZQwHQYDVR0OBBYE\nFEVQCQxWoaeVf9Vf1C0to+lAtxLyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULsgd\ntqyKXOyVa/La7d81XsBhaaswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQCvzKsRffgU7snfGJXKxWb5eaMcI1iz7ni4qJSc8349UAIh\nAPv63khyV2SygJqFIZ5yMZkJIOqf5YEO77d4nwhKcrex\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1518,10 +1539,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUblH8Cjf3bYJAqwkqhHoAk9+y+ZMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvmq/x7l7fo3EDqf6RD1qiBAdo88aqoxVhz9Kt\nIojBa0rzU9hZy/Ha1fZpGMRVwilAh62w7u/jSJGGJYwh0avFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv6WTAGDmBc+OA8FJV48ERlyZqt8wCgYIKoZIzj0EAwIDRwAwRAIh\nANI2auV2PiilAeBJZwyG2ZPjCdTFLVol+Ab5G6tiC8McAh8Ltu6ayymoLNKrM1dr\ncNkM7UySBH2WmN3vZFlQVoWU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUamxaNOVpswPgXI/iCMvgS1b1vMMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATA0ot0i/EH1n8hpKizLW77ySe5lImI9o+te4Ql\nyPEfFfQh91/mAFB2INiF1hX5Dqst7dwBR92YDrOvEQCcaEqXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG2qqDkokvsmQ9f0m5Ug21pbx2CMwCgYIKoZIzj0EAwIDRwAwRAIg\nc7igJ3kHg5LP7ly13PckWPYndjWn18q/+kPtWkWXvkcCIGyZqijnek4fGcjnXPiv\nseZAZ57mFPRCC7a7GWdnQki6\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWigAwIBAgIUPeaf9jk5VoQe0sS/rbzgSZm9KWgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNZpC0XCFygxn2YXALlBl8ZY4UFGQBLpUZW+dFe3A1Vn\nMTj4rwzHjKi46YYIE02ooEMZHFGVxu+lC4dLGA5iU+mjgY0wgYowHQYDVR0OBBYE\nFOq19Wqoht8iV0eokOXUKCbf1QftMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUv6WT\nAGDmBc+OA8FJV48ERlyZqt8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAw\nRgIhAPa7zbD/4Yq3a+puTZnEuQ0rkTzN4OTijlc8zx6aleuOAiEAwgdjTo/7WnwC\nLpYDKge0DjMjgiu9jYmXVO2ztPhlb5E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUfB1ifWYavKyBnQY21Bee/ytbPuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLRahnaKh9ux/UTeRjqgcBmS765BmL+VYEAgy/W38+Eg\nq8GOXitAVD87VREtVMeZ+JYBIcHrUswPtw8nlHmhH6WjgY0wgYowHQYDVR0OBBYE\nFLf8Ks1GfXkgYI0oYB/LW7XJ8oTyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUG2qq\nDkokvsmQ9f0m5Ug21pbx2CMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgRPQaN57dXj+EPG1pQUUn5YQNVuByg0WTrdgyzfaV03ECIQDkxcPS6e1/rrnS\n7jggsESYSvy9BdrBJfesqn3rk+0emw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1539,10 +1560,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOIUsHgtqxpSIbaCAwK5mrgeb7ykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdSNxIPjSTluFRYohjSAsJNAmd6dIF3lUK4l50\nLHbF3+Q1BILQH//U9p0ZM7tUaSD2St5ooHlgZeBaF6amkZAZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa8qvFtRBF9JLblrlYWkuGXMmGLQwCgYIKoZIzj0EAwIDSAAwRQIh\nAKEPxtdR6t+u+jrQM1wYpmh8wcbUPv/7qFYCgqnSRFu7AiAsIo/fpJMnaEPxzM8y\n9yt32mUZZ+Lf+jmZMaE6DWB8Aw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYKGh/CTMHe/3XK9AMeuZNisYEaMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2DYk2TTA1Y3HiubZ6IX8oVag/08XGPgfRnR9x\nv1taX5C+pgXZJevNu1xyIXwNuI9v/fiGR9yQkR6GtNB+hMl2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdM8hwy3TCdj1ddaSBVtfBbg2tTUwCgYIKoZIzj0EAwIDSQAwRgIh\nAI0cZI0wqEG9VIc28xwo9REFbBhcfOby0KUJeJ3+e99lAiEAyqQeIFNi2MhndK0r\n81A3klFmSROHpAyeFjGEEXROPVk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXqgAwIBAgIUa2rXAnadIr7ZnR8/o027xaO4tW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBDiSBvqr7LsK0Mj7T2Ivdgz9PCryEJOa3tLQXRk0IDE\nG/QLp5BJzfXxBBPsD3HUXSzyx1zIE3K3XF+Jyr4RAXajgZ8wgZwwHQYDVR0OBBYE\nFBPf6PRUstBSWtXmLLKBp8hBYXlaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUa8qv\nFtRBF9JLblrlYWkuGXMmGLQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDSQAwRgIhAKMQzTZ1roXOWhkjDmzPWIYqemoVJQi7WXsJ\ngP7ZjuLtAiEAghv+Bzijvhds2583TOBWuMuOh9GgyOZH2lP7mw7XOZw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUbczv9ezXFk90AGGHgndwyPbzVRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOzM8fyvJ+joUgiG6lya/oLqR7XRHb5xBVtdPJTpCqCl\nVDi64qBJqLZ/8IU4Thgy32S04PWmna/Ayss9TuAIrtOjgZ8wgZwwHQYDVR0OBBYE\nFJOm6two0Op467/y+YwZb9+lxYzYMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUdM8h\nwy3TCdj1ddaSBVtfBbg2tTUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDRwAwRAIgb/MlFyChdBu9BSR9xG1LTQ00VaUeva8K4IOg\ny3Y+uJ4CIDeVqOU9aKVnYjY2XHDwKtAiZRZ3edMrQ6LjLew4ZQ1C\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUUGRJ9aaWrArJ2JTH7ENWRO9nJ0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrco1HJl//yCeUJ8NWsMwUlLl9wc1SYXRwucy1\nOCKAc72dcFUdU69DYp+DM64vnXlQaWCKfxLvCcwFAjRl5tyHo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz521f2hiJ3TXg0Dg99Nd+1DPdqowEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAPv1XeMtLjMKInxl1J5BKgtASjT1hIz1eoOb\nxir3neGDAiBRJsnCs83X0y4Ghv4XTMcKMwvsLgYv4x9ALGIFH4g6Kw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUSHjSROEZ5AAiJHT0luGHkSh1n/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk+tQNOsZf1/4gKa1oyJG4qtXwgqqJmlBDQG7D\nioo0Ch3JwxKodD6yonfuVPIJTeApDNIRKUi8pZcpKlMVP5BKo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUi8onPyo8yHEC7FVmsX8TzS8JWBcwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAIzqUSif/7fFtxj4PcP2L5e9cYriQH8BDNHR\n8CgUIWKWAiBl7HX53AOpD0nBJtiSlohzILAKCB8z4YdfPm3Tw6oGkA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUNz2Af1K/HXTbMxu6xvFIT0PVBFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCjIQopMv2a25BenLUpdsZP1M0cFNJ6jgqCFdwHgx+u1\nbYZgFOh2DkVwxjC9MFN9aBfe4J1TmS/5fjescJSLuwijgYgwgYUwHQYDVR0OBBYE\nFAghrzUB4808OKeRYenCJCNCVGILMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUz521\nf2hiJ3TXg0Dg99Nd+1DPdqowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGYS\nmV6AMmWxnWzYZQ08YUHCnbkVXt4sbCOKqBumeLKVAiEAxnlxkDuFsLjHCjdkCTWY\nRD+5jifCIqW4ynZZJnbyyH4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUONnNDZEkHW3TkRUj3Y6kaIMgdM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLR2QoK+pRCm3GbBR/rMlOPfK+BkxhPZLaoXCNMHiNZ9\n+hqs5wdWg+8MEdAaYgtid/dHIgH9i4phQQajWTctAhWjgYgwgYUwHQYDVR0OBBYE\nFEaDhPc3D7+dhsn0x6rZOAw0FwDaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUi8on\nPyo8yHEC7FVmsX8TzS8JWBcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGQZ\nYvpSuAQ/nBuEsPVVdvkQct9NnFzioqjeOAIAjMjeAiAG4XSA5N43exi8BmHREjQz\n7EdnlYHPZyBaLxgt4p9uAg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1585,10 +1606,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUOkWyMsb06Eq9Md3rTSeymJe+8d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEUTpcmq0318pQTcVAUWcmY2n0rjX8cWM0H7u9\nxS3fZjo4PYDy1LPPFdmNsAW77TmFyd9Ua/NtQjxwwrn6jhXwo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFKrgLGlETdxlq6fn64BpYF08ZAq8oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSq4CxpRE3cZaun5+uAaWBdPGQKvDAKBggqhkjOPQQD\nAgNJADBGAiEA2pd+BVwraO7yASMTZqwCMxKQTWaUrQiSSCdMeK/sxRYCIQD2xgTg\nhz5tkebrfqXN15NPa8ciOnhIl61uRZJXuniz+A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUFr8VQ4ICEcIoXrXw0QGdYyObcJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREhjt4f3su3j3FBUv1Oi8/PPqkG49tKDC99W42\nqXb8/MdJXpHDK+ijWFPuHWrygBX+T9vZhepIxNy1XWAjPVjbo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMUw4GYxRqay0LV5GyM1FiE8EUPQoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTFMOBmMUamstC1eRsjNRYhPBFD0DAKBggqhkjOPQQD\nAgNHADBEAiADuk/NM+rw1unUTEZsWQF7Q+kIX0Z1v+EJ0hFqBwGbrwIgMQ5FQYRw\nVEC7eeJW+EBiAlfCeUYph6Y9kszvuDF6YOk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUb/4EtHEE6DuryG0+Osw9hmuezrYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKJpPy2ked/toyAcmbKtnDtRjVChXhdMcgUBuAMvWZIy\nFka9ZDqVOO53sX+tsSdp1usjQ6raEW8pAcWvSn7HpeSjgYgwgYUwHQYDVR0OBBYE\nFCTQkYHrXRehPeKVUrVUeOt0UanRMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUquAs\naURN3GWrp+frgGlgXTxkCrwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBsw\n0I4PhebrxYvlZnvmXYSyopcYuaOsuVOwmwtET7DIAiEAl6LrY7g88q3/NCvlnqMI\n+ljyuppuTt2RuGCsWPe4pUY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUd6YWRDYE151Y2Uj2Zqcoj0ZYpLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCIAftOWqs2qh6HdYUqahmBFQecP81sMsxUrzvrTzgDD\nnhvXUFG/KO8S8ACBu+GbgnpQaZsf+D8kOOy9CZIL1S+jgYgwgYUwHQYDVR0OBBYE\nFMKisULInI7VZf4zkSjW5Ukq/mahMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxTDg\nZjFGprLQtXkbIzUWITwRQ9AwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCk\nExT0L1/8pVIXBh7BvWTUDmyJAn6QSg+kIxDT7dFVnwIhALdBqAaRY2ArkZFDOApf\nklxsr2urS0j7Uo9nBAdxFR8Z\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1606,10 +1627,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUdlMgV5G6UaVpSlQB3Kr86Gp9OOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST68BrwKEnURUBJk30KLpu0MBHz4I9d2Ptz/5s\nKd182wf7/OhW/PxlhHD12I0LdmJyPP1doeRvjHjMETfszmTGo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSUGLcFgmcYXAzwhgcnC2+p47M7n4ICBNIwHQYDVR0OBBYEFJQY\ntwWCZxhcDPCGBycLb6njszufMAoGCCqGSM49BAMCA0kAMEYCIQCQng13NFkpUYnp\nvRmZY6ym5UBgD10ATNv2RbqEIB6REgIhAJvaCFX+0zOqxqnq+D2NGI/iKjdPKsoh\nmcavxfuOhXtr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUBL43lhCDzY6UQV+2Xxg6cvRMrdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARx2AyrQYX427Kh5ryKyNcpa9/V5bqePfwh+p6E\nzzTGYHFeFTOvSOAjY976SsYy+Azmz6kNXU8zojgEPb4vvbdOo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBT68BjhYEGh98gsUTfrHJFfl+AWJoICBNIwHQYDVR0OBBYEFPrw\nGOFgQaH3yCxRN+sckV+X4BYmMAoGCCqGSM49BAMCA0gAMEUCIQDek3J0YYs4tcQy\nELzucihan/dklj3rMFhJflWJ7OCJPgIgQY3D0TjmDxnoQQCmF3xlxCoNC61r0zTt\nPLCbNSHfNco=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUXaG+Rz4PYmEty7yjhAeshMpzTmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKDZdujVOmVp1pk/gpGQ4E05mOQzHs3AgLhQEyags8kh\nUXtlbeCNlBV3BNjv//uUlq6OmEmQlogyUbFyb13Um3qjgYgwgYUwHQYDVR0OBBYE\nFJ/WY21eZleR3dX8z3Qkk0c+q4XMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUlBi3\nBYJnGFwM8IYHJwtvqeOzO58wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0\nPnLPsA84kj1qxqIr4gtyUof38yG+Ji4tEC17O7v95wIhAPBs/gfFnUnn2Apei8d9\nSc0jyJm6LstKYl9psTKT+37b\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUN63Cdq89vfzKFDXC4ffjezG3FpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBtK/0+TLO+YA5KXuZoypo2ykJ5VupR0YRxvmYUvmkUA\n0v6eVqMGMofktIxV41wGOqSa4kOW9VbnalL+9oGMwLWjgYgwgYUwHQYDVR0OBBYE\nFJJRTBs6vuC5qDCs4ucfc1SDR39wMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU+vAY\n4WBBoffILFE36xyRX5fgFiYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIQCb\nGeGpxmQBpxk3Gg/NsiNRR2Xr6rd7YbKzUmV0Y28n7gIfS24+OPwyZdCO+dsuoYsO\noj3jajoNFXzAjkUTCAZTpQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1627,10 +1648,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUeo9Ir4igEQjbbHLMvz6FyTNclCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlG1J/lkQQStsUetonFiAVrioSQk0rDpX1nn/4\n0rzMW6TM4YzcsfYMnVdPVb+ZRRObhivp4IDKVb2Xl2/nKIZNo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFMmHclwUZEr8+YuIZ6LEVfu7fBQOoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUyYdyXBRkSvz5i4hnosRV+7t8FA4wCgYIKoZI\nzj0EAwIDSQAwRgIhANl1HPI60UiPSE+vHTQ/YWvCgom974B36UqgPUeEYO3iAiEA\nhw3UwAm9+cGIY9jI40fbWE2uMkPdc628RRjVByVVDEQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUfZULXuCarYr12zKxS7jEzEd8c6QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPnNJnnD+kzGMAurZjr+yHOnbGqZ2ybXlBT/pi\nHVtFJZrt3FsguTFfxnaGOSjcRQNWoJ5qu/6gM0JgTUF2Y4sCo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFDikz24b7XZZ96lhzMC5x+6iD01YoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUOKTPbhvtdln3qWHMwLnH7qIPTVgwCgYIKoZI\nzj0EAwIDSAAwRQIhAL0OyxExwDaUiJl1/E5Yw3yV5T3m6nbohaGW2PsnhkorAiBR\ncmzgvNGVXJmG8hI9IG1K8fl4+L+gTX2NtsptPDQ64w==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTabTY5thZrKvOIKMeDdLwinW9UcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHM6OqjOFgahQOknFUZgaWFDKpzDf4k59VEhnCQN7tsM\nbnFkITbFYbjLIben6nHi5aeH6s4JxwALuJxHHb+nFD2jgYgwgYUwHQYDVR0OBBYE\nFGgg8aG2gAz6SbhVHr3yuLTQ8wxKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyYdy\nXBRkSvz5i4hnosRV+7t8FA4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCS\nAlccf/R+2zjLi5QkD1TmZphy0sqUWbwBdYF3EGLJIQIgfn7NXRA6IykFLpC/v76M\nDfty3SFtc5LSD/jaKqqnZew=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUaIrnKm82VS2ftTP5wMQh/SugAMswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn9jIbPHU5KXAKFatIjRBTVYWwwAnzA4FHIOQ9KhKsD\non4U9nzFQrYBVOElSJ5nbSx3OXetzK3bhdo+cMgzg4WjgYgwgYUwHQYDVR0OBBYE\nFIf4lEUrq4T8NKMVxgr2U0rzX41qMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUOKTP\nbhvtdln3qWHMwLnH7qIPTVgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDf\nCrV7Fca1t+tBYClF71GH/0VBnYxhjz0thZsdUG0ypgIhAM1A7H+v7jtSpzHpW+kh\nla1JkakcrH7RIMVxWHGrBR45\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1648,10 +1669,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSP1tObZpS0H/SV1W5S1IqcVpQUswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsO+fyej3qStoRBUsdZq9iPo56VQehTDFx1ZmN\nJfKsazbx6sJrFNEYdVsqAhUgF371w9SgkabkkeBgrh3kSrQWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr+yTqvLzP7JXSUg6o5j8kDQg4mYwCgYIKoZIzj0EAwIDRwAwRAIg\nKTTHDm6Tga/iIecCXz7MEmDHluM0b3m6EYfKCLZ2djUCICYDPIaNaZ+h+eERfWoa\nBmtz0nnIp28xT/GaAps1wBCU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUezEG4Lb1Tpmk+o5MkAX7xYl+J8YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBlATyNgcWfnRL3Msa7tHcyY2Q5LgU5dQt3gar\nf54FJ6mDdjmfw8PJRlF4bG22w0BK2zk0q+FHX401EtKJ89Quo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0wTyhL9ku4fc//gNBMCpJSjOoK0wCgYIKoZIzj0EAwIDSQAwRgIh\nANUqSVRjLS58mBmADku5eokXpUil/bRsGWDfwL9Sdn8QAiEAjbUsidT8o7V5Uc6V\nfqSKJLKcO+eYZHlRM8bRNmkfg04=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUPp3kHFDyPF39R6NFuwoj3NZlWD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABADkkqYoPQUfgIpna2LWGWqP9AAZAFdaNMtC8fTq\n5nrRhNmY+/lDyQkY6IucjAKJvonVkWbAxjRPFTasyb8D1b+jgYswgYgwHQYDVR0O\nBBYEFMjL4eTTGU+7nPFXQgQ9MUaPxioQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nr+yTqvLzP7JXSUg6o5j8kDQg4mYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGN6PQ14NQTjiNQw1/Sn9D2gbEI6c43e3lmekPjH4BeWAiEAp7VQDB1GZNSM\nFwSg4XSf8KbdoZnnn2dday6GTeX2rfs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUVbjBOIvMJNszj1Hnz/7zFI1BwFIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABKWT4TvetWR//nf5ReHKW7Om2z1+H668ysAZthGB\nrY/kZdEZ8/J/5C1nbvUqyHFI5c32NLP/CiE0lJkOtBicMZSjgYswgYgwHQYDVR0O\nBBYEFMnJB6pyadZf46ALfuJqbzl7/H+nMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\n0wTyhL9ku4fc//gNBMCpJSjOoK0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDZr56LpeOI+HqeWSw3sYYLtDAguw1+3eCOuLw0DCV4mQIgSlryyN+89sK3\nXA0EXLFVAN31oaYHjEIIgBsYaB/qqCk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1669,10 +1690,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVcJ9Bi4cRB2hd8gRSvRzTS62xIgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATf0Vm5hGQAIGRm1Eh/YPxzoinJGQr8H7TFyLly\nC6OpP9KceET0b8vbcjj8ubGugrKaK6Ls1QCqTHdoNFfBR3sDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFGoKMoNDmki05wYPSwqCPKI66p4wCgYIKoZIzj0EAwIDRwAwRAIg\nEC3Xp00GNhhvijHc1WPxLiQNRW0XywT9UPWIs86TndMCIFbVRXJUtIIj5rWU526s\nxUBxR4ZTa10SjWyKu0jFom2W\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaDoDPm2nysOM/3qGInLWB1SGoZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEyPOv0sWQliXkr2peqR2bbgIwVz72T2+6MYaA\njbeaBsSWrCuL5SFbfi0DSfYsokId3FYcdk9X+QJNjzEWSVolo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiw2jdT5KzGSpecev+rGJO23wb40wCgYIKoZIzj0EAwIDRwAwRAIg\nCMGHbQlkGZrTED/dZCgiHFQp21PHUqOqn58MPH8wbYMCIAQ8WOHV/ELAlwJgmBON\nokKIMA6H0iOhol0s+gZppIgH\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUKBkyE74AGpARxQs3NGTFzs7p57owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABFgZcJZHiDteLHr6XY1yeul9ay6VRNjX9XkZSknAEIjW\n26bweyM7EnA64fb6YVE8mKOBiDCBhTAdBgNVHQ4EFgQUVu3C08VXAhN0W6MeDjmh\nUFmSghQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQUagoyg0OaSLTnBg9LCoI8ojrq\nnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJMZbUOwk3w4QrGuF53VVvxT\n9WyjVdwMWC/TzYi08VIJAiAPGwVbnO4S1B1VHLGzejsImR8KhZoLD1XRczn2fTxP\nJw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUT6WSbZcGFkIFkgrkgCXEAka5N4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABIeMz4F3BjfULnuIYzoYBzpNeGYbH50BFomusQ77YMs9\nqnYWtjgtqdA/FaDjsr516aOBiDCBhTAdBgNVHQ4EFgQUXPeS9zAHLNmGoHS5HWgH\nBctXNfgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSLDaN1PkrMZKl5x6/6sYk7bfBv\njTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgI97LZDLH4bPOTm82pnsVcXbU\nICOtCMvzo4EmifSo9SACIQDfk3vWMcaoJjvdHhEgDuH95bOQutBDx8YzhBk3ayyA\nGg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1690,10 +1711,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMCTfPk8Ob92Ovag2AS5upjq1ZpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDFWIWFlOufdlyBE6Z20IAVM8pexDCEt5s9LsC\nPn5flNJxCj+bBCBLmJnuae6+yXzzvSodYwOH1IIh/aefw/0Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGMmOgHrGbUVqsD1rmOHij8dVJi8wCgYIKoZIzj0EAwIDSAAwRQIg\nLwGzO+Z1pu2uXMv0RHie+DlnN9P04VIpq1e8McDH7XoCIQDEBYhns7BmVxmarOxh\niyoF0jUM0m7FTvkBNAlMnz89Yg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZ+3nBb/Bc6cf8Qu8nK3Osu9+twswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgBK/4TSZbpMQ7Mh459ko4XIGb3x7mukBu5OqN\nT9Ncynun4UBNnwHkIDRPgl9sI/nnnpU4uQ3b0xLITRdZ5TIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX8NZb/m37S6N5SJEZqh+8ycYIFowCgYIKoZIzj0EAwIDSAAwRQIh\nAMbl5gNUfnHs8LC66e86fza2p2l64W4m//xN2Hg3c7y2AiAmbIDM/ckYvI4d/6Xw\ncapmNRSuQ4iwp7wrDzvL4jmXEA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLDCCBdKgAwIBAgIUEE/s1JzGj4VqvQXzNUwVTU/TU28wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAgJcqBszXiFMyellsozga47zmvamC+mfm+EKWZZKNo2Gj\n9iMfx9ZT7z/OeSBXKOyoaEljnHcR0KxIeGHlPj9YOJSPPpB0whS75hQ1PJOnLItV\nEcrjigw/8FtLdvENhJqQSQtQH6O/iAb+9Hf1sljqyCQ4CCBV8JoGgOQyN646JeRQ\nFufegVRs+htq8fgem7jythupLNlkPY1vnH0QJR97TmAVYhnYzsNPfdOVgrqR5ED3\ntd3If409XNMR1tka7rv0csKwRtz4VrL1ZkVr3nUgM23sDFU/VTM9zHs/4SVpqa/Q\nQ3LoG8mfQbGoJUYh7jdz4GecaYwaGZoTqwWSS8f+Zxflb8uiHJ48q9Wa927m6Qt2\nj0buwfxloxtN8ArfV3YlXJXlFeHDVzKzerwCLZD24nsQndyATCVurwoKeh3VpyID\n/NwlhVet92+PVlbzrYibhVr2GHyILYFUDWtnWJ3QypygkzT8RnbylI6S1EMT1Bii\n0R78MEhsEA30iDnL9CMLAiEAs8bYP1+9NqHVVCYEHg0gnHjYiEDGyPcTGI2o02lF\nU9MCggGAA/rtN1H8mcaE1U8Qfz1Go/GHIdhGdbGJ9vIF1s4I+kCDYAcph2uBuzHj\nJe+4Nd681l75IbmOuJ4KEjgISbattpkZpyNCvNcXwYJ6Q0imh+zdD7oUsSzopjJA\nEIX2pBZhxKzFD4L5WTuNK9ZKkKsE3js4sZ3DO54D0MbNRFstZHJh/ERcPWoAqM4d\nES0gD4C9v9GwF2vezcjfP7dA2y+u02l4B9DmA6bz6MHQ6gNVIbxSZR1DnWhA8/lf\nBqqv+dmbyPGdAxpdSUkdxvzZ4tZpzByX70qtLsiZ/ADIJ2NZONkyfpgA82WjK12o\nW8V30K86VTbqEy5FUPhgow+skZaOXSJ8xkwEwkz7kAtsgKZ6OtBCxfS4CIArNV86\n4TBLvwhs0UCP1ABweIAWi6CZ6AU5/Eig3KKXBXXyIyPxV6VXoyyv9XHWSND2e3pX\n73Hj/HGOtu8wne8a/B9Xgox8G/DONB4F7Rm37M/EwFt/b7pY1e1AQCfl9tUsCY/S\n/eaVUn2zA4IBhQACggGAYwPH75cGCHZrFTpgGpwl7rHvdfKercVPFRRgxEVkIuxk\niai15qN1ZXlkMqzzLZ2AY3aZv3PbH2PNsVGS2N0Om+dqBBoCwvdxz18GrgKsDL9U\nyNHJ8kifn3jZu3RYdfe9yG0dPENm89xVBisE+Hqr8C4kfL6b406rShwD5gwRO4/k\nXFGl0kOXkiaBzO8sQSwregbbySwyoIIrOCcSTOwksQ90kEticzPYZJt5kJB4PDUd\nGTcpknCJSUZ3LlEtoZMS3bnWyAMuzisx7+BEddnGEIEu9c2B3gVEQ3eoYeOd0Oax\nT3kzTxus4RBRtXQSSNSDg4aTURKibDaYBHy04gk6VC3EYzJbkmJq27pe6L6kvenG\na0RTGj6gFkp7rWsupFSTAMl0vhbZAh/5ONJX+iJhVlZvZ/LXfuWOlvx27Y8M8uwU\ngaiQGfV96tBFobfA7SJQe5tC2R+1D35iknnLHB6AIAJvi3ERBz3CrjusGuNO3QvN\nwxxqM0AvwYX1bMIN0hF6o4GIMIGFMB0GA1UdDgQWBBTmPlCAhshopyBF8wOJsFff\nkAjKzDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBjJjoB6xm1FarA9a5jh4o/HVSYv\nMA
sGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAg0lAligYEYeGT+pm1/Dm3USn\nykZSBt68JlO5+LO4QXICICkHTXnlEYgTjEbQzOUiJ2xTvxtRHUdokL3UQA+r4d4t\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUGqXtmQuLQ/um1hYEJVIwmgcb020wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEApxA17aNBf8OK5GmrpnuJti/Kgqp8xe/GdMxgxL1zo3ht\nTNNxB2EjjpGcA1bpOuKOUTP9uZYaE3vft00LjLF+IlBFgwpRt6OAV7lBlUBAZY++\n8k5mqXpKaWhwS3wOfKkKdxfRAl+yp/EGe4+U1V2tfGY4WJh34QneYix1mtjNhyAa\n/nmEKMeaie8jy0fD7b+c5y331WwnywJyyapkaKlUoJGsnhg5Yg3zXE0BsVQW13qF\n5OfADauYzRUMXGVWt4gE+4izVTMzWdj8tf8b4ewtRKw1/cZxdQIPe1rtaRLmcCT4\nKbXH8q8HfEfj5RlX4hhFVngtCS1Qv/wiUO66LJ/B03mtBtJlkhe28qneEtTRt0EM\nW1pQ1HthSVT6HUAvZVMxwVln5eRGAzJ6RWut8X+23J+uLf3krQyLx/cHE2Khrsvv\nVFbXfYHCEF5sDNivF7avwfvn3o3MnjvnPLiZFJUltLEPv1Zpik483krAFbCl5TSR\npXHegBzh20DzYg4lWKLdAiEAvlBugqyS8hq/jtKznp6nwmDTudyWI4qM060/SLQM\nFZ8CggGAEOeFbTMn6wB/jmximFwmEbzTfip8mbVk537ptOmNxv+bFvKtRYNJ8cSI\nDdVJXC/OPG5m+B5yAjc6Ev5JZ3iflG+u1p7zb3YtBOQdlzJI8gClMLLefgcJ86xd\nHyeveX292oanvSrDygV0MkO/Pj7qwjVBUIAMck7pszE7MBn5vjIjS/9iA8+drCJk\n6fMp2Sqwrs7WsjQhD6RLWqun86taJn+ZZ6z4/Zt20V17DRWW33RoPIavS2SODMSK\n+wKFrBOs6D+lcay52+Irxh0J9qe7+SPz0ZI43ZJ32A8WyGUU8IVeEAkbV8hs6RrA\nJoOCszndLdGX2DQ9KqNHAOGxryYv5girVzWskcOur27uEBsg4sROHfn/zNru7LlT\nCu8DzOdxsdNOAmxlnrnW8O2PWVnvMvfpVR2TcwNjHXr2gpfdqmxibXihBTOEFH9I\ncXR8Brb4ktMoHzqzaMLKIBjGc0kyUtZ6q3oH2X1hoAeoHgLlCCHWnWaaa6scyxoN\nrsN6j/7BA4IBhgACggGBAKZyE/C+oF83XDhIl95vkmtdL9DsY/A/A0guFhGJBzNs\nvigQA59IgHqaGFE2dkIjdEA3ydLaeVHmE18scd10/j0nWV5VFndQ2cHLg/a0Xd5V\npNta6DylR8iOc+LWLO+UvuBmC2vYz4SnNsD7GiOmlCjxYXT3x3OvmU3mOfieLdXA\n0GwC0WfSsK/KoPnlJmrtKDapooNW49+/7zZo5BWu2CoItSy+TInjdaFq9ZeQUwJk\nKNLOIV1TtC/AL21cfmgcdA/7wBH6X7xIL43mIAP/jcMpMLAc5RGz1JwG5u7fbihE\nwr11cowwpUfWblbT8l3oBod/a8Ia3W0EKJDdyufP1D652C3HIvBU1aPq3DkQ4W5I\nz9RIIF
IG9YO8F5hHkT/kG321KNeT8AVTL8NEcUY7yPE0v8bZ/Lxedj04Y9symcxr\nOIry9jzBNYbD1vdBR2epai6uukZOjSjpUGeSqez1l/TnB5N0uiOdwFByzowNMs4Z\nMuYXB7h1/+IW4sirrWTu3aOBiDCBhTAdBgNVHQ4EFgQUZOTc0IEksgzTUngaCZKK\nqopzpRIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRfw1lv+bftLo3lIkRmqH7zJxgg\nWjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgFymyrl2cvg+NbU5vw91mzzIJ\nf8u3XEwBWG1+5ZVM2fECIQD6lb3ZPGDJ62dFuy6rIkIkdeSeJObtbkfGbIXoEv2V\nCQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1711,10 +1732,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIUE8eRylRw6U7xLNbKQ8ZwFN1V7sowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQCo9FKuDGPrkFZwndNBjhABN5WSHqULQmcn5Shn\naEbULo1K5173Q6ApLMLKWFt0B05DAQD1vhRWCzTDk5zqyD5gGx763nlBapaa5tpQ\nOXVGOM0P240s6kGOdLSzs6jZNiPbFx9633UOHJXv2r1qx5GRdbAuROcrBfuOlNND\nFip3LM9fzRNHKoLrM0nIKCo4TTMY7UeLZ5/if7moYD/5GW57OofdjUBx4Yigg3EN\n9FEscFHgVtUykvXwrfYUd5WAPaAgdmB32ALlr/EjkZeok7Ps4FLbfwLc1Ede8OeT\nx32fGN2cWDf+I5R8xkcPQleF8NU40Amaa9uIDZ9EOiBCWSXWPpEE00RUWIo6btcG\nZhVZzNTDf5My5IyEWs91piwew3y+CsbNJ7fGESlbDwVfX0d4J9KwjRk9iZrlRI0s\nylmzOC1+QG3FZsSK8/ihjOqkZN1kS5tEkfDYtYYPpA2XRkZLWFwY+QLbIkE+w0pB\nHG8OkZVOJHWpsNjE12YrxaTIVb8CIQC3oNNMujI5mrFPp14tYZkdb4KyLzXD3IUB\nQ4O7pi9wgwKCAYB+XeAAay4+Zd4RE3BbX9Yxw76ZE1+r42mibJ7kpY3sw9friqd1\nS+M1HFcp9E+SMi0VC1tDLAXcnPLSXKCPR510IHfLpYU5Ilvqhjnx+TZdsjyEvkDA\nrQNSXVe9qYUTA7tpqt/gk3v+HWIt9OQxyUzX4QWENiMfG6On0Vlgb3RNaCYN4/dv\nqQvGzZDWTq0bkEiaDFtitG142MKscI5DXZpfm68hNRl7FhbatvaOrDZQ20EUweMx\nx08WjyyHgscZHDiIYvSp5ls5II2wLvmtj346x9ec9xzQXahyoty2OM3RJ1e2P8+k\nFtK8Jyz/2NsYu0dCxw1JhLJnWrvtiXAxGws4OPQM52W1AaxvdJWexsP1F2K5N7hC\nay5j45jN57L+2D7QUm5N9oqZmheIr+jo4ykn/nTUJaTfedzFHsSU1G0TwPvChzkC\n+DdJcTe23xIf2n3nGAhv6IOWYgUf9E5mpdHmDPwjaSJ8RVPugUv2wrDFc3wLrtxg\nEFo8/Qihr+vwx+QDggGFAAKCAYA6ay/34/mwUgOcAraJvr3EJeP9jakJFVVyHAQt\nbKvKGL0gCl1ylYiIF/L5ChPOclVM3QmIFmgncQyaLMzRJY95iCccgBJvlZeWlIDs\nk9OFXCgrijyo0CtHyQTqLTzt633xLQZj1IwLP/a6XAV+lKnh0zBRk2sd+cN+aL52\nN0nskEdf2WI5oeaCsd8nXKrIUIuL1fIEQ/HLpGh6HxqVGzljgbjWFm3CQlnRTtuk\nU8kDNcEIuWvu7kv8iB8xclpUoLQYWXy9hLq88+T2yXkRfDh+/nXjQVEo50hkuF6e\nwaDJNdx4Ab43gptWpHE3VdD7TnOQHjE
fchryyaVywcKx4Q0a7UpqYKwZYEiaHmlY\n6RGSUBXW/Jjrqs4gE/RYWovTRdVCp81lQk5zcAj+Czi4i+rGWQtGGatc1PRuh8rq\nSWlYqtmh+HVek6Ci1VMXuvhTesJtzLnKiR8Aqq7Tua7qqXGatIUfSFBmbTiS+lGQ\n2dGZvReRCShP8zUCyEGE8tNYwhijVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTRh6DlM63K\ngb8RRLQbUFjoLem5BjALBglghkgBZQMEAwIDSAAwRQIgY59xlRfslfM+hqAutebp\nsHI3HS4iANS9O3Rbi4lVbnwCIQCsp4eD7XQKtYTPTPxnL5gXKQAHiDe5HaxfI0sZ\nnHTAOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGATCCBaegAwIBAgIULHTp5dMXqWNi3WfNcfyCAccjmx0wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDYVuUqP8sFBjTf9/Tc92O6VKj10owdPor3368J\n9dRNfeigZHK6ihJfTkawhM2i+UcrrHFNKjAydLK0Uxp2jUu+CRnmNRiArW3bt1kd\nr7wHmuylSlBGay9V3bxyC8r9WbhphFe2vFniuGWE9z6diDR8lTt0IO1tRv/q3P/Y\nWM/eU6Gj1lWHVBQ0BXxX5mbOVyXS2MpP1jrEx7toKjwkcrILNHW0A9tOXmHNnpDw\nmSXuGL5NZPTcc4fXmtmgUTmF4rzWW2bR7Hi18yCRK7E0lSlYR5O9K1WZPHDbX7pl\nUmPRDO7LHNXJuI69dAcTMQhjWB8yOnZfxVb/+v+HCegH1/wdUHP8YEVW9WKZPbAs\nC7QV9rqXPCUIX87p2uHjfz5VOh+XKz/kkZlEGevADB4PW0vsOmQmvUJ3MLSn1A9L\nBpsWBMkbNjLrJ1hr3anlTvPg+PavEi+pkVHvtGmOjdx94INCMTXVVJEakNpGvUYW\nAR/oPT4RtBUeMM6MIgl98lm8KNcCIQCrsYzsPRg50O+8cGTv/A/QHWj/Qzwwq3tT\nh7kZPA1qRwKCAYEAhpdK98B3kZNXgDpq81GBf7iNeXmVObE+TnDujtBpP6gMPcU+\nxVmW/Vr18mR0yOjcsOSe94auzg/VB4/d+wFmXOffqNKUt+61C+cMBp4RZCrWT9L5\nskLq6kj9OPGIaSvRC9hZUemm3p3TBzEUFV6BxIquPxXKhskXnBOQ8LaeHK1/czx4\nXJgYlqmdDjKxPZEroQI5nuYM7qF1rejH61xvUkfvbFt+XQacu7qqdLHORnBAnxgu\nNU0U0p60HE1x2RZN6QzfyihPyfQ/OE8i+bawir4llyZPGHo2Rf68aifzfmJLmRlc\n8a+AjMHbA7/Jk7BZ7JMi1xbot8v27PqlvgDCFLe/LXaBZnlbjLrBHwMJ9KH53jkD\nUR07iWR50r0bZmyBqNGQIYwOm+NXY26xahjDv4QtcxfvBXnfI9wmqrKLztJEmSPB\nFvAJNyL5RxPSZvMAbB07b9W/bxidrlYdJMbTRr2rClKd3GxRCQ41lDSRxUspKWlo\n/5K95S7BP9n4H/OPA4IBhgACggGBAKoB2ogV9rGqxS0XHBSoFQtw2rJwZLXMIYUJ\nXItBokeJU7IdP/1zTQ2XNPmwH49UTrM5c9Rx/KNusPqXwMSy6NjIQpmGgAr9z5MN\n5Hod4RZS1/5lElCTPYeMLGO+Ku4QI3/bto0zGBhTW6IVIj
tjXAeZ+YkcPZ7sPkl0\nxigm+scfJ5N14UEuv+eLlKIoZBIpduIZLJBuggKlBau+f2E8aGsLSdym2uAMt4Hn\n2wGl+FsegPI7zqN5SsNucwN9wn4hFJrP8atedDQgXSh24Y8pbeurgDwpKHjlCTJN\nUMIcXZc7/6J8/N2zXnQQLv6L2+17a1DEecEyD0kO3lgUiQ1MN7V7vbzAJbTox/Ys\n8Gb7zfmaplDiX5JHq5UZGYUibcjaP1grDU72YBHUjgfnVgrTyeqhiGAV3grE7P18\ngGmEy0bncdq5f04OKLc6VJ6Zt8foFgBJxmY9Rkksuv9vZ+HSkL3tTFFQS2caNolI\nVvpqLoGMwUhr7PLvkiSNJFZQ2DNJ1aNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFGdISpVq\n9ZwP0pr8YGa1SirhzbcUMAsGCWCGSAFlAwQDAgNHADBEAiBKvxeOdv+SZSh96vHT\nIrvcOoSvQ9A+fE9iYZQBmqA9JgIgZ9UlDkDLzD3IGeXGYrcDC8vV4ACboqRVqK55\nE9apOMY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIULouCU7yJwyCTSsFhdJAKaGDNNYwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQOHcOC0PFi9ryVfGYY1m7CkQnAfP9w6ukm29j81Udz\nT/Lt4umNROvTuxHINEPpsnxwiQ2vG58wTDcgd7IhnCQAo4GIMIGFMB0GA1UdDgQW\nBBRCBsU83d/JnbqdYUOGEQIIgox5pzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNGH\noOUzrcqBvxFEtBtQWOgt6bkGMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIg\necuy2ShvuUIc6QBMABq0Qwr/LHCS8AMoqYdLtPWCpPACIFNsSzHYGUGaP33WVR0z\n7DxE+qybA2h03t0oU113G+Dh\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUDrk2a13NBIGYhUcwS2A6gtqH9YowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAR5UcAMp1UPbKO97fMG57CWJMt6VR02d04kcPw0z8he\nvjRgTYHpRKob1lY4WYxTbe7fTDiIzNlBB0t4jfHqK/IEo4GIMIGFMB0GA1UdDgQW\nBBS3uASjf/qEGSK4jG7S6COvutpNHDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFGdI\nSpVq9ZwP0pr8YGa1SirhzbcUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIg\narpV0Z+le6yVDNCMDW7a/zBDAi7Z+3bibZ9AjNpTC+MCIFsPBJKeWCK4N49XgEQn\nTX3erGCwI1JuotmjY5cD2xxU\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZgf5SZ9B1PKmIvHpCpCVSRr0Z2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQy7MTX/DpEjZhUt3u5+u/v3nLdQBTVWPBfjxS\nZ+JbbK+smlKSofOugFFfcbirljZxhZrInO/fsBkx6Nle3A6Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC6HQompkDaD6iM7i7gTtOb1+SMMwCgYIKoZIzj0EAwIDSAAwRQIh\nAK4S4Cau3MUiEcDydHgPJwspSSIK+hpoOdqK14MEoubtAiACAbH08cAUoYMtKJb4\nAGy2y10Tedm+PK1al31hziDsUg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdLbDdvRMGajkgzdgi2j+jrTVW5kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy5RGItk0QXlf2IvCwQU6dO62JBb6gCLwvm5IP\nqI3yWwYnGEqe+eWbrFwKWxX/fyvx/SGIV3RzFvHF8akL6WOyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPh6acR36yJDdkp+zNnVq0aqumwwwCgYIKoZIzj0EAwIDSAAwRQIg\nVD8hyKFdpSPnzLHNpH6A9CMfbBwUxIqIYIJDJLf1JuYCIQCTncQObz8TlW/ZL4lg\nIu5sguCx9MEVmOFKAuRUfzYBMg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLDCCBdOgAwIBAgIUH3HHgwAy5jRmI0ntHns+7kB3bHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA4Z773wHnLbE41X4RDKWKVfRimP7EtAnXedH+bIlnuV+B\nFJNPkmAyWmVg0Bk8THS8efPRoaKeYCZP45pwsfE3XNc87W677u8B4ZWYAJs/21Jr\nqXzZpCP/dTHtJZonVd4yFL/l8rzi1zSMnFZ+loStWNUWspV+EW4P1LzU9BE+yN1G\nT3UQhxqDsR2/IqEgy9lQdfmI4kAoQP4rIu0a0bEM/drTbVZSvH7k7Wf77xJS3NEt\nD3A2DQnYzXNgtvs5yhG357I+OrP1Z9nmTo+wIBX8Fqnd7qnEMH5prMqI93KCb5WF\nnubjFvupziUHRo1vgNt8xM9AB+xL0bQ0IaScUScVot4U6liK6x71bHSvXK7Vl6u4\nzAUtVNnl4kk8GSxaLNYbz7AouLevhIbQs+d4SfstUhDU29/3n92Sdkiwz/el0nzX\nVeuFkEDyLyP5D0aqkaRrEruSNyL0JDyzgPX2O6Mww++XBPg5Lurwm8BMRrYB7NqH\nRuptAcyI7aDKj1aUiUUnAiEAnX6qn1/z8vvXzW+Beh9+lGeRF/eBL/MHtdZh8DYX\nwycCggGAUSGlOpvGyrsjtL5HJ3NmobJ5rDQDntNQMFn9RFsEjnCQ/IgzxNTbZfVJ\nf9H4MP8YbtPp0F3V05rgScMLxEuU5xM+T+eiWkIGPPGdaZ98UKhIcLR61gzuqjls\nDSjVSthETFghY6iewR/XNi5n9oYP43jIno0mS+5hzAXQawbIbzmcyhNcnDg4vjYO\nN/4vzhBefEN4A0N0wbYayFW68LYl20VYeeifZk2HKZlyzYSvesrjMYp6T0Ndjq8t\nBtLXdJS+QLTc8Ouz86Djw61qmb0cKcV/iW7waCzcxE1vK5uiqL/S2Mqx9OPMCgKx\njpiiihnMQXrmu82KvHjRH1VcwWAmFpnGlGXvBeupbSrfMosGfGHAgAZBO8AxBfyr\nW8Gg7FYUo8XKBzYYU9rC6FSY7Oa4mIkqjRaEWmnoZFm2eJCMedQWbGuSDKPAdv6a\nkYyguaFdmOi8Na7oRYodUyMqgAH0mYF4kVt/3u/w1C1GH+/gCOgNls8AWi78Mhx2\nkBe4RecEA4IBhgACggGBAMlLkYkAlbXTlbhFN17Ue+LUHShnpMuL+z7R/hI32g+t\n/rqmveoXoAB564mXqn/sPA6wQFe+fK+4kUw/aGkI1JH9fw22eg85q7Xm+7gKjE1u\nW3nHV/GD0SE7dYA0r7U4VllM/nenDS5XIlVBYBz8RzjbWcMhqcXosDy0/XBF+VPu\nBhEHXj+fGODruX/+AGcZhscu4pBUg9bjSguYk8TIegf79XrWdrTG5ELzogrWdzr/\n32WYX0DoNM5XLvKNz4CSMspBiOUP0DlE6s++46J55fqaI+ppOuXdivD4bMSmx2bl\nhcA7zReftpCt282/yvR2Q+8xCLtAyy9jluyAB1sUPRzsB2JPtuV1TfUFaTmUX1rd\n7+741FBAe36S2d9eFFzEdcXPM+c+suceBg8qQ7QVVW6P66IJfD2vyR1TDfJRv5Gv\n6P1js00rzVhpgM4Inq7tY/wKNu20zqaA31FsOAPa5lDZpqbzvZ6py+U9T35mr2tL\nX1qecqyws9czOL58z012VqOBiDCBhTAdBgNVHQ4EFgQUnNCmDXqpXoPCR7Ts/9F3\nWOxtrcwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQLodCiamQNoPqIzuLuBO05vX5I\nwz
ALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgCj/uGdjOBvwveu2G2GqbDRHg\nvcqkf+LFaZhoOWeYoKQCIE/tmFFolCvikpS44gbSNkdUfOrz/hHtopB79eSXpuZn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUJB2KCdY0s1cEC4XF8v4GSMVOHu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAqj/GjYjx6rrXPPZDM+PZlYJaFb/aQzC6AapYnSD+h5kj\nE6/hmcHGMGQznyY3k2Lrg01jWxC4UGOvdJjdJBPigzUqEPiJPobt/m+Va7k9l5+h\nB+EqkTi0ehX6A+2WOPemJn+BNUctXc3mr/7XDS4ExgKoA47Rj/dPXrHnNSiRu5bF\ndqLVkmVA8XmOoTPy6oEE5VyCZda00vH9mMWCL+RpilE2pCiVvzuIXPh0/SHZjxKd\n3SLaU+NZ0HvgWbqstMZn65drkvmx2VZSoXowuY+mREx0LhjWEseI/njuRzo8jQv6\nn6qLwOulroJsTx1IHTkPyC6NAZzzwkfLZzDc+6J7xogZlHkT9A3wZ6JFsSsGywji\n8HkEJYNL9YsiIxeBzuU2HlObY5VIwkxh5AzfyFlGG/azVkJoU4iFx1l1GS/sPSM4\nmTtZzYNRq0HtiOq7jl82cOkmlU6AAJbN0Sg1Vt/kP5hKveJIgdADV771AYsMbdD/\n8oUUeCC/kyV70e2zF+w1AiEArU+19dtbyxyoOo8cBBbgIs6g8q8B/RsWlIBNno/b\nNIMCggGAKQmns1X2pVpb7jdYVn9rIaNSpXN1zcvwL2aLSyRjdiyYJtUBQ9kCmtS9\nW4E0qy7WNrVeoDmF1DQUgY04zYindvgWc3p9TwhpU1DAXfFjy0NL/MekbaC5NU9v\nyrfrOSqBUim/Z83VfMr3L5hySKXqQctr0jmvr5Ih9hWbmNEQ+3Xzl0atyS8Bf1aa\niz7kEeNgOdULnYY3T4q2EOR5I10640RGEzIYAI8kNes8xJ1mBtVPCai5piAacekT\npvdLgcHC3Lim84KLnAfsWzijUNxlf59YJzXEDa5VGu8lN+fKDR8OTyIzzK1iaucr\no6LTaR5d6MqGK7VKAZzT1bdvWM2eJuxs9ZbIlvzQRjX0xDM+ZDODau+J2eChvhAG\nVJ6cJYiKrJKFhQ7qwDRfgSmGCkY8Z8UHpPKmMKgzkhySxhRfPnb2dl7TOx8j2R9F\nJjbaRkApZu4+1BP6i2ogVLkXd5uWQqWFWzajW2fuf6d+BKFN5M3rDCv3kLlbY/Xc\nu2PqLCewA4IBhgACggGBAIC2YMVD+Ln1xinTK4a0GbMys5lp5tm2B80fMraPaJ0j\nQeE7tQeh9Weu9r+/7TN0FCOek5Oij9IM6eXtAFj4J2Q2MJHQwyUbmXD4p1mv5mPj\n/kQk9VseFXPOwFPE/V8AY8U+ZTlRtsWt6c0b+PcvEJ2JGBDzSvZyyVz5fRtH945j\ng6V2SizzxtyGo2oBWJjZZh/aiuJlgBpGE/LGYJ3foXSYGtfcX1rGPz+eX5iJjKx5\nEJDfwJl+YoX7jsvHnzsIyOEfOA/aPZ1c685xahqhDUAG6J3mH1vQH8PZasBkJYyX\n3DOZwkZx1l8qs3EyhZs9YpDyPa9/22q8drxlkBs8IUucy+Kad+iqR22aSflovaAQ\n5tZULt
2uQSKcr8H8qXK2LDANTUMNsxk9cEFrAls3RiMszfre6ACGJkE0BkDFzCVj\n5z3vlztJzAI3SWKy1XD2RWS0whh4OyZej/IPLfeHQHEekN9WWrnYnWmfFsUYX/Fq\ntXUgD5eU5ozbtmpY6Iw69aOBiDCBhTAdBgNVHQ4EFgQUAiI4tez5HA+LM9ZagKYS\nQaXVDpEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ+HppxHfrIkN2Sn7M2dWrRqq6b\nDDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN9RM2SpWTTMJh+dQ36cYh1R\n9q+wXC2Ibtdleu/GZqSwAiBs0hv/d4GPox0Zf3NARmgaB5xrLrqnCQvv0T8/FNca\nQA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUJqZZgSchCKeaQAJP/JjBQYRgeXswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEz83ylCx1SOqvtrFqeQSE9WowRRz4aoq2Xjkh\nX1v8cKca5r7f3Wn76v4djUw258x0GKOh5HwEUPm0+RzP3uRko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPJvFR/LTTjLboFEU10NN1tC1mk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAK+kb0Nr/a7LsN+z/+wo8y2Mb+FjXdVgAKyLR2aJSANsAiEA4pzTQlmd/BfjVJv3\nO7P0G0WyHD6uvhbaTLv8cb1PXqs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUA61Sp6H5GsrFNWCr3U4fhAkJIy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARerKl5Frl5bCvJd2JYWsyef3XKBf3kUEFc+amS\n+pR8UnnVryxQ2EdEbnhIfo6DvKNs9hdXAkKdIFxhNwGxcaVLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXK8+LaaD/LLlqULLHR61zwp5wzQwCgYIKoZIzj0EAwIDRwAwRAIg\nQuR+p3mivjbP9hqbFtLnl4d5bXh/BrLB554wszhjMFACIBgkqUGy/Z1FGkiGBOoA\ndDuDJNCpdYGCpO1a5xAeaEYX\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUFKqCpFXGsfQeyaN2fi0CB2TSJSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGnjaePhJhFKiZ7IKFIwjoMInO86pH4NNIvojJSIHyL+\nHHKemq8+S/+fqkwA/CAsPcmObZJN+/OzMn8B1mD5Cj+jbzBtMB0GA1UdDgQWBBRa\n1hQykfRLai/whtHkb0GNoULJ3TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDybxUfy\n004y26BRFNdDTdbQtZpPMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiAU03Phh6XZq3QvJmqtbgwld/iZLa5GLlTalxFM\nvNG15AIhAOmAc6ZfqA5qi4rYThRBGsli5riSwlmT0Q+NQbL1eov/\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDssZlEjicSXXX/ZAClmq2v5aWt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOY1FzJUet2A7tyny3Wg+FnSWzM5/+BZkRWNKu95SgOl\nhm3JYwMcqIETdKykxh3DxRZ0ARJFvch/oHwwA+zsJo2jbzBtMB0GA1UdDgQWBBRT\n+lGDrkUywD49JENDqqPmVf3vxzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFFyvPi2m\ng/yy5alCyx0etc8KecM0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiBoOWnlFnfNxI/EJHUMdBT7Ps5LKt/gZ20oC94X\n9u08/wIhAI1BwCqctBxlrhDfZRYjsafN6X5EQU8dPtQW2qutvH2E\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1776,10 +1797,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZKWVSeNah7IeZoksECb1XYX8S18wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIW5Ri4HB4+IwtCvNNPIhqjJf+wLD/CRtxoolR\n+psH/DV7xXCpDtszCfAcblKiFk+0TpqiFyIiWzlrsrWnTafRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpWfHwURTYLmpB1lRxzNOKhjmXgMwCgYIKoZIzj0EAwIDSQAwRgIh\nAJ6Y/+SPO5iWOSGAezBuW/Z+d880Sc1msLyyCp/SHYQfAiEA3vUzJJTZ5+jt2lEE\no1y8VDvC0HBOAWKAzuwWNeDQCA4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNG8WV9JgRdOWkt5B/zMaSf97MVQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPnfZ3KdhJ6m5fgDcyMiAiZtRJBeKanG5bhDZQ\nMus8gkgAk9s/uI+1njjkROAFv1Okr2AnPJH/T7mq3eGd2zvfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU05TAGnpFQleITST6dT/XFV39BSowCgYIKoZIzj0EAwIDSAAwRQIh\nAME1ddNjCRR0mduDUnFT6AOkAh9gxQA+keInJWRAQnriAiBE1XhbESjPcXYX3qMp\noKo31VQaUuAjNnhvwH25Wb/uOg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLDCB0wIURPPAPL8LOoUpY8F6ok4IhQbNKc0wCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABAcexNuVn9ZNc/gFgPAIudTLnPic3H64uGUTs0AXo/5k8vnMOlcC\n0bUikNQlQ3I/YfJbCVL2RhWADWoByBB9f9kwCgYIKoZIzj0EAwIDSAAwRQIhAJDR\nJ9Y543mXuRQR1hwIsTLn6dfJhySTyJd54Hxx5/XxAiBUauxnxdT+bEQqkido/xEY\n+mE7eoathtqzYC5CXCMIiA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIUcg/yw09+Ki+o2GF0KpW4ByREcoMwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABK34kQ5GM8Mxv3hfCp4Az3S6sOxg/2PsSTNFERE7DaMpPZzNS0Xt\n+Z5ixE+7de3bivJhITX8D8HjiB8Uj8qge8swCgYIKoZIzj0EAwIDSAAwRQIhANd9\nrJjPqc47Zy+bkxlooUqczu96DACnF6i9U/JjkJV6AiA/ZFqXC7V/aC22gJDx7jFG\n8+nXLUl3NkWMk9qTPLReWg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUU9aKithEhH/WR2TIK/u70JVWybowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGG78EsW4XOlo9LvXWwjkqs3sz1V3bEcPBMdow\nV7dpZuYYusK6KhnoiLj5oLtwrtC5GEila2Xk287VOmEPrd9Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUY+uinHZXmY7r8yNVZGwzLWQ72j0wCgYIKoZIzj0EAwIDSAAwRQIh\nAL2Iy5Li598+yX1SFw/sHuWCsPxcO/xGolSgqBpln9VZAiAc5fTGwbKfxD5z57Y/\nLfXLmHVn/oHx3T/UMpkFNE9hQw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKicwc8JDBlCxk6tLjyDypmRtVzswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT39h7u9EaiDwICrOeSKpqYsp0WT1Y++KpLCPfV\nlFGko1scQgfZKVcz3cIlE7FltNdFRslGVYmyCFk9N8vV87Vso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS6fMR9AzVXBUVCliIPfzNrYMlAkwCgYIKoZIzj0EAwIDSAAwRQIg\nDUzqMhGxPt0HRcLy5lXKxgaeG6zRaBYTKyYXX0X98MoCIQC7jxNdDhn5nZMMqsUB\n1OkxLMbAVDVVOQOPiWscC9/Y5Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUXqhNpFS2CRZuscpWvArfFYrxDUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKAlVTmuWUAQ+rqa45FsTu1MQZBHs4o6LuQ1u0RiYiMI\nzChBjsrOdhQSuTKDzwoQYtyyO2TH8gku9TTqKlaSWayjgY4wgYswHQYDVR0OBBYE\nFDAFBrbGxvAZOj2fwDZRk9Owde29MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUY+ui\nnHZXmY7r8yNVZGwzLWQ72j0wCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIB9Dd0wh1vt5O9jDZ3ElDH8z9tZpoHjc1plEbD0Gc7vnAiEAh1XT+Acc8TN0\n5WQnHa/pqsTl65egTYNgFTliS8jgWf0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUJu+LCj4aFTR1/uo3CMXu1iIBuCowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAJ4D8l95zeXuM7BnZMl+vytIhDLf2SJHLWuVl6eUreg\nHJRgBmwU2/PJ/yxqLWL3B0tv2+b94F4xV+uKKnm0JROjgY4wgYswHQYDVR0OBBYE\nFNLhC22smvcIc/RI9BHWpEUMmMIGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUS6fM\nR9AzVXBUVCliIPfzNrYMlAkwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDqL0eyvajjZJZZglACZkJkJxB+XAjG3c2b7N9uHaUWDAIgVjzPeZqtEkEc\nBt3EpNEiJi7s1Jq5TtMcFFAzeQSmKCQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From a1636766ed24d2c8fd876b2963c864138623fb03 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 11:06:18 -0400 Subject: [PATCH 044/155] validation: refactor depth checks This should be easier to get coverage for. Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 51 +++++++++++-------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 5601dba8c309..867204488bae 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs
@@ -452,14 +452,20 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) {
 let key_usage: KeyUsage<'_> = key_usage.value()?;
 if key_usage.key_cert_sign() {
- return self.permits_ca(leaf);
+ // NOTE: Pass in a current depth of 1 here, since we're
+ // checking a CA in the leaf position.
+ return self.permits_ca(leaf, 1);
 }
 }
 self.permits_ee(leaf)
 }
 /// Checks whether the given CA certificate is compatible with this policy.
- pub(crate) fn permits_ca(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> {
+ pub(crate) fn permits_ca(
+ &self,
+ cert: &Certificate<'_>,
+ current_depth: u8,
+ ) -> Result<(), PolicyError> {
 self.permits_basic(cert)?;
 // 5280 4.1.2.6: Subject
@@ -469,6 +475,25 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 // meaning that an CA with an empty subject cannot occur in a built chain.
 let extensions = cert.extensions()?;
+
+ // NOTE: This conceptually belongs in `valid_issuer`, but is easier
+ // to test here.
+ if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) {
+ let bc: BasicConstraints = bc
+ .value()
+ .map_err(|_| PolicyError::Other("issuer has malformed basicConstraints"))?;
+
+ // NOTE: `current_depth` starts at 1, indicating the EE cert in the chain.
+ // Path length constraints only concern the intermediate portion of a chain,
+ // so we have to adjust by 1.
+ if bc
+ .path_length
+ .map_or(false, |len| (current_depth as u64) - 1 > len)
+ {
+ return Err(PolicyError::Other("path length constraint violated"));
+ }
+ }
+
 for ext_policy in self.ca_extension_policies.iter() {
 ext_policy.permits(self, cert, &extensions)?;
 }
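Review bot: The doc comment above `permits_ca` is left as "Checks whether the given CA certificate is compatible with this policy" even though the new signature takes `current_depth`, so the meaning and base of that argument are undocumented at the API boundary. The only hints are the inline NOTE at the call site and the literal `1` in `self.permits_ca(leaf, 1)`. I would extend the doc comment with a line such as `/// current_depth is the 1-based position of cert in the chain being validated; 1 is the leaf position.` and mention that the certificate's path length constraint is checked against it (that check is added in the next hunk). The function containing the `permits_ca(leaf, 1)` call starts outside this hunk, and the body of `permits_ca` continues past it.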
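Review bot: The subtraction in `(current_depth as u64) - 1 > len` underflows when `current_depth` is 0, which panics where overflow checks are enabled and otherwise wraps to a huge value that is reported as a path length violation. The "starts at 1" invariant is stated only in the NOTE above it, and now that `permits_ca` receives the depth from each caller nothing in the function enforces it; no caller visible here passes 0, so this is hardening rather than a known bad path. Making the arithmetic total and failing closed avoids both outcomes: `.map_or(false, |len| u64::from(current_depth).checked_sub(1).map_or(true, |used| used > len))`. Separately, the error text "issuer has malformed basicConstraints" is now also reachable from the leaf path, where the certificate is not acting as an issuer. `permits_ca` starts in the previous hunk and continues past this one.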
@@ -504,26 +529,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { child: &Certificate<'_>, current_depth: u8, ) -> Result { - // The issuer needs to be a valid CA. - self.permits_ca(issuer)?; - - let issuer_extensions = issuer.extensions()?; - - if let Some(bc) = issuer_extensions.get_extension(&BASIC_CONSTRAINTS_OID) { - let bc: BasicConstraints = bc - .value() - .map_err(|_| PolicyError::Other("issuer has malformed basicConstraints"))?; - - // NOTE: `current_depth` starts at 1, indicating the EE cert in the chain. - // Path length constraints only concern the intermediate portion of a chain, - // so we have to adjust by 1. - if bc - .path_length - .map_or(false, |len| (current_depth as u64) - 1 > len) - { - return Err(PolicyError::Other("path length constraint violated")); - } - } + // The issuer needs to be a valid CA at the current depth. + self.permits_ca(issuer, current_depth)?; let pk = self .ops From b0d8477487e2997ab048371770025ac2f1a4df98 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 11:17:54 -0400 Subject: [PATCH 045/155] mod: comment Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 867204488bae..e4ecf0252e88 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -477,7 +477,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { let extensions = cert.extensions()?; // NOTE: This conceptually belongs in `valid_issuer`, but is easier - // to test here. + // to test here. It's also conceptually an extension policy, but + // requires a bit of extra external state (`current_depth`) that isn't + // presently convenient to push into that layer. if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { let bc: BasicConstraints = bc .value() From a4f4ea93397d7c1c5c1766117e275b416affc821 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 11:18:00 -0400 Subject: [PATCH 046/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 397 ++++++++++--------- 1 file changed, 210 insertions(+), 187 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 00d7a3cd7737..1edab78559b5 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMrk20EZo25kL+PnUMnqiGXhKTRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVzmavpXOkutvpwwe7BcfuDFqaKTQZcHXRQub6\nd2VIXrK3KwAJHjvIDx6FOEmV1Tmuk3oHY0+gb7yKcKnf4z5fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYVKjjJOx+Pz15U5lH7Gy6ucR+6kwCgYIKoZIzj0EAwIDSAAwRQIh\nAKL6H9Ue+LDIKce+z8MT0zbjKszH24dI4u3/vymXj06RAiBPw9j34SsLxrv9LDnQ\nLIKg7VUWEy1wAWd0VLAXQI8R7Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfHELRsdvGVPB4JJxkiQyJP2m2jowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqUJlRk+RNSKM8nR8DqCbTCzsh8jkH92Fh/XjG\nKoLZr7Irqw1EDJWU7kA/f4GvgjG1PgzTyDNc2vyeWBmC0spDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZBjQ7uQuuLk757PaHRu/rC0dPqAwCgYIKoZIzj0EAwIDRwAwRAIg\nbbUSn8xAdTAb33OL/PWDKXrnXAOxM83Gk3XjDspJ1z4CIFBPuuWqhjpanguiRwtm\nI8Gjpyx+9h2YNreXgl8Rcfd2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeWl0LDqwWmzY7K7uBW0yihSHyRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODk1Nzk5NTEzMzg2ODMxODg2NTI5\nMDk3NDU5MTI2MzEyMTg2NjM1MzE4OTE5OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBI9FzWIBXA+5DGMC2kHwdU6WGtgah0YbmvIjFj7drvsL3h9BwD2wPTOiECQOfteB\nTZR4DITQGEpBYOl3HIAR8qmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGFSo4yT\nsfj89eVOZR+xsurnEfupMB0GA1UdDgQWBBQeDOtPd4ncVGlhSR/TjxeNl6FHwjAK\nBggqhkjOPQQDAgNIADBFAiAgtzphKjEdpjOR4Yt98NE9nM9NlUXa5owhfDHcXFZH\nrAIhAIWJSX0lAdQ2S7MmzGFzb7E6sJfSZY/PEbnaqIdF+YnF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZnbbFi1e4G8fxlIZ3HTdmqieuF4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTA0MzU4MjIxMDk1OTQyMjUwNTY5\nODQyMzQ3MDA4MzM0NjEwNzIzOTA3MDc3NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAFG7RkDmO5RguHg75B9S2JrUBWH4w8st86GRcHPc6waEOQh9hFRY85e5TzbsCez\nOwJBupYNO+NDN01ppdqGdQ+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGQY0O7k\nLri5O+ez2h0bv6wtHT6gMB0GA1UdDgQWBBQEq576lClyPiGOYaIIqbG128h/tjAK\nBggqhkjOPQQDAgNHADBEAiAXZ8Hu/ipo6+1gJNORHlVRsyz9Y/29w+ybL0qMVSNp\njQIgXQwvYAtkNL/q0jUBQ77IvqDlX7P6igld5NM2xzLggaE=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUe2B949acL6ETjfjcpKGxQrgs5ScwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg5NTc5OTUxMzM4NjgzMTg4NjUyOTA5NzQ1OTEyNjMxMjE4\nNjYzNTMxODkxOTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8/o1\n6pmpaveXCQq9N+Fr3x5noM2OWD/52MjlDRc4mZFroT+8LP/F4k6fdeL6/Ia3sNgG\nNW3hzo3/SP6Zrt2ZkKOBiDCBhTAdBgNVHQ4EFgQUxNybAzBlGl9yjhxIJy/f+m9I\nlVMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQeDOtPd4ncVGlhSR/TjxeNl6FHwjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQMHPR1vQWfMQraonWD3bQKxTfD6V\nIj/IUFZpDhv5yigCIEa/tokrC9tdkuT7O02Xhk10h5tboS06QpA6ZAD+lSeK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUL1uyRHovSZ1TnWuZ2csnLWiL/I0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEwNDM1ODIyMTA5NTk0MjI1MDU2OTg0MjM0NzAwODMzNDYx\nMDcyMzkwNzA3NzcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhY+Q\n8bovrbAbliatywCLwqEZBG/TGLKvd40akNTnGjGPvmd8sPkA2gmF0zZ8QXqddPw8\nRKPTjDU6H2OpDXQzGaOBiDCBhTAdBgNVHQ4EFgQUQgySwbBk4QpoWE5T+vxRALeE\nF+gwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQEq576lClyPiGOYaIIqbG128h/tjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMcsTnBNNqWm0+bYd/2rzx0xDiul\nf2dHLSF8u3rBko77AiEA8z3nTTdoTXXVE12mtucFXLRpXgITAgvpt7B89fK+dJ8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURSMDjrQDIOJWzpL8SqN1U+Qm7UwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBTu9C1Cj2qj5uX3pAQq5vQwjzEeTkXPleES+f\nxKK2iGCzzPKk43e2RJh8zPakJR5i22Ogn0xgaUISGaJKiilyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxE97N9a5wp1e0EsxKB1HVGvVVEgwCgYIKoZIzj0EAwIDSQAwRgIh\nAJC2fCDZDmrtvetYUKTKxgq84SbMaybbkSFedEzcFkIMAiEAttW3s9sdxam515bu\nU+cMNrRWyLsfprFZFgpeqjU1XqY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNzHkSNPfNuDCdO3Rvi8ugBXOiCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6exB8mbH5qBNKAyAEiZDwESzJ8EyBYDJpxvLV\nXEHPrEcC+Cpn/Pa4H3ViGmSMlg4/rG34h6tyGmzgrlHGOmlIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFaY0k399JhxaL17kPGj6zNqOdrkwCgYIKoZIzj0EAwIDSAAwRQIh\nAKggACBKK2LP5Tu6TQL5lH8lpa9JIHUwIJ50CcXdP0NdAiBXEnBU3FUSWuEPanU5\nZabUSMwiITC/tpI16HWV+cYbBA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb8mu9hMgxcbWR2/df86jvd1VrKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTQ3MDExOTkxNjUwMjQ2ODAxMzc0\nNDAzNzk3NDQyMDE0MDQ0NDIzNTMyNjU5OTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNj7RynJOqRotciv7qOe8yS8YjE06EDsjfTfLZV2zL87o18GgifTzWXtl91MnwlS\n2sc8YEEc8UvD0k0lFMena5GjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMRPezfW\nucKdXtBLMSgdR1Rr1VRIMB0GA1UdDgQWBBRF/GdKLSrvo5M1S7BFZuOmv702kzAK\nBggqhkjOPQQDAgNIADBFAiBuM00AdSkS5nr9FsGe8aqNPmQIeUXVgIqAOJl5v98U\nxAIhANPc58h1csN7qC1uaaLe2vyfNpe1wYF5Ctp7WhQgiHNU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbfmpUSFEcUKkzvmX1tUhTy94E8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMTUxMDcxMTUyOTMxODgxMzYzNzgw\nNDE5Mjk1ODU5MzM1MzE5MDUxMTE1MjU0MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKoxzeEie3WKL8GzQPIfu6lboasuARiwLV0miW7igolEuZjnYVKuMnrlh7UHj09t\noVYE2IsJxpDH/HzgiFy9e5ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBWmNJN/\nfSYcWi9e5Dxo+szajna5MB0GA1UdDgQWBBSF1dVATQaSdVOTH7N6N0wCzBYONzAK\nBggqhkjOPQQDAgNIADBFAiEApYHRnSqZE2eprrrfZ24pc9eZTDssT8VErGZO6AKY\na6ECIH6NyX0oE2rde8tBk+RT+ViLZQFQWNdXr0JiolwvwLK6\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUa68ATvW23MTC1lhhlqsFeUhxPlwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk0NzAxMTk5MTY1MDI0NjgwMTM3NDQwMzc5NzQ0MjAxNDA0\nNDQyMzUzMjY1OTk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDyHq\nfVKKbjxf+dUxI1NM6pGou/45PFNWot42QsW65vZhFSBXFdI9qU6wTIqEpFxmx4Wl\nXGEvE67Sztx1XitbkaOBiDCBhTAdBgNVHQ4EFgQU1pNYsNxxJRJ8nbSyReujbi6D\nYuowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRF/GdKLSrvo5M1S7BFZuOmv702kzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJz3yCkVPRzlaP4eBVuZ68LLzi0i\n3PmXYg90YUAWMY62AiBrQiQrr00p9TDIDcZ+0tT6uISS0NKFpOCDudk1XKd2hQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUJ4uGSbY9lfJSqJ7E74mYKJYeZhQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE1MTA3MTE1MjkzMTg4MTM2Mzc4MDQxOTI5NTg1OTMzNTMx\nOTA1MTExNTI1NDE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETHhY\nBaQ4rpFOI0nnWOMbWFG0BAAr/4fw24dwwd4I+Uz4/nmHGNEoUYRDf3ya1vA7uuN8\nBpeQRv+ElKcgxW8NoaOBiDCBhTAdBgNVHQ4EFgQUkMkA58QmiTGdRGmaV/4IN92o\nGXAwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSF1dVATQaSdVOTH7N6N0wCzBYONzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQECbFxInSCFBrZevjMG00D5SaGE4\nyuhFXieaIyWKHRECIEclJ6LV/I7miYVcIEKa9DqK/PS0a54xwo/jD0CjVS1w\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbvZPuw4/mOEZi5fCyneR8DC+moUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFFNj2JtszZMNXWdWGfq/Ccn3FzLTJoR7pRmaG\nXl1VxhmB2qOcE535ZALidnnS6z9tcfRrdKkvgEqQQYZof69eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7D6rqPvBt5rxsdJYtp3mKII9HgwCgYIKoZIzj0EAwIDSAAwRQIh\nAKxgFT3GIey3lGWWQcAU2Ds58Yis47no4K2JUOYCVokSAiBCSgaduX9mSuPGkn2h\nnyRkUYKstf+R/uTNNIiGBgSpSQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPB//3A4RblWIf6r7JKO5MZmcpQYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoqA+C0b6QO00I0aRWY/fMKTIf2wZTA/9QD1HV\nwLclEylkPlp+bi3GB865wWmnfjeAE0lFNNpYU/dbqioWBetJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoHwt2yntom94rv5xfahxoiF7r20wCgYIKoZIzj0EAwIDSAAwRQIh\nAJ+t+7rpJ+EflU0wv56LEwDYWyMBtN0mDUFbMqeuLzDKAiAQFld3eRzuPM2qzlj1\nmuADMErgpuPH2/tu/y0eRVJotg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUed7059bEGwcI6L4/mbW/NqyPjPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzM0ODE5MTM2MzE3OTE1MTE2Mzcw\nMjAwODM5MjE2NDkzNzkxNzAyNjM2NjkzODExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCRDEwQbQHZ+ijH6Vlf/cKAmVI4NxwuxdiglsqV5ozRvAbsDLWsiXupovyW0wRjZ\n6NFfvoOzfor/aG3EaaizqQ6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJ+w+q6j\n7wbea8bHSWLad5iiCPR4MB0GA1UdDgQWBBRDNQP8MtlQhgH32exhOyaLq6UlSTAK\nBggqhkjOPQQDAgNHADBEAiAsWue7WZTCqxa90ql3Unlt/2+8jP7eqe8F3aYi8JU3\nEgIgI6SY/0etfLwrt0LbLGVrn0Tl2xVQ8A9Ys4a7+3VRrzk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUQKamVn4QTtErgZ3xNIMOnp9wwUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDMyNTMwNTc4NjQzMTc4NDEwNzAw\nMTE1MjMwMDc1NDAzNTQ3MDg1ODY0MDcxNzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLKZoaV3hOE2E/bF0jWnVL672OMWWJO9cR1pq44ayoydg8kywxw073BGaIUDgbY7\nfzFIJJt92+RSWP9cTgUCO7ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKB8Ldsp\n7aJveK7+cX2ocaIhe69tMB0GA1UdDgQWBBRSgCYMxkTGARiOT0IGDsUqb2bDHDAK\nBggqhkjOPQQDAgNJADBGAiEAuuHDnXgnd0VeOs0ug4SjbhvmqcYeRO/U5NmsMomR\nybsCIQDd3Z6vJNFByz/j6CW9WMDAUdqyhYsGvh4jnCvPS/EdoA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUCw5NU+bJ4Yiv6gdWvqQLu5MEYuMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzNDgxOTEzNjMxNzkxNTExNjM3MDIwMDgzOTIxNjQ5Mzc5\nMTcwMjYzNjY5MzgxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4SU4\noH4cUOYhoa7+c6Pz6b8j/+vh/S85O3tG8bWWf7nqkYyIvIXKpeHWgGfRbzKuYK6I\nNziyt5SIEZjnRpRV1aOBiDCBhTAdBgNVHQ4EFgQU5J1bH5NGoqE7sPUe+Q/P4ynB\nSOQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRDNQP8MtlQhgH32exhOyaLq6UlSTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaWJu/AQGc9Bgb7I4n5Anfep0GXQZ\nnB9+TLHHyPknbAYCIQCRnhmtt6v1y0ujolRpbsgJaf1pXQafduR9754mSah2Nw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUeXXYUIitJEMBu3MtLVhJhQix+i4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzMjUzMDU3ODY0MzE3ODQxMDcwMDExNTIzMDA3NTQwMzU0\nNzA4NTg2NDA3MTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF0j\nfNLCdTQDQ5394wQhzwQeQv6VtcLnAWxt/l0ZnMdrvxEIA+HnkAPYRpDQ5JGxcPaY\nE3BVZve4+KliYGyRBqOBiDCBhTAdBgNVHQ4EFgQU7/SGBr4mPRmjn3KGkPqMWfR1\nvNwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRSgCYMxkTGARiOT0IGDsUqb2bDHDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXQd14vgEuPtE1UUB8Krw7hriz6ad\ncS2HxdX7jmLv9LsCIQCOdpZqPZJ3jllcmxfjHetOhWBgNG9aGxPRTkogWOqA3w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKj+IYPLmr8yX7Yady4jKRRPdgA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaudEOhmQTE8B+zAgIgUTX3epXFamwf4GKTIB2\n24ndfXI1FIlZJJ47/TLM3U82tNnbddCszzwl0vs7km4pULbbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtUDg4VlOHA4jcCUF7hl+UA1I3MgwCgYIKoZIzj0EAwIDSAAwRQIh\nAPW9ZpRnO14QEeN5fZK876ft/XrSSF6CUj9CRhvPyh06AiAeO7kExo08jXs5Q3Np\nKJfjYDBzZ9UPu1nAGO7dbQWLLg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdiImtcfVUQdFxjaRDg6WoHcTa4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvu0dTLWOfejzg9Fr465H0Onu6QThjmypx7SvU\n/nJ1pnuCE6BIQtN2jDMQYopzoAnTjAHLKMJAKZiZPAYAPnCUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfuoOwcaPleNWMwpOQsZ5nzaUEdQwCgYIKoZIzj0EAwIDRwAwRAIg\nJ08iiBE8EVwhrmLT2nFpvOxizvXd/jPFC7CwwjIqXGYCIFTbQ/a1emaNLKgMmajv\n01NjVgdyyBFR4rUEZ9rmWAlZ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUanHqIHEDiI3IybcnmGvHkU2TBJ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNDExOTQ0Mzk1ODI5NzM2MDE5Njgw\nMDMwNTc2MTI3MDQ1NjEzNTU3NTM4ODE2MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM5aI5pnL/VbOg8u4stY2+EbF5ZP/lZA7HwCRDIRmNJW25uKLSVIOVEhCHL+lBhZ\n94+GTPBFABl8lGFsifPjKDyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLVA4OFZ\nThwOI3AlBe4ZflANSNzIMB0GA1UdDgQWBBRvGZ8RWdWnp9ZAqk4VaPxdThwGsjAK\nBggqhkjOPQQDAgNIADBFAiEA58SU9lamyHzDGTANJ8i8inqNnCAgFci6TBe+xf/9\n+DkCICMh4wx9nADGyBiLYwrQuJzGVXxOcw3DBz3kb67PRoWF\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaagAwIBAgIUepd6lquwe+xpjIiiygjEIMBJDWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzQ0MjI1MDg0MTc1NjA4OTg0Njg5\nOTI5NTE2MzE4NDM0NzgyMDA2MTEyMDM5NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBINEV0eGZ0w3S4cz7qy+ZWmm3Byw7wKe+m9uryZlGzdXokhEU4tBexwrMHbdxMKg\n0CARdHwxEapA1aSvV5sqLJGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH7qDsHG\nj5XjVjMKTkLGeZ82lBHUMB0GA1UdDgQWBBSSAInVFp51jjT/PSt59E868PdjCTAK\nBggqhkjOPQQDAgNGADBDAh83iiIYP3T0geIX2DWxnJf2RdaqXYIY3mQqCXvZobqU\nAiAv+Atm0h+j/1AhIHNtBJxwMROjeRZ8vPpza6XgbhgihA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUYZZfgYgLDMSL8YYBaymTBHgib7AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjQxMTk0NDM5NTgyOTczNjAxOTY4MDAzMDU3NjEyNzA0NTYx\nMzU1NzUzODgxNjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYwNzY5MzQwMTIyODkyNTgzMzQwNjc0MTg5ODI2ODgxNTMwOTcyNDQ5\nODE5OTcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENO/KrbUzCjQrX7FMfu7rRtQp\nyB4Joa8A5toerPE+LbZSVukjDD4rq8CXR49RVaYpJQsmpcq+9Uezj6aeZwQtPKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUbxmfEVnVp6fWQKpOFWj8XU4cBrIwHQYD\nVR0OBBYEFJrBA4h7M6088uEQ7E7boNjyEGDMMAoGCCqGSM49BAMCA0kAMEYCIQC8\nwFsnwqg2zAq5ADGihKF/APpFnT+VwOITr3hvlKTiNgIhAP3/b2uUkoxXI/iJhPh9\nBMkN427sjmzB6dWeJWzgF1Hp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUUSEKqAKtgvsD3wlLA+cjcOsuTGEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc0NDIyNTA4NDE3NTYwODk4NDY4OTkyOTUxNjMxODQzNDc4\nMjAwNjExMjAzOTcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY5OTg3NDk2NTUzNDkzOTYwMzkzNDg5MjAyMTUxNDIzMTczNzA5NjAz\nMzg2NTA1ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc30Ou25JVYL4GgIBxPatEUmn\nIm1ApFCPI7MCabUPQSblknRyr2Tv2Mhg322XwcTqW0fDhz+m0sWu5/c9BAAl2KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkgCJ1RaedY40/z0refRPOvD3YwkwHQYD\nVR0OBBYEFLStp+BAGkpZzz9BVIPchZwT5SguMAoGCCqGSM49BAMCA0gAMEUCICi+\nMfh0S/DHs3seqkBrk9RtADmwM3Yr3JJid201l18LAiEA5NPZvnPgjnn0Nkq6J7Za\nb5d9QXQ7JCt1tFqZJUptgGg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULhP6W73Qz17Q/FuQUXqHVllHMj8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPpBAEQkbNIvfXVnRqx1b8epOb9ABtJjAq10Uw\nHbZWVrjFjVuy0HKa5REUZ2BdUEd4nh1c2vf19C3gvXNOfapZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhZ9IPtzyYUoO4E8qbPcT6kDMqQgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOTNRWJ16pYSBmmCxsHFjcE+eZjAdlAEVIdJM7zOj3qHAiAkXN77mLQ6S+vD51F2\ngS6hwBGIh/h81w3RPpwXWqPPHw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFJoKFtdEv3Hz7ErLdFxgpmyNPukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4Goo1RJJ8tkT37xY3ksq5+shFivKCrdyqkHCA\nBqboyISrdnQVsqopotJ7f6IMf1phOJIveEGUxdK4rxVjIn3ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU+Pi1SoCHjiglTJUGC3i+jMcwqEwCgYIKoZIzj0EAwIDRwAwRAIg\nTBKzPs595tb54yyqMIMLboLXUrTCJ0bP6g9fk3phbe0CICdW7KC7RaDp/1aoro4i\nwwEy8A28OwyXH+SECed03KnD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUcL324euw0y6ldf0KVBHQWYKld+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNjMwNTkwOTg5MDYxNTUzMjQ3NDIz\nMTMxNjgyNzY5NjY2MDQzOTA5MjU4MDgxOTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBElCD3WUmHIW6fhR4SRFalV3dAtgkTehCshE83Y+OISK+05vlSBjo7rgBr1px1Zf\ngQw9EaiElioZlY0zhi54N+CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIWfSD7c\n8mFKDuBPKmz3E+pAzKkIMB0GA1UdDgQWBBTie1UqI1RvKpM3ZRUZ83jjTcuXPTAK\nBggqhkjOPQQDAgNJADBGAiEAicQXpGM+Gyo5ut5JEzpEsGf67Ek470ww7zLphRhG\ndBYCIQDymL9SiAssl6xqXX2Hb4ZGKfLPHcmdrkbLrjznNXYw/Q==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXKynOM89+nAEgBvQqb18oKwiOuowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYzMDU5MDk4OTA2MTU1MzI0NzQyMzEzMTY4Mjc2OTY2NjA0\nMzkwOTI1ODA4MTkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDY0MzY0MzMxMzY3Mzk1MDc5MTI2MDM3ODU4NTY0OTc2NTk3MjA2Njcx\nNjQ0ODc0MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4gbLAHCIC1/DSKSDrO6WTItN\nO++0PPJDOIsQcI4Ve1snVWSDf6gyEtfPDOASIdNDhWYPBTzfz/rsw/jSrWBte6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU4ntVKiNUbyqTN2UVGfN4403Llz0wHQYD\nVR0OBBYEFDPAWD9RzK4Cg4oNKq85vT/0dH0kMAoGCCqGSM49BAMCA0gAMEUCIQDR\nFxMrm4B1+hnYXXGJFeQflpva+2hAWogk7D8duhrCuAIgfqk9qrPli8NFi3/gN3PL\n3lRUrPZo0va9oSbyxnxpkjY=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAynAW2+u9aUFr1Gzo4TEbl/gsaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMTc2MTUwMDkwNzIyNjI4NzQ1NjAy\nMTY1MDAyMjUzNzI5Mjc0OTA0ODIwNjEwMzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBApyYZmWOLgafmapceXzlK6zxMKCWr/ofRvdrSfwNNpsbKDKPGN/rFFpthXd8uGm\ndduTL/onLkrwN1+9jOIhl8SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFPj4tUq\nAh44oJUyVBgt4vozHMKhMB0GA1UdDgQWBBSs9lGJH3Wrqq9mK0tOx11QA1muzzAK\nBggqhkjOPQQDAgNIADBFAiEAxdSjK1Zyz0o7B5leOFFWz8R5tgsLMD33CJfjBIUw\n+d8CIHRMFK8rX5gpsQ7fO7cqmHW/9BtvECyjYEPyApgLstYK\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUWtJe9ZtOrUIYDARKacQ8Uvqkq54wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTE3NjE1MDA5MDcyMjYyODc0NTYwMjE2NTAwMjI1MzcyOTI3\nNDkwNDgyMDYxMDMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzE4MDU4MDU5NTM4NjU4MzExMzQ0NTI4NTI3MzQzODk3MDkyNjcyMDA1\nOTEwOTU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkM2SSkRRVmqgf3zk5Q3AoWWPd\nbJgqnV95pwBfcjaf/f2bYPrAmzZMjtQv4UoijLSrDMyBt00YXiRzBVMoo4s9o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSs9lGJH3Wrqq9mK0tOx11QA1muzzAdBgNV\nHQ4EFgQUMqSaiMBvyv7c2D63XKKljjuHRcwwCgYIKoZIzj0EAwIDSQAwRgIhAIKQ\nHte9DrpusHZ+pMCwLNw0SUflxEhbuRjee+KxqbzGAiEA/5RQ44J+1C3YACJP7M4l\nbyL4BXmjna+opChYFfd+RPg=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUGkAq24IYQo9uhq55cBBL7glz2J0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQzNjQzMzEzNjczOTUwNzkxMjYwMzc4NTg1NjQ5NzY1OTcy\nMDY2NzE2NDQ4NzQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUUk3\nWeUSPXiACUUpkvX5uDwdmiSo+NuRBmFsmPi1ohd1hf1jZ8MVCY4LhnGNkOR8tvhi\nQ4dUsUdZ7t5A6p3NVqOBiDCBhTAdBgNVHQ4EFgQU6Pmq/56YY89hqeEUdymOu322\nJWIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQzwFg/UcyuAoOKDSqvOb0/9HR9JDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOJvRS2kQDI/Ot6OBI3pU8F1W4LYI\n27n0eUlLj+C4ZvUCIQCavZN7WAx+yCBjN1Hy+PExh7Vq1GaOXjpS07ub9kexVg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCDCCAa+gAwIBAgIUIOqUJJ5Z13qQ7OTU93Ve8YD4+08wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTgwNTgwNTk1Mzg2NTgzMTEzNDQ1Mjg1MjczNDM4OTcwOTI2\nNzIwMDU5MTA5NTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARg7i3L\ne26ikMm/Q6+tSSWf7GePe67Kl8niziHqHK2FtefPrWmnxfByLPvJdL2cthC4ja6k\n8libmgUN/xj69tkKo4GIMIGFMB0GA1UdDgQWBBTqTMzEfagq3XRsWsC4xt4buSKH\n4TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDKkmojAb8r+3Ng+t1yipY47h0XMMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBDbaHMHYBPNG8N4rL8y9R69ONANQO0\nsnK8iIJ2WKVIxQIgGBgaITgF3y7W4QvjOVpo1PNNtlZnOGbACqB4vtDfwLU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXxJH/7icKoqwYsFnY4nqFLHnyHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/cCLYhxzb1qCJLIO6Xy6UZjL3KkLvsIy+ge7t\naKgLIjuMgX+lG0dnmNyPkEYSZsg7xFgmc8JuPzTuXmyev/6ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR0QioAsgBiaJhclPkoXO4Q4N91AwCgYIKoZIzj0EAwIDSAAwRQIg\nCDOV7znj9Inatn0pExFprFkxKlQIILKqGVMt0uovPOsCIQDINnuTZqhNJdCo2OyP\ntnrlgGgZUgEBV3R3+r3iQb63rg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAL6gynCZTtUbGIo6mQMd5Ft5vKEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATabf7L90IKE0v9nFnI/HF6sJBGHFSL5YNh8X/L\nft/WMT2mlmiciD/LFBQ+Ju0utx/BAOS+Qx1U3voIfN5Q88s7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdCrauMp+rOi+3P1QnbvxcV1Jml4wCgYIKoZIzj0EAwIDRwAwRAIg\nVaUU8ucqtK6W3Fkvo2nndEtgZ9XO1+aMiUt2ZhfO2esCIG6FsodfiISnsOXCRRA0\n0JW0I2cyMcdlzTu+j1HALF6b\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUVaz2FCQWDz9R7U+V2/l1I1Q8/eEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NDI3NjE4MDg2MzE1MzE4MzgyMTkx\nNTA4ODg2MjI4OTAzNjc5MDk0Nzk1NjU0MzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE6rvMmy+5nGfZZB+ts/VQ5ufcbrSjp2bWlckAWlWV+YK1r4Y23nIKsAj5G5nggM\njTFRzS4VoA0SA3uEpcZcX9qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEdEIqAL\nIAYmiYXJT5KFzuEODfdQMB0GA1UdDgQWBBSYUE8fxwE38oSV+7eQTopsfT65dDAK\nBggqhkjOPQQDAgNIADBFAiAs2G/L5tKLaquFLQn8SF4SpHYloTRZJaPdZXytn7rf\nPQIhANPCxZ1wDCZ2KHD7NpGyOLMhP+BQBj6oucyrF+GygHll\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUXzAYAA7/F/2cnxWTxKFvBFytEPgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQyNzYxODA4NjMxNTMxODM4MjE5MTUwODg4NjIyODkwMzY3\nOTA5NDc5NTY1NDM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4OTEyMTM4MDE3MDEyNjkyNTgxMTYyMzkxOTc1NDcxMzQ0OTQzNDY5\nNzIzNTkzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbLhDbf/UOuFMBotEj031M149\nUpeyT4iYgpKw+0p7Ng8RAOz9ABFYUFCyr22Xrp/e61xou1c/6WLGQ4NEGgIZMaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUmFBPH8cBN/KElfu3kE6KbH0+uXQwHQYD\nVR0OBBYEFKrLH9h46Gy8Yt4K/PcY0t3OTW/YMAoGCCqGSM49BAMCA0gAMEUCIQD6\nRSNZ08Y0kW9HNJiI6h99pHSMUStn0/Bjisjf8uDeFAIgY5KAOS7qYq27/wtFQZVJ\nw0hoTuHEBZxl5DBaTkUDvoQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaSgAwIBAgIURYdPBEux030eMWXQ6l8VM25W3yEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBlMTcwNQYDVQQLDC40MjUxMTQ4NDQwMTc3NTczOTI1MTI0\nNzM0OTEwNzQxMzc2NTUwODAwMzA5NDA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2\nv3R6nYFlM/MOvgt+8Rq22qqvFdwMYhFIOLpvI4prWfTzcUxedscpJvTUrnWKp7rk\nFEmfmMyyv2jqDUGKq7aPo3sweTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR0Ktq4yn6s\n6L7c/VCdu/FxXUmaXjAdBgNVHQ4EFgQUNyYKec4JnokykjM8H0LHffX+tiwwCgYI\nKoZIzj0EAwIDSQAwRgIhAOXzlUr7UuSEusbUwKUj60MS0NvA8SsUghTVDBt6RSmD\nAiEAjQDw/gAaXBBhaen1G6DeryG2OixVcfCCjlqLVRMEpbc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUPDvICmVKxTZ/3HYe1RCSOwk3kWQwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNDI1MTE0ODQ0MDE3NzU3MzkyNTEyNDczNDkxMDc0MTM3NjU1\nMDgwMDMwOTQwOTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0xMCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAzMDEwMDAwWjBnMTkwNwYD\nVQQLDDAzOTY5Mzc4NDcxMjA5ODAwNjM3Njg1NTM0OTQ4OTI1OTE2NDIxODE5OTg0\nMDMzNjExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHCultVC3kp6EJBh/zChxcUb4YSY\nsa7LCeRLWjzeIjamZDh0CgZ1Lbrw7ncKOynib40Oxz75pnnzhFgKJpJzNtyjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFDcmCnnOCZ6JMpIzPB9Cx331/rYsMB0GA1Ud\nDgQWBBTyipELk9CHajGP4/srGOrup1FgZjAKBggqhkjOPQQDAgNIADBFAiA466R7\n4TLhvcNQruxCzHR6Ls4GbjzhiyIVo/1wxsSF4wIhAJmK6FcA2mZJWzv0/xWHXRSQ\nAas/xBqlbEqBj6RkDAyQ\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUEKKcEMoiT9c6zvGVSEcqew3xM6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDg5MTIxMzgwMTcwMTI2OTI1ODExNjIzOTE5NzU0NzEzNDQ5\nNDM0Njk3MjM1OTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/XwH\n1FxatIgoNR4GtWEbqmQ08ppxx8f5V0Le4m5cp3zmO+ZAIuNr6i3wa/e+NWZdpTjC\nydQDMVC6qLYxSQY6IaOBiDCBhTAdBgNVHQ4EFgQULiRn3r/L5SNxLtrxHRHfLsov\ngHwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSqyx/YeOhsvGLeCvz3GNLdzk1v2DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgJtE+MvcfeU0izpbDFf2JQJxV3zxn\nLR5d0oKqs5/8+/cCIQDL46sYFybvc+Kw8n9h6cR2iFhG8xtUaFX/umnCSKZ+iw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUOp42+0ncxe6IfRXxhs8bRM7rdhAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk2OTM3ODQ3MTIwOTgwMDYzNzY4NTUzNDk0ODkyNTkxNjQy\nMTgxOTk4NDAzMzYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPQfU\nodJeMqU6UUzAh8NpYDfBR/mLpVVNmSRLZ5lTa/3wWsCtOyLu+kSLD5qy6jHVQf+E\nWTxxNypR4YtMpPpIoaOBiDCBhTAdBgNVHQ4EFgQUazGemzqffOJ8BIfO5Ii2KQ0w\nAyEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTyipELk9CHajGP4/srGOrup1FgZjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMW2lkefWqPb/KEyEsVK4yPuzeayH\nBWI3A+yZTYPZLSoCIQCZBxaRaFqxj+OdeLTpYl1gArLQxM8KVYanMKQ2YBYMBA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH/OQQBalFYRuWpTfxO3byV0xh98wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7k2YupOe4RUC0Hyatw3WFXzGa6YMB0cQZ9kYy\noDJF/Jrh3A/Dk8/85Kst34kFAWfI9cw8jM5Vva/LOfgDIOcyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb1nNdpGik11JvmdRsnFvfOPmtB0wCgYIKoZIzj0EAwIDSAAwRQIh\nAPVfcXEPlh4i3v0TxAeFIwPA+5Ga8kO4HWkl2l1e0MoBAiBTAAbYUH9Y5aC2+6Aq\n0LYlVYN9sFHZpgFP1fXCSQrGTg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWBoGBd/do7SkYi2UkWvBuM/En6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9mi/IUvZWAW3hpfXAjoVfp61iVTuoBhWxHEP5\njRqMA6GRq7kZ551uXv1KANoNvRC0BgViRbu0qVGN4ROLH7Yjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzEvwAGeA+0gLWuenmTNn76L4M/owCgYIKoZIzj0EAwIDSAAwRQIg\nEy6ib5lZiuQ5FTRz3SRVg/EznwBBN/PneVYF+yoKJq0CIQCrtbhozDAb54BD+1Dx\nbaS00rDFquxE0w44d8rwZncWTw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTfhowqyU2v1Y2Pkus/sZytcmQOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODI0MTAzNjA5NTYxMjc4MDQ0MDE5\nOTc3OTcwMjIyMjM4NDg1NDM0Nzc2NjM3MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIWzf2O5EogzXssO4hqC83Bt73ISL5VjQkeuBUJc31I8hGn5bhLPFmX7pQ6o/SJY\n9gzoy0mpelLVVnKagj0oMryjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFG9ZzXaR\nopNdSb5nUbJxb3zj5rQdMB0GA1UdDgQWBBTpfJbm9xwETGxD8DZhSgcqGyGyIjAK\nBggqhkjOPQQDAgNHADBEAiAgylJO51iUgh9Aza8Oh8PgudKACpFD8NXiQFsoiKwL\nxQIgNhe2vlw8PpJZY6s6gRwqsx/C2cy58gt2ZsbM/wHIQGw=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUSNBd1Y5sHwfZTu4CWuO6nbhpSXgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgyNDEwMzYwOTU2MTI3ODA0NDAxOTk3Nzk3MDIyMjIzODQ4\nNTQzNDc3NjYzNzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ0NTEzMjAwMDA4NDU4NzQ0MDQ4MDM1MDQ3OTg3NTg3OTEzNjEwNDM0\nOTU4MTUzNjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgGnrmKAzOcaDCblmRRs7iqU8\nGLNacAjzl8bJ7QGcNn/ZOg5SuoCiJ1EnrzWH7q5wRisv1s00R0s7KJresNUUB6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU6XyW5vccBExsQ/A2YUoHKhshsiIwHQYD\nVR0OBBYEFAeSktzi6wSeGhzS2TXHwQOinb0UMAoGCCqGSM49BAMCA0cAMEQCIH43\nxW1ANyp3xBAEz9i1wxOc97/LnSAdx3PSmPgR4JC/AiB8xqDAP+TbqKzY930RjvvL\n+a4bshpNFGW5AGmdwNak0g==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUCeejJU9LdhX0mmre7Pb4rBJ3+REwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ1MTMyMDAwMDg0NTg3NDQwNDgwMzUwNDc5ODc1ODc5MTM2\nMTA0MzQ5NTgxNTM2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQxNTY5NDA2NDYxMjY1ODM5NjA1OTc4NDk3NTc3MzI5MzQ5NDI0MDIy\nMjQ2NDM3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcSf1kafPDJZEHybcT2uEHAc+\nbOW00iaZ/Az4N9kztZeagEYwn67MJqgTfL4ADtep/Qd0tPAJgYQqIaIcPuUGM6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUB5KS3OLrBJ4aHNLZNcfBA6KdvRQwHQYD\nVR0OBBYEFEdJA5+/RY/3At2ohRtFXnQenkW7MAoGCCqGSM49BAMCA0kAMEYCIQDV\ncn7Twg+eon/Qt8k9jpKDDCSh6/hJ608DzqQ4YmpOZQIhAK++AP7Y1B58OwydQIZp\nVYgInZ3zL3LEXwMk94rNinC/\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHZv6s3BwHda+lboRAXQZHe95aHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDI5NzE1MzE4ODAzNTU3NjA1MTA4\nNTAxMDI5MjMwMDY2NDEwNjIzODYzNzY2MDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOW6u3Du9+pXC+alAFKh9ZSTp6slMopWUSgokxyPyRMSK4b3MpZsDfZhQSe1E9t1\nA0ULte3/CUaI5nLKAOLp3Y+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMxL8ABn\ngPtIC1rnp5kzZ++i+DP6MB0GA1UdDgQWBBRQd0X+dOgERSnIGSwmKrZesCWVczAK\nBggqhkjOPQQDAgNIADBFAiBaS6yeM2cRfMPsDQiW5gPMQtrZo/WgfxWBwnQGLmFV\nlAIhAOumC/08VDjHZ0A/ncUukYZkoW1mtS+EnZCVhesmIuPI\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUEnjP22ffBilu33ynNJZVskXyD5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTAyOTcxNTMxODgwMzU1NzYwNTEwODUwMTAyOTIzMDA2NjQx\nMDYyMzg2Mzc2NjA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE2OTAzOTE4Njk5MTE0NTg4OTY3OTEwMDc0NzYwNTAwNzk4MzI1NDM0\nMzA4NDE0OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK4SThGvfA6g3oiMvwSzYBSSN\nyoMt/Uh7pNQe3lGMaqlYPlotZkI196LV91se6O9Na+oJmbZUvE4yiOkP6ehGV6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUHdF/nToBEUpyBksJiq2XrAllXMwHQYD\nVR0OBBYEFFQQdhm5XjcQRVp/f4DSRI69Z+XlMAoGCCqGSM49BAMCA0gAMEUCIBwI\nSTdiNU910HF5Sw2Rqeg/1nkmisfq98EBK0S4nCBEAiEAwWESDcQJbX2Hxu0s3EmU\nIpg3c5PkpHZL1TiTX5iyqEA=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBBU6bJeVdw+qWgly4vr2n/rlmBgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY5MDM5MTg2OTkxMTQ1ODg5Njc5MTAwNzQ3NjA1MDA3OTgz\nMjU0MzQzMDg0MTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEwNTQ1NjAzMDIwMTc0NzUwNzAxMjE4NTY0MjI4MDM5Mzc4NDI5OTUw\nODMzODU4MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFqGqcCdTY8WwrAMRSlmQQB7Y\nvyfT0TQKrKWw8gq0JfwTTvk1o7ILcUD649z7hFU66fr1NDCH2Y9stmguxJ/OJaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVBB2GbleNxBFWn9/gNJEjr1n5eUwHQYD\nVR0OBBYEFAjPfeNH+dX7zdsaJDhBdDydshmpMAoGCCqGSM49BAMCA0gAMEUCIBKu\nVvhseKXtc2/xIVvgYgsMlZGrq9wbt6nQHgMbuiYdAiEAuPSdVv2b5cikbg2hWHFr\ncqNrmxet1CeYI0Cn0/Ggxgs=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUSWYgIpAei1Z1HFrLel/HbgkRQpAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE1Njk0MDY0NjEyNjU4Mzk2MDU5Nzg0OTc1NzczMjkzNDk0\nMjQwMjIyNDY0Mzc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg5wL\n0Ldk+1MaY5BOvo1W2GdrpaD6gvUj953pZX+0/saJNL1SgHwWa9NcHSZPZPlodlwX\nNI2VC9X+8Hb7fnGGm6OBiDCBhTAdBgNVHQ4EFgQUoRIZL+D29FBG4nILvDFOqGTl\nZxYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRHSQOfv0WP9wLdqIUbRV50Hp5FuzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgLLD1RQHQnIeWiFcZ7l1O22pnFxC9\npOv16F4bWgsZn7YCIQC1TdmQsE5RQ9UYYQL9SE/pBm1RQaKtc7yEdUJBwWnx4g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIURPv27CAPF5IKaetGGQlbVAQNfyswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA1NDU2MDMwMjAxNzQ3NTA3MDEyMTg1NjQyMjgwMzkzNzg0\nMjk5NTA4MzM4NTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJJ6a\nA3mZeBhW+q3qITyvZWrcu6EwY2IM8thnxggcLIGi0zWOR4e27iel3XIIDDNx0TLJ\nX8d8mmWoKC8xQquCU6OBiDCBhTAdBgNVHQ4EFgQUSFo+9EBXoDV6eJWJvVmdM4uR\nnMgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQIz33jR/nV+83bGiQ4QXQ8nbIZqTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIxAi2E/kl79CMclgGfSsfTL6ex1\nZ9cw/ShMe2DHj+pBAiBgS7J/sk4WRbtSDNzw8Qrx4q6iwWyuKCfBoUYv5IK6+w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEItuYroq2kiliXhr3VGtDMul5FgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQL+F2+jTqKOH6HSPEOCViyo5TWV5sKJMQ6o63R\nqfer+72cmvn77XepxUk2ZoXCDhYDnyI6RijB5sksHMQyBCZXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGLBzeWZ7vIUsOdQsBWeje5pQNQgwCgYIKoZIzj0EAwIDSAAwRQIh\nAOjJdTiERbK1dAV/KwS+yxRobamZb9EeFeRuHgKmFKZ2AiBBfmNogil82flpadQJ\na364qmgYecsQLg1E63dgSMt2Qw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPChZ6glhTn3VcHUMNroE1ac7OG4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATm6RvY9ApusJN5R1X2vAQJzjB5VH7LiFZ+XUms\nAi0jEmt8+CXNwYd4VAbfi9hKEtJYump4JD68gmj7o7Tbk7O6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUj6WcR72u4+VUULYoyTxuHnMagsYwCgYIKoZIzj0EAwIDSAAwRQIh\nAMmnODJrA9O+c143U9E2tfSau9bb7wR4TwQqbnVcXRuEAiBkS6+DGAhHKptcwz5o\nAoh5mpITqjyvPBYQZNHCenTesA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIURpl9xFrrc4pxDjxG6JoabAkkd+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85NDQ1MzI3MTg2MjM2MDU1MTg4ODUw\nOTY0NTI2NzU1MDE1Nzk4NDY5NzI3OTU3NjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n1sguvS33wm7diKIOpuLPE6Gn9hBxA5PiFR9JCEFNTTmw1rXIUBX/JWEpCy0tQ0Sf\nUd2SWsD9EKpiZlR265bEKKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGLBzeWZ7\nvIUsOdQsBWeje5pQNQgwHQYDVR0OBBYEFJZ6St3k8GBCC9uM5Fh8nofysQxSMAoG\nCCqGSM49BAMCA0cAMEQCIFV0MgOl4BWdP/Foeg3hGHhJ9gt2m2KrcQ/vsipidxhJ\nAiAMR1Mcdi+VIurKlvHWPksSf1IPO7ADM7Ve8xOTgNw1Mg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUSadaxGVWFXiOfbedewGpqJ49RUcwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5\nODQ2OTcyNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZjE4MDYG\nA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5ODQ2OTcy\nNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBJV4G+pNnUS3z1lkC5Gt8X+9H6/\nzlnVc819EZhZvbhEWdeGSCHqSfd1mnBbVJBOkDfPxmk7iGRSMjI1c8Fr9/ujezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFJZ6St3k8GBCC9uM5Fh8nofysQxSMB0GA1Ud\nDgQWBBR4rXEMclD9DvUdOsB1BBuirWg3YzAKBggqhkjOPQQDAgNIADBFAiAargUh\nohebazVywi9NpRMP+kWov9fIepHiOKPEmRzzGwIhAKSO0CWu8NZIPO99cXGYyDi9\n58t+bmM92ZNy4pBeu2J7\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUH1P2/+K3g5rDw3wdV5InIOyyi+0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTQ0NTMyNzE4NjIzNjA1NTE4ODg1MDk2NDUyNjc1NTAxNTc5\nODQ2OTcyNzk1NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNDIwNDg4NDU3NjU0MDcxNjc0ODQ1OTgzNTMzOTU5NDUyMjU1ODU4MTQ4\nMDY2NjMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4UKL1GHSRC1/afJoCbCzx4k+q\nCzAtr5r072WCDBgZWRCmlMZ15PLzwm//5c5n8/TFGB0khFURY+fKa9SQXI2so3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR4rXEMclD9DvUdOsB1BBuirWg3YzAdBgNV\nHQ4EFgQUJSsUup4ihcfVeNU9COTvjQHc45QwCgYIKoZIzj0EAwIDSAAwRQIhAIYA\n+k4EGRI+uQxnAg2/k1mWeilvKBG/3cBeYGcTwkVWAiBGZyUww5ubLHh4ISMUqS9A\nWC278k5bP+h9aKO1PXRGNg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSZgJ9HpwbpF7MQFUPNIX5NvuuCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDM0MzkzMDg2ODkzNjE2NzkyOTYw\nNjk4NDExMzA4NjE4NTI4NzYxODc4NDI2NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA0fs+uiBsneQUJ4ekaHEoMGkdN8GN/vyLE2LeNDuuQZ2f+DRLJKXyecZ/IUICfQ\n5/CT1zOw3tXcrnmeWs8tHRqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFI+lnEe9\nruPlVFC2KMk8bh5zGoLGMB0GA1UdDgQWBBSlMlSMSyu0HkIsONrOSgzp/1IvijAK\nBggqhkjOPQQDAgNHADBEAiBLKS6NinfnqaM4fggEWuLjz6bEYLg08OadbO8EyeM0\njwIgb3SC0lmjqaakyiwMf6D3xVXQ3GUFchR8VQT3bvQqAb4=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBI7EyXgQn921ac8TRLhdkisDZ9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzNDM5MzA4Njg5MzYxNjc5Mjk2MDY5ODQxMTMwODYxODUy\nODc2MTg3ODQyNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDM0MzQzOTMwODY4OTM2MTY3OTI5NjA2OTg0MTEzMDg2MTg1Mjg3NjE4\nNzg0MjY3MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOTcezD5aBbYlY0vun1lEWZXf\n7zQxRFKlwAzQd8pBzCaYr89J3uOjP2ENrLaYiSKrV+/UIM+NNWdzhJQatjyFx6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUpTJUjEsrtB5CLDjazkoM6f9SL4owHQYD\nVR0OBBYEFGu0wS4EA8FnQJm8pNCKlIg3Z+RZMAoGCCqGSM49BAMCA0gAMEUCIByC\nz98wyHREURuMqNyadeG9TbMg9Ds8rg77ISwKpff1AiEA1uKvMdgi7vxgLVyhAALo\np4jYuKtW+UbMEFp6gcH1Wy8=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUZhisb8sLf+jENr8tYM1Ey2JXr8QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzNDM5MzA4Njg5MzYxNjc5Mjk2MDY5ODQxMTMwODYxODUy\nODc2MTg3ODQyNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzI2MDE5ODExNDY1ODc4NzYxNDEyNjI2NjAyMDYxMDYwODI2MjU2NDcw\nNDAzMDI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARgxSMT4lk1kC33BRkx2tIAW6rH\n71hyopft97ADfffwHpO+nCXDa5Jl5zHstuZO0oGVFT9HL5g+ZWVeN6Cq+xlDo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRrtMEuBAPBZ0CZvKTQipSIN2fkWTAdBgNV\nHQ4EFgQUduEPHbm0V6MahyCLLrCbzV4/8vMwCgYIKoZIzj0EAwIDSAAwRQIgSm9B\nWdKYEDffOVcugnm615odNMI86OKBAs2iFfVuSU8CIQDZ4AvzHC/epk1wG41ddZ00\nMvRnryfDZQHKW/NCx1obsA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUNE4ybqxd7JXkdXc/xandV1KSBvIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDIwNDg4NDU3NjU0MDcxNjc0ODQ1OTgzNTMzOTU5NDUyMjU1\nODU4MTQ4MDY2NjMxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiD/d\nZDRtitMwI/gOHdBElAZ7j/Hd+kfmG+mZ42T0sVzHqn3p/wvgOpfA06GxucWSgyLu\nwRLzvJL5rVWqt2muzqOBiDCBhTAdBgNVHQ4EFgQU0IQhpNaMaOEuT4zYhqOftoCm\nQLIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQlKxS6niKFx9V41T0I5O+NAdzjlDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgW5K9P4p7YoGIK+qtbClNU1jTJgZp\nCXWhPrl8XZy1rJcCIGfdZ6yRA6QKz3zeVYENKXOPOiY0yvcCBCJ3YGrOXLjB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAa+gAwIBAgIUFb8YTE/lmC4hUgDZpsAjHwsG/JAwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjYwMTk4MTE0NjU4Nzg3NjE0MTI2MjY2MDIwNjEwNjA4MjYy\nNTY0NzA0MDMwMjUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRPFjZ\nGKVR1issQoPqkn4DKxeZG1gLwfoYMyNeIq7Op/T+8cuNQ6k8JJilhgLzf2gbPiLw\nteO9OkSIAwVCLegqo4GIMIGFMB0GA1UdDgQWBBSsGy0rFBvRg94i69+clY0JX9E9\niTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHbhDx25tFejGocgiy6wm81eP/LzMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/ihYaWtlROiHgLPPoiJsbuo4/CQG\nf4v3Qlo9L1hz7GYCIQD06p4Qp5CAJyfHK0QiGIA39Wob0zE7gOHHvAE3dMzgxA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUDg6zS7TD+opViezqeREfeAf5o5EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt/w98z3ANSpf\nN10lZQy+bru2bQaWQsVrACdxduEii+hyl3c8nTK5lRbOxT20055JIGhxu4ZnSseb\n+VDynCASaqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFG6RvBrETbHhYPAikv1/qUP/qSGu\nMAoGCCqGSM49BAMCA0gAMEUCIQCXCHnMh+g2+t8oqegRQa3cUOdmlqHy2tTBRcDE\neEgm9wIgPJPuS6Dn/CMwiOhMXisBm/y1HnTyCBjTv9cZ/rabw8w=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUAZWaUav7X3VMFxS6vJI88rR7IxkwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoFrsvxRaJKh5\nD5sA0m18gnDgaFjS2nShnJ2P6exaTDX70PbhRxQFLrPtlImLbjEeOBwGQSdJDI7G\nj5QKFV2n5KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCM+qaKS1fg23tjVJKQ4h7/D+bNN\nMAoGCCqGSM49BAMCA0kAMEYCIQDTS89vabKnGykh704l9EDzVfFnNONhrJ70LjmF\nd/TVTQIhAJadIfmRJeArZGbHR93t9fCpsXRUxHcyfpfy4EnhZN2B\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUVlpC856GCWh9vY9h8tAUu0b7EtcwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABEJQuIcvP1MP3fbp9AUJbepi/2sL4Vnrngkw0kKr1Y7jPnO/\n13wvlb5pJ6TZVOhWkAia3wjvYu9D7hXPWJjpuGujgYgwgYUwHQYDVR0OBBYEFPSr\nv5KAZK6/BMIjI0DEkyI67LQmMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbpG8GsRN\nseFg8CKS/X+pQ/+pIa4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHm1cIdc\nWLusLrNFXkroyJhYf2Ody0QcJzv3kAOyZAxQAiAIt0Ug9sPLNx5wqE3eDJbL02Md\nL7zyl48cfF+HAstApw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUacaCV8DxRYKUhXW//wufxFiZAW4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABDqF7329CC/yojiLof345fDKXOgWloowBzLF0wfDomX653xz\nnIrn/GsQrNVVaNqs/654Thz1XvIvxNRsVdZP+8+jgYgwgYUwHQYDVR0OBBYEFGkw\nQ4eMgE9KXZwU69tGwfbgfso0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUIz6popLV\n+Dbe2NUkpDiHv8P5s00wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFYJph5X\nY9d/skM+MKD57Ye9bVkUX9u8o16hvBxMFYxVAiEAiGpdPAej1CtsMxRrfegpP2tD\nrbx5tmVMGVnAOfizL3I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUXKKexT0EuzfWm0IUJQu5a+M0OIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE1ZwgWC/\ngXkestM7x7Qv8RpIwSScyOIc0E+lnY4obsOvBQ8lVczV6AQSiHFdG4Av6so+Vd+N\nN2HsDxDb/QiOXaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCeaw5f5ercnYgTyS6CCKOeu\nC07CMAoGCCqGSM49BAMCA0gAMEUCIQCz85q/rNKr8BMpYA3KKkc5DmW4giTFCWR6\nf9xPMOedpwIgWAlywrwtmdRccO2jN08HYA2WOnDqBiqMrw/jJPaVyOM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUPMtm3umsTK6ApXP0dqMqGlTPliAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELvBlxwRf\nP8bq01ZJwMA1gLi4xpkR0ZmVzsfifM+jky/mC4dP93VhghcxpjZlwhh4Ytip9BfX\nhrF+xkoN5qy7pKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJ1Vk6SwWeoR53y9YsT6+oV7\ntGExMAoGCCqGSM49BAMCA0gAMEUCIBH7NxRIOmykqeTverEIHOeuCZkDFAuuKxhN\nUHp6P1YDAiEAue6r5ZExRXLpEgRZwQqX6VK4tPhuYZdT3WwlVfJ7LyU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUaOnlEosBtrVE4LoUsd3IfxINfPUwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2GwfPmbp+sUIa\nnutpievYFAe/OyNEE+tvhXWufri4YhwX1tUlp08HWOO0NOK3kZMrAJ2mE1l9ykIu\nCvSTCx8vo4GIMIGFMB0GA1UdDgQWBBS6Zdfd8X5JLKYssDhj8hSRVm6UGTAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFCeaw5f5ercnYgTyS6CCKOeuC07CMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA/7g30OQeNNsJnayO5xfCAkKB/wuG91IBe7jf\npC78/Z4CIQC6hUKW+DVHjI+mNe0gRqonn6kb/7X0hE96qeQJuJlVJQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUedXdi/1bLOrgfoguIFr+/s9j8J4wCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS730BNTXZ5l2yU\nIymdfotIPntiRbvt/fnIbiqYTDGUIcpEYk/lpX5gRU900/tmEcWtLYtN3u5LtM1E\nDgGSPUaUo4GIMIGFMB0GA1UdDgQWBBSZ68uO8v9CCrWOBn6dBa1zoD48NDAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFJ1Vk6SwWeoR53y9YsT6+oV7tGExMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiBa7eDVMkfgez9E2050IWjzlLKFtnmOUsQKltG+\nhu3LmAIhANtnZGMFTkO9BvJjXo61JQ6D3NcAGskazO7qv3xdG6c4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUG846liYtqTyJEmV9MU0GIO2C1uQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6KPj4R07mV5tmm84PANT/puwEEQTmGRoLwALK\n4dK6Ri6AMSz84xV6f+/SNGFReWoie59dDh8f6zHH2y0SrCQjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWiNtgq1QbiTkQjcIYlM4F9E2a+QwCgYIKoZIzj0EAwIDSAAwRQIg\nGu7Ah0kCdlFxzMK6DYxc2Vn3GWEpYDxjbqsCZcOlpxgCIQC5oqdPtIn5w2rNei5Z\nYv/bpVE+l2arDg74FucCTT9GcA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUAy4asb4bemnOUiu7C1z2wZiIRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASIMgSz0p97zLM7uREKutTC2a9o1iameR6RrlMb\nmwrJxDy58HWBX3YFJHqU67J5LAQLWzjpuDxWaXfXVoOhA8IMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM7q928ZCv+P1IFoIm4y3/NRbh3UwCgYIKoZIzj0EAwIDRwAwRAIg\nPs/EoDTZ9UPSt5Jq0aXRqY4a4/5di8bA7x7zpOIp8O0CIBVrAZ/6BePpPLvI18G4\nd3YIS0VXdHHW5fd4VZaEla2z\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0DCCAXegAwIBAgIUZDmWmqxXh6VfnHhuymFTI8e1F+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG22gTo9efFs9JUYmBXrlQQQBHHkRVNcIPXDHINB2yo4\ndQ2PEGZTmVSuWqbe3jSoKt4tpSv2W1ZVuc2laFEbtIajgZwwgZkwHQYDVR0OBBYE\nFLlqQQbG990I9f5kGIB1Hmjhk+HeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWiNt\ngq1QbiTkQjcIYlM4F9E2a+QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDRwAwRAIgYyWCYBR0rCRu5qoEisNKDas1zUtrQP9StLflGsdz\nsfUCIGpZIFJbRZzFRXFVFqaftVfrHgQrkS7lk/tSFwwr005e\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0TCCAXegAwIBAgIUWbpfOTTibwlrdv3MKT18uUptTc0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJD01ZnczvcfRE4ve6Z5/uQr31Jb9xTpYWK+83ZOefRb\nWEWdFxWWaGyrpJHGiYWdURpdCBuK3+oy8kCxDFS3huCjgZwwgZkwHQYDVR0OBBYE\nFHrnwKnmNW469APlehrpDnJCVcj0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUM7q9\n28ZCv+P1IFoIm4y3/NRbh3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSAAwRQIhALAvjmzpxpRHHADw0VrJZrDrL50ZWasWqywFhvvP\n1vFIAiBKbY/XpxZEVUI9amsL5ZO5VLThuoR/T6TebfzSnb4Pkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUOkumbTVxWcn5tmXcUeITMEt4CF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLO/LRIzULGU5SZ/V68yXDZlbR2Ucv/DzAwJXP\nVL0Wh9PMWu/bVMRBgbdnjzqYNKAw4UKKmpLe4wXw0LSf0Cxro2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoi9yIONsmF4o45kI7Eib62NRiwAwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEA76cUvTsai3Jrn6oFFzpF1DfxC2VAmKUBn8pQ\nu9d+pngCIQCRUkPyBfs8vzfJE3YRny0pub8JiZ1GlfNwSSZDY1kqxQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUE8RU4xw9QanWH/aYcQmIyBLVDIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsr9X0W//xwHeVom2le7GtXsIMZ95lriiQsWC3\ng8n1RJEYPZ0qkUBdkOKLoPoXnLeVimiRkkyZugAbNFh4p7O6o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFV7CVj86lMWsDgaNZmyKvcwzntowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAscaVbGW7Qem65rVbmWthpDCpPlI997y+L9ON\n7emRuUUCIQD1okHz401vgerR3mrIaTD9MrBY4AUmMJZVkI6VcQe1Wg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUeMm/8qkdyeucfv6N94BhggpfXqMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGbldFr5dHhcSTcTpNmlt6SWlZwt/ElnHmTgXMdz+hED\nAy4nNXrUiA2OQy2IstSobmwRsSw4fV1oxoJ0fhJsL1SjgYgwgYUwHQYDVR0OBBYE\nFFRnbvIjaYV5gPBkoZtaHLeP9T3JMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoi9y\nIONsmF4o45kI7Eib62NRiwAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD9\nkQ5toszNZFmAgC075t29nsRJd2ZQZkCVItm2re+rJQIhANqVoqUbnx1QakknbNEe\nI5qZVYnURhwkPXjenh12A2YK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUX/kTsOCNqXSW6tbWANui3rRRGagwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLNlT5iINB8utGlo8qw/ruhLE026G47vjnIrXKK65WVO\n+uNI79yqCQ6RFqRRpj0719gDbc0AIHuqlDavBceboCmjgYgwgYUwHQYDVR0OBBYE\nFJQEYgJx2NGDnmgyiCUe2jSQaOcAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFV7C\nVj86lMWsDgaNZmyKvcwzntowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCb\njvY5NkjdblfeIlqve+8C8xNcdG1WbIU8TcY2yRv+qAIgW7yhAqSu60fCeVYM63gW\nEKr6lLTSYMPQtYLZibUbuug=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN9r9mNNCXedhsW3gM9Hr0SaUeJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASln2A5ShbIWzH76xCgr2VFj6+3SJVfwXdpX+1+\nxMmOpSlOoYJmfh91wxVW0VD+wkyW021OKN0PTsie5nSRVG2Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtr120nb1xO3st9WXtNwKsHJAFNowCgYIKoZIzj0EAwIDRwAwRAIg\nKYMcfy1NJhACE1DLhsstbQFNUYkYLaDWBkgnH+t0SEsCIBwad92PsadJGzyQfdyp\nIILF0xYVKZFSMnn/tr9WfmyD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFv121FBhYI+zAhW7EQJItXJtvn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyxh9dqHQZEqC5DUe5MQkItA8FY44T2WyTAqpS\nf0D9rpP/hjgoHSW1txSx5sZg1al/jMTEuC2HJ2t8mmxmXxH2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9vD3X1kg1127dP30aJtUU8xLI1cwCgYIKoZIzj0EAwIDRwAwRAIg\nOcdpz76BRKyt7vFKB7Ewp+VqScOWgLTeiSIEAxFePeICIFjpoml0Fv/i7OmXQUNI\n+UAmVsfIZaDrSQ6ovOOeJRoZ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUTnZ0Uaj5e9SBYtVP87Ck49njCEowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMTg4NzgxNDYyNjA2NjMwNjAzMDIw\nMzk1MTUwNDQ5MzIwNDgwNjY3ODg0ODkzNjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPM2VleLPCgnTXmWQZlSB28h0QeUCeyS3960OPv1J6p4Z1ydPPWfLwZic5VVZWir\nKG+kwEY1ntyiG2larAOhwIyjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtr12\n0nb1xO3st9WXtNwKsHJAFNowHQYDVR0OBBYEFFfmx2hK0smq1JNThnNRgu4OTNnU\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAMv+PgIFNMsJ\nBi0IUwxgH60tWF9hxgjaxTJ/GuK7Dp6OAiEAnDHDJXjxCF2MYxLN5FlUkO2GFNAJ\nc8G4u4BXGY4EFa8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUU8N4X71wBNuQ0ZTrQcunE6hYgw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMzEyNTAyMzY5ODk3OTgzMDMwOTA0\nMTY5MzMzMzI2NDk1ODAyMzAwMjI2NDMzMjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPZVURmqvkqIO0SjrbxxTc/yVbbNgqVlEnnLorde6ASHru8+qQ12fD30UI7Uftpp\nJtmotjwRThQPka1ufDd41XajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9vD3\nX1kg1127dP30aJtUU8xLI1cwHQYDVR0OBBYEFMM/kVcwwnbPpMgQNJKdkgyKdPBa\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgVEQjyopTqtZC\nS/79CWlRBDriRvfya5iXRzuzg93ExmUCIQCLMI6scW7Uy7WoS7Vj9FtBV6gLfalM\nrj/JcgZa0XYNQw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUMZwRZ5C1/75hQUH0Y/Sf4j6O/UswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE4ODc4MTQ2MjYwNjYzMDYwMzAyMDM5NTE1MDQ0OTMyMDQ4\nMDY2Nzg4NDg5MzYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKMFn\nG6kqbLqpK0Fy+idxO46Aena+XcHwkzIebBbDiI4eauAfqUgNdqDO0RJVgEs4i6Aa\nuk/h+5laeR9qbtGwjqOBiDCBhTAdBgNVHQ4EFgQU9y4TxGeZck0xrErnOAVmbQJH\nsqswCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRX5sdoStLJqtSTU4ZzUYLuDkzZ1DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBJQiYqWdd6YBb9eGQMrZ9uASwbcu\nFwYaztn6ZqGj/0sCIQC0dAv+pouDA8Hatm3zV6CvmdfmDeTQKp3Ouee7H21HJQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUXX10r54GwaEqHOYrRGXBZ1polvswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTMxMjUwMjM2OTg5Nzk4MzAzMDkwNDE2OTMzMzMyNjQ5NTgw\nMjMwMDIyNjQzMzI2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyujs\nwTSP9syDQWDJAs8fHYMrHdJtZPf/RcSUtsn2Ikzz/kbw8x2ZqwrzsFvUjNIBcYJu\n3bqSKyah9f2aUr1erKOBiDCBhTAdBgNVHQ4EFgQUy1cmTCuSzyXdB98QR/Ww+77+\n6/EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTDP5FXMMJ2z6TIEDSSnZIMinTwWjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOjchSct6ZeEW7SnzQ5Gqf/lC6p2\noSVO5cJFdaEjg54yAiA1YH5lACLloPGIgLADxq00wTUrdtUfLaWS9IXvkSWmrA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSgEk4JxyIw9/vKKNDndhRFFiGIswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQftooBgSde5Wdy3/9PxSvHxGWsREu5u5RJ0Xg\nFxh2bVdEwprZ6KKvI2et5blthgdrMuc8V8xOzCHwEqTj8ULIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTl1PtvqT6chIsAeWdgYJPee6v5STAdBgNVHQ4EFgQU5dT7\nb6k+nISLAHlnYGCT3nur+UkwCgYIKoZIzj0EAwIDSQAwRgIhAOErF4z8NjZP4j0b\nOHAL6DN+grfJMp++x6nUfC9q3oGZAiEA1jNhnaNHFE2QN0/fizNtkMj6JRFn/ZEZ\nrQPskplLjAk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUXQEMdGe9Sna+k1AewelOPE+ylBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDRIjT/umPzo2bOk4RbPRR5JYVhiDl8gWBqJAV\nONpDnf0eFAiOMSrusX3zx5nDpNPnqhuf8icDCsDKLOgBtdv3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTErU809ofK5JK1P8S4LUa8ikd0ZjAdBgNVHQ4EFgQUxK1P\nNPaHyuSStT/EuC1GvIpHdGYwCgYIKoZIzj0EAwIDSAAwRQIgLkVrW2t8bCfPjDB0\nJWazFhoAXTuHQx8yAoOdLTtAfpcCIQDjnhX2CSpLxf7ybjQjjtwWtmYPulcFkLjd\npzJNXeCXoA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUTYEEECdUEEwqGm7QlgBz6fDx900wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDrSRFa8C10pEbsWBGbAiqphB1YtUwByM/6eQ1bL5+6z\nURQCNz+bl29pQQT6lQqwyrnEYeG25mGlRAJ6K+Yei8ejgYgwgYUwHQYDVR0OBBYE\nFPaoGjPEPAldxeRRwfRIfU14Ls1pMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU5dT7\nb6k+nISLAHlnYGCT3nur+UkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFdd\nlQcVYWa1cy6ar3Hupmeh9gBn4AmUa73g1NBMQuxkAiAFcpfMLS375w5jlTmh9qC4\nuqnPTiDww2FEyxx4UcZfqg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUC1zBkIxRcRgZaj12xWwFOtIqb4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABND65DAfWdS97Er1Z1I/VBe8LaM4yk7f+wWWT21GSoYB\n7kJknI0xfAc5Dsgjt9IeU6bHFyBdUPbh1QJe8Rb9mZajgYgwgYUwHQYDVR0OBBYE\nFLhRHOsDap1mfR2JOtSTks5d73eBMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxK1P\nNPaHyuSStT/EuC1GvIpHdGYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCh\nFmIyjozf15iPYsJwEswOjHPVJ/l4qkMM8DCTSqjAUAIhAP/MxYdre3Qzd52bLr9Q\nDvXt23V9VEa20hhaOcJ2NbtE\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUC92dPkDKzEnSjB5YUuAjibCzZaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIdxm15t5g2YeIyTA72/NtVBTuQwPzJmrJeNiF\nrUUL0mFbjzEhfjOPjODnpQsITD4xth3Omgxm+IvuQhHpXB5zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsC3/8kA2v3lHDLzqQnAwaXXZ3sswCgYIKoZIzj0EAwIDSAAwRQIg\neofDK6/1gYdKzZbO5/3zjTlGY83I6dvq0VSPTspR4ewCIQCScJmBTIZEDKf4Pz7K\n24mhHXC0h2masy351RtEqGDRiA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI1VUc3TuvMbF4Pxv8s7P83tZ97EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTEdN9Ya+Ex2DerErCgyvdfw14aI+sMTxrqdOS\nNKMjrPhECmWjyQfSspXeH7RXRMSy7Ph5wKMEVC2OqKMWayCso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTKl68AYj8y5kjvfWKyArHSZWQrEwCgYIKoZIzj0EAwIDSAAwRQIg\nCVIdGe2cUMwNenu066MVcEYjyLIxPJ1LIXgGU9tvpZsCIQD/qCgX3o/ydSRq7Z0n\nPCWG7XM6HHnuxmLqHQXLa2S+AA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUaEmvhsyn/tweWzEZJj3zVeRi5BswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDLpHhBej9jwtDf/9brXEJRkQZIFZTguV3LudxqQ8kLx\nCW2DNsbri1GXG5i5357i7hcbFGVtFvqneU57W8Ls5bSjgYgwgYUwHQYDVR0OBBYE\nFHJbOXnv4ddT8srhr4lp9JGvuSYpMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsC3/\n8kA2v3lHDLzqQnAwaXXZ3sswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIAG8\nhMCDAn1TPBb3ZO1wZRZEZsy95Myj2C+Fx6wqS8JPAiBVD9EA9+7ljdRvrJJZOffd\nurfQAYUGg9kiLDwOdoDMbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULWTCTsP3k/hdK1XArbRh4AMLi6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGQUm8v+xvXWqxeM+koFoo9S7+EoQYrL3EagD6lj0Sr\n769b0yalaMsuiRb5HXdkE0LPjtaOupSXUiAcCpCTJCCjgYgwgYUwHQYDVR0OBBYE\nFBbk4D9yfG8jPPFVam2Po6CRjre0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUTKl6\n8AYj8y5kjvfWKyArHSZWQrEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDa\ndszGydyfYOzatB+Y9WJYHJlC6F3U8m+BVfr9ThATIQIgaHoSlfbWldl1ted88hzH\nIYBUBqQPmV6LKxCj6igqDeY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIUCHdgaOP7hg8jd1oRvGZY/wQ+Mo4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80MTEwMjMyMTIyNjc3ODE4OTUxNzk0\nNjU3NTMwNTAzNDkyMTk1MzI1Njc3MDExNDEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nHZD0/6PhYNCxF4UJeRtVJ/bEumilnqShZGEpy1r3MjA0knKVuhm+mzuld1hl27d4\n2JzqX6ZMScj/Lq5w/N8hkqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFAKUwaM9nwAF\nHxdA9XCJ3wR1IfQ8MAoGCCqGSM49BAMCA0cAMEQCIDJnftzO722Q40mcBPyKD9R0\nZvCZDwddvzLeNt0eZW8aAiBt13jG0g1rn8HTS0WR3VWKPoczTryjH2SeCAX5S+N+\nOw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUAavmhN/DUXGJ95mGk/gdCEthOnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyODczOTkyOTc2MTQyNTg4MjIxMDQz\nMDg3MTI0Mzg3OTkyMzg5NTk5NTM0MDMwODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNNDsJeW7RcwrBXsJHQ/9FMzOus3YPBZyLAGBxLzqWHXtksZG/zn/eqGcgV5oyxT\nK0C1CXlq8K0K5aRQ+szA/t2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQNJ5CtMaoN\nKOzZ4NWX+kkPHs5NNDAKBggqhkjOPQQDAgNIADBFAiEAnmdXsDu8k7mVvNFIez12\nhuWEQ3hEHOZP3LN9QFjmTHcCIAT38U5b//XVuU2seoBjK1EWjXImQyqsag2wqJRD\nRDM3\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCDCCAa+gAwIBAgIUHSBuATCx08wuQQlrC7G4uJUtZxwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDExMDIzMjEyMjY3NzgxODk1MTc5NDY1NzUzMDUwMzQ5MjE5\nNTMyNTY3NzAxMTQxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUBJeF\nBjhGo5t5MIreE6dKUhIOrDk/R0ms5Hbeuhf/GmYrDExaxy1LBszLmeQbmJALfDvZ\ng43kvJ93V64Qwi4Vo4GIMIGFMB0GA1UdDgQWBBQcFXHfISkBDhGEu03zi5ZYGB46\nUDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFAKUwaM9nwAFHxdA9XCJ3wR1IfQ8MAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA7DzBRRS7aHft0Qx9qnib9W7pBJqii\nkkTYaIwNm8IyFgIgeQzmgf0erbBZMpyH5C2ZTqelqePgM0EMdXwXLLbqH8k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUApHJLRIOe46TYBZA38a039PuyuwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg3Mzk5Mjk3NjE0MjU4ODIyMTA0MzA4NzEyNDM4Nzk5MjM4\nOTU5OTUzNDAzMDgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjZa1\nHgZLDRJThIzyJ2SEhXZcJzPX2yC2el16sIBQGkb+g1s6EaEkn5aT1lsfKfOqe27B\nbS1MfpkYv/pHwzCbgaOBiDCBhTAdBgNVHQ4EFgQUOAAo0GumUSsoFVXaCZPgelZb\nzh0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQNJ5CtMaoNKOzZ4NWX+kkPHs5NNDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbyvnJEAzCP+hew+04esRkSz9Fbrt\nHGuNbfSqVn5Xen8CIHJ0KAJd/z9HIqQt1c5a+3kKj7H3Q0+TMiMIgtAW9wZA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKKhzPUpzcRYEgwdKm9CA4eYRPmMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLYHAiWpehqzW7R7KEkmBiguI8gI76ks+k0KqP\ng2vXwV/+5fVxI6jxx01nNqcfrt4U1KrDhuU3M4OTXWP7w9yao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUrDP9F49d7XtZeNgg/UhDwlCs7wwCgYIKoZIzj0EAwIDSAAwRQIg\nYP2llMeUn8OW0VMMhmJwWbZX9z/MAiao2SVvPJd0RMYCIQDlqpf2koChI2pDfDY+\ni/AJ6aKrmwpifGqdAUoSJLMkgw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURKny1LiAVxNKzLf9AUdV2703yVwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT67N2RhnVsyTP9a9GBUtQwvJnRh6RXfEEkeCga\nBY6LXOWvwClntBAzrVX61mvhZbe3/FSqEOihB+2CF1YmA91No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQzcYA2+X5AV/Sc8qjF+oUizC5N0wCgYIKoZIzj0EAwIDSQAwRgIh\nAJfAv1WzMMZD2DhaQ2ViBM5YeTBEkUdHYrGC0bpUymTnAiEAz0bZV2KKbpMTkEjF\nuUmQVyLqiJg8BJXl/aRzhlUdfr4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUeOseYwj0St+oCtquEEf+ZduOkqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyMzIxMTYxOTQ3OTUzNzU1Mzk3NDYy\nMzA4MDAyNzUyNjEwMDc2MDE3Nzc4NTIwMDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBL8pdhzHlY+2ZMYlq2uV0y2hA7RqcuM9piNrwirZ7BudEmHRFw+U1sgHRDyluTlK\nFQTfWuZXU8uzjO8P2g/nHTKjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTze5zFiPn0\nySkLPnDcmSzdznJAuzAKBggqhkjOPQQDAgNJADBGAiEA6TY7zRfZoqu1kps9CEof\nDgQdEj/x0crzQfbIaThxKykCIQCBCRS4pioEbnDIBFDmV06h60qn4RkoNhyr6ZzN\nq/Y6/g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUC0AKJ1Q955PDggfVrOhRxY7poNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTIwMDEzNTE5MTI4NzQzNjc0OTc4\nNTMwMjE3Njg3MDQwMTA4OTAxNDQ4OTMyNzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFAAKj1913f2ryVdshnKn2k7pqpZf8EhW8GDKlRQtgP1vMZlG6Jnq1ftFhCExfrT\nDUvQlmN3KEhB+aovK2w6ay2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQIjR4eiqki\nTzKbZZvpA11roOK0jDAKBggqhkjOPQQDAgNIADBFAiEAsnwtGJ0qLsmPYQyehQzw\n3SvKnoQ4Lxfr+uCvAgH/aTwCIFf/9T0b0xHSD49d6L5JeOSjfRMIvobUjofHGJqV\nX/Yf\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUH3NGUgnFtYeESG8WivvjNJpk75cwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMyMTE2MTk0Nzk1Mzc1NTM5NzQ2MjMwODAwMjc1MjYxMDA3\nNjAxNzc3ODUyMDAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3siR\n3DjE7nRNci52tBN2gLKOWTPzEiVz4bUeO1Hm60wnUcP85H4zFWJwYDw+evIhCTnn\nZsR/EeS7bbF9W8mLZ6OBiDCBhTAdBgNVHQ4EFgQUqcTyU0+LWqAawR4YHK5ycwOc\nzzMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTze5zFiPn0ySkLPnDcmSzdznJAuzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKJylLgvG3Ii8ugGJaYEuQFYX3mOB\n3zoea5vrIH1bOi0CIQCpF++1I6jeKv8khqt8I4yTqml0JSz7R6OQY7+APlF2rQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUZhAcCZpS9AGh6JdK9LlndBJ6UzYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyMDAxMzUxOTEyODc0MzY3NDk3ODUzMDIxNzY4NzA0MDEw\nODkwMTQ0ODkzMjc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP6LU\nXqn/jXMU1vhZlF0bX8bdOihHSuW/Avm7rjC865quJoHSlqLXAbNZmQSRWEBXcmQo\nj8pUrmIXGSwAIOI7u6OBiDCBhTAdBgNVHQ4EFgQUSB9J1bM+86bclvmmRzLPAIjK\nytYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQIjR4eiqkiTzKbZZvpA11roOK0jDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgJG1PA/+k73tww0myBusDKvKi7zhc\nuoEC7Fun0AfbXgwCIQDSOxL8SU0K4qefhdyHujJpCi/0o3ulg7o8dMFlcxTN5A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVbFlcVsg5lH7cHRZdtxA+Wp3UV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuOngd1rmMa6Dwavb0xbuAm4Rg6e7h2xJZhR69\nHx3A1mdsU+eble6In6j2erHvbnasUHjNkp/4UZLJuo0tutvYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA6YTfZSAb6ZHC2FKkIcUkkOP7l4wCgYIKoZIzj0EAwIDRwAwRAIg\nKfa84b5QsltnwrCeHCFl8Sq+z6oIGjfD0yO86OM6UgICIB4OLt0KjzHvXFERktGy\na0rxLCxRv0UIoBfVaLhoWeSC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWxNLK//fhLHNL59rtqtFFphoFfMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoIkpverRUNeAS+vDQ0VNViL0UELWMMbOn364S\nfUARInsqdL+3rDfaTYzl5S/JoB8YBwi0/A0BAXRghCkmbqBjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9cVhvlncEmn/5Vfj0YdGidsC5HswCgYIKoZIzj0EAwIDSQAwRgIh\nAM7JiZtByLb5ZM0Bzs8TnIyFd/lx43zEmtywdM3QLMF6AiEA6UPG7lelrkQxnUx5\ncCc3wdFGomRM6CCUp/sntTUC42I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmzCCAUCgAwIBAgIUD03S2bdzLSbXsWgwPSttmago8YIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHfujAJQtWnKVY9ZpI1xfySPoFh+A3DODNhOkfowKgqT\nALdVMw3bTW3lsQZNdrEMNhU4MieZu+zwATqNK2HSLROjZjBkMB0GA1UdDgQWBBTS\nwBlR4W4nf1uEBJHOllsNj7ljzTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEA+TKpgaPYSyL3ruzsW+sQeCv7c7gLTV/bg/vpnNSo6FgCIQDT\nynshb7bFBDB4R1bLmmeOPEF+0WxrAUX0LRhcmTzKRQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUNRXK1zjoZYKS6SVwRCf2JAoC+5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPgRwycd3DUyKYssecznUbcsKL116AfA/dpb+OuS35/e\nAKMd++nRNRXSDV1Kft5uIH89DBL9Ip6LG3+SJrw4Ew+jZjBkMB0GA1UdDgQWBBTz\n/eynk1Nav8I3QaoLCyVBPlZl0TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiEA7vPmwZ/k78QuGM53HVRMqmVdxBoPqji2xogoLPtwOMACICgu\ngEeNMg+wqgzAmVKivc9/SCRXJ/HaMoClFzpAK4Y0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUWqMBhHO9d3LYhqZZHtI5VOMRbQQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbu4jowXE4v7uBvrl3//xMkcIPPEbd8aqUhjZR\nWAiy/YLnS3WG8lSTE+C8kg3Y6VpBhVmha9B0rdUkz7GPViolo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUDV1LtoTZWvgF1Jd0bwYZobnGsk0wCgYIKoZIzj0EAwIDRwAw\nRAIgL+U8grriFQh/HkE//LRB5sP4207KqDQe/YtVxs48z1oCIDBOFMV0LThsYSIk\nIY3JygyU+3qySOegkWtKGUthx3Ew\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUJraj8dHNr92SlhczVY8spW8LXNswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOxtuZH47CFwtyJaqUArAFL+7nbab4DaiJ1YGl\n1NnPOvIRh8fK9iXccx9UqE2Jt7kuy533a1FW+bLHjNBvH8yho1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUr7A85sEScPxRYMXSh7Hc9Aw98XUwCgYIKoZIzj0EAwIDRwAw\nRAIgfOaBcAQ6USrMiBr8Vg9/dzjjCCN4Bs7QxXw1Y/TnyP4CIAjM+Caj9Z7NEiWX\noHGGpgJfuYRY1IzSkt8ggWrCLNH+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUNACIXmo+vVUIOWJgOhrC2j94cbIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHnVjE6L1rglMtMUyyc+74U35etsLEZo0fWRFO/OJEEH\nFMK0aDDq8Rqh7ZwyRHLpDyZLT6TPeLmkXgu3CkZtib2jgYgwgYUwHQYDVR0OBBYE\nFMiTBkAY6xkXOu99W5SsnKA9CLYTMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBtnQ\n5fb6w1inYJZQuQGR9d9jg9YwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCK\nLtbwQfQ6FaKAarlBfWaGdEngTWzI+9wCm8cQX2cqWwIhAJscAPR5Q26iaTeRXyVZ\nGUrAigwCdcW3srUUBp25KTJY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUanszxVcG2cHXikd5WH67u1ccPKcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHPevZoMV21yJjCVlyyS0uuuoeWEeaQzOpnGL87D1Zc7\nLG2owUKXkEAca7iWgCcFK3QJZ/vUKjd8J0R9Ou0sv1mjgYgwgYUwHQYDVR0OBBYE\nFJZjPdQthyT1dXWDgwr0ACkrtnWCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZM7k\ncgvpfS4MtRMOr6uxQm0FdbEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCz\nYMBZjDORukOqH8PnpRtgBQjqUFBqP5EtfTBF0sH2DwIhAMOg90xtVqtsC3AeE32M\n8/z/9LY4tQxZFw0JTDJ0rSc9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUXpxA/p62UKBkomTaSEvKt0PdNvkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCbrARnZwwsqernn5j1xXHnl4+yvhVFp6w2weq\nwl3ddC9jHgEBsReXtkwnJz2zPR9Kn8uX24iRNPBw9lau0YXaozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAc1ioANtdIPBXdoRxsYNz90wUOQsvVNU51OnHHC1BP\nHQIhAJRYcEZ1we08QOImtF6mdrGxxuw+2puvTkYDC31CAgTg\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUbJfyeboMC4AHwv2TkzvL/Hix1YcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpTULLaDbFw5O1uV9DSlShkPzLq1yXDjTITNWT\nnEYraGRcGZUyEU7My2nJzS5q4IciLZOWzoyKWpcrT3ttCGy5ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAokunb2GuEgp4LoW5doltOm82XLrFG2DCtq+3v0Ba\n0NwCIBNJp6yrDwP0TZxothp2YmqInm9x8zDwwwc/vaHFykdc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURPVtD+pqVPJP1MbrrHm3ieBmUbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMtBTIpZdZD8giCW/FcBpCJQw5i8pqzwXfFhReOH0ooE\ntQweqKkh6638dkR6o6y5a88jbVAEj7gsWzM9nk+kzEKjgYgwgYUwHQYDVR0OBBYE\nFA2wZRqGwPP9F+hAhMSGTj3HbBrqMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUEZL\nEgz8v9EVe9Y2w0+CQ/2jVNQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHG6\nnGFUlym1nucNhi2Fe+VrUypUM8cejoC48wFs1wprAiEAkqmhtNTf6EahIlog5Gem\nHnxEjpQnPNUxAAUl4+xT+Sg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUIg9TbDc6S729KWxFfN0T13iLEJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNZVLZwqUp2nhYauQthMLTYAqBghbu2AhOPZ2LhideCS\n4kCbRfbYiIC6GfPVsiltkcfj2FVo+V6mS96jDdZ8RNejgYgwgYUwHQYDVR0OBBYE\nFJzqNIpKXxdFDyEDe4KflbzGIgCMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2Ziz\nqABkNdsAPZFQu2csQc6obG8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEOb\nYRFd6XuojbWVhxx6a83O+syLVov9XicAdjYbKJXtAiEAlq69n221vSTr/0ODkfEp\nvQN496c+OcsuQ5O/GCDiB1g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHHyoANj5Y/lGWmVmMXgKDXpb/08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHvATbBYBn0J0OONwKsoPqUIkqHQddyHcaf68u\n7AQ43/MXHCScpx641eLufU/dRsGN/hfA//811t/C/SiRanhXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzbFvoVVuJQyPEG4ucb9vy2klD7IwCgYIKoZIzj0EAwIDSAAwRQIh\nAIkc8gviBaQk6fkZjAHSshaS9x7R+82AvxoCcUZGgt/gAiAeM+heNDW883y32i1W\nGtRRFRNjizy0RvcvZqajwJamzA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUcx6OcB3EaO/U2A/PuBZlgPtZ1zYwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw3vkpTDABj8eD5rcal/TItwSZ25LXz5m\nPUX+9saAXOc0KIq+NOrDvyjnWRLgiDl+dfBzHsefZfzWkvm8kbn41KNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHeWHYiZx/51Af5/3c5KzhtGNqyTMAoGCCqGSM49BAMCA0gA\nMEUCIBNw+Rc0vfd6ZjJfFs+KYnQgYPG1oND7L+Lf1jvY1pkKAiEA7zE2xYINmOoA\nWQXfWM2xy6OiRv9/YPY8DXfLONxnj10=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVRwyLdmbkWtYxOb9MbIHL3UZEpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiNxcsmmNJ0s/zd/PVrS2hAK2UHM11K1UsyXoP\nQnr/wT2ZIT15xaUfF2BpTbcMED2Gj6kwnHtjtRaRopTEDRl5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQGCU07J9hXeScn6HWC92n/YrA6IwCgYIKoZIzj0EAwIDSQAwRgIh\nAP2nRd8zYj9xXp0vwL28p/Zi6O4EQJgD01BtvEsw3EJkAiEA89Il9VzSRwJ+LV08\nh0yLU0UfKuoC/+0sr4sg8chHT54=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUPCURmUn0ittHr2E/x05JhFCqkpkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXl8YEbg+2fUvxyYUEK9Bud20a8JGLN61\nwczMwP5rVW3242ss14Mgv8xjtMtSGP/wu1Y3LSG4yvRpg7NKYeV3kqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFEmbv4RMN4QlAU0edHCmOtN09SbhMAoGCCqGSM49BAMCA0kA\nMEYCIQCw8nUmdGjB7mxJRwGDRZwQ/90gAfFOYfeB5gs9rB3/1QIhAN+12bvrl/x2\nAvAHhqUBqrjTSeE3G8piRlGvDCklU2E4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUaNfdlwpExoHzf9Dyshx6wBdiR2wwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHvATbBYBn0J0OONwKsoPqUIkqHQddyHcaf68u\n7AQ43/MXHCScpx641eLufU/dRsGN/hfA//811t/C/SiRanhXo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR3lh2Imcf+dQH+f93OSs4bRjaskzAdBgNVHQ4EFgQUzbFv\noVVuJQyPEG4ucb9vy2klD7IwCgYIKoZIzj0EAwIDSAAwRQIgJBx+C6dAdXph/fc6\nHPfR/pdt+CoJNwlG4lwb8GADfnECIQCTFHTwHHISCn3AUPM81NOC3wbIalfntKr3\nV8A/bQTKWw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUW0rxwUnlR7Qc9Ns2kEPBHFVqJ4kwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiNxcsmmNJ0s/zd/PVrS2hAK2UHM11K1UsyXoP\nQnr/wT2ZIT15xaUfF2BpTbcMED2Gj6kwnHtjtRaRopTEDRl5o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRJm7+ETDeEJQFNHnRwpjrTdPUm4TAdBgNVHQ4EFgQUQGCU\n07J9hXeScn6HWC92n/YrA6IwCgYIKoZIzj0EAwIDRwAwRAIgcFqmDCcwFO1P8uRG\n+AQs4/4w8ByFJY+gzpm+SQFr5DECIH5DluJZYCfcQB/PZ5ajWRIGDO7W4g+zmHUC\nwlths754\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUfIjMUVLVXRVgMC/AOiny5Fd34WowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDZfyVhp4U6bUD8Zpboj314l09OJzfczQdsIuyzx2TVG\nU2F2Wehc5f1GRoMPfrkitiIMMl41ODmILGlPiY4W1+SjgYgwgYUwHQYDVR0OBBYE\nFG4dyxH+BXvRQUTOtv0/DJO3hud+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUzbFv\noVVuJQyPEG4ucb9vy2klD7IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDM\nER1JufaG9iMHEQd11Eks1GsNQ9PVy0itgHjh9K/42AIhALoS11To+u2ZPgtYR/w7\nU5BmyHnZe3R1mTAp7NjSSm6K\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUEeicY1mY2XOiXwjN5Q4KDaIAU1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE2oHem+iZIdZx+iJCZJJQurQpIZSoUtuWhlIomjIkxd\nCxs8HU1txNnEZ37B1D9xtm3tSOHiHZ62mdytMeyJllujgYgwgYUwHQYDVR0OBBYE\nFPP9YqI6BvAqrk8yIaMyzyj2EWFoMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUQGCU\n07J9hXeScn6HWC92n/YrA6IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFNi\nGLyDXvH7zk3JWXTbKFSBTwVXqrwyTlsxlmhKutUkAiEAphPoc226eMaH67Ng+AL+\nddCSAkP9y/eQJNgNrlnDZA0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUPD0GkFFc8yI7DqgLZ/kpbHzmHK8wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOKNDLRkShTl\nt8mu8uiJqsjI74+rKuOkNeoVQQeXXaAVijkMxKWK70Z4V8fWTafmSsQPc9HImkWU\n20ePzeEGRjijVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQTpuAf/XhmgqI+qn+7JOx/3B7U\nvjAKBggqhkjOPQQDAgNIADBFAiBqRpfDr8UOcGEYcuEa1akvWuUWBsGDHUpgrYeo\n1dn/GgIhAJJ8SLTsWsdvwBuhRutZCBdO+SqrzWCbh1HojT5TMfME\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUOliynNNtvZ/Br4mCpl0ZQKN2MtswCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEDO7putMvPr\nrAlnkWP0eJXxfhGjAsxL5kc76/JXSjKJTdo0g/sc7R7TZFUTo/RnO1PeeezImNwe\n78ki8yGgrlOjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQwg5tcqII5WaUsBnPavUR/9sCg\naTAKBggqhkjOPQQDAgNJADBGAiEAquU5U2zq/3oObzEQg3ZEL1IoK9ebDnNaWAUA\nqWfMAjUCIQCe3uTj5z7JIRBmwdOa5cnmMS8YGyQ4IjIvDQXM4WwtlA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTieiNblTl/nrWoAy8z8gN7afDOowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBl4RsjbUffYoH17dFu1J6vE3Dl/Pf55CcAuxJ\nIIDrMRPzdSHu3fxLCRfEDKiM7xTj1cXxpngdNDmisITtfsUko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUszwx6CvLcBT8fDipIrG96iw9MOMwCgYIKoZIzj0EAwIDSAAwRQIg\nbeKTzDAJ67cO4jhlXVcdzvg3qOFwi5qmUBqTxAc9mI0CIQCExyLVsGYrFKOQyM/w\nrsw+OcVi4CfJ/yJFP9HDGNjPBg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUD50e8womdjcoRXf+slrsu6SHy0MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NDYxODUxMzk2NTg2Mjk3OTE0NjYz\nNjkyNjI3ODA0MzE5Njk0NzQyMjgxOTQ1MzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHBMAMFRr17u6eYGnVi7uvpLBkNLeeRCF6LJKWmL2EkKOE9MPtFg88wQedKECwnE\nbpzbnCcXqJD114a25gSWcmCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLM8Megr\ny3AU/Hw4qSKxveosPTDjMB0GA1UdDgQWBBSgbu9zKzEQu8dDf/DQmUkOaT42nTAK\nBggqhkjOPQQDAgNHADBEAiA7G83bw/k1o94CTBcc1ft43/CxPjQwilHQugxdHPFw\nBAIgJIM8sDTyHYvqId8bR25kzlkFhs8AlHUMiO2v1aR71TI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURNf17TQJvBjJUaru0yCfupACjCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATatsm629u2SRYlquYyZwM/BIAS2HVAoZeH+xXD\ntvdldTynsXUfhus9FecueWpHMsdDEyRB9jDpnOKldr0tyHT9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU9YMfE5UwT2b0pdtcFZ03p3xBcowCgYIKoZIzj0EAwIDSQAwRgIh\nAPshWKriNcdCWK3rnrPa4pjzLH/TScSXChSxPpn9FembAiEA8yj1h8s+HkYj8gdq\nFDOSctEbSgHl8DHPow3AOPUsFHo=\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUW3804/i85gmrVKnLDAcddbtBOuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTMwMjc0NTU4NTk4NDk4MTQ2NTU0\nNTcyNjk2NjM0MDAzNTg5MDUyOTcxNDQ4NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBITDIHn+uGKZqbHaag1M9fqrssU9U5wUvgw68Lf4NPv/1oKlmrFaWSlCG7EyByWY\nhFxIr1Y5gXdL3nywJVt3XOSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFPWDHxO\nVME9m9KXbXBWdN6d8QXKMB0GA1UdDgQWBBQQPu0LXE5YTJk2N7vA/7GdVPa50jAK\nBggqhkjOPQQDAgNIADBFAiEA8kxazKSUWfe4pFTox9NNflMWByob0FC7G/3mI8m9\nYTECIG8bG9BhFTGo8iIeIxHi0LnV71oihtucuedPvq3rWpWI\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUEwWMEjGLWOqIyN/+7ey59+5bcXYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDQ2MTg1MTM5NjU4NjI5NzkxNDY2MzY5MjYyNzgwNDMxOTY5\nNDc0MjI4MTk0NTM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErhBg\nhFr0v7HsiRXgfQLP4+622xO2UKvelqtSp5k2eze9Di+zzGKtA0WteK7N/qnLoXvf\nF0/nVC/f2m7atBoiRKOBiDCBhTAdBgNVHQ4EFgQUHgT9tgmljV96fCLbEH/G9pRk\n9S4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSgbu9zKzEQu8dDf/DQmUkOaT42nTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ20m1DAci+TWuEikOusv65/vAAw\nCj9GC3wnQu7N/p6OAiEA4dK1TIyGDu51HVxk06cwL6FRYHamf8ylRrYT3klJW8o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUOlUPUQDecc/BzL9IhknsbUEwAMwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzMDI3NDU1ODU5ODQ5ODE0NjU1NDU3MjY5NjYzNDAwMzU4\nOTA1Mjk3MTQ0ODcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOALu\nFoJ4K8e7RjmX3B6LXSSX9r2c3w3ezpxjzPfpqPOt4Kw6CO/vyaeU7AdFRd3SeioD\n/jGggfvZrInoI8XOEKOBiDCBhTAdBgNVHQ4EFgQUsEFT5kqlPohMK0wJK0bHwdS2\nOM4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQQPu0LXE5YTJk2N7vA/7GdVPa50jAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKwxqVCA9T68OzwIA46ZbogH4LNn\nmovk/FFwxXiv8vtbAiAjZMpg07eS8oHrrX9M40llq3VHQdbpal+q0gmqBBJoZw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMHlM2wK0bb8tYJK+RNmFZ9zMWHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR4lGsC/QcSkTMbbGMl4jJ9IUllpWMdhN+PCYuK\nBc3fKQOOWihcOAs1a5xzb0+ieWj5rMj6M/UDEMNs/qwVduIjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOt03Lfz5VvkjRea6kfz1bcf/4yowCgYIKoZIzj0EAwIDSAAwRQIg\nTLW6xc0bfe3HGDtdimEqllz/cgHWaPvBzdOrQtmzLs0CIQD7MpjudrjFBAGL2U8J\nH77i1HVX6SzKa4BSJOxZ7qTb2A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeplm8C/OT3zlh1ZF8NYousA0B2UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASD2SdfwkcnLetgXp5CPUWK/nA/dEDi+tE4zWtu\nPdrn9c91gbMRlGbb4grV2MEje+432Ei1dEg6nEgrMr1kxO8Ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUALyDVEGss+Zu1fvJsMdLeVcUslkwCgYIKoZIzj0EAwIDSAAwRQIg\nanysXOw7VVF1vYocv6P1kx4qRvTW9GqihfIEqO+Vim4CIQDY6JuFTZF1GluB+XfQ\nmTwm6TbIQ6/6pJcM/rl9tdAIbA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUHFqJgBnIlnphWlZjrcQaeuNmrT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAyNzY3MzY2NDIyMjc3MzA5NjczODI5\nNjA4ODQyMTIxOTUwODA2NTY0MzcxMzk1NzUxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGHugDesOUjvX8N/WlIfi/m0c4FoFD+hVQGWQopLultkPis29tnIYJJnaapp\n9zoFEBOr+nLkD5jCYmiYY04xfIujdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDrdNy38+Vb5\nI0XmupH89W3H/+MqMB0GA1UdDgQWBBRctaspHDhWWAIU27ol3/eX36DhSzAKBggq\nhkjOPQQDAgNHADBEAiAq+ci1J9mT4wiltT093npO4fkxeI6zek4REB7YB5ayKQIg\nbQfSUdlI3oGdE6XaXbMVREMhV6gCquhYPhSItqvBhtY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUCAQEPCdVWVtjb8dbUDX185tL6SkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA2OTk5MTc4NTUyNDAzNjE2NDkwMjc5\nMjM0NDUyNTE4NTQ0MDE4NzkwODA2OTk3NDkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKnAHf9bvy4NOmWYyWGH9PzSiuj3nOJnhze7W91XrJwi8KkBTHm+1F2Nwium\nN8YFtndrbeNC2lkDkYzd2KbjXRSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAC8g1RBrLPm\nbtX7ybDHS3lXFLJZMB0GA1UdDgQWBBQDw2Cl0hwjakkWGf+LNDpDEe8tQzAKBggq\nhkjOPQQDAgNIADBFAiEAvNUcUkXV01yvZqhhshcgWc6gw1U6N73UIgGrdaN1X/gC\nIHZ/u9ZE3XuBCn/XggCiAffVaCbAE0aN5s3Nb3oBHgye\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDDCCAbOgAwIBAgIUa78tFG7xbyZmeMsqF1zNO5x9fLwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjc2NzM2NjQyMjI3NzMwOTY3MzgyOTYwODg0MjEyMTk1MDgw\nNjU2NDM3MTM5NTc1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWeNeYTmruy/D1Vs+yQj2Xhh/xMZ2utOzeC34NEgbzmCzzvf2sgZHU5FopYl9Gh0m\n1sgfjWjss1wexkZ1IkV5raOBiDCBhTAdBgNVHQ4EFgQUXMGsGc39a+AHzVELI5Ax\nXG0xD04wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRctaspHDhWWAIU27ol3/eX36Dh\nSzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbia2z5/brerSmoLrf07QXFS/\ndfbezEhiWC0TuET6ou4CIEvmxBA0jQXX/3Q3h/wd2oDihWURgKq4+uLkcqiNv3Oe\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbOgAwIBAgIUBcpv5/ltsnmpvTUvc7lNZYofHEQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjk5OTE3ODU1MjQwMzYxNjQ5MDI3OTIzNDQ1MjUxODU0NDAx\nODc5MDgwNjk5NzQ5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqUzAgRT48BO9FsxO0hlTzMUCR824SZgbUGRTygdb1Hi4pzeYWOnIz202c0XkzFH/\n0vwZYw5pNwcfdgE+5jXLcaOBiDCBhTAdBgNVHQ4EFgQUX/r2L+Ehoq5R93BnJfxO\nb3QdIJgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQDw2Cl0hwjakkWGf+LNDpDEe8t\nQzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANf8Rn14f/bKoaslajsABdtI\njCa+SRZiwT0eVpmOF/VNAiEA5Op3KFdmXaOP56zd5uffD4hBgT0tYPnGmoGVAUzs\nqUQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFK0qra/Yf3LY+7X9jkkNY4sDqwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3wiOEENb97eWHUefkn9IGJkBHFOQ1EMSv8YFC\nUb3AWfjnW1YthwOnfhOlYgQm2OVBvnPu+5cfE/0q5UDExvZyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEWHndgq73Nqc8ll+3vvMNgrgR+AwCgYIKoZIzj0EAwIDRwAwRAIg\nBvwl3oM4cKCc6OnyGW+heVqoN3ZhWvfPW+wQsFYzBFwCIBMCrGRbKcFiW1P6KwE5\nomTA0q3OKLQC1NbE/+KUHqRo\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBdqoHv6tpX7+cyqpOOsswGZYviwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFMEyUCDT/rUR5t9gUg9jUoUdIINIu12kpcm/B\n+nDHlw0V1YphWQgB9AyV31LLzaMwSUWJYOb5ERP/0McEJIDyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDvuNNYP+ehSh1+uQof6d4JmIJS4wCgYIKoZIzj0EAwIDSAAwRQIg\nFlcMZaP/sLDukqztOZ25SvmGgXICPE2Wq0y+qHSrRnkCIQDLeJ85T93wvsYZs0i7\nIkzgcj+ujmcTkUed1V/IAIUA7g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUfxb68c8PeOACKG5Ig/rdoAfDg5MwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTE4MDQxNTYyMTU0NDIwMjE5ODg5ODQ4OTQ3MDI2NjY3MzE2\nODA5NTM1MDQwMjYxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nj723s8qWbSwxxU10g1YwmEk1UwdG7sZcvFoK2hirXjBEbsZ/xuV3ORKeebN9dVKY\naFWZBi18VaCQvufADXACrKOBiDCBhTAdBgNVHQ4EFgQUmqNjo/Kbn0BFwxDPA5LN\ntxWNPLYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRsxYRatySLuXlLCa2k+ZkeUn8P\nLDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfJK2kStJVFORy5VZmkxHaGTL\nm3A9WCTgA0/p2Cv/xuYCIQDRn9yki2A7cf3zlAxAUND+pTppwp9AJx5hfdFOK4RT\nsw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDDCCAbKgAwIBAgIUdSzG8qG2JBNiBc9qLqLBE6yTw7kwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMzM0MjExNjE3MTg0MzE5NTE3NjA1ODc2OTkzMzM4ODE5MzEx\nMTkxMTgwNDA2MjAxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\niRM1aiOSis2UQqlpWsppN8o004X/ToeHZfpd0jHIWBXkt3ch7V/WAE1bOh1N5kSi\nzU/uyVGuq/TwIRuW1oKOo4GIMIGFMB0GA1UdDgQWBBRZnmDVjD0qh+zna9sH1C07\nyVdm3DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFKAv36evh8BGj3NXj6AEvblQFn5+\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA071Ehjnt4bq36gd8Y2lSEXTd\nT7SdGOmlMI924FXvdRMCIFans6RjSb4806dwBhiOFQxoFLicxbXmoVKMC8CZ97SV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUDsNpwPz1mlz3Pby5Nnk2b3UpnUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkFHAHjWdXU5lcm0Sohc09chofylu0IEtPvyWA\nu6bOcxcFCiUro27tC2vrgVwR3hY5S3tIHxESpI0LrIbFMbv0o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHrk134PARQf\naemzxI1vFzXojDEPMAoGCCqGSM49BAMCA0gAMEUCIQDtBUEwYcNjb+kYdKsRiDF4\ngrfiy6icUwE9C8lEEUbQAwIgY9nowMJwBaHtPBNS7g8gKhLESbtwwFIZhD0PAFLi\nJng=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUI5hedBf+fPvufCfWMeAJPdDCK5UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUt/Vo7UkCi682eQXwaNYse6scmmzgJZi2wZiz\nmQynYp5RabJyB0C6cx3ghAXnNS8M1WXBiLi1DV6UHI6dNQf+o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFAyqp/FDgogn\nJixUZt/WvLz/bHhTMAoGCCqGSM49BAMCA0kAMEYCIQC34bgzGWycz++2ReY1X/8J\n8VQZu2ko/FcK7WoPJgeO+wIhAPReH8EIKt3lQcN4xkpDZyVmGoCFPfCIJ6sZTo0M\n3R+B\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUP+1Kmf52ZGyJF1Hx1btqdDT5o3kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFG28qdvYpZYGHvP1qWmPN/dVcP3voonnhstVOstjIXm\nBjvfXq58I+l42l1OQp+K/zgQu2oDtyU839XxY6WYXOyjgYgwgYUwHQYDVR0OBBYE\nFLkStUEDZZFdlzGuJcHbIOcqJYkHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUeuTX\nfg8BFB9p6bPEjW8XNeiMMQ8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDy\nde/7VHpCT/24i+SGqOGWRWK4EWhcgFmnEo25FMNl4gIhAOlnT8psrQHg4TPF+94K\nd/ucqAYG5ytQAG7JH4i0Eu0N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUS025pfNrU5Y58otFi7h1ogcTQwswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJRVu5O5pnP7Qw6pm7mJRRitkhx9PuySJ3FLpU0EkqSN\nVc5exYUtG+YSWXnhj1BFEsVIDWJb4Lz6SpJs2uQTLLWjgYgwgYUwHQYDVR0OBBYE\nFLyb/ASt5AEe9b78yzLZZ5teQX11MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUDKqn\n8UOCiCcmLFRm39a8vP9seFMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEU7\nhp1M2O6cGPMXj323I/8kiJJv7L916XTabYiCBmx0AiEAkiBI9aVa3rifbiP4j/lv\n8BS2X0kLQOUNprZ1otiQLnM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUEUmLS9g61xLKFaa45jn99CZA4KkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnZuEGgY7xir3nhMVOCzdqofLEVq85ZTiuNzgH\nA2KlbPGu2W73kXK9BlOG2YZcJrW59zxGd7ziSJL7toN1ZrXGo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUCoQUIFeRimSHQLheino8BxFmxKEwCgYIKoZIzj0EAwIDRwAwRAIgJr4q\nclx5esd6qftDDbnWIuR7t+8svnuYUIOiHHepRy4CIARPughKabszGWfk0kHBFLBg\nayVLxl0lvVFplrT+fOFv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUI1eKfeYYGp1tW0urXYunBPlcnwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHt0ZKiFOTg6ZZh99D0XYp01JLjBkb6uNqRYrC\n68peqtOBGRhV4xasYL3J7CZpgH5idqOjQR0MUmhwNxN7NauQo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU/0Tkldp8pKL/QWnN6h1V1MOOIV8wCgYIKoZIzj0EAwIDSAAwRQIgdKZy\nM/TEjynC7Fn6HVQ1q4XzPm8LWATv5Zrcv4fDKuICIQCpkfbuqr+q1vM8Ov9TpRsQ\n8OPodzCNxd6OWwGpola00g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUf3ef1F3UwK5NKYiIw6euVDMi1B4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAR9Z0XZkt8wwsz3p8jzEePgPY66kRBiBH7uh0i/fjtU\n8qQsHj+3ksnrEgfywJhs3jFHo5EOCn7Vp19sR1vzpxajgYgwgYUwHQYDVR0OBBYE\nFFcwhETxrDxCleoPT6jzAR7o9Yv7MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUCoQU\nIFeRimSHQLheino8BxFmxKEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEIC\nnRf9oGMdl8Mq1pA5IA5HS/2DTRacOeqNYVhbrBzgAiBgvnLqwHqRlgifV06r0OrM\ntAbJXG36JvBJy73pXypt6w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUIDi5FrTnnvNVpTqzcvW1HB0LpEwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIp2m4tGaLo99unbSrnBnFWPjvQwZxMKVXBprk7Dszl9\nV4Jricx+a8Aczbd/3AG4wOXiX8MdAUFGiCqDVQCOb7qjgYgwgYUwHQYDVR0OBBYE\nFDKwkMdO+dAPljnkojw7i2+li7AzMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU/0Tk\nldp8pKL/QWnN6h1V1MOOIV8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGdy\nAmc0RM0Ac4CE4ZUFi7XR7Xmgv8XMLbyMeoyeXqW3AiBQpouXamw87JPu2e22d09H\nobaUnQGqAF4ZOaEz9FkofA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUD81TxGb66jcaNa2gG6uQFyl3JqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEj+7W3gpE/ZPwZm9k/qOZj1gOhnMRV69YgREF\n0T26CPDuaIzYh8IrVdXXfQkth3jVSytjYHkZQDHwrccjMypao1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBT3Ey/ASkRY9/1T1JbYo9AxLhUz1DAKBggqhkjOPQQDAgNIADBFAiBw\nDVh1L+JkcCkdQz3sJr8JV+2UGSi+tILfJEavbOt1VQIhAJoD/1Q5mKnFdghmR7Hx\npxqEhKkOjbMqAdtEI8Q9+MYQ\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUAZG7ceHAst3pd+k/785R5sLY+PYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6vN3BKxT2WbXocStaMcALRVGAAg1Turcz3JRz\nKzR3KpaWovo9Pgi3LYzESkvMgeZIIrsMLitrDcCXm1GknCmPo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSXtaP3yijGyBdvH+4PqryiCBWbUDAKBggqhkjOPQQDAgNHADBEAiBV\nCoGSQ0m8Q/SvxNbZBNmvl9Sk9VjxK52FnRrcRMbD+wIgZez1aiU+R4X72AQt17EN\nSj/v/CAsZctdjeihjqxPHDg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUUgvVYp3VY22WXT2wD02Oy11DnnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFQZ/QyHhENgnkxxut8pT3swkoZ91udTnIhoPtbaAl3e\nYSoSiSGqDDGugi6G726pEfxiSgO0HqLlKSKqd6dDqc6jgYgwgYUwHQYDVR0OBBYE\nFCWR6MqTlJ4KpOb3fCKJJxJd6fZQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU9xMv\nwEpEWPf9U9SW2KPQMS4VM9QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCU\nfBgy8IMFVCj1qUfKOBd9MciBA1XNFa1fWiW3ZDPY/wIgJOtw6XQeUzUNHKBOsDH+\nJKYaaEZt60B5R6g27GiPXgE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULNrn3JoFEAg/JCyGJj7ZkJtcKDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE8T1sY3RHSqLVqDKX2BT0OK0CHxZ7vjk0Ket+/xDva2\n0a2jwXwN5ELYW4DgyyLfxmTyvzyomzByb19dEAt8zemjgYgwgYUwHQYDVR0OBBYE\nFFVdTVvwspElpq/D5hjqXfV/pAZHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUl7Wj\n98ooxsgXbx/uD6q8oggVm1AwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBca\n7ixhOboSmTuEhGH6B9S4NDZk49KT7Uea7uWwIYW3AiEAnHrmENbfFvZvhRLuVXHM\nlIGdlbmRrZJo3ZTQLVpONM0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQRuUaxYTQUXTtKSUwfbrwrK8zFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARF0SLiUZHnAvslO3aSb1tTkWoIcxxxaa0RTaGN\nneU+KRhZBp7ETS4R3zqRXM3J01J0ZT3S2Exsjjxv3LcbslA3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUys+Bjh5aMwne4vOZGqutDStGLMcwCgYIKoZIzj0EAwIDRwAwRAIg\nP/J0oOnuNZE0wyGBYU2sdjP1mUEcRY9798y/gMsLyLkCIFGTrQUN1MNL76sQd/nX\nPEccX8JgkA/u+TkLisrm08Le\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdb6H8hSyBIJaSheuWPQVav43FCAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATlY74VHQKZxdokiUprC1XrefeF7qDEDyoDKFV6\nAbs7atNsRcy4v+vlerc4O2eQwjMmBcjn7M7EJiUUk6ewSfbZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo+JluFJF3ZI1IFfZGrxWcQj6bcYwCgYIKoZIzj0EAwIDRwAwRAIg\nKrooR1s6j4V0xa53hMhXRBXeObmFBEbezwUbHOYvrZcCIGmWtp3Xp1N6xmA2xKC7\n08P3VvRDh+jKjE8EVxLVZOcI\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUMvqEoWJO/jgrKr+9sLNiMhy0ezEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzcxNjk5NDQ5MjgxNzg0MDUwMzkzMzYyNTkwMDcyMTE0Njcw\nNTMzOTA5MjA0MDU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp638\nGeR8mG05TNhHR+jWo3YI8/grsWmGQ4PurXy1SxWQYB+7TD+vuqyRVXCROQ/A9VaM\n9uejUvszWaOdo9ySIKOBiDCBhTAdBgNVHQ4EFgQUCuUn4EMeCgnKRIsTITqT1RZX\nEOowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQqdvK946AP0oxsysWCOCLOGfgQMDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgT0hnQVWkIHS8ExIffoZ01EGDxZIH\nZZh16mEWS1RqftMCIEW55IHWW4WMHYI6+nf1xWr6C5gsPYaoKvh8QuT0rV2N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIULVhfiPaShIzw/n248jzEuA7oPmEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcyMjAwOTA0MzA4NTUyNTA1NDQ2MzM1MzUzOTk5Mzk5Nzkw\nNzAyODc0NzkyOTkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEa2+q\nUaWmjdrXVCG5IAuKUPrW9IZaaOu5SlQEFXCmhFc0RtnXMmJHQl6/oSIE7ex5dQS4\nYpRkcb112xwmrpsx4KOBiDCBhTAdBgNVHQ4EFgQU0RqfVZUR7uhD+jYdLYMuXaRp\nqTkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ+Ke6Kp9Wug0mQSK1lwRjmSm30KTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgRWyIIJto0SOWj5imrICc9E3PvLdK\n0SokTlu68y20PSUCIAkooZ3fdEgwSnWt9kuHQiMlV+Hp7Z6VTEHfWgZPEoLn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS8uWpTaQjSYTFY/eMasiiS12ig0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyamZoWWbjY2urpKfEyfI1DoF9DpkqO+oW+oVy\nNma+789oBitSiEcIaW7HKjjfTT+Gwv/mNzdOZLVzWri15XMjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy6zdwCCgSaTG/qJ/kWK0IwjnUnEwCgYIKoZIzj0EAwIDSAAwRQIg\nWec2znip4zITf/+KXxF3NHP4BjEVcHzUsFGA3PimYcsCIQC+2Cns5asjGdUwktBM\nNAI1YAxRpDvODcadcEpHfR9rYw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbH3YlMgu4WU6wJqRf+PXZnEDHg0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoNmiYfUVadQbOYJ/SWFwXM4Aqbeoy21R/3xwT\nFLZh8PsaPgPVe7/ajBalWHQUUKrmqdnnKWVXWPzy5U4tUAPqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOypklikvR5nw8sEBTc0ivBzavyEwCgYIKoZIzj0EAwIDRwAwRAIg\nfuJxHt6tRhNe5gpxrwYXG2Gtzs7l2fky/NVz8rL9yVoCIH6fQM2mEXYOFXFmznmj\ngIjZDj6/cedJTMU6qLvKr6fV\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUZMQ+rdh7N68GBqTAzBrOyikCaIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDSSsyiePzNP9wcVU+84NntmZ9E5x0hD4mMaOUeu1hjm\n3WT7sMq1RBpSVEDcBarP5Dxs1Ywy/JMlkHtC+O/dnxyjgYswgYgwHQYDVR0OBBYE\nFNLGumfArNzpTbxor+UVVY+3IaltMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\ny6zdwCCgSaTG/qJ/kWK0IwjnUnEwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDH4ktenctG9WQnVomkvBtKRGwNS6W/BU713lFnckQGRAIgVfmJMGHcmrel8vLT\nSv75K7tyuAmmXniZo36kXuExoiY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUcKS+mjn/voCcuAEeQnrB1efvXQowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIo352obZ1R6UlPUE3kmpXCwSNjfIHK1atro35cTVdTH\n8I9C59fVlTjBrdEJtjqsn5rW3MSYJGHGw1Wfj27vSJ+jgYswgYgwHQYDVR0OBBYE\nFG42/qqx08z0IGSGCeYS7IBd4rLqMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nOypklikvR5nw8sEBTc0ivBzavyEwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBtPprQf7RTunjbG7mrlfx9lbPqu4gHFjrQzKB4NvHvsAiEAz1v9VZUnPy9g87rz\nkrV9uk4RKTxRNe2mq3bkmYX+6Dg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUb13J9WiWkLdp82NhsIk7JUafl7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbuhvtoBbVpglFuYlrrm+coNfqV75NDsGxD9RL\n4/tI6icTsSsEjCAWyCmIyrhgS0AVu+K/0fNnwiW0qUzHSOl6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxg+W33umOt65zi/mE5Ou5xZp9jEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIE1i55oeCLGCNyRoQ3m7zzDZ\nZRbQ1PKsFOaNbUx79TfbAiA7LplJRKvBSWEejlugNXkLKBBaw9muCEQ/7QIlGUTL\nRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUKfkQ1GE4rRg+Itnsq02YhO99MtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNcAqv2rAy/v00Qmcn47yt4PTeLYYFZh8Zoa4G\nBsTatWZADOVXBEdD/fGWH2tiiaTfurrr/4h81ycMbWg8cTKfo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmMDYb8aAAlLP+Hf2rE7TYQDyksowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCobmpunP0wu507XvCNAtIN\ncKUfVHUKzwcqSJOZKR+1jwIhAOQHp6yTw4mQrrJgCcTTfOrMD/TS0/9LiEyZMA+H\nG4dz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUUbydIA61H1f+LB+eA5wqN/jZdDIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBh8CnI/cB3nibd8hHPqSzCLDBuvF0ogp0vIx0vO61/H\nI0PxGaxjQFL/3pIgIS/KqQe8bIEw7Tqz85P1LvTYeY2jgYwwgYkwHQYDVR0OBBYE\nFO2eaVnyDaYcwxRn4M7IEPup+ZiiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxg+W\n33umOt65zi/mE5Ou5xZp9jEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB7Ba5s6i6Dd7NLe4S/OrDYc4dXzv+puF7A4jeup+q1HwIgIrjbwxwb4nZR2zI2\nT2FzAUwXBMqSvq9VIjJknlP3V3E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUOdYx5u00Fl+AArVzarHAEzo97QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP7eCcNAx83Rl0+BCW984xHr3acdJffD7pDAXR7SP+av\n7LZf2adUpf7DUnZUp1uOBugORmrNmQMBGvdW6zf5hHijgYwwgYkwHQYDVR0OBBYE\nFB2AbHPuuoAMImuArXMJL4r86Qo+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUmMDY\nb8aAAlLP+Hf2rE7TYQDyksowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAzuN7EGmLu8ieG1LgYe4c+uvTSDO22WMBWnW91oEwLkwIgWRLjIP5+UUUUbBFC\n24GlHzkLmxV2gQ0N1nhLK40weaQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUCGSFqQKDIKi5vkBrKVv+gONsLxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiyD/FlEHS9BaFmuBoCHwOFzC5fJwpw9H4GKG7\nBHFxvy8NNxkWCr3i/+SbcpTNyExpiez6AhuisHkp8OGijvuUo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvDuzBr5QXL9WG5O1LFFB69LiVjkwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFP3TMnoDFmHkkQJxEa+EekF\neOllRlSSteN2yQY5kLHHAiBNHBgcPJI/zrzWDALbXpcZGCUKAvSqtPcD3B9qNECL\n1Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUCTvJAWSif8wiWt8yVe1/qg9mbWQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKRUcuehlO1vbkpLugyPa1dXV88DjChwITtPxJ\nBlfiqO6UONoAWpQT3CrI1Ay4m6SEdsvT+iok3HbhwKYoWvzro3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgaVTByCUFjWy6YEp0lurBngITXYwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICo50J6LvIBdmxMXLB5HfjTG\nuxcobMuTC4dtIwLxdWbMAiEAtkJ8AOw4IsSbOYYRGq6znEzxSqhKuivqHdnDPHdS\ndIw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUBYvT3H7op2wIQZm3yyx1a+2ID0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI9e8szfTEEx0bwCGmUtIiVaZ30MN3AdCNjLZ/TvMTti\nY6FG6RJoMqTjRp/f/TX7H+aoipNE4Y2axatL6HrD3sGjgYgwgYUwHQYDVR0OBBYE\nFJ/phM9dqR3xhYv192iFmc0lOb2rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvDuz\nBr5QXL9WG5O1LFFB69LiVjkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCx\nTLX7JqKGYueYXxCaMPxWjti/uIKE2Fzm8TLwEHZaUgIgTansjqCEr+SRm4sT/FAe\nobJr5urB8ljrr9lpghUdnlc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUbWZV0uQse7bLEkAfiVP8H9DtDQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABILnKDIfrEjMG3wxrpvzwNL5qCuMJF2HNuFCb7o1FOWu\nGv9R1f/+Up2jldSid5lsXMGYQpwzCy7654Toob8l8mCjgYgwgYUwHQYDVR0OBBYE\nFAnWG4z8sH2Sb7wnHkcd0/F3b6NAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgaVT\nByCUFjWy6YEp0lurBngITXYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC7\nP6JJsLCG//BZfmvW2wu/UVyyvEEt/nnV5UQKUUgSWAIhALwqqkPjHFiKiOpblukC\nL7+YSKSeF3HcCOOm2h3QYz3L\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUbNErlQQeuHRMHzNP0gXJMTinAcAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMnNIazLUyUGJh/8l2YLWdixS2OOZnKl1DYdlA\nzhp/CT0Ja4bccw3AiNNxA4DiXbvh8zmNZMSWjLP7YdHUT/ifo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5JXoq9bAtVqQK6g6bcWvYoKn3DYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGhuSr9SUTv2EjgiX0D28uZu\nWPXwbpnzI7Fc+rlh3GVXAiBVi86GaoRNIlCGLswxdVVeFNlz1e13QLKnfsT4rWQV\n3w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUFWZ8tgi4flK23ckUWYiuCYdgCCMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEV3dbVMtIzVtYyWP9W4OPCow8L/KqAEpVzolj\n1pJQ1aVmIilesAZzeyBdLIxwM9ojwrVR2i0mj8Cxh47GFHYqo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4ZL1AyEitqJ78suAwWGoSiAijW0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBSF9P3rz3dzmHOTSiKA+mU9\nm0GoUAm39HLfqdAVG/puAiBqgaa10HhGKysHPAL8Ph7DwWPvIeegoE8XUcwbmX5n\nJg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUdam9dAr11MnUFffJ5HVFSLgMPoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmSIy990NT0KTsx6ohHd85PGDhu6Zx/UI2c3NvNLSuC\ndRm/wYEcw5dG6ONP28xNY/BpgRhtrdrblF45SA67aQujgYgwgYUwHQYDVR0OBBYE\nFIgK3LagEmbByqeV5LA8z+6QLJ8AMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU5JXo\nq9bAtVqQK6g6bcWvYoKn3DYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICyn\n+uFcwAAokvBF8ZRq20PF96M+9ujChNRZfhNZKPSUAiA9I9oNxw3WYMmQ5B0NjXGE\nCJU1+d7LsT3U0nJq+B4Fhg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUTBxbxOHT/1rGR5tbyGssMeFmMYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMI8E4UuEY+AzifAFUSEVsKaCBjsAOU6HLvTHEOYA3CL\n0GTca3LGUcHxZYFtoxvFx/D/OZZpEO9KGL/CJy6anRKjgYgwgYUwHQYDVR0OBBYE\nFLaQV0b0b5+9IIhiAH7hlpra8NlCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU4ZL1\nAyEitqJ78suAwWGoSiAijW0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDA\nM71jR9puvA0861A2Iip0OpqlZCToFZwbnm5FY8zO4AIhANfEhlFwnrQyu0D0fYYA\nEtEAd94vgjUeyJkG42QGo2iH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGw2my1YlTxqGpvUK9XtisoXVNYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcDjYlWpSuVBpYD1eSoj99iDURcpMre+pM8GGk\ndHvdKJnBaXzCaUinjpMiwhaRuTqv718gO8A2aZyJ3q76cxeEo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgVNg5wbUtXMNXY6MQYmFQ30x4YUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDEROV5cw8gc2iRgW9Vfuyr\nKek+Qd6V2l/Q3G0TQ5uyBQIgBB/7gcx6lW44PhBneTPzpq6iCXD/8f+w3qptD2Wc\n644=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIULGJswpD85lVtpdXlEyMjN7U64XcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLxjTx26sjuUkAMNJcAjdeTynfDsommxYcWxIb\nxfYx+ntkYjWCLyOEoH4zjUZAZb+hsX7wJK8BjyU5oHOKvQkJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUApdNuZeEWV0SYHD4UAf6pSgYC3swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA9/oxSYr/WgJlqQ0Z7TBVFX\nWFgrFneBVlefnmL0GGzCAiAVZeQyz5cZ3SORj4dlTsEEuNkd1PNFjJsYchsePUtH\nVQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUZEJ5I++dpWkZlJvn3FHXZBJ7KakwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEn1SkLUck7t6W2zLfA13yIzuENFuWqOLg4OJoJUKnGD\nH2KcihD85W6lFbWIS+C3dKGk86kwoSRvJD31gN12chGjgZAwgY0wHQYDVR0OBBYE\nFDyuT9e2zd/QtKLh/L52+Oi7KtflMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgVNg\n5wbUtXMNXY6MQYmFQ30x4YUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgAjbty8OeZnvAgbOYAyTrj1cRLKwbal0HsWjvDGXZihUCIAM7iyrkDvnY\nDtV2lySxuTMQYoNBxqwxmc2tqHFbmdPJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUBm4Rsvr3HKHyy7utAs7aIQP2MYEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0/Fhi5c+1ghoOx3rQCN/SQlBsZcWoUpv6jOdyVQJSV\neCNW+oVA0hFA2mkRkYmkfIsdQQDQQbAapP7nyEj9dZujgZAwgY0wHQYDVR0OBBYE\nFNSMO2WQyKeLlPfg01OvTmEgDrvaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUApdN\nuZeEWV0SYHD4UAf6pSgYC3swCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgBoO+aeyszTxwwwXvqAABspsMtfpw2jnUtCSXq77XY/YCIBMavFsuPZ58\njMkU3SOlccNW376mA7wY5S04kmWVu5Yt\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUMzoxwOmEAoc1py9GYlhCvHVJ2zowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASd7rV4J9k2JRaSQMGhWTD+Y3Id9XQ5IWZSQxfl\n67HAVOEz6nzbcodlYKVxgmG50iJYn+RgW0unxfhKsKKSsKhho4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSqgD1aZ0WYoW3kQRbzA8EESVq7ajApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcDnK\nPB6K5305zMjCB3pD4uJK6XZgpFSqtMJFfZ6Q1C0CIQCXwR15HKRQ0cd27zKHTEHr\noGPJj4hrVP2pQV0kQobLFQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUK2FZoHRHd8e5/qygHJN60b1pwCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2HowKeK5Vsl8pndzunBh857k4CZVGX8wJTwAw\n0Tec7raHocNbzd0fTaaBzu6pmvHl0EV14exsR58IO8mEDXazo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSH+y8IFB8KTS1jzeAtioFRMrqjfjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPN8\nf6kFrrRu3+cZQ9XhMTb4CVhwe3/tWwO4eU5Myk9FAiEAut8OIMYb//aevxWxpOKg\ncfLE2+VPo4vZFi+NzvaMutU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUYWiEwyZ/b8DrhOm5qPTX3DcX3gkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBK7H1mPSAPosxn+i+LMMnHf6E2a3cpkbn/ouzxbO1li\nCuqVqTTxSj7FDz9YzXdEGlYjvQtKW6L/VIVzd6OGNbKjgaEwgZ4wHQYDVR0OBBYE\nFHOaipwvgzsCtz2iliJ4pFSe7WEDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUqoA9\nWmdFmKFt5EEW8wPBBElau2owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiAUFIrNmDZV+QjERu1V4yLPBEkL46dZHHRh\n5TqBc0xWEwIhAIoctGYDFJSiPZ24NG3PQdoyoZ9N1oOyDwl+tDrPuHCr\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUHNMykwLZKbYnfX02GH8g+R92NLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP3ubAo8EcSkg0oKe4b9qDzO1XJ1lisEGpXZg7FhgzQY\n5hCs00cSuicZpSdptDKJNslj4aFQ+9mjJq4TotCU8iyjgaEwgZ4wHQYDVR0OBBYE\nFJoV0VKphlu3fStNQOGnQb2wj7VxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUh/sv\nCBQfCk0tY83gLYqBUTK6o34wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAVlHtY0pcoFYyM4SvSaNzi/xvN+QgkPFeh\np/6F7c8HngIgKNxGYkoIKr/JAygElseqAEhklcCWCPVAm2mpoMe24D0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUMPW1ySBtwEuDfTlCSf87r77Aic4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRTGGbx6dhHzFG2Yaky9N9L8DlYnsRAZ/u4mfv\nvD4gn16gd2+Y8aZlDZO64izYv7eR30DD6HL/7swaAE1MlbvKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu28JWWEwLzlDYbgvZq7KKvrFnQ4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCCgKhpnsBoZYy6IH5/ibdyK8Gw\nyf0RwStAVUlUxKZcDgIgVqLrJ9xJeLtLdeYzXbqMZ0demH6j1DoHZcdc5/iIHDU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUAtOfg/TbpczFySWinN3twQMrGFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQh8ghbNREdUNjHz34p5HX+gbBlYpruyTED5seN\nBBhB+Zb1vpW7nxOz7fhuZCuwjevG2Aq1lNgkLp9DHBSqM4Y/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/mbgHfVbQwl+qKWTh/IULqjVH/4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIE2LLgkAMliehGxemUYL+LYHS/Jo\nGFbLssLvbw4d2C5eAiBaOnkVuZDx5d9j/0oWAxR1uwhPJjDWVJZ3CJZqMyZgEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUT3T9/18w2zYOiJThdD7DXldHqHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNTOzW39Ab88+d/gLP/FaIfY/XBZi6Y6LsBrzEMzwhex\nCz6L21Vh1fZaraul1H+R8DHxig7BApcuPR+IY15L4hCjgYAwfjAdBgNVHQ4EFgQU\nl3Oc9yOJpfuXP4HQNuv5XfM0vE0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBS7bwlZ\nYTAvOUNhuC9mrsoq+sWdDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiAiMydnUZ4mQoQI\n6PokAAoyrYV88CEKbSXe1WuyUz3D/AIgG5CSlpMZrbsHhPP3dwK1er7ZT8FU5Ml5\nRfNAosE8UDE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUNOXws3w1FbS27FtQ4nuPaJbvGnAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJOCaKJO8xe9zjxG8aszD2TpJisMww3FLcly10K3kVg7\neueqb9NK8GBue9yUvvjRQVhXExOi2ahBexen9ld6aQqjgYAwfjAdBgNVHQ4EFgQU\nYJ1Ma5yqNROoLoCX865U0VpJoiIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT+ZuAd\n9VtDCX6opZOH8hQuqNUf/jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiAdM9PsVHjFRJt2\nkm+CTyk1dl9WsUTZk53bZpq9kQvJhwIgYvYlSPf+UlhaS4QQ8XDK3RIivynWWNqE\n+hDDwjiFnGE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFQufvci0xwAUymDzUgFLUFOoeDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6cm8w2b5Bgsl/en2vN8tJOa3Ck+8llbq6xWBu\nNqcVKmGq5DYE/g++tG0dHFmOtyPO+JtgyDxc9nfhYzpvBX3do3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4qxEUeFUpunIGlsVlBHWz/DkWzAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCkXiEhjRG2jDtxC/XBd3/eq7Lc\nGmfWODpVF/1XLfAU5AIgI+b5FN+RhKHTLXovxivvzyfgtppAofGLapMKzsPVPrY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgITG/kTRHPxKcew1Bn1fADFt8jpwzAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABF6nX3JMfll2zgzrSO1tzf6ooKskbKSRaLSdMPLr\nVhUsi5Bd4fNsu1GTAWD03392ebvaW9GEvPWOSA30F1rRD3OjczBxMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTRX2aNGP2mR29aU98ZrTD1LZdlwDAaBgNVHR4BAf8EEDAOoQwwCocI\nwAACAP///wAwCgYIKoZIzj0EAwIDSQAwRgIhAKHAya17qUO62TQNeuuA8X5KmDrz\n0dcPbtEs2G61q5QwAiEA7YSGSrQ8vL+iOCBF2oKZ9GQxubJPltPyEVO7TAvnICA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUXspyQiK8GqRWwMi3+3faIDSN/Y0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDdGmubn5aZhBY1osllDlmssluMcY1g6xGwBcbj6XNRO\nO/KiG+k70SnWjuqQBGJFOdi5NTZIvmqbWuqOEWsY+AGjgYAwfjAdBgNVHQ4EFgQU\nAJAYmdxB5ywhVRtdt9uP7e+ZS1AwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTirERR\n4VSm6cgaWxWUEdbP8ORbMDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA1aT7odnYYKtL\nnpz+q1gH4PvmHmsqROuEOXfNWcmAJVQCIBYkOGXlkHeaPMOyOLFZmNv7KLb8qaEK\n5wrthWoZHA4f\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUboMo0qjy5Yv1teVHroYEELyqZJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMNSWBU0IISjF4UDZt/ci6i4bMoX1Fbl32T4KqDe5crZ\nh2Gd2dmbiK2cxU5RNoZVcDNMae8jPYGi75WFRdtrSkijgYAwfjAdBgNVHQ4EFgQU\nBcXmOu6WQEqU4mci7Zr1ZOyMYq4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTRX2aN\nGP2mR29aU98ZrTD1LZdlwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBXbkBGmKHRyWGz\nqaPGWmkusGcHhS9TCWUdtkbp51X/CwIhAOWFKAwgeN8b7D3C0pa4272lgN6HmIUr\n2XffsLnvMBh6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUBHaYJUdqy0GAmXtl3Wq9PyS3FaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARl2uJWPcmBx1LlbIWat0mTjgYSAizVsDrMLzss\nD6d4dOfaG+P/0INHB7JSYBFW9Jydzqrp+Gx3tT3ZP0/V0E8yo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9OAoRAkTLHJh7rGwgyzcPTnxh0wwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCICZSerKA4tSaGOQkLZTDNd/E2diq\nTl71KWiBYnobs5pfAiBZkDQ2OP7iQYTMusIo5omD6GIJ8LHXxDJX1de5uradxw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFW5PMsmwGZkd5ffNW48wr3hmXG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/CAnFRVvn85o4tL6r8NRhZOkNXVDo06s4MBsJ\n4QTSO4b+bms/cxgEXtciCRHn3BvzPV0uBVVQk5ddl2rdvs3Fo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF+15qhrK6/wiliV6wag0Of41R04wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHEi1VLItHYa0UVtI91kUs2bWXp2\njQ7xxK6BXrqDMWY8AiEAzJOGyW02hlarmB/e86uBXDZhwkZ8mcW2UX+Ov6p/TiU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUVJxWTQ5t68kWUr329xFTLK2OPwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHlNlEsnLLAhP9nx+38dwVcN0b/7si5gPbeZTIqFCMlk\nxtrAZiVncp3n4+ntS2Vap7IwMiVboGxIHB5mH8KJDTOjgYAwfjAdBgNVHQ4EFgQU\nh2yWPmn3j9kID4ATKsGl1CgXS2EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT04ChE\nCRMscmHusbCDLNw9OfGHTDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAkLnNzAvdnN0wd\nM+w5Tc8xQQzEVDdcBRCGEuNRQHiMTQIgaf6ebsBtt+AbuLYcyrDxbynwvtbzO1gk\nRB6v0Leo+8Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAkIUub/OtlHm0BNjf9+IrdHi7awwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJDXQvLGIuUMWMf6mS6FkPcqChqMLrX26mVy6L9ghScW\ntCjwgl9ZSZTIqzUCiI28u/EuWJargZ1bpoEu1qJ/ppSjgYAwfjAdBgNVHQ4EFgQU\n+59GRZZqqKe/P4Iw+AfAiKvRj6EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQX7Xmq\nGsrr/CKWJXrBqDQ5/jVHTjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNHADBEAiACXvkmKm+9k5qF\nGKkjPpd/pccsDEd9DWUhorXEcqXkAgIgED/Dc/QIoTH9GylQF0noPq7RxVmJHE1l\nPxW9c+OgWXM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUeo2T28sAh2NAQcXU0rNgX6EjW0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKa6Qw3EM5EERGXazmUWA0ZnZ1jUa9b1K1xJFU\n4FJl5IQYrTS4qCCsM8YKuhVcsZ3ZuboNbak60WmzZwX9HQxKo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiRjb5lRPULICdcmYofUwMwRShAwwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK6tcIbZykhZHMX7\nUasfGgGx50keroIHiU9o0JY+9fqSAiEAvKZokFT5kiQSXu+XyLHJSHTc4uruo7fW\n3SxjkRoW4Ws=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSbh/saCqBiu+rVJhDE9/BshI1OEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9LyVJZlFcMhMGGPdbCazZJn5rRow2Yakn90EN\n36KJup3L0QQai5KTgsJ/8mGXMje+dMeMPYmhlVJE6lkdCZXJo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwVfxp98JVXwq3GqKrBeZiKat2u4wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgEQajZAO21nwx5jWu\nuHgk0+JUvSDWDY6718lQyzLsnqsCIDl165jNsxbtSFTkiP5p1CS7Zsqb3IhqP/JA\nCbfpvDMX\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUGFnNQJG7Zf/MK+rZG8BnasKLNhswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEii+nIS84kInP+DPavtIC1tO8U0EpUwOy+5MLOJfhsb02hceQ\n/S2QoZpscqoaZhpA/ucZn0sYJSnQUNJjKlGXaaOBkTCBjjAdBgNVHQ4EFgQU92/x\n4AjRtlh8ihgNoLTHfnu5ShUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSJGNvmVE9Q\nsgJ1yZih9TAzBFKEDDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIhAJXheB4niqh2UGFK2nimM3hjGik/QWgq3v3djs6i3j9GAiBJnleTGPkWLbyP\ntgnJ8xiuCDOKpGhCC2MLqaxgPsdJUQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUSZcdfYOpv/FOWXaGfLwm2xWyXHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEkYC6npCzoocJM52cJedohWyQ8bDxD5Wt8iCtDYrHCgNoVApY\nRGOWkurVM9FzHb8IV6JSWHhRXDmHHMyDEF2+2aOBkTCBjjAdBgNVHQ4EFgQUCDlq\ngylDjXKek21P39H4/VJXD+MwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBV/Gn3wlV\nfCrcaoqsF5mIpq3a7jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIgMM8T6tJ9M3O+Vfbliuz4NMWT5Y/Xq8FKL9OV9f6t/FMCIQD6AVsa29mJSzsp\nqDEmmMUEZbv8k6ednQQWf1NsEqXNfw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUXTZhy8QP0zyE7iyeDx2uCHXkwFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQizJWNhaNRjVGO5rqFtc+xWravA2zQ8YETNFPj\nmIG26kfLuFz5VnWwHys/+nBf2RKwQ/siFb+sIOPSaaUWYfZwo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSlEdJBXYheO5zuVRskq5mpSn/HMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIIP8QqlsDinhS7T\nOeI2XE8l0Uifcb95+foXlymaNVzuAiBwruf+RI9DLMRtTklRwudy/ZdBgCbNlrUk\nGbtstoA4ZA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUGucbRtlf29Ep/cfDXWZPgz22Nw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQz7ylLX/LjkUz+eYzyqh2qSZ1hv1hXKOntdk0k\nlHJl/lXO1cMh1JfDDtDHVKMZLwPt9UxAElmc728OoFrth0kyo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhSAJCp5rODdevsUPiGf/ZB/anOkwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgNYkR+NRNfUHap4q8\nYO1hz9YKoEjaOBqot3IP+w1H37ICIQDVJT/6F7J/VbukmXKx5cRLDK3cNj8f3equ\nEkq5Icp3LA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUI0SbnOlGzzVRZS6PEdyUaTeVFncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARoed4d+hXvLji9+VVT0AHjsoSADvQD/7uozT3KlCZWA4m+cn1c0yZI\njUtjZkbiUpbwot2IvpEI7VHy+mwwdSk8o4GNMIGKMB0GA1UdDgQWBBShI5zMvaCK\njqIvQrxuCSzYm669PTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFEpRHSQV2IXjuc7l\nUbJKuZqUp/xzMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQCVKp00\npMEDxSVtbpHyyZUiHFDOEOg62V1asqa5NwaUDQIgFa3ikf3Y1ntYlIbHXqw43I2B\nrJdfbPyep8MLtuYb6Vk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUZSeT7Hae38lTvdPwW+ssj4f+Wh4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASJ5DugOyF1N4DQpR68cYv3n+aGsdiV5oPicWVZtnw6wrddWmxWE7He\n27iiea7mSzkHBJ1RpiMSkmISEDPAAOs/o4GNMIGKMB0GA1UdDgQWBBTBZKWlRbJC\nPbSobctJYXLyioyHuDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFIUgCQqeazg3Xr7F\nD4hn/2Qf2pzpMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIEPluwg9\nVtEJUm4JHbGd3Tga0hAsv6fJdiTzmKZQV3ehAiBD9aPv2FzeH7NEIEGOJNARLJpM\nUhwoPD7eB9bLt+koUw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUAMVnwa/zfURgXEfvrOWBhKVlT60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQAIZ9Ciumi94UegRPMtUnSh4n/90aB3/kGtbS\nZnlGRdRH4PvudFgLaraVMZMr37RxW/gUpd6lzC7S/AQNnNzCo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU15vx1+di+32pF9GzzpYH241TqCQwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAkPbe7EajWUoGiox\nVP5NfemAWKxcr0fqTdkvol43YrACIGwijy73FkqBskSq7NEbo4LL9piDkm7d5N2I\n56mmgedU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURRQbIvlf//U8Mp+gvCWTrBvtZE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGXN/1BVQbjjln26/JOTN0xPffWFCD8OWwoWES\ntJNEl65mvC56Qhb+9jLSynhoxJMCqbPR5bgNpnXzFISSwEFno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUmb591dirv2/4lz5F6J4PmyIKggwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgNxMNORlQF5Ov9d7m\n3VK18tAoOuuYSvou8Fuiw9yfNMcCIQCotlpOPTdgtcMxLZ7pS2JPz2R6q5PD4uc4\nXgZjGHey1Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUKUkKGZUk0O9gslA7VBJwJVEJi+MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQAUI5hBvtmr0R0SoaChisYU1hdYRxfOyScKZQrZQJxIxwUlQwFSn05\nXTvpCYNOdjd/go0kTQWx/rjIY5sv+L0+o4GNMIGKMB0GA1UdDgQWBBSR3f0YxVoc\nT6BkDyp1msld1O1PzzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNeb8dfnYvt9qRfR\ns86WB9uNU6gkMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQC8X1lU\nBnbLdWlurup1PxE1OmqU3HqKbwFu2V+lezNw4gIhAJUaKzySIKGPXpDnRJKnoMML\nMb6Pd8XpL+thjHC/V0R/\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUbc0Fx7S5dPrU52kpcahfO1goce4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQWfBOuDuf1Psz0bQglA8sIDLbaiVNKIWVV/vYNto3twIv9KmqAYQTJ\nygX4xwueSbFbvL3yp7pnsdavTtuhcQdOo4GNMIGKMB0GA1UdDgQWBBSslE5AIoY1\nM+a69P/mG3yf5tYrlDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFFJm+fdXYq79v+Jc\n+ReieD5siCoIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQDju3RF\nX8ZOaaHt0dzVz6d5iNuILL1nB4BX3VPXghdcigIgbZmft98+t429drYmOZ06grhj\nq00gObRtATneMNuQyTo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDBR5ezu1Tt6YaVAO0ObiudlwVNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuHi8ruqEMSOrSIMxYGQwHxE0YqQ6gbENNmFWZ\ni95W5qomv6FWWBD3EwaT9xQ3wNwCOumE7joprnWRRAAQ/X9Lo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSKVVUt8MQyKe/faI5/QysRNA9cMwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgGMwZKEd3cV6zNISN\n3hePeja9X1FoYzCPQ9BwZaNXYBECIQCjciJMGKOP4RdH5YWBRr7sr/Ly3nJE7WwB\n1pZHR6SbZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUTaYwz7uZ2pFHWFgqAXhcxiXKNQgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8w78t6NpJyXOEg7ceo5kh71ZZ3JWhEGRpGAyi\nISlM7UKHhDKExRh3mZfbtX1H4ft+KdnDOIL6R/a4v4fP87Ogo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO2LM+vzP5N4AH0JBScWqC9RJxL8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJ9n0ilZ4VzX711F\nr23mWuATPBWxbnhX72Xcgjnmv85UAiEAqW71YwmL/JXGieQqClfyhi7uj9VLD05Y\nHa9h39OfL00=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUHIsxB2+upGhQ1Zhu0h93CJ3+sAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE8SKSh6+Q3bRs0ttWLerIFMHoBcoHZ87Pu98MoNgZ3ku4mZjd\nfdlsvstN4CEHwOhnU/1h1UO/m4AP335eQPCGlqOBjTCBijAdBgNVHQ4EFgQUBTSD\nos4sS6C1Ggnh/y/O7RKJxRQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRIpVVS3wxD\nIp799ojn9DKxE0D1wzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nm1JIgI/jGvu7ASojZ72tVy4Hnsf6Dqmo9Oa7zYw96iMCIFTZOdVFnQBkIa1WyEYQ\nC0/ZiUNGkRjPCmPES3nH+Vnf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUb1thfr1jXtmHcJkFXuEc3cp48gQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEWaFlSxcZNVbPN31rUCvHK4/+YY0iBJakJWLonagdVkj/8Be3\neC7zOT2DZU2AtUGoMwQ68+OGcILndI4/guWTh6OBjTCBijAdBgNVHQ4EFgQUcw3c\nQXcpJlVqtlUE9gE83NnFczYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ7Ysz6/M/k\n3gAfQkFJxaoL1EnEvzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n/WJVTpHmbWusMnhD5VRLl4imsFTFGn8qe+QTtrCOFoQCIQCJF2VDbmkty2OcQDLw\nnCjZ4EiHRxw/OhgrUdQqu+WMzQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ0SmAHY7jHNi+OS3kGji6+b0EQowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAQqXc723YEhNw1xuAY1Qm0nUCh8ozuSnp6xEY\n/TZKtfqRa6iebtrAYqlXpjK1i7dW0FC+ndI6BgbM6yPqOFUlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2PJH+BEcoq8IXS6QEHTp/kWPRowIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAMKDAA+fdTygOBqh\nu8sNmkvOh+DZuaY+DnDPYrsQbLvZAiAdaj1ILcSuu/JP5NlXS8LFKpf2lkVx9yMC\nUfYitzKvvA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIG5S++1zM+gW+kJOtiZ0mkAlqYswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwjl3fYyzaNKQR/yUDCg9YpvaPTMgLppKSUrbV\nEqD8T11jeGy0/ZLhMq5M9wV9LtJj2z0vKE4BhGBEtUKbXmRIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzxMqGwq56cyJI9EnN9GQcH39PeMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgAKLuCD85uDurZ4MD\nn6++2/PVkARcCvx0Alofy8MtO5MCIQDCMxcueSU/8TU5luoxN9riTK7Zr8UFtj9d\n7ZYwO5soIg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUWxu7q+sPsgkQbET4SgoX80Po80cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARUBY4NkSq/M1dA2StGqK/NH8WagyvtUf/C1APFOfa9r7NNyCkWQz2A\n7UtUq7U9uJGL7IR2bv8ueuroE94Cbxfvo4GRMIGOMB0GA1UdDgQWBBSOFmMiCPsv\nG+6zati/TKkhSj3nnTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFCtjyR/gRHKKvCF0\nukBB06f5Fj0aMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n2EMlITuZ8laxbaLH4YGVomDQtjFivBMoLVyOllhbDj4CIQDnf6mlsoYyyEmTRRTz\nFQeOJUv2dhwyyKCB/NGkDBcSug==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUAi0iCIzw7z8Trz7SyCnRGYc46SQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATmaE6GhgILRNDjiroVjywQaKfOwTgfxm7hTHRC6wPZdB7FSrqbsp9C\nMmRpqlB/uOxvYtDYa0RwbLFr4wiS9m2Ho4GRMIGOMB0GA1UdDgQWBBSzz7p7dbcJ\nkYLY6vTDsf0L2EAY7zAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFM8TKhsKuenMiSPR\nJzfRkHB9/T3jMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n5x5l2L4eMehgSWCVmq863Xrei59VuamgqN5RESz7WVUCIQDk8/iU3sAPd2xJxjtn\n1auK5dDD9hldmEBQwQmnVmWJeg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUQ1mwjFY4E8oJbWxJgbC2D4ooOggwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxDFQL6dlQMOEn1jTRbYeiyVY3SiFynrmggU/H\nPnaDBi9ayEtpmivVq5HgTulIRY65SiEonMBhBS+59tahemDvo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFBMoidK5pMFebzU977jZd9eQ5itQMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAH6MKnMGVV4arRtZgh\nfGp0M+Wa/fccC4XPtVv++mVvPwIgX8PJE1BPu5xQr+PsP6WXGwN/pnrWB9i8je+G\ndi9uUDA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUd0l7Gz/LfqKSJJoAyXZLGG7Bb24wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASP9dtfWNBndpeyzyVxe3C06qwf0SpeaOJTzIr3\nKcEGnSRJPpAzjAcIZCs2srLcVHHh2CwYufOeYHxwcQV6pNC5o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFCorSxlk8Xqli4HEEug/7hfaPMqqMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAZNO8JD4OvhoAdjyJX\nbvY5B7O6JFKoo1TKo4UkqxsYSAIhAJATXuRLlLr5dIX3iDvZI4A9dsYbQJ9JRo5G\nMejtpZWG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQlL++b+j0pgpeg6w9i0NzAPdTNUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARylxr2XfvI19C1I/R6vOV/yUESfzgq6yLtxI0r\nEtn8BOBSQEO9sOfeYNhOv/P+JCBd+otaYbxA9+xN8J+1ZFT7o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUEyiJ0rmkwV5vNT3vuNl315DmK1AwHQYDVR0OBBYEFFiZ\nRDR4iY4YAFJWk1QCmJKzmd4sMAoGCCqGSM49BAMCA0gAMEUCIGvf/tCUiMgz6om3\nV73RKLHdAMWBA54ov1om/siG7epEAiEA7bxCcGaunHi97vefr09B9+xW+myZ+saX\n1q9F2Y9Sw5Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUCEntLIJ4q/DlZzgG5bRyGi7hnfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZMjwQHQXu7nkikAgRYF29KVt1tMHd2Ush+JM\n2dOF5i0Pc6VD7+ifs5yj13qxSOCEl9zPvtNDhmmQd+aCNP1wo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUKitLGWTxeqWLgcQS6D/uF9o8yqowHQYDVR0OBBYEFNx3\nz1me+oo83LQ249N0Ga+gdsqBMAoGCCqGSM49BAMCA0kAMEYCIQCDGMDzNDaNJVUc\n7jyFH9ygzFz4BsWbJOXAd9KqdS8FZwIhAMs67C+tW8JX/XHwo7732jhKwpaPNNs9\nnJPL8jLjbRNu\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUM91/jTbs+7GYpKOn+I7eF+vrkg8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABES27FNjwGvccd0wOi2f92bwx5Yn3zvuRfBn0GPBXmuh\nEb3NcC4OELWEnPHC5tNsBAYVH7h4ajicmIpqe+yhfd6jgYgwgYUwHQYDVR0OBBYE\nFGP1sjzoNlyP8O5Eq7pnaH2PCLqjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWJlE\nNHiJjhgAUlaTVAKYkrOZ3iwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnQ\nPmLHk35Npl2qsrmHouk8NC0CYzNYxJJ1fD1xoMG9AiB1O0/x7mLqKTSp7oo5GNNR\n3o+VOa6D/mlBDR4MCVznpQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUSyqz+02tK6yGv9dD4AY/Tx8DLkwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGzdXsWfUFCrbYw64u5v3wB8VPNne6Y0OfAXEDAc0VKE\nRG5PB6mn+YVEJnhThDkcWe+8UJqFEwMWvEdXQQhvkM+jgYgwgYUwHQYDVR0OBBYE\nFDiRN24Vx+lhbdhDCcEOhPgL/HMpMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU3HfP\nWZ76ijzctDbj03QZr6B2yoEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCY\neTV+sWMGuitBRq/8n7gsLNTNBARG6m4R4n0ccwjhcgIgJ+MG2qQL+40W+LF3uIQX\nl2PgNDo5uK7p5ZqEiEJFTbo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUf453PVWdXJgSILY6qksqMB0rvPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZFwPo46COQEL+K9X88NBDOO0/oZWF56uI2R09\nFjkP7/ACtntNjQOg6gg3CzWjyU9ImH5psi4O+Vp7NdSsBNMzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZGHOuL4nYZwhEGx124edGD4jkg0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCMJxCTfqSdMf8GvHNyg4EI\nyWeRgdDA37UIjOGjZkpnHAIgDU8wruAWPsjSlyI6nbLs8JPQlc2kxjkXE+luMkQr\nGlc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUPL8r9PHgsJOItwtMAmjHrk1GFtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7Ub6FzX+dxgBboeTxRbDnrIUpsrPEdggI1ClZ\nm2owzpE4xQxPJDgru+KH5Ms3pscKR4yHgUKHh9qw+SmWgdf8o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh073qYX0S+lj/X4x0o/qrIuhilMwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBCdXKX6Lv/hVDoM65fNf3a1\nhYy6qD3WxH0IeYOGL76pAiAHa2rt19dvXZ0uZOUdeImFcuTpSgPpnD/1bvvRT0Xf\ncA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUTHPJUXGerDYXM7zM9qAdTjYiXhAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnX5PJzEsRr7KRHjpm+ztAEJnnYkmcPSSFTJUI\n51/URs2615xRxIoe6VZS4h5rvwamWMa8b/ICbFgYaZ/ddjNno3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUZGHOuL4nYZwhEGx124edGD4jkg0wHQYDVR0OBBYEFOZ/\nJVrXva6AOxuj7d/hXojH6y6OMAoGCCqGSM49BAMCA0kAMEYCIQCIpZ7tP9OkDxXt\nNl3aJ6ljCnBYC65d//B569RhzJEwrAIhAKpLkRq0wkId5Pl5E4gSwMc3pECCj4qX\nPCF/xKSPg6LT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUYLKOR1OAcp2A233Ft1FbMzkH2/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDeSyVD2v9r0d6yNiSP/rOqH+A3iy/9Oy+a1WS\nVI6xyN2PnhxsuT+BUpGwS4PP7K1/MGasBHdbJNdi5OxIESzto3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUh073qYX0S+lj/X4x0o/qrIuhilMwHQYDVR0OBBYEFI4x\njpkE/El6II0l2ybBKI7Ua4hFMAoGCCqGSM49BAMCA0gAMEUCIQCKYmZWXscWrOrp\nkOU3sg5yKv7suyOGza6npHX+dTL9KwIgN/HlFOQuOywjZ8YQWkfKdrAcz4XIq5iN\n4WQWeaoLHrs=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUdb98YyCjlPvRr5qDryhbPVglLxowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfYVwlBCqNmkqgArv4HNTFQHd82FPzCyIaFp3a\n2J9Jjo1qJgM9ahpzsudSjOtIVfpRwZZ7W28HvvWi/LRndujdo4GMMIGJMB0GA1Ud\nDgQWBBSrpYTopJ0yG5tH78K7e42Q99AgnjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFOZ/JVrXva6AOxuj7d/hXojH6y6OMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIlWJuyJmc391++IEC3IasAamcl23QqUIaHz0PfnJsvQAiA93Utq+UaK\n179wXCJhJHziBFKoUqJFcQSS87cSDfwbUQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUJ2shYKbi4qBgihj21TT6i000aJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb0IVbAVDrUA3AcHtfHWvCC6pPZxuf0nlSGPH6\n73jcUT3BnH1JUkLz9DwX9+QKX6kkpA9FE9QF/My1yiHINzHpo4GMMIGJMB0GA1Ud\nDgQWBBSLBmFGTIt842Y1HKx16dJ91xKuXDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFI4xjpkE/El6II0l2ybBKI7Ua4hFMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgXcBj7xQJJKuicNWdPdKr1HzgnggAiSlLnz0wOBdqe74CIE9JF97UPeXR\n8lvH9DBt1G9DsWCnAQIZ/aWZAUQW0gfM\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUQ0N6JhtKy/mOYEZWhlKSTdc+q5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRrvXdAPNeHk/9HftySQxYUkCIeFiD5/8SOkWv\nen/SJSPlkp6Jcl6wkR8pbNbXmLHLKQ2hIQtY3sdxwwGZMWyYo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBR9bqZAcbuD58DhExjSX0LNMZhv3DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBMGki/LZIVfX7n1tlRuwTgkqD4okoKxE9stsQAb2PXFwIgIifgs8BC9QoYq1cq\nIP9N2gEoRPPDtDCHSoTpfh/VqiQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUIACpVPCp/q8VbP8T4Eya4L+dNSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNdNK4razvzhJZK6kycNmGh9Te9kppItsmjOrj\nVIMbJYSqEB/qIDrlQnb52cmmucADH9VgAXoRn49iyqNLUTSRo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTUOtXLnYoPmT2S0cRNkmoFYHwkzjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB1yfh+OOmUExmVrD1O0XCzWwdP0NccHFhZ7s5+JV0PBQIgLOtyRKalYIVmV31O\nrlLlsQZ/6cIGI/eGglLJ2D3CIVw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUKVG68ePRscJLpbt5pLiBh7ROIFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF0D22x9nFMQLiy7cvwDyv1AKzald1LL5nIQHxOC04hW\n0plVZO9fkrIpVxzygxvF5+SvG0ZF6sa/K0D2QmQZRbajgYgwgYUwHQYDVR0OBBYE\nFJJ52jtdVOCYNi8PGwOizAw+LaT3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUfW6m\nQHG7g+fA4RMY0l9CzTGYb9wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDk\nAqo3dei5ksNVTZsBMrW891db+EwLsJzJrYKq0Bwz8wIgVBBd9mfAfC2rnlBZ0ByE\n3rJ/R115GLHd3uFqhBBgwQ0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMmju8UWIb1HCJn1OdTlg9Mq87aAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAMF7kzKO07V3sEcINFmVk14bIPB39YQWcNT+c3n+Yxo\nu+U7P2dFJN4DPACQ8HZ5F/RBwHoLKrAMytyklrdAUQajgYgwgYUwHQYDVR0OBBYE\nFKps4kGvZT2+asLq8PzyY1/04SzCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1DrV\ny52KD5k9ktHETZJqBWB8JM4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0\nZolMlgeYbkT+VQnfMor4WzCKdlSaCRQZ9XUTYQNbHQIhAMnn21fItxW4lU8Wcj61\nfKIkViFoof/Cm4+eh06vc9rl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUMstp8Qtk/G18VSyn9easuY3aYM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASm7w3WRAutJijQpndOd4mMV7kcJuXsgCk1gU4m\n1SDc7RKgNyRNpHNZjVlxEAvm7w3DKsJv/jaBwK78dCCYfA/Uo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNl3xpCSjtt4bNos+BhIRUjNY7CswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIFls4W6YGJIawDk90+yV6itCUWAT\nCzfSRra/7qpmyKg1AiBEIkrz4gmO2smEt64G3L9sn9vRjQxMALirmRIhEX9vrQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUcbpYOlDf91M+FTwLEIDC7SO3zMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfSFn3vStxslV2SW89e7xvR3n2h1WUNrI4OeTq\n+IWup0joehPov/5FQzSkAAoZF/8eQBx7/O/KZEKC/NviPGH1o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYsnOi0ib0tQ0gSHp2HF7D75igpowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIEN5q3zfFb4p1WSDmcJio/rOC8fG\nzsxE8x+W0ztpqnqhAiADStWzTly/Gjbzw6RGrB4Oij2o2Mb9mD+HdOq0b/txng==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURBVF8lMf0tiN3SjYbOLQWnuGG0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBgiiq8T6eH+7XD87zyZ6dUVdAu4ph3nnQABWrV1jHbG\nWhe2VwNqIkmlF8QCRhBVjKMU7gvynf12WTdrCRAOdYOjgYgwgYUwHQYDVR0OBBYE\nFL/lAjktchAGhQSDcXXFcQoWRM4wMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNl3x\npCSjtt4bNos+BhIRUjNY7CswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIByo\nCKTAJZC0TOuLOyMjQp8yRUhrqu9MPK7KcW9fdt3bAiEAiOh0/jm8CydYq6VSXaA6\n3egYG/HjJHBZoV7RBa3aeP4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUIcFSnSW7nUeL6EjiAqqFBWwdjEcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMT0k5vzao6FbYf6ZMaa9DiLBjgFBYEKivSTrPzCFSoS\nD7nGFG+U+9QuWOmBjLjX/mK0UCee/7Lg5QqafaNe/5ajgYgwgYUwHQYDVR0OBBYE\nFO8a2Bme3stghifKcPWlZhwu5IgcMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYsnO\ni0ib0tQ0gSHp2HF7D75igpowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDe\nAdxE0H3GZ4PWdZNlLnFvebMaFK4k3y0ohUa4AP64TgIgCwrd16N69Y5IIGRQ9W8V\nUKsI1cJsZEQVyV9TwiPwxD8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUezaa3EwsD32+OJ9nZZ2/YbmvPx8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARseJcz5zIEDUAaf1FaWmHV6WvLEq1QH5jvghz9\nm9u9NiP5Xyt+cDcNHvqWoH/aQFnfuBZbzSWe6MGQlDt1QEPbo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUx+KQfkkc07chC8WPyZbg37SKHhwwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMuk3smh004Gpqy7DW3R\npj56wYyf0VcOze4HeRhYcbNnAiArdKQVVASvfJKT97Sa3QctA6EGrPtgk7QuvVUg\nzG2ghA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUCYo410itdno8YIp+C8SjU8XR9QIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT33Xme4OLEVotVHlfCnRciaLpSPqqRucOX/uCf\n/0XNeRZPIwbXuCFx8ZTd9pU9rSVRzbTzm2YHsqoEtrWuuW/Po3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU74oLRQ/zQ1x0sbqa4aFKQ79FzUIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCIZoP/qgMCyKVyVKy4zY\ndupPPKZwRdF0zhuupXaun3wCIQC6uH/OZ3SxjhgO05qICK/ie9RV6btvfJ69XW+z\nneClZg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUICOYw0DxrWV1oEOvdwx8sVljChAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJfDeuD1NTktVdLc7V+xNSXhwXAqMl4Nm3++YalDewu2\nx88vcv4SHhhGhTNR1azNJZQ+wNkoJ/u7xtccLovTuKyjgYwwgYkwHQYDVR0OBBYE\nFITTBdiifFY/Yoh9/nZEmKqGzdtJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUx+KQ\nfkkc07chC8WPyZbg37SKHhwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEApiEYDoagmh1+aRO/oc/L9NvCQlE6bZ1Lz34uWRh3yBECIQCbt9utidXhQDsx\n76AQlPWO8FFiNYjUolwGIdDjPa03bQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUYoSfdr1AZ5yqpLT5mI0notsSJwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO8JwQ+1k7hiLFLGToD8i4lGf2XmNRJTT3MKAX5mebio\nKx2Aop+t5kqrwMwbOg2Ewkrxnh9oN22klLHrjQNvA+KjgYwwgYkwHQYDVR0OBBYE\nFFV8hWJGsC0fCPCqVLyG6Lx+JG5aMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU74oL\nRQ/zQ1x0sbqa4aFKQ79FzUIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAcB4C2KcG/DDSlU0GIoT09sgpbxpDCaYVsl8HDkHbE1AIhAIJFOWBQHQihEYim\nqOBYiTZ/o3wr/CNndIk2KgiQ6ztQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUcbtKY5pgsIwtRSaUHYEFsFgu2xkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCMnJ2v246GYvBSx2dkXLtgROnOU4tj4n3gzd1\nI7RuuSDz/OVACO+tjBcU1K7UQmJ8AEzAVi1g8z6QMX6JSM59o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGWam2JQwDa07WirTzGvFCY9B+rswFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAIRmJixiWiRTTx1/jGNguRnu14FVOanR\niz+QT7VkiILcAiEA89RqIZJrX7rztot46ausD2NHZbhu66/5NK4SWZUknZE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUI2KDLvoYTanOvev6O9WbCu4Sps8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSRxg7iOkGpbKU1d3oK1BrMcg5zMp8gVnaKe3x\ne4AcQRu6hyycCZsc9OBxs/dH4Kw5Y/8/dEiEbvko92CevgEwo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbKw/csTnLh5FGTwwGI8LNi7ZOEwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgP+oHwR/nro/ZywWDwYdi1lNmKlGsyrha\nPNOaPm1oeOsCIAT3c/srXQv62HVSvfT/rZ00azsIPkHoDA+6V7DEH6E8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUa17Txhkn4O6Hf8F3A7VSQHRXcNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKrhkx4NNmLMkg6hzi6bwsgVub7dWMYvSEf109mUY5+U\niTkOlUbGF/g0kuACGLeOy8aG3yCvwEneLrcq8FNaUlyjgYAwfjAdBgNVHQ4EFgQU\nEgrdL6d84PxFyRRPaq2xQ7fqHAkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQZZqbY\nlDANrTtaKtPMa8UJj0H6uzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiAc4GQTO9KQqiLY\nWlbBDTfboRboSwKnLvshixKmOSEf+QIgYOFPMZslMdEN/FVjPD4tNaN5+5GhtP+u\nZ2h4Czxvbic=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUepMMjUfenQqsbEY3vA4H4aupAQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGlMh4UUUgWzvtbctJ6b89V84KWEeb3eVaK2Npw2mK9L\nIoBaVcRHlHqdqMo6R4Q812rBW94Q7PG5tIyZOScl+GujgYAwfjAdBgNVHQ4EFgQU\nCRIa7+/A2O6OO6MEyo/GcxrbyxowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRsrD9y\nxOcuHkUZPDAYjws2Ltk4TDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAjV9Vjvm75KTE\nbD8Hq5fTXbN9Pn0xUEHnlrB8v93Qn2ECIC6VPVsoRrntk5z6j+wuir/xl5WJh0PS\nuZUVA/vvroYa\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNdYLI4VxwKc6GaPoGkpWezKPriswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMa3phtp3TetBKELFwkaevyKHYlABflg9qSsU4\nak1E77xKudDlg/xC1U1Fzol/chYmRDapARsMgaP5HFoGmn7fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU00IB7PXa3YUf5vDbBLWqDkAepe8wCgYIKoZIzj0EAwIDRwAwRAIg\nKAdB0yS0Hgst3lc75MWLSUVuwGnfuKh6s0q0mqED//sCICMIR6tsS8TWjOQeeiLq\nZie3ySkNoBrp5qIdg9gRdjhu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMH/CaAwkLr4eUggiCl7yXMUbw68wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbn46+g8+aWDu3xCBaOFVsVH6MvI71VEXsop0m\nBDxStvpwKvSSLIGiqFGhQyg1bMNhBkwzX4u1QYGhYHRB+Fl5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJI47z7MkYn4Xn3BgeEX5vpwq4YwCgYIKoZIzj0EAwIDSQAwRgIh\nALe/tx4AVGehfavdGP0DCnmacY+RQgXXAoYZPO9yfbONAiEAsK1beSQLaP5S8vh6\nkXGEh+g13Wi3kg8CzpCzSEoikxw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB5zCCAYygAwIBAgIUVAPzPnH7ZhmcqECB9zXGcXG2tx8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ+OliQjgKcfmi6Bzv+lEZEcSJgBxJKmeeEu/BpYC5PE\nIvPzVYcFFAPhywB37qzWSWTqTiexOJDZusr3JbCTOiajgbEwga4wHQYDVR0OBBYE\nFK1FECpQQDYESm1dANB0e3fWEsdrMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU00IB\n7PXa3YUf5vDbBLWqDkAepe8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMEiFSBel37m\nL4MyS99r3IaQJfRmnvBblSJX7Adfo5ynAiEAt75aKjjp00iwr3JQfXm6TeW2crKL\n44zbaILVBzt8v+8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUAupZ+BgOrp1rOvxGFgxnotGUny8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJICZkMP13bBLA6I+BQQtgaqURq9H13He5xEImcx5cKf\nnP37GTyXieRYU2jfgfGj8Uex1AnME17eBxJ2VlwUwnGjgbEwga4wHQYDVR0OBBYE\nFN7cmmBGLNkmnkDatsxzeMJym3fEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUjJI4\n7z7MkYn4Xn3BgeEX5vpwq4YwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALP9mguDGZo9\nRDsMVbOoeC4tX7WNUK52dUDJYQzVYr0nAiA+9+9/DiLf3/2hsmSoKIw2LEBfNb64\nYc0aqEy4dj6j6g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTy+NRqzreoZN3z+9r2YXhSkLQ8EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuASpr1S7UewtOzPlzI8DfZunk/93uRsERJbe4\nLGWDVerTv8Foq+EKfjh4XGMvjpeeqkbez9EW+cAiNIsfSE6Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBJ/a8Op4mOd+PiFwkRejCZRM+h4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPIAeqCCKEWeV3sY5RtLCS/DqnY+2itOn68Spio96g9wAiEAiwMyOhSiW0QZnUz5\nYlFPIAJF7824pWZjbGh6OuYMDvY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQf1x48YFkT9F+SvwIh+vX/2UTGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQySgaSrEBUfDC76LOgCF/yHc0MlQX65/vPZxww\na1OW30H0vPKWqaGGKKOf4eLdQ0wokpU/8HoZ9VyAAG5S0XO7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS9g5ZzN+s6ddk5+r4tx5e1SKSBYwCgYIKoZIzj0EAwIDSAAwRQIg\nMj60b+Ivm7PqrY7fH7Erwav8FgkVSLgkehpv/40HA8ICIQCbtdX90xH//PLfW0O5\nONgKidIeIIxyyYgmUMRyiyIZwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUO5zBrau9Jj6Pqtj9N6INlxMwooIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIDjQyaDh/giijn8eV07KCGVwZ785DDyuTD9+JeisBH0\nFlVP7wAv4QZvW7DI0vJ/r8NzDIS540+aCfAT0t8nSSSjgbQwgbEwHQYDVR0OBBYE\nFNlwzBuaDqwO2xTNOa8i6szQdtbVMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBJ/a\n8Op4mOd+PiFwkRejCZRM+h4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaw5k+BeV\nuOyukMdkXm8NxFD/+97GaTyeJfvtoYbkuGUCIQDrWgaKH3fYVWDbrC0uO34oUFAe\nqHG9bP7jk+R2XThdDg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUI8y2/ySLbGIQHkQvLY4gP9Lx2Z8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH6N0GGMcr8E5irTLNiIuJncXdna9vd4ktGp910fFlca\nMFTWSd/O/8XG8fjSFMSFV2JOJgTClCn3zdIvne6aromjgbQwgbEwHQYDVR0OBBYE\nFA02VDvbj6oZ7PXRj3BaSHOf4dT3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUS9g5\nZzN+s6ddk5+r4tx5e1SKSBYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALpyVBH4\nerQ44iPwSauuMJVxqmIxMR/6l+2zaijVW9SeAiAzBcbmuOG4rtYBPnmF+hgtdGIo\nwYV0U92V2RZ93uYk2Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUULR+iuOb6y1SasngviZxE6GCkfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpxIyq2J1n+Ceo+A2IRhUpOl4RkIkRlkDqYDLL\n46XsFq2dEsG2xw72tdJT3CVDlpe4rgc4vlgbWuLopAGHbZO8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYZ38BntYz45y7D+eBk4jEqbKwmQwCgYIKoZIzj0EAwIDRwAwRAIg\nNtDd3AxOU21P2L7n9w+aMk0Kqbot2QYIyq+a8zN5RKQCIE9C/Vb2tyRcugwzzR9U\n1pQQXrNXPUjyl6HxaItaFLrP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEE0a+8vnJBuOVNzJKhZfurwxgCYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB/7gAH7v61PLCeav3lqrraWIeQakuCkSE43aV\nIo08jFjkloKBp2EiJLRgsqsL+mssMMAFfXn4Zd6khsurtJ1Xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTznOcCxnnfp+AxARJBW8EqQV55swCgYIKoZIzj0EAwIDRwAwRAIg\nMMBNqoDUIKbh8fk0x8ZQxjlNm1dVd0j3pwphZKOnKIgCIFLXvv+hoKSKQBId6pxm\nqO7hLXrR2RT+YfXXCVEmX6FT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUWz4WNEwNiB0Qt5Xv+qeyX4C0KB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiAaP47ne\nLsslY7ur/CC0f1lqcvfFPDVnfdLrID6My95Hl/V5oLGEmYxBrH4J2Oy+snntPenR\nxCEcvcU8gH+x2qOBiDCBhTAdBgNVHQ4EFgQU6xTU7p8GjB0xG7BCwowEhsgowkUw\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRhnfwGe1jPjnLsP54GTiMSpsrCZDALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgGoqO2xLcypnHFuj2hPy/+nWWhKwS88s6\ngkcdbH7n2uoCIQCtPEbzUOoxMQbVDAMYR0+T3popL+eCHRs1ymrBy05EgQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUNVxqMVW+egGR5Yk8H9Tme8kTGPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErx2ASURH\nyr/vDVgEUdIKo6vBAdNK2y/84PCFzLrLg7Xmb55DIV0TvFtraLTPoEJ4nlbMP7Kl\n6YOKFnC6Dcj7k6OBiDCBhTAdBgNVHQ4EFgQUWmsoK+nfwxMsa1zg9ffbZ3Ylpdcw\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRPOc5wLGed+n4DEBEkFbwSpBXnmzALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOP5/Q1a8cqDvA8p+eoyv2XkktG42ut2\njdycf5uSKKAJAiBSaKZVsfYMgzt/9qPpUL4U/LPK9WWYFBTDs9zhJ8ynzw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIoTvT8RfEKA4ryYDk2ciElnPE/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLjDtL6ape67qgvsiHMSMDO64mzdbTb+pzoQ5B\nkB7j/mZW66ZXX3Jnh1BJa2cHa2dkAYE7P4v+OBFEYITkiA5Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE0rxt4k0o4LCnP2qc/h4z5H4RXAwCgYIKoZIzj0EAwIDSAAwRQIg\nDmVMnVm6IUdjzaGP16u9tw9rqLFVkw6tqOF4c7NX3C8CIQD5ft0mGbSxaBgRBspg\nRERRTck5UIPp3DM8OE94c8Mmhw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAjMsVI8yB0inBXnsRftyvHU98ckwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYgBHow/aD1QCdUrmB9bSZUzkN88D4SlD4bXEm\n2mtO4xtBHSrElIdkUgyiv/BHdEXjFsr1grvnqWCw1o+Q8ch5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWyHPFe4gtTX/esmIuXtLNwSCJ/wwCgYIKoZIzj0EAwIDRwAwRAIg\nMoofioMXeT5Y5spjYmDYm1yXPZhHjOPkDkzx+gZogt4CIBIqsfYbc8uAyvTyBpv3\n94EBf005iW1L5vE+YLqFVXLe\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIWdNSVMHesFzxkhr7JfDP6/515F6SvWjAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/jml0U6/zrF5WXPcbMW/46NcNf5QCco0zmO3kJaR\npLiwczPystphm20u68hMahJaEDzYp3YjbEuAaM2JG7mWM6OBiDCBhTAdBgNVHQ4E\nFgQU9S2Znkki4GSktpy+MpoO+znPVx8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQT\nSvG3iTSjgsKc/apz+HjPkfhFcDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMM/HTD3JC72KCmWS19HV+lAOk0alRXSIPtr5wJh1HefAiBTvB2oaQZAa1yJR8Cv\nw7rLeC3aAdB5LhRigRfg8XXZgA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIXAPUxrcFp2M3RLvqI1tBut302S9gUfnAwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoY\nDzI5NjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABB10856P8wXZlwuwYe8MYyOMGBg/kxN3Mw6xAgG3\nkDEB1/u1hqV/KbgblUg8CBB5t7xsK2ttbJxbnPmfsU1GPKyjgYgwgYUwHQYDVR0O\nBBYEFC2a7h+yo9Qtp+Xm+w1UUPc+I4pAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nWyHPFe4gtTX/esmIuXtLNwSCJ/wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQDzkIUSWyq5L1gf03Dk+g77kJ663c1cutig8go6052+WgIhAPkqraNq47+zSKIT\nFk2N6iTSnj1NlOGkHSN0lClwJzBJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfQ50EXVVtGG89HzCVlLIGwhdZd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEdQIh/zevJcCcx6ZCm6IOeeCja8NEhTi5U/pd\nrLgZJ5hknAV9t2/3mFbE8HQl9B5MR4y6VVD+2ZhZffpAbBl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhc3ZhL+IO+KSzvzQQxT7r8aJI84wCgYIKoZIzj0EAwIDSQAwRgIh\nAMpTNO1b4ZT4JQJfnCccDfIoK2iQC5REVN1z7veZ0XDWAiEA6d5mfuELl2IqHpWV\nIGERNLCgPNSqXD+FTQ3s4myQT2I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmPQ76xkycVypPpt+J7tIhD14HEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQv4lHBjtkwi+BA6fKCsGNjcX4bnaPwhizfHJOj\nJOZbSYUmely5Tps+hIMjORtw1fMoNLon3+Vs7hlOgK1/UsZqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu48wq0AwxiPhxiwkWP/DzO6FCXUwCgYIKoZIzj0EAwIDSAAwRQIg\nYICOJJA0avFs4bNAuCmMEcw7j8nUa9/jHNR0puho06YCIQDqzqqxw0aR4ZwC5XCt\nHdk9a2zdLMQiRLbbLdSJpJxKCQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd2mn\nlRtP8mv+ncJDKc+SCV+GiBQT7zoWwqofswJevHqVcYI1TP8lwaRTBP4WgNuMdnwh\nDE/zs38gIlQ8F6ChzaOBiDCBhTAdBgNVHQ4EFgQUDWQ+v8QeBojAxwA1Te2ZyiGG\npvgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSFzdmEv4g74pLO/NBDFPuvxokjzjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgd3l19EE9eYuv6M770VX7GTNJWTdG\n+Z2vn+r7swV67egCIQC/k4IdOTXWnC671KFnbB3hAuv6xB7xB5liJfC1CzZo6Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzXlz\nGJKScVCy4UZjXAAJulatOpohKq8UgPGXwBTtTosiTcJgUS9ies+k0f690Ct4UwU7\nK3ybQDKkuRGK0whIw6OBiDCBhTAdBgNVHQ4EFgQUW0To4Zce2S/v/+cgovhFuyaR\n3t8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBS7jzCrQDDGI+HGLCRY/8PM7oUJdTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAM5YTMlByaqRxLDasZ9vcrWO28Kj\nVY28tVg2vw6bOC1rAiAgKXois6BPpqKmulpsWtWtDwNCkoO9Wok36+/a0QXWsA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYi5PWm2YvxP1Z+F4tAMi7oN0COUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7tyQWV5tKQzHDPa9WDjYCfVXphX/8hFPC+xpi\nGUBjjHLOFLeizKhFivLo+08ykFjqVfzcl6ArU5DpbgPV5Q2bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHoWBiCIsmo16VhQ4Fwg8mzKLZ5owCgYIKoZIzj0EAwIDSQAwRgIh\nAMuq55Oh2KMv59br4rEr/SeIw8cZAogHHjM05SLH7WoPAiEAkGOktxdww/1vOcUL\nDe/TgAnXiV7wJUs9hAwa/D9z6ZM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGVvA/bIBbisYgZMkqe4t9CzBfXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS421YQfNJlhbDpSqqP/zcHottISBfBcT5kTixK\nP44TPsoylcGENFmm1ObqubwInM08O1INnG7UlYg48069fdqzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFiVhmLKQ8Z0+5UGBpkTiZ+2yO5UwCgYIKoZIzj0EAwIDSQAwRgIh\nAIPEqrzaf8Ijmk5eZ6rD22o7O70wqQBk5lNsWfWoMmhIAiEA0UExfNHXFLCcpaxI\n93h97tpRm1dcIE1+5Y6A6YAfS6c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXugAwIBAgIUPeEDP1bvY7jrDA/obc+RA46+uWQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDNpy5L5pExHnpDEQqkFugGE3LZWj+2WNxIAN8anM/9b\n3/Vqpzgzh7WI5VzEi6oMl+BG71da4Dd5asvTdsFYFLyjgaAwgZ0wHQYDVR0OBBYE\nFDlanprrQKaCxp1DMNilTnZnmKdmMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUHoWB\niCIsmo16VhQ4Fwg8mzKLZ5owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0kAMEYCIQDX6hRib7GhnhMtt3UwvJTtzGTqTuokDHLE\nhEFYSgbcuQIhAKKCF+PHlScTEbR9EuZZubIkYR587cPtSGXyJSZA942c\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXugAwIBAgIURE5csqE0IqAeskDGspfcZneJDUkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAW5tyBfBemUx8K0BBYDR2qHv09TJqXOGP0mcdwzvdRQ\nAld5LD3BwXo5W6VF6TEQ5KVDsdYbnpfNkDxUgvZBuNejgaAwgZ0wHQYDVR0OBBYE\nFL+SYqBTP2jrff3BNVqMbdfj7A/3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFiVh\nmLKQ8Z0+5UGBpkTiZ+2yO5UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIEGPGV/9GV3g199LroCbEvneogHY5Nki0Lat\n5WzMzE+gAiEAj7MmlW9VKwYNyL0zo16SDTvp1f/EuJh+c5Mn/Ma1QG0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTSQ6RQquy8cqf9BdkJchM9mJgR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQvNimU5smTIW2usxMqJ7VH8EQsFMKR/wPpoiu\nPV+MowiX+jlEDzKKVO7VSlknq9jM4cfB3uJbY6qE2junGExRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTjlTlhFeOkCc3hoTuvGHKzjPNBUwCgYIKoZIzj0EAwIDSAAwRQIg\nBytV4mkxb+RZZc/b28lpxnb/fHS+c0DGrBrxfD1AaSwCIQD22n7FZG0ZVTzRliZD\n+SBRdXFybWItcyBotHfCZZDGHg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUftau9V3MPABQ0/9mi0Y4CalgCUgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9tRQw6NkGQKwWV6pa+j/fRlLHh+H+ppNgtsw3\nKZ+WJpATtC47fulv6qcQrf+nVXOSph32i0hahKBBwaE4y5KYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0GG9RsFW7zIWz7tyDRmE+zjo7CEwCgYIKoZIzj0EAwIDSAAwRQIh\nAKDKovJBnuD/A2aE2hw9CQiiyzrItaZYixNGd1uDQimbAiBoXuXuGvv0+TZhp3rN\nopXFKscHrLgJYGDZdmHpxyX+3Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUFiicsFs8kuzJdE/j+b2tVGwelyQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCYLXjpDlJwLlWmTSX0QYk6AmEg0nmQPQWWc3ht43GMd\naE3WcOdOpj9R/KHr1djl42rLuOemtcfs78mipp9JYWujejB4MB0GA1UdDgQWBBQP\nQjySPnFkjA7g+lBqRakAKR5MtDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFE45U5YR\nXjpAnN4aE7rxhys4zzQVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEaQmNMBaaenrKhzXq3s75DX\n7zESdmGOCB5VMi95+kW6AiBK8pMQO7d8+QPJMtLSB1e3pkzM0UpCcam/YQXWDof6\nSg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUX5ejhWcJ+8rPG1aPJUhYTXn1fWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBNxWeCNn3gsRb0gA+Msd77+wFFfR3T1pVVvAZWdLms/\n57ElQgv6HTI4h3FL+HqroOdhaqajruOEoLrRFGyp2SajejB4MB0GA1UdDgQWBBQ2\nM1L5ENJAaF9W1rl2F51LilCh4DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNBhvUbB\nVu8yFs+7cg0ZhPs46OwhMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBjh1RckA8NgW9Ztlod6UNRG\nwaQnqBWqHlToTAiQsyPqAiEAyLYn/Bb0A1qldgk48JYVPI5K2BpbZLtsxLUpkF5H\ngmk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE8UCLQgsU8maRgNI1Bvjv4/ghY4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7M03e8LThJ2mADxWk1axsbmHmoL55u1ioH9sf\n7p2hgzSbcIehndQXFhHBmFH04OQJTHrFm4UrQ2asuNw9GjAeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgyLXDX7nPhBrRS2SNR6ioJd5+YswCgYIKoZIzj0EAwIDSAAwRQIh\nAO/dR7GbHSxY8d0WixrTBmE+EOqMiEzqAi7Z6TfMHGDQAiAOtU+AlM9PhUQoeJPx\niaV3bjhG8RUyl7K4YYyibtcntA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK8OXp0aQqoVgDA1pdWjHfoZqNs0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjvuCZfzwtWDyv4K269rAGXEBVvMggz6iCgDj6\nogq7iVMy+/RD4KGzfH3dPIsFufGxrVgmCs23TjkaGmpjDXVho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP2eoCTgVLvfQYC3WB94WIPfTNhYwCgYIKoZIzj0EAwIDSAAwRQIh\nAOItrrs5hev6TWEMqOAIqbfZeZQYfLNOroxT0T08X+xGAiBSqf32yFPstlNQYtxs\nAjFoKxsP5QEUXhQ/PIJ8BgZ/SA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIULF+z/AHe6NpKVjawrlItgWBM2FswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB1to/RknUb/uMKGjULLJH4KYWo878neuj5cjRCzz/Wm\nqm4FsrtON/1JR+91N1w8kpJvk/M8tmQDNfya42oa3sOjgYgwgYUwHQYDVR0OBBYE\nFA6rQ7bR+Njp1VskRizXbpqDp9uZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgyLX\nDX7nPhBrRS2SNR6ioJd5+YswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDN\nRx1NT8lDuqm2c4FXUL2AD0ojBnqpKB9h7pfAjgzzSQIhAO/b+jUAyWJYh69CWQ/L\n5aIiMH9hOy+qnm3OImsJiqFi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMRekc5kcCt7s01oZn5pUbuA/M+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEvgxwTokXVV494ntD/zTEXv71do+8vq99kul7lyRjUb\nOt6BoAXQvJAGHrWlvDI2qeV1fSo+QmXqYJHMvb3Dg+WjgYgwgYUwHQYDVR0OBBYE\nFAfTzz9ltuwik6liuo/XDrHCE4+6MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUP2eo\nCTgVLvfQYC3WB94WIPfTNhYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGrI\n1AQrTyeuxmgfDGh9yThFwvMvG8zaUiq/aEH4qZEwAiEAlLkLYRniZ2NpRk33I/Tx\nUcDvOC4wZaCt4R5SttS+f3s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUawIB04/IHLsVv0GGNWDfjw24p2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQ7qyKR5QrQO9irthZEfiG95KXJhgOEdluk1n5\n+ORfzdKV5czlmvfr+F2+L8bA+EmdihCbb1eL7Mx0NUeU4spZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbmeYZdQ7sAIBrZNi74YhRLx2iYswCgYIKoZIzj0EAwIDRwAwRAIg\nUF9Bxx9SUMLPDq/k/6ICeU3/W+OYI4xERRg4Rd+iYw4CIAjblEH9uHyb/QCdGO1x\nJq6cgRiM2P3jYFNn4Ch3ahpk\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbYbX5Qwfw4BzVjClxg44xNTqVA8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkhDL4ScvzDFWCOe0y/3rLZmSsK6/nk+NwkleC\ncMctF5e166rZrMoqWRdSsGTdJtiDtinZZ4WW1pTmiILJahcwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULhAeORAbfwLkLGD6uC76mUZLFOMwCgYIKoZIzj0EAwIDSAAwRQIh\nAO9+0zsw70rNFR5NugfqlvjYePEkZXAuMqed8o6H7X5jAiBS/kFxWgBOptoaOHYd\njhT8aGqOswUSmwBniDGy7q+NRg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUN4fAITl9EyrJxACeGrGkq5eeeucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNlN+dsW4vM8tTEoyhwf0IJB1bP/e67fVkpfCzYJbKEK\nDjwn6ZQ59ZyiMi5UVn887QEKQP3XMysGV9hBGVpmYr2jgYgwgYUwHQYDVR0OBBYE\nFLGPkCVfiH7uG61i1lEJQwpHBc1sMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbmeY\nZdQ7sAIBrZNi74YhRLx2iYswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGKJ\niDWcG2Kwl3RcuX/3QpnSsoA6J4fGArZwjlRLerZAAiBbVfNnoAtf7+N+WWRgqTw7\ns5RY5yzVFDQ9dhIyRzJPqw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUE3I/p26ntDRA+CNMQ19Xy+6DdecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEj8KY1sRhNxALoqVnM6WfWrgR4NbKU/4Axx7y7ZWljp\nwLMXTxP1MLeKpRJTCxDyr6jy82IU+EF8tEsn+n3L4ECjgYgwgYUwHQYDVR0OBBYE\nFFa4rS5LvaWRd97O3vut6EjdmNggMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULhAe\nORAbfwLkLGD6uC76mUZLFOMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDb\nfIuX+AKupjLD9loCTErr943paZMLTYViAjfyKR11JwIhAJfkshsVtLdFGeLhc/eD\nPIHvQeAl9qQwqdIude+49Zw2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1252,6 +1252,29 @@ }, "expected_peer_names": null }, + { + "id": "rfc5280::mismatching-signature-algorithm", + "features": null, + "description": "Verifies against a saved copy of `cryptography.io`'s chain with\nthe root certificate modified to have mismatched `signatureAlgorithm`\nfields, which is prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5u
CbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\nav
AuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nDQUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3v
qNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", + "validation_time": "2023-07-10T00:00:00+00:00", + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "cryptography.io" + }, + "expected_peer_names": null + }, { "id": "webpki::cryptographydotio-chain", "features": null, 
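Review bot: The `description` of the added `rfc5280::mismatching-signature-algorithm` case cites the wrong rule: the quoted text ("A certificate MUST NOT include more than one instance of a particular extension") and the section-4.2 link are the duplicate-extension requirement, apparently carried over from the duplicate-extensions case earlier in this file. The requirement this vector exercises is RFC 5280 section 4.1.1.2, so the quote should read `> This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate` with the link pointing at `#section-4.1.1.2`. The description also says the root certificate was modified, but from the encoded bytes it appears to be `peer_certificate` whose outer algorithm (sha512WithRSAEncryption) differs from the one inside the TBS (sha256WithRSAEncryption), while the root's two fields look identical; worth confirming, since it decides whether the case tests leaf or trust-anchor handling. Because `expected_result` is only `FAILURE`, an accurate description is the only record of which check is meant to reject this chain. If this file is generated from an upstream test-vector suite, the wording should be fixed there rather than by hand.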
@@ -1306,10 +1329,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYDVnKuaV/88xnabq0y2MVtuOlG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASWqk+Si19fB3ny0V9SkULbAp64rz2F+ZZ2+OEu\nYEoom8n3b6uCkjBWL+EfaVRD4XjiiOoYZrUjCDEWdkPKcyy5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYsVhR7MSdAIXiuNWPhllM5y5788wCgYIKoZIzj0EAwIDRwAwRAIg\nNmG7xbEAurH+XADUtQNWcq1Tb2ngBLFtVXT8lSJtkeQCIBxnRIjBEMOerGXe4R28\ndGeHMz8OZIgMbgc9V4kYyh/X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDK//NcJaLLrR09BvijHHG4uJsU4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDhxpVcV1+9LdoCQ1q2WN1aBNYrERQCLYXkeGK\nrvGFrcmvGtj5YxZ+meHJnJsB/2//CV518eWvpASres67pLOUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE4viuELDIvIEQKwKfF5RJmwqmV8wCgYIKoZIzj0EAwIDSQAwRgIh\nAMOlzVtrYcJUxYt4ZfN7JwLflnrH/KBXWJx2S8Y/vsl7AiEAjpW3Nqmd4CPPhhL4\nad/YDlEzP2z8ZfKCoJU3SzdTBiw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUR1qiZZu7wXJ/K6834k6oktBxv3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAjTI4vcWVpAWxA+ZITozxrarxMjShjPjb/rb6uvY0wC\nkpfzdWoedx5DD//aXQNCrXlw23Ez2qsCS4FsKfO+xfmjgYgwgYUwHQYDVR0OBBYE\nFE483zMsJCnFkbzKkopcIAv7yAqDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYsVh\nR7MSdAIXiuNWPhllM5y5788wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCo\nsj5iQKLQfXtR0iJa1o2h/QbQUtSpbUBKYTWyY/YIXQIgbvkNXD1UiROW0vFdXpHg\npw3dAmf/CGCraOGzFUc7f+k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUXn8OHfIhDmec6kTaM6u0Ltk51iUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBszqM4xZsjrOG9/7hSQbWDAjvLGP86v0anVtS7yPmHG\nlJKjJ1FY+GTszELHVTVeEf1fjSF+mj2g3JISlOid5umjgYgwgYUwHQYDVR0OBBYE\nFO2+7DsXiZ3L0Eel1cDrRK/xVFzGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE4vi\nuELDIvIEQKwKfF5RJmwqmV8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDQt\ny6iKQaLh2DN7P8my9w5qiOU7p/V/VHUotxNrVNytAiEAhzIv/HnfNjtjGG9JUgMl\nkoxYUTPVI1hqjCIoLdi4E40=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1327,10 +1350,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGrrAEuddVTw6o3Tkj8QLYiM72gkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWnrXcYjceQw8nPNcoIt2qracVCDQt7FGxbrrm\nKdqXN8nZZ1PPdBP+oB+CfAUfMCfspbydGjH2brFLTtcFpY7Oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrKReyVtXqe1jGZdbcvJx4otSvQwCgYIKoZIzj0EAwIDSAAwRQIh\nAPNMbqcP25vohgLU/53BHoyEr5WLLNtjf7gfTHmUl91yAiAd9BzQZOWkn63+CPzm\nc7rRxKKV3vYGn6Dlx0A5K/jJvg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUffI41fl+MPjZSfJFqi7/pp+jy5AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCsCULzDNlLPqi77jWvwWnN2ELQZ/4v7f2yiLr\nykidB4x0mdmqC144Ynjh3dC2dy00K1i226jHWi7ov0ctWLOeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvKyH1hKsQdlO/01Bf8lGxZw26KowCgYIKoZIzj0EAwIDSAAwRQIh\nAKHyJi8FK6MwB1Udmw41HXp3EoCJ4hWxgT/4S+YV6Ln3AiBrkOj5nL7xCNw6c8V2\ns9pjK/4XBTDY4q68mgbjrS0itQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIURFJFs+l0O8pdWEhk2aIYtWtOwSUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAw0UfHwC3LcsrijCcH0WxuCUKpz074Qg1LM7h29lj3m\nSmGZlZBAElX2f7k3J9XXiNhbPt2mo3gjP+WmZgVk0QOjgYgwgYUwHQYDVR0OBBYE\nFIWpwlLMRTBIOSXBWKO477lpVJ3fMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUXrKR\neyVtXqe1jGZdbcvJx4otSvQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDO\nMvb2VytzY8iVtmRYAu9cXs0aQudLMTINDpCnSS/17AIgdC99uFyhCNcJdWxBQntZ\n1YsFw44i4Fn1EKeOSnXc0a4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUW9JxxTj67n6aEEOxuPd+KIPHZCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsbqYRv4UKi/5P4QSSCNaHtI7mVhvDD5r8KbYbLms/F\ndeo7c1vIfT88Ujg6/a1Mxo/o67YbATiWXyCLXTJ9Ly6jgYgwgYUwHQYDVR0OBBYE\nFBkWlWyH1qNoLX6HqIAjJ2mq5DQ1MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvKyH\n1hKsQdlO/01Bf8lGxZw26KowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC18\nM2WdBqZU+PlxTHHmY/Lwtv38IjP1hWhmC+UtdIV8AiAFrh4JMIyPuDXe1O3AJUQ4\nFMbDm4exF76LyMwwIuB6iA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1348,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf2nOXLXdWw7PXJoYXkE/rlCnYaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtZN8iF4OoOSCIq7D0aby3xDWlAmFMEADv54u4\nDPPoFCwS+MXy14WszMhECw8iLM0eAx1XxqAPPQSnhrcEHBy0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1XuK6KGlsjLv3J0lhZ247v7DAUQwCgYIKoZIzj0EAwIDSAAwRQIh\nAIFB5IYymgwlKsSyiSwWMc/J3IAgOlwQJZMcavweSs/mAiA8AuYgTo25SiIGdEyN\nGcjLAJEYQ1qM8gA/L9kkonIUIQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXJNCxa+TKrzZopzuWr46lAMsVPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQ05Nh8NFKV6YmvDB0Fy0UjwniNLpFru5W8q1b\nSSh5n8EQ8WSJiQFoCmGyGUIVMNh+KrLdp1MqLcVamxGiTErxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt0uhtDwi3HUMR1HMQUjR5yhbfuQwCgYIKoZIzj0EAwIDSAAwRQIg\nc+AjRHzmnFt0RSYGtCD8cRjm7WXo9QzSsNv+FvgDRMoCIQDc7ZUiH9p7t9ZyNaR0\nII0fOkcJfQl5AjU3D/7v9PGytw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUf2HtK8BfucFp8eVXsenpAdyF66EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKPi0JM23P/2Tzsf70ohyw2vee5zR4lh6Th+D2cvgihk\nj5Bn8juIRasyxePzc7WG5mhqvsAWtz+1xnYbrL8FSamjgYwwgYkwHQYDVR0OBBYE\nFHMNzVnOWcHF/6fk3cNWC6Yca/9qMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1XuK\n6KGlsjLv3J0lhZ247v7DAUQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAFaqnsJynOEFk4mxytI3yA3aATl4kQ8ScOaoaOPiIT7gIhAJNB8tS8tdLvOrJE\n/RQkd8q7ccUBiNzwWNCCaTlmTJaj\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUcIPJY98Ny08Yg30YHLF1CuTB1gQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLf2qg1UyiSevYc3lP7fE5kAmZgRoVZh2HVq3Q/OB40c\ngYIvLMDuboY37f4lxM5UCgA2VOV4k6YloLYuoS+TFGGjgYwwgYkwHQYDVR0OBBYE\nFPp7AgZWV5L7OUCl+tz+SVlYFuddMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUt0uh\ntDwi3HUMR1HMQUjR5yhbfuQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAtE8TAnfJwZwSFj7LJu4xoqI//4dP/rPcN8b9os+eGTgCIB3GPYQ/PT5++6un\n/gIdhKEbzT5BJ2RJ2p3eeC9oxkqf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1369,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBLnH0c/fppQ1NcrPCW/m6rGDnZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6xSIqi59MJnXSDKYSPumpKkWtoCOy5KPbZTXR\n4YP2YKxygT00NNgD1HV6MThNwB5GaEK5A1WL2mjvCjMo0i72o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYiHLR0uMlfL3vAOgn+lGJ9lveMIwCgYIKoZIzj0EAwIDSAAwRQIh\nAL3W8A+HD3kYEA14CKd1az4CoEMolZQ8c9Gh0gdhrQERAiA+uioES2JwyE9wgESh\n2qe4gMtYcMFLURuyu0f9sJo5iA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAyMol3rKgjDzUnqd+qlsf1//6MwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfG0ZU1gnX1chrsFFpQ/FG6hj6aNGVHYdO8qyq\niMX+elN+mIG8uYR8TWdqDy7mkJulABgnB43wdiOqNVi7UPH6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcVFHClPwLjc5iTV44Nn6eWXzNCYwCgYIKoZIzj0EAwIDSAAwRQIg\nbg9YDyB5wt4m2Z4XK/PKsMNiC+o/JVF47ZzQi88L9isCIQCJe/3ecuXjtISgSogg\nVmWJzZqWuSaXoD1J7+vK1x2ctg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUESd7p6fjNIkbLikiAt9aOJSB6h0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLNgDpOtjVxfmtm6HwH8i+sqnUcsJ4PzX0PXlfyO0lb5\nH7e7JGeDK9EDpY4AF8z4jLAylhOyCBUcrHE4WM0TQNijgYgwgYUwHQYDVR0OBBYE\nFCxoCZA/BsAyZsMB6wn5IVrA8HdQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYiHL\nR0uMlfL3vAOgn+lGJ9lveMIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDv\nI/wK45cU/JtuqwTBfw1SYNs1nude36h8G1CqRADu9AIhAONwY0WtLHpyns4TJuKU\naIZQNXCjj7Qk1vShzgU5WWPh\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTp6MA2eXSL0Fki4gk9FhtHETqpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBnKdpEm36dOxIyYfoO+g8fNNfrVYEmNwzDCey+/FFGt\nVM/gZGZPoFMR9OsJwWJA43QioalEqTEEZl+XuXsIi+yjgYgwgYUwHQYDVR0OBBYE\nFAttcWs6aExXb8hORGcOWqpm31XUMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcVFH\nClPwLjc5iTV44Nn6eWXzNCYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHtH\nMCRl3DHGtAX0lpeKxQZ8w231ynqJAADOvBT5hMh2AiEA33otII7Kb0CuEq99mlAO\n9pe0pKgIEh0DCSGw1RasEnY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1390,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWC8Yi+K6SIOdY7aPUV82uHnbiSwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARfqnD9AwuGrLo8WI99yic/61rnJDBbHP+bkdFi\ncYWBolPHDJr5syt5vhwaEu291XrfSoZLTwpuOmhS8c2HHMoTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMFiJi553XWY0/xtx2oFwH/eVUUowCgYIKoZIzj0EAwIDSAAwRQIh\nAIsujX31pH5emvl5XeutADCIS6i/2/GAd2P8GC52NQeRAiAtnkghLxvkQnI/hdVi\n8UXGrkpRR8gpnAD8gJ4JBupqlg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdDyU9XdZ2LIoajreFBm0Lqz5dXAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCmb3IENifXspX1S5hpBPnwOc4VvKKBb0UGomC\n0zX1+qfieKb50fiMft0oImDIhEQPKyaDF2btxkvoPL0DGoIro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvWY8iFUAXADYslhv9++fVuDSD6kwCgYIKoZIzj0EAwIDSAAwRQIg\nZK2W75VK8MD4TQN1SMdhN+1pXS8A1IswVbpoQWPIwncCIQD//okx+hRdY8N4B/cB\noaZzGfTNj7ngamfBkvqnIl7gCA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUHknhTGWL4BNLdzfEdgPrtpxuVqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAsAgQt82jUo/Xtb0C/0WeNt+BZIF6r+su0KabIzAy8x\nym5a+p581mzd52+jZ284N7/fyy8CSngiC8RukJy3l+SjgYwwgYkwHQYDVR0OBBYE\nFC7dfSL14cXj+BUlounTdEQZXOOvMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUMFiJ\ni553XWY0/xtx2oFwH/eVUUowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiADpGsTkpij8u1qf0FnPIGWNRw9jcuppReLpSom+3LELwIgfCawJVAETQEjljta\njqhCkvEbEvbBJXQbZvtZj6iAcrw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUF88WTCA//wAR9qac+YBvDnaIUYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKmz5Zp6CV3ysY9UgM/uFE3BhYdv8LVoOPwaDncMmsjB\nhSU8pSxnBXZDU5ZF0zxwTdzw6kANqWSzHwiyurqWWFOjgYwwgYkwHQYDVR0OBBYE\nFFOH57g+V1714+57jk/3Wyzgt2IDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvWY8\niFUAXADYslhv9++fVuDSD6kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiA2JQxg4nTpKtTNEptNZuUsJY7s+fRxNQMEM0YcpdaukwIhANIlYjnmqvDonC2C\n6fuDVIrCEzV59c2JWTe7vi8vn338\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1436,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUahav5EecqiMaWiH1V8sJltK554wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNDYBqgr76FArgOBb8vOO1i3hvHdx9e3otnpvy\nEVAJ+FDMj4qt9jtrsNo7+gS+TUS4/UIeM3ORc8oyh1s979Mxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1MiqYOp6ITXxpRAu55Xblk9DClQwCgYIKoZIzj0EAwIDSAAwRQIg\nTVfl2h11ABN7NBCld+/ceGywAzu/AQINvow/l81IarUCIQD/WZdYmP6uLhsmZ0Ux\nc/gmXf2bbOuliLWW9BIFftboEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUa0B8vYHOlwWnwbENLjdp/ZkOW4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASu9F/GQ98UeRZiXk4WzTfAP1h7rMfpY4BS5Eyv\nL44JM4xoWBBqtnPZQcZmPHzoQue38tRE9QKLNyMnCloZMxMlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnP+CUrE2gno8dZYrNziq2FyakLcwCgYIKoZIzj0EAwIDSAAwRQIh\nAKlG5d/YwlQ7bvxHQuI+KzoknquWtlJZ4D45EiHkY5n8AiBhwVI0/cshHqxjO/NJ\nX0I2Lee7vUmZtVHDzUvm7xqLsQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUeFAm6sYC7foiK+jxNNFbMxE/AJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL8ukacuMy0wKEALSC3yU9oXljRS1/x5C4OoxH5mKf9d\nijE6h6iR+FDnhmWOuHqpTLNVCUv3IRBQ6FICSe3uTcKjgYEwfzAdBgNVHQ4EFgQU\nLAzYh2vuPduoOXu8rbqeYhjJHhkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTUyKpg\n6nohNfGlEC7nlduWT0MKVDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgSE2Y1nN+dUrX\nfmNW1VKZVdJblXLM+ByOdaCvwCe1pTgCIQCclSGViN4FZwHUib7N/J9ymxqW7ef/\nFtJorrTq7VwUiA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUYAOkMZxzwOqMjkymGyeoEaL/jw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDBWKJj/33pjQqou7/9uUHbYS8nVBUqt4SREk9QYXC97\nKfEhvldyoHo2B2l4XO1fpzPVBGJTMME+EU4IfZCKp8SjgYEwfzAdBgNVHQ4EFgQU\nX+O5u5POq5HwhWi6aHwwT8mkixwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSc/4JS\nsTaCejx1lis3OKrYXJqQtzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ6KG9zuxuZC\nRsbucu5z/sNB3aZu9GOcIj4ETnWEo5LqAiEAuid3kQKYhVmpuu9dg64Hs+fJURhf\noJo1HbhHYJGqFD8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1434,10 +1457,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYutlmZg4sCTlpEmat0rbPMKIFwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATM7Llp6KUIToniCXpO1u3WSiuyeuTcw3hAIvHk\nPX/qx9tQSoo0tz9wr3lhbNa7k1EbOZOk7gcPQiLm/uzrmxsco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUERH9922cnMrE14Kgba842/U7NJEwCgYIKoZIzj0EAwIDSAAwRQIh\nALWfULvwYVZVLlC1BTKRzHIHXt31hiAEDXtVZZiZTMf0AiAETvLNVTcPELKfPd8/\nw79BGXR8mRljo+xNdoKoBXOw+Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeC+E5cJiZtuFAuwCfuLT7Ey4bC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4yLANFLPjB99wxvxxtemA7XlDLz3fUmahhwdJ\nwxLtTaCVLTfVDY6D1c8Fnt0mhMZApG7p8Pawg+WhDpqb3V43o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR2BmOHbcZyJhJB1lXCt/9PCnVfkwCgYIKoZIzj0EAwIDRwAwRAIg\nJ37uWrc+XnjMi7UlFtAnDXpTZw2S/W3Nr86IX9cA9ewCIGK/cD5gKUYz3kUcbJxB\ngZK9WzYripPsgHed1TJFrYlW\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUNZyFOUrSJnuWfMDrL0pSAeNpjXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVX1ORG0VqT14sR8kbs2YXc1yk0d2rb4Qo5La8XwUWh\nP4hsUZQtvqLy26+mobiajnNg9wf0qeNHm3E65954IeujgYowgYcwHQYDVR0OBBYE\nFNCUAWCSyFLx3D+5QxRJfMBc3xOZMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUERH9\n922cnMrE14Kgba842/U7NJEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\naDcBylCjxgqDvHW84SDBc8nPF2+vFZiAya9Tib1gfEQCIG752Ag/Xwr0dtdrqHTA\nAT6/e8pzrYgWzoW5j+yFw52H\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUVfwsemAn3UaFSTgA8ZSHARiIJtcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFY5lcfDOBjSRxrFkicj/6FTltCBfACGxtNdPWOkbRc2\niRUVrqiVlPirNbXsWKbNMXXVNomIIRkM7mo+Qf2DIcSjgYowgYcwHQYDVR0OBBYE\nFF5LhgyLO0/k/oba3rOtQ6JZJYdjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUR2Bm\nOHbcZyJhJB1lXCt/9PCnVfkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\nDGs8hnUdN8hGenn7ZSn/igVrpAtNCb2OGZBa/7oQHBgCIGYrgJdUrAWpoWTOhYqc\nkK6xvBrXr5u6ES9UlGHvsmZz\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1455,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURHlM/832V7zkw0X+m525NU8nyowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtw6NWpTucQKZkQYL+tdMffI3pNJI/l89329We\n+R1l1lME5EU3CBPY2D6XhbIAMqDMp6oLcc5AEq+SX6qEZF5qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZfYVktAmO3bST677cf6ChoMh4bYwCgYIKoZIzj0EAwIDSAAwRQIg\nYJzxYjvdFFgh0/CdH268stHa7Zodha2JGuGzOTSFmTUCIQD461PO2lWSTSex5zyG\nLmfNsiZSHRyZdD+K5ZuSVS0qsw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAPZggVY9CG4nP8hUeXX8bAYJ4tkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCt3CMWBWPT1vl0hdCHcHqLRSuyAmwIcZeQxCw\nsch5WCYerEayZEQ+Bu4JBBhy2M8goyX0c2Oz4SC2gkdx9mrfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1TYQ2eAyvd5GHQ5nF+mKDVb+yGwwCgYIKoZIzj0EAwIDSAAwRQIh\nALa9HMybCL6R+vBomvgJtDKN2TINxGavv9QS8DpbHWLfAiBcogZb9TPeQRRcav/7\nngDhWH5Qo1xy+/GraGu7CKkdjA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUZ9e4rvWtoGuse7babUWXjRffKswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFr1RGgRUAMbslpV5zO14N+KBYdR/PI5QBRhToz2Neg3\nOK1UVn7V5LEZfcsN48boNZi6pBUO5U7l6yyyfNd4MqCjgYwwgYkwHQYDVR0OBBYE\nFIuxSJ8/uweynuUXm7FSl7H8s28rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZfYV\nktAmO3bST677cf6ChoMh4bYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA8QJBbHWBXMXvqBnRUuTwh83OWcc0VRBFpZtF3nvlslsCIDSo71PXW9nuAlLC\neVLuq2+MIK/qGtlQy7IBFC0W4q4a\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUVbSZNaaQJroCwKwoUQiJ2/8j0wMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF9UnBkApwFaunsRUF5v0qx00yhBzW0Fdy9JWbg0NRUX\nZ+e31LkgBlDZ6Z66ROlBq5Bpm7YYqke3N5UV0Va9XpWjgYwwgYkwHQYDVR0OBBYE\nFG8/XaIB9vj1H6GgtpPgCztMPnIaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1TYQ\n2eAyvd5GHQ5nF+mKDVb+yGwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAvYs6ueEs8Ov+fqql5CClTGvUvtKKZ9mvWa/mVadA07oCIHFYpMSY63UiugFk\nJzAEzwsPNThnpmyd9bcqz9al0lSu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1476,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVOjQme+WqgKC6zGA7a1s9QY5jfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPL8X62Ykn9j1scOxEEu9r5ax+OVH8J6Ozik6V\nByDBQoNJ+hNCzt0dF9i7S9MIAodHN40iU36rscNSQCjgE/08o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoABKVNP1Fokoo3AzGgQQTX1XhuUwCgYIKoZIzj0EAwIDRwAwRAIg\nd899u0nKM48L4ZHT7CghJ2JfsKdUjSkxEpkZ6jZx2F4CIDoNUN2cNv1LWhhg+QbD\naEZn3cUbgnyWAmEnRHN8szSb\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA1nmYPIbFVRSou6ybRawbEolXkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNSY/ll3dd8ykEqgAB5WZpvu/YuLY3yPVjvlG1\nFed/pfy5etB2miOa/mPc64bdzw3WJSGb1xmT6ZaJuOQsBZsqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVeEx3z97RWXjL5Tb8u73pQROIrMwCgYIKoZIzj0EAwIDSAAwRQIg\nPnfOt5Sfjumg3w6vwXABi9CKzAKECn2DZ2XDoCQpgmUCIQDvkJSw7PN7rt2gS3B4\nNOmZ42s09rYT+9RHRKL/C8hYvw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUWbEn0OvW9yRI+UwNzvlFSznp6bswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJt03hQGDNQAQeZ/Ujy/SNZU2ZywwMktditrCJm2u8hL\nR3HVlXVHBWXdxdT/va1DgkrsYH01Bvea0fVTd7kKnAajgY4wgYswHQYDVR0OBBYE\nFHFX46eWjdpeVa8fF9OK3vFDBkgvMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUoABK\nVNP1Fokoo3AzGgQQTX1XhuUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDvhXwfe9Uste4e0qfnAMd10Uy6KtpgIpT8R/3N5AOzUAIhAKQul9noCRpe\nf0tcGefII9dWqlpr5Y225f+EqlHDX1RO\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIULYwPYlFCD26oXQX9A5ZBXbJuCWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLekEDr2jdoI+g/I+AdEsgMU+BZJd7DXtxti3oxg76em\nUIYqP1jSDaQEFAQKh95X0DrWhlp4ARCqeVdGBeBRNcejgY4wgYswHQYDVR0OBBYE\nFPGlFjQ5IT+xVCvlDB9CzRhxpl/rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVeEx\n3z97RWXjL5Tb8u73pQROIrMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIAdx3WmYfbylhV++QfWRz2vlxJ9zPU01nT1QXqvLdg3IAiEAqk39n6pOjf2u\nkxy8+SNOTVZ77z6uv9fx8odTqq+H6FU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1497,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW6JGYTtMFeLg2giO5GxIE3y4VKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARE3uiPgroGSXTruQu4QHi4K+3ljtkBp4ZzoXM+\ntXrwsG8XP9b/esYqElIp1VVk5pPCGcfOIg2tQ5MTMmFELcQFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWuf3znuecvLdQDImjvzZvMmCUOUwCgYIKoZIzj0EAwIDRwAwRAIg\nItRsyy0KUC6AjBqXL9qx/5jkTItmNki651nsXD9hPiECIDvR0fb2IKCdvowRMtHK\nHEYkNiEn5zWZRkdtjiGUNj84\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbo4KrDtETptBKr/zKetdnbOFpx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8BIHSgzmQbc2W9V78zxYeSNsobWwDzgcjpnga\nt9xcMeZc5tZnEjGlXF31UIgNn58TO97PZKOf5elk6E7YRp4To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ1PylL6t7i3rLv+1946cmQ4rs4EwCgYIKoZIzj0EAwIDRwAwRAIg\ndUZQxtBFl0vNVhS8IO2S4VlMwjA3KZ9/Y867aNqV19UCICZI61noacmIEWgTf/05\nR+gjc4do0UMBDfnfNfn4KS2p\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUOY3bl5GBCcit0VQ1vzlpofLSKTswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL0xOOdnBPhMYpslDrmD1LvdhH/4H43NNMPYAXJ4M8H6\nDK6a1K0kdvRpzdka/n4NnTRmCFCU+hK+cn9c0rFxQ4ujgYowgYcwHQYDVR0OBBYE\nFFR9n3w4t4FBiHzyh4SABsC+CLDOMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWuf3\nznuecvLdQDImjvzZvMmCUOUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\ndmzqysugaS+QtY+CaASk7UDr3f3MSliky+B0KGwwXhICIAmkLbIjZ/HBNX3Eu6V6\nRdPIkYThVtJoIgCKE4nokJgy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUS9KR8bVrdt0N9yNB6z594eWlZIgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFhqx+/QEm7ppPyEJpSK1687A4kNW8MMQX/+4K0w0KbX\nGfSgsME/laaDA3cnKhOEHm5kX/mix0z5MXVaXaslIyCjgYowgYcwHQYDVR0OBBYE\nFKonDPLSEdsShZBa0NGER/GcuEDeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZ1Py\nlL6t7i3rLv+1946cmQ4rs4EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIg\nFGl4UJCRIuULaU5WfjBzQ56Gr4Ya/1HtvmIbFcwrDW4CIQCeLdxi2Rz2Y8h3KSvo\nkBBiHvjy/LI2vi2EsrHvHjaDjA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1518,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTs3tLQkf+YdmD7Gtp2HNK+uevfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQE2u7BC7a3jbrttcrIyXcf1cReKWvHSgK9M0ho\nYDkAUQh6VKjQ/lZA20tyC9PaucmCOZceV2KWe5U40QupKEL3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULsgdtqyKXOyVa/La7d81XsBhaaswCgYIKoZIzj0EAwIDSAAwRQIg\nbEVBzcTUUFfuX4b+dTUyPVEItVrKCbKwJVnZEKNy7mwCIQDk/V7CL0W7N/vGNJbI\nN8JKxlN67NBvqYiSN6yCp+jgtw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdFm+OLfThlmCShbxWGZrvrrNJ+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ98ewhzoidsNKLyS7gtTCzmJFuIyfRg2V0dxYz\nBYoILgB6Cl9Zhkb4xLl4Kfy5H3xe4Y4fzHF80qMvY9Ttaxlzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ASfCYTSJFc/XiKpGAvPA/zbTGswCgYIKoZIzj0EAwIDSAAwRQIg\ncuzpLP7hbcF4buNobPiuC398vhFJ5BLfkO2T0yfWChcCIQCgu3I8W3y+4W2jrdEg\n0GhiENLActqoAXE1xNXlCbjUeg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBzTCCAXKgAwIBAgIUHIB9G+kcKmSpPavblEfu9IjkIpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPcl2tYKUktMYCGPYRBjEXazLgMH35S4psWyiv8ZPu1Y\nMUShUp4BaWxF4ScKbD2jtbDW/Otg66cKRPP3vRQhEEejgZcwgZQwHQYDVR0OBBYE\nFEVQCQxWoaeVf9Vf1C0to+lAtxLyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULsgd\ntqyKXOyVa/La7d81XsBhaaswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQCvzKsRffgU7snfGJXKxWb5eaMcI1iz7ni4qJSc8349UAIh\nAPv63khyV2SygJqFIZ5yMZkJIOqf5YEO77d4nwhKcrex\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUUU3v70ASSyGfZxgPY8TznHCY3/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAQdZPgGJGgKlpI/y9J2I5TXz4W4kvdsjFsqfEIXkFwf\nRr5TWvU6h6QDD2Fz4Y4jYeJcvAFenTive4o+TglStcijgZcwgZQwHQYDVR0OBBYE\nFJbzsQ2rywjdyifSvNpZhLFBf/BRMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2ASf\nCYTSJFc/XiKpGAvPA/zbTGswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIF72VFQLOwzN7btieP3PYSyKq40FdyxArA5rJ/jN1OkAAiEA\n+8t+dO+HZwftDeHJinZwaIhdCK8U3yiM7Z9Xr17CduI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1539,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUamxaNOVpswPgXI/iCMvgS1b1vMMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATA0ot0i/EH1n8hpKizLW77ySe5lImI9o+te4Ql\nyPEfFfQh91/mAFB2INiF1hX5Dqst7dwBR92YDrOvEQCcaEqXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG2qqDkokvsmQ9f0m5Ug21pbx2CMwCgYIKoZIzj0EAwIDRwAwRAIg\nc7igJ3kHg5LP7ly13PckWPYndjWn18q/+kPtWkWXvkcCIGyZqijnek4fGcjnXPiv\nseZAZ57mFPRCC7a7GWdnQki6\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOF6U5L68X/ULt71Rtf/IPK+c6lQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASbRiB+3J4Jxa483VE1jgLIsmpK0r0kLKwLn7Vd\n4lqVbr5SLvxd6+plShc3xes67+AN1mxyhw0Bcoyt3dr2E3PKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa/S9Rczl9pxftws7f1em5euDfqgwCgYIKoZIzj0EAwIDSQAwRgIh\nAO6TzrQcjEXOzrnc/qylUc8KewOqK0RNj2+1RXmJkgYsAiEA518+Tib7jz8iIN1g\ng5Slf942kETLXgJUgG1p7Ssohdg=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUfB1ifWYavKyBnQY21Bee/ytbPuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLRahnaKh9ux/UTeRjqgcBmS765BmL+VYEAgy/W38+Eg\nq8GOXitAVD87VREtVMeZ+JYBIcHrUswPtw8nlHmhH6WjgY0wgYowHQYDVR0OBBYE\nFLf8Ks1GfXkgYI0oYB/LW7XJ8oTyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUG2qq\nDkokvsmQ9f0m5Ug21pbx2CMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgRPQaN57dXj+EPG1pQUUn5YQNVuByg0WTrdgyzfaV03ECIQDkxcPS6e1/rrnS\n7jggsESYSvy9BdrBJfesqn3rk+0emw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUCIvcUYpbAOpfIWtetOhixYCKKnYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM37/0BPi0xMmXrlIUTx3436+l82HDidSrE4F6ri2CGH\n9sG2pzMucKirAMEH9uVlZ59ZzcCfJmjM+MR9K+8+gL2jgY0wgYowHQYDVR0OBBYE\nFOPY1txmRnhogfldN/SgmlYTCDL2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUa/S9\nRczl9pxftws7f1em5euDfqgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgKeyR6WzYY1lkWCY7SuGZ0IkwrjE+WzIurU3siPypMoMCIQDpv9K2UcvQ3m3r\nZYzBNv6oGhFJOHO3rIdopCOhUxaUUg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1560,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYKGh/CTMHe/3XK9AMeuZNisYEaMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2DYk2TTA1Y3HiubZ6IX8oVag/08XGPgfRnR9x\nv1taX5C+pgXZJevNu1xyIXwNuI9v/fiGR9yQkR6GtNB+hMl2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdM8hwy3TCdj1ddaSBVtfBbg2tTUwCgYIKoZIzj0EAwIDSQAwRgIh\nAI0cZI0wqEG9VIc28xwo9REFbBhcfOby0KUJeJ3+e99lAiEAyqQeIFNi2MhndK0r\n81A3klFmSROHpAyeFjGEEXROPVk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPyab4Yu5q84TjkIDKeAzudTas0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ64UeHPobl9AkfZKZvoC10P3HtDqWbjnrkU2e9\nOL7udU/ZEosN6atTZED+xOwN6haPtAkMd5WCpHUXcDkUb3f4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyB7m2RRrbjMSq6MqvATxtxylp50wCgYIKoZIzj0EAwIDSQAwRgIh\nAJVHn+BU8Enh1B69yNzCXHIhq3ZOc8PlydavY3Ha65N9AiEAi02t/wWGYgpmSnuf\ngCGVDpuGH9Y9QQgA8LjYigzUnRE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUbczv9ezXFk90AGGHgndwyPbzVRgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOzM8fyvJ+joUgiG6lya/oLqR7XRHb5xBVtdPJTpCqCl\nVDi64qBJqLZ/8IU4Thgy32S04PWmna/Ayss9TuAIrtOjgZ8wgZwwHQYDVR0OBBYE\nFJOm6two0Op467/y+YwZb9+lxYzYMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUdM8h\nwy3TCdj1ddaSBVtfBbg2tTUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDRwAwRAIgb/MlFyChdBu9BSR9xG1LTQ00VaUeva8K4IOg\ny3Y+uJ4CIDeVqOU9aKVnYjY2XHDwKtAiZRZ3edMrQ6LjLew4ZQ1C\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUINFeKOY3zHc3ArcffPFHnvdAhBswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKGXnytMq1X1tq5LzcrBK2kltLALZUgizwILXcdXriST\npPZs7iYNdvjs9hKeymhEJpEh3FmraoVzRmXTyOk7fwmjgZ8wgZwwHQYDVR0OBBYE\nFKgRhHrfR2j91XME0t06hsZ7SODeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyB7m\n2RRrbjMSq6MqvATxtxylp50wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDSAAwRQIhAPYjhkSkpmSzSYX+euwgc2FS5QDY7elYLdUN\nB309bwLrAiBdRXE6W4gM/2r73ztGFo1ZYsu1EKVlJtpZG8t8LRBdjw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1606,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUSHjSROEZ5AAiJHT0luGHkSh1n/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk+tQNOsZf1/4gKa1oyJG4qtXwgqqJmlBDQG7D\nioo0Ch3JwxKodD6yonfuVPIJTeApDNIRKUi8pZcpKlMVP5BKo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUi8onPyo8yHEC7FVmsX8TzS8JWBcwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAIzqUSif/7fFtxj4PcP2L5e9cYriQH8BDNHR\n8CgUIWKWAiBl7HX53AOpD0nBJtiSlohzILAKCB8z4YdfPm3Tw6oGkA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUamKF8YitqgvvoxDqqPdGQXvE3+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHEgi31EV8MTgWU5BcFQ6plFWsvsWJLn686su+\nTMEjaKPfK+XuWUv0hcmAPnRKD67hPfCgGpIO7koRsXvZ+Zw2o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpa4Xlvwxwe2zF25rKMrO82Ro+icwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgU34Iuu9WZ+xh6gRsyJBFdS3T2ywK6/Fc/6AE\nFOArBeUCIHYmE2sO8I6AMeXVHuT5KE7KRUX+QRSumeY69XnsWGBW\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUONnNDZEkHW3TkRUj3Y6kaIMgdM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLR2QoK+pRCm3GbBR/rMlOPfK+BkxhPZLaoXCNMHiNZ9\n+hqs5wdWg+8MEdAaYgtid/dHIgH9i4phQQajWTctAhWjgYgwgYUwHQYDVR0OBBYE\nFEaDhPc3D7+dhsn0x6rZOAw0FwDaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUi8on\nPyo8yHEC7FVmsX8TzS8JWBcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGQZ\nYvpSuAQ/nBuEsPVVdvkQct9NnFzioqjeOAIAjMjeAiAG4XSA5N43exi8BmHREjQz\n7EdnlYHPZyBaLxgt4p9uAg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUcOeze+qUoWyrlKE6l2AumZUd8hAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJA4qkJlhnRyE2gmo/rBTvpJMIKO+noysm/wVWkKz13E\ndk/yjn6ldyV6kd1xr4ZNFRn8Hxfmgd2sttBzTWLOTo6jgYgwgYUwHQYDVR0OBBYE\nFMknbWuoqPX8JI/ZeB0AlaREimLQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpa4X\nlvwxwe2zF25rKMrO82Ro+icwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIASS\nWFda3vMirEQ/RSZYGJSp0VFDHNLG13AxbiIO68E9AiEA+amVPP895xohj+CorS9D\nKrrfDZnJyyNR+8A7DTwzdBI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1606,10 +1629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUFr8VQ4ICEcIoXrXw0QGdYyObcJQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREhjt4f3su3j3FBUv1Oi8/PPqkG49tKDC99W42\nqXb8/MdJXpHDK+ijWFPuHWrygBX+T9vZhepIxNy1XWAjPVjbo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFMUw4GYxRqay0LV5GyM1FiE8EUPQoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBTFMOBmMUamstC1eRsjNRYhPBFD0DAKBggqhkjOPQQD\nAgNHADBEAiADuk/NM+rw1unUTEZsWQF7Q+kIX0Z1v+EJ0hFqBwGbrwIgMQ5FQYRw\nVEC7eeJW+EBiAlfCeUYph6Y9kszvuDF6YOk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUJFyd/J9ROKnEUr4W7Ju1ugk8dFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARl/AoN6Zd6CQR5v75WiSHVAjAMFP69ikt6jd2h\n0Y+m2KevQHLt3e+lc60st4vPVpa6muDyVwfizORxoYGj//pPo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFCOT1O2GunDFDi0OxxNxe4VNx/wUoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQjk9TthrpwxQ4tDscTcXuFTcf8FDAKBggqhkjOPQQD\nAgNJADBGAiEAlp31IrCjLLUPt9kjw5TL0JIBnYsLxJsqDwMLEag3KhECIQDXz6tG\nSW7nfzyxGOD5FSXOiWk1UKYICKAjOssoVHyIHA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUd6YWRDYE151Y2Uj2Zqcoj0ZYpLYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCIAftOWqs2qh6HdYUqahmBFQecP81sMsxUrzvrTzgDD\nnhvXUFG/KO8S8ACBu+GbgnpQaZsf+D8kOOy9CZIL1S+jgYgwgYUwHQYDVR0OBBYE\nFMKisULInI7VZf4zkSjW5Ukq/mahMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxTDg\nZjFGprLQtXkbIzUWITwRQ9AwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCk\nExT0L1/8pVIXBh7BvWTUDmyJAn6QSg+kIxDT7dFVnwIhALdBqAaRY2ArkZFDOApf\nklxsr2urS0j7Uo9nBAdxFR8Z\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUDpI3WLlJ4RbqdB1LGr4HlWFuFJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAE6dnlgFDfCnbhQdutzG88MfTHjLCs0ABNvAEyI0CHN\n775gtWDRBUioIQOlaMlU1YrBtF1GX+D3LEw4efAJ2g6jgYgwgYUwHQYDVR0OBBYE\nFDli9P4QIeiPybAfKyV9X6akxtnAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUI5PU\n7Ya6cMUOLQ7HE3F7hU3H/BQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC+\njHVPiSActTGY21nTNKxIXnkXqCKK11CUJ52MQPqTAgIgUUEFyIby3uCbyaUoFJ7o\nkVuDF+W/OOPWabLIzrzLH98=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1627,10 +1650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUBL43lhCDzY6UQV+2Xxg6cvRMrdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARx2AyrQYX427Kh5ryKyNcpa9/V5bqePfwh+p6E\nzzTGYHFeFTOvSOAjY976SsYy+Azmz6kNXU8zojgEPb4vvbdOo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBT68BjhYEGh98gsUTfrHJFfl+AWJoICBNIwHQYDVR0OBBYEFPrw\nGOFgQaH3yCxRN+sckV+X4BYmMAoGCCqGSM49BAMCA0gAMEUCIQDek3J0YYs4tcQy\nELzucihan/dklj3rMFhJflWJ7OCJPgIgQY3D0TjmDxnoQQCmF3xlxCoNC61r0zTt\nPLCbNSHfNco=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUdp8EjpvZ0TlKd+82iMh7TcUdFbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6dn3MXd7i1DFqMOudKMtEI4iWcgZC+uaNcs6K\nhs+R6vMnNj2T3byqslFpAaG9RdDy2RoK4W0g3XF1xds1PTXgo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQPW8vQbqwn8hKQkM12PKQs5CIS94ICBNIwHQYDVR0OBBYEFA9b\ny9BurCfyEpCQzXY8pCzkIhL3MAoGCCqGSM49BAMCA0kAMEYCIQCm2JYzGsxqzEkW\nJeaZUeHzKoQ/1sLztw3wyzoQCl6IgQIhAPLxiRBbrNaGJSFvODIyFURuJtNvW34t\ns1uBh/Wgheh+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUN63Cdq89vfzKFDXC4ffjezG3FpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBtK/0+TLO+YA5KXuZoypo2ykJ5VupR0YRxvmYUvmkUA\n0v6eVqMGMofktIxV41wGOqSa4kOW9VbnalL+9oGMwLWjgYgwgYUwHQYDVR0OBBYE\nFJJRTBs6vuC5qDCs4ucfc1SDR39wMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU+vAY\n4WBBoffILFE36xyRX5fgFiYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIQCb\nGeGpxmQBpxk3Gg/NsiNRR2Xr6rd7YbKzUmV0Y28n7gIfS24+OPwyZdCO+dsuoYsO\noj3jajoNFXzAjkUTCAZTpQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUIoSRqrStGsBZdavx+eSj0dZu2d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCdzLMc5D3KpVW3rbRipPtudy288AkswVDdfOjHXxTGs\ntgXF/NwnWIxhEwgpQLchv521ssO+z4Sg0Gd3oKdMMhyjgYgwgYUwHQYDVR0OBBYE\nFJgr5Gc+refUu7nDVY7ogWp99W+hMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUD1vL\n0G6sJ/ISkJDNdjykLOQiEvcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDE\ny/MFmmyfYagWOZCwl8Z68lUCNbNuIGV48h6KJej0zwIhAN1OmY6qXVEIsfoJzrR2\nICqb/7EOdaHXp2sny4jOKZNi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1648,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUfZULXuCarYr12zKxS7jEzEd8c6QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPnNJnnD+kzGMAurZjr+yHOnbGqZ2ybXlBT/pi\nHVtFJZrt3FsguTFfxnaGOSjcRQNWoJ5qu/6gM0JgTUF2Y4sCo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFDikz24b7XZZ96lhzMC5x+6iD01YoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUOKTPbhvtdln3qWHMwLnH7qIPTVgwCgYIKoZI\nzj0EAwIDSAAwRQIhAL0OyxExwDaUiJl1/E5Yw3yV5T3m6nbohaGW2PsnhkorAiBR\ncmzgvNGVXJmG8hI9IG1K8fl4+L+gTX2NtsptPDQ64w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIULnARm6EKV3DFbLuWQzNobHuYUl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQYQqvxBIdiCRDI5dzf4KJLoB86x2GrBrDV2L9\nnRARQka4F1YjueFiHcCPdq9O04O+AYqgMdLKEzZjRC7YoKVko4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFFMzEY5vNxhMksaDGOSNhNRYJ8zsoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUUzMRjm83GEySxoMY5I2E1FgnzOwwCgYIKoZI\nzj0EAwIDRwAwRAIfDg6nYHV/FS4gfNi8UfrtQtoy8uxlr1C2AAAQOSsKRgIhAOh8\nPG/UR64VrIxazMyZxl3G3Wb4bzbcIl9vPzWwYGQe\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUaIrnKm82VS2ftTP5wMQh/SugAMswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn9jIbPHU5KXAKFatIjRBTVYWwwAnzA4FHIOQ9KhKsD\non4U9nzFQrYBVOElSJ5nbSx3OXetzK3bhdo+cMgzg4WjgYgwgYUwHQYDVR0OBBYE\nFIf4lEUrq4T8NKMVxgr2U0rzX41qMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUOKTP\nbhvtdln3qWHMwLnH7qIPTVgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDf\nCrV7Fca1t+tBYClF71GH/0VBnYxhjz0thZsdUG0ypgIhAM1A7H+v7jtSpzHpW+kh\nla1JkakcrH7RIMVxWHGrBR45\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUNZeJlDFpU7giWKpzeqBemdhfcSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFAxs9L7nqEqNjXW84Hq1Ol0QZZ+jMH1mtr63lrKKrBG\nh/OEMSHs0DhJEFky+eY+iH8+8a29/wVOThQc7OHj8QCjgYgwgYUwHQYDVR0OBBYE\nFJGCLiPcyvabIMyLQSjChHeHuFFSMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUzMR\njm83GEySxoMY5I2E1FgnzOwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD5\nxYr9XSB0skE30VO59L5zO8EyPT8USIqMoNG9JFha6wIhAMA70kez6fABU9x82rox\n2mXBLoZLFTcfls4Ahkkto98y\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1669,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUezEG4Lb1Tpmk+o5MkAX7xYl+J8YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBlATyNgcWfnRL3Msa7tHcyY2Q5LgU5dQt3gar\nf54FJ6mDdjmfw8PJRlF4bG22w0BK2zk0q+FHX401EtKJ89Quo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0wTyhL9ku4fc//gNBMCpJSjOoK0wCgYIKoZIzj0EAwIDSQAwRgIh\nANUqSVRjLS58mBmADku5eokXpUil/bRsGWDfwL9Sdn8QAiEAjbUsidT8o7V5Uc6V\nfqSKJLKcO+eYZHlRM8bRNmkfg04=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPxP5QS87QQQtz9PxqgVetsXHKMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkpDqv5u6odadv+psqXymruF+1KufVJME3LYot\ngZ/tSHCK7QsJSMDZ4zlLIELkRkY2YWGVhYLjSVOMZxCgjtiio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvs7ULa0Wm5BabIbWiiDF4K+w7zswCgYIKoZIzj0EAwIDRwAwRAIg\nSClujr7FeOCgjmoJf6vY7pF6jFMj37dvOnEAIXmYbo0CICBeKBs7pWG5wAe3b37l\nAMShRZAeq5FqcwK+Td/VEw6D\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUVbjBOIvMJNszj1Hnz/7zFI1BwFIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABKWT4TvetWR//nf5ReHKW7Om2z1+H668ysAZthGB\nrY/kZdEZ8/J/5C1nbvUqyHFI5c32NLP/CiE0lJkOtBicMZSjgYswgYgwHQYDVR0O\nBBYEFMnJB6pyadZf46ALfuJqbzl7/H+nMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\n0wTyhL9ku4fc//gNBMCpJSjOoK0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDZr56LpeOI+HqeWSw3sYYLtDAguw1+3eCOuLw0DCV4mQIgSlryyN+89sK3\nXA0EXLFVAN31oaYHjEIIgBsYaB/qqCk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUScgiOfN12bHE4GBLj0MBVYDHkMkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDti8N2jESnEykdOO7troUVaaigvy1kEVD5MF11M\nU4C2/C5R6HXUdwyFJh2f0wD9AwjLOjXamQqHzwMdRzLulYWjgYswgYgwHQYDVR0O\nBBYEFLarzku3G4vcx79YsTNu3AUvAJJ/MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nvs7ULa0Wm5BabIbWiiDF4K+w7zswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCSSP2P3pUTJpNXX4yMs7QGbGJOTmhKIspXXtMLIWub3gIhAMMv57PdG5sH\neNgS6YPSfIeXD4hDH8A2JUH2UixxjfhG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1690,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaDoDPm2nysOM/3qGInLWB1SGoZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEyPOv0sWQliXkr2peqR2bbgIwVz72T2+6MYaA\njbeaBsSWrCuL5SFbfi0DSfYsokId3FYcdk9X+QJNjzEWSVolo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiw2jdT5KzGSpecev+rGJO23wb40wCgYIKoZIzj0EAwIDRwAwRAIg\nCMGHbQlkGZrTED/dZCgiHFQp21PHUqOqn58MPH8wbYMCIAQ8WOHV/ELAlwJgmBON\nokKIMA6H0iOhol0s+gZppIgH\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUX3w7bvQLw5V8w3/D3eF6mAxRMfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpv/MqdLW2SOw8PFEL0APzK1jxYN5vmveeQ+kn\nKoFm/ajfv1O9RA2Y+/aRZM5qt0F4lDG0iFk4eKWejp9WBdUYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjOKNwE4iI1IooTTr3ijXswaTbSIwCgYIKoZIzj0EAwIDRwAwRAIg\nBFuvp5NUIcFfUsxsLqS3OTjS7xsmpcg/f0aB16Vd5QcCIFgtCoX04cZcGEUwIfYH\no9i2UeMHoor9cy8hE3aXlYQR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUT6WSbZcGFkIFkgrkgCXEAka5N4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABIeMz4F3BjfULnuIYzoYBzpNeGYbH50BFomusQ77YMs9\nqnYWtjgtqdA/FaDjsr516aOBiDCBhTAdBgNVHQ4EFgQUXPeS9zAHLNmGoHS5HWgH\nBctXNfgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSLDaN1PkrMZKl5x6/6sYk7bfBv\njTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgI97LZDLH4bPOTm82pnsVcXbU\nICOtCMvzo4EmifSo9SACIQDfk3vWMcaoJjvdHhEgDuH95bOQutBDx8YzhBk3ayyA\nGg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUVpuOWCcJcfar89/eIMaCMsWww3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABF9ncjRBp21K2QCG2zyziRx2abqjR1KGi7NufwJX7ROe\nzZSqTJC+SMCVNHwXZGJxVKOBiDCBhTAdBgNVHQ4EFgQUvP4OU7maz2Sbhh31pnlq\nB+t0D94wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSM4o3ATiIjUiihNOveKNezBpNt\nIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKawecOQjla2Y7L3P+ugHSJHE\nLHIGYTEl4SJAK+V2BVkCIQDjS6aTq3HkTCuV1UgB9W+C0dejKvLOx3Mjq1CYuRKG\nOA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1711,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZ+3nBb/Bc6cf8Qu8nK3Osu9+twswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgBK/4TSZbpMQ7Mh459ko4XIGb3x7mukBu5OqN\nT9Ncynun4UBNnwHkIDRPgl9sI/nnnpU4uQ3b0xLITRdZ5TIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX8NZb/m37S6N5SJEZqh+8ycYIFowCgYIKoZIzj0EAwIDSAAwRQIh\nAMbl5gNUfnHs8LC66e86fza2p2l64W4m//xN2Hg3c7y2AiAmbIDM/ckYvI4d/6Xw\ncapmNRSuQ4iwp7wrDzvL4jmXEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQNkzhTa2NxFQQkv+0xJrouLQYzowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASywlrQUYi9gpxwm46lv4x94Y87+oOBNguPT+OO\nj2CsSQBXgr/Z2rWYEKt14Fk978ArwnlA98pjYeBlFsdhNPRCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT93RZyyTeBU/+C70MWcfpasV6TowCgYIKoZIzj0EAwIDSAAwRQIh\nAJWXMw5M7egY/EF1VVieFQCBvRk/n7JzssydlHrmULr0AiAA2nV2gv8vBiR2L7Ll\n9tDbuX7iewEVgYTMG10iQAsnWA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUGqXtmQuLQ/um1hYEJVIwmgcb020wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEApxA17aNBf8OK5GmrpnuJti/Kgqp8xe/GdMxgxL1zo3ht\nTNNxB2EjjpGcA1bpOuKOUTP9uZYaE3vft00LjLF+IlBFgwpRt6OAV7lBlUBAZY++\n8k5mqXpKaWhwS3wOfKkKdxfRAl+yp/EGe4+U1V2tfGY4WJh34QneYix1mtjNhyAa\n/nmEKMeaie8jy0fD7b+c5y331WwnywJyyapkaKlUoJGsnhg5Yg3zXE0BsVQW13qF\n5OfADauYzRUMXGVWt4gE+4izVTMzWdj8tf8b4ewtRKw1/cZxdQIPe1rtaRLmcCT4\nKbXH8q8HfEfj5RlX4hhFVngtCS1Qv/wiUO66LJ/B03mtBtJlkhe28qneEtTRt0EM\nW1pQ1HthSVT6HUAvZVMxwVln5eRGAzJ6RWut8X+23J+uLf3krQyLx/cHE2Khrsvv\nVFbXfYHCEF5sDNivF7avwfvn3o3MnjvnPLiZFJUltLEPv1Zpik483krAFbCl5TSR\npXHegBzh20DzYg4lWKLdAiEAvlBugqyS8hq/jtKznp6nwmDTudyWI4qM060/SLQM\nFZ8CggGAEOeFbTMn6wB/jmximFwmEbzTfip8mbVk537ptOmNxv+bFvKtRYNJ8cSI\nDdVJXC/OPG5m+B5yAjc6Ev5JZ3iflG+u1p7zb3YtBOQdlzJI8gClMLLefgcJ86xd\nHyeveX292oanvSrDygV0MkO/Pj7qwjVBUIAMck7pszE7MBn5vjIjS/9iA8+drCJk\n6fMp2Sqwrs7WsjQhD6RLWqun86taJn+ZZ6z4/Zt20V17DRWW33RoPIavS2SODMSK\n+wKFrBOs6D+lcay52+Irxh0J9qe7+SPz0ZI43ZJ32A8WyGUU8IVeEAkbV8hs6RrA\nJoOCszndLdGX2DQ9KqNHAOGxryYv5girVzWskcOur27uEBsg4sROHfn/zNru7LlT\nCu8DzOdxsdNOAmxlnrnW8O2PWVnvMvfpVR2TcwNjHXr2gpfdqmxibXihBTOEFH9I\ncXR8Brb4ktMoHzqzaMLKIBjGc0kyUtZ6q3oH2X1hoAeoHgLlCCHWnWaaa6scyxoN\nrsN6j/7BA4IBhgACggGBAKZyE/C+oF83XDhIl95vkmtdL9DsY/A/A0guFhGJBzNs\nvigQA59IgHqaGFE2dkIjdEA3ydLaeVHmE18scd10/j0nWV5VFndQ2cHLg/a0Xd5V\npNta6DylR8iOc+LWLO+UvuBmC2vYz4SnNsD7GiOmlCjxYXT3x3OvmU3mOfieLdXA\n0GwC0WfSsK/KoPnlJmrtKDapooNW49+/7zZo5BWu2CoItSy+TInjdaFq9ZeQUwJk\nKNLOIV1TtC/AL21cfmgcdA/7wBH6X7xIL43mIAP/jcMpMLAc5RGz1JwG5u7fbihE\nwr11cowwpUfWblbT8l3oBod/a8Ia3W0EKJDdyufP1D652C3HIvBU1aPq3DkQ4W5I\nz9RIIFIG9YO8F5hHkT/kG321KNeT8AVTL8NEcUY7yPE0v8bZ/Lxedj04Y9symcxr\nOIry9jzBNYbD1vdBR2epai6uukZOjSjpUGeSqez1l/TnB5N0uiOdwFByzowNMs4Z\nMuYXB7h1/+IW4sirrWTu3aOBiDCBhTAdBgNVHQ4EFgQUZOTc0IEksgzTUngaCZKK\nqopzpRIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRfw1lv+bftLo3lIkRmqH7zJxgg\nWj
ALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgFymyrl2cvg+NbU5vw91mzzIJ\nf8u3XEwBWG1+5ZVM2fECIQD6lb3ZPGDJ62dFuy6rIkIkdeSeJObtbkfGbIXoEv2V\nCQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLzCCBdSgAwIBAgIUDZr7Hw078O19ngKo6JTOhAjg2KEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA7hjQIztlQ0nvP5Fi1Ka9SEOBtvWWj042UejWmCFj7fx+\nZAIrogCy8BX7L1ehob+di667RaA7Bs4CBMNd4V1GcSIs7dGqtvNE41D4scmJ8a/q\naIwKvBIIdeVx1eXPrmKLlbmHXFJc4viaQYnnRStxZtmLOJcul7jxfHp47M5PhP5h\nDbs6S/6ULTlvZWADWpWk/VuKwI4MC35MmBbyHOu47crHiJIk1qJvEGWPa+HjTo9+\nGIvg1lrs1IlVI2UXuAz6c8QPmctRilQq+FbFCb6BvIrIfv0NZ/tTlYH/00d1i6Qb\nsR7jB9WQNZvg+HXF1gwUysRX3E/MfSz1Edn7mCwhm3a8X/nkxXGI1VdGJbLtzuaf\ns2k25u1GcBMCW14KeANLGtclqp4DI9WllVbJp19YsiZxw5MQRJ/wlLmCcnJfrqLc\ng3av2ydyZJFV6JEq4ZevaeZjuj8Riy/iNM6EhAQJV2WEzsxoFdUq0GWRQBfr40Pa\nxRM6JoCe7HCPOhrbxXMNAiEAyFco38o+fnEHBE2/EONaZLcE0e6Yg8GQ0AU6DvA5\nSL0CggGBAL9sAcSB5p2HD52z0bTkUy1eJh9AeVMnr/huyu1drvXsUt7/21/lpM5j\ncKHZlOSdp+eT/ygUInv+c1xMU0KC8lVlx50mMcDhj1v2BXLTfm/BdT0BuU3yoV9B\nVQXfNk/wtQpr7yFnF4WW/MO7c77sjtGLx+WN634L+L2hTCVs2ayngVg3+nR8a097\nhOftd5vN6w4/Dsg5CAOmWegyD2nh7JPKFOYdZR1u2/HeJQ1wDaqPO2VtWPZg/bYT\n+iF4251uiS/lYjm+4ae5MlaVM0aYZqGtnD81gz2gK0d6ZE479mGPt2W3Ak54y6zT\neI/IeMZ2T5gajcyNAm3IUChaQTVsZf8XQBKHSGRF8Ns6ANvzkJxTncrMdq1pgnoT\nMMU/+ABAJGsJH0jpEX7mLX186Ks1pxqU1Su3r02cI+cNLZ17AN1ZhpJakp5p19o3\nqZsQgjvtem7x7K6Opez2FsHx+BNe1aFytx1y/efNOxyo8gmiH7+9Nsy8FIaW3zcK\nzPiE17vdzQOCAYYAAoIBgQDXTufZ9CidpNjG6AjjybSlWMUSmZXh9PjwDSFnIj8w\n2UDvdlDo6/Ukbgc/Sv3D0sJCpiEPckRmxuYaFdZ6Ai/7QDb6umiS41v5E37N4OUG\nX5kEw3nEjrns48reiIXQWcwNUI9DBBb+sW/76VdBnKi2Cv8NlnNbmcpUcWfUqsWt\nCxE/fV1mkf+Iujx8ndJht+/NUiA4cLYbiiHnpCkmuQzh0mrBeL/DbmraKiw42kr6\nJQmifL0BKx2LgHGENykFXPQDS1L9XVbA+YQArFi6H45oMZwAfk3my8DvbU9136g7\nu0RRu8RXQuX2BbM7LSPzbx4mvETfEv5HWhKFlmDHjcbokTD+a3QlhOM2fltvcFn9\n
f2TiBSn4MvEhuBE5z7GhrfdefSN83ZqM7TyvbhQCFNpLUVXu5sTEOcDWMdRCWkNq\nrgrwVrRd8kNVvSZeznmHO+Q1KksujkwiZOX0dcjsXtSGCiAllOh5QaPBk29S+8/U\nXlIaR+DSNoGZrKRxLqn1VtqjgYgwgYUwHQYDVR0OBBYEFM94QgMdjv7eWBWEPKWB\nUrxe1ZagMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUT93RZyyTeBU/+C70MWcfpasV\n6TowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDyOdD7r9PBiDEckK38mte+\nSzS7mtb+EDMislsUaSVT2gIhALJfM/YMdMDQIc71ZfCkNjP9IPegrnaYnWdgZ8er\n3xRZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1732,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGATCCBaegAwIBAgIULHTp5dMXqWNi3WfNcfyCAccjmx0wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDYVuUqP8sFBjTf9/Tc92O6VKj10owdPor3368J\n9dRNfeigZHK6ihJfTkawhM2i+UcrrHFNKjAydLK0Uxp2jUu+CRnmNRiArW3bt1kd\nr7wHmuylSlBGay9V3bxyC8r9WbhphFe2vFniuGWE9z6diDR8lTt0IO1tRv/q3P/Y\nWM/eU6Gj1lWHVBQ0BXxX5mbOVyXS2MpP1jrEx7toKjwkcrILNHW0A9tOXmHNnpDw\nmSXuGL5NZPTcc4fXmtmgUTmF4rzWW2bR7Hi18yCRK7E0lSlYR5O9K1WZPHDbX7pl\nUmPRDO7LHNXJuI69dAcTMQhjWB8yOnZfxVb/+v+HCegH1/wdUHP8YEVW9WKZPbAs\nC7QV9rqXPCUIX87p2uHjfz5VOh+XKz/kkZlEGevADB4PW0vsOmQmvUJ3MLSn1A9L\nBpsWBMkbNjLrJ1hr3anlTvPg+PavEi+pkVHvtGmOjdx94INCMTXVVJEakNpGvUYW\nAR/oPT4RtBUeMM6MIgl98lm8KNcCIQCrsYzsPRg50O+8cGTv/A/QHWj/Qzwwq3tT\nh7kZPA1qRwKCAYEAhpdK98B3kZNXgDpq81GBf7iNeXmVObE+TnDujtBpP6gMPcU+\nxVmW/Vr18mR0yOjcsOSe94auzg/VB4/d+wFmXOffqNKUt+61C+cMBp4RZCrWT9L5\nskLq6kj9OPGIaSvRC9hZUemm3p3TBzEUFV6BxIquPxXKhskXnBOQ8LaeHK1/czx4\nXJgYlqmdDjKxPZEroQI5nuYM7qF1rejH61xvUkfvbFt+XQacu7qqdLHORnBAnxgu\nNU0U0p60HE1x2RZN6QzfyihPyfQ/OE8i+bawir4llyZPGHo2Rf68aifzfmJLmRlc\n8a+AjMHbA7/Jk7BZ7JMi1xbot8v27PqlvgDCFLe/LXaBZnlbjLrBHwMJ9KH53jkD\nUR07iWR50r0bZmyBqNGQIYwOm+NXY26xahjDv4QtcxfvBXnfI9wmqrKLztJEmSPB\nFvAJNyL5RxPSZvMAbB07b9W/bxidrlYdJMbTRr2rClKd3GxRCQ41lDSRxUspKWlo\n/5K95S7BP9n4H/OPA4IBhgACggGBAKoB2ogV9rGqxS0XHBSoFQtw2rJwZLXMIYUJ\nXItBokeJU7IdP/1zTQ2XNPmwH49UTrM5c9Rx/KNusPqXwMSy6NjIQpmGgAr9z5MN\n5Hod4RZS1/5lElCTPYeMLGO+Ku4QI3/bto0zGBhTW6IVIjtjXAeZ+YkcPZ7sPkl0\nxigm+scfJ5N14UEuv+eLlKIoZBIpduIZLJBuggKlBau+f2E8aGsLSdym2uAMt4Hn\n2wGl+FsegPI7zqN5SsNucwN9wn4hFJrP8atedDQgXSh24Y8pbeurgDwpKHjlCTJN\nUMIcXZc7/6J8/N2zXnQQLv6L2+17a1D
EecEyD0kO3lgUiQ1MN7V7vbzAJbTox/Ys\n8Gb7zfmaplDiX5JHq5UZGYUibcjaP1grDU72YBHUjgfnVgrTyeqhiGAV3grE7P18\ngGmEy0bncdq5f04OKLc6VJ6Zt8foFgBJxmY9Rkksuv9vZ+HSkL3tTFFQS2caNolI\nVvpqLoGMwUhr7PLvkiSNJFZQ2DNJ1aNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFGdISpVq\n9ZwP0pr8YGa1SirhzbcUMAsGCWCGSAFlAwQDAgNHADBEAiBKvxeOdv+SZSh96vHT\nIrvcOoSvQ9A+fE9iYZQBmqA9JgIgZ9UlDkDLzD3IGeXGYrcDC8vV4ACboqRVqK55\nE9apOMY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGATCCBaagAwIBAgIUce/5xMvl/BEyPNYE1Xkvcbu51dswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDdMxNHsu8NFsi6vffn5dO6/cpky47Vjyafu2cm\nhU0ryVNtfOUn1bne+4CqLakUC4dnlqKgH6GvvEL8LPi/5QnGXa5jhDMYi5YrhGlQ\nzLz/1I61mW2arz37CjEJ5LuXsehfdVWtVh+EKTRS9gpS7olTMQawFBTpp+QN/D1v\nN/L0D4hXPD/IxGwhFPtHBz+hkhZn1fww32UJEDz5loHtY85khTI5RsBs4+1Nljem\nkE/Wx8e2GvnyZMLNstzevX6kEzW9Sa6guR4UynB3gLZFMzw5x0//R5RyBNXFxf5s\narmB7Flz+3aX5gX2wK5LX3aO8P1x+HPFRKuhCc2xkgqrIiMLShoR3fyMDe857kGL\nYnvNbR9lrcyD1Obt/r8FjfqlQu/gi4g4He9ccr4zsJkQLhW0VqN+1oVXStk73QbZ\nJu2lwMbEcNPYpQu1+e02XPZRW9MfF73wMMaE5yC44KFGNVKikv6Lp4a6ATYdPCVs\nNGiupcoJ675TINF1PRidiND49JMCIQC8cxfXB5Dugs3QfxbVz9Fed7B5padYACCu\n95TJT5uG7QKCAYEAtSvO5pBtXMKp6/acgAca/4YbzYqNCfzTXJ5ObHDx/y9oWPL5\n3hGvIO1AV2lkiOIYDwxYL6C5SW9xEsd9/SCl2CT6zbms5bMU+4DIzpwL65IIWvod\nbipgexQwGpS1Sr4u8QZv5wMtdGLABGl7n9pG69XWcy8NHjjpBIRTcquIoVIyvoaC\nq+x7q8CGmdjAQ/CsI43gUXjuzv16DtTtVLmpz7rx+b3BMtd0ysU3acOUqD0tM4xo\nYua2mgH70CkxUCAQsUeF9Witmyp6Su9UdlFth5JzArEHk4KeWCLCr+jBEXnQL84Q\ndhNwDVEjfaC0Zw4buaAQmtXNGnJM9ko1sWRrkopN69JxqpKsKqbySEsFNJ8WqW0d\n8piMjM90/TY4cGDg7BfkjX3jj1opGoIUHLwlo46/qkJR2aUl2rKcg9lrhsKDmj1u\nKuxkFE5r9OvTElnKv0jgWcZr8EAq+SKYoH+G37xSdu7CP1QWpmdp3ZOdzp61cJWm\nM2mF6rrYESPSF21UA4IBhQACggGAabvd271eWHJZqFQbFRqY4ntwGx51sR+sr03b\nluW8U1DXKgGSKmY85srWxH1M83G7XdTenpwPaYjsQukSV2dDqC915gsph1gF1hRc\nhgNZ6/BbkJcUCMK/JP9ZsxrSJKL/xmyMvWV7aJkD+UJAOA
Phattz+fNksBiTu0xz\nxVRN6ZACTdm9Uc70PYs4DwHttwNVl9ETD0jNSoTDjo88heA/oAEZKKsuqcJ4sJz3\npgXLg8K69btBZlKtLOxjEpEyu/ptyRrV9/YrzgPlVrbKjS+cgDjNDum8k+JbkylF\nuu0UgViqE8/W4wdPfifuxNHhaE4kFRMcHTP0azrFb43pOhjhjb5Rk5XBggNHaEEx\nliMKv7pKiOjjiEw/9vSzl0tFEOh2TbkZnqA5pEFFbfozA0miQqPYLhNnH6ygyf0r\nMOIu0/sbz3iOj9eUl6E4yx9PDF0eFJAUabr0EFXVbdokFUxEokwNN+3mZWpz9LDr\nKxCCakODC2f9PDmf69iu+OM2elV0o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUAnNXe5NI\nu2/XvouhLDLcM9Z5IWgwCwYJYIZIAWUDBAMCA0gAMEUCIQCzotTgzxE0PSjsuQDG\nrA47d/iQhvt+/NdLyA6lPOrOVwIgAQEb1s7kTLvOwTs7q0JBoM5cjX/YKprki/nP\nMyfwmas=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUDrk2a13NBIGYhUcwS2A6gtqH9YowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAR5UcAMp1UPbKO97fMG57CWJMt6VR02d04kcPw0z8he\nvjRgTYHpRKob1lY4WYxTbe7fTDiIzNlBB0t4jfHqK/IEo4GIMIGFMB0GA1UdDgQW\nBBS3uASjf/qEGSK4jG7S6COvutpNHDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFGdI\nSpVq9ZwP0pr8YGa1SirhzbcUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIg\narpV0Z+le6yVDNCMDW7a/zBDAi7Z+3bibZ9AjNpTC+MCIFsPBJKeWCK4N49XgEQn\nTX3erGCwI1JuotmjY5cD2xxU\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUd0F5QvLpbW5QOlkf4+DgEpwTD+AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATFlAwF6WHsCaZmKoZ0LZVM9DnaKOWP9vUrkcY+xekZ\nqTLNfSsHyfIqJfAPBchtCHMQ+WkQvugx2+cAe7/Nazn4o4GIMIGFMB0GA1UdDgQW\nBBSG8DQ9iozDdJ2/KGJsq0kKrKA8sDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFAJz\nV3uTSLtv176LoSwy3DPWeSFoMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDSAAwRQIg\nGkqU+S3gHgyvMimecZNAwmwC9yI2QZ6E7wmH+m0/FDcCIQCv307+zvRhtwVUxXMf\n58RcfioXu14ZaZ2INgE9HY/XiA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1778,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdLbDdvRMGajkgzdgi2j+jrTVW5kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy5RGItk0QXlf2IvCwQU6dO62JBb6gCLwvm5IP\nqI3yWwYnGEqe+eWbrFwKWxX/fyvx/SGIV3RzFvHF8akL6WOyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPh6acR36yJDdkp+zNnVq0aqumwwwCgYIKoZIzj0EAwIDSAAwRQIg\nVD8hyKFdpSPnzLHNpH6A9CMfbBwUxIqIYIJDJLf1JuYCIQCTncQObz8TlW/ZL4lg\nIu5sguCx9MEVmOFKAuRUfzYBMg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMf81ODq41mF1K5h8m7fcfbZ8JKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWwXTZ84BDLkphZJNMZU70iO6hI2nfnkJj1I94\npWxLU/8QJz3cWwdqYHaR5wkYZoUam8FTHF9KWaxYJmnnFKJio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcJzbniVcxOEVLuuIt/43x8T4JyQwCgYIKoZIzj0EAwIDSQAwRgIh\nAM84ZLqzfnE6aM7il32E6vhewUUkCpuEzmXrUuEL1Z13AiEAmkIzvPgm6ytHyMcx\nmnZor2e9U+XhOFPh/n2/XiopKHw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUJB2KCdY0s1cEC4XF8v4GSMVOHu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAqj/GjYjx6rrXPPZDM+PZlYJaFb/aQzC6AapYnSD+h5kj\nE6/hmcHGMGQznyY3k2Lrg01jWxC4UGOvdJjdJBPigzUqEPiJPobt/m+Va7k9l5+h\nB+EqkTi0ehX6A+2WOPemJn+BNUctXc3mr/7XDS4ExgKoA47Rj/dPXrHnNSiRu5bF\ndqLVkmVA8XmOoTPy6oEE5VyCZda00vH9mMWCL+RpilE2pCiVvzuIXPh0/SHZjxKd\n3SLaU+NZ0HvgWbqstMZn65drkvmx2VZSoXowuY+mREx0LhjWEseI/njuRzo8jQv6\nn6qLwOulroJsTx1IHTkPyC6NAZzzwkfLZzDc+6J7xogZlHkT9A3wZ6JFsSsGywji\n8HkEJYNL9YsiIxeBzuU2HlObY5VIwkxh5AzfyFlGG/azVkJoU4iFx1l1GS/sPSM4\nmTtZzYNRq0HtiOq7jl82cOkmlU6AAJbN0Sg1Vt/kP5hKveJIgdADV771AYsMbdD/\n8oUUeCC/kyV70e2zF+w1AiEArU+19dtbyxyoOo8cBBbgIs6g8q8B/RsWlIBNno/b\nNIMCggGAKQmns1X2pVpb7jdYVn9rIaNSpXN1zcvwL2aLSyRjdiyYJtUBQ9kCmtS9\nW4E0qy7WNrVeoDmF1DQUgY04zYindvgWc3p9TwhpU1DAXfFjy0NL/MekbaC5NU9v\nyrfrOSqBUim/Z83VfMr3L5hySKXqQctr0jmvr5Ih9hWbmNEQ+3Xzl0atyS8Bf1aa\niz7kEeNgOdULnYY3T4q2EOR5I10640RGEzIYAI8kNes8xJ1mBtVPCai5piAacekT\npvdLgcHC3Lim84KLnAfsWzijUNxlf59YJzXEDa5VGu8lN+fKDR8OTyIzzK1iaucr\no6LTaR5d6MqGK7VKAZzT1bdvWM2eJuxs9ZbIlvzQRjX0xDM+ZDODau+J2eChvhAG\nVJ6cJYiKrJKFhQ7qwDRfgSmGCkY8Z8UHpPKmMKgzkhySxhRfPnb2dl7TOx8j2R9F\nJjbaRkApZu4+1BP6i2ogVLkXd5uWQqWFWzajW2fuf6d+BKFN5M3rDCv3kLlbY/Xc\nu2PqLCewA4IBhgACggGBAIC2YMVD+Ln1xinTK4a0GbMys5lp5tm2B80fMraPaJ0j\nQeE7tQeh9Weu9r+/7TN0FCOek5Oij9IM6eXtAFj4J2Q2MJHQwyUbmXD4p1mv5mPj\n/kQk9VseFXPOwFPE/V8AY8U+ZTlRtsWt6c0b+PcvEJ2JGBDzSvZyyVz5fRtH945j\ng6V2SizzxtyGo2oBWJjZZh/aiuJlgBpGE/LGYJ3foXSYGtfcX1rGPz+eX5iJjKx5\nEJDfwJl+YoX7jsvHnzsIyOEfOA/aPZ1c685xahqhDUAG6J3mH1vQH8PZasBkJYyX\n3DOZwkZx1l8qs3EyhZs9YpDyPa9/22q8drxlkBs8IUucy+Kad+iqR22aSflovaAQ\n5tZULt2uQSKcr8H8qXK2LDANTUMNsxk9cEFrAls3RiMszfre6ACGJkE0BkDFzCVj\n5z3vlztJzAI3SWKy1XD2RWS0whh4OyZej/IPLfeHQHEekN9WWrnYnWmfFsUYX/Fq\ntXUgD5eU5ozbtmpY6Iw69aOBiDCBhTAdBgNVHQ4EFgQUAiI4tez5HA+LM9ZagKYS\nQaXVDpEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ+HppxHfrIkN2Sn7M2dWrRqq6b\nDD
ALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN9RM2SpWTTMJh+dQ36cYh1R\n9q+wXC2Ibtdleu/GZqSwAiBs0hv/d4GPox0Zf3NARmgaB5xrLrqnCQvv0T8/FNca\nQA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLTCCBdKgAwIBAgIUE3+XVXtPKDdxdyurr5sYGNQoJPUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAgK+M7tM9qBxh2B5uPWxljGHmVwBnHK0F9IaQ0w23HW+Y\n/CyaWgoA3QXksLft//NoOVXe+8XGcsentZL3NfVMXaglnpTl2dPEjP9/WfYCTfsD\nBLsn6P6oYswM9yJkpraBle/sktoyAVoer879yGEj8QcFL6mLPzvgjx071bBkICC5\nfkBG2lzkina/zYnsUchkxmqOV+c7SPaaFx3jAql6U0X9GzRSUEvu3iI0PYWDibnY\n8LZr+f35kV5Ai/yI80FQVyGkDIJkTYGCt+X13xv1eoT4XOAGUepinC7Giivcp9bb\n3SooyqefxyihEiGX9/i5jo466chty+KFgHv7bUD0dR06DWsBvzplbczjeio0l+tl\nPLxanLTj598Ks+BzLARD++JfrByvGOHYzyM/aItX+Kb+bBaP1nmlCCMcwij1VgPf\nyMyLp7yRkACYdRQTFUX5QB4m6/O4nmME5IJMNxQY/sXu8YUK8AahfDKTLPRrqQHp\nAftQsfP/uH87meVPYXFXAiEA/2BPVgo50anGNYOD+YlPs+pZAaw3pbBCFEemJ5MA\nxJkCggGAAuPunKdfZHY7LwWkA2DtaalOe2IrBkbj0DbmE0DrTT5qY3jjbqSbyNHd\n24wL+w5dllauhpVftY14mrwSywdHqxvpOvaiYB4aPjW94jIREgET2QjPfqv1zNhx\nfBylLKpI9ylTlqkqAhAxGrXw9Qb2eSZhQRUuiRVJvPaJkMi8Tv+s20LUDbkL0qpW\nGstWVl/xz6J3OgwUrEJ1TxhdPRIodutWIL7ve4mfskWVC4jdNVcXUwnscRvYEUA8\nwEquT7jD9bN2qp8M+swF9bV0l6KxNbpzZVyqskHVycsjfMdUQj9uP1W1t1uwSFMG\nKSHfqFn6qRTXVqQRhaEKXfLfM0shukS4iv6nvFlNMF0WHBrK/hjqjB/Fy4sOTjaK\nJ6bkG1nsJaf/qeDEYtop/puAJWmE8I6TEPD6A3XNHIxBK0W9YkVjUWUmzH2KxRx7\n4F9TBwOCae7wDJ1ToGz5FAprI0PzA0Db7Q4N8upi0OmaOD0WvSg6XuAfpl1L+XQd\nqiieB8ZwA4IBhQACggGAdR5m8pKP8ywhezcAIgamy4GXs13/pJKRp8e0VBV33LHa\n29fwOGk7nGRfklGViiL4vGNcdshiwK4e4M/qpfkfoK0MKGgykcrSlf6cF8unUCR8\n2n4p3ygIT0Z8Y2HB0rLGZQJYj2kkS3P0y+nzMLRlJ/RHts9BgymWMMoGyTozywCH\n1oo5a+0zuHNzb3jID2QU7GjUA3KfV1cHtbbDS2IyqfaASGoSF/tFJ6SGaqMsdYe5\nGBpNHCwAG9ibWWkFUbVJZ+uJlKpnUpvirRhhoxm2eH20bTkM/5b8GSZCLs9NZUMA\nC3w0pAO0cUvdnwVd+iVZbDbmhyp9mNuCNz2Kw3rSy4Xob8ip1MFWgKmXwCHZ07hC\n
zQ26kzMCVLDuFX/Bec6SrXcSqnBENrgoIc76zzV6cZGAHjsIT8xiLUq3OFdaS/yH\nWYdyrx1MOBhR62eFKoAZzzoOVt07U8Mg13imjMLmZI8xdk65lFbv/60E3x8V6I7J\n9gClpO9g7bA/cl+LnYomo4GIMIGFMB0GA1UdDgQWBBQ2UT2SBs07wQ9z0yD/8ma6\nKjuSYzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHCc254lXMThFS7riLf+N8fE+Cck\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuMlu+n8Wo4IQm8dOkzae/FGp\nfVPKhifXSeHaX5OWwZoCIQDaLX66M6b5UiJQOTYkPD273xOtQGeVFUi7XHyhfwqo\nyQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1776,10 +1799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUA61Sp6H5GsrFNWCr3U4fhAkJIy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARerKl5Frl5bCvJd2JYWsyef3XKBf3kUEFc+amS\n+pR8UnnVryxQ2EdEbnhIfo6DvKNs9hdXAkKdIFxhNwGxcaVLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXK8+LaaD/LLlqULLHR61zwp5wzQwCgYIKoZIzj0EAwIDRwAwRAIg\nQuR+p3mivjbP9hqbFtLnl4d5bXh/BrLB554wszhjMFACIBgkqUGy/Z1FGkiGBOoA\ndDuDJNCpdYGCpO1a5xAeaEYX\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULcSnP9ht6g/awJsnVWxd+IaLrBMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4xuF7sJNckotQ63q1VfbqL1fK56ygtLxiGMWR\nh6NBC0wWMKydvrfRzYSdT9jsY8wiF4PSEsRv/ebNbK0Hzl5ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBEAdoRfZu2oIH7IFv4horrAcHbQwCgYIKoZIzj0EAwIDSQAwRgIh\nAKHZUehz46yTUPpKp+MyrlI+w4wtQR+WrtJLwkaZK5hSAiEA8V8VECoTxaCjOqbs\nMASpDRHmVR/O3rFHty1G8Z+7Zq0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDssZlEjicSXXX/ZAClmq2v5aWt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOY1FzJUet2A7tyny3Wg+FnSWzM5/+BZkRWNKu95SgOl\nhm3JYwMcqIETdKykxh3DxRZ0ARJFvch/oHwwA+zsJo2jbzBtMB0GA1UdDgQWBBRT\n+lGDrkUywD49JENDqqPmVf3vxzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFFyvPi2m\ng/yy5alCyx0etc8KecM0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiBoOWnlFnfNxI/EJHUMdBT7Ps5LKt/gZ20oC94X\n9u08/wIhAI1BwCqctBxlrhDfZRYjsafN6X5EQU8dPtQW2qutvH2E\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUb15m/nQ7AD4MFAIWU+Vxx6ERLrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDmhv4+58i90nQIawsaLriTCwlKVvsCt/3E1NT7XHJol\nUi2fcpDQ0hO6tyyrMnQgmblCYhczaY1OJAMURmi5DBqjbzBtMB0GA1UdDgQWBBTV\nho7lR3sqbGZePNLFo0z3l+5jEjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFARAHaEX\n2btqCB+yBb+IaK6wHB20MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNHADBEAiAlYdOUvQAHSJElUG2EGOCHe+Lovwqbb1PNX2eJ\nO/u/uQIgULMbOcD+m1KADRgQ/kbftCrtYqYw4TjxLdcFjrCD2DU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1797,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNG8WV9JgRdOWkt5B/zMaSf97MVQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPnfZ3KdhJ6m5fgDcyMiAiZtRJBeKanG5bhDZQ\nMus8gkgAk9s/uI+1njjkROAFv1Okr2AnPJH/T7mq3eGd2zvfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU05TAGnpFQleITST6dT/XFV39BSowCgYIKoZIzj0EAwIDSAAwRQIh\nAME1ddNjCRR0mduDUnFT6AOkAh9gxQA+keInJWRAQnriAiBE1XhbESjPcXYX3qMp\noKo31VQaUuAjNnhvwH25Wb/uOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUapTKxWWnyr6zr5Op4aeTOPXnZl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoJXjkSmOr4uBZiyK9SSYa1eXMXJ1IK9b9HUUS\n59EhzMyYXO+vQ7ScdWWOX9levhpQlKnEeOHZOlZALU8rNziCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1sCIcYrFjO/gHoKUOAGJgxiWl/0wCgYIKoZIzj0EAwIDSQAwRgIh\nAI7brJmACRBgQS61sZQBwKql3+zGenLo9g+m1Hq6WLrhAiEAx025jmQ3kiw5V4Kq\nu89TGkHZPzi+wejdAvqO+qGWRSA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLDCB0wIUcg/yw09+Ki+o2GF0KpW4ByREcoMwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABK34kQ5GM8Mxv3hfCp4Az3S6sOxg/2PsSTNFERE7DaMpPZzNS0Xt\n+Z5ixE+7de3bivJhITX8D8HjiB8Uj8qge8swCgYIKoZIzj0EAwIDSAAwRQIhANd9\nrJjPqc47Zy+bkxlooUqczu96DACnF6i9U/JjkJV6AiA/ZFqXC7V/aC22gJDx7jFG\n8+nXLUl3NkWMk9qTPLReWg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBKzCB0wIUf7xdxYNfnRLvLVm7ODF5Y68lFVAwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABM/YnTWL7Vu/lze5NzjrfzaGAlLZyohDt9QxO57zjUULWKMp04l9\nqdXdxZGJH1kvv7AN2BcQuCRKynvIHeAq/hkwCgYIKoZIzj0EAwIDRwAwRAIgDT3e\niv6ym0ucsKMm3H1juJNwao9u+qjmlQCB2khyIxMCIBbl4OyY9umbvmwyKnJJ/pmw\n5mAJS2osohoERUNZxXwX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKicwc8JDBlCxk6tLjyDypmRtVzswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT39h7u9EaiDwICrOeSKpqYsp0WT1Y++KpLCPfV\nlFGko1scQgfZKVcz3cIlE7FltNdFRslGVYmyCFk9N8vV87Vso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS6fMR9AzVXBUVCliIPfzNrYMlAkwCgYIKoZIzj0EAwIDSAAwRQIg\nDUzqMhGxPt0HRcLy5lXKxgaeG6zRaBYTKyYXX0X98MoCIQC7jxNdDhn5nZMMqsUB\n1OkxLMbAVDVVOQOPiWscC9/Y5Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKnMwhUM2X7KULU87IG0LVRX6GC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBcyDSj4WTocGegKoJKUEpL1qs5eXtwuYLvQcc\nDDA/Rw+qVE87rI5JK8ehqyBZaPruntWfO887tnLOswDj1KGro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaL3Io71N2ltQF8eWwjpZKGqQd3wwCgYIKoZIzj0EAwIDSAAwRQIh\nANmpDesDZIjDhstoOBtLoqWvkRvxuKQQpeUyTYmW0qY0AiAd1ewLGB6HOd+KLbiz\np9RdLeMf6N9bttKqS4UBpOzItQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUJu+LCj4aFTR1/uo3CMXu1iIBuCowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAJ4D8l95zeXuM7BnZMl+vytIhDLf2SJHLWuVl6eUreg\nHJRgBmwU2/PJ/yxqLWL3B0tv2+b94F4xV+uKKnm0JROjgY4wgYswHQYDVR0OBBYE\nFNLhC22smvcIc/RI9BHWpEUMmMIGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUS6fM\nR9AzVXBUVCliIPfzNrYMlAkwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDqL0eyvajjZJZZglACZkJkJxB+XAjG3c2b7N9uHaUWDAIgVjzPeZqtEkEc\nBt3EpNEiJi7s1Jq5TtMcFFAzeQSmKCQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUMuBiEp+gPPcsiFfD5c9UIkeUItEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBB9YNbLJRIpTq4mmjdZ1BUVzCDBAx/euzTLjKpgSsjN\nVKeM4FszfXbEGLKhvqSF4Q4TR1C8m33tC9kZHNDvTFyjgY4wgYswHQYDVR0OBBYE\nFKeMWXHrH5Q53FakWDKhAHl86sJkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUaL3I\no71N2ltQF8eWwjpZKGqQd3wwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGMNmdd7073npJiUfen6dI/WMDkXlciRhhb+n1gc+UQHAiEAo722Rg/uXBKK\nqLb24kDQipUDZvnkGDIQToAsWpDadC8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 58261a284e8dbc5ca230ce247281ba4bde33c87d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 11:48:05 -0400 Subject: [PATCH 047/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 395 ++++++++++--------- 1 file changed, 208 insertions(+), 187 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 1edab78559b5..1b50e36a59b8 100644 --- a/vectors/cryptography_vectors/x509/limbo.json 
+++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfHELRsdvGVPB4JJxkiQyJP2m2jowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqUJlRk+RNSKM8nR8DqCbTCzsh8jkH92Fh/XjG\nKoLZr7Irqw1EDJWU7kA/f4GvgjG1PgzTyDNc2vyeWBmC0spDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZBjQ7uQuuLk757PaHRu/rC0dPqAwCgYIKoZIzj0EAwIDRwAwRAIg\nbbUSn8xAdTAb33OL/PWDKXrnXAOxM83Gk3XjDspJ1z4CIFBPuuWqhjpanguiRwtm\nI8Gjpyx+9h2YNreXgl8Rcfd2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURSrgm6lypPdbWjLPojRCfwzaInIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXVaqvZZHV7DeSdLLReLNDPptgEQI8R3pDSwWI\nsiuoPMk4euDxP/ebmsL9aMWE/TAiv8cTdk13c3bpt8w0N9q1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG1JWAwenfFYUYxOLTFgnX7CQ8mMwCgYIKoZIzj0EAwIDSQAwRgIh\nAN4id92rgag0yU5tY4Bt9/SHEtdJJ0IPN07MVKIFm19NAiEA1cwRV93l0H0WxWKg\nhqdi6Ik1Jg8j6bMljD5VZtI1dOw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZnbbFi1e4G8fxlIZ3HTdmqieuF4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA3MTA0MzU4MjIxMDk1OTQyMjUwNTY5\nODQyMzQ3MDA4MzM0NjEwNzIzOTA3MDc3NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAFG7RkDmO5RguHg75B9S2JrUBWH4w8st86GRcHPc6waEOQh9hFRY85e5TzbsCez\nOwJBupYNO+NDN01ppdqGdQ+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGQY0O7k\nLri5O+ez2h0bv6wtHT6gMB0GA1UdDgQWBBQEq576lClyPiGOYaIIqbG128h/tjAK\nBggqhkjOPQQDAgNHADBEAiAXZ8Hu/ipo6+1gJNORHlVRsyz9Y/29w+ybL0qMVSNp\njQIgXQwvYAtkNL/q0jUBQ77IvqDlX7P6igld5NM2xzLggaE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNygNYLxotSV5WJb+vrm6/OodRUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTQ4NzY1NjA2MDYyMzM1OTk0Mjcw\nNjkxODAyNDU2OTczMTU0NTQ5NDk0MDEyMDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLIm9o+NO9lG25qozQZvIxNWnr4MPqgDnDnEQm0XxKQs6VbHSZ17l2P7bGJdOq8h\nS/coJIi/PSZxRI6WLHz4xgijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtSVgMH\np3xWFGMTi0xYJ1+wkPJjMB0GA1UdDgQWBBQhbycgmJUWLf58fflQltfVmslmsjAK\nBggqhkjOPQQDAgNHADBEAiBGbrJs8vFnpeM2gNmBSTkEOgJ1v60MkrDZmxIIA6L3\niQIgfjbwmA6j0DhS4hvXg8LlXUYi39ZHeSZHaOLcCUSB0UM=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUL1uyRHovSZ1TnWuZ2csnLWiL/I0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEwNDM1ODIyMTA5NTk0MjI1MDU2OTg0MjM0NzAwODMzNDYx\nMDcyMzkwNzA3NzcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhY+Q\n8bovrbAbliatywCLwqEZBG/TGLKvd40akNTnGjGPvmd8sPkA2gmF0zZ8QXqddPw8\nRKPTjDU6H2OpDXQzGaOBiDCBhTAdBgNVHQ4EFgQUQgySwbBk4QpoWE5T+vxRALeE\nF+gwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQEq576lClyPiGOYaIIqbG128h/tjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMcsTnBNNqWm0+bYd/2rzx0xDiul\nf2dHLSF8u3rBko77AiEA8z3nTTdoTXXVE12mtucFXLRpXgITAgvpt7B89fK+dJ8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUSLfp+GmWOevugjKmoh4jO64e5/AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk0ODc2NTYwNjA2MjMzNTk5NDI3MDY5MTgwMjQ1Njk3MzE1\nNDU0OTQ5NDAxMjAyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvbwb\nGaTpksrIcfrrIDnZ7JV445iIykjRCtizC7yRBHuEQFtd44xA4QwNjUuQA2feK3OI\nRsB4+UDUq9h+JVbGbKOBiDCBhTAdBgNVHQ4EFgQUaCfguLvlZIvVLEJTFCUsOeG1\nkFowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQhbycgmJUWLf58fflQltfVmslmsjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgANHAbqhD7JPY6JgyokYaeNPCys4w\nDWVJHAHYMmLz4vICICL8wbMrN1/zBRQIDMMDJ+imKapQscSUbO1WC05Xli/S\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNzHkSNPfNuDCdO3Rvi8ugBXOiCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6exB8mbH5qBNKAyAEiZDwESzJ8EyBYDJpxvLV\nXEHPrEcC+Cpn/Pa4H3ViGmSMlg4/rG34h6tyGmzgrlHGOmlIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFaY0k399JhxaL17kPGj6zNqOdrkwCgYIKoZIzj0EAwIDSAAwRQIh\nAKggACBKK2LP5Tu6TQL5lH8lpa9JIHUwIJ50CcXdP0NdAiBXEnBU3FUSWuEPanU5\nZabUSMwiITC/tpI16HWV+cYbBA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNSFCwYdaC+Hi60P0oDt7E0YsSH8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQGJwKH6tO2Ez4Z7OPGAk05nqnc9sfZiht8ux1\nWsf+lYbg4wNUaAO49QTAGbV7sr5koBQWHaSMwzvYFrMkTyiTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKzDVS7zM8ICInR4JH1fQysGBSKIwCgYIKoZIzj0EAwIDSAAwRQIh\nAPoR39+xS7CsSLc1c3BrlTmtUGh4d+2TBi536HUT9z2fAiBT8hjn318d5zdZYKLu\nQTFQol615O8duwYMH2qpwhrBGg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbfmpUSFEcUKkzvmX1tUhTy94E8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMTUxMDcxMTUyOTMxODgxMzYzNzgw\nNDE5Mjk1ODU5MzM1MzE5MDUxMTE1MjU0MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKoxzeEie3WKL8GzQPIfu6lboasuARiwLV0miW7igolEuZjnYVKuMnrlh7UHj09t\noVYE2IsJxpDH/HzgiFy9e5ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBWmNJN/\nfSYcWi9e5Dxo+szajna5MB0GA1UdDgQWBBSF1dVATQaSdVOTH7N6N0wCzBYONzAK\nBggqhkjOPQQDAgNIADBFAiEApYHRnSqZE2eprrrfZ24pc9eZTDssT8VErGZO6AKY\na6ECIH6NyX0oE2rde8tBk+RT+ViLZQFQWNdXr0JiolwvwLK6\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUELCDdARRL1Rkalekz8Y9oBudBdgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDMzMTgyNTA3MTA0OTY2NDQ0MTY3\nMzE0NDM3Mzk3MjgzNzMxMzYwNTcxOTA1MjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPStXLgt3zEYlhvLg+G+6+MK00c41uRjHued8GY5WCyPPU1NdqnG33mWfDH/vo6p\n6QNZEbwf2ICRE8CB8himDHejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCsw1Uu8\nzPCAiJ0eCR9X0MrBgUiiMB0GA1UdDgQWBBQrgUPlTTYP8urb7m2PXnFJf8jx3DAK\nBggqhkjOPQQDAgNJADBGAiEAoJR2o3csD0zcciVf4GCgIBMVaXjpIguUGS8eX0ne\nNCkCIQCz8Vd8UzR6bqTRIdvLIs0UXVf9j+SHdPgyjPM1ymvEzA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUJ4uGSbY9lfJSqJ7E74mYKJYeZhQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE1MTA3MTE1MjkzMTg4MTM2Mzc4MDQxOTI5NTg1OTMzNTMx\nOTA1MTExNTI1NDE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETHhY\nBaQ4rpFOI0nnWOMbWFG0BAAr/4fw24dwwd4I+Uz4/nmHGNEoUYRDf3ya1vA7uuN8\nBpeQRv+ElKcgxW8NoaOBiDCBhTAdBgNVHQ4EFgQUkMkA58QmiTGdRGmaV/4IN92o\nGXAwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSF1dVATQaSdVOTH7N6N0wCzBYONzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQECbFxInSCFBrZevjMG00D5SaGE4\nyuhFXieaIyWKHRECIEclJ6LV/I7miYVcIEKa9DqK/PS0a54xwo/jD0CjVS1w\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUfHnnBcSULIfZ6b8bW/VO2w+KOMYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAzMzE4MjUwNzEwNDk2NjQ0NDE2NzMxNDQzNzM5NzI4Mzcz\nMTM2MDU3MTkwNTI3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4Ar3\nQmA5MSlVYqRC0OpRBll0AJpG/viH5i/U80ejRnULNSV6Se21PlrC8imFewNz6iif\nmuLO1twH9AWBOa6wlaOBiDCBhTAdBgNVHQ4EFgQUZfavfaaPga4WE7wdTMWAbPhU\ndh8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQrgUPlTTYP8urb7m2PXnFJf8jx3DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKxvbXYRMnBCtbIs40KUyGse2mT7\nocD879eTk1E0Hsx3AiAQrsK18bbMYkZb9Cd51BxK7a4BJQ7V/Ir++YIcyqGqeA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPB//3A4RblWIf6r7JKO5MZmcpQYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoqA+C0b6QO00I0aRWY/fMKTIf2wZTA/9QD1HV\nwLclEylkPlp+bi3GB865wWmnfjeAE0lFNNpYU/dbqioWBetJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoHwt2yntom94rv5xfahxoiF7r20wCgYIKoZIzj0EAwIDSAAwRQIh\nAJ+t+7rpJ+EflU0wv56LEwDYWyMBtN0mDUFbMqeuLzDKAiAQFld3eRzuPM2qzlj1\nmuADMErgpuPH2/tu/y0eRVJotg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYZSmpQ1QkHhCQdtkQJ4b07i9rk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7qZwELKQtleg9pRULj96hx2Z9UiKKd9oC/xE+\nR5lCJFOf7UOOHhYUNT38BKX42RQAkQbdRSv/AYE42si23YRHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURrKAMIo4NGJ4xoLiBGCTw15Rw+4wCgYIKoZIzj0EAwIDRwAwRAIg\nNV487dG+LMORfkmHat9LXA7/Uim6LsotNDHDvf2Dsk0CIDNOAZWPyHsPSmnJ4I1R\nC1vY4mD2P4KbqqWv/LUg4qsj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUQKamVn4QTtErgZ3xNIMOnp9wwUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDMyNTMwNTc4NjQzMTc4NDEwNzAw\nMTE1MjMwMDc1NDAzNTQ3MDg1ODY0MDcxNzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLKZoaV3hOE2E/bF0jWnVL672OMWWJO9cR1pq44ayoydg8kywxw073BGaIUDgbY7\nfzFIJJt92+RSWP9cTgUCO7ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKB8Ldsp\n7aJveK7+cX2ocaIhe69tMB0GA1UdDgQWBBRSgCYMxkTGARiOT0IGDsUqb2bDHDAK\nBggqhkjOPQQDAgNJADBGAiEAuuHDnXgnd0VeOs0ug4SjbhvmqcYeRO/U5NmsMomR\nybsCIQDd3Z6vJNFByz/j6CW9WMDAUdqyhYsGvh4jnCvPS/EdoA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAOFv/EegygeLHxs1jkP+P+WZifcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NTcwODcxMzE4NjMwNDg0NTgxMjAx\nMDY4MDA0NTkyNTEyNzkxMTg4NDg2MDE2NzkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNEQOza4T4HxoBUn/3e+P03R1XhCZ6ij5pbjMj3jbYfbq8+j+8LdgAUczDo3hFx9\n9DlVvQkhcOBxOVz7nL1y302jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEaygDCK\nODRieMaC4gRgk8NeUcPuMB0GA1UdDgQWBBSbKxwmBpDwwxwWXwWpl1qjLSRzLDAK\nBggqhkjOPQQDAgNHADBEAiAtbNjEQZUtnwDpcIThV8lp5SxPPLLXyCWR6Odo2Gth\nqQIgRejMUuOvNMuBdLjwUZ7t4FC3lCsPfnHsAQWwMpOdG9s=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUeXXYUIitJEMBu3MtLVhJhQix+i4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzMjUzMDU3ODY0MzE3ODQxMDcwMDExNTIzMDA3NTQwMzU0\nNzA4NTg2NDA3MTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF0j\nfNLCdTQDQ5394wQhzwQeQv6VtcLnAWxt/l0ZnMdrvxEIA+HnkAPYRpDQ5JGxcPaY\nE3BVZve4+KliYGyRBqOBiDCBhTAdBgNVHQ4EFgQU7/SGBr4mPRmjn3KGkPqMWfR1\nvNwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRSgCYMxkTGARiOT0IGDsUqb2bDHDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXQd14vgEuPtE1UUB8Krw7hriz6ad\ncS2HxdX7jmLv9LsCIQCOdpZqPZJ3jllcmxfjHetOhWBgNG9aGxPRTkogWOqA3w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUbE9OGA/0CyzlPnB7a3zQIi+N1XYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU3MDg3MTMxODYzMDQ4NDU4MTIwMTA2ODAwNDU5MjUxMjc5\nMTE4ODQ4NjAxNjc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEix6\n5ohBbnnx3yooDDBowi/IZojh0/QJt3hcIKRKuNaLDYwv3fVXlWr3KDHtexkAePTL\nrgqb2BsRljxyWkf1GqOBiDCBhTAdBgNVHQ4EFgQUm6vF9ZmwULktuWP6iLPZrZ2G\n8AcwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSbKxwmBpDwwxwWXwWpl1qjLSRzLDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPc7xsa3bY/v610Unc4EdzpHlNtK\nIkAnswkvsyBy4YUXAiEAgS5Tl07a7QNoxRE+0vMkv0rgdCd2wnifps9g8f0BOjo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdiImtcfVUQdFxjaRDg6WoHcTa4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvu0dTLWOfejzg9Fr465H0Onu6QThjmypx7SvU\n/nJ1pnuCE6BIQtN2jDMQYopzoAnTjAHLKMJAKZiZPAYAPnCUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfuoOwcaPleNWMwpOQsZ5nzaUEdQwCgYIKoZIzj0EAwIDRwAwRAIg\nJ08iiBE8EVwhrmLT2nFpvOxizvXd/jPFC7CwwjIqXGYCIFTbQ/a1emaNLKgMmajv\n01NjVgdyyBFR4rUEZ9rmWAlZ\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHtNY5u4P09rE7TrS29gaVvQrwY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdfFJqr3UAYPuiarN+/RsIVsfI8fxQFha6iyyu\nH3MImHrgXG7xxjk5gLMHrDj+pH6PhESkG9FsGT144/ujwLdOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq7witEc5G9X/PJCuoLAk92/UoxYwCgYIKoZIzj0EAwIDRwAwRAIg\naPqVZhnonbBCmktDCqQBiA7YfO9uxIb7YVYY2RYMv0ECIAFkJ89L5UcFhQVPBHfj\n3ZnLTe5lHjK7oQxj8oHss7zm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaagAwIBAgIUepd6lquwe+xpjIiiygjEIMBJDWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NzQ0MjI1MDg0MTc1NjA4OTg0Njg5\nOTI5NTE2MzE4NDM0NzgyMDA2MTEyMDM5NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBINEV0eGZ0w3S4cz7qy+ZWmm3Byw7wKe+m9uryZlGzdXokhEU4tBexwrMHbdxMKg\n0CARdHwxEapA1aSvV5sqLJGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH7qDsHG\nj5XjVjMKTkLGeZ82lBHUMB0GA1UdDgQWBBSSAInVFp51jjT/PSt59E868PdjCTAK\nBggqhkjOPQQDAgNGADBDAh83iiIYP3T0geIX2DWxnJf2RdaqXYIY3mQqCXvZobqU\nAiAv+Atm0h+j/1AhIHNtBJxwMROjeRZ8vPpza6XgbhgihA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUX8HQTrOYjrVKilIBf6jJ7pLeNXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNzU5ODI5MjQ4MjQxNDk5NzgyOTgy\nMDk1MDYyNzc1NDkyNDIwMzE4NDMwMzM0ODUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDPnZ2kvuPLZ1E05uVFhylTLLgamgpU+MLBOwy0cUJIcSFbMeDW8tIdds6Kz2qri\n1dm+7ZmnFmghK7adiw8Jm8ujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKu8IrRH\nORvV/zyQrqCwJPdv1KMWMB0GA1UdDgQWBBQfz6WhDdu3JWz2fq6cRIqV3EO8NTAK\nBggqhkjOPQQDAgNIADBFAiAbdyNSDxwe5HaTuGcU+M/tdtjezbUoCh4lIZ0oW6dx\nrAIhAP4ok/Ryj1Ix4M0byRz4+EEVo1PrifTTmQoUgtrt6p/J\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUUSEKqAKtgvsD3wlLA+cjcOsuTGEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc0NDIyNTA4NDE3NTYwODk4NDY4OTkyOTUxNjMxODQzNDc4\nMjAwNjExMjAzOTcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY5OTg3NDk2NTUzNDkzOTYwMzkzNDg5MjAyMTUxNDIzMTczNzA5NjAz\nMzg2NTA1ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc30Ou25JVYL4GgIBxPatEUmn\nIm1ApFCPI7MCabUPQSblknRyr2Tv2Mhg322XwcTqW0fDhz+m0sWu5/c9BAAl2KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkgCJ1RaedY40/z0refRPOvD3YwkwHQYD\nVR0OBBYEFLStp+BAGkpZzz9BVIPchZwT5SguMAoGCCqGSM49BAMCA0gAMEUCICi+\nMfh0S/DHs3seqkBrk9RtADmwM3Yr3JJid201l18LAiEA5NPZvnPgjnn0Nkq6J7Za\nb5d9QXQ7JCt1tFqZJUptgGg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUHQPm2w8K/YPxe+LDDay6y3yG6EIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1OTgyOTI0ODI0MTQ5OTc4Mjk4MjA5NTA2Mjc3NTQ5MjQy\nMDMxODQzMDMzNDg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU0NjY3NjMxMzE4NzgwMzUyNTg2NjQ5NTE4ODM1MTY5MjExMzgwMjg3\nMDc5NzY4NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8xvO+ZhEYV0EjWRHeoXipS+q\n7HPWQ38HNahgewe4jxCOEzgqsjgX4I+8/CIuoz72GnDl1Pbt3LTKtjD4pHEZcqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUH8+loQ3btyVs9n6unESKldxDvDUwHQYD\nVR0OBBYEFFyN6WizrQ6ByYfQ25LWuyssqiuHMAoGCCqGSM49BAMCA0gAMEUCIF1c\nQgS2CSeH18c3sgRxw8D84IDz5F8PK9TjHOZPdGEMAiEA/8GdjkQXacji4HQHS8Um\nkpPGk4v9q9V1kdFMb+O8e3Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFJoKFtdEv3Hz7ErLdFxgpmyNPukwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4Goo1RJJ8tkT37xY3ksq5+shFivKCrdyqkHCA\nBqboyISrdnQVsqopotJ7f6IMf1phOJIveEGUxdK4rxVjIn3ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU+Pi1SoCHjiglTJUGC3i+jMcwqEwCgYIKoZIzj0EAwIDRwAwRAIg\nTBKzPs595tb54yyqMIMLboLXUrTCJ0bP6g9fk3phbe0CICdW7KC7RaDp/1aoro4i\nwwEy8A28OwyXH+SECed03KnD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAUYiz/1ZJhzVtbdx+icCKVKEIuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASUlLaiEAox7mY9KRw2zAvUSQOyYMRCn61mZ9CO\n2fLmPZ4C7Pd1BgkCyhZWUcJ41R7FQ4sQ7MybcY3Qq5fyNLbPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3UcAF+gsWWGXAIo2VXgvUK2PZgkwCgYIKoZIzj0EAwIDSAAwRQIh\nAOhHAj5lQl16qkKnnpq0wK55HIvA9h105AJcR0PCGlD+AiBnuqATbYqqHXVe/v5e\nGZwIuQlN3K6tp1y1zXl73BcPKQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAynAW2+u9aUFr1Gzo4TEbl/gsaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMTc2MTUwMDkwNzIyNjI4NzQ1NjAy\nMTY1MDAyMjUzNzI5Mjc0OTA0ODIwNjEwMzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBApyYZmWOLgafmapceXzlK6zxMKCWr/ofRvdrSfwNNpsbKDKPGN/rFFpthXd8uGm\ndduTL/onLkrwN1+9jOIhl8SjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFPj4tUq\nAh44oJUyVBgt4vozHMKhMB0GA1UdDgQWBBSs9lGJH3Wrqq9mK0tOx11QA1muzzAK\nBggqhkjOPQQDAgNIADBFAiEAxdSjK1Zyz0o7B5leOFFWz8R5tgsLMD33CJfjBIUw\n+d8CIHRMFK8rX5gpsQ7fO7cqmHW/9BtvECyjYEPyApgLstYK\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUWtJe9ZtOrUIYDARKacQ8Uvqkq54wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTE3NjE1MDA5MDcyMjYyODc0NTYwMjE2NTAwMjI1MzcyOTI3\nNDkwNDgyMDYxMDMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzE4MDU4MDU5NTM4NjU4MzExMzQ0NTI4NTI3MzQzODk3MDkyNjcyMDA1\nOTEwOTU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkM2SSkRRVmqgf3zk5Q3AoWWPd\nbJgqnV95pwBfcjaf/f2bYPrAmzZMjtQv4UoijLSrDMyBt00YXiRzBVMoo4s9o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSs9lGJH3Wrqq9mK0tOx11QA1muzzAdBgNV\nHQ4EFgQUMqSaiMBvyv7c2D63XKKljjuHRcwwCgYIKoZIzj0EAwIDSQAwRgIhAIKQ\nHte9DrpusHZ+pMCwLNw0SUflxEhbuRjee+KxqbzGAiEA/5RQ44J+1C3YACJP7M4l\nbyL4BXmjna+opChYFfd+RPg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaSgAwIBAgIUJqAbxN6ZprnZKxO7X/xRyDC7YnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBlMTcwNQYDVQQLDC43MjczMDc1NTI3NjUwMTg1OTk2ODc1\nMzU5OTE1MzYwNzI0Nzc5ODE3NzcxNzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASc\nuEPHwxcz/S3OxELu1vjziKKLQM9duUEw9pJ9QPWEya9IC66ArZnpZ56p7S3sXw/s\nDQIsapOrbh+mcH1Vdrnvo3sweTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTdRwAX6CxZ\nYZcAijZVeC9QrY9mCTAdBgNVHQ4EFgQUwbiIxyukGK0Eya9bGqNk8y4H3Z8wCgYI\nKoZIzj0EAwIDSQAwRgIhAK6W4SL/wYwx9cHFetmO2LcbtI/TPvmWTTsN8d3P7WP1\nAiEAovGVJLrfrRBmg7BD5Awg8hBoQP3ltcRBo5a8MVuM2dA=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfGgAwIBAgIUIU7u4Kf1Jvky87MlYM3CarA2CeMwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNzI3MzA3NTUyNzY1MDE4NTk5Njg3NTM1OTkxNTM2MDcyNDc3\nOTgxNzc3MTc1NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0wMCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjBnMTkwNwYD\nVQQLDDAyMjA1MTIxODc1NDYwMjEyOTM3NDIxMjUyMjc3OTc1NTU5MDUyNzIyNTUw\nNDYyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAwf59mdJ5hHMSUvhl2h7xb/wqy1\nOaMaXhZ2dkvsfs74T88mI/w5XgHm+KEdgARtOTWzSrLPkLta0yBQT9IrYMGjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFMG4iMcrpBitBMmvWxqjZPMuB92fMB0GA1Ud\nDgQWBBSArIhozLSw1ZaXH0TsCgNQyIiLBjAKBggqhkjOPQQDAgNJADBGAiEAsKCc\nAu4j/FMKfivgU9cZeRuwGergJ0vjR4vdU8rHC7sCIQDLgvsrfHXWQWp6s8HSuf4q\niHLXa0Nm010zVQyR4plDfA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCDCCAa+gAwIBAgIUIOqUJJ5Z13qQ7OTU93Ve8YD4+08wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTgwNTgwNTk1Mzg2NTgzMTEzNDQ1Mjg1MjczNDM4OTcwOTI2\nNzIwMDU5MTA5NTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARg7i3L\ne26ikMm/Q6+tSSWf7GePe67Kl8niziHqHK2FtefPrWmnxfByLPvJdL2cthC4ja6k\n8libmgUN/xj69tkKo4GIMIGFMB0GA1UdDgQWBBTqTMzEfagq3XRsWsC4xt4buSKH\n4TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDKkmojAb8r+3Ng+t1yipY47h0XMMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBDbaHMHYBPNG8N4rL8y9R69ONANQO0\nsnK8iIJ2WKVIxQIgGBgaITgF3y7W4QvjOVpo1PNNtlZnOGbACqB4vtDfwLU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUWY/HFUCc4ol/FD+Ri5z9j+io2XYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjIwNTEyMTg3NTQ2MDIxMjkzNzQyMTI1MjI3Nzk3NTU1OTA1\nMjcyMjU1MDQ2MjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfchb\nlcHha+kB+fYXcY8BZfor2lE8MekB/LXWoXIUWzl8AdHEZW/6uhhNYWgmQxMaYOIQ\nHatqix5EdcnJxiZSxqOBiDCBhTAdBgNVHQ4EFgQUYuhwnjxILDo9f65WYWXIA/d1\nFfgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSArIhozLSw1ZaXH0TsCgNQyIiLBjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXLga0uN4FQxdipjkwyu693m4Kt\ngxdjWnZUrSJGc7+BAiA42I83hoK+DkP9jRSZWTa3+3ZijkU+vwGL2iPkhixjEw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAL6gynCZTtUbGIo6mQMd5Ft5vKEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATabf7L90IKE0v9nFnI/HF6sJBGHFSL5YNh8X/L\nft/WMT2mlmiciD/LFBQ+Ju0utx/BAOS+Qx1U3voIfN5Q88s7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdCrauMp+rOi+3P1QnbvxcV1Jml4wCgYIKoZIzj0EAwIDRwAwRAIg\nVaUU8ucqtK6W3Fkvo2nndEtgZ9XO1+aMiUt2ZhfO2esCIG6FsodfiISnsOXCRRA0\n0JW0I2cyMcdlzTu+j1HALF6b\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDzgfDMi9zK+PJM7vknwtyScqqlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ1eDHW773E1ul2bBfPewk0xXNiZat3k5dO727\nHAW0D3pR8mjoAsQ/dD8G2syxbnpxiz2DYVJMORwq0HqRccQmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5hiZicDAtd4PP46xeA57KkhjJOYwCgYIKoZIzj0EAwIDRwAwRAIg\nP/KU4cDp/Ms+eSmsgGpcKi809RvhU9EhqKFTAqkF5cUCIDmmKe0VHXB8pnR8+rC1\nXe40y0epgQN1tRRIFtNNb3WI\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaSgAwIBAgIURYdPBEux030eMWXQ6l8VM25W3yEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBlMTcwNQYDVQQLDC40MjUxMTQ4NDQwMTc3NTczOTI1MTI0\nNzM0OTEwNzQxMzc2NTUwODAwMzA5NDA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2\nv3R6nYFlM/MOvgt+8Rq22qqvFdwMYhFIOLpvI4prWfTzcUxedscpJvTUrnWKp7rk\nFEmfmMyyv2jqDUGKq7aPo3sweTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBR0Ktq4yn6s\n6L7c/VCdu/FxXUmaXjAdBgNVHQ4EFgQUNyYKec4JnokykjM8H0LHffX+tiwwCgYI\nKoZIzj0EAwIDSQAwRgIhAOXzlUr7UuSEusbUwKUj60MS0NvA8SsUghTVDBt6RSmD\nAiEAjQDw/gAaXBBhaen1G6DeryG2OixVcfCCjlqLVRMEpbc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUPDvICmVKxTZ/3HYe1RCSOwk3kWQwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNDI1MTE0ODQ0MDE3NzU3MzkyNTEyNDczNDkxMDc0MTM3NjU1\nMDgwMDMwOTQwOTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0xMCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAzMDEwMDAwWjBnMTkwNwYD\nVQQLDDAzOTY5Mzc4NDcxMjA5ODAwNjM3Njg1NTM0OTQ4OTI1OTE2NDIxODE5OTg0\nMDMzNjExKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHCultVC3kp6EJBh/zChxcUb4YSY\nsa7LCeRLWjzeIjamZDh0CgZ1Lbrw7ncKOynib40Oxz75pnnzhFgKJpJzNtyjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFDcmCnnOCZ6JMpIzPB9Cx331/rYsMB0GA1Ud\nDgQWBBTyipELk9CHajGP4/srGOrup1FgZjAKBggqhkjOPQQDAgNIADBFAiA466R7\n4TLhvcNQruxCzHR6Ls4GbjzhiyIVo/1wxsSF4wIhAJmK6FcA2mZJWzv0/xWHXRSQ\nAas/xBqlbEqBj6RkDAyQ\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIURjwseXBgp7+PlH8Vu+I5uIB4Q48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC84Njg4NjQwODEyNDU1ODY5MDE2MjM2\nNTQ2MjE5MTk3ODI2MjMwMjgzNzg3NzMzNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTg/bKCHST+0JhL++XymlAgZCe9wq8lIqtZ5d0zKWHLc4xT1ulohXGVwKDC1EA6tB\n5iLARSJNyYPKCP44vPt2b6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5hiZicDA\ntd4PP46xeA57KkhjJOYwHQYDVR0OBBYEFKF7KATBX/VG4Rtv17A9pyQTwPS2MAoG\nCCqGSM49BAMCA0gAMEUCIQCZcmsiZqdgF86Tzn2BNww3Yg2lz+iD1Rf2ecB8YmnP\nOwIgH3rTxA5yMHXXfLWpZUmUA1jBsKBiWcw8exCp3Lzeo4Q=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUCljVEm5tM+9DIRG022HGERSCRQ0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODY4ODY0MDgxMjQ1NTg2OTAxNjIzNjU0NjIxOTE5NzgyNjIz\nMDI4Mzc4NzczMzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNDAwOTcxMjcyOTMzNzAzMzk3MzM0OTY3MzkzOTAwMzU2NDU1MzQ4MjQy\nNDk4NDQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRCuyI8Q/hBtMhojfmqHctBlZr\naT6J/femrVwK3rFgSxsR50TogB8cGsL70V0ltHZG1SuFB+TFc35iXFinkaneo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSheygEwV/1RuEbb9ewPackE8D0tjAdBgNV\nHQ4EFgQUxpFgmkky/ZiXkUSrLqwU49jaCJgwCgYIKoZIzj0EAwIDSAAwRQIgT2k/\nBR554WkMN3u39z1eA+H30CxnFrdH70wjdLYjPAwCIQCIl8lo9OIi6+o9zO9XoDKd\nTAT6ia4Yro1MrFOJ26UDhw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUOp42+0ncxe6IfRXxhs8bRM7rdhAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk2OTM3ODQ3MTIwOTgwMDYzNzY4NTUzNDk0ODkyNTkxNjQy\nMTgxOTk4NDAzMzYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPQfU\nodJeMqU6UUzAh8NpYDfBR/mLpVVNmSRLZ5lTa/3wWsCtOyLu+kSLD5qy6jHVQf+E\nWTxxNypR4YtMpPpIoaOBiDCBhTAdBgNVHQ4EFgQUazGemzqffOJ8BIfO5Ii2KQ0w\nAyEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTyipELk9CHajGP4/srGOrup1FgZjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMW2lkefWqPb/KEyEsVK4yPuzeayH\nBWI3A+yZTYPZLSoCIQCZBxaRaFqxj+OdeLTpYl1gArLQxM8KVYanMKQ2YBYMBA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUS7o7o6S+o8U6ks2eSsZU+u3SnT8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDAwOTcxMjcyOTMzNzAzMzk3MzM0OTY3MzkzOTAwMzU2NDU1\nMzQ4MjQyNDk4NDQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeH67\nLrqneNHazJ4CJtB94xDc70XWkEjHuj4W9hnd3N3v66zdlAcZ3PjcjPliTWAjvEgm\nL0Yry5uGIahIjNZACqOBiDCBhTAdBgNVHQ4EFgQUYVYpxSk5FKLu6upW02wcDTzL\n7kMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTGkWCaSTL9mJeRRKsurBTj2NoImDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgW0Hy3yKvq5PYGdAfGhoV45Y2/mwn\nkkANevkkyOBFrooCIQClPkmYEgDJ3AHzj5PqCE9qfF5/ol+9U5qB2rXFOAz/jQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWBoGBd/do7SkYi2UkWvBuM/En6EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9mi/IUvZWAW3hpfXAjoVfp61iVTuoBhWxHEP5\njRqMA6GRq7kZ551uXv1KANoNvRC0BgViRbu0qVGN4ROLH7Yjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzEvwAGeA+0gLWuenmTNn76L4M/owCgYIKoZIzj0EAwIDSAAwRQIg\nEy6ib5lZiuQ5FTRz3SRVg/EznwBBN/PneVYF+yoKJq0CIQCrtbhozDAb54BD+1Dx\nbaS00rDFquxE0w44d8rwZncWTw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSIPq6GAQMu4gbNW0YUkIfbm2o9EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5E8ofeaW2XHLUxKJ2se/MLzPo/2Q0T94Q9uXb\nuugnn9TGRtq8mTzFD1B8Yuc9uXW5ovCHUJeHdNZ+hMc3ujVEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkmUcbpiJKSn3Y6nd5+hKZ/t8XIYwCgYIKoZIzj0EAwIDSQAwRgIh\nAJsPL3MlNHKrhr+XesJsw7dGlCbmSWGNdsoA6drWjJoWAiEA5OHOHLPv5Tok8Lor\nH43p5he0xPhu5+dVXUsbB0V1EvQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHZv6s3BwHda+lboRAXQZHe95aHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MDI5NzE1MzE4ODAzNTU3NjA1MTA4\nNTAxMDI5MjMwMDY2NDEwNjIzODYzNzY2MDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOW6u3Du9+pXC+alAFKh9ZSTp6slMopWUSgokxyPyRMSK4b3MpZsDfZhQSe1E9t1\nA0ULte3/CUaI5nLKAOLp3Y+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMxL8ABn\ngPtIC1rnp5kzZ++i+DP6MB0GA1UdDgQWBBRQd0X+dOgERSnIGSwmKrZesCWVczAK\nBggqhkjOPQQDAgNIADBFAiBaS6yeM2cRfMPsDQiW5gPMQtrZo/WgfxWBwnQGLmFV\nlAIhAOumC/08VDjHZ0A/ncUukYZkoW1mtS+EnZCVhesmIuPI\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUEnjP22ffBilu33ynNJZVskXyD5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTAyOTcxNTMxODgwMzU1NzYwNTEwODUwMTAyOTIzMDA2NjQx\nMDYyMzg2Mzc2NjA5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE2OTAzOTE4Njk5MTE0NTg4OTY3OTEwMDc0NzYwNTAwNzk4MzI1NDM0\nMzA4NDE0OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK4SThGvfA6g3oiMvwSzYBSSN\nyoMt/Uh7pNQe3lGMaqlYPlotZkI196LV91se6O9Na+oJmbZUvE4yiOkP6ehGV6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUHdF/nToBEUpyBksJiq2XrAllXMwHQYD\nVR0OBBYEFFQQdhm5XjcQRVp/f4DSRI69Z+XlMAoGCCqGSM49BAMCA0gAMEUCIBwI\nSTdiNU910HF5Sw2Rqeg/1nkmisfq98EBK0S4nCBEAiEAwWESDcQJbX2Hxu0s3EmU\nIpg3c5PkpHZL1TiTX5iyqEA=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBBU6bJeVdw+qWgly4vr2n/rlmBgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY5MDM5MTg2OTkxMTQ1ODg5Njc5MTAwNzQ3NjA1MDA3OTgz\nMjU0MzQzMDg0MTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDEwNTQ1NjAzMDIwMTc0NzUwNzAxMjE4NTY0MjI4MDM5Mzc4NDI5OTUw\nODMzODU4MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFqGqcCdTY8WwrAMRSlmQQB7Y\nvyfT0TQKrKWw8gq0JfwTTvk1o7ILcUD649z7hFU66fr1NDCH2Y9stmguxJ/OJaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVBB2GbleNxBFWn9/gNJEjr1n5eUwHQYD\nVR0OBBYEFAjPfeNH+dX7zdsaJDhBdDydshmpMAoGCCqGSM49BAMCA0gAMEUCIBKu\nVvhseKXtc2/xIVvgYgsMlZGrq9wbt6nQHgMbuiYdAiEAuPSdVv2b5cikbg2hWHFr\ncqNrmxet1CeYI0Cn0/Ggxgs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUMmPP6vhXG9REXVftHzeCtNhyELowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MTM5ODkxOTY0Njg0MzExMTIyNjM2\nNzI4MDczMDQxMDU5MTIwODYxNTMzMDcwODkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEpXfmmMS/WwKZL3PUgKqpmSCDG63LSiiAsE0e/PrMbyY4wy7+5dvJI6fNnfNFmY\nnxh7eS7xu8AsixYPMJdIRL2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJJlHG6Y\niSkp92Op3efoSmf7fFyGMB0GA1UdDgQWBBSsNz1ioTt+/l4Q3+Ma8z9S38mQlDAK\nBggqhkjOPQQDAgNHADBEAiAGSglBUgPGklaG47/R4owPYmziH0SNTuijROqkjDlB\nlwIgXK/io32rFLBEGTNFuwVCZqJo9m6FLvqGc67qC5KjuT8=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUIMNog8jjAdCgozd3G4qkQjm3PKQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDEzOTg5MTk2NDY4NDMxMTEyMjYzNjcyODA3MzA0MTA1OTEy\nMDg2MTUzMzA3MDg5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI4NzY3NTQyNDUxNTIwOTA3ODk5NzI2NDc3NTY2NzgwMTA4OTQ2NDY5\nNjE4MDkyMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElsin+FLPdEhmlqvswtOABfIV\nPsJTaqXf0Xe8nnc+PwcTkDnL5KurguqzLjEKOz5N9YxC/HjatBADIsS38zp/5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrDc9YqE7fv5eEN/jGvM/Ut/JkJQwHQYD\nVR0OBBYEFB4lrDiFizLujK1LAs+DGrC0cYoeMAoGCCqGSM49BAMCA0cAMEQCIGT/\nhmLVL8HgzCON7RIGNRBL2N1Y2pGAki03oXXfbCUfAiAcjTfTPnVYLxMPfzB00XnU\npsEoyf2exG39tHIrp0Pj3w==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUSd9fGPR0xoQypOo4TgkhHU0E3iMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg3Njc1NDI0NTE1MjA5MDc4OTk3MjY0Nzc1NjY3ODAxMDg5\nNDY0Njk2MTgwOTIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE4NzA0NTQ1NDUwMTgyNzU5MzM1MjEwMjkzNzIxODczMDIwMDM3OTg2\nODc4OTkyNDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERdAxC8e9QKBxdxLGSHEwMS9F\n7xOlsUPpE1sRVMMEgjsVy27kJtrLkHW5D5qiYL4/KWbSFsSj0TLqjLBDixDTx6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHiWsOIWLMu6MrUsCz4MasLRxih4wHQYD\nVR0OBBYEFAfcewdm666lnUpN+uT+0dnDbWZFMAoGCCqGSM49BAMCA0cAMEQCIHnN\njt1JMlv+eQF53YCjUKtV1KOOiO48FJ00x3bfidRfAiAt7JeRb2NYsZvXjM1L6yor\nR9vrxOJ79fd3GcZrYGV6gA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIURPv27CAPF5IKaetGGQlbVAQNfyswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA1NDU2MDMwMjAxNzQ3NTA3MDEyMTg1NjQyMjgwMzkzNzg0\nMjk5NTA4MzM4NTgyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJJ6a\nA3mZeBhW+q3qITyvZWrcu6EwY2IM8thnxggcLIGi0zWOR4e27iel3XIIDDNx0TLJ\nX8d8mmWoKC8xQquCU6OBiDCBhTAdBgNVHQ4EFgQUSFo+9EBXoDV6eJWJvVmdM4uR\nnMgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQIz33jR/nV+83bGiQ4QXQ8nbIZqTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIxAi2E/kl79CMclgGfSsfTL6ex1\nZ9cw/ShMe2DHj+pBAiBgS7J/sk4WRbtSDNzw8Qrx4q6iwWyuKCfBoUYv5IK6+w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUeneEixAaDg59SZgsV0nc3EE92TswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg3MDQ1NDU0NTAxODI3NTkzMzUyMTAyOTM3MjE4NzMwMjAw\nMzc5ODY4Nzg5OTI0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdiy3\nZCRlMjw1bJWgbN6jI8hAfZlpaoa+EnvoO62S0fAKdvDXCZor6xSPcMM8cQjr8L4F\n8tdyHVxllGEhiKynaqOBiDCBhTAdBgNVHQ4EFgQU9b1rQVXrROJswwBR6Zaqigie\namowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQH3HsHZuuupZ1KTfrk/tHZw21mRTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgZ4LifuxmwtHIgnP9+dGmtsS8re93\nstC/U1cDSegKTPUCIQDwfw2xpAyrTgWaD73GnpGdUIZ5rJe4Z3QS9JqWQbr5PA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPChZ6glhTn3VcHUMNroE1ac7OG4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATm6RvY9ApusJN5R1X2vAQJzjB5VH7LiFZ+XUms\nAi0jEmt8+CXNwYd4VAbfi9hKEtJYump4JD68gmj7o7Tbk7O6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUj6WcR72u4+VUULYoyTxuHnMagsYwCgYIKoZIzj0EAwIDSAAwRQIh\nAMmnODJrA9O+c143U9E2tfSau9bb7wR4TwQqbnVcXRuEAiBkS6+DGAhHKptcwz5o\nAoh5mpITqjyvPBYQZNHCenTesA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUITpkyrZ5rI4/kOm3OOq/axwVKcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4IlMxnaBTp5ggmP3g/5VEob8gzGdluYcqN2Ba\nVHKEFlgdHUFi2BX0R/hYF9BLFA0+PFnHvihf5PY1TEy+EsjKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYYbeGniIJ5S8f8d4cI303401l1QwCgYIKoZIzj0EAwIDSQAwRgIh\nAMr8WWACGjnpRhS8DWS4w1d0HXstR5t61CnO8MAEjst3AiEA5dZNi/eoiuG+WNiP\nst6lmhJS1oa80yFJbncgLQw1mxc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSZgJ9HpwbpF7MQFUPNIX5NvuuCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDM0MzkzMDg2ODkzNjE2NzkyOTYw\nNjk4NDExMzA4NjE4NTI4NzYxODc4NDI2NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA0fs+uiBsneQUJ4ekaHEoMGkdN8GN/vyLE2LeNDuuQZ2f+DRLJKXyecZ/IUICfQ\n5/CT1zOw3tXcrnmeWs8tHRqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFI+lnEe9\nruPlVFC2KMk8bh5zGoLGMB0GA1UdDgQWBBSlMlSMSyu0HkIsONrOSgzp/1IvijAK\nBggqhkjOPQQDAgNHADBEAiBLKS6NinfnqaM4fggEWuLjz6bEYLg08OadbO8EyeM0\njwIgb3SC0lmjqaakyiwMf6D3xVXQ3GUFchR8VQT3bvQqAb4=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBI7EyXgQn921ac8TRLhdkisDZ9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzNDM5MzA4Njg5MzYxNjc5Mjk2MDY5ODQxMTMwODYxODUy\nODc2MTg3ODQyNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDM0MzQzOTMwODY4OTM2MTY3OTI5NjA2OTg0MTEzMDg2MTg1Mjg3NjE4\nNzg0MjY3MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOTcezD5aBbYlY0vun1lEWZXf\n7zQxRFKlwAzQd8pBzCaYr89J3uOjP2ENrLaYiSKrV+/UIM+NNWdzhJQatjyFx6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUpTJUjEsrtB5CLDjazkoM6f9SL4owHQYD\nVR0OBBYEFGu0wS4EA8FnQJm8pNCKlIg3Z+RZMAoGCCqGSM49BAMCA0gAMEUCIByC\nz98wyHREURuMqNyadeG9TbMg9Ds8rg77ISwKpff1AiEA1uKvMdgi7vxgLVyhAALo\np4jYuKtW+UbMEFp6gcH1Wy8=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUZhisb8sLf+jENr8tYM1Ey2JXr8QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQzNDM5MzA4Njg5MzYxNjc5Mjk2MDY5ODQxMTMwODYxODUy\nODc2MTg3ODQyNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzI2MDE5ODExNDY1ODc4NzYxNDEyNjI2NjAyMDYxMDYwODI2MjU2NDcw\nNDAzMDI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARgxSMT4lk1kC33BRkx2tIAW6rH\n71hyopft97ADfffwHpO+nCXDa5Jl5zHstuZO0oGVFT9HL5g+ZWVeN6Cq+xlDo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRrtMEuBAPBZ0CZvKTQipSIN2fkWTAdBgNV\nHQ4EFgQUduEPHbm0V6MahyCLLrCbzV4/8vMwCgYIKoZIzj0EAwIDSAAwRQIgSm9B\nWdKYEDffOVcugnm615odNMI86OKBAs2iFfVuSU8CIQDZ4AvzHC/epk1wG41ddZ00\nMvRnryfDZQHKW/NCx1obsA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUKSYFP/4mx2OIhuJT78q4c+2kn6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NTk2ODMzMDcyNzMyMDIyMjUwMjQ0\nODU4NTYzODU4ODgwODUzNzA4Mzg0NzE4NDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOSxtKckIOrw6mCcQ7cuIUHua0Njk6hIzgCxCe4eWSCd5s341J1GEf4W4K7aSXXr\nzLYEyLhkjO6+s92jNhquWgCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGGG3hp4\niCeUvH/HeHCN9N+NNZdUMB0GA1UdDgQWBBSTSANWLAXEfeJODSspuOiNiT9UTzAK\nBggqhkjOPQQDAgNHADBEAiB3+/jb9PMvF+NNChft++OaMl7d7/tN/WjgFMqHW2EQ\nYwIgY4kCQeRpDnktfcpkRBly0+w7av2GeeI/WPAUTeBTQuA=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUPTn2rfb4nBsHCa4w9++2YPOJLFgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU5NjgzMzA3MjczMjAyMjI1MDI0NDg1ODU2Mzg1ODg4MDg1\nMzcwODM4NDcxODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ1OTY4MzMwNzI3MzIwMjIyNTAyNDQ4NTg1NjM4NTg4ODA4NTM3MDgz\nODQ3MTg0NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtZtJV14Oj4B8nMuMdoah7mT9\nozyIpa+23eaFluOauv1h3iCl+agYn7mrH/QKDn3AXDq52oPLdeEdt4ZfGUodYaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUk0gDViwFxH3iTg0rKbjojYk/VE8wHQYD\nVR0OBBYEFJ1JxtK2L0o6zkAvLCL2GyPQyIwKMAoGCCqGSM49BAMCA0gAMEUCIE5p\nzkWyEtC0TBKAUHSerJkShchr4oH6CbkosazR/ZNeAiEA0iUhgjUYo40HpYJ4b+WK\n1Q2jX1r2451qmRWn2OjUVSc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUMhCPELmKHcyMxgWO4YU1beOISz4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU5NjgzMzA3MjczMjAyMjI1MDI0NDg1ODU2Mzg1ODg4MDg1\nMzcwODM4NDcxODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM0OTU0MTA2ODMxNjA0MDA4OTYyMTU2MTE1ODY1ODQ0MTIxMDEwMzgw\nNzQyMTUyODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGn5uEGmpXGYEAQSaLSgGolPo\nRehJAW6AT13fLOGNmAWrNzYXD8oLcm5ktnUHcLJbwgcIpftcG/G8AhUdZuGqqqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnUnG0rYvSjrOQC8sIvYbI9DIjAowHQYD\nVR0OBBYEFDEISNFKGbNpN9xPtkrt0Mu3MvE/MAoGCCqGSM49BAMCA0cAMEQCIG+Q\ndKzCjlzWLZrPdmBB+wWu8cpAX8zLq3QbPFWYebfMAiATpO9S5Ux4ZRIro/D6YqWh\nfMPSXH7jTBMtjiehts4Krw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAa+gAwIBAgIUFb8YTE/lmC4hUgDZpsAjHwsG/JAwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjYwMTk4MTE0NjU4Nzg3NjE0MTI2MjY2MDIwNjEwNjA4MjYy\nNTY0NzA0MDMwMjUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRPFjZ\nGKVR1issQoPqkn4DKxeZG1gLwfoYMyNeIq7Op/T+8cuNQ6k8JJilhgLzf2gbPiLw\nteO9OkSIAwVCLegqo4GIMIGFMB0GA1UdDgQWBBSsGy0rFBvRg94i69+clY0JX9E9\niTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHbhDx25tFejGocgiy6wm81eP/LzMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/ihYaWtlROiHgLPPoiJsbuo4/CQG\nf4v3Qlo9L1hz7GYCIQD06p4Qp5CAJyfHK0QiGIA39Wob0zE7gOHHvAE3dMzgxA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUI6hZc1S5wib/5h4s32EUNxH6M9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQ5NTQxMDY4MzE2MDQwMDg5NjIxNTYxMTU4NjU4NDQxMjEw\nMTAzODA3NDIxNTI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflKu\nXz7GJxiVrOCE9B/IzJUAlzdtLHRy15rfizL12zSLLza6OI9YFHEN85D2djM4UYhA\n41qYOCLY1CnmDFCoG6OBiDCBhTAdBgNVHQ4EFgQUCuuO1BPeWAgj540koHIobEs9\nMdMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQxCEjRShmzaTfcT7ZK7dDLtzLxPzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfAp4w7c6jOb1/Fox9kNQ9vfoJBQj\n9jLmCyYGbMSR1qoCIQDkJpy2ZTJqWtW2xy6H8n/uK0iXjSsMG5qpWiidj0yIHw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUAZWaUav7X3VMFxS6vJI88rR7IxkwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoFrsvxRaJKh5\nD5sA0m18gnDgaFjS2nShnJ2P6exaTDX70PbhRxQFLrPtlImLbjEeOBwGQSdJDI7G\nj5QKFV2n5KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCM+qaKS1fg23tjVJKQ4h7/D+bNN\nMAoGCCqGSM49BAMCA0kAMEYCIQDTS89vabKnGykh704l9EDzVfFnNONhrJ70LjmF\nd/TVTQIhAJadIfmRJeArZGbHR93t9fCpsXRUxHcyfpfy4EnhZN2B\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUVwDDzkoO80vNe7eEEshH3WVzDXIwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6SiaEK+jPfBn\n+2jDGB9f/l74f0V2I0duwSjNAqFUpab29bnyrDdx4YLhsti6pQpaLFM3fzsBJ4fB\nP+/GiiYDrKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKU9U3ybrW6QKQidJLK/PWUFGiZq\nMAoGCCqGSM49BAMCA0gAMEUCIHVn4U9l84KEvdzwf3/b2GwjxcdnJkNVVO8TxWSc\n7YRwAiEAqGmUVeAsKQwvpqNg5OPYx4DrdzBnT/EZCqfPUIsZaDk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUacaCV8DxRYKUhXW//wufxFiZAW4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABDqF7329CC/yojiLof345fDKXOgWloowBzLF0wfDomX653xz\nnIrn/GsQrNVVaNqs/654Thz1XvIvxNRsVdZP+8+jgYgwgYUwHQYDVR0OBBYEFGkw\nQ4eMgE9KXZwU69tGwfbgfso0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUIz6popLV\n+Dbe2NUkpDiHv8P5s00wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFYJph5X\nY9d/skM+MKD57Ye9bVkUX9u8o16hvBxMFYxVAiEAiGpdPAej1CtsMxRrfegpP2tD\nrbx5tmVMGVnAOfizL3I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUaaZVFZg7OJiK7PKaQT/46iNDI4YwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABAkTSrGUmPXcLwejvxmOke+NoeT0Ba3qRSB4OSuERx8aRZe0\ngXB/tRIa29Lw3bD8I2eguF2Ph/P+uEt7loZkrOWjgYgwgYUwHQYDVR0OBBYEFMjL\ngz4fx5LLUrq3EbK03fd3d3zIMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpT1TfJut\nbpApCJ0ksr89ZQUaJmowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHhRUKAp\nagisuiO+Z3OeCCNFucZ85o+qg/hRNDhwMvJLAiEAw9sa/goreyEki92NknTap1us\nip1+cSg7vJEtahAdIiw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUPMtm3umsTK6ApXP0dqMqGlTPliAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELvBlxwRf\nP8bq01ZJwMA1gLi4xpkR0ZmVzsfifM+jky/mC4dP93VhghcxpjZlwhh4Ytip9BfX\nhrF+xkoN5qy7pKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJ1Vk6SwWeoR53y9YsT6+oV7\ntGExMAoGCCqGSM49BAMCA0gAMEUCIBH7NxRIOmykqeTverEIHOeuCZkDFAuuKxhN\nUHp6P1YDAiEAue6r5ZExRXLpEgRZwQqX6VK4tPhuYZdT3WwlVfJ7LyU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUVNwQxz0nbIDTL0SiDpI6bpf3moEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELOmj63PW\nXDVZzWYstv8Mrk0gfTCtanO4i1XQS7BADcxbUX0fR9FqY5x+1lAbDZ3gw4bnK/bf\nBQfTRbh/aju8gaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFOzKytWdQ15JH4QrGLk+yHgF\niNWwMAoGCCqGSM49BAMCA0gAMEUCIBmnhRero5d+/iyc3nceWC1QofuLBG6EEe9F\npFdHPD8pAiEA6aqj4aazQzuVC6hpYoDt4wnxz1ecdzIcxBnV3RJONIc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUedXdi/1bLOrgfoguIFr+/s9j8J4wCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS730BNTXZ5l2yU\nIymdfotIPntiRbvt/fnIbiqYTDGUIcpEYk/lpX5gRU900/tmEcWtLYtN3u5LtM1E\nDgGSPUaUo4GIMIGFMB0GA1UdDgQWBBSZ68uO8v9CCrWOBn6dBa1zoD48NDAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFJ1Vk6SwWeoR53y9YsT6+oV7tGExMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiBa7eDVMkfgez9E2050IWjzlLKFtnmOUsQKltG+\nhu3LmAIhANtnZGMFTkO9BvJjXo61JQ6D3NcAGskazO7qv3xdG6c4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUUtoa5cwt7s+jhs2BRpb+cq5PFJMwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcq+aWOOyO9vpw\nnZEfZ+noEndDUJZ7tGi7B+Ob1wspw+dVJKvNfmwUz/BuLdDV2yN6fxzfiqlBRL6+\nyhfY7iY6o4GIMIGFMB0GA1UdDgQWBBRtgD8C/dDCI1rsNiF1bMk9EXx9SjAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFOzKytWdQ15JH4QrGLk+yHgFiNWwMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAqg3pFyw+2c3F12sUtsc1RtTl8Gh1av900awb\nownENa0CIFcKxCBZA7TNGNg0h225UYYK8hfrTTYSKu9yQBQW7be7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUAy4asb4bemnOUiu7C1z2wZiIRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASIMgSz0p97zLM7uREKutTC2a9o1iameR6RrlMb\nmwrJxDy58HWBX3YFJHqU67J5LAQLWzjpuDxWaXfXVoOhA8IMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM7q928ZCv+P1IFoIm4y3/NRbh3UwCgYIKoZIzj0EAwIDRwAwRAIg\nPs/EoDTZ9UPSt5Jq0aXRqY4a4/5di8bA7x7zpOIp8O0CIBVrAZ/6BePpPLvI18G4\nd3YIS0VXdHHW5fd4VZaEla2z\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDVJ27ifwYkQQsQlJ++9eVGUyB9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMjVsbQLxc93iNap4OIXyItt1mOVy0lBNYq/07\nZROK7pgt/QOIi1NUXaHxgW4s/LfPzIRZNiM52nqcO1vaPIduo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQGO5dwh2q97k7OsxooVH02suggswCgYIKoZIzj0EAwIDSAAwRQIh\nAJCzAux+3iQhBkC7e5SYI6ThrdJ6bkQsIXwDVh2Hb87zAiBjo3Z6xtJ3z7fCZ2w9\nqFGoy/AsX28UqyLbD60xKsRTOw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0TCCAXegAwIBAgIUWbpfOTTibwlrdv3MKT18uUptTc0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJD01ZnczvcfRE4ve6Z5/uQr31Jb9xTpYWK+83ZOefRb\nWEWdFxWWaGyrpJHGiYWdURpdCBuK3+oy8kCxDFS3huCjgZwwgZkwHQYDVR0OBBYE\nFHrnwKnmNW469APlehrpDnJCVcj0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUM7q9\n28ZCv+P1IFoIm4y3/NRbh3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSAAwRQIhALAvjmzpxpRHHADw0VrJZrDrL50ZWasWqywFhvvP\n1vFIAiBKbY/XpxZEVUI9amsL5ZO5VLThuoR/T6TebfzSnb4Pkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0TCCAXegAwIBAgIUSIywaCDG662PUYJtUPPY5xpGytYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC1wW+oI9eihbHN3Nc+I53ZLiNv+kdgxpujsfjVRrhgd\n4q8KfOtK7iaSLXhDOjwPBSUlM0lq6KEFTbdxZQ8kKoqjgZwwgZkwHQYDVR0OBBYE\nFOfdRrZpgbLHFigVQc40hBMDTRVyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUQGO5\ndwh2q97k7OsxooVH02suggswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSAAwRQIgLK5bDiWvBYsV4Rw9wByT2ewqdY2mEsKVjeY3BPre\n0P8CIQD7hG7/zQBygR8xDMPSkZIZe/epdvcfAPRko8J6Omg+Ig==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUE8RU4xw9QanWH/aYcQmIyBLVDIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsr9X0W//xwHeVom2le7GtXsIMZ95lriiQsWC3\ng8n1RJEYPZ0qkUBdkOKLoPoXnLeVimiRkkyZugAbNFh4p7O6o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFV7CVj86lMWsDgaNZmyKvcwzntowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAscaVbGW7Qem65rVbmWthpDCpPlI997y+L9ON\n7emRuUUCIQD1okHz401vgerR3mrIaTD9MrBY4AUmMJZVkI6VcQe1Wg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUYQUkkMZwkjHw2NzXzPqKqrxDq0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRahheE8P/DYP+B3/DDQximUq/jVBQ8NcJ10wR\nlXd7I5zX0eyJw+ZdqjttVybcJplobRKBGGVYTAZ1TuWjjVL9o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfwdwtF5APRRDiWQFxhN7iagw9+UwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiAuvRXyENnlD0rAJtgWtKnfyRtPsH10ZJr5GXZ1\nBwsVuQIgV6FZzYCJ0XRtOVwJT/o/Uw6rfzlqlINhT9ocG7lIFhE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUX/kTsOCNqXSW6tbWANui3rRRGagwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLNlT5iINB8utGlo8qw/ruhLE026G47vjnIrXKK65WVO\n+uNI79yqCQ6RFqRRpj0719gDbc0AIHuqlDavBceboCmjgYgwgYUwHQYDVR0OBBYE\nFJQEYgJx2NGDnmgyiCUe2jSQaOcAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFV7C\nVj86lMWsDgaNZmyKvcwzntowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCb\njvY5NkjdblfeIlqve+8C8xNcdG1WbIU8TcY2yRv+qAIgW7yhAqSu60fCeVYM63gW\nEKr6lLTSYMPQtYLZibUbuug=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUOxyziBD4Ut4Y1nvDryMHx2r/l4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNIjj6gkZxA/axIbCajJD2Kd4QAd6tVxcLoLJFhGxG3x\nWMtx8iEzvuXmtGQobusQrjNXufNRgV2X7nbrlUzbhrCjgYgwgYUwHQYDVR0OBBYE\nFAlR8o5SbxDsE54pPVML9Ea1lfoPMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUfwdw\ntF5APRRDiWQFxhN7iagw9+UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICqh\nMbk9bNdmxVNmI/jV2vSp5TTdofI0RLIU8zOldNBfAiAbSWBIW3leflmoxNMuBz6+\nhWH7MWIbvO2wAL0HRVOxDg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFv121FBhYI+zAhW7EQJItXJtvn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyxh9dqHQZEqC5DUe5MQkItA8FY44T2WyTAqpS\nf0D9rpP/hjgoHSW1txSx5sZg1al/jMTEuC2HJ2t8mmxmXxH2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9vD3X1kg1127dP30aJtUU8xLI1cwCgYIKoZIzj0EAwIDRwAwRAIg\nOcdpz76BRKyt7vFKB7Ewp+VqScOWgLTeiSIEAxFePeICIFjpoml0Fv/i7OmXQUNI\n+UAmVsfIZaDrSQ6ovOOeJRoZ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULGtEiLhpwF0zWzWVdbUy2iztWkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRfQeRqaRDGojt+31ZJkm2ydzhprEwQar1uwDY\nuOqc+/fHprPlxG9gPS353Nl9u6UiF5+9ffHHarF4FoDVrxUpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyfCgDosrrJoKZzLQLsRxssEPqQYwCgYIKoZIzj0EAwIDSAAwRQIg\nIVqVGwZqMpydX7P2tpiwYSC4g/DSa0n6j9V2tj9YQN4CIQCDL1SruxEqpGYt5biH\npftvDXrRC/6wP1AC1vSGFHC9Jw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUU8N4X71wBNuQ0ZTrQcunE6hYgw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMzEyNTAyMzY5ODk3OTgzMDMwOTA0\nMTY5MzMzMzI2NDk1ODAyMzAwMjI2NDMzMjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPZVURmqvkqIO0SjrbxxTc/yVbbNgqVlEnnLorde6ASHru8+qQ12fD30UI7Uftpp\nJtmotjwRThQPka1ufDd41XajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9vD3\nX1kg1127dP30aJtUU8xLI1cwHQYDVR0OBBYEFMM/kVcwwnbPpMgQNJKdkgyKdPBa\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgVEQjyopTqtZC\nS/79CWlRBDriRvfya5iXRzuzg93ExmUCIQCLMI6scW7Uy7WoS7Vj9FtBV6gLfalM\nrj/JcgZa0XYNQw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUDZ+zfKak9ggWwKoqjfy8pCNG/wMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTM1ODc3NDM4MTE0NjQwMjA2ODgx\nMzMzNDcxNzc5NDIwMjcxMjM2MzI3MjQ1NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBINSuiWDZyJfX8EHGJ1IoaPqxDnNd003V9c6bqGfExlgtZWyTBP5w/kajIXtIIiT\nVj1tV032NtWjk9kGdjidRuajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUyfCg\nDosrrJoKZzLQLsRxssEPqQYwHQYDVR0OBBYEFJc5Tz7dohMpORAvQabFPxMFnJEj\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgQoqdxJVUIWZy\nKakryhb89c5PpFgZO4YT0V/yQCHbLf4CIDEz9j4g7R1FUSEHINgpSGoldQ/KpT5w\naoLH1tcEnIxt\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUXX10r54GwaEqHOYrRGXBZ1polvswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTMxMjUwMjM2OTg5Nzk4MzAzMDkwNDE2OTMzMzMyNjQ5NTgw\nMjMwMDIyNjQzMzI2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyujs\nwTSP9syDQWDJAs8fHYMrHdJtZPf/RcSUtsn2Ikzz/kbw8x2ZqwrzsFvUjNIBcYJu\n3bqSKyah9f2aUr1erKOBiDCBhTAdBgNVHQ4EFgQUy1cmTCuSzyXdB98QR/Ww+77+\n6/EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTDP5FXMMJ2z6TIEDSSnZIMinTwWjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOjchSct6ZeEW7SnzQ5Gqf/lC6p2\noSVO5cJFdaEjg54yAiA1YH5lACLloPGIgLADxq00wTUrdtUfLaWS9IXvkSWmrA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUU/Tb3c8f3RccpDCKpSM06JTOGXYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUzNTg3NzQzODExNDY0MDIwNjg4MTMzMzQ3MTc3OTQyMDI3\nMTIzNjMyNzI0NTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGMk\n+cE5YZBgD3X+5rkHUVTeHPUW8fbqRQYnsbKByAkhGmSAbosRPbr9RBdNWtu/H674\ngSL9li7xLw1fgzX/m6OBiDCBhTAdBgNVHQ4EFgQUZNDFnXtdGoy5T8CP8/NopsCM\np6gwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSXOU8+3aITKTkQL0GmxT8TBZyRIzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSa86rxLEmninHVvyAopBpdJb+ODA\npBuM3M34/ByfF4kCIFLsfXEgTrW1evpqN4cibqh+02c/U1+f1xrRU199Lh+5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUXQEMdGe9Sna+k1AewelOPE+ylBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDRIjT/umPzo2bOk4RbPRR5JYVhiDl8gWBqJAV\nONpDnf0eFAiOMSrusX3zx5nDpNPnqhuf8icDCsDKLOgBtdv3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBTErU809ofK5JK1P8S4LUa8ikd0ZjAdBgNVHQ4EFgQUxK1P\nNPaHyuSStT/EuC1GvIpHdGYwCgYIKoZIzj0EAwIDSAAwRQIgLkVrW2t8bCfPjDB0\nJWazFhoAXTuHQx8yAoOdLTtAfpcCIQDjnhX2CSpLxf7ybjQjjtwWtmYPulcFkLjd\npzJNXeCXoA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgITbp2suh13Qqz7pI0OlCjudCHb3jAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDBfwepFCo3gkpSlRBdoIUbB1DKizZ26BdfY7R0V\n5D5vwmPnNTBfh4kySKOMGKDFzZuxoQyVHb2SedZyDBU+ldGjezB5MA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCIG\nA1UdIwEB/wQYMBaAFAFTFl1YTyb3yr4HgS6uWD71+R6hMB0GA1UdDgQWBBQBUxZd\nWE8m98q+B4Eurlg+9fkeoTAKBggqhkjOPQQDAgNHADBEAiB/vUs5sz2cOrNTkMNL\nCTVlA1HSzcxMEJUSIPsnhYLyHQIgYWkU090tCA64pxBUXh6WZm+Pw7lx/jM03o/1\nC5a7vMQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUC1zBkIxRcRgZaj12xWwFOtIqb4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABND65DAfWdS97Er1Z1I/VBe8LaM4yk7f+wWWT21GSoYB\n7kJknI0xfAc5Dsgjt9IeU6bHFyBdUPbh1QJe8Rb9mZajgYgwgYUwHQYDVR0OBBYE\nFLhRHOsDap1mfR2JOtSTks5d73eBMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUxK1P\nNPaHyuSStT/EuC1GvIpHdGYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCh\nFmIyjozf15iPYsJwEswOjHPVJ/l4qkMM8DCTSqjAUAIhAP/MxYdre3Qzd52bLr9Q\nDvXt23V9VEa20hhaOcJ2NbtE\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUda+Ig+sckVlkBzdQ7mUtee9aWtgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG2q1ZWyi/+mfoM1qwhus5odIoo3JM1xSlxm9UQo7dnN\n34VBSDmPrjq60mt520zBR94FnvhDycmbVJPV/HJcgmujgYgwgYUwHQYDVR0OBBYE\nFGbGldzpNXaDO+TGP9bZs6ow5QPCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUAVMW\nXVhPJvfKvgeBLq5YPvX5HqEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDU\n2jFzsaiQYUoO6KFnMW9ZllTENb/U+jIPfCDaUgNdjQIgIEw+RtjqGaKytp7fRvdC\nXEe0A4qbvbZou0AZBACFBTo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI1VUc3TuvMbF4Pxv8s7P83tZ97EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTEdN9Ya+Ex2DerErCgyvdfw14aI+sMTxrqdOS\nNKMjrPhECmWjyQfSspXeH7RXRMSy7Ph5wKMEVC2OqKMWayCso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTKl68AYj8y5kjvfWKyArHSZWQrEwCgYIKoZIzj0EAwIDSAAwRQIg\nCVIdGe2cUMwNenu066MVcEYjyLIxPJ1LIXgGU9tvpZsCIQD/qCgX3o/ydSRq7Z0n\nPCWG7XM6HHnuxmLqHQXLa2S+AA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWT52IUKyJwBSxJSyY68zj59/+ZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVhmzF/StnJbV/3Z/SKdXBmW7FR74m9yC/M+70\ny3r9UVpOr4JRSJbMdLuvdCbQWrBcc+qvPXeXFqIlIq3YTWPro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNKTR0elN915MJBvi0oPYf8E/KYUwCgYIKoZIzj0EAwIDRwAwRAIg\nctJUbAG0ZtulDrrNEAVmo/10mzt93VkmTb1UKcTr/dUCICNd2GUREfIAfcZ+gVFv\nvaStTOaWo+3WuIDkMlWkby6n\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULWTCTsP3k/hdK1XArbRh4AMLi6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGQUm8v+xvXWqxeM+koFoo9S7+EoQYrL3EagD6lj0Sr\n769b0yalaMsuiRb5HXdkE0LPjtaOupSXUiAcCpCTJCCjgYgwgYUwHQYDVR0OBBYE\nFBbk4D9yfG8jPPFVam2Po6CRjre0MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUTKl6\n8AYj8y5kjvfWKyArHSZWQrEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDa\ndszGydyfYOzatB+Y9WJYHJlC6F3U8m+BVfr9ThATIQIgaHoSlfbWldl1ted88hzH\nIYBUBqQPmV6LKxCj6igqDeY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIULQrg9tmtiFVJmp8RLv570ut+ryAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDbDMKWbTmpFnAz6aWvZSNIlj7oyu8xlp4dsGbg+flng\nSEC8RG/2lBt1AnawEKBWGhRMY60aazg+CU/gcBTRfyqjgYgwgYUwHQYDVR0OBBYE\nFJOt1OcXjknJAUq/oWGCYHl3y+kgMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNKTR\n0elN915MJBvi0oPYf8E/KYUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC5W\nJ65WKaC+ZuB9TCjTEYlEpjAuBdfCP7Mg9s3WslonAiA09juRFhFLr/5jS8aZQM8Z\ncSoFaUnNdaGUtaPHVt0Grg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUAavmhN/DUXGJ95mGk/gdCEthOnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyODczOTkyOTc2MTQyNTg4MjIxMDQz\nMDg3MTI0Mzg3OTkyMzg5NTk5NTM0MDMwODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNNDsJeW7RcwrBXsJHQ/9FMzOus3YPBZyLAGBxLzqWHXtksZG/zn/eqGcgV5oyxT\nK0C1CXlq8K0K5aRQ+szA/t2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQNJ5CtMaoN\nKOzZ4NWX+kkPHs5NNDAKBggqhkjOPQQDAgNIADBFAiEAnmdXsDu8k7mVvNFIez12\nhuWEQ3hEHOZP3LN9QFjmTHcCIAT38U5b//XVuU2seoBjK1EWjXImQyqsag2wqJRD\nRDM3\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUM7in8DvcLZwJlilZCdgKXiFhkvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDAwMjE0MTMwNDc4OTk2MzExMzc1\nOTE3Mzc2NTkzOTk2NjQ5NTc1ODI1NDY2OTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPZ3Xp21hwo2PzNA5Nzs2b5oxccfoK3fnArXci50IcEA13SNglHTLdYPlmS340m2\nLu1f+PPMoLL3pVZJaQ/Tx6ajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ//z7cHcyj\nF+k0yutMVHznU0MTjTAKBggqhkjOPQQDAgNIADBFAiEA/OccKvowqRC1qbjVODsj\ngGGgcJDNtTenuALw79B42gQCIEKWGla9FAHBhTXnkOuffPdoJQlvyOUtT5x67/rD\n3h6/\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUApHJLRIOe46TYBZA38a039PuyuwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg3Mzk5Mjk3NjE0MjU4ODIyMTA0MzA4NzEyNDM4Nzk5MjM4\nOTU5OTUzNDAzMDgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjZa1\nHgZLDRJThIzyJ2SEhXZcJzPX2yC2el16sIBQGkb+g1s6EaEkn5aT1lsfKfOqe27B\nbS1MfpkYv/pHwzCbgaOBiDCBhTAdBgNVHQ4EFgQUOAAo0GumUSsoFVXaCZPgelZb\nzh0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQNJ5CtMaoNKOzZ4NWX+kkPHs5NNDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbyvnJEAzCP+hew+04esRkSz9Fbrt\nHGuNbfSqVn5Xen8CIHJ0KAJd/z9HIqQt1c5a+3kKj7H3Q0+TMiMIgtAW9wZA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUPJg24xvZx9syT6BZxs1xA6Kj/40wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwMDIxNDEzMDQ3ODk5NjMxMTM3NTkxNzM3NjU5Mzk5NjY0\nOTU3NTgyNTQ2NjkzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIPsz\nGxqFPLooL2kWwuCjurIuksB9cK4pzZdPytuLamBEeZTqxEZHJcrLB7Ac+KcslC/c\nRkEXFz8i3tOrbVEn6qOBiDCBhTAdBgNVHQ4EFgQUtPBFBqEiCUAJ4G6rHnE+FpeX\nkDUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ//z7cHcyjF+k0yutMVHznU0MTjTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALBw00dC2p/oyyE8U3oflq04MZoo\nsvk2wO9BEARBxSgPAiB0mQGVQtyJNpUnsMAJpfj+SyhhKkuCTu3kT6wCQPde/A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURKny1LiAVxNKzLf9AUdV2703yVwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT67N2RhnVsyTP9a9GBUtQwvJnRh6RXfEEkeCga\nBY6LXOWvwClntBAzrVX61mvhZbe3/FSqEOihB+2CF1YmA91No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQzcYA2+X5AV/Sc8qjF+oUizC5N0wCgYIKoZIzj0EAwIDSQAwRgIh\nAJfAv1WzMMZD2DhaQ2ViBM5YeTBEkUdHYrGC0bpUymTnAiEAz0bZV2KKbpMTkEjF\nuUmQVyLqiJg8BJXl/aRzhlUdfr4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS5GnU0ealmFqp0heD0Xk2hYLCikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToEN/MloS1kQSptlLfOFBV/ii48YKcI/Hmlm51\nDkuAK69kPaFbzYNFk+ji482Agttg7ZOHIQrbJpJze03iIra1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU36V7yh9a0LHPoFjBhghN02YRfJQwCgYIKoZIzj0EAwIDSAAwRQIg\nO5Vs11gHxHyRwpFM9t5kFEikMHnLThtVk1CjdLDnQT4CIQDUmc2jzxs4pyoOUuet\nysJM953u3Fl6L9BkX80XBhH/wA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUC0AKJ1Q955PDggfVrOhRxY7poNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTIwMDEzNTE5MTI4NzQzNjc0OTc4\nNTMwMjE3Njg3MDQwMTA4OTAxNDQ4OTMyNzYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFAAKj1913f2ryVdshnKn2k7pqpZf8EhW8GDKlRQtgP1vMZlG6Jnq1ftFhCExfrT\nDUvQlmN3KEhB+aovK2w6ay2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQIjR4eiqki\nTzKbZZvpA11roOK0jDAKBggqhkjOPQQDAgNIADBFAiEAsnwtGJ0qLsmPYQyehQzw\n3SvKnoQ4Lxfr+uCvAgH/aTwCIFf/9T0b0xHSD49d6L5JeOSjfRMIvobUjofHGJqV\nX/Yf\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUUJuyo9GhTdRF84DmaJG1rAlfNiAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzE0MjI0OTE5NTU5Mzk4MTQ1Njg2\nMTQyNjkwOTkyNzk2OTY3MTAwMzEwNTEzMDUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK6DEt9Tzpv8JGeb6FEljgArr8IIV3lqPqpK5wkXziq7MgXYL0eO3WbYUDYxg9Ot\n8fUhrJ6WylLrJteU1u4bVWijWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQbYSEgJhth\nQs6x93zPKgC5cft/GTAKBggqhkjOPQQDAgNIADBFAiAE/GIhbUGJw/6gYz3u8z4M\n4jzCyka/Lq86RULbX4Y2+QIhANiXUCHsNgcqEyhZ0S0zF33O6eHr/fQ5KQZOfdOE\nXsT6\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUZhAcCZpS9AGh6JdK9LlndBJ6UzYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyMDAxMzUxOTEyODc0MzY3NDk3ODUzMDIxNzY4NzA0MDEw\nODkwMTQ0ODkzMjc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP6LU\nXqn/jXMU1vhZlF0bX8bdOihHSuW/Avm7rjC865quJoHSlqLXAbNZmQSRWEBXcmQo\nj8pUrmIXGSwAIOI7u6OBiDCBhTAdBgNVHQ4EFgQUSB9J1bM+86bclvmmRzLPAIjK\nytYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQIjR4eiqkiTzKbZZvpA11roOK0jDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgJG1PA/+k73tww0myBusDKvKi7zhc\nuoEC7Fun0AfbXgwCIQDSOxL8SU0K4qefhdyHujJpCi/0o3ulg7o8dMFlcxTN5A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUM2hRmhQ/VbJboZRFLCFU3E/MAg4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMxNDIyNDkxOTU1OTM5ODE0NTY4NjE0MjY5MDk5Mjc5Njk2\nNzEwMDMxMDUxMzA1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdlV5\nIHAphabBYJVTY+0L9aHXzkVHJXBwNx5p+FjKDtvvmxZ+D5qhBg0Rf3E1Eew5MzFz\nTOdXf+DkTM/+OPpD/qOBiDCBhTAdBgNVHQ4EFgQUnaRdkMnBcYZlIx1x/uZULQEp\n50YwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQbYSEgJhthQs6x93zPKgC5cft/GTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQTy3fvlKZDg8WpE31WGP8/tUCOhf\nAYM6Go5oW745EYQCIEfKXBsdbt/dKeroAAzBLhJfAeFaIMKW9lAwO5xM7zaU\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWxNLK//fhLHNL59rtqtFFphoFfMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoIkpverRUNeAS+vDQ0VNViL0UELWMMbOn364S\nfUARInsqdL+3rDfaTYzl5S/JoB8YBwi0/A0BAXRghCkmbqBjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9cVhvlncEmn/5Vfj0YdGidsC5HswCgYIKoZIzj0EAwIDSQAwRgIh\nAM7JiZtByLb5ZM0Bzs8TnIyFd/lx43zEmtywdM3QLMF6AiEA6UPG7lelrkQxnUx5\ncCc3wdFGomRM6CCUp/sntTUC42I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK6cs0oBtbPyCoXd0hPSWJQn5vjUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmDc4ljsszYPP0jOPpdAOf+LlT3pEtv+RmEpfb\nQYugR+HdhErD31bvMFXNgwXMsy9ktzgc5LEOlHiaJn6zhgIso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy48k3va5WzNc97WSPvhNFOGo9EkwCgYIKoZIzj0EAwIDSAAwRQIg\nPR1KuM5BaWKkIbsKSiOJzHCLLWo92lz+vwEY90ngLXkCIQD79hIJ9irCsCatssbX\ndnBWET7c58zwXqYl3WUMry0iPg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUNRXK1zjoZYKS6SVwRCf2JAoC+5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPgRwycd3DUyKYssecznUbcsKL116AfA/dpb+OuS35/e\nAKMd++nRNRXSDV1Kft5uIH89DBL9Ip6LG3+SJrw4Ew+jZjBkMB0GA1UdDgQWBBTz\n/eynk1Nav8I3QaoLCyVBPlZl0TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiEA7vPmwZ/k78QuGM53HVRMqmVdxBoPqji2xogoLPtwOMACICgu\ngEeNMg+wqgzAmVKivc9/SCRXJ/HaMoClFzpAK4Y0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUB1d2cBRuAv4WEm9i/+Hx3XN1dxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNQNDpHEnQ3TkhxivYD1vhGSIfRv66E/3j048UeNvYtS\nLY7XlxND0TqngaExKSJhZhCWHyfKLZjwRQ6UMh8gKn6jZjBkMB0GA1UdDgQWBBT0\nnNPM8nNmlWI1nC7k9NMH4Bhz8TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiAIPp5mVOSVkBLf8jJasqLJrLAyG4kG3R5cn6HkmnRTdgIhAMUz\n5Vd8tOQ6CGvQY0dbsfcoN7Ip+En2ysrVe0Xi8TrR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUJraj8dHNr92SlhczVY8spW8LXNswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOxtuZH47CFwtyJaqUArAFL+7nbab4DaiJ1YGl\n1NnPOvIRh8fK9iXccx9UqE2Jt7kuy533a1FW+bLHjNBvH8yho1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUr7A85sEScPxRYMXSh7Hc9Aw98XUwCgYIKoZIzj0EAwIDRwAw\nRAIgfOaBcAQ6USrMiBr8Vg9/dzjjCCN4Bs7QxXw1Y/TnyP4CIAjM+Caj9Z7NEiWX\noHGGpgJfuYRY1IzSkt8ggWrCLNH+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUer4H9ngqLgJKevpj8AfShxrkqRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8HmEAZvteG4rNCq6TNKB6HlQwBqQknlGKtYOO\n0UvgzRmOE7Uf3BulEK9PTJQxzPRHp2zvqMpm/gQSI6/H1e8Ho1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU1TwFcp8kGBUD3s/10ykZ9JT0JZwwCgYIKoZIzj0EAwIDRwAw\nRAIgHQei1EvDZQsAUKCXNTbh1B5rW4MMbJH+FAYW05W1xJMCIC8z4ADJu/evP5rZ\n3n3l1b4S7jn0tyhnPdV/ruM6WWUh\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUanszxVcG2cHXikd5WH67u1ccPKcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHPevZoMV21yJjCVlyyS0uuuoeWEeaQzOpnGL87D1Zc7\nLG2owUKXkEAca7iWgCcFK3QJZ/vUKjd8J0R9Ou0sv1mjgYgwgYUwHQYDVR0OBBYE\nFJZjPdQthyT1dXWDgwr0ACkrtnWCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZM7k\ncgvpfS4MtRMOr6uxQm0FdbEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCz\nYMBZjDORukOqH8PnpRtgBQjqUFBqP5EtfTBF0sH2DwIhAMOg90xtVqtsC3AeE32M\n8/z/9LY4tQxZFw0JTDJ0rSc9\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUdQIZ+sgUphIAxodC4zRgHtvSxpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMta+8xwzUbqdWesdedWHNq121/RQkipKe9jInp1Hpkd\nBjjO+aQdfAMBAS19b/fmde3H+MXnQL290nMfORsVfZ6jgYgwgYUwHQYDVR0OBBYE\nFFSu3Tlw9jJz6b+Lkt9RXb5o+djWMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUqseQ\n/ikPLEL8miiS95BBMtaFtdkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDk\n934P6iKzKQ+BLum/r2afuY/IBT0dXl0jwiquSWrAEgIgT1cait+mFuQW+hpC7DZY\nXBflKdNz/ibtECFT0SlE/Bc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUbJfyeboMC4AHwv2TkzvL/Hix1YcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpTULLaDbFw5O1uV9DSlShkPzLq1yXDjTITNWT\nnEYraGRcGZUyEU7My2nJzS5q4IciLZOWzoyKWpcrT3ttCGy5ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAokunb2GuEgp4LoW5doltOm82XLrFG2DCtq+3v0Ba\n0NwCIBNJp6yrDwP0TZxothp2YmqInm9x8zDwwwc/vaHFykdc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUFJDxyGYVTUMd60WgZ9KwplDaZeowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlcmQY9DSa06i3AycndzNFktQu5FwRT2Vmmcly\nCz09o2HUgcOdCY9FZyh5FdSPww0UziefQ7mNUWHwhEUWTQ35ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBhCr+5nuOniwMTwu/aXkRcoc4X0M0+VKUkcnm8yRC/\nBQIhAI54MXnqd4hWD/JEafsmSCKorGl897a6Fr4ljMyWk4az\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUIg9TbDc6S729KWxFfN0T13iLEJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNZVLZwqUp2nhYauQthMLTYAqBghbu2AhOPZ2LhideCS\n4kCbRfbYiIC6GfPVsiltkcfj2FVo+V6mS96jDdZ8RNejgYgwgYUwHQYDVR0OBBYE\nFJzqNIpKXxdFDyEDe4KflbzGIgCMMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2Ziz\nqABkNdsAPZFQu2csQc6obG8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEOb\nYRFd6XuojbWVhxx6a83O+syLVov9XicAdjYbKJXtAiEAlq69n221vSTr/0ODkfEp\nvQN496c+OcsuQ5O/GCDiB1g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUabAJBnZ3Lpm5MQBKVvyYXBQQ6BkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJT5zgfaMObDg1xlN63cGMqKokJJrYmfyelbFDHG7vcd\nwChn+XhfIJHZQ0YRmJ3lcGGNEFzCwq8rxCePJTZEPamjgYgwgYUwHQYDVR0OBBYE\nFM11+jWvF1YQtqfQ5Q4sfChKUoimMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsWcB\n2L7B9frEvICBngvd1WBTsEwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDi\nuHdF+o/We3BTq+wNJE674XMsxQ7iOIGsoNCZm75AHgIgUdh9zw3tzW9AX7g4NT1p\nLCTL3q7+JVTFBvTJnx4QMB4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVRwyLdmbkWtYxOb9MbIHL3UZEpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiNxcsmmNJ0s/zd/PVrS2hAK2UHM11K1UsyXoP\nQnr/wT2ZIT15xaUfF2BpTbcMED2Gj6kwnHtjtRaRopTEDRl5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQGCU07J9hXeScn6HWC92n/YrA6IwCgYIKoZIzj0EAwIDSQAwRgIh\nAP2nRd8zYj9xXp0vwL28p/Zi6O4EQJgD01BtvEsw3EJkAiEA89Il9VzSRwJ+LV08\nh0yLU0UfKuoC/+0sr4sg8chHT54=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUPCURmUn0ittHr2E/x05JhFCqkpkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXl8YEbg+2fUvxyYUEK9Bud20a8JGLN61\nwczMwP5rVW3242ss14Mgv8xjtMtSGP/wu1Y3LSG4yvRpg7NKYeV3kqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFEmbv4RMN4QlAU0edHCmOtN09SbhMAoGCCqGSM49BAMCA0kA\nMEYCIQCw8nUmdGjB7mxJRwGDRZwQ/90gAfFOYfeB5gs9rB3/1QIhAN+12bvrl/x2\nAvAHhqUBqrjTSeE3G8piRlGvDCklU2E4\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmrel07yVJt3s2RzVLEc40m1LqAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASE7M3XxobhAoX3C9KqdolvM6WMsMN2H5cBzTOL\n0bRBX+R9Z47gRXxRApOv7cBHvr4G/sjge7bmW46ocWJMc+w/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgst7mKXe1DGvNsiFLXge9qRxF4MwCgYIKoZIzj0EAwIDSAAwRQIh\nAPpacWn7s8Bp+gIRcvJ3aeBcD6kz+qpng868AF8mfWOqAiBi+iTViAiOHdqOEFhv\n1ZXScdC/5deY1EO2CPCglGQIQw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUHaOltz3geHo8D6HUIqC+ug2c6vcwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2dkUbv9QlLBvX+OenRO8vNRjoZe7mULf\n+yQ3EX3z3W+hqiNzGIiK6o/OdlJHdrWTZQjJuMEfhgfmvgwWoTFwyqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDwgC3ep1ECf/1qXvjukwMyqxjBiMAoGCCqGSM49BAMCA0cA\nMEQCIHg1f0qLFx08zoBoZVewaOjU1qGk8kcZs4tWfMXGspgEAiAqOKWlKBG2PL14\ny+eM8mD8sL5AdZKMBuVeKTrWTqyxfQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUW0rxwUnlR7Qc9Ns2kEPBHFVqJ4kwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiNxcsmmNJ0s/zd/PVrS2hAK2UHM11K1UsyXoP\nQnr/wT2ZIT15xaUfF2BpTbcMED2Gj6kwnHtjtRaRopTEDRl5o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRJm7+ETDeEJQFNHnRwpjrTdPUm4TAdBgNVHQ4EFgQUQGCU\n07J9hXeScn6HWC92n/YrA6IwCgYIKoZIzj0EAwIDRwAwRAIgcFqmDCcwFO1P8uRG\n+AQs4/4w8ByFJY+gzpm+SQFr5DECIH5DluJZYCfcQB/PZ5ajWRIGDO7W4g+zmHUC\nwlths754\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSP2PRZWLlZyNTeblY9oiEOX29rIwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASE7M3XxobhAoX3C9KqdolvM6WMsMN2H5cBzTOL\n0bRBX+R9Z47gRXxRApOv7cBHvr4G/sjge7bmW46ocWJMc+w/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ8IAt3qdRAn/9al747pMDMqsYwYjAdBgNVHQ4EFgQUgst7\nmKXe1DGvNsiFLXge9qRxF4MwCgYIKoZIzj0EAwIDSQAwRgIhAM461N4dRwP8vPNC\nFwn+dbiFYywTd1twMNv0AafcrKBwAiEA3EFPn1GkMd5VPbHb8ibb7ZnMLDqXF2G7\nGu2e80+Asuw=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUEeicY1mY2XOiXwjN5Q4KDaIAU1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE2oHem+iZIdZx+iJCZJJQurQpIZSoUtuWhlIomjIkxd\nCxs8HU1txNnEZ37B1D9xtm3tSOHiHZ62mdytMeyJllujgYgwgYUwHQYDVR0OBBYE\nFPP9YqI6BvAqrk8yIaMyzyj2EWFoMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUQGCU\n07J9hXeScn6HWC92n/YrA6IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFNi\nGLyDXvH7zk3JWXTbKFSBTwVXqrwyTlsxlmhKutUkAiEAphPoc226eMaH67Ng+AL+\nddCSAkP9y/eQJNgNrlnDZA0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIURtuIsxXk6YEqln9Oj7/sNC3EnW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOVeZfj4L4g7lfN7Mfv7yZP4Y5bHkj/oNOGOkMAcSq4X\npkObIgn5a+c215KNPCphThoN7kukE1cQTDNowjQiWwKjgYgwgYUwHQYDVR0OBBYE\nFPe76BTwAJrBgGisiXywmQYswRDUMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgst7\nmKXe1DGvNsiFLXge9qRxF4MwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCi\n/Ey3MEgVrow3qc2c5R79gc7kWx0xrfrpxT1DsiWw5gIhAK3DmX8zmi5DP/O1g31O\nWJjBU9+j481Hudwgkyom6Wtm\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUOliynNNtvZ/Br4mCpl0ZQKN2MtswCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEDO7putMvPr\nrAlnkWP0eJXxfhGjAsxL5kc76/JXSjKJTdo0g/sc7R7TZFUTo/RnO1PeeezImNwe\n78ki8yGgrlOjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQwg5tcqII5WaUsBnPavUR/9sCg\naTAKBggqhkjOPQQDAgNJADBGAiEAquU5U2zq/3oObzEQg3ZEL1IoK9ebDnNaWAUA\nqWfMAjUCIQCe3uTj5z7JIRBmwdOa5cnmMS8YGyQ4IjIvDQXM4WwtlA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOoOGSi76eT3aCAy5l+42BXiZ1iYwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIEpL2xnT1yD\n+2dVljY+Zrk4zzhJhlf1EcvhGJfG+01HSofPCXFs09POadCWSKSZXayXODWQiULh\nPvNT36Rp7MejVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTodsEdKrgwc6G6ihdnuWIGEl0v\ncTAKBggqhkjOPQQDAgNIADBFAiAMR6aX6O2xCFdlXh7YE9asLvfRTiOO9KzfxAVh\nS+kJzQIhAOduMfNhgCaHwe0xVwM/01rV2F+7mabPE6Xk/Qk0I2Yc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURNf17TQJvBjJUaru0yCfupACjCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATatsm629u2SRYlquYyZwM/BIAS2HVAoZeH+xXD\ntvdldTynsXUfhus9FecueWpHMsdDEyRB9jDpnOKldr0tyHT9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU9YMfE5UwT2b0pdtcFZ03p3xBcowCgYIKoZIzj0EAwIDSQAwRgIh\nAPshWKriNcdCWK3rnrPa4pjzLH/TScSXChSxPpn9FembAiEA8yj1h8s+HkYj8gdq\nFDOSctEbSgHl8DHPow3AOPUsFHo=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUW3804/i85gmrVKnLDAcddbtBOuswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzOTMwMjc0NTU4NTk4NDk4MTQ2NTU0\nNTcyNjk2NjM0MDAzNTg5MDUyOTcxNDQ4NzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBITDIHn+uGKZqbHaag1M9fqrssU9U5wUvgw68Lf4NPv/1oKlmrFaWSlCG7EyByWY\nhFxIr1Y5gXdL3nywJVt3XOSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFPWDHxO\nVME9m9KXbXBWdN6d8QXKMB0GA1UdDgQWBBQQPu0LXE5YTJk2N7vA/7GdVPa50jAK\nBggqhkjOPQQDAgNIADBFAiEA8kxazKSUWfe4pFTox9NNflMWByob0FC7G/3mI8m9\nYTECIG8bG9BhFTGo8iIeIxHi0LnV71oihtucuedPvq3rWpWI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcYBCTC60faWOnFnfVGIyvhM1/zAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+fcPADKmzGke0/opEbiofTdLCZ8xIwWUgFVWY\nAXSLjq3rMI8dmFMEwiGlov6m6s4wNQPg8MQc3fgGDv8Z3oIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy8RBi3IZ26hJuDWILrA9r3wgu6gwCgYIKoZIzj0EAwIDSAAwRQIg\ncTNUxs0xPoPVXzZa0j1LDbYeuE6BDdz00uKGmhvl4nECIQCcx/i3QhQXuPJYQUCv\nyEBGvUiPCIb4VWvphZFLvkAJvA==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZyF6LQShxjAzD2r1G06mBoc5bo4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NDc5NzYyMjc4MjI5MTg4MTc4MjY2\nODkyODkxOTU4NDk2OTgzMjU4NDc5OTgyNTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAs423sj6KMhx17B1I5DUfjuzDmD6Eu7aFwJ8gOwqZTtMPO0BvyaNki7UjXMB0ae\nvFiaiqfOa9k3PEEzaSVQ/u+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMvEQYty\nGduoSbg1iC6wPa98ILuoMB0GA1UdDgQWBBR5ZiJahmA04t/K+6/7/zs+IUKFBjAK\nBggqhkjOPQQDAgNIADBFAiEAzYSQ9Q+78KhsP+Pw2dH3MJDyvwrXSvJRXpAPvNJF\n4OkCIH/u+fRc1b5uZ5TKwjOfr+FhhE5hoKfBn0K2ynIkhMfK\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUOlUPUQDecc/BzL9IhknsbUEwAMwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzMDI3NDU1ODU5ODQ5ODE0NjU1NDU3MjY5NjYzNDAwMzU4\nOTA1Mjk3MTQ0ODcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOALu\nFoJ4K8e7RjmX3B6LXSSX9r2c3w3ezpxjzPfpqPOt4Kw6CO/vyaeU7AdFRd3SeioD\n/jGggfvZrInoI8XOEKOBiDCBhTAdBgNVHQ4EFgQUsEFT5kqlPohMK0wJK0bHwdS2\nOM4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQQPu0LXE5YTJk2N7vA/7GdVPa50jAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKwxqVCA9T68OzwIA46ZbogH4LNn\nmovk/FFwxXiv8vtbAiAjZMpg07eS8oHrrX9M40llq3VHQdbpal+q0gmqBBJoZw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUcM4+7ccqvG8KTeQK8Vfran3K1NMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQ3OTc2MjI3ODIyOTE4ODE3ODI2Njg5Mjg5MTk1ODQ5Njk4\nMzI1ODQ3OTk4MjU2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYX75\nDy8Q5SYX5mZIAp/HWkrkHn133EFM1FvRjWyPCxbMZQEnU6yHfj7oOp3ztCewWIfj\nPlYK8u/Wd3qGP10QUaOBiDCBhTAdBgNVHQ4EFgQUQivOnfaTvgV+1lWv4v1em7uO\nWbkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBR5ZiJahmA04t/K+6/7/zs+IUKFBjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO+OAlBMlFrcEaVIEVVD1pEeG42n\nlroXpW/r9YWGzThKAiAt5bB3BFGqk1v2axyMcG0+cUVdAk3+ePtbqVaK0QV/YA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeplm8C/OT3zlh1ZF8NYousA0B2UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASD2SdfwkcnLetgXp5CPUWK/nA/dEDi+tE4zWtu\nPdrn9c91gbMRlGbb4grV2MEje+432Ei1dEg6nEgrMr1kxO8Ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUALyDVEGss+Zu1fvJsMdLeVcUslkwCgYIKoZIzj0EAwIDSAAwRQIg\nanysXOw7VVF1vYocv6P1kx4qRvTW9GqihfIEqO+Vim4CIQDY6JuFTZF1GluB+XfQ\nmTwm6TbIQ6/6pJcM/rl9tdAIbA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYl254eY3Xi6Aaxdubq+8UhMK4RQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqEiGEGpAEZprEnHpaqJIDjPj5bvU0BYb9xxGr\nLjRfD7qPtth4xShkKo4mkInc393Zd+8oZ/Y9oYq8utv4FnEPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqBD9ifyCTb6bTXDROWJEV0Z+4r0wCgYIKoZIzj0EAwIDSAAwRQIg\nW3Wn5ECDDL63mxkITTHrkkZyq+FOY/V6BU9trQJr5G4CIQDS56rHe11yIrxBN7XM\nPlVS5v6HLp56wd8e+BZVB8hwgg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUCAQEPCdVWVtjb8dbUDX185tL6SkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA2OTk5MTc4NTUyNDAzNjE2NDkwMjc5\nMjM0NDUyNTE4NTQ0MDE4NzkwODA2OTk3NDkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKnAHf9bvy4NOmWYyWGH9PzSiuj3nOJnhze7W91XrJwi8KkBTHm+1F2Nwium\nN8YFtndrbeNC2lkDkYzd2KbjXRSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAC8g1RBrLPm\nbtX7ybDHS3lXFLJZMB0GA1UdDgQWBBQDw2Cl0hwjakkWGf+LNDpDEe8tQzAKBggq\nhkjOPQQDAgNIADBFAiEAvNUcUkXV01yvZqhhshcgWc6gw1U6N73UIgGrdaN1X/gC\nIHZ/u9ZE3XuBCn/XggCiAffVaCbAE0aN5s3Nb3oBHgye\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUeTIhRmehXNqf1gbv31IV1ka/HFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA1NjE1NzEyNTc0ODY2Mzk0Nzk3NzIy\nODY2NTg2NzYyNTQ5MDIwMzM4MDkzMzQ1NDgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFtZwZrlEXDmKhRAQBrDLCWby9gtLrEuCNmDfSXyWgifK1DV8U4KQDJuKZ8x\nVY7px9jSGODuRgtqFX26NQpU7cyjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKgQ/Yn8gk2+\nm01w0TliRFdGfuK9MB0GA1UdDgQWBBRyVmMvFnMzF5g0qm8+wkZrUgXKeDAKBggq\nhkjOPQQDAgNIADBFAiEAxgDLRi7swcMquDvYKsjD51OzA1Namb+ZtE7kYAZ5nUYC\nIHz2/Sy/GgArY/VGStVuytcEejkjnFoRJRcQprVQEUqI\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbOgAwIBAgIUBcpv5/ltsnmpvTUvc7lNZYofHEQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjk5OTE3ODU1MjQwMzYxNjQ5MDI3OTIzNDQ1MjUxODU0NDAx\nODc5MDgwNjk5NzQ5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqUzAgRT48BO9FsxO0hlTzMUCR824SZgbUGRTygdb1Hi4pzeYWOnIz202c0XkzFH/\n0vwZYw5pNwcfdgE+5jXLcaOBiDCBhTAdBgNVHQ4EFgQUX/r2L+Ehoq5R93BnJfxO\nb3QdIJgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQDw2Cl0hwjakkWGf+LNDpDEe8t\nQzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANf8Rn14f/bKoaslajsABdtI\njCa+SRZiwT0eVpmOF/VNAiEA5Op3KFdmXaOP56zd5uffD4hBgT0tYPnGmoGVAUzs\nqUQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUZPIO+CZqY3qjylCVK1hD5zrBovgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTYxNTcxMjU3NDg2NjM5NDc5NzcyMjg2NjU4Njc2MjU0OTAy\nMDMzODA5MzM0NTQ4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nQgPmo8ImUzkUYqWof6iTQzKXrklGdiqMoInQfKtKbFjzLtCYTPM/Ua++W8/XRl1I\nRsRNhKms3L3kqE65ytjQtaOBiDCBhTAdBgNVHQ4EFgQU7U1+tXYSB3/bt78c3dZJ\nUfWr29IwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRyVmMvFnMzF5g0qm8+wkZrUgXK\neDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJUQQcgirEYIewq/Iq6lV+q8\nsaDEAhF8tMdXobVJUxEKAiBj+bXFXOrJudesBt3EBGBgZFNEvr/n/ePKoNamLoUZ\nHg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBdqoHv6tpX7+cyqpOOsswGZYviwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFMEyUCDT/rUR5t9gUg9jUoUdIINIu12kpcm/B\n+nDHlw0V1YphWQgB9AyV31LLzaMwSUWJYOb5ERP/0McEJIDyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDvuNNYP+ehSh1+uQof6d4JmIJS4wCgYIKoZIzj0EAwIDSAAwRQIg\nFlcMZaP/sLDukqztOZ25SvmGgXICPE2Wq0y+qHSrRnkCIQDLeJ85T93wvsYZs0i7\nIkzgcj+ujmcTkUed1V/IAIUA7g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOwzSSCK+33FqGynQsdqNewtkhDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSGJLElraGvHaPBh9BhWfwCKEoKPzwpD8huuBC\nRSRi/cRif+3ZC6ium23fD8tIroH6Dj2F7508aAf8hnrQQVKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCUDnf7GOYg7x9wsjqoFDsG+Ov58wCgYIKoZIzj0EAwIDSAAwRQIg\ncG+1+OsbnImvnGbBdEm2YVRCiNUJeycBEc1JcRxX0ZcCIQD/Ds8BZQ5yY8jZNvKA\nx1lKECeUpZPc54cjaKVCcQfZcw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDDCCAbKgAwIBAgIUdSzG8qG2JBNiBc9qLqLBE6yTw7kwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMzM0MjExNjE3MTg0MzE5NTE3NjA1ODc2OTkzMzM4ODE5MzEx\nMTkxMTgwNDA2MjAxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\niRM1aiOSis2UQqlpWsppN8o004X/ToeHZfpd0jHIWBXkt3ch7V/WAE1bOh1N5kSi\nzU/uyVGuq/TwIRuW1oKOo4GIMIGFMB0GA1UdDgQWBBRZnmDVjD0qh+zna9sH1C07\nyVdm3DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFKAv36evh8BGj3NXj6AEvblQFn5+\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA071Ehjnt4bq36gd8Y2lSEXTd\nT7SdGOmlMI924FXvdRMCIFans6RjSb4806dwBhiOFQxoFLicxbXmoVKMC8CZ97SV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUddSq9QzV0B9nEoS7molATMsmvCgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzM3MTE2MzgyNTQ3NTQ5ODA3NTg5NTkwMDYyNjU4NzAxMjcw\nNjM5MTc3OTI1Njg3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nx5omdYlceH/QkAVZ1WKpemC8YQ+Lxm+/04a+WYiPVn3xwA/6G0if+DwhdtLdcgFY\nOmBY3GXelZwio76t6H2zz6OBiDCBhTAdBgNVHQ4EFgQUOxDotW1Mz0ijFyQ7QEnb\n8ryk15kwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRTw14pmHck3fgPXSczzzz3l0wp\nAzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPr/6YpbLztqv7TEc23cZ1D1F\nyCFeKm1akV9mViWqd+gCIQDk9jYkG/jZdUVHL3GpasSKQ/DZ7CelVkr6Z2VQ0ktl\n8w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUI5hedBf+fPvufCfWMeAJPdDCK5UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUt/Vo7UkCi682eQXwaNYse6scmmzgJZi2wZiz\nmQynYp5RabJyB0C6cx3ghAXnNS8M1WXBiLi1DV6UHI6dNQf+o0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFAyqp/FDgogn\nJixUZt/WvLz/bHhTMAoGCCqGSM49BAMCA0kAMEYCIQC34bgzGWycz++2ReY1X/8J\n8VQZu2ko/FcK7WoPJgeO+wIhAPReH8EIKt3lQcN4xkpDZyVmGoCFPfCIJ6sZTo0M\n3R+B\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUYQtTRQFLqIWH/4/MoRYlDBiZs6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKlpFIx6dI1YLVOq1HTbx149lfg9wHaMJdUp9k\ncgE/dYSu0MSc9PY6QGqTGiI/ve6W0/N1iWRb04kSE00J+3Vao0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFIWgFTnVH+ck\nE3mNjPj4FWXG5y83MAoGCCqGSM49BAMCA0cAMEQCIDQgLmCSUCkXPNzcggtxwA2T\nFqc+H/FLA5cpBSPxZSmRAiBjBhAqP96NR0AO78t1nIUezh91RdjekZUqIwgsl70k\n8w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUS025pfNrU5Y58otFi7h1ogcTQwswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJRVu5O5pnP7Qw6pm7mJRRitkhx9PuySJ3FLpU0EkqSN\nVc5exYUtG+YSWXnhj1BFEsVIDWJb4Lz6SpJs2uQTLLWjgYgwgYUwHQYDVR0OBBYE\nFLyb/ASt5AEe9b78yzLZZ5teQX11MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUDKqn\n8UOCiCcmLFRm39a8vP9seFMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEU7\nhp1M2O6cGPMXj323I/8kiJJv7L916XTabYiCBmx0AiEAkiBI9aVa3rifbiP4j/lv\n8BS2X0kLQOUNprZ1otiQLnM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUDvYPfcOAFNEnllRFxBLpjj4NTPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEK3vOCNHLsynIta3drNmdQzW6BAvxkM8Pd1CJb/6+XE\n1orjYjW9Cl76LwxC2UxKZuZD85g82buOmqdkWKtNeCKjgYgwgYUwHQYDVR0OBBYE\nFFrXZ8oTq/6D+z8WBhufhZCm97v3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUhaAV\nOdUf5yQTeY2M+PgVZcbnLzcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG6B\niQb8xdT5c9JWWX/2zekBt95i/ufQFkqrzGim/B90AiAXyxprBcdO75GbA/fUhg1M\nsGp7khSyxqSiuPwwvRvrlA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUI1eKfeYYGp1tW0urXYunBPlcnwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATHt0ZKiFOTg6ZZh99D0XYp01JLjBkb6uNqRYrC\n68peqtOBGRhV4xasYL3J7CZpgH5idqOjQR0MUmhwNxN7NauQo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU/0Tkldp8pKL/QWnN6h1V1MOOIV8wCgYIKoZIzj0EAwIDSAAwRQIgdKZy\nM/TEjynC7Fn6HVQ1q4XzPm8LWATv5Zrcv4fDKuICIQCpkfbuqr+q1vM8Ov9TpRsQ\n8OPodzCNxd6OWwGpola00g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIULxeCLsOaFUHeVkNLht/mfXpsXsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQF6Bw9gkRYlespPDB5FLm8gHAZQCmtw54twMf\na9IxYpITusEQD951dSBuHV1aBFypHDfzxMTlA29tO9FQFD3mo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUGfWDCXmI50rmKaaLq3X/H/V03zowCgYIKoZIzj0EAwIDSAAwRQIgKan+\nj0SbwgJbjAwWAfcZQTuRQfOHCW+LpKfXY+BgwOECIQCOhu2iD8J2MMxytPsZk1nK\nDaXfgf8Uk1Xn0GndGQzLpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUIDi5FrTnnvNVpTqzcvW1HB0LpEwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIp2m4tGaLo99unbSrnBnFWPjvQwZxMKVXBprk7Dszl9\nV4Jricx+a8Aczbd/3AG4wOXiX8MdAUFGiCqDVQCOb7qjgYgwgYUwHQYDVR0OBBYE\nFDKwkMdO+dAPljnkojw7i2+li7AzMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU/0Tk\nldp8pKL/QWnN6h1V1MOOIV8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGdy\nAmc0RM0Ac4CE4ZUFi7XR7Xmgv8XMLbyMeoyeXqW3AiBQpouXamw87JPu2e22d09H\nobaUnQGqAF4ZOaEz9FkofA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMSd5HIQiEyh0g6LmTTZfXffT6f8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFnkGRCgTHztFkcadu3iVeko50Do+FSBGd+Vlt3Asg+H\nP/BZKm/bwoXsFUg8hZjmy6rdT9BvXlS585Z5coM/1YijgYgwgYUwHQYDVR0OBBYE\nFPgNx2Wpt8HMCYSuBPxNg8cvdIcsMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUGfWD\nCXmI50rmKaaLq3X/H/V03zowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIG9O\ntQid+Pi9va1eoM4fIpQJv/LkZ1Mm4rrRsXMkBOjUAiEAtM9pB/R76swIKqKW0gBz\nhyTz6lUoKYPpaL4P5xSD6Hg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUAZG7ceHAst3pd+k/785R5sLY+PYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS6vN3BKxT2WbXocStaMcALRVGAAg1Turcz3JRz\nKzR3KpaWovo9Pgi3LYzESkvMgeZIIrsMLitrDcCXm1GknCmPo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSXtaP3yijGyBdvH+4PqryiCBWbUDAKBggqhkjOPQQDAgNHADBEAiBV\nCoGSQ0m8Q/SvxNbZBNmvl9Sk9VjxK52FnRrcRMbD+wIgZez1aiU+R4X72AQt17EN\nSj/v/CAsZctdjeihjqxPHDg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUUpihnzC2iHINGby3s1nMIAozNzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkE0BP8zbmC1e3m7Ylw2FWqTlSxS7l0mGgNost\nA5dJ+Dh9mo/gzWF+Gghwkf35T0xTQeoEM+DmCX1bRIAuLKO6o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQbZ+Gj1FxKlz/Q323sYLOmxUORpDAKBggqhkjOPQQDAgNJADBGAiEA\njRgaZ4xHes/keb5CYqJichORLEW0XycbwNs9jIV1VBwCIQD/x8kHjWiX2YtTVCNl\nbTTeCvWfzd1a+8q908qcJaFC3g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULNrn3JoFEAg/JCyGJj7ZkJtcKDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE8T1sY3RHSqLVqDKX2BT0OK0CHxZ7vjk0Ket+/xDva2\n0a2jwXwN5ELYW4DgyyLfxmTyvzyomzByb19dEAt8zemjgYgwgYUwHQYDVR0OBBYE\nFFVdTVvwspElpq/D5hjqXfV/pAZHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUl7Wj\n98ooxsgXbx/uD6q8oggVm1AwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBca\n7ixhOboSmTuEhGH6B9S4NDZk49KT7Uea7uWwIYW3AiEAnHrmENbfFvZvhRLuVXHM\nlIGdlbmRrZJo3ZTQLVpONM0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUDEKAcQ09GJVwANoPEskJbLmNmggwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN5CEknip9q2jmrtCwtWmyIIuU7/Mthju+we71nBMkED\nHnyrViNUx4Mj8hzygOLBGFHkzQ+PixF+dp5OXUdmTiOjgYgwgYUwHQYDVR0OBBYE\nFDXjQDNoHc1n8VL6pEUIz5aepFF/MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUG2fh\no9RcSpc/0N9t7GCzpsVDkaQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICrW\nej2Q6iMapT6RQlxrJvzszWioWioRJyDU0oGyBXj7AiBjMeeXb1JIpK0+R0bOfv2+\nkDsHp+R6JIk458iCujyDMA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdb6H8hSyBIJaSheuWPQVav43FCAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATlY74VHQKZxdokiUprC1XrefeF7qDEDyoDKFV6\nAbs7atNsRcy4v+vlerc4O2eQwjMmBcjn7M7EJiUUk6ewSfbZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo+JluFJF3ZI1IFfZGrxWcQj6bcYwCgYIKoZIzj0EAwIDRwAwRAIg\nKrooR1s6j4V0xa53hMhXRBXeObmFBEbezwUbHOYvrZcCIGmWtp3Xp1N6xmA2xKC7\n08P3VvRDh+jKjE8EVxLVZOcI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfgzZzCspU4rWzzSbZl3cV2MHbS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgJPFtFfdloVlUJD0NDuYRYNVF8qLhzrnDXJyz\n699nrlfME61cGoAGp06p1NIITFAgftfZeXMwpky5oXwOqPk7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqN1izuT+ReJJAGA/oHZp7HU6kgowCgYIKoZIzj0EAwIDSAAwRQIg\nPr3zxRk7KQrGRn/nO93gB4iTmfmmVziG66Iz88uvZJQCIQC/jZKhsdpOWwPW+egO\nYJggJmZyaIBkNxXHsjSLsSDUbA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIULVhfiPaShIzw/n248jzEuA7oPmEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjcyMjAwOTA0MzA4NTUyNTA1NDQ2MzM1MzUzOTk5Mzk5Nzkw\nNzAyODc0NzkyOTkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEa2+q\nUaWmjdrXVCG5IAuKUPrW9IZaaOu5SlQEFXCmhFc0RtnXMmJHQl6/oSIE7ex5dQS4\nYpRkcb112xwmrpsx4KOBiDCBhTAdBgNVHQ4EFgQU0RqfVZUR7uhD+jYdLYMuXaRp\nqTkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ+Ke6Kp9Wug0mQSK1lwRjmSm30KTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgRWyIIJto0SOWj5imrICc9E3PvLdK\n0SokTlu68y20PSUCIAkooZ3fdEgwSnWt9kuHQiMlV+Hp7Z6VTEHfWgZPEoLn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUClKPLR/g4LY/Nbi6V59J+yEvO1AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE5NjE5NDE4OTA3MjA3NTczODA1OTU4NTQ5ODM3MjkzMzMx\nODQxMjMyMTA0NzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDq6H\nuLydsZD+tw4aw5pq86F1TCaIO+yG4r3HUbPWtlV4ZL7X9sIofhfkzjbM2XzgkGOV\n/it+kmf75+RrIVGGUaOBiDCBhTAdBgNVHQ4EFgQU6s4NXfmJGgDvfPrrZQd5/iua\nixgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSql6hWigiRQEji8iP/6BGtF/6PrTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYTN63jVZoC2gtFFz0memaFoOVTx+\njiraImx2uy7aSmcCIAdLSurRwet7EIL+NXNWG3thXhGr9vuniQhQrUXi/lz+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbH3YlMgu4WU6wJqRf+PXZnEDHg0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQoNmiYfUVadQbOYJ/SWFwXM4Aqbeoy21R/3xwT\nFLZh8PsaPgPVe7/ajBalWHQUUKrmqdnnKWVXWPzy5U4tUAPqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOypklikvR5nw8sEBTc0ivBzavyEwCgYIKoZIzj0EAwIDRwAwRAIg\nfuJxHt6tRhNe5gpxrwYXG2Gtzs7l2fky/NVz8rL9yVoCIH6fQM2mEXYOFXFmznmj\ngIjZDj6/cedJTMU6qLvKr6fV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWG53YU0J+XbpeeCJ3SSZEl7cvaMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9ZUTlF/9Isvn/1MDzbeacqAwyPhRBo6SBsnrM\ngBNtkZdHJ5f/JmtfSPh3tLZ2HnabAd4Sp+6GDHip79YIsaL/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUaFpryPUNJCn7MB6IbeqA953at4wCgYIKoZIzj0EAwIDRwAwRAIg\naLMl94MpP6KyVCefkT2ojSmko8WcKp7TASMkw2iiIW4CIA+9OgHnyHcD8fsISP2H\nHsZbhSpwDgRZOcY4PWP9ph5g\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUcKS+mjn/voCcuAEeQnrB1efvXQowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIo352obZ1R6UlPUE3kmpXCwSNjfIHK1atro35cTVdTH\n8I9C59fVlTjBrdEJtjqsn5rW3MSYJGHGw1Wfj27vSJ+jgYswgYgwHQYDVR0OBBYE\nFG42/qqx08z0IGSGCeYS7IBd4rLqMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nOypklikvR5nw8sEBTc0ivBzavyEwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBtPprQf7RTunjbG7mrlfx9lbPqu4gHFjrQzKB4NvHvsAiEAz1v9VZUnPy9g87rz\nkrV9uk4RKTxRNe2mq3bkmYX+6Dg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIUVXnxvTwnKr27edK/RN/wGbsvg9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0nDpkichmGPY3Td76hj4aY0DDtEglAmRdCl6bXPSAT\nqbKfOmmdBm4wyDi15LfLe19MANcgO9u/8Wi/pZGQKwejgYswgYgwHQYDVR0OBBYE\nFIl4ZqXBuZGSpRQRIrNjtAf1hHW8MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nUaFpryPUNJCn7MB6IbeqA953at4wCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIFWA8vbf/1efjDq482cQiSUEexvRtSx+C1FEP2B5K0K6AiAqrufakdYmqbAjsn/E\nrbVbO39cLcENCucm8E8VJTaaMg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUKfkQ1GE4rRg+Itnsq02YhO99MtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNcAqv2rAy/v00Qmcn47yt4PTeLYYFZh8Zoa4G\nBsTatWZADOVXBEdD/fGWH2tiiaTfurrr/4h81ycMbWg8cTKfo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmMDYb8aAAlLP+Hf2rE7TYQDyksowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCobmpunP0wu507XvCNAtIN\ncKUfVHUKzwcqSJOZKR+1jwIhAOQHp6yTw4mQrrJgCcTTfOrMD/TS0/9LiEyZMA+H\nG4dz\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUK3ed8Bpv7srLh69rEA1GYHgEWPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJsEWe3yfDQzBsj3nPjZVTRmN7FJSakRvOY+xh\nB9XsZJw189t3argwKBh3LkrtRzsnobaHY7llSjL0Sxutt9YZo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSb5xCvvXhIrYl5GqxI23Qr0Cv4kwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEUrVFd2PfzacJp+aKaIGbLc\n4iZFtEuQLjoAfawtv4qvAiBVVgx1NZKlXMF5LeDOw+qejxtLkOcQmBoatkxAAof7\nyg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUOdYx5u00Fl+AArVzarHAEzo97QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP7eCcNAx83Rl0+BCW984xHr3acdJffD7pDAXR7SP+av\n7LZf2adUpf7DUnZUp1uOBugORmrNmQMBGvdW6zf5hHijgYwwgYkwHQYDVR0OBBYE\nFB2AbHPuuoAMImuArXMJL4r86Qo+MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUmMDY\nb8aAAlLP+Hf2rE7TYQDyksowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAzuN7EGmLu8ieG1LgYe4c+uvTSDO22WMBWnW91oEwLkwIgWRLjIP5+UUUUbBFC\n24GlHzkLmxV2gQ0N1nhLK40weaQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUaWJ0BwlZvtsVUM8Ua1CtIXeFLikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG2IMxSUOMalwG99fUIfutdl3zCYoEXPn8fQtPLlN0Cd\nCOTGvxKI0L4k7UWZULV9ntP13+YbQYc80ohZPVBtu76jgYwwgYkwHQYDVR0OBBYE\nFLIv2XK6LDvtpDzjdECjraluF6SjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUSb5x\nCvvXhIrYl5GqxI23Qr0Cv4kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB0HCUTJ2q3MQJhnAA2wWaxGc+oXvRne2KCDn9hiyOt0wIgLTquwQlNgHL01x2s\nL7phmtV5XGkMq/7CEXtX1nXV9Ys=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUCTvJAWSif8wiWt8yVe1/qg9mbWQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKRUcuehlO1vbkpLugyPa1dXV88DjChwITtPxJ\nBlfiqO6UONoAWpQT3CrI1Ay4m6SEdsvT+iok3HbhwKYoWvzro3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgaVTByCUFjWy6YEp0lurBngITXYwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICo50J6LvIBdmxMXLB5HfjTG\nuxcobMuTC4dtIwLxdWbMAiEAtkJ8AOw4IsSbOYYRGq6znEzxSqhKuivqHdnDPHdS\ndIw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUC5D85tAhek1CW4QYQ/I7ZNQ0wtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEPAPufh6ZmZ6dvLAZi/WNMicDbK/Nff3GOqJq\n9mE+CHhoC9H5KcLuqNYvmEWanfS/oXE3/InEfPQ6h8aYop7No3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPmPTCLDKYpbGTjeIpnlRzFxAiXEwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0UR8/C5zgPSRDFVZiu8gL\ni2prEDDegyswCAUyUcHReAIhAMhcLPqdKnXu3KiAG30N+eeE44GSADcn7lhYHvNe\ndnlf\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUbWZV0uQse7bLEkAfiVP8H9DtDQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABILnKDIfrEjMG3wxrpvzwNL5qCuMJF2HNuFCb7o1FOWu\nGv9R1f/+Up2jldSid5lsXMGYQpwzCy7654Toob8l8mCjgYgwgYUwHQYDVR0OBBYE\nFAnWG4z8sH2Sb7wnHkcd0/F3b6NAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgaVT\nByCUFjWy6YEp0lurBngITXYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC7\nP6JJsLCG//BZfmvW2wu/UVyyvEEt/nnV5UQKUUgSWAIhALwqqkPjHFiKiOpblukC\nL7+YSKSeF3HcCOOm2h3QYz3L\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUe7TDZwZZ5I6A8xLZQX/B+rvTRfwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ+yy6UWaeu/WRGVXP28HP4e2VtIyLqGdhWkKs69eZI/\nPYLWFzsfYO+y56aoSRbYaroYWCqYrll586pdZNUL0wCjgYgwgYUwHQYDVR0OBBYE\nFHQKMwTewoFvYCZ/VxN+w9XQZoyiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPmPT\nCLDKYpbGTjeIpnlRzFxAiXEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD/\nlUAvq6N4gkZBP2x4Bb0fwhsJqajyY0bYhUv16MNKxQIhAM64f+C0sdF9jkVl1WRJ\nfOCrrpEthjMKkt/xHWHvmXvi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUFWZ8tgi4flK23ckUWYiuCYdgCCMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEV3dbVMtIzVtYyWP9W4OPCow8L/KqAEpVzolj\n1pJQ1aVmIilesAZzeyBdLIxwM9ojwrVR2i0mj8Cxh47GFHYqo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4ZL1AyEitqJ78suAwWGoSiAijW0wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBSF9P3rz3dzmHOTSiKA+mU9\nm0GoUAm39HLfqdAVG/puAiBqgaa10HhGKysHPAL8Ph7DwWPvIeegoE8XUcwbmX5n\nJg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUcsF+ZLAtPVzijxGGP2Pqj72MqZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATis4Ag/uI5NwFSaEI606TbOewFVJMtdytNj5yI\nDTfoRleLPdAvN1sUmgRE4z+b5nOCnZbyORvZ5d0QAK0uMZXmo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeL3DOHuyegwW2vhtAZsCLIkKmPUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDYFrTZMUrdpLKDGv7p8EdW\nGZp2KnlCwn3g83WzGYcoEwIgenYav9WH0dMb9OU8d9LBGUF5PmOIaFFXevGU6P1I\nYYM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUTBxbxOHT/1rGR5tbyGssMeFmMYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMI8E4UuEY+AzifAFUSEVsKaCBjsAOU6HLvTHEOYA3CL\n0GTca3LGUcHxZYFtoxvFx/D/OZZpEO9KGL/CJy6anRKjgYgwgYUwHQYDVR0OBBYE\nFLaQV0b0b5+9IIhiAH7hlpra8NlCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU4ZL1\nAyEitqJ78suAwWGoSiAijW0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDA\nM71jR9puvA0861A2Iip0OpqlZCToFZwbnm5FY8zO4AIhANfEhlFwnrQyu0D0fYYA\nEtEAd94vgjUeyJkG42QGo2iH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUGY+9z4ge6FIFh9VqooE7qoVC9fUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCeGAWFFR7oCMnbllZWrV3Q7XRB2uZtZCl5KNAX0581E\n0NSaChHe0kUL4RNGVVikALSu6iYMxwD/5sU4c6gRQ5yjgYgwgYUwHQYDVR0OBBYE\nFIz2g7kYzPgO7Dz5K1RXBSEjTwxkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUeL3D\nOHuyegwW2vhtAZsCLIkKmPUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCR\nA6qUPdYCSp4pnmWVtFMtDxBXiT0kF67v5bAFeMBEVQIgDFxacMoyfUwb26vAOk7r\nNAgv8SUPxUkmX/l+fMK+I/w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIULGJswpD85lVtpdXlEyMjN7U64XcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLxjTx26sjuUkAMNJcAjdeTynfDsommxYcWxIb\nxfYx+ntkYjWCLyOEoH4zjUZAZb+hsX7wJK8BjyU5oHOKvQkJo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUApdNuZeEWV0SYHD4UAf6pSgYC3swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIA9/oxSYr/WgJlqQ0Z7TBVFX\nWFgrFneBVlefnmL0GGzCAiAVZeQyz5cZ3SORj4dlTsEEuNkd1PNFjJsYchsePUtH\nVQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUfCfkvIyX7WSLe2RjNbmkHhACdEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw/6Y12wxcbV0fGi3fPswhSSgrmbMi4difovBS\n5+oF4zNzK/lpCj3wjfl1J8Qn4axgjS1Ojp8H2vJcJWypPLLzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIo1S7xib2KqnF0zcJ0t50pJJb8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDQs0XRWHwslHVmFk9szKdS\noIpPpt5qela8d8lBlNWdnwIhAOoVtYhvtcCnalt7um1d5qPGw6JVVOzSF0ZO0c/l\nUXjR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUBm4Rsvr3HKHyy7utAs7aIQP2MYEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0/Fhi5c+1ghoOx3rQCN/SQlBsZcWoUpv6jOdyVQJSV\neCNW+oVA0hFA2mkRkYmkfIsdQQDQQbAapP7nyEj9dZujgZAwgY0wHQYDVR0OBBYE\nFNSMO2WQyKeLlPfg01OvTmEgDrvaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUApdN\nuZeEWV0SYHD4UAf6pSgYC3swCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgBoO+aeyszTxwwwXvqAABspsMtfpw2jnUtCSXq77XY/YCIBMavFsuPZ58\njMkU3SOlccNW376mA7wY5S04kmWVu5Yt\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUIBtfWDsZsJs0k8yueZ/6j4MlG9EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPyXdEqXeYSDquj7Lop7bIaQ1fmP+7TST85hIDKHufq+\nQenzhwljLdONrYEg993UZWe/tt2P1fjizLqHMZ+3ZFCjgZAwgY0wHQYDVR0OBBYE\nFOAQTdoCOD/10F57+eA5m9xIfcSNMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUSIo1\nS7xib2KqnF0zcJ0t50pJJb8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgMo2wv9bBDGnzwiLrARDCxWES1J7tvaxekcBqJxfsNvwCIQCnJACA4WU9\n1NNgEuGfYcNvLq7aPNCib2G/SknAZkSQDA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUK2FZoHRHd8e5/qygHJN60b1pwCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2HowKeK5Vsl8pndzunBh857k4CZVGX8wJTwAw\n0Tec7raHocNbzd0fTaaBzu6pmvHl0EV14exsR58IO8mEDXazo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSH+y8IFB8KTS1jzeAtioFRMrqjfjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPN8\nf6kFrrRu3+cZQ9XhMTb4CVhwe3/tWwO4eU5Myk9FAiEAut8OIMYb//aevxWxpOKg\ncfLE2+VPo4vZFi+NzvaMutU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUTu0DpbpBtMrp4lrxfp6/5Z6bn6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXWnrwfAjs1gIaCiaHGeyXIlMQ8iqLWM9Cw/j8\npkMICt3vzL9o01r8d+QhlWu0WUQHdHkd24hmVFeL86E+wkk+o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQ/Hycj7hlsqQON3wRIC3/sg4kjWTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAM0n\nQN2+LaFNNKCHJSPSUEVoskU0BnTYAS+wpqBSVXYaAiEA5+b0gVl8901YhrDso5ao\nsy0sGISrFnDJlMHBGEcSpho=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUHNMykwLZKbYnfX02GH8g+R92NLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABP3ubAo8EcSkg0oKe4b9qDzO1XJ1lisEGpXZg7FhgzQY\n5hCs00cSuicZpSdptDKJNslj4aFQ+9mjJq4TotCU8iyjgaEwgZ4wHQYDVR0OBBYE\nFJoV0VKphlu3fStNQOGnQb2wj7VxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUh/sv\nCBQfCk0tY83gLYqBUTK6o34wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiAVlHtY0pcoFYyM4SvSaNzi/xvN+QgkPFeh\np/6F7c8HngIgKNxGYkoIKr/JAygElseqAEhklcCWCPVAm2mpoMe24D0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUQIjv3YsBCfhLXvNm6nWGhuuZNM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKBxYFcXMRlGlCpHuAZIKEEdLeUp+Cc62i2mC7SAHYW8\nx0/qmPSS8ExV/zK+MciBY+CvCFUwBlw5pTx/AJ5gHbKjgaEwgZ4wHQYDVR0OBBYE\nFIxRjtoNvtCAUUeehAZ7Qm6YAT74MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPx8n\nI+4ZbKkDjd8ESAt/7IOJI1kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAua281q3WP2zjX/+j/pkhN7gJjbaH7ruM\nSbmzo31hYLcCIHG6w9IlDIoEE/FHTc2MOf3fAdavuDW9N75k7H2sy1Is\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUAtOfg/TbpczFySWinN3twQMrGFswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQh8ghbNREdUNjHz34p5HX+gbBlYpruyTED5seN\nBBhB+Zb1vpW7nxOz7fhuZCuwjevG2Aq1lNgkLp9DHBSqM4Y/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/mbgHfVbQwl+qKWTh/IULqjVH/4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIE2LLgkAMliehGxemUYL+LYHS/Jo\nGFbLssLvbw4d2C5eAiBaOnkVuZDx5d9j/0oWAxR1uwhPJjDWVJZ3CJZqMyZgEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUTjzIpQofnu8GaUtIkDtTGTCT6ngwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3yIojoEPXZMV7XF91DcliHzl5ZBcCQTj6SaDg\ne+9Q80JiSGiU8ZwxL8dvqpNegIbJGpKZJ5cMdjhUokZd1C3Do3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZeV5VdDbpg10TFEQshRUU3CfHkAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFqg0j4X4RiFVXikMUB+7Z3RejwS\n2IKIwcGwgJKTkSjGAiEA0Ie+in2FCBRcDNWGQI0Nm4gAIoCLpNWntNz/DlhlJy4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUNOXws3w1FbS27FtQ4nuPaJbvGnAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJOCaKJO8xe9zjxG8aszD2TpJisMww3FLcly10K3kVg7\neueqb9NK8GBue9yUvvjRQVhXExOi2ahBexen9ld6aQqjgYAwfjAdBgNVHQ4EFgQU\nYJ1Ma5yqNROoLoCX865U0VpJoiIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT+ZuAd\n9VtDCX6opZOH8hQuqNUf/jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiAdM9PsVHjFRJt2\nkm+CTyk1dl9WsUTZk53bZpq9kQvJhwIgYvYlSPf+UlhaS4QQ8XDK3RIivynWWNqE\n+hDDwjiFnGE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUZ95z6G+ni0wRDMgfCYx/siBYKp4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLPinS5pzFmVt+Iis/Xbb60d0hh567Oh/iUSBUI7mUzW\nRIoSe4z636BwRUOggeq/zyPmavw2zdITxYfkJB3GouKjgYAwfjAdBgNVHQ4EFgQU\nzby7IAOavQ/acfN2k5M/mdRXfe8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRl5XlV\n0NumDXRMURCyFFRTcJ8eQDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiADYqqlghzQWZwp\n/9ntx1uh2bTN1v+wOVWIq96Q4DQmEAIgbwHuuIHTPLQ7BCeGce8db3MxOUifRr1l\nIOK/7qOgBeY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgITG/kTRHPxKcew1Bn1fADFt8jpwzAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABF6nX3JMfll2zgzrSO1tzf6ooKskbKSRaLSdMPLr\nVhUsi5Bd4fNsu1GTAWD03392ebvaW9GEvPWOSA30F1rRD3OjczBxMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTRX2aNGP2mR29aU98ZrTD1LZdlwDAaBgNVHR4BAf8EEDAOoQwwCocI\nwAACAP///wAwCgYIKoZIzj0EAwIDSQAwRgIhAKHAya17qUO62TQNeuuA8X5KmDrz\n0dcPbtEs2G61q5QwAiEA7YSGSrQ8vL+iOCBF2oKZ9GQxubJPltPyEVO7TAvnICA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUd8GbdkWP4bVcv2Hjr/In9IPhDKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSQP4Xop8i+5nOVp4DHGTCxYGxr/CSRupQz1T9\ng2ozqtfpXqnmY0N5H2Jn4t4zNKvsnzF1kAxYEdDD8u831BN0o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVGRyJg9/uWun7toeR//10V4o82wwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIBdpbXV0r+/2UiRDkjphIxh7JcZ8\nFJfesRODG/Cmpy2uAiEAiC+gK9xscFJg6eK4hhcZtStjf/cgOdOPlhvIKzf9bO8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUboMo0qjy5Yv1teVHroYEELyqZJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMNSWBU0IISjF4UDZt/ci6i4bMoX1Fbl32T4KqDe5crZ\nh2Gd2dmbiK2cxU5RNoZVcDNMae8jPYGi75WFRdtrSkijgYAwfjAdBgNVHQ4EFgQU\nBcXmOu6WQEqU4mci7Zr1ZOyMYq4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTRX2aN\nGP2mR29aU98ZrTD1LZdlwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBXbkBGmKHRyWGz\nqaPGWmkusGcHhS9TCWUdtkbp51X/CwIhAOWFKAwgeN8b7D3C0pa4272lgN6HmIUr\n2XffsLnvMBh6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUdF7vPZY7lPWALHkJWWdTQIp8psQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGjTFbNlOUYrcInrGV6/kWLszX9vBJqqJs5BaNu9qKXp\nXnM8HI7og9dhNtTNymyUUDyEhP+dP0xDUlwxfMxEZJ2jgYAwfjAdBgNVHQ4EFgQU\nKXtiCRr4af/YWl0s8gTkyeXQJIUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRUZHIm\nD3+5a6fu2h5H//XRXijzbDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEA7Ea7uK+CkZ8z\nw3cTy7vLcpFuJkLyVUkCgv2XdK8OnWUCIQCNLRbiXW9FkHhEsvASazg2glmKqeAI\nBPjR3lNTWvdlUA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUFW5PMsmwGZkd5ffNW48wr3hmXG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/CAnFRVvn85o4tL6r8NRhZOkNXVDo06s4MBsJ\n4QTSO4b+bms/cxgEXtciCRHn3BvzPV0uBVVQk5ddl2rdvs3Fo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUF+15qhrK6/wiliV6wag0Of41R04wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHEi1VLItHYa0UVtI91kUs2bWXp2\njQ7xxK6BXrqDMWY8AiEAzJOGyW02hlarmB/e86uBXDZhwkZ8mcW2UX+Ov6p/TiU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa6q5jfkSh4zVQ8a1vVXa3c0YnrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcOj4PrD7zmR6+i8JCuE6R9wf0vc1bq1qJpbKn\nfZDTshVte/SdTKjG1SyPSZqcdd4EsbAQnsktQim+j6KLyz2Yo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+AXybs1X4KQdBYVP3TY2Osp7tPEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCJaDuoiwUv2bGPawppfxMCgzxQ\nHIwouANdBGNnBS9B+wIgJ6eWf+Z8WNb7FOGZvzEAdr9V/nIoCbHflw8UtGPX5o0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAkIUub/OtlHm0BNjf9+IrdHi7awwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJDXQvLGIuUMWMf6mS6FkPcqChqMLrX26mVy6L9ghScW\ntCjwgl9ZSZTIqzUCiI28u/EuWJargZ1bpoEu1qJ/ppSjgYAwfjAdBgNVHQ4EFgQU\n+59GRZZqqKe/P4Iw+AfAiKvRj6EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQX7Xmq\nGsrr/CKWJXrBqDQ5/jVHTjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNHADBEAiACXvkmKm+9k5qF\nGKkjPpd/pccsDEd9DWUhorXEcqXkAgIgED/Dc/QIoTH9GylQF0noPq7RxVmJHE1l\nPxW9c+OgWXM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNniq2HQe4jruVCJddRBNdEUjfccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSnsV3/4E48fagoCYBn7bbJlVBJiLN/eMAHnsuV+Z9k\nTy7YBCFNzvd118XTj7ZQR2x5CbHWZ7wwlObsLvk8sWijgYAwfjAdBgNVHQ4EFgQU\nNTcD6SPWj0rrk0lwmEoB+RYhAmQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT4BfJu\nzVfgpB0FhU/dNjY6ynu08TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEAjkp9fmJ6whMp\nTUfRp20WI+ELmwqFf6hvTSs4mQ9rR1ICIHjmuqHnfQlb1BActjopaIM4f+bxg+IP\njbIECzzs/41j\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSbh/saCqBiu+rVJhDE9/BshI1OEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9LyVJZlFcMhMGGPdbCazZJn5rRow2Yakn90EN\n36KJup3L0QQai5KTgsJ/8mGXMje+dMeMPYmhlVJE6lkdCZXJo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwVfxp98JVXwq3GqKrBeZiKat2u4wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgEQajZAO21nwx5jWu\nuHgk0+JUvSDWDY6718lQyzLsnqsCIDl165jNsxbtSFTkiP5p1CS7Zsqb3IhqP/JA\nCbfpvDMX\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTmFsA29D6CL83TE2xJphh6t8Za8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzJ3/h1bclqP1JSANAps1HyW0zAoLp3YRkG7+B\npa6Ba+1QZG2CrRaUqLTCTaH5g9mQhFDFDBc5u+GjF/29V0Clo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTZ5wxu2NkZno46HqYANY2PdpUOowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgWcXmENqrAZo93EIj\nOky+1MNlM1Ba45egqBN8aQ0FwcoCIQDLIJQrW1thbY2mkjiNGdn+apOBLJ21GLwC\noLZBDDJ6bA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUSZcdfYOpv/FOWXaGfLwm2xWyXHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEkYC6npCzoocJM52cJedohWyQ8bDxD5Wt8iCtDYrHCgNoVApY\nRGOWkurVM9FzHb8IV6JSWHhRXDmHHMyDEF2+2aOBkTCBjjAdBgNVHQ4EFgQUCDlq\ngylDjXKek21P39H4/VJXD+MwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTBV/Gn3wlV\nfCrcaoqsF5mIpq3a7jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIgMM8T6tJ9M3O+Vfbliuz4NMWT5Y/Xq8FKL9OV9f6t/FMCIQD6AVsa29mJSzsp\nqDEmmMUEZbv8k6ednQQWf1NsEqXNfw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUVPaRspJC82HvjW4ampFrUVyMwDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMNNkuVZQne+oWLMzYmwNZ92TugME+/BySDpSZCxxBYGhC7oq\n4Urz4SmxpEGr2BOxXXlt3CnT3jtB5ivS4YHLmaOBkTCBjjAdBgNVHQ4EFgQUYPKi\n3kpsfkd+6WCZZdOM3Mr8ISIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRNnnDG7Y2R\nmejjoepgA1jY92lQ6jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIgNFDj3W+d/YMKwZtE0Cz96lY/ntkV4AMnlKqyp6g5L9sCIQCjBXXU7QmCylnI\nkZgbUedPeAPYhzyfyZMv+6vdAuVlow==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUGucbRtlf29Ep/cfDXWZPgz22Nw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQz7ylLX/LjkUz+eYzyqh2qSZ1hv1hXKOntdk0k\nlHJl/lXO1cMh1JfDDtDHVKMZLwPt9UxAElmc728OoFrth0kyo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhSAJCp5rODdevsUPiGf/ZB/anOkwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgNYkR+NRNfUHap4q8\nYO1hz9YKoEjaOBqot3IP+w1H37ICIQDVJT/6F7J/VbukmXKx5cRLDK3cNj8f3equ\nEkq5Icp3LA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDPlPYIkp4MtnN69tzMUv+2ZxWLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTps0xNto1hLfzN2sIh9ran2DNBe2ags3jkfMD\ngNZK3HqnQa0QGZYp8BTQT0hAR+qoKGnYbyKtI/CtUo+xDlW3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdgFJJj/fyUAUsxkv+mEACG+pUGwwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgEBPdr1aYLnsa4Mg9\n1ah2uCu29nF+E3Yw+pA0I5hJrF4CIQDvzFZqce5DshmNJs3kcsbADH/SLRr4ZunV\nslyy1AmoDA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUZSeT7Hae38lTvdPwW+ssj4f+Wh4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASJ5DugOyF1N4DQpR68cYv3n+aGsdiV5oPicWVZtnw6wrddWmxWE7He\n27iiea7mSzkHBJ1RpiMSkmISEDPAAOs/o4GNMIGKMB0GA1UdDgQWBBTBZKWlRbJC\nPbSobctJYXLyioyHuDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFIUgCQqeazg3Xr7F\nD4hn/2Qf2pzpMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIEPluwg9\nVtEJUm4JHbGd3Tga0hAsv6fJdiTzmKZQV3ehAiBD9aPv2FzeH7NEIEGOJNARLJpM\nUhwoPD7eB9bLt+koUw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUO7rfLvxb/auY4tI+7x01+LJMO+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATsoiISjhDhD7SmJ5S+vrVAtlm/LgIESc5JpIaCurY1AqVC1s7lcFu5\nMylljIt78RVmYb5l8kauXrgvfVrUMg/Bo4GNMIGKMB0GA1UdDgQWBBQckY/fiOEY\n2mfcTDsvkH0oEPHAxzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHYBSSY/38lAFLMZ\nL/phAAhvqVBsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIBYGTlHz\nE6IXHhkHvxWJd6m1282B1g8K1j0P5i1h6Q+VAiEAuSY6VOgdOYt5QSRNN3xJBHfE\nB7/ZWVZaSLt/8VBR7QQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURRQbIvlf//U8Mp+gvCWTrBvtZE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGXN/1BVQbjjln26/JOTN0xPffWFCD8OWwoWES\ntJNEl65mvC56Qhb+9jLSynhoxJMCqbPR5bgNpnXzFISSwEFno3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUmb591dirv2/4lz5F6J4PmyIKggwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgNxMNORlQF5Ov9d7m\n3VK18tAoOuuYSvou8Fuiw9yfNMcCIQCotlpOPTdgtcMxLZ7pS2JPz2R6q5PD4uc4\nXgZjGHey1Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUbgg/bqursAXajK/DpVeGZj0VwHkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTKFT7Z9XXN37n/NQxim0MBvke3OdBnAxtt4BQ\nzX5ARG/td3IEuoLCwncEUE0QOxCVxCbeS2RIH3XcdDcYDBdjo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkGgbHNz7X3CwGCGJBiI0IDcJIuswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAKQxDiiTxNN+XDe8\nD8pnDjP6cuCwqSvcc8NvapYxCx37AiB5eZbiPmkXa25XVdol1W0LKo4XQfvJhG18\nt8Kw5qVE7w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUbc0Fx7S5dPrU52kpcahfO1goce4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQWfBOuDuf1Psz0bQglA8sIDLbaiVNKIWVV/vYNto3twIv9KmqAYQTJ\nygX4xwueSbFbvL3yp7pnsdavTtuhcQdOo4GNMIGKMB0GA1UdDgQWBBSslE5AIoY1\nM+a69P/mG3yf5tYrlDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFFJm+fdXYq79v+Jc\n+ReieD5siCoIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQDju3RF\nX8ZOaaHt0dzVz6d5iNuILL1nB4BX3VPXghdcigIgbZmft98+t429drYmOZ06grhj\nq00gObRtATneMNuQyTo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUO43arolBtQYGVwQdsMS6PDOv8CowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARjg6nbi3NzhNeL8oyHSkmcNCYzCv6+MVAaoL8GZbpmEiDp5BTVum7Y\nPMktPz4Y4w7grx9WbAw+R4+5BeK+oucPo4GNMIGKMB0GA1UdDgQWBBQaMq1opxud\nGRBHYqUKaMKFtO+5cTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJBoGxzc+19wsBgh\niQYiNCA3CSLrMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCaMZQG\ns2dWPuEK+7VTdX8FED7pR+34D4MfoEIdKF5TqQIhAOYbrnumgsxGQ2dzPDxnLq5z\nkld0wrLq7Ja3maw8pYwZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUTaYwz7uZ2pFHWFgqAXhcxiXKNQgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8w78t6NpJyXOEg7ceo5kh71ZZ3JWhEGRpGAyi\nISlM7UKHhDKExRh3mZfbtX1H4ft+KdnDOIL6R/a4v4fP87Ogo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO2LM+vzP5N4AH0JBScWqC9RJxL8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAJ9n0ilZ4VzX711F\nr23mWuATPBWxbnhX72Xcgjnmv85UAiEAqW71YwmL/JXGieQqClfyhi7uj9VLD05Y\nHa9h39OfL00=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJ9QECXcml4UUfovNaDJzCfvzf90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQor0Gcbudr2ucBoyNeDlCMtkOezLi1L9nNlPlW\nvpcfpv2ggpSeqPVy10pGUZKyD/vABf3D+NZCfUYNZbyMKIAWo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7kbKytiyS65bXz0PBoSh7RIdGEcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAMbYLguctFT4urar\nlnI6NhVPZbjbUCSgPMT8kZ7SWHiaAiBxd2IjkDGzW0XluxfSug3L9c6/q1mUsPeT\nxqO4BbzDfw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUb1thfr1jXtmHcJkFXuEc3cp48gQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEWaFlSxcZNVbPN31rUCvHK4/+YY0iBJakJWLonagdVkj/8Be3\neC7zOT2DZU2AtUGoMwQ68+OGcILndI4/guWTh6OBjTCBijAdBgNVHQ4EFgQUcw3c\nQXcpJlVqtlUE9gE83NnFczYwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ7Ysz6/M/k\n3gAfQkFJxaoL1EnEvzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n/WJVTpHmbWusMnhD5VRLl4imsFTFGn8qe+QTtrCOFoQCIQCJF2VDbmkty2OcQDLw\nnCjZ4EiHRxw/OhgrUdQqu+WMzQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUda9YPPB89DBdxaAxHYbejkigZ2wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE430PlRrPoJA45J5gL8FC0LirokWcAlg5QOYc+FX+2fHFinzR\nH/O9F6/S+Y6m+HjMZ6mVSj3ZBrMFLMPc6mQy0KOBjTCBijAdBgNVHQ4EFgQU9INY\n0JlxlwwQZqmKRm7EhWQurFMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTuRsrK2LJL\nrltfPQ8GhKHtEh0YRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nux4L2TG8394KwgO+BTzvbxZyD11c85yZHy0wSV6SFbICIAkk9fNYsXJqtuAf2OCO\nzXSyqc5D2Te+hn1JCed2ltZ4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIG5S++1zM+gW+kJOtiZ0mkAlqYswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwjl3fYyzaNKQR/yUDCg9YpvaPTMgLppKSUrbV\nEqD8T11jeGy0/ZLhMq5M9wV9LtJj2z0vKE4BhGBEtUKbXmRIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzxMqGwq56cyJI9EnN9GQcH39PeMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgAKLuCD85uDurZ4MD\nn6++2/PVkARcCvx0Alofy8MtO5MCIQDCMxcueSU/8TU5luoxN9riTK7Zr8UFtj9d\n7ZYwO5soIg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUKf68WXk7TvrbGffYIMehnquBaIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpYM2Z2LkTbj/O36K3OPoHzPAwN7DhAdrfUbfh\nucTWZriQDnYtQ0G3DdT6XCnMFVp1mQMiCjqIIwXxo+1QXAVio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFzjhWBN8NVKbVb7FIh9nAggN7Y0wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAINrwoL4TlhvzmPQ\n0IcBuenHNJH214Q5CvvcwXs67jR4AiEArcsKY17vdF4prTr8/x+BEqPZuVLPUL+l\nUNfeEsRknSo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUAi0iCIzw7z8Trz7SyCnRGYc46SQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATmaE6GhgILRNDjiroVjywQaKfOwTgfxm7hTHRC6wPZdB7FSrqbsp9C\nMmRpqlB/uOxvYtDYa0RwbLFr4wiS9m2Ho4GRMIGOMB0GA1UdDgQWBBSzz7p7dbcJ\nkYLY6vTDsf0L2EAY7zAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFM8TKhsKuenMiSPR\nJzfRkHB9/T3jMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNJADBGAiEA\n5x5l2L4eMehgSWCVmq863Xrei59VuamgqN5RESz7WVUCIQDk8/iU3sAPd2xJxjtn\n1auK5dDD9hldmEBQwQmnVmWJeg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUM3umjGcWRX7bgozG8jwuX8XnvVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQwUCYucllTjpigZ0rbr/lCIp4yeHEQJkJxzu6zzECgRFslFAn7HhwY\nS8kGbGk0uBx+M9AIsjYfrW86Dh/kbe6To4GRMIGOMB0GA1UdDgQWBBRpfMrfhqBV\ngdru4VyBhFERVI+7jDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBc44VgTfDVSm1W+\nxSIfZwIIDe2NMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nubbuH1pvHFWjnuDjI7rQhTjug8OvQH//fQU2BYlapoICIBNK2k+t3f+Av+B4Vmth\nAjHNEDj2okjZPCTdHK5xHVsK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUd0l7Gz/LfqKSJJoAyXZLGG7Bb24wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASP9dtfWNBndpeyzyVxe3C06qwf0SpeaOJTzIr3\nKcEGnSRJPpAzjAcIZCs2srLcVHHh2CwYufOeYHxwcQV6pNC5o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFCorSxlk8Xqli4HEEug/7hfaPMqqMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAZNO8JD4OvhoAdjyJX\nbvY5B7O6JFKoo1TKo4UkqxsYSAIhAJATXuRLlLr5dIX3iDvZI4A9dsYbQJ9JRo5G\nMejtpZWG\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUaxMCjyJKUIdOrypS3U9A43sjkMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASGCUwCNoQRIz2vFGrXm7vc66ySjq3QBMcSjb94\nwj8mBTu6vH0rMwv8mB5fInc7QwDcBxpky4iTGdSc1kWoPKkio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFK5fzAQKjXUTo2n7KtOZ8wQHwef5MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAahgUws6PzwE3KHs3M\nZf84mbe+nwn+Nqzq7Jtv3nUfUAIhAMhj/QAc+rSq5psnPi/vM+Wz73JlSfbnHQPC\n/IqQr5qd\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUCEntLIJ4q/DlZzgG5bRyGi7hnfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZMjwQHQXu7nkikAgRYF29KVt1tMHd2Ush+JM\n2dOF5i0Pc6VD7+ifs5yj13qxSOCEl9zPvtNDhmmQd+aCNP1wo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUKitLGWTxeqWLgcQS6D/uF9o8yqowHQYDVR0OBBYEFNx3\nz1me+oo83LQ249N0Ga+gdsqBMAoGCCqGSM49BAMCA0kAMEYCIQCDGMDzNDaNJVUc\n7jyFH9ygzFz4BsWbJOXAd9KqdS8FZwIhAMs67C+tW8JX/XHwo7732jhKwpaPNNs9\nnJPL8jLjbRNu\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUVjIBky4Zkrx6MtSm3lejAKBmNcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVQsWp7yd5vbPgTrsg8NQacbwf9nZCWwQoUEu+\n+BKeAbEEbz6i8rq9+fpZrEUzSRzb1jbNGVGklj5rrsMPaT0Oo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUrl/MBAqNdROjafsq05nzBAfB5/kwHQYDVR0OBBYEFGhu\nictjkOk2jG/62Z09EOWAS0vBMAoGCCqGSM49BAMCA0gAMEUCIFi5zkGZUbGVx93h\np78YKB2mP//VPhY6zXyCi1NXeHKHAiEAkthuJftjb2yF0wUjXng0xye2eXlmwYTN\n22cVdiPL15Y=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUSyqz+02tK6yGv9dD4AY/Tx8DLkwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGzdXsWfUFCrbYw64u5v3wB8VPNne6Y0OfAXEDAc0VKE\nRG5PB6mn+YVEJnhThDkcWe+8UJqFEwMWvEdXQQhvkM+jgYgwgYUwHQYDVR0OBBYE\nFDiRN24Vx+lhbdhDCcEOhPgL/HMpMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU3HfP\nWZ76ijzctDbj03QZr6B2yoEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCY\neTV+sWMGuitBRq/8n7gsLNTNBARG6m4R4n0ccwjhcgIgJ+MG2qQL+40W+LF3uIQX\nl2PgNDo5uK7p5ZqEiEJFTbo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUCAwpOxTVnJqmSYjHXmTwmfO6fBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPPNgAoR+kaz2JyqwrGcTopDeKZE3o/XCNG53uvwh25M\n/F2zHNgkwexGGBaBzJS3sQhaeXQLL9a2kpIuH1BrSwWjgYgwgYUwHQYDVR0OBBYE\nFI3doxQhoC5qi4KMu8F+Y0ctnkFjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUaG6J\ny2OQ6TaMb/rZnT0Q5YBLS8EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFmN\n0D4l86mRsLX0IqQm54iZipaKQf5vpd3hqAcv2zgeAiBmDuJtTG7sGpvZ+3LBG8mJ\njPrjTJwClcpcsFmNgbM11A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUPL8r9PHgsJOItwtMAmjHrk1GFtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7Ub6FzX+dxgBboeTxRbDnrIUpsrPEdggI1ClZ\nm2owzpE4xQxPJDgru+KH5Ms3pscKR4yHgUKHh9qw+SmWgdf8o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUh073qYX0S+lj/X4x0o/qrIuhilMwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBCdXKX6Lv/hVDoM65fNf3a1\nhYy6qD3WxH0IeYOGL76pAiAHa2rt19dvXZ0uZOUdeImFcuTpSgPpnD/1bvvRT0Xf\ncA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUbvteRzi8JF/A/kqGYkgJmxh6XGUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfUZJIiOss+SyRCJo/6D4aSOsjlUlXp3KxLj0n\nSDQKR+tlPIIifrtxiG/tdiccoD9nO1pWj2b5fl4mvpB60e6Xo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9UjFAHmdHfszij267pOggXPOlp8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC01B7G8fon0GdSCa7/+0lw\nf0I69Sst2qOXeuGeDieoLQIhAIDIIuhL4sjFvF4oFma2MamWtdCXLgzNRl2g50bX\n380Q\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUYLKOR1OAcp2A233Ft1FbMzkH2/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDeSyVD2v9r0d6yNiSP/rOqH+A3iy/9Oy+a1WS\nVI6xyN2PnhxsuT+BUpGwS4PP7K1/MGasBHdbJNdi5OxIESzto3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUh073qYX0S+lj/X4x0o/qrIuhilMwHQYDVR0OBBYEFI4x\njpkE/El6II0l2ybBKI7Ua4hFMAoGCCqGSM49BAMCA0gAMEUCIQCKYmZWXscWrOrp\nkOU3sg5yKv7suyOGza6npHX+dTL9KwIgN/HlFOQuOywjZ8YQWkfKdrAcz4XIq5iN\n4WQWeaoLHrs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUYysSDl9bkkuVXKlFB5p47OaFxRcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPRc77DKbxvs0fRN8DHj8H88di4+0CTdPxiKVl\nU7MkggiNzValSoGgXAzzavbWSFnrGKXHws32HzA5r2GvsMVmo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU9UjFAHmdHfszij267pOggXPOlp8wHQYDVR0OBBYEFJPo\n7zBDc5DDHhMlvodSMmj9gkQIMAoGCCqGSM49BAMCA0kAMEYCIQCltj2JXxTGP41K\nJ4czyoupvDz70mB6L0TlkXHMR1RWiAIhAOCpt/OGyKMGxrKCXBmOOjmnHl/DoE5W\n8hg1R+B1sTDE\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUJ2shYKbi4qBgihj21TT6i000aJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATb0IVbAVDrUA3AcHtfHWvCC6pPZxuf0nlSGPH6\n73jcUT3BnH1JUkLz9DwX9+QKX6kkpA9FE9QF/My1yiHINzHpo4GMMIGJMB0GA1Ud\nDgQWBBSLBmFGTIt842Y1HKx16dJ91xKuXDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFI4xjpkE/El6II0l2ybBKI7Ua4hFMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgXcBj7xQJJKuicNWdPdKr1HzgnggAiSlLnz0wOBdqe74CIE9JF97UPeXR\n8lvH9DBt1G9DsWCnAQIZ/aWZAUQW0gfM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUWbzwiHe5asjshhZRgGNkEFRG4/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhduropwtIqeqd6uWF6ac3OgmmF74tamk5w67g\nCSTfAprBeCwsg1ek3Gssb3vcTIUi2xFJ9a+JQqoB2TjrdVo9o4GMMIGJMB0GA1Ud\nDgQWBBS1T0cjJ5ug6A/1lzRdfT5t5uJAwzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFJPo7zBDc5DDHhMlvodSMmj9gkQIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAO64KsA3bVxhxwoi3+vlRszTS2UJBLHwgUD/tOZ0lPzVAiBp/o2oBxyJ\nd3bTlmIk+bYoluM6lG893EMnxVPBdjR3lA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUIACpVPCp/q8VbP8T4Eya4L+dNSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNdNK4razvzhJZK6kycNmGh9Te9kppItsmjOrj\nVIMbJYSqEB/qIDrlQnb52cmmucADH9VgAXoRn49iyqNLUTSRo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTUOtXLnYoPmT2S0cRNkmoFYHwkzjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB1yfh+OOmUExmVrD1O0XCzWwdP0NccHFhZ7s5+JV0PBQIgLOtyRKalYIVmV31O\nrlLlsQZ/6cIGI/eGglLJ2D3CIVw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUesGJVYEBfzFzqlZxAL49H6QopiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDh0xllOIerhlQeqq1DdtdCYBnWsfR8qWOPDR1\n/TbwbKzkba9OEmuDySn0Tk34cOKWCBUJ7O8bokZQ7B6mehFTo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSx1X3V/BNEE38KIw919o5K+B/dAzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAHAQ+eDPSBtv6Fit/WheyHRjatTUb3hJDMvJgwdh2ycAIgWfp8HLNQfLb0NFGm\nQ6gcWzZxnvoYGpeO/29UbeoqIRc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMmju8UWIb1HCJn1OdTlg9Mq87aAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAMF7kzKO07V3sEcINFmVk14bIPB39YQWcNT+c3n+Yxo\nu+U7P2dFJN4DPACQ8HZ5F/RBwHoLKrAMytyklrdAUQajgYgwgYUwHQYDVR0OBBYE\nFKps4kGvZT2+asLq8PzyY1/04SzCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1DrV\ny52KD5k9ktHETZJqBWB8JM4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0\nZolMlgeYbkT+VQnfMor4WzCKdlSaCRQZ9XUTYQNbHQIhAMnn21fItxW4lU8Wcj61\nfKIkViFoof/Cm4+eh06vc9rl\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUbDIbbdI6J8BM1+ZSqnkuyUM2IDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQ38wE4QMXprGAzeOZr+8EF75YOG67nDSgyfWvfa5FO\n53kHsG5XJhR8ZKxVuBj24knahPKXWX/UEIkHMJ13LEejgYgwgYUwHQYDVR0OBBYE\nFKTe5Y2l91sghqFCfWgPfYkobpnKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsdV9\n1fwTRBN/CiMPdfaOSvgf3QMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIB2X\nxKjmH5VJ6niB4MMhp5TgdfsoDYje9VRPBSKfjJgiAiBywFwXh03pyJ6E8TB/FVdK\nfmTpn47QMypQLLXT8njp9g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUcbpYOlDf91M+FTwLEIDC7SO3zMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfSFn3vStxslV2SW89e7xvR3n2h1WUNrI4OeTq\n+IWup0joehPov/5FQzSkAAoZF/8eQBx7/O/KZEKC/NviPGH1o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYsnOi0ib0tQ0gSHp2HF7D75igpowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIEN5q3zfFb4p1WSDmcJio/rOC8fG\nzsxE8x+W0ztpqnqhAiADStWzTly/Gjbzw6RGrB4Oij2o2Mb9mD+HdOq0b/txng==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUQD7iMwPT+BAWbOjvp51kpI9WpZ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3olEdAZvgyDmlFAustS5UGWg9/aqM9LIwDdgY\nQ61pmxwpP45JiEAmksJjAkNqp7msqFCFw5NNAWJKxDM+cIXUo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvR5AljS6h9qdpGGNnEYfkzEreDowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDbaVblnijgEWnZD5eak7BApHXF\nAPlNnvIXtH5yd0IzEQIgcnGBb5iP/sd/SS+x5NMDNZrwuaH8q3nofUtvxt5jH/A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUIcFSnSW7nUeL6EjiAqqFBWwdjEcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMT0k5vzao6FbYf6ZMaa9DiLBjgFBYEKivSTrPzCFSoS\nD7nGFG+U+9QuWOmBjLjX/mK0UCee/7Lg5QqafaNe/5ajgYgwgYUwHQYDVR0OBBYE\nFO8a2Bme3stghifKcPWlZhwu5IgcMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUYsnO\ni0ib0tQ0gSHp2HF7D75igpowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDe\nAdxE0H3GZ4PWdZNlLnFvebMaFK4k3y0ohUa4AP64TgIgCwrd16N69Y5IIGRQ9W8V\nUKsI1cJsZEQVyV9TwiPwxD8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTWWFJBGnnyabML3UiEo0u9wwUOIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAiC6zL0JYh+sUOwJi/5vcEx+gLvyKG1HCXWRRH2l6Sl\nQARKLoTiLI65+DPQZ00CqRfzsF19maVbi8ubzvl1G2ajgYgwgYUwHQYDVR0OBBYE\nFF1G+gdxnOfVUUK2OFRrs0ORO7iEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvR5A\nljS6h9qdpGGNnEYfkzEreDowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCr\nTG5lSz4vBNDYl2+IopPsZDYT9ekf6puX1KUxfimSswIgZeElalNIYRmYgr18kuBb\nJZnnGFef8Zzf8rdQrXQ2Vy4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUCYo410itdno8YIp+C8SjU8XR9QIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT33Xme4OLEVotVHlfCnRciaLpSPqqRucOX/uCf\n/0XNeRZPIwbXuCFx8ZTd9pU9rSVRzbTzm2YHsqoEtrWuuW/Po3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU74oLRQ/zQ1x0sbqa4aFKQ79FzUIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCIZoP/qgMCyKVyVKy4zY\ndupPPKZwRdF0zhuupXaun3wCIQC6uH/OZ3SxjhgO05qICK/ie9RV6btvfJ69XW+z\nneClZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHSANFUuNxBT2MExTnczhZZIjGT0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzDgiTuV9x9RxaS+SH3VBOuT2lT/JuEafgpfgp\nZZ7jbw17EbeQYIzVKKKrll7nayk2bjpw820ZxYuSa28uTczpo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU85heFbn7xRIHty03aY1XTphR4PIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO/o/v2SU17N2Uf+BESk\nXv8JBZ2DmFjGkHw3Q8+grJvGAiB3PjtGzpCwiVhfQjuiHFRtIRssZxWhHluFPclX\n6QB2kg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUYoSfdr1AZ5yqpLT5mI0notsSJwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO8JwQ+1k7hiLFLGToD8i4lGf2XmNRJTT3MKAX5mebio\nKx2Aop+t5kqrwMwbOg2Ewkrxnh9oN22klLHrjQNvA+KjgYwwgYkwHQYDVR0OBBYE\nFFV8hWJGsC0fCPCqVLyG6Lx+JG5aMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU74oL\nRQ/zQ1x0sbqa4aFKQ79FzUIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAcB4C2KcG/DDSlU0GIoT09sgpbxpDCaYVsl8HDkHbE1AIhAIJFOWBQHQihEYim\nqOBYiTZ/o3wr/CNndIk2KgiQ6ztQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUc91c3CuRS8vCmzCasKXxwUPAuwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIW2FA8mye3u8cDOR4euXKovJ/TECL18nV9AyUqSx1St\n5n2+FgMIpMmhJhHOxrAodgmlo5Yd99ZrLb8FJZ8tZ+2jgYwwgYkwHQYDVR0OBBYE\nFHDS35RjnFVAiGTTG64Es1PYI+8OMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU85he\nFbn7xRIHty03aY1XTphR4PIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBzY1VSwUCKZ6x0sJEph09CCb88u5dT6abpiKYwcy2TkgIhAMOvD4jqmbiWOSDm\nkHY+/oT+A0mjmaZP0Sn92Y/kv6TN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUI2KDLvoYTanOvev6O9WbCu4Sps8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSRxg7iOkGpbKU1d3oK1BrMcg5zMp8gVnaKe3x\ne4AcQRu6hyycCZsc9OBxs/dH4Kw5Y/8/dEiEbvko92CevgEwo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbKw/csTnLh5FGTwwGI8LNi7ZOEwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgP+oHwR/nro/ZywWDwYdi1lNmKlGsyrha\nPNOaPm1oeOsCIAT3c/srXQv62HVSvfT/rZ00azsIPkHoDA+6V7DEH6E8\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfrlH97iAB4WkYb5DantYtjUd2RMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQn3kHubwh6wPysf1kBkbJmlZ3bNFPOThllWbqi\n/p/PrNhQyp1fmjQoPXfsJpjuszpPTz41Z+yLehCMt4Qqk79Fo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOVTQXMHT55e1Fzkz6OHavSrPBC0wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJjueNtLWBUHiYnB3LE7tsKsa6GgBtnf\nRE7QeL0O32exAiEAm09DBw6ZWi7kiJ6OnEvz71Rr9fF+E880PyfzQCa9wJI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUepMMjUfenQqsbEY3vA4H4aupAQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGlMh4UUUgWzvtbctJ6b89V84KWEeb3eVaK2Npw2mK9L\nIoBaVcRHlHqdqMo6R4Q812rBW94Q7PG5tIyZOScl+GujgYAwfjAdBgNVHQ4EFgQU\nCRIa7+/A2O6OO6MEyo/GcxrbyxowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRsrD9y\nxOcuHkUZPDAYjws2Ltk4TDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAjV9Vjvm75KTE\nbD8Hq5fTXbN9Pn0xUEHnlrB8v93Qn2ECIC6VPVsoRrntk5z6j+wuir/xl5WJh0PS\nuZUVA/vvroYa\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUHVtE6nyGG9jzrEgC9X5GRP3ZigYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKURchJZwC9IdnTFTTX6YP2HGDDNFkd3jzGcWarHR0E\nWBTxHbBxbxD7LcfvwgjFUQh6W45FhqpXf2/liAFk0nOjgYAwfjAdBgNVHQ4EFgQU\nJHOcj2rZ1x06PLqVPG+bAiBfd3EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ5VNBc\nwdPnl7UXOTPo4dq9Ks8ELTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiB2H0Ez7nFIwUps\n66AMkCLXKjjhzmTom8SXEb1PBPA52wIhAOPufopjhFemcwwidcIL266Xp6tVCD2B\n/oGdjFBzprt6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMH/CaAwkLr4eUggiCl7yXMUbw68wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbn46+g8+aWDu3xCBaOFVsVH6MvI71VEXsop0m\nBDxStvpwKvSSLIGiqFGhQyg1bMNhBkwzX4u1QYGhYHRB+Fl5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjJI47z7MkYn4Xn3BgeEX5vpwq4YwCgYIKoZIzj0EAwIDSQAwRgIh\nALe/tx4AVGehfavdGP0DCnmacY+RQgXXAoYZPO9yfbONAiEAsK1beSQLaP5S8vh6\nkXGEh+g13Wi3kg8CzpCzSEoikxw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH4x0GZ1LQ8oRMfv2V4k/2kDT9jkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARMbeJRGvWgLR5K3tXEFX8hFgRQXnXmbALAJUFJ\nQjcKWEkgj7bMgS7YLf2Lzko+yARBTIjJuoGQ7T5cmsW94MGzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPr8GF3PybK1P/B5V5kK/B01M5eEwCgYIKoZIzj0EAwIDSAAwRQIh\nAJRhWUU5wXHlBzmo+JQQnyyqaBQTimRVioY69r9ZPRAOAiAxsWLcbttJqXW6yaS8\nPlkqt1JqPwDIOSAKtK6NWIbpTQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUAupZ+BgOrp1rOvxGFgxnotGUny8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJICZkMP13bBLA6I+BQQtgaqURq9H13He5xEImcx5cKf\nnP37GTyXieRYU2jfgfGj8Uex1AnME17eBxJ2VlwUwnGjgbEwga4wHQYDVR0OBBYE\nFN7cmmBGLNkmnkDatsxzeMJym3fEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUjJI4\n7z7MkYn4Xn3BgeEX5vpwq4YwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALP9mguDGZo9\nRDsMVbOoeC4tX7WNUK52dUDJYQzVYr0nAiA+9+9/DiLf3/2hsmSoKIw2LEBfNb64\nYc0aqEy4dj6j6g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUbGZX4v54kmBGFwGYp+wKZ7wvxfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKd41U5VbhwARU7Ky/y7HxiT/N5ETUsYYVhcFLw4K3Y\nmGOeJsLI+Ej8z33Z3EC/KK7JSOMVBeI0rdx144MSgRqjgbEwga4wHQYDVR0OBBYE\nFNgckVrg5k3feY6e27QVKs44qh2gMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPr8G\nF3PybK1P/B5V5kK/B01M5eEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKYKJMIU01r29\nJ2iCj+BrcnL12Bp4Q0Naw5kOcNeIQkgCIQDCiDoA9vfkkmPC+C/mowYbrFAEYTRf\nEaHwtfdFuyqsCQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQf1x48YFkT9F+SvwIh+vX/2UTGEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQySgaSrEBUfDC76LOgCF/yHc0MlQX65/vPZxww\na1OW30H0vPKWqaGGKKOf4eLdQ0wokpU/8HoZ9VyAAG5S0XO7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS9g5ZzN+s6ddk5+r4tx5e1SKSBYwCgYIKoZIzj0EAwIDSAAwRQIg\nMj60b+Ivm7PqrY7fH7Erwav8FgkVSLgkehpv/40HA8ICIQCbtdX90xH//PLfW0O5\nONgKidIeIIxyyYgmUMRyiyIZwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF0llLAqjXMav32HP8d8ZtcpiQ+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8WztwXIMsxDXf/JLLh+02L8JBYcT6PRruRR+v\ncCuf0QfzRTNKvY60mdJcCnCgDzuJeCwF/4JdG4nT8ElQwyMco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWee7l/G2HEB5BeK575TOP45UM8EwCgYIKoZIzj0EAwIDRwAwRAIg\nA9h1GZp/CGFWpmhirK8l6f/FUC5RzcGPRM2ph+YuwDQCIEXBtRxVFWjJzM2hGIhr\nuNwtfr6plzURsuenjaYzeIWW\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUI8y2/ySLbGIQHkQvLY4gP9Lx2Z8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH6N0GGMcr8E5irTLNiIuJncXdna9vd4ktGp910fFlca\nMFTWSd/O/8XG8fjSFMSFV2JOJgTClCn3zdIvne6aromjgbQwgbEwHQYDVR0OBBYE\nFA02VDvbj6oZ7PXRj3BaSHOf4dT3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUS9g5\nZzN+s6ddk5+r4tx5e1SKSBYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALpyVBH4\nerQ44iPwSauuMJVxqmIxMR/6l+2zaijVW9SeAiAzBcbmuOG4rtYBPnmF+hgtdGIo\nwYV0U92V2RZ93uYk2Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUW/Z8HKaMdtEKEQ6oc3M7qvwDtoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMNuk7nlUBe5PJzk1zUNsk0O7NUt+ptF+vkbk5pafX50\nKFrdPM8QDEVzaGmc770dicfqvMRgRP022oVweTuQnY6jgbQwgbEwHQYDVR0OBBYE\nFIjnVy0uCnrXRCTru2NDX/skkSS2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWee7\nl/G2HEB5BeK575TOP45UM8EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgUN0SWnhH\nYkAaorKejFBlxuXZgJbmECxFhNT/R4Y+cWkCIQCAjdtObJaHk+nzd+gSs5tAy+o0\nWTXiTKqMhgF0vat4DQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEE0a+8vnJBuOVNzJKhZfurwxgCYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB/7gAH7v61PLCeav3lqrraWIeQakuCkSE43aV\nIo08jFjkloKBp2EiJLRgsqsL+mssMMAFfXn4Zd6khsurtJ1Xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTznOcCxnnfp+AxARJBW8EqQV55swCgYIKoZIzj0EAwIDRwAwRAIg\nMMBNqoDUIKbh8fk0x8ZQxjlNm1dVd0j3pwphZKOnKIgCIFLXvv+hoKSKQBId6pxm\nqO7hLXrR2RT+YfXXCVEmX6FT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZY01Xipj5u8Xn/7ANNLNxqCJOdkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2cpqsMZsFyrq7KFc4Va5LBu6T2yTSK1WOPkwp\nCTmCE0cbbVg9Lr9clYNHb8h71vLPzQo1zq/SjfLlJB53aZmTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsVSgIYZcUK5mJ56ZlSWRHx+HnkcwCgYIKoZIzj0EAwIDSAAwRQIh\nAM+f1NV5FW4/vW3feNecGniEKe7GqtdOn+g4ufNoBaqKAiAki5LxtNG+kyAFxplD\nCt9qZfckOeKEwrbZXaaMs+FuwA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUNVxqMVW+egGR5Yk8H9Tme8kTGPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErx2ASURH\nyr/vDVgEUdIKo6vBAdNK2y/84PCFzLrLg7Xmb55DIV0TvFtraLTPoEJ4nlbMP7Kl\n6YOKFnC6Dcj7k6OBiDCBhTAdBgNVHQ4EFgQUWmsoK+nfwxMsa1zg9ffbZ3Ylpdcw\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRPOc5wLGed+n4DEBEkFbwSpBXnmzALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOP5/Q1a8cqDvA8p+eoyv2XkktG42ut2\njdycf5uSKKAJAiBSaKZVsfYMgzt/9qPpUL4U/LPK9WWYFBTDs9zhJ8ynzw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUWvQugdM9as/N2Tnf2cXNIcNITDgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf+eje5rC\n5LlDDCBW/BVrr2WZpngkahPVgHzcVUVw1Tsi/sGBC5iyETrpA8tR2LDCvior7Ov9\nScG6bWOxy4SuzqOBiDCBhTAdBgNVHQ4EFgQUKTbbbCAD7jn9szO7Nmr+Z4Q86a4w\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSxVKAhhlxQrmYnnpmVJZEfH4eeRzALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbT44yeeXyg3WjLyqevixQyjw6IDak3vB\na96BSFhZkB8CIQD7V9GyAU03Xh2g61UZ6e7QvQ0TGRwOd9J4IlOupO3VEg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAjMsVI8yB0inBXnsRftyvHU98ckwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYgBHow/aD1QCdUrmB9bSZUzkN88D4SlD4bXEm\n2mtO4xtBHSrElIdkUgyiv/BHdEXjFsr1grvnqWCw1o+Q8ch5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWyHPFe4gtTX/esmIuXtLNwSCJ/wwCgYIKoZIzj0EAwIDRwAwRAIg\nMoofioMXeT5Y5spjYmDYm1yXPZhHjOPkDkzx+gZogt4CIBIqsfYbc8uAyvTyBpv3\n94EBf005iW1L5vE+YLqFVXLe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPwvozDoUbFIFHaUzXjKgI5Zx6xQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8HLFAufUS0XHgXyMvVmT3VGS2kpDjvTAjVNPB\nrqO7LC48Tz06Kq/vclhVkwjqxbr46XH/LpbD8ryLATAKgKJbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXhgfTf1deuXG/URkcw76fHShWAgwCgYIKoZIzj0EAwIDRwAwRAIg\nPg7QamjFWar3YQuKlTTLLWHbumlG8Zuf5LH0gVTpAjUCIAqZ+RAyuc0nFoCB6IBy\nXByVd/IxHDFYPXMlE68SFEMh\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIXAPUxrcFp2M3RLvqI1tBut302S9gUfnAwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoY\nDzI5NjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABB10856P8wXZlwuwYe8MYyOMGBg/kxN3Mw6xAgG3\nkDEB1/u1hqV/KbgblUg8CBB5t7xsK2ttbJxbnPmfsU1GPKyjgYgwgYUwHQYDVR0O\nBBYEFC2a7h+yo9Qtp+Xm+w1UUPc+I4pAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nWyHPFe4gtTX/esmIuXtLNwSCJ/wwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQDzkIUSWyq5L1gf03Dk+g77kJ663c1cutig8go6052+WgIhAPkqraNq47+zSKIT\nFk2N6iTSnj1NlOGkHSN0lClwJzBJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIXAPUOY4aK4VNzn6GXD/Y6MGIgDwN1KHowCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABJJlTwlEZWMPXhzXD1JtNNHA/Jh/t2kiJjji7G/R\nlSHdEbM/p1aD2sjoD7BIjqAJCDWR5dj5juJAC/QHSuPUDzKjgYgwgYUwHQYDVR0O\nBBYEFNAfK1LZvLEK5ZPpygsX0HrtYLDKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nXhgfTf1deuXG/URkcw76fHShWAgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDpDQTdH/MGOJjacDlH9d9Brj/qkhFBtr0XkbrBd+VNuwIgIKEfhCvKurRJ3Gxr\ng6Hzbv9mSUbb9n77gdAHcR3BpPs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmPQ76xkycVypPpt+J7tIhD14HEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQv4lHBjtkwi+BA6fKCsGNjcX4bnaPwhizfHJOj\nJOZbSYUmely5Tps+hIMjORtw1fMoNLon3+Vs7hlOgK1/UsZqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUu48wq0AwxiPhxiwkWP/DzO6FCXUwCgYIKoZIzj0EAwIDSAAwRQIg\nYICOJJA0avFs4bNAuCmMEcw7j8nUa9/jHNR0puho06YCIQDqzqqxw0aR4ZwC5XCt\nHdk9a2zdLMQiRLbbLdSJpJxKCQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQNw47NXjtx+BmDpRnBZohfwPOkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2B1HdAwztE2UFlECtcKnfSH+W7e63iss10n1I\n4Ty/sE7D/b0j0oBOm6wj6p87qnE0kyq+keUJWb8XmJ4CJgtzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU24oqD0tNqprCivXucFDAkvoBZmkwCgYIKoZIzj0EAwIDSAAwRQIg\nVmUBbY+l2pyfyGNogsEMJtF9yzaQfRhBLbxc2MVWqUwCIQC4f12W7P674v4fAv6A\n2pWIUEYtJzGRGce5gWmXxLYjuw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzXlz\nGJKScVCy4UZjXAAJulatOpohKq8UgPGXwBTtTosiTcJgUS9ies+k0f690Ct4UwU7\nK3ybQDKkuRGK0whIw6OBiDCBhTAdBgNVHQ4EFgQUW0To4Zce2S/v/+cgovhFuyaR\n3t8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBS7jzCrQDDGI+HGLCRY/8PM7oUJdTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAM5YTMlByaqRxLDasZ9vcrWO28Kj\nVY28tVg2vw6bOC1rAiAgKXois6BPpqKmulpsWtWtDwNCkoO9Wok36+/a0QXWsA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDwQl\nD9oQJ6Z4NMlEoQnuCVogl/hVf8xeUO5QlaFvvVxWCttSZ7w+ePwCUg1eB+PDJKGN\nw5iVg4mR8PeisyLdpqOBiDCBhTAdBgNVHQ4EFgQUZnv2tTCG/9mwcDyUUUuFcMmI\ny64wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTbiioPS02qmsKK9e5wUMCS+gFmaTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPekGwS4A8Fbyf/F+hoM60CCDq4r\nHW4KQn+Y+VN2J0juAiEAiJblC856ICkHref8fS2bVC9yL9kpMtPgGrKBJ+QazVc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGVvA/bIBbisYgZMkqe4t9CzBfXIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS421YQfNJlhbDpSqqP/zcHottISBfBcT5kTixK\nP44TPsoylcGENFmm1ObqubwInM08O1INnG7UlYg48069fdqzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFiVhmLKQ8Z0+5UGBpkTiZ+2yO5UwCgYIKoZIzj0EAwIDSQAwRgIh\nAIPEqrzaf8Ijmk5eZ6rD22o7O70wqQBk5lNsWfWoMmhIAiEA0UExfNHXFLCcpaxI\n93h97tpRm1dcIE1+5Y6A6YAfS6c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNK4eqKqrV6eKXQbL1C0aPb8D9WAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbsgAXDxgFJ9ioIDP8AnvhKNTT3tWTuBjNkF2D\nJ8dZyQGX6kq0+pHt6oZPn0TxrKfSCBT4q3JzGjuT7fPBfWJ5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOTnuq+LtPQ1EaBiMBolRzi++LU8wCgYIKoZIzj0EAwIDSAAwRQIh\nAIelaPazH9UDbgvA4lPP5JKEokM8Jg6j8YOLARmk41F4AiBENggVPcyLPTNCKgn+\nWGTnMOa+ituWSG8YQsC2aI3KxA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1TCCAXugAwIBAgIURE5csqE0IqAeskDGspfcZneJDUkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAW5tyBfBemUx8K0BBYDR2qHv09TJqXOGP0mcdwzvdRQ\nAld5LD3BwXo5W6VF6TEQ5KVDsdYbnpfNkDxUgvZBuNejgaAwgZ0wHQYDVR0OBBYE\nFL+SYqBTP2jrff3BNVqMbdfj7A/3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUFiVh\nmLKQ8Z0+5UGBpkTiZ+2yO5UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIEGPGV/9GV3g199LroCbEvneogHY5Nki0Lat\n5WzMzE+gAiEAj7MmlW9VKwYNyL0zo16SDTvp1f/EuJh+c5Mn/Ma1QG0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1jCCAXugAwIBAgIUEizUkhfcn5g5YywGcfXDyXbvS+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGw+kXEjEsIZT2nE5GV/H4c4mdg7Q3PRznMODW98o/wz\nTDJ7jLSjwW2e1gPljjPMKByv/xHRVAC5zHxs4mEj/sWjgaAwgZ0wHQYDVR0OBBYE\nFHfJ2TdN1okRVFJEgkbbgZJrrRMfMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUOTnu\nq+LtPQ1EaBiMBolRzi++LU8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0kAMEYCIQCGQNn4tqR0kByo02FVAziN4E6u14hU+wRj\nOtU13MNDbQIhAOr/yAJOrduhhRka5PzNLcokenSK2cgfQ61T3Hiu2t/t\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUftau9V3MPABQ0/9mi0Y4CalgCUgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9tRQw6NkGQKwWV6pa+j/fRlLHh+H+ppNgtsw3\nKZ+WJpATtC47fulv6qcQrf+nVXOSph32i0hahKBBwaE4y5KYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0GG9RsFW7zIWz7tyDRmE+zjo7CEwCgYIKoZIzj0EAwIDSAAwRQIh\nAKDKovJBnuD/A2aE2hw9CQiiyzrItaZYixNGd1uDQimbAiBoXuXuGvv0+TZhp3rN\nopXFKscHrLgJYGDZdmHpxyX+3Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVEq5wzuWwUhf7BWv9SHMGvqgQg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeGsu8WREYkpu8PBUmfPRIeSu+Q6mkdagKsBB6\nn5wnlYofgcBoegcTVwkF7pnBz7iCjPEDzxwndeASiY8DesjPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNynWEL4Dh6RgAEqBOcUj2xMgKy8wCgYIKoZIzj0EAwIDRwAwRAIg\ncSgXi4XDRW22hq0zNrkokY+wyu7z5GLQSWawHjDAIwoCIEpMyQsy7Rd5SZrf4LKa\nWv+mvEkOmqeUW1CekJEirW/p\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUX5ejhWcJ+8rPG1aPJUhYTXn1fWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBNxWeCNn3gsRb0gA+Msd77+wFFfR3T1pVVvAZWdLms/\n57ElQgv6HTI4h3FL+HqroOdhaqajruOEoLrRFGyp2SajejB4MB0GA1UdDgQWBBQ2\nM1L5ENJAaF9W1rl2F51LilCh4DAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFNBhvUbB\nVu8yFs+7cg0ZhPs46OwhMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBjh1RckA8NgW9Ztlod6UNRG\nwaQnqBWqHlToTAiQsyPqAiEAyLYn/Bb0A1qldgk48JYVPI5K2BpbZLtsxLUpkF5H\ngmk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUa9Z4TlP6mpaJ9sr+lLW2nBptd0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLfdLhQigZH3N9zL6UfEPd0TKoUglA29KYf3A9UXc2+m\ngOxHHj54JrcrBFgNubzq9OdOaJ96NmPcCvYEQlfPjJqjejB4MB0GA1UdDgQWBBSt\ndgR+20swWjUkcDPO1+58t7O4EzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDcp1hC+\nA4ekYABKgTnFI9sTICsvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCR6NleByCvmbLYs10vdKbK\nY6Cw7BzLgvRUPDPCK6vejwIhAMuF+QZQMCczneOQcPCKHroohMLsSgFLQ+tE9qD3\nNJ1X\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK8OXp0aQqoVgDA1pdWjHfoZqNs0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjvuCZfzwtWDyv4K269rAGXEBVvMggz6iCgDj6\nogq7iVMy+/RD4KGzfH3dPIsFufGxrVgmCs23TjkaGmpjDXVho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP2eoCTgVLvfQYC3WB94WIPfTNhYwCgYIKoZIzj0EAwIDSAAwRQIh\nAOItrrs5hev6TWEMqOAIqbfZeZQYfLNOroxT0T08X+xGAiBSqf32yFPstlNQYtxs\nAjFoKxsP5QEUXhQ/PIJ8BgZ/SA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbSb443ZIGxmqh2fcSZCPK5zV3MAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8mn1QGwA+ZoQykXTwVmosz/1b3vhfbTVpx4ST\nooUJhVoW8w8wekdxYZQiFp2LUiwkJwI8BD9kBPi5sP6KguMho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBqzvkElt+2UzSZhqrds4dOqfhnUwCgYIKoZIzj0EAwIDSAAwRQIg\nY/nr+qyGqHsLVRpsKzKTCMGleC0QNWr8M38AM+OHg6ECIQCeqpeViAT9A258P9jl\nW56lp/5fKxN03XSLwQtA+gqokQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMRekc5kcCt7s01oZn5pUbuA/M+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEvgxwTokXVV494ntD/zTEXv71do+8vq99kul7lyRjUb\nOt6BoAXQvJAGHrWlvDI2qeV1fSo+QmXqYJHMvb3Dg+WjgYgwgYUwHQYDVR0OBBYE\nFAfTzz9ltuwik6liuo/XDrHCE4+6MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUP2eo\nCTgVLvfQYC3WB94WIPfTNhYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGrI\n1AQrTyeuxmgfDGh9yThFwvMvG8zaUiq/aEH4qZEwAiEAlLkLYRniZ2NpRk33I/Tx\nUcDvOC4wZaCt4R5SttS+f3s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUBxvptulsSXtnJe8BBpwrzD7o+OIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGRcsj9S2LtOA2RCKjQQssXlbz+CgzukB2z+Zw2l060B\nlO56E2pSRf29Oy327AZEMenQGtBuWhn5zTnKTqn9nT2jgYgwgYUwHQYDVR0OBBYE\nFCDS/7aIUFZIoYN0JzEmzPlnThBtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBqzv\nkElt+2UzSZhqrds4dOqfhnUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCi\n2mE/+XR7aGtxJfoSsxwQsAweJ5oroM2LKHzuriIjVAIhAOl1T1jr6fG41wikCp+D\n40B7qlU2exm+hi3JgKZQfPpS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbYbX5Qwfw4BzVjClxg44xNTqVA8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkhDL4ScvzDFWCOe0y/3rLZmSsK6/nk+NwkleC\ncMctF5e166rZrMoqWRdSsGTdJtiDtinZZ4WW1pTmiILJahcwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULhAeORAbfwLkLGD6uC76mUZLFOMwCgYIKoZIzj0EAwIDSAAwRQIh\nAO9+0zsw70rNFR5NugfqlvjYePEkZXAuMqed8o6H7X5jAiBS/kFxWgBOptoaOHYd\njhT8aGqOswUSmwBniDGy7q+NRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUA5iqF+4CwSXqA87XC727y+vPC04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgbsYUbjBvSUl4dcXtkNzPC6Q8tFMAHEyceGBK\nFGM45uR43leVJqeygmKobcJ6ZznEU56kFAytF8D2aEAHg84co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmO4188Au1y829pToStY9Hisl1PAwCgYIKoZIzj0EAwIDSQAwRgIh\nAOv0ERyrP+hpz9eIH2Bi92YwFMd8v4ds0g42jelh/xFFAiEAqrKqx+Ok2Kq+3l/F\nJlPFAz/G1OjXS1gFXYRYjkQc5pg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUE3I/p26ntDRA+CNMQ19Xy+6DdecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEj8KY1sRhNxALoqVnM6WfWrgR4NbKU/4Axx7y7ZWljp\nwLMXTxP1MLeKpRJTCxDyr6jy82IU+EF8tEsn+n3L4ECjgYgwgYUwHQYDVR0OBBYE\nFFa4rS5LvaWRd97O3vut6EjdmNggMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAULhAe\nORAbfwLkLGD6uC76mUZLFOMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDb\nfIuX+AKupjLD9loCTErr943paZMLTYViAjfyKR11JwIhAJfkshsVtLdFGeLhc/eD\nPIHvQeAl9qQwqdIude+49Zw2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUAguLG44cXoUWswFopIaM4K8c8HowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHDWMmBsm59nvZOlEqiUFnmPqhBe5c2B2gHM4+3VYHph\nnGitO4D8BPsVCsOsOgNPTsdfwVTw3fks5bRZObA4al+jgYgwgYUwHQYDVR0OBBYE\nFOwUhVerSlWy6/5fn8crSzvk0Q+iMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUmO41\n88Au1y829pToStY9Hisl1PAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC+\ngjHTy+5gUaek5iCq6iejv8pMOSdOH8UE/4oZlFKMQQIhAKR+Xd5lLeDynLmhUJXZ\nR8Ne6hsoyGl6k7F38K9uUDkn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1329,10 +1329,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDK//NcJaLLrR09BvijHHG4uJsU4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDhxpVcV1+9LdoCQ1q2WN1aBNYrERQCLYXkeGK\nrvGFrcmvGtj5YxZ+meHJnJsB/2//CV518eWvpASres67pLOUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE4viuELDIvIEQKwKfF5RJmwqmV8wCgYIKoZIzj0EAwIDSQAwRgIh\nAMOlzVtrYcJUxYt4ZfN7JwLflnrH/KBXWJx2S8Y/vsl7AiEAjpW3Nqmd4CPPhhL4\nad/YDlEzP2z8ZfKCoJU3SzdTBiw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB1ZfJ/Hm9AnEkw0wAu6xPeq7X/0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjFdMFjAjNQpQtnR8B5VLhE+FBY3PO+XCe8S3v\nAZ91Awu1Gibu3HX1l7rp4+wsm+VSqSMFM5Gy41i8UIME9y9oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyOIC7TWknaSqpf38WQIlBKu3GDAwCgYIKoZIzj0EAwIDSAAwRQIh\nAI2W6chZl8ApYD0L7AgZRNSCrWzDW+HFMkKiFZa3X+cHAiAAxCHVmHZo1JzlSnpN\nr1htRnBiFVgtCeaObrMTYpVqxw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUXn8OHfIhDmec6kTaM6u0Ltk51iUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBszqM4xZsjrOG9/7hSQbWDAjvLGP86v0anVtS7yPmHG\nlJKjJ1FY+GTszELHVTVeEf1fjSF+mj2g3JISlOid5umjgYgwgYUwHQYDVR0OBBYE\nFO2+7DsXiZ3L0Eel1cDrRK/xVFzGMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUE4vi\nuELDIvIEQKwKfF5RJmwqmV8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIDQt\ny6iKQaLh2DN7P8my9w5qiOU7p/V/VHUotxNrVNytAiEAhzIv/HnfNjtjGG9JUgMl\nkoxYUTPVI1hqjCIoLdi4E40=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMDHzgjpCKky/9NuL/UNPC5FmTRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFXLwLL5Yx76BYmVzTjckTpaWrbw+OPWpkg8VF9pTfe/\nNTnz3GiAHBWFRABIYXAvGhePc/Y9CHOIEzq5Mu2XuxijgYgwgYUwHQYDVR0OBBYE\nFFau/klp+z8ZFpIcuDF3VfK4GcxBMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyOIC\n7TWknaSqpf38WQIlBKu3GDAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCL\nLxJQ1x0CvGBeAd8XXMX0tvInRHK0aBiZEFVUjN0fUAIhAI29l5hmyEY2gkzB015n\nlcKQPZW3vSi8hTZtELuyCLz8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1350,10 +1350,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUffI41fl+MPjZSfJFqi7/pp+jy5AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCsCULzDNlLPqi77jWvwWnN2ELQZ/4v7f2yiLr\nykidB4x0mdmqC144Ynjh3dC2dy00K1i226jHWi7ov0ctWLOeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvKyH1hKsQdlO/01Bf8lGxZw26KowCgYIKoZIzj0EAwIDSAAwRQIh\nAKHyJi8FK6MwB1Udmw41HXp3EoCJ4hWxgT/4S+YV6Ln3AiBrkOj5nL7xCNw6c8V2\ns9pjK/4XBTDY4q68mgbjrS0itQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGOPlALxLgsAlTSw2w0LNvw2ONZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiiYe0P/OzQFzi5ixTBJ+zFgNzmU6KFrBzUwMY\nk0jV+c4SX1pZc8NZ6reBURVRKib3MoN8P+5vQr7l2qvZ5Q/Go1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcEGkGvseh46a0xTOV/E9K9GFNdswCgYIKoZIzj0EAwIDSAAwRQIh\nAKhF8LI878u2vRB+w4rbdK3TCwKcxMcxDoGL/fKoVJlKAiBf03HQbiNlei8ya7pW\nmvWoZOYUXSZyms5hxGBcdvAtpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUW9JxxTj67n6aEEOxuPd+KIPHZCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsbqYRv4UKi/5P4QSSCNaHtI7mVhvDD5r8KbYbLms/F\ndeo7c1vIfT88Ujg6/a1Mxo/o67YbATiWXyCLXTJ9Ly6jgYgwgYUwHQYDVR0OBBYE\nFBkWlWyH1qNoLX6HqIAjJ2mq5DQ1MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvKyH\n1hKsQdlO/01Bf8lGxZw26KowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC18\nM2WdBqZU+PlxTHHmY/Lwtv38IjP1hWhmC+UtdIV8AiAFrh4JMIyPuDXe1O3AJUQ4\nFMbDm4exF76LyMwwIuB6iA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTMRqBx82ZbbH7wrZAXZmn3Nj4skwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC7I4VBqX3/YYcowpRG23/bbX1etVTjFvLcunmg2kU4c\nGEszfGyT2t177FzSJlrUZeHhq5msMowu9VOdePSm0JSjgYgwgYUwHQYDVR0OBBYE\nFJKcW9SHvAiiEAEkbQt4UdMpKMy9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcEGk\nGvseh46a0xTOV/E9K9GFNdswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBzk\nko49QX5GdRX0rLGbm8X7SMtlDs3E1w1ZORSi8BcWAiEAq23Ea009K41f+bPzhOaL\nErjiDlvNuO946A4i1jdw26M=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXJNCxa+TKrzZopzuWr46lAMsVPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQ05Nh8NFKV6YmvDB0Fy0UjwniNLpFru5W8q1b\nSSh5n8EQ8WSJiQFoCmGyGUIVMNh+KrLdp1MqLcVamxGiTErxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt0uhtDwi3HUMR1HMQUjR5yhbfuQwCgYIKoZIzj0EAwIDSAAwRQIg\nc+AjRHzmnFt0RSYGtCD8cRjm7WXo9QzSsNv+FvgDRMoCIQDc7ZUiH9p7t9ZyNaR0\nII0fOkcJfQl5AjU3D/7v9PGytw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTl9iYf+Cr7pKeNIKuE8Gf65U2GswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3/RUJeJ92vVuL4QExrP0GFTUn/M3gQ2i/UCEu\nMGa6Hm55nIoFkOJfmcMTPyW46qNkoChp0TUYaW4WKgCh08w/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW+YLikaI7fprSepeY+BhflCusVgwCgYIKoZIzj0EAwIDSAAwRQIg\nW5ZFhTt9J4xHvP3oSDsmcN9iUITlCUU7Z8xNi5o2Y3YCIQDePT2zoDx08meHuzTT\ncSdslEKILze6Bof3jP+S/uSX9Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUcIPJY98Ny08Yg30YHLF1CuTB1gQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLf2qg1UyiSevYc3lP7fE5kAmZgRoVZh2HVq3Q/OB40c\ngYIvLMDuboY37f4lxM5UCgA2VOV4k6YloLYuoS+TFGGjgYwwgYkwHQYDVR0OBBYE\nFPp7AgZWV5L7OUCl+tz+SVlYFuddMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUt0uh\ntDwi3HUMR1HMQUjR5yhbfuQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAtE8TAnfJwZwSFj7LJu4xoqI//4dP/rPcN8b9os+eGTgCIB3GPYQ/PT5++6un\n/gIdhKEbzT5BJ2RJ2p3eeC9oxkqf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUcUMEG9FoklcIspf3Ag2vc9APYdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK1coDhg574yI8nGSpBRAGPGFSb1yjPRuyXdd2UPiaGU\nq+BViGZI9GTly2YLl/DTR2RjuEUmS4PJMmm4BirGRBKjgYwwgYkwHQYDVR0OBBYE\nFOJd/RI2cHez7Mj3CVgZxoRbRRvJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUW+YL\nikaI7fprSepeY+BhflCusVgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBLqDDoC4EO2VmbUmsXrax4welE7y0RnsiRxCtuhA45lQIgduFpAuFRgL5pEy04\nErb6qpYnNsb2QOigWxpVHIPPEyQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAyMol3rKgjDzUnqd+qlsf1//6MwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQfG0ZU1gnX1chrsFFpQ/FG6hj6aNGVHYdO8qyq\niMX+elN+mIG8uYR8TWdqDy7mkJulABgnB43wdiOqNVi7UPH6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcVFHClPwLjc5iTV44Nn6eWXzNCYwCgYIKoZIzj0EAwIDSAAwRQIg\nbg9YDyB5wt4m2Z4XK/PKsMNiC+o/JVF47ZzQi88L9isCIQCJe/3ecuXjtISgSogg\nVmWJzZqWuSaXoD1J7+vK1x2ctg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXbRftJyqsOUaY20Qn8Am2M8LnbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpCD5W64CXspoJwlUo5Zp3IoKOEzXxYOGW02Rq\ndSK715rwr52nvgrpLf9EviDiTol3zF5pNd3w2owtT8VIwfzvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwneSxedMVwUR6yfu+PKwPwRwba8wCgYIKoZIzj0EAwIDSQAwRgIh\nANr6bkoyLuYwbQKeZs7XoU5dJ0bmefk1dZ5QcvBsCY1iAiEAwM8gTrsJs3ZZxS7U\nTgUrQ2ivwCfTjWnQI6lSGf65RHg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTp6MA2eXSL0Fki4gk9FhtHETqpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBnKdpEm36dOxIyYfoO+g8fNNfrVYEmNwzDCey+/FFGt\nVM/gZGZPoFMR9OsJwWJA43QioalEqTEEZl+XuXsIi+yjgYgwgYUwHQYDVR0OBBYE\nFAttcWs6aExXb8hORGcOWqpm31XUMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcVFH\nClPwLjc5iTV44Nn6eWXzNCYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHtH\nMCRl3DHGtAX0lpeKxQZ8w231ynqJAADOvBT5hMh2AiEA33otII7Kb0CuEq99mlAO\n9pe0pKgIEh0DCSGw1RasEnY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUHN9Jg9vEFpbxf+EueRYIwOY2oN4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC7FUA0vMtltBq0n4fodsPeJVQagEvU0/4JJ/9x9FXBm\nmh/l6nYkO3cwCIl5O9AKpWKX0gtKFIOwTf98IuRFBZmjgYgwgYUwHQYDVR0OBBYE\nFA32fM1K+FDhyxOdOFLl8sM8lX0XMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUwneS\nxedMVwUR6yfu+PKwPwRwba8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCX\nTb3+kIydZsSat5p5JxOFHIsRJqI1pTlmiYtbc1+wTAIhAMnfrgRBFTp5q4CCpbbC\nuqYJZLgcLhWXIEPeX8NrTM7b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdDyU9XdZ2LIoajreFBm0Lqz5dXAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCmb3IENifXspX1S5hpBPnwOc4VvKKBb0UGomC\n0zX1+qfieKb50fiMft0oImDIhEQPKyaDF2btxkvoPL0DGoIro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvWY8iFUAXADYslhv9++fVuDSD6kwCgYIKoZIzj0EAwIDSAAwRQIg\nZK2W75VK8MD4TQN1SMdhN+1pXS8A1IswVbpoQWPIwncCIQD//okx+hRdY8N4B/cB\noaZzGfTNj7ngamfBkvqnIl7gCA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEw3lgIV5ffYstWqaS1Wb5M/Rub4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToyL2v8DfnPB8pQs1XErw/SOGX7PdLpCRoEwBI\nhkmO1AGtfCOTaAZeewFNTYyTae6PnIGo5jkS4JzKFtsGm+2no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuxkdHd0IAITzWK7O56quikZpbO8wCgYIKoZIzj0EAwIDSAAwRQIh\nAM2HSdZMDV5v5htdUbyAetaXseZ5L1wd0bENx4TsS8ebAiAYvtlZvie/X+DTvwUs\n9iranYcebP4nvaM7LX0gttYsIA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUF88WTCA//wAR9qac+YBvDnaIUYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKmz5Zp6CV3ysY9UgM/uFE3BhYdv8LVoOPwaDncMmsjB\nhSU8pSxnBXZDU5ZF0zxwTdzw6kANqWSzHwiyurqWWFOjgYwwgYkwHQYDVR0OBBYE\nFFOH57g+V1714+57jk/3Wyzgt2IDMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvWY8\niFUAXADYslhv9++fVuDSD6kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiA2JQxg4nTpKtTNEptNZuUsJY7s+fRxNQMEM0YcpdaukwIhANIlYjnmqvDonC2C\n6fuDVIrCEzV59c2JWTe7vi8vn338\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUB/2NVFnbOl2xfRibuDsqdTV++4EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGSU4GjJA5TBSTKCmmRR1vUU2SoAcf7Jgpy9PpQQl/T\nIF+jd8GJD3a4vvIBbasG0ZhkmNOzkFDGR0q8yAImksejgYwwgYkwHQYDVR0OBBYE\nFBJ9URCCnqeiUVmTRl5cvPg0v7mTMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUuxkd\nHd0IAITzWK7O56quikZpbO8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAYsYC/q/J+XkVCd0e4+66mOWZXJKswjYTSHIDUZqTKvgIgf6fniqzrkBcd+LZx\nydPlEt5BP4W+t0q+5YK6jyEzy8c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1436,10 +1436,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUa0B8vYHOlwWnwbENLjdp/ZkOW4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASu9F/GQ98UeRZiXk4WzTfAP1h7rMfpY4BS5Eyv\nL44JM4xoWBBqtnPZQcZmPHzoQue38tRE9QKLNyMnCloZMxMlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnP+CUrE2gno8dZYrNziq2FyakLcwCgYIKoZIzj0EAwIDSAAwRQIh\nAKlG5d/YwlQ7bvxHQuI+KzoknquWtlJZ4D45EiHkY5n8AiBhwVI0/cshHqxjO/NJ\nX0I2Lee7vUmZtVHDzUvm7xqLsQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWFK6faOhPH/t97sBdwNiwucMNf0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbV2nAZ/3rzpvbdg61cBhs69qXcZedVyZSvYD0\n+rOB0XxgKKupp7rTRH7GY+rt7vcx3wuiJIvijh8GvocfmZe9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIySCWUuzrY/Mx+YO/WHHTRm5cIwCgYIKoZIzj0EAwIDSAAwRQIg\ndaulHc20MQRTeQN8O0lyH5V8eMsyIqfbJZR5zhwBsN4CIQDRMhF0crdoCKHbU9fj\nEQRngTqLKT/2+amxJ61aduQMVg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUYAOkMZxzwOqMjkymGyeoEaL/jw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDBWKJj/33pjQqou7/9uUHbYS8nVBUqt4SREk9QYXC97\nKfEhvldyoHo2B2l4XO1fpzPVBGJTMME+EU4IfZCKp8SjgYEwfzAdBgNVHQ4EFgQU\nX+O5u5POq5HwhWi6aHwwT8mkixwwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSc/4JS\nsTaCejx1lis3OKrYXJqQtzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ6KG9zuxuZC\nRsbucu5z/sNB3aZu9GOcIj4ETnWEo5LqAiEAuid3kQKYhVmpuu9dg64Hs+fJURhf\noJo1HbhHYJGqFD8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUQhJbdqA3ShLFNkASXQfgozteffkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPxhSTlO5fQa1uqgnt9ipkZu+BLKmhZHSVN1oK9JFvc8\ntSS2QUBVZNzPZZRMnotU0BGF+E4l3NL7tTLiNDsnlLWjgYEwfzAdBgNVHQ4EFgQU\nmu0G6RJcPkXv+SVx+CcEcyRLR74wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRIjJIJ\nZS7Otj8zH5g79YcdNGblwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLMln/GsStXTb\nWPPqkoMF20tWYKZzKpu/sSdv4mLa0dsCIDbCxgHZ3n2YiwxSXF3PkKKiQtqi8UDH\nl/Eg79dV9xTx\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1457,10 +1457,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeC+E5cJiZtuFAuwCfuLT7Ey4bC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4yLANFLPjB99wxvxxtemA7XlDLz3fUmahhwdJ\nwxLtTaCVLTfVDY6D1c8Fnt0mhMZApG7p8Pawg+WhDpqb3V43o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR2BmOHbcZyJhJB1lXCt/9PCnVfkwCgYIKoZIzj0EAwIDRwAwRAIg\nJ37uWrc+XnjMi7UlFtAnDXpTZw2S/W3Nr86IX9cA9ewCIGK/cD5gKUYz3kUcbJxB\ngZK9WzYripPsgHed1TJFrYlW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUF68BD+OoI3FnCnqTuYsZZ/AS9o4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBCye4Nhwq6XNZakBAqTyxmmCRScIlagYWD9EY\n3usH1J444pe8gNkKA1rPKk8wPyzOJkgaEQMBNJ7/a68X5jSDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbaZOd9GYUVj2gTvBM68kEGsn7z8wCgYIKoZIzj0EAwIDSAAwRQIg\nLiO6D/WsfzyRg7pBgcRfDis1ujlIkNAsW9kiYupvu/MCIQCPYf+1E7v/o8Di61vs\nge8q0vYqUN19u0Ai2eGteKJ4sg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWWgAwIBAgIUVfwsemAn3UaFSTgA8ZSHARiIJtcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFY5lcfDOBjSRxrFkicj/6FTltCBfACGxtNdPWOkbRc2\niRUVrqiVlPirNbXsWKbNMXXVNomIIRkM7mo+Qf2DIcSjgYowgYcwHQYDVR0OBBYE\nFF5LhgyLO0/k/oba3rOtQ6JZJYdjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUR2Bm\nOHbcZyJhJB1lXCt/9PCnVfkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\nDGs8hnUdN8hGenn7ZSn/igVrpAtNCb2OGZBa/7oQHBgCIGYrgJdUrAWpoWTOhYqc\nkK6xvBrXr5u6ES9UlGHvsmZz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUBhCxzgpW1/deZfC5w5Q8fAFyG2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO5LrVed/MkXFxkHjt52R8nxxNFE9rxQ38tKAEkwJ1uX\n3DxBlbFD0ffGroV0H6DFFLuXkvMDg/Bc7Z0Oq5aI9pejgYowgYcwHQYDVR0OBBYE\nFGSQPyqf3h8dXuX/Yl/7ge7XydDzMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbaZO\nd9GYUVj2gTvBM68kEGsn7z8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAI6wmdeWoJhrZGnIL13BBOxpgohUYTMV1p29NFlI4aXCAiEA7MctLuzFT9f0W01V\n1GV+VviuYzZIeIwuc1CbtVRZcY0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAPZggVY9CG4nP8hUeXX8bAYJ4tkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCt3CMWBWPT1vl0hdCHcHqLRSuyAmwIcZeQxCw\nsch5WCYerEayZEQ+Bu4JBBhy2M8goyX0c2Oz4SC2gkdx9mrfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1TYQ2eAyvd5GHQ5nF+mKDVb+yGwwCgYIKoZIzj0EAwIDSAAwRQIh\nALa9HMybCL6R+vBomvgJtDKN2TINxGavv9QS8DpbHWLfAiBcogZb9TPeQRRcav/7\nngDhWH5Qo1xy+/GraGu7CKkdjA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBCAyc5BABMMtW0pauPE3s3cLf14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcPBY+oaTmIwQI+IZibWYgDwbBgpT5R/D6EZ/g\nlik1Kx47fP8E/7ezpr53I9EI1Qzi9XtQQF+xetRXOc3KoBJko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUulEHgncWBW49aPnzSmvSnqwORz8wCgYIKoZIzj0EAwIDRwAwRAIg\navco84GZTl+2R6lSmrLiKqf6SRaFZJoE2qI//EBObxwCIB1gvxvDDa7zCdK5PFtj\nGQxRIq7LQ7SPjbAiODSGQqtS\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUVbSZNaaQJroCwKwoUQiJ2/8j0wMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF9UnBkApwFaunsRUF5v0qx00yhBzW0Fdy9JWbg0NRUX\nZ+e31LkgBlDZ6Z66ROlBq5Bpm7YYqke3N5UV0Va9XpWjgYwwgYkwHQYDVR0OBBYE\nFG8/XaIB9vj1H6GgtpPgCztMPnIaMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1TYQ\n2eAyvd5GHQ5nF+mKDVb+yGwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAvYs6ueEs8Ov+fqql5CClTGvUvtKKZ9mvWa/mVadA07oCIHFYpMSY63UiugFk\nJzAEzwsPNThnpmyd9bcqz9al0lSu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUMTAC34lfIqHpl0+U51QDGZdnkYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDH/0BYNv6jhMsmbZILEubSZuJG+RLXAqGJmsGXtvbFS\nzMsRXBrgyZbTA366ShyUh33DdZ5yeesvASZnjCXqPkejgYwwgYkwHQYDVR0OBBYE\nFJI7fBAOh93UHY1NJcaHnz47U4EJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUulEH\ngncWBW49aPnzSmvSnqwORz8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA4ttVVaPMPccXXPmpTco8H14rCSWF4F1P8Q4GU/e6298CIE3K3q2r814R6ZYu\n5rawtQZGu4YsrGN10Te3QAIMSk8b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA1nmYPIbFVRSou6ybRawbEolXkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNSY/ll3dd8ykEqgAB5WZpvu/YuLY3yPVjvlG1\nFed/pfy5etB2miOa/mPc64bdzw3WJSGb1xmT6ZaJuOQsBZsqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVeEx3z97RWXjL5Tb8u73pQROIrMwCgYIKoZIzj0EAwIDSAAwRQIg\nPnfOt5Sfjumg3w6vwXABi9CKzAKECn2DZ2XDoCQpgmUCIQDvkJSw7PN7rt2gS3B4\nNOmZ42s09rYT+9RHRKL/C8hYvw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdDpLG+Ne+UmgNMAhupSvW1/w9MEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEvPKWb7jaR5gavXKcXHACea9xs1Rnh3QeZa34\nsgd+jBUWK7737HTLdZgTr94Qf6rsH4dhJGYEAqTH9r6EO0wmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKGXPZpi5nD4uoJnlv8OtjsNx+hYwCgYIKoZIzj0EAwIDSAAwRQIh\nAP/E4PfeGYiZstBRH7N8eOaEH+z5h+NYtC0flbt1AGi9AiBkYHjp5jG8TncqHVjD\nEmnZS/pOpgDi1GhvK7shp6kZmQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIULYwPYlFCD26oXQX9A5ZBXbJuCWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLekEDr2jdoI+g/I+AdEsgMU+BZJd7DXtxti3oxg76em\nUIYqP1jSDaQEFAQKh95X0DrWhlp4ARCqeVdGBeBRNcejgY4wgYswHQYDVR0OBBYE\nFPGlFjQ5IT+xVCvlDB9CzRhxpl/rMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVeEx\n3z97RWXjL5Tb8u73pQROIrMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIAdx3WmYfbylhV++QfWRz2vlxJ9zPU01nT1QXqvLdg3IAiEAqk39n6pOjf2u\nkxy8+SNOTVZ77z6uv9fx8odTqq+H6FU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUfwdSh8WoKK1Bdrwr1M/IjGINf10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOP+d0xyraLv13V8O16T/9zmMEbO1i5LDjOtqEloIPYJ\ntrDSbj9mJU5rdP57A5ko/0huiGN0+VponrThXiHvX8+jgY4wgYswHQYDVR0OBBYE\nFK1Y0BonhJ9uEaruSy2K+MvjwAUXMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUKGXP\nZpi5nD4uoJnlv8OtjsNx+hYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCDtzxF36clV3HtevMY9/Ph8b0JXA+ve3+CPxw3PL1gngIge4DINIB//8np\nwL4QARYDAmys1nvdmoue+nqmMZ/+IkE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUbo4KrDtETptBKr/zKetdnbOFpx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8BIHSgzmQbc2W9V78zxYeSNsobWwDzgcjpnga\nt9xcMeZc5tZnEjGlXF31UIgNn58TO97PZKOf5elk6E7YRp4To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ1PylL6t7i3rLv+1946cmQ4rs4EwCgYIKoZIzj0EAwIDRwAwRAIg\ndUZQxtBFl0vNVhS8IO2S4VlMwjA3KZ9/Y867aNqV19UCICZI61noacmIEWgTf/05\nR+gjc4do0UMBDfnfNfn4KS2p\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaXiEePtGO6TsjS91+lFHRri7BKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEQE3CzO42m3pPRAmFAeyQiiaURe9PaE7jZVEz\nY/Cx8nrM6BpajlKh6veSvtA76IeB8qhHZzVO7gTDAkr9OXqzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1xR/66yYY1f0Xc9dlcKbBIHhQWEwCgYIKoZIzj0EAwIDSAAwRQIh\nALdrIM55PoPgtvDO/O2DCnnYDFEWBqZWscY0TNiAbvQQAiAWaklE+VHxQnRam3zk\nqO0QS2GOeZU6ZbaX1kTblpaXoA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUS9KR8bVrdt0N9yNB6z594eWlZIgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFhqx+/QEm7ppPyEJpSK1687A4kNW8MMQX/+4K0w0KbX\nGfSgsME/laaDA3cnKhOEHm5kX/mix0z5MXVaXaslIyCjgYowgYcwHQYDVR0OBBYE\nFKonDPLSEdsShZBa0NGER/GcuEDeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUZ1Py\nlL6t7i3rLv+1946cmQ4rs4EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIg\nFGl4UJCRIuULaU5WfjBzQ56Gr4Ya/1HtvmIbFcwrDW4CIQCeLdxi2Rz2Y8h3KSvo\nkBBiHvjy/LI2vi2EsrHvHjaDjA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUJwKBegHKPHZDyCYJbdCQ5vlp15MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMeGJtlUxCaJOVZ4wpgy8xiyHTJJOLbiPEFZ42hFDFCi\nA0bjtR7Xq3i6bFeEzQCGDknKSejl40QJcscDmFKCeTOjgYowgYcwHQYDVR0OBBYE\nFHU4xD8hhu5r+S15CkjtnhMciAykMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1xR/\n66yYY1f0Xc9dlcKbBIHhQWEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIg\nQqt9aFoos5L8OWgAHxUz6wX1LvRre7zgZAgoUmbyYeoCIQCxqA6yvckzMWwEh5ui\nqCc0dOj4Bi4K2LrSQbN6XHLVnQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdFm+OLfThlmCShbxWGZrvrrNJ+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ98ewhzoidsNKLyS7gtTCzmJFuIyfRg2V0dxYz\nBYoILgB6Cl9Zhkb4xLl4Kfy5H3xe4Y4fzHF80qMvY9Ttaxlzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ASfCYTSJFc/XiKpGAvPA/zbTGswCgYIKoZIzj0EAwIDSAAwRQIg\ncuzpLP7hbcF4buNobPiuC398vhFJ5BLfkO2T0yfWChcCIQCgu3I8W3y+4W2jrdEg\n0GhiENLActqoAXE1xNXlCbjUeg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUe+NmB69IAJ3wuaRWE7f4m1esWuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhCYCtXikX4StjoiFy5nqVUS4vTsxVkfHc2Vs1\nFJMYFmUKkh1oU4O1/bMULk6rmJvpg4bscI3sjTf8JGb/bWtjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVCwrXGu5ihhcvkE+a08+zo0OH0IwCgYIKoZIzj0EAwIDRwAwRAIg\nfaL+f+EOJhR+ZnH7DJ+TJRjCuk5PVjOMoUx8FP3PprICIEqOsj5lv8/CfSFgKsNX\nF7pgNXLmS3Oz4RASnQwUFUU6\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUUU3v70ASSyGfZxgPY8TznHCY3/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAQdZPgGJGgKlpI/y9J2I5TXz4W4kvdsjFsqfEIXkFwf\nRr5TWvU6h6QDD2Fz4Y4jYeJcvAFenTive4o+TglStcijgZcwgZQwHQYDVR0OBBYE\nFJbzsQ2rywjdyifSvNpZhLFBf/BRMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU2ASf\nCYTSJFc/XiKpGAvPA/zbTGswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIF72VFQLOwzN7btieP3PYSyKq40FdyxArA5rJ/jN1OkAAiEA\n+8t+dO+HZwftDeHJinZwaIhdCK8U3yiM7Z9Xr17CduI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUDTPTsdq+qbz0BPVcdOjz25PQS00wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBQnvm5CbuO2YKAECWM6d6K30kUiCRv1tjYAgpbL97rh\n0nXiYyHNI5XhhS8y0kLZwG/f7/Zg+Cr/NQuvobSgSvGjgZcwgZQwHQYDVR0OBBYE\nFCYxsZe3LBxkwjenucrtjjpRpEZQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVCwr\nXGu5ihhcvkE+a08+zo0OH0IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIGnQa+C3lffp9MZSv3v1hyLwN+lHqZJikcw9eEkV4XAcAiEA\nvvtrNrNWQQOYvLg+3N7mo//1C12KapxFaw95SsbPdqs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOF6U5L68X/ULt71Rtf/IPK+c6lQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASbRiB+3J4Jxa483VE1jgLIsmpK0r0kLKwLn7Vd\n4lqVbr5SLvxd6+plShc3xes67+AN1mxyhw0Bcoyt3dr2E3PKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa/S9Rczl9pxftws7f1em5euDfqgwCgYIKoZIzj0EAwIDSQAwRgIh\nAO6TzrQcjEXOzrnc/qylUc8KewOqK0RNj2+1RXmJkgYsAiEA518+Tib7jz8iIN1g\ng5Slf942kETLXgJUgG1p7Ssohdg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUU2ip3/I70G6ALiLmlwdDGEbgdgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARs6FIjsJnp440U/3t72nbUxNZZbbU+roctCCCq\nYU1H+Nne4K9cCX7xUeJi+mDeoskVQbVTuwa4U1qslnlohCeDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUahihlcfOIbfwW1Y78R8omsjGxMwCgYIKoZIzj0EAwIDSQAwRgIh\nAJMl/s7bIw+dRG1wg5xWoeVfMb1ZD3RugHo0ysg4gEZWAiEA2kWEPK784k0oBXEl\nhwuMoSf4m3TXcbeO7hnRT/GiC6U=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUCIvcUYpbAOpfIWtetOhixYCKKnYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM37/0BPi0xMmXrlIUTx3436+l82HDidSrE4F6ri2CGH\n9sG2pzMucKirAMEH9uVlZ59ZzcCfJmjM+MR9K+8+gL2jgY0wgYowHQYDVR0OBBYE\nFOPY1txmRnhogfldN/SgmlYTCDL2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUa/S9\nRczl9pxftws7f1em5euDfqgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgKeyR6WzYY1lkWCY7SuGZ0IkwrjE+WzIurU3siPypMoMCIQDpv9K2UcvQ3m3r\nZYzBNv6oGhFJOHO3rIdopCOhUxaUUg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUYVNVxoyT/Lacqtlx8grSyFz4w80wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPA1mbmCPA30UDVJMwgBUFJfIc+gaQ33ib3mvEd2dpYh\nAADoer3RehTIg8JzUZYyM4YUazgzQDVcahaf8kgEvUujgY0wgYowHQYDVR0OBBYE\nFHkKh5JUHtSg2v+MA7p1q6zaFYqxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUahi\nhlcfOIbfwW1Y78R8omsjGxMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgHIY46HtdtvjlR5/uWqyqrhj5ZWQ93ppHfuUkQggHlNYCIQDNWXMawXm7nfxH\nvP1FezURNXEFZePazcKyQI5r9v0GeQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPyab4Yu5q84TjkIDKeAzudTas0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ64UeHPobl9AkfZKZvoC10P3HtDqWbjnrkU2e9\nOL7udU/ZEosN6atTZED+xOwN6haPtAkMd5WCpHUXcDkUb3f4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyB7m2RRrbjMSq6MqvATxtxylp50wCgYIKoZIzj0EAwIDSQAwRgIh\nAJVHn+BU8Enh1B69yNzCXHIhq3ZOc8PlydavY3Ha65N9AiEAi02t/wWGYgpmSnuf\ngCGVDpuGH9Y9QQgA8LjYigzUnRE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ9AUDMYB0pccqW8y881Og9c4qsYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQDT9WsmZbuhYvDtkSB1xkSAox4yPuy7afwbNU\nO01YOEgrgp3GLWnpZuAlNYWkN2SYWKkt83skeXDvgEiaVnoKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnDZDeTlFYCytCLl2+/FqqQhSYd0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN0wJm55qVNLNGfYMZV1zCd6RUQX25iUFuaNNK8j1WrbAiAfPW4Cte/YhKJF9fDH\nAhWTkoFSsFkzPBPSGyVFSf9uHQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUINFeKOY3zHc3ArcffPFHnvdAhBswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKGXnytMq1X1tq5LzcrBK2kltLALZUgizwILXcdXriST\npPZs7iYNdvjs9hKeymhEJpEh3FmraoVzRmXTyOk7fwmjgZ8wgZwwHQYDVR0OBBYE\nFKgRhHrfR2j91XME0t06hsZ7SODeMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyB7m\n2RRrbjMSq6MqvATxtxylp50wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDSAAwRQIhAPYjhkSkpmSzSYX+euwgc2FS5QDY7elYLdUN\nB309bwLrAiBdRXE6W4gM/2r73ztGFo1ZYsu1EKVlJtpZG8t8LRBdjw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUHT07TbxGny14xvx6jzj2XsQvvIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABApO+Jn1/zuLVTBeGWYKX3dPQkrN7UCZYMlia1gM2CKL\nckp82CeS4SBYplaoDLPK0Y0Z1bg7p6OERjJzfgIY7SijgZ8wgZwwHQYDVR0OBBYE\nFPfhb/cPjdJpssNV5qKe4CHEClqNMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnDZD\neTlFYCytCLl2+/FqqQhSYd0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDRwAwRAIgH0RhX3E8iKSIJgqtqQ2vljECGKuXxbm5pU8Q\nM+6KQN0CIFIeEn3VvVRA05j3dFjc6qGqRHLkJ6PZnvpYNB8UxbmY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1606,10 +1606,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUamKF8YitqgvvoxDqqPdGQXvE3+kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHEgi31EV8MTgWU5BcFQ6plFWsvsWJLn686su+\nTMEjaKPfK+XuWUv0hcmAPnRKD67hPfCgGpIO7koRsXvZ+Zw2o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpa4Xlvwxwe2zF25rKMrO82Ro+icwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgU34Iuu9WZ+xh6gRsyJBFdS3T2ywK6/Fc/6AE\nFOArBeUCIHYmE2sO8I6AMeXVHuT5KE7KRUX+QRSumeY69XnsWGBW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUUZK5xtZWp4hj/p9VXBu5irT03hMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwHf6L2jbjLEJPAhrYVGRWJBEZx11yEVeZq4lw\nXdSQzyyxVlkm6k4s41XXAbEMPpW5LROmjA1nSwm0ZVhnURtmo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrTAlVGRUVo+CewPmGYglEf5K0G4wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAJhBU6sC03h3ACrPj998vgJoWQWEXjSVtcUS\nsoM/LoItAiACX1o5BOqP72vq6prOUYWmOraao0/agq9W9Qn6TAUm2A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUcOeze+qUoWyrlKE6l2AumZUd8hAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJA4qkJlhnRyE2gmo/rBTvpJMIKO+noysm/wVWkKz13E\ndk/yjn6ldyV6kd1xr4ZNFRn8Hxfmgd2sttBzTWLOTo6jgYgwgYUwHQYDVR0OBBYE\nFMknbWuoqPX8JI/ZeB0AlaREimLQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpa4X\nlvwxwe2zF25rKMrO82Ro+icwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIASS\nWFda3vMirEQ/RSZYGJSp0VFDHNLG13AxbiIO68E9AiEA+amVPP895xohj+CorS9D\nKrrfDZnJyyNR+8A7DTwzdBI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUb3xayz7yZfCL86orkNHRGncIzbAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJTj1nFZfCva2oxvDpcr2kYCaVfmvQPnt5BhMJmVYZey\nKVM2pPG7uICC+E7tjA2ICeTGjuxeJwx1u8rpYqNsgImjgYgwgYUwHQYDVR0OBBYE\nFBZgzygX40ZVG4Y1OdLyWVK4z4J9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUrTAl\nVGRUVo+CewPmGYglEf5K0G4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGAo\nnnG4/rTBBsKh2DYvksHhlPDicg+ynHME+rKsLhz+AiEA2brWMQQ/g8P3p/3hPMI8\n8Tl4DtklfihEap40H3h4NHc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1629,10 +1629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUJFyd/J9ROKnEUr4W7Ju1ugk8dFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARl/AoN6Zd6CQR5v75WiSHVAjAMFP69ikt6jd2h\n0Y+m2KevQHLt3e+lc60st4vPVpa6muDyVwfizORxoYGj//pPo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFCOT1O2GunDFDi0OxxNxe4VNx/wUoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQjk9TthrpwxQ4tDscTcXuFTcf8FDAKBggqhkjOPQQD\nAgNJADBGAiEAlp31IrCjLLUPt9kjw5TL0JIBnYsLxJsqDwMLEag3KhECIQDXz6tG\nSW7nfzyxGOD5FSXOiWk1UKYICKAjOssoVHyIHA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUO4zl4p6uxoLw2xva4N4yOl/HGFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATww9HAdK7/QXTTKDZNC8zfQP0h5UlNpSR2mtzr\nrMS5ji7AjD51dLZ150TD2eWyVnkwfMLO0Dn/GWbPKJmOhefjo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJ6r7pGlMBtS6kaBzns029WEJMploROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSeq+6RpTAbUupGgc57NNvVhCTKZTAKBggqhkjOPQQD\nAgNIADBFAiAPbjnECYBVdBQP8JoB8azly0soy2XUPj4QyaRey65TYQIhALVFKXFs\nYCZ+IX0nvy54QZdT3bZ+mY6vlvbYNjK3bgcR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUDpI3WLlJ4RbqdB1LGr4HlWFuFJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAE6dnlgFDfCnbhQdutzG88MfTHjLCs0ABNvAEyI0CHN\n775gtWDRBUioIQOlaMlU1YrBtF1GX+D3LEw4efAJ2g6jgYgwgYUwHQYDVR0OBBYE\nFDli9P4QIeiPybAfKyV9X6akxtnAMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUI5PU\n7Ya6cMUOLQ7HE3F7hU3H/BQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC+\njHVPiSActTGY21nTNKxIXnkXqCKK11CUJ52MQPqTAgIgUUEFyIby3uCbyaUoFJ7o\nkVuDF+W/OOPWabLIzrzLH98=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUFEfWCQR4TlckfElXw4JycJa/KDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAQ1Ttrj3GtiQ/LgZiWc6qlNnzjXMzOgiZz2iFB8k1L9\nQHFRB5v4m4dFSUNKrTMkjYvlEQMlwRSWRYcvO/QamjCjgYgwgYUwHQYDVR0OBBYE\nFHckegGqMOaHK9q6U8RS9uSpWxklMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnqvu\nkaUwG1LqRoHOezTb1YQkymUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCf\nVcPo1x1K3WhcMWoo2R6IetrczijMIt6e12ssXfTGSwIgB9A0SUewcWYTxHoaPpmP\nrbMtjwJh5TwbQXN7KYSHjxs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1650,10 +1650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUdp8EjpvZ0TlKd+82iMh7TcUdFbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6dn3MXd7i1DFqMOudKMtEI4iWcgZC+uaNcs6K\nhs+R6vMnNj2T3byqslFpAaG9RdDy2RoK4W0g3XF1xds1PTXgo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQPW8vQbqwn8hKQkM12PKQs5CIS94ICBNIwHQYDVR0OBBYEFA9b\ny9BurCfyEpCQzXY8pCzkIhL3MAoGCCqGSM49BAMCA0kAMEYCIQCm2JYzGsxqzEkW\nJeaZUeHzKoQ/1sLztw3wyzoQCl6IgQIhAPLxiRBbrNaGJSFvODIyFURuJtNvW34t\ns1uBh/Wgheh+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUP45qtfstlKTBpbzb3jrC6TRau6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQYSmBQ1UoaEuTqGXHmxBJS2/xpzSqHxPH4TRF\n5t0Ehowhp2mBWyOSC8yiaPif5pqO4+RDG0cGWaqYU2+wRiYho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBS56gbQyQQfWZPdUt5H5ufhZTCkbIICBNIwHQYDVR0OBBYEFLnq\nBtDJBB9Zk91S3kfm5+FlMKRsMAoGCCqGSM49BAMCA0gAMEUCIQDilKrjfTLGq9Hm\nldwrGRmFtR79VP4TOAAZmYxcBGO4LAIgPiXKcSBUPBiva1Ns8bAiDR3WwH7rVgoQ\nFw8nnY1IbXc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUIoSRqrStGsBZdavx+eSj0dZu2d0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCdzLMc5D3KpVW3rbRipPtudy288AkswVDdfOjHXxTGs\ntgXF/NwnWIxhEwgpQLchv521ssO+z4Sg0Gd3oKdMMhyjgYgwgYUwHQYDVR0OBBYE\nFJgr5Gc+refUu7nDVY7ogWp99W+hMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUD1vL\n0G6sJ/ISkJDNdjykLOQiEvcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDE\ny/MFmmyfYagWOZCwl8Z68lUCNbNuIGV48h6KJej0zwIhAN1OmY6qXVEIsfoJzrR2\nICqb/7EOdaHXp2sny4jOKZNi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULYloVgFXjdriLVNBquBrc6Vo2PUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHFnmXRGdfIpXNdJa8krjzAc4RSEhPiuEuGr4DIzy2Cb\nARC+7Fm41fsOuEkykRjhcEc1CrXf0p/cAYgsd+eb1zujgYgwgYUwHQYDVR0OBBYE\nFD+UcFt7AIz1WMzIVP6OlSv63XZtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUueoG\n0MkEH1mT3VLeR+bn4WUwpGwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCQ\nK3YOZmC6z0J+GJPIWsYOjXdKufVeKs/W7SSq0U2E2wIga7xtrw9n3GY/TeUZdf9R\nUFMDc2qkO28YcNnxIXX7rFU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIULnARm6EKV3DFbLuWQzNobHuYUl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQYQqvxBIdiCRDI5dzf4KJLoB86x2GrBrDV2L9\nnRARQka4F1YjueFiHcCPdq9O04O+AYqgMdLKEzZjRC7YoKVko4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFFMzEY5vNxhMksaDGOSNhNRYJ8zsoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUUzMRjm83GEySxoMY5I2E1FgnzOwwCgYIKoZI\nzj0EAwIDRwAwRAIfDg6nYHV/FS4gfNi8UfrtQtoy8uxlr1C2AAAQOSsKRgIhAOh8\nPG/UR64VrIxazMyZxl3G3Wb4bzbcIl9vPzWwYGQe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUcSAL72rUq+yI1wWWl0zF06cC//gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkeuCavMhv901Aa88D39NFidOpmP9xDFeUvEcY\nsr5V6C4xZHSmIy/J03PDb/ve2djoGmv2aq+qMa6K/zu2L2VQo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFJN+uZjXlaZX5TNw9ha2WQmBpv5ToROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUk365mNeVplflM3D2FrZZCYGm/lMwCgYIKoZI\nzj0EAwIDSAAwRQIhAOokR1a7cdEQyBNYoWDhr0ZdHGJuuc2rguG5uLdnCT5cAiBo\nxtz29Kelaccjggngc+aXhAnjQ1YsFvm6l2OxYKi4xA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUNZeJlDFpU7giWKpzeqBemdhfcSowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFAxs9L7nqEqNjXW84Hq1Ol0QZZ+jMH1mtr63lrKKrBG\nh/OEMSHs0DhJEFky+eY+iH8+8a29/wVOThQc7OHj8QCjgYgwgYUwHQYDVR0OBBYE\nFJGCLiPcyvabIMyLQSjChHeHuFFSMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUzMR\njm83GEySxoMY5I2E1FgnzOwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD5\nxYr9XSB0skE30VO59L5zO8EyPT8USIqMoNG9JFha6wIhAMA70kez6fABU9x82rox\n2mXBLoZLFTcfls4Ahkkto98y\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUIDcBNG0tZkgnKjq6d9ZJcTYdWT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEsBTs4AD7qC5g2JuZ7kFPFdg9jLG8xFuA2z+FGRQNfT\n+sLCfPSzhUq1vkhweOt3EjEef4QxcazIZN2zfWSfnE+jgYgwgYUwHQYDVR0OBBYE\nFMZTO+Noxcn0K4PQILSLhW5q3zPHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUk365\nmNeVplflM3D2FrZZCYGm/lMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDPL\nzXQWrfII/ih3SDPJo5lctPaFRSeWpOdUnychXzgfAiAifV4oKBhSGWhDPR2go7/8\nzhJWKZ6/KS52BmFOy5gYsg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPxP5QS87QQQtz9PxqgVetsXHKMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkpDqv5u6odadv+psqXymruF+1KufVJME3LYot\ngZ/tSHCK7QsJSMDZ4zlLIELkRkY2YWGVhYLjSVOMZxCgjtiio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvs7ULa0Wm5BabIbWiiDF4K+w7zswCgYIKoZIzj0EAwIDRwAwRAIg\nSClujr7FeOCgjmoJf6vY7pF6jFMj37dvOnEAIXmYbo0CICBeKBs7pWG5wAe3b37l\nAMShRZAeq5FqcwK+Td/VEw6D\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA3TrDDi6V8iTT7fmEo4Kr9ff3fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8KXeNaMGKfbj/PO7WZWobb+xSrTSJbn2XFEjh\n2BxgSPFchy4nnHeZt8kCkhHPdehDtytW17QU985m3huB0hpko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFLY2aJzJutg32G6aHxMKpTX6pJowCgYIKoZIzj0EAwIDSAAwRQIg\nMX1PZfW8MoNTeFWSFyxD0bfgPEY35F56gbaYwMTD7qoCIQCV/QozEPQKBolm1q8k\nOnpFYjEsdYW97reizxujErpY9Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUScgiOfN12bHE4GBLj0MBVYDHkMkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDti8N2jESnEykdOO7troUVaaigvy1kEVD5MF11M\nU4C2/C5R6HXUdwyFJh2f0wD9AwjLOjXamQqHzwMdRzLulYWjgYswgYgwHQYDVR0O\nBBYEFLarzku3G4vcx79YsTNu3AUvAJJ/MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nvs7ULa0Wm5BabIbWiiDF4K+w7zswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCSSP2P3pUTJpNXX4yMs7QGbGJOTmhKIspXXtMLIWub3gIhAMMv57PdG5sH\neNgS6YPSfIeXD4hDH8A2JUH2UixxjfhG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUWlgcUnnN89z7at6rwS/sNfT6JMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABBlaff0fSjRnqk2eoJ0NQVa19eI9X6Hz/DVK8H3S\neiYzd6u4G+rOYmoKme473dhAMhPqjGR+L0p5B8w4n3mO1ZujgYswgYgwHQYDVR0O\nBBYEFFVyCqcgWxtKgUBmaDcHZUvTeESHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nFLY2aJzJutg32G6aHxMKpTX6pJowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDiQA4j1akiu7eie4EmJpsuv8Mayz2352Y2Y2tpgDKRBAIgWQ7ulYKEFgyq\nrwWugm2pY1biYl056GuFYrDCuKSI1Hs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUX3w7bvQLw5V8w3/D3eF6mAxRMfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpv/MqdLW2SOw8PFEL0APzK1jxYN5vmveeQ+kn\nKoFm/ajfv1O9RA2Y+/aRZM5qt0F4lDG0iFk4eKWejp9WBdUYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjOKNwE4iI1IooTTr3ijXswaTbSIwCgYIKoZIzj0EAwIDRwAwRAIg\nBFuvp5NUIcFfUsxsLqS3OTjS7xsmpcg/f0aB16Vd5QcCIFgtCoX04cZcGEUwIfYH\no9i2UeMHoor9cy8hE3aXlYQR\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHqjkmRd3mkZ8Ut/Y6ROoAe1X88AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMg6UVLI4j1WF+/zqjlPqldDNR4mNQzsR8GYpe\ntQb5sB+6EHhEGbj7RbiSP4KhpsT8OxpBCgs7OCbVU+PZ7ls+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5KriqO8VUCQiLpMX8yHv9T086jowCgYIKoZIzj0EAwIDSQAwRgIh\nALbI7tq9Yucc+ajas3RwsR4mgx+5+LX6/XTqdXBUdrJhAiEA9fUO86pXogrjaSwm\nmjHJ1g+f4/W/cPe+XkBPvauCYdg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUVpuOWCcJcfar89/eIMaCMsWww3UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABF9ncjRBp21K2QCG2zyziRx2abqjR1KGi7NufwJX7ROe\nzZSqTJC+SMCVNHwXZGJxVKOBiDCBhTAdBgNVHQ4EFgQUvP4OU7maz2Sbhh31pnlq\nB+t0D94wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSM4o3ATiIjUiihNOveKNezBpNt\nIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKawecOQjla2Y7L3P+ugHSJHE\nLHIGYTEl4SJAK+V2BVkCIQDjS6aTq3HkTCuV1UgB9W+C0dejKvLOx3Mjq1CYuRKG\nOA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUViPA7jdvhsvDL+LZRPFiJaRVUTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABAb1+hZsANOJla26I6mEn+jHuPXO0GvzNv28TCcHTkt2\ncCT+DGs+9jGNdNxN8pwJHKOBiDCBhTAdBgNVHQ4EFgQU7PbiLyjX1SMnVziS5oLn\n+MiZnF8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTkquKo7xVQJCIukxfzIe/1PTzq\nOjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIvoU6ifpG3gj8KJH8O8QJ7E\nRq3HSTsNatqcsWOlpoaMAiEApvQflT0BTzjbGTp4Uz/heWd6HLeJK+ksBVgFPl6K\n4uY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQNkzhTa2NxFQQkv+0xJrouLQYzowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASywlrQUYi9gpxwm46lv4x94Y87+oOBNguPT+OO\nj2CsSQBXgr/Z2rWYEKt14Fk978ArwnlA98pjYeBlFsdhNPRCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT93RZyyTeBU/+C70MWcfpasV6TowCgYIKoZIzj0EAwIDSAAwRQIh\nAJWXMw5M7egY/EF1VVieFQCBvRk/n7JzssydlHrmULr0AiAA2nV2gv8vBiR2L7Ll\n9tDbuX7iewEVgYTMG10iQAsnWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTIgLqJ/xdGugvOcSYZjqk5OontEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzYRDKUUWOzEa78ygnJy8yz2Mvn1e5QYqtDIkF\nqG+rrkmDEVR+IPkiVvuZEwYxh6NxcmWe0Ti/6JYObVFVbsaLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUox5qlwB9SOnzghY/s9CTivhfu/IwCgYIKoZIzj0EAwIDSAAwRQIg\nWz9ycgJWc0bFVf2q7rPK/sGx9FaL8IKMukdPLZh4EC0CIQCcHTuMmLy754pWVhW7\nu+Oi3G3Lr+oZVZ/iqjJvWC8xpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLzCCBdSgAwIBAgIUDZr7Hw078O19ngKo6JTOhAjg2KEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA7hjQIztlQ0nvP5Fi1Ka9SEOBtvWWj042UejWmCFj7fx+\nZAIrogCy8BX7L1ehob+di667RaA7Bs4CBMNd4V1GcSIs7dGqtvNE41D4scmJ8a/q\naIwKvBIIdeVx1eXPrmKLlbmHXFJc4viaQYnnRStxZtmLOJcul7jxfHp47M5PhP5h\nDbs6S/6ULTlvZWADWpWk/VuKwI4MC35MmBbyHOu47crHiJIk1qJvEGWPa+HjTo9+\nGIvg1lrs1IlVI2UXuAz6c8QPmctRilQq+FbFCb6BvIrIfv0NZ/tTlYH/00d1i6Qb\nsR7jB9WQNZvg+HXF1gwUysRX3E/MfSz1Edn7mCwhm3a8X/nkxXGI1VdGJbLtzuaf\ns2k25u1GcBMCW14KeANLGtclqp4DI9WllVbJp19YsiZxw5MQRJ/wlLmCcnJfrqLc\ng3av2ydyZJFV6JEq4ZevaeZjuj8Riy/iNM6EhAQJV2WEzsxoFdUq0GWRQBfr40Pa\nxRM6JoCe7HCPOhrbxXMNAiEAyFco38o+fnEHBE2/EONaZLcE0e6Yg8GQ0AU6DvA5\nSL0CggGBAL9sAcSB5p2HD52z0bTkUy1eJh9AeVMnr/huyu1drvXsUt7/21/lpM5j\ncKHZlOSdp+eT/ygUInv+c1xMU0KC8lVlx50mMcDhj1v2BXLTfm/BdT0BuU3yoV9B\nVQXfNk/wtQpr7yFnF4WW/MO7c77sjtGLx+WN634L+L2hTCVs2ayngVg3+nR8a097\nhOftd5vN6w4/Dsg5CAOmWegyD2nh7JPKFOYdZR1u2/HeJQ1wDaqPO2VtWPZg/bYT\n+iF4251uiS/lYjm+4ae5MlaVM0aYZqGtnD81gz2gK0d6ZE479mGPt2W3Ak54y6zT\neI/IeMZ2T5gajcyNAm3IUChaQTVsZf8XQBKHSGRF8Ns6ANvzkJxTncrMdq1pgnoT\nMMU/+ABAJGsJH0jpEX7mLX186Ks1pxqU1Su3r02cI+cNLZ17AN1ZhpJakp5p19o3\nqZsQgjvtem7x7K6Opez2FsHx+BNe1aFytx1y/efNOxyo8gmiH7+9Nsy8FIaW3zcK\nzPiE17vdzQOCAYYAAoIBgQDXTufZ9CidpNjG6AjjybSlWMUSmZXh9PjwDSFnIj8w\n2UDvdlDo6/Ukbgc/Sv3D0sJCpiEPckRmxuYaFdZ6Ai/7QDb6umiS41v5E37N4OUG\nX5kEw3nEjrns48reiIXQWcwNUI9DBBb+sW/76VdBnKi2Cv8NlnNbmcpUcWfUqsWt\nCxE/fV1mkf+Iujx8ndJht+/NUiA4cLYbiiHnpCkmuQzh0mrBeL/DbmraKiw42kr6\nJQmifL0BKx2LgHGENykFXPQDS1L9XVbA+YQArFi6H45oMZwAfk3my8DvbU9136g7\nu0RRu8RXQuX2BbM7LSPzbx4mvETfEv5HWhKFlmDHjcbokTD+a3QlhOM2fltvcFn9\nf2TiBSn4MvEhuBE5z7GhrfdefSN83ZqM7TyvbhQCFNpLUVXu5sTEOcDWMdRCWkNq\nrgrwVrRd8kNVvSZeznmHO+Q1KksujkwiZOX0dcjsXtSGCiAllOh5QaPBk29S+8/U\nXlIaR+DSNoGZrKRxLqn1VtqjgYgwgYUwHQYDVR0OBBYEFM94QgMdjv7eWBWEPKWB\nUrxe1ZagMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUT93RZyyTeBU/+C70MWcfpasV\n6T
owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDyOdD7r9PBiDEckK38mte+\nSzS7mtb+EDMislsUaSVT2gIhALJfM/YMdMDQIc71ZfCkNjP9IPegrnaYnWdgZ8er\n3xRZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUac8NCoetJpeJtJ6qA9Jwav8hMZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9wmjuw+1rWbqcGO3OoPm4rl6CUfxFPyDwpsnbG0WbxLS\nWdctRM+L8nSY7IhivHYZCjHQ3s517XREfgngt8jTT4GbxWkbrJgJYDq7tl7sVT7F\n7h46Pp3Uc/Z+6UweJGK1LScjqhr0lHRRU29kiCZ8tHzH49RANvvayKf3seYFcN5h\nHYob63OBuzxqdAinsKY12Gip8lbUVe2KL7+Bii/D607wwtxcIj4RhOiI0WWL5kAU\nKuiZxJUNSpJ6sI4teqGiDoXsieodPUMmPf7byxD8fNmm0a4YrAL/CoiIz5PA53c6\nuehtsPJZUPwqTz+DCHQv+DZz0jV7naTjqRAZ3I/fpepDscQtWkHvC8VJWTi7Px4Z\nWJm5TWQb5BxEaDXtAtGitkxKcVBzJB0sNJIBnuCyKreBhn33X30PA3DF3DL98Zo/\nO2uZ0db5vxVaLEIkx3fmbDP0zVohQB0Vv8iKpF3bBM7QW8smidZuQeUd1C5HyAuj\n63Ue6GCnh83anaQTr/ubAiEA72nxR2VJIjfqr67iV+zZswfBMWgBNA9jPn5toGEE\nTt8CggGBAOhgCcpPlcGX5gbFDOp6EsdxLh2WpEgZ0t3koNDxkA38OYKwr5aZwr+l\nDO/gLKbioBnV3mUOu2fgW1KQw7FyaswwXjW7yrCPb639nJYC8w7GCwNLFmWmPunD\nRcUXiG8sZvszxznfEZWaTpV2IBWLAu82wAibLzVzNB2b+rp9gkhHi3YZCbQdpjyT\nJn6ALU9bkgl9lhdjbCqcsbDWqWTzGtBJSGIPvZLo3DCWtqvT6NFKUwWRxFlG8utq\nlLS2CdXkTbVXt6NcUxSjlVFh7CtrtYU3cyJSS9DXww5NHZPjr5LU3p7rFNeWjYNm\nZCFQ1zHXcQXHYQb/WP+0gJNw/yAEdQfWZxapFYqb8csqoWnf55X3cB3SqOJbAS4H\n1MJ2MiCnnAYREl/4tUKsRu1kjDVdQTdPbwHTc0+McD3P3AiGFvqSLv06Oo9+Ym92\nI1/W5uYXRx8eCcezWdwKzpvnivzDHByUBDsTHBOhpOgpGVyGiMo7R/vOeFkUFrQB\n7yo1rv/IFwOCAYUAAoIBgDx1xa0cyk6kVDL0hxARm94Y5E5NTIYNskmI0oANA/J9\n6wQAlkiAzAzLrUwuJsLV9KTinXCAyJVWGEpJcVrWxad94jC1VgL1aPuLSZj8P7og\n//oSn1jQrIKg+l61Gk1j9TIINVM1SZJ7GuYSioQR45gkWOLAClJ2mn37dknCbz9z\nNMzJ3LrDEeVYyr7EznhBR6qHfSwNwufrjPKq2Y/tP6q60oz1pdp02sz9p/89W/qo\nsrDIOq3k0jNp0nXLau0E9ZXma6IO4+akmFhB5B6Aw9q0eHn1a3fKXFPDS4upBYxx\n7WbLfxkA2NQXVF0QWZ0WIldvQVDFOyHcY6B9E25rXvA9p+s3o842gsWygFEoT5Qg\n
wCa4BxBojiEjZ4gxDJFxwvcGuKsl5/iSqUhEa1FhHcRWmINLYvkNlCDl+XdNVtTn\nENeujACc89k6SGBoVRmneCHHcjDq01yLBpZaS/2AgEHjKFltiPykwtNJIjjr7EWF\nFCKlVZvmL7f/wWGT9aNC1KOBiDCBhTAdBgNVHQ4EFgQUKaor3YN1Ar9qczp8rZwh\nPAsJCI0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSjHmqXAH1I6fOCFj+z0JOK+F+7\n8jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJz4/CVUe7Ad+lgOdPsFVFv+\n5qwj98icu2aD3PCC3Q9IAiAcmB366ws0gtnpAHL45+SN7R5TrrLx3ED9ORkt2Tx1\nkg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGATCCBaagAwIBAgIUce/5xMvl/BEyPNYE1Xkvcbu51dswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDdMxNHsu8NFsi6vffn5dO6/cpky47Vjyafu2cm\nhU0ryVNtfOUn1bne+4CqLakUC4dnlqKgH6GvvEL8LPi/5QnGXa5jhDMYi5YrhGlQ\nzLz/1I61mW2arz37CjEJ5LuXsehfdVWtVh+EKTRS9gpS7olTMQawFBTpp+QN/D1v\nN/L0D4hXPD/IxGwhFPtHBz+hkhZn1fww32UJEDz5loHtY85khTI5RsBs4+1Nljem\nkE/Wx8e2GvnyZMLNstzevX6kEzW9Sa6guR4UynB3gLZFMzw5x0//R5RyBNXFxf5s\narmB7Flz+3aX5gX2wK5LX3aO8P1x+HPFRKuhCc2xkgqrIiMLShoR3fyMDe857kGL\nYnvNbR9lrcyD1Obt/r8FjfqlQu/gi4g4He9ccr4zsJkQLhW0VqN+1oVXStk73QbZ\nJu2lwMbEcNPYpQu1+e02XPZRW9MfF73wMMaE5yC44KFGNVKikv6Lp4a6ATYdPCVs\nNGiupcoJ675TINF1PRidiND49JMCIQC8cxfXB5Dugs3QfxbVz9Fed7B5padYACCu\n95TJT5uG7QKCAYEAtSvO5pBtXMKp6/acgAca/4YbzYqNCfzTXJ5ObHDx/y9oWPL5\n3hGvIO1AV2lkiOIYDwxYL6C5SW9xEsd9/SCl2CT6zbms5bMU+4DIzpwL65IIWvod\nbipgexQwGpS1Sr4u8QZv5wMtdGLABGl7n9pG69XWcy8NHjjpBIRTcquIoVIyvoaC\nq+x7q8CGmdjAQ/CsI43gUXjuzv16DtTtVLmpz7rx+b3BMtd0ysU3acOUqD0tM4xo\nYua2mgH70CkxUCAQsUeF9Witmyp6Su9UdlFth5JzArEHk4KeWCLCr+jBEXnQL84Q\ndhNwDVEjfaC0Zw4buaAQmtXNGnJM9ko1sWRrkopN69JxqpKsKqbySEsFNJ8WqW0d\n8piMjM90/TY4cGDg7BfkjX3jj1opGoIUHLwlo46/qkJR2aUl2rKcg9lrhsKDmj1u\nKuxkFE5r9OvTElnKv0jgWcZr8EAq+SKYoH+G37xSdu7CP1QWpmdp3ZOdzp61cJWm\nM2mF6rrYESPSF21UA4IBhQACggGAabvd271eWHJZqFQbFRqY4ntwGx51sR+sr03b\nluW8U1DXKgGSKmY85srWxH1M83G7XdTenpwPaYjsQukSV2dDqC915gsph1gF1hRc\nhgNZ6/BbkJcUCMK/JP9ZsxrSJKL/xmyMvWV7aJkD+UJAOAPhattz+fNksBiTu0xz\nxVRN6ZACTdm9Uc70PYs4DwHttwNVl9ETD0jNSoTDjo88heA/oAEZKKsuqcJ4sJz3\npgXLg8K69btBZlKtLOxjEpEyu/ptyRrV9/YrzgPlVrbKjS+cgDjNDum8k+JbkylF\nuu0UgViqE8/W4wdPfifuxNHhaE4kFRM
cHTP0azrFb43pOhjhjb5Rk5XBggNHaEEx\nliMKv7pKiOjjiEw/9vSzl0tFEOh2TbkZnqA5pEFFbfozA0miQqPYLhNnH6ygyf0r\nMOIu0/sbz3iOj9eUl6E4yx9PDF0eFJAUabr0EFXVbdokFUxEokwNN+3mZWpz9LDr\nKxCCakODC2f9PDmf69iu+OM2elV0o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUAnNXe5NI\nu2/XvouhLDLcM9Z5IWgwCwYJYIZIAWUDBAMCA0gAMEUCIQCzotTgzxE0PSjsuQDG\nrA47d/iQhvt+/NdLyA6lPOrOVwIgAQEb1s7kTLvOwTs7q0JBoM5cjX/YKprki/nP\nMyfwmas=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaagAwIBAgIUHpsBfh+lJ2ibHlxCLIoe7UzNmxkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDRoTv4SLrgfp09s3XDX9cSwno70KQFESGNUYQF\nJlffzmjKpjeau1U4UQkx1FKO0nqfEvnNYnO/UKM92gL9g34ADu9oXykZy+7Rvc/E\nH+Z2Nuo3W8ypNfPl1Ido5qzhevwEXYnaDMt3RCtjRFdVRB3jM53LkYRcFgXHLK02\nPpzB8QWBgkIUu5Z10GsnFmaC+zCorLgqrvYiMrhy2W/e7B5ZinFRe5qd9TOTnuZm\nD3xCT8gvqEI5tItH6r0ulReqfvgbg8c26uynRoQ93TEt6rhaAY3cCRljwWD1nrKR\nQci1A9zLF1M54JDylC638BSZ2+W5cL+Q/pTCHYuDQWZ+5BJUftGOAm5Ynn9ydwsf\nzV0Da8Iq6p9r1+IT7wXUp4QClEt5tOljuptRDPz/OQxUXkWj3qK5oO0/Ag5BkIgm\nlUKt0uiJRmShgnpt4yjaKjr9UUPEDWcecQyDhX6Jt2SYgHOX0RKzluidq2ewQAK+\nqFkVbD2DX9ONY8Hh6TyPF21XKIkCIQDzyKEEcJNpkfC4f/G7wD7px5Rfhr8Y1Dw/\n/pLSzFQeOwKCAYEAlPNiJBza65TfC37TjLhlQZQ5R7ybOgMvrztXmD8xEsefNu3W\nAjzRvM69WN4tNA445ZS+o1U09f/36fiAsTr6uPMfSAGxNPjnpI9M/x03UK1HlOh8\n3MeGo9cLGy0xT1I9qpEn2LBjVYmPUjArVt891B0nctLH0kXmFJ4MmeHRXn0XZVJi\nj8ZPbx1StrggS/C6a1btBwvE7YKOF5aIbCnf4nLrAk52YeZncTNlng914v1ApHkO\nmyIs4bu6jnKZU+3qwM7RAs69m/DmTLkaixI5oFsSbGgjrjENHnArmSIkRahEwzKn\nLKL7AWhJkmqdMqhQvVWXv8Mcm8pdt0XCJ8rkdM/cicCDbHzhvH8uDpEblMHrXvSS\n219oo+XAZU141JpsFfnbPhVj27lRN6nzCxRFVeSZdXIrRD1hb5wuozHr37d0zq00\nb0E5/ZMHfOr0N9JDf1SAJVLVljZSaBzinWWaXW4sRmfonbeqOgKdkEW2gBEId8Rr\n+cKInuNsxhvZTT+jA4IBhQACggGAAVhfMVpKhKmSk1+jsJID96v+kwduhhdL7f4f\njUJ9Gf4FHIJYkYCjxud3qB/wPTYBGgt9zok/NBP1MH2yZ++ZAFWMiy7OFtQ80RvK\nZ8mrIpP7xxOz00m4sVV73FOt1bH9pSlCf86LK0/GxKvs4A
0dFtsU2F2avPy/8BV6\nRMmf4DxvMLjvTN2ls7EEU+By8M6E2dvHI5FsTWQRDamDGoO6F2clix+sgaeeyh/B\nBnTYfEiPIMey2yN/THTNjebFlLXKqTE2NK7jy4zsIIBIZiOBltRzOhOsAMtKDbsS\ngKoMH8g7SS9xjXbqtct3qhq907Vk6EoiYVHaw4i2JarjJP9yIaq2dGEdcy5O2dM+\ndIPHrCBtiJeGkC2lfRMtJrW1wsN7Z7D86TP61ueJwsJYBCSWICvdqyuAVVbKjeQM\nsZwUHRb3nZauanYGlKhSS2RrFkmnm8l6Lgbh78oBcV+6GPtYDW002PUTHwvhR/6s\nN9BHvf0U8a1HdyOsDdTt0G9N8+mdo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQU5tlXLyYt\ninFPqGmVwBA9E3vIUC0wCwYJYIZIAWUDBAMCA0kAMEYCIQCX23Cz+P8Y9BoqAXmC\nC0QwvcaF6PHiq1XJHcBbA5+mVAIhAO8x8o8oIMxdYriVRRrZLQFOVCS4B3cK4BA7\nM+ehOEAt\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUd0F5QvLpbW5QOlkf4+DgEpwTD+AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATFlAwF6WHsCaZmKoZ0LZVM9DnaKOWP9vUrkcY+xekZ\nqTLNfSsHyfIqJfAPBchtCHMQ+WkQvugx2+cAe7/Nazn4o4GIMIGFMB0GA1UdDgQW\nBBSG8DQ9iozDdJ2/KGJsq0kKrKA8sDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFAJz\nV3uTSLtv176LoSwy3DPWeSFoMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDSAAwRQIg\nGkqU+S3gHgyvMimecZNAwmwC9yI2QZ6E7wmH+m0/FDcCIQCv307+zvRhtwVUxXMf\n58RcfioXu14ZaZ2INgE9HY/XiA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUemcbJecP2/zucpH5Eu7uDCXUiEUwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQySo1ocMwhZbwGY9+qqAmYvfpKrC9ej2FCo/1dnkaC\ndMTQ5tC3/Mvan/KxkoqhohtwbZIJhvlK5Y/bkf5C6RE8o4GIMIGFMB0GA1UdDgQW\nBBRPqUl47cgksvTMSR/5y1BVnATbgTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFObZ\nVy8mLYpxT6hplcAQPRN7yFAtMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDSAAwRQIh\nAI2tCxYZfu+F4sV50ESqhdi881KLdKy2LPxJ6TBDy4zBAiAynuciwW7f8emnoUtf\nSgIXzsGsgUphyOJv9xBeiox8VA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1778,10 +1778,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUMf81ODq41mF1K5h8m7fcfbZ8JKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWwXTZ84BDLkphZJNMZU70iO6hI2nfnkJj1I94\npWxLU/8QJz3cWwdqYHaR5wkYZoUam8FTHF9KWaxYJmnnFKJio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcJzbniVcxOEVLuuIt/43x8T4JyQwCgYIKoZIzj0EAwIDSQAwRgIh\nAM84ZLqzfnE6aM7il32E6vhewUUkCpuEzmXrUuEL1Z13AiEAmkIzvPgm6ytHyMcx\nmnZor2e9U+XhOFPh/n2/XiopKHw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFPbx/EEMvuSYfPLBgNRRU0VrqGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQrSdNFtvqJGBxV2OaZarV581vJ3G+FfHRGkBXK\nD4iBAIBKLuKOaWJx3A5sSaEItyhEnewhsoIEOIw9hY2tlwSso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKIX/msLraIyBA2kMqYs4CHPJfVswCgYIKoZIzj0EAwIDSQAwRgIh\nAJEwqVLeqFOpGog0mOqMks02tuctJm8Bcr/dQzeDmVyhAiEAwJVVdQSMVT3umw/M\nRoHMLFCU3Ojaxi5Ir5jpVFBZI2k=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLTCCBdKgAwIBAgIUE3+XVXtPKDdxdyurr5sYGNQoJPUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAgK+M7tM9qBxh2B5uPWxljGHmVwBnHK0F9IaQ0w23HW+Y\n/CyaWgoA3QXksLft//NoOVXe+8XGcsentZL3NfVMXaglnpTl2dPEjP9/WfYCTfsD\nBLsn6P6oYswM9yJkpraBle/sktoyAVoer879yGEj8QcFL6mLPzvgjx071bBkICC5\nfkBG2lzkina/zYnsUchkxmqOV+c7SPaaFx3jAql6U0X9GzRSUEvu3iI0PYWDibnY\n8LZr+f35kV5Ai/yI80FQVyGkDIJkTYGCt+X13xv1eoT4XOAGUepinC7Giivcp9bb\n3SooyqefxyihEiGX9/i5jo466chty+KFgHv7bUD0dR06DWsBvzplbczjeio0l+tl\nPLxanLTj598Ks+BzLARD++JfrByvGOHYzyM/aItX+Kb+bBaP1nmlCCMcwij1VgPf\nyMyLp7yRkACYdRQTFUX5QB4m6/O4nmME5IJMNxQY/sXu8YUK8AahfDKTLPRrqQHp\nAftQsfP/uH87meVPYXFXAiEA/2BPVgo50anGNYOD+YlPs+pZAaw3pbBCFEemJ5MA\nxJkCggGAAuPunKdfZHY7LwWkA2DtaalOe2IrBkbj0DbmE0DrTT5qY3jjbqSbyNHd\n24wL+w5dllauhpVftY14mrwSywdHqxvpOvaiYB4aPjW94jIREgET2QjPfqv1zNhx\nfBylLKpI9ylTlqkqAhAxGrXw9Qb2eSZhQRUuiRVJvPaJkMi8Tv+s20LUDbkL0qpW\nGstWVl/xz6J3OgwUrEJ1TxhdPRIodutWIL7ve4mfskWVC4jdNVcXUwnscRvYEUA8\nwEquT7jD9bN2qp8M+swF9bV0l6KxNbpzZVyqskHVycsjfMdUQj9uP1W1t1uwSFMG\nKSHfqFn6qRTXVqQRhaEKXfLfM0shukS4iv6nvFlNMF0WHBrK/hjqjB/Fy4sOTjaK\nJ6bkG1nsJaf/qeDEYtop/puAJWmE8I6TEPD6A3XNHIxBK0W9YkVjUWUmzH2KxRx7\n4F9TBwOCae7wDJ1ToGz5FAprI0PzA0Db7Q4N8upi0OmaOD0WvSg6XuAfpl1L+XQd\nqiieB8ZwA4IBhQACggGAdR5m8pKP8ywhezcAIgamy4GXs13/pJKRp8e0VBV33LHa\n29fwOGk7nGRfklGViiL4vGNcdshiwK4e4M/qpfkfoK0MKGgykcrSlf6cF8unUCR8\n2n4p3ygIT0Z8Y2HB0rLGZQJYj2kkS3P0y+nzMLRlJ/RHts9BgymWMMoGyTozywCH\n1oo5a+0zuHNzb3jID2QU7GjUA3KfV1cHtbbDS2IyqfaASGoSF/tFJ6SGaqMsdYe5\nGBpNHCwAG9ibWWkFUbVJZ+uJlKpnUpvirRhhoxm2eH20bTkM/5b8GSZCLs9NZUMA\nC3w0pAO0cUvdnwVd+iVZbDbmhyp9mNuCNz2Kw3rSy4Xob8ip1MFWgKmXwCHZ07hC\nzQ26kzMCVLDuFX/Bec6SrXcSqnBENrgoIc76zzV6cZGAHjsIT8xiLUq3OFdaS/yH\nWYdyrx1MOBhR62eFKoAZzzoOVt07U8Mg13imjMLmZI8xdk65lFbv/60E3x8V6I7J\n9gClpO9g7bA/cl+LnYomo4GIMIGFMB0GA1UdDgQWBBQ2UT2SBs07wQ9z0yD/8ma6\nKjuSYzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHCc254lXMThFS7riLf+N8fE+Cck\nMA
sGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuMlu+n8Wo4IQm8dOkzae/FGp\nfVPKhifXSeHaX5OWwZoCIQDaLX66M6b5UiJQOTYkPD273xOtQGeVFUi7XHyhfwqo\nyQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGKzCCBdKgAwIBAgIUGGOB6XbLTWWAYlKUle4JbZaBFr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA+0O7AQX1CiT+WuJ5UKmBZ7QlQr4wGXmJ4/uS6e2tDHtd\nPlSZewYRsCE5XMvjkFf7t371MkUlCBjISkTxfesIQlUOI9kRs3/nOIV9WzlrVLL8\nuERI7cIz2uRFGvxvA6j8PJWTHSFE0NCBvKUZdfFyLqgsnh3oiWdtK6DrwAkAjcni\nMaXP1wit/WlxZLTAOQ8rcgFjfTRtuav1KAvYyjwJG1XU4ypAp1anGAeVh+Xf1pcc\npNeL7uMB20gkOuOofZa7LTDHSxltcfP0jvWM5l086kNeZoR0ywGff7brYwIJ+1Am\nbr5XR8Y+uJpkmJjNcC4IUP0G2z4ZF8i1GLb6/abXdqXy7gUruKvoBK05wi/OUiJx\njle9hLb+M4qynA8sK2QgdTTVKT80K2vln81yVSfAzrk7S4zw2lz9jSJQ1rX0DWsx\nUiFC1HEFlOg+vsEk5WIUb5QsMH+Yc0hmesejmQ6bpiPG1dR+Yp/gIjNV9ZqPmuQb\n5086n0S2tqdyHu4ulw3rAiEAro5RX2ZmZehzjkM8bHgD/gcoqifZTxrLKz6jSFVH\n71UCggGAWInjBk1CIL6KFREtG1UVmmtwcI+Zb3vgnlt+l+Gc4nZt9Z3VJRcSpEIp\nbotFPk7ZmQvE/TMxg4m95gjODcvAOxrKIO8pxOuzwYr0aDw//b+tMg0N8Rxrni4y\niIswy5/BFVhpf93l49v38CvzUnK4lX2v6+CcXtVsH3M+C4rBvZ7cmSPUiCOJckkb\n/m0Deq37bUE5/6ZfJEIgOf6YGsDvMUYOFnecVUvSKPUcQUC6ureZyp8rpCXI3MMy\naWawGSSn/UmMikiOFUHIAtU1J4w46hkgO9mjryTrbcqeUZ0l9Wz5EGHz1snCh0hb\nEtkXty2gKznGVgu60rEjmpWh2MNhwUg48LBdEypYIDzXYdHUgua2FQi/H1MnrNpd\nJNQwmkxgYMNrVk9ZnSJuM6mb281bnh9jEqCUq92cWHlUVVx2qsQtRDGtK9fj7Bge\nwbDAPQWYbMPbd441e3M3qFHgduRHuTI7vpcQH4x7grcZAJJWNZaoM0QJIKiPFhlj\nfsfzeIYTA4IBhQACggGAfUC/MQlcwVrXYQ+XJApGxPWyLXs93QuZzo0hpCOs8e5k\nSi1ZQJzneWmKVepCRfjQ3vVS4AUCcYxOtetB6HvY0AoAv7CEs5k3BpVBw2oQRbdr\ni6gkPnw7OVmz5y5OkJRsX6Xa9CG/mHeQOmFvfoXsoCJ5+7VUbLylhOVLvDvlhkzK\n+i88dl5AhPK9U7OOHUAUYzRmnRyez/5D+oqomoNpx6NCKSS9cM+qJpixLW1pth7a\nli+v/vYM/A5b+BevnaYBnjawRIn4sjygfqXMO7SrubWXQt4LVvrWWnO9HtHM7vaP\nQnwVbdWpA4GJlhq1wqbSbKKKG4prGh4ama0iSkQAXgs3BEjoP+oKSsTtSJyUwVds\n
HCHQe1P3KnrQFK84QBXu2+H4jDSeFhStNRLhiBsdhiaqBzFZ+j1bdwiRUWxDY0AT\nssT4UV+BykJMblJfXEv8c8dDZgKc/qGcVSbkw34sMppc18+sxJeudZSeScfaViPX\nSOUsMY2NHR0rybMO+xUio4GIMIGFMB0GA1UdDgQWBBR9sdYgZQy4zPkmJXP6g3TH\n6I0n0jAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFCiF/5rC62iMgQNpDKmLOAhzyX1b\nMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBthtv32/cEzDw6qaeizP/38CUi\nGK7znBYokt+eqWTRtwIgGRSRVohY06vzfOxdL9osiUD7ov42FfRq1LaZI7X1G3o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULcSnP9ht6g/awJsnVWxd+IaLrBMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4xuF7sJNckotQ63q1VfbqL1fK56ygtLxiGMWR\nh6NBC0wWMKydvrfRzYSdT9jsY8wiF4PSEsRv/ebNbK0Hzl5ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBEAdoRfZu2oIH7IFv4horrAcHbQwCgYIKoZIzj0EAwIDSQAwRgIh\nAKHZUehz46yTUPpKp+MyrlI+w4wtQR+WrtJLwkaZK5hSAiEA8V8VECoTxaCjOqbs\nMASpDRHmVR/O3rFHty1G8Z+7Zq0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTvlL37JmAua/BORCXvkpHCgk3GowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxn2/1E7zVsevEEs+WdVYbwS/6qNPqFdYG6j8e\nkK7rJ4ydg0WwcdpxoCvx9kFmmAehM/oa1BQiEXfgoa6e3gXWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8y9nj6Z0n16jDI6RaiaDSWQ1OZUwCgYIKoZIzj0EAwIDRwAwRAIg\nH+wk5gaVVU6oa7SVWbPXYc2CBjofmvJAdpUGGGGXan8CICzW4AYuqk93QB9wZByW\nFcsZJG3d3JMKlXspsi4TfrzD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUb15m/nQ7AD4MFAIWU+Vxx6ERLrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDmhv4+58i90nQIawsaLriTCwlKVvsCt/3E1NT7XHJol\nUi2fcpDQ0hO6tyyrMnQgmblCYhczaY1OJAMURmi5DBqjbzBtMB0GA1UdDgQWBBTV\nho7lR3sqbGZePNLFo0z3l+5jEjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFARAHaEX\n2btqCB+yBb+IaK6wHB20MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNHADBEAiAlYdOUvQAHSJElUG2EGOCHe+Lovwqbb1PNX2eJ\nO/u/uQIgULMbOcD+m1KADRgQ/kbftCrtYqYw4TjxLdcFjrCD2DU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGw9v0RkNSo7mbZFHSzYRNWBRJmAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLPkeRjkABKsQBwcrXNGsevrpgyhbtnzCBBVNNTqLuHu\nh+RZg/RvtBEflPjktccDZ2Lpiaz0GCsn1QVeJVLwi0ijbzBtMB0GA1UdDgQWBBSv\n2qsKCOiNnzoIvIBFwQ6is/MLBjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFPMvZ4+m\ndJ9eowyOkWomg0lkNTmVMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiBHlTdQPzkirS7B5IMH0jQSFgbTc9ErfocIk1Mm\nb+dKGAIhALcySchGygY3DW+G+b4j/k/JfcN2UknmAneWIpWyUCfu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUapTKxWWnyr6zr5Op4aeTOPXnZl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoJXjkSmOr4uBZiyK9SSYa1eXMXJ1IK9b9HUUS\n59EhzMyYXO+vQ7ScdWWOX9levhpQlKnEeOHZOlZALU8rNziCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1sCIcYrFjO/gHoKUOAGJgxiWl/0wCgYIKoZIzj0EAwIDSQAwRgIh\nAI7brJmACRBgQS61sZQBwKql3+zGenLo9g+m1Hq6WLrhAiEAx025jmQ3kiw5V4Kq\nu89TGkHZPzi+wejdAvqO+qGWRSA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUhiTUFc2Upc68jqehHaKBlCMzjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARERZBtgAKl+hUlnMA2lgopkf4ISU1o+r12Nz8U\nWzNYBggTSg7/K5h9o+X4rErD/S39TwANAu2nkC6kG+QgKnSLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpr3I1jVAqkSTl4Zp32vrwmOf7IUwCgYIKoZIzj0EAwIDSAAwRQIg\nCyRsAaACHNKaKym/9M6gsldwV0SCDGbOimwseIvV7nQCIQCca6WdigrfpJ0bePdE\nIMoNnR1XXP+3pETk8MWiXLsFNw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBKzCB0wIUf7xdxYNfnRLvLVm7ODF5Y68lFVAwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABM/YnTWL7Vu/lze5NzjrfzaGAlLZyohDt9QxO57zjUULWKMp04l9\nqdXdxZGJH1kvv7AN2BcQuCRKynvIHeAq/hkwCgYIKoZIzj0EAwIDRwAwRAIgDT3e\niv6ym0ucsKMm3H1juJNwao9u+qjmlQCB2khyIxMCIBbl4OyY9umbvmwyKnJJ/pmw\n5mAJS2osohoERUNZxXwX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIUQkA+lPJio9+yaxEb/+gwn5jjVDgwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABH+q/v++FPWFu1HXi8ntAshz0yt7q4s4ZEThhCPj3yd6u9Ged9PZ\n1gUetsLYG6h0DLA9YvgfpwFVSEhkCZWBh68wCgYIKoZIzj0EAwIDSAAwRQIhALhk\nvmPp/AR0FTjBjd9qe3k+8lh4hOzwAH+EhF1y0bjXAiBBAm0N22ge+pPwYndskZ5j\nsj+wBmCJbOucamlmIh8zmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1843,10 +1843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKnMwhUM2X7KULU87IG0LVRX6GC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATBcyDSj4WTocGegKoJKUEpL1qs5eXtwuYLvQcc\nDDA/Rw+qVE87rI5JK8ehqyBZaPruntWfO887tnLOswDj1KGro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaL3Io71N2ltQF8eWwjpZKGqQd3wwCgYIKoZIzj0EAwIDSAAwRQIh\nANmpDesDZIjDhstoOBtLoqWvkRvxuKQQpeUyTYmW0qY0AiAd1ewLGB6HOd+KLbiz\np9RdLeMf6N9bttKqS4UBpOzItQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS8vMEl/gt5ZPDQZdSAuAzEgRFUgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6xNQVDVLnwhaVbZPpTCdPXZ3mkBgBSP0+dcgz\nEHah6FoCyObcF5yasO1XIo/LhAJ7CP+DwuYIMltD2+p4AEsZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnYb0lj2DccksWeceMO/AwkKL6fAwCgYIKoZIzj0EAwIDSAAwRQIh\nAPVBbKV2MusuCG9bq+m61fUTHBrq27c5wCo6D+gJnm2bAiATmHiAkkPfP4B+myK4\nVDagUWOKmTtSgtSV5fD1RMLQ9Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUMuBiEp+gPPcsiFfD5c9UIkeUItEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBB9YNbLJRIpTq4mmjdZ1BUVzCDBAx/euzTLjKpgSsjN\nVKeM4FszfXbEGLKhvqSF4Q4TR1C8m33tC9kZHNDvTFyjgY4wgYswHQYDVR0OBBYE\nFKeMWXHrH5Q53FakWDKhAHl86sJkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUaL3I\no71N2ltQF8eWwjpZKGqQd3wwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIGMNmdd7073npJiUfen6dI/WMDkXlciRhhb+n1gc+UQHAiEAo722Rg/uXBKK\nqLb24kDQipUDZvnkGDIQToAsWpDadC8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUMjRVbhj2gXXchu+9WnRfb6x7NUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDDq8bSI3uh3GpmXS3we/9kxvLkagbe4HpcBlDZIMlnk\ng+GIfYn4yhSaNerZqsjb1ImVfwZ4+sNF+NHJnbL3YQejgY4wgYswHQYDVR0OBBYE\nFPaO5z4N59WzDDBCA1QQSsUXBQJ1MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnYb0\nlj2DccksWeceMO/AwkKL6fAwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQC7bCWH8jDFD9L9a6HyEQtewnNnm/oa4uOO0K3wxJ7+vwIgBre4t2IPub4k\nS+R2oaYUdTpFymKO4Q+O2TP/Xc2QD/8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1859,6 +1859,27 @@ "value": "example.com" }, "expected_peer_names": null + }, + { + "id": "webpki::ee-basicconstraints-ca", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJJ7jjslC9kL9nH5IYRluNjEjXxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQT+0A2kXr+gN04j7Q9F4kYDTSdUBNkX9pkabqs\nDsiFCdsnh05P4o0ruN1Codc886TSSCJQOUfaLOZZenAPOry7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAmNIB48840Ci164mAPD77WR9DokwCgYIKoZIzj0EAwIDSAAwRQIh\nALAmmaVyfjbRraMMc6mXZVRLOCHNlKihd4dh8lZbsAQsAiBZCBDDcpXS67NcfWFF\nNLhndXawZZxrDiGO/hpBLrMKhw==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUWdGbyDLN15wV/m7RQrJbdMHvYocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFhVuylRC/6rdllnNfIGwSLhlOfIPNUiiVbvwBLfOu4v\nvnt6ya0aGBFP9CbdpMPAEOjz/QGSyReyuzWJcPyopySjgY4wgYswHQYDVR0OBBYE\nFLBngKx95JLQgHdOsj25+av2LbqRMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUAmNIB48840Ci164mAPD77WR9DokwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDVQp9qMxG/JhL1fGmjE3uDW21IFVfuTMzd8khR7SGv2AIgKNlBtEdDdkIK\n3pxngWcfXrOrl+oIhYkfD6PFhmH9DKs=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": 
"DNS", + "value": "example.com" + }, + "expected_peer_names": null } ] } From 028223913e786ffa0e48e35ab6f345f5869dd704 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 11:58:51 -0400 Subject: [PATCH 048/155] [WIP] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 378 +++++++++---------- 1 file changed, 189 insertions(+), 189 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 1b50e36a59b8..cd95f1c60dfe 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURSrgm6lypPdbWjLPojRCfwzaInIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXVaqvZZHV7DeSdLLReLNDPptgEQI8R3pDSwWI\nsiuoPMk4euDxP/ebmsL9aMWE/TAiv8cTdk13c3bpt8w0N9q1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG1JWAwenfFYUYxOLTFgnX7CQ8mMwCgYIKoZIzj0EAwIDSQAwRgIh\nAN4id92rgag0yU5tY4Bt9/SHEtdJJ0IPN07MVKIFm19NAiEA1cwRV93l0H0WxWKg\nhqdi6Ik1Jg8j6bMljD5VZtI1dOw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUG9QgbuEpNdTnqEJpdotnE0wlGAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdNcSXbzb+fWnemethqNDFrFnEPLH4aiR1pfsy\nVtKnXeq181IALRgOXjQ4BpYG3z6VUytIMxkCb/xzy6fGGmPlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcbmvwFsuq/5kLEewU/ZwmUM/7UQwCgYIKoZIzj0EAwIDSAAwRQIh\nAMW3Y3+ZfAqNNvBR+lyFOEWYl+/bYDtXwGXVZ0ro45fEAiBttSd+7LM0niImQXJe\n6ImpEdaVbOFwMBpdtsTmEmWNuw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNygNYLxotSV5WJb+vrm6/OodRUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTQ4NzY1NjA2MDYyMzM1OTk0Mjcw\nNjkxODAyNDU2OTczMTU0NTQ5NDk0MDEyMDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLIm9o+NO9lG25qozQZvIxNWnr4MPqgDnDnEQm0XxKQs6VbHSZ17l2P7bGJdOq8h\nS/coJIi/PSZxRI6WLHz4xgijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtSVgMH\np3xWFGMTi0xYJ1+wkPJjMB0GA1UdDgQWBBQhbycgmJUWLf58fflQltfVmslmsjAK\nBggqhkjOPQQDAgNHADBEAiBGbrJs8vFnpeM2gNmBSTkEOgJ1v60MkrDZmxIIA6L3\niQIgfjbwmA6j0DhS4hvXg8LlXUYi39ZHeSZHaOLcCUSB0UM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUYnpSf2f00Y3CcRF4Ztav6+IhbywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTg4NzMzMzQxMTc4MzI2MTE5NTAw\nMDQwMjYyMzcxMDAyMDQwMjAxODcwNzY2MTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGQcTuUXU/KDPsF9nCojMunoJHy3gsjEnoDXrZz/pKN+Kw1cc34tVIvRkW1HSq/V\nm6rBpkJf7l+mHKZJ6nf5KN6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHG5r8Bb\nLqv+ZCxHsFP2cJlDP+1EMB0GA1UdDgQWBBQzWmNo0+H2P4k/yxO9ZoT4L6sRpDAK\nBggqhkjOPQQDAgNHADBEAiAShN6Dh/+1DyniA5N6xZgo7Jy/MVM5HB4jc134K942\nxgIgWahn9nhD2CHMLH9C+Mbx8nVt/FEYO8J1RwqywWuh2tQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUSLfp+GmWOevugjKmoh4jO64e5/AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk0ODc2NTYwNjA2MjMzNTk5NDI3MDY5MTgwMjQ1Njk3MzE1\nNDU0OTQ5NDAxMjAyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvbwb\nGaTpksrIcfrrIDnZ7JV445iIykjRCtizC7yRBHuEQFtd44xA4QwNjUuQA2feK3OI\nRsB4+UDUq9h+JVbGbKOBiDCBhTAdBgNVHQ4EFgQUaCfguLvlZIvVLEJTFCUsOeG1\nkFowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQhbycgmJUWLf58fflQltfVmslmsjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgANHAbqhD7JPY6JgyokYaeNPCys4w\nDWVJHAHYMmLz4vICICL8wbMrN1/zBRQIDMMDJ+imKapQscSUbO1WC05Xli/S\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUVHtX7+EkbyDma2+VczMbbUsX2e4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU4ODczMzM0MTE3ODMyNjExOTUwMDA0MDI2MjM3MTAwMjA0\nMDIwMTg3MDc2NjE0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEduhY\nM3m3wb6wv2VMkFJtOfJKx1KPHd29lFyKb8GUQYxfjRmSsNIDQ7IZvSn9oR11K5rl\npr0izKbQcFP0fm+43KN8MHowHQYDVR0OBBYEFOszmMx3vmOgdWVO53NclrH36cxI\nMB8GA1UdIwQYMBaAFDNaY2jT4fY/iT/LE71mhPgvqxGkMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA6S/NEhEe3NtV7E4rjN2VdMUev+yN+tbXC3nT+krp0J4C\nIHhsjlJNAqAiOXaXx5MqX3WB4LQ2eQRGXkdZD8J7+Rj3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNSFCwYdaC+Hi60P0oDt7E0YsSH8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQGJwKH6tO2Ez4Z7OPGAk05nqnc9sfZiht8ux1\nWsf+lYbg4wNUaAO49QTAGbV7sr5koBQWHaSMwzvYFrMkTyiTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKzDVS7zM8ICInR4JH1fQysGBSKIwCgYIKoZIzj0EAwIDSAAwRQIh\nAPoR39+xS7CsSLc1c3BrlTmtUGh4d+2TBi536HUT9z2fAiBT8hjn318d5zdZYKLu\nQTFQol615O8duwYMH2qpwhrBGg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMW43AAp5KzvtTbsfgachPqLQ5g0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQ1NDRmyWoQdnKqX89eiMaQX53dNQ8G+MvtUVU\nSx3gyA1O8AFEgQ95VOUbUVYwrFXNoYraubSFUHQq8VUgLZ4Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEyN53qCysXHFyyMb8IOOD/P6JjswCgYIKoZIzj0EAwIDSAAwRQIg\nbNGgjlLn6AcXtRUPtxy3jaw37vlfd5HG/x+527guW60CIQClsEuplwzPvX4jfLxz\nhJSMF2VlCZkoMJjL0+Ba4E6uUw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUELCDdARRL1Rkalekz8Y9oBudBdgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDMzMTgyNTA3MTA0OTY2NDQ0MTY3\nMzE0NDM3Mzk3MjgzNzMxMzYwNTcxOTA1MjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPStXLgt3zEYlhvLg+G+6+MK00c41uRjHued8GY5WCyPPU1NdqnG33mWfDH/vo6p\n6QNZEbwf2ICRE8CB8himDHejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCsw1Uu8\nzPCAiJ0eCR9X0MrBgUiiMB0GA1UdDgQWBBQrgUPlTTYP8urb7m2PXnFJf8jx3DAK\nBggqhkjOPQQDAgNJADBGAiEAoJR2o3csD0zcciVf4GCgIBMVaXjpIguUGS8eX0ne\nNCkCIQCz8Vd8UzR6bqTRIdvLIs0UXVf9j+SHdPgyjPM1ymvEzA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHcdKLDZB8LXGHrA/oNVZT40pILQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODIxOTg0MjA5MzE4NTQxNzY4MTU4\nMDY4Nzk4NTE1NzIzNTczNTA0MTQxNDkxMzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFzocd150hKhqCjwHOi1/IJuhRMH6klpnvEG3c71E0qY/vHuOoESwekydonKrqnS\nBdDRgX3GMRrX0f26KAhkyaejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBMjed6g\nsrFxxcsjG/CDjg/z+iY7MB0GA1UdDgQWBBQfac0EqL6yHatC7XghOtK3p+7vTDAK\nBggqhkjOPQQDAgNIADBFAiEA+m4y8b486C2UZPRQsOYUKQSqnGCclcPY9hwDinTo\n+hsCIHVrIhw0GSTv1pRZW0/rgv+hJieK22WJ1F4El55fj27a\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUfHnnBcSULIfZ6b8bW/VO2w+KOMYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAzMzE4MjUwNzEwNDk2NjQ0NDE2NzMxNDQzNzM5NzI4Mzcz\nMTM2MDU3MTkwNTI3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4Ar3\nQmA5MSlVYqRC0OpRBll0AJpG/viH5i/U80ejRnULNSV6Se21PlrC8imFewNz6iif\nmuLO1twH9AWBOa6wlaOBiDCBhTAdBgNVHQ4EFgQUZfavfaaPga4WE7wdTMWAbPhU\ndh8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQrgUPlTTYP8urb7m2PXnFJf8jx3DAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKxvbXYRMnBCtbIs40KUyGse2mT7\nocD879eTk1E0Hsx3AiAQrsK18bbMYkZb9Cd51BxK7a4BJQ7V/Ir++YIcyqGqeA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUJx8VoSz8/pJPet/fC7ZDKfJEl9YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjgyMTk4NDIwOTMxODU0MTc2ODE1ODA2ODc5ODUxNTcyMzU3\nMzUwNDE0MTQ5MTMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgTiA\nNbLBI5bYVPP2C+vLYsdqn5fHGZmSwBvL2whx1KkcNvyDYehOosea2OUbpH+0+Fd2\nb/IxCg28CiAqhyRUGqN8MHowHQYDVR0OBBYEFN0gr9jUsxuTAIUTBss4FTFeAQuz\nMB8GA1UdIwQYMBaAFB9pzQSovrIdq0LteCE60ren7u9MMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBh4+6Tx4JiK0q59uS460BzvHyfha113SpnX8J8N7iIbwIg\nFEjmEhHeR/Mjmv/BF/GYGyApg2UWwziVNfRc/Vu8M70=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYZSmpQ1QkHhCQdtkQJ4b07i9rk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7qZwELKQtleg9pRULj96hx2Z9UiKKd9oC/xE+\nR5lCJFOf7UOOHhYUNT38BKX42RQAkQbdRSv/AYE42si23YRHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURrKAMIo4NGJ4xoLiBGCTw15Rw+4wCgYIKoZIzj0EAwIDRwAwRAIg\nNV487dG+LMORfkmHat9LXA7/Uim6LsotNDHDvf2Dsk0CIDNOAZWPyHsPSmnJ4I1R\nC1vY4mD2P4KbqqWv/LUg4qsj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbwID7CrBZRzSSh6Djhh31xNrawkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+DI/aPv0knTx7tmaIxZ0ketPGDU9A1vx+6Nrd\nhwy4wYm7tSteJ/az6moZBSMyoMfgub4jwxI6ZwUN+yrqPN1io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzW5v41LYx3YO1G3UWZZDTH6j064wCgYIKoZIzj0EAwIDSAAwRQIg\naFzBBTE1jK5KpqzKSEYjS6OtnvRSIzOLbO9vGPuUJLQCIQCquLr6sAv1QVS6n+Yj\nKMZHqpeQQALvCwk5YDltuVZ4vw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAOFv/EegygeLHxs1jkP+P+WZifcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NTcwODcxMzE4NjMwNDg0NTgxMjAx\nMDY4MDA0NTkyNTEyNzkxMTg4NDg2MDE2NzkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNEQOza4T4HxoBUn/3e+P03R1XhCZ6ij5pbjMj3jbYfbq8+j+8LdgAUczDo3hFx9\n9DlVvQkhcOBxOVz7nL1y302jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEaygDCK\nODRieMaC4gRgk8NeUcPuMB0GA1UdDgQWBBSbKxwmBpDwwxwWXwWpl1qjLSRzLDAK\nBggqhkjOPQQDAgNHADBEAiAtbNjEQZUtnwDpcIThV8lp5SxPPLLXyCWR6Odo2Gth\nqQIgRejMUuOvNMuBdLjwUZ7t4FC3lCsPfnHsAQWwMpOdG9s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZyUfRBk799MZekPmw3I98AVL89QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzM3NDI5MTg3NTIxNzEzNzY5ODE4\nODMwMjMzODM0OTg1MjQ2NDIwNTQ0NjYzMTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOyCwbigSkxCm0Uu0KBWyKTtXrYa0H4XE27R8Ol0wDPpJtY67M1tAf21J5jPlXRw\nLPsibdXoHQwODLOi5gXuWBmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM1ub+NS\n2Md2DtRt1FmWQ0x+o9OuMB0GA1UdDgQWBBTGZd9njf65k7eCUcxyKQgg6twdsTAK\nBggqhkjOPQQDAgNIADBFAiAAqjEOwywL/96enPv02FlsY4RxtJWLdQj42W67aymd\npgIhANsF9oazYh/VPusQDkB8RXU9laAJ9cV1lJ9ysdNa1/gc\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCzCCAbCgAwIBAgIUbE9OGA/0CyzlPnB7a3zQIi+N1XYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU3MDg3MTMxODYzMDQ4NDU4MTIwMTA2ODAwNDU5MjUxMjc5\nMTE4ODQ4NjAxNjc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEix6\n5ohBbnnx3yooDDBowi/IZojh0/QJt3hcIKRKuNaLDYwv3fVXlWr3KDHtexkAePTL\nrgqb2BsRljxyWkf1GqOBiDCBhTAdBgNVHQ4EFgQUm6vF9ZmwULktuWP6iLPZrZ2G\n8AcwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSbKxwmBpDwwxwWXwWpl1qjLSRzLDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPc7xsa3bY/v610Unc4EdzpHlNtK\nIkAnswkvsyBy4YUXAiEAgS5Tl07a7QNoxRE+0vMkv0rgdCd2wnifps9g8f0BOjo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUC/+O1rQRqAh6hVHIicgixKkkJ84wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzNzQyOTE4NzUyMTcxMzc2OTgxODgzMDIzMzgzNDk4NTI0\nNjQyMDU0NDY2MzEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbbh9\no2/lv4rlar3nENLszLkUjGTf+8WMKJbfBAQHNCM8f7zob0HsgiznUavmf2cFSS60\nfjrWkCSfC7DS5PLW4KN8MHowHQYDVR0OBBYEFOf/aJ9iDeKOO/ogBQrzD/xK7lo8\nMB8GA1UdIwQYMBaAFMZl32eN/rmTt4JRzHIpCCDq3B2xMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAvHeUEbCuVHK7R+DIMpHYKF3RcvFfhCOoP418gUsiZmIC\nIQDeK4UaVSjv+SqtzGL6upxs4I09b+yn8Dr0t4uTVB3OzA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUHtNY5u4P09rE7TrS29gaVvQrwY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdfFJqr3UAYPuiarN+/RsIVsfI8fxQFha6iyyu\nH3MImHrgXG7xxjk5gLMHrDj+pH6PhESkG9FsGT144/ujwLdOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq7witEc5G9X/PJCuoLAk92/UoxYwCgYIKoZIzj0EAwIDRwAwRAIg\naPqVZhnonbBCmktDCqQBiA7YfO9uxIb7YVYY2RYMv0ECIAFkJ89L5UcFhQVPBHfj\n3ZnLTe5lHjK7oQxj8oHss7zm\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURpNe0/SAqQWEVYVgpHvp+ux7SB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMdfj32CehjqHWaovGaFNUwGcgikakpuZzsnaT\nyTl2sk/Kelx6B5cqJOu7MpTv+fXsQMmY3yxrT5Zs2gdPxGLPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqzR1TLrMvqPV7ykIhhouCduD338wCgYIKoZIzj0EAwIDRwAwRAIg\nKt6fnHaVAElIwFHdLB3u0COmy2LA/ctSp2DLGkgwwrYCIHISkOYD33ZfKCExdUyp\nJVsMHbyLRjnot0f0+u/cDJEC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUX8HQTrOYjrVKilIBf6jJ7pLeNXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNzU5ODI5MjQ4MjQxNDk5NzgyOTgy\nMDk1MDYyNzc1NDkyNDIwMzE4NDMwMzM0ODUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDPnZ2kvuPLZ1E05uVFhylTLLgamgpU+MLBOwy0cUJIcSFbMeDW8tIdds6Kz2qri\n1dm+7ZmnFmghK7adiw8Jm8ujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKu8IrRH\nORvV/zyQrqCwJPdv1KMWMB0GA1UdDgQWBBQfz6WhDdu3JWz2fq6cRIqV3EO8NTAK\nBggqhkjOPQQDAgNIADBFAiAbdyNSDxwe5HaTuGcU+M/tdtjezbUoCh4lIZ0oW6dx\nrAIhAP4ok/Ryj1Ix4M0byRz4+EEVo1PrifTTmQoUgtrt6p/J\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUDDz6rJhncf57BWlKS8sWjkuMBXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MDI5MTU4MjQxODEzMDk0NDcyMTMw\nNTc1NjU5Mjc3MDQyODQxOTIzMzgyOTg5MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM+9YKDy5LM76Ug4CFE11V+F6a/6GRU8dYC7XtpEoFx9+iPxESvvua8FFCq/yuXy\nsZO6GNyzLZFPbArzn7vNmpOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKs0dUy6\nzL6j1e8pCIYaLgnbg99/MB0GA1UdDgQWBBRQzsF7/fjyGR2bD0D5fQJbEH2xCzAK\nBggqhkjOPQQDAgNHADBEAiAsAru9oA2Z5Uxrco76t65MS7gCVzw8RLlrt7FdkCIW\npwIgXSubpFtHASM1GY2VEwYnwD6lUgtbtSwxJpob4Vjns/o=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUHQPm2w8K/YPxe+LDDay6y3yG6EIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTc1OTgyOTI0ODI0MTQ5OTc4Mjk4MjA5NTA2Mjc3NTQ5MjQy\nMDMxODQzMDMzNDg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU0NjY3NjMxMzE4NzgwMzUyNTg2NjQ5NTE4ODM1MTY5MjExMzgwMjg3\nMDc5NzY4NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8xvO+ZhEYV0EjWRHeoXipS+q\n7HPWQ38HNahgewe4jxCOEzgqsjgX4I+8/CIuoz72GnDl1Pbt3LTKtjD4pHEZcqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUH8+loQ3btyVs9n6unESKldxDvDUwHQYD\nVR0OBBYEFFyN6WizrQ6ByYfQ25LWuyssqiuHMAoGCCqGSM49BAMCA0gAMEUCIF1c\nQgS2CSeH18c3sgRxw8D84IDz5F8PK9TjHOZPdGEMAiEA/8GdjkQXacji4HQHS8Um\nkpPGk4v9q9V1kdFMb+O8e3Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUeGLYlhN0vqk9sEF/cZADD64lZSYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDAyOTE1ODI0MTgxMzA5NDQ3MjEzMDU3NTY1OTI3NzA0Mjg0\nMTkyMzM4Mjk4OTExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzY5ODY3NzcwNzY0NDI3NzM2MTUyNDE1MjMwNTUwMzg0NTExODkwMjc4\nMzE5NDg0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATl7dQlxxjOoODnUoQUpzXkIp8P\nINrXiJ9KqBQ0YYhpobLDJbKgdXu4dulfy3topDVBaxhsT4WEHqwcmvSi5FY6o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRQzsF7/fjyGR2bD0D5fQJbEH2xCzAdBgNV\nHQ4EFgQUGHTUGDj3XqVLufhXt92s3rs92C8wCgYIKoZIzj0EAwIDSQAwRgIhALDs\nARKMXHbhMOFHB6Eiv4qnGQlr5HLFqQ8yRZY3BCQ/AiEA7C4YllSQ9LNblQqSxKTc\nIHn0VJTz602N/DFWFg8IVuo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAUYiz/1ZJhzVtbdx+icCKVKEIuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASUlLaiEAox7mY9KRw2zAvUSQOyYMRCn61mZ9CO\n2fLmPZ4C7Pd1BgkCyhZWUcJ41R7FQ4sQ7MybcY3Qq5fyNLbPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3UcAF+gsWWGXAIo2VXgvUK2PZgkwCgYIKoZIzj0EAwIDSAAwRQIh\nAOhHAj5lQl16qkKnnpq0wK55HIvA9h105AJcR0PCGlD+AiBnuqATbYqqHXVe/v5e\nGZwIuQlN3K6tp1y1zXl73BcPKQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWlTyKZd5M9YqPeMzJAsBoV3jp/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEQ/kXacxzBCE85CFnMRfPEqqNTR+AEdcxpoZ5\n1ZqSCWibE0WHOZ80alxWrBfLULVWQ14LSNp+zM/GGjL55tKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwpGYTRmK4UhkAySF7u3W3DEzdcEwCgYIKoZIzj0EAwIDSAAwRQIh\nALMv8DZmEVa93Ju+8JXzjQReMSe6ya1AxUq/30lipTpjAiAN2yMO87UzxqzBTNJE\nU4kAVobw2tETNiHyRuWqjXYahg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaSgAwIBAgIUJqAbxN6ZprnZKxO7X/xRyDC7YnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBlMTcwNQYDVQQLDC43MjczMDc1NTI3NjUwMTg1OTk2ODc1\nMzU5OTE1MzYwNzI0Nzc5ODE3NzcxNzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASc\nuEPHwxcz/S3OxELu1vjziKKLQM9duUEw9pJ9QPWEya9IC66ArZnpZ56p7S3sXw/s\nDQIsapOrbh+mcH1Vdrnvo3sweTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTdRwAX6CxZ\nYZcAijZVeC9QrY9mCTAdBgNVHQ4EFgQUwbiIxyukGK0Eya9bGqNk8y4H3Z8wCgYI\nKoZIzj0EAwIDSQAwRgIhAK6W4SL/wYwx9cHFetmO2LcbtI/TPvmWTTsN8d3P7WP1\nAiEAovGVJLrfrRBmg7BD5Awg8hBoQP3ltcRBo5a8MVuM2dA=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfGgAwIBAgIUIU7u4Kf1Jvky87MlYM3CarA2CeMwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNzI3MzA3NTUyNzY1MDE4NTk5Njg3NTM1OTkxNTM2MDcyNDc3\nOTgxNzc3MTc1NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0wMCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAyMTkwMDAwWjBnMTkwNwYD\nVQQLDDAyMjA1MTIxODc1NDYwMjEyOTM3NDIxMjUyMjc3OTc1NTU5MDUyNzIyNTUw\nNDYyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAwf59mdJ5hHMSUvhl2h7xb/wqy1\nOaMaXhZ2dkvsfs74T88mI/w5XgHm+KEdgARtOTWzSrLPkLta0yBQT9IrYMGjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFMG4iMcrpBitBMmvWxqjZPMuB92fMB0GA1Ud\nDgQWBBSArIhozLSw1ZaXH0TsCgNQyIiLBjAKBggqhkjOPQQDAgNJADBGAiEAsKCc\nAu4j/FMKfivgU9cZeRuwGergJ0vjR4vdU8rHC7sCIQDLgvsrfHXWQWp6s8HSuf4q\niHLXa0Nm010zVQyR4plDfA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNNi+nSNAzti3L6NGatWQagLwqdkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTU3MDM1MjcyOTY5Mzc0MDU5MTcy\nMzIxOTczNjYxMTE4NjczOTQ4NDY4NjEzMDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCKg4QNlt5YF/07Qq7bZPxtKwaWsLpIjnLwMFpo15Ly0LWs/kaR5GnipqdcOUl7k\n0osaXXrmeBoItme9jjzV9sKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMKRmE0Z\niuFIZAMkhe7t1twxM3XBMB0GA1UdDgQWBBTlleQ2l+AnqbYIIF3hPw3fN26zLjAK\nBggqhkjOPQQDAgNHADBEAiAdeE1scrwrR28Kt+kxnCxwSZpdlW6B2ib5EvkrjjuY\nQQIgYhl8pAchAcIQVlXvhuaRYJRHzEfaUs5aw3VVVz9Cxwc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBeG/QKd1NKOsr4r36fBsoLQmgw0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE1NzAzNTI3Mjk2OTM3NDA1OTE3MjMyMTk3MzY2MTExODY3\nMzk0ODQ2ODYxMzA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMwMTcwMTA4NTg1MTI0MDM5MzA5MDY2OTkwNjI4MzcwNDM4MDY0MzE5\nMjM4Mzk2MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw8lekLCU7+nM+/edGvfq+aLL\nviL5HsG81NzuZWkahLy268nAEPCKUUfECFSktrJwuimKqh7Wvs3Au4pimhUq0qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5ZXkNpfgJ6m2CCBd4T8N3zdusy4wHQYD\nVR0OBBYEFE9adMVijHkq+jHoHUSaV29ZDKNLMAoGCCqGSM49BAMCA0gAMEUCIBVA\n1UDzO9gpbkmIca+AgmxjHnDK+4JCmVMRwfwQeNABAiEAgMLPV8GfnGq0roMxy6zx\n10waTGngIyktbuD8HTRty8k=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUWY/HFUCc4ol/FD+Ri5z9j+io2XYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjIwNTEyMTg3NTQ2MDIxMjkzNzQyMTI1MjI3Nzk3NTU1OTA1\nMjcyMjU1MDQ2MjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfchb\nlcHha+kB+fYXcY8BZfor2lE8MekB/LXWoXIUWzl8AdHEZW/6uhhNYWgmQxMaYOIQ\nHatqix5EdcnJxiZSxqOBiDCBhTAdBgNVHQ4EFgQUYuhwnjxILDo9f65WYWXIA/d1\nFfgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSArIhozLSw1ZaXH0TsCgNQyIiLBjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXLga0uN4FQxdipjkwyu693m4Kt\ngxdjWnZUrSJGc7+BAiA42I83hoK+DkP9jRSZWTa3+3ZijkU+vwGL2iPkhixjEw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUfefM6OLcO5yC6ufFFyFyBmt3MRIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxNzAxMDg1ODUxMjQwMzkzMDkwNjY5OTA2MjgzNzA0Mzgw\nNjQzMTkyMzgzOTYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsg2T\nfHGB3tMxWcEKt09btgnZUcfQAYZ85DCRrtBRuR5w7oGCZJUxlWkX6MOWApdyrNtL\nolDVQyAXFMjxXGQNGKN8MHowHQYDVR0OBBYEFKRkNjdk+cYuKpuV6P79K3lQpvfv\nMB8GA1UdIwQYMBaAFE9adMVijHkq+jHoHUSaV29ZDKNLMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAml8jcgR8kcbZCsTGQ1gn2JnsihBfhqIlo1tqxBgc28sC\nIBECrqqrPJ1T7NzcVfe5zkbbF4d1rIVcwYFFO65u58dR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDzgfDMi9zK+PJM7vknwtyScqqlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ1eDHW773E1ul2bBfPewk0xXNiZat3k5dO727\nHAW0D3pR8mjoAsQ/dD8G2syxbnpxiz2DYVJMORwq0HqRccQmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5hiZicDAtd4PP46xeA57KkhjJOYwCgYIKoZIzj0EAwIDRwAwRAIg\nP/KU4cDp/Ms+eSmsgGpcKi809RvhU9EhqKFTAqkF5cUCIDmmKe0VHXB8pnR8+rC1\nXe40y0epgQN1tRRIFtNNb3WI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGLGVVUK0XDowgBKYHBjAf2kxQVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEJZbzht/QWAJeYR5IYdMg35nReOtM0tM0H/yj\nM+6lA9XYvigEJK4CfipmzRLpphUjErfJq8dG5XF94o+q2Rduo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBq79P5Y384f54xk9C0Czx4L1LdEwCgYIKoZIzj0EAwIDSAAwRQIg\nKe2CYh16zgZn84i17CJeMWxguIpPpwSSf6FQulbSkgICIQDdKbw0eec8U9QYhxfv\nW1McO2LaUbfn6KXTcT/9JRQFug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIURjwseXBgp7+PlH8Vu+I5uIB4Q48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC84Njg4NjQwODEyNDU1ODY5MDE2MjM2\nNTQ2MjE5MTk3ODI2MjMwMjgzNzg3NzMzNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTg/bKCHST+0JhL++XymlAgZCe9wq8lIqtZ5d0zKWHLc4xT1ulohXGVwKDC1EA6tB\n5iLARSJNyYPKCP44vPt2b6N7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5hiZicDA\ntd4PP46xeA57KkhjJOYwHQYDVR0OBBYEFKF7KATBX/VG4Rtv17A9pyQTwPS2MAoG\nCCqGSM49BAMCA0gAMEUCIQCZcmsiZqdgF86Tzn2BNww3Yg2lz+iD1Rf2ecB8YmnP\nOwIgH3rTxA5yMHXXfLWpZUmUA1jBsKBiWcw8exCp3Lzeo4Q=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUCljVEm5tM+9DIRG022HGERSCRQ0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvODY4ODY0MDgxMjQ1NTg2OTAxNjIzNjU0NjIxOTE5NzgyNjIz\nMDI4Mzc4NzczMzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNDAwOTcxMjcyOTMzNzAzMzk3MzM0OTY3MzkzOTAwMzU2NDU1MzQ4MjQy\nNDk4NDQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRCuyI8Q/hBtMhojfmqHctBlZr\naT6J/femrVwK3rFgSxsR50TogB8cGsL70V0ltHZG1SuFB+TFc35iXFinkaneo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSheygEwV/1RuEbb9ewPackE8D0tjAdBgNV\nHQ4EFgQUxpFgmkky/ZiXkUSrLqwU49jaCJgwCgYIKoZIzj0EAwIDSAAwRQIgT2k/\nBR554WkMN3u39z1eA+H30CxnFrdH70wjdLYjPAwCIQCIl8lo9OIi6+o9zO9XoDKd\nTAT6ia4Yro1MrFOJ26UDhw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKBTSM7r7QjVu6lx3ZaOVhecd4QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDA5NzYwMTkxNDMxODI2MjExODI0\nMzQ4MDU2OTk5MzY3NDc0MTMyNjY1Nzk3OTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJqlZqa8jC1EGbJVd9l7qEHHH9Hn4Z14a3s8FdcTXvq3RcZamL6/zhTG12nKNGyO\nucW0dbDkMqrJoYF89MruGf6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAau/T+W\nN/OH+eMZPQtAs8eC9S3RMB0GA1UdDgQWBBR1nl6VA6xRkXLZ67XIDa99inrIczAK\nBggqhkjOPQQDAgNIADBFAiEAuD4PNjxL2toUdm989YA2IdWzspal2X31/RqIcZR8\nQX0CIFoU+IAS/m/fRcFOUQU0Q35Ds7aUiCz4OcffdTQMz2n6\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUEjpgsvAEudN0yZ5fQUfVJzEc8YowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwOTc2MDE5MTQzMTgyNjIxMTgyNDM0ODA1Njk5OTM2NzQ3\nNDEzMjY2NTc5NzkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIyODgyMzk1NjkxOTkxMTU5MjY1MTc1MzYyMTg3MTg0MDQ1MjA4NDU1\nNzAxMzI2MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsHnzUi9ZfoZ3Zv9huF/fjhAu\nXTAG2L1Vks8AJ1ysw4UvOFGqf9q8i+ctYQIXqit0HDd8catu2GZhodJXWQKK26N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdZ5elQOsUZFy2eu1yA2vfYp6yHMwHQYD\nVR0OBBYEFBOVSNTvf4AB84e25A9m0tIPiIROMAoGCCqGSM49BAMCA0gAMEUCIQCQ\nlIc08PIiAMdfbqZFzlhzJ33psmumwErMsLH8AIRZYAIgI/+OR99fKoutp+dUDbiR\nZb6GpL1GUoxC2UqAsa9zkzk=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUS7o7o6S+o8U6ks2eSsZU+u3SnT8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDAwOTcxMjcyOTMzNzAzMzk3MzM0OTY3MzkzOTAwMzU2NDU1\nMzQ4MjQyNDk4NDQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeH67\nLrqneNHazJ4CJtB94xDc70XWkEjHuj4W9hnd3N3v66zdlAcZ3PjcjPliTWAjvEgm\nL0Yry5uGIahIjNZACqOBiDCBhTAdBgNVHQ4EFgQUYVYpxSk5FKLu6upW02wcDTzL\n7kMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTGkWCaSTL9mJeRRKsurBTj2NoImDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgW0Hy3yKvq5PYGdAfGhoV45Y2/mwn\nkkANevkkyOBFrooCIQClPkmYEgDJ3AHzj5PqCE9qfF5/ol+9U5qB2rXFOAz/jQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUNtrRyMQQrfdcQ2+n38mwHDcANlswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI4ODIzOTU2OTE5OTExNTkyNjUxNzUzNjIxODcxODQwNDUy\nMDg0NTU3MDEzMjYwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX7qy\ncxl1DuHObGUGJrucO4D+jDbRe0p85TeEIn/FfsZcVgrttcmME+wvhlFtDrXYWrGR\nr+U0OQrgG0IToLR606N8MHowHQYDVR0OBBYEFMwZCuMxGzZWwfcx2w14sEIGBLtx\nMB8GA1UdIwQYMBaAFBOVSNTvf4AB84e25A9m0tIPiIROMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA9yWx1KIaLlPgNsQBS3k7jE14E2zkZtsjsrXtZM3AV+YC\nIQDVRZ5djCWSLKKXK7hFAiGoeHDnTG2CwFsATh6mEdszLg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSIPq6GAQMu4gbNW0YUkIfbm2o9EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5E8ofeaW2XHLUxKJ2se/MLzPo/2Q0T94Q9uXb\nuugnn9TGRtq8mTzFD1B8Yuc9uXW5ovCHUJeHdNZ+hMc3ujVEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkmUcbpiJKSn3Y6nd5+hKZ/t8XIYwCgYIKoZIzj0EAwIDSQAwRgIh\nAJsPL3MlNHKrhr+XesJsw7dGlCbmSWGNdsoA6drWjJoWAiEA5OHOHLPv5Tok8Lor\nH43p5he0xPhu5+dVXUsbB0V1EvQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKfFLDdyKE187OeFdQjJK8BOqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrbKj9nUw7wCpB20IMlUGx8npGkX1tai8AicOA\n9rpRvqWWODrm+gtcKl8JnPOepFW8UdtpXrh8Kkg2rUhZjk29o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg3vdB4zIRvk85ZO0mCyTzclP2XcwCgYIKoZIzj0EAwIDSAAwRQIg\nE4Im77lyXutys8dIcHasXUghRaXrbT5+2xfMoWvwXcgCIQCItctH0RjEQwxYLNrh\n280VFDGS6Zx4b36ysOFI/QB2xw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUMmPP6vhXG9REXVftHzeCtNhyELowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MTM5ODkxOTY0Njg0MzExMTIyNjM2\nNzI4MDczMDQxMDU5MTIwODYxNTMzMDcwODkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEpXfmmMS/WwKZL3PUgKqpmSCDG63LSiiAsE0e/PrMbyY4wy7+5dvJI6fNnfNFmY\nnxh7eS7xu8AsixYPMJdIRL2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJJlHG6Y\niSkp92Op3efoSmf7fFyGMB0GA1UdDgQWBBSsNz1ioTt+/l4Q3+Ma8z9S38mQlDAK\nBggqhkjOPQQDAgNHADBEAiAGSglBUgPGklaG47/R4owPYmziH0SNTuijROqkjDlB\nlwIgXK/io32rFLBEGTNFuwVCZqJo9m6FLvqGc67qC5KjuT8=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUIMNog8jjAdCgozd3G4qkQjm3PKQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDEzOTg5MTk2NDY4NDMxMTEyMjYzNjcyODA3MzA0MTA1OTEy\nMDg2MTUzMzA3MDg5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDI4NzY3NTQyNDUxNTIwOTA3ODk5NzI2NDc3NTY2NzgwMTA4OTQ2NDY5\nNjE4MDkyMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElsin+FLPdEhmlqvswtOABfIV\nPsJTaqXf0Xe8nnc+PwcTkDnL5KurguqzLjEKOz5N9YxC/HjatBADIsS38zp/5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrDc9YqE7fv5eEN/jGvM/Ut/JkJQwHQYD\nVR0OBBYEFB4lrDiFizLujK1LAs+DGrC0cYoeMAoGCCqGSM49BAMCA0cAMEQCIGT/\nhmLVL8HgzCON7RIGNRBL2N1Y2pGAki03oXXfbCUfAiAcjTfTPnVYLxMPfzB00XnU\npsEoyf2exG39tHIrp0Pj3w==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUSd9fGPR0xoQypOo4TgkhHU0E3iMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg3Njc1NDI0NTE1MjA5MDc4OTk3MjY0Nzc1NjY3ODAxMDg5\nNDY0Njk2MTgwOTIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE4NzA0NTQ1NDUwMTgyNzU5MzM1MjEwMjkzNzIxODczMDIwMDM3OTg2\nODc4OTkyNDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERdAxC8e9QKBxdxLGSHEwMS9F\n7xOlsUPpE1sRVMMEgjsVy27kJtrLkHW5D5qiYL4/KWbSFsSj0TLqjLBDixDTx6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHiWsOIWLMu6MrUsCz4MasLRxih4wHQYD\nVR0OBBYEFAfcewdm666lnUpN+uT+0dnDbWZFMAoGCCqGSM49BAMCA0cAMEQCIHnN\njt1JMlv+eQF53YCjUKtV1KOOiO48FJ00x3bfidRfAiAt7JeRb2NYsZvXjM1L6yor\nR9vrxOJ79fd3GcZrYGV6gA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXyPxlduFYO8VmpdIO1IOHeD0Gm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxOTk4NzMxMzYzNjM0Mzc2MjcwMTA2\nNjI3OTgwMDkwNjI2NTMxMDg5NjE3NTM3NjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDc+LmHsbfYbwEhpsgSi3uhvh+zf5N+zQIwQWxeY0Hp5ly/v25p1tliyF4eYmw8h\n5e2bpMxtl3OJjUzd4eFIo+CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIN73QeM\nyEb5POWTtJgsk83JT9l3MB0GA1UdDgQWBBTfgkeLrwtLsmsi6SsoJ6/cKxDuxjAK\nBggqhkjOPQQDAgNIADBFAiBG/jZQiMwZkg/k9nxSFHI7i8Wua5q57howe3qC0xYu\nEwIhAN+C3SBKwUE5/FwKuNQqv7qbJcZHpEmwi4lYM3ZoWhvH\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUJMS+7is7Tq3Re995hS/rJIPCLDMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk5ODczMTM2MzYzNDM3NjI3MDEwNjYyNzk4MDA5MDYyNjUz\nMTA4OTYxNzUzNzY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU0MzE1NTY5NDM2NDk4OTAyNDY2Mzk5NTg4NDgzNTI2MTAyODY2Njk1\nODk0NDg3ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHI5GEpgXpIaQSMj7a7morzvw\n44/8Q9drDqfvQZO6sUS8tPAPf5gsPyGoysiTC83t0jeBYFgsgbO/6lZcfBRET6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU34JHi68LS7JrIukrKCev3CsQ7sYwHQYD\nVR0OBBYEFNQoRohX2TlAC1aV7+DpQwjknoafMAoGCCqGSM49BAMCA0gAMEUCIQC9\nF76+SLMs58WnCjtuki7ualVBbIkGVB5ZWFfJQq+K9wIgeMWkw9/zLjykWzKvuHMb\nAIQaNBM+YVsi/gvVrYdhWlM=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUMlcV0ca9lbSrMCZNQX8+TQNAxU4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQzMTU1Njk0MzY0OTg5MDI0NjYzOTk1ODg0ODM1MjYxMDI4\nNjY2OTU4OTQ0ODc4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIwOTkxMTI0NjE4NzU2NTMzMTc3MTAwOTYwMDYyNzA1MTQ4MjM3OTgy\nNzk0ODU5NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7HOIc200pD6tOimk1RA9InA/\nNZagJxngcbHxPT4TnH0Vi9FKRV53kx39/Kc1AIGP8oOClHPtVRsymm5I69lKOqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU1ChGiFfZOUALVpXv4OlDCOSehp8wHQYD\nVR0OBBYEFHY9F9xOUJK0avL2miPihQ3eyAALMAoGCCqGSM49BAMCA0cAMEQCICZz\nLQ36Cf2jVk1z0MC7HzlVPqK8G1Q0LxSv1kQ4Zl37AiACMKTGASS14Hw0tLr+0Ha/\nHcH7tYsygdyNiYkQkPUhEA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUeneEixAaDg59SZgsV0nc3EE92TswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg3MDQ1NDU0NTAxODI3NTkzMzUyMTAyOTM3MjE4NzMwMjAw\nMzc5ODY4Nzg5OTI0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdiy3\nZCRlMjw1bJWgbN6jI8hAfZlpaoa+EnvoO62S0fAKdvDXCZor6xSPcMM8cQjr8L4F\n8tdyHVxllGEhiKynaqOBiDCBhTAdBgNVHQ4EFgQU9b1rQVXrROJswwBR6Zaqigie\namowCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQH3HsHZuuupZ1KTfrk/tHZw21mRTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgZ4LifuxmwtHIgnP9+dGmtsS8re93\nstC/U1cDSegKTPUCIQDwfw2xpAyrTgWaD73GnpGdUIZ5rJe4Z3QS9JqWQbr5PA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUaLQO+b8a2/BtxW86zC61iE9+l2swCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjA5OTExMjQ2MTg3NTY1MzMxNzcxMDA5NjAwNjI3MDUxNDgy\nMzc5ODI3OTQ4NTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENX8C\nzMbPgtNg06jrbDvRIcEfsknckrSxyoRIHiSKXBioueqfaU7TUykfXh5/6sfmDz1L\nULNtKzZAJyJteYS5maN8MHowHQYDVR0OBBYEFHjV3BV8Nnnduh3uM4NVP07pzYPF\nMB8GA1UdIwQYMBaAFHY9F9xOUJK0avL2miPihQ3eyAALMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBlnCLNYyd048D7zioVI1+VYawiwnIsMlkldF7wPz2GVgIh\nAIRillM7/oUXmnV7L+HItFyl319KChhvfbMt3vwhqkdc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUITpkyrZ5rI4/kOm3OOq/axwVKcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4IlMxnaBTp5ggmP3g/5VEob8gzGdluYcqN2Ba\nVHKEFlgdHUFi2BX0R/hYF9BLFA0+PFnHvihf5PY1TEy+EsjKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYYbeGniIJ5S8f8d4cI303401l1QwCgYIKoZIzj0EAwIDSQAwRgIh\nAMr8WWACGjnpRhS8DWS4w1d0HXstR5t61CnO8MAEjst3AiEA5dZNi/eoiuG+WNiP\nst6lmhJS1oa80yFJbncgLQw1mxc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabpeuW3tElKoPeRQugnj19/RNDkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVK4OiMBJTBJxdKlnceacFvfJqhEc0oljkwUdo\nY0AQtcdWnLuJ9S2nikUfaBWjgfF1vu4CWFZuM/jCL6Z2jUo+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCy7w9f2RgEujPUX8HTXtBbAr1BAwCgYIKoZIzj0EAwIDSAAwRQIh\nAPgVdjP7G/A7KWkhaPsBDZ3X2/jS6nIiYi2hxWyrNqwcAiAqdTkuAqt8/FOD/Ph+\nEFUAXuxxqHhEaxMbjW8f1Q4yxQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUKSYFP/4mx2OIhuJT78q4c+2kn6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NTk2ODMzMDcyNzMyMDIyMjUwMjQ0\nODU4NTYzODU4ODgwODUzNzA4Mzg0NzE4NDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOSxtKckIOrw6mCcQ7cuIUHua0Njk6hIzgCxCe4eWSCd5s341J1GEf4W4K7aSXXr\nzLYEyLhkjO6+s92jNhquWgCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGGG3hp4\niCeUvH/HeHCN9N+NNZdUMB0GA1UdDgQWBBSTSANWLAXEfeJODSspuOiNiT9UTzAK\nBggqhkjOPQQDAgNHADBEAiB3+/jb9PMvF+NNChft++OaMl7d7/tN/WjgFMqHW2EQ\nYwIgY4kCQeRpDnktfcpkRBly0+w7av2GeeI/WPAUTeBTQuA=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUPTn2rfb4nBsHCa4w9++2YPOJLFgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU5NjgzMzA3MjczMjAyMjI1MDI0NDg1ODU2Mzg1ODg4MDg1\nMzcwODM4NDcxODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ1OTY4MzMwNzI3MzIwMjIyNTAyNDQ4NTg1NjM4NTg4ODA4NTM3MDgz\nODQ3MTg0NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtZtJV14Oj4B8nMuMdoah7mT9\nozyIpa+23eaFluOauv1h3iCl+agYn7mrH/QKDn3AXDq52oPLdeEdt4ZfGUodYaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUk0gDViwFxH3iTg0rKbjojYk/VE8wHQYD\nVR0OBBYEFJ1JxtK2L0o6zkAvLCL2GyPQyIwKMAoGCCqGSM49BAMCA0gAMEUCIE5p\nzkWyEtC0TBKAUHSerJkShchr4oH6CbkosazR/ZNeAiEA0iUhgjUYo40HpYJ4b+WK\n1Q2jX1r2451qmRWn2OjUVSc=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUMhCPELmKHcyMxgWO4YU1beOISz4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDU5NjgzMzA3MjczMjAyMjI1MDI0NDg1ODU2Mzg1ODg4MDg1\nMzcwODM4NDcxODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM0OTU0MTA2ODMxNjA0MDA4OTYyMTU2MTE1ODY1ODQ0MTIxMDEwMzgw\nNzQyMTUyODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGn5uEGmpXGYEAQSaLSgGolPo\nRehJAW6AT13fLOGNmAWrNzYXD8oLcm5ktnUHcLJbwgcIpftcG/G8AhUdZuGqqqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnUnG0rYvSjrOQC8sIvYbI9DIjAowHQYD\nVR0OBBYEFDEISNFKGbNpN9xPtkrt0Mu3MvE/MAoGCCqGSM49BAMCA0cAMEQCIG+Q\ndKzCjlzWLZrPdmBB+wWu8cpAX8zLq3QbPFWYebfMAiATpO9S5Ux4ZRIro/D6YqWh\nfMPSXH7jTBMtjiehts4Krw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUB3Kvl+kYmSvLsRA4QWpMMf6d6aYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MDM2MDAyMjExOTY2NjIxMDkzMTM3\nODUzNTQ2NDYyNjE3NTY3NzMzODU5NzQ4NDExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPg9bWc1RNG7TmQtHOPJsAORch/NyhiN30rnzk7O7jKDE3b+E/RQSKTl5TELoEnn\nwWfeiVShqaiYnag5tQ+M1lOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAsu8PX9\nkYBLoz1F/B017QWwK9QQMB0GA1UdDgQWBBSuZu3ViynETjoBGQsFk5gPyNyoTTAK\nBggqhkjOPQQDAgNIADBFAiEA2pMFa5TuCcP2Ri0UCWEbW9i0kH5pA4fbfMbbP10X\nzpsCIEU51SVaphi+0mDHAo+FiNOLkUJWr08UMoBlVH32bc8C\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUTzBBQkoa1sYm8T4BczSKTAxkpfgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzNjAwMjIxMTk2NjYyMTA5MzEzNzg1MzU0NjQ2MjYxNzU2\nNzczMzg1OTc0ODQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYwMzYwMDIyMTE5NjY2MjEwOTMxMzc4NTM1NDY0NjI2MTc1Njc3MzM4\nNTk3NDg0MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY+V86ZcqFUeO96CrZTo5zGx2\nWmzGi0VVoC2YJSMOvziGlMiv80kf1tIzsr3ONo9asctUhEO433JROCXJM1ZgE6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrmbt1YspxE46ARkLBZOYD8jcqE0wHQYD\nVR0OBBYEFNu1hud1erh2jQdRsS/DjEaVst68MAoGCCqGSM49BAMCA0cAMEQCICyu\n9KR5AxYXWkD3AGOtBwhRMhmHWjdXlkq50XK3bUL5AiBPnsZkoe879ibD4bIwTRAN\nWo+qMa9D/FoLqEt8sZMl2g==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQ8O6VMh1+1kQjSP6pFjE5WiAUGEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzNjAwMjIxMTk2NjYyMTA5MzEzNzg1MzU0NjQ2MjYxNzU2\nNzczMzg1OTc0ODQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ1MjA4NjM5MTUyMDMzNjgwMTA2NDQ3MTgxMzY2MzU2MDc1NTQ3NDQ5\nNzU3ODQ4ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4EfbDeC6irOua0y0NDYVNVbB\neCdoyGNjsdr/HkOCEqox54nV8oQRGU/heLpSTZ6rM/exrzxNtF8vZpiWxSLiYqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU27WG53V6uHaNB1GxL8OMRpWy3rwwHQYD\nVR0OBBYEFDq4HnQeYXPFiOW1OM2fUdecD1a6MAoGCCqGSM49BAMCA0gAMEUCIFjV\nekzI6v/MVdEOLU2eYaC635NeJVUw0lg/fa2KdXYEAiEAlAaHIN0qbsCQs9vQCUCe\nLtu0nfkbAnWs1OJOyVEJy2o=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUI6hZc1S5wib/5h4s32EUNxH6M9EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQ5NTQxMDY4MzE2MDQwMDg5NjIxNTYxMTU4NjU4NDQxMjEw\nMTAzODA3NDIxNTI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflKu\nXz7GJxiVrOCE9B/IzJUAlzdtLHRy15rfizL12zSLLza6OI9YFHEN85D2djM4UYhA\n41qYOCLY1CnmDFCoG6OBiDCBhTAdBgNVHQ4EFgQUCuuO1BPeWAgj540koHIobEs9\nMdMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQxCEjRShmzaTfcT7ZK7dDLtzLxPzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfAp4w7c6jOb1/Fox9kNQ9vfoJBQj\n9jLmCyYGbMSR1qoCIQDkJpy2ZTJqWtW2xy6H8n/uK0iXjSsMG5qpWiidj0yIHw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUaG2RTSUBIo9UMT74YNbCk79Z1AAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUyMDg2MzkxNTIwMzM2ODAxMDY0NDcxODEzNjYzNTYwNzU1\nNDc0NDk3NTc4NDg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8LSK\nzJdrmseSWDR4Nxh4l6YpPiDoyTgJP6a7d/Zs04TX9Hk+BCoZaSncHhl0JklW5MzA\n5EX5eGQ1l/lqf/WSxaN8MHowHQYDVR0OBBYEFC7cbuI9r3bjRs5SjJGxtGCLynEy\nMB8GA1UdIwQYMBaAFDq4HnQeYXPFiOW1OM2fUdecD1a6MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA86PYYj1IHQa2o6vKWDOGsPiJz2pzSjrsCY98NHP6bXYC\nIQDQygmeUN3a2RR9L5BTorhXOwzHoCQf1ZJCAC5XZfM9yA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUVwDDzkoO80vNe7eEEshH3WVzDXIwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6SiaEK+jPfBn\n+2jDGB9f/l74f0V2I0duwSjNAqFUpab29bnyrDdx4YLhsti6pQpaLFM3fzsBJ4fB\nP+/GiiYDrKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKU9U3ybrW6QKQidJLK/PWUFGiZq\nMAoGCCqGSM49BAMCA0gAMEUCIHVn4U9l84KEvdzwf3/b2GwjxcdnJkNVVO8TxWSc\n7YRwAiEAqGmUVeAsKQwvpqNg5OPYx4DrdzBnT/EZCqfPUIsZaDk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUDTSucafyRx9MccL9R+IVKk+b6GgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEH8c+EK0MFLPC\nyZxYmbTflUNK+Zng+UYGZhbEtjKsgilz9T8W6gszJ+l8s9YqOZ1jAQGClG4Rkl6F\nbeBglNnc86NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCyEW7gYvnEkzahi5vDTwbwSjzl6\nMAoGCCqGSM49BAMCA0gAMEUCIQC2/KsLAo6egx3Hk6XMJ6qsd6EgKweNFUnWXUno\nq1KR4gIgOaT60QB2p4NSO9pg8+mp3mABsp51DTyH5lFB0AdNups=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUaaZVFZg7OJiK7PKaQT/46iNDI4YwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABAkTSrGUmPXcLwejvxmOke+NoeT0Ba3qRSB4OSuERx8aRZe0\ngXB/tRIa29Lw3bD8I2eguF2Ph/P+uEt7loZkrOWjgYgwgYUwHQYDVR0OBBYEFMjL\ngz4fx5LLUrq3EbK03fd3d3zIMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUpT1TfJut\nbpApCJ0ksr89ZQUaJmowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB\nMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHhRUKAp\nagisuiO+Z3OeCCNFucZ85o+qg/hRNDhwMvJLAiEAw9sa/goreyEki92NknTap1us\nip1+cSg7vJEtahAdIiw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUaQdFQbADG1ZTsZnPYF5MB6SfT1QwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABB8C7cPfyXq1mnddZ6ROu9XEZpwI1zFSf/gPqaT+OojpstzV\n3HQXdceZQh3S9j4HAjOJylT8Xjtmd1u28i0W/FCjfDB6MB0GA1UdDgQWBBStT666\n3vJH2RddfgiHL13iKQ3YNzAfBgNVHSMEGDAWgBQshFu4GL5xJM2oYubw08G8Eo85\nejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSay5vwrgJ1c3fsw3rg/PDtHS\n+p/ja4HTayJqvwrYeaUCIFy/tYO8SqtxgZMM6isJXqcKDhefBTOs4jdfsMIw45BY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUVNwQxz0nbIDTL0SiDpI6bpf3moEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELOmj63PW\nXDVZzWYstv8Mrk0gfTCtanO4i1XQS7BADcxbUX0fR9FqY5x+1lAbDZ3gw4bnK/bf\nBQfTRbh/aju8gaNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFOzKytWdQ15JH4QrGLk+yHgF\niNWwMAoGCCqGSM49BAMCA0gAMEUCIBmnhRero5d+/iyc3nceWC1QofuLBG6EEe9F\npFdHPD8pAiEA6aqj4aazQzuVC6hpYoDt4wnxz1ecdzIcxBnV3RJONIc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdjCCARugAwIBAgIUUfPC1BtakQSswicsa5SRuBq7s/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU2VeVzYD\n2RUUsldQq7eBMUFSUROsi0WhFyscCidma5D/FkEUNspbFLr05EVhKjlyOMV81yMV\nMmg3vKKf0s3vJ6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF/NyFfAJonewVlMjbPOTPT2\nsCYfMAoGCCqGSM49BAMCA0kAMEYCIQC185XiPsHy+XxoI6xOHCOKYCp+zklZOtDi\nJbSHwbBivgIhAKerL7na0UzvyhJDI5yKvqpS94JUy6G+rAIu2b8nFcEO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUUtoa5cwt7s+jhs2BRpb+cq5PFJMwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcq+aWOOyO9vpw\nnZEfZ+noEndDUJZ7tGi7B+Ob1wspw+dVJKvNfmwUz/BuLdDV2yN6fxzfiqlBRL6+\nyhfY7iY6o4GIMIGFMB0GA1UdDgQWBBRtgD8C/dDCI1rsNiF1bMk9EXx9SjAJBgNV\nHRMEAjAAMB8GA1UdIwQYMBaAFOzKytWdQ15JH4QrGLk+yHgFiNWwMAsGA1UdDwQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEAqg3pFyw+2c3F12sUtsc1RtTl8Gh1av900awb\nownENa0CIFcKxCBZA7TNGNg0h225UYYK8hfrTTYSKu9yQBQW7be7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBlzCCATygAwIBAgIUBrGm04Odr11cAN8URnxc6OvLv4owCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARV7DKT23yQTwuf\nYoBBKLLOtOM9ucXJWm7x8SnKFY9yPdMURpiOPO76netEBtUMn/IIqNAGGHjeWRdP\na8vOJUqCo3wwejAdBgNVHQ4EFgQU7vvmJRUx8kQNv/82TFLbJJCpxcswHwYDVR0j\nBBgwFoAUX83IV8Amid7BWUyNs85M9PawJh8wCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQDY2BjV29aYYdK7dEWFXJi0MIi3Oltdn09XC8FmNRlBawIhAPZRD4nB\nmh6zPQ6G4f2BolcjHLsvIp1rqDuKgWsErm9t\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDVJ27ifwYkQQsQlJ++9eVGUyB9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMjVsbQLxc93iNap4OIXyItt1mOVy0lBNYq/07\nZROK7pgt/QOIi1NUXaHxgW4s/LfPzIRZNiM52nqcO1vaPIduo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQGO5dwh2q97k7OsxooVH02suggswCgYIKoZIzj0EAwIDSAAwRQIh\nAJCzAux+3iQhBkC7e5SYI6ThrdJ6bkQsIXwDVh2Hb87zAiBjo3Z6xtJ3z7fCZ2w9\nqFGoy/AsX28UqyLbD60xKsRTOw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFrTas7uwansA08zsdQSuCtrDe8kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFQps8BYJF+xujnR+bRx9Lp/UH/mn66YD0xbeb\ntqfxY2aXHkzE+0WpFGI3XXfnUKFKS2yew4iyzDCcajT2eKLvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhw1qRmcekTjusCdH8bjNDYut444wCgYIKoZIzj0EAwIDRwAwRAIg\nRLPdHaGpuMAoqk4ZVh+FPCddapCKZLDvqjNnYsQXaYkCID7Nr0r5un7ANK9ymgFE\ni6/zHC7ArVk4fElUTRjp9XUd\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0TCCAXegAwIBAgIUSIywaCDG662PUYJtUPPY5xpGytYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC1wW+oI9eihbHN3Nc+I53ZLiNv+kdgxpujsfjVRrhgd\n4q8KfOtK7iaSLXhDOjwPBSUlM0lq6KEFTbdxZQ8kKoqjgZwwgZkwHQYDVR0OBBYE\nFOfdRrZpgbLHFigVQc40hBMDTRVyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUQGO5\ndwh2q97k7OsxooVH02suggswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGCysGAQQBg7M6hRoBAQH/BAAw\nCgYIKoZIzj0EAwIDSAAwRQIgLK5bDiWvBYsV4Rw9wByT2ewqdY2mEsKVjeY3BPre\n0P8CIQD7hG7/zQBygR8xDMPSkZIZe/epdvcfAPRko8J6Omg+Ig==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxzCCAWygAwIBAgIUKPIj9W2Lp1/bn7DkzSs95XuiBt0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBEDub8njqbxb76WUl0aK7ijfxFg9gu5lv8kXwqht8wi\nhDRjWi+hugkKnIrsBfaCkftxXFhv4qCNNNHE7ni8lNujgZEwgY4wHQYDVR0OBBYE\nFAfhwJEG0Zsp9KnDdMZKx7rfV2BYMB8GA1UdIwQYMBaAFIcNakZnHpE47rAnR/G4\nzQ2LreOOMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0kAMEYCIQCYddqcGjYgjVNjC8G4omzgrKoC+Fh0fefss25iIKGwgQIhAMa5Yxju\nJ8fA5KDi3atbuwaVPwkWB5bJPw2bhuuPKUdu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUYQUkkMZwkjHw2NzXzPqKqrxDq0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRahheE8P/DYP+B3/DDQximUq/jVBQ8NcJ10wR\nlXd7I5zX0eyJw+ZdqjttVybcJplobRKBGGVYTAZ1TuWjjVL9o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfwdwtF5APRRDiWQFxhN7iagw9+UwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiAuvRXyENnlD0rAJtgWtKnfyRtPsH10ZJr5GXZ1\nBwsVuQIgV6FZzYCJ0XRtOVwJT/o/Uw6rfzlqlINhT9ocG7lIFhE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUXGF3tqZpLkWWHXpcBziRd6BkK3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDrXa4bmxWPzVFvWxotWl8gdj2Mjf18jrfLIWj\nNj/Il5FaLGnd+VzolTYBuqwwH8lU4vQX1gr5Us+Ir8wWs1M/o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg7gosP2ekjbTU/29v31f62qhiyMwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiAqeoBwsnhnjUUTpTakUcZh1898c2OFAlBX6Lqr\nDk3eCQIhAOE6aMeMUlsOyVeVNH35lUT2Fbgcccc8eVrInTFcrMuB\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUOxyziBD4Ut4Y1nvDryMHx2r/l4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNIjj6gkZxA/axIbCajJD2Kd4QAd6tVxcLoLJFhGxG3x\nWMtx8iEzvuXmtGQobusQrjNXufNRgV2X7nbrlUzbhrCjgYgwgYUwHQYDVR0OBBYE\nFAlR8o5SbxDsE54pPVML9Ea1lfoPMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUfwdw\ntF5APRRDiWQFxhN7iagw9+UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICqh\nMbk9bNdmxVNmI/jV2vSp5TTdofI0RLIU8zOldNBfAiAbSWBIW3leflmoxNMuBz6+\nhWH7MWIbvO2wAL0HRVOxDg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbTFE76YVEjguBTakCc/pVDPm9m4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKM5ixbXmbSxNSr027Wwxe2KYSEBpK+iX+5/+uxuSMBD\nplcsuCcbk7OtHel+0mQU353jEGSeeHShgpX9IS4kJZejfDB6MB0GA1UdDgQWBBSO\nnhZSiM+lok8CHpUH/H7ENPMVzzAfBgNVHSMEGDAWgBSDuCiw/Z6SNtNT/b2/fV/r\naqGLIzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK/T2z1ozm2lICFlntxJ\nTPkX+S5RPaV+rln8Wlg8RIuFAiBWoXEtHXZPqqaZeG5hqOHUWSgeu5VXfrAkvSHP\nAtJP8A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULGtEiLhpwF0zWzWVdbUy2iztWkUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRfQeRqaRDGojt+31ZJkm2ydzhprEwQar1uwDY\nuOqc+/fHprPlxG9gPS353Nl9u6UiF5+9ffHHarF4FoDVrxUpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyfCgDosrrJoKZzLQLsRxssEPqQYwCgYIKoZIzj0EAwIDSAAwRQIg\nIVqVGwZqMpydX7P2tpiwYSC4g/DSa0n6j9V2tj9YQN4CIQCDL1SruxEqpGYt5biH\npftvDXrRC/6wP1AC1vSGFHC9Jw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHWLkvNHLQaIBD9xvApODTOH3XiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQsazGYm2FnCcB9nP8PY4bRnw526b995UDecAe\nO2imRgSaHnfl4MxrdnL7eZTHC4ApJqK5t6KF8UriwrD2betmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUamTx2EBFRwy65cETUDY/TTSZPbgwCgYIKoZIzj0EAwIDSAAwRQIg\nd9HvnPOXDj94VWtCfTG3JkPtTch0MRVaVPcAPAzG8YQCIQDmMEwEgSw9ahqUJbGE\nfHQvxUKrZ6ltVYHz+dBbZMNxyw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUDZ+zfKak9ggWwKoqjfy8pCNG/wMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyNTM1ODc3NDM4MTE0NjQwMjA2ODgx\nMzMzNDcxNzc5NDIwMjcxMjM2MzI3MjQ1NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBINSuiWDZyJfX8EHGJ1IoaPqxDnNd003V9c6bqGfExlgtZWyTBP5w/kajIXtIIiT\nVj1tV032NtWjk9kGdjidRuajgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUyfCg\nDosrrJoKZzLQLsRxssEPqQYwHQYDVR0OBBYEFJc5Tz7dohMpORAvQabFPxMFnJEj\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgQoqdxJVUIWZy\nKakryhb89c5PpFgZO4YT0V/yQCHbLf4CIDEz9j4g7R1FUSEHINgpSGoldQ/KpT5w\naoLH1tcEnIxt\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUXwlWUPlfgdOIdMZ0DcHsOYfDQAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjc3NjYxMzEyMzY0ODg3ODgzMTY1\nNDM0NDYxOTA3NzczODczMzIxODg3MjQ3ODAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLHYHQpyBIfMGkUzni/hoMoznq7KEdYwmkDlbbKxrb0pkhr1lYe+WAYvM5HuehB5\ncEWaa3we2l87pMuZbeh6E2ijgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUamTx\n2EBFRwy65cETUDY/TTSZPbgwHQYDVR0OBBYEFDKccDJOHFDNS5AyqjZuflVLmqXS\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIga2wghgkjNgLZ\nNWA4J0hAXFIiFYyq4TZnH6JMD7M9t7ICIQD5FjYvkQmeHAdDyDwtWTBSatkGVAyG\nL0piaxnfCJg6bw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUU/Tb3c8f3RccpDCKpSM06JTOGXYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjUzNTg3NzQzODExNDY0MDIwNjg4MTMzMzQ3MTc3OTQyMDI3\nMTIzNjMyNzI0NTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYGMk\n+cE5YZBgD3X+5rkHUVTeHPUW8fbqRQYnsbKByAkhGmSAbosRPbr9RBdNWtu/H674\ngSL9li7xLw1fgzX/m6OBiDCBhTAdBgNVHQ4EFgQUZNDFnXtdGoy5T8CP8/NopsCM\np6gwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSXOU8+3aITKTkQL0GmxT8TBZyRIzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSa86rxLEmninHVvyAopBpdJb+ODA\npBuM3M34/ByfF4kCIFLsfXEgTrW1evpqN4cibqh+02c/U1+f1xrRU199Lh+5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUObQWTsviOZuKlxDTlkP+KL0RbFQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY3NzY2MTMxMjM2NDg4Nzg4MzE2NTQzNDQ2MTkwNzc3Mzg3\nMzMyMTg4NzI0NzgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Fj4\nwKDU0difIMC8hHeN3J5ibbSqTdGJWnQPGrv0OtQgbt3d5dahQ/1qzKNA3WfcjVj8\nQT6zZWi6ArlW+P2shaN8MHowHQYDVR0OBBYEFBGfpvXNUiwaNTy0jYuMPKB7NaOP\nMB8GA1UdIwQYMBaAFDKccDJOHFDNS5AyqjZuflVLmqXSMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAliKvBPUq348pjiLvMLUO4yBdne1WqtZgAgeiGvGimLgC\nIFMh8Za2R8jyw7oYWkGZlDkVcM4rS3nC973vcTVujDTk\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgITbp2suh13Qqz7pI0OlCjudCHb3jAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2\nOTA1MDIxOTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDBfwepFCo3gkpSlRBdoIUbB1DKizZ26BdfY7R0V\n5D5vwmPnNTBfh4kySKOMGKDFzZuxoQyVHb2SedZyDBU+ldGjezB5MA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCIG\nA1UdIwEB/wQYMBaAFAFTFl1YTyb3yr4HgS6uWD71+R6hMB0GA1UdDgQWBBQBUxZd\nWE8m98q+B4Eurlg+9fkeoTAKBggqhkjOPQQDAgNHADBEAiB/vUs5sz2cOrNTkMNL\nCTVlA1HSzcxMEJUSIPsnhYLyHQIgYWkU090tCA64pxBUXh6WZm+Pw7lx/jM03o/1\nC5a7vMQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUc9P9Q6t2NvW1pdxbZNO6Fme6VHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNHNiZDyx+C8tnmGqAXzirLMe7BQwCxc3dXg13\n03Tbp01k1P6jvPXJu6Q/IOhVTbqjZWmfxtF3UDsHZip52cabo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRnaGd4KECjxxGgPogA6VwYEABSHjAdBgNVHQ4EFgQUZ2hn\neChAo8cRoD6IAOlcGBAAUh4wCgYIKoZIzj0EAwIDRwAwRAIgDbZ4XyWe2jOPSbhb\ne2FC/IbnUP7FU/nMeXl+cKgbbuUCIDK9GL2Vgom+yNZSqm70DFl/T9N4GH/ImEfi\nGEHtePBy\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUda+Ig+sckVlkBzdQ7mUtee9aWtgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG2q1ZWyi/+mfoM1qwhus5odIoo3JM1xSlxm9UQo7dnN\n34VBSDmPrjq60mt520zBR94FnvhDycmbVJPV/HJcgmujgYgwgYUwHQYDVR0OBBYE\nFGbGldzpNXaDO+TGP9bZs6ow5QPCMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUAVMW\nXVhPJvfKvgeBLq5YPvX5HqEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDU\n2jFzsaiQYUoO6KFnMW9ZllTENb/U+jIPfCDaUgNdjQIgIEw+RtjqGaKytp7fRvdC\nXEe0A4qbvbZou0AZBACFBTo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUfYT9Wx8rzldUprdX1HE0xThtLzQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPBLEFziufMVtF+bTtd7+gUZP5Fc8uZPCYPG6SMBIlxz\nVvFLnKQAxdwd0VUGI/ePxKXtsIBlnKPK5qqTVSuzZP2jfDB6MB0GA1UdDgQWBBTR\nlj6LzyvLjugsHgbidXAKn3jlKDAfBgNVHSMEGDAWgBRnaGd4KECjxxGgPogA6VwY\nEABSHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgWHLZd57Dz7DNSCy4l8Yg\nf21vTDmNcVl8piqqTNl4qSUCIHh8DcbuBeZoKFrVfvfobur4e5WNIJ0DYT9ZqTpl\nKIiK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWT52IUKyJwBSxJSyY68zj59/+ZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVhmzF/StnJbV/3Z/SKdXBmW7FR74m9yC/M+70\ny3r9UVpOr4JRSJbMdLuvdCbQWrBcc+qvPXeXFqIlIq3YTWPro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNKTR0elN915MJBvi0oPYf8E/KYUwCgYIKoZIzj0EAwIDRwAwRAIg\nctJUbAG0ZtulDrrNEAVmo/10mzt93VkmTb1UKcTr/dUCICNd2GUREfIAfcZ+gVFv\nvaStTOaWo+3WuIDkMlWkby6n\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUAo+S0R61j+viQdwC38L919Wr/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQAj9t7NAyXs2qPcNJ4jAbwgujgcOtrsKynB7Hb\nshzOeYO6WD4OEpA+q4ZiJMifcQ2YrB+/DcGVYvGvdd81uOrro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8QvIckAmigrqQiId+QVB4Fx+3oQwCgYIKoZIzj0EAwIDSAAwRQIh\nALEMQn4/BA1VrjT36Cz3Bc9rnXnD5hRTSjcM0FY4F4LAAiAIc2Xmpx4f3cU9uC1N\nElcjy1eWbSPhHvXVEOycqPYqYA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIULQrg9tmtiFVJmp8RLv570ut+ryAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDbDMKWbTmpFnAz6aWvZSNIlj7oyu8xlp4dsGbg+flng\nSEC8RG/2lBt1AnawEKBWGhRMY60aazg+CU/gcBTRfyqjgYgwgYUwHQYDVR0OBBYE\nFJOt1OcXjknJAUq/oWGCYHl3y+kgMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUNKTR\n0elN915MJBvi0oPYf8E/KYUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC5W\nJ65WKaC+ZuB9TCjTEYlEpjAuBdfCP7Mg9s3WslonAiA09juRFhFLr/5jS8aZQM8Z\ncSoFaUnNdaGUtaPHVt0Grg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUHz5Gwl95JLR1yXeijnRsCO5Zpn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQMlBz35xZqZou099dYBv1t3Mxobf49EoaduUF1XaDX\nZ6eh6cR9RVsEfYHBSavWYqYkXqL4Ke5zeksIvPG2oiCjfDB6MB0GA1UdDgQWBBRb\n79XrH225//afb74RBCRaWKIpVzAfBgNVHSMEGDAWgBTxC8hyQCaKCupCIh35BUHg\nXH7ehDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJdtWjHt+TWn8MhOY+b0\nehievKyGeQbTEzK/qjpvnHr2AiEA7KkwdmI1+/+dUiTs+aEPzcj1zrAO5ww+oVtC\nizTZ5wE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUM7in8DvcLZwJlilZCdgKXiFhkvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDAwMjE0MTMwNDc4OTk2MzExMzc1\nOTE3Mzc2NTkzOTk2NjQ5NTc1ODI1NDY2OTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPZ3Xp21hwo2PzNA5Nzs2b5oxccfoK3fnArXci50IcEA13SNglHTLdYPlmS340m2\nLu1f+PPMoLL3pVZJaQ/Tx6ajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQ//z7cHcyj\nF+k0yutMVHznU0MTjTAKBggqhkjOPQQDAgNIADBFAiEA/OccKvowqRC1qbjVODsj\ngGGgcJDNtTenuALw79B42gQCIEKWGla9FAHBhTXnkOuffPdoJQlvyOUtT5x67/rD\n3h6/\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUBK6m06nCHdILTIUP7s87MeL6hpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTkzOTk5Mzk0MzMxMTgzMDk2OTgz\nNDMyOTM5NjM1NjUxNTQzNTY4MjkwNzQ2MzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAZSWn7wyyoaFSGLS5yDDt+lNuWZpcbjgBXwoR9mR+wmmUkF0uQJiOS9l59oWJgw\nXK1A4mZ5j7UJ02gz50vL8lGjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT2uxf8wZZP\nOBRVaHyU557eSN1diTAKBggqhkjOPQQDAgNIADBFAiEAvcpHYD2fEkPSihZ/lFqu\nPMNGGkYLjPGcdv8hIISAawcCICxLIFbjTKF9tW5nyn3BmMUhbeZP06z55gUDi4W1\nK5zu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUPJg24xvZx9syT6BZxs1xA6Kj/40wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwMDIxNDEzMDQ3ODk5NjMxMTM3NTkxNzM3NjU5Mzk5NjY0\nOTU3NTgyNTQ2NjkzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIPsz\nGxqFPLooL2kWwuCjurIuksB9cK4pzZdPytuLamBEeZTqxEZHJcrLB7Ac+KcslC/c\nRkEXFz8i3tOrbVEn6qOBiDCBhTAdBgNVHQ4EFgQUtPBFBqEiCUAJ4G6rHnE+FpeX\nkDUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ//z7cHcyjF+k0yutMVHznU0MTjTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALBw00dC2p/oyyE8U3oflq04MZoo\nsvk2wO9BEARBxSgPAiB0mQGVQtyJNpUnsMAJpfj+SyhhKkuCTu3kT6wCQPde/A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSa1FWXaI7WTUJt4134+As1MJVSYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk5Mzk5OTM5NDMzMTE4MzA5Njk4MzQzMjkzOTYzNTY1MTU0\nMzU2ODI5MDc0NjMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBR30\nfEoh+T+8M9xoGscaUuOuwFbCc0c+wrwJZdl7FQ9oLbuxWHhutTzODVNe68tSF7P+\n+qCVZgra6RVOoCwAU6N8MHowHQYDVR0OBBYEFEbM01FQxOBWr47dJsq0u4y8AjqA\nMB8GA1UdIwQYMBaAFPa7F/zBlk84FFVofJTnnt5I3V2JMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAuP3yKtz4adE89D4or43zyGPHXGtR1MAcuS3Djc0IJowC\nIF5hz0kmrWHDIw/LLx5l/wlTkZ8Qjm3Qr9yKxzz8lAAc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS5GnU0ealmFqp0heD0Xk2hYLCikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToEN/MloS1kQSptlLfOFBV/ii48YKcI/Hmlm51\nDkuAK69kPaFbzYNFk+ji482Agttg7ZOHIQrbJpJze03iIra1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU36V7yh9a0LHPoFjBhghN02YRfJQwCgYIKoZIzj0EAwIDSAAwRQIg\nO5Vs11gHxHyRwpFM9t5kFEikMHnLThtVk1CjdLDnQT4CIQDUmc2jzxs4pyoOUuet\nysJM953u3Fl6L9BkX80XBhH/wA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ/Kb+NEXdKvfjXE5EkKRdQUy39EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkFAZYOV8TAAJeiMioTCGwOk+yvxmOzqBsp8pz\nO3pUtRmk7gyI5FJHcdnBWnSi5hiJyyD4LZAuX2qfoK/QJHrMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoIzaY7OHPiAbnWGlNwVTH5nOvuwwCgYIKoZIzj0EAwIDSAAwRQIh\nANBTynLr137B0PwpCEoxlkt5D0xgGqjgPmdgTzBuzhQIAiAahwaMO7fcSrk74OM8\nDVv3J/HO9zDdseS1pyb4k8C5fw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUUJuyo9GhTdRF84DmaJG1rAlfNiAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzE0MjI0OTE5NTU5Mzk4MTQ1Njg2\nMTQyNjkwOTkyNzk2OTY3MTAwMzEwNTEzMDUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK6DEt9Tzpv8JGeb6FEljgArr8IIV3lqPqpK5wkXziq7MgXYL0eO3WbYUDYxg9Ot\n8fUhrJ6WylLrJteU1u4bVWijWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQbYSEgJhth\nQs6x93zPKgC5cft/GTAKBggqhkjOPQQDAgNIADBFAiAE/GIhbUGJw/6gYz3u8z4M\n4jzCyka/Lq86RULbX4Y2+QIhANiXUCHsNgcqEyhZ0S0zF33O6eHr/fQ5KQZOfdOE\nXsT6\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUViPmWjgnlorwFCs6AHTzfY07EPQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODc5MTI3NDkwNTU1MTg1MTg0Nzgz\nNTExMzE2NzIwMTIyODI1NTEwNDI0OTg1MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHtHO/r4+yjJbubTaYJOOSyCVxXOGRyImy+ic771eT+ucWscwPkZXv2gIKiQE2zt\nUj+tBGuxew2cklG5n8x2Au2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSnPsmwGTW1\nWMwieMg/W7NceQFSZjAKBggqhkjOPQQDAgNIADBFAiEA/RSxDdO9T7uJ+ho8uUOV\n43MgRAIkFnRCg/7PoaELl+ACIDS89eW0lcGlUlea7CoOv3eWCa/L97QMUjgEifMy\nxMOF\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUM2hRmhQ/VbJboZRFLCFU3E/MAg4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMxNDIyNDkxOTU1OTM5ODE0NTY4NjE0MjY5MDk5Mjc5Njk2\nNzEwMDMxMDUxMzA1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdlV5\nIHAphabBYJVTY+0L9aHXzkVHJXBwNx5p+FjKDtvvmxZ+D5qhBg0Rf3E1Eew5MzFz\nTOdXf+DkTM/+OPpD/qOBiDCBhTAdBgNVHQ4EFgQUnaRdkMnBcYZlIx1x/uZULQEp\n50YwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQbYSEgJhthQs6x93zPKgC5cft/GTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQTy3fvlKZDg8WpE31WGP8/tUCOhf\nAYM6Go5oW745EYQCIEfKXBsdbt/dKeroAAzBLhJfAeFaIMKW9lAwO5xM7zaU\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUJyaC2UdSk4yxVGVPetne0C/cejEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzg3OTEyNzQ5MDU1NTE4NTE4NDc4MzUxMTMxNjcyMDEyMjgy\nNTUxMDQyNDk4NTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIj9R\nDSKdPjyOjL58mhKC0ELGS3IHPABEO4rDo6fNqSCyRKV5aC18l3ycDg86rJLeElUd\ndUPBULktgiWDgnSV9qN8MHowHQYDVR0OBBYEFEqWnazXDWmFPRdeBj1dCnONEAIN\nMB8GA1UdIwQYMBaAFKc+ybAZNbVYzCJ4yD9bs1x5AVJmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAt/KlzRlN/4INEg6ey5hYIDReggwo9K09yuFYWYLLSxQC\nIQC7Lb28aA13jVTmZWmvwVEWcjBtKDcEH845u797kNG6ow==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUK6cs0oBtbPyCoXd0hPSWJQn5vjUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARmDc4ljsszYPP0jOPpdAOf+LlT3pEtv+RmEpfb\nQYugR+HdhErD31bvMFXNgwXMsy9ktzgc5LEOlHiaJn6zhgIso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy48k3va5WzNc97WSPvhNFOGo9EkwCgYIKoZIzj0EAwIDSAAwRQIg\nPR1KuM5BaWKkIbsKSiOJzHCLLWo92lz+vwEY90ngLXkCIQD79hIJ9irCsCatssbX\ndnBWET7c58zwXqYl3WUMry0iPg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH9ACvcI87AI5csIqzTdaerDHk+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7mq3mPsKCvfkk5wDNyA0nS52bsQW3En/FXeVY\nRELey+q0uE6kQUf3TSkiOjUwFh/T6ZKKj4w+dUbhx7PLRsXWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSWfx3syoYS2y3AccVc/FC/fTdIcwCgYIKoZIzj0EAwIDSAAwRQIh\nAItYFL7yY8VQzI0uiScGh7lZ+z2tMYkunye7U1YpRO6sAiB7VVExidzOufOwt5YM\njyAyldZr9LgB8k0hNJsBuMXosw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUB1d2cBRuAv4WEm9i/+Hx3XN1dxswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNQNDpHEnQ3TkhxivYD1vhGSIfRv66E/3j048UeNvYtS\nLY7XlxND0TqngaExKSJhZhCWHyfKLZjwRQ6UMh8gKn6jZjBkMB0GA1UdDgQWBBT0\nnNPM8nNmlWI1nC7k9NMH4Bhz8TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiAIPp5mVOSVkBLf8jJasqLJrLAyG4kG3R5cn6HkmnRTdgIhAMUz\n5Vd8tOQ6CGvQY0dbsfcoN7Ip+En2ysrVe0Xi8TrR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA++c1qUdj0i94OzNzLmP3uOZFoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuNrjqTcN2qFlG0ARqEfsnHf1h1t1NkoNahwK4prOyV\nOeA+dHqWy7OOX3eGGC/uyjyS4C2EEhqxbv7xYjGaM3OjWzBZMB0GA1UdDgQWBBRM\nK6QDXeqaTrGtFlXfGJSd0BhhCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAIqJQNJBpRPRzL/KBIyeImdXd+3mmgfoqESViLcX+SjCAiA3XUak9slm/drVAxrQ\nmjUej8x34/QPve5ZrsdMgL8bMQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUer4H9ngqLgJKevpj8AfShxrkqRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8HmEAZvteG4rNCq6TNKB6HlQwBqQknlGKtYOO\n0UvgzRmOE7Uf3BulEK9PTJQxzPRHp2zvqMpm/gQSI6/H1e8Ho1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU1TwFcp8kGBUD3s/10ykZ9JT0JZwwCgYIKoZIzj0EAwIDRwAw\nRAIgHQei1EvDZQsAUKCXNTbh1B5rW4MMbJH+FAYW05W1xJMCIC8z4ADJu/evP5rZ\n3n3l1b4S7jn0tyhnPdV/ruM6WWUh\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUe0rjb/pdypmALQ0fbL1HI8f8ErswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASz/3/+gPrC0XOejiC01qxWGb12+DVGHzWo0RCw\nqYdY+TXf0Zcwqx8tHCnkMuc1Az09O8yijeaJgEdClNIi8oDco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUGkl50B2yQN+rvHzajomY07Z0kmswCgYIKoZIzj0EAwIDRwAw\nRAIgaHkHMs+XANerRX2YNmfckNQtLE+24dLE7J6DLaHoRAwCIEhypogFHOMBpvvx\nAiNrGpBLWQGXA7/kD2qRJZX14hPs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUdQIZ+sgUphIAxodC4zRgHtvSxpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMta+8xwzUbqdWesdedWHNq121/RQkipKe9jInp1Hpkd\nBjjO+aQdfAMBAS19b/fmde3H+MXnQL290nMfORsVfZ6jgYgwgYUwHQYDVR0OBBYE\nFFSu3Tlw9jJz6b+Lkt9RXb5o+djWMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUqseQ\n/ikPLEL8miiS95BBMtaFtdkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDk\n934P6iKzKQ+BLum/r2afuY/IBT0dXl0jwiquSWrAEgIgT1cait+mFuQW+hpC7DZY\nXBflKdNz/ibtECFT0SlE/Bc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUCvSVAIZOClK7sy6CacJXDAZiEHMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNtyDn4Cdm6ZDKNDDIwIqHBa1aTHnoB9KulD2XYir03B\nHkSuZiZs98r8yVAP1WXjojhTEImG4Ec1+5ieQ/irN/mjfDB6MB0GA1UdDgQWBBR7\noRjdd2eCVDGiJoBele1DQR7PSDAfBgNVHSMEGDAWgBTUsQGGhBKYf5GCrBkssANr\nnWz3EjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANBo85JHfgcXz6eZ0b+f\nXqk9hYWCbcfq1lI52BCUzBJOAiEA766xbCOourCk2blEQ9uXpYVRqOk5SmyGYGBk\nswVO8hA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUFJDxyGYVTUMd60WgZ9KwplDaZeowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlcmQY9DSa06i3AycndzNFktQu5FwRT2Vmmcly\nCz09o2HUgcOdCY9FZyh5FdSPww0UziefQ7mNUWHwhEUWTQ35ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBhCr+5nuOniwMTwu/aXkRcoc4X0M0+VKUkcnm8yRC/\nBQIhAI54MXnqd4hWD/JEafsmSCKorGl897a6Fr4ljMyWk4az\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUD1ijKmaq8+72Smmcvq625TUaiEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASaWqvuV1tFkqdlkLNfQO+qOShFdclxU8ZLnnrG\n/tfPd9Rwks1AJkNC8/ZtaFqn5DszJNDBp7R/A3A7BVvUL+4QozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBogeS2wr2OA7vZybfDxkMy5zCSc03AylnourWjiaVp\n4AIgaXj+5ghMuC2NAgMkgAxjUMHmG7I6O+Dfqg0SspCGZBc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUabAJBnZ3Lpm5MQBKVvyYXBQQ6BkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJT5zgfaMObDg1xlN63cGMqKokJJrYmfyelbFDHG7vcd\nwChn+XhfIJHZQ0YRmJ3lcGGNEFzCwq8rxCePJTZEPamjgYgwgYUwHQYDVR0OBBYE\nFM11+jWvF1YQtqfQ5Q4sfChKUoimMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsWcB\n2L7B9frEvICBngvd1WBTsEwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDi\nuHdF+o/We3BTq+wNJE674XMsxQ7iOIGsoNCZm75AHgIgUdh9zw3tzW9AX7g4NT1p\nLCTL3q7+JVTFBvTJnx4QMB4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUcHx32rRMQjDTh8L05ssbnyyKNdowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEWHgwiFEuMqBaDgLbaiQicuCaXSttsv4mwcdrh14lqH\n+XYs4VJpITkzkK2YFCSZTA3VEnFR/OCnFXEXOpLCiAqjfDB6MB0GA1UdDgQWBBRA\na3DLYH7med18xFrVoHCY1RxC5zAfBgNVHSMEGDAWgBRMS4AL3V9M8KKSX5ijCiau\nY8twLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEmF60So5y5Q9EGdE6vAR\nVwAgWA3wfrtVfYylUkeQs5wCIQDEMw2W6GPgqVACQlVwskmjQgfCsbQYVlcJlVb3\ncfDKfQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmrel07yVJt3s2RzVLEc40m1LqAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASE7M3XxobhAoX3C9KqdolvM6WMsMN2H5cBzTOL\n0bRBX+R9Z47gRXxRApOv7cBHvr4G/sjge7bmW46ocWJMc+w/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgst7mKXe1DGvNsiFLXge9qRxF4MwCgYIKoZIzj0EAwIDSAAwRQIh\nAPpacWn7s8Bp+gIRcvJ3aeBcD6kz+qpng868AF8mfWOqAiBi+iTViAiOHdqOEFhv\n1ZXScdC/5deY1EO2CPCglGQIQw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUHaOltz3geHo8D6HUIqC+ug2c6vcwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2dkUbv9QlLBvX+OenRO8vNRjoZe7mULf\n+yQ3EX3z3W+hqiNzGIiK6o/OdlJHdrWTZQjJuMEfhgfmvgwWoTFwyqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDwgC3ep1ECf/1qXvjukwMyqxjBiMAoGCCqGSM49BAMCA0cA\nMEQCIHg1f0qLFx08zoBoZVewaOjU1qGk8kcZs4tWfMXGspgEAiAqOKWlKBG2PL14\ny+eM8mD8sL5AdZKMBuVeKTrWTqyxfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfUEP8tDAz1AN7AMFoYcGHWajKgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASb5zai8Q4Ps+4JeloKWRx5ov5eCM+v/NDew4g5\nyACF/snfY0SUlkwk/Qc8YwiM8iCRxNyK8gwIit8GYQI6lN/0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUblr/7hQS52nFErwHsqQlL/DPJ6owCgYIKoZIzj0EAwIDRwAwRAIg\nQK80BAFcH3KmrZQJBnZKysTyQSl67G/CmkKgqPUq3DkCIAp7d5FwHMVpX12GVlCh\nHRyfWmn9YDOd/xOkj2PII8gM\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUNyNIMm8JB6PyxWxcOrDPfwnNxKowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi7dDBml1o10fehGOEVOftvy6ppGmbEtz\nJZrKfhdmZels/a7zsbr9YPjWqH9+tn2k1X64SHReBne9kuvquwCFRqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFoyg5OCEl9WuwnibAL2u+/XS98WMAoGCCqGSM49BAMCA0gA\nMEUCIB1ZXY6VoQFGWO+sKSmnZ3MSd15dQ5VQrnepMHlGqrqaAiEAtELwchdjgIA6\nT1E4y/zBR4VvBzcRMY+aR7G2Wdb8ffQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUSP2PRZWLlZyNTeblY9oiEOX29rIwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASE7M3XxobhAoX3C9KqdolvM6WMsMN2H5cBzTOL\n0bRBX+R9Z47gRXxRApOv7cBHvr4G/sjge7bmW46ocWJMc+w/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ8IAt3qdRAn/9al747pMDMqsYwYjAdBgNVHQ4EFgQUgst7\nmKXe1DGvNsiFLXge9qRxF4MwCgYIKoZIzj0EAwIDSQAwRgIhAM461N4dRwP8vPNC\nFwn+dbiFYywTd1twMNv0AafcrKBwAiEA3EFPn1GkMd5VPbHb8ibb7ZnMLDqXF2G7\nGu2e80+Asuw=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPAdxZBuFXf3Mi5ftlRhKduZN8XEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASb5zai8Q4Ps+4JeloKWRx5ov5eCM+v/NDew4g5\nyACF/snfY0SUlkwk/Qc8YwiM8iCRxNyK8gwIit8GYQI6lN/0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRaMoOTghJfVrsJ4mwC9rvv10vfFjAdBgNVHQ4EFgQUblr/\n7hQS52nFErwHsqQlL/DPJ6owCgYIKoZIzj0EAwIDSAAwRQIhALEMuMLo+7qjN3dO\n+u9KmtEM/B5wk/C2gNAE2qmnrJYcAiAhpA46MkA+MbG21HtW/bdxOCrXiIldQNut\nwuBCEX23xQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIURtuIsxXk6YEqln9Oj7/sNC3EnW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOVeZfj4L4g7lfN7Mfv7yZP4Y5bHkj/oNOGOkMAcSq4X\npkObIgn5a+c215KNPCphThoN7kukE1cQTDNowjQiWwKjgYgwgYUwHQYDVR0OBBYE\nFPe76BTwAJrBgGisiXywmQYswRDUMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUgst7\nmKXe1DGvNsiFLXge9qRxF4MwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCi\n/Ey3MEgVrow3qc2c5R79gc7kWx0xrfrpxT1DsiWw5gIhAK3DmX8zmi5DP/O1g31O\nWJjBU9+j481Hudwgkyom6Wtm\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUB5lhYe3ayw8MAtud7VAPOHURrDAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABASpzK1n5eHzLsAp1y3R0XvNI11qUFDx7jx14OrRIZmt\nACwowrGdHiYgJjfSfDs4/eERVrHi2BpYw0FYwddUZBmjfDB6MB0GA1UdDgQWBBQf\nQBPdVq0d4V2um09wQaXD82m7pjAfBgNVHSMEGDAWgBRuWv/uFBLnacUSvAeypCUv\n8M8nqjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLgv7Ta8vx1YxNXXOA6ZQ\nQAyps8hVmqX8Ib+TMf2TUKcCICZULf9Lc9JvWCGcVqaBYOaux3QwLfGRaYD/zurN\nYQe8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOoOGSi76eT3aCAy5l+42BXiZ1iYwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIEpL2xnT1yD\n+2dVljY+Zrk4zzhJhlf1EcvhGJfG+01HSofPCXFs09POadCWSKSZXayXODWQiULh\nPvNT36Rp7MejVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTodsEdKrgwc6G6ihdnuWIGEl0v\ncTAKBggqhkjOPQQDAgNIADBFAiAMR6aX6O2xCFdlXh7YE9asLvfRTiOO9KzfxAVh\nS+kJzQIhAOduMfNhgCaHwe0xVwM/01rV2F+7mabPE6Xk/Qk0I2Yc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDgzmA9++dIQefHZNjkU02jUKoAkwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFp1/bIccMjT\nV/9aPKRqmmVawkVpCwPCgcUGybOMNbWH8jJAvQiqTmEY1r512Mulx9ctj0QGzwrN\nUFFhoLR5sn6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT79h8AfYBkThFDJsYMoXcfqbZ1\nvjAKBggqhkjOPQQDAgNIADBFAiEApewNP9op3b4tAiR2gIe8OfYB0+5OTIDopmdO\nORnY0nICIC1fTixrtfZQEI6GqxdJpjaHiRkRdEU1pAVlZh0h47B5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcYBCTC60faWOnFnfVGIyvhM1/zAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+fcPADKmzGke0/opEbiofTdLCZ8xIwWUgFVWY\nAXSLjq3rMI8dmFMEwiGlov6m6s4wNQPg8MQc3fgGDv8Z3oIvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy8RBi3IZ26hJuDWILrA9r3wgu6gwCgYIKoZIzj0EAwIDSAAwRQIg\ncTNUxs0xPoPVXzZa0j1LDbYeuE6BDdz00uKGmhvl4nECIQCcx/i3QhQXuPJYQUCv\nyEBGvUiPCIb4VWvphZFLvkAJvA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZyF6LQShxjAzD2r1G06mBoc5bo4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2NDc5NzYyMjc4MjI5MTg4MTc4MjY2\nODkyODkxOTU4NDk2OTgzMjU4NDc5OTgyNTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAs423sj6KMhx17B1I5DUfjuzDmD6Eu7aFwJ8gOwqZTtMPO0BvyaNki7UjXMB0ae\nvFiaiqfOa9k3PEEzaSVQ/u+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMvEQYty\nGduoSbg1iC6wPa98ILuoMB0GA1UdDgQWBBR5ZiJahmA04t/K+6/7/zs+IUKFBjAK\nBggqhkjOPQQDAgNIADBFAiEAzYSQ9Q+78KhsP+Pw2dH3MJDyvwrXSvJRXpAPvNJF\n4OkCIH/u+fRc1b5uZ5TKwjOfr+FhhE5hoKfBn0K2ynIkhMfK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEk5/aCEyufeeIhRzvpCaTK1EHpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT84bnvb2Xbu0oO0Vu7lVLTwsKG0y92Zswbvz9q\nDsFLJy6N7vf2JKjBsSuT19pcmaAJKngPgsA5KHhD/zlfDBsTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO9Orkw3Z5PcabBxA7whipWypHTgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMQHr2RpHSmUQ62NNHQ8srw+dRlnNKFqiVATK/cntzTFAiBb6D6kEPqtS38oYW8P\nAETca/P4+SVNzjjUuqe/vDYlgg==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUTpQkmNFmkJ4WYBQPKNp7IykZDAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxMDQ1MTIzOTA2OTQxMjE5MDM5Mzgw\nNjIzMTA2MzM0NzQ0NzkyNTk0OTA5ODM1NzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBG2KHjb5gP5DZ+w85ycq6FEGnnOLrJnpgXYEhFoZ2BjQabidlPZpgeWn6JPodZgU\n63FRrY66Y6wSZbHr9MB45KWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDvTq5MN\n2eT3GmwcQO8IYqVsqR04MB0GA1UdDgQWBBQ+WhiyOo7KNwR7C1UHCkaE5U5BgDAK\nBggqhkjOPQQDAgNIADBFAiB1BgE58bC+35MUchNEE9tSPbYOOaa0DYQ3szjE6Wex\njQIhALoE6JtVl/TNo9hNeqq2cjS9MX627VhTtwtQ9uWCJzqM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICCjCCAbCgAwIBAgIUcM4+7ccqvG8KTeQK8Vfran3K1NMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQ3OTc2MjI3ODIyOTE4ODE3ODI2Njg5Mjg5MTk1ODQ5Njk4\nMzI1ODQ3OTk4MjU2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYX75\nDy8Q5SYX5mZIAp/HWkrkHn133EFM1FvRjWyPCxbMZQEnU6yHfj7oOp3ztCewWIfj\nPlYK8u/Wd3qGP10QUaOBiDCBhTAdBgNVHQ4EFgQUQivOnfaTvgV+1lWv4v1em7uO\nWbkwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBR5ZiJahmA04t/K+6/7/zs+IUKFBjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO+OAlBMlFrcEaVIEVVD1pEeG42n\nlroXpW/r9YWGzThKAiAt5bB3BFGqk1v2axyMcG0+cUVdAk3+ePtbqVaK0QV/YA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUbduLy5q5vo2B56fhSm5WdRGNU4UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA0NTEyMzkwNjk0MTIxOTAzOTM4MDYyMzEwNjMzNDc0NDc5\nMjU5NDkwOTgzNTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDgw4\nTHlCbryJoFxaoSfdNixtbLbdPho2o38IJXMK68fKzDc2aRyszdvb8QEzQEJMWR2H\nJVRnluuGbevVF3j4eaN8MHowHQYDVR0OBBYEFIRA6kK6Op5KwWH/5HpSNtiQLst7\nMB8GA1UdIwQYMBaAFD5aGLI6jso3BHsLVQcKRoTlTkGAMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAjPiSy6vXpKkIEj1bz7FTy7LdbH5LhbByK1cSNJi/3mAIg\nQembeTqNaE+4IkLU1c9itmDeIZVV/vciVATR1YFsM5Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYl254eY3Xi6Aaxdubq+8UhMK4RQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqEiGEGpAEZprEnHpaqJIDjPj5bvU0BYb9xxGr\nLjRfD7qPtth4xShkKo4mkInc393Zd+8oZ/Y9oYq8utv4FnEPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqBD9ifyCTb6bTXDROWJEV0Z+4r0wCgYIKoZIzj0EAwIDSAAwRQIg\nW3Wn5ECDDL63mxkITTHrkkZyq+FOY/V6BU9trQJr5G4CIQDS56rHe11yIrxBN7XM\nPlVS5v6HLp56wd8e+BZVB8hwgg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ3hNi+t6Td4xpaPtEyYS3GEu7IYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASERE20GOcZ4q0tSzhfqcXskDCbQTy7hdO9T5qJ\n0lBpvKz4ZyAYAEqB1DeHsQoBwuChVtp5qpQwOfqPZcwR7Ntbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1c+iHA9qXdi6epWCAeMEn13PfQwCgYIKoZIzj0EAwIDSAAwRQIg\nFXdE+GEK5KEycxfUWkncDJD2yVfDnUbSZLn8WET9VPECIQCeRX+u8lo37+yguenO\npESH/QED1IauEVP+DuAEhR4O9Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUeTIhRmehXNqf1gbv31IV1ka/HFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA1NjE1NzEyNTc0ODY2Mzk0Nzk3NzIy\nODY2NTg2NzYyNTQ5MDIwMzM4MDkzMzQ1NDgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFtZwZrlEXDmKhRAQBrDLCWby9gtLrEuCNmDfSXyWgifK1DV8U4KQDJuKZ8x\nVY7px9jSGODuRgtqFX26NQpU7cyjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKgQ/Yn8gk2+\nm01w0TliRFdGfuK9MB0GA1UdDgQWBBRyVmMvFnMzF5g0qm8+wkZrUgXKeDAKBggq\nhkjOPQQDAgNIADBFAiEAxgDLRi7swcMquDvYKsjD51OzA1Namb+ZtE7kYAZ5nUYC\nIHz2/Sy/GgArY/VGStVuytcEejkjnFoRJRcQprVQEUqI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOmXRbEN2cbCA1HT4hsezsZ1aYfIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAzODUxODUyMjYzMjcyOTAyODkwMjU3\nOTYxODgyNjMzNzI3ODM4NjE0NTM3NDUyODYxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABLZpVr7QdA2GT/GeYMaJw2MxhxaMs2RYB5lCRsEc/Dcx/LFZ0QklvgK0C6MZ\n9J/6mw4XxowwbliB4E88DfO5VdSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFNXPohwPal3\nYunqVggHjBJ9dz30MB0GA1UdDgQWBBTDoBvCKMhsWL/o2dTK1Mh8GdAQnTAKBggq\nhkjOPQQDAgNIADBFAiEAspY8DNQ7xfqK5f45vi6v/feKTrlaZXOy0NrvcZ3GqFkC\nIFrb6u6E0Bos3RWweUFnxc7dFpVl6XJdnAFvapWDb5Y2\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUZPIO+CZqY3qjylCVK1hD5zrBovgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTYxNTcxMjU3NDg2NjM5NDc5NzcyMjg2NjU4Njc2MjU0OTAy\nMDMzODA5MzM0NTQ4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nQgPmo8ImUzkUYqWof6iTQzKXrklGdiqMoInQfKtKbFjzLtCYTPM/Ua++W8/XRl1I\nRsRNhKms3L3kqE65ytjQtaOBiDCBhTAdBgNVHQ4EFgQU7U1+tXYSB3/bt78c3dZJ\nUfWr29IwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRyVmMvFnMzF5g0qm8+wkZrUgXK\neDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJUQQcgirEYIewq/Iq6lV+q8\nsaDEAhF8tMdXobVJUxEKAiBj+bXFXOrJudesBt3EBGBgZFNEvr/n/ePKoNamLoUZ\nHg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb7bdENBLDnP+ezzTPBJPYAcWBecwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzg1MTg1MjI2MzI3MjkwMjg5MDI1Nzk2MTg4MjYzMzcyNzgz\nODYxNDUzNzQ1Mjg2MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n7Xml2j0nzXGuIWbtOfxPyLEyB+7qOa+i5muNghmsMYr65oRGyIlHc+Po+Rofi6te\nrhkwyerhFrrFJhGbLyaZfqN8MHowHQYDVR0OBBYEFEKx6IkyvKj490xgiOqAnRI3\nlxreMB8GA1UdIwQYMBaAFMOgG8IoyGxYv+jZ1MrUyHwZ0BCdMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAsNWJ7o3uYQMGa44mXb7HmWJgA/JeSj4aFb0orI81\nUB4CIDTaGKcvbCot7H5wv4sUlB0mFEJORbCl5iEOpiD3gTBP\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOwzSSCK+33FqGynQsdqNewtkhDcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSGJLElraGvHaPBh9BhWfwCKEoKPzwpD8huuBC\nRSRi/cRif+3ZC6ium23fD8tIroH6Dj2F7508aAf8hnrQQVKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCUDnf7GOYg7x9wsjqoFDsG+Ov58wCgYIKoZIzj0EAwIDSAAwRQIg\ncG+1+OsbnImvnGbBdEm2YVRCiNUJeycBEc1JcRxX0ZcCIQD/Ds8BZQ5yY8jZNvKA\nx1lKECeUpZPc54cjaKVCcQfZcw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfG/eIYOqhsMyn3COUpzkzDrKg7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATku0T245jg7CvGnAR9uNEv9TJufh66BYh8IpWc\n7qqS0pvRfpvkMitfLSEP3RmjGIxJ41I1Kcycx8R4EJTpHCNSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUm5vdFu944BRxKL7bQKa3e5EhHrMwCgYIKoZIzj0EAwIDSQAwRgIh\nAKJ10lElycOOtaMGY6ha0xPnGOjHkMqJchivjKzTR3JOAiEAxEHocVYoIbPQB4hQ\nAK37l+AudO2K7deMFRWMU2aGD2g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICDTCCAbOgAwIBAgIUddSq9QzV0B9nEoS7molATMsmvCgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzM3MTE2MzgyNTQ3NTQ5ODA3NTg5NTkwMDYyNjU4NzAxMjcw\nNjM5MTc3OTI1Njg3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nx5omdYlceH/QkAVZ1WKpemC8YQ+Lxm+/04a+WYiPVn3xwA/6G0if+DwhdtLdcgFY\nOmBY3GXelZwio76t6H2zz6OBiDCBhTAdBgNVHQ4EFgQUOxDotW1Mz0ijFyQ7QEnb\n8ryk15kwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRTw14pmHck3fgPXSczzzz3l0wp\nAzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPr/6YpbLztqv7TEc23cZ1D1F\nyCFeKm1akV9mViWqd+gCIQDk9jYkG/jZdUVHL3GpasSKQ/DZ7CelVkr6Z2VQ0ktl\n8w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUbKnXuRghsnAkKZV97TvQTCZTQzkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNzEwNDA5NTg4NjMxMDAyMjUwNTYxMTY1NjMxMjUxNzE5MzE1\nOTMzMTExMTU3NjgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nug8sF/UIc+JQQBK6hPkPvaojPkzvra+ISh4XaAuk0n9hOFEo1HQ4ovhrvG+SKVq1\neHXuH80MlcOdOOABDCu8xaN8MHowHQYDVR0OBBYEFIdV0hi5xhCwcQ8WgMAc2Odt\n5aMqMB8GA1UdIwQYMBaAFNJqvKbS4e4W1+4yYmEkdyNES4laMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAjJntQx3zx0NwiHb7M9OUN/3dFlZ8z8LZhX4Fj3WPm\nvwIgeFm0afNkOSkZua/lN8C7o1u2XKaoAennRHrCm2xqg5s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUYQtTRQFLqIWH/4/MoRYlDBiZs6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKlpFIx6dI1YLVOq1HTbx149lfg9wHaMJdUp9k\ncgE/dYSu0MSc9PY6QGqTGiI/ve6W0/N1iWRb04kSE00J+3Vao0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFIWgFTnVH+ck\nE3mNjPj4FWXG5y83MAoGCCqGSM49BAMCA0cAMEQCIDQgLmCSUCkXPNzcggtxwA2T\nFqc+H/FLA5cpBSPxZSmRAiBjBhAqP96NR0AO78t1nIUezh91RdjekZUqIwgsl70k\n8w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUMr6n/6YuISebeUA4zBlvat2DA44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCdwTbyOuogc0IdURaPxSHODYb08bVoT9TK52z\nZlsTyrcZJY0gVDkWNyin+O0WUv240mHOAUMswFUZ0b2j72HGo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCNLhvKfOrQp\nuSfaYcKUDGpPp7OcMAoGCCqGSM49BAMCA0gAMEUCIQDrn1rzPAUUQzETmBg1YUVJ\nuI6Fzyg4pJ1/JVlNqmTVMQIgNnEioYiv6MkWelh1QUkbZRZSpxxePR8M+qryr3P1\nC1U=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUDvYPfcOAFNEnllRFxBLpjj4NTPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEK3vOCNHLsynIta3drNmdQzW6BAvxkM8Pd1CJb/6+XE\n1orjYjW9Cl76LwxC2UxKZuZD85g82buOmqdkWKtNeCKjgYgwgYUwHQYDVR0OBBYE\nFFrXZ8oTq/6D+z8WBhufhZCm97v3MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUhaAV\nOdUf5yQTeY2M+PgVZcbnLzcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG6B\niQb8xdT5c9JWWX/2zekBt95i/ufQFkqrzGim/B90AiAXyxprBcdO75GbA/fUhg1M\nsGp7khSyxqSiuPwwvRvrlA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUaAmthUXt+SupY3FGxmuPJlQZhyowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIM2qEsMFP/Qc3NGniy+5nZ0rTKGxq1zQCkcrLk+Eeg0\nUmkFLZAv5Cjy8Etsz7Zt8VWIvjueXx4nCmkkBoZDEaGjfDB6MB0GA1UdDgQWBBTW\n2+r+0zivQ7RSeS4i0ySgF6vZEjAfBgNVHSMEGDAWgBQjS4bynzq0Kbkn2mHClAxq\nT6eznDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSQMYl7C22Jno1jD2jW8e\nMbj8dn7vm2S7l4E/dQCGcjgCIAxPdkVF8YuybqgWVgcFeL28SsXz59MnAO1hCijQ\n0VL8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIULxeCLsOaFUHeVkNLht/mfXpsXsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQF6Bw9gkRYlespPDB5FLm8gHAZQCmtw54twMf\na9IxYpITusEQD951dSBuHV1aBFypHDfzxMTlA29tO9FQFD3mo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUGfWDCXmI50rmKaaLq3X/H/V03zowCgYIKoZIzj0EAwIDSAAwRQIgKan+\nj0SbwgJbjAwWAfcZQTuRQfOHCW+LpKfXY+BgwOECIQCOhu2iD8J2MMxytPsZk1nK\nDaXfgf8Uk1Xn0GndGQzLpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUBzIfZ/dbOU253oUY9daIz/3wp/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZtNV2u2CQdglPvMEqkdBeYCt1nGYGWkuj84i\nqloBuskK+Roa3p8EWmGTWWApUGKDO62hOMpSxfvy+myADyTlo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUvpo+eW3ZTQ2kCW5IALTzrLaYwJwwCgYIKoZIzj0EAwIDSQAwRgIhAJFI\nI1gBmSbeZxbdFRp8KTV9GPeBJewqdO4c9mFVfL3FAiEAiDDGyVbUyBCs8jIpLPO9\n3Js3S7uJIoviqa9oxbde7s8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUMSd5HIQiEyh0g6LmTTZfXffT6f8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFnkGRCgTHztFkcadu3iVeko50Do+FSBGd+Vlt3Asg+H\nP/BZKm/bwoXsFUg8hZjmy6rdT9BvXlS585Z5coM/1YijgYgwgYUwHQYDVR0OBBYE\nFPgNx2Wpt8HMCYSuBPxNg8cvdIcsMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUGfWD\nCXmI50rmKaaLq3X/H/V03zowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIG9O\ntQid+Pi9va1eoM4fIpQJv/LkZ1Mm4rrRsXMkBOjUAiEAtM9pB/R76swIKqKW0gBz\nhyTz6lUoKYPpaL4P5xSD6Hg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUeAFlhC4imz8Nq5sP3d/TgD9AyzQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIfMqByegsGZJItxyyZ3F0U5HW5Awnr9zPQezDC3afnZ\nQhQflXbLs0S3eGjwRyMUg+JqQUtJ8MEZO8uHHiDvwYqjfDB6MB0GA1UdDgQWBBTW\n7Ftun9Gzmu1Gir3vqNjSsrjh3zAfBgNVHSMEGDAWgBS+mj55bdlNDaQJbkgAtPOs\ntpjAnDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbwj7kg+dGCGJ2E98dlOF\ntxmQmP8ZwmWigScxpGCVYg4CIQDEke1g63miuiBVtbOjNYzYNXk1kKlJZ6cOyb7e\nFrEgtA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUUpihnzC2iHINGby3s1nMIAozNzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkE0BP8zbmC1e3m7Ylw2FWqTlSxS7l0mGgNost\nA5dJ+Dh9mo/gzWF+Gghwkf35T0xTQeoEM+DmCX1bRIAuLKO6o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQbZ+Gj1FxKlz/Q323sYLOmxUORpDAKBggqhkjOPQQDAgNJADBGAiEA\njRgaZ4xHes/keb5CYqJichORLEW0XycbwNs9jIV1VBwCIQD/x8kHjWiX2YtTVCNl\nbTTeCvWfzd1a+8q908qcJaFC3g==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUSGJJREpPQHno5Woo/zO7DEJ3zQAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1hp3GOVbkf+hJ2tZFJ+Bj7EgIYuPKI48enXc5\nI3zWMQKVqyTgar4w7FucUhbvKn/3ThAfuLeNfsHeVcGgCPW+o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQgXrqmC02JKoBZ/QXaVpganussEzAKBggqhkjOPQQDAgNHADBEAiB2\nO/ROP2sYFCWP/6mGPZWMCDH/3Ra66Or/4atvwv+NYQIgUDaSE9NbY2QT8f14xbZ0\naVrx4kNHIcDzmm5qSAjz/FI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUDEKAcQ09GJVwANoPEskJbLmNmggwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN5CEknip9q2jmrtCwtWmyIIuU7/Mthju+we71nBMkED\nHnyrViNUx4Mj8hzygOLBGFHkzQ+PixF+dp5OXUdmTiOjgYgwgYUwHQYDVR0OBBYE\nFDXjQDNoHc1n8VL6pEUIz5aepFF/MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUG2fh\no9RcSpc/0N9t7GCzpsVDkaQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICrW\nej2Q6iMapT6RQlxrJvzszWioWioRJyDU0oGyBXj7AiBjMeeXb1JIpK0+R0bOfv2+\nkDsHp+R6JIk458iCujyDMA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUcSnQWmLA1zm9C9B7nN4zXznrJJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGK7q1oHfTIR20sQTWMkQlnB/lrBKpilbWk9kgbg31YJ\nTuFUpgOsDNVQrV8tnqVKmJS2iK9y320LCHyTRAjCe3qjfDB6MB0GA1UdDgQWBBSi\n98aF2NzscHBxC5JDiRXcaiKuwTAfBgNVHSMEGDAWgBQgXrqmC02JKoBZ/QXaVpga\nnussEzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY0GzMIONWVOMiVRehGcK\nDxwFVcAEkunWG2XSTHMewzMCIBOFy8n7ckh/lsznLn0u4cirFhtnQUCflcvtIzh6\nM4hU\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfgzZzCspU4rWzzSbZl3cV2MHbS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgJPFtFfdloVlUJD0NDuYRYNVF8qLhzrnDXJyz\n699nrlfME61cGoAGp06p1NIITFAgftfZeXMwpky5oXwOqPk7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqN1izuT+ReJJAGA/oHZp7HU6kgowCgYIKoZIzj0EAwIDSAAwRQIg\nPr3zxRk7KQrGRn/nO93gB4iTmfmmVziG66Iz88uvZJQCIQC/jZKhsdpOWwPW+egO\nYJggJmZyaIBkNxXHsjSLsSDUbA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdFERwvW2n5w020nItdW1tyaBbswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjZc+vB7WGT8LsaOjUcImhoLYOSexIM9v/+6S/\nMDbSLUfs/NAfwwTLxswUOYnekEU2/PPrXWN78E4/Zfp9r0TOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKmyHIs+wO31VEszUo8GDN2ne5xEwCgYIKoZIzj0EAwIDSQAwRgIh\nANIzKaxZMmBBnr1Eq7OfzmlqQFU/YepkTn/vU0NerVQKAiEA+jFnGDffFatiCg85\nlUtw1pbD3BGIjrafFX5kv6kWKSM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICCTCCAbCgAwIBAgIUClKPLR/g4LY/Nbi6V59J+yEvO1AwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzE5NjE5NDE4OTA3MjA3NTczODA1OTU4NTQ5ODM3MjkzMzMx\nODQxMjMyMTA0NzUxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDq6H\nuLydsZD+tw4aw5pq86F1TCaIO+yG4r3HUbPWtlV4ZL7X9sIofhfkzjbM2XzgkGOV\n/it+kmf75+RrIVGGUaOBiDCBhTAdBgNVHQ4EFgQU6s4NXfmJGgDvfPrrZQd5/iua\nixgwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSql6hWigiRQEji8iP/6BGtF/6PrTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYTN63jVZoC2gtFFz0memaFoOVTx+\njiraImx2uy7aSmcCIAdLSurRwet7EIL+NXNWG3thXhGr9vuniQhQrUXi/lz+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUUg7BBbvflwzDB0RsDhsgsVUD/qowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjY0MDUwODM3MDI2ODk1NDgyMTQ2NDAwMzcxNTM2Njg1MTg3\nNzY2Mzc1NTA5NzA4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz2UD\n7zfW/0vk2fRjuOiN0kgECmNG42db+0I/xXw6FctoCfZI6NCZO5+63g1fgIRzbucj\nKmqJarMyjmUmsz1ksqN8MHowHQYDVR0OBBYEFMtj4KLxVuSmOr8SqZJp8Bh/2g9H\nMB8GA1UdIwQYMBaAFCcqNwj0xMvzdv0YeBGUsR7RCeRjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBErLE+RUBGJtjUxPT2GkzR+KscMNixSaTBwS7YTkAxjwIg\nZFIq1+Nn7abO3X5CdtWmpVYJPj4QteWAniYO/p/xzWM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWG53YU0J+XbpeeCJ3SSZEl7cvaMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9ZUTlF/9Isvn/1MDzbeacqAwyPhRBo6SBsnrM\ngBNtkZdHJ5f/JmtfSPh3tLZ2HnabAd4Sp+6GDHip79YIsaL/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUaFpryPUNJCn7MB6IbeqA953at4wCgYIKoZIzj0EAwIDRwAwRAIg\naLMl94MpP6KyVCefkT2ojSmko8WcKp7TASMkw2iiIW4CIA+9OgHnyHcD8fsISP2H\nHsZbhSpwDgRZOcY4PWP9ph5g\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA3M0cJ9rjynblCZCCi8/ph7g/SIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASN9Og5/ToIfMsc7Fs2pDSta8UnjdWvTdJzJpSY\ndfsUmI+eNRaVtOkmgFkcL1UjIW69ptVnw4M5ulZ+8FXgRwQ9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAzOerirMhYu72YOevYBvk6iMx6owCgYIKoZIzj0EAwIDSAAwRQIh\nAOaT8P7imNKKPPDr5QCQT2ghl858SB5xVZf+ODsN4gSbAiAHFKCTMeNUCfIbxQyo\nouI+hMDtggJ1oSWjdLMbRe0Odw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIUVXnxvTwnKr27edK/RN/wGbsvg9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0nDpkichmGPY3Td76hj4aY0DDtEglAmRdCl6bXPSAT\nqbKfOmmdBm4wyDi15LfLe19MANcgO9u/8Wi/pZGQKwejgYswgYgwHQYDVR0OBBYE\nFIl4ZqXBuZGSpRQRIrNjtAf1hHW8MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nUaFpryPUNJCn7MB6IbeqA953at4wCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIFWA8vbf/1efjDq482cQiSUEexvRtSx+C1FEP2B5K0K6AiAqrufakdYmqbAjsn/E\nrbVbO39cLcENCucm8E8VJTaaMg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUcTtumB26SZw7mLG0qCj8Xw2bWMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDIAaeD6ADnrJeaigBt6yh8SNWSDUsldjCIl3jDSoBUv\nhAA9sPDZmdtjHY/X/naQKL6zXHxOHF1TVgV823JKE/ijgYswgYgwHQYDVR0OBBYE\nFKMkeoGXxPfTdwb9ZZriyr/pAli5MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nAzOerirMhYu72YOevYBvk6iMx6owCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQCUEFGv/kmHTbkZ9lRvriYFVWQDOEizTn8y6s+ZAkYj5gIgQz9bTnbk0SICD2Fr\nAi7EHVuuB491c93ieob7xbvUXLI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUK3ed8Bpv7srLh69rEA1GYHgEWPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJsEWe3yfDQzBsj3nPjZVTRmN7FJSakRvOY+xh\nB9XsZJw189t3argwKBh3LkrtRzsnobaHY7llSjL0Sxutt9YZo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSb5xCvvXhIrYl5GqxI23Qr0Cv4kwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEUrVFd2PfzacJp+aKaIGbLc\n4iZFtEuQLjoAfawtv4qvAiBVVgx1NZKlXMF5LeDOw+qejxtLkOcQmBoatkxAAof7\nyg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUf8uXerqLawIuYvyQbw1/iFbqPSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQH++4r+erNcp8l9zZ8vACB3Pv3R7vByfRv/VvT\nDYccPyOQL44Dl1ZHmIrWotviG2wcOdR27hPlU/Kpx/VGCow5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq3PWoG40ciNnDxg14JWNRInWiWowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGbik/wuGjXkwYssTRcOthat\n4KhMBqFl/jHs7Yqr54kzAiBCruYjF5s/PrHaaBmbuyAFqHwOvfTSEp3wLzwwL2TY\n0w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUaWJ0BwlZvtsVUM8Ua1CtIXeFLikwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG2IMxSUOMalwG99fUIfutdl3zCYoEXPn8fQtPLlN0Cd\nCOTGvxKI0L4k7UWZULV9ntP13+YbQYc80ohZPVBtu76jgYwwgYkwHQYDVR0OBBYE\nFLIv2XK6LDvtpDzjdECjraluF6SjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUSb5x\nCvvXhIrYl5GqxI23Qr0Cv4kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiB0HCUTJ2q3MQJhnAA2wWaxGc+oXvRne2KCDn9hiyOt0wIgLTquwQlNgHL01x2s\nL7phmtV5XGkMq/7CEXtX1nXV9Ys=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUK6IPqNEl7W9v+O1tWz3tQCjTxO4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLCNJHNygWvmN9AmdXa5PIbj+FUueJZdVKpmns53bjZn\n7p+D0kcWnzu1UyVRFYapEXBj7GlnmxQwgBeu68+Oq9GjgYAwfjAdBgNVHQ4EFgQU\nKsnsugaBem1mBbJuIaKbyKydu+swHwYDVR0jBBgwFoAUq3PWoG40ciNnDxg14JWN\nRInWiWowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwwYXViLzRUAM\noP4pS6JgMY5BGnzjgDFq0E6nLXYSxUoCIGE87AWqYT6BJ5qnpT0XPiEpnZNafBot\nGIrLqWyI3Sul\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUC5D85tAhek1CW4QYQ/I7ZNQ0wtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEPAPufh6ZmZ6dvLAZi/WNMicDbK/Nff3GOqJq\n9mE+CHhoC9H5KcLuqNYvmEWanfS/oXE3/InEfPQ6h8aYop7No3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPmPTCLDKYpbGTjeIpnlRzFxAiXEwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC0UR8/C5zgPSRDFVZiu8gL\ni2prEDDegyswCAUyUcHReAIhAMhcLPqdKnXu3KiAG30N+eeE44GSADcn7lhYHvNe\ndnlf\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUBJ1DOpQgu5mYBF0gNFMGPD69dHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTn1+I5t/t5YfnlyCCNc2Y0sKbpX8lW+miq5Gm\ntJouHM+xEY1HNZLvz4T+B7HBWnAyZPvccaYKtFcSRVqZBaS5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvNA367+f+GeipM1ArBO18dx37dkwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDiQ4s3ffY76QeEyjqnD5Ps\ntQciDFOqyUy6uy4ql1Ey9AIgRsQ8gsXJPr6invZSb2AC9vlwOdrpQtA5VGdIcwdD\nw1I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUe7TDZwZZ5I6A8xLZQX/B+rvTRfwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ+yy6UWaeu/WRGVXP28HP4e2VtIyLqGdhWkKs69eZI/\nPYLWFzsfYO+y56aoSRbYaroYWCqYrll586pdZNUL0wCjgYgwgYUwHQYDVR0OBBYE\nFHQKMwTewoFvYCZ/VxN+w9XQZoyiMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPmPT\nCLDKYpbGTjeIpnlRzFxAiXEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD/\nlUAvq6N4gkZBP2x4Bb0fwhsJqajyY0bYhUv16MNKxQIhAM64f+C0sdF9jkVl1WRJ\nfOCrrpEthjMKkt/xHWHvmXvi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUJ6NePI0D9rry5+WF/qUNqyft65cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGgBkwbMexkEmR/GFmcRvbLZWBwpJPXmKTWsrJNKZlTJ\na7+4HMa9m1imwkBLfKiQk1LNGt+tsBMEmOf3RQGe6FijfDB6MB0GA1UdDgQWBBSH\ngb84w895uS2AlwKy0mflXTGuuDAfBgNVHSMEGDAWgBS80Dfrv5/4Z6KkzUCsE7Xx\n3Hft2TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAISSCcuPKl+2Es6+3ZQ0\npRUdkz8Y799rmcBIiYvbIoMcAiB+JNVVyGiU4eoZN+xS2SifcGPUtoyHfOixjt6l\ns1DWPw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUcsF+ZLAtPVzijxGGP2Pqj72MqZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATis4Ag/uI5NwFSaEI606TbOewFVJMtdytNj5yI\nDTfoRleLPdAvN1sUmgRE4z+b5nOCnZbyORvZ5d0QAK0uMZXmo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeL3DOHuyegwW2vhtAZsCLIkKmPUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDYFrTZMUrdpLKDGv7p8EdW\nGZp2KnlCwn3g83WzGYcoEwIgenYav9WH0dMb9OU8d9LBGUF5PmOIaFFXevGU6P1I\nYYM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUIhem1FTTWMG+4iBXQs5DFv9YH7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMRhPxoRrUsm3dxB+jSjTvJuCjfhpoHpVkY/U7\nBbgkptYglxr8aC9oYeJjNEQmCTk5hXmXJPfzAdsV1RVh1MQ0o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJBVgN3gtRUOaS09PIY3JKeyOsAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH6JcCroilK8Vb/RwIyc5Yno\ngw3NCHu1OMuVRs0LqsTNAiEA0ynciYvjURREbpjiR3vhxjLncwsyNziUJKOuv51u\nVh0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUGY+9z4ge6FIFh9VqooE7qoVC9fUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCeGAWFFR7oCMnbllZWrV3Q7XRB2uZtZCl5KNAX0581E\n0NSaChHe0kUL4RNGVVikALSu6iYMxwD/5sU4c6gRQ5yjgYgwgYUwHQYDVR0OBBYE\nFIz2g7kYzPgO7Dz5K1RXBSEjTwxkMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUeL3D\nOHuyegwW2vhtAZsCLIkKmPUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCR\nA6qUPdYCSp4pnmWVtFMtDxBXiT0kF67v5bAFeMBEVQIgDFxacMoyfUwb26vAOk7r\nNAgv8SUPxUkmX/l+fMK+I/w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUShNvQTd1k2KF4FbyhtWiivgbIIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGfKHHWfWCv6av9q+uOCW5O4iSrl3aoEu/dwn+2ckIzy\nu/T/+ObzWySCFK/FOl3pVi2q3+G5w5G99dL7SmOR7eSjfDB6MB0GA1UdDgQWBBS+\nOmN6+TX7ez8JS18u9el+cWJULDAfBgNVHSMEGDAWgBTAkFWA3eC1FQ5pLT08hjck\np7I6wDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgb8nTwxNRfweFkuAbiFBB\n7p7IZYLVgKLVQNc+vTJ7HqsCIQDLFj8vZ4VR6pRYMahbQgMoRNEaFgs3cnP58+vq\nQu50xA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUfCfkvIyX7WSLe2RjNbmkHhACdEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw/6Y12wxcbV0fGi3fPswhSSgrmbMi4difovBS\n5+oF4zNzK/lpCj3wjfl1J8Qn4axgjS1Ojp8H2vJcJWypPLLzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIo1S7xib2KqnF0zcJ0t50pJJb8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDQs0XRWHwslHVmFk9szKdS\noIpPpt5qela8d8lBlNWdnwIhAOoVtYhvtcCnalt7um1d5qPGw6JVVOzSF0ZO0c/l\nUXjR\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIULf4y08KbqX3lNU1WfCrYX93KxwcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKShNDTudcibGr9WPZ3fhvkzNwV2aiqKwae759\nLI+P3NemK/4XJxIOyEiK8/1v8hrb3cgTHUfBhjGZHSsg9gh9o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiYA2iuqBC47x3ovl0KjbfVBvnlwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDmqmtg2iK4rS0hRjZ04y46\n+hmvSNa0gM7oU3dRFoI1YAIgJc3AcJrzKpNI6B27wJ0CLHqLxzW8tJnMuHxoBFLc\nrxE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUIBtfWDsZsJs0k8yueZ/6j4MlG9EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPyXdEqXeYSDquj7Lop7bIaQ1fmP+7TST85hIDKHufq+\nQenzhwljLdONrYEg993UZWe/tt2P1fjizLqHMZ+3ZFCjgZAwgY0wHQYDVR0OBBYE\nFOAQTdoCOD/10F57+eA5m9xIfcSNMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUSIo1\nS7xib2KqnF0zcJ0t50pJJb8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMB4GA1UdEQQXMBWCE2Zvby5iYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgMo2wv9bBDGnzwiLrARDCxWES1J7tvaxekcBqJxfsNvwCIQCnJACA4WU9\n1NNgEuGfYcNvLq7aPNCib2G/SknAZkSQDA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUXNtbmAYy8p3CZTebDdeonxX9frkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG/UvBq8jq3XaFQUCTI0cP7PmdCqMrgsT33YEf/EHQyS\nhLSZ2EF/ld50RcCYluJJ9LnmlLh9sqckKIOap0PqQ2KjgYUwgYIwHQYDVR0OBBYE\nFAaE76mCeGUreh+XkAwBX33+aNGYMB8GA1UdIwQYMBaAFImANorqgQuO8d6L5dCo\n231Qb55cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDHq+jN\nX5kx2Rb6awEZNqtQQyT5DFbHbYLzTSPdIgiPAQIhAKyORsBmkOlCbG2uZmdUJrHK\nEZB8PA8ZqAc3cW57m408\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUTu0DpbpBtMrp4lrxfp6/5Z6bn6MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXWnrwfAjs1gIaCiaHGeyXIlMQ8iqLWM9Cw/j8\npkMICt3vzL9o01r8d+QhlWu0WUQHdHkd24hmVFeL86E+wkk+o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQ/Hycj7hlsqQON3wRIC3/sg4kjWTApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAM0n\nQN2+LaFNNKCHJSPSUEVoskU0BnTYAS+wpqBSVXYaAiEA5+b0gVl8901YhrDso5ao\nsy0sGISrFnDJlMHBGEcSpho=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUURFumDfRMDbpQJwSLHJqag46XYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2lMdgEh6BF1AjZUVCxcjoZq6l0mpIwX/CUbgU\nbRV8f+SZOzgyUyltUGl93xLD06r6sjLoIKN9MCW/BGGPMUiCo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRvxsVo4Ihj5SW45I4QSXp6mbYoBjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgNkUw\nubkGtiqFl9yINyuNK+leB1z/9n9HilChybsKJL8CIQCUB1h1GU4VEijKv0xgt0tR\nv8YkDfbRGdOC8ZUdPT9nsw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXygAwIBAgIUQIjv3YsBCfhLXvNm6nWGhuuZNM4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKBxYFcXMRlGlCpHuAZIKEEdLeUp+Cc62i2mC7SAHYW8\nx0/qmPSS8ExV/zK+MciBY+CvCFUwBlw5pTx/AJ5gHbKjgaEwgZ4wHQYDVR0OBBYE\nFIxRjtoNvtCAUUeehAZ7Qm6YAT74MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPx8n\nI+4ZbKkDjd8ESAt/7IOJI1kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMC8GA1UdEQQoMCaCC2V4YW1wbGUuY29tghdub3QtYWxsb3dlZC5leGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAua281q3WP2zjX/+j/pkhN7gJjbaH7ruM\nSbmzo31hYLcCIHG6w9IlDIoEE/FHTc2MOf3fAdavuDW9N75k7H2sy1Is\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUNj3xWq2o2aR0dSp8LWc7lhEiytwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD3wuOypxOtMfPDqM8rtV5IMzvOijkFKJWo0hHV9PzWD\n7TEiMI7nopM1eTuEj3IefPO625p8FkdOk+pC4KoaVOejgZYwgZMwHQYDVR0OBBYE\nFIjyb617snJ71MJP5eB0MthWGCypMB8GA1UdIwQYMBaAFG/GxWjgiGPlJbjkjhBJ\nenqZtigGMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSQAwRgIhAOdiC6o4csJ+Ou4M1B9HhjspRb/y97qjfRxZxhG8Nv2UAiEA\n2tFR6KS15q6FnQ/wrdfJestLcOShDlO2ZcYLb0Cw1YM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUTjzIpQofnu8GaUtIkDtTGTCT6ngwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3yIojoEPXZMV7XF91DcliHzl5ZBcCQTj6SaDg\ne+9Q80JiSGiU8ZwxL8dvqpNegIbJGpKZJ5cMdjhUokZd1C3Do3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZeV5VdDbpg10TFEQshRUU3CfHkAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFqg0j4X4RiFVXikMUB+7Z3RejwS\n2IKIwcGwgJKTkSjGAiEA0Ie+in2FCBRcDNWGQI0Nm4gAIoCLpNWntNz/DlhlJy4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUQjLH9taFDHyurNcC47VAiviwYJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPIDqRy8kD97qZYgPjMk+xJeEP/YGZRq2IToI/\nybNnYLu3FBeXtmCMkAgFwMM0OiOsdQvMRZEdSQ1pKozlk2Tvo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU83A232kuz+9Ag5hW/2tqR6Zqq20wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDiY2rlb8vTACLqJbB/MzJ9RXQ8\n4dd92gkyB7+G1xjUpgIgZMyMuf9p9gq1u/6IptavyAHYK8/voq03IgXngU463sU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUZ95z6G+ni0wRDMgfCYx/siBYKp4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLPinS5pzFmVt+Iis/Xbb60d0hh567Oh/iUSBUI7mUzW\nRIoSe4z636BwRUOggeq/zyPmavw2zdITxYfkJB3GouKjgYAwfjAdBgNVHQ4EFgQU\nzby7IAOavQ/acfN2k5M/mdRXfe8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRl5XlV\n0NumDXRMURCyFFRTcJ8eQDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAADATAKBggqhkjOPQQDAgNHADBEAiADYqqlghzQWZwp\n/9ntx1uh2bTN1v+wOVWIq96Q4DQmEAIgbwHuuIHTPLQ7BCeGce8db3MxOUifRr1l\nIOK/7qOgBeY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUcEoKLku0rTP4mo2WOo1eu9asgaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPShWPRjfQz092eIfJBy6Jb5MK5WWj9lZCHXBPRR+Ejx\n+ZFEzyYOlqUJEeWChpTXwgNZkONLhUI1EQ3ELSt73kyjdTBzMB0GA1UdDgQWBBRW\nq22icebZ1K8JUTLqyNdN+rLXcDAfBgNVHSMEGDAWgBTzcDbfaS7P70CDmFb/a2pH\npmqrbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiB8HuBgDgQAHORjCf1NDycVoFry700V\ntrvSafzRNElgeQIgW+zlqzqqI1eCjzl14fCxAZH1S70AfTbo+DM3sYRt58Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUd8GbdkWP4bVcv2Hjr/In9IPhDKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSQP4Xop8i+5nOVp4DHGTCxYGxr/CSRupQz1T9\ng2ozqtfpXqnmY0N5H2Jn4t4zNKvsnzF1kAxYEdDD8u831BN0o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVGRyJg9/uWun7toeR//10V4o82wwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIBdpbXV0r+/2UiRDkjphIxh7JcZ8\nFJfesRODG/Cmpy2uAiEAiC+gK9xscFJg6eK4hhcZtStjf/cgOdOPlhvIKzf9bO8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUacwF612uE4aMApirPPN15/a+TpowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBl+cgPKT3PJZCr30RrhsoqK3qy53l3yGIkRyk\nR4X+IQq4vGlRY1H5Zh2DNNOWEVCGgcDG2KU8pgevE5evjdTTo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUp1/dRdnzWstS5KPttK2ukBiLNQwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDVOf0taA6dSfm/cqmLh8XuU2wO\nfe2AGmiZBh89LkqhnwIgc3xZ50oTXSobwoQdFMDxf9FN9S+rjQld297+sPLCi+4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUdF7vPZY7lPWALHkJWWdTQIp8psQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGjTFbNlOUYrcInrGV6/kWLszX9vBJqqJs5BaNu9qKXp\nXnM8HI7og9dhNtTNymyUUDyEhP+dP0xDUlwxfMxEZJ2jgYAwfjAdBgNVHQ4EFgQU\nKXtiCRr4af/YWl0s8gTkyeXQJIUwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRUZHIm\nD3+5a6fu2h5H//XRXijzbDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEA7Ea7uK+CkZ8z\nw3cTy7vLcpFuJkLyVUkCgv2XdK8OnWUCIQCNLRbiXW9FkHhEsvASazg2glmKqeAI\nBPjR3lNTWvdlUA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUFzrNMlbsgxfM2o/foxqRKnG3ld0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBJLBZmKULr3iKTeNSUvUCjE5fHzHnnWv1yX8CCLv6n\nvC1qBWwoutsrWlfZVIOBjH7B++WEbvwwhpoEaFHBoMijdTBzMB0GA1UdDgQWBBQ2\njzEF13/iIWitkxStWW4oB8y5LTAfBgNVHSMEGDAWgBRSnX91F2fNay1Lko+20ra6\nQGIs1DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBB1CFz69/dO3zLS2G751+Rqa9vhxRe\nMbzKb8yHFHs99wIhAOUdOPV0lhYXLqPT6OfNlJeNao8pw143Kwd0hL3HPOZ3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa6q5jfkSh4zVQ8a1vVXa3c0YnrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcOj4PrD7zmR6+i8JCuE6R9wf0vc1bq1qJpbKn\nfZDTshVte/SdTKjG1SyPSZqcdd4EsbAQnsktQim+j6KLyz2Yo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+AXybs1X4KQdBYVP3TY2Osp7tPEwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCJaDuoiwUv2bGPawppfxMCgzxQ\nHIwouANdBGNnBS9B+wIgJ6eWf+Z8WNb7FOGZvzEAdr9V/nIoCbHflw8UtGPX5o0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUOwyxDmKPDfLifX5A+bgb1XzFZjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0+ZzEE6dNfdNUe2URc5IfNGAxXCW9PW1ZAwUf\n0mQfirF+IsqP3yhwM5vjCct218hfLpLtGf9tFRms14SWSQ9oo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUOowqcHvOCjVmdgqMPpZkVioTrowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHX6FuJRH2SQDuHtBgh06lRv0THf\nHswt1XLfxu0pZYytAiEAlaJD4Z8tbVscM1zVdKTF8V58HjhIMqvrhvLCku1t2+Y=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNniq2HQe4jruVCJddRBNdEUjfccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSnsV3/4E48fagoCYBn7bbJlVBJiLN/eMAHnsuV+Z9k\nTy7YBCFNzvd118XTj7ZQR2x5CbHWZ7wwlObsLvk8sWijgYAwfjAdBgNVHQ4EFgQU\nNTcD6SPWj0rrk0lwmEoB+RYhAmQwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBT4BfJu\nzVfgpB0FhU/dNjY6ynu08TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEAjkp9fmJ6whMp\nTUfRp20WI+ELmwqFf6hvTSs4mQ9rR1ICIHjmuqHnfQlb1BActjopaIM4f+bxg+IP\njbIECzzs/41j\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUFVYyCdip4O5Isl7Qhlgxk7DzjtAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGcG8wQD67Sz2ohu2oXrxvyKIhomF9AtIfzW2ZNAxpAi\nqTKjASdjqIMp7XqgCZLT0Ic54QF7Oh4FUha3Iji5zymjdTBzMB0GA1UdDgQWBBQN\nr3WsZ0DSDtEu3lzqkcgpK/7tATAfBgNVHSMEGDAWgBRQ6jCpwe84KNWZ2Cow+lmR\nWKhOujALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiAtlpE15OWl2h41yGPoM+rqkCb1Pbef\nxgaht1BtxFC2pwIhAKo69yOwEyYzZNpWHbYmf3IGCq73EkZgAEdUgz92XWxf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTmFsA29D6CL83TE2xJphh6t8Za8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzJ3/h1bclqP1JSANAps1HyW0zAoLp3YRkG7+B\npa6Ba+1QZG2CrRaUqLTCTaH5g9mQhFDFDBc5u+GjF/29V0Clo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTZ5wxu2NkZno46HqYANY2PdpUOowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgWcXmENqrAZo93EIj\nOky+1MNlM1Ba45egqBN8aQ0FwcoCIQDLIJQrW1thbY2mkjiNGdn+apOBLJ21GLwC\noLZBDDJ6bA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZk6ZJ5QEOC6oniboc40qIZ0d8VcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVU5Dksot17uhP2KIfRJYb/D50yeQMwIdgGkMd\n9oO/rZcn+dLgH0ttidMfDne3m6nQ8TPCm3v37GSE9w1byICbo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/P/81j0/jN7dmPF5Rb0dMiKd7lswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKgy+J8tvaY6ldPH\nKuTWcLJd72ikbs3iCLW7obmSvJRUAiEA3/h3BbmfN18JkM/Lzv3GI1hnh9gX8si+\nVn3rKYhLhd8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUVPaRspJC82HvjW4ampFrUVyMwDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMNNkuVZQne+oWLMzYmwNZ92TugME+/BySDpSZCxxBYGhC7oq\n4Urz4SmxpEGr2BOxXXlt3CnT3jtB5ivS4YHLmaOBkTCBjjAdBgNVHQ4EFgQUYPKi\n3kpsfkd+6WCZZdOM3Mr8ISIwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRNnnDG7Y2R\nmejjoepgA1jY92lQ6jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAw\nRQIgNFDj3W+d/YMKwZtE0Cz96lY/ntkV4AMnlKqyp6g5L9sCIQCjBXXU7QmCylnI\nkZgbUedPeAPYhzyfyZMv+6vdAuVlow==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAV2gAwIBAgIUdE1qVnM42O67cRBJdZzd9kTI31wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEz5IW9sRrqZeYIazF26qsS3DrRpgpdBs9zU9/H44rYkYy31um\nHsOHanTDK3aqpQvFBaDTOrBRxaVO6bdJ407MDqOBhjCBgzAdBgNVHQ4EFgQUHSYz\njfZwryqp9YdYdSNjRaXpsu4wHwYDVR0jBBgwFoAU/P/81j0/jN7dmPF5Rb0dMiKd\n7lswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIBpisYVlo+lV\nnwJdbBVvJG3GVF8jH/yTDLUBErsc7lU8AiAOow2bfE0MDO8TREQwZ4JEYz8JVuw6\njxGLIOEcPo/qMg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDPlPYIkp4MtnN69tzMUv+2ZxWLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTps0xNto1hLfzN2sIh9ran2DNBe2ags3jkfMD\ngNZK3HqnQa0QGZYp8BTQT0hAR+qoKGnYbyKtI/CtUo+xDlW3o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdgFJJj/fyUAUsxkv+mEACG+pUGwwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgEBPdr1aYLnsa4Mg9\n1ah2uCu29nF+E3Yw+pA0I5hJrF4CIQDvzFZqce5DshmNJs3kcsbADH/SLRr4ZunV\nslyy1AmoDA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcSZeOTHiVtlM5KCV3QBu4EvR2zQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkWljLM3ws+k4ZMo8FjKEESPKTyiZs/fO4YMXr\ngVYroswbOhWbk+VrsNcAW9dcQFiTsJLxQQ0BquziFGmpeERAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAwgv00VvYQrwvCHBIri3evm/O6QwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO8cWDeJLT2qTPBH\nvCcvD26Tj9ITvitsMMf1Hv8obKipAiAlUDAnYuNfyEsXQ4QBiM1H1UdQxm0p0luX\nfUn7NqbiZA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUO7rfLvxb/auY4tI+7x01+LJMO+YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATsoiISjhDhD7SmJ5S+vrVAtlm/LgIESc5JpIaCurY1AqVC1s7lcFu5\nMylljIt78RVmYb5l8kauXrgvfVrUMg/Bo4GNMIGKMB0GA1UdDgQWBBQckY/fiOEY\n2mfcTDsvkH0oEPHAxzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFHYBSSY/38lAFLMZ\nL/phAAhvqVBsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIBYGTlHz\nE6IXHhkHvxWJd6m1282B1g8K1j0P5i1h6Q+VAiEAuSY6VOgdOYt5QSRNN3xJBHfE\nB7/ZWVZaSLt/8VBR7QQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUE6zp7cRifMhN/YfmbKDeAu2y0vwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQ0GmlmBFUoaekpI0Gs+BKvY3hM3cHxYDmf3irLZtlX4tQMCr4xaEjz\nu9rAFWNw6EXXf+WI1uiGQ2Xp63HPPeYwo4GBMH8wHQYDVR0OBBYEFPQfKek7v6Wd\nWo4AQC6NeIrMY1dSMB8GA1UdIwQYMBaAFAMIL9NFb2EK8LwhwSK4t3r5vzukMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCXF5kpS6wmgPDvZyP3q/x7\nrpWRyjN5XhHkNymfxIYhIwIhAKqXNpJWuDQBcScsaTpzd+pyWYPsa8MuiS3F8PEm\ng850\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUbgg/bqursAXajK/DpVeGZj0VwHkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTKFT7Z9XXN37n/NQxim0MBvke3OdBnAxtt4BQ\nzX5ARG/td3IEuoLCwncEUE0QOxCVxCbeS2RIH3XcdDcYDBdjo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkGgbHNz7X3CwGCGJBiI0IDcJIuswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAKQxDiiTxNN+XDe8\nD8pnDjP6cuCwqSvcc8NvapYxCx37AiB5eZbiPmkXa25XVdol1W0LKo4XQfvJhG18\nt8Kw5qVE7w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUDKdd2socAiBSODTmFzhCMajL4vAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShnSAbJPxlWDN+CW3u40GsIonUG/cgXurngUBy\ngXHW8/GQQGi3WVjMI/3f6D5tWVd0Kz3Vgklz1r0CX9LVlg4Do3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfqMj+Ioh8vNjsG2M3gjykHQATkcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAMRby6TUK7WfW0zA\nzKxKsIaQhmlHMDmLetOS+FoM7obTAiEA3ZNzFsfeCE8FUnD+VgGCpjYfuwpzoO5l\nHvHxNLXU4KY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUO43arolBtQYGVwQdsMS6PDOv8CowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARjg6nbi3NzhNeL8oyHSkmcNCYzCv6+MVAaoL8GZbpmEiDp5BTVum7Y\nPMktPz4Y4w7grx9WbAw+R4+5BeK+oucPo4GNMIGKMB0GA1UdDgQWBBQaMq1opxud\nGRBHYqUKaMKFtO+5cTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJBoGxzc+19wsBgh\niQYiNCA3CSLrMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNV\nHREEFDASpBAwDjEMMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCaMZQG\ns2dWPuEK+7VTdX8FED7pR+34D4MfoEIdKF5TqQIhAOYbrnumgsxGQ2dzPDxnLq5z\nkld0wrLq7Ja3maw8pYwZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUHuhxglUiMtrXUPIlk0LPuILXiJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQdrQjUCMM77+jUoGveXOaswrKzRmY6ipeLepG0pd597shrOPV4OGOh\nhNFSTzc/ErFt430mDZYo/GCWS0IshYK3o4GBMH8wHQYDVR0OBBYEFMIIx9ICt2FY\nDW9dNhVlIaoyXZYxMB8GA1UdIwQYMBaAFH6jI/iKIfLzY7BtjN4I8pB0AE5HMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIHlxml2W2iodCu4qQFUOtOyy\nm8ZJL5yxZiJQqxVO70ogAiEA5vT91l7NMrsoYlCWDSr0W9UVG+5Y0Gkqs7jp5ywX\nnKI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJ9QECXcml4UUfovNaDJzCfvzf90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQor0Gcbudr2ucBoyNeDlCMtkOezLi1L9nNlPlW\nvpcfpv2ggpSeqPVy10pGUZKyD/vABf3D+NZCfUYNZbyMKIAWo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7kbKytiyS65bXz0PBoSh7RIdGEcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAMbYLguctFT4urar\nlnI6NhVPZbjbUCSgPMT8kZ7SWHiaAiBxd2IjkDGzW0XluxfSug3L9c6/q1mUsPeT\nxqO4BbzDfw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUbhYWcz/7dxDP4W++6Bk3OLbV9KwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxP6VxI/pqMHlKRynGU3rGprqDp1zjQX20nfp5\n4uRCnE6fTTLdIt23xKsNswTfN04ihRts3AYjx0xfDtRQLek9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbYV3LUd3sQdfCRXYkxuI8Q8tlzIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgGA7ZORktIsIph2en\nVKGtak+hw7w7kromuAhykTDo77gCIQDoYzamrMxasueN3Pnk3C+A4gaF/0CREaQt\nZVp+ef3amw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUda9YPPB89DBdxaAxHYbejkigZ2wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE430PlRrPoJA45J5gL8FC0LirokWcAlg5QOYc+FX+2fHFinzR\nH/O9F6/S+Y6m+HjMZ6mVSj3ZBrMFLMPc6mQy0KOBjTCBijAdBgNVHQ4EFgQU9INY\n0JlxlwwQZqmKRm7EhWQurFMwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTuRsrK2LJL\nrltfPQ8GhKHtEh0YRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nux4L2TG8394KwgO+BTzvbxZyD11c85yZHy0wSV6SFbICIAkk9fNYsXJqtuAf2OCO\nzXSyqc5D2Te+hn1JCed2ltZ4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUHDkjnDQAH/605GQzUn6AxHYvEPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEEPMMn7SZ6vnPl3uiaxIJUIg1/OKKUHOTWWt9V7migHr6AU/r\noSMvJ5x8nZE7owQmaFMw94Is78gZxoVKgf4zyKOBgTB/MB0GA1UdDgQWBBSAZEqf\n80SrH9sVLUHtdRaLOa4MPzAfBgNVHSMEGDAWgBRthXctR3exB18JFdiTG4jxDy2X\nMjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiA3zVtWWdW2WAB723ZE\n0kKSwnAoLFzpYqu9hOX7sBfnIQIhAIH9qXQufrvMaNLs79F5fcW79uWhQvy3XXh6\nVRCHqWJr\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUKf68WXk7TvrbGffYIMehnquBaIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpYM2Z2LkTbj/O36K3OPoHzPAwN7DhAdrfUbfh\nucTWZriQDnYtQ0G3DdT6XCnMFVp1mQMiCjqIIwXxo+1QXAVio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFzjhWBN8NVKbVb7FIh9nAggN7Y0wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAINrwoL4TlhvzmPQ\n0IcBuenHNJH214Q5CvvcwXs67jR4AiEArcsKY17vdF4prTr8/x+BEqPZuVLPUL+l\nUNfeEsRknSo=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK4ZWDgR1KVVL9f7foWhbo9wWCwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+WjymFEJyoWogcWm0fBTyGvquRFA2cIP7/DVQ\nlC9WqGLsn4dq8dPjF2FXSKwnUZCCzsOcx+QpTWYTXhK6Vfpto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQgwAfvMaeWT1m3WODdZ1j2n1xoswIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJUT5azNtm290QQ1\nVTc5u1c9vCJULbZlGnyLugfFpSZuAiB1PciJlfgV2UqqUYPYJ2D/gYdN9R51AQZe\n8NnUUChh+Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvjCCAWSgAwIBAgIUM3umjGcWRX7bgozG8jwuX8XnvVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQwUCYucllTjpigZ0rbr/lCIp4yeHEQJkJxzu6zzECgRFslFAn7HhwY\nS8kGbGk0uBx+M9AIsjYfrW86Dh/kbe6To4GRMIGOMB0GA1UdDgQWBBRpfMrfhqBV\ngdru4VyBhFERVI+7jDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFBc44VgTfDVSm1W+\nxSIfZwIIDe2NMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNV\nHREEGDAWpBQwEjEQMA4GA1UEAwwHbm90LWZvbzAKBggqhkjOPQQDAgNIADBFAiEA\nubbuH1pvHFWjnuDjI7rQhTjug8OvQH//fQU2BYlapoICIBNK2k+t3f+Av+B4Vmth\nAjHNEDj2okjZPCTdHK5xHVsK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUQ3fJvqXfnFQyFzPMMaYIriyMl0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARogikfDcoUvhIlx2mGlh7r/QJZn+hcMngPh+Fdiq3Jw016ENb3OS+n\n/I3Fs1kF4Xc6YzKjv3qfkV9z3a3F/mUYo4GGMIGDMB0GA1UdDgQWBBTFaWVSb01o\nNCuLuzfGJU+s3zO0SDAfBgNVHSMEGDAWgBRCDAB+8xp5ZPWbdY4N1nWPafXGizAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAPioDQ9445DrlAm/\nT2QmH24La84jrIZ8ftjqDdl5PWFhAiEA78rJTmrvD2b4uQkdNnosq0FlGCwhG/yw\nbt9g8HncQlA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUaxMCjyJKUIdOrypS3U9A43sjkMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASGCUwCNoQRIz2vFGrXm7vc66ySjq3QBMcSjb94\nwj8mBTu6vH0rMwv8mB5fInc7QwDcBxpky4iTGdSc1kWoPKkio3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFK5fzAQKjXUTo2n7KtOZ8wQHwef5MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAahgUws6PzwE3KHs3M\nZf84mbe+nwn+Nqzq7Jtv3nUfUAIhAMhj/QAc+rSq5psnPi/vM+Wz73JlSfbnHQPC\n/IqQr5qd\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUBpUPlM/QdHWp3VJstw1/Lv9gc1MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATc1/VQC7uRiLJaP3JokuFl1oQG2lmdroAvhWCj\nQ2uB1NYUY1Oa30Mfuodd+xUk3az0dSSf0H7RR4s8hSygIBs4o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFLH2h0P3l/yLi9tt5GZvJMVntLSxMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAZN0S5yhkQXlmBks+Y\n2gUgFAaNcRymsrSap1YFzsLNtgIhAK7d4R1qJdw7hsTv7cQy0cuYVqd0CUayKAr9\nbdZsjCEa\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUVjIBky4Zkrx6MtSm3lejAKBmNcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVQsWp7yd5vbPgTrsg8NQacbwf9nZCWwQoUEu+\n+BKeAbEEbz6i8rq9+fpZrEUzSRzb1jbNGVGklj5rrsMPaT0Oo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUrl/MBAqNdROjafsq05nzBAfB5/kwHQYDVR0OBBYEFGhu\nictjkOk2jG/62Z09EOWAS0vBMAoGCCqGSM49BAMCA0gAMEUCIFi5zkGZUbGVx93h\np78YKB2mP//VPhY6zXyCi1NXeHKHAiEAkthuJftjb2yF0wUjXng0xye2eXlmwYTN\n22cVdiPL15Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUO+Ol4I6hqtXmPvFeqzFfSUuy4rMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATD6r8DPi7e1kuo0uFgcgfiUrIGkpO4WUYRingz\njtFBSgbnxWJjdW6ftSJky4LR7KKZ3g2++ayNt5/3cWbpNGr0o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUsfaHQ/eX/IuL223kZm8kxWe0tLEwHQYDVR0OBBYEFCFE\nFNjwApRivKk2JgTiUBAHM5v8MAoGCCqGSM49BAMCA0kAMEYCIQDY9YlVPh766G4y\n1ecDgJupcPsxVYWoA4S5kvWfRZvUqQIhAPrPK8CCYyEI3Y7QZwq0NRPeP8yevOQG\npM7I6ad6nZY4\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUCAwpOxTVnJqmSYjHXmTwmfO6fBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPPNgAoR+kaz2JyqwrGcTopDeKZE3o/XCNG53uvwh25M\n/F2zHNgkwexGGBaBzJS3sQhaeXQLL9a2kpIuH1BrSwWjgYgwgYUwHQYDVR0OBBYE\nFI3doxQhoC5qi4KMu8F+Y0ctnkFjMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUaG6J\ny2OQ6TaMb/rZnT0Q5YBLS8EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFmN\n0D4l86mRsLX0IqQm54iZipaKQf5vpd3hqAcv2zgeAiBmDuJtTG7sGpvZ+3LBG8mJ\njPrjTJwClcpcsFmNgbM11A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ3kK3SdbMigRq5SzUrZNwc1/FEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAFj9zknhMSGUSfMT/p9/c1QPKEdTYJmlpCwj4o+8txq\n6u6UMnCSxsvMCA/yPAJIhpJ7IvYvXT4W6rml8RsIlDijfDB6MB0GA1UdDgQWBBQi\nliY686skqx/acggEG3pSYYw2rDAfBgNVHSMEGDAWgBQhRBTY8AKUYrypNiYE4lAQ\nBzOb/DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgHvo+yoNmrcD3NHNXzrqN\nPCavDtV4jWbFeYoC8lIiGgUCIHNGiXpxGHrONcry404KEBksu5kf3SjZEb7u6Hz2\nAbrH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUbvteRzi8JF/A/kqGYkgJmxh6XGUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfUZJIiOss+SyRCJo/6D4aSOsjlUlXp3KxLj0n\nSDQKR+tlPIIifrtxiG/tdiccoD9nO1pWj2b5fl4mvpB60e6Xo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9UjFAHmdHfszij267pOggXPOlp8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC01B7G8fon0GdSCa7/+0lw\nf0I69Sst2qOXeuGeDieoLQIhAIDIIuhL4sjFvF4oFma2MamWtdCXLgzNRl2g50bX\n380Q\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUETwwvrbYwVBhPiEwvYg8GxaN1gYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwzK+1RylGlUW95EPYNAAeK8dKnWxrRu7TJnt6\nWzsdytwB1sCtskci/5uz/D93SbtvejYqcmcKgVIIc0tqeryio3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlUmadV4KY7cD7ySA8Q7OiXdLITgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHXS41wSAZlBfZR7fufDZDfw\nk1iQSGS1himpIP/PTHXDAiEAkMxWPCIwNsrUudHAPx9B/H42ryLfYW2kCGbUHXKP\nl4I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUYysSDl9bkkuVXKlFB5p47OaFxRcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPRc77DKbxvs0fRN8DHj8H88di4+0CTdPxiKVl\nU7MkggiNzValSoGgXAzzavbWSFnrGKXHws32HzA5r2GvsMVmo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU9UjFAHmdHfszij267pOggXPOlp8wHQYDVR0OBBYEFJPo\n7zBDc5DDHhMlvodSMmj9gkQIMAoGCCqGSM49BAMCA0kAMEYCIQCltj2JXxTGP41K\nJ4czyoupvDz70mB6L0TlkXHMR1RWiAIhAOCpt/OGyKMGxrKCXBmOOjmnHl/DoE5W\n8hg1R+B1sTDE\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUKgvR0NcG44k8tQp+97vBPFXNdFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgoiOFIDgapnr+ZZF1OSZFKmJmqO2qDI26UcA2\nQrVh2qkOl5jsVbZeJ8xfkMx3KxFEu0PUwiQO0rrqen/hZFSho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUlUmadV4KY7cD7ySA8Q7OiXdLITgwHQYDVR0OBBYEFG6b\npM6GbWq2DzbArj9QYc8DohS7MAoGCCqGSM49BAMCA0gAMEUCIQCwXe8QYBndEIWg\nleOX7F4IjidyM3RPcfW9h+awdm7XHgIgLWXqZ/AMKOhPgSB4zd9zQLQmUxumDHoR\nsdqdkG+SbqA=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUWbzwiHe5asjshhZRgGNkEFRG4/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhduropwtIqeqd6uWF6ac3OgmmF74tamk5w67g\nCSTfAprBeCwsg1ek3Gssb3vcTIUi2xFJ9a+JQqoB2TjrdVo9o4GMMIGJMB0GA1Ud\nDgQWBBS1T0cjJ5ug6A/1lzRdfT5t5uJAwzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaA\nFJPo7zBDc5DDHhMlvodSMmj9gkQIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggr\nBgEFBQcDATAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAO64KsA3bVxhxwoi3+vlRszTS2UJBLHwgUD/tOZ0lPzVAiBp/o2oBxyJ\nd3bTlmIk+bYoluM6lG893EMnxVPBdjR3lA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAV+gAwIBAgIUagGmvWrZpdjHud0pfbVvoQHfzXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUo8nvcKbeIdhX9yrj7nVJX8/YBz6bcJtxhkOO\nGMbATEVX95m7HXVviGXtB5BfPRtE3GvGxXibTWlG9RQtEvjZo4GAMH4wHQYDVR0O\nBBYEFM5Ijh8uZ06ZAI15IXz5Que+maohMB8GA1UdIwQYMBaAFG6bpM6GbWq2DzbA\nrj9QYc8DohS7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOlxf1w7\nhPcKgkX6XYv8STEKDGShpvIVK5yx1O5RsDOhAiEA/y9yCGbVNPLbmoWsORsrqOtM\nBqkiesnpdskTEDSfOgI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUesGJVYEBfzFzqlZxAL49H6QopiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDh0xllOIerhlQeqq1DdtdCYBnWsfR8qWOPDR1\n/TbwbKzkba9OEmuDySn0Tk34cOKWCBUJ7O8bokZQ7B6mehFTo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSx1X3V/BNEE38KIw919o5K+B/dAzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAHAQ+eDPSBtv6Fit/WheyHRjatTUb3hJDMvJgwdh2ycAIgWfp8HLNQfLb0NFGm\nQ6gcWzZxnvoYGpeO/29UbeoqIRc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUdW2xaKzLZxKrC65j09An2t+/ITcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVskFFCqZkXFu6eEMoAV6r6m2bJw5+h+M5Lodv\nZFeqiDZ6Sdz+6/9E9Z45BEdRcpxDxtSzPCDJpLHJHsy4Tr5ho4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRdKt1tmmyiKgKUW96BBhUuZpLPkzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAlHVTuBTcmac8WPKiq09nfV6Mh0PqhgFP7+Z95QZMyTgIhAL3kqKDl+C2dK1sV\ntorcMYqkQZjfu/r76ZCoicVXQktT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUbDIbbdI6J8BM1+ZSqnkuyUM2IDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQ38wE4QMXprGAzeOZr+8EF75YOG67nDSgyfWvfa5FO\n53kHsG5XJhR8ZKxVuBj24knahPKXWX/UEIkHMJ13LEejgYgwgYUwHQYDVR0OBBYE\nFKTe5Y2l91sghqFCfWgPfYkobpnKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUsdV9\n1fwTRBN/CiMPdfaOSvgf3QMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIB2X\nxKjmH5VJ6niB4MMhp5TgdfsoDYje9VRPBSKfjJgiAiBywFwXh03pyJ6E8TB/FVdK\nfmTpn47QMypQLLXT8njp9g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUYTxDqQK7aok0yZjU2QnsCtU2QMMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJQSQPY9p6gePuyfv3oFR0QF8DmFgFryQbVwRkslp+gD\nI4C0vtnNiYsy0ejJUc6H1gdwXe7Tgd6zArSN/dhrsZKjfDB6MB0GA1UdDgQWBBQ6\nlUjVw3WAhrU66quUCM0bfq9TTjAfBgNVHSMEGDAWgBRdKt1tmmyiKgKUW96BBhUu\nZpLPkzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbjKlhAEazwyylykpDNKC\nKQ1O3IrB6PJWCaYPAP3HuuQCIQDyrOGdm6Ef2WkB/4gsBOmax7JF7Herycj8s9vV\nEk5swg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUQD7iMwPT+BAWbOjvp51kpI9WpZ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3olEdAZvgyDmlFAustS5UGWg9/aqM9LIwDdgY\nQ61pmxwpP45JiEAmksJjAkNqp7msqFCFw5NNAWJKxDM+cIXUo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvR5AljS6h9qdpGGNnEYfkzEreDowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDbaVblnijgEWnZD5eak7BApHXF\nAPlNnvIXtH5yd0IzEQIgcnGBb5iP/sd/SS+x5NMDNZrwuaH8q3nofUtvxt5jH/A=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUKD9BCWb5xw0M1TfKBh6L3YBsBCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3DUQ7DI+rHZlzsdfT/KYP0C8M//dPbcYspE6Y\nAG9arEEGrm3qkJ43ZK94KrxDROclT7YmVMlyX0DANQHf5T+Xo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Nt5EhVpyJbz+mVisvdBJuU+8OIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDdQoI4Y7gALmVDt35kLiX4Hr87\n5n+NAHIR0+AwVOhgJQIgB1ltHHwqlBRfmj98YFNACEebCTCljd72VCti12p9w00=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTWWFJBGnnyabML3UiEo0u9wwUOIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAiC6zL0JYh+sUOwJi/5vcEx+gLvyKG1HCXWRRH2l6Sl\nQARKLoTiLI65+DPQZ00CqRfzsF19maVbi8ubzvl1G2ajgYgwgYUwHQYDVR0OBBYE\nFF1G+gdxnOfVUUK2OFRrs0ORO7iEMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUvR5A\nljS6h9qdpGGNnEYfkzEreDowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCr\nTG5lSz4vBNDYl2+IopPsZDYT9ekf6puX1KUxfimSswIgZeElalNIYRmYgr18kuBb\nJZnnGFef8Zzf8rdQrXQ2Vy4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSnzsRcymyNo0uqI2jicG7y5c4u0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLVUM2p+/mvd6S6CBuaIRl7IXhBfOc2YJygr4tsLsGU\njAXI1hhQ/n/aXzKyvLZKZIzb7k80JUKwf8nvnKW+QBOjfDB6MB0GA1UdDgQWBBRn\nIs7QYHD1Gc7qsEvM5DVnbgjRVzAfBgNVHSMEGDAWgBTU23kSFWnIlvP6ZWKy90Em\n5T7w4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJFNWaLQZ4CI0pqUOsYO1\nPj0WpbkxA9cND9f3uB4aBI0CIGcgoxhpPPlewl0DgNBsv0nrx8HdHKWYIrAokt6m\niH1P\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHSANFUuNxBT2MExTnczhZZIjGT0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzDgiTuV9x9RxaS+SH3VBOuT2lT/JuEafgpfgp\nZZ7jbw17EbeQYIzVKKKrll7nayk2bjpw820ZxYuSa28uTczpo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU85heFbn7xRIHty03aY1XTphR4PIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO/o/v2SU17N2Uf+BESk\nXv8JBZ2DmFjGkHw3Q8+grJvGAiB3PjtGzpCwiVhfQjuiHFRtIRssZxWhHluFPclX\n6QB2kg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNaS2v/iM49VSh6SlzSvupaPSaNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCj/X8itiCG09j2lMcZSm6+XPsN0NhuvGjY274\nJwzflDV9xMeF/ZLrGrAhfFckUElxJlSiYrvX50tYJG97OS2Uo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURDsqX3mHQZdNcGZlIiG7ibYMCDkwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJ6/ktCv6bQRxlAklMH+Y\nSYRZ68gft7sKnDEwEqnrQIICIGZWjNZuKLMT+1undwH0ccMNqHUMPRLe8MqSF9F7\nHGhT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUc91c3CuRS8vCmzCasKXxwUPAuwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIW2FA8mye3u8cDOR4euXKovJ/TECL18nV9AyUqSx1St\n5n2+FgMIpMmhJhHOxrAodgmlo5Yd99ZrLb8FJZ8tZ+2jgYwwgYkwHQYDVR0OBBYE\nFHDS35RjnFVAiGTTG64Es1PYI+8OMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU85he\nFbn7xRIHty03aY1XTphR4PIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiBzY1VSwUCKZ6x0sJEph09CCb88u5dT6abpiKYwcy2TkgIhAMOvD4jqmbiWOSDm\nkHY+/oT+A0mjmaZP0Sn92Y/kv6TN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUbdz5h2c/hRWDsqfnRDOoakc5v/EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMRMPOxOKbpDOZTGLI9LpWaov4WyHlXu0LOvfp8CIItW\nqMn0DMqeaEjJX7Whdk4/vvmznBTC174NvoOZ6Hv7bY2jgYAwfjAdBgNVHQ4EFgQU\nP56i9fBQCfSC8xJhdHHVAgr5pCwwHwYDVR0jBBgwFoAURDsqX3mHQZdNcGZlIiG7\nibYMCDkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiALkNpZP5ZySt8k\nNnwhd/sVCqz+Jz/NSZlZAqdIGFLiWgIhAOQOF4/aXxMesE0urd5kPrK+tGFUMKZC\n9AnRR3P+Cbr6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUfrlH97iAB4WkYb5DantYtjUd2RMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQn3kHubwh6wPysf1kBkbJmlZ3bNFPOThllWbqi\n/p/PrNhQyp1fmjQoPXfsJpjuszpPTz41Z+yLehCMt4Qqk79Fo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOVTQXMHT55e1Fzkz6OHavSrPBC0wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJjueNtLWBUHiYnB3LE7tsKsa6GgBtnf\nRE7QeL0O32exAiEAm09DBw6ZWi7kiJ6OnEvz71Rr9fF+E880PyfzQCa9wJI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUUrMb54RxzBUr2fomSWW2CLZ/LmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXccFfYrBclMtYxZFkTwtPWfwZLWnCIli3ZCm5\n21WPu0FXKeTMD8Wmap/TBsyg6Njq4HcWU1gk7OrH3aBDU4R3o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURi3Qo3rqRLHVyGtboZV7K/5MAD8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgF/kOabr36n91bs831cj60gqznpX9rE0Q\nqVfXxO2s40QCIQCQ0w2a//4/hSFcKuiBVaaBSwiMTEd61BLUUT5NzIrXwg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUHVtE6nyGG9jzrEgC9X5GRP3ZigYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKURchJZwC9IdnTFTTX6YP2HGDDNFkd3jzGcWarHR0E\nWBTxHbBxbxD7LcfvwgjFUQh6W45FhqpXf2/liAFk0nOjgYAwfjAdBgNVHQ4EFgQU\nJHOcj2rZ1x06PLqVPG+bAiBfd3EwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ5VNBc\nwdPnl7UXOTPo4dq9Ks8ELTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDwYDVR0RBAgwBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiB2H0Ez7nFIwUps\n66AMkCLXKjjhzmTom8SXEb1PBPA52wIhAOPufopjhFemcwwidcIL266Xp6tVCD2B\n/oGdjFBzprt6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUH+VQ6xBGtKpvnQi3aICBON/bUPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFcFLT5WkQ7BSJ4+pevsTAR8Yt43oBBCxl0+90wTvRIx\ntPWYAOjPAxkjiQkf8eZujJ7oYmKvLWkvSLYmIdUTmUajdTBzMB0GA1UdDgQWBBTM\n2h/bumFzedXdWEM/BOHBy2ka2jAfBgNVHSMEGDAWgBRGLdCjeupEsdXIa1uhlXsr\n/kwAPzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiBPc7FKuGByM6UemPv1wdgtRpMnz3To\nHv8qZ8LdKDEkGAIgFKNL2aBaZOyobN8t3PTrfLkjdEIthIDrmZH7CvAJ2sk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH4x0GZ1LQ8oRMfv2V4k/2kDT9jkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARMbeJRGvWgLR5K3tXEFX8hFgRQXnXmbALAJUFJ\nQjcKWEkgj7bMgS7YLf2Lzko+yARBTIjJuoGQ7T5cmsW94MGzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPr8GF3PybK1P/B5V5kK/B01M5eEwCgYIKoZIzj0EAwIDSAAwRQIh\nAJRhWUU5wXHlBzmo+JQQnyyqaBQTimRVioY69r9ZPRAOAiAxsWLcbttJqXW6yaS8\nPlkqt1JqPwDIOSAKtK6NWIbpTQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVLiSGg06crsVsI792EM0s+popbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyCNDslkqZ68Vd2QoOorgrl3ygSwo/gJhWhHZf\ne1WpDdeszVLPHwFen97Y4nVfKNJtaH0+xiUMGohlgf0J1Ffoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/j3XUg3AJSfYXuwgFkP51Zn1bDgwCgYIKoZIzj0EAwIDSQAwRgIh\nALWmINPKq8gfNP48d9cfQ88t0fb5kqq8aveoubdEZSvFAiEAgsI+NLk7d9SHfSgc\nk7h6ONH0rO5GMcVyC+YK8TKc15Y=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB5jCCAYygAwIBAgIUbGZX4v54kmBGFwGYp+wKZ7wvxfkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDKd41U5VbhwARU7Ky/y7HxiT/N5ETUsYYVhcFLw4K3Y\nmGOeJsLI+Ej8z33Z3EC/KK7JSOMVBeI0rdx144MSgRqjgbEwga4wHQYDVR0OBBYE\nFNgckVrg5k3feY6e27QVKs44qh2gMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUPr8G\nF3PybK1P/B5V5kK/B01M5eEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCcGCCsGAQUFBwEBBBswGTAXBggr\nBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgKYKJMIU01r29\nJ2iCj+BrcnL12Bp4Q0Naw5kOcNeIQkgCIQDCiDoA9vfkkmPC+C/mowYbrFAEYTRf\nEaHwtfdFuyqsCQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB2zCCAYGgAwIBAgIUTfW1MpDt0db6TcYrBRez1vk5fwwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvg6G1jhVyIb8/rqMUrd7NwEj1X//RPWkafZeV5taTF\nrIb+N6FQ3LBj1gGRhg+2ayf5eYjKqzg5LpvwRjLdJrCjgaYwgaMwHQYDVR0OBBYE\nFITn5LO+c7I4NOP2la+jIJYN1IrYMB8GA1UdIwQYMBaAFP4911INwCUn2F7sIBZD\n+dWZ9Ww4MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCID1xR2STJwxQZ/NRn18gplceI9Tj\nSoctzBPciwOuIw5GAiEAmoZaqyZVUrs6RJO7aFOeMVPTO2BvgDsl2IqTwPCjHvE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF0llLAqjXMav32HP8d8ZtcpiQ+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8WztwXIMsxDXf/JLLh+02L8JBYcT6PRruRR+v\ncCuf0QfzRTNKvY60mdJcCnCgDzuJeCwF/4JdG4nT8ElQwyMco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWee7l/G2HEB5BeK575TOP45UM8EwCgYIKoZIzj0EAwIDRwAwRAIg\nA9h1GZp/CGFWpmhirK8l6f/FUC5RzcGPRM2ph+YuwDQCIEXBtRxVFWjJzM2hGIhr\nuNwtfr6plzURsuenjaYzeIWW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPFuQxWUBlspeqRWNoX7cuBWTngAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTJedMAip1tuBQl0PzOxKCnXXccKSHOKh35pag\na4hG/8JpVG8W1IHWW3tJCAwoo0rnH2LrhTsYbemMSLvMpHJlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8xVZKPYnKYmQF0lY1j974OPMJgkwCgYIKoZIzj0EAwIDRwAwRAIg\nRPkG9vL0URV0NBIvN4dsKcztitQicZjbGSe64VJwHesCIEjCS8uGUIKppQCzrWad\nk/8kTRpAdzIHrD/xPslBCcJO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB6TCCAY+gAwIBAgIUW/Z8HKaMdtEKEQ6oc3M7qvwDtoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMNuk7nlUBe5PJzk1zUNsk0O7NUt+ptF+vkbk5pafX50\nKFrdPM8QDEVzaGmc770dicfqvMRgRP022oVweTuQnY6jgbQwgbEwHQYDVR0OBBYE\nFIjnVy0uCnrXRCTru2NDX/skkSS2MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUWee7\nl/G2HEB5BeK575TOP45UM8EwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMCoGCCsGAQUFBwEBAQH/BBswGTAX\nBggrBgEFBQcwAoILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgUN0SWnhH\nYkAaorKejFBlxuXZgJbmECxFhNT/R4Y+cWkCIQCAjdtObJaHk+nzd+gSs5tAy+o0\nWTXiTKqMhgF0vat4DQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIUKpgugmXTdjjfd7ktVugETrhUpUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN0Ei62vYDC9o5TtfP0bN1ft0lULNG3j2B3Yx1xhEnl+\n5c6opPKrK5G4XulUNGy3oSMOjknM7oyR4LT65ohOWWGjgakwgaYwHQYDVR0OBBYE\nFO5YdJrZkO/PCLeSYAsg/gQLL3/wMB8GA1UdIwQYMBaAFPMVWSj2JymJkBdJWNY/\ne+DjzCYJMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGshgtFgq1ZYf3ZSQwaprLTB\nPQupL09M98Hkutz82LRfAiA9CwxHesQey048mNdCYE/OHxMX4FWl+dxyG2e4xeth\n8w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZY01Xipj5u8Xn/7ANNLNxqCJOdkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2cpqsMZsFyrq7KFc4Va5LBu6T2yTSK1WOPkwp\nCTmCE0cbbVg9Lr9clYNHb8h71vLPzQo1zq/SjfLlJB53aZmTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsVSgIYZcUK5mJ56ZlSWRHx+HnkcwCgYIKoZIzj0EAwIDSAAwRQIh\nAM+f1NV5FW4/vW3feNecGniEKe7GqtdOn+g4ufNoBaqKAiAki5LxtNG+kyAFxplD\nCt9qZfckOeKEwrbZXaaMs+FuwA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCRuIYD0Jd0zYgADKvoQ7K3goRVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS009bp85xPlc/fZ+528Q0Es4XeohLJJ4u3lpNL\nqWCu4IntAFOB9RiKNVp7iJIccAgnoChXeA+FQfw9XuAte2BNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1r+cg9tiUhcw3MBbMmpZhiAWAoUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJOg+wlrgsM4X6kaBj/lYci74xZqEmYoXyUkM5UFPvr3AiBeKTtP/tQ8+T/a+Bda\nrOWT/RGmV4mfsbm6de1VWKPZpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUWvQugdM9as/N2Tnf2cXNIcNITDgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf+eje5rC\n5LlDDCBW/BVrr2WZpngkahPVgHzcVUVw1Tsi/sGBC5iyETrpA8tR2LDCvior7Ov9\nScG6bWOxy4SuzqOBiDCBhTAdBgNVHQ4EFgQUKTbbbCAD7jn9szO7Nmr+Z4Q86a4w\nCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSxVKAhhlxQrmYnnpmVJZEfH4eeRzALBgNV\nHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBs\nZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbT44yeeXyg3WjLyqevixQyjw6IDak3vB\na96BSFhZkB8CIQD7V9GyAU03Xh2g61UZ6e7QvQ0TGRwOd9J4IlOupO3VEg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUE8Mfv2wqUP+EWNw+cDH9J9wtCJYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmr45/u63\nerseG2o9DxK/lYg1puOVB/wayGc0dvU+dY9kX+KAv9eQ99WwODl9QzVRqHPFyaFU\ntqPtzgMpAC6lMaN8MHowHQYDVR0OBBYEFGcPLRGJZjX2hoXQ515YyV0q9y35MB8G\nA1UdIwQYMBaAFNa/nIPbYlIXMNzAWzJqWYYgFgKFMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiEA+eeMT0n8CY/whdrVtFsTGXWqhPo9Pg2qvrMNx17VIIACICJL\n6b5bdQU3uW7pc8uHIVZx+Le787P3UAW4kIfkU+Yg\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPwvozDoUbFIFHaUzXjKgI5Zx6xQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8HLFAufUS0XHgXyMvVmT3VGS2kpDjvTAjVNPB\nrqO7LC48Tz06Kq/vclhVkwjqxbr46XH/LpbD8ryLATAKgKJbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXhgfTf1deuXG/URkcw76fHShWAgwCgYIKoZIzj0EAwIDRwAwRAIg\nPg7QamjFWar3YQuKlTTLLWHbumlG8Zuf5LH0gVTpAjUCIAqZ+RAyuc0nFoCB6IBy\nXByVd/IxHDFYPXMlE68SFEMh\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWGPPxntvFA4c7+Sry37boDnT47AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwaKeUSnMfKq1FXRJ78QGfsyDKto/09S4RpTy+\nfpnBJRap6i1JBj/XLCXvFRiAuAgSQN7fwFqw852zVBZAXBpSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZd66BwDFii46cDgqjfpjknK80u0wCgYIKoZIzj0EAwIDRwAwRAIg\nUdYGUHofABu0bJBPtDN261/zoSuusfzpO4L+BMdMo/4CIDTpeW93zxMkHqXGoqcH\nFgM6WjWnmxZ1O1JH+VT+JT/M\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIXAPUOY4aK4VNzn6GXD/Y6MGIgDwN1KHowCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABJJlTwlEZWMPXhzXD1JtNNHA/Jh/t2kiJjji7G/R\nlSHdEbM/p1aD2sjoD7BIjqAJCDWR5dj5juJAC/QHSuPUDzKjgYgwgYUwHQYDVR0O\nBBYEFNAfK1LZvLEK5ZPpygsX0HrtYLDKMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nXhgfTf1deuXG/URkcw76fHShWAgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDpDQTdH/MGOJjacDlH9d9Brj/qkhFBtr0XkbrBd+VNuwIgIKEfhCvKurRJ3Gxr\ng6Hzbv9mSUbb9n77gdAHcR3BpPs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIXAPX+ILuQYIagZ+uvwYxoIWoRqHOfYrYwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABK7A3V52q0sJlUYES9f+d9XTfysUB03K5B2WRcDu\nIZfjhWAsz5d/L2s1uVcxBYpKDJ+Aa4KVUFvXzNonUM5Bw0qjfDB6MB0GA1UdDgQW\nBBQS+kQaRTWqwEjQDbrN/FH1F+meajAfBgNVHSMEGDAWgBRl3roHAMWKLjpwOCqN\n+mOScrzS7TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgTf1D5LiQwWnOlyaw\nma+ZB/M2HDKklcwkCB6M30AIYIYCIHHIekHtveX1Ng7jZ3INUy0TU84pD7it05w0\nR+p880RK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQNw47NXjtx+BmDpRnBZohfwPOkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2B1HdAwztE2UFlECtcKnfSH+W7e63iss10n1I\n4Ty/sE7D/b0j0oBOm6wj6p87qnE0kyq+keUJWb8XmJ4CJgtzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU24oqD0tNqprCivXucFDAkvoBZmkwCgYIKoZIzj0EAwIDSAAwRQIg\nVmUBbY+l2pyfyGNogsEMJtF9yzaQfRhBLbxc2MVWqUwCIQC4f12W7P674v4fAv6A\n2pWIUEYtJzGRGce5gWmXxLYjuw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaU31CvSTic1ABgJrlh5laZP1fnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJrFDlU88Hi0YomxvVkyX3JsOgZDlpPNi63z4p\nBhsXtLknOGcghGJy7z6VF3Kh/mleC6i+CnEWHo3dGohtX530o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwN98Rfh29De285UswN3flUqDriwwCgYIKoZIzj0EAwIDSAAwRQIh\nAObO8kMs0xxBnIpngkHkBITGZiD5FX8Cm9Cby2dlCv+xAiAFAuoaiJb3snNR/atp\neOZSKx7YkX5hs4g7mH75qRVXOg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDwQl\nD9oQJ6Z4NMlEoQnuCVogl/hVf8xeUO5QlaFvvVxWCttSZ7w+ePwCUg1eB+PDJKGN\nw5iVg4mR8PeisyLdpqOBiDCBhTAdBgNVHQ4EFgQUZnv2tTCG/9mwcDyUUUuFcMmI\ny64wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTbiioPS02qmsKK9e5wUMCS+gFmaTAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPekGwS4A8Fbyf/F+hoM60CCDq4r\nHW4KQn+Y+VN2J0juAiEAiJblC856ICkHref8fS2bVC9yL9kpMtPgGrKBJ+QazVc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Xpk\ny3EijFBj7nVRpulBWeQYIES5WheAa7niaHLKvU3IZrhF/tw6AaY8wISgf+9wLN7m\nzqgKF/ZZuKfsHUTeBKN8MHowHQYDVR0OBBYEFPmLooNDAwAMt0J81yvPtKedbr1B\nMB8GA1UdIwQYMBaAFMDffEX4dvQ3tvOVLMDd35VKg64sMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA9FhX7/cxE2gh/B/pbLYX+BQbR+FfEXP10ucDo7mU5SAC\nIFzFR6G1+PrpJc74J04x2TuTLQaHq6oHyjwxbeWCgrPM\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNK4eqKqrV6eKXQbL1C0aPb8D9WAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQbsgAXDxgFJ9ioIDP8AnvhKNTT3tWTuBjNkF2D\nJ8dZyQGX6kq0+pHt6oZPn0TxrKfSCBT4q3JzGjuT7fPBfWJ5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOTnuq+LtPQ1EaBiMBolRzi++LU8wCgYIKoZIzj0EAwIDSAAwRQIh\nAIelaPazH9UDbgvA4lPP5JKEokM8Jg6j8YOLARmk41F4AiBENggVPcyLPTNCKgn+\nWGTnMOa+ituWSG8YQsC2aI3KxA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEd2ItaxT7TLPVpqbJeXuoXCKaC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNeynYMHn2gFxp3Jese7gTbg6b7jcsFkv4zAwz\nTenP7M32iqnlDV0TtrRzDbvEyRy1FENywWRISVI5G6dk5nMDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7glm25BWd3v/IEcfr4M62lYpTB0wCgYIKoZIzj0EAwIDSAAwRQIg\nM0Pwfqlnl3nGyY7twgs2osm7yPSxrCPMlAhWbaRaoc8CIQColH+wWW74puvEThJd\nXT3rXmdtY2krht0/Pi9D6pmF8g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB1jCCAXugAwIBAgIUEizUkhfcn5g5YywGcfXDyXbvS+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGw+kXEjEsIZT2nE5GV/H4c4mdg7Q3PRznMODW98o/wz\nTDJ7jLSjwW2e1gPljjPMKByv/xHRVAC5zHxs4mEj/sWjgaAwgZ0wHQYDVR0OBBYE\nFHfJ2TdN1okRVFJEgkbbgZJrrRMfMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUOTnu\nq+LtPQ1EaBiMBolRzi++LU8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0kAMEYCIQCGQNn4tqR0kByo02FVAziN4E6u14hU+wRj\nOtU13MNDbQIhAOr/yAJOrduhhRka5PzNLcokenSK2cgfQ61T3Hiu2t/t\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIUE5iMsgGqhaSVZnDP1q1Uql/tzBcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDdLxMPilhMzN6oBev5AUxSCTZ/kXChMAdH9MepAavuS\n6bKwWgoGPoF0he8ng2nIeluJFEBWnwux8IYxtlUJMr2jgZUwgZIwHQYDVR0OBBYE\nFAz/+1xKUR7kVEuejG8ddc4C1cDuMB8GA1UdIwQYMBaAFO4JZtuQVnd7/yBHH6+D\nOtpWKUwdMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBJqk04rbn7SnDSk7Gft80Y0cV4kfL18zFY2N+S2o8HyAIhAIQm\nDzciAlXNo6rYRjr1MMSM+K7ASrPYPWdoIL0hlimQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVEq5wzuWwUhf7BWv9SHMGvqgQg4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASeGsu8WREYkpu8PBUmfPRIeSu+Q6mkdagKsBB6\nn5wnlYofgcBoegcTVwkF7pnBz7iCjPEDzxwndeASiY8DesjPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNynWEL4Dh6RgAEqBOcUj2xMgKy8wCgYIKoZIzj0EAwIDRwAwRAIg\ncSgXi4XDRW22hq0zNrkokY+wyu7z5GLQSWawHjDAIwoCIEpMyQsy7Rd5SZrf4LKa\nWv+mvEkOmqeUW1CekJEirW/p\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXoFWU6j00qA9j4t1n5+Bb3k1xHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYdL7XPLKW3xnX2GJ50qYeNOELiTAZa4x31ti4\n1P3uLbPubu4W80M6RSU3MBRLyWf+QvpMUAR0LFf85yB6GjqPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZWiTXeNaKfJyBsY2Pj9y9KXUitMwCgYIKoZIzj0EAwIDSAAwRQIg\nfz93WEsiUsCf6/dPucbm697iXcdxwYnm8/0Bvg/0c00CIQDuHNGsOHbcD9o8n6X+\n5x4XgJX4jqLCaf91ECn3JRwSdA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUa9Z4TlP6mpaJ9sr+lLW2nBptd0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLfdLhQigZH3N9zL6UfEPd0TKoUglA29KYf3A9UXc2+m\ngOxHHj54JrcrBFgNubzq9OdOaJ96NmPcCvYEQlfPjJqjejB4MB0GA1UdDgQWBBSt\ndgR+20swWjUkcDPO1+58t7O4EzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDcp1hC+\nA4ekYABKgTnFI9sTICsvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCR6NleByCvmbLYs10vdKbK\nY6Cw7BzLgvRUPDPCK6vejwIhAMuF+QZQMCczneOQcPCKHroohMLsSgFLQ+tE9qD3\nNJ1X\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUDfNeykdLNWCNDH7gbp3QjpTgKiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNM3M6V/L7oCV1uef2rrSMMA0WC5+DleXhlEfiMsuFlH\nCPSLC7DYX1cKImAktig+xbc8KB4PxZ6m8yiEZ3XuFhqjbzBtMB0GA1UdDgQWBBRn\neLUFtFDFHa1bAlAn6WKve8qOMzAfBgNVHSMEGDAWgBRlaJNd41op8nIGxjY+P3L0\npdSK0zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiAlRM+3AI/R4QObU9hvtsCqikihsAvGXcclTMCz\nwsLqKgIgSAV0j6ys8099I7E/dVuPIiuyD/vFMqURXaRjrq7Uezo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbSb443ZIGxmqh2fcSZCPK5zV3MAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8mn1QGwA+ZoQykXTwVmosz/1b3vhfbTVpx4ST\nooUJhVoW8w8wekdxYZQiFp2LUiwkJwI8BD9kBPi5sP6KguMho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBqzvkElt+2UzSZhqrds4dOqfhnUwCgYIKoZIzj0EAwIDSAAwRQIg\nY/nr+qyGqHsLVRpsKzKTCMGleC0QNWr8M38AM+OHg6ECIQCeqpeViAT9A258P9jl\nW56lp/5fKxN03XSLwQtA+gqokQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfDvlL5wDDvWmEGQ8j54u+ErhATIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS+IsvqSzgiLA+c26TirLrIt/hcA5hG7u96a4z\nQkdpg72syMwpOooubQ8en9HevrEuzwicBrkDw/z8o3sM7Oi9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ/JEmuRGsrhnepkIZga9gVZaq+UwCgYIKoZIzj0EAwIDSQAwRgIh\nAKlWY3V0edty07CwE9GvIR1PlBA9GI4PkU6b1+b9mNB7AiEA6zyd1jO4VNQh4dTg\nq97ZoGWjQpNF0zxrvtR1Wqe7aos=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUBxvptulsSXtnJe8BBpwrzD7o+OIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGRcsj9S2LtOA2RCKjQQssXlbz+CgzukB2z+Zw2l060B\nlO56E2pSRf29Oy327AZEMenQGtBuWhn5zTnKTqn9nT2jgYgwgYUwHQYDVR0OBBYE\nFCDS/7aIUFZIoYN0JzEmzPlnThBtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUBqzv\nkElt+2UzSZhqrds4dOqfhnUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCi\n2mE/+XR7aGtxJfoSsxwQsAweJ5oroM2LKHzuriIjVAIhAOl1T1jr6fG41wikCp+D\n40B7qlU2exm+hi3JgKZQfPpS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUWmCmOR8fihfnLxGFwINf2T8E1uswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAlUmPagWgrD7JJKTAvOn3WJmDwpNVT6ojzEG6tDBfW2\nZONXGjdHbxNo1WyhK666fdYieVCrjlctUjKTAjoDPZmjfDB6MB0GA1UdDgQWBBSW\nEtFVQSdVTTK+3u1omWgd5J8Q6jAfBgNVHSMEGDAWgBRD8kSa5EayuGd6mQhmBr2B\nVlqr5TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAPsKrE7eDNw7OnlRcfQC\noy5eRXLskC1UOHKvNmYubocCIHGRecqv+LeYEvVmGNgJ0rpujATSjZdw2ZQhB3yT\nMolZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUA5iqF+4CwSXqA87XC727y+vPC04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgbsYUbjBvSUl4dcXtkNzPC6Q8tFMAHEyceGBK\nFGM45uR43leVJqeygmKobcJ6ZznEU56kFAytF8D2aEAHg84co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmO4188Au1y829pToStY9Hisl1PAwCgYIKoZIzj0EAwIDSQAwRgIh\nAOv0ERyrP+hpz9eIH2Bi92YwFMd8v4ds0g42jelh/xFFAiEAqrKqx+Ok2Kq+3l/F\nJlPFAz/G1OjXS1gFXYRYjkQc5pg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYs9SR1KS6h6aP0jAz3YnFtrdBcYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC0t93X8Sj+PD7Z2sA2ZwbOxiBG7Pb3RhD5vdg\nOVQLlsNQP2CsNRxjFaSGVJYBqpiAVhmdSODpH6sgWZI1nBngo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU56C1yoBCYZj7hegKxbNGhDvEH8gwCgYIKoZIzj0EAwIDSAAwRQIg\nZD8LtFHMKFfv5XTDt/1FcIaM7KAVsKthO585os1Y0wQCIQCCWQ8ecZwKdnob0WK6\nA4+7oaHf5XbqXCeSYTeQTeWTrA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUAguLG44cXoUWswFopIaM4K8c8HowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHDWMmBsm59nvZOlEqiUFnmPqhBe5c2B2gHM4+3VYHph\nnGitO4D8BPsVCsOsOgNPTsdfwVTw3fks5bRZObA4al+jgYgwgYUwHQYDVR0OBBYE\nFOwUhVerSlWy6/5fn8crSzvk0Q+iMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUmO41\n88Au1y829pToStY9Hisl1PAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC+\ngjHTy+5gUaek5iCq6iejv8pMOSdOH8UE/4oZlFKMQQIhAKR+Xd5lLeDynLmhUJXZ\nR8Ne6hsoyGl6k7F38K9uUDkn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUanEE4+Cx93k1zGQSD9PQ+zsA/x8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHtLB94jB49AbCuvoykI9A0U7DvRf+6NMvLX5E7ve8c1\nXblO9y4S9r66/ktnyhhSTmKy9vqnuU8iEVGyV8HFhSGjfDB6MB0GA1UdDgQWBBRz\nWZPcFGux2bGsz8hhZ2mbvfD7kTAfBgNVHSMEGDAWgBTnoLXKgEJhmPuF6ArFs0aE\nO8QfyDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLgJ0EC4kgcLeia0EMXwK\nhqvGuVwQiytY49H4utBYGQICIHVRHazwzyiyaOWjpQfHjj+ThCERXX5rcc3LMOgT\nfDqL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1329,10 +1329,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB1ZfJ/Hm9AnEkw0wAu6xPeq7X/0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjFdMFjAjNQpQtnR8B5VLhE+FBY3PO+XCe8S3v\nAZ91Awu1Gibu3HX1l7rp4+wsm+VSqSMFM5Gy41i8UIME9y9oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyOIC7TWknaSqpf38WQIlBKu3GDAwCgYIKoZIzj0EAwIDSAAwRQIh\nAI2W6chZl8ApYD0L7AgZRNSCrWzDW+HFMkKiFZa3X+cHAiAAxCHVmHZo1JzlSnpN\nr1htRnBiFVgtCeaObrMTYpVqxw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUirOXPNQZ86mlez81GyTTjT+n0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQUK7NqtzxlbrrzCoa3MDgFFbee16cjkhYSgvmA\nCCZVHJabAWVdl0cKbNXzqodOYgSI+aJNzosFuK76UFWu3+Mvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU41ohGyGiG7BchOyeuo8Q7/VLeqUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMDAQynGIenKhsBE67nrs/oAF4GjGi844OViB7LI2KFwAiAjD0h7XMa+nFE6IIHp\n/XhuPqBPnwHL21rdTRsMD4izpA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUMDHzgjpCKky/9NuL/UNPC5FmTRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFXLwLL5Yx76BYmVzTjckTpaWrbw+OPWpkg8VF9pTfe/\nNTnz3GiAHBWFRABIYXAvGhePc/Y9CHOIEzq5Mu2XuxijgYgwgYUwHQYDVR0OBBYE\nFFau/klp+z8ZFpIcuDF3VfK4GcxBMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUyOIC\n7TWknaSqpf38WQIlBKu3GDAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCL\nLxJQ1x0CvGBeAd8XXMX0tvInRHK0aBiZEFVUjN0fUAIhAI29l5hmyEY2gkzB015n\nlcKQPZW3vSi8hTZtELuyCLz8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSM2n4Yz+RMsYQPhwtWhQmxG8HnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIjmS7s+wHaFeCXDEiXiSL4JofNLpKU72YMezroIPqWY\nVOyXStxi41P3qEjNUonyoBGBNrd7r8UcEpOxCj01feujfDB6MB0GA1UdDgQWBBSJ\nYFltt6kVQIlTEFN2ReJ3jNQ1TDAfBgNVHSMEGDAWgBTjWiEbIaIbsFyE7J66jxDv\n9Ut6pTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY6JPW0xhSZyTAh3eEVIM\n3lEHMudHx914C1kl6SMJxzsCIE50Diw/jqpLJbVpzscCM8rgCkikMB1DFCQDOMI0\ndUjG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1350,10 +1350,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGOPlALxLgsAlTSw2w0LNvw2ONZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiiYe0P/OzQFzi5ixTBJ+zFgNzmU6KFrBzUwMY\nk0jV+c4SX1pZc8NZ6reBURVRKib3MoN8P+5vQr7l2qvZ5Q/Go1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcEGkGvseh46a0xTOV/E9K9GFNdswCgYIKoZIzj0EAwIDSAAwRQIh\nAKhF8LI878u2vRB+w4rbdK3TCwKcxMcxDoGL/fKoVJlKAiBf03HQbiNlei8ya7pW\nmvWoZOYUXSZyms5hxGBcdvAtpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaj+CQwTs7AHCbwlgh+R+lIZY72gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqCVBpsndf9MdZkhHI8uqqC7oHKDr/1MsNiprL\nI5cZ1ejuvnz85+o4IaWh6eO2x/uJlkQWtWeB55ixD/buDhuRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3iNvwAJ3VaIhC4GOSImVJXXPC1QwCgYIKoZIzj0EAwIDSAAwRQIg\nIurHmzNas5t9kSJ3soWfXUzDldsJE+uHqUkiibZg0+4CIQCDpwpKrdUKfimeHhZt\nmDR2MQ4EQG5642z3KGud4fxLJg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUTMRqBx82ZbbH7wrZAXZmn3Nj4skwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC7I4VBqX3/YYcowpRG23/bbX1etVTjFvLcunmg2kU4c\nGEszfGyT2t177FzSJlrUZeHhq5msMowu9VOdePSm0JSjgYgwgYUwHQYDVR0OBBYE\nFJKcW9SHvAiiEAEkbQt4UdMpKMy9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUcEGk\nGvseh46a0xTOV/E9K9GFNdswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBzk\nko49QX5GdRX0rLGbm8X7SMtlDs3E1w1ZORSi8BcWAiEAq23Ea009K41f+bPzhOaL\nErjiDlvNuO946A4i1jdw26M=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUpLlLxMj4Ms/8IfMCrz/IFucLYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBq+d/qMcbidnx07yaxk5LHfGLODMDOVHrNOsOwSOP8Y\nxzVi76B3NjeMTmLE4wguqbLB9K1WxXW1LFSkphsyUQ6jfDB6MB0GA1UdDgQWBBQ4\n8xKtZW10egVWnRme8EDnFLE0WjAfBgNVHSMEGDAWgBTeI2/AAndVoiELgY5IiZUl\ndc8LVDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANPGdPZLw/UdYmUu0p4+\nLgsl+GPB3RwmfMYoVNWy5c/gAiBl/hoJE5Mz9ESTAmiwtMi8858EeIOqYP4jNQkO\n4NireA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTl9iYf+Cr7pKeNIKuE8Gf65U2GswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3/RUJeJ92vVuL4QExrP0GFTUn/M3gQ2i/UCEu\nMGa6Hm55nIoFkOJfmcMTPyW46qNkoChp0TUYaW4WKgCh08w/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW+YLikaI7fprSepeY+BhflCusVgwCgYIKoZIzj0EAwIDSAAwRQIg\nW5ZFhTt9J4xHvP3oSDsmcN9iUITlCUU7Z8xNi5o2Y3YCIQDePT2zoDx08meHuzTT\ncSdslEKILze6Bof3jP+S/uSX9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKk8f5OB4IQgmsIrsr6MDH7DeoN4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkmm01jdgm3cZWZumhZEFB1/tR+mKfT5g/W6rT\nWC/mD5kuq1rbZ7a+2Ht5SCh3gTB311Lf+w6Q5JsKuvTOsjeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ItsSIcVsU4ReXvwwnywIo+HVuowCgYIKoZIzj0EAwIDSAAwRQIg\nGNUloiyqX80BI7XIMQYHjGALMLHhPMDfPDXJ0SNNZbsCIQDjmKB2Yr9Uk80Z8Q4g\n7K6WvcU5GW8+JwQm4ZU5MOJ2lQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUcUMEG9FoklcIspf3Ag2vc9APYdQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK1coDhg574yI8nGSpBRAGPGFSb1yjPRuyXdd2UPiaGU\nq+BViGZI9GTly2YLl/DTR2RjuEUmS4PJMmm4BirGRBKjgYwwgYkwHQYDVR0OBBYE\nFOJd/RI2cHez7Mj3CVgZxoRbRRvJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUW+YL\nikaI7fprSepeY+BhflCusVgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBLqDDoC4EO2VmbUmsXrax4welE7y0RnsiRxCtuhA45lQIgduFpAuFRgL5pEy04\nErb6qpYnNsb2QOigWxpVHIPPEyQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTIYwbIj/J7McnyS9Pd4pmjeEjbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNmR5qRgtgMC2ii09P0X03+F19R+GGeEPhlattdwCg/9\nEBbD4ilsO7OyI/h1bdzBlcx7LbB3FQhuZs1VgErEZ9ijgYAwfjAdBgNVHQ4EFgQU\n/0x6QHRlxSiTWkpo3wYGm0U2Qq0wHwYDVR0jBBgwFoAU8ItsSIcVsU4ReXvwwnyw\nIo+HVuowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB8JF/ajQqNCLao\nEnZXirOXlYobptwRCJX3Z1FPvUp8LwIhAJ2xTEold+IJyk37NtQQgWdPDe0hJDjP\n2CT6e+XGopOl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXbRftJyqsOUaY20Qn8Am2M8LnbswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpCD5W64CXspoJwlUo5Zp3IoKOEzXxYOGW02Rq\ndSK715rwr52nvgrpLf9EviDiTol3zF5pNd3w2owtT8VIwfzvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwneSxedMVwUR6yfu+PKwPwRwba8wCgYIKoZIzj0EAwIDSQAwRgIh\nANr6bkoyLuYwbQKeZs7XoU5dJ0bmefk1dZ5QcvBsCY1iAiEAwM8gTrsJs3ZZxS7U\nTgUrQ2ivwCfTjWnQI6lSGf65RHg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJii+WyvAgPA7fF0bRGN8/iNlY+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1CPfaPY+r0/XQXzdQBS6cuH9lqXXPlPzgFcP5\noGztGNKKx1Zn6+c8EJ4rR5VFo75C1PmlbVLYBQF+PfMi5xuuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEDSwIVaAlwmlNa93XZiA2sgV/MYwCgYIKoZIzj0EAwIDSAAwRQIh\nAPIWF8slU0uWCWnO+UYJuJce1N8v8A06kKPoNS3x3WEfAiBCrGJagvSa5x+S8H3g\n1eh2hbf3NEYAOTE08amuw9PU2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvjCCAWOgAwIBAgIUHN9Jg9vEFpbxf+EueRYIwOY2oN4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC7FUA0vMtltBq0n4fodsPeJVQagEvU0/4JJ/9x9FXBm\nmh/l6nYkO3cwCIl5O9AKpWKX0gtKFIOwTf98IuRFBZmjgYgwgYUwHQYDVR0OBBYE\nFA32fM1K+FDhyxOdOFLl8sM8lX0XMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUwneS\nxedMVwUR6yfu+PKwPwRwba8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCX\nTb3+kIydZsSat5p5JxOFHIsRJqI1pTlmiYtbc1+wTAIhAMnfrgRBFTp5q4CCpbbC\nuqYJZLgcLhWXIEPeX8NrTM7b\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUI37MTJVyJsySsQPq0tO16WJddccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBHoWfsdDwFAFo2UUk2TsSCkY6wssXHQtNPGnXzVC0ZH\nuuEYiQN+eQior9sJxAKk2iU+I3z50cvgkZoza5jxUoyjfDB6MB0GA1UdDgQWBBTT\nh7vrur5JoTe3jHd3oFEqS9dv/zAfBgNVHSMEGDAWgBQQNLAhVoCXCaU1r3ddmIDa\nyBX8xjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK4DorP0On6CFel0qbt/\ndNSaqvKofjIjIcLkDZ/FMw8AAiAdDq+06DJQkg6xkAaN/dtfiAXfx1NK3ESrzPPq\nyYfq4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEw3lgIV5ffYstWqaS1Wb5M/Rub4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToyL2v8DfnPB8pQs1XErw/SOGX7PdLpCRoEwBI\nhkmO1AGtfCOTaAZeewFNTYyTae6PnIGo5jkS4JzKFtsGm+2no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuxkdHd0IAITzWK7O56quikZpbO8wCgYIKoZIzj0EAwIDSAAwRQIh\nAM2HSdZMDV5v5htdUbyAetaXseZ5L1wd0bENx4TsS8ebAiAYvtlZvie/X+DTvwUs\n9iranYcebP4nvaM7LX0gttYsIA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVEuV+1htqjfdMzImxe2KTmfYn9kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFKViDney0YkjmocCUSTJFA+3oJnvZ+rQ+c3nh\nLVt4fUpvy5bykGyEiMwQd1hU//onjGVIK7hyJb815ZJ1v7gQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ai+aQSN9ahynXLF49ZpLX+9Z64wCgYIKoZIzj0EAwIDSAAwRQIh\nAPXkWl/lTg/sSSaMNWJQHYmMcWgdZFH39vrVksAGTyvpAiBc24ghB/f0AS0HxJAP\nIQ5PRF9zm0MXx50I1FnQsyVdBw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUB/2NVFnbOl2xfRibuDsqdTV++4EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAGSU4GjJA5TBSTKCmmRR1vUU2SoAcf7Jgpy9PpQQl/T\nIF+jd8GJD3a4vvIBbasG0ZhkmNOzkFDGR0q8yAImksejgYwwgYkwHQYDVR0OBBYE\nFBJ9URCCnqeiUVmTRl5cvPg0v7mTMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUuxkd\nHd0IAITzWK7O56quikZpbO8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAYsYC/q/J+XkVCd0e4+66mOWZXJKswjYTSHIDUZqTKvgIgf6fniqzrkBcd+LZx\nydPlEt5BP4W+t0q+5YK6jyEzy8c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUJMDrYaeIvRYOGeSVqobzyreqINMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAtKzrJ2ZSvgdS+5dmNmoxChPmDLl05lCxME9o6HBHGX\n1uPjyIKwTbjsb8rjxtv6nnZKD9iiNVlL0neL7OdsVQmjgYAwfjAdBgNVHQ4EFgQU\ngoDy2kwd9L+i/RFvWOLVrxaa1wMwHwYDVR0jBBgwFoAU2ai+aQSN9ahynXLF49Zp\nLX+9Z64wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBKXeWFzFk1T7sG\nsDXBlKsYxwhvIGWVn6t5loSvSZomFwIgW8NYl3gYjAZ9A6vsnF/1McRQli3JEubL\n9odudJhHXjw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1436,10 +1436,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWFK6faOhPH/t97sBdwNiwucMNf0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbV2nAZ/3rzpvbdg61cBhs69qXcZedVyZSvYD0\n+rOB0XxgKKupp7rTRH7GY+rt7vcx3wuiJIvijh8GvocfmZe9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIySCWUuzrY/Mx+YO/WHHTRm5cIwCgYIKoZIzj0EAwIDSAAwRQIg\ndaulHc20MQRTeQN8O0lyH5V8eMsyIqfbJZR5zhwBsN4CIQDRMhF0crdoCKHbU9fj\nEQRngTqLKT/2+amxJ61aduQMVg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdjcYSh1jbAZN09vL1AlZ4QYDZ7wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdxR+rUVtNRKCZ3czBDRLfSZEfmwvEusvaSsLy\nEBb9qR45FsvzMBIkyCZOKqdcdsHA4OUIr8TsjqsBwwku9RPeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxVScRv8HE95bwbdV35N4PrVrJGkwCgYIKoZIzj0EAwIDSQAwRgIh\nANgqXNLLvWh+47zILLV2ZuhjEKe3RQc6VeMF/a3vofIyAiEA98YIzztPzewq+nhg\ngXei1pvyl18V10trsuemMLChPno=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUQhJbdqA3ShLFNkASXQfgozteffkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPxhSTlO5fQa1uqgnt9ipkZu+BLKmhZHSVN1oK9JFvc8\ntSS2QUBVZNzPZZRMnotU0BGF+E4l3NL7tTLiNDsnlLWjgYEwfzAdBgNVHQ4EFgQU\nmu0G6RJcPkXv+SVx+CcEcyRLR74wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRIjJIJ\nZS7Otj8zH5g79YcdNGblwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwEAYDVR0RBAkwB4IFKi5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLMln/GsStXTb\nWPPqkoMF20tWYKZzKpu/sSdv4mLa0dsCIDbCxgHZ3n2YiwxSXF3PkKKiQtqi8UDH\nl/Eg79dV9xTx\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUeQpP+ok/GSeW0dgoF8VZT58iF8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBmUbGBQAbermk1Wlui2M/SbyTIzS48GsEpVeX1Xr4J\nXsAQA6W6QtxPSJ06o6hbNumCDD3c/Tc/7/htcZeH1umjdjB0MB0GA1UdDgQWBBQa\nmXQaee6wjEdraZaZWHiPs+zOWDAfBgNVHSMEGDAWgBTFVJxG/wcT3lvBt1Xfk3g+\ntWskaTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPI1t2jCnOBHXB3uXbFPqgu9UlZwa\nJbKwDw/XY6T+KisCIQDp/ulpOEmBD70vDqUbL2NOzj6qgWeJ36SFdWt0rBWnVQ==\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1457,10 +1457,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUF68BD+OoI3FnCnqTuYsZZ/AS9o4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBCye4Nhwq6XNZakBAqTyxmmCRScIlagYWD9EY\n3usH1J444pe8gNkKA1rPKk8wPyzOJkgaEQMBNJ7/a68X5jSDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbaZOd9GYUVj2gTvBM68kEGsn7z8wCgYIKoZIzj0EAwIDSAAwRQIg\nLiO6D/WsfzyRg7pBgcRfDis1ujlIkNAsW9kiYupvu/MCIQCPYf+1E7v/o8Di61vs\nge8q0vYqUN19u0Ai2eGteKJ4sg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUY5CzM8NyoV1UP40Bc3S/rTpJrPEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkcIrVozT/IwugZBM0KSfAhYsSmNXlkjMJwzCF\nA2v27RfZmEoXugQXkcczOV6n/vSm4kpDT7dMUZfcW5BH4CAzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbEYsNQxiazef18gsQZs6Ej9N+dIwCgYIKoZIzj0EAwIDRwAwRAIg\nPCvgWlzh2PA/lRVHdzldsUFowqwsmASR01xp3vZW7ysCICrLj4+OLFWmIrOTvpnh\nZ3NIHbbn6RYdKsqvKWkVedoo\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWWgAwIBAgIUBhCxzgpW1/deZfC5w5Q8fAFyG2IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO5LrVed/MkXFxkHjt52R8nxxNFE9rxQ38tKAEkwJ1uX\n3DxBlbFD0ffGroV0H6DFFLuXkvMDg/Bc7Z0Oq5aI9pejgYowgYcwHQYDVR0OBBYE\nFGSQPyqf3h8dXuX/Yl/7ge7XydDzMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUbaZO\nd9GYUVj2gTvBM68kEGsn7z8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAI6wmdeWoJhrZGnIL13BBOxpgohUYTMV1p29NFlI4aXCAiEA7MctLuzFT9f0W01V\n1GV+VviuYzZIeIwuc1CbtVRZcY0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUUlbJrWp9dBjmJaIluO2Io4xld7kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEQNSJZjMsoPNSU4SexhETr/tsHhHB7kKpHliaDHukJN\nsNnaqS9RnO0sCGAtqkHHp/+ysVBnP/uwhpjYE4yDdtKjfjB8MB0GA1UdDgQWBBTe\nzCymlIvAGLXeTkii3sAOO2OeczAfBgNVHSMEGDAWgBRsRiw1DGJrN5/XyCxBmzoS\nP0350jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBK/SuNHUicWTVP+oFt\na8N9Za8mxgZuOOTWLSLgf9s9wAIgViuvAwJY4ORPlEy3Rjcq+3J1QWzwwlBtjf/8\n0D66GFg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBCAyc5BABMMtW0pauPE3s3cLf14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcPBY+oaTmIwQI+IZibWYgDwbBgpT5R/D6EZ/g\nlik1Kx47fP8E/7ezpr53I9EI1Qzi9XtQQF+xetRXOc3KoBJko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUulEHgncWBW49aPnzSmvSnqwORz8wCgYIKoZIzj0EAwIDRwAwRAIg\navco84GZTl+2R6lSmrLiKqf6SRaFZJoE2qI//EBObxwCIB1gvxvDDa7zCdK5PFtj\nGQxRIq7LQ7SPjbAiODSGQqtS\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNSa5vdujpBzmfiX5r+PGcW2jUkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgrWeXIR1p1eNGgsCNMUwXz2Ya+Ee73YKed354\nQBgpfjjkIzsHv7KWIrohuJryGXFjSDRV4ph5k8cZWgKn0eRAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7eOy+SMwUuFn8jX2orkuvBmJUr8wCgYIKoZIzj0EAwIDRwAwRAIg\nAlk5aUiq9zuK0yMQxmZ8tzJfw/gnI8zeaFgob4IaQIkCIFTySCi+vVZOwS6sP42B\nUn1BZEHHjFcRnKwY/AEmwqLG\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUMTAC34lfIqHpl0+U51QDGZdnkYYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDH/0BYNv6jhMsmbZILEubSZuJG+RLXAqGJmsGXtvbFS\nzMsRXBrgyZbTA366ShyUh33DdZ5yeesvASZnjCXqPkejgYwwgYkwHQYDVR0OBBYE\nFJI7fBAOh93UHY1NJcaHnz47U4EJMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUulEH\ngncWBW49aPnzSmvSnqwORz8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBoGA1UdEQQTMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEA4ttVVaPMPccXXPmpTco8H14rCSWF4F1P8Q4GU/e6298CIE3K3q2r814R6ZYu\n5rawtQZGu4YsrGN10Te3QAIMSk8b\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUDMMYTVHY7Ow9Tq0GHLZma34OApMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMVfPFNXeA0lmqVY7IurtEU2EwXz3bD2qlOhnl3xBIjr\nT+83zg+a7z7hrWAvUY3k6NFm4qlJxo1km9ZfcSqiOVejgYAwfjAdBgNVHQ4EFgQU\nrJ3F8eApHdot9WjJRRoGqXTSgZQwHwYDVR0jBBgwFoAU7eOy+SMwUuFn8jX2orku\nvBmJUr8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuNn9tzeZv0Rh\nARQ+x9T8CsiNvq7bOeTVQOS87+AbvJgCIQCB9K+kqG5nCncLok2wKQSjIB2Fv8VI\nmCdmhh3Xa8Fspg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdDpLG+Ne+UmgNMAhupSvW1/w9MEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEvPKWb7jaR5gavXKcXHACea9xs1Rnh3QeZa34\nsgd+jBUWK7737HTLdZgTr94Qf6rsH4dhJGYEAqTH9r6EO0wmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKGXPZpi5nD4uoJnlv8OtjsNx+hYwCgYIKoZIzj0EAwIDSAAwRQIh\nAP/E4PfeGYiZstBRH7N8eOaEH+z5h+NYtC0flbt1AGi9AiBkYHjp5jG8TncqHVjD\nEmnZS/pOpgDi1GhvK7shp6kZmQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNwd//46HaVQaYbQfA/C5q1bzpDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9vbmmmt8eBQUSdWM2Dwt/ydUWKpbWlGhQU6wH\n50srpH2+5R+ARqnCZqrKLmDc7HRV9briL/x9qRrzEYQdNff5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHlUgbUyU4eAq1mLIKaQtnmXqepYwCgYIKoZIzj0EAwIDSQAwRgIh\nAKTtATGTHjar/PVte2oZlEhPTSVWx+onQebEFRUc5BOEAiEA3S8yUAGLn/tNZ/sy\nVzuoEzQWGetrKDMN2IbkFJAT+ww=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUfwdSh8WoKK1Bdrwr1M/IjGINf10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOP+d0xyraLv13V8O16T/9zmMEbO1i5LDjOtqEloIPYJ\ntrDSbj9mJU5rdP57A5ko/0huiGN0+VponrThXiHvX8+jgY4wgYswHQYDVR0OBBYE\nFK1Y0BonhJ9uEaruSy2K+MvjwAUXMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUKGXP\nZpi5nD4uoJnlv8OtjsNx+hYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBwGA1UdEQQVMBOCEWZvby4qLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCDtzxF36clV3HtevMY9/Ph8b0JXA+ve3+CPxw3PL1gngIge4DINIB//8np\nwL4QARYDAmys1nvdmoue+nqmMZ/+IkE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUA6vRz0NVkuGPGHqA4R+lOKS75g0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJgtFrJSLhSd5NZrQ8HWxkJrFSwoRbySBwFPWG//eGCV\nWtP/DWMTlr6YFKLXLUGXFx4q2yUUuactobJi72HKB06jgYMwgYAwHQYDVR0OBBYE\nFESHNxMYZGkNm13p0UVhQIhiEdn4MB8GA1UdIwQYMBaAFB5VIG1MlOHgKtZiyCmk\nLZ5l6nqWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBGwqvL/jSn\nETG1qAO17dAaplxCSGNIWIa2jrovniQ0MQIhAJV4UJ8efIKWnGCPghSxJA1gALnx\nmNkzTGt6whA7BazS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaXiEePtGO6TsjS91+lFHRri7BKwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEQE3CzO42m3pPRAmFAeyQiiaURe9PaE7jZVEz\nY/Cx8nrM6BpajlKh6veSvtA76IeB8qhHZzVO7gTDAkr9OXqzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1xR/66yYY1f0Xc9dlcKbBIHhQWEwCgYIKoZIzj0EAwIDSAAwRQIh\nALdrIM55PoPgtvDO/O2DCnnYDFEWBqZWscY0TNiAbvQQAiAWaklE+VHxQnRam3zk\nqO0QS2GOeZU6ZbaX1kTblpaXoA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAkFFv1JNarpVvy5etBkaksr+l04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxNsNQTh2dN4CoNd13H14lmNoxd/la/Ft2WROG\nsYs4BzFjKtgi8Pfok/fgE21XxeVFXFI56dKBwZXvyplSYXqTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJXnE6kYv6xluzznvWAQFsVej6EowCgYIKoZIzj0EAwIDRwAwRAIg\nUN5RIXnVQ2xs9YQeALbQthrzdkzrGbLoAbq4WYW7IwMCIBZDub0UfxUU8YhnIRvJ\nMF52VSvmQtHOVLDcJk2WpKIU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBvzCCAWWgAwIBAgIUJwKBegHKPHZDyCYJbdCQ5vlp15MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMeGJtlUxCaJOVZ4wpgy8xiyHTJJOLbiPEFZ42hFDFCi\nA0bjtR7Xq3i6bFeEzQCGDknKSejl40QJcscDmFKCeTOjgYowgYcwHQYDVR0OBBYE\nFHU4xD8hhu5r+S15CkjtnhMciAykMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU1xR/\n66yYY1f0Xc9dlcKbBIHhQWEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIg\nQqt9aFoos5L8OWgAHxUz6wX1LvRre7zgZAgoUmbyYeoCIQCxqA6yvckzMWwEh5ui\nqCc0dOj4Bi4K2LrSQbN6XHLVnQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUTEMbKd7WaZq/dWVw2XXRVl9DafswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKe1sOoKo+AdthtpWnHv/fj32KlftAg/x7IxaqkhDDNv\n+dTTE/k62Hj/9+GCmeVUi4grCRY0iJPJvWlJo+gIoyijfjB8MB0GA1UdDgQWBBSW\nuPkUz/pcX2ZUocLd7G0gbnkQtTAfBgNVHSMEGDAWgBQlecTqRi/rGW7POe9YBAWx\nV6PoSjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBawyjlQ8XmFjq5k7zy\nu5cVZ+TZ1MdnFCf9phkEM9SQ3QIgZHMVpIjewdU2DelA3iaQrgnQKh19zKIWCW+f\ndDl24Ak=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUe+NmB69IAJ3wuaRWE7f4m1esWuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhCYCtXikX4StjoiFy5nqVUS4vTsxVkfHc2Vs1\nFJMYFmUKkh1oU4O1/bMULk6rmJvpg4bscI3sjTf8JGb/bWtjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVCwrXGu5ihhcvkE+a08+zo0OH0IwCgYIKoZIzj0EAwIDRwAwRAIg\nfaL+f+EOJhR+ZnH7DJ+TJRjCuk5PVjOMoUx8FP3PprICIEqOsj5lv8/CfSFgKsNX\nF7pgNXLmS3Oz4RASnQwUFUU6\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcbDbFEuoNxxrUG92XhsdT0XQD3EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDsj9nXj9Dd5LOPbq2WWomWH7aNBJ6epYsWkV/\nJeYytN2iLtOir/4W6hRCj5aeNI2I1yqsh/ENOGOSz2vRe9BHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSBAtF0eFNFvCs6M5Hgc2PHurDB0wCgYIKoZIzj0EAwIDSAAwRQIg\nLX/1dZfqgGE/OeyeRMx1v0v0ww8soSen9Iz6KP9ARLgCIQDzgyVvK1Og50NB/h1N\niemMw0mciT9aGC8vdVX4+TboJw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBzDCCAXKgAwIBAgIUDTPTsdq+qbz0BPVcdOjz25PQS00wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBQnvm5CbuO2YKAECWM6d6K30kUiCRv1tjYAgpbL97rh\n0nXiYyHNI5XhhS8y0kLZwG/f7/Zg+Cr/NQuvobSgSvGjgZcwgZQwHQYDVR0OBBYE\nFCYxsZe3LBxkwjenucrtjjpRpEZQMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUVCwr\nXGu5ihhcvkE+a08+zo0OH0IwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMCUGA1UdEQQeMByCGnhuLS0qLTFiM2MxNDhhLmV4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIGnQa+C3lffp9MZSv3v1hyLwN+lHqZJikcw9eEkV4XAcAiEA\nvvtrNrNWQQOYvLg+3N7mo//1C12KapxFaw95SsbPdqs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUFlpBZToHMOqRWI36bOSxnIHJ7YgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD6U+6Blsg1n3Dr4mdEUziHn6B2Ao/DAlgeo7/2KAK+d\naCsaepK5MbfYq0E5Ef/pqLJKAbhDdJ/89HvUtEdpzBijgYwwgYkwHQYDVR0OBBYE\nFAqbzPQK6jPSiRHnEj+WA6mIFZK4MB8GA1UdIwQYMBaAFEgQLRdHhTRbwrOjOR4H\nNjx7qwwdMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiA9OPBs5O4910ku+rxXn6P/yl91VspnfRK5TUF6wINnUQIhANENTd6hS/hG+PjF\nvcsWcf2Taqed+rC6eGSxJzbp78zV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUU2ip3/I70G6ALiLmlwdDGEbgdgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARs6FIjsJnp440U/3t72nbUxNZZbbU+roctCCCq\nYU1H+Nne4K9cCX7xUeJi+mDeoskVQbVTuwa4U1qslnlohCeDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUahihlcfOIbfwW1Y78R8omsjGxMwCgYIKoZIzj0EAwIDSQAwRgIh\nAJMl/s7bIw+dRG1wg5xWoeVfMb1ZD3RugHo0ysg4gEZWAiEA2kWEPK784k0oBXEl\nhwuMoSf4m3TXcbeO7hnRT/GiC6U=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZi6RWvVUsaSx7fcOKqPVpsZWnO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkL5g0AVeM7DghNuwFoMfoNE5KQ9dixetiIZEj\ntAelzQi4oW8P8dLzIYpuWUregmlXgo5MHxApEt6sOkZoDA5Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0/tbrRzPTe9qldbJ1vDKTmO3U3UwCgYIKoZIzj0EAwIDSAAwRQIg\nC8VmZHFTwhbQRZoMFiWgtFnYAdxvKJujHs4nbjtLjLECIQCfSIzzoOlqbY4ZWwDy\n+280YUN8AoYJLxFYvAKLF0+qzw==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWigAwIBAgIUYVNVxoyT/Lacqtlx8grSyFz4w80wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPA1mbmCPA30UDVJMwgBUFJfIc+gaQ33ib3mvEd2dpYh\nAADoer3RehTIg8JzUZYyM4YUazgzQDVcahaf8kgEvUujgY0wgYowHQYDVR0OBBYE\nFHkKh5JUHtSg2v+MA7p1q6zaFYqxMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUUahi\nhlcfOIbfwW1Y78R8omsjGxMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBsGA1UdEQQUMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAw\nRQIgHIY46HtdtvjlR5/uWqyqrhj5ZWQ93ppHfuUkQggHlNYCIQDNWXMawXm7nfxH\nvP1FezURNXEFZePazcKyQI5r9v0GeQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUcOuT4tJiirM23z0xnvsH4eIbQV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDUJtkkKDC9Gil0yChW1ma0Vp/Xy1UkW7jmMHSH7I9G\nTXdNG//NzW5ZjQ0OKuIJeaCwHlU3jDGdWmI2h8jCyy+jgYEwfzAdBgNVHQ4EFgQU\nrcSuPOIabBuL9SDZa1JTuFX1rdAwHwYDVR0jBBgwFoAU0/tbrRzPTe9qldbJ1vDK\nTmO3U3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJQlrFNWz5zC\n/oN9Y0i39dfRJXllSBfA5VCqxXH+xc+lAiAhuzQIuGgCNwFBbBvY3dSwain0dwFp\nIURMdJFcBGE0Gw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ9AUDMYB0pccqW8y881Og9c4qsYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQDT9WsmZbuhYvDtkSB1xkSAox4yPuy7afwbNU\nO01YOEgrgp3GLWnpZuAlNYWkN2SYWKkt83skeXDvgEiaVnoKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnDZDeTlFYCytCLl2+/FqqQhSYd0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN0wJm55qVNLNGfYMZV1zCd6RUQX25iUFuaNNK8j1WrbAiAfPW4Cte/YhKJF9fDH\nAhWTkoFSsFkzPBPSGyVFSf9uHQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcTirYd+MqGWzJHZzme+U0zjhs4QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaGERjnkI1kVeZSx9PcTZvD8+r6DPM2M/JvLnL\n5wh3zHQ19A8Cu1Fuu6rpUyPXIOs+2GSTpZu6fZYjR7qjdx9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPgWqw4dFlLsIKw+cZ+YvO0rk0b8wCgYIKoZIzj0EAwIDSAAwRQIh\nAPiy4gjpEC4/KBRw6BEO8U9u3vDo6i1wqhaYh1hYxTtBAiAMaTlWUToqxkyr3vpV\n+JTUDWpG+nBFJP8cSmXJ33dXMQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0zCCAXqgAwIBAgIUHT07TbxGny14xvx6jzj2XsQvvIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABApO+Jn1/zuLVTBeGWYKX3dPQkrN7UCZYMlia1gM2CKL\nckp82CeS4SBYplaoDLPK0Y0Z1bg7p6OERjJzfgIY7SijgZ8wgZwwHQYDVR0OBBYE\nFPfhb/cPjdJpssNV5qKe4CHEClqNMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnDZD\neTlFYCytCLl2+/FqqQhSYd0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBUGCCsGAQUFBwEBBAltYWxmb3Jt\nZWQwCgYIKoZIzj0EAwIDRwAwRAIgH0RhX3E8iKSIJgqtqQ2vljECGKuXxbm5pU8Q\nM+6KQN0CIFIeEn3VvVRA05j3dFjc6qGqRHLkJ6PZnvpYNB8UxbmY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUa5oOxZhTll/fTSKfJson7p1O4NwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMFDi/uL8OpfTuploZufTFc5GpwyZYHPyQHBYPHVvLhs\nokfK7byorQsTekT9eFyrKRKexMCf6nUiWFspJ6K/c02jgZQwgZEwHQYDVR0OBBYE\nFHQ0C0Ln+bgicgX+xUWc+k8k9qJBMB8GA1UdIwQYMBaAFD4FqsOHRZS7CCsPnGfm\nLztK5NG/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIFaNlndNQ0PVCAz7+38GkgAQq8rPJI7DR484IqHXONPZAiEApbYM\nlqQdhYDRBeUUx2iMCT5sWNoFGFDw8kWTXJhHqBw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1606,10 +1606,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUUZK5xtZWp4hj/p9VXBu5irT03hMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwHf6L2jbjLEJPAhrYVGRWJBEZx11yEVeZq4lw\nXdSQzyyxVlkm6k4s41XXAbEMPpW5LROmjA1nSwm0ZVhnURtmo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrTAlVGRUVo+CewPmGYglEf5K0G4wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAJhBU6sC03h3ACrPj998vgJoWQWEXjSVtcUS\nsoM/LoItAiACX1o5BOqP72vq6prOUYWmOraao0/agq9W9Qn6TAUm2A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUe8OCt6rzdSAd7hgt+P9UNsQenNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk9U8BR0ldfNeJuhvG/TP5TU2iyXiV/OCe7TEb\nMPdxdKibjQ+QniKMFUCzLSY5iZQvw5qL0Dm9wjr/abBlf1ERo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKtm/z0X/cnNUJ+61smGS83US9kcwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAKnRTEebABIoqVm47ivg6INer28idLTvq8vN\nsr9fT7CYAiA/J+b8dIWK4rs32U7Ynf1gPJdnofDJ9vh1BN0o4MfuNw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUb3xayz7yZfCL86orkNHRGncIzbAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJTj1nFZfCva2oxvDpcr2kYCaVfmvQPnt5BhMJmVYZey\nKVM2pPG7uICC+E7tjA2ICeTGjuxeJwx1u8rpYqNsgImjgYgwgYUwHQYDVR0OBBYE\nFBZgzygX40ZVG4Y1OdLyWVK4z4J9MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUrTAl\nVGRUVo+CewPmGYglEf5K0G4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGAo\nnnG4/rTBBsKh2DYvksHhlPDicg+ynHME+rKsLhz+AiEA2brWMQQ/g8P3p/3hPMI8\n8Tl4DtklfihEap40H3h4NHc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUIFcnLS3qUHarFCd7QKCG2oEaUVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKsRgHPTsdm//SRYG6UaASY9KVMbCrKmAxY3tNQEbOoR\nd+u6YDYw3Zg3ZoNVpO8MSpCawdJxoC1hDT2dGm8HhBSjfDB6MB0GA1UdDgQWBBRZ\n6hPBK1Q0opU1GMxu+BT7o7Fd4jAfBgNVHSMEGDAWgBQq2b/PRf9yc1Qn7rWyYZLz\ndRL2RzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgMxwNO4PqfaUApKfjyUuy\nAwu/uVxv82i5XdIFKp8vpLUCIH22YyXYlnLoSTBOYUtPUuNA1QMiTxN+fbPxuPSn\nsfZU\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1629,10 +1629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUO4zl4p6uxoLw2xva4N4yOl/HGFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATww9HAdK7/QXTTKDZNC8zfQP0h5UlNpSR2mtzr\nrMS5ji7AjD51dLZ150TD2eWyVnkwfMLO0Dn/GWbPKJmOhefjo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJ6r7pGlMBtS6kaBzns029WEJMploROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSeq+6RpTAbUupGgc57NNvVhCTKZTAKBggqhkjOPQQD\nAgNIADBFAiAPbjnECYBVdBQP8JoB8azly0soy2XUPj4QyaRey65TYQIhALVFKXFs\nYCZ+IX0nvy54QZdT3bZ+mY6vlvbYNjK3bgcR\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUEiTSyDhkkVOClJYPsa+ucF8Ht5QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATa/+nMH8M0ylvvLMO3veEljM3ovvnE0Rb8zorp\nDQ/nGLaDW+4G/NmOcgTNJVrFiRcacvYRXQwU7HCCPXZAsq2vo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFPdYbAruIGRIj9GkC55jv2XF3PbFoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBT3WGwK7iBkSI/RpAueY79lxdz2xTAKBggqhkjOPQQD\nAgNJADBGAiEAj2ZA5FcxMTxDFIGCyZ7Qxy0vrQvVZosEuH58JXp7bR8CIQDfHC3x\nVeYg9KoMPbM1f3dDVELRrurujLaf77cwT3XYfQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIUFEfWCQR4TlckfElXw4JycJa/KDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAQ1Ttrj3GtiQ/LgZiWc6qlNnzjXMzOgiZz2iFB8k1L9\nQHFRB5v4m4dFSUNKrTMkjYvlEQMlwRSWRYcvO/QamjCjgYgwgYUwHQYDVR0OBBYE\nFHckegGqMOaHK9q6U8RS9uSpWxklMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnqvu\nkaUwG1LqRoHOezTb1YQkymUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCf\nVcPo1x1K3WhcMWoo2R6IetrczijMIt6e12ssXfTGSwIgB9A0SUewcWYTxHoaPpmP\nrbMtjwJh5TwbQXN7KYSHjxs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUW447bRcxPR3WCp9zA8lzJp5CDMAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEbhW0WK8DPrhdz7Y7+SE96IVchbA2usk8j4kktj3KSW\n2R5WqxXe0dU4PSieZH/XH7sNUY3r/xsdlI7j1m3memqjfDB6MB0GA1UdDgQWBBQe\nmZdfluTOhoEZA7ujO4Bc32DWxzAfBgNVHSMEGDAWgBT3WGwK7iBkSI/RpAueY79l\nxdz2xTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMZPPQARjGMHlQrqbW3k\nhDy/FcSsDRbQa6FVIImb1C0zAiEAh2x6PJSnsfEAEj3JQiOZHGidDitkdOkE/CqG\nnIDV4ME=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1650,10 +1650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUP45qtfstlKTBpbzb3jrC6TRau6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQYSmBQ1UoaEuTqGXHmxBJS2/xpzSqHxPH4TRF\n5t0Ehowhp2mBWyOSC8yiaPif5pqO4+RDG0cGWaqYU2+wRiYho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBS56gbQyQQfWZPdUt5H5ufhZTCkbIICBNIwHQYDVR0OBBYEFLnq\nBtDJBB9Zk91S3kfm5+FlMKRsMAoGCCqGSM49BAMCA0gAMEUCIQDilKrjfTLGq9Hm\nldwrGRmFtR79VP4TOAAZmYxcBGO4LAIgPiXKcSBUPBiva1Ns8bAiDR3WwH7rVgoQ\nFw8nnY1IbXc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUPs6c4H1dMJN/JtgzlstsY+5k/VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG7FMKk2VzdloQBZl1vuGrnQK3IhPxP7CHCB44\n3SBhZFAyz6xUB6ukfE0hq+gCpk9y6DjtcqFomjDjvCTjD5Zco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBS9uk4wk0lJtJ12ItvZmHuP82/2f4ICBNIwHQYDVR0OBBYEFL26\nTjCTSUm0nXYi29mYe4/zb/Z/MAoGCCqGSM49BAMCA0gAMEUCIHitleDdgAA1DITE\nwDfe1Zj8+6tjPRb+KiYUsQ5tNuqcAiEApnxL2bG+wa/4nYelEKY7fe1PnhGzxYOE\n/BmznadsDIQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvTCCAWOgAwIBAgIULYloVgFXjdriLVNBquBrc6Vo2PUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHFnmXRGdfIpXNdJa8krjzAc4RSEhPiuEuGr4DIzy2Cb\nARC+7Fm41fsOuEkykRjhcEc1CrXf0p/cAYgsd+eb1zujgYgwgYUwHQYDVR0OBBYE\nFD+UcFt7AIz1WMzIVP6OlSv63XZtMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUueoG\n0MkEH1mT3VLeR+bn4WUwpGwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCQ\nK3YOZmC6z0J+GJPIWsYOjXdKufVeKs/W7SSq0U2E2wIga7xtrw9n3GY/TeUZdf9R\nUFMDc2qkO28YcNnxIXX7rFU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSJZAspcfd4ZRm/WTkESg77K9qMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH/KdgC461ruXGGWew7jzN2VrKTTNZC0qYidVeh9aQXa\nE9A3i275Guz6JI4ZEx3RCayxHIxd95E6BPyFdh0gZx2jfDB6MB0GA1UdDgQWBBQm\nsd2iz1ZXmKZ0XjdFpXoLOsnEVTAfBgNVHSMEGDAWgBS9uk4wk0lJtJ12ItvZmHuP\n82/2fzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYWAZ7+U1XpVu2c9pBivc\ntq63lcLxwFOVHqbiKJ2cgLACIC4NXgfGpF0NBSEZvRF/MOGC7gywJplQw2U4yNj2\nD+Yx\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUcSAL72rUq+yI1wWWl0zF06cC//gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkeuCavMhv901Aa88D39NFidOpmP9xDFeUvEcY\nsr5V6C4xZHSmIy/J03PDb/ve2djoGmv2aq+qMa6K/zu2L2VQo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFJN+uZjXlaZX5TNw9ha2WQmBpv5ToROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUk365mNeVplflM3D2FrZZCYGm/lMwCgYIKoZI\nzj0EAwIDSAAwRQIhAOokR1a7cdEQyBNYoWDhr0ZdHGJuuc2rguG5uLdnCT5cAiBo\nxtz29Kelaccjggngc+aXhAnjQ1YsFvm6l2OxYKi4xA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUWBZbv93Zb0joQm98mAnzi52P6FwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjtHEbSSFGVl9j1aEHzc0GfPyuMNh2eU+Ty9Ve\n/vpM2lOBx+140sAW4p8+aVcBJ5xr8hx+17TpQJGib8mJd2vyo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFO0BoCbRMxg+JHzdnLZJlf9iAjExoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU7QGgJtEzGD4kfN2ctkmV/2ICMTEwCgYIKoZI\nzj0EAwIDSAAwRQIhAODl6mQepyuLZZ6HtUjq2aJ4kfspbKfOYFgVrQHJDyYvAiAM\n0r2sdgsholHqCsdQnAqHqVsOx6SQfSSyErTD+AkFzQ==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWOgAwIBAgIUIDcBNG0tZkgnKjq6d9ZJcTYdWT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEsBTs4AD7qC5g2JuZ7kFPFdg9jLG8xFuA2z+FGRQNfT\n+sLCfPSzhUq1vkhweOt3EjEef4QxcazIZN2zfWSfnE+jgYgwgYUwHQYDVR0OBBYE\nFMZTO+Noxcn0K4PQILSLhW5q3zPHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUk365\nmNeVplflM3D2FrZZCYGm/lMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDPL\nzXQWrfII/ih3SDPJo5lctPaFRSeWpOdUnychXzgfAiAifV4oKBhSGWhDPR2go7/8\nzhJWKZ6/KS52BmFOy5gYsg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUX/Hh+NqN/VhawH2CmApoy6LpHUkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKJZjd9CNXZFaWWEvV8kqvlcTePLCAEd8yUXL5G0/hBF\nm+/aLGks2ukPOmsReQ1LuV/GTcSSVhLW813WZ71Z8N+jfDB6MB0GA1UdDgQWBBQY\n5/b1FI8GZFvGz0K3wUg3OmlNwjAfBgNVHSMEGDAWgBTtAaAm0TMYPiR83Zy2SZX/\nYgIxMTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQzH7qG9sA2oyJlIfEljR\nEHdqPV5uFeftv1pUJOdngHkCIH6Q1d192Y1+V1OG27FWiRB6WKjAjpWo8OtfxafU\n10hz\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA3TrDDi6V8iTT7fmEo4Kr9ff3fswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8KXeNaMGKfbj/PO7WZWobb+xSrTSJbn2XFEjh\n2BxgSPFchy4nnHeZt8kCkhHPdehDtytW17QU985m3huB0hpko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFLY2aJzJutg32G6aHxMKpTX6pJowCgYIKoZIzj0EAwIDSAAwRQIg\nMX1PZfW8MoNTeFWSFyxD0bfgPEY35F56gbaYwMTD7qoCIQCV/QozEPQKBolm1q8k\nOnpFYjEsdYW97reizxujErpY9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHrUyG7H55NN1tnMilU7Eq1sW/MQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEBjLXS+yrtvA2I0bAVEuOffKeIjLhjLcLz1t1\ni94vDmqsyGak2wL13RzT5xgqX1EnEldtE+pMgy35NfTUiEFFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrEK5iAjw8bxskbCi/kKAQWOZmJkwCgYIKoZIzj0EAwIDSAAwRQIh\nAKBX5ZWiEY+cnh5+dma08OkC/WYkAysY4f6PDbYN/o7UAiAPVI5mmyJ71AWiZ0y7\nezRYBe3GipyWoU2tkN2k4eFXLQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUWlgcUnnN89z7at6rwS/sNfT6JMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABBlaff0fSjRnqk2eoJ0NQVa19eI9X6Hz/DVK8H3S\neiYzd6u4G+rOYmoKme473dhAMhPqjGR+L0p5B8w4n3mO1ZujgYswgYgwHQYDVR0O\nBBYEFFVyCqcgWxtKgUBmaDcHZUvTeESHMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAU\nFLY2aJzJutg32G6aHxMKpTX6pJowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBkGA1UdEQEB/wQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDiQA4j1akiu7eie4EmJpsuv8Mayz2352Y2Y2tpgDKRBAIgWQ7ulYKEFgyq\nrwWugm2pY1biYl056GuFYrDCuKSI1Hs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUXXKLaLtrZtIM3tZ+wO5wcuZW2G4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMPefzWUss7GuM66UnbBdAhALs5XAzotLtOaRpnF\nPWvtfYWxkvLtjdRE8VhG992dSBn94PFVWKvnc3mc/GqLLXujfzB9MB0GA1UdDgQW\nBBR+eII5hsz2SVhcsFG0tJUUWF5b5jAfBgNVHSMEGDAWgBSsQrmICPDxvGyRsKL+\nQoBBY5mYmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALm/efT/OEpR\nUKW52Pg9K9hF6z2OSkGIeORHoe0hSTrKAiEAm5g0GgpIbwuuL+eI3RQsn4tbnPgQ\nN8T7YGjnLfXlYew=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHqjkmRd3mkZ8Ut/Y6ROoAe1X88AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMg6UVLI4j1WF+/zqjlPqldDNR4mNQzsR8GYpe\ntQb5sB+6EHhEGbj7RbiSP4KhpsT8OxpBCgs7OCbVU+PZ7ls+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5KriqO8VUCQiLpMX8yHv9T086jowCgYIKoZIzj0EAwIDSQAwRgIh\nALbI7tq9Yucc+ajas3RwsR4mgx+5+LX6/XTqdXBUdrJhAiEA9fUO86pXogrjaSwm\nmjHJ1g+f4/W/cPe+XkBPvauCYdg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUF8RCpTC9w52yGW8gthspxz83k1AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWAh0zTjZSjbLY38wK5mbkqr9WR3wnzyvpSL7N\nC0h+0De5w3hCa7sIY6IcwGZGkQcRzHcZOyTmj2NCNgJTBoi/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzBgh435qNLzdsXX7BS4zRD7a5UUwCgYIKoZIzj0EAwIDSQAwRgIh\nAM2mRlnufVK2EFngwT0iJmtVa0VZSNU6pCFFd9cGaiIkAiEAsojLAHEMR530tXoo\nrfquIKJ5EapMZfatFBNUZLrvCm8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUViPA7jdvhsvDL+LZRPFiJaRVUTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABAb1+hZsANOJla26I6mEn+jHuPXO0GvzNv28TCcHTkt2\ncCT+DGs+9jGNdNxN8pwJHKOBiDCBhTAdBgNVHQ4EFgQU7PbiLyjX1SMnVziS5oLn\n+MiZnF8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBTkquKo7xVQJCIukxfzIe/1PTzq\nOjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIvoU6ifpG3gj8KJH8O8QJ7E\nRq3HSTsNatqcsWOlpoaMAiEApvQflT0BTzjbGTp4Uz/heWd6HLeJK+ksBVgFPl6K\n4uY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUAxR8i2Lgd8YdKhxLuOyycIb7MtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABGjBXbvcYuBepLZLVl+KSzgHve/qnStWW1aE8btBBJ4B\nEXFN8fpy3MWAUa2KJ1BKUaN8MHowHQYDVR0OBBYEFBroCfAirWDW0bOGntWjU//4\nR3/jMB8GA1UdIwQYMBaAFMwYIeN+ajS83bF1+wUuM0Q+2uVFMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAvBUtsDj+5ALldOooIg2VXMvwZeoy7ObSdQ9ha7Ll\nyjYCIGOHmSIkeLmtcXjLI8ng418OYoESY253/DxBqAT15n1F\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTIgLqJ/xdGugvOcSYZjqk5OontEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzYRDKUUWOzEa78ygnJy8yz2Mvn1e5QYqtDIkF\nqG+rrkmDEVR+IPkiVvuZEwYxh6NxcmWe0Ti/6JYObVFVbsaLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUox5qlwB9SOnzghY/s9CTivhfu/IwCgYIKoZIzj0EAwIDSAAwRQIg\nWz9ycgJWc0bFVf2q7rPK/sGx9FaL8IKMukdPLZh4EC0CIQCcHTuMmLy754pWVhW7\nu+Oi3G3Lr+oZVZ/iqjJvWC8xpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE3SaNvQxrjZK3ypwDLogpoAXQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGmEX5IkdhdvO3CyJrgyrTvFoXNfCqBgDHc9OI\n4+PLFyAdyznfM7YciZNhWqqOHIoeBSreik0UfxPZgRgE3RdFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0L7wukol3aQBEXqI+iFA9XhMgIkwCgYIKoZIzj0EAwIDSAAwRQIh\nAK/idF8zzGb8XeVbzj196/KGfJCvql8Wnth4GcHqSgXBAiAe/UbtkjNLzVaSStuv\nGrWqGEvQjmxgzEvvupMSPo2jOw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGLTCCBdOgAwIBAgIUac8NCoetJpeJtJ6qA9Jwav8hMZYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9wmjuw+1rWbqcGO3OoPm4rl6CUfxFPyDwpsnbG0WbxLS\nWdctRM+L8nSY7IhivHYZCjHQ3s517XREfgngt8jTT4GbxWkbrJgJYDq7tl7sVT7F\n7h46Pp3Uc/Z+6UweJGK1LScjqhr0lHRRU29kiCZ8tHzH49RANvvayKf3seYFcN5h\nHYob63OBuzxqdAinsKY12Gip8lbUVe2KL7+Bii/D607wwtxcIj4RhOiI0WWL5kAU\nKuiZxJUNSpJ6sI4teqGiDoXsieodPUMmPf7byxD8fNmm0a4YrAL/CoiIz5PA53c6\nuehtsPJZUPwqTz+DCHQv+DZz0jV7naTjqRAZ3I/fpepDscQtWkHvC8VJWTi7Px4Z\nWJm5TWQb5BxEaDXtAtGitkxKcVBzJB0sNJIBnuCyKreBhn33X30PA3DF3DL98Zo/\nO2uZ0db5vxVaLEIkx3fmbDP0zVohQB0Vv8iKpF3bBM7QW8smidZuQeUd1C5HyAuj\n63Ue6GCnh83anaQTr/ubAiEA72nxR2VJIjfqr67iV+zZswfBMWgBNA9jPn5toGEE\nTt8CggGBAOhgCcpPlcGX5gbFDOp6EsdxLh2WpEgZ0t3koNDxkA38OYKwr5aZwr+l\nDO/gLKbioBnV3mUOu2fgW1KQw7FyaswwXjW7yrCPb639nJYC8w7GCwNLFmWmPunD\nRcUXiG8sZvszxznfEZWaTpV2IBWLAu82wAibLzVzNB2b+rp9gkhHi3YZCbQdpjyT\nJn6ALU9bkgl9lhdjbCqcsbDWqWTzGtBJSGIPvZLo3DCWtqvT6NFKUwWRxFlG8utq\nlLS2CdXkTbVXt6NcUxSjlVFh7CtrtYU3cyJSS9DXww5NHZPjr5LU3p7rFNeWjYNm\nZCFQ1zHXcQXHYQb/WP+0gJNw/yAEdQfWZxapFYqb8csqoWnf55X3cB3SqOJbAS4H\n1MJ2MiCnnAYREl/4tUKsRu1kjDVdQTdPbwHTc0+McD3P3AiGFvqSLv06Oo9+Ym92\nI1/W5uYXRx8eCcezWdwKzpvnivzDHByUBDsTHBOhpOgpGVyGiMo7R/vOeFkUFrQB\n7yo1rv/IFwOCAYUAAoIBgDx1xa0cyk6kVDL0hxARm94Y5E5NTIYNskmI0oANA/J9\n6wQAlkiAzAzLrUwuJsLV9KTinXCAyJVWGEpJcVrWxad94jC1VgL1aPuLSZj8P7og\n//oSn1jQrIKg+l61Gk1j9TIINVM1SZJ7GuYSioQR45gkWOLAClJ2mn37dknCbz9z\nNMzJ3LrDEeVYyr7EznhBR6qHfSwNwufrjPKq2Y/tP6q60oz1pdp02sz9p/89W/qo\nsrDIOq3k0jNp0nXLau0E9ZXma6IO4+akmFhB5B6Aw9q0eHn1a3fKXFPDS4upBYxx\n7WbLfxkA2NQXVF0QWZ0WIldvQVDFOyHcY6B9E25rXvA9p+s3o842gsWygFEoT5Qg\nwCa4BxBojiEjZ4gxDJFxwvcGuKsl5/iSqUhEa1FhHcRWmINLYvkNlCDl+XdNVtTn\nENeujACc89k6SGBoVRmneCHHcjDq01yLBpZaS/2AgEHjKFltiPykwtNJIjjr7EWF\nFCKlVZvmL7f/wWGT9aNC1KOBiDCBhTAdBgNVHQ4EFgQUKaor3YN1Ar9qczp8rZwh\nPAsJCI0wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSjHmqXAH1I6fOCFj+z0JOK+F+7\n8j
ALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJz4/CVUe7Ad+lgOdPsFVFv+\n5qwj98icu2aD3PCC3Q9IAiAcmB366ws0gtnpAHL45+SN7R5TrrLx3ED9ORkt2Tx1\nkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGITCCBcagAwIBAgIUPkxwZA/EO72l3DwoOM95woOIlfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA5tt2rwpetS5d57cGqgeJqCNRFLmIPYiM5cf+kaT9Y0CX\nyTBKm5CT6kMWbBcg1hNZ3WNfsQvka/lX/9qjoqHIJn+fpHyMXG31gIRV4S3WAR0B\nc24WKG0zpIDGD9Wr3A8tgk0Y5xMqIoQAt86UzN46drMd4wdu4Fc95LRtzXTCcP16\nIG+HGAbrko6E4Ms06itY6RoNUNsUS+E3Vt+L2RNOM3xZdAoodbrzB3a2pCT+TZzh\nqurCMPiravrQGKKPkuCv/rwuc/wKTV8JFEh6p+w/WqQToQQHSrMW1ay8Z66X042T\niJ9Ow/QRSxTTCBZxkbEau7IzeY6j6upODhRRKmYXBjjm93dve0v1BeUCUbMFd68r\nuuBVYl6YDV3L4OjRDlGgEgEPG2KaePWvMtRhLlWZqjFpPwjLcyLdK2LDWjfyulW8\nFrLQAnz4E3aalJinGvSaLvj0KYvAsJQyDQZUMpxSlhy5Qmi1MoD+9Gj6mJbBOjAb\nVJtiOGNr4djTUdnvBu8hAiEA+GzbyAW6YoF29yCOqe6N978wKRmHf2JK1L+C3ilj\nTu8CggGBAL3XvBSPttD8iY559nT0YLGYCQQ6fXvmoxSe1j6oAPAlBpovWjslT0wj\nQ4sg/+CdevgkBnDojRqelYn0KEiH/w+Djgm8nNEwWAYog+ywFYGyK837AD4pBhN6\ne0KgX7/cHpNX6T6wmHC6KpooFw1p7woc9x0MVOGj+dTXI3M5YrickXsuv67qAFpb\nCLO/hrwIeXZxEsb9wDPeNWlicJOYZX2oC6iiIedKCsUNAGL6VIi6fXY+fnSqJQHQ\nW4aQ04UNWfoZpiUNDvneNqVGrKUGlOQx8RJG2A6nC0TmqckTZflKRF04ixLWXhir\nDhJNxh7dxeuGoOTEHcIx53vnrICY0GVxFKzEt15MX2cD/ZbIDHz3QarCFrfgtWkk\nb8kHvQg6HadR9w8CUYN1Ao4JgmOlErJtnWWUPmEdgGssIygBIDSGHQGqnjXU8E9A\n8PY3AODMmYs3ZUYBpMLaT75PGIuTdOAmGnzaslz581QpeENsaJ8ftPAAqCVswB09\npUqTGozQjwOCAYUAAoIBgDPXM6qRs1uPcxz+2BNspnLOCEXYXAr7Qw0wXEkEJmEV\noYozOKYurMxdJU4hj2DA/yJ4/Gc2ufcatnnTGGtZB0Xjbxdc2aJNXbNUCnofvIaD\nIcgJzRJ3TGIuC0qaa9mA/4qwFeNLnJWPmxYZ5ob6sQbhRBfncMVhgLKU9lwnqixw\nTT5HNkBECAxFeY1Hag1VGDToJw5kQ0sxdK28L+C9E8HqmW87B5ni4AqHMdSz/3ao\ns5BQ7X+N3DDm073OWBYK4h73D41LpmeFMJm/ygmPiEBv/yFAelY6ssg4n8/0BYxp\n1ZQeLwohqa0IYwWMSdxzMltvnnnErUBOhhFFbyP1Yapv2FZwjoJqGxw0C64YLZAj\n
nxlOPyGwVOiv8lG9ghKEWAliVaHGT1y4rUbvxXlGylrBHBEXfs9eAyi5pTx09dol\nMOk37E0pQ8+OvM7AbPqPRQcCW5Lew5Nj99SuRoV9n1aZjVKtCyww79BzjvwRZQNe\n19eiY0O3IfgukIFHBwu5G6N8MHowHQYDVR0OBBYEFGojNg5j5oCth0vObabBjkTA\nkC8AMB8GA1UdIwQYMBaAFNC+8LpKJd2kARF6iPohQPV4TICJMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAm95i0kWr+0mzUxDla8o/QnJkISNqt/mI57yr7Sdv\nv7UCIQC+eT/+Ig2KRrpnO4LbPsMWdnBuYf5mDMHSlcFqSi8yxA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaagAwIBAgIUHpsBfh+lJ2ibHlxCLIoe7UzNmxkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDRoTv4SLrgfp09s3XDX9cSwno70KQFESGNUYQF\nJlffzmjKpjeau1U4UQkx1FKO0nqfEvnNYnO/UKM92gL9g34ADu9oXykZy+7Rvc/E\nH+Z2Nuo3W8ypNfPl1Ido5qzhevwEXYnaDMt3RCtjRFdVRB3jM53LkYRcFgXHLK02\nPpzB8QWBgkIUu5Z10GsnFmaC+zCorLgqrvYiMrhy2W/e7B5ZinFRe5qd9TOTnuZm\nD3xCT8gvqEI5tItH6r0ulReqfvgbg8c26uynRoQ93TEt6rhaAY3cCRljwWD1nrKR\nQci1A9zLF1M54JDylC638BSZ2+W5cL+Q/pTCHYuDQWZ+5BJUftGOAm5Ynn9ydwsf\nzV0Da8Iq6p9r1+IT7wXUp4QClEt5tOljuptRDPz/OQxUXkWj3qK5oO0/Ag5BkIgm\nlUKt0uiJRmShgnpt4yjaKjr9UUPEDWcecQyDhX6Jt2SYgHOX0RKzluidq2ewQAK+\nqFkVbD2DX9ONY8Hh6TyPF21XKIkCIQDzyKEEcJNpkfC4f/G7wD7px5Rfhr8Y1Dw/\n/pLSzFQeOwKCAYEAlPNiJBza65TfC37TjLhlQZQ5R7ybOgMvrztXmD8xEsefNu3W\nAjzRvM69WN4tNA445ZS+o1U09f/36fiAsTr6uPMfSAGxNPjnpI9M/x03UK1HlOh8\n3MeGo9cLGy0xT1I9qpEn2LBjVYmPUjArVt891B0nctLH0kXmFJ4MmeHRXn0XZVJi\nj8ZPbx1StrggS/C6a1btBwvE7YKOF5aIbCnf4nLrAk52YeZncTNlng914v1ApHkO\nmyIs4bu6jnKZU+3qwM7RAs69m/DmTLkaixI5oFsSbGgjrjENHnArmSIkRahEwzKn\nLKL7AWhJkmqdMqhQvVWXv8Mcm8pdt0XCJ8rkdM/cicCDbHzhvH8uDpEblMHrXvSS\n219oo+XAZU141JpsFfnbPhVj27lRN6nzCxRFVeSZdXIrRD1hb5wuozHr37d0zq00\nb0E5/ZMHfOr0N9JDf1SAJVLVljZSaBzinWWaXW4sRmfonbeqOgKdkEW2gBEId8Rr\n+cKInuNsxhvZTT+jA4IBhQACggGAAVhfMVpKhKmSk1+jsJID96v+kwduhhdL7f4f\njUJ9Gf4FHIJYkYCjxud3qB/wPTYBGgt9zok/NBP1MH2yZ++ZAFWMiy7OFtQ80RvK\nZ8mrIpP7xxOz00m4sVV73FOt1bH9pSlCf86LK0/GxKvs4A0dFtsU2F2avPy/8BV6\nRMmf4DxvMLjvTN2ls7EEU+By8M6E2dvHI5FsTWQRDamDGoO6F2clix+sgaeeyh/B\nBnTYfEiPIMey2yN/THTNjebFlLXKqTE2NK7jy4zsIIBIZiOBltRzOhOsAMtKDbsS\ngKoMH8g7SS9xjXbqtct3qhq907Vk6Eo
iYVHaw4i2JarjJP9yIaq2dGEdcy5O2dM+\ndIPHrCBtiJeGkC2lfRMtJrW1wsN7Z7D86TP61ueJwsJYBCSWICvdqyuAVVbKjeQM\nsZwUHRb3nZauanYGlKhSS2RrFkmnm8l6Lgbh78oBcV+6GPtYDW002PUTHwvhR/6s\nN9BHvf0U8a1HdyOsDdTt0G9N8+mdo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQU5tlXLyYt\ninFPqGmVwBA9E3vIUC0wCwYJYIZIAWUDBAMCA0kAMEYCIQCX23Cz+P8Y9BoqAXmC\nC0QwvcaF6PHiq1XJHcBbA5+mVAIhAO8x8o8oIMxdYriVRRrZLQFOVCS4B3cK4BA7\nM+ehOEAt\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUI4WjqBHTRwr/vcFsWwv3G41s8sEwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDROrRQZf4VBmfUOVD3SwT7kxsDknJXELR3g3o/\niQPrzCupk1QYT5H6rm9VAz8MpJ++OeDrftqV4K1jw7h2zWdCh6DhsYe1IEju2sQ0\n5gehpfEPzqoV4bgNsmFrwhal0/vz8VEoo4LqzJVZmKUzWsym1fJUn3+2EGAYFNbY\nARIccqoNWDbBDsMeEWmyNvUihEIwXF/Wf7QDQiF50OiL+bT/PdQNnuOAqM73C2l0\nAJbbL/V2PNM49o6WAL1b0eMbFkW9XrMSlfnJzmea9KYOf+EYyur7nNJfyIbu19z/\nHA/NVj/2ucE7J7kWI3R2KaVDaQIycayfGzpN8frGK7SiTW2kf3onmml/MxecqxPU\nD4p6lk2vAHDmGVaWiCd9FLJ7YjSRCimdZAvT8GhwBoPkleY1KG+N1gj/oGlxSueV\noLMcqB+qwXtJUimD3pJxRxuSIlj2tKzLKgUOVnTygVO58vvg4RnNKLyeK+uTaZbj\nFHxHEfaIQ+QHUqy74l0ejF9aDeMCIQDX+NT9qRXQqcyK9uL+6JVa8FVShiSXwQO8\nPe7O0Pdj3QKCAYEAkd36BrpxFSz3MHWh+ufxcvkAjStO4ERDo+mXkLC5Ca1FrZ7N\naYNaY1lDRRny1kQJSzHuhtxN2o7Hhgov6lqRvIQ4byBautDiun+86PD2/BangrKl\nKpskGrxN4pYqulwSxWcGCimXBwPFASotGofokiCQ5ScDTOD8oIom/7SS1CKF2oLf\nzouGS4M5B8Gi8zu4ldMSFvpUBnwBeJB1TnJGdBxAA/46XgSOphv5niCl14Mfea4t\nOR5ZwQ3dfwgdohO0K3TYdlV43AiKToAOo47XMRBmQBGAG9pARElHUYq7JrvY8+h2\nD7/LruYFOUPWPnrNeCxjjXgH8wbErr4dUB+FRqvoIH5Ho4q2KpRRwc4uoyaxWuVV\nqszquXwa+hfjDqh4swYH/JzW2kktmdaaqoW7QpMX2SdVCqmTI1vipyKYwRu1w6wB\nW/9tyDx4Dmko3xgY5n6xlqWNbDkwb/gUbWcNZEod2oFputgf1PbgNVEP/YqGnQvD\nE9ID45n60CvEh01kA4IBhQACggGAUrJ+JN2UqqvRbHSFNqsgO5wTH24diwTnkCIY\nm5fI8/FKY64bWp2oGuX+FsznouW4rIxn/Mjaa2k1MAIFJ3YuTRvx51WUbcJE+s1n\nD3/6BtvCqCRV0aJ5wPq2t/xHBEcscP6/MhNd5WiI4BNyuR
tnK0Qi768A5wbuSjof\noEqcxtM+7PHHOwarHQVxiXSVl2SnYrOAeDXs86uHWOemWfSEzoCyXNXcMr5t/nlg\nGJettmdzvU1GEdPmk1opKiJqQOXdAh7R6jJpyMrHF+oo+uWdAg8k3jaaXyF8lx1X\nUoFSJT/oFfpDQ3frpBKZ3m+nPX6XGlKgeUgd7VTtsLptT/CZQviLKtkjUJdJeDnm\n4GlGslW8P0iYGb2NW3mcAJlfD2xDBHcdjT39Z9ico8NFKGUC/tnhjHh6561eJ9MJ\nQnvEH9VHljJsDfmlRv/IwUyXPl8EBHf58v0QKul+8JVVjz9Eu93nB4qlUCKn1OcN\nuY9FYJTeC1bZMEV8xk6cqx17fo9Ao1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUiRS0FjMw\nBwbVCUIqve5M2lKGsV4wCwYJYIZIAWUDBAMCA0cAMEQCIDE9Zs/f8Qoz5Gqh3qGs\nRUwgNIpKTlbSiqe+wBspySgWAiBebTq30CoOwnG73c/Q2hUQcXl5Ilw1vob3MfQA\nSqnIKg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUemcbJecP2/zucpH5Eu7uDCXUiEUwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQySo1ocMwhZbwGY9+qqAmYvfpKrC9ej2FCo/1dnkaC\ndMTQ5tC3/Mvan/KxkoqhohtwbZIJhvlK5Y/bkf5C6RE8o4GIMIGFMB0GA1UdDgQW\nBBRPqUl47cgksvTMSR/5y1BVnATbgTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFObZ\nVy8mLYpxT6hplcAQPRN7yFAtMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF\nBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTALBglghkgBZQMEAwIDSAAwRQIh\nAI2tCxYZfu+F4sV50ESqhdi881KLdKy2LPxJ6TBDy4zBAiAynuciwW7f8emnoUtf\nSgIXzsGsgUphyOJv9xBeiox8VA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVegAwIBAgIUU9AgPmVsEYGUFk1oL+oDEWqRKEgwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAT8JVtPf8WzZJhp0cS4hBM1W82u+X0jWh7bsQ8O9xxz\nrAy//QRxOhYfa5MAWjMb6QwwCa8LUkOyHLzvUMH47+0Do3wwejAdBgNVHQ4EFgQU\nlp54wEDUuHxQM62Lqs8MYS6HTaowHwYDVR0jBBgwFoAUiRS0FjMwBwbVCUIqve5M\n2lKGsV4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNIADBFAiAwYmW5r4ZzzkXgBnd9\n32VoCT6szTvjTDiGrYnEXihbJAIhAKtz/6eVtMDL1qQav2L67p1x/D3hG2aW9mMU\nZG01DruN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1778,10 +1778,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFPbx/EEMvuSYfPLBgNRRU0VrqGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQrSdNFtvqJGBxV2OaZarV581vJ3G+FfHRGkBXK\nD4iBAIBKLuKOaWJx3A5sSaEItyhEnewhsoIEOIw9hY2tlwSso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKIX/msLraIyBA2kMqYs4CHPJfVswCgYIKoZIzj0EAwIDSQAwRgIh\nAJEwqVLeqFOpGog0mOqMks02tuctJm8Bcr/dQzeDmVyhAiEAwJVVdQSMVT3umw/M\nRoHMLFCU3Ojaxi5Ir5jpVFBZI2k=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHFO1B07I5xY7x8sHtghYb4MjLsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQP/2ahS2N6Uw0A6Y/mzduTPat74BM9vfZgbJNG\nSOS6YOsMsrMQZrthXfd2FYP7lnGYLCzaLgGplwf5u3wdLrXno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUngWAwwoRF5JViA91gU53xgm311EwCgYIKoZIzj0EAwIDSQAwRgIh\nAI2BLbOLX5bjMAeOnXxCzZTZxDr4IgoGa8MQlVNI3UNOAiEAg0QoefdFMX1ArolK\n4xyRojTnJ+3h0zFEWQZNcBuMdCY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGKzCCBdKgAwIBAgIUGGOB6XbLTWWAYlKUle4JbZaBFr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA+0O7AQX1CiT+WuJ5UKmBZ7QlQr4wGXmJ4/uS6e2tDHtd\nPlSZewYRsCE5XMvjkFf7t371MkUlCBjISkTxfesIQlUOI9kRs3/nOIV9WzlrVLL8\nuERI7cIz2uRFGvxvA6j8PJWTHSFE0NCBvKUZdfFyLqgsnh3oiWdtK6DrwAkAjcni\nMaXP1wit/WlxZLTAOQ8rcgFjfTRtuav1KAvYyjwJG1XU4ypAp1anGAeVh+Xf1pcc\npNeL7uMB20gkOuOofZa7LTDHSxltcfP0jvWM5l086kNeZoR0ywGff7brYwIJ+1Am\nbr5XR8Y+uJpkmJjNcC4IUP0G2z4ZF8i1GLb6/abXdqXy7gUruKvoBK05wi/OUiJx\njle9hLb+M4qynA8sK2QgdTTVKT80K2vln81yVSfAzrk7S4zw2lz9jSJQ1rX0DWsx\nUiFC1HEFlOg+vsEk5WIUb5QsMH+Yc0hmesejmQ6bpiPG1dR+Yp/gIjNV9ZqPmuQb\n5086n0S2tqdyHu4ulw3rAiEAro5RX2ZmZehzjkM8bHgD/gcoqifZTxrLKz6jSFVH\n71UCggGAWInjBk1CIL6KFREtG1UVmmtwcI+Zb3vgnlt+l+Gc4nZt9Z3VJRcSpEIp\nbotFPk7ZmQvE/TMxg4m95gjODcvAOxrKIO8pxOuzwYr0aDw//b+tMg0N8Rxrni4y\niIswy5/BFVhpf93l49v38CvzUnK4lX2v6+CcXtVsH3M+C4rBvZ7cmSPUiCOJckkb\n/m0Deq37bUE5/6ZfJEIgOf6YGsDvMUYOFnecVUvSKPUcQUC6ureZyp8rpCXI3MMy\naWawGSSn/UmMikiOFUHIAtU1J4w46hkgO9mjryTrbcqeUZ0l9Wz5EGHz1snCh0hb\nEtkXty2gKznGVgu60rEjmpWh2MNhwUg48LBdEypYIDzXYdHUgua2FQi/H1MnrNpd\nJNQwmkxgYMNrVk9ZnSJuM6mb281bnh9jEqCUq92cWHlUVVx2qsQtRDGtK9fj7Bge\nwbDAPQWYbMPbd441e3M3qFHgduRHuTI7vpcQH4x7grcZAJJWNZaoM0QJIKiPFhlj\nfsfzeIYTA4IBhQACggGAfUC/MQlcwVrXYQ+XJApGxPWyLXs93QuZzo0hpCOs8e5k\nSi1ZQJzneWmKVepCRfjQ3vVS4AUCcYxOtetB6HvY0AoAv7CEs5k3BpVBw2oQRbdr\ni6gkPnw7OVmz5y5OkJRsX6Xa9CG/mHeQOmFvfoXsoCJ5+7VUbLylhOVLvDvlhkzK\n+i88dl5AhPK9U7OOHUAUYzRmnRyez/5D+oqomoNpx6NCKSS9cM+qJpixLW1pth7a\nli+v/vYM/A5b+BevnaYBnjawRIn4sjygfqXMO7SrubWXQt4LVvrWWnO9HtHM7vaP\nQnwVbdWpA4GJlhq1wqbSbKKKG4prGh4ama0iSkQAXgs3BEjoP+oKSsTtSJyUwVds\nHCHQe1P3KnrQFK84QBXu2+H4jDSeFhStNRLhiBsdhiaqBzFZ+j1bdwiRUWxDY0AT\nssT4UV+BykJMblJfXEv8c8dDZgKc/qGcVSbkw34sMppc18+sxJeudZSeScfaViPX\nSOUsMY2NHR0rybMO+xUio4GIMIGFMB0GA1UdDgQWBBR9sdYgZQy4zPkmJXP6g3TH\n6I0n0jAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFCiF/5rC62iMgQNpDKmLOAhzyX1b\nMA
sGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBthtv32/cEzDw6qaeizP/38CUi\nGK7znBYokt+eqWTRtwIgGRSRVohY06vzfOxdL9osiUD7ov42FfRq1LaZI7X1G3o=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUM44dgE6pgyfhu8+VDU3KX+pxTPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA+fQX4Ld7HjrjfRCp7fWD0tAjxwcFKlg+IGl/gzLFEvxd\nnpuukwFYacFgPk+itNx8blFI5em253MUYjbH9TPnnzHeB26BmW6T9EIG//jaHp28\nOncHdeUb1utEfyVxCOdlOXbJDN98oxrmV4jpxwKxf7wCU5hjOHUMydv2AzH8YqWv\n8H1yhSew+YPiEeeprYaTOtBT77yDjQtUzyuCruNJe7agrNyXRTQ6SXq0/VMV24WD\nkCyc7Z7FxOzUg3MrDVyTvaoI207bBOjIuANzvj3jVg0wGICutBWEcKqZRDmJ7Wsb\nZv6wgcQ6AVhNyuBXKQSYUdwqRi/BQsO8dA7oV+Sz6TnBmzFUYy90WZRwHFkNggix\nwED9GcxaE5pmqcAh7X9LYmf8H554ac7OnG3KAGK9J/oDIx53GYHvJMb9dxqAj6jQ\nhM0xyIkelvLFHbMbzePDj9qYV+RcCig5UtWj5zh4PDt2UN9rZC/0hFI9xj2hJZ05\n1WE/MYcgPi5bEz3rWy0hAiEAvDeSmutlhK+QPumEKtWIiSBTUYWEqZKi0O1S2kCp\nI0MCggGBALOFCpk8/6cABldsi1jduADL78vR6e+TspJE0sPRtLgPbLo8c629sqQV\nVqzluCnpKjn2gmJuAkp4GB47V19iqlhHLCiDbhz3wWkMn8M2yhqP+TjzTo7RJZQM\np7c04YSVWtQ8WfeEb3+I4Xg0qpTBRHat6NSWKKhIwMZk7hN/p55zOTYkBW2TVmgB\nD3K1bGrfTv34fRKzvqXKnU4oUGzQCPUm7pQISzEhNFeDKhYwG4MUpkwfbjFPr7L/\nPLdqk0Z+WysbWLeWH67wvhETOvfzemTfR1cxD4ONlX/AMXK6Kx1GeEcUgH30htxW\nZC+1A3EyBmRw4v33F8TpgXQTAk01LBZumyoNQyNbX5bPpQViy7MerLtH94Ga79ql\nOLMGb8IFh3hhdE/TI4G/rSa0mZs9fzjKqE/8FhdsLyicprHBX+5RN2siH9EhKZ9Z\n9FNhk3h58UodsaIiwUKoOrx3em46iCWv4Nr3o1HGmgVLEh3N2+U+si025LyEf0PM\n92VTKPF1sgOCAYUAAoIBgFwD9ahW8r3e9B4EvdHEpaK3KPNkGGasi0HZDq1oTA60\nMOphZ9vVQa/vABLJsBm7wToGjFj34BCxHojCicnVlbOSnEpGsQstfLgX3TMD7Cnx\nvTTuKwes/nxmhUbOPoQ6veH1WJME/1qYPzpYtMbA/24Yi+0nqBG1XPlIoqJNGSa6\nFzWFRdFXrbIq0Z1quZrBviv1+8LbxGYseguLZCnnRBeZovgyvvLkXPoSszEJIFUN\n55MPp2bdOCiMhg+6ueF6U8lKopRdgjMg6KGCikykikNV2Ez1c2U8TFuRSMur7tEi\nneBL+VomM1TA5d+CsHpjgtUctCW+A+n0FP6q+kk9ESXbdjwH8iA6L+6MTeZcgUer\nTzfs+U
Avx1rTaZwh0bv5Y5C8lyHjSHvzPq9l9kqLjsSg4A1i/u3JHmrUZyU9aGzS\nNW7pVUYqONmZJdN4MOxX6YQPs9I0147wtjdTu8/ISRJ9j1CmenVHb0BlhdDwdYfg\n5v7xA+E0Zkfa6K1iw+xvJqN8MHowHQYDVR0OBBYEFPLAF+Y3wMrlQ10uK+DH0G0g\nVSiuMB8GA1UdIwQYMBaAFJ4FgMMKEReSVYgPdYFOd8YJt9dRMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBvPp8Vg+z5JuCaHVds/4MjVuY5SYdizpaiCjLwHBQg\nsAIhAJk4Z7pmPM8fAitobB5pJBeZh4sgtK8/+SI6AV2Ui/s+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTvlL37JmAua/BORCXvkpHCgk3GowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxn2/1E7zVsevEEs+WdVYbwS/6qNPqFdYG6j8e\nkK7rJ4ydg0WwcdpxoCvx9kFmmAehM/oa1BQiEXfgoa6e3gXWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8y9nj6Z0n16jDI6RaiaDSWQ1OZUwCgYIKoZIzj0EAwIDRwAwRAIg\nH+wk5gaVVU6oa7SVWbPXYc2CBjofmvJAdpUGGGGXan8CICzW4AYuqk93QB9wZByW\nFcsZJG3d3JMKlXspsi4TfrzD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDnG6RS31xcAeeAND8kUUFXQ3IE0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4YnALmTJ4tMs+EAFhpQjbrt1/woxt8JOBydvW\nY6QqWpjAYHPPccUVzvgLzU4njP2ZN9pNZ3k4hjnLC3q8Elhbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyPIJy2hWu8/hkdrsqA4Y2ieEiEQwCgYIKoZIzj0EAwIDRwAwRAIg\nPqijv3dyWbwoOwJzpTZcunsqnRa/WTB1rUAQgdvCXoUCIH4/gbg/qcZaBhXMVGMn\nQ/6dRnRf+nWvXmWIbm9LnpOl\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUGw9v0RkNSo7mbZFHSzYRNWBRJmAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLPkeRjkABKsQBwcrXNGsevrpgyhbtnzCBBVNNTqLuHu\nh+RZg/RvtBEflPjktccDZ2Lpiaz0GCsn1QVeJVLwi0ijbzBtMB0GA1UdDgQWBBSv\n2qsKCOiNnzoIvIBFwQ6is/MLBjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFPMvZ4+m\ndJ9eowyOkWomg0lkNTmVMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD\nATAKBggqhkjOPQQDAgNIADBFAiBHlTdQPzkirS7B5IMH0jQSFgbTc9ErfocIk1Mm\nb+dKGAIhALcySchGygY3DW+G+b4j/k/JfcN2UknmAneWIpWyUCfu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUVU5dlPW9OP9z5GkHyC+QWjQSBJYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFAZvC4ze7XsHmYcAzI7FYW8DZGXIuJVEtv43ijrqFZ1\nZOgEuk4DPgq9vyScMbR0ok/u8BH0ONoaMDwlvEN9RoKjZDBiMB0GA1UdDgQWBBTv\nY6TTX12GgiTs7Xx2cVQuEWJDjTAfBgNVHSMEGDAWgBTI8gnLaFa7z+GR2uyoDhja\nJ4SIRDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIhAMg3EP5aMOEaf6/QTj3dnd01eIaGmElci+f7VJpDHcbWAiBSFIGB\ndRYNzVpB3dawGkrj3KlF/cqueyu0Nj3+Cf6vbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUhiTUFc2Upc68jqehHaKBlCMzjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARERZBtgAKl+hUlnMA2lgopkf4ISU1o+r12Nz8U\nWzNYBggTSg7/K5h9o+X4rErD/S39TwANAu2nkC6kG+QgKnSLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpr3I1jVAqkSTl4Zp32vrwmOf7IUwCgYIKoZIzj0EAwIDSAAwRQIg\nCyRsAaACHNKaKym/9M6gsldwV0SCDGbOimwseIvV7nQCIQCca6WdigrfpJ0bePdE\nIMoNnR1XXP+3pETk8MWiXLsFNw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURvnRbYN24Cr2Xqlg1LL1N3tH1ekwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdvRWUIYFONs2edYPIl4TXl/iLWNpqk/gsdMu8\nvxvbkls1oGp64bU/oWqK0ILwQFp0iEyFBGlwomiPZiXouuQYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWvTHaHjJypbe1FJ0YLM/9r7+VEAwCgYIKoZIzj0EAwIDSAAwRQIh\nAItTIzfvpcx7nkOngM/zSjfj6RJCBQnYvybUyenSZ2tBAiB/HJl/tu71jccZvgGl\nqec/64FmMTSloxKQ++U3+3G15Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLDCB0wIUQkA+lPJio9+yaxEb/+gwn5jjVDgwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABH+q/v++FPWFu1HXi8ntAshz0yt7q4s4ZEThhCPj3yd6u9Ged9PZ\n1gUetsLYG6h0DLA9YvgfpwFVSEhkCZWBh68wCgYIKoZIzj0EAwIDSAAwRQIhALhk\nvmPp/AR0FTjBjd9qe3k+8lh4hOzwAH+EhF1y0bjXAiBBAm0N22ge+pPwYndskZ5j\nsj+wBmCJbOucamlmIh8zmQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLTCB0wIUNzpD4Qri6VvNyvEz/a+sUeV4VDswCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABIxLdPg24Js1yIohieuJyfRyW+np+IGdKp47mAQdDaQbei1pKpmZ\nBTPX8okiz1H3hdBvFvPz2yN03fxUnIDMYJ0wCgYIKoZIzj0EAwIDSQAwRgIhAL51\nmftb7htAgnubwAzo14bAWDOljHD2MUpi2H02pMYuAiEApROtDZ2ojwvKx8P+ecYK\n6O1u7Jt/yZ1g1i0CUCOPhE4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1843,10 +1843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS8vMEl/gt5ZPDQZdSAuAzEgRFUgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6xNQVDVLnwhaVbZPpTCdPXZ3mkBgBSP0+dcgz\nEHah6FoCyObcF5yasO1XIo/LhAJ7CP+DwuYIMltD2+p4AEsZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnYb0lj2DccksWeceMO/AwkKL6fAwCgYIKoZIzj0EAwIDSAAwRQIh\nAPVBbKV2MusuCG9bq+m61fUTHBrq27c5wCo6D+gJnm2bAiATmHiAkkPfP4B+myK4\nVDagUWOKmTtSgtSV5fD1RMLQ9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBam+D5hyJidLyBJ6G00SxtRVhJowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTx+fUFyKP36+WVW7nlPcJYPK+R/J1WK+Br0IB\nBcx/7zFCMxOR3pyncgqsPmxYJp3fI7FKFMZS5J0WnX0qwG/Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFNNVYFqewUTokEcwS6nYlBiGrIMwCgYIKoZIzj0EAwIDSAAwRQIh\nAL47HA6OEceBm6dFxbiYhAixD6WiYVWjVqiPd7iKBBFdAiBW7LUEzwVye/lgfTym\nul4JhxhHu22ykyzx/oP6DWLFUw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUMjRVbhj2gXXchu+9WnRfb6x7NUEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDDq8bSI3uh3GpmXS3we/9kxvLkagbe4HpcBlDZIMlnk\ng+GIfYn4yhSaNerZqsjb1ImVfwZ4+sNF+NHJnbL3YQejgY4wgYswHQYDVR0OBBYE\nFPaO5z4N59WzDDBCA1QQSsUXBQJ1MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUnYb0\nlj2DccksWeceMO/AwkKL6fAwCwYDVR0PBAQDAgeAMBkGA1UdJQQSMBAGCCsGAQUF\nBwMBBgRVHSUAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQC7bCWH8jDFD9L9a6HyEQtewnNnm/oa4uOO0K3wxJ7+vwIgBre4t2IPub4k\nS+R2oaYUdTpFymKO4Q+O2TP/Xc2QD/8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUc04OKresHny+YlWqNS9dgk2TgAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEt4F7jsQsMm0RvhLgTTyfXdeJGLdo7/Z5E9GL4ws1Xu\nc+jaxDjkvuTaHwdVJatUbdQcDseHD5oPmvqzGdOW6mmjgYMwgYAwHQYDVR0OBBYE\nFDdv7maDJueIf9uz+xQJkxxxuNY7MB8GA1UdIwQYMBaAFBTTVWBansFE6JBHMEup\n2JQYhqyDMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAoTUe8bdc\nU20rwlJMA29wcaa//SCoWY6t/ynC/mHFesACIFg3XWvBiuSbuKCGKEDZEnwJU2V/\nSAJLOBqz7LVRRlvi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1866,10 +1866,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJJ7jjslC9kL9nH5IYRluNjEjXxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQT+0A2kXr+gN04j7Q9F4kYDTSdUBNkX9pkabqs\nDsiFCdsnh05P4o0ruN1Codc886TSSCJQOUfaLOZZenAPOry7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAmNIB48840Ci164mAPD77WR9DokwCgYIKoZIzj0EAwIDSAAwRQIh\nALAmmaVyfjbRraMMc6mXZVRLOCHNlKihd4dh8lZbsAQsAiBZCBDDcpXS67NcfWFF\nNLhndXawZZxrDiGO/hpBLrMKhw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGyWxGAjcTt4+ECgvkElWofdgoZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZ7VtVcZKmaZWXtE0eIRbupReDI9SBzJEM3eaE\nAbb57eS4sR2I/ngWypbwekGPWWM4xcBCdTvnc7tfYnUALDvLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsVwtvbb2ZZ7icQR5csE1l93O0UEwCgYIKoZIzj0EAwIDSAAwRQIh\nAKw/q+BB2/O4sk1HJMzf8cMBsHuTgjOE9usI0T70cCtAAiAq2r4NAqxBRFaeZrdH\n+FwR2LaEo7CmyWr1KRphOGwIRg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUWdGbyDLN15wV/m7RQrJbdMHvYocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFhVuylRC/6rdllnNfIGwSLhlOfIPNUiiVbvwBLfOu4v\nvnt6ya0aGBFP9CbdpMPAEOjz/QGSyReyuzWJcPyopySjgY4wgYswHQYDVR0OBBYE\nFLBngKx95JLQgHdOsj25+av2LbqRMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUAmNIB48840Ci164mAPD77WR9DokwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQDVQp9qMxG/JhL1fGmjE3uDW21IFVfuTMzd8khR7SGv2AIgKNlBtEdDdkIK\n3pxngWcfXrOrl+oIhYkfD6PFhmH9DKs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUU1iehTcEf8Bg1W4y4sEXz+yIN2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH5uahQI8QLFaox7rY9bB/O8jslx6iJj4iIVLgYCQeBE\ndb+bY6aAkz5agR0PKoel0T4IgROL0I9aKZTDMkIXbEKjgY4wgYswHQYDVR0OBBYE\nFAI/Zf4bJzmftVW52+X7mRagpuB4MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUsVwtvbb2ZZ7icQR5csE1l93O0UEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIFQrLz7J8YqcSAJDXucahywVcuzTMkbR7F4xNMiWoW/wAiEA5ZbazcYzdmbC\nMDM2dYBevVw3mTVmvTbUm660OKM6tI0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From c0863936f3280931dcb2b5c351002146f28f7dc6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 12:52:21 -0400 Subject: [PATCH 049/155] vectors: bump limbo Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 399 ++++++++++--------- 1 file changed, 210 insertions(+), 189 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index cd95f1c60dfe..60d6248132ca 100644 --- a/vectors/cryptography_vectors/x509/limbo.json 
+++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUG9QgbuEpNdTnqEJpdotnE0wlGAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdNcSXbzb+fWnemethqNDFrFnEPLH4aiR1pfsy\nVtKnXeq181IALRgOXjQ4BpYG3z6VUytIMxkCb/xzy6fGGmPlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcbmvwFsuq/5kLEewU/ZwmUM/7UQwCgYIKoZIzj0EAwIDSAAwRQIh\nAMW3Y3+ZfAqNNvBR+lyFOEWYl+/bYDtXwGXVZ0ro45fEAiBttSd+7LM0niImQXJe\n6ImpEdaVbOFwMBpdtsTmEmWNuw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeDOfH6TQd6lrwbDqdm1gvWRDyjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFoctIyWe6+s5WyDf3zRyHCrQpL3EzYUEvhFac\n7C2Ka4XWFZy+MtrZIL2nYhUs7h8p5SQAXiGskrX1M3bn0Ymzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUunJOY2B6qHcejeNU4g3aq9HV7KIwCgYIKoZIzj0EAwIDRwAwRAIg\nH1hBVCXT55J5czXAmnoVwcsM2UtGAkm9xDTKiJREYeQCIAu5q++8d7qQ+u04aIho\nl4e3/8cDfZFiKpxsWX4SWxFD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUYnpSf2f00Y3CcRF4Ztav6+IhbywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTg4NzMzMzQxMTc4MzI2MTE5NTAw\nMDQwMjYyMzcxMDAyMDQwMjAxODcwNzY2MTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGQcTuUXU/KDPsF9nCojMunoJHy3gsjEnoDXrZz/pKN+Kw1cc34tVIvRkW1HSq/V\nm6rBpkJf7l+mHKZJ6nf5KN6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHG5r8Bb\nLqv+ZCxHsFP2cJlDP+1EMB0GA1UdDgQWBBQzWmNo0+H2P4k/yxO9ZoT4L6sRpDAK\nBggqhkjOPQQDAgNHADBEAiAShN6Dh/+1DyniA5N6xZgo7Jy/MVM5HB4jc134K942\nxgIgWahn9nhD2CHMLH9C+Mbx8nVt/FEYO8J1RwqywWuh2tQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUe7YRR2chSV2zaBz4hx3pG7mvsAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODYyMzAwOTIxMjUyNzgxNDUyMDE0\nNTc1Njg0OTAzNTA4OTY0NTgyNDg3MzUyODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ8DrnsyiXqrM6AmyUx4qV4lyogiNSAa3GN3lzkdUSBEkJez32142GnaSL1FxcQr\nvdlFr2VNcqYuYQQnVKWJUVGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpyTmNg\neqh3Ho3jVOIN2qvR1eyiMB0GA1UdDgQWBBRHx94AaTGw9WYmsNA/olG1KI9M4zAK\nBggqhkjOPQQDAgNHADBEAiBW1Ysfoyc30OX10qgVOFqpQoEiiPBmfZV27q4Gr5Lz\nCgIgEUY0MqP8YkQ/5Q0+xQUEUSeJ+QlRjoz6Cu7t5/g2yqA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUVHtX7+EkbyDma2+VczMbbUsX2e4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU4ODczMzM0MTE3ODMyNjExOTUwMDA0MDI2MjM3MTAwMjA0\nMDIwMTg3MDc2NjE0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEduhY\nM3m3wb6wv2VMkFJtOfJKx1KPHd29lFyKb8GUQYxfjRmSsNIDQ7IZvSn9oR11K5rl\npr0izKbQcFP0fm+43KN8MHowHQYDVR0OBBYEFOszmMx3vmOgdWVO53NclrH36cxI\nMB8GA1UdIwQYMBaAFDNaY2jT4fY/iT/LE71mhPgvqxGkMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA6S/NEhEe3NtV7E4rjN2VdMUev+yN+tbXC3nT+krp0J4C\nIHhsjlJNAqAiOXaXx5MqX3WB4LQ2eQRGXkdZD8J7+Rj3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUA8n6iMCfjp80DCxbpdeOYFcQ9K8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg2MjMwMDkyMTI1Mjc4MTQ1MjAxNDU3NTY4NDkwMzUwODk2\nNDU4MjQ4NzM1Mjg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/BeY\njjPekxZXDNM23xNWaGAe0hxgay2I086thMlHLlxWyp1e+KRXOQsGbNkbDro1Sm0T\nrcRRAbbyjgiJJqZUdaN8MHowHQYDVR0OBBYEFLKq8Ka8v2VIIaCvTZqmQAiRIa0v\nMB8GA1UdIwQYMBaAFEfH3gBpMbD1Ziaw0D+iUbUoj0zjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAuo6Wrmfw8XZObLTNtRp5WXYsdF+sldBK43Y5oYaebocC\nIQCxBGBUUW8uufwN0uSL8dmaagKA5rFEM1BgLPUzQd4/0Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMW43AAp5KzvtTbsfgachPqLQ5g0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQ1NDRmyWoQdnKqX89eiMaQX53dNQ8G+MvtUVU\nSx3gyA1O8AFEgQ95VOUbUVYwrFXNoYraubSFUHQq8VUgLZ4Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEyN53qCysXHFyyMb8IOOD/P6JjswCgYIKoZIzj0EAwIDSAAwRQIg\nbNGgjlLn6AcXtRUPtxy3jaw37vlfd5HG/x+527guW60CIQClsEuplwzPvX4jfLxz\nhJSMF2VlCZkoMJjL0+Ba4E6uUw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD9A8eU5+Veqz8CPSFaEBTNwijccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTNPQfeZHFQ+Kb8Pe1Gj5jnWy7cImvRxFNj9Ty\nOn22nlNUU4yF+lOU3wELfQCryxD4lKADSWtJCvnIpG4J1RYYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQgSxyQhtslHtGl9IEmAVRAbAMAwCgYIKoZIzj0EAwIDSAAwRQIh\nAORPJFjtbmoVdjARJSLdRoggTBf+t22n+0qfCBSfj9W5AiBej0krYaG5d2JoWZqq\nvp09xvkH1rN9ncs2GmgaVefTvw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHcdKLDZB8LXGHrA/oNVZT40pILQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAyODIxOTg0MjA5MzE4NTQxNzY4MTU4\nMDY4Nzk4NTE1NzIzNTczNTA0MTQxNDkxMzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFzocd150hKhqCjwHOi1/IJuhRMH6klpnvEG3c71E0qY/vHuOoESwekydonKrqnS\nBdDRgX3GMRrX0f26KAhkyaejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBMjed6g\nsrFxxcsjG/CDjg/z+iY7MB0GA1UdDgQWBBQfac0EqL6yHatC7XghOtK3p+7vTDAK\nBggqhkjOPQQDAgNIADBFAiEA+m4y8b486C2UZPRQsOYUKQSqnGCclcPY9hwDinTo\n+hsCIHVrIhw0GSTv1pRZW0/rgv+hJieK22WJ1F4El55fj27a\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUClFpbA+k+KwSlJagYKp6B0rudXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85MDI3ODY4NDU3OTMxMDAyMTIwMDU4\nMjc1NzI4MDQ0MTAwNjgyMDgwNTQ3OTg3OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nDcAGLb1HrYj5r8wwOJBsyGa3ggMfFjWVlZ4h6M9rPbmdSoT+5R/Y4OO0fAImejUO\njZMKxuPM2DmqtWkgFV98/qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUYQgSxyQh\ntslHtGl9IEmAVRAbAMAwHQYDVR0OBBYEFCtq7TS9zrwwTXSLi98eAmMIGp8eMAoG\nCCqGSM49BAMCA0gAMEUCIQDIDL4EWi4xP09E2Q0vu0s+IxSDQLg3MOJ+yfRlrQ2d\n2QIgbPjOEZ9Tw7SZrGthqHFnaWneyBNJ44wPQKyJpuShKLA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUJx8VoSz8/pJPet/fC7ZDKfJEl9YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjgyMTk4NDIwOTMxODU0MTc2ODE1ODA2ODc5ODUxNTcyMzU3\nMzUwNDE0MTQ5MTMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgTiA\nNbLBI5bYVPP2C+vLYsdqn5fHGZmSwBvL2whx1KkcNvyDYehOosea2OUbpH+0+Fd2\nb/IxCg28CiAqhyRUGqN8MHowHQYDVR0OBBYEFN0gr9jUsxuTAIUTBss4FTFeAQuz\nMB8GA1UdIwQYMBaAFB9pzQSovrIdq0LteCE60ren7u9MMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBh4+6Tx4JiK0q59uS460BzvHyfha113SpnX8J8N7iIbwIg\nFEjmEhHeR/Mjmv/BF/GYGyApg2UWwziVNfRc/Vu8M70=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUColWjp9YKqsliG03fbjPWf6ovSkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTAyNzg2ODQ1NzkzMTAwMjEyMDA1ODI3NTcyODA0NDEwMDY4\nMjA4MDU0Nzk4NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWyx/2\nAtSYNoo2eBiJBwE8jPopJVlLJ7jdV/7orkkG1y0WLBoNDMI2UGeA3na86OIJfUMz\nE3ejIHgCku6SXWZTo3wwejAdBgNVHQ4EFgQU2OsnpCvdLMNO39qvL4JWQSAlfRAw\nHwYDVR0jBBgwFoAUK2rtNL3OvDBNdIuL3x4CYwganx4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIEu/gygHEfgs1y+3lD9j+CdY4qpjqOx41/FWQG2E7+4CAiEA\n8ggiNU1wCyBeE8H0YaELtA2+GKwjp8Ntdoc84PoK7us=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbwID7CrBZRzSSh6Djhh31xNrawkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+DI/aPv0knTx7tmaIxZ0ketPGDU9A1vx+6Nrd\nhwy4wYm7tSteJ/az6moZBSMyoMfgub4jwxI6ZwUN+yrqPN1io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzW5v41LYx3YO1G3UWZZDTH6j064wCgYIKoZIzj0EAwIDSAAwRQIg\naFzBBTE1jK5KpqzKSEYjS6OtnvRSIzOLbO9vGPuUJLQCIQCquLr6sAv1QVS6n+Yj\nKMZHqpeQQALvCwk5YDltuVZ4vw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNMD8eU3r5hqvFAcUkaT70uFKZkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSsLC8mZUoEGwgBxPaTvxqEe15ptGXaZstNXV6\nKEqwls3Cel0RMKkKKFUIGYeVmQgmLoemSokLZ2s4OzPh7d7Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGKvf23q3fPCgK3gBQj/sglQsS9UwCgYIKoZIzj0EAwIDSAAwRQIh\nAJF7sm0XYXYPsf4RjLz0m26KHewiyjcE8DKtZSKYtjZnAiBMTmNQrISKmGgd2RyU\nt+Xq2lDsfMlFZdAhZbqWeVVMfA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUZyUfRBk799MZekPmw3I98AVL89QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzM3NDI5MTg3NTIxNzEzNzY5ODE4\nODMwMjMzODM0OTg1MjQ2NDIwNTQ0NjYzMTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOyCwbigSkxCm0Uu0KBWyKTtXrYa0H4XE27R8Ol0wDPpJtY67M1tAf21J5jPlXRw\nLPsibdXoHQwODLOi5gXuWBmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM1ub+NS\n2Md2DtRt1FmWQ0x+o9OuMB0GA1UdDgQWBBTGZd9njf65k7eCUcxyKQgg6twdsTAK\nBggqhkjOPQQDAgNIADBFAiAAqjEOwywL/96enPv02FlsY4RxtJWLdQj42W67aymd\npgIhANsF9oazYh/VPusQDkB8RXU9laAJ9cV1lJ9ysdNa1/gc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXlBUUinGoG7qPZCS1tA89/uDNcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDExNzEyNTY3MzQ3NTQxNDg0MjQ1\nMjY3Mjg0NzczMzY0Mzc5MTczMjIyMDg4NDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdBhjI7RdSSTCqgr8Bi2TGqsUkd7hUb6kXURsEyGkfeksValuVVavcoZSdnzOd9\nPudWZHy1dK2B61NUQXUbg0ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBir39t6\nt3zwoCt4AUI/7IJULEvVMB0GA1UdDgQWBBSxpvcwJ8hLNRuO1j5Kp153iPDVLjAK\nBggqhkjOPQQDAgNIADBFAiEA4cuBBRt3ninIrTlszg2uxJmW/GNqgO0/RuAy5Piq\nH0ICIEL9Ek4lNxuQF+FXtDOxMM/Dz0rjBfXl7OHMBuM6fsx+\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUC/+O1rQRqAh6hVHIicgixKkkJ84wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzNzQyOTE4NzUyMTcxMzc2OTgxODgzMDIzMzgzNDk4NTI0\nNjQyMDU0NDY2MzEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbbh9\no2/lv4rlar3nENLszLkUjGTf+8WMKJbfBAQHNCM8f7zob0HsgiznUavmf2cFSS60\nfjrWkCSfC7DS5PLW4KN8MHowHQYDVR0OBBYEFOf/aJ9iDeKOO/ogBQrzD/xK7lo8\nMB8GA1UdIwQYMBaAFMZl32eN/rmTt4JRzHIpCCDq3B2xMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAvHeUEbCuVHK7R+DIMpHYKF3RcvFfhCOoP418gUsiZmIC\nIQDeK4UaVSjv+SqtzGL6upxs4I09b+yn8Dr0t4uTVB3OzA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUCF/9A8GCqSG/43mNfBbhjmjnAbowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxMTcxMjU2NzM0NzU0MTQ4NDI0NTI2NzI4NDc3MzM2NDM3\nOTE3MzIyMjA4ODQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8cmZ\nanI+5MIFen0rOyQOyUDHSwXTRdf6E2JUz7aRyP3zPdL1i1BdPXeFu/yM2VW5K0TO\nUoXoQZYyF2uQQEJlraN8MHowHQYDVR0OBBYEFHuzWTaOfjGVOMX2dVXxyQbWIYN0\nMB8GA1UdIwQYMBaAFLGm9zAnyEs1G47WPkqnXneI8NUuMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAFEMoX/70fG8WeCrxsf43JdbUaaTNPNuiCCUmU9WojYgIg\nWMZUpCFeTmTGtXf7/fC5UBYwzXRuawGMx1JZkVtWICU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURpNe0/SAqQWEVYVgpHvp+ux7SB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMdfj32CehjqHWaovGaFNUwGcgikakpuZzsnaT\nyTl2sk/Kelx6B5cqJOu7MpTv+fXsQMmY3yxrT5Zs2gdPxGLPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqzR1TLrMvqPV7ykIhhouCduD338wCgYIKoZIzj0EAwIDRwAwRAIg\nKt6fnHaVAElIwFHdLB3u0COmy2LA/ctSp2DLGkgwwrYCIHISkOYD33ZfKCExdUyp\nJVsMHbyLRjnot0f0+u/cDJEC\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH52oBPt5N+2xZ9WVNfa56DNbrRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVDkXA+JqBEBJ0HsxisWoltw8PaUmT+wX0/wCN\nCPzoCHVPSQSggtx4KU3/eBE7UTJldW6Rhr87sHsaFrDftKPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG0Gy6Kli3Pf+R2uEYQTQIEFLvwowCgYIKoZIzj0EAwIDSAAwRQIh\nAMK3scRFUaQttTf1MDXESgs2PAqLRgcTuiyxVf4ma0z5AiBs8ZiGrc8eV3QycSqI\nt0ryRHo9xJwDlawLaa9hGmO8zA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUDDz6rJhncf57BWlKS8sWjkuMBXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MDI5MTU4MjQxODEzMDk0NDcyMTMw\nNTc1NjU5Mjc3MDQyODQxOTIzMzgyOTg5MTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBM+9YKDy5LM76Ug4CFE11V+F6a/6GRU8dYC7XtpEoFx9+iPxESvvua8FFCq/yuXy\nsZO6GNyzLZFPbArzn7vNmpOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKs0dUy6\nzL6j1e8pCIYaLgnbg99/MB0GA1UdDgQWBBRQzsF7/fjyGR2bD0D5fQJbEH2xCzAK\nBggqhkjOPQQDAgNHADBEAiAsAru9oA2Z5Uxrco76t65MS7gCVzw8RLlrt7FdkCIW\npwIgXSubpFtHASM1GY2VEwYnwD6lUgtbtSwxJpob4Vjns/o=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUO2Za463NQ/HSAagZQmLu4U9E878wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODA0OTQ1Njc0NTExMzk5NjU3MTYw\nNDI3NDQzMjc4OTk3MzU3NTg4MTA2MjMyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJSjp/y2/6m66sMkth4FuZET3x+VzVAm3DmSQJG2FFq5ye++mik3ZDz1Io/WF6z2\nz2SlZb4GO6mnAokx96Dycj6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtBsuip\nYtz3/kdrhGEE0CBBS78KMB0GA1UdDgQWBBQvGYH33Q094WtRLOQJ7LlpIW62ojAK\nBggqhkjOPQQDAgNHADBEAiAkcihlcjf6TW4BXFmhwBAs1sjsNBAn4zXJdTPUdEc7\n3wIgbWMfs93M++SqfNR6IIElsCh8Z+M5lmo8wvvZ9saAh7A=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUeGLYlhN0vqk9sEF/cZADD64lZSYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDAyOTE1ODI0MTgxMzA5NDQ3MjEzMDU3NTY1OTI3NzA0Mjg0\nMTkyMzM4Mjk4OTExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGYxODA2\nBgNVBAsMLzY5ODY3NzcwNzY0NDI3NzM2MTUyNDE1MjMwNTUwMzg0NTExODkwMjc4\nMzE5NDg0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATl7dQlxxjOoODnUoQUpzXkIp8P\nINrXiJ9KqBQ0YYhpobLDJbKgdXu4dulfy3topDVBaxhsT4WEHqwcmvSi5FY6o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRQzsF7/fjyGR2bD0D5fQJbEH2xCzAdBgNV\nHQ4EFgQUGHTUGDj3XqVLufhXt92s3rs92C8wCgYIKoZIzj0EAwIDSQAwRgIhALDs\nARKMXHbhMOFHB6Eiv4qnGQlr5HLFqQ8yRZY3BCQ/AiEA7C4YllSQ9LNblQqSxKTc\nIHn0VJTz602N/DFWFg8IVuo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUD96wVQvo2MsK5N0VvGaF//IqFRwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwNDk0NTY3NDUxMTM5OTY1NzE2MDQyNzQ0MzI3ODk5NzM1\nNzU4ODEwNjIzMjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTExMzA0OTA2OTcxMDA0NzE3MjYzNjA4NTQ3ODUzNjY4OTEwNzAz\nMTM1NjM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMPSuxA3nKLwSwyBy4l1D/+4\nnfNTdFXropfJ2YGRdQamxWk8UnlJNhANjLTM1VdwhC5DMtKFTkkJ/525n65A0KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAULxmB990NPeFrUSzkCey5aSFutqIwHQYD\nVR0OBBYEFHz5Mmszc3jtYocxKB/64mUMLmhIMAoGCCqGSM49BAMCA0cAMEQCIEZY\ngKDE/gN5VG/KmQQSQ7skd1wKNqn/3ueEvsOIWnPHAiAqkhRBQhD1VM+wb/HF4Cfa\nhrQ/lQN14G/yApSzpWR+iQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWlTyKZd5M9YqPeMzJAsBoV3jp/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEQ/kXacxzBCE85CFnMRfPEqqNTR+AEdcxpoZ5\n1ZqSCWibE0WHOZ80alxWrBfLULVWQ14LSNp+zM/GGjL55tKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwpGYTRmK4UhkAySF7u3W3DEzdcEwCgYIKoZIzj0EAwIDSAAwRQIh\nALMv8DZmEVa93Ju+8JXzjQReMSe6ya1AxUq/30lipTpjAiAN2yMO87UzxqzBTNJE\nU4kAVobw2tETNiHyRuWqjXYahg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHOgOT7CrTGnTllQNvQs1/yjuqacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwf3bNt9SV78TcEdFlTL2aY/DU7NCbzagTbfJJ\nVSeGZzR7hcl0JcP4NfU1P/BBn36ZWpWF1Cd0oc0qkleLxWKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLl9gOpBReM9UkhjpC77xU3EBBQwCgYIKoZIzj0EAwIDSAAwRQIh\nANG4apbrPgi8g90thdZvf1olgDibxWfINrG5fFxoFPO6AiBWa/2i5FYPTrtracUD\nSg3uB8cI9FGvSI8eCquFa7PPUA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNNi+nSNAzti3L6NGatWQagLwqdkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTU3MDM1MjcyOTY5Mzc0MDU5MTcy\nMzIxOTczNjYxMTE4NjczOTQ4NDY4NjEzMDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCKg4QNlt5YF/07Qq7bZPxtKwaWsLpIjnLwMFpo15Ly0LWs/kaR5GnipqdcOUl7k\n0osaXXrmeBoItme9jjzV9sKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMKRmE0Z\niuFIZAMkhe7t1twxM3XBMB0GA1UdDgQWBBTlleQ2l+AnqbYIIF3hPw3fN26zLjAK\nBggqhkjOPQQDAgNHADBEAiAdeE1scrwrR28Kt+kxnCxwSZpdlW6B2ib5EvkrjjuY\nQQIgYhl8pAchAcIQVlXvhuaRYJRHzEfaUs5aw3VVVz9Cxwc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUBeG/QKd1NKOsr4r36fBsoLQmgw0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE1NzAzNTI3Mjk2OTM3NDA1OTE3MjMyMTk3MzY2MTExODY3\nMzk0ODQ2ODYxMzA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMwMTcwMTA4NTg1MTI0MDM5MzA5MDY2OTkwNjI4MzcwNDM4MDY0MzE5\nMjM4Mzk2MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw8lekLCU7+nM+/edGvfq+aLL\nviL5HsG81NzuZWkahLy268nAEPCKUUfECFSktrJwuimKqh7Wvs3Au4pimhUq0qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5ZXkNpfgJ6m2CCBd4T8N3zdusy4wHQYD\nVR0OBBYEFE9adMVijHkq+jHoHUSaV29ZDKNLMAoGCCqGSM49BAMCA0gAMEUCIBVA\n1UDzO9gpbkmIca+AgmxjHnDK+4JCmVMRwfwQeNABAiEAgMLPV8GfnGq0roMxy6zx\n10waTGngIyktbuD8HTRty8k=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKHn4I7IY1oR0HzZXcy9Q44MPqIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjUwMjY3NjExNTgyNzAyMDI1MTM0\nODA2NDUxMTY1MDE2MDEyNTk1NTIxNTYwNzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP5WtCIP7pSWFnUPQ1RMyFeCHbxWEq8E9ieoH5FKhx5fAQ30HVkWRcLEtABgmTF9\nGKwNyYxJDLzFzGwb7aCzfMajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBy5fYDq\nQUXjPVJIY6Qu+8VNxAQUMB0GA1UdDgQWBBT/PRRK5gRO8ri38K0PG2BHeFbCQTAK\nBggqhkjOPQQDAgNIADBFAiBJycwW9wxuF+X60QECdrRnkUPw56M1wsha8A4GOMY8\nUgIhANY7AiRY8vCI/y5FNyY/h21WknoWTBuzwLfHUMbFTHqZ\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUOyuzm2KGuHjiEzYBb8l28LtABO4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDI2NzYxMTU4MjcwMjAyNTEzNDgwNjQ1MTE2NTAxNjAx\nMjU5NTUyMTU2MDcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzMTA3OTYzNjk5NTUwMTI1NDQ0NzQ5NjY1MDAwOTA2NDA2OTkwMzM1\nNTQ1NTYyMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu5X0t0KSysSmh6j0Xo3+IUYZ\nauYlVCz+qwsmy5CqyOx78q99BvQLOx4hRKRjERz0onzIAlPIwhJAjLKfPbRG5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/z0USuYETvK4t/CtDxtgR3hWwkEwHQYD\nVR0OBBYEFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAoGCCqGSM49BAMCA0gAMEUCIQDa\nEyOffyasA5OIPgAyEI8DfuMNaHtozZ9zVAWnRQb4yAIgJj8awEdUh/Y2W5RfC7J6\ns7bjnX2saYUyF0n7RD6bdcM=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUfefM6OLcO5yC6ufFFyFyBmt3MRIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxNzAxMDg1ODUxMjQwMzkzMDkwNjY5OTA2MjgzNzA0Mzgw\nNjQzMTkyMzgzOTYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsg2T\nfHGB3tMxWcEKt09btgnZUcfQAYZ85DCRrtBRuR5w7oGCZJUxlWkX6MOWApdyrNtL\nolDVQyAXFMjxXGQNGKN8MHowHQYDVR0OBBYEFKRkNjdk+cYuKpuV6P79K3lQpvfv\nMB8GA1UdIwQYMBaAFE9adMVijHkq+jHoHUSaV29ZDKNLMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAml8jcgR8kcbZCsTGQ1gn2JnsihBfhqIlo1tqxBgc28sC\nIBECrqqrPJ1T7NzcVfe5zkbbF4d1rIVcwYFFO65u58dR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUIwupQexDqdJvfuBFw7oVTJveQGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMxMDc5NjM2OTk1NTAxMjU0NDQ3NDk2NjUwMDA5MDY0MDY5\nOTAzMzU1NDU1NjIxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWfXI\nOcC4w0U8m68y1tXJJBnk1pnyxGt/3jq+3ORz6GTEd9BsqE+wSdJbpSdDCgvS1F5R\nH5GsMdMxDAgMkPV4+aN8MHowHQYDVR0OBBYEFJOggKZ2aliGzDnPp51PjHtj4Y7q\nMB8GA1UdIwQYMBaAFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAo1qMHU2jh+/i4prRsVQwRt4BVYlh1c8GdaUGIEhEmRUC\nIE1QfuqhqXxGTf72QkRW186//D3gqQwUwOo5bRBY9NB3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGLGVVUK0XDowgBKYHBjAf2kxQVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEJZbzht/QWAJeYR5IYdMg35nReOtM0tM0H/yj\nM+6lA9XYvigEJK4CfipmzRLpphUjErfJq8dG5XF94o+q2Rduo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBq79P5Y384f54xk9C0Czx4L1LdEwCgYIKoZIzj0EAwIDSAAwRQIg\nKe2CYh16zgZn84i17CJeMWxguIpPpwSSf6FQulbSkgICIQDdKbw0eec8U9QYhxfv\nW1McO2LaUbfn6KXTcT/9JRQFug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVyl1U6Myw90up4XuE0dfNu2iwRowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1rMqpXvpFXqPvocF5KdGnFIh9iriuG1mU+DVk\nctBKFE7cIm1w3Lfq9QLx9gChq5nxUnkrv4O0izZsiKZzRBoGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwPS758gTgwUXow5PRHmZ7kRDEdswCgYIKoZIzj0EAwIDSAAwRQIh\nAIgrc5l/Dkef9y6BHXRkN9lz3Q13iDNFcZr3oUyQYeJlAiBabxkJlKKkpWiWfbol\ngekgCAvHlHulayOkYUoqOi/tuA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKBTSM7r7QjVu6lx3ZaOVhecd4QwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNDA5NzYwMTkxNDMxODI2MjExODI0\nMzQ4MDU2OTk5MzY3NDc0MTMyNjY1Nzk3OTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJqlZqa8jC1EGbJVd9l7qEHHH9Hn4Z14a3s8FdcTXvq3RcZamL6/zhTG12nKNGyO\nucW0dbDkMqrJoYF89MruGf6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAau/T+W\nN/OH+eMZPQtAs8eC9S3RMB0GA1UdDgQWBBR1nl6VA6xRkXLZ67XIDa99inrIczAK\nBggqhkjOPQQDAgNIADBFAiEAuD4PNjxL2toUdm989YA2IdWzspal2X31/RqIcZR8\nQX0CIFoU+IAS/m/fRcFOUQU0Q35Ds7aUiCz4OcffdTQMz2n6\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUEjpgsvAEudN0yZ5fQUfVJzEc8YowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQwOTc2MDE5MTQzMTgyNjIxMTgyNDM0ODA1Njk5OTM2NzQ3\nNDEzMjY2NTc5NzkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIyODgyMzk1NjkxOTkxMTU5MjY1MTc1MzYyMTg3MTg0MDQ1MjA4NDU1\nNzAxMzI2MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsHnzUi9ZfoZ3Zv9huF/fjhAu\nXTAG2L1Vks8AJ1ysw4UvOFGqf9q8i+ctYQIXqit0HDd8catu2GZhodJXWQKK26N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUdZ5elQOsUZFy2eu1yA2vfYp6yHMwHQYD\nVR0OBBYEFBOVSNTvf4AB84e25A9m0tIPiIROMAoGCCqGSM49BAMCA0gAMEUCIQCQ\nlIc08PIiAMdfbqZFzlhzJ33psmumwErMsLH8AIRZYAIgI/+OR99fKoutp+dUDbiR\nZb6GpL1GUoxC2UqAsa9zkzk=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW9D4QwIae4yEsn1WnPwamY6u0F4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTc2MDY3NDgyMTI2MzIwMTUyOTM0\nNDAwOTQxOTY5NDk0NjgxMDkzMzI0NjM4OTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP0odA2GGEONW/eI5r5c/ZhCo9Xny4B0DjSgMiwuk+hE0w/D08qi7/pIoKqirTui\nRhseutrcWvC5kO4ZD61wk9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMD0u+fI\nE4MFF6MOT0R5me5EQxHbMB0GA1UdDgQWBBSQIAjyqewu0SQ8pMfA9EuNEE1OoDAK\nBggqhkjOPQQDAgNJADBGAiEAraYJUH2OHjBXYLqnd1gfNIeiu6WXh68hbCrRGckL\n9sYCIQC0b7G8dUlGKcEgcs0KP1IpNhxu9HOilpdIzkOEfL/NOw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMrhn/Sv3KDxDWBVbUwdgu22lDOwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3NjA2NzQ4MjEyNjMyMDE1MjkzNDQwMDk0MTk2OTQ5NDY4\nMTA5MzMyNDYzODk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDUyNDE3ODM0MTc5NDg4OTM4ODE0MTk4NDQ3NzQ1NTk3MjQ3ODIxODc0\nMDM1NTE2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx/wbQt/pO7R9LwvshPTWdUWv\ndCACgdoHynJVTkHmUKEZ7uKkW2bSXkfdGadEh81mAaZZdXoaz3ls0Jg9M1TJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkCAI8qnsLtEkPKTHwPRLjRBNTqAwHQYD\nVR0OBBYEFNXxyL5LVoEruuzzykoGDPHbpN3oMAoGCCqGSM49BAMCA0gAMEUCIQCG\nu1XCB2JCcIWZiFbtDgdZWGpIHWppk67STPlIJmgouwIgLd6/2BDmDLcmsquqnmE4\na5VUp8R0T/aavJ/cyt/xVnc=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUNtrRyMQQrfdcQ2+n38mwHDcANlswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI4ODIzOTU2OTE5OTExNTkyNjUxNzUzNjIxODcxODQwNDUy\nMDg0NTU3MDEzMjYwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX7qy\ncxl1DuHObGUGJrucO4D+jDbRe0p85TeEIn/FfsZcVgrttcmME+wvhlFtDrXYWrGR\nr+U0OQrgG0IToLR606N8MHowHQYDVR0OBBYEFMwZCuMxGzZWwfcx2w14sEIGBLtx\nMB8GA1UdIwQYMBaAFBOVSNTvf4AB84e25A9m0tIPiIROMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA9yWx1KIaLlPgNsQBS3k7jE14E2zkZtsjsrXtZM3AV+YC\nIQDVRZ5djCWSLKKXK7hFAiGoeHDnTG2CwFsATh6mEdszLg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUZU3MSgUyYwM+Xg6w4KnBMWHNBD8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI0MTc4MzQxNzk0ODg5Mzg4MTQxOTg0NDc3NDU1OTcyNDc4\nMjE4NzQwMzU1MTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgzm\n15VRC45+GcDbYS/eI4Np//mH9J8kWTYJ/U+Mc1aMoupx/sEKPVtTDzCgf1tWY3Ja\nBT4GhOWZeYD9t7QCG6N8MHowHQYDVR0OBBYEFBzEQLOtyc+aypb5A5IOHKiwdOMn\nMB8GA1UdIwQYMBaAFNXxyL5LVoEruuzzykoGDPHbpN3oMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAymsn3vMuUYOCq7jIASlp3CWiYFb1/XpAlQA5Mbv3/JwIg\nfFUmHlQXQLUEk+K2w81159EHm/SNu97pHAYffEudeRw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKfFLDdyKE187OeFdQjJK8BOqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrbKj9nUw7wCpB20IMlUGx8npGkX1tai8AicOA\n9rpRvqWWODrm+gtcKl8JnPOepFW8UdtpXrh8Kkg2rUhZjk29o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg3vdB4zIRvk85ZO0mCyTzclP2XcwCgYIKoZIzj0EAwIDSAAwRQIg\nE4Im77lyXutys8dIcHasXUghRaXrbT5+2xfMoWvwXcgCIQCItctH0RjEQwxYLNrh\n280VFDGS6Zx4b36ysOFI/QB2xw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXf1lO893NfA0vWiRAQJtBApWGykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0hBOOOv3U1NKMw0KS+LvX5+YqR6QNd7aVd/ZN\nYB8qHjRxmMmwWeYifjsQLoFTx6xNdU9whK/kRmcoBx9BZP5Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZTwaXJ4Y55BTTppyRzqa5WggBLswCgYIKoZIzj0EAwIDSQAwRgIh\nAIjHB0OWHC/o+pSsZinEWw2Mde8vw6BTJQDa9xAFOmn5AiEA9aSkwGjPBtsy0sZ+\nL4RIKBumt+8Mt8meBNMJLckQPrk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXyPxlduFYO8VmpdIO1IOHeD0Gm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxOTk4NzMxMzYzNjM0Mzc2MjcwMTA2\nNjI3OTgwMDkwNjI2NTMxMDg5NjE3NTM3NjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDc+LmHsbfYbwEhpsgSi3uhvh+zf5N+zQIwQWxeY0Hp5ly/v25p1tliyF4eYmw8h\n5e2bpMxtl3OJjUzd4eFIo+CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIN73QeM\nyEb5POWTtJgsk83JT9l3MB0GA1UdDgQWBBTfgkeLrwtLsmsi6SsoJ6/cKxDuxjAK\nBggqhkjOPQQDAgNIADBFAiBG/jZQiMwZkg/k9nxSFHI7i8Wua5q57howe3qC0xYu\nEwIhAN+C3SBKwUE5/FwKuNQqv7qbJcZHpEmwi4lYM3ZoWhvH\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUJMS+7is7Tq3Re995hS/rJIPCLDMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk5ODczMTM2MzYzNDM3NjI3MDEwNjYyNzk4MDA5MDYyNjUz\nMTA4OTYxNzUzNzY4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU0MzE1NTY5NDM2NDk4OTAyNDY2Mzk5NTg4NDgzNTI2MTAyODY2Njk1\nODk0NDg3ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHI5GEpgXpIaQSMj7a7morzvw\n44/8Q9drDqfvQZO6sUS8tPAPf5gsPyGoysiTC83t0jeBYFgsgbO/6lZcfBRET6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU34JHi68LS7JrIukrKCev3CsQ7sYwHQYD\nVR0OBBYEFNQoRohX2TlAC1aV7+DpQwjknoafMAoGCCqGSM49BAMCA0gAMEUCIQC9\nF76+SLMs58WnCjtuki7ualVBbIkGVB5ZWFfJQq+K9wIgeMWkw9/zLjykWzKvuHMb\nAIQaNBM+YVsi/gvVrYdhWlM=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUMlcV0ca9lbSrMCZNQX8+TQNAxU4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQzMTU1Njk0MzY0OTg5MDI0NjYzOTk1ODg0ODM1MjYxMDI4\nNjY2OTU4OTQ0ODc4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIwOTkxMTI0NjE4NzU2NTMzMTc3MTAwOTYwMDYyNzA1MTQ4MjM3OTgy\nNzk0ODU5NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7HOIc200pD6tOimk1RA9InA/\nNZagJxngcbHxPT4TnH0Vi9FKRV53kx39/Kc1AIGP8oOClHPtVRsymm5I69lKOqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU1ChGiFfZOUALVpXv4OlDCOSehp8wHQYD\nVR0OBBYEFHY9F9xOUJK0avL2miPihQ3eyAALMAoGCCqGSM49BAMCA0cAMEQCICZz\nLQ36Cf2jVk1z0MC7HzlVPqK8G1Q0LxSv1kQ4Zl37AiACMKTGASS14Hw0tLr+0Ha/\nHcH7tYsygdyNiYkQkPUhEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVJTbyxe5O4c7fnP+YlkmZoap2oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzY1ODcwNDg5MTUxNTMyNTE5ODEy\nMDQ5OTkxNDM1ODI0NjA2OTE0NzY3ODE4NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBORGW88mFHQ3f3+hC5qURNTyvVGF98XG+Q/vYkHW5WuIg6D0DBIM2DHA6EEApNFy\nZEfNjZJzvjst1vlFbU/aDUqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGU8Glye\nGOeQU06ackc6muVoIAS7MB0GA1UdDgQWBBRclgmXP1CI5uFts2MPsTfscCa8uTAK\nBggqhkjOPQQDAgNJADBGAiEAzRFh1pf41Q0j/7ce1NdsSBNy5HlLCtuuxd0rANcH\nNgwCIQDFzvvcyrTQ1+qZdGr9Wrr+VTEhdlJhCSojFDZJ1MUvqA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUKU+SKKvMTaZlK3zQGJMakn4d6eIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM2NTg3MDQ4OTE1MTUzMjUxOTgxMjA0OTk5MTQzNTgyNDYw\nNjkxNDc2NzgxODY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4Mjg3NDg4MTczODA1ODYxODkwMzMxODExNjc5ODE2MTA0MzYyNTY4\nNzUwNTUzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTlQghcAnW4TU0OOEfeY66o9\nNxScf+fy2JbWKOYKL+rCfupIeevge9e0fxh/H9W6TMHtDHbH2Jrw6czhyQMLlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXJYJlz9QiObhbbNjD7E37HAmvLkwHQYD\nVR0OBBYEFDVrVdWwNcCt8DYuaX3CuJCqnYwDMAoGCCqGSM49BAMCA0kAMEYCIQDv\nRqo//ZzkEQ+iJe9T/x9zKFYPmBqQB6w5eXuxV2tAegIhAKqnnN3lwDuumwHBTv0g\niCL9tt8Lr+wzPQBhAfxzbPRU\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUGzMX9tZYF8qLvPxjZZlKFAFZfLIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDgyODc0ODgxNzM4MDU4NjE4OTAzMzE4MTE2Nzk4MTYxMDQz\nNjI1Njg3NTA1NTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzNTg0MzExMjcwNzg2MDg0NDMyMjM3NTkwMzIyMTE3ODcxNTQ0OTE2\nNTk5ODU2MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExsYohK7U1vSuDjWd0yzeDA+6\nWuUXv/7HjALSl+E0A3sgWJAv6pEhQvK6iPX/hbWAE+FqXS5TDARtYVSGXKu+4aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUNWtV1bA1wK3wNi5pfcK4kKqdjAMwHQYD\nVR0OBBYEFAc7mMNetCrIrLsrPs77H6ZxpKj9MAoGCCqGSM49BAMCA0gAMEUCIFJ5\nbFT2IGGLgbREtpe3lCZp257+X7vDQNIat8mqqV28AiEAzXnxGd0tCn0Jb3Euen3w\nyr6+SXOapmfnhm4oaYmWE30=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUaLQO+b8a2/BtxW86zC61iE9+l2swCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjA5OTExMjQ2MTg3NTY1MzMxNzcxMDA5NjAwNjI3MDUxNDgy\nMzc5ODI3OTQ4NTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENX8C\nzMbPgtNg06jrbDvRIcEfsknckrSxyoRIHiSKXBioueqfaU7TUykfXh5/6sfmDz1L\nULNtKzZAJyJteYS5maN8MHowHQYDVR0OBBYEFHjV3BV8Nnnduh3uM4NVP07pzYPF\nMB8GA1UdIwQYMBaAFHY9F9xOUJK0avL2miPihQ3eyAALMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBlnCLNYyd048D7zioVI1+VYawiwnIsMlkldF7wPz2GVgIh\nAIRillM7/oUXmnV7L+HItFyl319KChhvfbMt3vwhqkdc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUQzwSULVMw1IkyBu9nMS+/dm+SBQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjM1ODQzMTEyNzA3ODYwODQ0MzIyMzc1OTAzMjIxMTc4NzE1\nNDQ5MTY1OTk4NTYyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDYW+\nK5omze/ZLH55gDnjmjaXpsZQmyDCNRrvk9djC9dlTUAb+nqwokxEKZlEMfkJRwVs\n4TB25lSdacToiMGpnqN8MHowHQYDVR0OBBYEFJyXJoNPZO1M6pHxRfo/wXrqdnBh\nMB8GA1UdIwQYMBaAFAc7mMNetCrIrLsrPs77H6ZxpKj9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA6vpEh7qqGiW995kHfYfi4Jut/jRcbojBLuCezYurCtQIh\nAP9q5oIgWVNt+ARbt0mgH9yZ23C7VMdQZzsXsBzerQ+N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabpeuW3tElKoPeRQugnj19/RNDkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVK4OiMBJTBJxdKlnceacFvfJqhEc0oljkwUdo\nY0AQtcdWnLuJ9S2nikUfaBWjgfF1vu4CWFZuM/jCL6Z2jUo+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCy7w9f2RgEujPUX8HTXtBbAr1BAwCgYIKoZIzj0EAwIDSAAwRQIh\nAPgVdjP7G/A7KWkhaPsBDZ3X2/jS6nIiYi2hxWyrNqwcAiAqdTkuAqt8/FOD/Ph+\nEFUAXuxxqHhEaxMbjW8f1Q4yxQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSlT/EOI6Mg96fMfBq9fC2pQT1ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPq0oeww6p3Nwq81l5eHcqhKnzevYM8lDz3sEg\nlnxAsy9tsj/nd4xavDFS1clvfjfWvaN0u7gG1S5522a/mNr+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzyqOorA2UmJ0P5Znbt52CQWQ+IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKO4EFbzGdRN+aiYYQNbcYEub++ry4l8pG6plUuiCa+gAiEA0kovVgVXRxyLhPev\np+5DdR2VEWERMRW0jnb3rrQOj7s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUB3Kvl+kYmSvLsRA4QWpMMf6d6aYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MDM2MDAyMjExOTY2NjIxMDkzMTM3\nODUzNTQ2NDYyNjE3NTY3NzMzODU5NzQ4NDExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPg9bWc1RNG7TmQtHOPJsAORch/NyhiN30rnzk7O7jKDE3b+E/RQSKTl5TELoEnn\nwWfeiVShqaiYnag5tQ+M1lOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAsu8PX9\nkYBLoz1F/B017QWwK9QQMB0GA1UdDgQWBBSuZu3ViynETjoBGQsFk5gPyNyoTTAK\nBggqhkjOPQQDAgNIADBFAiEA2pMFa5TuCcP2Ri0UCWEbW9i0kH5pA4fbfMbbP10X\nzpsCIEU51SVaphi+0mDHAo+FiNOLkUJWr08UMoBlVH32bc8C\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUTzBBQkoa1sYm8T4BczSKTAxkpfgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzNjAwMjIxMTk2NjYyMTA5MzEzNzg1MzU0NjQ2MjYxNzU2\nNzczMzg1OTc0ODQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYwMzYwMDIyMTE5NjY2MjEwOTMxMzc4NTM1NDY0NjI2MTc1Njc3MzM4\nNTk3NDg0MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY+V86ZcqFUeO96CrZTo5zGx2\nWmzGi0VVoC2YJSMOvziGlMiv80kf1tIzsr3ONo9asctUhEO433JROCXJM1ZgE6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrmbt1YspxE46ARkLBZOYD8jcqE0wHQYD\nVR0OBBYEFNu1hud1erh2jQdRsS/DjEaVst68MAoGCCqGSM49BAMCA0cAMEQCICyu\n9KR5AxYXWkD3AGOtBwhRMhmHWjdXlkq50XK3bUL5AiBPnsZkoe879ibD4bIwTRAN\nWo+qMa9D/FoLqEt8sZMl2g==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQ8O6VMh1+1kQjSP6pFjE5WiAUGEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzNjAwMjIxMTk2NjYyMTA5MzEzNzg1MzU0NjQ2MjYxNzU2\nNzczMzg1OTc0ODQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ1MjA4NjM5MTUyMDMzNjgwMTA2NDQ3MTgxMzY2MzU2MDc1NTQ3NDQ5\nNzU3ODQ4ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4EfbDeC6irOua0y0NDYVNVbB\neCdoyGNjsdr/HkOCEqox54nV8oQRGU/heLpSTZ6rM/exrzxNtF8vZpiWxSLiYqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU27WG53V6uHaNB1GxL8OMRpWy3rwwHQYD\nVR0OBBYEFDq4HnQeYXPFiOW1OM2fUdecD1a6MAoGCCqGSM49BAMCA0gAMEUCIFjV\nekzI6v/MVdEOLU2eYaC635NeJVUw0lg/fa2KdXYEAiEAlAaHIN0qbsCQs9vQCUCe\nLtu0nfkbAnWs1OJOyVEJy2o=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOMY47r+XminfO+SH1Q9TxclftRAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjQzNjA3OTkwMTU3Nzg4NjIzNDcw\nNDg2MDA2OTk4OTE5MDI3ODEwNTYwNzk2NTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNFTAS4rv91qu04F6cXMIqRb87MlXKZVQNufBa1gHOfhHAft+cM1tuPigb6s24dR\n0f3Tnq/KDsRBZMhStKNWZBSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGc8qjqK\nwNlJidD+WZ27edgkFkPiMB0GA1UdDgQWBBSnntPolmKPEaDOZIRcAuU+Tk9lxTAK\nBggqhkjOPQQDAgNHADBEAiBHLVjHQin4E5lbJDJfvriiwB73YJ5K0ueUSFEFVysV\nzQIgJ2GU1ncjqdRW5vuyPl3IhgWg26+68Jyj+aEUq3c77IU=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbqjEgxGYY1N70QHuaDh6BA+yQdcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQyNDM2MDc5OTAxNTc3ODg2MjM0NzA0ODYwMDY5OTg5MTkwMjc4MTA1\nNjA3OTY1NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5spBjnPuLgVb7SLgz64mD9HH\nhpjF4uJJxgbtk2LvX+Gqw+Lzg+lghqshMTwOO5a47NFrw1PCi1XnUoq3JmbmX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUp57T6JZijxGgzmSEXALlPk5PZcUwHQYD\nVR0OBBYEFHeGUMQqZ/28dbn+/tZ0MmQLAnUxMAoGCCqGSM49BAMCA0gAMEUCIQCR\nyAHKmoznsxq+CnSKmXyHkwbKz5gqtaXGdTawgUj3dgIgJutQdthLDBNZzScllv2t\nLnA0LHr52QoXHWuHkbWZb7Y=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUY0sxeexT2ypEQMNFWAjjT8O5wGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzMTc1MjYyODU5MjM5NjMwMzYyODM1MzcyMzg3NjY5ODU2MTExMzM0\nMTcwNjcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMrvqALvaYZ6dXGsm8SMoR1KB\niI/SDPz62dEH/i244JV/H0g24ftHeUYrP1NpEWzLgZB65nXiHmLA3kJstqQ+96N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd4ZQxCpn/bx1uf7+1nQyZAsCdTEwHQYD\nVR0OBBYEFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAoGCCqGSM49BAMCA0cAMEQCIGGu\nVMrfjH0JdhhJeb1iqv6FDA5Hz3vM4/ZdtK10GDrWAiAYVO4W7GWY0BRxI+HrRss6\nx35GMU/N7GP+2CzvKe4hKg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUaG2RTSUBIo9UMT74YNbCk79Z1AAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUyMDg2MzkxNTIwMzM2ODAxMDY0NDcxODEzNjYzNTYwNzU1\nNDc0NDk3NTc4NDg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8LSK\nzJdrmseSWDR4Nxh4l6YpPiDoyTgJP6a7d/Zs04TX9Hk+BCoZaSncHhl0JklW5MzA\n5EX5eGQ1l/lqf/WSxaN8MHowHQYDVR0OBBYEFC7cbuI9r3bjRs5SjJGxtGCLynEy\nMB8GA1UdIwQYMBaAFDq4HnQeYXPFiOW1OM2fUdecD1a6MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA86PYYj1IHQa2o6vKWDOGsPiJz2pzSjrsCY98NHP6bXYC\nIQDQygmeUN3a2RR9L5BTorhXOwzHoCQf1ZJCAC5XZfM9yA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZho6Xr5Pf+yKrXEHEja9J1rnNk4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMxNzUyNjI4NTkyMzk2MzAzNjI4MzUzNzIzODc2Njk4NTYx\nMTEzMzQxNzA2NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkeDh\nrXLKovu0GzcJq16cPQjcNJ9kpeJTDzbxZ3sdDj2nPulhNXCqdWa0rOdHnA3M+z1L\nspjhEOL6H972MKiJXKN8MHowHQYDVR0OBBYEFJzIsTyY8rmw60piGaqV+DWshq5J\nMB8GA1UdIwQYMBaAFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA1nB9LAWZKDcsyau3xLIXJMCThtcNwTGFGao4ocmASGIC\nICw8RaUjijt47g61xYeOuqfGh0RMVAgxU2LrpI0vlt74\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUDTSucafyRx9MccL9R+IVKk+b6GgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEH8c+EK0MFLPC\nyZxYmbTflUNK+Zng+UYGZhbEtjKsgilz9T8W6gszJ+l8s9YqOZ1jAQGClG4Rkl6F\nbeBglNnc86NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCyEW7gYvnEkzahi5vDTwbwSjzl6\nMAoGCCqGSM49BAMCA0gAMEUCIQC2/KsLAo6egx3Hk6XMJ6qsd6EgKweNFUnWXUno\nq1KR4gIgOaT60QB2p4NSO9pg8+mp3mABsp51DTyH5lFB0AdNups=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUeh7oeei8lfFL/5y6J574kuOYB6EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuEZjj+jH4RJ\n0vQmO7958Ui0HNLz++1sUmLE1/uJKbZ+oYZkjG/2M2qk0QhbiZ0aRcblnSlv0Rf8\nh5Hl6NlZiKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFONz2cBYXp6+ZPsW8hIIXzd5HPke\nMAoGCCqGSM49BAMCA0gAMEUCIBuMccD8kiiXx2VShiM/mJAqhLImrP2gCcPXDat4\nBu4xAiEAzVfXSAyPFEu7ckXakI0EJPRSgG2ILEEUGvaih2M26Jo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUaQdFQbADG1ZTsZnPYF5MB6SfT1QwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABB8C7cPfyXq1mnddZ6ROu9XEZpwI1zFSf/gPqaT+OojpstzV\n3HQXdceZQh3S9j4HAjOJylT8Xjtmd1u28i0W/FCjfDB6MB0GA1UdDgQWBBStT666\n3vJH2RddfgiHL13iKQ3YNzAfBgNVHSMEGDAWgBQshFu4GL5xJM2oYubw08G8Eo85\nejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSay5vwrgJ1c3fsw3rg/PDtHS\n+p/ja4HTayJqvwrYeaUCIFy/tYO8SqtxgZMM6isJXqcKDhefBTOs4jdfsMIw45BY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUbnBADWk2jlxXJvrhO4ubJwGfUrUwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABMSNt84+n59V6go70z+YuMlEmDFOs0xR1eFUd9j19HwFvaIi\nehRdmtT5HE+Zuf/2r3gzpIIg6Ns9rVqey3uy6gGjfDB6MB0GA1UdDgQWBBQgEXeg\n5xc0IrE9HlP9A5yZSTzYiTAfBgNVHSMEGDAWgBTjc9nAWF6evmT7FvISCF83eRz5\nHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPc6bxeK5pI63fD2ej5DP+Vy\naux5eRLjki1Yd+3gKbw/AiB5Fhr3MSIq+ECvzOEvCeOn5UsOG/WMHrinLNeclqEF\nZQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdjCCARugAwIBAgIUUfPC1BtakQSswicsa5SRuBq7s/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU2VeVzYD\n2RUUsldQq7eBMUFSUROsi0WhFyscCidma5D/FkEUNspbFLr05EVhKjlyOMV81yMV\nMmg3vKKf0s3vJ6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFF/NyFfAJonewVlMjbPOTPT2\nsCYfMAoGCCqGSM49BAMCA0kAMEYCIQC185XiPsHy+XxoI6xOHCOKYCp+zklZOtDi\nJbSHwbBivgIhAKerL7na0UzvyhJDI5yKvqpS94JUy6G+rAIu2b8nFcEO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGxPsAAiRDw43OsppKw+mC3CJmvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Se2RXIP\nd1n0ProOyzpo+14Qx8ZnWolGoMmJoxQ06yBxcu0MXwt3YDmZD/FU21WMo5e7SYS9\nYVZnNk/gVREOf6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJi5WSufyY8ZxyAqxHKrs28+\ny5G4MAoGCCqGSM49BAMCA0gAMEUCIQD58otb0BXNlb1tebdj2kGr5woFH9ove4tY\nAbRXxBVkHwIgMdcc8/V5u6xUpty3TynHyECizZruWT5dRAFw4aJy8dE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBlzCCATygAwIBAgIUBrGm04Odr11cAN8URnxc6OvLv4owCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARV7DKT23yQTwuf\nYoBBKLLOtOM9ucXJWm7x8SnKFY9yPdMURpiOPO76netEBtUMn/IIqNAGGHjeWRdP\na8vOJUqCo3wwejAdBgNVHQ4EFgQU7vvmJRUx8kQNv/82TFLbJJCpxcswHwYDVR0j\nBBgwFoAUX83IV8Amid7BWUyNs85M9PawJh8wCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0kAMEYCIQDY2BjV29aYYdK7dEWFXJi0MIi3Oltdn09XC8FmNRlBawIhAPZRD4nB\nmh6zPQ6G4f2BolcjHLsvIp1rqDuKgWsErm9t\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMoT/bEFSUls71Pn0m/VKzze9omgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ78WO5K2JRVbm1\nCW2R/yOGVuYu6eDZIOV7tT8dF5+ylnzKFzpFFhuNI9eOEEPdSyvYvgX19HdyJYJA\n0XnJJZ8vo3wwejAdBgNVHQ4EFgQUDJceQpM236IIPSbhEQ7sFOAJqP0wHwYDVR0j\nBBgwFoAUmLlZK5/JjxnHICrEcquzbz7LkbgwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIHqWhdB/SDFMgXpsVFkXOUk2bQW8xWoaKsjSd8rljwbCAiEA8VOasyQP\nhfOBrvIDxdQk9HXZkLEt1qbJXPcwGkYHjG0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFrTas7uwansA08zsdQSuCtrDe8kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFQps8BYJF+xujnR+bRx9Lp/UH/mn66YD0xbeb\ntqfxY2aXHkzE+0WpFGI3XXfnUKFKS2yew4iyzDCcajT2eKLvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhw1qRmcekTjusCdH8bjNDYut444wCgYIKoZIzj0EAwIDRwAwRAIg\nRLPdHaGpuMAoqk4ZVh+FPCddapCKZLDvqjNnYsQXaYkCID7Nr0r5un7ANK9ymgFE\ni6/zHC7ArVk4fElUTRjp9XUd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYvV+KHA0xXxu6E1T54fqmBSZGmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQr0Q5Pd/uePS2foFjdQcs/wAnWP5O+k5G1c2U\nFiQ4ggIz8d2jCRRhYKyHba3fOky85Ckg2zXn2S8m7PaMPbNTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULJZCtkNxfV3+2kfyRl19SOqS4XswCgYIKoZIzj0EAwIDSQAwRgIh\nAMMG75J/rdq7FH5xrDv9mn2S2x9uQEJm+9KkMOdx+luuAiEA76MJTYoePfYo8Ams\nNnRzju+LVSmN0e4ZKAXMQQ+YaM8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxzCCAWygAwIBAgIUKPIj9W2Lp1/bn7DkzSs95XuiBt0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBEDub8njqbxb76WUl0aK7ijfxFg9gu5lv8kXwqht8wi\nhDRjWi+hugkKnIrsBfaCkftxXFhv4qCNNNHE7ni8lNujgZEwgY4wHQYDVR0OBBYE\nFAfhwJEG0Zsp9KnDdMZKx7rfV2BYMB8GA1UdIwQYMBaAFIcNakZnHpE47rAnR/G4\nzQ2LreOOMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0kAMEYCIQCYddqcGjYgjVNjC8G4omzgrKoC+Fh0fefss25iIKGwgQIhAMa5Yxju\nJ8fA5KDi3atbuwaVPwkWB5bJPw2bhuuPKUdu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUcIOykTLhevd2z1rtWIStHfNVyJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF6de5Xkgaj9wDbQ7b/MCsl+CO8UN4357l/zK9InVgkN\nQY9IgipKcea4dF0fKJ6ukaXvRq7XZwgqD8qZq5/vqj6jgZEwgY4wHQYDVR0OBBYE\nFFanwjEN6n0FOovP+QAcZGQjqiqmMB8GA1UdIwQYMBaAFCyWQrZDcX1d/tpH8kZd\nfUjqkuF7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCcJNRqtpNCAYIc4NFLe9IHkTCabHRMocW8MHAY/rZEowIgBtdK+N1P\ng5t7srsdMdpY3G0xqzwI/VK7KcH9J3X5PvE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUXGF3tqZpLkWWHXpcBziRd6BkK3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDrXa4bmxWPzVFvWxotWl8gdj2Mjf18jrfLIWj\nNj/Il5FaLGnd+VzolTYBuqwwH8lU4vQX1gr5Us+Ir8wWs1M/o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg7gosP2ekjbTU/29v31f62qhiyMwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiAqeoBwsnhnjUUTpTakUcZh1898c2OFAlBX6Lqr\nDk3eCQIhAOE6aMeMUlsOyVeVNH35lUT2Fbgcccc8eVrInTFcrMuB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUPePdIh1++CxbhUDZAOdlsjKsUnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFV4zcuHOVdMvrmYbIGtiJ0WndgrhtFfUNm84o\nreUOZYi7F1/Uc1TppyGwh+5HzF7XBdD0EzwOq1dgGkAQpZDbo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgzMkwsc6D6vq3/DIkOzlZkNx6PEwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAnBInHCmOVmHAa322WYvzuPQmu5K5nRrPMSah\n1/3buWECIQDG9E1wJj5IMorIZ20O6OaTILgVcsUc38fbjIX/CusH4g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbTFE76YVEjguBTakCc/pVDPm9m4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKM5ixbXmbSxNSr027Wwxe2KYSEBpK+iX+5/+uxuSMBD\nplcsuCcbk7OtHel+0mQU353jEGSeeHShgpX9IS4kJZejfDB6MB0GA1UdDgQWBBSO\nnhZSiM+lok8CHpUH/H7ENPMVzzAfBgNVHSMEGDAWgBSDuCiw/Z6SNtNT/b2/fV/r\naqGLIzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK/T2z1ozm2lICFlntxJ\nTPkX+S5RPaV+rln8Wlg8RIuFAiBWoXEtHXZPqqaZeG5hqOHUWSgeu5VXfrAkvSHP\nAtJP8A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX6lYytxllc2GjBjbcBn1RGvPbPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDF86vDuy9wngvTNht6LFfbnauEtmJZFV/OG/vtDw3f6\nsSFgqAKhjQgvzIqFo+DPbTKXYijK8Vj5FjoIiJjhsXCjfDB6MB0GA1UdDgQWBBSV\nDUUBklgfdKtOBdWE5Ksm3XQBizAfBgNVHSMEGDAWgBSDMyTCxzoPq+rf8MiQ7OVm\nQ3Ho8TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoQUvTJk+YAE1GbSRk7\nCoDfAtxvk8oj3PWFGfaFk0pYAiBPg37IRO967dJyqzhLTHnGcxzVHZ5FOmA22jRX\nwLwRtg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHWLkvNHLQaIBD9xvApODTOH3XiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQsazGYm2FnCcB9nP8PY4bRnw526b995UDecAe\nO2imRgSaHnfl4MxrdnL7eZTHC4ApJqK5t6KF8UriwrD2betmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUamTx2EBFRwy65cETUDY/TTSZPbgwCgYIKoZIzj0EAwIDSAAwRQIg\nd9HvnPOXDj94VWtCfTG3JkPtTch0MRVaVPcAPAzG8YQCIQDmMEwEgSw9ahqUJbGE\nfHQvxUKrZ6ltVYHz+dBbZMNxyw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHQh9/o+XxBwaPl7Xa818SeO1FtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDG1qGA0B5lJ7PCy+X460g0AF7F4OyXqoPkVWI\nsGoquQvDqoxbmJU7t/5HHyQGq5aQFBTDz8ORhtaV+YK85rvHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8gv8HwUQ6Z3VJMAd5e6fT8zL8b8wCgYIKoZIzj0EAwIDSAAwRQIg\nJY8siBSuuNC0P4G7h5lLbfTdTE9cnZbYwJYPoTh4gzgCIQDLcS6JEIJByjzk4+J0\nBNaDifvTxNy8YSZfNqe395L11g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUXwlWUPlfgdOIdMZ0DcHsOYfDQAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjc3NjYxMzEyMzY0ODg3ODgzMTY1\nNDM0NDYxOTA3NzczODczMzIxODg3MjQ3ODAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLHYHQpyBIfMGkUzni/hoMoznq7KEdYwmkDlbbKxrb0pkhr1lYe+WAYvM5HuehB5\ncEWaa3we2l87pMuZbeh6E2ijgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUamTx\n2EBFRwy65cETUDY/TTSZPbgwHQYDVR0OBBYEFDKccDJOHFDNS5AyqjZuflVLmqXS\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIga2wghgkjNgLZ\nNWA4J0hAXFIiFYyq4TZnH6JMD7M9t7ICIQD5FjYvkQmeHAdDyDwtWTBSatkGVAyG\nL0piaxnfCJg6bw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUSnruJRfuDB0ypRn+pi/e2FjD0SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjU3NTAxMTM5NzM4MDk4NzY5Mzg3\nNjg2MTIzNDMzMDYyMzM3ODk1ODE0MzI1MzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKNlRLgASFct/GMqhoY+l418JmugeJRxEIeNud360ZusqwRwBo3Gev7vovqiZ4h\nMPWx1wuzv+xWbitJ3qfgsr6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU8gv8\nHwUQ6Z3VJMAd5e6fT8zL8b8wHQYDVR0OBBYEFP8uk8UsTOZUKDy4eq3GxFEqSXCi\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgHqYrcUpNRIHu\nHL8vn9GK5kKWOuC0fvFI4CwtcCiaTT4CIQCDCTnRiJBrVDy0uK6Gml05Zwpx68B4\nMzNOoQp0k84HWQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUObQWTsviOZuKlxDTlkP+KL0RbFQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY3NzY2MTMxMjM2NDg4Nzg4MzE2NTQzNDQ2MTkwNzc3Mzg3\nMzMyMTg4NzI0NzgwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Fj4\nwKDU0difIMC8hHeN3J5ibbSqTdGJWnQPGrv0OtQgbt3d5dahQ/1qzKNA3WfcjVj8\nQT6zZWi6ArlW+P2shaN8MHowHQYDVR0OBBYEFBGfpvXNUiwaNTy0jYuMPKB7NaOP\nMB8GA1UdIwQYMBaAFDKccDJOHFDNS5AyqjZuflVLmqXSMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAliKvBPUq348pjiLvMLUO4yBdne1WqtZgAgeiGvGimLgC\nIFMh8Za2R8jyw7oYWkGZlDkVcM4rS3nC973vcTVujDTk\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdazbHNWSTZycGqLPVVmT6tz8+qcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1NzUwMTEzOTczODA5ODc2OTM4NzY4NjEyMzQzMzA2MjMz\nNzg5NTgxNDMyNTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7UZx\nLQyV8b3udfh0ZcjmYaVxvpZOc9OKLKiWnM/Uua4oZK3qaCyCf6G6/20wpytLqeYZ\n8nO173iKSjFAOMX1xaN8MHowHQYDVR0OBBYEFKTVOVIgQStW6nP82Ft//gYGq3hY\nMB8GA1UdIwQYMBaAFP8uk8UsTOZUKDy4eq3GxFEqSXCiMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA4r1fAmmMxxBZC1SHZEPk1AftA57K0SfIjn8EapX8AIQIh\nAID44pfz9QTuduyfQMJEmnK/NLyGS/GYuowzv2nlu6CA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUc9P9Q6t2NvW1pdxbZNO6Fme6VHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNHNiZDyx+C8tnmGqAXzirLMe7BQwCxc3dXg13\n03Tbp01k1P6jvPXJu6Q/IOhVTbqjZWmfxtF3UDsHZip52cabo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRnaGd4KECjxxGgPogA6VwYEABSHjAdBgNVHQ4EFgQUZ2hn\neChAo8cRoD6IAOlcGBAAUh4wCgYIKoZIzj0EAwIDRwAwRAIgDbZ4XyWe2jOPSbhb\ne2FC/IbnUP7FU/nMeXl+cKgbbuUCIDK9GL2Vgom+yNZSqm70DFl/T9N4GH/ImEfi\nGEHtePBy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUT2+4tBpzchlbrFti0H2K6KUf+oAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW99woL5i9kq6uTkLow4giCO+aTQA1n8P3I7zl\n3H+21UQTVNfOPEr4dAXshWR8dQkmtBFy9XiucVb1ut61iqrMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ/Y57vXFCQilDUuyPHMFiJg41kvTAdBgNVHQ4EFgQUP2Oe\n71xQkIpQ1LsjxzBYiYONZL0wCgYIKoZIzj0EAwIDSAAwRQIhANCeAUAAfo3bh967\nV8yHMbActi8xQFRJciACL+rrSchxAiA+tRzjfu6rMOvoMG3+oEqthe1rbJ2Ps2r1\nD//B9QRozA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUfYT9Wx8rzldUprdX1HE0xThtLzQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPBLEFziufMVtF+bTtd7+gUZP5Fc8uZPCYPG6SMBIlxz\nVvFLnKQAxdwd0VUGI/ePxKXtsIBlnKPK5qqTVSuzZP2jfDB6MB0GA1UdDgQWBBTR\nlj6LzyvLjugsHgbidXAKn3jlKDAfBgNVHSMEGDAWgBRnaGd4KECjxxGgPogA6VwY\nEABSHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgWHLZd57Dz7DNSCy4l8Yg\nf21vTDmNcVl8piqqTNl4qSUCIHh8DcbuBeZoKFrVfvfobur4e5WNIJ0DYT9ZqTpl\nKIiK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDKSj3vmiXuWPGtrPFnmKQ0jAStEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHd2rzI1Qdb/2ll+PbsPeOp6Gdj6w/edo6Idl8XW/P2X\nFcZ7/IhFNkb+vegcXwCy9w22MTBegciC208IFvVh7n+jfDB6MB0GA1UdDgQWBBRS\nZU06n8S4iTG99T5nw4hZTkGqzTAfBgNVHSMEGDAWgBQ/Y57vXFCQilDUuyPHMFiJ\ng41kvTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPj1DmTdznncdKrZcnME\n3Wb2Gap+Odu11rjnbXORITDpAiAPccJK5wVsIJBTrm8licJb0BkyEgbJK3jBXFeK\nrELyBA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUAo+S0R61j+viQdwC38L919Wr/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQAj9t7NAyXs2qPcNJ4jAbwgujgcOtrsKynB7Hb\nshzOeYO6WD4OEpA+q4ZiJMifcQ2YrB+/DcGVYvGvdd81uOrro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8QvIckAmigrqQiId+QVB4Fx+3oQwCgYIKoZIzj0EAwIDSAAwRQIh\nALEMQn4/BA1VrjT36Cz3Bc9rnXnD5hRTSjcM0FY4F4LAAiAIc2Xmpx4f3cU9uC1N\nElcjy1eWbSPhHvXVEOycqPYqYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGxvzpd1uXNukshMP8tB+wl/fY9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjyri71HeLPk+5LJRp8/cKkPSGkBHATeMGt9nq\nL2QAhNZxCNxdFblpVFrog1xFpD6PM0wtMuoXQiUXwjESGYXVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmRPdDjKJVbTfEXdnXHbe1vXQ9agwCgYIKoZIzj0EAwIDSAAwRQIh\nAJXHX7NWTLwhiGtePFCQIvDbInh8820TwfSwDewaeTqnAiA+zkFccf+s/Gc+Nm9x\nnO3bYBc4GHWji1o7magZAMMOzA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUHz5Gwl95JLR1yXeijnRsCO5Zpn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHQMlBz35xZqZou099dYBv1t3Mxobf49EoaduUF1XaDX\nZ6eh6cR9RVsEfYHBSavWYqYkXqL4Ke5zeksIvPG2oiCjfDB6MB0GA1UdDgQWBBRb\n79XrH225//afb74RBCRaWKIpVzAfBgNVHSMEGDAWgBTxC8hyQCaKCupCIh35BUHg\nXH7ehDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJdtWjHt+TWn8MhOY+b0\nehievKyGeQbTEzK/qjpvnHr2AiEA7KkwdmI1+/+dUiTs+aEPzcj1zrAO5ww+oVtC\nizTZ5wE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQiKFHJz5Vk/ZEf+42AZnYRq6mh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/5IU5Pd2u2Sp8tn6UikZQ8dvHWt3bBnAW1hNA5wJUR\n7BD+NT8KQEz6lmkELfgPYhVK2n7EcNKOWu7QOBpJH0OjfDB6MB0GA1UdDgQWBBQn\nMr2zik5lbLrLrFW6Orb+8hjs1DAfBgNVHSMEGDAWgBSZE90OMolVtN8Rd2dcdt7W\n9dD1qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO85K1sWbq8Fx++GjAio\nPkPOTij0d5XCH52stPfyYPEaAiBsqe62bOBGcTQKkUIKPyykmQPuOyEP69ZbRoWt\nxfKqQA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUBK6m06nCHdILTIUP7s87MeL6hpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTkzOTk5Mzk0MzMxMTgzMDk2OTgz\nNDMyOTM5NjM1NjUxNTQzNTY4MjkwNzQ2MzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAZSWn7wyyoaFSGLS5yDDt+lNuWZpcbjgBXwoR9mR+wmmUkF0uQJiOS9l59oWJgw\nXK1A4mZ5j7UJ02gz50vL8lGjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT2uxf8wZZP\nOBRVaHyU557eSN1diTAKBggqhkjOPQQDAgNIADBFAiEAvcpHYD2fEkPSihZ/lFqu\nPMNGGkYLjPGcdv8hIISAawcCICxLIFbjTKF9tW5nyn3BmMUhbeZP06z55gUDi4W1\nK5zu\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUI+0+eM6z0489ByJe/iOdBC1dnuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzU0ODkyODc3MTY0MjQ0NTc2NTE1\nNDk4OTI2ODc0NDM5NjU2MDYzNDEwNzEwMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPt+palKY1UXOrnc4cn3kqF1ooEsIgX01PIpMCcFXjvX32Yj3Zr4AmlfXpfw4jDz\nw4Ttrz93jhcpeKGO6TAFr3yjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSGQaPTL5wK\nhJIcrPJUfrcBxbfA1TAKBggqhkjOPQQDAgNIADBFAiBoBe0EG13ZcEzlZfeJFJej\nADrVybWurM1WjYmK9qMlGgIhAMw6984H12lPPlug0IqvlyVcXNcdByuRG/+BwU9I\nVTD6\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSa1FWXaI7WTUJt4134+As1MJVSYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk5Mzk5OTM5NDMzMTE4MzA5Njk4MzQzMjkzOTYzNTY1MTU0\nMzU2ODI5MDc0NjMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBR30\nfEoh+T+8M9xoGscaUuOuwFbCc0c+wrwJZdl7FQ9oLbuxWHhutTzODVNe68tSF7P+\n+qCVZgra6RVOoCwAU6N8MHowHQYDVR0OBBYEFEbM01FQxOBWr47dJsq0u4y8AjqA\nMB8GA1UdIwQYMBaAFPa7F/zBlk84FFVofJTnnt5I3V2JMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAuP3yKtz4adE89D4or43zyGPHXGtR1MAcuS3Djc0IJowC\nIF5hz0kmrWHDIw/LLx5l/wlTkZ8Qjm3Qr9yKxzz8lAAc\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMSdYAAyRI/OoNpQM1hSpF/EvaKMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1NDg5Mjg3NzE2NDI0NDU3NjUxNTQ5ODkyNjg3NDQzOTY1\nNjA2MzQxMDcxMDI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOWVQ\nAQvJNuILrwFY9ArrrHV1tNCXpTNrpoLfcqqA5rjp/S3fo16dll4UmF6fFW8SoVfO\njGKjUhAohJB1tUofM6N8MHowHQYDVR0OBBYEFEuvjDY6gRQiyYx18TzbF1xZkNye\nMB8GA1UdIwQYMBaAFIZBo9MvnAqEkhys8lR+twHFt8DVMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlzzIG3Cha5+A2hx2do9ah+RzNhZltG6siwPKHuyPNmsC\nICsokkuSIMic5OIgcY6IsYAnVR8xNw3e5CDMp1qW/N2O\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ/Kb+NEXdKvfjXE5EkKRdQUy39EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkFAZYOV8TAAJeiMioTCGwOk+yvxmOzqBsp8pz\nO3pUtRmk7gyI5FJHcdnBWnSi5hiJyyD4LZAuX2qfoK/QJHrMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoIzaY7OHPiAbnWGlNwVTH5nOvuwwCgYIKoZIzj0EAwIDSAAwRQIh\nANBTynLr137B0PwpCEoxlkt5D0xgGqjgPmdgTzBuzhQIAiAahwaMO7fcSrk74OM8\nDVv3J/HO9zDdseS1pyb4k8C5fw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUS7LkPVZRsJ2Z6Viq21FlwpNz1CUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1zFubCJ4LQAuAtbY4OIc5dIFAJl7V2gJEIn4J\nETXSM9on/0DMDknRecADiqrKAsPXUPXiFfszIJHt1LCaLhBoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUET5JS1C7AvH58BwtHebnVcVttAIwCgYIKoZIzj0EAwIDSQAwRgIh\nALAFlHuPMf4rA2N4se+CWSUHtlm66DueSBpQz4tMFpD2AiEAlRTzk41QXCc49+r4\nYK0+Up58qln03FKreXY2iwC7reg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUViPmWjgnlorwFCs6AHTzfY07EPQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODc5MTI3NDkwNTU1MTg1MTg0Nzgz\nNTExMzE2NzIwMTIyODI1NTEwNDI0OTg1MTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHtHO/r4+yjJbubTaYJOOSyCVxXOGRyImy+ic771eT+ucWscwPkZXv2gIKiQE2zt\nUj+tBGuxew2cklG5n8x2Au2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSnPsmwGTW1\nWMwieMg/W7NceQFSZjAKBggqhkjOPQQDAgNIADBFAiEA/RSxDdO9T7uJ+ho8uUOV\n43MgRAIkFnRCg/7PoaELl+ACIDS89eW0lcGlUlea7CoOv3eWCa/L97QMUjgEifMy\nxMOF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUYrwDwvK4S2l9nTIt/Pq/uXm6310wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzIxNjM3MjI5MzAyODEwMDQ2MjM3\nNDk5OTg2ODIwODgwODc5NjI5MTA5NzA5MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOz/4IEcydmjjcl+AMc+NCLJewlXCGMAK+V4zC3hBH/rYZrEDzLgWiXc4KHQYH9v\nE+C5d8UUd3RSsqDvvn57oHOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTIWQVmAOxm\nzCBE2nNdRCrN9XyMtjAKBggqhkjOPQQDAgNHADBEAiAZkPuM5pUWAW6ZDCfPkoDn\n0v8pSkU0BlhXZldYbCzLEQIgZAskyzoGJS2qQKDAypAnGRXWl6l/l8g5uvWjVCSZ\nOpg=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUJyaC2UdSk4yxVGVPetne0C/cejEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzg3OTEyNzQ5MDU1NTE4NTE4NDc4MzUxMTMxNjcyMDEyMjgy\nNTUxMDQyNDk4NTEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIj9R\nDSKdPjyOjL58mhKC0ELGS3IHPABEO4rDo6fNqSCyRKV5aC18l3ycDg86rJLeElUd\ndUPBULktgiWDgnSV9qN8MHowHQYDVR0OBBYEFEqWnazXDWmFPRdeBj1dCnONEAIN\nMB8GA1UdIwQYMBaAFKc+ybAZNbVYzCJ4yD9bs1x5AVJmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAt/KlzRlN/4INEg6ey5hYIDReggwo9K09yuFYWYLLSxQC\nIQC7Lb28aA13jVTmZWmvwVEWcjBtKDcEH845u797kNG6ow==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUPN84JqikijGo/0VvQb/FgOb6/ucwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMyMTYzNzIyOTMwMjgxMDA0NjIzNzQ5OTk4NjgyMDg4MDg3\nOTYyOTEwOTcwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLM4\nGiGAssWcsBJAqSwjpwCw8d4vSD/t2cWAVl3Y1eDcesQJOjQ2Eldi1awCHa3vnTSu\nvd2/TKpKL4Qykc3b06N8MHowHQYDVR0OBBYEFEqEtUPa0vM1pKsqd6EOprNcEXfK\nMB8GA1UdIwQYMBaAFMhZBWYA7GbMIETac11EKs31fIy2MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAtzjD3bgfqmmfhzBr/7piF9fwjWak3zZ8K7pfEF0+5M8C\nIQDnq51P4vKRv6o3aEEViGsU3cNkjcU7A+aZltGlAkVLhA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH9ACvcI87AI5csIqzTdaerDHk+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7mq3mPsKCvfkk5wDNyA0nS52bsQW3En/FXeVY\nRELey+q0uE6kQUf3TSkiOjUwFh/T6ZKKj4w+dUbhx7PLRsXWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSWfx3syoYS2y3AccVc/FC/fTdIcwCgYIKoZIzj0EAwIDSAAwRQIh\nAItYFL7yY8VQzI0uiScGh7lZ+z2tMYkunye7U1YpRO6sAiB7VVExidzOufOwt5YM\njyAyldZr9LgB8k0hNJsBuMXosw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaHtVaLyq4OXjnWZrmcn95rV7xtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/V5wKCmbs8SsMgcyuiuSewPUYvNdwKExSTjpc\nR918gBIbQ7xJiy26motjLPGOg8Gptq7MYArJEPn+6utJ7dmco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhE5eEnxuRfOukEXS0/OvrrWk5L4wCgYIKoZIzj0EAwIDRwAwRAIg\nfFAFw0YuHsW3x1LEDf8+bcGBh7nhHvky94j4ctLqeGwCIDsVaJ/tPHfOUY6RU0gw\nqCWRSU4bQ759bvqh+5pjL4a4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA++c1qUdj0i94OzNzLmP3uOZFoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuNrjqTcN2qFlG0ARqEfsnHf1h1t1NkoNahwK4prOyV\nOeA+dHqWy7OOX3eGGC/uyjyS4C2EEhqxbv7xYjGaM3OjWzBZMB0GA1UdDgQWBBRM\nK6QDXeqaTrGtFlXfGJSd0BhhCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAIqJQNJBpRPRzL/KBIyeImdXd+3mmgfoqESViLcX+SjCAiA3XUak9slm/drVAxrQ\nmjUej8x34/QPve5ZrsdMgL8bMQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabkV8PoIpn5fGjhWgh4+WuGQXO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG3IAddetBhQnSNepHYC/RIA3EzgQ5OwXfpENovMD1j+\nWva901eFhz/ly0zXwmx59kAiSDEuikdBhTP4tc3p8M6jWzBZMB0GA1UdDgQWBBRS\nlChXcN0uw6jZo68Dwvab0TQncDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMbLUtKZXSUTB1M10EzZHA1nVAfYWiBEyPaRkFAgEHcBAiBWKMPOTZs9mLBhpJyz\n5fjTv/Lp3wRrfRA+6uG2sXnpog==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUe0rjb/pdypmALQ0fbL1HI8f8ErswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASz/3/+gPrC0XOejiC01qxWGb12+DVGHzWo0RCw\nqYdY+TXf0Zcwqx8tHCnkMuc1Az09O8yijeaJgEdClNIi8oDco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUGkl50B2yQN+rvHzajomY07Z0kmswCgYIKoZIzj0EAwIDRwAw\nRAIgaHkHMs+XANerRX2YNmfckNQtLE+24dLE7J6DLaHoRAwCIEhypogFHOMBpvvx\nAiNrGpBLWQGXA7/kD2qRJZX14hPs\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUUQiBu7VjCb7Vd0ip9acdZHPSQyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuKOQRuE6cCqjvarekOI6J3a2rwk3npZIENDd/\nMxyZdgOnYL/7qfjtegXip80gEwXaaNERdaosWQhAvNdv6HWco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUkx0qQsdu1V+BtzWoeTpyInr5r2cwCgYIKoZIzj0EAwIDSAAw\nRQIgek7Ish5B1b+X/0ncGMFyWaK6lk9yeGYb5++rf0QapJwCIQCrpRdYJck2n6ro\nvIDDViABO650kKYxfIa+yRGd2yf+bg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUCvSVAIZOClK7sy6CacJXDAZiEHMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNtyDn4Cdm6ZDKNDDIwIqHBa1aTHnoB9KulD2XYir03B\nHkSuZiZs98r8yVAP1WXjojhTEImG4Ec1+5ieQ/irN/mjfDB6MB0GA1UdDgQWBBR7\noRjdd2eCVDGiJoBele1DQR7PSDAfBgNVHSMEGDAWgBTUsQGGhBKYf5GCrBkssANr\nnWz3EjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANBo85JHfgcXz6eZ0b+f\nXqk9hYWCbcfq1lI52BCUzBJOAiEA766xbCOourCk2blEQ9uXpYVRqOk5SmyGYGBk\nswVO8hA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUT8m9vzouwYngxBhuw8z3uv13RowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN2a1CSHpxJ6aoLE0Hwv14Vhsa0TbzzZT+k6xrntVMbP\n9bHJlHMum19wQHye4MIiU67Hpb6kU+CpMvF+nHPtIo+jfDB6MB0GA1UdDgQWBBRg\nsSMwuS8hu8dNlEwSzg8RmODaoDAfBgNVHSMEGDAWgBRTEQRUeUJ5u6Qn6tLY8gIt\nEocjmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJp22Huay9ofQbgbVrcn\n7Wa+E/eg61By3nRANhTtjpZhAiB8GlzlFcuUInPAcGmCOGmogdpd2U/UyO9fewaM\nh6L3fA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUD1ijKmaq8+72Smmcvq625TUaiEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASaWqvuV1tFkqdlkLNfQO+qOShFdclxU8ZLnnrG\n/tfPd9Rwks1AJkNC8/ZtaFqn5DszJNDBp7R/A3A7BVvUL+4QozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBogeS2wr2OA7vZybfDxkMy5zCSc03AylnourWjiaVp\n4AIgaXj+5ghMuC2NAgMkgAxjUMHmG7I6O+Dfqg0SspCGZBc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUPf776Z/CFwARK77gSJPyB0DhJAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr4QgU8v0AZRmX1cKPflxp2MoNik39C46bk9Ie\n6fC56Lj8JPtJ1qhcpqon85kI8P5bDCV3FIzcU8Y1F2A8HbA0ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAyEazV/ZBVaee49N8R4+SrqR4PVVTX65ewD2X40zv\nqpUCIHdm5QkvNJF+nXZNHjZJ5Xj2nFohZCgOLCSLbKoVEAtY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUcHx32rRMQjDTh8L05ssbnyyKNdowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEWHgwiFEuMqBaDgLbaiQicuCaXSttsv4mwcdrh14lqH\n+XYs4VJpITkzkK2YFCSZTA3VEnFR/OCnFXEXOpLCiAqjfDB6MB0GA1UdDgQWBBRA\na3DLYH7med18xFrVoHCY1RxC5zAfBgNVHSMEGDAWgBRMS4AL3V9M8KKSX5ijCiau\nY8twLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEmF60So5y5Q9EGdE6vAR\nVwAgWA3wfrtVfYylUkeQs5wCIQDEMw2W6GPgqVACQlVwskmjQgfCsbQYVlcJlVb3\ncfDKfQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXPPEWXTD1z1KvBVpLvS4olfQHH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGm9jbB3e13Y59FjfkkJDcc33OtAJVzWB2NtDjsD3zzy\nM5qPjx8iYQY8YaiSEExGBYRqT9HM+YXMjIPCpTKVEQ6jfDB6MB0GA1UdDgQWBBSV\n0hhAPkb0Tmc/jk2gcGifo3w/+TAfBgNVHSMEGDAWgBT3PyUwcDGxrJTF4LyziGfZ\nC1ZOkDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN/CqwXpIIriXvbNOHBw\nMKA54eu500FsHoNX6gVFEmCDAiEAhgNh4HavtkUT67J1Ls7090d+k8r5MPomUzqh\nTrRaRyY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfUEP8tDAz1AN7AMFoYcGHWajKgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASb5zai8Q4Ps+4JeloKWRx5ov5eCM+v/NDew4g5\nyACF/snfY0SUlkwk/Qc8YwiM8iCRxNyK8gwIit8GYQI6lN/0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUblr/7hQS52nFErwHsqQlL/DPJ6owCgYIKoZIzj0EAwIDRwAwRAIg\nQK80BAFcH3KmrZQJBnZKysTyQSl67G/CmkKgqPUq3DkCIAp7d5FwHMVpX12GVlCh\nHRyfWmn9YDOd/xOkj2PII8gM\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUNyNIMm8JB6PyxWxcOrDPfwnNxKowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi7dDBml1o10fehGOEVOftvy6ppGmbEtz\nJZrKfhdmZels/a7zsbr9YPjWqH9+tn2k1X64SHReBne9kuvquwCFRqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFoyg5OCEl9WuwnibAL2u+/XS98WMAoGCCqGSM49BAMCA0gA\nMEUCIB1ZXY6VoQFGWO+sKSmnZ3MSd15dQ5VQrnepMHlGqrqaAiEAtELwchdjgIA6\nT1E4y/zBR4VvBzcRMY+aR7G2Wdb8ffQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaddfGPDENHPnOK1p0KaMR2kE8oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMlYLE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIg\nQDJHGMEX3zno48cT3K8vEouNQ17zGf3nhdEY8odYl+0CIQDjM+ej2UqyKcC5o8zi\nuchGOZUqoQTJ43oSIlS1TMeRTw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUenakj273C8IsHiNoepr4LyiM8gkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo0YfrN1+mFuWXR0321pO9Zo9Gmb13SQe\nu5x4xH+FJf9YLzCeKscHsmVbh8pFNrAQKzsYqqplWFoDMNcb4dCAg6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHr3JIAzi2PZbeAIpWChaYLUXrOBMAoGCCqGSM49BAMCA0cA\nMEQCIAD99h0QoXj2g2sbzawicF+RXxl8+EJN5Pm302OKjblKAiA25fzpJdkm/2oP\nZwk1nX19jSKncz6W+/3SwTTa8Sxlsw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPAdxZBuFXf3Mi5ftlRhKduZN8XEwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASb5zai8Q4Ps+4JeloKWRx5ov5eCM+v/NDew4g5\nyACF/snfY0SUlkwk/Qc8YwiM8iCRxNyK8gwIit8GYQI6lN/0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBRaMoOTghJfVrsJ4mwC9rvv10vfFjAdBgNVHQ4EFgQUblr/\n7hQS52nFErwHsqQlL/DPJ6owCgYIKoZIzj0EAwIDSAAwRQIhALEMuMLo+7qjN3dO\n+u9KmtEM/B5wk/C2gNAE2qmnrJYcAiAhpA46MkA+MbG21HtW/bdxOCrXiIldQNut\nwuBCEX23xQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPaYLwkAUvnwZ0pWtC0L1B/v3lRkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR69ySAM4tj2W3gCKVgoWmC1F6zgTAdBgNVHQ4EFgQUMlYL\nE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIgQticCATV4NOu0hF4\ncC8Epcy7ZkQel2ZSsNHBXsP8XtUCIQCa0mP95rWMEOl5VpSofoCaWHrJwVCojpO3\nIAepvtbQkw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUB5lhYe3ayw8MAtud7VAPOHURrDAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABASpzK1n5eHzLsAp1y3R0XvNI11qUFDx7jx14OrRIZmt\nACwowrGdHiYgJjfSfDs4/eERVrHi2BpYw0FYwddUZBmjfDB6MB0GA1UdDgQWBBQf\nQBPdVq0d4V2um09wQaXD82m7pjAfBgNVHSMEGDAWgBRuWv/uFBLnacUSvAeypCUv\n8M8nqjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLgv7Ta8vx1YxNXXOA6ZQ\nQAyps8hVmqX8Ib+TMf2TUKcCICZULf9Lc9JvWCGcVqaBYOaux3QwLfGRaYD/zurN\nYQe8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKfePJR6NwKoQeP29B5OdK4xOLG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPB5ZduIGvivUxB5KCC0pzSTpdLbulOzXPFoyVBNDhFt\nVsdzIF4zsYGTc/BkAeFHwlTgABZTc+w9V6dmXF4xyXSjfDB6MB0GA1UdDgQWBBT7\n95sCeBtZVuww5WYyfBIaRK3guDAfBgNVHSMEGDAWgBQyVgsT0lQT5qAr0nFVDf5a\nScetDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXpmeSNkN6DzN2eEfbB\nckZGiY4vkYQT6MC5vuXannACAiAA05CSN468aU0H51u8L8+WHz0tLAIwc0MMHU+K\nyQACUw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUDgzmA9++dIQefHZNjkU02jUKoAkwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFp1/bIccMjT\nV/9aPKRqmmVawkVpCwPCgcUGybOMNbWH8jJAvQiqTmEY1r512Mulx9ctj0QGzwrN\nUFFhoLR5sn6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBT79h8AfYBkThFDJsYMoXcfqbZ1\nvjAKBggqhkjOPQQDAgNIADBFAiEApewNP9op3b4tAiR2gIe8OfYB0+5OTIDopmdO\nORnY0nICIC1fTixrtfZQEI6GqxdJpjaHiRkRdEU1pAVlZh0h47B5\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUTKoE8ibggclHVzvJvDZ1kNLTIBMwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPRFcn6Fygyj\nRqnSEKxovYdx1TDXsvcXeXjH3w7ZHldBqGwPXU8GCzOBb1U2D2Pq0yDp9FBI6FVO\nFFT8GzQbp52jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSibqNKswPa3Vws9SwQUmzqYX+7\nSzAKBggqhkjOPQQDAgNHADBEAiAidqujuzhv//aK8gUYolJT4hZhEmDOBap8O1Ui\nmg68egIgGQ9PUUr7S99D3s8LC/QVsLBfxivWpddsOCrkaJq4FFs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEk5/aCEyufeeIhRzvpCaTK1EHpYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT84bnvb2Xbu0oO0Vu7lVLTwsKG0y92Zswbvz9q\nDsFLJy6N7vf2JKjBsSuT19pcmaAJKngPgsA5KHhD/zlfDBsTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO9Orkw3Z5PcabBxA7whipWypHTgwCgYIKoZIzj0EAwIDSAAwRQIh\nAMQHr2RpHSmUQ62NNHQ8srw+dRlnNKFqiVATK/cntzTFAiBb6D6kEPqtS38oYW8P\nAETca/P4+SVNzjjUuqe/vDYlgg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUTpQkmNFmkJ4WYBQPKNp7IykZDAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxMDQ1MTIzOTA2OTQxMjE5MDM5Mzgw\nNjIzMTA2MzM0NzQ0NzkyNTk0OTA5ODM1NzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBG2KHjb5gP5DZ+w85ycq6FEGnnOLrJnpgXYEhFoZ2BjQabidlPZpgeWn6JPodZgU\n63FRrY66Y6wSZbHr9MB45KWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDvTq5MN\n2eT3GmwcQO8IYqVsqR04MB0GA1UdDgQWBBQ+WhiyOo7KNwR7C1UHCkaE5U5BgDAK\nBggqhkjOPQQDAgNIADBFAiB1BgE58bC+35MUchNEE9tSPbYOOaa0DYQ3szjE6Wex\njQIhALoE6JtVl/TNo9hNeqq2cjS9MX627VhTtwtQ9uWCJzqM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURMplJoxJYX+9CQM7e4cYqd5Do78wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBJKKPmql2B1CeD4kNRQDQTZkz7V8Ll1W9t5WS\nhk6rxjkDS1gFEMmIJQ4CPpGp5Blk+b6QhN1w72+c4Y2nBEcho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYnpQR+eUenPNOeq108E6zmfbMsowCgYIKoZIzj0EAwIDSAAwRQIh\nAOpyDLh230ebeig6vcEhfDG4d63a4QKvNK9WF7YtlDZNAiBDUG85RXyKrtvWeRaE\nIxexabXBMOFErOvdk1inf4pP7Q==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeGEDsnn9v+mYufNc/f0VTC4B0iEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTI3MjQ5MzQ0MDQyMDYyNTg4OTc3\nODk5NDAwMDM0MDk0MDUxNzY4NTQwNjIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPTqCjhXggIN1eU6tHJr6Ex+ofQSFY/5ltoh3jxComdFDTPLD2E6swtl9/osEb4\nXZEXniVrXvyIxvAjzniyFWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGJ6UEfn\nlHpzzTnqtdPBOs5n2zLKMB0GA1UdDgQWBBQxZLapl+W1VUpQ9xJb8cETEw6EpjAK\nBggqhkjOPQQDAgNIADBFAiBHe65VBpWkngvAYKGBmPkalQ2b3AAreCe3KWG3z9V1\nxAIhAMBCngJ+0zeUeyn6aDP/O1cc2m8RXRHCipmiIhQoHAYM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUbduLy5q5vo2B56fhSm5WdRGNU4UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA0NTEyMzkwNjk0MTIxOTAzOTM4MDYyMzEwNjMzNDc0NDc5\nMjU5NDkwOTgzNTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDgw4\nTHlCbryJoFxaoSfdNixtbLbdPho2o38IJXMK68fKzDc2aRyszdvb8QEzQEJMWR2H\nJVRnluuGbevVF3j4eaN8MHowHQYDVR0OBBYEFIRA6kK6Op5KwWH/5HpSNtiQLst7\nMB8GA1UdIwQYMBaAFD5aGLI6jso3BHsLVQcKRoTlTkGAMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAjPiSy6vXpKkIEj1bz7FTy7LdbH5LhbByK1cSNJi/3mAIg\nQembeTqNaE+4IkLU1c9itmDeIZVV/vciVATR1YFsM5Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUT5TbDXCIQ46Oe41Rg9wGCXjBYcowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyNzI0OTM0NDA0MjA2MjU4ODk3Nzg5OTQwMDAzNDA5NDA1\nMTc2ODU0MDYyMDE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWJjO\nn/m6Xh5UCaUIIAdifpcrZyCx2mqvfJCC49cIz/TPx4BOW5SzgPqx04PtV3cHlpx9\nOJ0a+NRQV6oOsM4B4aN8MHowHQYDVR0OBBYEFIIxzlJoW0Ud5opfIDbIicXR7U80\nMB8GA1UdIwQYMBaAFDFktqmX5bVVSlD3ElvxwRMTDoSmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAg7KO3wYL40dAl2CWhvoHgAC8oK7XqKcN/KeNioHwi2oC\nIQCQkk3nf9bZl/vniKEnaD8ytgO3YXw8QOq25/RJJyK/kg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ3hNi+t6Td4xpaPtEyYS3GEu7IYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASERE20GOcZ4q0tSzhfqcXskDCbQTy7hdO9T5qJ\n0lBpvKz4ZyAYAEqB1DeHsQoBwuChVtp5qpQwOfqPZcwR7Ntbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1c+iHA9qXdi6epWCAeMEn13PfQwCgYIKoZIzj0EAwIDSAAwRQIg\nFXdE+GEK5KEycxfUWkncDJD2yVfDnUbSZLn8WET9VPECIQCeRX+u8lo37+yguenO\npESH/QED1IauEVP+DuAEhR4O9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGAVUoY0c22m9MsXQleEVXRz9zK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLbkHdbN+QOdTbgQFAGR8Dc24lKUquKWBsnTSf\nCNQJ2zOkg+Lh7bCl/lZiuK14uh5G7JD69hrc+HBaXE3MLzzNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc1oByTavztrd+lqecBvNNm95nIwCgYIKoZIzj0EAwIDSAAwRQIg\nGEBWRktMBOi+QVtZF7eenxnF4eA/7JadqlvP5alohT8CIQDt7IUwn3SZdg4+iWDZ\nFibJ8f8hxOPtPhvZXpXJi8B41w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOmXRbEN2cbCA1HT4hsezsZ1aYfIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAzODUxODUyMjYzMjcyOTAyODkwMjU3\nOTYxODgyNjMzNzI3ODM4NjE0NTM3NDUyODYxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABLZpVr7QdA2GT/GeYMaJw2MxhxaMs2RYB5lCRsEc/Dcx/LFZ0QklvgK0C6MZ\n9J/6mw4XxowwbliB4E88DfO5VdSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFNXPohwPal3\nYunqVggHjBJ9dz30MB0GA1UdDgQWBBTDoBvCKMhsWL/o2dTK1Mh8GdAQnTAKBggq\nhkjOPQQDAgNIADBFAiEAspY8DNQ7xfqK5f45vi6v/feKTrlaZXOy0NrvcZ3GqFkC\nIFrb6u6E0Bos3RWweUFnxc7dFpVl6XJdnAFvapWDb5Y2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOCHEjYDiubR/V7KrtvTObxcd2BYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAxMzcxMzQ2NTQ2MzA4MTUxMjU3NzIw\nNDA0ODk5MzcxMzM1MDQyOTU5NTQ0MDI0NzkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABBvDucVWAw8bIT/O0W0q6/dDetPxWhPykHES5YAyLndbHmncd3XOMdadTnXz\nsGqMN9Ph7PPMTJVlbRgxOiFY4v+jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAnNaAck2r87\na3fpannAbzTZveZyMB0GA1UdDgQWBBRxi303P3orJBG8SmEY3FXBHq61DjAKBggq\nhkjOPQQDAgNIADBFAiAGqi/vFSmQ9TFcOkkkY/rrU+b8WPqWAUsPb2n7zD9p9AIh\nAL3j3hLporCETLPqdOxWu/cQHqThssEbXvaUA+yOWCDN\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb7bdENBLDnP+ezzTPBJPYAcWBecwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzg1MTg1MjI2MzI3MjkwMjg5MDI1Nzk2MTg4MjYzMzcyNzgz\nODYxNDUzNzQ1Mjg2MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n7Xml2j0nzXGuIWbtOfxPyLEyB+7qOa+i5muNghmsMYr65oRGyIlHc+Po+Rofi6te\nrhkwyerhFrrFJhGbLyaZfqN8MHowHQYDVR0OBBYEFEKx6IkyvKj490xgiOqAnRI3\nlxreMB8GA1UdIwQYMBaAFMOgG8IoyGxYv+jZ1MrUyHwZ0BCdMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAsNWJ7o3uYQMGa44mXb7HmWJgA/JeSj4aFb0orI81\nUB4CIDTaGKcvbCot7H5wv4sUlB0mFEJORbCl5iEOpiD3gTBP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUWq5oKq3UMCLoTIyqj7PE1YsY2AAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTM3MTM0NjU0NjMwODE1MTI1NzcyMDQwNDg5OTM3MTMzNTA0\nMjk1OTU0NDAyNDc5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqOTZAKnRDNovoCRaSt1MtKXEG3gnjVrci32vQUUYK7FlsthmyxAQ9ROGAWJE7XOL\n5GgPKDQkSO4Xiz5FuNKCX6N8MHowHQYDVR0OBBYEFEv3gT+mklzjNJqmxTgbuNyf\nbX/mMB8GA1UdIwQYMBaAFHGLfTc/eiskEbxKYRjcVcEerrUOMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAwIiX8A1Bl98ZiTUE2bp4oA9IbzBMSwqwOnkKSawP\nRrgCIACXXIyeuF9TnwTrvnqU2bvPRoqZiOv+9B0/8WbrXoRK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfG/eIYOqhsMyn3COUpzkzDrKg7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATku0T245jg7CvGnAR9uNEv9TJufh66BYh8IpWc\n7qqS0pvRfpvkMitfLSEP3RmjGIxJ41I1Kcycx8R4EJTpHCNSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUm5vdFu944BRxKL7bQKa3e5EhHrMwCgYIKoZIzj0EAwIDSQAwRgIh\nAKJ10lElycOOtaMGY6ha0xPnGOjHkMqJchivjKzTR3JOAiEAxEHocVYoIbPQB4hQ\nAK37l+AudO2K7deMFRWMU2aGD2g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXbE+qWs3VS/y+EM3sesQQYLFx+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFW+x/GDJs2WYWNyy7Tbl7VBmlPRkJpt3+JWrm\nb2y2F6eV3kVJiXIWiNDtoG3mXnhOPK6EjnnpITICs+awhcY7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+l5llhIbczmII4gr6qfSKYB2itcwCgYIKoZIzj0EAwIDSAAwRQIg\nR64Yqs77AStArBvuA7g9AhV91Pu+j7QATjC6TJPsYZICIQDd3KvPbSfVEPBXkgIG\nqKcNtHYlWLjokxB5Qhg8FT4JYg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUbKnXuRghsnAkKZV97TvQTCZTQzkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNzEwNDA5NTg4NjMxMDAyMjUwNTYxMTY1NjMxMjUxNzE5MzE1\nOTMzMTExMTU3NjgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nug8sF/UIc+JQQBK6hPkPvaojPkzvra+ISh4XaAuk0n9hOFEo1HQ4ovhrvG+SKVq1\neHXuH80MlcOdOOABDCu8xaN8MHowHQYDVR0OBBYEFIdV0hi5xhCwcQ8WgMAc2Odt\n5aMqMB8GA1UdIwQYMBaAFNJqvKbS4e4W1+4yYmEkdyNES4laMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAjJntQx3zx0NwiHb7M9OUN/3dFlZ8z8LZhX4Fj3WPm\nvwIgeFm0afNkOSkZua/lN8C7o1u2XKaoAennRHrCm2xqg5s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFcFMO5LYAB7uRw33q+5pvc6PmLQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTM0ODg4ODMyMTk4NzE5NDc0NTAzNTY3NDg0NjUwMjEwNzY4\nNTAwNjIxMTY2NTY3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\npOKvkXzmaWEJ8YjTobBOLlr+h6pRPgS2FDSgoeZVs7MgBOr8c6ZFJFoWweFQDW19\nJ7el5vqCDRkU+iYKPOUBoqN8MHowHQYDVR0OBBYEFCmyKN7NBFMAFIlKldJ73SjL\nDnzWMB8GA1UdIwQYMBaAFIJEPK9CLN0OuhDFxhdbsxgkug1MMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA6iS0c4RaU1/l4ld+KziMp5yJWZj7L40ctQJVbRxi\nTJICIQDR3FkeI09GacsO8Inozyp/nApHi+AGLYko8M++72DwcA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUMr6n/6YuISebeUA4zBlvat2DA44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCdwTbyOuogc0IdURaPxSHODYb08bVoT9TK52z\nZlsTyrcZJY0gVDkWNyin+O0WUv240mHOAUMswFUZ0b2j72HGo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCNLhvKfOrQp\nuSfaYcKUDGpPp7OcMAoGCCqGSM49BAMCA0gAMEUCIQDrn1rzPAUUQzETmBg1YUVJ\nuI6Fzyg4pJ1/JVlNqmTVMQIgNnEioYiv6MkWelh1QUkbZRZSpxxePR8M+qryr3P1\nC1U=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUeOcc9Goc0HxMM6uwGN68ERuKbygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXB9MdVcWt1ii752rKBhhJorDDCArjw7wfReSU\nQJ7xZ8YiSe5Bp6Fh3xp9RjEAlQxS0fgSno1XBJcTKDsCZTkuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCKJcBokxtmr\naHHESSW9zt7e0GDgMAoGCCqGSM49BAMCA0kAMEYCIQCoxVuBUnkzViFjSXlsLieg\nYeFF0EJcucE1SE5nd8ezigIhAMwC2t1dRbcdrn76AsiayDiN44giP8jyj8lw4fMj\nzDWc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUaAmthUXt+SupY3FGxmuPJlQZhyowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIM2qEsMFP/Qc3NGniy+5nZ0rTKGxq1zQCkcrLk+Eeg0\nUmkFLZAv5Cjy8Etsz7Zt8VWIvjueXx4nCmkkBoZDEaGjfDB6MB0GA1UdDgQWBBTW\n2+r+0zivQ7RSeS4i0ySgF6vZEjAfBgNVHSMEGDAWgBQjS4bynzq0Kbkn2mHClAxq\nT6eznDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSQMYl7C22Jno1jD2jW8e\nMbj8dn7vm2S7l4E/dQCGcjgCIAxPdkVF8YuybqgWVgcFeL28SsXz59MnAO1hCijQ\n0VL8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUGXIO+uBrt/U4TSSEVPM8P27gfVkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOA3V2VFmTRLvCNJsVtK1NBehLKZZ8wOuKSm23tWv4ss\nfbn0aAOy4/7aDhPIB/dSAZ3s25tIzXNtY2DbgK0f+1qjfDB6MB0GA1UdDgQWBBSd\nrWrOIHrvr/aradmx07uf6bPQ8DAfBgNVHSMEGDAWgBQiiXAaJMbZq2hxxEklvc7e\n3tBg4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPhYkItNXb0zK7IKnK+3\nk45DSrYU+qSW/MB0cZdXMslAAiBFGH3oyFFYQUn+Uw9SWzgMwQcExxnB3aGED3dk\nLO18EA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUBzIfZ/dbOU253oUY9daIz/3wp/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7ZtNV2u2CQdglPvMEqkdBeYCt1nGYGWkuj84i\nqloBuskK+Roa3p8EWmGTWWApUGKDO62hOMpSxfvy+myADyTlo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUvpo+eW3ZTQ2kCW5IALTzrLaYwJwwCgYIKoZIzj0EAwIDSQAwRgIhAJFI\nI1gBmSbeZxbdFRp8KTV9GPeBJewqdO4c9mFVfL3FAiEAiDDGyVbUyBCs8jIpLPO9\n3Js3S7uJIoviqa9oxbde7s8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUZv6Ru2Sc/S72sshFEXNcXESzacYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUEzok7aAzL7DSSWmUGQcWzZy/2GnyR7FRFsd1\nscr2DROZzx3G/zIznGQCKb5WEfTvNJlT8kkwI0Shqgzhd4jmo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUws99bIhrMaszGG/URWh9iVVGnWswCgYIKoZIzj0EAwIDRwAwRAIgAdP6\n1lLBmWzOz8634ptLK7Y+fkz3nZx0Q1Hf6UtN/N4CICpRc/PykjO/2yPKV5Ek6tcg\n9sjYBHq3Lolc/jLO9Ka4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUeAFlhC4imz8Nq5sP3d/TgD9AyzQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIfMqByegsGZJItxyyZ3F0U5HW5Awnr9zPQezDC3afnZ\nQhQflXbLs0S3eGjwRyMUg+JqQUtJ8MEZO8uHHiDvwYqjfDB6MB0GA1UdDgQWBBTW\n7Ftun9Gzmu1Gir3vqNjSsrjh3zAfBgNVHSMEGDAWgBS+mj55bdlNDaQJbkgAtPOs\ntpjAnDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbwj7kg+dGCGJ2E98dlOF\ntxmQmP8ZwmWigScxpGCVYg4CIQDEke1g63miuiBVtbOjNYzYNXk1kKlJZ6cOyb7e\nFrEgtA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUO0GZvPHlBEMcbRBYTLaW5mMRHM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNDITjwDCxFybWkBt1iD/EN+bfSy0wtlXS93lNffMaAd\nm20tl5ACZyUAgmQV2LvDLfTOI/kEkB1xZRw0afYmkWujfDB6MB0GA1UdDgQWBBS1\nG9noG8bir9JBR+LttRn5V+W0vTAfBgNVHSMEGDAWgBTCz31siGsxqzMYb9RFaH2J\nVUadazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOnZ0xVPTrUlAm+P2JSA\nP8m7OHFJt2QPnf13t2pzihk9AiBQJN4JfQAnhSUN/7T+gig+vRwbUhKyyKH+FI7c\nSMdkhA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUSGJJREpPQHno5Woo/zO7DEJ3zQAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1hp3GOVbkf+hJ2tZFJ+Bj7EgIYuPKI48enXc5\nI3zWMQKVqyTgar4w7FucUhbvKn/3ThAfuLeNfsHeVcGgCPW+o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQgXrqmC02JKoBZ/QXaVpganussEzAKBggqhkjOPQQDAgNHADBEAiB2\nO/ROP2sYFCWP/6mGPZWMCDH/3Ra66Or/4atvwv+NYQIgUDaSE9NbY2QT8f14xbZ0\naVrx4kNHIcDzmm5qSAjz/FI=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUbR4gZ37OTgH32OnAcdKkHYM/pwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStDeEfg1ZS9dMYr2hFVX0NCklI93VLOCCgfEL3\ndtIVVFcbdoH+wbC+dv1fgnkjcp9ksZrPQAhrIY5+R0D4e0OGo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRZcQO9AmT/QziYnZVFQ6AUlOAXNTAKBggqhkjOPQQDAgNIADBFAiEA\nr5fU1CNRcWZuTpXfRI9IceZT1DWvY1L8fvrX10nl4NoCIBKOqdKth6x1hdFlA0z/\nLVE1cLQdGBM4uhPNDX1y3k7C\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUcSnQWmLA1zm9C9B7nN4zXznrJJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGK7q1oHfTIR20sQTWMkQlnB/lrBKpilbWk9kgbg31YJ\nTuFUpgOsDNVQrV8tnqVKmJS2iK9y320LCHyTRAjCe3qjfDB6MB0GA1UdDgQWBBSi\n98aF2NzscHBxC5JDiRXcaiKuwTAfBgNVHSMEGDAWgBQgXrqmC02JKoBZ/QXaVpga\nnussEzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY0GzMIONWVOMiVRehGcK\nDxwFVcAEkunWG2XSTHMewzMCIBOFy8n7ckh/lsznLn0u4cirFhtnQUCflcvtIzh6\nM4hU\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPGkmvWrieOP+TxHsZywG4LuzWr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMgu+Jlh4ck3RcsR4qwQBTJIZb17dOLACm/MNGLQlFSS\nE7Zo99ualEBNLaMcxCpQJwWCGV43COcCgUGqQXC+gzajfDB6MB0GA1UdDgQWBBR4\nZESB4RAdKTq1Ep+CyW/5naKbeTAfBgNVHSMEGDAWgBRZcQO9AmT/QziYnZVFQ6AU\nlOAXNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMkFmn+n/vJapkwwUb/Tf\nONqXZWLUU2b+wZpFHU+alMoCIQDTT46cUlGWdzi5EnWTYFkpr74HhsEngNgalL5I\n6DEzqQ==\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdFERwvW2n5w020nItdW1tyaBbswwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjZc+vB7WGT8LsaOjUcImhoLYOSexIM9v/+6S/\nMDbSLUfs/NAfwwTLxswUOYnekEU2/PPrXWN78E4/Zfp9r0TOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKmyHIs+wO31VEszUo8GDN2ne5xEwCgYIKoZIzj0EAwIDSQAwRgIh\nANIzKaxZMmBBnr1Eq7OfzmlqQFU/YepkTn/vU0NerVQKAiEA+jFnGDffFatiCg85\nlUtw1pbD3BGIjrafFX5kv6kWKSM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE0yauC+v7Fm/+hIdCV3Czsdha3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsh6qyuQPXl0V/t5BciPpxrKYHcIedoMycfI4w\nOzxR6f6NI9tCS72LRxKKvz3sJU3fByzlwPioaw60UD2A6ASio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLOm9X5r6Tmv28RUVdKHsEU0R50wCgYIKoZIzj0EAwIDSAAwRQIh\nAIyyn1NQcqaGcfH1j09Dr3NdMrZ3hT1oXrQbX8RDDrafAiAOTlz/euKqFUFXSrfx\ncq5j8yFBAXWLb2XDKPyi7hgBbQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUUg7BBbvflwzDB0RsDhsgsVUD/qowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjY0MDUwODM3MDI2ODk1NDgyMTQ2NDAwMzcxNTM2Njg1MTg3\nNzY2Mzc1NTA5NzA4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz2UD\n7zfW/0vk2fRjuOiN0kgECmNG42db+0I/xXw6FctoCfZI6NCZO5+63g1fgIRzbucj\nKmqJarMyjmUmsz1ksqN8MHowHQYDVR0OBBYEFMtj4KLxVuSmOr8SqZJp8Bh/2g9H\nMB8GA1UdIwQYMBaAFCcqNwj0xMvzdv0YeBGUsR7RCeRjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBErLE+RUBGJtjUxPT2GkzR+KscMNixSaTBwS7YTkAxjwIg\nZFIq1+Nn7abO3X5CdtWmpVYJPj4QteWAniYO/p/xzWM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUEPnYE/uriB3AMcB0pWNlSkoUT98wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEwMTc5MTU5MjQ4MTE3NDQ0MzYxMzY4ODI1OTAyNTU5Njc0\nMzA2MjA3NTA5MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUrfR\nU8ylIuvmB7/3ncjcs15+g5EvpdJhKelND5J5GRf1DqWbsqHCoSArf7BZsaMV+QOC\nJ9SOhQhS2jOAF4HmVqN8MHowHQYDVR0OBBYEFC06/ZWQUB9lpU+KDjU1lgCPZJea\nMB8GA1UdIwQYMBaAFC1sLzBD3bv1yl/pYg4rqrbS2+KDMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAWuJd0PuXbFMR1YDsLzNndAczzC8JGWfOeXGS6GnPu3QIh\nAIDcJZiMr7sVnb6iWyEcYQ2mHeq8dDJKMvp6EKPfjtAC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
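Review bot: In the `root -> ICA -> EE` case of this hunk, `"untrusted_intermediates": []` is empty and `trusted_certs` holds only the root, yet the new `peer_certificate` names `x509-limbo-intermediate-pathlen-0` as its issuer (readable in the decoded issuer field). A verifier will therefore most likely reject the chain because no issuer can be found, so the vector passes without exercising the pathLenConstraint/keyCertSign rule its description cites. The file appears to be generated, so the fix belongs in the generator: emit the ICA certificate into `untrusted_intermediates` for this case. Where the verification API exposes a failure reason, the harness should also assert it, so that negative vectors cannot pass vacuously.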
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA3M0cJ9rjynblCZCCi8/ph7g/SIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASN9Og5/ToIfMsc7Fs2pDSta8UnjdWvTdJzJpSY\ndfsUmI+eNRaVtOkmgFkcL1UjIW69ptVnw4M5ulZ+8FXgRwQ9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAzOerirMhYu72YOevYBvk6iMx6owCgYIKoZIzj0EAwIDSAAwRQIh\nAOaT8P7imNKKPPDr5QCQT2ghl858SB5xVZf+ODsN4gSbAiAHFKCTMeNUCfIbxQyo\nouI+hMDtggJ1oSWjdLMbRe0Odw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSGtnaGK2zXFGFe25qt0PgUd4IqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATveGW04aq4JPFnaqUYnocYdx/iN9MGzQ69GxMS\nS2xCdCNqrl2jwFsKoU2kYExnuz76QFsrWZZKUsynUcmSDVxGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCgYIKoZIzj0EAwIDRwAwRAIg\nIiIJ/C2DyflGfUC/lNfVzXLYb7vBFcBsb1GxCcQU50ACIET4LxQ3kPgF2PeP5Z6i\nz8YVGfhyaBj+6PIDZ2GMIFYe\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUcTtumB26SZw7mLG0qCj8Xw2bWMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDIAaeD6ADnrJeaigBt6yh8SNWSDUsldjCIl3jDSoBUv\nhAA9sPDZmdtjHY/X/naQKL6zXHxOHF1TVgV823JKE/ijgYswgYgwHQYDVR0OBBYE\nFKMkeoGXxPfTdwb9ZZriyr/pAli5MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nAzOerirMhYu72YOevYBvk6iMx6owCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQCUEFGv/kmHTbkZ9lRvriYFVWQDOEizTn8y6s+ZAkYj5gIgQz9bTnbk0SICD2Fr\nAi7EHVuuB491c93ieob7xbvUXLI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUT6xywdTY/qgH7v0sEau82Zdx2q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuQr6KTw1WoG5zGbOHp6kOhWWV2ismK29WmPwK8Vf4Y\ncPq03OSLm0HLVRShBnsgtczehFgphTAmb8skxTnBd2ujgYswgYgwHQYDVR0OBBYE\nFHUNYxOOhxLmA5Lld8ckm52m5QRXMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\n1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQD9kHyx+UPnUU+tawOAuiB5fCX6m2YT0/wBWd3FLDNV2QIhAP/qFCaoVBQ/gIXK\n+ut4G2f5RZ6EDltC8FRPxG37Dra+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUf8uXerqLawIuYvyQbw1/iFbqPSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQH++4r+erNcp8l9zZ8vACB3Pv3R7vByfRv/VvT\nDYccPyOQL44Dl1ZHmIrWotviG2wcOdR27hPlU/Kpx/VGCow5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq3PWoG40ciNnDxg14JWNRInWiWowHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGbik/wuGjXkwYssTRcOthat\n4KhMBqFl/jHs7Yqr54kzAiBCruYjF5s/PrHaaBmbuyAFqHwOvfTSEp3wLzwwL2TY\n0w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfOcviViK6WXKql4oUCWDgUK1rlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjv/QllcMdUrrYzwNi0hy7URM0YhOkSlIpT25o\no+AogPCOLRZatNsslxQS5SjKAZAJLANXwjkNgs9BvASBdF6To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRsQ4knZayUNLlcMr5Tmp0eGZggwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDTo+n5aF0zzSwAi2DFif+8\nMOhJq4jOjdZulZyIezfrYwIgYYMv9T2CZBANiONPA95GwZj5wyL0e+NeAxqAgSLV\nMrM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUK6IPqNEl7W9v+O1tWz3tQCjTxO4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLCNJHNygWvmN9AmdXa5PIbj+FUueJZdVKpmns53bjZn\n7p+D0kcWnzu1UyVRFYapEXBj7GlnmxQwgBeu68+Oq9GjgYAwfjAdBgNVHQ4EFgQU\nKsnsugaBem1mBbJuIaKbyKydu+swHwYDVR0jBBgwFoAUq3PWoG40ciNnDxg14JWN\nRInWiWowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwwYXViLzRUAM\noP4pS6JgMY5BGnzjgDFq0E6nLXYSxUoCIGE87AWqYT6BJ5qnpT0XPiEpnZNafBot\nGIrLqWyI3Sul\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUFDHI7DE1OmuVHvFfW5wKeB2Ph/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAKoSCMvIuX2G4jgEeulDw9TjBP4XP9Bak3KHX0din41\nQs2uu4yWmLfJ4vjNVVEHxkTsNNL6GBrUpkz52juNlNCjgYAwfjAdBgNVHQ4EFgQU\nl97wvMWV7FvB5UgrjbvJgBHwc48wHwYDVR0jBBgwFoAUWRsQ4knZayUNLlcMr5Tm\np0eGZggwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA4IMNCsEk/H/X\nvfQymHMTIX67Nv8H5lyXmseFqccHGwECIQCPU9u58ofO2KA+cGc4QewNMYj3nlfA\nmm2kuAQzVSpyWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUBJ1DOpQgu5mYBF0gNFMGPD69dHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTn1+I5t/t5YfnlyCCNc2Y0sKbpX8lW+miq5Gm\ntJouHM+xEY1HNZLvz4T+B7HBWnAyZPvccaYKtFcSRVqZBaS5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvNA367+f+GeipM1ArBO18dx37dkwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDiQ4s3ffY76QeEyjqnD5Ps\ntQciDFOqyUy6uy4ql1Ey9AIgRsQ8gsXJPr6invZSb2AC9vlwOdrpQtA5VGdIcwdD\nw1I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUObqoFXf0EAAZC5epLVKM6gYOWjwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2lRAuO4gbDTrOYj+hQZQywoOcDPE2drkqqs2S\n3GkivXs77g33o48hIJ44pYU3TmOf8AO8Ra0dVvn3+z4LcBrXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp4v8jtoPQHeG4gd2zqxJQOWyNzwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC0EO5zmgfUIRZICv/UmzTTw\nGP1fIvkRvt1yhwzJAQn0AiEAymH6oiuQ5YGEnt+bAsf2Zwr1jKbhEPrepJaoOaAm\nSso=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUJ6NePI0D9rry5+WF/qUNqyft65cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGgBkwbMexkEmR/GFmcRvbLZWBwpJPXmKTWsrJNKZlTJ\na7+4HMa9m1imwkBLfKiQk1LNGt+tsBMEmOf3RQGe6FijfDB6MB0GA1UdDgQWBBSH\ngb84w895uS2AlwKy0mflXTGuuDAfBgNVHSMEGDAWgBS80Dfrv5/4Z6KkzUCsE7Xx\n3Hft2TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAISSCcuPKl+2Es6+3ZQ0\npRUdkz8Y799rmcBIiYvbIoMcAiB+JNVVyGiU4eoZN+xS2SifcGPUtoyHfOixjt6l\ns1DWPw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOQOeAPl/oPw1GvI7aitQT5Sb41AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABONcfxRzbxFLil1ccqWaKa1f63ytKeZl5LCLwg1s6oJE\nLqmwBiZXBr3arFgKtzVAToRF1igAPYE0l4myHaiLhWKjfDB6MB0GA1UdDgQWBBSZ\nnoGefUIT1eMhVP00zvJsfz543TAfBgNVHSMEGDAWgBSni/yO2g9Ad4biB3bOrElA\n5bI3PDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgRD98gLEDN3ws/EMyHNHl\n+MFZqcI+zVOL5yIPgJblCHICIQDbpa6rHnRv6dtMeanacWyRs3EBVOLR9WYaMyf9\nDKDVHw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUIhem1FTTWMG+4iBXQs5DFv9YH7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMRhPxoRrUsm3dxB+jSjTvJuCjfhpoHpVkY/U7\nBbgkptYglxr8aC9oYeJjNEQmCTk5hXmXJPfzAdsV1RVh1MQ0o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJBVgN3gtRUOaS09PIY3JKeyOsAwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH6JcCroilK8Vb/RwIyc5Yno\ngw3NCHu1OMuVRs0LqsTNAiEA0ynciYvjURREbpjiR3vhxjLncwsyNziUJKOuv51u\nVh0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa/G/KuQcv+2gEKvajr+Db3p7gS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxwMa8eA/AX760pQxTHMFY3laTS8M/EpNLRDvk\n36QFcSr3ccssbq6V4OCevON2FXS6OaViGaftbXaCIC1uYEV6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUImPrTIZfm77b8Y1W7VXV9OeMDGcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEP+uMYV5vCcMqoSjKyegFgA\nGiFSKlfS4nuF9AZ7+1mfAiBPylpmVyd5rvS30ajAxCTu+I8XXM77nvVK+29QNw4y\nmA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUShNvQTd1k2KF4FbyhtWiivgbIIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGfKHHWfWCv6av9q+uOCW5O4iSrl3aoEu/dwn+2ckIzy\nu/T/+ObzWySCFK/FOl3pVi2q3+G5w5G99dL7SmOR7eSjfDB6MB0GA1UdDgQWBBS+\nOmN6+TX7ez8JS18u9el+cWJULDAfBgNVHSMEGDAWgBTAkFWA3eC1FQ5pLT08hjck\np7I6wDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgb8nTwxNRfweFkuAbiFBB\n7p7IZYLVgKLVQNc+vTJ7HqsCIQDLFj8vZ4VR6pRYMahbQgMoRNEaFgs3cnP58+vq\nQu50xA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQYlfz+dNBezDlMUcBxMDLqry1TgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFP2lbYlvnUNgrtBg3mi5ncqEnOEkMLGX8TB8EdNjBYh\nXefT5aD06YfODJiZVJPPGsTgiC4hgbULm5qaN5+IKbWjfDB6MB0GA1UdDgQWBBRg\n0GsZF4Xhim3Fb968Jh4HFSA8yDAfBgNVHSMEGDAWgBQiY+tMhl+bvtvxjVbtVdX0\n54wMZzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzgIes3P6VrVteH2TbHJ\nLOv69wZ3Xwy2wmTICAyEo9oCIQCHKkvYWo4n17t11K5bbdNIVujifZKWe2tAz5MA\nua2jsw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIULf4y08KbqX3lNU1WfCrYX93KxwcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKShNDTudcibGr9WPZ3fhvkzNwV2aiqKwae759\nLI+P3NemK/4XJxIOyEiK8/1v8hrb3cgTHUfBhjGZHSsg9gh9o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiYA2iuqBC47x3ovl0KjbfVBvnlwwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDmqmtg2iK4rS0hRjZ04y46\n+hmvSNa0gM7oU3dRFoI1YAIgJc3AcJrzKpNI6B27wJ0CLHqLxzW8tJnMuHxoBFLc\nrxE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUITPmaoRhvZa5cMni63j6Zk0MG1owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYk+8jfe4p94kA+lrbr4tZRfIdK6OJbWYMN8KR\nFVFZIB5cBX2xfU9VxuE0bth/BMBIgb2fSjj4Q0zL+xasEjUeo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUekiGzBxW+Al3oPGpdO06yRzcefYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC42zv6ezSBFK3sfIRI4dWq\nosBw9LJ+LZoI4608NDIajgIgZ3OnqhRhJPdhSuBKdNuUP7B0Al0DEL+CXZcIjzo+\nWsE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWCgAwIBAgIUXNtbmAYy8p3CZTebDdeonxX9frkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG/UvBq8jq3XaFQUCTI0cP7PmdCqMrgsT33YEf/EHQyS\nhLSZ2EF/ld50RcCYluJJ9LnmlLh9sqckKIOap0PqQ2KjgYUwgYIwHQYDVR0OBBYE\nFAaE76mCeGUreh+XkAwBX33+aNGYMB8GA1UdIwQYMBaAFImANorqgQuO8d6L5dCo\n231Qb55cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDHq+jN\nX5kx2Rb6awEZNqtQQyT5DFbHbYLzTSPdIgiPAQIhAKyORsBmkOlCbG2uZmdUJrHK\nEZB8PA8ZqAc3cW57m408\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUGGq4FDHSs2icclPcOEHrYYaDsvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDXJULye3lQBk731vHJu0JxF911usWf5FYSjSo3W5LH\nfuGWUQ8QOzf1XOA3NtSnkm0qWcpyZOCVoU0RD1WsbP6jgYUwgYIwHQYDVR0OBBYE\nFIN7rrWJlmuC3GTMM1KuYoPkUlRaMB8GA1UdIwQYMBaAFHpIhswcVvgJd6DxqXTt\nOskc3Hn2MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHYLKMqK\nW4gp5VMiIdI2ssw+mgXsSOnVEhl65cFaMVjVAiBzGBVXlr32jNTo+CMbLTRhZwCG\nFNGfG4Jsu0JUITVEbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUURFumDfRMDbpQJwSLHJqag46XYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2lMdgEh6BF1AjZUVCxcjoZq6l0mpIwX/CUbgU\nbRV8f+SZOzgyUyltUGl93xLD06r6sjLoIKN9MCW/BGGPMUiCo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRvxsVo4Ihj5SW45I4QSXp6mbYoBjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgNkUw\nubkGtiqFl9yINyuNK+leB1z/9n9HilChybsKJL8CIQCUB1h1GU4VEijKv0xgt0tR\nv8YkDfbRGdOC8ZUdPT9nsw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUSP9iCrl/fZ7wRFXMbG7NbKYQXO8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATX59HLpG2K/K0QX77XO0Mb78zmCrA/akoIPbwD\nQgre+c/7a5zAAZlBKYdQ2naEPTIU1oOkc3sJo/A4LUSOxg32o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSCxBR4hm/1t+UEu85W5kZ2Wlm4VDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgFvJS\n9HUZB7IKli+4ygSgbzeA/5OzBd5Dn2fMNhMVeSsCIDBBIAk1N3pjl3HXG8QgHeKs\ngL1joOwsrpjdxCLH/E+X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUNj3xWq2o2aR0dSp8LWc7lhEiytwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD3wuOypxOtMfPDqM8rtV5IMzvOijkFKJWo0hHV9PzWD\n7TEiMI7nopM1eTuEj3IefPO625p8FkdOk+pC4KoaVOejgZYwgZMwHQYDVR0OBBYE\nFIjyb617snJ71MJP5eB0MthWGCypMB8GA1UdIwQYMBaAFG/GxWjgiGPlJbjkjhBJ\nenqZtigGMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSQAwRgIhAOdiC6o4csJ+Ou4M1B9HhjspRb/y97qjfRxZxhG8Nv2UAiEA\n2tFR6KS15q6FnQ/wrdfJestLcOShDlO2ZcYLb0Cw1YM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUBhc6olZ8KdzARsZ1IFrY5sf804AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMi9VYkA3EX0TWsThokN/FNsUoW5L64aWOFSYbA/w+2A\nC510H6BfqgvInP6qoZksmZksxVD0pVMb974BSqrFhhKjgZYwgZMwHQYDVR0OBBYE\nFK0OhUf687o7FSb9ZeKPjnGPBIZPMB8GA1UdIwQYMBaAFILEFHiGb/W35QS7zlbm\nRnZaWbhUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIgKPDK4p+1HVSxEqgmYgdNWJMWAfdqVxFHyR+NhorcHk0CIQCh\nEyBgL6lEZS1ZGsHI+LdOW5Cq1yl1lx1TNanynHuKXQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUQjLH9taFDHyurNcC47VAiviwYJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPIDqRy8kD97qZYgPjMk+xJeEP/YGZRq2IToI/\nybNnYLu3FBeXtmCMkAgFwMM0OiOsdQvMRZEdSQ1pKozlk2Tvo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU83A232kuz+9Ag5hW/2tqR6Zqq20wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDiY2rlb8vTACLqJbB/MzJ9RXQ8\n4dd92gkyB7+G1xjUpgIgZMyMuf9p9gq1u/6IptavyAHYK8/voq03IgXngU463sU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOzWCL7on1OMrhy7T3R4KkGPhqJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlheUSq/fcBtOkNExLGHbDCjIlF9ODFr8rA2tR\nuuFVy69nFTdtjMlvD0Ue8mc8gC8rFh+czJuQlI5j6VSmbC9Zo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+lgWf3x65Qe5GqoimUlOjcbH9x0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIHLqgeg3j0Q2Rw4Cbz8W5PVhHLnK\n1PhIGlOex2KHstEhAiAkt4KZQW8GxTKqXjn433OEf+Z5swvseK6PJmUu28L2ug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUcEoKLku0rTP4mo2WOo1eu9asgaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPShWPRjfQz092eIfJBy6Jb5MK5WWj9lZCHXBPRR+Ejx\n+ZFEzyYOlqUJEeWChpTXwgNZkONLhUI1EQ3ELSt73kyjdTBzMB0GA1UdDgQWBBRW\nq22icebZ1K8JUTLqyNdN+rLXcDAfBgNVHSMEGDAWgBTzcDbfaS7P70CDmFb/a2pH\npmqrbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiB8HuBgDgQAHORjCf1NDycVoFry700V\ntrvSafzRNElgeQIgW+zlqzqqI1eCjzl14fCxAZH1S70AfTbo+DM3sYRt58Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUT60P+6ysU7yyrtPbrztaw9BLFTgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPKjNNO8E7XYZHtpCK64t6mF+GVvWoLMchL4ooCQRMvv\na6omxPoCt5RRz+RLnQKx0PRXzkvL9CXAghu2DDY/SHijdTBzMB0GA1UdDgQWBBQZ\nm89R/DLNQ0WYci014HecAkAv0jAfBgNVHSMEGDAWgBT6WBZ/fHrlB7kaqiKZSU6N\nxsf3HTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNJADBGAiEAldp/u+yzvUe94J8ijX8LpZyfJJ++\no/V/EtaiKzhblzMCIQClcac3mnEvHs5N2V32qfom5voc91DgrNhYeCQYctdi0Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUacwF612uE4aMApirPPN15/a+TpowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBl+cgPKT3PJZCr30RrhsoqK3qy53l3yGIkRyk\nR4X+IQq4vGlRY1H5Zh2DNNOWEVCGgcDG2KU8pgevE5evjdTTo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUp1/dRdnzWstS5KPttK2ukBiLNQwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDVOf0taA6dSfm/cqmLh8XuU2wO\nfe2AGmiZBh89LkqhnwIgc3xZ50oTXSobwoQdFMDxf9FN9S+rjQld297+sPLCi+4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa1uRFMu9yRc9QJncetvN/TGUBNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj399gPzFi7I8jcwR/90Slvpks68FHNAQLgEgn\nYNVTEka38hGKVdII0SwT05FWw9iOkx8Tr2tjZfgSBImzDN20o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7jD6i8sQiKFgj1uipTdlqZQwzMAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEwgiNxKf9Z6G7nm7vEFn4gGy29n\nsBVthslPhLXVb2dLAiEA1CqivoH44zLuR6wDdG5Aku5WuezfvfmR8IM5PzM7Xxw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUFzrNMlbsgxfM2o/foxqRKnG3ld0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBJLBZmKULr3iKTeNSUvUCjE5fHzHnnWv1yX8CCLv6n\nvC1qBWwoutsrWlfZVIOBjH7B++WEbvwwhpoEaFHBoMijdTBzMB0GA1UdDgQWBBQ2\njzEF13/iIWitkxStWW4oB8y5LTAfBgNVHSMEGDAWgBRSnX91F2fNay1Lko+20ra6\nQGIs1DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBB1CFz69/dO3zLS2G751+Rqa9vhxRe\nMbzKb8yHFHs99wIhAOUdOPV0lhYXLqPT6OfNlJeNao8pw143Kwd0hL3HPOZ3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUaPTA2wXJpe5LnYe3moRDXnQDw+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH1CRjQq15szDiDsTXz0oYBkkUomhfbuOsmUZRDAab+9\nt/+u5DxefxrYESHKIMmakieov+umwrf5b5GpzhpN43OjdTBzMB0GA1UdDgQWBBQi\nr9egyQNoSEnycvWypJ4EWy6BGzAfBgNVHSMEGDAWgBTuMPqLyxCIoWCPW6KlN2Wp\nlDDMwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAkuj7FFcuiuadDbXFcxDH5oqlnbAA\nj5TV4Wu3Ley8E6wCIQDSuFTE4JoFufe9XFfoXDOzCJAf2w85dFhxUHuNRMZVzA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUOwyxDmKPDfLifX5A+bgb1XzFZjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0+ZzEE6dNfdNUe2URc5IfNGAxXCW9PW1ZAwUf\n0mQfirF+IsqP3yhwM5vjCct218hfLpLtGf9tFRms14SWSQ9oo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUOowqcHvOCjVmdgqMPpZkVioTrowGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHX6FuJRH2SQDuHtBgh06lRv0THf\nHswt1XLfxu0pZYytAiEAlaJD4Z8tbVscM1zVdKTF8V58HjhIMqvrhvLCku1t2+Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUbRf8U8jhtc1j8NNwZeIhImys6ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2VhDWjJvKS2LeLHHE+XB57DuGnNgyv1p5Gs4Y\nck4vGl82+W2igHlDN2/LEDfkKJ1XnQHe7ms8esCIsputksuPo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknhtzmndgMVxv1YLXO41giHAp8IwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHLpv2PlXbNmVfFaACD8YIZaO9Gf\n1S0eaOQub5wKRLWbAiEAqzuZt0QP3qpeeMQali9SLXtRMu6YH5tx6eZ2SLVSPxs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUFVYyCdip4O5Isl7Qhlgxk7DzjtAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGcG8wQD67Sz2ohu2oXrxvyKIhomF9AtIfzW2ZNAxpAi\nqTKjASdjqIMp7XqgCZLT0Ic54QF7Oh4FUha3Iji5zymjdTBzMB0GA1UdDgQWBBQN\nr3WsZ0DSDtEu3lzqkcgpK/7tATAfBgNVHSMEGDAWgBRQ6jCpwe84KNWZ2Cow+lmR\nWKhOujALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiAtlpE15OWl2h41yGPoM+rqkCb1Pbef\nxgaht1BtxFC2pwIhAKo69yOwEyYzZNpWHbYmf3IGCq73EkZgAEdUgz92XWxf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUVTBQQAG8nle5/r9Z3y+yGORGwb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP+J613J/34OAAdLq+Eh2+uytOcSisz1aXsPJ1UPD7C\nLcfJS1ot64WqPy4EZjRl2Y6zo2mGRDwqImsUD2xLj2CjdTBzMB0GA1UdDgQWBBQa\nZa+Y9F4OM7Lr517fsTDoCdNqRzAfBgNVHSMEGDAWgBSSeG3Oad2AxXG/Vgtc7jWC\nIcCnwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAyCagKVlsbS1ChQNA+La9Qr2y+IrIB\nwlGYpksgnkO4kQIgbsZx8gvsVuju8FU3E1LApSNQeJOe0/OIcSfU3KZbhyc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUZk6ZJ5QEOC6oniboc40qIZ0d8VcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVU5Dksot17uhP2KIfRJYb/D50yeQMwIdgGkMd\n9oO/rZcn+dLgH0ttidMfDne3m6nQ8TPCm3v37GSE9w1byICbo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/P/81j0/jN7dmPF5Rb0dMiKd7lswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKgy+J8tvaY6ldPH\nKuTWcLJd72ikbs3iCLW7obmSvJRUAiEA3/h3BbmfN18JkM/Lzv3GI1hnh9gX8si+\nVn3rKYhLhd8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVv98Y4ytxBQigNuQOil6px2D+FMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB4SReVF8FaRzGa5KWk+JBnt6ZAkGquIpVjhfC\nuqE12RKtkqYJCMDq6g8BK2LwjRxZ7eBwAfV3avT0cHhfobb1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg10WlG6754eoU9A+TRKlhZ5YksIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOqCSasz3gn7e33u\niAKtlkw/cZYEAKKBQBWEAQ4dzjwqAiAmaO/NXwSgm3PjzOANUwp98NLXOnHaayRt\n9rXCDOYJIA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAV2gAwIBAgIUdE1qVnM42O67cRBJdZzd9kTI31wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEz5IW9sRrqZeYIazF26qsS3DrRpgpdBs9zU9/H44rYkYy31um\nHsOHanTDK3aqpQvFBaDTOrBRxaVO6bdJ407MDqOBhjCBgzAdBgNVHQ4EFgQUHSYz\njfZwryqp9YdYdSNjRaXpsu4wHwYDVR0jBBgwFoAU/P/81j0/jN7dmPF5Rb0dMiKd\n7lswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0cAMEQCIBpisYVlo+lV\nnwJdbBVvJG3GVF8jH/yTDLUBErsc7lU8AiAOow2bfE0MDO8TREQwZ4JEYz8JVuw6\njxGLIOEcPo/qMg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUbR5Sh0kZKWZ4qKDFy37zXOCQBMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMTDp2OaboNpvObK9XjyOK0KKMx+UL8w+sapwVUIto7vtHiXx\nJJOgUtM3rG+L7EIjQdhdOp2CoAy8YcgybyGTMKOBhjCBgzAdBgNVHQ4EFgQUZRtY\niw1SwdmpqKpT8k3SxaAgtwIwHwYDVR0jBBgwFoAUg10WlG6754eoU9A+TRKlhZ5Y\nksIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIDzJvcSqQacZ\nkkUHpC/oiVq4wh0YcaSBNrC0oHuHzoDNAiEApG5tj++3W9BIGJDOY7MkEh5zUgfF\nAjWbqXt/7Osj4nM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcSZeOTHiVtlM5KCV3QBu4EvR2zQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkWljLM3ws+k4ZMo8FjKEESPKTyiZs/fO4YMXr\ngVYroswbOhWbk+VrsNcAW9dcQFiTsJLxQQ0BquziFGmpeERAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAwgv00VvYQrwvCHBIri3evm/O6QwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAO8cWDeJLT2qTPBH\nvCcvD26Tj9ITvitsMMf1Hv8obKipAiAlUDAnYuNfyEsXQ4QBiM1H1UdQxm0p0luX\nfUn7NqbiZA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUNESjZkpqzDz7KMW7h9bKoJ2NZzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNSpZT9Ekiw23L/MDdCuDag2ntYFmN+DzTnMGb\njeXSHyZaaduq9GPeCHmSHd985Nh3JMLmL2NHZSZHx2eBfW53o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7ONeirkVP85Qhc89o8ggWBsi1TIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgTXMyW7QCCebAClJ8\ndbAfWSAHESghg+8QR163WNgiJGgCIEkiKxLYgA53iVIm5L/zruRkFbQa2w7uFUf9\nd1bvtnbC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUE6zp7cRifMhN/YfmbKDeAu2y0vwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQ0GmlmBFUoaekpI0Gs+BKvY3hM3cHxYDmf3irLZtlX4tQMCr4xaEjz\nu9rAFWNw6EXXf+WI1uiGQ2Xp63HPPeYwo4GBMH8wHQYDVR0OBBYEFPQfKek7v6Wd\nWo4AQC6NeIrMY1dSMB8GA1UdIwQYMBaAFAMIL9NFb2EK8LwhwSK4t3r5vzukMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCXF5kpS6wmgPDvZyP3q/x7\nrpWRyjN5XhHkNymfxIYhIwIhAKqXNpJWuDQBcScsaTpzd+pyWYPsa8MuiS3F8PEm\ng850\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUUxD+OV9klYiuMzzwino1MfzRI+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQTngZVLnBK8osB7wu3kwdHJ5Vc9xHtTAoCcJUB90A5U40ZZbuLCKUl\nJ1Z1LbXuZRYK4NNB5ccXPnSM5H4kHsD3o4GBMH8wHQYDVR0OBBYEFGko4dglNAvh\n/tyNy+YfYdCucHIKMB8GA1UdIwQYMBaAFOzjXoq5FT/OUIXPPaPIIFgbItUyMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDwlWTShaF8m25D7U4Np4FO\natBUAZKrQW51J4s1LLDojwIhANXAXivLGr9C2+r+Svv+5JDeAGqL22MygTkHLEq8\ng9j8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUDKdd2socAiBSODTmFzhCMajL4vAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShnSAbJPxlWDN+CW3u40GsIonUG/cgXurngUBy\ngXHW8/GQQGi3WVjMI/3f6D5tWVd0Kz3Vgklz1r0CX9LVlg4Do3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfqMj+Ioh8vNjsG2M3gjykHQATkcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAMRby6TUK7WfW0zA\nzKxKsIaQhmlHMDmLetOS+FoM7obTAiEA3ZNzFsfeCE8FUnD+VgGCpjYfuwpzoO5l\nHvHxNLXU4KY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUFBXazDOsZtDi5mWZR1I6zrolqf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLnqd/E83N9QuZ/Zyhl/Z0LBqsH2TqTzILkoxk\nk3ECFVtJdM9q1YRlMwOa/motEkXCTrgvR81To1Qn+akfaZiQo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUUa0Tq6HtWD3VxFDyi8S7NJ+7Y8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgECVFlKAiCHToMtdo\nIMmpLFv4WF2Pp5C0iHsi9+jwSw4CIEMrxtcCQ3sDu15Y6jc4w1UhRDOftNwXaYuS\nsrhsJkXB\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUHuhxglUiMtrXUPIlk0LPuILXiJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQdrQjUCMM77+jUoGveXOaswrKzRmY6ipeLepG0pd597shrOPV4OGOh\nhNFSTzc/ErFt430mDZYo/GCWS0IshYK3o4GBMH8wHQYDVR0OBBYEFMIIx9ICt2FY\nDW9dNhVlIaoyXZYxMB8GA1UdIwQYMBaAFH6jI/iKIfLzY7BtjN4I8pB0AE5HMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIHlxml2W2iodCu4qQFUOtOyy\nm8ZJL5yxZiJQqxVO70ogAiEA5vT91l7NMrsoYlCWDSr0W9UVG+5Y0Gkqs7jp5ywX\nnKI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURLuOxUr8D3tTxDRpGb3Opcy8QcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQzOk/35lIXblddlK1/+Kuq66MBjyGOFmxU6bBkGdTLdjtfdGDb4mPh\nF1B9uIhzt+FeUPt84ZTGjPFR99s+kmGLo4GBMH8wHQYDVR0OBBYEFCqdbozEypYL\n114nlFSkzgXUHyHLMB8GA1UdIwQYMBaAFFFGtE6uh7Vg91cRQ8ovEuzSfu2PMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIFwEFzOd/z+7/C8tYqbLSWJB\nSWpNoAhkL39RYG4NzhMpAiEAuy2K+dhtR0N+KlR8WKo3g8v9G9SpHaNoZDjvCgbV\nr8I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUbhYWcz/7dxDP4W++6Bk3OLbV9KwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxP6VxI/pqMHlKRynGU3rGprqDp1zjQX20nfp5\n4uRCnE6fTTLdIt23xKsNswTfN04ihRts3AYjx0xfDtRQLek9o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbYV3LUd3sQdfCRXYkxuI8Q8tlzIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgGA7ZORktIsIph2en\nVKGtak+hw7w7kromuAhykTDo77gCIQDoYzamrMxasueN3Pnk3C+A4gaF/0CREaQt\nZVp+ef3amw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUCEhly4ESRdU6W2drKiQK5IGBu4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWw2m6uTxN9XN7eXNbE7oghr06gD+Ntp0AVeZS\nLcvcinmE/i5U9TM8RWgt69/ptVUr2Fj2TRnEwTPmGsS7Z/k5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs1TXAtxSEOiWOeViqEzR/2qN4IowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALJznOwIRtLmnRGP\nVo4pXpaYJxeD1dz4Vr1s07iv2hdQAiEAz1PDFhLM1kUBJ5En9vzuKz5iMI24F/gC\nJvBY9ppcp5M=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUHDkjnDQAH/605GQzUn6AxHYvEPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEEPMMn7SZ6vnPl3uiaxIJUIg1/OKKUHOTWWt9V7migHr6AU/r\noSMvJ5x8nZE7owQmaFMw94Is78gZxoVKgf4zyKOBgTB/MB0GA1UdDgQWBBSAZEqf\n80SrH9sVLUHtdRaLOa4MPzAfBgNVHSMEGDAWgBRthXctR3exB18JFdiTG4jxDy2X\nMjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiA3zVtWWdW2WAB723ZE\n0kKSwnAoLFzpYqu9hOX7sBfnIQIhAIH9qXQufrvMaNLs79F5fcW79uWhQvy3XXh6\nVRCHqWJr\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUfFsbeOtusXSqDP4hB3qWI/yhYPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEVGmeAlFDqBC/y3ZjlM9Ffj/XLvEEuQskAvAeqPAMr3OXSBQ8\nuzFMs0xdnqLx7VS0oaF5FXewu8aXdc0evbObI6OBgTB/MB0GA1UdDgQWBBTL7p2s\nkYrgM2CNOqUjEb5wqadwjjAfBgNVHSMEGDAWgBSzVNcC3FIQ6JY55WKoTNH/ao3g\nijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiB8loqJ4wH18h8JLJrY\nU7toFG/2aFvAGi+eQzN6dgcxfAIhAMTcu9OBRn9Hd+wFxhe5zfBoWUon9bPAcein\ne2TxLvfw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK4ZWDgR1KVVL9f7foWhbo9wWCwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+WjymFEJyoWogcWm0fBTyGvquRFA2cIP7/DVQ\nlC9WqGLsn4dq8dPjF2FXSKwnUZCCzsOcx+QpTWYTXhK6Vfpto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQgwAfvMaeWT1m3WODdZ1j2n1xoswIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJUT5azNtm290QQ1\nVTc5u1c9vCJULbZlGnyLugfFpSZuAiB1PciJlfgV2UqqUYPYJ2D/gYdN9R51AQZe\n8NnUUChh+Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUHGX52aF+5Fz/srYk+toKkePV12UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREad7rXEmrxUelXjyRoQgmfKFz1BobmXm5rVUk\nsZfHBEXVcCmJLscGhDo6lL0HZdDuy9DYrOhyp4OO2wdYj0Mlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU86VyrAxZ7XOy8iEJ8zU4Qmt4DnAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAP2yRErDUEF97B77\nT0HjX+j7KHP+rupVu84jnQFxDF4aAiBoWvZ9iQG9wnYqPkTppnqlXvIOXSJ+k9AY\nBBpXIGpQeg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUQ3fJvqXfnFQyFzPMMaYIriyMl0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARogikfDcoUvhIlx2mGlh7r/QJZn+hcMngPh+Fdiq3Jw016ENb3OS+n\n/I3Fs1kF4Xc6YzKjv3qfkV9z3a3F/mUYo4GGMIGDMB0GA1UdDgQWBBTFaWVSb01o\nNCuLuzfGJU+s3zO0SDAfBgNVHSMEGDAWgBRCDAB+8xp5ZPWbdY4N1nWPafXGizAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAPioDQ9445DrlAm/\nT2QmH24La84jrIZ8ftjqDdl5PWFhAiEA78rJTmrvD2b4uQkdNnosq0FlGCwhG/yw\nbt9g8HncQlA=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSQoe1u5Vk7lcQCXINjxYRpo+gF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASV52DIEVKbcsgw/1GJGJfk8Zcwre9RSvAswnyK66e+sbrQ/UmfqLdC\nhOTXF5vEOiK6oZ2VTvju2yRYKkzlHObjo4GGMIGDMB0GA1UdDgQWBBRJjF3Stcw8\nonfQlSw0xoU8ZbUcBzAfBgNVHSMEGDAWgBTzpXKsDFntc7LyIQnzNThCa3gOcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgB2OzDjDg/otSxlK6\n5E7RY3SLz00Uq5/MQbfBbrGlNGACICYojWPsKyMmjaHoEgHSN54VerBmPuC53fz7\njnxwUDhK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUBpUPlM/QdHWp3VJstw1/Lv9gc1MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATc1/VQC7uRiLJaP3JokuFl1oQG2lmdroAvhWCj\nQ2uB1NYUY1Oa30Mfuodd+xUk3az0dSSf0H7RR4s8hSygIBs4o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFLH2h0P3l/yLi9tt5GZvJMVntLSxMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAZN0S5yhkQXlmBks+Y\n2gUgFAaNcRymsrSap1YFzsLNtgIhAK7d4R1qJdw7hsTv7cQy0cuYVqd0CUayKAr9\nbdZsjCEa\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUNiJ1bBkOCHQRsMZnl39q2jBtGDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLq9w5iLa7ED5+ZgkKM+qSjY8302o4LeVIDTvi\nRWgUFyDVYZzW/DvvgARhP0vdPsdARRxTsaHT5X0JZe3f48vHo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFG0qAytaB34LxpBL/yemEZ0fbVg+MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAxQzoC4wGVm5II8hRp\nB70FUGOVTmT0/w272U27pZg+gQIhAKLBC9//wlb34GQI8yO3LTXQvKLFFPxqdZXt\ntfYFJX1D\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUO+Ol4I6hqtXmPvFeqzFfSUuy4rMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATD6r8DPi7e1kuo0uFgcgfiUrIGkpO4WUYRingz\njtFBSgbnxWJjdW6ftSJky4LR7KKZ3g2++ayNt5/3cWbpNGr0o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUsfaHQ/eX/IuL223kZm8kxWe0tLEwHQYDVR0OBBYEFCFE\nFNjwApRivKk2JgTiUBAHM5v8MAoGCCqGSM49BAMCA0kAMEYCIQDY9YlVPh766G4y\n1ecDgJupcPsxVYWoA4S5kvWfRZvUqQIhAPrPK8CCYyEI3Y7QZwq0NRPeP8yevOQG\npM7I6ad6nZY4\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUJJfkAWG5D2ozePJSQ0h3/YFQiWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzeyS5RROXyL0P5Fb5kyD1Fogwa4J6Yop48Efw\nKLWdBEtQklSK7uq+f4wfxydVQsIkiK65g9AYXbCUcdF9MGqco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUbSoDK1oHfgvGkEv/J6YRnR9tWD4wHQYDVR0OBBYEFDqM\nQLk+nrW3gpQHTbHyrGKVPv6GMAoGCCqGSM49BAMCA0cAMEQCIEZ5GNcKQBeSn64J\n3akgjN2oZKmhIZL2EllqkD0zhIsVAiAMXBAkr722MC8SgdNaqHZrKTPcCK2CghEY\nCQ3lpbDdUQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ3kK3SdbMigRq5SzUrZNwc1/FEUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAFj9zknhMSGUSfMT/p9/c1QPKEdTYJmlpCwj4o+8txq\n6u6UMnCSxsvMCA/yPAJIhpJ7IvYvXT4W6rml8RsIlDijfDB6MB0GA1UdDgQWBBQi\nliY686skqx/acggEG3pSYYw2rDAfBgNVHSMEGDAWgBQhRBTY8AKUYrypNiYE4lAQ\nBzOb/DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgHvo+yoNmrcD3NHNXzrqN\nPCavDtV4jWbFeYoC8lIiGgUCIHNGiXpxGHrONcry404KEBksu5kf3SjZEb7u6Hz2\nAbrH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUBXYmU6/Q+JYcupIrBeS+qIPOvPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEfBgxSQ0SRMSu9VpOhviSIwGyV+litTHkJksBeG/5pS\nc0dNZN2x0iz8xEGec0nrPUq1t6Ur7JxXh8rnrtzxoSOjfDB6MB0GA1UdDgQWBBRH\nQZe9Hc6M6WBycaaXxvPJf0mmlTAfBgNVHSMEGDAWgBQ6jEC5Pp61t4KUB02x8qxi\nlT7+hjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDrHtyZMcnwE/IUf+0I\nnbUp/IPJtVPmrIBuy4sJaN+KAiEAmDzbR6fXmZiJdq134miT2DwQI5bwbcaTB1QY\n3Lz5wcE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUETwwvrbYwVBhPiEwvYg8GxaN1gYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwzK+1RylGlUW95EPYNAAeK8dKnWxrRu7TJnt6\nWzsdytwB1sCtskci/5uz/D93SbtvejYqcmcKgVIIc0tqeryio3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlUmadV4KY7cD7ySA8Q7OiXdLITgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHXS41wSAZlBfZR7fufDZDfw\nk1iQSGS1himpIP/PTHXDAiEAkMxWPCIwNsrUudHAPx9B/H42ryLfYW2kCGbUHXKP\nl4I=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUORHkweURVwBnwmQqKZ5CE1UQ7R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpTbSXg8FAusF6cUIGiLTbOv1rG7niAfAoNuMy\n3IOHDhVINEU7NKxhCmHVI3fUMgNgXtJYGYKrCT8TCCmhM/DXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF8XDAlcVaMEOmeFKT0VlThQ\nAwUJE5jIbUGs8aGp2TLbAiEAkolbBJ0w5ctZ3dBlG1rGY9l8aR8H77yMg3LQpxhS\nFBc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUKgvR0NcG44k8tQp+97vBPFXNdFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgoiOFIDgapnr+ZZF1OSZFKmJmqO2qDI26UcA2\nQrVh2qkOl5jsVbZeJ8xfkMx3KxFEu0PUwiQO0rrqen/hZFSho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUlUmadV4KY7cD7ySA8Q7OiXdLITgwHQYDVR0OBBYEFG6b\npM6GbWq2DzbArj9QYc8DohS7MAoGCCqGSM49BAMCA0gAMEUCIQCwXe8QYBndEIWg\nleOX7F4IjidyM3RPcfW9h+awdm7XHgIgLWXqZ/AMKOhPgSB4zd9zQLQmUxumDHoR\nsdqdkG+SbqA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWN9wCPWSuxR12tWvmslezWiulN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQU54KPrMeDZh+NKExJ5bEi2+jxM+dYmnxHTmlA\nRj6cVPsccTCR2/vZ4b0WZNBTt43iP0zkaFoC10fNJjoD+zvNo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0OBBYEFNoh\nNnobouVyJbPjeN2xRzNXlt4IMAoGCCqGSM49BAMCA0gAMEUCIQC3tFCRmZI6GTsY\n8Ze1+85eSnpEtVevkaY+qjuoFhzk5AIgZEpaULj441Uy9+RyPGkEXCRUKFo0BDyb\nXpLIzXO99t8=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAV+gAwIBAgIUagGmvWrZpdjHud0pfbVvoQHfzXYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUo8nvcKbeIdhX9yrj7nVJX8/YBz6bcJtxhkOO\nGMbATEVX95m7HXVviGXtB5BfPRtE3GvGxXibTWlG9RQtEvjZo4GAMH4wHQYDVR0O\nBBYEFM5Ijh8uZ06ZAI15IXz5Que+maohMB8GA1UdIwQYMBaAFG6bpM6GbWq2DzbA\nrj9QYc8DohS7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOlxf1w7\nhPcKgkX6XYv8STEKDGShpvIVK5yx1O5RsDOhAiEA/y9yCGbVNPLbmoWsORsrqOtM\nBqkiesnpdskTEDSfOgI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV+gAwIBAgIUUOQq0i55B0gWBt4gORFDxdigregwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4eBJ5hNcAao93RFSMPmvtlNlTjIDhAjg+buyo\n3ZoHlfZQsCpabitbhuA7Mx8IXEFF45I9H4zPDKsrCUCPqbf9o4GAMH4wHQYDVR0O\nBBYEFDLsStQb8DnM/SbPgs3hMClTOOpdMB8GA1UdIwQYMBaAFNohNnobouVyJbPj\neN2xRzNXlt4IMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSavc6dma\na1Q0yhMl2FcVPa6tahD4BwCBd8v9orfahq0CICyHZqewZuQqzj96LgunU1CILF4w\nw1xtA1L/F7sSZUST\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUdW2xaKzLZxKrC65j09An2t+/ITcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVskFFCqZkXFu6eEMoAV6r6m2bJw5+h+M5Lodv\nZFeqiDZ6Sdz+6/9E9Z45BEdRcpxDxtSzPCDJpLHJHsy4Tr5ho4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRdKt1tmmyiKgKUW96BBhUuZpLPkzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAlHVTuBTcmac8WPKiq09nfV6Mh0PqhgFP7+Z95QZMyTgIhAL3kqKDl+C2dK1sV\ntorcMYqkQZjfu/r76ZCoicVXQktT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUbkYpoe0BPTaOYK1EsUhNEEwVWdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoL/ia1jhCOxMwM54MLeB5KIttJAsvufB822Tq\n6mJGWnkNaR/hcXwzcHCjEOgJ7tuQaEqr6+sKleCTnC13M4sLo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYeC1/XhnkDRyqAxZzA7RqtGzc2DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA4/mKTZ89FoCYnLfSPijQ5fkJDTWw25mPkAtUHPuQWAwIgJz1tlnq/IqKZJZ8u\nw6XvoZy2ZPWgzwhgAdNVdmJBzGU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUYTxDqQK7aok0yZjU2QnsCtU2QMMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJQSQPY9p6gePuyfv3oFR0QF8DmFgFryQbVwRkslp+gD\nI4C0vtnNiYsy0ejJUc6H1gdwXe7Tgd6zArSN/dhrsZKjfDB6MB0GA1UdDgQWBBQ6\nlUjVw3WAhrU66quUCM0bfq9TTjAfBgNVHSMEGDAWgBRdKt1tmmyiKgKUW96BBhUu\nZpLPkzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgbjKlhAEazwyylykpDNKC\nKQ1O3IrB6PJWCaYPAP3HuuQCIQDyrOGdm6Ef2WkB/4gsBOmax7JF7Herycj8s9vV\nEk5swg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX5pD2+HC3Spav6xM4x7nBCmAyrwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXCwOcfcQhRXV9o+1SMO7GKLH9EI0bcKD6knc4Rv9PL\nXm57AVd3OLHumGlLv8paqOrqaMl/ijqmYLRc6eAB2FajfDB6MB0GA1UdDgQWBBQb\nXwEGaI+JMR6FpcolybgHS9pt8TAfBgNVHSMEGDAWgBSYeC1/XhnkDRyqAxZzA7Rq\ntGzc2DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN91ldSQnSbEmqwY6eri2\nWiYKz/+eqkHSMwFAUkg8eg8CIQD1k0Ez7rvh2l9BPmCi6+KRJxAYeeeQZuyOL5tL\n7XX0AA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUKD9BCWb5xw0M1TfKBh6L3YBsBCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3DUQ7DI+rHZlzsdfT/KYP0C8M//dPbcYspE6Y\nAG9arEEGrm3qkJ43ZK94KrxDROclT7YmVMlyX0DANQHf5T+Xo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Nt5EhVpyJbz+mVisvdBJuU+8OIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDdQoI4Y7gALmVDt35kLiX4Hr87\n5n+NAHIR0+AwVOhgJQIgB1ltHHwqlBRfmj98YFNACEebCTCljd72VCti12p9w00=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSEKvCLyXevWhLJBJCi+Zc+OAMC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATy+HexOz1PFdbojNgCZOsOJ8Y7ZBGBQrWycAqs\ny8/LF5d1YB9uMDweu8kksvAZQSCnZnBg9JJkIAA2uZIRh7W4o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobd8RTycyA4ynZEerlz7LvXgMrQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC8vSx6+y4yQ0pPNjeStWqBnB3b\n4YcCW3QtKXO6/vuc+QIhAK23lNfZ7kRhmiwTKgp1RocoOj4FpV4gteNE5ZNaxMKu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSnzsRcymyNo0uqI2jicG7y5c4u0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLVUM2p+/mvd6S6CBuaIRl7IXhBfOc2YJygr4tsLsGU\njAXI1hhQ/n/aXzKyvLZKZIzb7k80JUKwf8nvnKW+QBOjfDB6MB0GA1UdDgQWBBRn\nIs7QYHD1Gc7qsEvM5DVnbgjRVzAfBgNVHSMEGDAWgBTU23kSFWnIlvP6ZWKy90Em\n5T7w4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJFNWaLQZ4CI0pqUOsYO1\nPj0WpbkxA9cND9f3uB4aBI0CIGcgoxhpPPlewl0DgNBsv0nrx8HdHKWYIrAokt6m\niH1P\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUXV58i4cBLaQDYqk4gxMXzTBQRPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF1fRCwTopzeD9SngHRLMoSBkzItmsiPj5bbGSgFUnXt\nkYBeY48i0Wbf41U3BiusP4ZcFzs0OA4TpI6sKEisSDOjfDB6MB0GA1UdDgQWBBQV\nZbw/6pJ6Szg/+Cs4A7HwKckf1zAfBgNVHSMEGDAWgBSht3xFPJzIDjKdkR6uXPsu\n9eAytDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBY6N/2oEAIONV0FLm23E\nXT7Qp7ZoGU6XxY5SEhzindMCIAIlZzcacjRHStK6k4T3ZsVSIwA2pcpaa70WkCrd\nDGNR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNaS2v/iM49VSh6SlzSvupaPSaNMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCj/X8itiCG09j2lMcZSm6+XPsN0NhuvGjY274\nJwzflDV9xMeF/ZLrGrAhfFckUElxJlSiYrvX50tYJG97OS2Uo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURDsqX3mHQZdNcGZlIiG7ibYMCDkwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJ6/ktCv6bQRxlAklMH+Y\nSYRZ68gft7sKnDEwEqnrQIICIGZWjNZuKLMT+1undwH0ccMNqHUMPRLe8MqSF9F7\nHGhT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDGxL/0EcbW0tE86+rQHtaUf4rDUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiO6JTak7oLpiLc5gv/cPr7c4myiBl+eBbGyVM\nC8m3rDlSQnGy/pUNatUnhAAqCYr4qjmLM8xyL4a7qRwf/nNDo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1MW8Vv4WLejYi3BZU8GXXY2ygswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBcP5H6UQ75kmXlCKSi0+\n/g/0YyyVKxX5UYGWVlN37GsCIQCzE8JSuo5EzAykYjci+JLjdbEr8Tj9TzarSVqS\nqwUDNg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUbdz5h2c/hRWDsqfnRDOoakc5v/EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMRMPOxOKbpDOZTGLI9LpWaov4WyHlXu0LOvfp8CIItW\nqMn0DMqeaEjJX7Whdk4/vvmznBTC174NvoOZ6Hv7bY2jgYAwfjAdBgNVHQ4EFgQU\nP56i9fBQCfSC8xJhdHHVAgr5pCwwHwYDVR0jBBgwFoAURDsqX3mHQZdNcGZlIiG7\nibYMCDkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiALkNpZP5ZySt8k\nNnwhd/sVCqz+Jz/NSZlZAqdIGFLiWgIhAOQOF4/aXxMesE0urd5kPrK+tGFUMKZC\n9AnRR3P+Cbr6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAxRA/uE+uO1e++Ur0zAQWYfrcIcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdqwvYVkMSdXSSnutBtVD+RxYZFllY+hJvZLxxFXn8y\n0jfXWpl4oOhkmRikrzOjl9Y/k1DH0tHpNIhSRHQADEijgYAwfjAdBgNVHQ4EFgQU\nvwbc+aeC4z90B10gmaZmiLZgFuQwHwYDVR0jBBgwFoAUU1MW8Vv4WLejYi3BZU8G\nXXY2ygswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/kzKt7xAzkNeS\n4ViNfg9Omdkk/ucBlaCkJuLjG/jNJQIgQS7rCUSYQNqWjFfl9TwMexI9lSti5I29\n8Jtv6geAnUQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUUrMb54RxzBUr2fomSWW2CLZ/LmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXccFfYrBclMtYxZFkTwtPWfwZLWnCIli3ZCm5\n21WPu0FXKeTMD8Wmap/TBsyg6Njq4HcWU1gk7OrH3aBDU4R3o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURi3Qo3rqRLHVyGtboZV7K/5MAD8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgF/kOabr36n91bs831cj60gqznpX9rE0Q\nqVfXxO2s40QCIQCQ0w2a//4/hSFcKuiBVaaBSwiMTEd61BLUUT5NzIrXwg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMizJKjrF0w+9M4cerJClHoun59swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj1L1/2KoCrJ/bc5y53gtl2xduSvQuNMHv/PiY\nHI6IMRWpK5c+oivoh0weOgdskfw4rbZngNk2F6nlt0k3QMU8o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrDcAUiEANnpMuqigwXRRkUCxt8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAMlHI1LHGXdAltbfItFPBUSyuChb+Fr0\nxg65L0gIAdteAiEAsqioSpGqgcRWFkwhQfvBJ6X8ER0+xT4cxtXnNUZrFjw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUH+VQ6xBGtKpvnQi3aICBON/bUPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFcFLT5WkQ7BSJ4+pevsTAR8Yt43oBBCxl0+90wTvRIx\ntPWYAOjPAxkjiQkf8eZujJ7oYmKvLWkvSLYmIdUTmUajdTBzMB0GA1UdDgQWBBTM\n2h/bumFzedXdWEM/BOHBy2ka2jAfBgNVHSMEGDAWgBRGLdCjeupEsdXIa1uhlXsr\n/kwAPzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiBPc7FKuGByM6UemPv1wdgtRpMnz3To\nHv8qZ8LdKDEkGAIgFKNL2aBaZOyobN8t3PTrfLkjdEIthIDrmZH7CvAJ2sk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUfCO0lQHH8ALR/B8ewXx5OC+wJGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJL3Nx/cj+ngSMEIQqRGrpBW2xElrejW8FbfnX1hnQ4L\nRayaQLiq96Ikv0rRQL5NBRdWnxZwMTWEDFsw44tRdUyjdTBzMB0GA1UdDgQWBBSh\napyQB4K2FqZp3YfVEVLfrTO7TTAfBgNVHSMEGDAWgBResNwBSIQA2eky6qKDBdFG\nRQLG3zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiEAtYKYluoLYfAjctfwg5Ixw4eXSKUP\nT79ANGWaLCC2870CHy0Ys1SEYWnTD4tzf6jyVDDbjSbl99L9Ofg1m6FIWHs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVLiSGg06crsVsI792EM0s+popbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyCNDslkqZ68Vd2QoOorgrl3ygSwo/gJhWhHZf\ne1WpDdeszVLPHwFen97Y4nVfKNJtaH0+xiUMGohlgf0J1Ffoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/j3XUg3AJSfYXuwgFkP51Zn1bDgwCgYIKoZIzj0EAwIDSQAwRgIh\nALWmINPKq8gfNP48d9cfQ88t0fb5kqq8aveoubdEZSvFAiEAgsI+NLk7d9SHfSgc\nk7h6ONH0rO5GMcVyC+YK8TKc15Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBY/7/TJand9QGWPHmx5DIiScgpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQO9Br/dPPi/rrCWMq2e3TLFrgSXVTo57pICX5c\n7UFO+wGMBmnLwNIx5lQkci4fWwJDyatEHSSejOgOxGBuDQTUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSRaeZOmEMigrEA1NyPJhYMXa6v8wCgYIKoZIzj0EAwIDRwAwRAIg\nNXq7kUrwKZ7ahfp7adq02Li/Ieo1xjrB2/MapA+9GesCICqXMJ0ajm7bARSEVZyr\n74iyhOPzsJp0xiwOqPYOReAx\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB2zCCAYGgAwIBAgIUTfW1MpDt0db6TcYrBRez1vk5fwwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvg6G1jhVyIb8/rqMUrd7NwEj1X//RPWkafZeV5taTF\nrIb+N6FQ3LBj1gGRhg+2ayf5eYjKqzg5LpvwRjLdJrCjgaYwgaMwHQYDVR0OBBYE\nFITn5LO+c7I4NOP2la+jIJYN1IrYMB8GA1UdIwQYMBaAFP4911INwCUn2F7sIBZD\n+dWZ9Ww4MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCID1xR2STJwxQZ/NRn18gplceI9Tj\nSoctzBPciwOuIw5GAiEAmoZaqyZVUrs6RJO7aFOeMVPTO2BvgDsl2IqTwPCjHvE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUUUX2ik7HTIq7ZiHN3OtYyl9Bxu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAql/OzIonKJlRxqwzAit49SiK9YTyf1+sAPBQTCOjFh\n1TfdS2CMW4u50/FYOTneCN0Lg5na4Tl/PBdT4jURpA+jgaYwgaMwHQYDVR0OBBYE\nFBIir6eZzZ9fdMb3IxOiKrCVuu+fMB8GA1UdIwQYMBaAFEkWnmTphDIoKxANTcjy\nYWDF2ur/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCC1E6Dec/6o8wYrcbUvMYG1XS6\nCUVSAdslECRnVFg2cwIhAIPMepihmtxH64SKGBNQuzQgvBBtl3CI0cuNrQyoOVeb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPFuQxWUBlspeqRWNoX7cuBWTngAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTJedMAip1tuBQl0PzOxKCnXXccKSHOKh35pag\na4hG/8JpVG8W1IHWW3tJCAwoo0rnH2LrhTsYbemMSLvMpHJlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8xVZKPYnKYmQF0lY1j974OPMJgkwCgYIKoZIzj0EAwIDRwAwRAIg\nRPkG9vL0URV0NBIvN4dsKcztitQicZjbGSe64VJwHesCIEjCS8uGUIKppQCzrWad\nk/8kTRpAdzIHrD/xPslBCcJO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaPTKWkDZ38e3dGNe2IbS/zp5YEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0oBthpDgMzWaqiOLLAetOJN2aXLYKt5bPdKuR\naQC8FHejQ/wTt+hsi9CtpVrvAcEavBN+LgcTFAvfMaE2/8MHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz+hbJp9EiMdbI+8HsPSUVTssgEowCgYIKoZIzj0EAwIDSAAwRQIh\nAKoYZFbr+DWnPpASYxYbT/9SExEZ9iEdeznkvocrdWDYAiBOn7I6nGF0QpmMUmFY\nXqM5Ob3DFdvp8O7TF3vbLIFtpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIUKpgugmXTdjjfd7ktVugETrhUpUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN0Ei62vYDC9o5TtfP0bN1ft0lULNG3j2B3Yx1xhEnl+\n5c6opPKrK5G4XulUNGy3oSMOjknM7oyR4LT65ohOWWGjgakwgaYwHQYDVR0OBBYE\nFO5YdJrZkO/PCLeSYAsg/gQLL3/wMB8GA1UdIwQYMBaAFPMVWSj2JymJkBdJWNY/\ne+DjzCYJMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGshgtFgq1ZYf3ZSQwaprLTB\nPQupL09M98Hkutz82LRfAiA9CwxHesQey048mNdCYE/OHxMX4FWl+dxyG2e4xeth\n8w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUMZiCgA/md218q0b+4Fc9+WDyyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2zzucsf4utxNviFd58DTj46+ujPDICG/lnsUMFWak9\njZYdx1rOWjxjnYGu2pdq3nizkSWIjC6v8LzrQHiF5O2jgakwgaYwHQYDVR0OBBYE\nFP3nKSnAf3cXFLg8I0dFQ7q/6WFhMB8GA1UdIwQYMBaAFM/oWyafRIjHWyPvB7D0\nlFU7LIBKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUSJA5suqb7N8CwHJWn0AJ\n2dX8oq71a2PxBrMhSzp0RQIgSoK1ICMK4E/qLASdcxCsnjXRugSqOfjZckjMhN4j\nr10=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCRuIYD0Jd0zYgADKvoQ7K3goRVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS009bp85xPlc/fZ+528Q0Es4XeohLJJ4u3lpNL\nqWCu4IntAFOB9RiKNVp7iJIccAgnoChXeA+FQfw9XuAte2BNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1r+cg9tiUhcw3MBbMmpZhiAWAoUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJOg+wlrgsM4X6kaBj/lYci74xZqEmYoXyUkM5UFPvr3AiBeKTtP/tQ8+T/a+Bda\nrOWT/RGmV4mfsbm6de1VWKPZpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQq+pcHwZIXuISNO9p8Q9IojIQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbHJdseRhCKrB51VagduIOZYIPgAYd8a2upXsX\nkWqZ+/TOiv3c0pFRPUFguY8Om179q6H76Iz/BiJB0liMz+7Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiLPqP86dZ7/utt2aVUfKj69SycowCgYIKoZIzj0EAwIDRwAwRAIg\nEygEP1xdYYAbPTW5V6YWwOTTefNdB/cQ0YFae3pibTcCIFyvqyx711O+Fwwitzar\nd9lymzrnVf/DsxyDPCzvBoY4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUE8Mfv2wqUP+EWNw+cDH9J9wtCJYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmr45/u63\nerseG2o9DxK/lYg1puOVB/wayGc0dvU+dY9kX+KAv9eQ99WwODl9QzVRqHPFyaFU\ntqPtzgMpAC6lMaN8MHowHQYDVR0OBBYEFGcPLRGJZjX2hoXQ515YyV0q9y35MB8G\nA1UdIwQYMBaAFNa/nIPbYlIXMNzAWzJqWYYgFgKFMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiEA+eeMT0n8CY/whdrVtFsTGXWqhPo9Pg2qvrMNx17VIIACICJL\n6b5bdQU3uW7pc8uHIVZx+Le787P3UAW4kIfkU+Yg\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUbzsVmLavPrbL5lPoKTFoLD2MguAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwQRRvhNf\nmFaTgCXxgFCi6dio0bP+veBdN5+U167cxINA/82KvWUm1WWUrM6xCm4LH67n29mi\nFUqY1OAErPlHuKN8MHowHQYDVR0OBBYEFBJC+KbsPDjnCvWjOcpbue2V3pqBMB8G\nA1UdIwQYMBaAFIiz6j/OnWe/7rbdmlVHyo+vUsnKMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBumGihBjnavKvElAS+EtkeJkBJYx/X6IC6Ved8Ejo/JgIhAI5z\niGEGZBSvgwyB8tzli7KgWygKRGRVWkDF794+WW4m\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWGPPxntvFA4c7+Sry37boDnT47AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwaKeUSnMfKq1FXRJ78QGfsyDKto/09S4RpTy+\nfpnBJRap6i1JBj/XLCXvFRiAuAgSQN7fwFqw852zVBZAXBpSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZd66BwDFii46cDgqjfpjknK80u0wCgYIKoZIzj0EAwIDRwAwRAIg\nUdYGUHofABu0bJBPtDN261/zoSuusfzpO4L+BMdMo/4CIDTpeW93zxMkHqXGoqcH\nFgM6WjWnmxZ1O1JH+VT+JT/M\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfh1acSHM5OLNfiw9lVCm05N6PWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST5YKKh299WyGEfxV7KjF7A8VD5DLpCpFKsm96\nG6PzihCTU6NXlPGxoHVHvDv0W+9lBrxLQD3IS6cwSt0Wrp/bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqgpzUt8eMZBXv0K/vlY68mfYET0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN1KxV5CRSOy3OdoBImslOJMUb+s0PmTuakcOiPYyr3cAiB2Ny9rZxyc5HbZurOq\n+P94O2/tpSuEu1J2xRNnMqDgmg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIXAPX+ILuQYIagZ+uvwYxoIWoRqHOfYrYwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABK7A3V52q0sJlUYES9f+d9XTfysUB03K5B2WRcDu\nIZfjhWAsz5d/L2s1uVcxBYpKDJ+Aa4KVUFvXzNonUM5Bw0qjfDB6MB0GA1UdDgQW\nBBQS+kQaRTWqwEjQDbrN/FH1F+meajAfBgNVHSMEGDAWgBRl3roHAMWKLjpwOCqN\n+mOScrzS7TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgTf1D5LiQwWnOlyaw\nma+ZB/M2HDKklcwkCB6M30AIYIYCIHHIekHtveX1Ng7jZ3INUy0TU84pD7it05w0\nR+p880RK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIWMd384V+U2g8Sj1qPcVEhT3DOOnkxhDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtnspHa+Thb93oINgsXwA8ePyC7CG0dy/oqyYtiD2\n9uheK/m7qU3kG0eOGjWIXrGoWECF0Vkq1mtew9/SDu/xtaN8MHowHQYDVR0OBBYE\nFI99kW+82PWUihbOHt9AR3khFIxUMB8GA1UdIwQYMBaAFKoKc1LfHjGQV79Cv75W\nOvJn2BE9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAx5wici1mJU3blled\n7BsK8bk3Vb1aZqvvr2cmtizwm+MCIQCl9l1EFv3knWILRt5fFNyem6f3WN8ChmlI\ndvn3ZljD0A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaU31CvSTic1ABgJrlh5laZP1fnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJrFDlU88Hi0YomxvVkyX3JsOgZDlpPNi63z4p\nBhsXtLknOGcghGJy7z6VF3Kh/mleC6i+CnEWHo3dGohtX530o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwN98Rfh29De285UswN3flUqDriwwCgYIKoZIzj0EAwIDSAAwRQIh\nAObO8kMs0xxBnIpngkHkBITGZiD5FX8Cm9Cby2dlCv+xAiAFAuoaiJb3snNR/atp\neOZSKx7YkX5hs4g7mH75qRVXOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOkYOfYCb9gWqw4pRgZNr+t3MV9UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK7c7Xy+qpDOdoJ/clJHrh1lT3gnwdnT2JwCVo\n+56E8MRm8UgU/DwOZRU6ZUnktXeVFIWiAYuI4imTEeQBWBhso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LmlT4nsFeuMTEK7AAoYU2dQdIwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKXRzTJzGnP/nq0JUTlhoa5mZ6f7b9D8fp7jGh1UmZrkAiAwHxIX7L5K+K79sVYO\nClbbolrpSHbNG+X8AbWd5FB08g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Xpk\ny3EijFBj7nVRpulBWeQYIES5WheAa7niaHLKvU3IZrhF/tw6AaY8wISgf+9wLN7m\nzqgKF/ZZuKfsHUTeBKN8MHowHQYDVR0OBBYEFPmLooNDAwAMt0J81yvPtKedbr1B\nMB8GA1UdIwQYMBaAFMDffEX4dvQ3tvOVLMDd35VKg64sMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA9FhX7/cxE2gh/B/pbLYX+BQbR+FfEXP10ucDo7mU5SAC\nIFzFR6G1+PrpJc74J04x2TuTLQaHq6oHyjwxbeWCgrPM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE72RX\n9IIYMQvKJCkE13qUYw4FmlCHwWgPNeJCAjJeGkLYTpacqAYYrbHKpJNghxR+eT5Y\nVx1gKuAoXePVQEHJjKN8MHowHQYDVR0OBBYEFG2y9AHm6WsM5jLECjp0KsnSix5F\nMB8GA1UdIwQYMBaAFNC5pU+J7BXrjExCuwAKGFNnUHSMMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBN989SSYyk4nuHm1Z/9FfoUh3hMrRSG9X1UPBEYmZjAQIh\nAPB4/+d2evQM93xc4W5vS5erydHApt3ue9yyd42rxlrS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEd2ItaxT7TLPVpqbJeXuoXCKaC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNeynYMHn2gFxp3Jese7gTbg6b7jcsFkv4zAwz\nTenP7M32iqnlDV0TtrRzDbvEyRy1FENywWRISVI5G6dk5nMDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7glm25BWd3v/IEcfr4M62lYpTB0wCgYIKoZIzj0EAwIDSAAwRQIg\nM0Pwfqlnl3nGyY7twgs2osm7yPSxrCPMlAhWbaRaoc8CIQColH+wWW74puvEThJd\nXT3rXmdtY2krht0/Pi9D6pmF8g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcZ+OeLvcrj3LOXaNqWA5LYK5euUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv9ng+zVkD465caNHnY3tVl3p7EKiq3U3aFawl\no68v68DFMQxtbxB4uR8EI7xtFPmXq+LxpR4VH5OxYY30qWt0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkbapRNk0uYT2RPTGkPXUbaWNKb8wCgYIKoZIzj0EAwIDSAAwRQIh\nAJwKnJfBcylmqcMP9vfkhpqnnCeJ6GyAwMSAV8EU5qCFAiBiecsKVtXq4vFplNnI\n5wbhBmMgvKTw0z7G8rnFxbMEJw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIUE5iMsgGqhaSVZnDP1q1Uql/tzBcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDdLxMPilhMzN6oBev5AUxSCTZ/kXChMAdH9MepAavuS\n6bKwWgoGPoF0he8ng2nIeluJFEBWnwux8IYxtlUJMr2jgZUwgZIwHQYDVR0OBBYE\nFAz/+1xKUR7kVEuejG8ddc4C1cDuMB8GA1UdIwQYMBaAFO4JZtuQVnd7/yBHH6+D\nOtpWKUwdMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBJqk04rbn7SnDSk7Gft80Y0cV4kfL18zFY2N+S2o8HyAIhAIQm\nDzciAlXNo6rYRjr1MMSM+K7ASrPYPWdoIL0hlimQ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIUPFffShT9gwvsWRGRdJgzJPnxbsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGIkrg5CiSCwlsotdIs8h3XaUGEcql8tyJFZd2sk1rKh\nZNq31dTunM0hv24/cq4GowlSYv2PQhkdEMc+3QUwkMGjgZUwgZIwHQYDVR0OBBYE\nFFg94M1OLeKMiA5I5sgI85MvBhqfMB8GA1UdIwQYMBaAFJG2qUTZNLmE9kT0xpD1\n1G2ljSm/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAfgFoI+lf3MYq/nuGI8pZ7xul+/H9G8gmHqV6bbJ0C4gIgV/eD\nXFA++WOUaSD9y633OhlYcEoo48K+HOYdpUqp8FI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXoFWU6j00qA9j4t1n5+Bb3k1xHcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYdL7XPLKW3xnX2GJ50qYeNOELiTAZa4x31ti4\n1P3uLbPubu4W80M6RSU3MBRLyWf+QvpMUAR0LFf85yB6GjqPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZWiTXeNaKfJyBsY2Pj9y9KXUitMwCgYIKoZIzj0EAwIDSAAwRQIg\nfz93WEsiUsCf6/dPucbm697iXcdxwYnm8/0Bvg/0c00CIQDuHNGsOHbcD9o8n6X+\n5x4XgJX4jqLCaf91ECn3JRwSdA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUw57ad6sElzkmrmODAF6vwgvemwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO8zkY+VgO/1oSsGwFu2JirkfVu2doiwWVAd8V\nzDyeHtGvSpY2Hxf6IX2FVc0D6DLGTpXMvAbeA4V0LcEo4OI6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxc3s7LW9Afw5MKI4e7Ex07t4od8wCgYIKoZIzj0EAwIDRwAwRAIg\nDrzMH5viQbDBUq/oCkjxZGCxJTf48fm0XTw4laWtDpsCIGB3FcQ9KsAg6RybbmL7\nHRrgbVvbkIhjeUTrdVRKrfD1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUDfNeykdLNWCNDH7gbp3QjpTgKiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNM3M6V/L7oCV1uef2rrSMMA0WC5+DleXhlEfiMsuFlH\nCPSLC7DYX1cKImAktig+xbc8KB4PxZ6m8yiEZ3XuFhqjbzBtMB0GA1UdDgQWBBRn\neLUFtFDFHa1bAlAn6WKve8qOMzAfBgNVHSMEGDAWgBRlaJNd41op8nIGxjY+P3L0\npdSK0zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiAlRM+3AI/R4QObU9hvtsCqikihsAvGXcclTMCz\nwsLqKgIgSAV0j6ys8099I7E/dVuPIiuyD/vFMqURXaRjrq7Uezo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUA/WIBMG+r3se2/e/UvNLx804GT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxQmtkbBR2K0h7T61IPNuCdAN763pGCWMupYO1BkwRi\nTCt46zacARKXd5SL7D2I/yOcFJP/vkojSULLgDzDVvOjbzBtMB0GA1UdDgQWBBS5\ng5k1e+coI9r3mwN9jvleJS/coDAfBgNVHSMEGDAWgBTFzezstb0B/Dkwojh7sTHT\nu3ih3zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9AUmnWbvCOO5jI6GhxvZYI75fk2xf5gXobPV\nH1dcU4UCIQDeHzcv7IdYZf53zCs6IR4JSBi2hCmukVDxPR0KdUsGbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfDvlL5wDDvWmEGQ8j54u+ErhATIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS+IsvqSzgiLA+c26TirLrIt/hcA5hG7u96a4z\nQkdpg72syMwpOooubQ8en9HevrEuzwicBrkDw/z8o3sM7Oi9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ/JEmuRGsrhnepkIZga9gVZaq+UwCgYIKoZIzj0EAwIDSQAwRgIh\nAKlWY3V0edty07CwE9GvIR1PlBA9GI4PkU6b1+b9mNB7AiEA6zyd1jO4VNQh4dTg\nq97ZoGWjQpNF0zxrvtR1Wqe7aos=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ+e5p2r38+FNW34nsw8j2cAOJFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXzSLUfiWMc1ADCXjhZx7JdZAnDi/ysxZXTm+i\nZ4YCMabtH6Qv2J5MPbCDTx7dQIC23nTrvdh0N6M0TIV5ZD6fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPK4zHF1KSFBqAWAjalgDFIQadgQwCgYIKoZIzj0EAwIDRwAwRAIg\neQyX7UC+rx1lyo5fKT0iKO3ARYWwgPbFJyexzOraZdoCIGAJsmU77hIwdcFe25LZ\n9fylp2hyFgU3RDQMZ5EUY5iV\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUWmCmOR8fihfnLxGFwINf2T8E1uswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAlUmPagWgrD7JJKTAvOn3WJmDwpNVT6ojzEG6tDBfW2\nZONXGjdHbxNo1WyhK666fdYieVCrjlctUjKTAjoDPZmjfDB6MB0GA1UdDgQWBBSW\nEtFVQSdVTTK+3u1omWgd5J8Q6jAfBgNVHSMEGDAWgBRD8kSa5EayuGd6mQhmBr2B\nVlqr5TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAPsKrE7eDNw7OnlRcfQC\noy5eRXLskC1UOHKvNmYubocCIHGRecqv+LeYEvVmGNgJ0rpujATSjZdw2ZQhB3yT\nMolZ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUML1XhuoYUHMajssJOCejZIQ0BG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNYT0z4LW71cgo+fmhu3mhuNljfc/jdEPWMSlNYJSSsi\nIZBk8kdnY59EgEA2Hr9RAtolCXq1eGwmjvzb1isJChejfDB6MB0GA1UdDgQWBBS2\nzu1PITCFLGilhR8pWSBGmWnMNzAfBgNVHSMEGDAWgBQ8rjMcXUpIUGoBYCNqWAMU\nhBp2BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOykbhTvymm0B/XwLN2p\n62O9nQ4AC5gcd7Xv6XPJ2NByAiBZwAhque10skTS9E48ICFMPSIfMl5nXrukJTGt\nLHKiwQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYs9SR1KS6h6aP0jAz3YnFtrdBcYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC0t93X8Sj+PD7Z2sA2ZwbOxiBG7Pb3RhD5vdg\nOVQLlsNQP2CsNRxjFaSGVJYBqpiAVhmdSODpH6sgWZI1nBngo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU56C1yoBCYZj7hegKxbNGhDvEH8gwCgYIKoZIzj0EAwIDSAAwRQIg\nZD8LtFHMKFfv5XTDt/1FcIaM7KAVsKthO585os1Y0wQCIQCCWQ8ecZwKdnob0WK6\nA4+7oaHf5XbqXCeSYTeQTeWTrA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBIjoiao57gXzF4LlDOrrrMrapJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7fLOubQJL+7fmUg6cmEs6k+CuyEPKHtcH4Z5T\n8Ypa5q1QGA2qrgZXms0toFcZrvjyL5z/RMasjLL3p6m1sLe4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUXr8epvAatBNaWp/Y997QRxgFI0wCgYIKoZIzj0EAwIDSAAwRQIg\nMNeiOmc4+o6DUdtS12U6kIdAX6JbH9/7eRmsEw/ir3ICIQC25//gHeLbYNCMKNVR\noec9X803AgZX3k6XDlj9AGdXkA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUanEE4+Cx93k1zGQSD9PQ+zsA/x8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHtLB94jB49AbCuvoykI9A0U7DvRf+6NMvLX5E7ve8c1\nXblO9y4S9r66/ktnyhhSTmKy9vqnuU8iEVGyV8HFhSGjfDB6MB0GA1UdDgQWBBRz\nWZPcFGux2bGsz8hhZ2mbvfD7kTAfBgNVHSMEGDAWgBTnoLXKgEJhmPuF6ArFs0aE\nO8QfyDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLgJ0EC4kgcLeia0EMXwK\nhqvGuVwQiytY49H4utBYGQICIHVRHazwzyiyaOWjpQfHjj+ThCERXX5rcc3LMOgT\nfDqL\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKGL+PWvPpScZGREU9UtzTUPm6A8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmJKPKQL6Gw1g7tNWpK90BhMaNYVQZT5Aqt5/ovKmSC\nknUdRfR90yoHGxm48IZGO8d8j/4O5izULy9dJBHdKYCjfDB6MB0GA1UdDgQWBBT4\nZRwD0m9jMeedSyC5ZOlZrz7+zjAfBgNVHSMEGDAWgBRRevx6m8Bq0E1pan9j33tB\nHGAUjTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEVlti17vzTpeC2Sd24Hy\nO8UInsqFsg5ZYpXJdeh4suUCIE95YJ9e2HUOagM4mMN4zqBarU8iyyc/3EoFBHz1\nYBGT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1275,6 +1275,27 @@ }, "expected_peer_names": null }, + { + "id": "rfc5280::malformed-subject-alternative-name", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJnttr4Zzhnr5JDkQQkRos/1CWJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARO9Ny7hdlFge3jF0gO3o0ncBKTMbQNGzR07mZj\ngGPNi+UBy33z9OBCxv5c5ikWE7yatB1zRzvABrs/4gYxSR6bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ61W5tky2dHGO3YOw0cfXcmnOC4wCgYIKoZIzj0EAwIDRwAwRAIg\nenDYQWqf3kz2uZA+MgsJO0NLdrpatfFm0XhQ8SId96UCIHduRiUPMvuviCg2kvuB\npWBGG+3Dd7Irz5PoucZcdU17\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUE+G9ylCuT/HdPLc7AdU31ErnEgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBk8udN5nRhLnLJ05SpEbo8OhrXcs0TihQD630fI/NX\nDoj/m0ehnV/HwPZl11m/jq9ZOd+eZlJisJ0YFIMs3KijeDB2MB0GA1UdDgQWBBT5\nLvtbRgNBMxKlb6P4Cbobe9hDOTAfBgNVHSMEGDAWgBRDrVbm2TLZ0cY7dg7DRx9d\nyac4LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAk8/b1D97cco266p2PkA9iCUZ\nP7Nvt1n8PahhvXOIF18CIGIb0FfyRwbSiKFiJX3Q9EdFbddedmdtyebZnNmo/iBM\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, { "id": 
"webpki::cryptographydotio-chain", "features": null, 
@@ -1329,10 +1350,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUirOXPNQZ86mlez81GyTTjT+n0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQUK7NqtzxlbrrzCoa3MDgFFbee16cjkhYSgvmA\nCCZVHJabAWVdl0cKbNXzqodOYgSI+aJNzosFuK76UFWu3+Mvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU41ohGyGiG7BchOyeuo8Q7/VLeqUwCgYIKoZIzj0EAwIDSAAwRQIh\nAMDAQynGIenKhsBE67nrs/oAF4GjGi844OViB7LI2KFwAiAjD0h7XMa+nFE6IIHp\n/XhuPqBPnwHL21rdTRsMD4izpA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHfpodbLNRqV8YGLyEy6zAK14ecowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScRzsh1n2TeLHopkPqolONMiBxzUd10RMu7qdb\nunq00hbPdVg3XJ0pnhwPXhIg0dcI8Dh5ySPHzMjswplBu3+co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdlDkO5Nd4Vij3xOpnTZtkSzKEm8wCgYIKoZIzj0EAwIDSAAwRQIg\nC6+cfIYBe3ybVZS4BWXuRaelL4pdjmat3JBgsqTLR78CIQCEmcTdErsE4MPeZqx9\niZqgs6iuN4MS8fH923zbLj+Jeg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSM2n4Yz+RMsYQPhwtWhQmxG8HnwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIjmS7s+wHaFeCXDEiXiSL4JofNLpKU72YMezroIPqWY\nVOyXStxi41P3qEjNUonyoBGBNrd7r8UcEpOxCj01feujfDB6MB0GA1UdDgQWBBSJ\nYFltt6kVQIlTEFN2ReJ3jNQ1TDAfBgNVHSMEGDAWgBTjWiEbIaIbsFyE7J66jxDv\n9Ut6pTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY6JPW0xhSZyTAh3eEVIM\n3lEHMudHx914C1kl6SMJxzsCIE50Diw/jqpLJbVpzscCM8rgCkikMB1DFCQDOMI0\ndUjG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUZ9XC8wm9xyPBF1kj+Q2Y3FGBwy8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLcULccL09xv+2Fj+ASdln/znWdsUn4Qv0uSeROJUvv\nXOU/dmDDkuG9K1a2fKeHcbBs8KXXNfL0UpcS1ihn/9SjfDB6MB0GA1UdDgQWBBQV\nf0AGjj8L+02buuYgyujZYiDHijAfBgNVHSMEGDAWgBR2UOQ7k13hWKPfE6mdNm2R\nLMoSbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOv076BGQvwFYhbPH2//U\nfd7IX/iLaYXwZ+tWth8RmuMCIQD4tQbdG2TC9zGfKSa++FZdbB/24wV92I6MYPaT\nBC6htg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1350,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaj+CQwTs7AHCbwlgh+R+lIZY72gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqCVBpsndf9MdZkhHI8uqqC7oHKDr/1MsNiprL\nI5cZ1ejuvnz85+o4IaWh6eO2x/uJlkQWtWeB55ixD/buDhuRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3iNvwAJ3VaIhC4GOSImVJXXPC1QwCgYIKoZIzj0EAwIDSAAwRQIg\nIurHmzNas5t9kSJ3soWfXUzDldsJE+uHqUkiibZg0+4CIQCDpwpKrdUKfimeHhZt\nmDR2MQ4EQG5642z3KGud4fxLJg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR2Z2HZVytXbmP2ftELFH+JvAlsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzmNjE63G3r3uIUM+sr0mY0fIWnl20YIPHgHx2\n50bmMD05qi0v5BbB+iSkL8QtnQvKqqw/7NcAY/MFwW7RGSFQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSk+w4Sm3h5hv3heLYlanYeRUCS0wCgYIKoZIzj0EAwIDSQAwRgIh\nANbCMXCq4IcL6aypDJCuZqJex3rlG9AV/EeGMVt6XotOAiEA20W6YRdDNWB7OTAM\nLCDcmKtZ1Get9Iydhqui+PfXdMI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUpLlLxMj4Ms/8IfMCrz/IFucLYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBq+d/qMcbidnx07yaxk5LHfGLODMDOVHrNOsOwSOP8Y\nxzVi76B3NjeMTmLE4wguqbLB9K1WxXW1LFSkphsyUQ6jfDB6MB0GA1UdDgQWBBQ4\n8xKtZW10egVWnRme8EDnFLE0WjAfBgNVHSMEGDAWgBTeI2/AAndVoiELgY5IiZUl\ndc8LVDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANPGdPZLw/UdYmUu0p4+\nLgsl+GPB3RwmfMYoVNWy5c/gAiBl/hoJE5Mz9ESTAmiwtMi8858EeIOqYP4jNQkO\n4NireA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOTGXNCRuQsufSxGKrDswI9FMwAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLTwKOHYHb3xfGuu8FjXvtTPIuTvWrpITPTGT4pUdNr\ntDOHLv3iyaVCW1ozqs/iMocjERyMA6uLnbZS48xMvUCjfDB6MB0GA1UdDgQWBBQr\nqP5/4MOv0c6BP5oVtHu04ODTbzAfBgNVHSMEGDAWgBRKT7DhKbeHmG/eF4tiVqdh\n5FQJLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVQ+FYTXWoGCZrITQUHN1\nZdKd59YELe7E/zldSRH7Nr4CIQDzTQ59Xq6hUUpYS37HZbKCLQesUxGN20hY0vL5\nB8dwmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKk8f5OB4IQgmsIrsr6MDH7DeoN4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkmm01jdgm3cZWZumhZEFB1/tR+mKfT5g/W6rT\nWC/mD5kuq1rbZ7a+2Ht5SCh3gTB311Lf+w6Q5JsKuvTOsjeEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8ItsSIcVsU4ReXvwwnywIo+HVuowCgYIKoZIzj0EAwIDSAAwRQIg\nGNUloiyqX80BI7XIMQYHjGALMLHhPMDfPDXJ0SNNZbsCIQDjmKB2Yr9Uk80Z8Q4g\n7K6WvcU5GW8+JwQm4ZU5MOJ2lQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDZ1kinaUqTDcDHQUjuTFZ5QIBJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7rVuGwxjRw9T7kji83e5rm0qUNzM5sTk9VFGP\n5IpeCf4jY8YNknUqN4glK6LR27zLArJINFR4anoDja1kKhDUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcMHuupabydaIZjW8svLpvg+D4/kwCgYIKoZIzj0EAwIDRwAwRAIg\nZoFzLne05uza5cmELD/wjcqCFcvwn0R8dl/S9blf8+cCIBIN/MuWMyokjL7+Fmgg\ngMCiJpb39eqVapo258aKjmzs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTIYwbIj/J7McnyS9Pd4pmjeEjbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNmR5qRgtgMC2ii09P0X03+F19R+GGeEPhlattdwCg/9\nEBbD4ilsO7OyI/h1bdzBlcx7LbB3FQhuZs1VgErEZ9ijgYAwfjAdBgNVHQ4EFgQU\n/0x6QHRlxSiTWkpo3wYGm0U2Qq0wHwYDVR0jBBgwFoAU8ItsSIcVsU4ReXvwwnyw\nIo+HVuowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB8JF/ajQqNCLao\nEnZXirOXlYobptwRCJX3Z1FPvUp8LwIhAJ2xTEold+IJyk37NtQQgWdPDe0hJDjP\n2CT6e+XGopOl\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNC8YMhemCn8CpK8XmfL3RlkOCaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH7Sl6FKGA7tS+BtVI8qntD19i03ZfMMQDsvZqXmohSW\nS6NG9ueNo3lkJFtw4UuKp6dQKbkwX+HioPs1zieW1zSjgYAwfjAdBgNVHQ4EFgQU\nYGIZtjspynbnMWEm/INmKV//R/0wHwYDVR0jBBgwFoAUcMHuupabydaIZjW8svLp\nvg+D4/kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAL3sVFZCAC9wnb\nx2sczRxtpSq5OVGOBb3fUzH5RA2L8wIhAO1iDVlPsqYixOXlmBc8ein4sAhMduY5\nphQ46fLE25pX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJii+WyvAgPA7fF0bRGN8/iNlY+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1CPfaPY+r0/XQXzdQBS6cuH9lqXXPlPzgFcP5\noGztGNKKx1Zn6+c8EJ4rR5VFo75C1PmlbVLYBQF+PfMi5xuuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEDSwIVaAlwmlNa93XZiA2sgV/MYwCgYIKoZIzj0EAwIDSAAwRQIh\nAPIWF8slU0uWCWnO+UYJuJce1N8v8A06kKPoNS3x3WEfAiBCrGJagvSa5x+S8H3g\n1eh2hbf3NEYAOTE08amuw9PU2g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM70/XVnErRVQU5yNLP03I04X/6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfMBmTS4yx7dL3uR0S9vzdTDuxqwhGhsQATdd\nWx9Fe4H6NXayGh4vWithhGDc322z6U//YyOgUE39A0mhXXlRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7HqFDirOzMQI2144eP2w4GLXvTQwCgYIKoZIzj0EAwIDRwAwRAIg\nPk+7Iu3Hp1M2YxQBUKHuMmgvOr1JouEmOW7wNuL0wsgCICBWWOhTVNRQUxLYUH0n\nCZg57Bh/H2t6flQoj6fydnsS\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUI37MTJVyJsySsQPq0tO16WJddccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBHoWfsdDwFAFo2UUk2TsSCkY6wssXHQtNPGnXzVC0ZH\nuuEYiQN+eQior9sJxAKk2iU+I3z50cvgkZoza5jxUoyjfDB6MB0GA1UdDgQWBBTT\nh7vrur5JoTe3jHd3oFEqS9dv/zAfBgNVHSMEGDAWgBQQNLAhVoCXCaU1r3ddmIDa\nyBX8xjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAK4DorP0On6CFel0qbt/\ndNSaqvKofjIjIcLkDZ/FMw8AAiAdDq+06DJQkg6xkAaN/dtfiAXfx1NK3ESrzPPq\nyYfq4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKhFTaPbTAzpNEG9f16/FO1ooERUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+mAsQhfgiENkTY5vLkivJA323IJaikelIQJlLoGeMX\nZ7/VX7Bv8LwTKxO6//Rs5JXgywi96dSsgT/JQbSAo6SjfDB6MB0GA1UdDgQWBBSx\nJv/yI6O7ZN11dOZCfAAxFUg+QDAfBgNVHSMEGDAWgBTseoUOKs7MxAjbXjh4/bDg\nYte9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJfaX1ws0VQVgZA6+ChZ\n7EPCE9FWO43Vix7RavmpvG1nAiEA6hSoSAUeNlpSDres4bt2Kkj+O641RvdBmjWg\ndkoyax0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVEuV+1htqjfdMzImxe2KTmfYn9kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFKViDney0YkjmocCUSTJFA+3oJnvZ+rQ+c3nh\nLVt4fUpvy5bykGyEiMwQd1hU//onjGVIK7hyJb815ZJ1v7gQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ai+aQSN9ahynXLF49ZpLX+9Z64wCgYIKoZIzj0EAwIDSAAwRQIh\nAPXkWl/lTg/sSSaMNWJQHYmMcWgdZFH39vrVksAGTyvpAiBc24ghB/f0AS0HxJAP\nIQ5PRF9zm0MXx50I1FnQsyVdBw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWcH71LjeG7RVxAlWHu9VR47sScwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyXK4vXPe66ZfhIr0Dysd0a1oWODhTkukWMA/m\nLECDF5mSoXDypZe6K66AVRhgoByLSkEToy8vOVsBilHyRmd+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkiDNa0QJMwfDthsickRymvFgEk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAL26GMUuejQcyW/ZsGdHXmHYISpHkN4aUb3juFX4462HAiEAocg7irqpZLUrN+GM\nJzw4YMt0pF1B9cgvPFX3lKO/RpI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUJMDrYaeIvRYOGeSVqobzyreqINMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAtKzrJ2ZSvgdS+5dmNmoxChPmDLl05lCxME9o6HBHGX\n1uPjyIKwTbjsb8rjxtv6nnZKD9iiNVlL0neL7OdsVQmjgYAwfjAdBgNVHQ4EFgQU\ngoDy2kwd9L+i/RFvWOLVrxaa1wMwHwYDVR0jBBgwFoAU2ai+aQSN9ahynXLF49Zp\nLX+9Z64wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBKXeWFzFk1T7sG\nsDXBlKsYxwhvIGWVn6t5loSvSZomFwIgW8NYl3gYjAZ9A6vsnF/1McRQli3JEubL\n9odudJhHXjw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUF7A/I2gUOHfQFyywoIKkOU44wQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2wTPGyzMMcfHUUuao5hONbma9Ao96XXM9s0uHAhJgr\no/qN7ij0Zd+xxZAyHcFQr5IYcSqeXNL4H/AMclPP+AyjgYAwfjAdBgNVHQ4EFgQU\nRFoa+dtIewJ6lKtLLGBM27ucbQMwHwYDVR0jBBgwFoAUkiDNa0QJMwfDthsickRy\nmvFgEk8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjVxi7f15yB8T\nkyAxyvjK12SiRRLGBl+voyn7ueJP8+UCIQCJyIXYYltLWwaNKxXATDpNmB9WYZIG\n/DwPV059YK7ANA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1436,10 +1457,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdjcYSh1jbAZN09vL1AlZ4QYDZ7wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdxR+rUVtNRKCZ3czBDRLfSZEfmwvEusvaSsLy\nEBb9qR45FsvzMBIkyCZOKqdcdsHA4OUIr8TsjqsBwwku9RPeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxVScRv8HE95bwbdV35N4PrVrJGkwCgYIKoZIzj0EAwIDSQAwRgIh\nANgqXNLLvWh+47zILLV2ZuhjEKe3RQc6VeMF/a3vofIyAiEA98YIzztPzewq+nhg\ngXei1pvyl18V10trsuemMLChPno=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenC9QkoKjUDRHQSDiM/wtBZzNmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW3+APfXpF74UQSM8jdWbYpJ+2yYR1LJXfXJr8\nNyYxTonVC08IX/wmBSlkBSyGK+cZ4mWTNJhdLEPzUmcVd+cco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpwOTfKi/l7j7R7VFKitwYaW+lm0wCgYIKoZIzj0EAwIDSQAwRgIh\nAP6BHbfJ6mjZGzXCuB195HYZkyTYlEw9b5gDq/iqA/9EAiEA9JP9JF6CPFJi+pFA\ntaB2wkT1Z9ByLs8KwENhVFQ/cK0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUeQpP+ok/GSeW0dgoF8VZT58iF8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBmUbGBQAbermk1Wlui2M/SbyTIzS48GsEpVeX1Xr4J\nXsAQA6W6QtxPSJ06o6hbNumCDD3c/Tc/7/htcZeH1umjdjB0MB0GA1UdDgQWBBQa\nmXQaee6wjEdraZaZWHiPs+zOWDAfBgNVHSMEGDAWgBTFVJxG/wcT3lvBt1Xfk3g+\ntWskaTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPI1t2jCnOBHXB3uXbFPqgu9UlZwa\nJbKwDw/XY6T+KisCIQDp/ulpOEmBD70vDqUbL2NOzj6qgWeJ36SFdWt0rBWnVQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULYyJArBUmABu9jTCOd2deygmy9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZ4gu7knzho6dnSP4t9xR6ZawEGGy2CTly8D64t2hM8\nQq/L3bJXfwtmn4bdU17hclM2OlxGajBFjE7wJZYTNpujdjB0MB0GA1UdDgQWBBSW\n8yLFecN4m4Ogk691WBODlry1ojAfBgNVHSMEGDAWgBSnA5N8qL+XuPtHtUUqK3Bh\npb6WbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBHvEV2Qdybqag1Q69J2RFgPOpUSh\n+WLxzCr5/MNXEukCIQDeYa//NwBlr6lApjQUfo3iTb55/qbGnXNRt7d4Boi4Bg==\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1457,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUY5CzM8NyoV1UP40Bc3S/rTpJrPEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkcIrVozT/IwugZBM0KSfAhYsSmNXlkjMJwzCF\nA2v27RfZmEoXugQXkcczOV6n/vSm4kpDT7dMUZfcW5BH4CAzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbEYsNQxiazef18gsQZs6Ej9N+dIwCgYIKoZIzj0EAwIDRwAwRAIg\nPCvgWlzh2PA/lRVHdzldsUFowqwsmASR01xp3vZW7ysCICrLj4+OLFWmIrOTvpnh\nZ3NIHbbn6RYdKsqvKWkVedoo\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcIN1+X6Evkf0nKKr7TWEcT3c+/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG/NM38NzuAXApXecVdfki5coQ/m/skWdC65Jl\nQM6n4eDKDbeb/gwjqEDq9stWKEfslMD/HJ5iCdsg2o/OG0n9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG9F8cvqSBPk3KkFDZQL18Vny/lwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPnje6EAubO2B3Vm63vEpqM9jIdfHncGSN6QDV0ugeWWAiAyg5p1yKavimAxyYs1\n86uPYcGsl2iMmq2hzg35vnPMOg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUUlbJrWp9dBjmJaIluO2Io4xld7kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEQNSJZjMsoPNSU4SexhETr/tsHhHB7kKpHliaDHukJN\nsNnaqS9RnO0sCGAtqkHHp/+ysVBnP/uwhpjYE4yDdtKjfjB8MB0GA1UdDgQWBBTe\nzCymlIvAGLXeTkii3sAOO2OeczAfBgNVHSMEGDAWgBRsRiw1DGJrN5/XyCxBmzoS\nP0350jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBK/SuNHUicWTVP+oFt\na8N9Za8mxgZuOOTWLSLgf9s9wAIgViuvAwJY4ORPlEy3Rjcq+3J1QWzwwlBtjf/8\n0D66GFg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUEjsYlDT2JMqL8rEr7bzJp2YRl6owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBSwXwKOzyeLde/komzZzb/TDSmLvmHcVrmkGyZpVuP\nqfFhCllmhl54SshymCfz6h2rsV+wkpQD2kXrfOOaaFWjfjB8MB0GA1UdDgQWBBRh\nrUQaZ4f5cD7lRD/rVwYhP/3AyjAfBgNVHSMEGDAWgBQb0Xxy+pIE+TcqQUNlAvXx\nWfL+XDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAjVjAdiyq6UTSkDdtp\nCtTMovd3R3Ha0ud5gjmBXnw23AIhALQy8/aDcg9iCtrawFTMHbIhLy2pQMXECb2n\nSZh+U+1Z\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNSa5vdujpBzmfiX5r+PGcW2jUkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgrWeXIR1p1eNGgsCNMUwXz2Ya+Ee73YKed354\nQBgpfjjkIzsHv7KWIrohuJryGXFjSDRV4ph5k8cZWgKn0eRAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7eOy+SMwUuFn8jX2orkuvBmJUr8wCgYIKoZIzj0EAwIDRwAwRAIg\nAlk5aUiq9zuK0yMQxmZ8tzJfw/gnI8zeaFgob4IaQIkCIFTySCi+vVZOwS6sP42B\nUn1BZEHHjFcRnKwY/AEmwqLG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXfJKys8nheMPRbP5FJXwCRUEl2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2ZQu1zsdDP6VaZ9+0wGJac1h/jO3PqUwWu/CI\nqkSbzmq/7EDlsyi1xCagbQBUx69uZJaOv0pGmlL/uV3xWT8Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaRCt4C5uuR5sRPU/hc3k6CLJazIwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY0dRWwS4lCNMPiuPp2PmqJqZJtrr+vk0n9ahnDope7AiEA8vUBofSPePNRFPGF\nKPSSzBw6BR8NbELKf137Ojg3yTs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUDMMYTVHY7Ow9Tq0GHLZma34OApMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMVfPFNXeA0lmqVY7IurtEU2EwXz3bD2qlOhnl3xBIjr\nT+83zg+a7z7hrWAvUY3k6NFm4qlJxo1km9ZfcSqiOVejgYAwfjAdBgNVHQ4EFgQU\nrJ3F8eApHdot9WjJRRoGqXTSgZQwHwYDVR0jBBgwFoAU7eOy+SMwUuFn8jX2orku\nvBmJUr8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuNn9tzeZv0Rh\nARQ+x9T8CsiNvq7bOeTVQOS87+AbvJgCIQCB9K+kqG5nCncLok2wKQSjIB2Fv8VI\nmCdmhh3Xa8Fspg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUV/Mbwbso0vcXLepLHphWEW9j6vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOa4KdOW8kCha2wswMrfSE/sf/EeIYGvnc38vtkphvVC\nPJwW2HMjJryvuvuMskTOKxXu6aeIKBjwZm4n7QTG2VmjgYAwfjAdBgNVHQ4EFgQU\nb8tkxaZDiPKtOt92RYg8LNgb87cwHwYDVR0jBBgwFoAUaRCt4C5uuR5sRPU/hc3k\n6CLJazIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA+OdvbcX+9loL\nNMPXMeVMcigaP8euXdtjA7AQLwd8D68CIQDVtqqN6gwW8uzVf3/8XlCYZqVr7tJ4\nF9wQqkz7TWzYvg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNwd//46HaVQaYbQfA/C5q1bzpDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9vbmmmt8eBQUSdWM2Dwt/ydUWKpbWlGhQU6wH\n50srpH2+5R+ARqnCZqrKLmDc7HRV9briL/x9qRrzEYQdNff5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHlUgbUyU4eAq1mLIKaQtnmXqepYwCgYIKoZIzj0EAwIDSQAwRgIh\nAKTtATGTHjar/PVte2oZlEhPTSVWx+onQebEFRUc5BOEAiEA3S8yUAGLn/tNZ/sy\nVzuoEzQWGetrKDMN2IbkFJAT+ww=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKaGBEyEFT5gkq15VBGXE7CTo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+Sk7Tb01TGpOzqAiWyYuIuX5p09oLm+mDetgh\nI4WoIrmt/ZeVJS8W6biL1UtK6x2J7NeA/kEJoCMeThs1jY9wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkFhFinzqmIklUypchgbE9NPPZhYwCgYIKoZIzj0EAwIDSAAwRQIg\nYEjgyI9uthVODVy8v6J+y/7kOWbgDvp4JGbjGhT1aGwCIQDwFAoQSCY5H9+u7isP\ntzoR6lwUM8ZpgKROQG+g+e78dg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUA6vRz0NVkuGPGHqA4R+lOKS75g0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJgtFrJSLhSd5NZrQ8HWxkJrFSwoRbySBwFPWG//eGCV\nWtP/DWMTlr6YFKLXLUGXFx4q2yUUuactobJi72HKB06jgYMwgYAwHQYDVR0OBBYE\nFESHNxMYZGkNm13p0UVhQIhiEdn4MB8GA1UdIwQYMBaAFB5VIG1MlOHgKtZiyCmk\nLZ5l6nqWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBGwqvL/jSn\nETG1qAO17dAaplxCSGNIWIa2jrovniQ0MQIhAJV4UJ8efIKWnGCPghSxJA1gALnx\nmNkzTGt6whA7BazS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUGwVluRFwnwi6aIztU2SZKBEKpJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLEGWCPyGzW3Gd1pHsOBWfCm6dTLJfM8TGBeryMBkKC+\navIjI96qnhBITNBWQZkhajWDn/RAshh5B600rmsXm5ejgYMwgYAwHQYDVR0OBBYE\nFAZ1Uc2m+vvxywsQLXHRlQ/sbfXAMB8GA1UdIwQYMBaAFJBYRYp86piJJVMqXIYG\nxPTTz2YWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0A4cw14k\nxj7vgr9oCUT4D0uxs6Sl86Eu5SVqq+uB9iECIC2KxW+yHIAX18wug5JAXMDx8Oej\nCumjAzEqs8ILCjL5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAkFFv1JNarpVvy5etBkaksr+l04wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxNsNQTh2dN4CoNd13H14lmNoxd/la/Ft2WROG\nsYs4BzFjKtgi8Pfok/fgE21XxeVFXFI56dKBwZXvyplSYXqTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJXnE6kYv6xluzznvWAQFsVej6EowCgYIKoZIzj0EAwIDRwAwRAIg\nUN5RIXnVQ2xs9YQeALbQthrzdkzrGbLoAbq4WYW7IwMCIBZDub0UfxUU8YhnIRvJ\nMF52VSvmQtHOVLDcJk2WpKIU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDiNUzXZVgmcViBL8Ve7VFf97CWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS17gUkN9A1v/6AChCKoBkKux//0xU5CPdC4bNN\n5EB9NAsJjYLliMbCKksk4oFMk9V46/sY8n+Kst42yuLHIbXIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUESTzrhGgqxw41HI28YYOpiwn20wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnZj6aINLFJ6SEf4Ls989rQK6N2xeH83vlsS1nxKVXmAiEA7/axMpmFpKZqKEZi\nqqjAvVjwqzG+nqW+lWyeB7lSV/c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUTEMbKd7WaZq/dWVw2XXRVl9DafswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKe1sOoKo+AdthtpWnHv/fj32KlftAg/x7IxaqkhDDNv\n+dTTE/k62Hj/9+GCmeVUi4grCRY0iJPJvWlJo+gIoyijfjB8MB0GA1UdDgQWBBSW\nuPkUz/pcX2ZUocLd7G0gbnkQtTAfBgNVHSMEGDAWgBQlecTqRi/rGW7POe9YBAWx\nV6PoSjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBawyjlQ8XmFjq5k7zy\nu5cVZ+TZ1MdnFCf9phkEM9SQ3QIgZHMVpIjewdU2DelA3iaQrgnQKh19zKIWCW+f\ndDl24Ak=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUEOxOkSPYbzK7S9Zj6a5lJzxWARYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPSZ1A4zrCBCswKvlcjmZT7D5aEhjbfJlPxkdtgt9E8H\nnYj8FfSrc5Tht7og10B1smsdulKMvFECru2QkUtT+12jfjB8MB0GA1UdDgQWBBR9\nAN/QtE22ByZe7vmqo94B6+CvqzAfBgNVHSMEGDAWgBRQRJPOuEaCrHDjUcjbxhg6\nmLCfbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBQIBQhScqg/6Mjn2Bm\n8yO6Rt4bh98uFCbR32DFDT7fzgIgRsYDxQosp3iUl84reW4VtNO452x66duDW7ZQ\nESduZ8k=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcbDbFEuoNxxrUG92XhsdT0XQD3EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDsj9nXj9Dd5LOPbq2WWomWH7aNBJ6epYsWkV/\nJeYytN2iLtOir/4W6hRCj5aeNI2I1yqsh/ENOGOSz2vRe9BHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSBAtF0eFNFvCs6M5Hgc2PHurDB0wCgYIKoZIzj0EAwIDSAAwRQIg\nLX/1dZfqgGE/OeyeRMx1v0v0ww8soSen9Iz6KP9ARLgCIQDzgyVvK1Og50NB/h1N\niemMw0mciT9aGC8vdVX4+TboJw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcP3Jed5wHO9OHlq3Eo/E7a62tgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWeesNKoZBOIIHcaIoUWTZkW8h4tjW5TgVUZlb\nsqM2aolrx3VRHh4ZmdqVs+yrB5uRsS34x03hCrkULXaVUM2Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwKGvph6w0SnxXgJo/59WRILlf5IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKntphzAiAYg+WRMUGHaTr8dNliGgOKC0gLQ5SvucwEuAiEA+FgBkO075PNIQzPX\nVxruzmglLb621Yv+0/nrBVQ/3Jg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUFlpBZToHMOqRWI36bOSxnIHJ7YgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD6U+6Blsg1n3Dr4mdEUziHn6B2Ao/DAlgeo7/2KAK+d\naCsaepK5MbfYq0E5Ef/pqLJKAbhDdJ/89HvUtEdpzBijgYwwgYkwHQYDVR0OBBYE\nFAqbzPQK6jPSiRHnEj+WA6mIFZK4MB8GA1UdIwQYMBaAFEgQLRdHhTRbwrOjOR4H\nNjx7qwwdMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiA9OPBs5O4910ku+rxXn6P/yl91VspnfRK5TUF6wINnUQIhANENTd6hS/hG+PjF\nvcsWcf2Taqed+rC6eGSxJzbp78zV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIURFoBUhfNtqsA6RnQHH0IQtPhlzwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBvjl4GPTnFU+IfEFY6mTvZ/0jHAXUFqAUjaXctrGT+\nvRdAgOKS3HrfpPuqA0DWrRGtzNJUvgk3857y9tWmWQujgYwwgYkwHQYDVR0OBBYE\nFM8ULIKi6mdI1ehfZBkpeKCU076lMB8GA1UdIwQYMBaAFMChr6YesNEp8V4CaP+f\nVkSC5X+SMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQ2DtLLiaJqpP2elcnDkEehwNxHifx4PrD8COoK5XE3wIgVi/Nb3QF28qmB/y3\nofVfqm8ThF9FWnTDTnoXKbN3ZNU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZi6RWvVUsaSx7fcOKqPVpsZWnO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkL5g0AVeM7DghNuwFoMfoNE5KQ9dixetiIZEj\ntAelzQi4oW8P8dLzIYpuWUregmlXgo5MHxApEt6sOkZoDA5Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0/tbrRzPTe9qldbJ1vDKTmO3U3UwCgYIKoZIzj0EAwIDSAAwRQIg\nC8VmZHFTwhbQRZoMFiWgtFnYAdxvKJujHs4nbjtLjLECIQCfSIzzoOlqbY4ZWwDy\n+280YUN8AoYJLxFYvAKLF0+qzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBR3pdWWoRl5choOIMCOb56ijOqIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo+On9XFonsV1VO9eNhIjg+1fgJ8kR935bRvxs\nuqm5xsywIzQ3Z1sz6oCW/4RiqpEVenVC+VOL87bzLPtfnE6Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8p9ykQ2N8e2j35Tdm4y/tVSA8bMwCgYIKoZIzj0EAwIDRwAwRAIg\nQ9HXLF8hxINy5Ge7ipjRHqvSegDxBpJXYXqkPOmgftMCIBjZU+hyedq5puJWElze\n0u1a38rA7r/QIAvI2n3yS6FT\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUcOuT4tJiirM23z0xnvsH4eIbQV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDUJtkkKDC9Gil0yChW1ma0Vp/Xy1UkW7jmMHSH7I9G\nTXdNG//NzW5ZjQ0OKuIJeaCwHlU3jDGdWmI2h8jCyy+jgYEwfzAdBgNVHQ4EFgQU\nrcSuPOIabBuL9SDZa1JTuFX1rdAwHwYDVR0jBBgwFoAU0/tbrRzPTe9qldbJ1vDK\nTmO3U3UwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJQlrFNWz5zC\n/oN9Y0i39dfRJXllSBfA5VCqxXH+xc+lAiAhuzQIuGgCNwFBbBvY3dSwain0dwFp\nIURMdJFcBGE0Gw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUKOzbdaAYDQsLB7ixVj0grb7wLE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0RkbanghRrOguWvrY0JPZbR1Yaba24Jc/bUkzS35T9\nuLjrzN9ouHHyb8V9uA+4hAHzfZ3OOLVn2D2G0fiii5ujgYEwfzAdBgNVHQ4EFgQU\n2R8WnjZAhxsxTslMWhcAzUcYmrowHwYDVR0jBBgwFoAU8p9ykQ2N8e2j35Tdm4y/\ntVSA8bMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAnkmen7aHLhp\n0e/cEHxGhU1OIGV27h90QtaB6gydXmoCIDJ80tSOU4fEeHZpiFgY1lN3m6vfW5HX\nUMsmSNlh8DtS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1604,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcTirYd+MqGWzJHZzme+U0zjhs4QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaGERjnkI1kVeZSx9PcTZvD8+r6DPM2M/JvLnL\n5wh3zHQ19A8Cu1Fuu6rpUyPXIOs+2GSTpZu6fZYjR7qjdx9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPgWqw4dFlLsIKw+cZ+YvO0rk0b8wCgYIKoZIzj0EAwIDSAAwRQIh\nAPiy4gjpEC4/KBRw6BEO8U9u3vDo6i1wqhaYh1hYxTtBAiAMaTlWUToqxkyr3vpV\n+JTUDWpG+nBFJP8cSmXJ33dXMQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZHfrBXIGHEdmxTYmNJtCIjUhVxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBSvJgqraySnLTETEnxwRCovmsas03XcmppsRx\ny3xHO662iOmhtQDvmzplJD+1pWgRcdM94H+yH/1i4obgD5QWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/E9BlbBi9wkPeFcSN2P1Utajn1wwCgYIKoZIzj0EAwIDSAAwRQIh\nAKOlfATnBr2Z9d3gE6iAngeB0Xn8jND4ZL4GP9OkcNeIAiAw5zshObkVXn/umRul\nMaz0M3vD/JPvl6wbmfCjDeDNsg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUa5oOxZhTll/fTSKfJson7p1O4NwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMFDi/uL8OpfTuploZufTFc5GpwyZYHPyQHBYPHVvLhs\nokfK7byorQsTekT9eFyrKRKexMCf6nUiWFspJ6K/c02jgZQwgZEwHQYDVR0OBBYE\nFHQ0C0Ln+bgicgX+xUWc+k8k9qJBMB8GA1UdIwQYMBaAFD4FqsOHRZS7CCsPnGfm\nLztK5NG/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIFaNlndNQ0PVCAz7+38GkgAQq8rPJI7DR484IqHXONPZAiEApbYM\nlqQdhYDRBeUUx2iMCT5sWNoFGFDw8kWTXJhHqBw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUBlxjsBXb/pfrmrTfIGAxUphflTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI+sQobE3AWUkNMGq/w2ZBiqLusUqbBR7oILlvuys4Bl\nRJ0swRvQX0NYL414Se83jTSggcThGSV1o+XKaX0yKqWjgZQwgZEwHQYDVR0OBBYE\nFNaxhQF7okbUVhi7U9+Ap2eNv++iMB8GA1UdIwQYMBaAFPxPQZWwYvcJD3hXEjdj\n9VLWo59cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQCTXMd8NlgYG7y1CsI3XICnn0qINxIIgYsvoct/kPijawIhAMTs\nbRBPShmXlDkyLJGcyLe5m5rm1XemHcmKE8/SvW8q\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1606,10 +1627,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUe8OCt6rzdSAd7hgt+P9UNsQenNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATk9U8BR0ldfNeJuhvG/TP5TU2iyXiV/OCe7TEb\nMPdxdKibjQ+QniKMFUCzLSY5iZQvw5qL0Dm9wjr/abBlf1ERo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKtm/z0X/cnNUJ+61smGS83US9kcwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAKnRTEebABIoqVm47ivg6INer28idLTvq8vN\nsr9fT7CYAiA/J+b8dIWK4rs32U7Ynf1gPJdnofDJ9vh1BN0o4MfuNw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUWVg94dSh6HpC9BBl26KJSK9DVEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSfQiD8+UG0LaHLDrax4iOf+VNN98DyfsLOc0W\n6wv0Q7evD4ji0vMYR6YW9sSO952UlTGO+0HB4x/UiZ6Hcgrko2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIWhf44fwVLZRYctw4rP2f0od68wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgIvxPG8wc8Nx0VJocOVMQLOcybQypzcFspe34\n+CT9+KsCIQDdPZg+Bni/SqxMQnoOuHXZvqc3DbI+noQtX7/Sx+9XoA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUIFcnLS3qUHarFCd7QKCG2oEaUVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKsRgHPTsdm//SRYG6UaASY9KVMbCrKmAxY3tNQEbOoR\nd+u6YDYw3Zg3ZoNVpO8MSpCawdJxoC1hDT2dGm8HhBSjfDB6MB0GA1UdDgQWBBRZ\n6hPBK1Q0opU1GMxu+BT7o7Fd4jAfBgNVHSMEGDAWgBQq2b/PRf9yc1Qn7rWyYZLz\ndRL2RzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgMxwNO4PqfaUApKfjyUuy\nAwu/uVxv82i5XdIFKp8vpLUCIH22YyXYlnLoSTBOYUtPUuNA1QMiTxN+fbPxuPSn\nsfZU\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQUMyj01tH6emkgC38e9dRR+boxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHTSfhdW05mM0PPpeXy8LGzp3LNoZ0sQlhBBWAba4D/v\nILPDJNNcbyTF1WwkTZ98gxVq5lmUHJ1lDDsx+P59AZOjfDB6MB0GA1UdDgQWBBRc\noXlSnSoHbju0owwHpEeC8VdDZzAfBgNVHSMEGDAWgBTMhaF/jh/BUtlFhy3Dis/Z\n/Sh3rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgX91+tGdFtfn8jyFjy0mb\nu8e+3nbNbbEBp6iiLnb9ZJsCIQCJGtmM17X33rgVYMfRvWxvwMfaItWdqpODSWqw\n7zqpXQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1629,10 +1650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUEiTSyDhkkVOClJYPsa+ucF8Ht5QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATa/+nMH8M0ylvvLMO3veEljM3ovvnE0Rb8zorp\nDQ/nGLaDW+4G/NmOcgTNJVrFiRcacvYRXQwU7HCCPXZAsq2vo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFPdYbAruIGRIj9GkC55jv2XF3PbFoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBT3WGwK7iBkSI/RpAueY79lxdz2xTAKBggqhkjOPQQD\nAgNJADBGAiEAj2ZA5FcxMTxDFIGCyZ7Qxy0vrQvVZosEuH58JXp7bR8CIQDfHC3x\nVeYg9KoMPbM1f3dDVELRrurujLaf77cwT3XYfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUYjj3hmjaeZUMe7qwZacKZD7rsvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKE4UrWqiOgBwu3PoAT3/EugXZXzneB7EAqX4/\neL8M+7uIC5CklU19j2RDJr7F/+NZIBtg+A7cW6jxA7V/7n0Go4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFG28alFX7uJPJDtunFmbRyiQkFKMoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRtvGpRV+7iTyQ7bpxZm0cokJBSjDAKBggqhkjOPQQD\nAgNHADBEAiBQDyoebi6rguDKNzAGmNLcQclKiGhX4sdBEvr+hdGwWAIgcQuN2AaS\nB6JSt9yn0BNgFSA7ssLpFkHRvfVsh6Jhkw8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUW447bRcxPR3WCp9zA8lzJp5CDMAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEbhW0WK8DPrhdz7Y7+SE96IVchbA2usk8j4kktj3KSW\n2R5WqxXe0dU4PSieZH/XH7sNUY3r/xsdlI7j1m3memqjfDB6MB0GA1UdDgQWBBQe\nmZdfluTOhoEZA7ujO4Bc32DWxzAfBgNVHSMEGDAWgBT3WGwK7iBkSI/RpAueY79l\nxdz2xTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMZPPQARjGMHlQrqbW3k\nhDy/FcSsDRbQa6FVIImb1C0zAiEAh2x6PJSnsfEAEj3JQiOZHGidDitkdOkE/CqG\nnIDV4ME=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUT/nwI+1fTAZcR6pGK16mWTCRix4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLfOgrBG9IrdeWV0c5CZILUTI4VVAc0o+JYPGgFICmK\nccIQUYTPGvYPQ0ftbvIuMojqu0QOH/umYdov8KoZZ2ijfDB6MB0GA1UdDgQWBBQ3\nLnQQSEl3wv3fWZkqF1VB/RxlaTAfBgNVHSMEGDAWgBRtvGpRV+7iTyQ7bpxZm0co\nkJBSjDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPIFsOc+PMyhNBjtnaNS\nXlSP9zqMSd/Yw96V2nCyB6HqAiBONgEENSR2Nib5xlViDLElO62a68tunYc48sNR\nQAr4+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1650,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUPs6c4H1dMJN/JtgzlstsY+5k/VEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG7FMKk2VzdloQBZl1vuGrnQK3IhPxP7CHCB44\n3SBhZFAyz6xUB6ukfE0hq+gCpk9y6DjtcqFomjDjvCTjD5Zco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBS9uk4wk0lJtJ12ItvZmHuP82/2f4ICBNIwHQYDVR0OBBYEFL26\nTjCTSUm0nXYi29mYe4/zb/Z/MAoGCCqGSM49BAMCA0gAMEUCIHitleDdgAA1DITE\nwDfe1Zj8+6tjPRb+KiYUsQ5tNuqcAiEApnxL2bG+wa/4nYelEKY7fe1PnhGzxYOE\n/BmznadsDIQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUAct9ZLasFfS0DUZnhs7fte3BGn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTtMNmvtY3Uua9iEVTsg69faRpAQ6n1P2gdhsN\nueY5uxlmQmRCgWTNhbvyBBe19XtRAhg7DH2e23ds0BLFs8LQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQEMnR7QI71mKXA5KDRooGYNK1kJIICBNIwHQYDVR0OBBYEFAQy\ndHtAjvWYpcDkoNGigZg0rWQkMAoGCCqGSM49BAMCA0gAMEUCICTvCa+a+bXLb6dy\ntdC8EMc51fegjlgxhPuDuNEe4FGVAiEAiVhjB8XLrq+Kv0iYAtiM2HdgY4idedqq\nBFhrgxeQ+J8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSJZAspcfd4ZRm/WTkESg77K9qMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH/KdgC461ruXGGWew7jzN2VrKTTNZC0qYidVeh9aQXa\nE9A3i275Guz6JI4ZEx3RCayxHIxd95E6BPyFdh0gZx2jfDB6MB0GA1UdDgQWBBQm\nsd2iz1ZXmKZ0XjdFpXoLOsnEVTAfBgNVHSMEGDAWgBS9uk4wk0lJtJ12ItvZmHuP\n82/2fzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgYWAZ7+U1XpVu2c9pBivc\ntq63lcLxwFOVHqbiKJ2cgLACIC4NXgfGpF0NBSEZvRF/MOGC7gywJplQw2U4yNj2\nD+Yx\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKPS5jGjYi7n4mFnyRfjc/LDJadQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOCyi+wRKCao9u1oy8BZdrpThw2GDJBmOnN51JpwUy1L\no9G07P/EnXFVMYqGrWbFB4bldlclJH7k5DDuuHchJhGjfDB6MB0GA1UdDgQWBBRe\nstGyOrYLAyUWpSA2XFAyRTWqYTAfBgNVHSMEGDAWgBQEMnR7QI71mKXA5KDRooGY\nNK1kJDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMIuv9/eOxpAEd5HVbcj\nJiAqp8I392nEGVCQqgvTaJVGAiEAiUfVRbvCY4Nb9Jc1GJ4k8kcWdiW5lOeRwEyK\nM6qmpRY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUWBZbv93Zb0joQm98mAnzi52P6FwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjtHEbSSFGVl9j1aEHzc0GfPyuMNh2eU+Ty9Ve\n/vpM2lOBx+140sAW4p8+aVcBJ5xr8hx+17TpQJGib8mJd2vyo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFO0BoCbRMxg+JHzdnLZJlf9iAjExoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU7QGgJtEzGD4kfN2ctkmV/2ICMTEwCgYIKoZI\nzj0EAwIDSAAwRQIhAODl6mQepyuLZZ6HtUjq2aJ4kfspbKfOYFgVrQHJDyYvAiAM\n0r2sdgsholHqCsdQnAqHqVsOx6SQfSSyErTD+AkFzQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUPXOD++WPomK2Sim103IvoxN/GsswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiw4Z/is+4NQZztaNXHKDUe/uaotEHt+LvmPpc\nJeM7QmE8K3HQD3OvastieGqJHIvlcaf4+L5HoeWA/z8/Y8Muo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAZMD3YfKNHDGa4M6ciYaRmW5TKSoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUBkwPdh8o0cMZrgzpyJhpGZblMpIwCgYIKoZI\nzj0EAwIDSQAwRgIhALuV6YH2IwI31WSRcD6x+9ThpsPN1S5LMuwzK44ipgo7AiEA\nlH5NRxT6fLM6PmMiQPySsWOx0JTkfRZvE0xYmE3fvA4=\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUX/Hh+NqN/VhawH2CmApoy6LpHUkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKJZjd9CNXZFaWWEvV8kqvlcTePLCAEd8yUXL5G0/hBF\nm+/aLGks2ukPOmsReQ1LuV/GTcSSVhLW813WZ71Z8N+jfDB6MB0GA1UdDgQWBBQY\n5/b1FI8GZFvGz0K3wUg3OmlNwjAfBgNVHSMEGDAWgBTtAaAm0TMYPiR83Zy2SZX/\nYgIxMTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQzH7qG9sA2oyJlIfEljR\nEHdqPV5uFeftv1pUJOdngHkCIH6Q1d192Y1+V1OG27FWiRB6WKjAjpWo8OtfxafU\n10hz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD9tSu1oBDvMwhkUdq4mOGHYuEWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+F/AW1qzRQOYleOFYAjH3rRP6Mu9WJtl3G2XeVaj1D\nPCh76+rhSGqYUmUfIEWG4l16pFJhKixcxOdLyenlJrGjfDB6MB0GA1UdDgQWBBTK\nDglkWVMxnvIqPr+pktzpvSs03TAfBgNVHSMEGDAWgBQGTA92HyjRwxmuDOnImGkZ\nluUykjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBUIak94kx1X1cnKSMWyQ\nTRT4YWYy9m1YXCYqiQxKIlQCIQDFO6uKnky17WKy5puIfob+DBnnVb4V4DvvIw5T\nLNkm0g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHrUyG7H55NN1tnMilU7Eq1sW/MQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEBjLXS+yrtvA2I0bAVEuOffKeIjLhjLcLz1t1\ni94vDmqsyGak2wL13RzT5xgqX1EnEldtE+pMgy35NfTUiEFFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrEK5iAjw8bxskbCi/kKAQWOZmJkwCgYIKoZIzj0EAwIDSAAwRQIh\nAKBX5ZWiEY+cnh5+dma08OkC/WYkAysY4f6PDbYN/o7UAiAPVI5mmyJ71AWiZ0y7\nezRYBe3GipyWoU2tkN2k4eFXLQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGT5QLJfpbD0OZ0EZytZDN50s61IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKinAXl0tGwluOmPW9cEAf8NaGJUDQ5FXytJ49\nvSnU4yrYOzM0BEcpav23QWRt3G1pFIxi/Jw/znQ2/3UP0UkMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEJFoQBgVrv+pFJQA04YhZdK7p1MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKfnb153xST+A7oF/sjfNWKo0MATJyIGXF7y/Fzhd6vtAiEApI75wwdl9jJAcXC3\nhpT2z9FzJkKQbW77mVqUoFqowwU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUXXKLaLtrZtIM3tZ+wO5wcuZW2G4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMPefzWUss7GuM66UnbBdAhALs5XAzotLtOaRpnF\nPWvtfYWxkvLtjdRE8VhG992dSBn94PFVWKvnc3mc/GqLLXujfzB9MB0GA1UdDgQW\nBBR+eII5hsz2SVhcsFG0tJUUWF5b5jAfBgNVHSMEGDAWgBSsQrmICPDxvGyRsKL+\nQoBBY5mYmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALm/efT/OEpR\nUKW52Pg9K9hF6z2OSkGIeORHoe0hSTrKAiEAm5g0GgpIbwuuL+eI3RQsn4tbnPgQ\nN8T7YGjnLfXlYew=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUfrUWl5p2j3pykdsqusGWB864v3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDiC/mVqA/xb6c1gGARkbCcWL/2wPsgjCwD1GVcx\n0yk6ICiUnYUwcCIjRD3DPtpMJ/X3rxut9Yiq59nfB1qUKzejfzB9MB0GA1UdDgQW\nBBT7AKYCvjAOKcnqYQAdyDKpBm1JIDAfBgNVHSMEGDAWgBQQkWhAGBWu/6kUlADT\nhiFl0runUzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoSVlTXa3qr\nKHfD5H+Ebk8cwe1ubOqUFYsUQ4KAcrljAiBgjxBd2wmqkIpl+0EtVd6tPN2COqfs\nLO/0s/NjfWX5fg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUF8RCpTC9w52yGW8gthspxz83k1AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWAh0zTjZSjbLY38wK5mbkqr9WR3wnzyvpSL7N\nC0h+0De5w3hCa7sIY6IcwGZGkQcRzHcZOyTmj2NCNgJTBoi/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzBgh435qNLzdsXX7BS4zRD7a5UUwCgYIKoZIzj0EAwIDSQAwRgIh\nAM2mRlnufVK2EFngwT0iJmtVa0VZSNU6pCFFd9cGaiIkAiEAsojLAHEMR530tXoo\nrfquIKJ5EapMZfatFBNUZLrvCm8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCtD3myeO9znDuMjOr/7Gh7lQIywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATl4FbRbFqdDvzqPVfS6riOc7Kb+6i7MSxilFls\n0++EsASQJmhS/jwhmsrJJhBwf9eGetKbkMDftHgQakF/cMrzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxUlehvKIbZzGRCTwWY10fTScqSgwCgYIKoZIzj0EAwIDRwAwRAIg\nbNbkiGrZZvjzJ3iWVWyBGYGjFibiIFTcDxc0O2zVDwoCICoKkKLEJiKRXbM9uMtK\n6Ml6dkiEzjOw1Y7x0R6ROXNj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUAxR8i2Lgd8YdKhxLuOyycIb7MtswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABGjBXbvcYuBepLZLVl+KSzgHve/qnStWW1aE8btBBJ4B\nEXFN8fpy3MWAUa2KJ1BKUaN8MHowHQYDVR0OBBYEFBroCfAirWDW0bOGntWjU//4\nR3/jMB8GA1UdIwQYMBaAFMwYIeN+ajS83bF1+wUuM0Q+2uVFMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAvBUtsDj+5ALldOooIg2VXMvwZeoy7ObSdQ9ha7Ll\nyjYCIGOHmSIkeLmtcXjLI8ng418OYoESY253/DxBqAT15n1F\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUFCBJpjC3npQkebZ6cIkrH+LDHsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABADMcIeafv/YxjEKcphixDODmAJH/9h4tqHXI5jYts1C\nWsuMHHjTR45+T4YPvAue56N8MHowHQYDVR0OBBYEFPJQirisCmmOsrijIOWsgJC8\nWDhqMB8GA1UdIwQYMBaAFMVJXobyiG2cxkQk8FmNdH00nKkoMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiApcy5LT3QKCnOSrbXdWSAZhWMH5VpKsXBSempVL3zx\nRgIhAKWOedFFEzH43jdp7xJVopzaYNEcOH/thBg8dB4LIofC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE3SaNvQxrjZK3ypwDLogpoAXQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGmEX5IkdhdvO3CyJrgyrTvFoXNfCqBgDHc9OI\n4+PLFyAdyznfM7YciZNhWqqOHIoeBSreik0UfxPZgRgE3RdFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0L7wukol3aQBEXqI+iFA9XhMgIkwCgYIKoZIzj0EAwIDSAAwRQIh\nAK/idF8zzGb8XeVbzj196/KGfJCvql8Wnth4GcHqSgXBAiAe/UbtkjNLzVaSStuv\nGrWqGEvQjmxgzEvvupMSPo2jOw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSQlhtkmN+KjzTALaB+xKq58qMfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS80xuzA0xfw+6tZlY4TjTBk/b68XIFJfHJUxt\nH55y3fwkszm2q1w5ipz6u6g2I9kGcCVjsPT/nz67mw2i0PAOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpSShG66ADe6To7C4zUsgfD9X2DowCgYIKoZIzj0EAwIDRwAwRAIg\nFjsy57s5UODRt+gs83J9v5nP7tCWECFw7EJZit5AC0gCICq6DdCijyO5TPVRuiYX\nRPn7hyeVmOwK0O3Iv6InJYo9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGITCCBcagAwIBAgIUPkxwZA/EO72l3DwoOM95woOIlfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA5tt2rwpetS5d57cGqgeJqCNRFLmIPYiM5cf+kaT9Y0CX\nyTBKm5CT6kMWbBcg1hNZ3WNfsQvka/lX/9qjoqHIJn+fpHyMXG31gIRV4S3WAR0B\nc24WKG0zpIDGD9Wr3A8tgk0Y5xMqIoQAt86UzN46drMd4wdu4Fc95LRtzXTCcP16\nIG+HGAbrko6E4Ms06itY6RoNUNsUS+E3Vt+L2RNOM3xZdAoodbrzB3a2pCT+TZzh\nqurCMPiravrQGKKPkuCv/rwuc/wKTV8JFEh6p+w/WqQToQQHSrMW1ay8Z66X042T\niJ9Ow/QRSxTTCBZxkbEau7IzeY6j6upODhRRKmYXBjjm93dve0v1BeUCUbMFd68r\nuuBVYl6YDV3L4OjRDlGgEgEPG2KaePWvMtRhLlWZqjFpPwjLcyLdK2LDWjfyulW8\nFrLQAnz4E3aalJinGvSaLvj0KYvAsJQyDQZUMpxSlhy5Qmi1MoD+9Gj6mJbBOjAb\nVJtiOGNr4djTUdnvBu8hAiEA+GzbyAW6YoF29yCOqe6N978wKRmHf2JK1L+C3ilj\nTu8CggGBAL3XvBSPttD8iY559nT0YLGYCQQ6fXvmoxSe1j6oAPAlBpovWjslT0wj\nQ4sg/+CdevgkBnDojRqelYn0KEiH/w+Djgm8nNEwWAYog+ywFYGyK837AD4pBhN6\ne0KgX7/cHpNX6T6wmHC6KpooFw1p7woc9x0MVOGj+dTXI3M5YrickXsuv67qAFpb\nCLO/hrwIeXZxEsb9wDPeNWlicJOYZX2oC6iiIedKCsUNAGL6VIi6fXY+fnSqJQHQ\nW4aQ04UNWfoZpiUNDvneNqVGrKUGlOQx8RJG2A6nC0TmqckTZflKRF04ixLWXhir\nDhJNxh7dxeuGoOTEHcIx53vnrICY0GVxFKzEt15MX2cD/ZbIDHz3QarCFrfgtWkk\nb8kHvQg6HadR9w8CUYN1Ao4JgmOlErJtnWWUPmEdgGssIygBIDSGHQGqnjXU8E9A\n8PY3AODMmYs3ZUYBpMLaT75PGIuTdOAmGnzaslz581QpeENsaJ8ftPAAqCVswB09\npUqTGozQjwOCAYUAAoIBgDPXM6qRs1uPcxz+2BNspnLOCEXYXAr7Qw0wXEkEJmEV\noYozOKYurMxdJU4hj2DA/yJ4/Gc2ufcatnnTGGtZB0Xjbxdc2aJNXbNUCnofvIaD\nIcgJzRJ3TGIuC0qaa9mA/4qwFeNLnJWPmxYZ5ob6sQbhRBfncMVhgLKU9lwnqixw\nTT5HNkBECAxFeY1Hag1VGDToJw5kQ0sxdK28L+C9E8HqmW87B5ni4AqHMdSz/3ao\ns5BQ7X+N3DDm073OWBYK4h73D41LpmeFMJm/ygmPiEBv/yFAelY6ssg4n8/0BYxp\n1ZQeLwohqa0IYwWMSdxzMltvnnnErUBOhhFFbyP1Yapv2FZwjoJqGxw0C64YLZAj\nnxlOPyGwVOiv8lG9ghKEWAliVaHGT1y4rUbvxXlGylrBHBEXfs9eAyi5pTx09dol\nMOk37E0pQ8+OvM7AbPqPRQcCW5Lew5Nj99SuRoV9n1aZjVKtCyww79BzjvwRZQNe\n19eiY0O3IfgukIFHBwu5G6N8MHowHQYDVR0OBBYEFGojNg5j5oCth0vObabBjkTA\nkC8AMB8GA1UdIwQYMBaAFNC+8LpKJd2kARF6iPohQPV4TICJMAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAm95i0kWr+0mzUxDla8o/QnJkISNqt/mI57yr7Sdv\nv7UCIQC+eT/+Ig2KRrpnO4LbPsMWdnBuYf5mDMHSlcFqSi8yxA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUYeVppUmvj58kYoOijWmTKfAHcxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAtTsZOivm1IIHcqRedfOyokTIjG/UjDZoja7QNrNQ+fQ7\nEReFpjEMt3sRi82IoUM2U4d789CnfizxQ7k/9M4MgUm6u6LCGuSbfLGT79cLpWqh\noJNN+3WHdWeE9ceYXyh1IwhXP2byCRamoxmuQsn9KZNXTd/jMfGnavxX8+2L0zYR\nZbTmQJB8V4+YfbsTpF92IkYZCXJlL29cqcRxXAOFzO+2W6d8RRDAqgC4lkfROTAj\ntbZXLShbsPxgVdhzADZhJFKBk2eP3TvEWtjGjJ6Nb1ZOFtqPJ6wpQNMQvk21QA7z\nHlPCWJMb9lBvnXrj9oT203cP46ZcnibW5AplaFbZGpqLLBXdr66eP7+2QQmgEGKa\n0QPqfiGVDr2TOS/1Q9UMTn1v7DCPrePT3n3Nee4IlTgxOtnUxS5IfipF997dBYDN\npXYg6XDPuwihxMDBG/yujF1Oc3B11804TI0RSF3++9IqcvmbC3XsfHwwOFif0grX\nxkRB7ieXB45sxMHlvR5lAiEAxnnPqxGKqNpps4SKHJ2iFCX70zH3wda16U7iYz6G\n4GkCggGAYd7PGpGh7tMMJdU16NzYQ8hnLgm/aHuG8PDQF1R1HZ4wvdd6wSXXgmHm\nV31mQJAIU4UaOv+8YQow/nrirMFHTIZp2DkV/3d3xY8k6hDRBoR3Vo8Vm/7qq1UC\nwKqJEHIR+qE4ivV0FdmFFgrn6SGbAUhKC3PBtZkzClrclFXVhxkCnbscWQ2OECnP\ndEpPaJcMxvIT5Fit1EmrMSH708/DaPtGSL97Z50OEOma9cokfpXXHkti/WNGphMG\nNmkZ9a7KsZ6b9HfiV6heDhSUev8Cf4zRxwALW8D0exEdDKvkvl+zrH9NG8SR1R9+\nyhV07N6VtmRnk4LU8oMjGEqW82Ape5V1N1JDSR5i98XhcE4hoYomRGTJAoHl/qND\nCHrU1qN6xPQZbfB1x2bt5taiQPJaN38OHnkvAzan5UMP7KzYJxC29NpOBBBJp8X1\nUsx3FDW9l31eG0DL88XnzClL9x7wONu1uXEaD+uBgvZOdk9lRK6ZpYCoJu8qUsc/\n9YVCqEbcA4IBhgACggGBAIQcz2P4qY+Stav9EaPmtJJF8IsAuJxD4RneAGaINl8G\nX6BqWZBUBRUTTS/8RxI7L5rPPTlrWpfowKU2MvAxHL+TOgfVIJLUbF0+FqiI5+jq\nWRZnGumjPQn9ibLxD0qc6kAysK9cdT4r1lc5Q2kpBVH/qqQZb5lPNxv58AeDGywP\nL27Id9BXzIPTL4XsGRM4lD9UoZ/rpimYIiy2AkJAPXHaYnWJzZnBXzn2lQzLSRCv\nGxTH13QYK4fX3CREbTS6TxICA4RYk330NLS5X5xmkyEpyFtrhyhacbzS9HqsmkED\niQsEJ6wQXchV7uujuWNzPdCGYWpS45vG/UrWRMgQa4EO3pmelSftunMYGs/Pr6SF\nDuWXe+79dHESoAWum+
91fYp+LnCs6XyvFMZRYhFR9vQeFIi9ZTy3CXYqqfpyXxEy\nc0eGbDg577N1iCl0WZGN19DuSCDckyrzmC3lpiZefjbFbyWiTeSRM6h1no2Vz3W5\nuXS0quQUXgdzv+2qmMiU96N8MHowHQYDVR0OBBYEFNNtW5WSJaNBbSokV/w1/5T/\n6EDcMB8GA1UdIwQYMBaAFKUkoRuugA3uk6OwuM1LIHw/V9g6MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEApHLbPr1kd3njuUdPm1S4Ev2y06fPZ6oxaSmva4if\nlq8CIE7kWEkOwAA+XZO9wAiI58IrYLejKnfxDv38g6NJ/AvN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUI4WjqBHTRwr/vcFsWwv3G41s8sEwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzoGByqGSM44BAEwggMtAoIBgQDROrRQZf4VBmfUOVD3SwT7kxsDknJXELR3g3o/\niQPrzCupk1QYT5H6rm9VAz8MpJ++OeDrftqV4K1jw7h2zWdCh6DhsYe1IEju2sQ0\n5gehpfEPzqoV4bgNsmFrwhal0/vz8VEoo4LqzJVZmKUzWsym1fJUn3+2EGAYFNbY\nARIccqoNWDbBDsMeEWmyNvUihEIwXF/Wf7QDQiF50OiL+bT/PdQNnuOAqM73C2l0\nAJbbL/V2PNM49o6WAL1b0eMbFkW9XrMSlfnJzmea9KYOf+EYyur7nNJfyIbu19z/\nHA/NVj/2ucE7J7kWI3R2KaVDaQIycayfGzpN8frGK7SiTW2kf3onmml/MxecqxPU\nD4p6lk2vAHDmGVaWiCd9FLJ7YjSRCimdZAvT8GhwBoPkleY1KG+N1gj/oGlxSueV\noLMcqB+qwXtJUimD3pJxRxuSIlj2tKzLKgUOVnTygVO58vvg4RnNKLyeK+uTaZbj\nFHxHEfaIQ+QHUqy74l0ejF9aDeMCIQDX+NT9qRXQqcyK9uL+6JVa8FVShiSXwQO8\nPe7O0Pdj3QKCAYEAkd36BrpxFSz3MHWh+ufxcvkAjStO4ERDo+mXkLC5Ca1FrZ7N\naYNaY1lDRRny1kQJSzHuhtxN2o7Hhgov6lqRvIQ4byBautDiun+86PD2/BangrKl\nKpskGrxN4pYqulwSxWcGCimXBwPFASotGofokiCQ5ScDTOD8oIom/7SS1CKF2oLf\nzouGS4M5B8Gi8zu4ldMSFvpUBnwBeJB1TnJGdBxAA/46XgSOphv5niCl14Mfea4t\nOR5ZwQ3dfwgdohO0K3TYdlV43AiKToAOo47XMRBmQBGAG9pARElHUYq7JrvY8+h2\nD7/LruYFOUPWPnrNeCxjjXgH8wbErr4dUB+FRqvoIH5Ho4q2KpRRwc4uoyaxWuVV\nqszquXwa+hfjDqh4swYH/JzW2kktmdaaqoW7QpMX2SdVCqmTI1vipyKYwRu1w6wB\nW/9tyDx4Dmko3xgY5n6xlqWNbDkwb/gUbWcNZEod2oFputgf1PbgNVEP/YqGnQvD\nE9ID45n60CvEh01kA4IBhQACggGAUrJ+JN2UqqvRbHSFNqsgO5wTH24diwTnkCIY\nm5fI8/FKY64bWp2oGuX+FsznouW4rIxn/Mjaa2k1MAIFJ3YuTRvx51WUbcJE+s1n\nD3/6BtvCqCRV0aJ5wPq2t/xHBEcscP6/MhNd5WiI4BNyuRtnK0Qi768A5wbuSjof\noEqcxtM+7PHHOwarHQVxiXSVl2SnYrOAeDXs86uHWOemWfSEzoCyXNXcMr5t/nlg\nGJettmdzvU1GEdPmk1opKiJqQOXdAh7R6jJpyMrHF+oo+uWdAg8k3jaaXyF8lx1X\nUoFSJT/oFfpDQ3frpBKZ3m+nPX6XGlK
geUgd7VTtsLptT/CZQviLKtkjUJdJeDnm\n4GlGslW8P0iYGb2NW3mcAJlfD2xDBHcdjT39Z9ico8NFKGUC/tnhjHh6561eJ9MJ\nQnvEH9VHljJsDfmlRv/IwUyXPl8EBHf58v0QKul+8JVVjz9Eu93nB4qlUCKn1OcN\nuY9FYJTeC1bZMEV8xk6cqx17fo9Ao1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUiRS0FjMw\nBwbVCUIqve5M2lKGsV4wCwYJYIZIAWUDBAMCA0cAMEQCIDE9Zs/f8Qoz5Gqh3qGs\nRUwgNIpKTlbSiqe+wBspySgWAiBebTq30CoOwnG73c/Q2hUQcXl5Ilw1vob3MfQA\nSqnIKg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUVoOB0g7uezvnDUYVR/GqoOnPj6AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQCf872e32Zq7o6ZuNWwhpLZe5x/gzHzgujTlasE\nEmyWfdBOCFUX3kq7BbWD64VK67UzEsyQsnKmrkFol859NcjkKV3NzvuFOgCN091O\nJheWmKbusgnPZqXtp9e/VSczcC/MPGFzrhLBECn2YFSfeVSzFazbhRtcsEFTzyQ0\neSkaSg9WBAmdZhA56Fer045udcr5RUwDgVptj4PKgqIX4msRKfddNh15rOF5POCQ\nIJ9+KA6O6yfrSuYkujSQdcPPIBsLQxLzYIqObIHVrOEOxJ31DrEVNOOwe5Wmo539\nzAHZWv6akCRBnZlf/cpXVAPl+fzGUInKHpC6i8FhyGXEYmPIWlRPCTyBYIy+OQhw\noh66/3WJscZ7zN6rOSd0PDM4J74RLELxNdylImm3oY/x6tqRdKy7US61IiNO9gts\nZbQFXEkeUAh3LmoH1+MogHGU6aqM/t8VnEIJQKhgNB3T+9TkafCbqTUoxg0qPKv0\nrwEHhxdDN82r0PO81ujbOdOkOYsCIQCp3EBwjt8HPcSzSm1yqgYWxinhsIvtXgtV\nfmJvMapwdQKCAYA5HXdUF824FBAmC8wg8MWXzeYdHRdW5aUheDX5C4Ri4eFtxNqo\nJlf0dl0aT/WokcX5Z4ymo+PV7z0EMJ7YWBbpLtmau53EmzdGpnbIH3OHwjwlg5kf\nQJIMqVs/4ke6QiJzgPrUpQc0NQ2xZlXqlume64o/uN/MlP9noD8MFq79VRb2hF50\n6ddH/xDPr3VyW9HG5pRKVawDclg+0wvYMBjbgrkjRJ5kEQKRqkapDHIgARZeOGmO\nKH89nyABMXckC57f6FpZydM3ukdz30JrxhyjbTWmuDLRiCdQP5b5ISAiZ1RGk8xH\n/W1GobBRDKxYkNUMeUB8QXB2yFvz0+bTM8FZrBEylU/zP5IUOX2rj6m+9iQ5wvfB\nDvA9a3c4ICvVzBIEK0S4kBXqvfVS7h9c0RGmQVOVsglIyBCtJKJTSpw70WL1tek/\nYhpGTKV5ZNuLBY9lanp92z9ZbsfV3etR/klZQQR8XmK7RKzxod4Ar/65+9kAkPIg\n3OkHD32LTBI7+iYDggGGAAKCAYEAmC/nATqWafbTyMpVEP06lUHoLx8YYHLtrjLl\ncz+CQ9ufSVUkdqcYXpqjJyd800AX9gJOIK1vehuFP6JrHrBH6Ya9sm1+3rbMgF4s\nThlii0DYEKr3fJmwrECiCdSPNiS7HUxMWoA++yuNI2Oblq
8mEpiLLpQcYLWwyxD5\nERaoFJWMorNo0Zz3x+fxt6Fo56yvKerIDu2L2MriucCYlR+DYHAQGDPojIffQijd\nwLGsm/FMxHi8xJceJw0zLpacEX2IParD/kSmKssq7K4GGHnkVYAMHCc2gfFnujDs\n9dCPpDwBvtKy6nYV7k+sEC7fnZcg9onm0nRXwnmylnyeQJYoJPbSSR9IlZi5XsIS\nt4snBywxNoPQP5VmZG6KntMq+uc6vXOnvx32xAZf+DougjhcsgkvbEG+JusL528S\n604VoUF2ydM7i8hnQSqpwMIo3yt8h2EvHOQcHzjffNyb/jMyuoejqkm/ajr/KM+y\nvb+jpTajSBVSdyP4P7nQUtD2COgwo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUzLi90u5W\nzJQsjkhTU1Gd87xHZc8wCwYJYIZIAWUDBAMCA0cAMEQCIF9WtJ02UtETgCGpzVH7\nSECT3GX0ZW/NnhYkEE7nOUPAAiAWNf7ETdfc9N2M1E+4PadoK1WD1MasLf0B69yU\nseodzw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVegAwIBAgIUU9AgPmVsEYGUFk1oL+oDEWqRKEgwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAT8JVtPf8WzZJhp0cS4hBM1W82u+X0jWh7bsQ8O9xxz\nrAy//QRxOhYfa5MAWjMb6QwwCa8LUkOyHLzvUMH47+0Do3wwejAdBgNVHQ4EFgQU\nlp54wEDUuHxQM62Lqs8MYS6HTaowHwYDVR0jBBgwFoAUiRS0FjMwBwbVCUIqve5M\n2lKGsV4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNIADBFAiAwYmW5r4ZzzkXgBnd9\n32VoCT6szTvjTDiGrYnEXihbJAIhAKtz/6eVtMDL1qQav2L67p1x/D3hG2aW9mMU\nZG01DruN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUViMOAzk3g7VM2Q28cqBLHBXRrjkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQQve+ypm4ALnKncVzhBCsNS+IAkcYHUL8p8svyOYvm\nEETkzWQds01gJOs/K9xdQnsamgYe3OQqajeGFCtVWUYto3wwejAdBgNVHQ4EFgQU\nWpK3bX4rAdwsH7BFD0LOSllcQWAwHwYDVR0jBBgwFoAUzLi90u5WzJQsjkhTU1Gd\n87xHZc8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiAaj0FPNnN8W2sUdgA4\n1kBMl43zh5YklDixgExPHiNNwQIgD/CyV7Ysuonq8ZTkpvWLSxdJ/BpC1cch3YlF\nEnbAI90=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1778,10 +1799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHFO1B07I5xY7x8sHtghYb4MjLsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQP/2ahS2N6Uw0A6Y/mzduTPat74BM9vfZgbJNG\nSOS6YOsMsrMQZrthXfd2FYP7lnGYLCzaLgGplwf5u3wdLrXno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUngWAwwoRF5JViA91gU53xgm311EwCgYIKoZIzj0EAwIDSQAwRgIh\nAI2BLbOLX5bjMAeOnXxCzZTZxDr4IgoGa8MQlVNI3UNOAiEAg0QoefdFMX1ArolK\n4xyRojTnJ+3h0zFEWQZNcBuMdCY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUawRJxKPs2G/CHK5kQ5K7MVDgwacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7cK6l5qY/677aeAZouMTAdz2vbiE3mfxoCm6S\nqpZRqjueWsmsO88UQqp5+WzMVK3FP1m+gX2T2XM2VvnbXlRXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoGl6QrvA13ung9a66JKWvk9KCQgwCgYIKoZIzj0EAwIDSAAwRQIg\nExlRCdMVhbHUtG37ZgzrEJdaXNMnpAjDT/eRQezV56UCIQDTjY/5a9q6niT4Rffz\noxgSjHlK3oa1lk+DngZM2KZ7fA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUM44dgE6pgyfhu8+VDU3KX+pxTPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA+fQX4Ld7HjrjfRCp7fWD0tAjxwcFKlg+IGl/gzLFEvxd\nnpuukwFYacFgPk+itNx8blFI5em253MUYjbH9TPnnzHeB26BmW6T9EIG//jaHp28\nOncHdeUb1utEfyVxCOdlOXbJDN98oxrmV4jpxwKxf7wCU5hjOHUMydv2AzH8YqWv\n8H1yhSew+YPiEeeprYaTOtBT77yDjQtUzyuCruNJe7agrNyXRTQ6SXq0/VMV24WD\nkCyc7Z7FxOzUg3MrDVyTvaoI207bBOjIuANzvj3jVg0wGICutBWEcKqZRDmJ7Wsb\nZv6wgcQ6AVhNyuBXKQSYUdwqRi/BQsO8dA7oV+Sz6TnBmzFUYy90WZRwHFkNggix\nwED9GcxaE5pmqcAh7X9LYmf8H554ac7OnG3KAGK9J/oDIx53GYHvJMb9dxqAj6jQ\nhM0xyIkelvLFHbMbzePDj9qYV+RcCig5UtWj5zh4PDt2UN9rZC/0hFI9xj2hJZ05\n1WE/MYcgPi5bEz3rWy0hAiEAvDeSmutlhK+QPumEKtWIiSBTUYWEqZKi0O1S2kCp\nI0MCggGBALOFCpk8/6cABldsi1jduADL78vR6e+TspJE0sPRtLgPbLo8c629sqQV\nVqzluCnpKjn2gmJuAkp4GB47V19iqlhHLCiDbhz3wWkMn8M2yhqP+TjzTo7RJZQM\np7c04YSVWtQ8WfeEb3+I4Xg0qpTBRHat6NSWKKhIwMZk7hN/p55zOTYkBW2TVmgB\nD3K1bGrfTv34fRKzvqXKnU4oUGzQCPUm7pQISzEhNFeDKhYwG4MUpkwfbjFPr7L/\nPLdqk0Z+WysbWLeWH67wvhETOvfzemTfR1cxD4ONlX/AMXK6Kx1GeEcUgH30htxW\nZC+1A3EyBmRw4v33F8TpgXQTAk01LBZumyoNQyNbX5bPpQViy7MerLtH94Ga79ql\nOLMGb8IFh3hhdE/TI4G/rSa0mZs9fzjKqE/8FhdsLyicprHBX+5RN2siH9EhKZ9Z\n9FNhk3h58UodsaIiwUKoOrx3em46iCWv4Nr3o1HGmgVLEh3N2+U+si025LyEf0PM\n92VTKPF1sgOCAYUAAoIBgFwD9ahW8r3e9B4EvdHEpaK3KPNkGGasi0HZDq1oTA60\nMOphZ9vVQa/vABLJsBm7wToGjFj34BCxHojCicnVlbOSnEpGsQstfLgX3TMD7Cnx\nvTTuKwes/nxmhUbOPoQ6veH1WJME/1qYPzpYtMbA/24Yi+0nqBG1XPlIoqJNGSa6\nFzWFRdFXrbIq0Z1quZrBviv1+8LbxGYseguLZCnnRBeZovgyvvLkXPoSszEJIFUN\n55MPp2bdOCiMhg+6ueF6U8lKopRdgjMg6KGCikykikNV2Ez1c2U8TFuRSMur7tEi\nneBL+VomM1TA5d+CsHpjgtUctCW+A+n0FP6q+kk9ESXbdjwH8iA6L+6MTeZcgUer\nTzfs+UAvx1rTaZwh0bv5Y5C8lyHjSHvzPq9l9kqLjsSg4A1i/u3JHmrUZyU9aGzS\nNW7pVUYqONmZJdN4MOxX6YQPs9I0147wtjdTu8/ISRJ9j1CmenVHb0BlhdDwdYfg\n5v7xA+E0Zkfa6K1iw+xvJqN8MHowHQYDVR0OBBYEFPLAF+Y3wMrlQ10uK+DH0G0g\nVSiuMB8GA1UdIwQYMBaAFJ4FgMMKEReSVYgPdYFOd8YJt9dRMAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBvPp8Vg+z5JuCaHVds/4MjVuY5SYdizpaiCjLwHBQg\nsAIhAJk4Z7pmPM8fAitobB5pJBeZh4sgtK8/+SI6AV2Ui/s+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUTwSBPwFFHqekk1lzDa9+OZHRQTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAh+IV3btRh3tf6TNFnAie/F542vsWA1p8SuP7rA1lALSx\nxMwDvTBVLRf4zv/Ek8u+Ml3Lbbg3esw3AIsVoXnhtSUGyX1tIUPj7HT0GyVhhBjl\nYWecS37sE4djZQJT6kRhhKJrlftXDYbv4oT3O7ckI9nzgwxy+IkxQsp2sZ08KIg5\newnZkGGsbV8wAkl6xuFHul3+Df7ZYumh9YbmFbLvrLizlUY47OvlwDSoSpBD8GWA\nbPA6QOL2sOSX5nscgHMNpmxU6AKnWRaKD+WTJ9kyRbdKpWPNQa9dnB6Wd4wA+z8T\n2+VrUbaydRZ7cKkbb5KDZ8V+K00iN/diYhtF0ZY+iNuI/M/GbclulUS8xqv7eNy7\nvNtttbdmoiPT20oAlp84XLwTvTWBDpx8HWPnOBp4ydtUhozcl4RqnOLU6x1uvki2\njQsLDvwHPxKhCD/GyjhKy9l0KxaMOHUAWUI49a63U87UrbT2fy7OypPcBEyEiqt/\nqVDfiK5/olcjZ0VL7PfBAiEA+xxjZHGC01R+BNX2Us3vT6BdTLNHq2UC8usxcpEk\nE8sCggGAFIWztX32t7+r5sIPD3jEecRxYvZygz2/lYzsn0b8XdBHduTwTHbouyha\nKUcbdipJN61nmw6FNrHxVd4UZCK6zQfytQf391EMZ/XobdJX5aBuEX+fnVkQ+iIo\n1VYTuGiKi3nHGof7b+B2mrNKPuiT6alQOXQlPoJB4srjYVq7osJhOZ7XQuPg3O1N\nroVyKW3N0eXA6WJztREjNuwqEtjfeuHofLA0WhFRjhh2GhFFTfh14L9QVYE6RgKA\nFONPQEb1sqhh+nBmsAyalxiFEOkx64Fgc1sK8zTHplgEuTm+QHmc6vZpv1iiTRm/\nEOFKvZUCBZKAtu8sNdiTUfmw6DcL5vnloxcg75+K8n99bhUGcdQl4Wc8kgizRdf+\n2gesLqQ+BzyWrI9oWslW4PBFe+upnn9KMd/GMfr6DwHvqX2Z2EUpmXYwAoX4Hd29\nkRa4ZAsMI9F6iBhjtHgMHiMRO6pVabTB8+rWJg7YjGLPGgLiUIF6zYhD4lut9VAa\ns0QGxHTQA4IBhQACggGABzLDcYxKAfW9/y4tiRSgRJwx1Gz7rpVxAmzBVGfG/QaF\naJvY8v+YIoWe8bCBpoFQzTU3FCTM/TO0gQO0vnf5QdZ9nDKKM0XHRfaBeGCk6WpO\n3oi4SEUNZschc4ShbBIRmLGYkaVYn8TsiK6EJZqiUkAKBYP4ijaBy/qincPxj/Hd\nIObkThw94GXOlWYfHxA/9s53G62td621IQ9vzqWj2l1sz8CzOuT90UWD+fGlob3J\nuZybw0Biwb5zJDMPS1P10rBTcPqUJyRZTrAV8+bgGhCW+BZDpD5PzjRo8a9Nhgow\nK5GlSttYM54ZzCiBPMq1c5OmgKlrpRjJRL60W04YJIkqCsf/8gLO+c6j7XaJl9tD\nqXLINNMd11iT2UYUWyRwLy
hq5YkNTpLnbgS1gIpTzhtgr6bvq6biClO+SYs4xhB0\nHwDK+NDgAjZpGXHnXEqxeXyPfNM7DJPZ/gqRu2EUwKbKf3ifiGknqpPTIgFEYIMX\n+tvYld3APiH3hrSu7aLTo3wwejAdBgNVHQ4EFgQUnegIPt74xjXK+CoaEH926GOA\nbVswHwYDVR0jBBgwFoAUoGl6QrvA13ung9a66JKWvk9KCQgwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIEsleLAKC6uiPqmvoeU8omuuvdP3w5bAJUYy0p03eFE7\nAiEA0Y1F3hn1u/YRaFACsAi78072ukqIYSzrMz5vb7nRmCM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDnG6RS31xcAeeAND8kUUFXQ3IE0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4YnALmTJ4tMs+EAFhpQjbrt1/woxt8JOBydvW\nY6QqWpjAYHPPccUVzvgLzU4njP2ZN9pNZ3k4hjnLC3q8Elhbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyPIJy2hWu8/hkdrsqA4Y2ieEiEQwCgYIKoZIzj0EAwIDRwAwRAIg\nPqijv3dyWbwoOwJzpTZcunsqnRa/WTB1rUAQgdvCXoUCIH4/gbg/qcZaBhXMVGMn\nQ/6dRnRf+nWvXmWIbm9LnpOl\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfF9fdGcDLE9079CH8otDfbcaqr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASigEQ14HuHwuoHFgeXfDxHmNz90Uyq+OutElWd\n54V8HP6xRydlNl7ZPIbUkDhHFRFg0nkvesJe/JMMdY9x5Xcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIrU0zPqVeM2kGcZEpWXwGWiC/YUwCgYIKoZIzj0EAwIDSQAwRgIh\nANYWNcv42Mu3hHD6Up5l2GLNuNxUBH9iM1sGHafd9tc/AiEAqYdJP1KyTumSDruI\n/mEC/pUtbqzxo1tKYf+cSjdFvpc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUVU5dlPW9OP9z5GkHyC+QWjQSBJYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFAZvC4ze7XsHmYcAzI7FYW8DZGXIuJVEtv43ijrqFZ1\nZOgEuk4DPgq9vyScMbR0ok/u8BH0ONoaMDwlvEN9RoKjZDBiMB0GA1UdDgQWBBTv\nY6TTX12GgiTs7Xx2cVQuEWJDjTAfBgNVHSMEGDAWgBTI8gnLaFa7z+GR2uyoDhja\nJ4SIRDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIhAMg3EP5aMOEaf6/QTj3dnd01eIaGmElci+f7VJpDHcbWAiBSFIGB\ndRYNzVpB3dawGkrj3KlF/cqueyu0Nj3+Cf6vbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUSvZWM8y3EBtRydiOjErLo7J/YpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhuDwsoKcpAT6JjdbcUI/C2te4+AKr31UuPrEsaU3jf\nxgGc/N4wc9n/WOdxfRQ4GzAV5lFRwyFoHePDNi7ZTIWjZDBiMB0GA1UdDgQWBBSC\nExsxYRDEj1Nz/JMho7pdikP3jDAfBgNVHSMEGDAWgBQitTTM+pV4zaQZxkSlZfAZ\naIL9hTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgEqAadFHKGeIulQARE9B01oU/vVQC++7jUzft0XUN4ZoCIQCtfi6r\nfx699Bsj5Wv94vDVsfu3aFVvoFe+5PXnZ4vTEQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1841,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURvnRbYN24Cr2Xqlg1LL1N3tH1ekwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdvRWUIYFONs2edYPIl4TXl/iLWNpqk/gsdMu8\nvxvbkls1oGp64bU/oWqK0ILwQFp0iEyFBGlwomiPZiXouuQYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWvTHaHjJypbe1FJ0YLM/9r7+VEAwCgYIKoZIzj0EAwIDSAAwRQIh\nAItTIzfvpcx7nkOngM/zSjfj6RJCBQnYvybUyenSZ2tBAiB/HJl/tu71jccZvgGl\nqec/64FmMTSloxKQ++U3+3G15Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT0jmyPMDPb/+s4MuKu8EV7XVvTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2ZqhSyxz9PV1KU+bWulsXOInD5G4OEbSKi4Zz\na1kSQ7FGcFpPfl3vGwfoitSKio95pxqixls+KgBLw4RaMdOuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/wSsSbbymoJMJYOd5yVz9GcOMOgwCgYIKoZIzj0EAwIDRwAwRAIg\nXdupys445JTk2rq1cjrAqr4+XVoNqZLHck2RzAnpZ1cCIAHlFeAW2BOd/3qXX73G\n+SvFzQGTa4RBZAoyTycaq6pv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLTCB0wIUNzpD4Qri6VvNyvEz/a+sUeV4VDswCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABIxLdPg24Js1yIohieuJyfRyW+np+IGdKp47mAQdDaQbei1pKpmZ\nBTPX8okiz1H3hdBvFvPz2yN03fxUnIDMYJ0wCgYIKoZIzj0EAwIDSQAwRgIhAL51\nmftb7htAgnubwAzo14bAWDOljHD2MUpi2H02pMYuAiEApROtDZ2ojwvKx8P+ecYK\n6O1u7Jt/yZ1g1i0CUCOPhE4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIUDYxqo6Ak9by8t9vqq9DdQV84W3IwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMzJn7mtVV5UTn7LmrBJy5iNmEXOzcc/6B0sjgfMM/9FmVeYKcND\nG/BQdDpSGTqvP0krYDDh8Ro6HKEPtCe5+SswCgYIKoZIzj0EAwIDSAAwRQIgLUyq\n4KAlSDDLJ2ndIDZMEjZ2+S3+J8VDoli9ndue1i8CIQCFkMc5awr5VTtBX2g1dHnz\ni6UFyzWIwYr7QOS3SQdvhw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1843,10 +1864,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBam+D5hyJidLyBJ6G00SxtRVhJowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTx+fUFyKP36+WVW7nlPcJYPK+R/J1WK+Br0IB\nBcx/7zFCMxOR3pyncgqsPmxYJp3fI7FKFMZS5J0WnX0qwG/Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFNNVYFqewUTokEcwS6nYlBiGrIMwCgYIKoZIzj0EAwIDSAAwRQIh\nAL47HA6OEceBm6dFxbiYhAixD6WiYVWjVqiPd7iKBBFdAiBW7LUEzwVye/lgfTym\nul4JhxhHu22ykyzx/oP6DWLFUw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBsA8hHkFjKgir9Be9rm+tgH0+DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1e17LH7jcChYw6woPXdhsj2NYcO58qK5JVIHO\nFyZ+zsHvVaK2wJeiWaj2Xt3irGYCmKS0P4mQy6mqNkFS9x7Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR5PpeUdNsBiftB0UCI57CrTfaXwwCgYIKoZIzj0EAwIDSAAwRQIg\nIN5LuWI8P0jlgN0sOLg7y+t5fU4A9AFW4danlURTtB0CIQCAwJPZjfdeH4O7lBl+\nzRQrG61oo1omq7tsJxT2mUMf6Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUc04OKresHny+YlWqNS9dgk2TgAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEt4F7jsQsMm0RvhLgTTyfXdeJGLdo7/Z5E9GL4ws1Xu\nc+jaxDjkvuTaHwdVJatUbdQcDseHD5oPmvqzGdOW6mmjgYMwgYAwHQYDVR0OBBYE\nFDdv7maDJueIf9uz+xQJkxxxuNY7MB8GA1UdIwQYMBaAFBTTVWBansFE6JBHMEup\n2JQYhqyDMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAoTUe8bdc\nU20rwlJMA29wcaa//SCoWY6t/ynC/mHFesACIFg3XWvBiuSbuKCGKEDZEnwJU2V/\nSAJLOBqz7LVRRlvi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUdL05dRF1O1VndV7JQ3dMIRxchdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFF7ftRZgD3PTAWbTx+vbJ0QrHkL7ZbL1PZSMi8nbzaL\npEtVfZa+QWL4+tonSOy6S0NSLZ0PHqCXXzG4bKrMnUejgYMwgYAwHQYDVR0OBBYE\nFGYvDm9r3af4N2oP//1JK3luCsloMB8GA1UdIwQYMBaAFEeT6XlHTbAYn7QdFAiO\newq032l8MAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiX8FZe+p\noqIndhXRjnQflMf6WovMNLLamQWFARwl1XgCICHxNGY9DlIRLdJu/fCDCpxRVllp\nJarjvX31Lqsj1Z28\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1866,10 +1887,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGyWxGAjcTt4+ECgvkElWofdgoZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZ7VtVcZKmaZWXtE0eIRbupReDI9SBzJEM3eaE\nAbb57eS4sR2I/ngWypbwekGPWWM4xcBCdTvnc7tfYnUALDvLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsVwtvbb2ZZ7icQR5csE1l93O0UEwCgYIKoZIzj0EAwIDSAAwRQIh\nAKw/q+BB2/O4sk1HJMzf8cMBsHuTgjOE9usI0T70cCtAAiAq2r4NAqxBRFaeZrdH\n+FwR2LaEo7CmyWr1KRphOGwIRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUar5DHt4vI4wFXbwwM8U7yAfNWI8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfHcV8yBNVijRteGYzIOrzKfeSDQqM15e7Eb/v\nTspXQaDtWDBfe2LU59ro4hYoPatydxI9ORRkp1fso/BHpyCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3HQLj/x4byn/cXNUxo/wqDRuSvUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOlE3ACcR3xpgHjz6AIH3hgs8SeptRNEFbwd53C5oT3AAiB5B7PQ96ycuKW0OZ/p\nUJqH2tyCVy+DZZXeY3jbJS4F2w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUU1iehTcEf8Bg1W4y4sEXz+yIN2gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH5uahQI8QLFaox7rY9bB/O8jslx6iJj4iIVLgYCQeBE\ndb+bY6aAkz5agR0PKoel0T4IgROL0I9aKZTDMkIXbEKjgY4wgYswHQYDVR0OBBYE\nFAI/Zf4bJzmftVW52+X7mRagpuB4MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUsVwtvbb2ZZ7icQR5csE1l93O0UEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIFQrLz7J8YqcSAJDXucahywVcuzTMkbR7F4xNMiWoW/wAiEA5ZbazcYzdmbC\nMDM2dYBevVw3mTVmvTbUm660OKM6tI0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUHb33M7id875Kr/HaEYJcyGkKoIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNEtMUBB5Eds1jCR87yQmLA9enbz9ZqRhnBR+JrcQvQw\nop31lfxrfS93Gs8qIc1JyeJJ4BnHFmdMB64gUJEcHSKjgY4wgYswHQYDVR0OBBYE\nFFlYnoTIUVNis8Nu+67OdrGH8dpwMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU3HQLj/x4byn/cXNUxo/wqDRuSvUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDopT4N9AwUu9Zt7tif9ge67RYEOWx+UgmEM+u777ffRwIhAM4kOSi+DD5g\nodwWmS5Pxa20gb4oyMRS2vfNTLKR/Wt1\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 107c08269ab7d7a928b0720dfa31d45fa2c80019 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 3 Nov 2023 19:03:33 +0100 Subject: [PATCH 050/155] lib: Convert duplicate extension errors explicitly (#10) --- .../cryptography-x509-validation/src/lib.rs | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index cdfb5aeac9b9..36d37dbbca99 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs 
+++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -19,9 +19,7 @@ use crate::ApplyNameConstraintStatus::{Applied, Skipped}; use cryptography_x509::extensions::Extensions; use cryptography_x509::{ certificate::Certificate, - extensions::{ - DuplicateExtensionsError, NameConstraints, SequenceOfSubtrees, SubjectAlternativeName, - }, + extensions::{NameConstraints, SequenceOfSubtrees, SubjectAlternativeName}, name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; @@ -47,12 +45,6 @@ impl From for ValidationError { } } -impl From for ValidationError { - fn from(value: DuplicateExtensionsError) -> Self { - ValidationError::Policy(PolicyError::DuplicateExtension(value)) - } -} - #[derive(Default)] pub struct AccumulatedNameConstraints<'a> { pub permitted: Vec>, @@ -151,7 +143,9 @@ where constraints: &mut AccumulatedNameConstraints<'work>, working_cert: &'a Certificate<'work>, ) -> Result<(), ValidationError> { - let extensions: Extensions<'work> = working_cert.extensions()?; + let extensions: Extensions<'work> = working_cert + .extensions() + .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { let nc: NameConstraints<'work> = nc.value()?; if let Some(permitted_subtrees) = nc.permitted_subtrees { @@ -199,7 +193,9 @@ where constraints: &AccumulatedNameConstraints<'work>, working_cert: &Certificate<'work>, ) -> Result<(), ValidationError> { - let extensions = working_cert.extensions()?; + let extensions = working_cert + .extensions() + .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { let sans: SubjectAlternativeName<'_> = sans.value()?; for san in sans.clone() { From be6d3d81320e76ebbfccc973867fb1fcac1b8a0e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 14:44:34 -0400 Subject: [PATCH 051/155] vectors: bump limbo 
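Review bot: The closure `.map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))` is now written out twice in lib.rs, in the hunk at `@@ -151,7 +143,9 @@` and again at `@@ -199,7 +193,9 @@`. The two copies decide how a certificate with duplicate extensions is classified during path validation, and they can drift apart if only one is edited later. A small private helper shared by both call sites would keep that decision in one place. The neighbouring `nc.value()?` and `sans.value()?` still convert their errors implicitly through `?`, so a short comment above each explicit mapping would explain the difference, for example `// Duplicate extensions are reported as a policy failure; map explicitly so the classification is visible here.` Both enclosing functions start and end outside the hunks, so their other error paths are not visible here.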
Signed-off-by: William Woodruff --- vectors/cryptography_vectors/x509/limbo.json | 405 ++++++++++--------- 1 file changed, 213 insertions(+), 192 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 60d6248132ca..28a708d8c650 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeDOfH6TQd6lrwbDqdm1gvWRDyjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFoctIyWe6+s5WyDf3zRyHCrQpL3EzYUEvhFac\n7C2Ka4XWFZy+MtrZIL2nYhUs7h8p5SQAXiGskrX1M3bn0Ymzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUunJOY2B6qHcejeNU4g3aq9HV7KIwCgYIKoZIzj0EAwIDRwAwRAIg\nH1hBVCXT55J5czXAmnoVwcsM2UtGAkm9xDTKiJREYeQCIAu5q++8d7qQ+u04aIho\nl4e3/8cDfZFiKpxsWX4SWxFD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULbNy4121O8Nibg4uxcS/WXOURTUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3VODJYkMG5SbhlKFSi3PT5+LUuNao+mE/Bgwd\n4dxeUH7gJSJnlCbuuSvj45UuUAdvrQy5aJweT3kxN7gh6kvfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzfg3ciScsDqNeJ5JPfR1tMVZc0MwCgYIKoZIzj0EAwIDSQAwRgIh\nAPFBdzuFL7nZeloiuoNGLocGxShhU+EuJo6XnTfxJQrOAiEA3CEmB7zYaZK15a1j\neIiixhjCB87pNlz6ttKHLGdUz5g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUe7YRR2chSV2zaBz4hx3pG7mvsAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODYyMzAwOTIxMjUyNzgxNDUyMDE0\nNTc1Njg0OTAzNTA4OTY0NTgyNDg3MzUyODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ8DrnsyiXqrM6AmyUx4qV4lyogiNSAa3GN3lzkdUSBEkJez32142GnaSL1FxcQr\nvdlFr2VNcqYuYQQnVKWJUVGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpyTmNg\neqh3Ho3jVOIN2qvR1eyiMB0GA1UdDgQWBBRHx94AaTGw9WYmsNA/olG1KI9M4zAK\nBggqhkjOPQQDAgNHADBEAiBW1Ysfoyc30OX10qgVOFqpQoEiiPBmfZV27q4Gr5Lz\nCgIgEUY0MqP8YkQ/5Q0+xQUEUSeJ+QlRjoz6Cu7t5/g2yqA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUK8RGlQsGfmyLt5EmqOKoDNSV924wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNjA5MDY0MjYyNDY4NjI0OTMzMzU0\nODgxNTQ4NzE3OTI0MTYwODU2MjY4NjQ5NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE5y7fQhZzdWKoR8IRy3m46LtlYkjJVtEPOetIZ3leRdYdHIcNYKKWWHr2y6kcuf\nTODit3JzDkb5QVB72njNDCyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM34N3Ik\nnLA6jXieST30dbTFWXNDMB0GA1UdDgQWBBTippUGmn4KmjWgwzhqAbT04mqz8DAK\nBggqhkjOPQQDAgNHADBEAiA5mQ3t/mbIna6vPndm9gKn0sZ4q9aEeVPZaVDuzYZ3\njAIgb++xE90/mP0S67IF4PhGwcOFniV2IMEcXCgixGwAOoQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUA8n6iMCfjp80DCxbpdeOYFcQ9K8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg2MjMwMDkyMTI1Mjc4MTQ1MjAxNDU3NTY4NDkwMzUwODk2\nNDU4MjQ4NzM1Mjg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/BeY\njjPekxZXDNM23xNWaGAe0hxgay2I086thMlHLlxWyp1e+KRXOQsGbNkbDro1Sm0T\nrcRRAbbyjgiJJqZUdaN8MHowHQYDVR0OBBYEFLKq8Ka8v2VIIaCvTZqmQAiRIa0v\nMB8GA1UdIwQYMBaAFEfH3gBpMbD1Ziaw0D+iUbUoj0zjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAuo6Wrmfw8XZObLTNtRp5WXYsdF+sldBK43Y5oYaebocC\nIQCxBGBUUW8uufwN0uSL8dmaagKA5rFEM1BgLPUzQd4/0Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUKlRG8pw0bP2Ky8+ikmgg3AnFAzYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYwOTA2NDI2MjQ2ODYyNDkzMzM1NDg4MTU0ODcxNzkyNDE2\nMDg1NjI2ODY0OTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd99+\nhlkQWElDob4L3C3UiC/irceNIkQIYpELVnNoTgJVYNyq995muBLEgFBgw1XM2Fmn\nsZwfCPFyCoa6h2RrnaN8MHowHQYDVR0OBBYEFCcQ4Js5Wbc5OuTg4zJvZlXbB7v4\nMB8GA1UdIwQYMBaAFOKmlQaafgqaNaDDOGoBtPTiarPwMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBQ49U68ssvJv9B7LHQ0RQ6k58SHUSXgVBqtpcPQ/V0DQIh\nAIIQMsDVOf5cznbEjyHeX3ipk4UvxqRErPhDDmNo2BRR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD9A8eU5+Veqz8CPSFaEBTNwijccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTNPQfeZHFQ+Kb8Pe1Gj5jnWy7cImvRxFNj9Ty\nOn22nlNUU4yF+lOU3wELfQCryxD4lKADSWtJCvnIpG4J1RYYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQgSxyQhtslHtGl9IEmAVRAbAMAwCgYIKoZIzj0EAwIDSAAwRQIh\nAORPJFjtbmoVdjARJSLdRoggTBf+t22n+0qfCBSfj9W5AiBej0krYaG5d2JoWZqq\nvp09xvkH1rN9ncs2GmgaVefTvw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNTStm8/umPWarblZ9idhhEhzitEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJ1YhXujUZpMLB9YN9QYa5ucwA0uwuPNboEN8R\nheqxEhukybTDwjPB8RuOpAG/KZeiuFhmTytOy+NEfk/PgnI0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxYubSXLDDgOCRdbB6Ssvnu0nsZAwCgYIKoZIzj0EAwIDSQAwRgIh\nAO7hLETNScgM9qtaMqTzir2hVSLGX8rWjfpl2lB8HhnXAiEA47NYcHYYfonfa69I\nk8t6BYfLxAQ2Xaotlx7Rp8Nmg+c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUClFpbA+k+KwSlJagYKp6B0rudXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85MDI3ODY4NDU3OTMxMDAyMTIwMDU4\nMjc1NzI4MDQ0MTAwNjgyMDgwNTQ3OTg3OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nDcAGLb1HrYj5r8wwOJBsyGa3ggMfFjWVlZ4h6M9rPbmdSoT+5R/Y4OO0fAImejUO\njZMKxuPM2DmqtWkgFV98/qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUYQgSxyQh\ntslHtGl9IEmAVRAbAMAwHQYDVR0OBBYEFCtq7TS9zrwwTXSLi98eAmMIGp8eMAoG\nCCqGSM49BAMCA0gAMEUCIQDIDL4EWi4xP09E2Q0vu0s+IxSDQLg3MOJ+yfRlrQ2d\n2QIgbPjOEZ9Tw7SZrGthqHFnaWneyBNJ44wPQKyJpuShKLA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCA8uvEcnqV8gPfckjaRSC9oiSoAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMDM3NTEyNzMwNDk2MDkyMTg2MjA2\nODczNDIzMjMwNzE1MjE1NDQ0ODAxOTczMjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPbZP+weNwyqA18yUSX9cOGWrctfeK3Chxt5hj06F9/6PDGdPGqKqZIXJrWc4NSJ\nV1TkMnTfTyAHgKdERgfGabWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMWLm0ly\nww4DgkXWwekrL57tJ7GQMB0GA1UdDgQWBBSh8HTC/mkG5kQWyN/hIBudUfYRoTAK\nBggqhkjOPQQDAgNIADBFAiEAoMruls6Z+sEEFSHC4x2joDn2I491kR8GckiEm+0q\nFKECIEL1yrgFYKLm+O8N+Nhvoo7VdXYQKYyOfnETXC8diNYQ\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUColWjp9YKqsliG03fbjPWf6ovSkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTAyNzg2ODQ1NzkzMTAwMjEyMDA1ODI3NTcyODA0NDEwMDY4\nMjA4MDU0Nzk4NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWyx/2\nAtSYNoo2eBiJBwE8jPopJVlLJ7jdV/7orkkG1y0WLBoNDMI2UGeA3na86OIJfUMz\nE3ejIHgCku6SXWZTo3wwejAdBgNVHQ4EFgQU2OsnpCvdLMNO39qvL4JWQSAlfRAw\nHwYDVR0jBBgwFoAUK2rtNL3OvDBNdIuL3x4CYwganx4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIEu/gygHEfgs1y+3lD9j+CdY4qpjqOx41/FWQG2E7+4CAiEA\n8ggiNU1wCyBeE8H0YaELtA2+GKwjp8Ntdoc84PoK7us=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUWUp1oKcwmFKigCFGVCp7RsqSZTkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAzNzUxMjczMDQ5NjA5MjE4NjIwNjg3MzQyMzIzMDcxNTIx\nNTQ0NDgwMTk3MzI5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Y3x\nuTrYHLEbcmJdOtx5+OtE7Q7O+Qp7eXPmULishKaOKATH7tNY9jSPjRmRf2n442jX\ng17VgHVgOOZOqNpMC6N8MHowHQYDVR0OBBYEFNYiFbj6ZyD71LFkzl1kaV4o8vBW\nMB8GA1UdIwQYMBaAFKHwdML+aQbmRBbI3+EgG51R9hGhMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBDvbMtjRhM03vHEE9IavmSl8DQV+6zRpsOT+jKBMlA+AIg\nVkJt2g/fhOkkcI4q83V5Ss6tcDwI5kDy1rEoSeOz8GU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNMD8eU3r5hqvFAcUkaT70uFKZkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSsLC8mZUoEGwgBxPaTvxqEe15ptGXaZstNXV6\nKEqwls3Cel0RMKkKKFUIGYeVmQgmLoemSokLZ2s4OzPh7d7Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGKvf23q3fPCgK3gBQj/sglQsS9UwCgYIKoZIzj0EAwIDSAAwRQIh\nAJF7sm0XYXYPsf4RjLz0m26KHewiyjcE8DKtZSKYtjZnAiBMTmNQrISKmGgd2RyU\nt+Xq2lDsfMlFZdAhZbqWeVVMfA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFe3XTelPfUWxCEpQttD580mtnEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQrZ0JegxhwtUQGGIAtq8cyHzI4mmBbXgwii+cW\naniSki4LCuHprU+QGTlNXsjQgkqrYnSsH9fb/+RY1JP4tNAXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUi4Wv95uRYa/saavKfLR+KBY7bkEwCgYIKoZIzj0EAwIDRwAwRAIg\nBYen28ZrP0eYYA1s/dGAWBN+SbwpasX5xMkljlqTBMwCIH7hhvNTJ7cGdl4o3lzC\nXJ+3dZtF4KNR2m03yY7YMzHl\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXlBUUinGoG7qPZCS1tA89/uDNcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDExNzEyNTY3MzQ3NTQxNDg0MjQ1\nMjY3Mjg0NzczMzY0Mzc5MTczMjIyMDg4NDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdBhjI7RdSSTCqgr8Bi2TGqsUkd7hUb6kXURsEyGkfeksValuVVavcoZSdnzOd9\nPudWZHy1dK2B61NUQXUbg0ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBir39t6\nt3zwoCt4AUI/7IJULEvVMB0GA1UdDgQWBBSxpvcwJ8hLNRuO1j5Kp153iPDVLjAK\nBggqhkjOPQQDAgNIADBFAiEA4cuBBRt3ninIrTlszg2uxJmW/GNqgO0/RuAy5Piq\nH0ICIEL9Ek4lNxuQF+FXtDOxMM/Dz0rjBfXl7OHMBuM6fsx+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUC14SnxrWqFqrMbPA39ga8IKJxD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMjUxOTI4Mzg0NTI2OTI4MjQzNTEx\nNzI4ODYyODM4NjM4Njc2OTk0MTE5MTc4OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNKA8ADXjzMe8PbPEBjVFiMp8KMwegJeYgwiLhW0KJROpccw849QQNoSeMuWFI4x\nXaqZ6hWgfxpVmoh8e8rnlK6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIuFr/eb\nkWGv7Gmryny0figWO25BMB0GA1UdDgQWBBTtQE9kUfcVcA9ae+IJRRWfhqQljzAK\nBggqhkjOPQQDAgNIADBFAiEAvft7hgjwCNC8+zrVv4ORtW/Cnvg2Mclwa5N/RzDM\nmRICIGB9vaP6M74okNPw+YSJnLl3VTcOAPy18+b3Y/Ao9yVw\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUCF/9A8GCqSG/43mNfBbhjmjnAbowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxMTcxMjU2NzM0NzU0MTQ4NDI0NTI2NzI4NDc3MzM2NDM3\nOTE3MzIyMjA4ODQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8cmZ\nanI+5MIFen0rOyQOyUDHSwXTRdf6E2JUz7aRyP3zPdL1i1BdPXeFu/yM2VW5K0TO\nUoXoQZYyF2uQQEJlraN8MHowHQYDVR0OBBYEFHuzWTaOfjGVOMX2dVXxyQbWIYN0\nMB8GA1UdIwQYMBaAFLGm9zAnyEs1G47WPkqnXneI8NUuMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAFEMoX/70fG8WeCrxsf43JdbUaaTNPNuiCCUmU9WojYgIg\nWMZUpCFeTmTGtXf7/fC5UBYwzXRuawGMx1JZkVtWICU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUATlFHRKpwMNIAITbZNYHpmme5hQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTI1MTkyODM4NDUyNjkyODI0MzUxMTcyODg2MjgzODYzODY3\nNjk5NDExOTE3ODk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5vPQ\ntkmNYwmF3p7PJnpMRExyQANGYAw+agMF85qoBb9sKxPStsGdam1EwHwXQ79YPMt1\n4UH8OyKw7vzsxal9QKN8MHowHQYDVR0OBBYEFI/XNPYXhDDnnJpncliw0hq/4BdC\nMB8GA1UdIwQYMBaAFO1AT2RR9xVwD1p74glFFZ+GpCWPMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBWNcGmN9+2r3Euc1+3of0BEaK3COVQ2ua7CDduMxynMgIh\nAKTyJV/bV+XG5/8H6LKxB+2UIYD99pOH4O9piEVl4vH0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH52oBPt5N+2xZ9WVNfa56DNbrRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVDkXA+JqBEBJ0HsxisWoltw8PaUmT+wX0/wCN\nCPzoCHVPSQSggtx4KU3/eBE7UTJldW6Rhr87sHsaFrDftKPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG0Gy6Kli3Pf+R2uEYQTQIEFLvwowCgYIKoZIzj0EAwIDSAAwRQIh\nAMK3scRFUaQttTf1MDXESgs2PAqLRgcTuiyxVf4ma0z5AiBs8ZiGrc8eV3QycSqI\nt0ryRHo9xJwDlawLaa9hGmO8zA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQbTskheVYpk4aHAGSdFeJ4lD3/cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATm40X19j0Qm6GnoorbkMRBb/fZQnwQdKKvRYPy\nZS65Dy45dUmlhfJjgNpEF8TECcwxztKFjPuDPE/b8QvjtaOxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDeOQwRR1kkP8L9xEhUiN32K80qUwCgYIKoZIzj0EAwIDSQAwRgIh\nAIhg8mVoGAnjArxVkiYjx48hD328kiWW6Z2HPWuOw8h2AiEAvIjs7aa7xmpgo5MP\nwIk2pBKzdl3/U3iaiPqyoq6wBCg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUO2Za463NQ/HSAagZQmLu4U9E878wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODA0OTQ1Njc0NTExMzk5NjU3MTYw\nNDI3NDQzMjc4OTk3MzU3NTg4MTA2MjMyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJSjp/y2/6m66sMkth4FuZET3x+VzVAm3DmSQJG2FFq5ye++mik3ZDz1Io/WF6z2\nz2SlZb4GO6mnAokx96Dycj6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtBsuip\nYtz3/kdrhGEE0CBBS78KMB0GA1UdDgQWBBQvGYH33Q094WtRLOQJ7LlpIW62ojAK\nBggqhkjOPQQDAgNHADBEAiAkcihlcjf6TW4BXFmhwBAs1sjsNBAn4zXJdTPUdEc7\n3wIgbWMfs93M++SqfNR6IIElsCh8Z+M5lmo8wvvZ9saAh7A=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUc7TigBzwarM16sruuvDHYSrswgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNzUxMTkxNDI0NTEzMzg0NDMwNjYz\nMzcyNDUwMzQ3ODU0NTU1NDM0NDQyOTk3NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAW5UEDPiwNaDI+qaZp5ZLi8LmR8k4PDE47fo/jiNNOrIoIJ1CQYyFlvJAxKuLAg\n8P8Ml16Km7DBDTYxYsVsMISjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFA3jkMEU\ndZJD/C/cRIVIjd9ivNKlMB0GA1UdDgQWBBQaRr+g3wBTGEGkfdHy6yNTwly4+jAK\nBggqhkjOPQQDAgNJADBGAiEAqq8W/mVnyK3bZd+Akpz/Gjx5PupV10QtA1zz+2IR\n+GMCIQDpn3szAkjyZXBy/uqWAIDNqZ1NIpOIOIiuTBxeNJ6Vaw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUD96wVQvo2MsK5N0VvGaF//IqFRwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwNDk0NTY3NDUxMTM5OTY1NzE2MDQyNzQ0MzI3ODk5NzM1\nNzU4ODEwNjIzMjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTExMzA0OTA2OTcxMDA0NzE3MjYzNjA4NTQ3ODUzNjY4OTEwNzAz\nMTM1NjM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMPSuxA3nKLwSwyBy4l1D/+4\nnfNTdFXropfJ2YGRdQamxWk8UnlJNhANjLTM1VdwhC5DMtKFTkkJ/525n65A0KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAULxmB990NPeFrUSzkCey5aSFutqIwHQYD\nVR0OBBYEFHz5Mmszc3jtYocxKB/64mUMLmhIMAoGCCqGSM49BAMCA0cAMEQCIEZY\ngKDE/gN5VG/KmQQSQ7skd1wKNqn/3ueEvsOIWnPHAiAqkhRBQhD1VM+wb/HF4Cfa\nhrQ/lQN14G/yApSzpWR+iQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUeJegCTMOMhMVaU7cFECpqhtdGpswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1MTE5MTQyNDUxMzM4NDQzMDY2MzM3MjQ1MDM0Nzg1NDU1\nNTQzNDQ0Mjk5NzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY2MDU2NzgwMzc1MTcwNzMwMDQxMDEyNTA2ODIzNTc2MzMwMjcwMTA5\nMTA0NTg5MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE51n8i++1jO5vxbLAsUJ08gvk\nlZmdCpgd37wNDXYhBaJ0mvDLybXoR5Cz1tm6WqsO4A6llFdj4Os8Rf3E04grPqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGka/oN8AUxhBpH3R8usjU8JcuPowHQYD\nVR0OBBYEFH7mZ5vJaENyxkoOIx4bvvr8MNbWMAoGCCqGSM49BAMCA0gAMEUCIQCO\nmyFASq4k0YQg/oSJn84He4gR1iNaK3BluWNE1QP+zQIgT0kIdPwxqHxmFAdlg9F5\nJ8YXUIQrF78C93UqV5wfOA8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHOgOT7CrTGnTllQNvQs1/yjuqacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwf3bNt9SV78TcEdFlTL2aY/DU7NCbzagTbfJJ\nVSeGZzR7hcl0JcP4NfU1P/BBn36ZWpWF1Cd0oc0qkleLxWKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLl9gOpBReM9UkhjpC77xU3EBBQwCgYIKoZIzj0EAwIDSAAwRQIh\nANG4apbrPgi8g90thdZvf1olgDibxWfINrG5fFxoFPO6AiBWa/2i5FYPTrtracUD\nSg3uB8cI9FGvSI8eCquFa7PPUA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZoPilQBFVHLNCJddyTxKQNkye88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDLM+qDgHRAcZ9h5ksWkECyeiSWgFXniZgU3x4\nwCABq/EpVGhTttYElaUyvrPSKpMQUVuL3NU3m9SBDUdPkNPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyKS0cPQHmUdxQCTGYfI8rtjK+dkwCgYIKoZIzj0EAwIDSAAwRQIg\neBaWOzfDsE7e7a//btHydM+pg5aPprex1UfTsC+e5P4CIQDBhkc4r43Vg2KMZnAY\nHze25Bc0w7q6OcV75MjnWGnjMg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKHn4I7IY1oR0HzZXcy9Q44MPqIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjUwMjY3NjExNTgyNzAyMDI1MTM0\nODA2NDUxMTY1MDE2MDEyNTk1NTIxNTYwNzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP5WtCIP7pSWFnUPQ1RMyFeCHbxWEq8E9ieoH5FKhx5fAQ30HVkWRcLEtABgmTF9\nGKwNyYxJDLzFzGwb7aCzfMajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBy5fYDq\nQUXjPVJIY6Qu+8VNxAQUMB0GA1UdDgQWBBT/PRRK5gRO8ri38K0PG2BHeFbCQTAK\nBggqhkjOPQQDAgNIADBFAiBJycwW9wxuF+X60QECdrRnkUPw56M1wsha8A4GOMY8\nUgIhANY7AiRY8vCI/y5FNyY/h21WknoWTBuzwLfHUMbFTHqZ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUOyuzm2KGuHjiEzYBb8l28LtABO4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDI2NzYxMTU4MjcwMjAyNTEzNDgwNjQ1MTE2NTAxNjAx\nMjU5NTUyMTU2MDcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzMTA3OTYzNjk5NTUwMTI1NDQ0NzQ5NjY1MDAwOTA2NDA2OTkwMzM1\nNTQ1NTYyMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu5X0t0KSysSmh6j0Xo3+IUYZ\nauYlVCz+qwsmy5CqyOx78q99BvQLOx4hRKRjERz0onzIAlPIwhJAjLKfPbRG5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/z0USuYETvK4t/CtDxtgR3hWwkEwHQYD\nVR0OBBYEFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAoGCCqGSM49BAMCA0gAMEUCIQDa\nEyOffyasA5OIPgAyEI8DfuMNaHtozZ9zVAWnRQb4yAIgJj8awEdUh/Y2W5RfC7J6\ns7bjnX2saYUyF0n7RD6bdcM=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUH5ZH9q5ZqzfLdPNTpp+pftZO+jowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1ODUyNTgxOTQzMjQwOTIzNzM0NDAw\nMDU5OTczNzMzNTMwNDcwMzIzODU5MjgxNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFx0LiYeU8bs1+YGTWaECcf/n1KwYX4qX7uW6Hj3UPFqlCxH4nlIqTMCRWhR4nut\nRQsXNqjBGJ13/F0L8LYO6vejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMiktHD0\nB5lHcUAkxmHyPK7YyvnZMB0GA1UdDgQWBBTBQfjXATVWvhxvaqF3hYgmGcxSsjAK\nBggqhkjOPQQDAgNHADBEAiB39Nt6WaWqVQ4ULC3414OyOCCH1mSfnjD5/A4OHrV/\nEgIgEsZeRKmft0PgOST6j+Dhmfbp3rPdfaeeSqPfmAVjcSA=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUVLAngTiwf83+0SQWwbMztYcIKHIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg1MjU4MTk0MzI0MDkyMzczNDQwMDA1OTk3MzczMzUzMDQ3\nMDMyMzg1OTI4MTQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4MDMzMDA5NDU4ODgzMzI5NDY1MDM3NDcwNTk3MDk4NTQwNzMyOTIx\nMjQ5NjQ0MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmh5dLuGpuUsHVxvimdv29u4R\nDVz8A6xVUL6NcnltMPfhUUPcOuzwS0BvPD8Aa1pmAWfK9SnkaFGhbny9nhru4qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUwUH41wE1Vr4cb2qhd4WIJhnMUrIwHQYD\nVR0OBBYEFEx7UI2FiB+excRCtKAe9whFsOyGMAoGCCqGSM49BAMCA0cAMEQCIAxk\nGXbjjb8UhDDklVMkxF5ZvUvUxMu8C5aUjIWHV1ulAiB5Z+3xzm8nw5PKp2ikR++A\nH+AgXaH1jTCS9SIwlV0B+A==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUIwupQexDqdJvfuBFw7oVTJveQGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMxMDc5NjM2OTk1NTAxMjU0NDQ3NDk2NjUwMDA5MDY0MDY5\nOTAzMzU1NDU1NjIxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWfXI\nOcC4w0U8m68y1tXJJBnk1pnyxGt/3jq+3ORz6GTEd9BsqE+wSdJbpSdDCgvS1F5R\nH5GsMdMxDAgMkPV4+aN8MHowHQYDVR0OBBYEFJOggKZ2aliGzDnPp51PjHtj4Y7q\nMB8GA1UdIwQYMBaAFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAo1qMHU2jh+/i4prRsVQwRt4BVYlh1c8GdaUGIEhEmRUC\nIE1QfuqhqXxGTf72QkRW186//D3gqQwUwOo5bRBY9NB3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUXRQkmh2xcJDQX9t0dLXtpHx0MeowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwMzMwMDk0NTg4ODMzMjk0NjUwMzc0NzA1OTcwOTg1NDA3\nMzI5MjEyNDk2NDQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLiz\n+CoGeRmp02NA+S7d6yejmx6Tshabu6z9HdFFSFzsychjR1kPeJfjogvTL/++5g7w\nbhsQ3PzCLLog6MLLj6N8MHowHQYDVR0OBBYEFGvsGhJIu290Q7KnktRmRtcZV6GR\nMB8GA1UdIwQYMBaAFEx7UI2FiB+excRCtKAe9whFsOyGMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAsNkAj+mHeM9YDLtc9NFa8SSFmqzKg9DLpe5MdomH0FUC\nID/KAl6fi5RRtNwaAaB9Y+G+88tQV6Q9vgd9BFqGxKpW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVyl1U6Myw90up4XuE0dfNu2iwRowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1rMqpXvpFXqPvocF5KdGnFIh9iriuG1mU+DVk\nctBKFE7cIm1w3Lfq9QLx9gChq5nxUnkrv4O0izZsiKZzRBoGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwPS758gTgwUXow5PRHmZ7kRDEdswCgYIKoZIzj0EAwIDSAAwRQIh\nAIgrc5l/Dkef9y6BHXRkN9lz3Q13iDNFcZr3oUyQYeJlAiBabxkJlKKkpWiWfbol\ngekgCAvHlHulayOkYUoqOi/tuA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWsaF6E6Er0fTs23uB5/+nOI9AfMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQKH1Bzj6+f/fDpJl9Kb4pnQIuO77VGoeT0Elv\nWD60mDHEe5Y/5eVXFt9OzFoILIM/wcCEHR5xx1k0DdAmO/uuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUITBLtnQOZYwrG7rRoX5I/xZ1VrgwCgYIKoZIzj0EAwIDSQAwRgIh\nAMkoR3V7MqPR1zx+3GyFyYq2c/PClOaz/fs1/DWk7hRDAiEAoijK7kufGq+3cxUD\nehsaGzAx9j7ZLpX/MZJ7/XtQb60=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW9D4QwIae4yEsn1WnPwamY6u0F4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTc2MDY3NDgyMTI2MzIwMTUyOTM0\nNDAwOTQxOTY5NDk0NjgxMDkzMzI0NjM4OTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP0odA2GGEONW/eI5r5c/ZhCo9Xny4B0DjSgMiwuk+hE0w/D08qi7/pIoKqirTui\nRhseutrcWvC5kO4ZD61wk9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMD0u+fI\nE4MFF6MOT0R5me5EQxHbMB0GA1UdDgQWBBSQIAjyqewu0SQ8pMfA9EuNEE1OoDAK\nBggqhkjOPQQDAgNJADBGAiEAraYJUH2OHjBXYLqnd1gfNIeiu6WXh68hbCrRGckL\n9sYCIQC0b7G8dUlGKcEgcs0KP1IpNhxu9HOilpdIzkOEfL/NOw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMrhn/Sv3KDxDWBVbUwdgu22lDOwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3NjA2NzQ4MjEyNjMyMDE1MjkzNDQwMDk0MTk2OTQ5NDY4\nMTA5MzMyNDYzODk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDUyNDE3ODM0MTc5NDg4OTM4ODE0MTk4NDQ3NzQ1NTk3MjQ3ODIxODc0\nMDM1NTE2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx/wbQt/pO7R9LwvshPTWdUWv\ndCACgdoHynJVTkHmUKEZ7uKkW2bSXkfdGadEh81mAaZZdXoaz3ls0Jg9M1TJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkCAI8qnsLtEkPKTHwPRLjRBNTqAwHQYD\nVR0OBBYEFNXxyL5LVoEruuzzykoGDPHbpN3oMAoGCCqGSM49BAMCA0gAMEUCIQCG\nu1XCB2JCcIWZiFbtDgdZWGpIHWppk67STPlIJmgouwIgLd6/2BDmDLcmsquqnmE4\na5VUp8R0T/aavJ/cyt/xVnc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUWp5nWR6MYwATyuLUvzFXUpJqnfEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTgyMzYzODE5MDczNjEzOTIzMDI0\nODMwMTI1MTI3MzY1MDk5MDQ5MTAzNTI4ODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD3n72HkPcFwsJChGykAQc11/SQylVTvJ8XTfSzo/Vic+1PBWo5Y5Kac14QlqGdc\nZZA1+DHj0bAFpI+12XAP1wOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCEwS7Z0\nDmWMKxu60aF+SP8WdVa4MB0GA1UdDgQWBBSdJ7+rBv2gj58xXyFcyV5QADRejDAK\nBggqhkjOPQQDAgNJADBGAiEAoDySVvT5oVsu6FXlZiADFP/poWavf4ePj8Jj3drt\nHuICIQDSfIr5bu9WHbI/LOrOSM2ENcvqAxKwCpf3UXm7ZDG/Xw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUJBlSYNZoDCp1ScBV9UB+ol3vIRkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE4MjM2MzgxOTA3MzYxMzkyMzAyNDgzMDEyNTEyNzM2NTA5\nOTA0OTEwMzUyODgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDUxNzM0MTY5MDAwNjcwMDc5MjMwNDY5MjA0NTk0Mjg0NTQzNjg5MjI0\nNTgyNzA1NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHdPJwi5jCgYBcnrkt/I3Wja0\naMX6byiAXfxuVZ+KQfdi4EtSA+RDRQdSdgLiu+5kDkjymwYRg2qfaJa9pTvifaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnSe/qwb9oI+fMV8hXMleUAA0XowwHQYD\nVR0OBBYEFAqv69nzhYgpl1WF6VHxrbA3bUwIMAoGCCqGSM49BAMCA0cAMEQCIGfm\nEqLbO4D1N1IEeVgeuGeh6h+YVEbDPoYzD7HjGm/9AiBj+eNwg2VXssV7tHrC97Lk\nfV+qIQbNu3EbEY2kUD0HxA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUZU3MSgUyYwM+Xg6w4KnBMWHNBD8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI0MTc4MzQxNzk0ODg5Mzg4MTQxOTg0NDc3NDU1OTcyNDc4\nMjE4NzQwMzU1MTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgzm\n15VRC45+GcDbYS/eI4Np//mH9J8kWTYJ/U+Mc1aMoupx/sEKPVtTDzCgf1tWY3Ja\nBT4GhOWZeYD9t7QCG6N8MHowHQYDVR0OBBYEFBzEQLOtyc+aypb5A5IOHKiwdOMn\nMB8GA1UdIwQYMBaAFNXxyL5LVoEruuzzykoGDPHbpN3oMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAymsn3vMuUYOCq7jIASlp3CWiYFb1/XpAlQA5Mbv3/JwIg\nfFUmHlQXQLUEk+K2w81159EHm/SNu97pHAYffEudeRw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUJQROfkKpc234M7u4RJ1k9lSuTTkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE3MzQxNjkwMDA2NzAwNzkyMzA0NjkyMDQ1OTQyODQ1NDM2\nODkyMjQ1ODI3MDU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEth6T\nL6MbdMBpq3VUwbsXkPGwotUfPhz2ADIJVRHeYYYHHK0qkalMsShGU6WKWqbWc0SG\n9DxzudZTC4NagCRqJaN8MHowHQYDVR0OBBYEFOljRYlumRKNL/lGq2Twlssvonom\nMB8GA1UdIwQYMBaAFAqv69nzhYgpl1WF6VHxrbA3bUwIMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAtJVEzi/fF3tdUyzYg+62k165vkUBGPlgz+aKiJPpVsMC\nIDTm82OJNXfhjgk/tFe3x5pa17q+u2LXo+HgQVlXuLfo\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXf1lO893NfA0vWiRAQJtBApWGykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0hBOOOv3U1NKMw0KS+LvX5+YqR6QNd7aVd/ZN\nYB8qHjRxmMmwWeYifjsQLoFTx6xNdU9whK/kRmcoBx9BZP5Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZTwaXJ4Y55BTTppyRzqa5WggBLswCgYIKoZIzj0EAwIDSQAwRgIh\nAIjHB0OWHC/o+pSsZinEWw2Mde8vw6BTJQDa9xAFOmn5AiEA9aSkwGjPBtsy0sZ+\nL4RIKBumt+8Mt8meBNMJLckQPrk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeNY9LTvB1a66V7pIprXaRO5OSTcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8Y8Llr5opJmqjMs6Y+Yanw2B/vzONSIhki52f\nv2RTmNjm2/nX2cD4zNsbO4Mu/R4R1Eq/NK7Vefd+Ite0OKx1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwDW+vg4beT4Ux1miwQXLH4oEVcgwCgYIKoZIzj0EAwIDSAAwRQIg\nKPve9+UmrU18Real1OK9/B9NQDQG1/SrOtmJgjVyIcoCIQD1nVckePsjja1S/Xwr\nlAUErU52cBOt35pnPegVJcFvmw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVJTbyxe5O4c7fnP+YlkmZoap2oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzY1ODcwNDg5MTUxNTMyNTE5ODEy\nMDQ5OTkxNDM1ODI0NjA2OTE0NzY3ODE4NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBORGW88mFHQ3f3+hC5qURNTyvVGF98XG+Q/vYkHW5WuIg6D0DBIM2DHA6EEApNFy\nZEfNjZJzvjst1vlFbU/aDUqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGU8Glye\nGOeQU06ackc6muVoIAS7MB0GA1UdDgQWBBRclgmXP1CI5uFts2MPsTfscCa8uTAK\nBggqhkjOPQQDAgNJADBGAiEAzRFh1pf41Q0j/7ce1NdsSBNy5HlLCtuuxd0rANcH\nNgwCIQDFzvvcyrTQ1+qZdGr9Wrr+VTEhdlJhCSojFDZJ1MUvqA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUKU+SKKvMTaZlK3zQGJMakn4d6eIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM2NTg3MDQ4OTE1MTUzMjUxOTgxMjA0OTk5MTQzNTgyNDYw\nNjkxNDc2NzgxODY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4Mjg3NDg4MTczODA1ODYxODkwMzMxODExNjc5ODE2MTA0MzYyNTY4\nNzUwNTUzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTlQghcAnW4TU0OOEfeY66o9\nNxScf+fy2JbWKOYKL+rCfupIeevge9e0fxh/H9W6TMHtDHbH2Jrw6czhyQMLlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXJYJlz9QiObhbbNjD7E37HAmvLkwHQYD\nVR0OBBYEFDVrVdWwNcCt8DYuaX3CuJCqnYwDMAoGCCqGSM49BAMCA0kAMEYCIQDv\nRqo//ZzkEQ+iJe9T/x9zKFYPmBqQB6w5eXuxV2tAegIhAKqnnN3lwDuumwHBTv0g\niCL9tt8Lr+wzPQBhAfxzbPRU\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUGzMX9tZYF8qLvPxjZZlKFAFZfLIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDgyODc0ODgxNzM4MDU4NjE4OTAzMzE4MTE2Nzk4MTYxMDQz\nNjI1Njg3NTA1NTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzNTg0MzExMjcwNzg2MDg0NDMyMjM3NTkwMzIyMTE3ODcxNTQ0OTE2\nNTk5ODU2MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExsYohK7U1vSuDjWd0yzeDA+6\nWuUXv/7HjALSl+E0A3sgWJAv6pEhQvK6iPX/hbWAE+FqXS5TDARtYVSGXKu+4aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUNWtV1bA1wK3wNi5pfcK4kKqdjAMwHQYD\nVR0OBBYEFAc7mMNetCrIrLsrPs77H6ZxpKj9MAoGCCqGSM49BAMCA0gAMEUCIFJ5\nbFT2IGGLgbREtpe3lCZp257+X7vDQNIat8mqqV28AiEAzXnxGd0tCn0Jb3Euen3w\nyr6+SXOapmfnhm4oaYmWE30=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUL7o1T/b2gMFh2a3tTW18B5qeggQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2ODk4NTY1ODEyMTI5MjU1NDQxMTkx\nNjU1OTA1NTA2NzgyMzgyODk5ODY0NzIyNDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOzD96mPum8fRU8q2TWwbLjDp/QJUhGu8qg2LtIg4RtXIq5boPx2n++6/gTsb1JI\nTNrV+hdFUUNuQre8tk8HrpujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMA1vr4O\nG3k+FMdZosEFyx+KBFXIMB0GA1UdDgQWBBTBx2gLOEeaut/IiwBWkVAxVBHt0TAK\nBggqhkjOPQQDAgNIADBFAiEA8emIrETIeYbLZed/tiyOAZ3JnD456rcnOqP+RqxT\nArECIFi9ly/MYkafRAqddWG0aiUWjeAVQnxzVUqd5EkCcr1P\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUdBUTtFcrc3Ku4RzVxZnpMBGKvXQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg5ODU2NTgxMjEyOTI1NTQ0MTE5MTY1NTkwNTUwNjc4MjM4\nMjg5OTg2NDcyMjQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI3MjQ3NTE0ODk5NzM3ODUyNzA1MDUzMDk5OTcyODY1Nzc0MTk0OTQz\nMzcwOTA2MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENAzXz7LWCiyWEdhXW2lRKIUR\nHZSNdzGAnHi4ie38ISmyAfMg7fNxnYVIU5xFmR/t+6r8zHgy94sdA/5/6BzKh6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUwcdoCzhHmrrfyIsAVpFQMVQR7dEwHQYD\nVR0OBBYEFLZgJu5BCEF30//IcSEFwisatIbhMAoGCCqGSM49BAMCA0gAMEUCIBQo\njgCB1qxCsooRMUuRzY+sWCq5EhljybzhhHEwHN9/AiEAo39hxUppkK851xnAzT4G\nJiLLjzwdEdUWqqsG8O7WiWg=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUZaG2GT6Uf9+ITm13QE1cq51P6c4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjcyNDc1MTQ4OTk3Mzc4NTI3MDUwNTMwOTk5NzI4NjU3NzQx\nOTQ5NDMzNzA5MDYwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY2MjcxMjk2MTU2NDg2MTcyMzA3MjA2ODgxMDQ1NjY4NjUxOTU1ODcy\nNTA5MDY3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErGVM8QROII9+4Fw1jfnndIXb\n3R42DmnCY089ntC91v17vrN4IShSWXgoAHseBo2WF+j7ngeNGB8kLoyh2NIDf6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtmAm7kEIQXfT/8hxIQXCKxq0huEwHQYD\nVR0OBBYEFE5qQ+MI08MP8rrwwkQghvamwT+TMAoGCCqGSM49BAMCA0gAMEUCIQC8\nD58zOyihMlWcvTvVE+Xw3cs+Kv1NUvArtmwQza9RzgIgKbisvj51frqkkkxwI600\nw8XbN1zgon7u+oZuWSzdcnA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUQzwSULVMw1IkyBu9nMS+/dm+SBQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjM1ODQzMTEyNzA3ODYwODQ0MzIyMzc1OTAzMjIxMTc4NzE1\nNDQ5MTY1OTk4NTYyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDYW+\nK5omze/ZLH55gDnjmjaXpsZQmyDCNRrvk9djC9dlTUAb+nqwokxEKZlEMfkJRwVs\n4TB25lSdacToiMGpnqN8MHowHQYDVR0OBBYEFJyXJoNPZO1M6pHxRfo/wXrqdnBh\nMB8GA1UdIwQYMBaAFAc7mMNetCrIrLsrPs77H6ZxpKj9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA6vpEh7qqGiW995kHfYfi4Jut/jRcbojBLuCezYurCtQIh\nAP9q5oIgWVNt+ARbt0mgH9yZ23C7VMdQZzsXsBzerQ+N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSTw2WFykK5PZxv7OtabEcoLquuYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYyNzEyOTYxNTY0ODYxNzIzMDcyMDY4ODEwNDU2Njg2NTE5\nNTU4NzI1MDkwNjc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcfNr\nGcniTRJNvSc/Xd+WHXG0hUIk248GjfaERUGMHYeVQHWN0TefVBeHxS1ctUChJXHH\naGQd4ZUY+HDqrEol46N8MHowHQYDVR0OBBYEFMLLPWtm67zL9qoBOZC7cDrQa/dk\nMB8GA1UdIwQYMBaAFE5qQ+MI08MP8rrwwkQghvamwT+TMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAscTkuvF3TH26d6g/3UolekMPI2YvEm/KXphX96BvXEEC\nIFSKZYjuUGmCQqoDedzLQ8VWVuXdlFw355Kfg8BkoDxq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSlT/EOI6Mg96fMfBq9fC2pQT1ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPq0oeww6p3Nwq81l5eHcqhKnzevYM8lDz3sEg\nlnxAsy9tsj/nd4xavDFS1clvfjfWvaN0u7gG1S5522a/mNr+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzyqOorA2UmJ0P5Znbt52CQWQ+IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKO4EFbzGdRN+aiYYQNbcYEub++ry4l8pG6plUuiCa+gAiEA0kovVgVXRxyLhPev\np+5DdR2VEWERMRW0jnb3rrQOj7s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGXN0uBkVdx/WZbTviUy2HzgKfRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+9YTqnCEOKjvAj7Hvv6K54b+cVLuFLGFwJMiZ\netJHWVJXDb1//3moXWzNTkvXifAoWJL05OrKssFB6TwBLr+Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/yILM/Oyrjc2JWynPZsLA1r3uLkwCgYIKoZIzj0EAwIDSAAwRQIh\nANg/CWh0pZiGkVoszEvQN4lis61KSNBIpyDAc5HVWo/aAiBDbAgVnaKioG4wIn39\nqX0G1xtF2ZfJ33WlrCwxEONYUg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOMY47r+XminfO+SH1Q9TxclftRAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjQzNjA3OTkwMTU3Nzg4NjIzNDcw\nNDg2MDA2OTk4OTE5MDI3ODEwNTYwNzk2NTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNFTAS4rv91qu04F6cXMIqRb87MlXKZVQNufBa1gHOfhHAft+cM1tuPigb6s24dR\n0f3Tnq/KDsRBZMhStKNWZBSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGc8qjqK\nwNlJidD+WZ27edgkFkPiMB0GA1UdDgQWBBSnntPolmKPEaDOZIRcAuU+Tk9lxTAK\nBggqhkjOPQQDAgNHADBEAiBHLVjHQin4E5lbJDJfvriiwB73YJ5K0ueUSFEFVysV\nzQIgJ2GU1ncjqdRW5vuyPl3IhgWg26+68Jyj+aEUq3c77IU=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbqjEgxGYY1N70QHuaDh6BA+yQdcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQyNDM2MDc5OTAxNTc3ODg2MjM0NzA0ODYwMDY5OTg5MTkwMjc4MTA1\nNjA3OTY1NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5spBjnPuLgVb7SLgz64mD9HH\nhpjF4uJJxgbtk2LvX+Gqw+Lzg+lghqshMTwOO5a47NFrw1PCi1XnUoq3JmbmX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUp57T6JZijxGgzmSEXALlPk5PZcUwHQYD\nVR0OBBYEFHeGUMQqZ/28dbn+/tZ0MmQLAnUxMAoGCCqGSM49BAMCA0gAMEUCIQCR\nyAHKmoznsxq+CnSKmXyHkwbKz5gqtaXGdTawgUj3dgIgJutQdthLDBNZzScllv2t\nLnA0LHr52QoXHWuHkbWZb7Y=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUY0sxeexT2ypEQMNFWAjjT8O5wGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzMTc1MjYyODU5MjM5NjMwMzYyODM1MzcyMzg3NjY5ODU2MTExMzM0\nMTcwNjcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMrvqALvaYZ6dXGsm8SMoR1KB\niI/SDPz62dEH/i244JV/H0g24ftHeUYrP1NpEWzLgZB65nXiHmLA3kJstqQ+96N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd4ZQxCpn/bx1uf7+1nQyZAsCdTEwHQYD\nVR0OBBYEFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAoGCCqGSM49BAMCA0cAMEQCIGGu\nVMrfjH0JdhhJeb1iqv6FDA5Hz3vM4/ZdtK10GDrWAiAYVO4W7GWY0BRxI+HrRss6\nx35GMU/N7GP+2CzvKe4hKg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUHJLYpYFWMy/aEZPs5lcWvh20kZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxNDUyOTk1MjI2Mzg4OTI3NjE2NjYy\nMTQyMzg5Mjc1MjQ1MjM2MzE0MDQ4MDk0OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNbIaxL6ASpr/uIB0uRNLNMWQLQndyXkpM8jSIFHccOuK32z9Y1FTfHuK7m3fxG5\nlamSFzU/aM3X/QjuRNsEY/ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFP8iCzPz\nsq43NiVspz2bCwNa97i5MB0GA1UdDgQWBBT1P7KUJAzEp4v2BX4nPPGUfKx6zTAK\nBggqhkjOPQQDAgNHADBEAiAyPiJjFfymjh5biWbQy1NOGjwpmWeWFR8IEqwXLZ2+\njgIgGZWx413JoWv1ALzZmkBC0AkAit7wXiyWyqDozR6kxLc=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUNNTCjN04662v6Jt0DASkYlAYzhcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ1Mjk5NTIyNjM4ODkyNzYxNjY2MjE0MjM4OTI3NTI0NTIz\nNjMxNDA0ODA5NDk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE0NTI5OTUyMjYzODg5Mjc2MTY2NjIxNDIzODkyNzUyNDUyMzYzMTQw\nNDgwOTQ5NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmgmbEe4kmq0zXxItLmr7CaE\nn03aHEUSXvvZedWYbuG452g2e+vIe33TZTYhrs2v8s0zzgaC/W2OGppDqBbphKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9T+ylCQMxKeL9gV+JzzxlHyses0wHQYD\nVR0OBBYEFEphehgumo0rT6D/xeJSgV179bGfMAoGCCqGSM49BAMCA0gAMEUCIQCL\nYjrim90WnkXG7rYzBa+1d5yfpRC8unJOMYPYZzqrPwIgJ0IEliB/ncVsnCgh6JKX\n/rMRXyODTLQWQRf+fceZ6LA=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUWesBUPL62nHz5nHIIbmZ0odAb60wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ1Mjk5NTIyNjM4ODkyNzYxNjY2MjE0MjM4OTI3NTI0NTIz\nNjMxNDA0ODA5NDk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDMwMTYxMjIyNTc4MTk4NTIxMzYwNTA3Nzc5NjgxMzg0MzIwODMwNTYz\nNDc1ODE2NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkUCBZBfHKlydEiyxakyOPcl3\n6wcrxUgq7RzCCXkxiaa6XbDTlS4uMsTtKslAgmx8/a4nWuz5b/Pbh1QvuHwmAKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSmF6GC6ajStPoP/F4lKBXXv1sZ8wHQYD\nVR0OBBYEFMCfNg0tU4V+wEeN6mZ2hJtN6AnGMAoGCCqGSM49BAMCA0gAMEUCIQDv\nw2d4yasHtnm7r06qSgaT1RCkl9dVkVD6XIsL7s7YuQIgC853wBA4D4aZf8yKATJP\nzBppvEsAWohT8SWqbvI7M5Y=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZho6Xr5Pf+yKrXEHEja9J1rnNk4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMxNzUyNjI4NTkyMzk2MzAzNjI4MzUzNzIzODc2Njk4NTYx\nMTEzMzQxNzA2NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkeDh\nrXLKovu0GzcJq16cPQjcNJ9kpeJTDzbxZ3sdDj2nPulhNXCqdWa0rOdHnA3M+z1L\nspjhEOL6H972MKiJXKN8MHowHQYDVR0OBBYEFJzIsTyY8rmw60piGaqV+DWshq5J\nMB8GA1UdIwQYMBaAFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA1nB9LAWZKDcsyau3xLIXJMCThtcNwTGFGao4ocmASGIC\nICw8RaUjijt47g61xYeOuqfGh0RMVAgxU2LrpI0vlt74\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUFHdyX+Odfh7hLMnykofPgjpGVVswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxNjEyMjI1NzgxOTg1MjEzNjA1MDc3Nzk2ODEzODQzMjA4\nMzA1NjM0NzU4MTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfkCc\nRdpGoVpSSMj5+v8RtmYvxuYQFF0MfuUNdtwz8ZNewdzwHkZdunRWkMC1uAAEoG60\nPqQfkaCEsqdwLHkCnqN8MHowHQYDVR0OBBYEFLDk6IGIDLroFYXebzWAET6hk++W\nMB8GA1UdIwQYMBaAFMCfNg0tU4V+wEeN6mZ2hJtN6AnGMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBAo9LXEvAD8F0Ah6PRQbFbwNK+MGmEnS56DovyanlT+gIg\nIOhegNUXlC8/xwlyJgOohejKCzV/A4rnm76WbC+5KwY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUeh7oeei8lfFL/5y6J574kuOYB6EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuEZjj+jH4RJ\n0vQmO7958Ui0HNLz++1sUmLE1/uJKbZ+oYZkjG/2M2qk0QhbiZ0aRcblnSlv0Rf8\nh5Hl6NlZiKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFONz2cBYXp6+ZPsW8hIIXzd5HPke\nMAoGCCqGSM49BAMCA0gAMEUCIBuMccD8kiiXx2VShiM/mJAqhLImrP2gCcPXDat4\nBu4xAiEAzVfXSAyPFEu7ckXakI0EJPRSgG2ILEEUGvaih2M26Jo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUVUJNGswhOe98CUvayQU5gAlXnr4wCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA/xGfOCgeAIZ\ns1xDGklbhfBPlDo4EToCHAxVU4Sq3bUJOEJptAL03AbM4HG/GOuK+nUdtyuP6tUk\nSBnYBw9loqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEyuyjPH93oY9EVshy0MY/Cm8Rg9\nMAoGCCqGSM49BAMCA0kAMEYCIQDARA/gwVg6EdGtTdTAEn5wQ2cuOeko8MDt/+IV\njITzbQIhAMYiNJjZT+R289o3s0jAU+IyfscWtpeA5QNCO6MpZg3K\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUbnBADWk2jlxXJvrhO4ubJwGfUrUwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABMSNt84+n59V6go70z+YuMlEmDFOs0xR1eFUd9j19HwFvaIi\nehRdmtT5HE+Zuf/2r3gzpIIg6Ns9rVqey3uy6gGjfDB6MB0GA1UdDgQWBBQgEXeg\n5xc0IrE9HlP9A5yZSTzYiTAfBgNVHSMEGDAWgBTjc9nAWF6evmT7FvISCF83eRz5\nHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPc6bxeK5pI63fD2ej5DP+Vy\naux5eRLjki1Yd+3gKbw/AiB5Fhr3MSIq+ECvzOEvCeOn5UsOG/WMHrinLNeclqEF\nZQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUWb20cf82nLmTULa6K+yzBm1JS8AwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABBwrlp7BJn71W6NxW9Tdo9EiED2pajpIf/16L0i5LRgQvdYL\nrm+lDJ0qhp8j1UAOtDce5D2czkGzZhVm09+iA9+jfDB6MB0GA1UdDgQWBBSfdatt\n2by1mBIE0/7RHi06YfURlzAfBgNVHSMEGDAWgBRMrsozx/d6GPRFbIctDGPwpvEY\nPTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKTWE2L8o4klmNMLxkSNIRTS\nv351SUFJ1nThfslmBxa5AiEA1NQ57b+8QbI512YTxdTniyBeZIdgKgAHZisTc7Ee\nCqw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGxPsAAiRDw43OsppKw+mC3CJmvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Se2RXIP\nd1n0ProOyzpo+14Qx8ZnWolGoMmJoxQ06yBxcu0MXwt3YDmZD/FU21WMo5e7SYS9\nYVZnNk/gVREOf6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJi5WSufyY8ZxyAqxHKrs28+\ny5G4MAoGCCqGSM49BAMCA0gAMEUCIQD58otb0BXNlb1tebdj2kGr5woFH9ove4tY\nAbRXxBVkHwIgMdcc8/V5u6xUpty3TynHyECizZruWT5dRAFw4aJy8dE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUEqbtpInP4Yqe+8YC3ZkDxV0boa8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8RwYaFk/\nqanLJddTVZwQx76niVJEM//1xUqj3uzJ2YWKbkJZNvWHRN4JPw+AeKTzoYyI60fM\neBGTPimrujfBr6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHAsu/X5FX03tg+M1ctPOIZu\nEw3cMAoGCCqGSM49BAMCA0gAMEUCIQDCaG0sZK/ZvgOHFf6G8xxPnAsOHWh0BAWV\nXloPt7EdAAIgCGtLh24emDWEAS6bc60DPOWPRZP9mIw5WoL4EGbijAc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMoT/bEFSUls71Pn0m/VKzze9omgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ78WO5K2JRVbm1\nCW2R/yOGVuYu6eDZIOV7tT8dF5+ylnzKFzpFFhuNI9eOEEPdSyvYvgX19HdyJYJA\n0XnJJZ8vo3wwejAdBgNVHQ4EFgQUDJceQpM236IIPSbhEQ7sFOAJqP0wHwYDVR0j\nBBgwFoAUmLlZK5/JjxnHICrEcquzbz7LkbgwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIHqWhdB/SDFMgXpsVFkXOUk2bQW8xWoaKsjSd8rljwbCAiEA8VOasyQP\nhfOBrvIDxdQk9HXZkLEt1qbJXPcwGkYHjG0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMIE5YoYAQmZdXXtXyl/eYv7vFXQwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARCcc3lOAJvR/8R\nAKhdcw8nQryP4i8ea8TQP5W9RIbQhKnQKep++NQEWB7lCHE9w7rd+jEzernKrdg1\nSpNuEo89o3wwejAdBgNVHQ4EFgQUoY/APjtKATlNNUzOY/VZ0VcYMR8wHwYDVR0j\nBBgwFoAUcCy79fkVfTe2D4zVy084hm4TDdwwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIE8j8fnefnFxfTY6BBKqrzWKu8laS5/C43MOG0ub+q5bAiEA74i8cmuJ\nGw+O1RJCE8017E7qOzuUWzdLRHONpJk+8/Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYvV+KHA0xXxu6E1T54fqmBSZGmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQr0Q5Pd/uePS2foFjdQcs/wAnWP5O+k5G1c2U\nFiQ4ggIz8d2jCRRhYKyHba3fOky85Ckg2zXn2S8m7PaMPbNTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULJZCtkNxfV3+2kfyRl19SOqS4XswCgYIKoZIzj0EAwIDSQAwRgIh\nAMMG75J/rdq7FH5xrDv9mn2S2x9uQEJm+9KkMOdx+luuAiEA76MJTYoePfYo8Ams\nNnRzju+LVSmN0e4ZKAXMQQ+YaM8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNR9iffAs5sYvfeAUjpsV9QRoX6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/s58Zhgm5UWLIc7Ikx8TVK7ri6dmcP6ithynY\nSSdJL9U76KooHcBU72dHGt8+1nq1sQIPysykQSbfgFI/pUpeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUN5801Xa94blaXWj6TRS7Nf65vUMwCgYIKoZIzj0EAwIDRwAwRAIg\nIL49CMWF1d+jm3yFAdf3R14D/3A5Ycgc5hqDgfDXj+gCIDWvVEOaRnLuCvi6rb7i\nWXFgKULLC2sNh/NO4TDLlq4A\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUcIOykTLhevd2z1rtWIStHfNVyJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF6de5Xkgaj9wDbQ7b/MCsl+CO8UN4357l/zK9InVgkN\nQY9IgipKcea4dF0fKJ6ukaXvRq7XZwgqD8qZq5/vqj6jgZEwgY4wHQYDVR0OBBYE\nFFanwjEN6n0FOovP+QAcZGQjqiqmMB8GA1UdIwQYMBaAFCyWQrZDcX1d/tpH8kZd\nfUjqkuF7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCcJNRqtpNCAYIc4NFLe9IHkTCabHRMocW8MHAY/rZEowIgBtdK+N1P\ng5t7srsdMdpY3G0xqzwI/VK7KcH9J3X5PvE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUUMqaNMlq0G1Bb4hL+hrNgiD0yM8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE15AV1XcVV53mokPOGcPhIECJ78JwOdkUf4bAaPKLTz\n3MDB8pk9D8A0TUIdL3Rl/4Le4M1uEl0Er4stZSAlstyjgZEwgY4wHQYDVR0OBBYE\nFOzwUFGjNUJWL0wPw2Kr6Xj7AxwzMB8GA1UdIwQYMBaAFDefNNV2veG5Wl1o+k0U\nuzX+ub1DMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCex/TBD/MmrngMGo+GvzNehmLG5Nd6gunFtDJqYj0N9gIgVOX1uDhB\noalTOr5+XFLnUuelqokPFyiJb4aZSgJ28mI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUPePdIh1++CxbhUDZAOdlsjKsUnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFV4zcuHOVdMvrmYbIGtiJ0WndgrhtFfUNm84o\nreUOZYi7F1/Uc1TppyGwh+5HzF7XBdD0EzwOq1dgGkAQpZDbo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgzMkwsc6D6vq3/DIkOzlZkNx6PEwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAnBInHCmOVmHAa322WYvzuPQmu5K5nRrPMSah\n1/3buWECIQDG9E1wJj5IMorIZ20O6OaTILgVcsUc38fbjIX/CusH4g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUVI6//ZVKJcabOHdDfzzWvYm7RNUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATd0/4T61UfAa+xW95qb960SdFEc0iH+uX/t7oA\nCnJjc/HqEyz2RSXLcGe+Aagmwi/VYOEjh9EFs7JainX8dN0Mo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAOlKbXetO8L18xGDn9MBZ8WWT/gwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiAMkKmabr703u74nmu1m2T0udGP0HoCm42BYYPd\nGDV/0wIhAPaXRvw9+ppHBL4msi3SaEOhpdfLq8FIUcaLrBaG0Bou\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX6lYytxllc2GjBjbcBn1RGvPbPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDF86vDuy9wngvTNht6LFfbnauEtmJZFV/OG/vtDw3f6\nsSFgqAKhjQgvzIqFo+DPbTKXYijK8Vj5FjoIiJjhsXCjfDB6MB0GA1UdDgQWBBSV\nDUUBklgfdKtOBdWE5Ksm3XQBizAfBgNVHSMEGDAWgBSDMyTCxzoPq+rf8MiQ7OVm\nQ3Ho8TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoQUvTJk+YAE1GbSRk7\nCoDfAtxvk8oj3PWFGfaFk0pYAiBPg37IRO967dJyqzhLTHnGcxzVHZ5FOmA22jRX\nwLwRtg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUVgZ2GVVIxr9H7y0FryQxL2UmfBIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE/9igKS+NJY+YhbQgxd7ZT5X91i4s/cAsVBKQVncQX+\n3YSSjWBPk4XKo80cc/Kuvr8aoiGsgkXgfDHF78rQ5IWjfDB6MB0GA1UdDgQWBBTM\nW2cVQ83h1n6NZh4kBjnSaIMz9jAfBgNVHSMEGDAWgBQA6Uptd607wvXzEYOf0wFn\nxZZP+DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPdHg46souHQp+N9CcPC\nT6PhdkHUqt1ZkYt8oVIxkb/8AiEA0M2oNWCxMKcBM2nI4fOqCIGgXJHEmjNJt33p\nXu4hMkw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHQh9/o+XxBwaPl7Xa818SeO1FtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDG1qGA0B5lJ7PCy+X460g0AF7F4OyXqoPkVWI\nsGoquQvDqoxbmJU7t/5HHyQGq5aQFBTDz8ORhtaV+YK85rvHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8gv8HwUQ6Z3VJMAd5e6fT8zL8b8wCgYIKoZIzj0EAwIDSAAwRQIg\nJY8siBSuuNC0P4G7h5lLbfTdTE9cnZbYwJYPoTh4gzgCIQDLcS6JEIJByjzk4+J0\nBNaDifvTxNy8YSZfNqe395L11g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA/MR5b9GXgO8jkNfVhG4muiFO/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcyHH/DZid4SxdR2Vjvzskd7XV0xcBWjuQPyi4\nputx3597aLKTq/O1AQbNVT1B6/vIE83lMi/9W7Wd7a4P1Hw5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXfIBRZRXO7Dx0pjO97CnbPUNVD0wCgYIKoZIzj0EAwIDSAAwRQIg\nI5/47Lb9A4LVSA9zoH7EPPV5oE0jLN95K9ExyjKARa0CIQCQBpGnH0jmOU7MCkWn\nGtWHb5NGAi9pVqA8OM+bYDa5Qg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUSnruJRfuDB0ypRn+pi/e2FjD0SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjU3NTAxMTM5NzM4MDk4NzY5Mzg3\nNjg2MTIzNDMzMDYyMzM3ODk1ODE0MzI1MzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKNlRLgASFct/GMqhoY+l418JmugeJRxEIeNud360ZusqwRwBo3Gev7vovqiZ4h\nMPWx1wuzv+xWbitJ3qfgsr6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU8gv8\nHwUQ6Z3VJMAd5e6fT8zL8b8wHQYDVR0OBBYEFP8uk8UsTOZUKDy4eq3GxFEqSXCi\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgHqYrcUpNRIHu\nHL8vn9GK5kKWOuC0fvFI4CwtcCiaTT4CIQCDCTnRiJBrVDy0uK6Gml05Zwpx68B4\nMzNOoQp0k84HWQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFDCCAbugAwIBAgIUR8/k32qTKMCKENK5Qpjzox27zyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8yMjU0NzYxMjQ4MzQ4NTIzOTYzMjc1\nMjUwNDgyMTE1NjQxNjE2MDYwMjA3ODE5NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWA67R9OQXkQMawaKO504NHIl2G9gvU+HY4xe4nNgHMHu6fMp+TSloZH/4V8bX8vY\nwrMMN0jDxZ2WoB0HGfLZ1qOBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRd8gFF\nlFc7sPHSmM73sKds9Q1UPTAdBgNVHQ4EFgQUq+ZeUYuTBRek23JtcKL8fZ2gaBMw\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiByiN92hT9kyLhU\nVVd0+6mUJgpIeaXhfm3/pDF4P8cI7gIgR3g5q5WUNJ47NLEpM/z+FtivEW1hhU5V\nY8HHIJgwafg=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdazbHNWSTZycGqLPVVmT6tz8+qcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1NzUwMTEzOTczODA5ODc2OTM4NzY4NjEyMzQzMzA2MjMz\nNzg5NTgxNDMyNTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7UZx\nLQyV8b3udfh0ZcjmYaVxvpZOc9OKLKiWnM/Uua4oZK3qaCyCf6G6/20wpytLqeYZ\n8nO173iKSjFAOMX1xaN8MHowHQYDVR0OBBYEFKTVOVIgQStW6nP82Ft//gYGq3hY\nMB8GA1UdIwQYMBaAFP8uk8UsTOZUKDy4eq3GxFEqSXCiMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA4r1fAmmMxxBZC1SHZEPk1AftA57K0SfIjn8EapX8AIQIh\nAID44pfz9QTuduyfQMJEmnK/NLyGS/GYuowzv2nlu6CA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaKgAwIBAgIUem9Up056rQ3y/tPXT5UjoxWATpQwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjI1NDc2MTI0ODM0ODUyMzk2MzI3NTI1MDQ4MjExNTY0MTYx\nNjA2MDIwNzgxOTcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOyOVd\nIBnpmpzXhP76LRdCatfyXl+ccqaHN89i2OZmDJJliutODsdj/tjWvrQBisNErGUj\n9+mat7ClBfK5fTRQo3wwejAdBgNVHQ4EFgQU6E4dDcYjxnt3vWeD1wYEa9QR8LMw\nHwYDVR0jBBgwFoAUq+ZeUYuTBRek23JtcKL8fZ2gaBMwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQC/V53VGCJvFVMg0NT/uZgXuQPOnGz6/V8qBhppP2EeOgIh\nAOr1HDqHZY+AKy4HYpD9Gs3ys4IqptnEuPJrFVBeWMLY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUT2+4tBpzchlbrFti0H2K6KUf+oAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW99woL5i9kq6uTkLow4giCO+aTQA1n8P3I7zl\n3H+21UQTVNfOPEr4dAXshWR8dQkmtBFy9XiucVb1ut61iqrMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ/Y57vXFCQilDUuyPHMFiJg41kvTAdBgNVHQ4EFgQUP2Oe\n71xQkIpQ1LsjxzBYiYONZL0wCgYIKoZIzj0EAwIDSAAwRQIhANCeAUAAfo3bh967\nV8yHMbActi8xQFRJciACL+rrSchxAiA+tRzjfu6rMOvoMG3+oEqthe1rbJ2Ps2r1\nD//B9QRozA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUY4+x4PUoCTA0Sqx8J+PAGyHXhWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvDbE5MnSF6MfFGmBWZep+76UGKCMnBN3r/8dB\n1XrjDv3GMiNr3rW1a+QRWH/BnbumrVOXLCALhMZkLnbRq9Uto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQCthBxFTl52oir/ZZquo3wosX3rjAdBgNVHQ4EFgQUArYQ\ncRU5edqIq/2WarqN8KLF964wCgYIKoZIzj0EAwIDRwAwRAIgX/kke4GkfWHgpSUZ\nvueJyZge1C9jMItxoMibSzxR+YwCIHthRlOb7trxKgMRsf4tFuBNgKlN+CEtcIom\nwLuneP5k\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDKSj3vmiXuWPGtrPFnmKQ0jAStEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHd2rzI1Qdb/2ll+PbsPeOp6Gdj6w/edo6Idl8XW/P2X\nFcZ7/IhFNkb+vegcXwCy9w22MTBegciC208IFvVh7n+jfDB6MB0GA1UdDgQWBBRS\nZU06n8S4iTG99T5nw4hZTkGqzTAfBgNVHSMEGDAWgBQ/Y57vXFCQilDUuyPHMFiJ\ng41kvTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPj1DmTdznncdKrZcnME\n3Wb2Gap+Odu11rjnbXORITDpAiAPccJK5wVsIJBTrm8licJb0BkyEgbJK3jBXFeK\nrELyBA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSzajxV71Cw4vuE2THNSX4cujUywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ45hm7y7IScQqAvh3VG4reP96HYHQI51ZxmtbA+ebpu\nvhm/UIu/0qdc+JEaODkcT9RhNyKg765lSjhNBwzuTr2jfDB6MB0GA1UdDgQWBBT3\nN69gnMR36mdlold1Pw6nXLlKpjAfBgNVHSMEGDAWgBQCthBxFTl52oir/ZZquo3w\nosX3rjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSk8zIwILR5VjnMQqLEL9\nvJMa2qYDAPwHsS5AYQK5340CIBim1JZQzf1dyUBrf5+qj/83uI8XIr7HudtZm9tP\nhBPs\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGxvzpd1uXNukshMP8tB+wl/fY9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjyri71HeLPk+5LJRp8/cKkPSGkBHATeMGt9nq\nL2QAhNZxCNxdFblpVFrog1xFpD6PM0wtMuoXQiUXwjESGYXVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmRPdDjKJVbTfEXdnXHbe1vXQ9agwCgYIKoZIzj0EAwIDSAAwRQIh\nAJXHX7NWTLwhiGtePFCQIvDbInh8820TwfSwDewaeTqnAiA+zkFccf+s/Gc+Nm9x\nnO3bYBc4GHWji1o7magZAMMOzA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGeVnwA17gA8lcZUxtXJF1LbanqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxReTLSWcDGEE/aDTSbh2xBt8rTRozQe+bcijC\nWpTHk/KTbpA6LZ3DgoSwGfAHZZLn8wRxpcF3WiQJt6hUQmiSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcKJoe94cJplDa+uGlFwFmpBbEY4wCgYIKoZIzj0EAwIDRwAwRAIg\nBTZj2jc5NHxd75EuG2Q0DpbcJNMd+lr7vCmUo2UAUYACIBU2b3VY2AlxQ8Tc3HvA\nCyv9iWq71LqC+UJhtbDDbdWX\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQiKFHJz5Vk/ZEf+42AZnYRq6mh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/5IU5Pd2u2Sp8tn6UikZQ8dvHWt3bBnAW1hNA5wJUR\n7BD+NT8KQEz6lmkELfgPYhVK2n7EcNKOWu7QOBpJH0OjfDB6MB0GA1UdDgQWBBQn\nMr2zik5lbLrLrFW6Orb+8hjs1DAfBgNVHSMEGDAWgBSZE90OMolVtN8Rd2dcdt7W\n9dD1qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO85K1sWbq8Fx++GjAio\nPkPOTij0d5XCH52stPfyYPEaAiBsqe62bOBGcTQKkUIKPyykmQPuOyEP69ZbRoWt\nxfKqQA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPb4o+l/VwMbqas0NwQTJuuTF6IcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGGJT6FDdQuNqfSmB22wR4FYt218RpWN5QIZHXXrFAd0\nX8YXibYah2uCQHIYNKhhXTTNieQm80hhNl5QKlfknFWjfDB6MB0GA1UdDgQWBBTr\nD8hN4SSxKwoKmzCwAEef32CgsDAfBgNVHSMEGDAWgBRwomh73hwmmUNr64aUXAWa\nkFsRjjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfGMV2DXCRNDOO6ZkB9ii\n+V79gneLzDCRbt2BC4Cy9c0CIQCaa+Y5Zqwe/8JU7U9Peol1FhPp8v4/HEXNylon\ni7RDPw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUI+0+eM6z0489ByJe/iOdBC1dnuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzU0ODkyODc3MTY0MjQ0NTc2NTE1\nNDk4OTI2ODc0NDM5NjU2MDYzNDEwNzEwMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPt+palKY1UXOrnc4cn3kqF1ooEsIgX01PIpMCcFXjvX32Yj3Zr4AmlfXpfw4jDz\nw4Ttrz93jhcpeKGO6TAFr3yjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSGQaPTL5wK\nhJIcrPJUfrcBxbfA1TAKBggqhkjOPQQDAgNIADBFAiBoBe0EG13ZcEzlZfeJFJej\nADrVybWurM1WjYmK9qMlGgIhAMw6984H12lPPlug0IqvlyVcXNcdByuRG/+BwU9I\nVTD6\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUF0RGBDGAoPj46l9zKKafhyzvNG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyODU1OTI1NjIzODYxNjQ2MzIyNzg0\nNzUzNDYyMjMzMzg2NjYxMjUwMTY2NDczODUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOVBYs1Hzdcpv6hypJzbRUaHw8QhA30aPL7foVFb3PqusmBDv9O6qI316oq88Xz0\nAhiFtKEtyWJgVXVQfgepyY+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTxSMiqL3ZE\nBlE+f7NZXedavrDHFjAKBggqhkjOPQQDAgNJADBGAiEAjlShcL73E92pX+6q8QEr\n45aoRT7KthoysWOhPrZw3KsCIQCGkNfH+mmq9ZiJtJoTOovnembCMshYIk1i95PM\n7jR6YA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMSdYAAyRI/OoNpQM1hSpF/EvaKMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1NDg5Mjg3NzE2NDI0NDU3NjUxNTQ5ODkyNjg3NDQzOTY1\nNjA2MzQxMDcxMDI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOWVQ\nAQvJNuILrwFY9ArrrHV1tNCXpTNrpoLfcqqA5rjp/S3fo16dll4UmF6fFW8SoVfO\njGKjUhAohJB1tUofM6N8MHowHQYDVR0OBBYEFEuvjDY6gRQiyYx18TzbF1xZkNye\nMB8GA1UdIwQYMBaAFIZBo9MvnAqEkhys8lR+twHFt8DVMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlzzIG3Cha5+A2hx2do9ah+RzNhZltG6siwPKHuyPNmsC\nICsokkuSIMic5OIgcY6IsYAnVR8xNw3e5CDMp1qW/N2O\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUBPh6HxMhHuvBlIqfxe1cPuXL2BQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg1NTkyNTYyMzg2MTY0NjMyMjc4NDc1MzQ2MjIzMzM4NjY2\nMTI1MDE2NjQ3Mzg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoAMo\nwdM8ZTxEksfn40rC7XCR6D8l45NrT8m/3Zt2hfFsZ+N/0TnQN0ZENuCR+AOsZLRs\nP9hxaZqtPKysD/VFAKN8MHowHQYDVR0OBBYEFCKGumoQk+ip8Wso3lF9BctUln+x\nMB8GA1UdIwQYMBaAFPFIyKovdkQGUT5/s1ld51q+sMcWMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBdQTbk/dMlWtL2xGIZh9nFbbDXEPh9JOH8YkIMS4d2EAIg\nAt6lHnUN7SJyXqBjWNZN/pEenwkZGyhbfyJ35yn2JCQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUS7LkPVZRsJ2Z6Viq21FlwpNz1CUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1zFubCJ4LQAuAtbY4OIc5dIFAJl7V2gJEIn4J\nETXSM9on/0DMDknRecADiqrKAsPXUPXiFfszIJHt1LCaLhBoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUET5JS1C7AvH58BwtHebnVcVttAIwCgYIKoZIzj0EAwIDSQAwRgIh\nALAFlHuPMf4rA2N4se+CWSUHtlm66DueSBpQz4tMFpD2AiEAlRTzk41QXCc49+r4\nYK0+Up58qln03FKreXY2iwC7reg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcLFwPvczIrloWodNmdeie2InMoowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqQayygOiba0TcPbaHgu0+SJbzfPVH4cqoEamf\nh2GvClawmyykMgxnxXaorQLY/lalJz9sELKk40BRitmaAuf/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCmpbSxbQjBEssa50AMdw0zaYViwwCgYIKoZIzj0EAwIDSAAwRQIg\nbBBAH5M9SlhFzM7iBHQne0HoZ7hyX2Xuhy/LIJ89f/cCIQD5sJ6JHrlLEUcYybYI\nqxVSRvk5p3w1iqvCACXhQJd6vQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUYrwDwvK4S2l9nTIt/Pq/uXm6310wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzIxNjM3MjI5MzAyODEwMDQ2MjM3\nNDk5OTg2ODIwODgwODc5NjI5MTA5NzA5MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOz/4IEcydmjjcl+AMc+NCLJewlXCGMAK+V4zC3hBH/rYZrEDzLgWiXc4KHQYH9v\nE+C5d8UUd3RSsqDvvn57oHOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTIWQVmAOxm\nzCBE2nNdRCrN9XyMtjAKBggqhkjOPQQDAgNHADBEAiAZkPuM5pUWAW6ZDCfPkoDn\n0v8pSkU0BlhXZldYbCzLEQIgZAskyzoGJS2qQKDAypAnGRXWl6l/l8g5uvWjVCSZ\nOpg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUY9IlkPQHCusBUhFICUEgfwwUe8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NDMzNjM5NzYyMzQ1MjU4Nzk2NDYw\nNjUwNjI0NjE3Mzk5ODYyMzc0NzQxNTcxOTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDFnqEgdUZJy58WFXAefDpbD+kcNpLI7O+czHC9b9VPZaGjR7gnEXkLe2RGn9jL3\nn9S7nV3BQjID6v0lxsj11M2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSxAh4n/PfL\n32HbuxobprAN3JsY/zAKBggqhkjOPQQDAgNIADBFAiAFW1SQ3NLs8pMCOKHSo18s\nGknejBYeOHKQeo2hQstHyAIhAIfdl928S8pqLSibI04cq+qUnDJ+eoff7Gv3JLIQ\nID0n\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUPN84JqikijGo/0VvQb/FgOb6/ucwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMyMTYzNzIyOTMwMjgxMDA0NjIzNzQ5OTk4NjgyMDg4MDg3\nOTYyOTEwOTcwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLM4\nGiGAssWcsBJAqSwjpwCw8d4vSD/t2cWAVl3Y1eDcesQJOjQ2Eldi1awCHa3vnTSu\nvd2/TKpKL4Qykc3b06N8MHowHQYDVR0OBBYEFEqEtUPa0vM1pKsqd6EOprNcEXfK\nMB8GA1UdIwQYMBaAFMhZBWYA7GbMIETac11EKs31fIy2MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAtzjD3bgfqmmfhzBr/7piF9fwjWak3zZ8K7pfEF0+5M8C\nIQDnq51P4vKRv6o3aEEViGsU3cNkjcU7A+aZltGlAkVLhA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUTmVdX6LLURzSgtYi0BiryB2QCsIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQzMzYzOTc2MjM0NTI1ODc5NjQ2MDY1MDYyNDYxNzM5OTg2\nMjM3NDc0MTU3MTk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+eY\nSsRf/sgf4o2MRqnogCAeRLZFbl/dQIVXzp8sVvox+v1/iVucSX5nL/w4IqbTENOr\nvbHNi/5hf4zTq5+siaN8MHowHQYDVR0OBBYEFMMAXshd8KBgcwiWt9ln2XO8GN7M\nMB8GA1UdIwQYMBaAFLECHif898vfYdu7GhumsA3cmxj/MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiA+BWqaIuYHEuWQ5mre6MEJH6cKRqs2sYHUmGZURVwWkQIg\nFQ1aKk8FkyQY5srwwmG6GS/gkuKSoBqTFV1l6x+/Xg4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaHtVaLyq4OXjnWZrmcn95rV7xtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/V5wKCmbs8SsMgcyuiuSewPUYvNdwKExSTjpc\nR918gBIbQ7xJiy26motjLPGOg8Gptq7MYArJEPn+6utJ7dmco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhE5eEnxuRfOukEXS0/OvrrWk5L4wCgYIKoZIzj0EAwIDRwAwRAIg\nfFAFw0YuHsW3x1LEDf8+bcGBh7nhHvky94j4ctLqeGwCIDsVaJ/tPHfOUY6RU0gw\nqCWRSU4bQ759bvqh+5pjL4a4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGod9zCuSi3juVUN/vwnfw0ZCHMkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASScmhOuRCfVWO7wsr24EOidtMWdrsVHfZbOFSJ\nuRr5q0DWrdsFmO/WTFPdUwQwcqBGbKhD6n7+o8KteCqBkiNMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAeje1VFSQkM4HaN1a7StVcEi7yAwCgYIKoZIzj0EAwIDSQAwRgIh\nAIhh3PgL60Q/RdicsimaYzGxaWo7ArynuY99jasiMPMaAiEAkVfm8iDJbCOo8xTb\nvdOiopRR5FnDVrT+3gJsdoS2dx0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabkV8PoIpn5fGjhWgh4+WuGQXO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG3IAddetBhQnSNepHYC/RIA3EzgQ5OwXfpENovMD1j+\nWva901eFhz/ly0zXwmx59kAiSDEuikdBhTP4tc3p8M6jWzBZMB0GA1UdDgQWBBRS\nlChXcN0uw6jZo68Dwvab0TQncDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMbLUtKZXSUTB1M10EzZHA1nVAfYWiBEyPaRkFAgEHcBAiBWKMPOTZs9mLBhpJyz\n5fjTv/Lp3wRrfRA+6uG2sXnpog==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbGH23XYPS8etIIQiWvm34HLnJFgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCTmrnD6nyBM8upx4JJMqO1yTMDxSvOgnEs/cSL5rZk/\n2AnAjOndgqp8euCX7temsNhcMOdp0NCFNxJoKkuhzsyjWzBZMB0GA1UdDgQWBBSp\nUXz+IZ15QAojfgAR1QlbeNlRvjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAPYUZYA8icOAFpnqmXX0Fx5+9lR0XiC6D0jg1ABaF69mAiAlwFEyrCcWacMGr6lh\nHkIXe8QqeB7Gg552fRNpwsAfGg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUUQiBu7VjCb7Vd0ip9acdZHPSQyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuKOQRuE6cCqjvarekOI6J3a2rwk3npZIENDd/\nMxyZdgOnYL/7qfjtegXip80gEwXaaNERdaosWQhAvNdv6HWco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUkx0qQsdu1V+BtzWoeTpyInr5r2cwCgYIKoZIzj0EAwIDSAAw\nRQIgek7Ish5B1b+X/0ncGMFyWaK6lk9yeGYb5++rf0QapJwCIQCrpRdYJck2n6ro\nvIDDViABO650kKYxfIa+yRGd2yf+bg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUdaDWQnyiiGLqmDskw2CY/qXTGnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARn1zz26HsNzLFYCJlllU+pLSvPVF9W6y3tWkmu\nXA/JtNfXJkbR9TQZXZhuFcRIvLXZGfwwtIOOecSbWjjTkIp5o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUW00eQj1lX1h8TYf5p9OKA6hLRzQwCgYIKoZIzj0EAwIDRwAw\nRAIgRMQItG/HXO+S39DdZXa7/YcCdzF6tHbbVlhIa0l3A08CIDLIjF9BW3DvbdPA\n+f0zS93jmV8moWJ2tIii+wgPuHzi\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUT8m9vzouwYngxBhuw8z3uv13RowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN2a1CSHpxJ6aoLE0Hwv14Vhsa0TbzzZT+k6xrntVMbP\n9bHJlHMum19wQHye4MIiU67Hpb6kU+CpMvF+nHPtIo+jfDB6MB0GA1UdDgQWBBRg\nsSMwuS8hu8dNlEwSzg8RmODaoDAfBgNVHSMEGDAWgBRTEQRUeUJ5u6Qn6tLY8gIt\nEocjmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJp22Huay9ofQbgbVrcn\n7Wa+E/eg61By3nRANhTtjpZhAiB8GlzlFcuUInPAcGmCOGmogdpd2U/UyO9fewaM\nh6L3fA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXVl4RZ0+eqUMKa3g2X/EI/W/VxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF+Yj9Mf0HH+eyJGoGD64/2G7kaipxI2BTcYhEWQSoLy\nml1SAcRR9XbWrApPBiNXpPuXRKObJE5aVy47+y7aDN6jfDB6MB0GA1UdDgQWBBQ/\nsYmk3HgKzSnNf5+amvbV7SSwETAfBgNVHSMEGDAWgBSHRXfnbRFzTnO9tkdEGarK\n9xxZ2TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOo1Dl/vSGzGLkmo2xv5\nHp6+KwXs4EmcQC1Z8sovOfMNAiEAiZZit9vqsCVgGF6JqIBmi9VfMZBFdywpLSVv\nQGAFX/I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUPf776Z/CFwARK77gSJPyB0DhJAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr4QgU8v0AZRmX1cKPflxp2MoNik39C46bk9Ie\n6fC56Lj8JPtJ1qhcpqon85kI8P5bDCV3FIzcU8Y1F2A8HbA0ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAyEazV/ZBVaee49N8R4+SrqR4PVVTX65ewD2X40zv\nqpUCIHdm5QkvNJF+nXZNHjZJ5Xj2nFohZCgOLCSLbKoVEAtY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUWCPDbz0evwdum1uurKBFaykvt1QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx8Bv6YokgS/5+foxYYPD/lLsOLfNQKlOxHumy\n757Z0/ZIiCSPk59TDwSp8ti1s0bg8CDXeJgLUyJpka35Qu+9ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA7FxXwyPix3Ua0DA5uKkBWeJGx2dvcZAy6l+E++y1\n4jYCIQC9ZK0I98vhW/6AnR1g+4y2s84lrFb6F9XLtrVTYqJbfQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXPPEWXTD1z1KvBVpLvS4olfQHH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGm9jbB3e13Y59FjfkkJDcc33OtAJVzWB2NtDjsD3zzy\nM5qPjx8iYQY8YaiSEExGBYRqT9HM+YXMjIPCpTKVEQ6jfDB6MB0GA1UdDgQWBBSV\n0hhAPkb0Tmc/jk2gcGifo3w/+TAfBgNVHSMEGDAWgBT3PyUwcDGxrJTF4LyziGfZ\nC1ZOkDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN/CqwXpIIriXvbNOHBw\nMKA54eu500FsHoNX6gVFEmCDAiEAhgNh4HavtkUT67J1Ls7090d+k8r5MPomUzqh\nTrRaRyY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUS37nJTSPJs/F2XaFnpELDLe7rrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL7q9CVcAqbJ6sOt/MtJHvnnIEF/xCh1Qv49sjuUV2GM\nfdQNPpUxtbpR2iwK1U991xnPwXt82turhRQbMT0h6jujfDB6MB0GA1UdDgQWBBSp\nzTxjE4/bQcUvY4/bBc4bSJGVlzAfBgNVHSMEGDAWgBSDpeMv7+CRvO8jhRSJWahq\nHvoWRTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIgi/bC9qSBfmBVkh8xR\nJze4wIo9eIWq/G4av3qPuCaPAiBB0u5HU14j6YPZdGRlLSGXHD9DiJ2QRsI8UF2e\n8V07yA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaddfGPDENHPnOK1p0KaMR2kE8oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMlYLE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIg\nQDJHGMEX3zno48cT3K8vEouNQ17zGf3nhdEY8odYl+0CIQDjM+ej2UqyKcC5o8zi\nuchGOZUqoQTJ43oSIlS1TMeRTw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUenakj273C8IsHiNoepr4LyiM8gkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo0YfrN1+mFuWXR0321pO9Zo9Gmb13SQe\nu5x4xH+FJf9YLzCeKscHsmVbh8pFNrAQKzsYqqplWFoDMNcb4dCAg6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHr3JIAzi2PZbeAIpWChaYLUXrOBMAoGCCqGSM49BAMCA0cA\nMEQCIAD99h0QoXj2g2sbzawicF+RXxl8+EJN5Pm302OKjblKAiA25fzpJdkm/2oP\nZwk1nX19jSKncz6W+/3SwTTa8Sxlsw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTuir0E7kfN6phOz9Ux9NkJxwk/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSwSKACjBkYi+IpRmyyHInkE2+w8zOoK/VPD9c\ngZesoMjTgMp8Tritp4hbu0LpauNFLm4hq/D/WUvK0uvb/UfPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYRkVfGkRrmJuOhBXKsmECh424HgwCgYIKoZIzj0EAwIDSQAwRgIh\nAL0HR/QLaHFxaFPanVT1QyTHCdouEu0eltAAR/xweAz6AiEAxS+/merRZCbXEOOg\nA2W5M8Ox6eFFTHkRZyOAGZtFWz0=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUNFtft+X7XRZnHb4X5ZXKh0oNgF8wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtgiMQRt/ELelP1t1UL6WoJ6oFps5d/Da\nrHFN2KRi0qKzKKGqCm2ve2R8hm04bPTd7l45U23v6jf3CMdyUQlXA6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMXt8b5snvsPQcv9BZJsOTgn+R0ZMAoGCCqGSM49BAMCA0cA\nMEQCIBZZ+3mu1sbplqA9se0689SWwdzUzbwvXzqo+9kFMoWQAiBm+ICQPastMy+9\nF6te+prohAx9Li02eNZ9rU3qYX68zQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPaYLwkAUvnwZ0pWtC0L1B/v3lRkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR69ySAM4tj2W3gCKVgoWmC1F6zgTAdBgNVHQ4EFgQUMlYL\nE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIgQticCATV4NOu0hF4\ncC8Epcy7ZkQel2ZSsNHBXsP8XtUCIQCa0mP95rWMEOl5VpSofoCaWHrJwVCojpO3\nIAepvtbQkw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUcMhhsIT8x+/o0mdonHeKH2pIuS4wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSwSKACjBkYi+IpRmyyHInkE2+w8zOoK/VPD9c\ngZesoMjTgMp8Tritp4hbu0LpauNFLm4hq/D/WUvK0uvb/UfPo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTF7fG+bJ77D0HL/QWSbDk4J/kdGTAdBgNVHQ4EFgQUYRkV\nfGkRrmJuOhBXKsmECh424HgwCgYIKoZIzj0EAwIDRwAwRAIgJlN5izbNtrUsx1FL\nFz7V2OIdaOJu1P7qj1z4Mz67uIkCIFMC7JFzDuTq0O03kwUcJUCEmAk2S7riGAEw\nPhxWr6h2\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKfePJR6NwKoQeP29B5OdK4xOLG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPB5ZduIGvivUxB5KCC0pzSTpdLbulOzXPFoyVBNDhFt\nVsdzIF4zsYGTc/BkAeFHwlTgABZTc+w9V6dmXF4xyXSjfDB6MB0GA1UdDgQWBBT7\n95sCeBtZVuww5WYyfBIaRK3guDAfBgNVHSMEGDAWgBQyVgsT0lQT5qAr0nFVDf5a\nScetDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXpmeSNkN6DzN2eEfbB\nckZGiY4vkYQT6MC5vuXannACAiAA05CSN468aU0H51u8L8+WHz0tLAIwc0MMHU+K\nyQACUw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUDE5p+Y3qS+PgJcgiSqT81OTzY20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL9GkGIO3M30XN7N+0Lt32N3g7/tPrW8EVjvmr0aT7e0\nVlUqLqvRNIn8KvByH4Yi39lN5kruW52kFdmGfd0QxRejfDB6MB0GA1UdDgQWBBRS\n3TL6RJ3n5hRWHZJoHImBvMt4+TAfBgNVHSMEGDAWgBRhGRV8aRGuYm46EFcqyYQK\nHjbgeDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJkXA8yB58F9Lva6q0cD\nWGfMixEPxkS4BDVnGUUTpr9bAiEAmoIMJnpNPPeik4eSj7E5opcuwS97tQdF+Qxl\nDpmd4lo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUTKoE8ibggclHVzvJvDZ1kNLTIBMwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPRFcn6Fygyj\nRqnSEKxovYdx1TDXsvcXeXjH3w7ZHldBqGwPXU8GCzOBb1U2D2Pq0yDp9FBI6FVO\nFFT8GzQbp52jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSibqNKswPa3Vws9SwQUmzqYX+7\nSzAKBggqhkjOPQQDAgNHADBEAiAidqujuzhv//aK8gUYolJT4hZhEmDOBap8O1Ui\nmg68egIgGQ9PUUr7S99D3s8LC/QVsLBfxivWpddsOCrkaJq4FFs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUS8vTySjfK6TslmoblAMYcl8JBqwwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBn37OiQ01Ml\nDYcRO4/P7zvUnWqACLMr0fq8+cMiQMA0tB7heNGqdQ6l5peAELpwC25w+RQwMM+z\nf9UwuEb6Ew+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR3rlCN1bqPDQn1Sno6Up9v6Tim\nJTAKBggqhkjOPQQDAgNIADBFAiBXy61RXg34+ydA4L0zxD9hXdMYw4OYXpsPECOa\nW4m1OAIhALXiSyty4o0m5CEcz73bd7HyCgZJsfrWRxVUOJHdzo3V\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURMplJoxJYX+9CQM7e4cYqd5Do78wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBJKKPmql2B1CeD4kNRQDQTZkz7V8Ll1W9t5WS\nhk6rxjkDS1gFEMmIJQ4CPpGp5Blk+b6QhN1w72+c4Y2nBEcho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYnpQR+eUenPNOeq108E6zmfbMsowCgYIKoZIzj0EAwIDSAAwRQIh\nAOpyDLh230ebeig6vcEhfDG4d63a4QKvNK9WF7YtlDZNAiBDUG85RXyKrtvWeRaE\nIxexabXBMOFErOvdk1inf4pP7Q==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeGEDsnn9v+mYufNc/f0VTC4B0iEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTI3MjQ5MzQ0MDQyMDYyNTg4OTc3\nODk5NDAwMDM0MDk0MDUxNzY4NTQwNjIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPTqCjhXggIN1eU6tHJr6Ex+ofQSFY/5ltoh3jxComdFDTPLD2E6swtl9/osEb4\nXZEXniVrXvyIxvAjzniyFWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGJ6UEfn\nlHpzzTnqtdPBOs5n2zLKMB0GA1UdDgQWBBQxZLapl+W1VUpQ9xJb8cETEw6EpjAK\nBggqhkjOPQQDAgNIADBFAiBHe65VBpWkngvAYKGBmPkalQ2b3AAreCe3KWG3z9V1\nxAIhAMBCngJ+0zeUeyn6aDP/O1cc2m8RXRHCipmiIhQoHAYM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN+vntLuzIUGK5/L9tZ7xzNKiJvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY5UFv881laG1Uttg8/jz1JMOLHn44nf6c0vC8\nKbFGXnfMKW6a5oazBRCN8MaGH9bgPD6bWpRo9eNd11OWHR8Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Wkxx9c+y4kMo+9hJylhnMAxfzowCgYIKoZIzj0EAwIDRwAwRAIg\nQWOOxaLBhsbikMTlrjxvuTNE1OMauWjaIvohkA0GdwgCIA5xlkiz7I/+hGHSsKBE\ntAfUIVcq2OF7sfbZBkjerYMn\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUJHTzrP6Lx6+rn1gpkJCmf0/Zc1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMTkyNTUzNTE5NTUzMzc4ODM1MTg3\nNzY0Mjc2MjQ0NzkzOTgwMzE1NzQzMTI2OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCQ8cPDr5UIhIAC0MsGWoRDOUUxmUD/pxhgmbHwXowdbzuI99+KjJHve4XbqZNrL\n2M6SNM++uD6brgObxX/F+L+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNVpMcfX\nPsuJDKPvYScpYZzAMX86MB0GA1UdDgQWBBSqpdW86SudYp12pXFza4cqj1q01jAK\nBggqhkjOPQQDAgNIADBFAiEAvcciLcW7s0rAFN99t0SEI/UJped+VsCMrQidt0N3\nf7kCIGDYBeSHy+9LDQpAiSvwO30Y94ooDV7QwVGmsijuIzGI\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUT5TbDXCIQ46Oe41Rg9wGCXjBYcowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyNzI0OTM0NDA0MjA2MjU4ODk3Nzg5OTQwMDAzNDA5NDA1\nMTc2ODU0MDYyMDE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWJjO\nn/m6Xh5UCaUIIAdifpcrZyCx2mqvfJCC49cIz/TPx4BOW5SzgPqx04PtV3cHlpx9\nOJ0a+NRQV6oOsM4B4aN8MHowHQYDVR0OBBYEFIIxzlJoW0Ud5opfIDbIicXR7U80\nMB8GA1UdIwQYMBaAFDFktqmX5bVVSlD3ElvxwRMTDoSmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAg7KO3wYL40dAl2CWhvoHgAC8oK7XqKcN/KeNioHwi2oC\nIQCQkk3nf9bZl/vniKEnaD8ytgO3YXw8QOq25/RJJyK/kg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUeV+lfGMHwOj/Fb28kIOaQeuZwGowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE5MjU1MzUxOTU1MzM3ODgzNTE4Nzc2NDI3NjI0NDc5Mzk4\nMDMxNTc0MzEyNjk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiDE6\nBl+Uk/ZwLmbHmCuXLjLTyE468lYPeJZYKaE1kXLXqRX5CIBu7GIGmu/rTydm3DBf\nwxkkikRuabSjm5ihC6N8MHowHQYDVR0OBBYEFGbgi6ivH1aKp5mHwcKk+t/ftrt4\nMB8GA1UdIwQYMBaAFKql1bzpK51inXalcXNrhyqPWrTWMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAszywfQLLygcRNE0NqPhpFo5xBRz+abkjHSBiifaDILcC\nIQDdgiMREV4Cvo8SutXVNTClbTF8nXVuKqeveGO0QGSrjg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGAVUoY0c22m9MsXQleEVXRz9zK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLbkHdbN+QOdTbgQFAGR8Dc24lKUquKWBsnTSf\nCNQJ2zOkg+Lh7bCl/lZiuK14uh5G7JD69hrc+HBaXE3MLzzNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc1oByTavztrd+lqecBvNNm95nIwCgYIKoZIzj0EAwIDSAAwRQIg\nGEBWRktMBOi+QVtZF7eenxnF4eA/7JadqlvP5alohT8CIQDt7IUwn3SZdg4+iWDZ\nFibJ8f8hxOPtPhvZXpXJi8B41w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE67pvCqV4GyMbsmEsm5g0wBjNp0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6F6t20+TUUF6f/yxM/BEh2/MDh/QTA7V8pXnQ\nm1+17pN4LhUW8WffmTIzA2fKO83jDXXJ2GWV3ruZsMAvONeKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoApoWMvQPU6b5/XOiR9BVf8mff0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIu45XAcX3YqiApW1XYOSNyU8USnLx8FYgQ6yAB8Q0l/AiEAycg5JqCpm6cT7axM\nKQEdvgVUHXTWof3xDT+L72cyaf8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOCHEjYDiubR/V7KrtvTObxcd2BYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAxMzcxMzQ2NTQ2MzA4MTUxMjU3NzIw\nNDA0ODk5MzcxMzM1MDQyOTU5NTQ0MDI0NzkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABBvDucVWAw8bIT/O0W0q6/dDetPxWhPykHES5YAyLndbHmncd3XOMdadTnXz\nsGqMN9Ph7PPMTJVlbRgxOiFY4v+jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAnNaAck2r87\na3fpannAbzTZveZyMB0GA1UdDgQWBBRxi303P3orJBG8SmEY3FXBHq61DjAKBggq\nhkjOPQQDAgNIADBFAiAGqi/vFSmQ9TFcOkkkY/rrU+b8WPqWAUsPb2n7zD9p9AIh\nAL3j3hLporCETLPqdOxWu/cQHqThssEbXvaUA+yOWCDN\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdYOTC9/4UclAQaz8nUiw2icLeRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDAxMTIzNzE1MTU1MDI1MTAxNDA1NzU2\nOTk1MDM0OTI1ODM2MTExMjYyNzg5OTM1NjUxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGipjhxffGzR27WEG+O9h8uEZsNJS6GS3wv46TOsVdCelUp2FMsVkIkdnsJc\nSdR4VpAIQzpl3u63RbeQeerNKf2jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKAKaFjL0D1O\nm+f1zokfQVX/Jn39MB0GA1UdDgQWBBQODFGo7gu3r/aEwN8qMecIRh7XZjAKBggq\nhkjOPQQDAgNIADBFAiB+kDzphJ5XBG+gtUf+7BaetPZCo5syLw22gV7EsuW1IAIh\nAOVaqL2h/IG7Sf9iPaY1NPBdRPo8yZKXKyLjXHrkG37I\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUWq5oKq3UMCLoTIyqj7PE1YsY2AAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTM3MTM0NjU0NjMwODE1MTI1NzcyMDQwNDg5OTM3MTMzNTA0\nMjk1OTU0NDAyNDc5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqOTZAKnRDNovoCRaSt1MtKXEG3gnjVrci32vQUUYK7FlsthmyxAQ9ROGAWJE7XOL\n5GgPKDQkSO4Xiz5FuNKCX6N8MHowHQYDVR0OBBYEFEv3gT+mklzjNJqmxTgbuNyf\nbX/mMB8GA1UdIwQYMBaAFHGLfTc/eiskEbxKYRjcVcEerrUOMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAwIiX8A1Bl98ZiTUE2bp4oA9IbzBMSwqwOnkKSawP\nRrgCIACXXIyeuF9TnwTrvnqU2bvPRoqZiOv+9B0/8WbrXoRK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFPv1nzf84N1QQKODHvqtdJrAvAQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTEyMzcxNTE1NTAyNTEwMTQwNTc1Njk5NTAzNDkyNTgzNjEx\nMTI2Mjc4OTkzNTY1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n3+nv9ZanwALKR1RWVK7SGQoRmZyQqQpfgrcZZrHng75llunGrytaWU15lSfosXup\naOi4vMTAofz1vohPU0F/IqN8MHowHQYDVR0OBBYEFBS2JOkodsSBLXh0ap6M6/pt\n5oEeMB8GA1UdIwQYMBaAFA4MUajuC7ev9oTA3yox5whGHtdmMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAvAPUile/xZH8u5/1WleMy5bJ5IXiXZt4kuqrxwMO\n1gcCIG5k1y/HMXPaI+f+BauwcY5SH9/zo1qDbJt21prq+bSi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXbE+qWs3VS/y+EM3sesQQYLFx+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFW+x/GDJs2WYWNyy7Tbl7VBmlPRkJpt3+JWrm\nb2y2F6eV3kVJiXIWiNDtoG3mXnhOPK6EjnnpITICs+awhcY7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+l5llhIbczmII4gr6qfSKYB2itcwCgYIKoZIzj0EAwIDSAAwRQIg\nR64Yqs77AStArBvuA7g9AhV91Pu+j7QATjC6TJPsYZICIQDd3KvPbSfVEPBXkgIG\nqKcNtHYlWLjokxB5Qhg8FT4JYg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUO1Bw5+4/aDa40xy7WiJJ/B53YEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7uJUS/QZLmLxB6ZQDu3eqXLGbT3QmM+URPnKc\nBm8kykQ3xGrtp07EAXVOUmHZdCXr8b8Vdc3kCX5q3AKCsB4Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTfUK3iKLJ2EFDHNHltLqheEwt6UwCgYIKoZIzj0EAwIDSQAwRgIh\nAOy9nfm0AyAoAfPuqGya/TBv0IO0PepqFs8b0tgVBCjRAiEAgP5vNMPyBDLIBhjj\nUvCsMhp7/HpltebZA3s52zIxf+I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFcFMO5LYAB7uRw33q+5pvc6PmLQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTM0ODg4ODMyMTk4NzE5NDc0NTAzNTY3NDg0NjUwMjEwNzY4\nNTAwNjIxMTY2NTY3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\npOKvkXzmaWEJ8YjTobBOLlr+h6pRPgS2FDSgoeZVs7MgBOr8c6ZFJFoWweFQDW19\nJ7el5vqCDRkU+iYKPOUBoqN8MHowHQYDVR0OBBYEFCmyKN7NBFMAFIlKldJ73SjL\nDnzWMB8GA1UdIwQYMBaAFIJEPK9CLN0OuhDFxhdbsxgkug1MMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA6iS0c4RaU1/l4ld+KziMp5yJWZj7L40ctQJVbRxi\nTJICIQDR3FkeI09GacsO8Inozyp/nApHi+AGLYko8M++72DwcA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUe+tgD/yHP0TmSBV803ems9WNfaEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDYyMDEwMjY3MTQzOTEzODExNzY3ODc4MTU4OTE4MjMyNzY4\nOTU3Nzc4NjE1NjgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTsm9pqZs6B/HtOJFoJ6y1/31yPC/Jupmp/TVJeUINj0grS83cn78dLdnMgRE94RB\ns5uqRfaFk3bVY3DxmkgzCqN8MHowHQYDVR0OBBYEFHcIf88d5ZPWwEJjoUO0BHOG\n4PJnMB8GA1UdIwQYMBaAFD4arsOzgWz6v4UFALf3Fy1qNDAXMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA0gixx4uyWYZuM8bmnef3wcR9Wx2Arf7GAPjU+cPJ\n5WsCIQDG/7YWiAXAM8UomlLsoYcwGxLrmHJ8GN3e82iz/kLPWQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUeOcc9Goc0HxMM6uwGN68ERuKbygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXB9MdVcWt1ii752rKBhhJorDDCArjw7wfReSU\nQJ7xZ8YiSe5Bp6Fh3xp9RjEAlQxS0fgSno1XBJcTKDsCZTkuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCKJcBokxtmr\naHHESSW9zt7e0GDgMAoGCCqGSM49BAMCA0kAMEYCIQCoxVuBUnkzViFjSXlsLieg\nYeFF0EJcucE1SE5nd8ezigIhAMwC2t1dRbcdrn76AsiayDiN44giP8jyj8lw4fMj\nzDWc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUKOP++8VVrexpseg3f7GYSG9gvCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyc13pi42v5e8nru8Ii8v48At49XjnaKkZGBIA\n8+fvKxwMMrMjSdbRT9GrDnZd65iF064yzHgfyoNMPb/vptsjo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCpDUL+hhruw\nGY+MebnJhVorNhVZMAoGCCqGSM49BAMCA0cAMEQCIDtJtAnn8S1hzvJPDMp2prU3\nPZZ62fjHuhXc/t4nz0W5AiBcDKgktfKnuTGvklOIJqs2kWZmIFfxzPAmU8HojaSU\n0g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUGXIO+uBrt/U4TSSEVPM8P27gfVkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOA3V2VFmTRLvCNJsVtK1NBehLKZZ8wOuKSm23tWv4ss\nfbn0aAOy4/7aDhPIB/dSAZ3s25tIzXNtY2DbgK0f+1qjfDB6MB0GA1UdDgQWBBSd\nrWrOIHrvr/aradmx07uf6bPQ8DAfBgNVHSMEGDAWgBQiiXAaJMbZq2hxxEklvc7e\n3tBg4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPhYkItNXb0zK7IKnK+3\nk45DSrYU+qSW/MB0cZdXMslAAiBFGH3oyFFYQUn+Uw9SWzgMwQcExxnB3aGED3dk\nLO18EA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKBM6BLAPu8hnyYroPsTzXxbkhlswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAuWglwy51SQhBlQfJC2InjDwpKWxrNU0qUuzn43scAc\nPzxR2/BpTN6K8Yo8gROSgvwx8mFiJtZ6PfRPbXhGIxyjfDB6MB0GA1UdDgQWBBQG\n66MBNcZfmffgDKaEHFvEv63EOTAfBgNVHSMEGDAWgBQqQ1C/oYa7sBmPjHm5yYVa\nKzYVWTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgR8HnRw5nPmSJzGDcTHgj\npQ2s7c6ZNoePNST2OK1F044CIH6D/7uuetkK92T/bqn4U7MbNMDmqVg7C255UBEC\n+c81\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUZv6Ru2Sc/S72sshFEXNcXESzacYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUEzok7aAzL7DSSWmUGQcWzZy/2GnyR7FRFsd1\nscr2DROZzx3G/zIznGQCKb5WEfTvNJlT8kkwI0Shqgzhd4jmo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUws99bIhrMaszGG/URWh9iVVGnWswCgYIKoZIzj0EAwIDRwAwRAIgAdP6\n1lLBmWzOz8634ptLK7Y+fkz3nZx0Q1Hf6UtN/N4CICpRc/PykjO/2yPKV5Ek6tcg\n9sjYBHq3Lolc/jLO9Ka4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUOV9Iy+YNJ+4RPzONJ3+jBBhaOO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/usgk13r5mDoTloy33GXg6ruH3Nuzk9y7PRk1\n550GTFir21NJCQHDT4jA/PJPIcDCUM1P4GC26tSPkDk+qKJ3o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUbNrXw+J93JVJ5h1F3a91xnKM0kkwCgYIKoZIzj0EAwIDSAAwRQIhAPol\nvZDiMmvI9tFdBUxPQA/VrRaRo7LnMaXXeEU8HX3zAiBUweDaT2Hp+7c1QJMg76fN\nFg0nz3ExIfIY/PP6G2v7/w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUO0GZvPHlBEMcbRBYTLaW5mMRHM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNDITjwDCxFybWkBt1iD/EN+bfSy0wtlXS93lNffMaAd\nm20tl5ACZyUAgmQV2LvDLfTOI/kEkB1xZRw0afYmkWujfDB6MB0GA1UdDgQWBBS1\nG9noG8bir9JBR+LttRn5V+W0vTAfBgNVHSMEGDAWgBTCz31siGsxqzMYb9RFaH2J\nVUadazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOnZ0xVPTrUlAm+P2JSA\nP8m7OHFJt2QPnf13t2pzihk9AiBQJN4JfQAnhSUN/7T+gig+vRwbUhKyyKH+FI7c\nSMdkhA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUEm6gGk89rldELJALhNPPpffst+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFO3S94Lell5TXZ/Fvsdyxqrdy56QRvpAwmAjRNBPs9z\n6xqkqMR4Sp4+PYX2hN3tpJDiQxUmWA1laba/ibaDxiijfDB6MB0GA1UdDgQWBBTg\nePY+l37iW+VWRGEeI9QOjAdwSDAfBgNVHSMEGDAWgBRs2tfD4n3clUnmHUXdr3XG\ncozSSTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDFfrx83nPPOPtPL8sc\nxoX7/dl1DDH3b2/n1FY3VJOgAiEAq2nFLgMp33ncUSzPFBz8V0nhYu8voqU9MsBi\n5hinDHY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUbR4gZ37OTgH32OnAcdKkHYM/pwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStDeEfg1ZS9dMYr2hFVX0NCklI93VLOCCgfEL3\ndtIVVFcbdoH+wbC+dv1fgnkjcp9ksZrPQAhrIY5+R0D4e0OGo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRZcQO9AmT/QziYnZVFQ6AUlOAXNTAKBggqhkjOPQQDAgNIADBFAiEA\nr5fU1CNRcWZuTpXfRI9IceZT1DWvY1L8fvrX10nl4NoCIBKOqdKth6x1hdFlA0z/\nLVE1cLQdGBM4uhPNDX1y3k7C\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUODqUgzk/A/jZCFMutSQafw+OcyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3yLzpCWRoWnwEw1aJTMyCZDS/3eFnU8cyMAXh\nbrz21HPiNMIkhVghkf/GhOop4MFllvLHjWmztK6/hlDmVbsTo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTKRJIoNjUqbDa2d8bhRKYzw1CapjAKBggqhkjOPQQDAgNIADBFAiEA\n2tWUp6D0U2ZjY4lVFBGS47bS52R1K7U0M//YQDFRGPwCIGHSZvil7HtsLhcmJJ5a\ncEU+dk6ecbvSdP5vrfFWBP2s\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPGkmvWrieOP+TxHsZywG4LuzWr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMgu+Jlh4ck3RcsR4qwQBTJIZb17dOLACm/MNGLQlFSS\nE7Zo99ualEBNLaMcxCpQJwWCGV43COcCgUGqQXC+gzajfDB6MB0GA1UdDgQWBBR4\nZESB4RAdKTq1Ep+CyW/5naKbeTAfBgNVHSMEGDAWgBRZcQO9AmT/QziYnZVFQ6AU\nlOAXNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMkFmn+n/vJapkwwUb/Tf\nONqXZWLUU2b+wZpFHU+alMoCIQDTT46cUlGWdzi5EnWTYFkpr74HhsEngNgalL5I\n6DEzqQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNUcp15WLDvbfrqTITiFmPlbJjoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDl58lT6owAm28Z2BnCMqssAxOkKnImX/O80G86LUNaZ\nCJkHQ5IIZMicHUBEXdz/u/g+4UNH5RBsnuoVvJAwQ2mjfDB6MB0GA1UdDgQWBBT4\nPj3W/evLakgQgm//8yRCTr3qbzAfBgNVHSMEGDAWgBTKRJIoNjUqbDa2d8bhRKYz\nw1CapjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBWcT6yy4Tqkdh2pCvjV/\noagFUCU/amBVB87L17CAhD4CIHWoY2+UqeBteNSwcSM37QuBd6Eq/ye/boZLz2VV\n2LIM\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE0yauC+v7Fm/+hIdCV3Czsdha3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsh6qyuQPXl0V/t5BciPpxrKYHcIedoMycfI4w\nOzxR6f6NI9tCS72LRxKKvz3sJU3fByzlwPioaw60UD2A6ASio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLOm9X5r6Tmv28RUVdKHsEU0R50wCgYIKoZIzj0EAwIDSAAwRQIh\nAIyyn1NQcqaGcfH1j09Dr3NdMrZ3hT1oXrQbX8RDDrafAiAOTlz/euKqFUFXSrfx\ncq5j8yFBAXWLb2XDKPyi7hgBbQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT3zTNZZDJwXR47y+YajtX8tscRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpaEVfbq4EG5Rga7ufVSdOLTsbAJnRyKA5JVjI\nPOhUeqX/EhKCUfV3hDZV9e4K5QHetasCgiFW5NnZJX1pRfbTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz/E7lzsO3eYbqMbb/dtwLfkXqE0wCgYIKoZIzj0EAwIDSQAwRgIh\nAMXR9J6nR5qxNpN8y3L2BO96/BJuWxf8ixAGYom59v/FAiEApGN2ZZoGiZSgFHiN\nQEv1+qMTPfIuGz1s4PcJkAOkjtE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUEPnYE/uriB3AMcB0pWNlSkoUT98wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEwMTc5MTU5MjQ4MTE3NDQ0MzYxMzY4ODI1OTAyNTU5Njc0\nMzA2MjA3NTA5MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUrfR\nU8ylIuvmB7/3ncjcs15+g5EvpdJhKelND5J5GRf1DqWbsqHCoSArf7BZsaMV+QOC\nJ9SOhQhS2jOAF4HmVqN8MHowHQYDVR0OBBYEFC06/ZWQUB9lpU+KDjU1lgCPZJea\nMB8GA1UdIwQYMBaAFC1sLzBD3bv1yl/pYg4rqrbS2+KDMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAWuJd0PuXbFMR1YDsLzNndAczzC8JGWfOeXGS6GnPu3QIh\nAIDcJZiMr7sVnb6iWyEcYQ2mHeq8dDJKMvp6EKPfjtAC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMgJzjS3PyCzay4EpnTX8QIqf+VQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUzNzkzOTYyMjI2NzMxMDQyNjM4MDgyMDUwNTE3MTc5ODQx\nNTAzNDUzNTQwNjM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEldT1\n1z+AijNDHzuqj8+6v7oDvvYUeyczwM5jNH+KZ5xPE+CZet0oUFUSJ0OLEv8R3nSE\nDJ87LDmwzNYy0OwTXqN8MHowHQYDVR0OBBYEFPDC9cUtICVc8tqt+GsDJqzojLto\nMB8GA1UdIwQYMBaAFLRqgIGz1ccTTqU3U+z502HLG5Z1MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBEM91TPCLY8sBsKrkyfUCFiakbH1njMbumwx3pMTcOiQIh\nALgKBhRNjh+F8KlQQEkqwSXHgEyBBYNQWaQEUAfSrS0s\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
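Review bot: The regenerated vector in the `-608,10` hunk still has `"untrusted_intermediates": []`, although its description says the chain is `root -> ICA -> EE` and the peer certificate's issuer appears to be the `x509-limbo-intermediate-pathlen-0` CA rather than the root. A verifier will therefore most likely reject it because no path to the trusted root can be built, not because of the pathLenConstraint/keyCertSign rule the description cites. The negative test would then pass even if that check is missing or broken. The case should supply the intermediate, e.g. `"untrusted_intermediates": ["<PEM of the pathlen-0 intermediate>"]`; since this file looks generated, the fix presumably belongs in the generator, not in a hand edit.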
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSGtnaGK2zXFGFe25qt0PgUd4IqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATveGW04aq4JPFnaqUYnocYdx/iN9MGzQ69GxMS\nS2xCdCNqrl2jwFsKoU2kYExnuz76QFsrWZZKUsynUcmSDVxGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCgYIKoZIzj0EAwIDRwAwRAIg\nIiIJ/C2DyflGfUC/lNfVzXLYb7vBFcBsb1GxCcQU50ACIET4LxQ3kPgF2PeP5Z6i\nz8YVGfhyaBj+6PIDZ2GMIFYe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZDfwwToJYivrT3YCAnN9IFJ/AR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkXM20rS52ZpWwCHezHE3XvVPKSvGUSESfhN2a\nXQeGuAbSzfKrPoSgBEvKkwmhgN5fQcF6gUoHNm+sc6r42jN6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqefoiZl7ix2ntrWCJPB7XcCbF/MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKVQsU4e6BKZBCcG3IX+noxdCdhABVdIpjv7y4+dK5w0AiEAo3PEpsM6Kl3TIGhh\nCEuHdgllYO45w15Fb5dq0VWFnxA=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUT6xywdTY/qgH7v0sEau82Zdx2q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuQr6KTw1WoG5zGbOHp6kOhWWV2ismK29WmPwK8Vf4Y\ncPq03OSLm0HLVRShBnsgtczehFgphTAmb8skxTnBd2ujgYswgYgwHQYDVR0OBBYE\nFHUNYxOOhxLmA5Lld8ckm52m5QRXMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\n1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQD9kHyx+UPnUU+tawOAuiB5fCX6m2YT0/wBWd3FLDNV2QIhAP/qFCaoVBQ/gIXK\n+ut4G2f5RZ6EDltC8FRPxG37Dra+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUC9Ts43XnDuDTtqpttS0AAyvWyhAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDtMdmVFmrJdovtdY31qi5KqZ4EB9hRKzIY67SI6SAVo\nx582tmjD/fh9Pz/YowIGHwxizajonC959FdFiONF3DejgYswgYgwHQYDVR0OBBYE\nFIjAD9fzTWJRqS84nwd7ijBHGtZtMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nqefoiZl7ix2ntrWCJPB7XcCbF/MwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQDPMl/Hkt26zmfRZvHjDBstgvWqqq8FsJn/C5WogNMxBQIhAPqFbrdt66oMoP9x\n1sbg2crxtE2WS7wz7RZVvl8tPxII\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfOcviViK6WXKql4oUCWDgUK1rlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjv/QllcMdUrrYzwNi0hy7URM0YhOkSlIpT25o\no+AogPCOLRZatNsslxQS5SjKAZAJLANXwjkNgs9BvASBdF6To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRsQ4knZayUNLlcMr5Tmp0eGZggwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDTo+n5aF0zzSwAi2DFif+8\nMOhJq4jOjdZulZyIezfrYwIgYYMv9T2CZBANiONPA95GwZj5wyL0e+NeAxqAgSLV\nMrM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUKJ8cqMv5MaVb0Y7jaE8pRp4q6dcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASyyUWnwLmwhcW15XQfTLNn7mc2q0qYbbmdDJBJ\nou7kzJ2xEOo44Qle5W0EaIuEIIPs2oQwDEXRMJtDQyB6bJJgo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzsmqpVKecsLc8mVzf28713I0FVYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHvezuABUnxDq4q+cjFYMI+P\n5huGPGwmMmKqrUW/bMPEAiAQc/5qnzkAkPsuPdGOJZGN7qayryk4tTHmBO2G/3ru\nzw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUFDHI7DE1OmuVHvFfW5wKeB2Ph/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAKoSCMvIuX2G4jgEeulDw9TjBP4XP9Bak3KHX0din41\nQs2uu4yWmLfJ4vjNVVEHxkTsNNL6GBrUpkz52juNlNCjgYAwfjAdBgNVHQ4EFgQU\nl97wvMWV7FvB5UgrjbvJgBHwc48wHwYDVR0jBBgwFoAUWRsQ4knZayUNLlcMr5Tm\np0eGZggwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA4IMNCsEk/H/X\nvfQymHMTIX67Nv8H5lyXmseFqccHGwECIQCPU9u58ofO2KA+cGc4QewNMYj3nlfA\nmm2kuAQzVSpyWw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUPI1Kut3ZjXmqJh53iEbi8U5Rw0cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFNSqrs5HouDxS+FZOnmZTBtyMFlGF5ycv+ikDUCvXpw\nItdm9HhnABx6DwD8HBpQZt0TDgN2lIt7doVNzwuPMC2jgYAwfjAdBgNVHQ4EFgQU\nZpxZ5pVZNXXRreJmaXSa2ndhKtMwHwYDVR0jBBgwFoAUzsmqpVKecsLc8mVzf287\n13I0FVYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBgf7/rGb1kE3H3\nw7a0eLR8pSbNoPHSm2LKuqeLM9wzlQIgDtxi9H1GFCB9bq8oitjAmlGEvoL9DQEW\ndjGBu/vrx0g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUObqoFXf0EAAZC5epLVKM6gYOWjwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2lRAuO4gbDTrOYj+hQZQywoOcDPE2drkqqs2S\n3GkivXs77g33o48hIJ44pYU3TmOf8AO8Ra0dVvn3+z4LcBrXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp4v8jtoPQHeG4gd2zqxJQOWyNzwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC0EO5zmgfUIRZICv/UmzTTw\nGP1fIvkRvt1yhwzJAQn0AiEAymH6oiuQ5YGEnt+bAsf2Zwr1jKbhEPrepJaoOaAm\nSso=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUIviW+uRSl+RgZbtqEscuSQXsr4EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQA/dHlCn3ms36XuEM3tTmPA0zRTIIQ4nrCh3Qj\nw1aHPOEyhog7dZ4D2MnPDGCfLNakg8n0jJgpJiTypT7PBIIno3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKQupFQu7p/w+iRpbvl40wbS1xcswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDCS8yDsdGydO2pUosaaBRfs\nEIsowRFDJCksTOpJCeIVAiBJYQEXVDVtyCfsqQgNLHGso/DP4KiX4qZk5UH+yl6F\nJQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOQOeAPl/oPw1GvI7aitQT5Sb41AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABONcfxRzbxFLil1ccqWaKa1f63ytKeZl5LCLwg1s6oJE\nLqmwBiZXBr3arFgKtzVAToRF1igAPYE0l4myHaiLhWKjfDB6MB0GA1UdDgQWBBSZ\nnoGefUIT1eMhVP00zvJsfz543TAfBgNVHSMEGDAWgBSni/yO2g9Ad4biB3bOrElA\n5bI3PDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgRD98gLEDN3ws/EMyHNHl\n+MFZqcI+zVOL5yIPgJblCHICIQDbpa6rHnRv6dtMeanacWyRs3EBVOLR9WYaMyf9\nDKDVHw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTd8cKYTAoBuP4BwS7gzrbwGVNT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJdIfXZ5t3mWJSdRIsfWyvk2vlR1z0vblIxle63OnnG9\nChwjkp7BKAn5e67THEzrs30HXEkcDh9U5J7GySnuioGjfDB6MB0GA1UdDgQWBBQ0\nnBUlYy/eE2WzKi3022VZRVvtODAfBgNVHSMEGDAWgBQpC6kVC7un/D6JGlu+XjTB\ntLXFyzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcQoLXUelK5XlMQZBBcZh\nwTOzHtlP1aqzpEIbrNE02VMCIC0DFxx0FdNQbQVwrbgku/YMBl4AaoqJnhIRxXpM\nox+V\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa/G/KuQcv+2gEKvajr+Db3p7gS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxwMa8eA/AX760pQxTHMFY3laTS8M/EpNLRDvk\n36QFcSr3ccssbq6V4OCevON2FXS6OaViGaftbXaCIC1uYEV6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUImPrTIZfm77b8Y1W7VXV9OeMDGcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEP+uMYV5vCcMqoSjKyegFgA\nGiFSKlfS4nuF9AZ7+1mfAiBPylpmVyd5rvS30ajAxCTu+I8XXM77nvVK+29QNw4y\nmA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUNrvynFtSM6U5V2s1yBAQuZfIaJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwgmu2GbNZ9rTJ4mDgJZOxZVuBO3pGXAG5FDek\n1YOaOEmBTEuNiydsDzdOk7Rm5hLaWl121hqcremwaVDKhqZ3o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0N+uc829FUyq3s7VC0xpVKgDiY8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC/cbd/atZbiKRG/C37W5F4\nh9UsiqDdF4tozOIJISAZFwIhAIi/lxfqDKBhJKjPvlIBq2Jx4q1c5rPFE8yeqesm\nxhUO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQYlfz+dNBezDlMUcBxMDLqry1TgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFP2lbYlvnUNgrtBg3mi5ncqEnOEkMLGX8TB8EdNjBYh\nXefT5aD06YfODJiZVJPPGsTgiC4hgbULm5qaN5+IKbWjfDB6MB0GA1UdDgQWBBRg\n0GsZF4Xhim3Fb968Jh4HFSA8yDAfBgNVHSMEGDAWgBQiY+tMhl+bvtvxjVbtVdX0\n54wMZzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzgIes3P6VrVteH2TbHJ\nLOv69wZ3Xwy2wmTICAyEo9oCIQCHKkvYWo4n17t11K5bbdNIVujifZKWe2tAz5MA\nua2jsw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUboyqlbkWbC3cue6bVnlTY4LlHIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFSq8/45/WGEIIK3zwLQOfnQfu1CZy3l5qj9lzeUOK7k\n2omNmQsqcEBk4eixQtmwFbJZ03bPwR1QmIY9zv2WzfmjfDB6MB0GA1UdDgQWBBSh\nO3o1YawyOluJwgoXldMYi3ZEvDAfBgNVHSMEGDAWgBTQ365zzb0VTKreztULTGlU\nqAOJjzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgURRZwsD7Ne3CIic5bAMT\n4F++n6wd7zOCCNXwoDFZK2cCIDwOBlL1nnah9FPWBigAJYkM4cqNzcLflcsN38sp\nizX6\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUITPmaoRhvZa5cMni63j6Zk0MG1owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYk+8jfe4p94kA+lrbr4tZRfIdK6OJbWYMN8KR\nFVFZIB5cBX2xfU9VxuE0bth/BMBIgb2fSjj4Q0zL+xasEjUeo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUekiGzBxW+Al3oPGpdO06yRzcefYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC42zv6ezSBFK3sfIRI4dWq\nosBw9LJ+LZoI4608NDIajgIgZ3OnqhRhJPdhSuBKdNuUP7B0Al0DEL+CXZcIjzo+\nWsE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUZoTigaLcDTLdkPMoYT17BhCvOV0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSGE4y+iyzMIdBCQ77+iIRZVN+64fGEdX3OI6K\ng4ad+4WBI88e6nTFzmXDgwKU2lTnmCndG/en2+fKJa3w0xx3o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUppx2IHNYAUzAngLBo2PXsdKmeM4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCcggEZ/D3VPfEybtQs77Wb\nCCt7zQ0EXa+EEOzzVrjmtwIhAO5Y4K8H5d0KmK3mlzhb0Ma5wnrMVj9z86SdZAHh\nnMAL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUGGq4FDHSs2icclPcOEHrYYaDsvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDXJULye3lQBk731vHJu0JxF911usWf5FYSjSo3W5LH\nfuGWUQ8QOzf1XOA3NtSnkm0qWcpyZOCVoU0RD1WsbP6jgYUwgYIwHQYDVR0OBBYE\nFIN7rrWJlmuC3GTMM1KuYoPkUlRaMB8GA1UdIwQYMBaAFHpIhswcVvgJd6DxqXTt\nOskc3Hn2MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHYLKMqK\nW4gp5VMiIdI2ssw+mgXsSOnVEhl65cFaMVjVAiBzGBVXlr32jNTo+CMbLTRhZwCG\nFNGfG4Jsu0JUITVEbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIULhdjNTjjl1lB5g16uMhQOU3u0w4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHurG0bhxmLF9s/OUNF3UUbkOKliMy7o7l+M8R9aByzS\nhBro91ypYnVWK/yXI8IInQlcIhvvsEopnsPO+z9ZI1mjgYUwgYIwHQYDVR0OBBYE\nFP0TobZYdmNPJazpTl46BurMTMXuMB8GA1UdIwQYMBaAFKacdiBzWAFMwJ4CwaNj\n17HSpnjOMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG3FtN9U\nSGhSa0oR7LhtVjNlCnMxSxUkIV2ljoKC8AfqAiBdbWesayxwiNTrfX7W4a2xPtaQ\nLOcwBD85Bxt9NDZT3A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUSP9iCrl/fZ7wRFXMbG7NbKYQXO8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATX59HLpG2K/K0QX77XO0Mb78zmCrA/akoIPbwD\nQgre+c/7a5zAAZlBKYdQ2naEPTIU1oOkc3sJo/A4LUSOxg32o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSCxBR4hm/1t+UEu85W5kZ2Wlm4VDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgFvJS\n9HUZB7IKli+4ygSgbzeA/5OzBd5Dn2fMNhMVeSsCIDBBIAk1N3pjl3HXG8QgHeKs\ngL1joOwsrpjdxCLH/E+X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUH3MIoWlsoej1uO05yov1gq4eq6kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRuZeApv+RxHh44Zm03aLDr0R2RMYw8Rrxocc6\nYOWlRfiUJVaoRpEbxylo4Gta7fVFWZowFwtDyXzTUBo5styko4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRNQNzP+2BWmhX8v2wJvslqro3nCzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEhUY\nvHoZo262JHroMmJ/1wLS07BEYAZT4UG/EUNkAWACIQCSywG4GZmEAoM4p5dk+8Pe\nQWf29iejhFsuetmLTdnnjw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUBhc6olZ8KdzARsZ1IFrY5sf804AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMi9VYkA3EX0TWsThokN/FNsUoW5L64aWOFSYbA/w+2A\nC510H6BfqgvInP6qoZksmZksxVD0pVMb974BSqrFhhKjgZYwgZMwHQYDVR0OBBYE\nFK0OhUf687o7FSb9ZeKPjnGPBIZPMB8GA1UdIwQYMBaAFILEFHiGb/W35QS7zlbm\nRnZaWbhUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIgKPDK4p+1HVSxEqgmYgdNWJMWAfdqVxFHyR+NhorcHk0CIQCh\nEyBgL6lEZS1ZGsHI+LdOW5Cq1yl1lx1TNanynHuKXQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUemxo2pc+5Od60YygMpvMQx0tsTIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNxmEor4gawYzikDARspZnsHgHCcltb+SvMIj3QHgrxy\nQ7Wj0CMMA/q0hFuHZxYFMhJOfIN9acZV/0bxYS/bHTujgZYwgZMwHQYDVR0OBBYE\nFEDs5paXoWnNTNjjF3gpEIugTYHQMB8GA1UdIwQYMBaAFE1A3M/7YFaaFfy/bAm+\nyWqujecLMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIhAPwbJ5vxEwtR1FNAI1ZJE6XYuzzkjV8Q/7OswB7larCyAiAE\nU+kQsbGTqsgxT1XpyH5AbcXOTbqO1XWXIrvd34DqDg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOzWCL7on1OMrhy7T3R4KkGPhqJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlheUSq/fcBtOkNExLGHbDCjIlF9ODFr8rA2tR\nuuFVy69nFTdtjMlvD0Ue8mc8gC8rFh+czJuQlI5j6VSmbC9Zo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+lgWf3x65Qe5GqoimUlOjcbH9x0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIHLqgeg3j0Q2Rw4Cbz8W5PVhHLnK\n1PhIGlOex2KHstEhAiAkt4KZQW8GxTKqXjn433OEf+Z5swvseK6PJmUu28L2ug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUeaBbhv32XDvlCu+1bf6WbvMr3xwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQtekQPQQ1DW4gfH735eNXR1NYDeDPHPvxsIrr\nqViEDthkLFbGHkuMjxvti7rRrTAf1DnUzrpaUbCqXqmV2Bxgo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3ZfyYRQTEDcuAKPkDqUZ+ZcQIB4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDLu+RA8a16eaaj4PS9fR1/MNHA\nxdaGkxpiYHR/um1sHAIgAzy9srltHdPGA3YyC0Byw7Xi7pcHSJC0Sf8V8LBNmKo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUT60P+6ysU7yyrtPbrztaw9BLFTgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPKjNNO8E7XYZHtpCK64t6mF+GVvWoLMchL4ooCQRMvv\na6omxPoCt5RRz+RLnQKx0PRXzkvL9CXAghu2DDY/SHijdTBzMB0GA1UdDgQWBBQZ\nm89R/DLNQ0WYci014HecAkAv0jAfBgNVHSMEGDAWgBT6WBZ/fHrlB7kaqiKZSU6N\nxsf3HTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNJADBGAiEAldp/u+yzvUe94J8ijX8LpZyfJJ++\no/V/EtaiKzhblzMCIQClcac3mnEvHs5N2V32qfom5voc91DgrNhYeCQYctdi0Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUDPdw49ua1LtxGlvoDxNM8Hc/rHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJy9nTmzITNzwb6F7huoiRMWbAoReP5PtywvUwTyEz+x\nPF5hbc26vNoYyebQNvL20NhwMxAR3S8wiir9h+4SQHCjdTBzMB0GA1UdDgQWBBQJ\neZutGQBPiD2KPO1Juq75mImAwjAfBgNVHSMEGDAWgBTdl/JhFBMQNy4Ao+QOpRn5\nlxAgHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBv81A9l10YTVc/U2OlKiKSGYkZ+zbJ\nl7vKoZ1QRBrpAgIgbloHx87cQVvpYpj/QkNNFc4YpmINRL8BBekzcEfKZFc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa1uRFMu9yRc9QJncetvN/TGUBNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj399gPzFi7I8jcwR/90Slvpks68FHNAQLgEgn\nYNVTEka38hGKVdII0SwT05FWw9iOkx8Tr2tjZfgSBImzDN20o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7jD6i8sQiKFgj1uipTdlqZQwzMAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEwgiNxKf9Z6G7nm7vEFn4gGy29n\nsBVthslPhLXVb2dLAiEA1CqivoH44zLuR6wDdG5Aku5WuezfvfmR8IM5PzM7Xxw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUF+6uEivzqW8BcmNWfEJoPzflvPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkmpFoeFqOXwjGm7hkuOP2oKBso9qLMmDjNulc\nj9+fSQPDEYX05vupd23DDUm6ubMCZzZRiMNU9qa1czOuKoG1o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlHNqUa56nYC+S2WEP0y59vtR7QswGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD1opuIBSjnsq37gLRgNGvQyN/o\nkwaLYzjZpt4MtUww2AIgCOFJSyg5Fn+puk2N0u8ZUCB5AfXanE484lrzZkGUkrs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUaPTA2wXJpe5LnYe3moRDXnQDw+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH1CRjQq15szDiDsTXz0oYBkkUomhfbuOsmUZRDAab+9\nt/+u5DxefxrYESHKIMmakieov+umwrf5b5GpzhpN43OjdTBzMB0GA1UdDgQWBBQi\nr9egyQNoSEnycvWypJ4EWy6BGzAfBgNVHSMEGDAWgBTuMPqLyxCIoWCPW6KlN2Wp\nlDDMwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAkuj7FFcuiuadDbXFcxDH5oqlnbAA\nj5TV4Wu3Ley8E6wCIQDSuFTE4JoFufe9XFfoXDOzCJAf2w85dFhxUHuNRMZVzA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUdaigYWIAzR8whsDaThlQv2HeYDkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJZO5RN0jYGpiX2/+Ks4u/Xwxlov+i9txmqfAxUX+gdB\nG1Am57dzjuiX4yAUaCORudz11WVvJGhNsJFJmBYbiTCjdTBzMB0GA1UdDgQWBBQA\n1ILMvbpLtva6996xEsyHKuoZSzAfBgNVHSMEGDAWgBSUc2pRrnqdgL5LZYQ/TLn2\n+1HtCzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEAnYRozVKOL0kwPvr01mbTrfs5pDjW\nbJzp4/5Y6fisZnACIGF+sMjKxxJ3tpfpyVF7Mj2ySiH5hupd0oe5QjUwK60v\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUbRf8U8jhtc1j8NNwZeIhImys6ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2VhDWjJvKS2LeLHHE+XB57DuGnNgyv1p5Gs4Y\nck4vGl82+W2igHlDN2/LEDfkKJ1XnQHe7ms8esCIsputksuPo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknhtzmndgMVxv1YLXO41giHAp8IwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHLpv2PlXbNmVfFaACD8YIZaO9Gf\n1S0eaOQub5wKRLWbAiEAqzuZt0QP3qpeeMQali9SLXtRMu6YH5tx6eZ2SLVSPxs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUW1v8tQPgIB7VSnG/hFQ9yY07tOIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYnsXjaf9PQ/abIhHPKKrYYCjzuR8JV+0jjAGi\nmhryDMhu28nG8PQW0qxdwhPTL23nkcjuHnboVuVpSKLNvbAco3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaZe6jWEsksuEHOIsSSP726Gi/qIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBNunlVyd/j2jVFDuKPy9YnpD10v\nnzmhrVoOBzzRSDFvAiAVvbzsN13/0sPWQ/WzVf0I2fN4E7tX8BDTUboRte3wEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUVTBQQAG8nle5/r9Z3y+yGORGwb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP+J613J/34OAAdLq+Eh2+uytOcSisz1aXsPJ1UPD7C\nLcfJS1ot64WqPy4EZjRl2Y6zo2mGRDwqImsUD2xLj2CjdTBzMB0GA1UdDgQWBBQa\nZa+Y9F4OM7Lr517fsTDoCdNqRzAfBgNVHSMEGDAWgBSSeG3Oad2AxXG/Vgtc7jWC\nIcCnwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAyCagKVlsbS1ChQNA+La9Qr2y+IrIB\nwlGYpksgnkO4kQIgbsZx8gvsVuju8FU3E1LApSNQeJOe0/OIcSfU3KZbhyc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUG86Oqcz/w9BNf4yUls4shqGUdekwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMpROIa0jCmF/T4ve0vtkK4x0LkvhdsqMxoB1VQSIMIf\nKmMmv9sPRL8BLUbAiCksSG9NiZCQQ58SKmEpETaXJ5KjdTBzMB0GA1UdDgQWBBQc\nwrNayiXCRvDxqKoB5WPtKaTLmjAfBgNVHSMEGDAWgBRpl7qNYSySy4Qc4ixJI/vb\noaL+ojALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEArhFjPzp1zLmleROuXgouYeG9TDh8\ni0cemO+dDzykVmACIFSMr4At7qSM2ssJYMEj6rQa6f36m7KjQFZw94+R1LSj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVv98Y4ytxBQigNuQOil6px2D+FMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB4SReVF8FaRzGa5KWk+JBnt6ZAkGquIpVjhfC\nuqE12RKtkqYJCMDq6g8BK2LwjRxZ7eBwAfV3avT0cHhfobb1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg10WlG6754eoU9A+TRKlhZ5YksIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOqCSasz3gn7e33u\niAKtlkw/cZYEAKKBQBWEAQ4dzjwqAiAmaO/NXwSgm3PjzOANUwp98NLXOnHaayRt\n9rXCDOYJIA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK/TedXZgSpoZ+wyh20Ew7Ez4k48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBoLg/jr42d98dGLmqY1vJXe03ED/BqGsJsZzy\n9y2GpRpdQ1s6yWBtbooLlTLqtnduVjs0NgFqDvkLxHz6uabPo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKmbO9i+xvUbKAX9L+RppFek3UDUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIyyMm0GVRmvhCB5\nMpnMWIi9pm/xJhRydZm9fHKRKBHkAiBg/LqDfY+Hm9GM5H6N32MOXX7fiLb2jrYC\n9rxqMHop4w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUbR5Sh0kZKWZ4qKDFy37zXOCQBMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMTDp2OaboNpvObK9XjyOK0KKMx+UL8w+sapwVUIto7vtHiXx\nJJOgUtM3rG+L7EIjQdhdOp2CoAy8YcgybyGTMKOBhjCBgzAdBgNVHQ4EFgQUZRtY\niw1SwdmpqKpT8k3SxaAgtwIwHwYDVR0jBBgwFoAUg10WlG6754eoU9A+TRKlhZ5Y\nksIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIDzJvcSqQacZ\nkkUHpC/oiVq4wh0YcaSBNrC0oHuHzoDNAiEApG5tj++3W9BIGJDOY7MkEh5zUgfF\nAjWbqXt/7Osj4nM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV2gAwIBAgIUHpcVZhj2isPjKli7NPsuY2Zg7SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEfyguBOc/S+pF/iiQ2LTXmkGGdDQlbGu55sJHLle9jYvN1g1X\ndZspFy74F3K+Ls36rzYmhCXLenRhX5DNICTnrKOBhjCBgzAdBgNVHQ4EFgQUApsT\nDKMi/tm4iVb1YoPqnYwHaD4wHwYDVR0jBBgwFoAUKmbO9i+xvUbKAX9L+RppFek3\nUDUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCnRsbhGqoS\nySIAumw8VSz1VPjUBgsXzRNQOJ3xDke4AwIhAPloI4XdJqJcg+rcoeT5K29u18Hq\nWaAU4A2KQfBi/lZX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUNESjZkpqzDz7KMW7h9bKoJ2NZzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNSpZT9Ekiw23L/MDdCuDag2ntYFmN+DzTnMGb\njeXSHyZaaduq9GPeCHmSHd985Nh3JMLmL2NHZSZHx2eBfW53o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7ONeirkVP85Qhc89o8ggWBsi1TIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgTXMyW7QCCebAClJ8\ndbAfWSAHESghg+8QR163WNgiJGgCIEkiKxLYgA53iVIm5L/zruRkFbQa2w7uFUf9\nd1bvtnbC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIULwz3pJhbvkj9B93f+F8aAn2gl1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy6+b45Ps95f+pKu6xcKOd1AX4UJbrlj1Ln8B6\n8CYLgCj/ZTyzaClWVINnPiwAn5O/UANGejFT4q9m2PGid0iUo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmQo6z6a/oYlORb35QJBsNbXfWGcwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALEJWmkoTxaxJiyd\nDniKbElWj4zotU46z9wXisu2LfdwAiB1TiEwtSFfJpWEFHItbFM5GuPmGydXP2Vn\nXSrYPfxN3A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUUxD+OV9klYiuMzzwino1MfzRI+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQTngZVLnBK8osB7wu3kwdHJ5Vc9xHtTAoCcJUB90A5U40ZZbuLCKUl\nJ1Z1LbXuZRYK4NNB5ccXPnSM5H4kHsD3o4GBMH8wHQYDVR0OBBYEFGko4dglNAvh\n/tyNy+YfYdCucHIKMB8GA1UdIwQYMBaAFOzjXoq5FT/OUIXPPaPIIFgbItUyMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDwlWTShaF8m25D7U4Np4FO\natBUAZKrQW51J4s1LLDojwIhANXAXivLGr9C2+r+Svv+5JDeAGqL22MygTkHLEq8\ng9j8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUF15bP9J34D3uwxLleT7Jrecc+RQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQ3RqKp+2gt7unVbLYzLGhAELQzZ7GLQIqvLVWQ+Q6DTZHNbuy9sSyJ\n0gfcIZvJeRZ2A5J6sJjDC325ga3U3jRUo4GBMH8wHQYDVR0OBBYEFHa7L/d0bq7o\nbCj77jM+kbQTFcGcMB8GA1UdIwQYMBaAFJkKOs+mv6GJTkW9+UCQbDW131hnMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQCvJGmHjGnZ3ioQWbYBmEbR\nTesqVE6uh6glNkTccuEBmgIgCAZJEPeIIOokPj/YUqtbkzdiuPy71kZ3F70lUzuE\nMI8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUFBXazDOsZtDi5mWZR1I6zrolqf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLnqd/E83N9QuZ/Zyhl/Z0LBqsH2TqTzILkoxk\nk3ECFVtJdM9q1YRlMwOa/motEkXCTrgvR81To1Qn+akfaZiQo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUUa0Tq6HtWD3VxFDyi8S7NJ+7Y8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgECVFlKAiCHToMtdo\nIMmpLFv4WF2Pp5C0iHsi9+jwSw4CIEMrxtcCQ3sDu15Y6jc4w1UhRDOftNwXaYuS\nsrhsJkXB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAWz1kg7UfgtW1pKSa6NrRA4j/44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpSejXl/Re62CgYYSvot8NH18NIvmKW4WQ1xnM\nvuZheyGvIZ+FGxmYEwKq41meh+O8g/Q6MvX+Y6KzlM8gTqVMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsTlQ50141axRp0O6Nq04q74mkN8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJRHSb6YzPFKMhqb\nCMDlDvVBB6EbR2U2/+VE74gD6DmYAiAuMPmhpidtD/u0CEFPAl2JAdtkCEAJS76Z\nHP5ZSetwyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURLuOxUr8D3tTxDRpGb3Opcy8QcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQzOk/35lIXblddlK1/+Kuq66MBjyGOFmxU6bBkGdTLdjtfdGDb4mPh\nF1B9uIhzt+FeUPt84ZTGjPFR99s+kmGLo4GBMH8wHQYDVR0OBBYEFCqdbozEypYL\n114nlFSkzgXUHyHLMB8GA1UdIwQYMBaAFFFGtE6uh7Vg91cRQ8ovEuzSfu2PMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIFwEFzOd/z+7/C8tYqbLSWJB\nSWpNoAhkL39RYG4NzhMpAiEAuy2K+dhtR0N+KlR8WKo3g8v9G9SpHaNoZDjvCgbV\nr8I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa1Jj/fjzxPlPga9NDDhbkvC5GxMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAT+WEH/mEMt7+fyR4DTWGVQkAHMqBTvCd0dvzXGMym81mY2tbBJ3sHT\ne2rAIXynWZRV80BPezVKj01qMCILocEHo4GBMH8wHQYDVR0OBBYEFD0gxsG9ncSw\nCaMErrnRjroh3AIpMB8GA1UdIwQYMBaAFLE5UOdNeNWsUadDujatOKu+JpDfMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIEoi2ZlV/tTgDobEGA/nEQxa\n7JVvj0jCJuZHfAdsEQQPAiB6SAbFGSGlqIXy9nIDsV/etn1l7DfvaGVhuPTvCxVj\nZw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUCEhly4ESRdU6W2drKiQK5IGBu4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWw2m6uTxN9XN7eXNbE7oghr06gD+Ntp0AVeZS\nLcvcinmE/i5U9TM8RWgt69/ptVUr2Fj2TRnEwTPmGsS7Z/k5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs1TXAtxSEOiWOeViqEzR/2qN4IowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALJznOwIRtLmnRGP\nVo4pXpaYJxeD1dz4Vr1s07iv2hdQAiEAz1PDFhLM1kUBJ5En9vzuKz5iMI24F/gC\nJvBY9ppcp5M=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUCwq+7m3JqhXPhKyFFn5LQckEDpMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjI8QVofspvlXMzrXtJscelKQDQ7zlie0rzmsP\nen3TG+ieD5473BGcx/Q6yOPlRPxwMuPxzMfZp+mDoTYE1DPZo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8vujwM+R8oEMm+du9IuWjUtvTmswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgJNoWlIncPZA7uGqV\nvTJK2LbmTh9sueCQ/Rf4Y0rhrkgCIA7vdxPCSMutAQp6JUPLuKAfLJM4CiTSCrco\nrdXxf7Dn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUfFsbeOtusXSqDP4hB3qWI/yhYPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEVGmeAlFDqBC/y3ZjlM9Ffj/XLvEEuQskAvAeqPAMr3OXSBQ8\nuzFMs0xdnqLx7VS0oaF5FXewu8aXdc0evbObI6OBgTB/MB0GA1UdDgQWBBTL7p2s\nkYrgM2CNOqUjEb5wqadwjjAfBgNVHSMEGDAWgBSzVNcC3FIQ6JY55WKoTNH/ao3g\nijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiB8loqJ4wH18h8JLJrY\nU7toFG/2aFvAGi+eQzN6dgcxfAIhAMTcu9OBRn9Hd+wFxhe5zfBoWUon9bPAcein\ne2TxLvfw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUEpTHQoz/+oK5uyZsWt0/Ea9FEXUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE61h+olrx0wxxwZR/gD3V44HFQLvIY1+sI1jUsPCgBTywr7zw\nTmAnrhB8UorHch4Pv2pD9vHPpZkxrKwo8h90MaOBgTB/MB0GA1UdDgQWBBSNC3wv\n/SAja8sqIOR8Z/65E1boeTAfBgNVHSMEGDAWgBTy+6PAz5HygQyb5270i5aNS29O\nazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEA6R5tFGf5emL3l5sQ\n+/wvysz2EEp0UBiqHikHu420TT4CIQC9duXYtNa/5w0gFszX3/cbNO0z7Q7CzXeg\nOyo0yVkAWA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUHGX52aF+5Fz/srYk+toKkePV12UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREad7rXEmrxUelXjyRoQgmfKFz1BobmXm5rVUk\nsZfHBEXVcCmJLscGhDo6lL0HZdDuy9DYrOhyp4OO2wdYj0Mlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU86VyrAxZ7XOy8iEJ8zU4Qmt4DnAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAP2yRErDUEF97B77\nT0HjX+j7KHP+rupVu84jnQFxDF4aAiBoWvZ9iQG9wnYqPkTppnqlXvIOXSJ+k9AY\nBBpXIGpQeg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUFVuNDkj/5/g6vUfOIGDSr+zbX4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLXiCxJOEJf3lMMLP+fOGwwcyLDyhA2KVEkESI\niN99gDDcL9/z0Z5/EUfSCOjD3QdZDwhexiZRSa/Bls5ztniCo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3h06gn0PQ6tP7cuC9cPMUtx2rRcwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANXVwO0OmcDtUTFj\nq5+ufc9hs6V7OhJa3TgYb9HbskkaAiEAw9iZqN0ShoMBBIDlCA+T59Su/GleaQh9\nwFP90pYIRM8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSQoe1u5Vk7lcQCXINjxYRpo+gF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASV52DIEVKbcsgw/1GJGJfk8Zcwre9RSvAswnyK66e+sbrQ/UmfqLdC\nhOTXF5vEOiK6oZ2VTvju2yRYKkzlHObjo4GGMIGDMB0GA1UdDgQWBBRJjF3Stcw8\nonfQlSw0xoU8ZbUcBzAfBgNVHSMEGDAWgBTzpXKsDFntc7LyIQnzNThCa3gOcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgB2OzDjDg/otSxlK6\n5E7RY3SLz00Uq5/MQbfBbrGlNGACICYojWPsKyMmjaHoEgHSN54VerBmPuC53fz7\njnxwUDhK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUMLnrQ5nSjscPv8VKL3NI4oyF2lYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATS/Qt12UUpZK9bSghlYVbMksnNQ/K5JG4MjXiYUUI1W+ffydWOhiWC\nHpKnOjYtx8y+3ZWynR6S5CdW5eoSbJvYo4GGMIGDMB0GA1UdDgQWBBRVH/Z8NMWM\n0+OhcJBxggRWHGynbzAfBgNVHSMEGDAWgBTeHTqCfQ9Dq0/ty4L1w8xS3HatFzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOIset0MyaLlRPft\ni3QQHq80qJXAT8wS/EOb0rRk/bDQAiEA1zD7nld3I/Hc7xPtssmB1mZCiXLzt6qp\nCWN42DlOFbQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUNiJ1bBkOCHQRsMZnl39q2jBtGDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLq9w5iLa7ED5+ZgkKM+qSjY8302o4LeVIDTvi\nRWgUFyDVYZzW/DvvgARhP0vdPsdARRxTsaHT5X0JZe3f48vHo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFG0qAytaB34LxpBL/yemEZ0fbVg+MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAxQzoC4wGVm5II8hRp\nB70FUGOVTmT0/w272U27pZg+gQIhAKLBC9//wlb34GQI8yO3LTXQvKLFFPxqdZXt\ntfYFJX1D\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUPsGJcXj9bQxrGt+tgj709FdAAy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASX3/hC9MYOROO9EJVOPDxSUboudpOJHBB5Q953\n2A67IoZcpeJaXXTgYp3hjMB8pS1jLFt/y4mItzb0LTrcA9Oqo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJ4bUoI4IpNAC/PL8FDTp28FAqi7MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAohtl0Wu4zZ5OennF\n6s5TV1PlfASYNGL/XbL2HVfPMV8CIDXMvqL9n+2OPcxbmD8rvmQGN0s66RJxSRHO\n+xoVqr0K\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUJJfkAWG5D2ozePJSQ0h3/YFQiWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzeyS5RROXyL0P5Fb5kyD1Fogwa4J6Yop48Efw\nKLWdBEtQklSK7uq+f4wfxydVQsIkiK65g9AYXbCUcdF9MGqco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUbSoDK1oHfgvGkEv/J6YRnR9tWD4wHQYDVR0OBBYEFDqM\nQLk+nrW3gpQHTbHyrGKVPv6GMAoGCCqGSM49BAMCA0cAMEQCIEZ5GNcKQBeSn64J\n3akgjN2oZKmhIZL2EllqkD0zhIsVAiAMXBAkr722MC8SgdNaqHZrKTPcCK2CghEY\nCQ3lpbDdUQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUVmEu7yloIm4eKCEVvGq9WKhNA5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcspzzPu29LPYCNBqW+2QyjBVHykt4koRbDSD4\nw+GoV3zwVGk3KMFp3Kp6w8G4tZmglHlXeiwcS+ISxcmJxd+Io3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUnhtSgjgik0AL88vwUNOnbwUCqLswHQYDVR0OBBYEFKhX\nOB2MOvoCLfv4g8yGZR0bXAARMAoGCCqGSM49BAMCA0cAMEQCIF5vP0ObLtW7J1dC\nNBvjKYT4NzD1uMYXiS/Y4oozFHXpAiATGC3L6tBIBPLjLaYm82vxp+B24jHlHC9f\nH8GRaUcNcw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUBXYmU6/Q+JYcupIrBeS+qIPOvPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEfBgxSQ0SRMSu9VpOhviSIwGyV+litTHkJksBeG/5pS\nc0dNZN2x0iz8xEGec0nrPUq1t6Ur7JxXh8rnrtzxoSOjfDB6MB0GA1UdDgQWBBRH\nQZe9Hc6M6WBycaaXxvPJf0mmlTAfBgNVHSMEGDAWgBQ6jEC5Pp61t4KUB02x8qxi\nlT7+hjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDrHtyZMcnwE/IUf+0I\nnbUp/IPJtVPmrIBuy4sJaN+KAiEAmDzbR6fXmZiJdq134miT2DwQI5bwbcaTB1QY\n3Lz5wcE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHnsJJBlIxz/DhbgtsKH9gwFosNgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ6PpS11QLWBx5aWD3deCS3RZu52vGEv1L8w7A1rxm0P\nt9GubvjdIEywwI/AzMFM6s4aovHvXIUAlQoowJ8tfeajfDB6MB0GA1UdDgQWBBRJ\nt0dUKdzWaWjrJCbfrgVfRd/sVTAfBgNVHSMEGDAWgBSoVzgdjDr6Ai37+IPMhmUd\nG1wAETALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgGkhR3+WlaMDar3BLXThX\nxDura7MiqlEO3IOsEg4xN3ICIQC0I5cE5JrCOSAr4Rm7cKGhfm99CWPdNKeZiZzN\nL/3aaA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUORHkweURVwBnwmQqKZ5CE1UQ7R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpTbSXg8FAusF6cUIGiLTbOv1rG7niAfAoNuMy\n3IOHDhVINEU7NKxhCmHVI3fUMgNgXtJYGYKrCT8TCCmhM/DXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF8XDAlcVaMEOmeFKT0VlThQ\nAwUJE5jIbUGs8aGp2TLbAiEAkolbBJ0w5ctZ3dBlG1rGY9l8aR8H77yMg3LQpxhS\nFBc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUfY7+G1vGMjHaqh81FG9hWlyBpyMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5i4vNcwDQn3rLLGph+MIEMP/rHRyfeCrs27GQ\n4ukMZ8Bcl2xahQGNB+ScgR8r8i5K8wyEFO7Kq6asLPHJkwNoo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUln/gJpXvj3bEgi8zBblPeTFUEWcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGRYw/ppg5qu6xuiuJlwIvXL\nFOU7gnDjNeGKxRp8I79GAiBaddR1xlIBU6ewnoQm73C86aBxRvDDDeEk/9nUvXUX\ntQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWN9wCPWSuxR12tWvmslezWiulN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQU54KPrMeDZh+NKExJ5bEi2+jxM+dYmnxHTmlA\nRj6cVPsccTCR2/vZ4b0WZNBTt43iP0zkaFoC10fNJjoD+zvNo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0OBBYEFNoh\nNnobouVyJbPjeN2xRzNXlt4IMAoGCCqGSM49BAMCA0gAMEUCIQC3tFCRmZI6GTsY\n8Ze1+85eSnpEtVevkaY+qjuoFhzk5AIgZEpaULj441Uy9+RyPGkEXCRUKFo0BDyb\nXpLIzXO99t8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUEE5r638rov9g3aclLQ1kGKFsFo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKgYezxXZbuZyKwNZeomoMmqMcz9ILkri46luo\nWe4Fp4Hx7aXi81y7vvizrVA2xXFoOnXLxEzhc96v60YA70w1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUln/gJpXvj3bEgi8zBblPeTFUEWcwHQYDVR0OBBYEFKZo\no1nioYTPfYPNGujXzhevZEpnMAoGCCqGSM49BAMCA0cAMEQCICneJutWhNMZUdpS\nEJViNOAyxCS7OF3H6gAjIdIyg5fYAiBaVfF8ryU7ZuIrcVkFHx1dCf6DkDSXDUi/\njGkOfGEPcA==\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV+gAwIBAgIUUOQq0i55B0gWBt4gORFDxdigregwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4eBJ5hNcAao93RFSMPmvtlNlTjIDhAjg+buyo\n3ZoHlfZQsCpabitbhuA7Mx8IXEFF45I9H4zPDKsrCUCPqbf9o4GAMH4wHQYDVR0O\nBBYEFDLsStQb8DnM/SbPgs3hMClTOOpdMB8GA1UdIwQYMBaAFNohNnobouVyJbPj\neN2xRzNXlt4IMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSavc6dma\na1Q0yhMl2FcVPa6tahD4BwCBd8v9orfahq0CICyHZqewZuQqzj96LgunU1CILF4w\nw1xtA1L/F7sSZUST\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAV+gAwIBAgIUQiUfqf/AU6YtI2QwCnJV1y9Rsn8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpYN+s9WP5uXuUwMtIVzJThQPmzeaqTpFgr1Y8\nhr88icL9UybORDRHOHoNEtriuRHt7FHRzGJzcxsg3wSv6DyVo4GAMH4wHQYDVR0O\nBBYEFLKmae/h7OWTyfif72DcShYdz4QDMB8GA1UdIwQYMBaAFKZoo1nioYTPfYPN\nGujXzhevZEpnMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJTA/8WL\nN71acc9aXN3rGh5ceXQuKu/toQoC6t1lUowSAiEAhDM1pPPFjnwOnPeb6xltAuSF\ng7Q/Z5syrIEwyazjc9E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUbkYpoe0BPTaOYK1EsUhNEEwVWdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoL/ia1jhCOxMwM54MLeB5KIttJAsvufB822Tq\n6mJGWnkNaR/hcXwzcHCjEOgJ7tuQaEqr6+sKleCTnC13M4sLo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYeC1/XhnkDRyqAxZzA7RqtGzc2DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA4/mKTZ89FoCYnLfSPijQ5fkJDTWw25mPkAtUHPuQWAwIgJz1tlnq/IqKZJZ8u\nw6XvoZy2ZPWgzwhgAdNVdmJBzGU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUDlvEsbiBrfy29+lQ65+juqqR37EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASg3h0lxsYRQGwj/b8nwjliyRv4wE+0X8XckXIR\n3aSsBNctjw4qQ8E0/BSCo8aMsk6CjEJmdC3bwSvIxV3eNiDMo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSRsJTedcwlXAh+4PYY+/vH3uAiKjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAzbhELspSYfaEBFoWP9LY0umUi2vtfqWr+Oul0AKeu2gCIQCgW7kHjVb6e/km\nFtP4aoyTkf55o2PomhjSpvA+umsRPg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX5pD2+HC3Spav6xM4x7nBCmAyrwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXCwOcfcQhRXV9o+1SMO7GKLH9EI0bcKD6knc4Rv9PL\nXm57AVd3OLHumGlLv8paqOrqaMl/ijqmYLRc6eAB2FajfDB6MB0GA1UdDgQWBBQb\nXwEGaI+JMR6FpcolybgHS9pt8TAfBgNVHSMEGDAWgBSYeC1/XhnkDRyqAxZzA7Rq\ntGzc2DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN91ldSQnSbEmqwY6eri2\nWiYKz/+eqkHSMwFAUkg8eg8CIQD1k0Ez7rvh2l9BPmCi6+KRJxAYeeeQZuyOL5tL\n7XX0AA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUN+P4FNKaXjNd+5nXHRg6pvUJN1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsnINHKF6KuxedRJr2w41YnsKLstNVyFaDkSuAZ8eOi\nu2NzjfEOu3zPcDs69PNlcxgvXjfVfWvY52ADU/07VaajfDB6MB0GA1UdDgQWBBQI\n0ei8qJLM2vvHrbunCbnMtAHsADAfBgNVHSMEGDAWgBSRsJTedcwlXAh+4PYY+/vH\n3uAiKjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIo1wGPzGN53tyU38J8O\nsYxUVS54enD5WpVn+AQcGtk0AiEAzAt1J5JWTSbvqgssL1zSqaRhq21opHYw4wPt\noRet9bc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSEKvCLyXevWhLJBJCi+Zc+OAMC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATy+HexOz1PFdbojNgCZOsOJ8Y7ZBGBQrWycAqs\ny8/LF5d1YB9uMDweu8kksvAZQSCnZnBg9JJkIAA2uZIRh7W4o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobd8RTycyA4ynZEerlz7LvXgMrQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC8vSx6+y4yQ0pPNjeStWqBnB3b\n4YcCW3QtKXO6/vuc+QIhAK23lNfZ7kRhmiwTKgp1RocoOj4FpV4gteNE5ZNaxMKu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUYdTC+ZK1jZIFGIPasKmqWNedJQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/QY8L+wmnnBkoJazL6Zaawo422Kho0+cARvOL\nzaiVviEmO1bqo8x3HWZCcnP5XCk9MFI3KzC9AR1dBXi69kSYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIFKEEC547ek/WrtYhTTIYwvU9S4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHBYbaODOyO070/n0TWAQoPKribI\nC7j1V1ogRkGlwO+IAiEAtzDASDXDG3ZCw85du73Oaa3c41Oo+zZEgl24h2TlzTc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUXV58i4cBLaQDYqk4gxMXzTBQRPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF1fRCwTopzeD9SngHRLMoSBkzItmsiPj5bbGSgFUnXt\nkYBeY48i0Wbf41U3BiusP4ZcFzs0OA4TpI6sKEisSDOjfDB6MB0GA1UdDgQWBBQV\nZbw/6pJ6Szg/+Cs4A7HwKckf1zAfBgNVHSMEGDAWgBSht3xFPJzIDjKdkR6uXPsu\n9eAytDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBY6N/2oEAIONV0FLm23E\nXT7Qp7ZoGU6XxY5SEhzindMCIAIlZzcacjRHStK6k4T3ZsVSIwA2pcpaa70WkCrd\nDGNR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUboOQN2h4e7ciCMMPSRMvWydwD7kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKq90XDiWOE9g2t16A3VcAC/xNRQt+g/tJpqg4MnHvop\nwibr4Y/T4b5zlJhp10601OfOQhwEakKHBGz2nWXsXDejfDB6MB0GA1UdDgQWBBTm\nS4n5GooSNNs6oTnIUzXYdYjJODAfBgNVHSMEGDAWgBQgUoQQLnjt6T9au1iFNMhj\nC9T1LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgAu+13yMEmWRnZ/ereVTM\nV99IoCzXGJG8er6hVJg1k2QCIQC5h0N7KyI1HAe1Ju3loroIXEU+jz/wgLd0jfJy\nh0r06Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDGxL/0EcbW0tE86+rQHtaUf4rDUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiO6JTak7oLpiLc5gv/cPr7c4myiBl+eBbGyVM\nC8m3rDlSQnGy/pUNatUnhAAqCYr4qjmLM8xyL4a7qRwf/nNDo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1MW8Vv4WLejYi3BZU8GXXY2ygswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBcP5H6UQ75kmXlCKSi0+\n/g/0YyyVKxX5UYGWVlN37GsCIQCzE8JSuo5EzAykYjci+JLjdbEr8Tj9TzarSVqS\nqwUDNg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUZ/T466+NfkPyheoYz66y2Yc+LHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0edf44WhaVRX0tWCNGQj5myvc/6yvTZfKTcUj\ndjuTSwkiX39s4ZF8Fpqlr/CvKp/ndLvVTp3dRohWVYYjQ7TZo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpY/aK+C7M/7Vp26aMYj45J/NLHIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaWe2zzVgVObxEhCv/9Ly\n9p9njcL7aTv6lsitV3rP1N0CIHAkoxGIEXWVXpe0n8Ccow+aWIACEEbrB6CQKwxM\nsIpk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAxRA/uE+uO1e++Ur0zAQWYfrcIcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdqwvYVkMSdXSSnutBtVD+RxYZFllY+hJvZLxxFXn8y\n0jfXWpl4oOhkmRikrzOjl9Y/k1DH0tHpNIhSRHQADEijgYAwfjAdBgNVHQ4EFgQU\nvwbc+aeC4z90B10gmaZmiLZgFuQwHwYDVR0jBBgwFoAUU1MW8Vv4WLejYi3BZU8G\nXXY2ygswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/kzKt7xAzkNeS\n4ViNfg9Omdkk/ucBlaCkJuLjG/jNJQIgQS7rCUSYQNqWjFfl9TwMexI9lSti5I29\n8Jtv6geAnUQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTQmJBA4MPag4phObv8e4H+8JqMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL1WwZh3rs/d8hFhvVqFl4Ma80m6AiaKI2/9zcASdM/o\nIf3T5sePVN+GnAH2waQiC5WllQDOEXAV+HB2yfEnmEmjgYAwfjAdBgNVHQ4EFgQU\nYmSidEeXrYx4MCVAm0h+NRiXGPUwHwYDVR0jBBgwFoAUpY/aK+C7M/7Vp26aMYj4\n5J/NLHIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwsJgKsDLcXDWE\na3i5Mu2qYWK4lcVDKAFCNkLozU9pHQIhAJ0s3MSAk1talSOP2U7Sf4syWGOzW6cS\nXi7OLTsFl3lf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMizJKjrF0w+9M4cerJClHoun59swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj1L1/2KoCrJ/bc5y53gtl2xduSvQuNMHv/PiY\nHI6IMRWpK5c+oivoh0weOgdskfw4rbZngNk2F6nlt0k3QMU8o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrDcAUiEANnpMuqigwXRRkUCxt8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAMlHI1LHGXdAltbfItFPBUSyuChb+Fr0\nxg65L0gIAdteAiEAsqioSpGqgcRWFkwhQfvBJ6X8ER0+xT4cxtXnNUZrFjw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUXwdQweanU3o9Wz3OjFvoYMGJx54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx0/UxPKcwz4SZ//f1xaZ5+ozoNbpj00WFJLS/\nENoAqZ7EyP7Q/ZrFp0YXW61pn5SRnAEW0rMiii6MR+ngJZlso28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUc9WSDzWyHchajRxTqdnHhgYVQZUwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgMBct7qMUS33HBADCp1pBEYU/PH8TM5Kw\nfHEm4DOnYdsCIDP52BpS6gTqtVwk9IeepV/esrDvoIlxytXiVl2hXLYw\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUfCO0lQHH8ALR/B8ewXx5OC+wJGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJL3Nx/cj+ngSMEIQqRGrpBW2xElrejW8FbfnX1hnQ4L\nRayaQLiq96Ikv0rRQL5NBRdWnxZwMTWEDFsw44tRdUyjdTBzMB0GA1UdDgQWBBSh\napyQB4K2FqZp3YfVEVLfrTO7TTAfBgNVHSMEGDAWgBResNwBSIQA2eky6qKDBdFG\nRQLG3zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiEAtYKYluoLYfAjctfwg5Ixw4eXSKUP\nT79ANGWaLCC2870CHy0Ys1SEYWnTD4tzf6jyVDDbjSbl99L9Ofg1m6FIWHs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUMRQ61v9YxlEwVmsXhHKg/TN6JkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNq0xDK88v/dPTMEV7LctegQIKIJn8GugRmgOYW3Z3a1\nRvDwspUukTGwIn8A47p1VdHRryqpIm+FU6UjAMRxu2WjdTBzMB0GA1UdDgQWBBSU\nIY/49AiSu4Q8FDKlKwo2ZL3/MjAfBgNVHSMEGDAWgBRz1ZIPNbIdyFqNHFOp2ceG\nBhVBlTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAgz2faQaZkTrUowaClKvYS86G9m+p\nITkst09mKXDbh0gCIComhnmFUdy5gernv8gjDU1MQy0+9Su4nnFCS9m2RE2Q\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBY/7/TJand9QGWPHmx5DIiScgpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQO9Br/dPPi/rrCWMq2e3TLFrgSXVTo57pICX5c\n7UFO+wGMBmnLwNIx5lQkci4fWwJDyatEHSSejOgOxGBuDQTUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSRaeZOmEMigrEA1NyPJhYMXa6v8wCgYIKoZIzj0EAwIDRwAwRAIg\nNXq7kUrwKZ7ahfp7adq02Li/Ieo1xjrB2/MapA+9GesCICqXMJ0ajm7bARSEVZyr\n74iyhOPzsJp0xiwOqPYOReAx\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDbMQsKZSCuwZZJFaZd7fr4IFn34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC0zpjeolUIEG1gaERFaV6XTrFu3TeIaTL7IAE\noikJLnDRhgBLceOx6pQ10UKl83iJgCqEQFgBTsDaWtzq8CVEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt5BD26mvxZK5uMkqZ68jJnmHqv0wCgYIKoZIzj0EAwIDSAAwRQIg\nPQZvKBcVcaUig0SFDHA+LDtNfbATb8TP85h4XqIslDYCIQDiQbJOytBxYzvA7x6P\nbgkp9h/wqaH3XlbFQUBbxXeabw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUUUX2ik7HTIq7ZiHN3OtYyl9Bxu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAql/OzIonKJlRxqwzAit49SiK9YTyf1+sAPBQTCOjFh\n1TfdS2CMW4u50/FYOTneCN0Lg5na4Tl/PBdT4jURpA+jgaYwgaMwHQYDVR0OBBYE\nFBIir6eZzZ9fdMb3IxOiKrCVuu+fMB8GA1UdIwQYMBaAFEkWnmTphDIoKxANTcjy\nYWDF2ur/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCC1E6Dec/6o8wYrcbUvMYG1XS6\nCUVSAdslECRnVFg2cwIhAIPMepihmtxH64SKGBNQuzQgvBBtl3CI0cuNrQyoOVeb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUTY3KqKneGlanuarzDxScnOnodiEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE0KwEbiYiYJwfoUcASiC5YTq2MOq77n3boqWu3vopTL\nbmqQoCGiRlPByOTPWcee3b3FzhvKvaur2HXhcvsB7EejgaYwgaMwHQYDVR0OBBYE\nFMsoZN45Y75H1MKQ0FRTguh9B58LMB8GA1UdIwQYMBaAFLeQQ9upr8WSubjJKmev\nIyZ5h6r9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCvXo/5D2uGu3YFbj812H2UbOTK\nGjCifS4/WRN/FtCQdwIhAOhH6vEOjzjJRsPyYVymJ7HuSY0zACMYO871UVDDjKGv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaPTKWkDZ38e3dGNe2IbS/zp5YEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0oBthpDgMzWaqiOLLAetOJN2aXLYKt5bPdKuR\naQC8FHejQ/wTt+hsi9CtpVrvAcEavBN+LgcTFAvfMaE2/8MHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz+hbJp9EiMdbI+8HsPSUVTssgEowCgYIKoZIzj0EAwIDSAAwRQIh\nAKoYZFbr+DWnPpASYxYbT/9SExEZ9iEdeznkvocrdWDYAiBOn7I6nGF0QpmMUmFY\nXqM5Ob3DFdvp8O7TF3vbLIFtpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWNl/k28/0+Fx4jLVYA7/4kJtM/wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLXC9rzadM4XilVKKOu7JfWi9C4OtOP0fEcE5j\npQ9eIkHhFdDF/LHSL0ccJ1Mzm79ERJ8uWVqALO3LDgEFUbHqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjc8G7ecRxmLpFMudLI3pXkE2t7EwCgYIKoZIzj0EAwIDSAAwRQIh\nAPNHXw3bKibRjn4dPgipsGeSkV4u3eLu7l6qjcplvEGjAiAx8oc0gsJTMgQVWg7P\nj7JQYlO65wPTLxvJGXBjefd1Qw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUMZiCgA/md218q0b+4Fc9+WDyyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2zzucsf4utxNviFd58DTj46+ujPDICG/lnsUMFWak9\njZYdx1rOWjxjnYGu2pdq3nizkSWIjC6v8LzrQHiF5O2jgakwgaYwHQYDVR0OBBYE\nFP3nKSnAf3cXFLg8I0dFQ7q/6WFhMB8GA1UdIwQYMBaAFM/oWyafRIjHWyPvB7D0\nlFU7LIBKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUSJA5suqb7N8CwHJWn0AJ\n2dX8oq71a2PxBrMhSzp0RQIgSoK1ICMK4E/qLASdcxCsnjXRugSqOfjZckjMhN4j\nr10=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYSgAwIBAgIUdoaU1zJK8Ui4SgNnw6bj1Ua7daUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMVpdueqej0rFyEh2m9MdDit7p4BkUCx+rfGhUU60gDP\nmMBf1uYUnIfCPVzhG8GctdeUPfAbgnUiPlC7kKJBuFyjgakwgaYwHQYDVR0OBBYE\nFBjSsrKHBRUzJAR6imI4VWacs+ALMB8GA1UdIwQYMBaAFI3PBu3nEcZi6RTLnSyN\n6V5BNrexMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCHPzBlTwM7vBJKS2BH3e1d\nrpWp9aWuXFbvzAWDYicBVQIhAIV+Hdo10N6//ZljhVsgc3vnoAh6CX3JbNNcVf9m\npbiw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQq+pcHwZIXuISNO9p8Q9IojIQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbHJdseRhCKrB51VagduIOZYIPgAYd8a2upXsX\nkWqZ+/TOiv3c0pFRPUFguY8Om179q6H76Iz/BiJB0liMz+7Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiLPqP86dZ7/utt2aVUfKj69SycowCgYIKoZIzj0EAwIDRwAwRAIg\nEygEP1xdYYAbPTW5V6YWwOTTefNdB/cQ0YFae3pibTcCIFyvqyx711O+Fwwitzar\nd9lymzrnVf/DsxyDPCzvBoY4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUU7fVrJCBwi5cLProaUUU4/RdV4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgrf0ipPvp8pSl/FOJM/uw1GM5CLB5dLGwzZjX\nHyOQnpEuS3O38bRY0eyYICw12uoEkDuK55RpLC7alCucC5NXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUktBv4RZrQQdyi1DS9fGxveNb99EwCgYIKoZIzj0EAwIDRwAwRAIg\nZfUDoymmD+RsyjwiCaGtS8DNnhiwxoSsvd1iiMKwvXQCIB4CUFA3pFaX/EhvaY5T\n8kMR1g4lfdB4bG+9Ie/4XzI+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUbzsVmLavPrbL5lPoKTFoLD2MguAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwQRRvhNf\nmFaTgCXxgFCi6dio0bP+veBdN5+U167cxINA/82KvWUm1WWUrM6xCm4LH67n29mi\nFUqY1OAErPlHuKN8MHowHQYDVR0OBBYEFBJC+KbsPDjnCvWjOcpbue2V3pqBMB8G\nA1UdIwQYMBaAFIiz6j/OnWe/7rbdmlVHyo+vUsnKMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBumGihBjnavKvElAS+EtkeJkBJYx/X6IC6Ved8Ejo/JgIhAI5z\niGEGZBSvgwyB8tzli7KgWygKRGRVWkDF794+WW4m\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmTCCAUCgAwIBAgIUK+AGmyC9lcGAn2RDSZUHuP9WdPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETq+iQ/Oa\nMDvM04sAVjYFgXOMU1pZ1isz6MiOKKd0QzqBjmj2H1T3oHX3uvxUbxCcs1BOwMXG\nmqrgAysGiuEz26N8MHowHQYDVR0OBBYEFJCXrvV4wpQUTwa3G5sWE+4PmT5vMB8G\nA1UdIwQYMBaAFJLQb+EWa0EHcotQ0vXxsb3jW/fRMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiB5tOyqVGUEVZvcAm5+7fJIokVdlBo2Mt2KCes+h5nDHwIgGErF\nxtnWixSyYeDmmoKyA9CuujdVrVptkiu0+B5Kfog=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfh1acSHM5OLNfiw9lVCm05N6PWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST5YKKh299WyGEfxV7KjF7A8VD5DLpCpFKsm96\nG6PzihCTU6NXlPGxoHVHvDv0W+9lBrxLQD3IS6cwSt0Wrp/bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqgpzUt8eMZBXv0K/vlY68mfYET0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN1KxV5CRSOy3OdoBImslOJMUb+s0PmTuakcOiPYyr3cAiB2Ny9rZxyc5HbZurOq\n+P94O2/tpSuEu1J2xRNnMqDgmg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB+SpTWnUR/xSyfdaCz4c1QMqNeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARODakgmnaRTuKCSuriEZhy7s/K4vKV6KEH0knq\nxyoHvwY4ArmKVHe+v1p4eDgJY6ypdCCTIrq0BwTrz49w4kWMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhyt83Rh99kEymQ69wkXDxuID2ycwCgYIKoZIzj0EAwIDRwAwRAIg\nbN/w+l8YYo+NPvzx65iRmMecSdeguwBZdUmG7ep0ltYCIEB9ZvecGwA9d1fsgef8\nRJOfe9pZHwgTZtLyQ7nsPISy\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIWMd384V+U2g8Sj1qPcVEhT3DOOnkxhDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtnspHa+Thb93oINgsXwA8ePyC7CG0dy/oqyYtiD2\n9uheK/m7qU3kG0eOGjWIXrGoWECF0Vkq1mtew9/SDu/xtaN8MHowHQYDVR0OBBYE\nFI99kW+82PWUihbOHt9AR3khFIxUMB8GA1UdIwQYMBaAFKoKc1LfHjGQV79Cv75W\nOvJn2BE9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAx5wici1mJU3blled\n7BsK8bk3Vb1aZqvvr2cmtizwm+MCIQCl9l1EFv3knWILRt5fFNyem6f3WN8ChmlI\ndvn3ZljD0A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIXAI4bRE1f0hOG4a4m2HJ7XIKFt6xgxP8wCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoY\nDzI5NjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABG29ZzTyNUiwH9NVmbIjVv55jBH2+gOs+BIgifmh\nrtLB8g+/DuRS+/jFIOX7Esfrtgue20/d7fJ6mPa0oXKXh2+jfDB6MB0GA1UdDgQW\nBBQd0HVSnt/US3JqHv8SssfT0XfsaTAfBgNVHSMEGDAWgBSHK3zdGH32QTKZDr3C\nRcPG4gPbJzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANxQQ4Leb2HG3zRT\niMKgPWDafl6IHbXIqcwUrrHyI8OLAiEA2toHSnX6nJ3Rvju8rMzBLcGPgrBc/p38\n86mam7ZXGTM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOkYOfYCb9gWqw4pRgZNr+t3MV9UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK7c7Xy+qpDOdoJ/clJHrh1lT3gnwdnT2JwCVo\n+56E8MRm8UgU/DwOZRU6ZUnktXeVFIWiAYuI4imTEeQBWBhso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LmlT4nsFeuMTEK7AAoYU2dQdIwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKXRzTJzGnP/nq0JUTlhoa5mZ6f7b9D8fp7jGh1UmZrkAiAwHxIX7L5K+K79sVYO\nClbbolrpSHbNG+X8AbWd5FB08g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZkihGjjbdP3yMxGDBwPOqfbxiBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmBDYA8/ZP8/a/uGOsw/ZE78Hvc6aEqOZOsVbc\nBczP2kNfNSbd8UaozckILy9W1UF1iubYNSJJ7aCqKwilebQPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjKxOUACE2bYB0Ryrp6VellnStrIwCgYIKoZIzj0EAwIDRwAwRAIg\nAwjLgUY4euaKETX6I10mH/mhlvLTUMuXJKh3z1uaqEsCIG5LStJp957XKTxN2hzr\n6DKckLOkqMTPBdoAwK80PH1n\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE72RX\n9IIYMQvKJCkE13qUYw4FmlCHwWgPNeJCAjJeGkLYTpacqAYYrbHKpJNghxR+eT5Y\nVx1gKuAoXePVQEHJjKN8MHowHQYDVR0OBBYEFG2y9AHm6WsM5jLECjp0KsnSix5F\nMB8GA1UdIwQYMBaAFNC5pU+J7BXrjExCuwAKGFNnUHSMMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBN989SSYyk4nuHm1Z/9FfoUh3hMrRSG9X1UPBEYmZjAQIh\nAPB4/+d2evQM93xc4W5vS5erydHApt3ue9yyd42rxlrS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERpHW\ndLxG59buWN3mTBirFbYaD2iU9aUAFtvLGaUG2t/oA6aF8LBi6ho7j7l6LNu15Nlf\nwtDeElRYnwgA6NM9p6N8MHowHQYDVR0OBBYEFCohEYz+UPVXoqPs3ALO67c5CrBU\nMB8GA1UdIwQYMBaAFIysTlAAhNm2AdEcq6elXpZZ0rayMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBOxq9dH9X4K29rnB/cMxyBx8m398THhgzfM/AXvyLSwAIh\nAMov4y3WBA9KJrBy5LYM0pR2Vv7UsuxMmfukoUXjYzNG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcZ+OeLvcrj3LOXaNqWA5LYK5euUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv9ng+zVkD465caNHnY3tVl3p7EKiq3U3aFawl\no68v68DFMQxtbxB4uR8EI7xtFPmXq+LxpR4VH5OxYY30qWt0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkbapRNk0uYT2RPTGkPXUbaWNKb8wCgYIKoZIzj0EAwIDSAAwRQIh\nAJwKnJfBcylmqcMP9vfkhpqnnCeJ6GyAwMSAV8EU5qCFAiBiecsKVtXq4vFplNnI\n5wbhBmMgvKTw0z7G8rnFxbMEJw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAktQrBtrxqKJVfkTRe3lHkNybWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDDSP7FbwokFl7KVDqNVLqPr/Cn4AqUh+aFVL3\nuwTIPZjHuW5JWF2bvmw4yw+VfqqYigcA937RL1Gk4An4fvumo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbwOR+vYPCcQVQjs41BKdcfjolfEwCgYIKoZIzj0EAwIDRwAwRAIg\nA/HEVXqR1e1LtVImJ+kmKZgcDEv46jfVzuwU2YwWuQsCIHACPAZuOyiw14m+8ajA\nJBW0g6Fi9/SfJ+nrMaiSsmtC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIUPFffShT9gwvsWRGRdJgzJPnxbsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGIkrg5CiSCwlsotdIs8h3XaUGEcql8tyJFZd2sk1rKh\nZNq31dTunM0hv24/cq4GowlSYv2PQhkdEMc+3QUwkMGjgZUwgZIwHQYDVR0OBBYE\nFFg94M1OLeKMiA5I5sgI85MvBhqfMB8GA1UdIwQYMBaAFJG2qUTZNLmE9kT0xpD1\n1G2ljSm/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAfgFoI+lf3MYq/nuGI8pZ7xul+/H9G8gmHqV6bbJ0C4gIgV/eD\nXFA++WOUaSD9y633OhlYcEoo48K+HOYdpUqp8FI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXCgAwIBAgIUSp6LZA2l5mxZXSt56pA18ceJzFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLg/UfMy+YFwStpXFFqvqD4pWkI7OYYzy9U8UjTue1so\n6/sD+MrIoEiYpZEGRWFwn7QS0Sg2dC+8QL0Th7H6hOyjgZUwgZIwHQYDVR0OBBYE\nFFoKnpbva3eo0ctlTliOhIj8cdrCMB8GA1UdIwQYMBaAFG8Dkfr2DwnEFUI7ONQS\nnXH46JXxMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEAi034OxeArYTikevM6pXBa7TDE/gZg1j4yO3QUCcj1uUCIQD3\nDnfz4PQ5AUXFpm45ql6Sva1U5m7L9QuygHCnBG/JoQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUw57ad6sElzkmrmODAF6vwgvemwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO8zkY+VgO/1oSsGwFu2JirkfVu2doiwWVAd8V\nzDyeHtGvSpY2Hxf6IX2FVc0D6DLGTpXMvAbeA4V0LcEo4OI6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxc3s7LW9Afw5MKI4e7Ex07t4od8wCgYIKoZIzj0EAwIDRwAwRAIg\nDrzMH5viQbDBUq/oCkjxZGCxJTf48fm0XTw4laWtDpsCIGB3FcQ9KsAg6RybbmL7\nHRrgbVvbkIhjeUTrdVRKrfD1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNf881tMu5ulnEd2Hs2fO0EyFaNEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSoQ0rsa4rQ+PaMjl8N01Y3/O+eb4vjA5fRQ6W\nWtuJw+lEvxEh/9h6lm2RqcHVQ3j0REA2GoRzFy+tweJcv81co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0/zrMR68PnYwE20qWEsyMbWOHCowCgYIKoZIzj0EAwIDSAAwRQIg\nM0nRDp5DzLqQGR1QdFffQg52EIhpL3cVh/bupPKoEuoCIQDFGbRQ3rS6rKLoXIJz\naQjcrxhvcdr4raV59Lj/TGfZ/Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUA/WIBMG+r3se2/e/UvNLx804GT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxQmtkbBR2K0h7T61IPNuCdAN763pGCWMupYO1BkwRi\nTCt46zacARKXd5SL7D2I/yOcFJP/vkojSULLgDzDVvOjbzBtMB0GA1UdDgQWBBS5\ng5k1e+coI9r3mwN9jvleJS/coDAfBgNVHSMEGDAWgBTFzezstb0B/Dkwojh7sTHT\nu3ih3zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9AUmnWbvCOO5jI6GhxvZYI75fk2xf5gXobPV\nH1dcU4UCIQDeHzcv7IdYZf53zCs6IR4JSBi2hCmukVDxPR0KdUsGbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUJUCgKFyVoO+/Ro27P8wg/eRUCjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPdthpJQ7e4UZPB1QIja3m0+Bidv8I3M0J0ZZL4l94YP\niKm/kaXdg1kyk9LQlHw2D1dsZYXYY5jhX322uLfSTtijbzBtMB0GA1UdDgQWBBTF\nAXXAHR829sgv57jBwIXJ1almPDAfBgNVHSMEGDAWgBTT/OsxHrw+djATbSpYSzIx\ntY4cKjATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAqdiapCysINQZAcDjPIYYVxtYKzd1u0ovmtqV\nhQZiQOcCIQC/DOHs+4+HI2sZ7nshqrfKiwNHx7qL2nxXB2KNN++A+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ+e5p2r38+FNW34nsw8j2cAOJFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXzSLUfiWMc1ADCXjhZx7JdZAnDi/ysxZXTm+i\nZ4YCMabtH6Qv2J5MPbCDTx7dQIC23nTrvdh0N6M0TIV5ZD6fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPK4zHF1KSFBqAWAjalgDFIQadgQwCgYIKoZIzj0EAwIDRwAwRAIg\neQyX7UC+rx1lyo5fKT0iKO3ARYWwgPbFJyexzOraZdoCIGAJsmU77hIwdcFe25LZ\n9fylp2hyFgU3RDQMZ5EUY5iV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDlu1WXdgtndQshW37lEQBovxLyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFYvMhOsL9mvD9VdeXWJ0E30AL4L9miohtOCf0\nr7KAcrNEXNQv4MJEX0hefeoxw/grUCbKXZRXsZdCBC7Qi2xMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7s6eXCIKpit6hhuGePbp/d2AzUwCgYIKoZIzj0EAwIDSAAwRQIg\nfMGpJF4p+RXgyL3OwGoKj88IuV2Gk6BoR5pN/4whlaACIQC9rL/DS1O7Nb4ejrxR\nU9fjGebdACcxUJiH4XAbraAepg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUML1XhuoYUHMajssJOCejZIQ0BG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNYT0z4LW71cgo+fmhu3mhuNljfc/jdEPWMSlNYJSSsi\nIZBk8kdnY59EgEA2Hr9RAtolCXq1eGwmjvzb1isJChejfDB6MB0GA1UdDgQWBBS2\nzu1PITCFLGilhR8pWSBGmWnMNzAfBgNVHSMEGDAWgBQ8rjMcXUpIUGoBYCNqWAMU\nhBp2BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOykbhTvymm0B/XwLN2p\n62O9nQ4AC5gcd7Xv6XPJ2NByAiBZwAhque10skTS9E48ICFMPSIfMl5nXrukJTGt\nLHKiwQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUBhGY2fldrII3x6o7rSA3qFF9nwwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSKgQKJSVaTF9AYnV1EHpAXOUcOYa0d84zWMNIrqpyo\nY7BuPaW0F9+JE4TYufwSo8eWzuS2jnUTObGef4d81RajfDB6MB0GA1UdDgQWBBTZ\nwWbya5/ha6BX6/TpnTIjaElLlTAfBgNVHSMEGDAWgBSfuzp5cIgqmK3qGG4Z49un\n93YDNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfauwEyK9cod0EQ+cOFvP\nanvTL6XmZXTWsRX4OXE+3EQCIQC4FRM6+3l/UZwb5ZythfNaTgJxW+1dmKnkHxwF\ndufZ2w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBIjoiao57gXzF4LlDOrrrMrapJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7fLOubQJL+7fmUg6cmEs6k+CuyEPKHtcH4Z5T\n8Ypa5q1QGA2qrgZXms0toFcZrvjyL5z/RMasjLL3p6m1sLe4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUXr8epvAatBNaWp/Y997QRxgFI0wCgYIKoZIzj0EAwIDSAAwRQIg\nMNeiOmc4+o6DUdtS12U6kIdAX6JbH9/7eRmsEw/ir3ICIQC25//gHeLbYNCMKNVR\noec9X803AgZX3k6XDlj9AGdXkA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXh+4/vDDx7uUhQJyK3GI+uD4QaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQk/3hrGDAZJP7ccupiMB8EwUI0UtdSY6twW5bS\nUqJh/ulEFP0lKPeqEXYapO5tALZzIeRoreHlwPuWOjV7fmm4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3xR5oDjmGPWrg9CDnBx3O+gkiAowCgYIKoZIzj0EAwIDSAAwRQIh\nALCn8vrxR9IM3SISdaG5jjlIG1dypLWQTD6M9oY5FpGIAiA7VTkepBmO8JsQFbVi\nbF/KNk2ps1mEY1BalCOgBZYdtQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKGL+PWvPpScZGREU9UtzTUPm6A8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmJKPKQL6Gw1g7tNWpK90BhMaNYVQZT5Aqt5/ovKmSC\nknUdRfR90yoHGxm48IZGO8d8j/4O5izULy9dJBHdKYCjfDB6MB0GA1UdDgQWBBT4\nZRwD0m9jMeedSyC5ZOlZrz7+zjAfBgNVHSMEGDAWgBRRevx6m8Bq0E1pan9j33tB\nHGAUjTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEVlti17vzTpeC2Sd24Hy\nO8UInsqFsg5ZYpXJdeh4suUCIE95YJ9e2HUOagM4mMN4zqBarU8iyyc/3EoFBHz1\nYBGT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUZejJHH4/kl6Lfy5xXmgFyKhtpqUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABARKoKkVTwYDHG5fw4JMMOROuYN+EWLLw6tIj5pl4lbJ\nD/XxvBc64oAGOGH95Kt1zZqupeHSfYe72r8S5QNS73KjfDB6MB0GA1UdDgQWBBR+\n6SRvQkLHkjXfi6nNO4cDtXf7jzAfBgNVHSMEGDAWgBTfFHmgOOYY9auD0IOcHHc7\n6CSICjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAUIWQ7FHq7roHPlXyqJU\nxOmZT5kZ6Fya7s0wxQSqYagCIBtfE9rDeQljserx+as+sh4FsXuPhUUTzhNxGtE+\nVxek\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1276,15 +1276,36 @@ "expected_peer_names": null }, { - "id": "rfc5280::malformed-subject-alternative-name", + "id": "rfc5280::malformed-subject-alternative-name-ee", "features": null, "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJnttr4Zzhnr5JDkQQkRos/1CWJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARO9Ny7hdlFge3jF0gO3o0ncBKTMbQNGzR07mZj\ngGPNi+UBy33z9OBCxv5c5ikWE7yatB1zRzvABrs/4gYxSR6bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ61W5tky2dHGO3YOw0cfXcmnOC4wCgYIKoZIzj0EAwIDRwAwRAIg\nenDYQWqf3kz2uZA+MgsJO0NLdrpatfFm0XhQ8SId96UCIHduRiUPMvuviCg2kvuB\npWBGG+3Dd7Irz5PoucZcdU17\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXNddO7kwWGwU0Eb2Eu0fDfg0KxYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdzklKCXdt2n17sW0yzZcrXV1h0DsfgWLmHvo4\nyx1IUi7MMM/uCaS31He+cVDB+M/xLUn8tfOPqwEBfsnI6Y5So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUj68US7x7bJ5o6wsX1ooOi36gnjMwCgYIKoZIzj0EAwIDSAAwRQIh\nAOMy83wdGZ8i5tfLgz9/RvrNSr7qfdCsOggVGSFt1jl/AiA0jstqoTDxOV94kWx8\n8Oe3m/wVTT9B8sYmX9c0QiQIdA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUE+G9ylCuT/HdPLc7AdU31ErnEgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBk8udN5nRhLnLJ05SpEbo8OhrXcs0TihQD630fI/NX\nDoj/m0ehnV/HwPZl11m/jq9ZOd+eZlJisJ0YFIMs3KijeDB2MB0GA1UdDgQWBBT5\nLvtbRgNBMxKlb6P4Cbobe9hDOTAfBgNVHSMEGDAWgBRDrVbm2TLZ0cY7dg7DRx9d\nyac4LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAk8/b1D97cco266p2PkA9iCUZ\nP7Nvt1n8PahhvXOIF18CIGIb0FfyRwbSiKFiJX3Q9EdFbddedmdtyebZnNmo/iBM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUGD6JEAMbUG2wurQu+68tKUf4HZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDT1QDMshk+lzjphPhFEvheDRSnMA8wXv/4gjlLwmYRR\nOKzSeDch7Kzxw8YxJhoWRY3+TEthSbQmmgczgUoXSWOjeDB2MB0GA1UdDgQWBBQ+\nouxaE1recdiRZxVuHtfaNVrINzAfBgNVHSMEGDAWgBSPrxRLvHtsnmjrCxfWig6L\nfqCeMzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAS2NM49bMfHcD9G3lF2XmS3rJS\nbt/sh8+HuS0pIlPVqgIhAMHrlq99Kiny/aKuWL/YR5kqal2BIujLvUmwe3Yx5Zqz\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::malformed-subject-alternative-name-root", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBizCCATGgAwIBAgIUajdQgCJvlmrrPdTkKVViDhccTckwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtkshBaJ3HiQ6gZD+HBnkH4MMlUeO6ghYNieyS\nvw+NOGRSENlKJ/vHJaWDsDbR7wxqK4YgzP8woiu5srBgSZN+o1MwUTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAdBgNVHQ4EFgQUIxB2aaYo5UAsIhlYHuk8\nVvV1/I0wEgYDVR0RBAtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAp+fQb\nx25yprDNOIrs46NysxonuFiHnBtyVmW82sZnRQIhAO3LZhnqETRUEl92RrJ/uC6k\nWt6K7N9iH+xk1Eg7SMsG\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXxIo7Ls3A3jEcwWUoe3BzcVqkMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGveLg8LGOXRn5Q8NM8YZsEuXFwxhqvJKeQ/MDqO3yqT\nq3HnROWY0Ocfrl+Nim9Ziyqaui1NE2WUAWXXnpD2EL2jfDB6MB0GA1UdDgQWBBRD\njJU++A4YxSwaR2Y/fd4oJUF3WjAfBgNVHSMEGDAWgBQjEHZppijlQCwiGVge6TxW\n9XX8jTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJioWSepK6+OmC6aWbey\nqYaiHtFtI0zrbGk56nkcUc5TAiEAxE2sPFeRh38RSenUj4KziT/k10JVuN2v26k3\n/ajV5X0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
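Review bot: The description added for `rfc5280::malformed-subject-alternative-name-root` states that the chain is invalid but not which rule makes a malformed SAN in the trust anchor fatal. RFC 5280 section 6.1.1 allows a validator to take only the name and public key from a trust anchor, so an implementation that never parses the root's extensions could accept this chain and be reported as failing the vector; the `-ee` variant has no such ambiguity. I would add one sentence to the description, for example `Validators that parse trust anchor extensions are expected to reject the malformed root rather than ignore the extension.` The entry's `expected_result` lies in the unchanged context after this hunk, so this assumes it remains `FAILURE`.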
@@ -1350,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHfpodbLNRqV8YGLyEy6zAK14ecowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScRzsh1n2TeLHopkPqolONMiBxzUd10RMu7qdb\nunq00hbPdVg3XJ0pnhwPXhIg0dcI8Dh5ySPHzMjswplBu3+co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdlDkO5Nd4Vij3xOpnTZtkSzKEm8wCgYIKoZIzj0EAwIDSAAwRQIg\nC6+cfIYBe3ybVZS4BWXuRaelL4pdjmat3JBgsqTLR78CIQCEmcTdErsE4MPeZqx9\niZqgs6iuN4MS8fH923zbLj+Jeg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPT1yF8x13F8g2WdQ3oo15dMqT3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATynBxlsKuv84recdTOyxwT6xdYx2aS2Tqc8KTV\nLzOQGFZ18X9pmPkIn5Elw2fjawWnoEJ4+3LrIm+f1sSe9MZao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvcJLgJ+0+Ov6LenDwlXEnXKHPTQwCgYIKoZIzj0EAwIDSAAwRQIh\nAOzvCFLv0ISderPG6ZpPt0KmwPqnvipb61bsgc4tsfN7AiA6DXElOY6Z2alvvc3b\not+GU8H1z61A8NgQS1FuCB/uUg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUZ9XC8wm9xyPBF1kj+Q2Y3FGBwy8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLcULccL09xv+2Fj+ASdln/znWdsUn4Qv0uSeROJUvv\nXOU/dmDDkuG9K1a2fKeHcbBs8KXXNfL0UpcS1ihn/9SjfDB6MB0GA1UdDgQWBBQV\nf0AGjj8L+02buuYgyujZYiDHijAfBgNVHSMEGDAWgBR2UOQ7k13hWKPfE6mdNm2R\nLMoSbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOv076BGQvwFYhbPH2//U\nfd7IX/iLaYXwZ+tWth8RmuMCIQD4tQbdG2TC9zGfKSa++FZdbB/24wV92I6MYPaT\nBC6htg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIULbdZ98RCBM8Ai59J+sgTTYwyZk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBjIV7srOGunIxrl4SuGDYrk1n/GS03wYiVxg6awBr7b\nNWkQyjhOD4JdXuIKodv20iNLLwf/jH8lGids3giPA5KjfDB6MB0GA1UdDgQWBBSD\npX5n/WUE7KYjUFXXMVYJX9IkBTAfBgNVHSMEGDAWgBS9wkuAn7T46/ot6cPCVcSd\ncoc9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbzHsaFEs7RVVZ3Y+0SAh\nJedm/8PfBHMNI/Lb9exaHx8CICcCA50GWnVPSy3+1Wd23aXoUjqlN/bE+N8XeiXB\n23AA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR2Z2HZVytXbmP2ftELFH+JvAlsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzmNjE63G3r3uIUM+sr0mY0fIWnl20YIPHgHx2\n50bmMD05qi0v5BbB+iSkL8QtnQvKqqw/7NcAY/MFwW7RGSFQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSk+w4Sm3h5hv3heLYlanYeRUCS0wCgYIKoZIzj0EAwIDSQAwRgIh\nANbCMXCq4IcL6aypDJCuZqJex3rlG9AV/EeGMVt6XotOAiEA20W6YRdDNWB7OTAM\nLCDcmKtZ1Get9Iydhqui+PfXdMI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURX+HI+UXNg7XP4A9hO8alu+KvfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5CH3TTNAdd6oACsVhdn6mob9hqCUxqNjnnseW\n2keO87sHaGNf/nmANez779n8Gpj0ztrs/0HO0lsXDcU72dHuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw1O3fbRB8/37A6qvTQRtZaWdWOMwCgYIKoZIzj0EAwIDSAAwRQIh\nAJnI6xojiLOlZEf2YM2NJWMqsUgQz9JujJ/s2KUNUN6SAiB9yE0/FL2dOf/66tp2\nmkbDnjbbrtTaZZES78z8iWIa7A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOTGXNCRuQsufSxGKrDswI9FMwAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLTwKOHYHb3xfGuu8FjXvtTPIuTvWrpITPTGT4pUdNr\ntDOHLv3iyaVCW1ozqs/iMocjERyMA6uLnbZS48xMvUCjfDB6MB0GA1UdDgQWBBQr\nqP5/4MOv0c6BP5oVtHu04ODTbzAfBgNVHSMEGDAWgBRKT7DhKbeHmG/eF4tiVqdh\n5FQJLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVQ+FYTXWoGCZrITQUHN1\nZdKd59YELe7E/zldSRH7Nr4CIQDzTQ59Xq6hUUpYS37HZbKCLQesUxGN20hY0vL5\nB8dwmQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD0557zqj0cS/50sJ3H4IB8sO4m0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJJKSbLqr2mgJSpXzDgTwVUTgirHwO4KlJp07qO0pvu6\nsnROygGrofpeUYsEOxqctVxG6Uamq42Xeeuxjas3pQ+jfDB6MB0GA1UdDgQWBBQ/\n0eF8kQQe65ZFE7GjXbJLnQvgwDAfBgNVHSMEGDAWgBTDU7d9tEHz/fsDqq9NBG1l\npZ1Y4zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALgt9O2RbrgK2kYa/4Nu\nR23dsCyUdFtI2v9HFQCvRhKvAiBSRuw+N7o1+rHLPTCBmDFGFEUgRkhVgCTzVJOW\n4EEIkA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDZ1kinaUqTDcDHQUjuTFZ5QIBJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7rVuGwxjRw9T7kji83e5rm0qUNzM5sTk9VFGP\n5IpeCf4jY8YNknUqN4glK6LR27zLArJINFR4anoDja1kKhDUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcMHuupabydaIZjW8svLpvg+D4/kwCgYIKoZIzj0EAwIDRwAwRAIg\nZoFzLne05uza5cmELD/wjcqCFcvwn0R8dl/S9blf8+cCIBIN/MuWMyokjL7+Fmgg\ngMCiJpb39eqVapo258aKjmzs\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVGoY9hNapBY455mz425gVEpR34YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+HGJfF+7I6dyseoyOP3ZLNqbtaXmdRq1mNt+b\n0YAAHB8dZwR4nJ46wG/DxYejOEqJeSZj3mwRNmGagpvrpllho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURUQSBjsHj/TBwDsiBTRHI27TjyAwCgYIKoZIzj0EAwIDSQAwRgIh\nAIbETamYNh2LSZ2FKP47qanLUDBQBWrqf049D957+g9IAiEA1Z/RIqjkxC/6Yek/\nmrIlB9wjoZANJbt5EcNFYPC1HAs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNC8YMhemCn8CpK8XmfL3RlkOCaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH7Sl6FKGA7tS+BtVI8qntD19i03ZfMMQDsvZqXmohSW\nS6NG9ueNo3lkJFtw4UuKp6dQKbkwX+HioPs1zieW1zSjgYAwfjAdBgNVHQ4EFgQU\nYGIZtjspynbnMWEm/INmKV//R/0wHwYDVR0jBBgwFoAUcMHuupabydaIZjW8svLp\nvg+D4/kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAL3sVFZCAC9wnb\nx2sczRxtpSq5OVGOBb3fUzH5RA2L8wIhAO1iDVlPsqYixOXlmBc8ein4sAhMduY5\nphQ46fLE25pX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUdwkAaVRPxpo7BGbLjAWSIQfdt7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD09UMbhMxmb5041uavFVVqbrt0qzfr30gyGfvXkD0Jc\nszHKxG7pEIhooymPakrxqTWV/mmUAEHsR5wYgUKSjz6jgYAwfjAdBgNVHQ4EFgQU\nr+BjQ0h5Oy1purGbAQlcQCl1mGswHwYDVR0jBBgwFoAURUQSBjsHj/TBwDsiBTRH\nI27TjyAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAp50bTPVh9YUZ\nQEfz7hBpJWutVjFc9TSZYfGOPoVN6isCIQCMuPeU/VKeEdayX5mwODQ1Kjt3o4SF\n2r+jKK8EWkvFdw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM70/XVnErRVQU5yNLP03I04X/6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfMBmTS4yx7dL3uR0S9vzdTDuxqwhGhsQATdd\nWx9Fe4H6NXayGh4vWithhGDc322z6U//YyOgUE39A0mhXXlRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7HqFDirOzMQI2144eP2w4GLXvTQwCgYIKoZIzj0EAwIDRwAwRAIg\nPk+7Iu3Hp1M2YxQBUKHuMmgvOr1JouEmOW7wNuL0wsgCICBWWOhTVNRQUxLYUH0n\nCZg57Bh/H2t6flQoj6fydnsS\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOds1o+nvdzIjwtP3/VKkOpxUeaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARe8opZt9UsJcOSKvxaFu08kw3o2mDq0ZSRUaEw\ng7NtCGNRkJcFQk/7IiYbk7PtsD5UzeLgEXM166K+gP1SM0+Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDN8wbUGJtqYw2SB7+vqY6G6yV6MwCgYIKoZIzj0EAwIDSQAwRgIh\nAOqbboyQybG7wHD5rTvwPLDMQ7eJnPh6ur4Guxf7+AdyAiEA2mtF+bzaxZUvrEJR\nNVtVncXrRwR8TLNo5Eme5cao2mE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKhFTaPbTAzpNEG9f16/FO1ooERUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+mAsQhfgiENkTY5vLkivJA323IJaikelIQJlLoGeMX\nZ7/VX7Bv8LwTKxO6//Rs5JXgywi96dSsgT/JQbSAo6SjfDB6MB0GA1UdDgQWBBSx\nJv/yI6O7ZN11dOZCfAAxFUg+QDAfBgNVHSMEGDAWgBTseoUOKs7MxAjbXjh4/bDg\nYte9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJfaX1ws0VQVgZA6+ChZ\n7EPCE9FWO43Vix7RavmpvG1nAiEA6hSoSAUeNlpSDres4bt2Kkj+O641RvdBmjWg\ndkoyax0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUM93Y65Qlm2v/ubb1VzwfNzSOfhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG9GuOWsa5Xsh9yKCbKx3PTX3+RrWX3H9b4T6DOJu9Yd\nMsxCD0p4JD1OC2lEZgPpNZpI014nzl4+jwvD49uYBW2jfDB6MB0GA1UdDgQWBBSi\nT7lb0zPiLcaWQPGKd1NMSyo3wDAfBgNVHSMEGDAWgBQM3zBtQYm2pjDZIHv6+pjo\nbrJXozALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALHIq/xWCEzxiWDDW16N\nLSIql4MT8chDgWBu6HS69DeKAiEA8bF+EbX6elt/g9kVnpaDIbH2R9K4ggMQ74U/\nusDw7qc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1434,10 +1455,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWcH71LjeG7RVxAlWHu9VR47sScwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyXK4vXPe66ZfhIr0Dysd0a1oWODhTkukWMA/m\nLECDF5mSoXDypZe6K66AVRhgoByLSkEToy8vOVsBilHyRmd+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkiDNa0QJMwfDthsickRymvFgEk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAL26GMUuejQcyW/ZsGdHXmHYISpHkN4aUb3juFX4462HAiEAocg7irqpZLUrN+GM\nJzw4YMt0pF1B9cgvPFX3lKO/RpI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUa9V39LxAXHFJIbRxaP+WlxWjhwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjJ8VSrHqaNZqV+iSeSyahUTBM91Do1Tb/z+a5\nthpku3/RkcE4TwiftLhNtbBIQtGvfOrsPKEWc/Snd4ixBEOxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbmCQ0E9hJThDaeNHHrywqHbVqPwwCgYIKoZIzj0EAwIDRwAwRAIg\nP0jNRT4wkyokorIKr1P3tit5bh+ZDAFFTCVD1fqtWUQCIFp2YVb/lVy4viVJCwmS\nt74BO5u4avvyCEn0hRDm7kao\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUF7A/I2gUOHfQFyywoIKkOU44wQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2wTPGyzMMcfHUUuao5hONbma9Ao96XXM9s0uHAhJgr\no/qN7ij0Zd+xxZAyHcFQr5IYcSqeXNL4H/AMclPP+AyjgYAwfjAdBgNVHQ4EFgQU\nRFoa+dtIewJ6lKtLLGBM27ucbQMwHwYDVR0jBBgwFoAUkiDNa0QJMwfDthsickRy\nmvFgEk8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjVxi7f15yB8T\nkyAxyvjK12SiRRLGBl+voyn7ueJP8+UCIQCJyIXYYltLWwaNKxXATDpNmB9WYZIG\n/DwPV059YK7ANA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUf6d7bGTvBNCC1VtyIl/IKfc0V1wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBK8PJuQsYYMQxUGYezGO3TR+YnmiwXV7fYbze3+D7el\najSCNmaBoYJbtnvTEDpj/LHLePXjrQZqJuxCRb1sULejgYAwfjAdBgNVHQ4EFgQU\ndO/3gj97FL0J51/eoZus07Avw3YwHwYDVR0jBBgwFoAUbmCQ0E9hJThDaeNHHryw\nqHbVqPwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAh+PPXLwpzYwv\nC7/gM6b1RPjY7Hq1rMKonJ6ywg7FkWYCIFKAQid6aqgFsd2sKLWGydKJrudXfQdk\ntQ8F0+04EMBe\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1457,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenC9QkoKjUDRHQSDiM/wtBZzNmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW3+APfXpF74UQSM8jdWbYpJ+2yYR1LJXfXJr8\nNyYxTonVC08IX/wmBSlkBSyGK+cZ4mWTNJhdLEPzUmcVd+cco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpwOTfKi/l7j7R7VFKitwYaW+lm0wCgYIKoZIzj0EAwIDSQAwRgIh\nAP6BHbfJ6mjZGzXCuB195HYZkyTYlEw9b5gDq/iqA/9EAiEA9JP9JF6CPFJi+pFA\ntaB2wkT1Z9ByLs8KwENhVFQ/cK0=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGoQVTxf9TYtHJuBbHJmvw/RSEBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjhG6LMuKdkwcOv9Nc3guOtEIgdsgYR8G+77a1\n3vtx8gFwSCQLgLD5BAN7M8xPUOIjE8B3sB9xNSK4k3SOxtjio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeGk63NmcxBsd6uVObVZJNX7IU0cwCgYIKoZIzj0EAwIDSQAwRgIh\nALiSQaoYaoJt9X+hXkjDHlbdIHWY8h7c7qQzjbz1V4S2AiEAj6E+wiLziuZFeV+B\nuye5c8qK8UaB4Xa/WgKHbRHsYdw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULYyJArBUmABu9jTCOd2deygmy9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZ4gu7knzho6dnSP4t9xR6ZawEGGy2CTly8D64t2hM8\nQq/L3bJXfwtmn4bdU17hclM2OlxGajBFjE7wJZYTNpujdjB0MB0GA1UdDgQWBBSW\n8yLFecN4m4Ogk691WBODlry1ojAfBgNVHSMEGDAWgBSnA5N8qL+XuPtHtUUqK3Bh\npb6WbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBHvEV2Qdybqag1Q69J2RFgPOpUSh\n+WLxzCr5/MNXEukCIQDeYa//NwBlr6lApjQUfo3iTb55/qbGnXNRt7d4Boi4Bg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUesNnQgL+p5dixwfPnXOh+VAm3gwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJOTLWbpjA+IACccx1zLsfgCefFxZqeA2vnJiJJW4uW7\nZVrOryocspypRhwJ7yqJHhoZije4Ezo78wQBjP32QOejdjB0MB0GA1UdDgQWBBTW\n5MnlhjdfCjVuOsg5CWCgPkCJ0jAfBgNVHSMEGDAWgBR4aTrc2ZzEGx3q5U5tVkk1\nfshTRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBhdMqroP9fDvKlUSN9SbqHJkrdT4\njZosqRqFgmj+uN8CIQCAuonju4sNkf6feA6c/YbWyxCum/o3GDhAZh/HZtaC7g==\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcIN1+X6Evkf0nKKr7TWEcT3c+/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG/NM38NzuAXApXecVdfki5coQ/m/skWdC65Jl\nQM6n4eDKDbeb/gwjqEDq9stWKEfslMD/HJ5iCdsg2o/OG0n9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG9F8cvqSBPk3KkFDZQL18Vny/lwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPnje6EAubO2B3Vm63vEpqM9jIdfHncGSN6QDV0ugeWWAiAyg5p1yKavimAxyYs1\n86uPYcGsl2iMmq2hzg35vnPMOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc0/FGngWjsLkKcpPCQE1U1qit8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNsqywSqxBk8FFfY/hsb3n7IIsEgTE7NTx7jBW\n76ZQLnUb/l5TdiAvEFdV6+ZjOTngcIOIyvp1vWIdr1MXsmvXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy3tXpD57ubyFY9wj2AmLjgi6obkwCgYIKoZIzj0EAwIDSAAwRQIg\nQ/WolaLuVjJudpj3IQgtyYsLCgzh0oMQVFDcrGBY5FoCIQDz5RIcuTjqkGUO/5uX\nCakYPopeWZ1E6WXwILAYYuZMQw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUEjsYlDT2JMqL8rEr7bzJp2YRl6owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBSwXwKOzyeLde/komzZzb/TDSmLvmHcVrmkGyZpVuP\nqfFhCllmhl54SshymCfz6h2rsV+wkpQD2kXrfOOaaFWjfjB8MB0GA1UdDgQWBBRh\nrUQaZ4f5cD7lRD/rVwYhP/3AyjAfBgNVHSMEGDAWgBQb0Xxy+pIE+TcqQUNlAvXx\nWfL+XDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAjVjAdiyq6UTSkDdtp\nCtTMovd3R3Ha0ud5gjmBXnw23AIhALQy8/aDcg9iCtrawFTMHbIhLy2pQMXECb2n\nSZh+U+1Z\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUaX5OTZvhi7jx7zQTfDGMzTP7le8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE8/rX57nTEaopivEecVVP0YFqRFQUSXnBAY06CDSGOg\n7wKkpwPYobmz0XGb/JlCtLJAdi5OmNe6VuZQj6p+WIijfjB8MB0GA1UdDgQWBBQv\nTb9qCgz1LjTEQqCf/iUmtFbWujAfBgNVHSMEGDAWgBTLe1ekPnu5vIVj3CPYCYuO\nCLqhuTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwhuDzRsunLwIsapW\nbXQtwhEF1+rBfpD2KHsY47rZWUgCIDEamabvIg1lk7F39YZTbHE2YKZzxmiy0jRT\nMDyqi7Iu\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXfJKys8nheMPRbP5FJXwCRUEl2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2ZQu1zsdDP6VaZ9+0wGJac1h/jO3PqUwWu/CI\nqkSbzmq/7EDlsyi1xCagbQBUx69uZJaOv0pGmlL/uV3xWT8Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaRCt4C5uuR5sRPU/hc3k6CLJazIwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY0dRWwS4lCNMPiuPp2PmqJqZJtrr+vk0n9ahnDope7AiEA8vUBofSPePNRFPGF\nKPSSzBw6BR8NbELKf137Ojg3yTs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUU1Xu6n7QQSZmK6POFuzxVWqGCQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEqkA+aC5Wabknafkw04eEHNNmHHf44pLrErsm\nrg2IIjnhng0w9TXUSk2Vg7anoQeGGMSCD1yBDvi5fmDhvrb9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq+UOEbwWKYobzm9CN2kieUXiF+4wCgYIKoZIzj0EAwIDRwAwRAIg\nKQc4tMzCP87xsgZS9SMySs5hC0GJeuI2sVpYgfr+nJACIEOVlvsayhNXQtVILwb5\nQSQjgvGZOwnxHQEV9YgCAYfH\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUV/Mbwbso0vcXLepLHphWEW9j6vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOa4KdOW8kCha2wswMrfSE/sf/EeIYGvnc38vtkphvVC\nPJwW2HMjJryvuvuMskTOKxXu6aeIKBjwZm4n7QTG2VmjgYAwfjAdBgNVHQ4EFgQU\nb8tkxaZDiPKtOt92RYg8LNgb87cwHwYDVR0jBBgwFoAUaRCt4C5uuR5sRPU/hc3k\n6CLJazIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA+OdvbcX+9loL\nNMPXMeVMcigaP8euXdtjA7AQLwd8D68CIQDVtqqN6gwW8uzVf3/8XlCYZqVr7tJ4\nF9wQqkz7TWzYvg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUZu2aVhPRXNwL4j8xNXKNQwXVVD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDrHnSKVLRFCfceHE974lzaXsv1Z13LI+uRNkxddG88D\nCSQj0hNKzkGElEaUJpn97L3fXTvEZD5XQ5fmXkBm89KjgYAwfjAdBgNVHQ4EFgQU\n8JZfvGDr7vGLJY4vfGMi5g32Lk8wHwYDVR0jBBgwFoAUq+UOEbwWKYobzm9CN2ki\neUXiF+4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAvvx1/tPSDqhwq\njmBpe157cPVuqYAjy3260NfV/7egbgIhALtFBHKFkf0XrcncfYONRof9+HhZrDQk\nOxPV79+4ZDda\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKaGBEyEFT5gkq15VBGXE7CTo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+Sk7Tb01TGpOzqAiWyYuIuX5p09oLm+mDetgh\nI4WoIrmt/ZeVJS8W6biL1UtK6x2J7NeA/kEJoCMeThs1jY9wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkFhFinzqmIklUypchgbE9NPPZhYwCgYIKoZIzj0EAwIDSAAwRQIg\nYEjgyI9uthVODVy8v6J+y/7kOWbgDvp4JGbjGhT1aGwCIQDwFAoQSCY5H9+u7isP\ntzoR6lwUM8ZpgKROQG+g+e78dg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTtm5o0K53GUGRGJWE9Ycrg0RD4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASA/CBjD4un/Gl1NLFuG6b0Bu8ACliLGOs4242x\nu0iIgLwmkQYyj/7EX2LlKChLx0Flt+ToZAHq9DZL1i+89GOpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBx5yoMAjupHf+uZWTGK/uISFHZkwCgYIKoZIzj0EAwIDSAAwRQIg\nTp28Q6bDB08BBAekXU+5OiHesOXPYhYn/Owbk3nphHMCIQDqX3weuYDndCom5P/Y\nbi8Mp/lyAdOUcCHPfoMk28RTRA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUGwVluRFwnwi6aIztU2SZKBEKpJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLEGWCPyGzW3Gd1pHsOBWfCm6dTLJfM8TGBeryMBkKC+\navIjI96qnhBITNBWQZkhajWDn/RAshh5B600rmsXm5ejgYMwgYAwHQYDVR0OBBYE\nFAZ1Uc2m+vvxywsQLXHRlQ/sbfXAMB8GA1UdIwQYMBaAFJBYRYp86piJJVMqXIYG\nxPTTz2YWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0A4cw14k\nxj7vgr9oCUT4D0uxs6Sl86Eu5SVqq+uB9iECIC2KxW+yHIAX18wug5JAXMDx8Oej\nCumjAzEqs8ILCjL5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUDlXqmJ8/AT2I+J5FJfPf7uEv+wcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC8ftjhS5d06M8o35anMsVccjGNVuT+AOU1wAPbp82nr\n9MQnw9+aawGpWANf9xt1JRruLGihjsBtr4teXF21I0ejgYMwgYAwHQYDVR0OBBYE\nFF4JIulsayhZGN8O8JsgkbEJ7fu6MB8GA1UdIwQYMBaAFAcecqDAI7qR3/rmVkxi\nv7iEhR2ZMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAh9tEHhYUVku\n3j4pRtOocEDpVjuwfbmtIQ2h6BGdFtQOAiEApgbUrOv+lx3+8bWqa+vJDog3cNHi\nxrbz6PF9pa53hew=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDiNUzXZVgmcViBL8Ve7VFf97CWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS17gUkN9A1v/6AChCKoBkKux//0xU5CPdC4bNN\n5EB9NAsJjYLliMbCKksk4oFMk9V46/sY8n+Kst42yuLHIbXIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUESTzrhGgqxw41HI28YYOpiwn20wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnZj6aINLFJ6SEf4Ls989rQK6N2xeH83vlsS1nxKVXmAiEA7/axMpmFpKZqKEZi\nqqjAvVjwqzG+nqW+lWyeB7lSV/c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf7oRsqLOjJiRx/XKmRIeSMhLsRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8GH8f7D9epMZmmWxyFxgECw4A3yGPwoMZ5tjr\nTxXqw6PRAI2DgDDzu1rKYUTg676SAYsb34HI8Ey+guE9HZQOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaI6HoPLH5KAVJnkQ+vuoImKSSJswCgYIKoZIzj0EAwIDSAAwRQIg\nR8yK1ZEyDs8JpEByktYkkpj16qIVIk6ifpft7RicCL8CIQCPqUQBrjjm+w2b6/np\nBFb4AwbYz8xhynIaSypdQBe/ew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUEOxOkSPYbzK7S9Zj6a5lJzxWARYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPSZ1A4zrCBCswKvlcjmZT7D5aEhjbfJlPxkdtgt9E8H\nnYj8FfSrc5Tht7og10B1smsdulKMvFECru2QkUtT+12jfjB8MB0GA1UdDgQWBBR9\nAN/QtE22ByZe7vmqo94B6+CvqzAfBgNVHSMEGDAWgBRQRJPOuEaCrHDjUcjbxhg6\nmLCfbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBQIBQhScqg/6Mjn2Bm\n8yO6Rt4bh98uFCbR32DFDT7fzgIgRsYDxQosp3iUl84reW4VtNO452x66duDW7ZQ\nESduZ8k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUSOTIA+P6eiHreMa5UHefPsD9grYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOp82ZVAklroMBIvzyvEQ1nVWXTEffu0n9uAQCvuaOYw\nsn6pJtdvHYj339Cb9Wsp0fSsOxk/CuLrXV7AjQpEdI2jfjB8MB0GA1UdDgQWBBQ9\nAj8HhUvLiLnipl/BlIt6gKd7ZDAfBgNVHSMEGDAWgBRojoeg8sfkoBUmeRD6+6gi\nYpJImzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA3BtB1XbfmArdCc947\nOaKxBqKcL+CYwMyXlywMWp9MtgIgRVZg8ruHI8ppRa5yG8FEOmCT/jDhWxeilozw\n9TaInPo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcP3Jed5wHO9OHlq3Eo/E7a62tgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWeesNKoZBOIIHcaIoUWTZkW8h4tjW5TgVUZlb\nsqM2aolrx3VRHh4ZmdqVs+yrB5uRsS34x03hCrkULXaVUM2Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwKGvph6w0SnxXgJo/59WRILlf5IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKntphzAiAYg+WRMUGHaTr8dNliGgOKC0gLQ5SvucwEuAiEA+FgBkO075PNIQzPX\nVxruzmglLb621Yv+0/nrBVQ/3Jg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX91kbg0E08MELxRVET9aGdJ2sAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYYDlpxzqODDRJnuuswb5yEZ7ktdejvqRPsrBU\nmfhX+39E6rk709MAPDxGRro/SR5sRj+MJfw7dgXq+k2xZailo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0e4HhulKsAPg4P/WD34SFblovL0wCgYIKoZIzj0EAwIDSAAwRQIg\nM2+dgxMLw1WXympV1vundeMqED9YZmu1vhGbndlRJZACIQDDgCD2lVn5/9ilR8hz\nl/XIJFKAbSSPXFv6eL2nNh6XRg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIURFoBUhfNtqsA6RnQHH0IQtPhlzwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBvjl4GPTnFU+IfEFY6mTvZ/0jHAXUFqAUjaXctrGT+\nvRdAgOKS3HrfpPuqA0DWrRGtzNJUvgk3857y9tWmWQujgYwwgYkwHQYDVR0OBBYE\nFM8ULIKi6mdI1ehfZBkpeKCU076lMB8GA1UdIwQYMBaAFMChr6YesNEp8V4CaP+f\nVkSC5X+SMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQ2DtLLiaJqpP2elcnDkEehwNxHifx4PrD8COoK5XE3wIgVi/Nb3QF28qmB/y3\nofVfqm8ThF9FWnTDTnoXKbN3ZNU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUF7988UHE1NV1+CcERewZWIrZ+xowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGKrj4ZRCD5lWIqlTTWJUw+4Nc6KXBklAOrVJoAsOewu\nsYqF12BDNqTIeLnZABUfSXMQSBpWKg72hG6tgF34y76jgYwwgYkwHQYDVR0OBBYE\nFE5HQEIzIUpr46H4Szew1fOgTwwLMB8GA1UdIwQYMBaAFNHuB4bpSrAD4OD/1g9+\nEhW5aLy9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA6NenKv6rkkoHv0V9OypNcfJS4nCR2FVSGHqiw/z8h9cCIQDlHWJpRscofwXS\naW/QXtDVw+KrICtLc+zLykguWP3TWg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1604,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBR3pdWWoRl5choOIMCOb56ijOqIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo+On9XFonsV1VO9eNhIjg+1fgJ8kR935bRvxs\nuqm5xsywIzQ3Z1sz6oCW/4RiqpEVenVC+VOL87bzLPtfnE6Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8p9ykQ2N8e2j35Tdm4y/tVSA8bMwCgYIKoZIzj0EAwIDRwAwRAIg\nQ9HXLF8hxINy5Ge7ipjRHqvSegDxBpJXYXqkPOmgftMCIBjZU+hyedq5puJWElze\n0u1a38rA7r/QIAvI2n3yS6FT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGBPFHoHdwVZ0eSLHpWQcEZLGi4gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6ZEpdqIC96tjX9r6QbZfQPagj2Pln5RKfmxD3\nf5aEB3BMeFM4hRpKgzsYLycRCJqrbpen1dwPUHduWMJNLRAmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5dfHnSU+DrFn/ETf/KbRMfIDe9cwCgYIKoZIzj0EAwIDRwAwRAIg\nWh/AqKrSZ107FIHcwyht/VE4lOLVPW1SoRDlTm1a2K4CIH8AvnEQvRHW90xmkmvq\nGAf4mnsHb1IpawJJ2pgBfOYF\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUKOzbdaAYDQsLB7ixVj0grb7wLE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0RkbanghRrOguWvrY0JPZbR1Yaba24Jc/bUkzS35T9\nuLjrzN9ouHHyb8V9uA+4hAHzfZ3OOLVn2D2G0fiii5ujgYEwfzAdBgNVHQ4EFgQU\n2R8WnjZAhxsxTslMWhcAzUcYmrowHwYDVR0jBBgwFoAU8p9ykQ2N8e2j35Tdm4y/\ntVSA8bMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAnkmen7aHLhp\n0e/cEHxGhU1OIGV27h90QtaB6gydXmoCIDJ80tSOU4fEeHZpiFgY1lN3m6vfW5HX\nUMsmSNlh8DtS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUL4TMsHbYwCSGiradM+hDb8kNfeIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxxSyfwA7O09ACgqdV8ny4c/5gyJTi6Oop4JM6Vw58L\nUfM54bEN69S//K914DTpvmsimRKAvrpopWy0F1F5CcCjgYEwfzAdBgNVHQ4EFgQU\nnImC0goyl+9Hs+XCCrz30822lIAwHwYDVR0jBBgwFoAU5dfHnSU+DrFn/ETf/KbR\nMfIDe9cwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgePqdGyiCvKU8\neFutsXoa9xo2UHs3PwFwpSetWhUtrF0CIGVLpx+JRujtZm/lDm5F7msNhxRUXqbJ\norEueIAOXZu8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1625,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZHfrBXIGHEdmxTYmNJtCIjUhVxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBSvJgqraySnLTETEnxwRCovmsas03XcmppsRx\ny3xHO662iOmhtQDvmzplJD+1pWgRcdM94H+yH/1i4obgD5QWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/E9BlbBi9wkPeFcSN2P1Utajn1wwCgYIKoZIzj0EAwIDSAAwRQIh\nAKOlfATnBr2Z9d3gE6iAngeB0Xn8jND4ZL4GP9OkcNeIAiAw5zshObkVXn/umRul\nMaz0M3vD/JPvl6wbmfCjDeDNsg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZV+Usz+SGxn2IniPoE557SHDLRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+/DtYiDrJ8fGWLuP0QMKNySRuSUsUbq1k/ajr\nXSVVragIOimeVrsZBFq3s2OLHkwZ9FHWqCwm0yTIKFSSSLoRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0tUTFV1wozNjVCYC5Ym6QqTtJCwwCgYIKoZIzj0EAwIDRwAwRAIg\nRuN2UpDdr8ks704+l5SXmsTNSOxMEnba/aCt5i6M9JcCIAqDmCxIWJjxg6238nUf\nDyLHhAQPYE3gM2tfjv6DnWuY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUBlxjsBXb/pfrmrTfIGAxUphflTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI+sQobE3AWUkNMGq/w2ZBiqLusUqbBR7oILlvuys4Bl\nRJ0swRvQX0NYL414Se83jTSggcThGSV1o+XKaX0yKqWjgZQwgZEwHQYDVR0OBBYE\nFNaxhQF7okbUVhi7U9+Ap2eNv++iMB8GA1UdIwQYMBaAFPxPQZWwYvcJD3hXEjdj\n9VLWo59cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQCTXMd8NlgYG7y1CsI3XICnn0qINxIIgYsvoct/kPijawIhAMTs\nbRBPShmXlDkyLJGcyLe5m5rm1XemHcmKE8/SvW8q\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUbKU8gon1Mi0SUUYfwiUR8XsKjlYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDaVpz1NyTWYQgPh2hkS98J5fllQU+TKD0ct20XlAkCC\n4mKpMzbCTHaJs6fnU3SxN4d51IXHsptayVrJG3d3LtWjgZQwgZEwHQYDVR0OBBYE\nFBpNaNwP4Kf+9G3Zgh1+W8fpEN6sMB8GA1UdIwQYMBaAFNLVExVdcKMzY1QmAuWJ\nukKk7SQsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQDqcDk6J+l3lYGdNm60FczhWvlaMYHBZ7m9t6bksbnTWAIhAJm8\nLU3AJ4Ac1ePEGJ6qUlAcjWmZ3u2hT8cxt4b/GPe7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1627,10 +1648,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUWVg94dSh6HpC9BBl26KJSK9DVEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSfQiD8+UG0LaHLDrax4iOf+VNN98DyfsLOc0W\n6wv0Q7evD4ji0vMYR6YW9sSO952UlTGO+0HB4x/UiZ6Hcgrko2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIWhf44fwVLZRYctw4rP2f0od68wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgIvxPG8wc8Nx0VJocOVMQLOcybQypzcFspe34\n+CT9+KsCIQDdPZg+Bni/SqxMQnoOuHXZvqc3DbI+noQtX7/Sx+9XoA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUfMQ1JtM1i1yYVBJVCygGJdrkuA8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1F2xaiH4M69azNett08m205BmP27B4ST65n9i\ncIT6p/j2BbtfyVkSW0qc7k9WfGkXDnTgFGbOslY2EU3Mvb2Wo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+7zPRX01x31Wuxj5a6dNYXzjw/gwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgJfD64GCjeMg0wR5wNN4kR2v+fqShuui7iVgw\nfcSHtU0CIAJb+0+bclvErS1i9PFABYboqLHd6pogfo9yIPFpNY9s\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQUMyj01tH6emkgC38e9dRR+boxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHTSfhdW05mM0PPpeXy8LGzp3LNoZ0sQlhBBWAba4D/v\nILPDJNNcbyTF1WwkTZ98gxVq5lmUHJ1lDDsx+P59AZOjfDB6MB0GA1UdDgQWBBRc\noXlSnSoHbju0owwHpEeC8VdDZzAfBgNVHSMEGDAWgBTMhaF/jh/BUtlFhy3Dis/Z\n/Sh3rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgX91+tGdFtfn8jyFjy0mb\nu8e+3nbNbbEBp6iiLnb9ZJsCIQCJGtmM17X33rgVYMfRvWxvwMfaItWdqpODSWqw\n7zqpXQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOupj48t910CEGPZ1z1XhB77uxEQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKde1F+APabHbQThPowqkwVOYNsULx63dei6g6Iu9KMw\n4+BgKvIj8jxTifuGzyN8MMHFW0BTH3pGHjhm94kiAvyjfDB6MB0GA1UdDgQWBBTF\npw4s8bs7EmKXdeOZJcvgfX9pZjAfBgNVHSMEGDAWgBT7vM9FfTXHfVa7GPlrp01h\nfOPD+DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMFUyvb09lSbiJ9CO83K\npSTErwahNu1/JxXbmbTBx9f/AiB7FAPej8BQCIFoZ8AL8s38k1PIuFE/WVIWNKQF\nCRYfRA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1650,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUYjj3hmjaeZUMe7qwZacKZD7rsvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKE4UrWqiOgBwu3PoAT3/EugXZXzneB7EAqX4/\neL8M+7uIC5CklU19j2RDJr7F/+NZIBtg+A7cW6jxA7V/7n0Go4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFG28alFX7uJPJDtunFmbRyiQkFKMoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRtvGpRV+7iTyQ7bpxZm0cokJBSjDAKBggqhkjOPQQD\nAgNHADBEAiBQDyoebi6rguDKNzAGmNLcQclKiGhX4sdBEvr+hdGwWAIgcQuN2AaS\nB6JSt9yn0BNgFSA7ssLpFkHRvfVsh6Jhkw8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUUjCXLJVL+9E8p8etzF2Pf6rDe8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnYBN1buiE+Rr5oD9bpoDXdk8bpF4iFYa8CO4h\nLEbY84M9UJ0oEJ0rp4ZKk06cfeCmlpR2yix2E7wrkUb+dj/3o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFFWohDx8ovdmKwKoIBhTJI8FEmJHoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRVqIQ8fKL3ZisCqCAYUySPBRJiRzAKBggqhkjOPQQD\nAgNJADBGAiEAl1nEOL7DfmoP072VH2GYtcN96NFb4qTSgPjvADhkdFsCIQCwwb/+\nZ+hGmdhXX4oYkFDw99VIRvqSQdicBft0fHjZIA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUT/nwI+1fTAZcR6pGK16mWTCRix4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLfOgrBG9IrdeWV0c5CZILUTI4VVAc0o+JYPGgFICmK\nccIQUYTPGvYPQ0ftbvIuMojqu0QOH/umYdov8KoZZ2ijfDB6MB0GA1UdDgQWBBQ3\nLnQQSEl3wv3fWZkqF1VB/RxlaTAfBgNVHSMEGDAWgBRtvGpRV+7iTyQ7bpxZm0co\nkJBSjDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPIFsOc+PMyhNBjtnaNS\nXlSP9zqMSd/Yw96V2nCyB6HqAiBONgEENSR2Nib5xlViDLElO62a68tunYc48sNR\nQAr4+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUcahEMDjq4TjvmTCC7qN0dWpmxyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF2zMTedECgSrptwgFAC7wF/3NEEb3RxeZsWkVizWi23\nAy/dZyEeUpK2sN7IwxOFSJCD2b8/cXe5TnkhNVMiGvWjfDB6MB0GA1UdDgQWBBRX\nA3HVWvvisxThgRZPKTzSXNV3IzAfBgNVHSMEGDAWgBRVqIQ8fKL3ZisCqCAYUySP\nBRJiRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgOXLEPYs7fRAyJSpAVM9L\nAg8hI/fTLBu04HF6hyXlId8CIC/OfiBggYXoz193I0lAOmdXZZCCa/RBm/8G53OI\nBxg5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUAct9ZLasFfS0DUZnhs7fte3BGn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTtMNmvtY3Uua9iEVTsg69faRpAQ6n1P2gdhsN\nueY5uxlmQmRCgWTNhbvyBBe19XtRAhg7DH2e23ds0BLFs8LQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQEMnR7QI71mKXA5KDRooGYNK1kJIICBNIwHQYDVR0OBBYEFAQy\ndHtAjvWYpcDkoNGigZg0rWQkMAoGCCqGSM49BAMCA0gAMEUCICTvCa+a+bXLb6dy\ntdC8EMc51fegjlgxhPuDuNEe4FGVAiEAiVhjB8XLrq+Kv0iYAtiM2HdgY4idedqq\nBFhrgxeQ+J8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUZnbPWg2cmjdBrZjm33uQW+KlXZEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKi/EoIl4mbPeTzjBM++KRBi6YTNs2G4V/dHxF\nbqf6qvyB4P13OHKNoeYp+4g5ZR3SnGAEnoVqP1LptOtdBh08o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBT/yMGkTJYl3BtfokgYU3FP9SPlCoICBNIwHQYDVR0OBBYEFP/I\nwaRMliXcG1+iSBhTcU/1I+UKMAoGCCqGSM49BAMCA0cAMEQCIGuI5obC8x9pPbpW\nNmtC/hWWXTxBA7+EmjlLqp5zLyGVAiAplquo+bzZpJA2VOMJoS2otxrkgNXL8EYw\nffpzjrZMyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKPS5jGjYi7n4mFnyRfjc/LDJadQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOCyi+wRKCao9u1oy8BZdrpThw2GDJBmOnN51JpwUy1L\no9G07P/EnXFVMYqGrWbFB4bldlclJH7k5DDuuHchJhGjfDB6MB0GA1UdDgQWBBRe\nstGyOrYLAyUWpSA2XFAyRTWqYTAfBgNVHSMEGDAWgBQEMnR7QI71mKXA5KDRooGY\nNK1kJDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMIuv9/eOxpAEd5HVbcj\nJiAqp8I392nEGVCQqgvTaJVGAiEAiUfVRbvCY4Nb9Jc1GJ4k8kcWdiW5lOeRwEyK\nM6qmpRY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUHh6+TCHfpV6SRMidL5lF3wpJYCwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKbojsb0RVfVeA4gH69Dx4FOdA7+p9H5NBwUMSnwaaFv\niOCccGQlzTFA7HkFhg8m9U1kIiqMhQD4xANxDv7JTkSjfDB6MB0GA1UdDgQWBBTj\nY0vwDxe4LkFJo/byLuaKcFQEkzAfBgNVHSMEGDAWgBT/yMGkTJYl3BtfokgYU3FP\n9SPlCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMyKtM7+4u9e4E+AANXA\nG3R9mL9yambt6SteAhswVUPUAiEAwdLa6paK26igLT0n693h2bm1o4P8oXw1Uma4\nGTDeXNY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUPXOD++WPomK2Sim103IvoxN/GsswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiw4Z/is+4NQZztaNXHKDUe/uaotEHt+LvmPpc\nJeM7QmE8K3HQD3OvastieGqJHIvlcaf4+L5HoeWA/z8/Y8Muo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAZMD3YfKNHDGa4M6ciYaRmW5TKSoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUBkwPdh8o0cMZrgzpyJhpGZblMpIwCgYIKoZI\nzj0EAwIDSQAwRgIhALuV6YH2IwI31WSRcD6x+9ThpsPN1S5LMuwzK44ipgo7AiEA\nlH5NRxT6fLM6PmMiQPySsWOx0JTkfRZvE0xYmE3fvA4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUEXETfC9S7CumjG8ReN1PvPgHcJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNhpOzfpQYsy32DblF+qmg/T3O8+wEe+DkRSdb\ni4KrDcEsSTTgaJF1+dsCW6yh+HMEhdV1vH3ZPG0GSfmv+OgGo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFN/OHhhS50AfcTxnl9emGN37bmn1oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU384eGFLnQB9xPGeX16YY3ftuafUwCgYIKoZI\nzj0EAwIDSAAwRQIgAr8UMM9cwKs/PAR6AXRZjftJcLqkklYwcRVu7atKIz4CIQDZ\nflWkNr47QVZKWf4klZb/WIaINd5Uc/0owilAu3zjsQ==\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD9tSu1oBDvMwhkUdq4mOGHYuEWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+F/AW1qzRQOYleOFYAjH3rRP6Mu9WJtl3G2XeVaj1D\nPCh76+rhSGqYUmUfIEWG4l16pFJhKixcxOdLyenlJrGjfDB6MB0GA1UdDgQWBBTK\nDglkWVMxnvIqPr+pktzpvSs03TAfBgNVHSMEGDAWgBQGTA92HyjRwxmuDOnImGkZ\nluUykjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBUIak94kx1X1cnKSMWyQ\nTRT4YWYy9m1YXCYqiQxKIlQCIQDFO6uKnky17WKy5puIfob+DBnnVb4V4DvvIw5T\nLNkm0g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUPLE6/z7jJRd8jx4PpT+lWUdpaRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEQx6N/6qkplxImYzkW8YTpu+DYHWc/8bFCeAJJejMC+\nZjBJeiwAvTMfWiZQvZGb3UM2D/+9IxTRCblCBSEDrdGjfDB6MB0GA1UdDgQWBBS3\nRR5Pfn1ji+NBWkmU4sjrNaEJCTAfBgNVHSMEGDAWgBTfzh4YUudAH3E8Z5fXphjd\n+25p9TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgedmog5VWwpRGV0VwZ2aK\nlN0BCFt6j9OIdcKaYckL4ewCICNDHhA5sV8Lfd7hOdVs5yFAMItzJbd55BVN2PIN\nqkIp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGT5QLJfpbD0OZ0EZytZDN50s61IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKinAXl0tGwluOmPW9cEAf8NaGJUDQ5FXytJ49\nvSnU4yrYOzM0BEcpav23QWRt3G1pFIxi/Jw/znQ2/3UP0UkMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEJFoQBgVrv+pFJQA04YhZdK7p1MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKfnb153xST+A7oF/sjfNWKo0MATJyIGXF7y/Fzhd6vtAiEApI75wwdl9jJAcXC3\nhpT2z9FzJkKQbW77mVqUoFqowwU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEUuMJvIJXjx/dmyiO6vCstNcZ9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARshoPArxe2c5MhxDLqIOdyxYuyRu+TaG9sLjJs\n+MSk1TfUGxzjykH39+gK3zxUvH2+fItt7INjIK9kB6LvnBxLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYFbw3R/RC+4BeAH7pVp7H9//6yMwCgYIKoZIzj0EAwIDSAAwRQIg\nGxLp9TNf7arTULTZwcYobHObBznfbqRBeMpY5nLTLT8CIQC46JeU+R0OEtvW7L3o\nTVwCAQtOHSFu/lyV7kQ7QBSdgA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUfrUWl5p2j3pykdsqusGWB864v3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDiC/mVqA/xb6c1gGARkbCcWL/2wPsgjCwD1GVcx\n0yk6ICiUnYUwcCIjRD3DPtpMJ/X3rxut9Yiq59nfB1qUKzejfzB9MB0GA1UdDgQW\nBBT7AKYCvjAOKcnqYQAdyDKpBm1JIDAfBgNVHSMEGDAWgBQQkWhAGBWu/6kUlADT\nhiFl0runUzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoSVlTXa3qr\nKHfD5H+Ebk8cwe1ubOqUFYsUQ4KAcrljAiBgjxBd2wmqkIpl+0EtVd6tPN2COqfs\nLO/0s/NjfWX5fg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUSk0cKX3aJNpAzLdIYml34zjw1fMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMrLSmTZn2SsyR2q4XrnDd1xQuxlOxpIcwBynMY9\n3xFz/2HBy1OKxI6VY1Uu5iTwhBlL2dePiNlsGc56wP4VnDKjfzB9MB0GA1UdDgQW\nBBTzCVjEfV0x0gCrIGZrDF+rEm9zaTAfBgNVHSMEGDAWgBRgVvDdH9EL7gF4Aful\nWnsf3//rIzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAvrDO+tQXdgG\n0pB/P60mjVI5bp0UmaKb0OobcOT8e5gCIESZxAXRdBo3ku961MAcwf2a2+N58/75\nQqMYGvqdKQYS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCtD3myeO9znDuMjOr/7Gh7lQIywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATl4FbRbFqdDvzqPVfS6riOc7Kb+6i7MSxilFls\n0++EsASQJmhS/jwhmsrJJhBwf9eGetKbkMDftHgQakF/cMrzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxUlehvKIbZzGRCTwWY10fTScqSgwCgYIKoZIzj0EAwIDRwAwRAIg\nbNbkiGrZZvjzJ3iWVWyBGYGjFibiIFTcDxc0O2zVDwoCICoKkKLEJiKRXbM9uMtK\n6Ml6dkiEzjOw1Y7x0R6ROXNj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmShdC2NchCO+b738Fi3WbgKHSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQXLMg6Eidx0TIh1CVZelnl7uWw2ARDImXr94S\nRDsEPET39fTpzDnul7LRZbCmLDxSZU4/6LikZLCUt7ODJDa5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS5reCvB3yz/WL/+19QiEywEYyNAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOCyTjS+LXlnKMwjAABc6wD01E5m5YMnpYinhJl6TKn8AiA/tRSyE0B7cSfHlGIf\nFR1aG1/7qXOsByEdXQtRjFUNiw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUFCBJpjC3npQkebZ6cIkrH+LDHsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABADMcIeafv/YxjEKcphixDODmAJH/9h4tqHXI5jYts1C\nWsuMHHjTR45+T4YPvAue56N8MHowHQYDVR0OBBYEFPJQirisCmmOsrijIOWsgJC8\nWDhqMB8GA1UdIwQYMBaAFMVJXobyiG2cxkQk8FmNdH00nKkoMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiApcy5LT3QKCnOSrbXdWSAZhWMH5VpKsXBSempVL3zx\nRgIhAKWOedFFEzH43jdp7xJVopzaYNEcOH/thBg8dB4LIofC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUMu5zN9TF5AheqfTkJDCK3WXjwMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABHRpOQBgnDFZJjtjE5oh3wFl/gAFe2PXkSpCEMaS/Yya\n6oI09yICsQExoBWiFYKW46N8MHowHQYDVR0OBBYEFFvBnEhseMqbZf423FOzLRQJ\ngJKlMB8GA1UdIwQYMBaAFEua3grwd8s/1i//tfUIhMsBGMjQMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBF0eYzn+BWK2mE0HAFxB0tFawejtkThuZBgI++eNVb\nGQIhAJx7YFmAyx3ZY2UuFiC1GNU3SCTg5gQifcp0dtXvOsZ4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSQlhtkmN+KjzTALaB+xKq58qMfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS80xuzA0xfw+6tZlY4TjTBk/b68XIFJfHJUxt\nH55y3fwkszm2q1w5ipz6u6g2I9kGcCVjsPT/nz67mw2i0PAOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpSShG66ADe6To7C4zUsgfD9X2DowCgYIKoZIzj0EAwIDRwAwRAIg\nFjsy57s5UODRt+gs83J9v5nP7tCWECFw7EJZit5AC0gCICq6DdCijyO5TPVRuiYX\nRPn7hyeVmOwK0O3Iv6InJYo9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCbknu0/DPBSrFB7ipudhzyPELYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQA4nv+1wn12l/pTnWxK8S2h6fKIWhss91NaPK7\nXuY9J1eyjVR/K9C6t7rrWPTCpYRZX+pGXz5zrlGnY8PQNIA9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp9zanCsEGAjOvjk3d6kyDFIzgkEwCgYIKoZIzj0EAwIDSAAwRQIg\nVu3rEYBkCRvX3GFLFUDsY4ZFmRemDPSkt0ifkZ7S/iQCIQD+SH9kVFWMX8YO2nsD\nRdjGhXWtIlO7IXYawTDmpKaKtw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUYeVppUmvj58kYoOijWmTKfAHcxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAtTsZOivm1IIHcqRedfOyokTIjG/UjDZoja7QNrNQ+fQ7\nEReFpjEMt3sRi82IoUM2U4d789CnfizxQ7k/9M4MgUm6u6LCGuSbfLGT79cLpWqh\noJNN+3WHdWeE9ceYXyh1IwhXP2byCRamoxmuQsn9KZNXTd/jMfGnavxX8+2L0zYR\nZbTmQJB8V4+YfbsTpF92IkYZCXJlL29cqcRxXAOFzO+2W6d8RRDAqgC4lkfROTAj\ntbZXLShbsPxgVdhzADZhJFKBk2eP3TvEWtjGjJ6Nb1ZOFtqPJ6wpQNMQvk21QA7z\nHlPCWJMb9lBvnXrj9oT203cP46ZcnibW5AplaFbZGpqLLBXdr66eP7+2QQmgEGKa\n0QPqfiGVDr2TOS/1Q9UMTn1v7DCPrePT3n3Nee4IlTgxOtnUxS5IfipF997dBYDN\npXYg6XDPuwihxMDBG/yujF1Oc3B11804TI0RSF3++9IqcvmbC3XsfHwwOFif0grX\nxkRB7ieXB45sxMHlvR5lAiEAxnnPqxGKqNpps4SKHJ2iFCX70zH3wda16U7iYz6G\n4GkCggGAYd7PGpGh7tMMJdU16NzYQ8hnLgm/aHuG8PDQF1R1HZ4wvdd6wSXXgmHm\nV31mQJAIU4UaOv+8YQow/nrirMFHTIZp2DkV/3d3xY8k6hDRBoR3Vo8Vm/7qq1UC\nwKqJEHIR+qE4ivV0FdmFFgrn6SGbAUhKC3PBtZkzClrclFXVhxkCnbscWQ2OECnP\ndEpPaJcMxvIT5Fit1EmrMSH708/DaPtGSL97Z50OEOma9cokfpXXHkti/WNGphMG\nNmkZ9a7KsZ6b9HfiV6heDhSUev8Cf4zRxwALW8D0exEdDKvkvl+zrH9NG8SR1R9+\nyhV07N6VtmRnk4LU8oMjGEqW82Ape5V1N1JDSR5i98XhcE4hoYomRGTJAoHl/qND\nCHrU1qN6xPQZbfB1x2bt5taiQPJaN38OHnkvAzan5UMP7KzYJxC29NpOBBBJp8X1\nUsx3FDW9l31eG0DL88XnzClL9x7wONu1uXEaD+uBgvZOdk9lRK6ZpYCoJu8qUsc/\n9YVCqEbcA4IBhgACggGBAIQcz2P4qY+Stav9EaPmtJJF8IsAuJxD4RneAGaINl8G\nX6BqWZBUBRUTTS/8RxI7L5rPPTlrWpfowKU2MvAxHL+TOgfVIJLUbF0+FqiI5+jq\nWRZnGumjPQn9ibLxD0qc6kAysK9cdT4r1lc5Q2kpBVH/qqQZb5lPNxv58AeDGywP\nL27Id9BXzIPTL4XsGRM4lD9UoZ/rpimYIiy2AkJAPXHaYnWJzZnBXzn2lQzLSRCv\nGxTH13QYK4fX3CREbTS6TxICA4RYk330NLS5X5xmkyEpyFtrhyhacbzS9HqsmkED\niQsEJ6wQXchV7uujuWNzPdCGYWpS45vG/UrWRMgQa4EO3pmelSftunMYGs/Pr6SF\nDuWXe+79dHESoAWum+91fYp+LnCs6XyvFMZRYhFR9vQeFIi9ZTy3CXYqqfpyXxEy\nc0eGbDg577N1iCl0WZGN19DuSCDckyrzmC3lpiZefjbFbyWiTeSRM6h1no2Vz3W5\nuXS0quQUXgdzv+2qmMiU96N8MHowHQYDVR0OBBYEFNNtW5WSJaNBbSokV/w1/5T/\n6EDcMB8GA1UdIwQYMBaAFKUkoRuugA3uk6OwuM1LIHw/V9g6MAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEApHLbPr1kd3njuUdPm1S4Ev2y06fPZ6oxaSmva4if\nlq8CIE7kWEkOwAA+XZO9wAiI58IrYLejKnfxDv38g6NJ/AvN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGHzCCBcagAwIBAgIUchzavMS7DfIsGE3orr3716felw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA6z555RWXuu2eTEXpCtGBZRVY9+xSpFh2sJMcLoshDLkq\nBVubTHu99S3iIHRyqKcdJ7RrGkMyzxLd2ebalG/ob9uA+yglYnXK8lQLjtlQisUF\nW943Q7D/dE4KiKt2KxWoD1UsUn3I+qkH359Me/0/qtOtsKuv9znU2QL52d1Vb8Ju\nkuWcuba2DvUIO8q1iG//ogr7S5cJcidfzRyYBUJ9LtrQnl4Fqo8WpoQW2SwvtxL8\nTcwAvCdaghcgV6vuIM0+U4yzCKk/3Y1lBfWQw88baP29uy4x9f3UoHp3eEfu50SB\nZ/ex5Q2lbJ2NTGqGpnrM0aHrQRmtnbvekxnmUU828Zvo5sUFVo4eC5DzU2rQfjhs\nndQ8aHfp7Y+4bBZbI0VvsiJcqld8Ezny4cU+T0c+oj/TScn285IhWSva/yV7YJe8\nRazEFkPjjYE7WVhq0e/cFpedyDLroA5KVetTT8Z3eB109Ak//CdSEobSMOX97USe\nKZgQoLk1jwNIxoRh+SjNAiEA2M91tPaGUm1fZuZUYukfXxq6h0ztncungMHBSPPK\nllUCggGBALb0xsrEzThspRGxFmpXBpdc6CYAajJqCa63WumYWl90jovQFhgwlPq2\nmAGtTB+VEXXJyzB5Q7J2WtFXEx7qrwVH9geNN9w5MEfPsHrrqPFjvnCX36syy98H\nyVOFaB2HswirPjWALPWbfsU7wvDtriy7b1JohS5R25ITg53FScjdcaj9dexKzzss\nHCypaTHWlnuSP44y1uCrSDv7PvfIB6I+PqskYck7pEqHqYf9p7z72jPPWhpY4nF1\nxIHHGCnt2bSCjGMlPNbZtzzMzY5A+UShjZiW2Mo8+TxtFEcwtZsP8qn4Db216evv\nV5vB8EMwVTpEtzNStcupkVr7/lCel1XR2e2YFPV+2vPURioNDGFPg4RQptM/tkdE\nibvv3vlSUxG6DAEABdWAosy4OhG3cVQQIpFsEW242QGmDSYPsB8YX/6oCfe49gqG\n/yQDc912PpRAr+qXHxxxVuuQ/gq0NyrG35JKOEdxAIJB516tZAdyH6YON0ikEQGM\no/tOPNdHUgOCAYUAAoIBgAWtheRH78lGOmW10sVH1jS8QexrJ2wrW1yvW4mQnMyG\nYy59heg4kckoIFQZIuZ+xt2HEx9PiV944l+Fpkap6hts3vXhQdYd9FbdrombDFdI\nF4EgdxxmFSO/l2b9AqAssw0h4WvwF7/kRTYZsfldHlC77RtKqiw5MmXNL6wPPewC\n+1GKkIeejSIb81Xehu+r7mawRaqmVjUB1GMu1Nglw+YVml6i5UiLKE4m6AdMQ/T6\n077QKoeS9Rd2/xSi/ATjsd2YSJ4QdqwcpZU6pwq1vtoXtyG8mT3TQGt+f8eH/X5D\nde7afBo7XxIGpAoQ2DT9xQSxqfVSrQxh0y3rzF99JsfWidnQOpdrxd+XVlHlHazy\njc7Q4IqVDULR8sCnIBUoT/
fBbi58HICdYODuRsz2KBVWTMQkGG7dU0neA2d0Mvay\nt7dOksxP4+aM4/9UziqTSwvrS68LzWu3jz0U23d2soGfB7r6PDcFnmn73CTjMOXL\nbLX74kH2jJiK5jXOjV9P+KN8MHowHQYDVR0OBBYEFHfyvEzW+sOQyMjfbwHux1DD\nEuCPMB8GA1UdIwQYMBaAFKfc2pwrBBgIzr45N3epMgxSM4JBMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBJiTp1RuZzHT+krBk6Mcz/Xpn6yLuN7PWTxrBSwSWE\nTgIgGSI3XpKGdvC4/C8dW3C8NiRT13vy1RBGB3Y+FAaAMsk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1776,10 +1797,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUVoOB0g7uezvnDUYVR/GqoOnPj6AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQCf872e32Zq7o6ZuNWwhpLZe5x/gzHzgujTlasE\nEmyWfdBOCFUX3kq7BbWD64VK67UzEsyQsnKmrkFol859NcjkKV3NzvuFOgCN091O\nJheWmKbusgnPZqXtp9e/VSczcC/MPGFzrhLBECn2YFSfeVSzFazbhRtcsEFTzyQ0\neSkaSg9WBAmdZhA56Fer045udcr5RUwDgVptj4PKgqIX4msRKfddNh15rOF5POCQ\nIJ9+KA6O6yfrSuYkujSQdcPPIBsLQxLzYIqObIHVrOEOxJ31DrEVNOOwe5Wmo539\nzAHZWv6akCRBnZlf/cpXVAPl+fzGUInKHpC6i8FhyGXEYmPIWlRPCTyBYIy+OQhw\noh66/3WJscZ7zN6rOSd0PDM4J74RLELxNdylImm3oY/x6tqRdKy7US61IiNO9gts\nZbQFXEkeUAh3LmoH1+MogHGU6aqM/t8VnEIJQKhgNB3T+9TkafCbqTUoxg0qPKv0\nrwEHhxdDN82r0PO81ujbOdOkOYsCIQCp3EBwjt8HPcSzSm1yqgYWxinhsIvtXgtV\nfmJvMapwdQKCAYA5HXdUF824FBAmC8wg8MWXzeYdHRdW5aUheDX5C4Ri4eFtxNqo\nJlf0dl0aT/WokcX5Z4ymo+PV7z0EMJ7YWBbpLtmau53EmzdGpnbIH3OHwjwlg5kf\nQJIMqVs/4ke6QiJzgPrUpQc0NQ2xZlXqlume64o/uN/MlP9noD8MFq79VRb2hF50\n6ddH/xDPr3VyW9HG5pRKVawDclg+0wvYMBjbgrkjRJ5kEQKRqkapDHIgARZeOGmO\nKH89nyABMXckC57f6FpZydM3ukdz30JrxhyjbTWmuDLRiCdQP5b5ISAiZ1RGk8xH\n/W1GobBRDKxYkNUMeUB8QXB2yFvz0+bTM8FZrBEylU/zP5IUOX2rj6m+9iQ5wvfB\nDvA9a3c4ICvVzBIEK0S4kBXqvfVS7h9c0RGmQVOVsglIyBCtJKJTSpw70WL1tek/\nYhpGTKV5ZNuLBY9lanp92z9ZbsfV3etR/klZQQR8XmK7RKzxod4Ar/65+9kAkPIg\n3OkHD32LTBI7+iYDggGGAAKCAYEAmC/nATqWafbTyMpVEP06lUHoLx8YYHLtrjLl\ncz+CQ9ufSVUkdqcYXpqjJyd800AX9gJOIK1vehuFP6JrHrBH6Ya9sm1+3rbMgF4s\nThlii0DYEKr3fJmwrECiCdSPNiS7HUxMWoA++yuNI2Oblq8mEpiLLpQcYLWwyxD5\nERaoFJWMorNo0Zz3x+fxt6Fo56yvKerIDu2L2MriucCYlR+DYHAQGDPojIffQijd\nwLGsm/FMxHi8xJceJw0zLpacEX2IParD/kSmKssq7K4GGHnkVYAMHCc2gfFnujDs\n9dCPpDwBvtKy6nYV7k+sEC7fnZcg9on
m0nRXwnmylnyeQJYoJPbSSR9IlZi5XsIS\nt4snBywxNoPQP5VmZG6KntMq+uc6vXOnvx32xAZf+DougjhcsgkvbEG+JusL528S\n604VoUF2ydM7i8hnQSqpwMIo3yt8h2EvHOQcHzjffNyb/jMyuoejqkm/ajr/KM+y\nvb+jpTajSBVSdyP4P7nQUtD2COgwo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUzLi90u5W\nzJQsjkhTU1Gd87xHZc8wCwYJYIZIAWUDBAMCA0cAMEQCIF9WtJ02UtETgCGpzVH7\nSECT3GX0ZW/NnhYkEE7nOUPAAiAWNf7ETdfc9N2M1E+4PadoK1WD1MasLf0B69yU\nseodzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUHgUw9lylcojLoonpqFBZNfcI3bwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQC2osSmdqbLe6xrUHOUfYMsgGsTAtiqbcvAGs/p\nFHL1sD85c9nGymDwsaHgCFyZvDQn7vuUFbdPPCGvuFMV15EbSP/Ve1y+8BCmmxBW\nUVHj26wcEkIaYNrLqzuW1y2iizplGj6awGKD9QE6O/qZb77VfaGmBMqF3/7tbM7X\nm4oVPnWYcA/t3xTVRn+kLKWvtZhtB4aul07xJDHd5felS7lNe3heeG+0So8lSeF0\nff0KFSBPIXzO8Qwegqq1KQ5xt8s830Be2d7CqRkEp23FD5srRoZCYoyWgxfiJZfj\nB/zG7ib+vZDWv+1a4Qog4uGXv7LeSJXwA/iKmwuYNyFUbZ2RtQ7uvn/KQdwBADgx\ngdXCTZJhY3798ef/2TMZfENybO2QwmfXR6ioZjMom9XIALvV0rDsdAMKnRMUXbJQ\ni1JCbMTtwtiNnzYJqqjm75Pn8J2imOKxJ0DsbW7N28EhRWvI3EgS7MatCkbumFi8\n9Ll4/bdvNSgt5jf3dwTEqsWuFIsCIQDkuXrJpdMClzjAqdR/T0A7YF/Bp/zGPyC6\nae7OjSKULwKCAYBRwXqE4LwuVsKPP6lRJVdxvwQcH0JNJ/wQNKEBntSyZZXN/PKc\nbT2HuoHjKM5wOtMdjSWIjczANWdMY6fzSskz/j/pjpotwyLDWVGJ//iZmUryatgc\na+IU/hyQrKD0whw3i0q2XQXqDuaBxeEqfwGG31MJgTr2ePG0V0ZSsval/1wfkUXp\n2CsJnh43BA3Mf6w361agllDCw7hqjdUx+osIQbi+MT0StWuKt+dHRVS7Yqw8ddk+\nZve4lecufQLntFq9pTuntvjV0xZyUO2VzlM1q1p/jx10uPopYBxkCC3djjWOtYA6\nVWRYA6ShVZtj0q5VWi/AFyJ7st6i9JwMaSpyk444ApRL9i/RBISyZ4MHEFeFyEnj\nqIZtXuEFlvg7xOAdr2ndELVPCkF40dDM6vm2uFdR0eRo8CJMnZfUZZHccKqviF+5\nQ9fjO999v0sBdGm8Sc5Fr/51/KbqwdpCz0TnTPktbu4EsLemgJmHYQtALmag7dy1\nw2p+cQKbKdareuQDggGFAAKCAYB70tSjh2WDI2MOgbIIG9rIl5c+WMp8x9PdQeTG\nKulpV4FeRPDwTw7rjqKW5WL1z+wGjDz4k9dTahKF9UTpC7jPPQdDNOK4xW3AeGil\nq3r1lSM/r40MDNt8+kpBLa/f9MeXErszLRfx+WXma3Z8DZ
J5H8Yxz5DegAgeJszB\nY8DoXHuRW+GiOT766r7tSWkWiqdn4v5Gasqp82P9hSGr60QFpIYI9Ra9W2tJqrQr\nP+FI/RtILTOGG4PUJda7Fvp3P1mz+QquyeJ2HS3Fl2TI37wVVSbg85YEIfM+Siio\nN8myAq9x1hQAZOdBxma7ZG4ZlixOvD6N+DN1Tsy/523T19DDA93Zx+vNPxl5LhPx\nzntxD/838V6QNwWLl/0o7g3LC4NDhDKy1OouQJHvL/RCn8z6CbwB3gQ3AoGRLLNL\nB7lYoFUXoDYz9Q5qTvwyAbV6PKok2fTDXZoGz+sECmeAl84J8OXexvaj3nevKhd2\nhavWe1u2KDBHMtEZsjvR6OGprsyjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSG348XbJ7a\nAsEImq/LA0l7DgKwqjALBglghkgBZQMEAwIDRwAwRAIgacvZZMC3P/ZVB1gZKZi/\n/F8UNP9KUJwtQNjEUSWFO0cCIGI4n2RWk0+yaTWjStyiH7IfZG1HGCyEiid19VAr\nHJ3K\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUViMOAzk3g7VM2Q28cqBLHBXRrjkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQQve+ypm4ALnKncVzhBCsNS+IAkcYHUL8p8svyOYvm\nEETkzWQds01gJOs/K9xdQnsamgYe3OQqajeGFCtVWUYto3wwejAdBgNVHQ4EFgQU\nWpK3bX4rAdwsH7BFD0LOSllcQWAwHwYDVR0jBBgwFoAUzLi90u5WzJQsjkhTU1Gd\n87xHZc8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiAaj0FPNnN8W2sUdgA4\n1kBMl43zh5YklDixgExPHiNNwQIgD/CyV7Ysuonq8ZTkpvWLSxdJ/BpC1cch3YlF\nEnbAI90=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUbr5JAskZFASivT9haEOdY88ygPYwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATJvxv2tNjckag5uEljg4bBj2D4umeT5S7SUPj2G2bN\nplv6tm8BU8VzJ8+IywEYbLC/d1TELbJGhoFOx0V63etXo3wwejAdBgNVHQ4EFgQU\nrqs660T4F7cKz4wPjtIXpFFm/j4wHwYDVR0jBBgwFoAUht+PF2ye2gLBCJqvywNJ\new4CsKowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiBuzwItJIf0pEh5cuMT\nH5uoiLFbpUnvMclyeUjVe7grbgIgYRjiad1Y7iqlrn3fRsoT2lbaA7e/RBrGyarf\npKp0J80=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUawRJxKPs2G/CHK5kQ5K7MVDgwacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7cK6l5qY/677aeAZouMTAdz2vbiE3mfxoCm6S\nqpZRqjueWsmsO88UQqp5+WzMVK3FP1m+gX2T2XM2VvnbXlRXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoGl6QrvA13ung9a66JKWvk9KCQgwCgYIKoZIzj0EAwIDSAAwRQIg\nExlRCdMVhbHUtG37ZgzrEJdaXNMnpAjDT/eRQezV56UCIQDTjY/5a9q6niT4Rffz\noxgSjHlK3oa1lk+DngZM2KZ7fA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZvPLfPw6lq7f79lQOa6FJFvvff8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNDDnkyj189XjUw903rTikGTg2vUVMEM5zp2I1\nS4yrQ5bP18n49TEW3Op90Ap4I9jSdIKxzlDNaT5J1mtJNM3Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWtOWkAWldQDkHpv41RM1OUU83wwwCgYIKoZIzj0EAwIDSAAwRQIg\nVE0H+2kPjtzkCD3PqfxxdXhdm5l1pz1MEJET6uwS1rUCIQDGDhMA9U0o48/tZCzF\nwjfh3QhvEQcxv/hnFckPbShp7Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUTwSBPwFFHqekk1lzDa9+OZHRQTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAh+IV3btRh3tf6TNFnAie/F542vsWA1p8SuP7rA1lALSx\nxMwDvTBVLRf4zv/Ek8u+Ml3Lbbg3esw3AIsVoXnhtSUGyX1tIUPj7HT0GyVhhBjl\nYWecS37sE4djZQJT6kRhhKJrlftXDYbv4oT3O7ckI9nzgwxy+IkxQsp2sZ08KIg5\newnZkGGsbV8wAkl6xuFHul3+Df7ZYumh9YbmFbLvrLizlUY47OvlwDSoSpBD8GWA\nbPA6QOL2sOSX5nscgHMNpmxU6AKnWRaKD+WTJ9kyRbdKpWPNQa9dnB6Wd4wA+z8T\n2+VrUbaydRZ7cKkbb5KDZ8V+K00iN/diYhtF0ZY+iNuI/M/GbclulUS8xqv7eNy7\nvNtttbdmoiPT20oAlp84XLwTvTWBDpx8HWPnOBp4ydtUhozcl4RqnOLU6x1uvki2\njQsLDvwHPxKhCD/GyjhKy9l0KxaMOHUAWUI49a63U87UrbT2fy7OypPcBEyEiqt/\nqVDfiK5/olcjZ0VL7PfBAiEA+xxjZHGC01R+BNX2Us3vT6BdTLNHq2UC8usxcpEk\nE8sCggGAFIWztX32t7+r5sIPD3jEecRxYvZygz2/lYzsn0b8XdBHduTwTHbouyha\nKUcbdipJN61nmw6FNrHxVd4UZCK6zQfytQf391EMZ/XobdJX5aBuEX+fnVkQ+iIo\n1VYTuGiKi3nHGof7b+B2mrNKPuiT6alQOXQlPoJB4srjYVq7osJhOZ7XQuPg3O1N\nroVyKW3N0eXA6WJztREjNuwqEtjfeuHofLA0WhFRjhh2GhFFTfh14L9QVYE6RgKA\nFONPQEb1sqhh+nBmsAyalxiFEOkx64Fgc1sK8zTHplgEuTm+QHmc6vZpv1iiTRm/\nEOFKvZUCBZKAtu8sNdiTUfmw6DcL5vnloxcg75+K8n99bhUGcdQl4Wc8kgizRdf+\n2gesLqQ+BzyWrI9oWslW4PBFe+upnn9KMd/GMfr6DwHvqX2Z2EUpmXYwAoX4Hd29\nkRa4ZAsMI9F6iBhjtHgMHiMRO6pVabTB8+rWJg7YjGLPGgLiUIF6zYhD4lut9VAa\ns0QGxHTQA4IBhQACggGABzLDcYxKAfW9/y4tiRSgRJwx1Gz7rpVxAmzBVGfG/QaF\naJvY8v+YIoWe8bCBpoFQzTU3FCTM/TO0gQO0vnf5QdZ9nDKKM0XHRfaBeGCk6WpO\n3oi4SEUNZschc4ShbBIRmLGYkaVYn8TsiK6EJZqiUkAKBYP4ijaBy/qincPxj/Hd\nIObkThw94GXOlWYfHxA/9s53G62td621IQ9vzqWj2l1sz8CzOuT90UWD+fGlob3J\nuZybw0Biwb5zJDMPS1P10rBTcPqUJyRZTrAV8+bgGhCW+BZDpD5PzjRo8a9Nhgow\nK5GlSttYM54ZzCiBPMq1c5OmgKlrpRjJRL60W04YJIkqCsf/8gLO+c6j7XaJl9tD\nqXLINNMd11iT2UYUWyRwLyhq5YkNTpLnbgS1gIpTzhtgr6bvq6biClO+SYs4xhB0\nHwDK+NDgAjZpGXHnXEqxeXyPfNM7DJPZ/gqRu2EUwKbKf3ifiGknqpPTIgFEYIMX\n+tvYld3APiH3hrSu7aLTo3wwejAdBgNVHQ4EFgQUnegIPt74xjXK+CoaEH926GOA\nbVswHwYDVR0jBBgwFoAUoGl6QrvA13ung9a66JKWvk9KCQgwCwYDVR0PBAQDAgeA\nMB
MGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIEsleLAKC6uiPqmvoeU8omuuvdP3w5bAJUYy0p03eFE7\nAiEA0Y1F3hn1u/YRaFACsAi78072ukqIYSzrMz5vb7nRmCM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUc16OJcPpTZe3/rt+XQqFLrQpv88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA3a6FLJi18M2FONGZhsghtxpm++SIaDZasqANdD8ok1QX\n7RLh63mqvzS0Dd57GZoxsXY+N3vfdTud0P9b+AeUPad2Q8+1E/kdWSNEDnAdUxv0\n3ztCN2eD3TqD6Qk74trOge3rMXkbddFdoe2WLgaoifscN2m2Ce1Lk71tr9KNVxJz\n9V6M/0BW3xzsD9MsU7ZbzHLpzl+1UBvi0calcoFMngnbqhueGSxcFEyu5Dpw6v2l\nweQ5hvIBWJ+Qv8f28WcB0WLkv23gfvXs/1OlNOhCzX9DitUCyWisEtoDy/5WWjrt\nPbidsFd6fFd6GXepWjmlQ1oC6IaBCgVMp18SvHaaZx3JE7wK6wWfQUfVArHO7UvV\nZ0IeJyEIggGlvhNFWKwP9x8dYtqKFcF5832oN9qufMNtQqr+yQuCqLjDN+NeruOk\nBjkbzYeJSLqIMjuGMDEvibYKnq16h0Zt8hSheV+37vJ8cHTSh2UHXm9Kr5GrT9XJ\nIo6sPU/BzoqH2PqZYVJzAiEAmpuvADZyYohdqZ+Uo66sZIqPb7wWQzRpCtrRYCZE\ntYECggGBAKEnrynxLHy3wkRrvBdVAOOYClXwcMEJ+HNjg6k5JQmoZCenO1VGw/qo\n2NKBYoCFGfvtZC7KGctqGM6CMi+ZuAyqxNweHX0iMACLon99BDzNwhBQ+uBlLzKK\nv/i9/EapESwSDMf99iqZfE2YWrEb9g0fCsMCVUfm1Mt2Ophysi2BphS+TM0O/49N\nsm5MFTkgT3NS0vGjX26zkhBnRtL7QVjcmDe+kBSjsLO7KSawJ0pVE9igeFi+HG2R\ni1nSVAN8ZM3gadtcBnoDiAKTCZT6c4qNMxQOEuzChWTkioHxVlgW9xNntW7exP9E\n5ZRGP5iN1hELiGMhTgss279+k78fM5junjb9pCfJvcfUddPg1OXemjHP6VzaPPE1\njnWG9WATH7mm8tU/YrVL38cHsZhLX5VO7uHBot6uGzR/9dnY3YSWIe6Yze1rS9p9\nAHFujpEMexE7NKLXs8j8SgBfqV8g0EygQpiisPC7ACYMzWRuxMVEZQxeeuDGOJv4\nP3XsfsusbAOCAYUAAoIBgB7NPRwK5AE7NALBCVnJLHFn3YrzxWAlFxubCs9UzCYL\nWKmA3SjDY7DNked43GxIVXBfk3kKzrFHt9HYZ1bLlul2d84TmMvm5MORNrFZR/9K\n9KX3A+JhX5jd6BxUdps/9H/qXEbH4p/l1D+Q6XS06Y9yxWpmLu6kfYO/bPhOGjZi\nsC7xvrC+Mz0MelcaK473zYMFK4hHotYc0y9rnNAn01TUk5GL43+2Rri01iQXRl6v\nPj3ErmlV7g3L2eL7zKiadGCRRLedofS0tUvu2DC1NpEqhtVnQj4RYWHTMjtzymZK\niCpGbbvY137eQuxXtrODxhGdrFIzNdaff+8RnZ/0ph3+izIZTxRuZ2vqbPe7HKox\nbGB7sZdDB4inSGpupxVG64
3LEutKpb2V7920G0SSGeVawPzrIJmJAifUpExz4DwJ\nIQzNw8Qb4KII8QddV1GVDWosVJvNzjB5xTDE90F6gLfavBquNBFdGRWIIcWJeFvy\neVJ6Vb4EiHuINynsQfe936N8MHowHQYDVR0OBBYEFPlq8WKMY8xRFspMbZH2S8c/\nt7rPMB8GA1UdIwQYMBaAFFrTlpAFpXUA5B6b+NUTNTlFPN8MMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBBDglWy71g28Gkrji4OCn4eCsICqFPolvkzVigQUxc\nYgIhAKcxwoGFm2bHKZu2pAqxE1dXX2pHBmYxk1884rc5q7eq\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1841,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfF9fdGcDLE9079CH8otDfbcaqr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASigEQ14HuHwuoHFgeXfDxHmNz90Uyq+OutElWd\n54V8HP6xRydlNl7ZPIbUkDhHFRFg0nkvesJe/JMMdY9x5Xcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIrU0zPqVeM2kGcZEpWXwGWiC/YUwCgYIKoZIzj0EAwIDSQAwRgIh\nANYWNcv42Mu3hHD6Up5l2GLNuNxUBH9iM1sGHafd9tc/AiEAqYdJP1KyTumSDruI\n/mEC/pUtbqzxo1tKYf+cSjdFvpc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBQ9ew41caaIlKsEgaFlRK/NaqlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7DvCaAmICkS7L3Eq5BIkdyzQDcMRAuf4fgVnH\nK/i6GfMe+zrpJ04PxRQIAOVUOpNIJcbIZP5nI3eP7PeGQAnco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6f8OCLmy9vbdyuODEBvj/611Y2MwCgYIKoZIzj0EAwIDRwAwRAIg\nARAeJ7EI13A+RmQ7TF1cqbpcG8VeN+CMuAsP8NA1IBwCIFgrSomKYqRNsEnqg2m/\n5+IQD7PBCnbyhoYrWlRK+pLd\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUSvZWM8y3EBtRydiOjErLo7J/YpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhuDwsoKcpAT6JjdbcUI/C2te4+AKr31UuPrEsaU3jf\nxgGc/N4wc9n/WOdxfRQ4GzAV5lFRwyFoHePDNi7ZTIWjZDBiMB0GA1UdDgQWBBSC\nExsxYRDEj1Nz/JMho7pdikP3jDAfBgNVHSMEGDAWgBQitTTM+pV4zaQZxkSlZfAZ\naIL9hTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgEqAadFHKGeIulQARE9B01oU/vVQC++7jUzft0XUN4ZoCIQCtfi6r\nfx699Bsj5Wv94vDVsfu3aFVvoFe+5PXnZ4vTEQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmTCCAT6gAwIBAgIUHOlcp3c5qoE2jqHqoVZsOakqrDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXegC+pt03DaeMrQJj1re0xnm101xLPXZelHhHNHV6Y\nMhun5nBXQCP9IL2gCc77wW+ejeKLblhR28gQm8Z1IaejZDBiMB0GA1UdDgQWBBTc\nKoh8I6/V5P3xueBjFPbj6MpFPDAfBgNVHSMEGDAWgBTp/w4IubL29t3K44MQG+P/\nrXVjYzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSQAwRgIhAPtwiA1ThWJEMvDhgT00ZnFv8fkVizsTZQBmBKsIRAAOAiEAlnv5\nfUExxVqdn+CyJ8RecYsGFTLwWOS4lWQotfpgprs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1841,10 +1862,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT0jmyPMDPb/+s4MuKu8EV7XVvTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2ZqhSyxz9PV1KU+bWulsXOInD5G4OEbSKi4Zz\na1kSQ7FGcFpPfl3vGwfoitSKio95pxqixls+KgBLw4RaMdOuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/wSsSbbymoJMJYOd5yVz9GcOMOgwCgYIKoZIzj0EAwIDRwAwRAIg\nXdupys445JTk2rq1cjrAqr4+XVoNqZLHck2RzAnpZ1cCIAHlFeAW2BOd/3qXX73G\n+SvFzQGTa4RBZAoyTycaq6pv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIWKYUjKhcGpkUp4Mvd5P4e46/a8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRbOWD0upt0Eh6o2/AS1DgVMLNS8CC9w+CMEFP\nECyku7TnekrwPvPdvDk8ztL/sp94ojI+KGikcoKWFVJaKA+bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXVy+Y1+SQ62gMObszgwdLVXeUsswCgYIKoZIzj0EAwIDSAAwRQIg\nZ7Al0uLLSPjF8NvYBP7GjDmz/ulT4lvS7VfrxsvbeoMCIQCB9i0SlmSNA29gMZBR\nWMirg5sEESn7ZtgX+wJcMMK1hQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLDCB0wIUDYxqo6Ak9by8t9vqq9DdQV84W3IwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMzJn7mtVV5UTn7LmrBJy5iNmEXOzcc/6B0sjgfMM/9FmVeYKcND\nG/BQdDpSGTqvP0krYDDh8Ro6HKEPtCe5+SswCgYIKoZIzj0EAwIDSAAwRQIgLUyq\n4KAlSDDLJ2ndIDZMEjZ2+S3+J8VDoli9ndue1i8CIQCFkMc5awr5VTtBX2g1dHnz\ni6UFyzWIwYr7QOS3SQdvhw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBKzCB0wIUGH0J3n6X+2QKfThfdm3W/cTruC0wCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMlw8OL8lcbzbS6u8eyPETNnMT4YBdieAD0oqpnDCZ7JjoKU/6zX\nk+hJMVzaB/RPxc5D8QiscSoBylmGe2ttSZQwCgYIKoZIzj0EAwIDRwAwRAIgWSWI\n+inzJFea65MuJrY+N/Rzb01OItvY8ma3iX82DQMCIHluVXYUwPlrrGzvDLDiTG58\nIt+dRiikpL/tP3Cc/91i\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1864,10 +1885,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBsA8hHkFjKgir9Be9rm+tgH0+DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1e17LH7jcChYw6woPXdhsj2NYcO58qK5JVIHO\nFyZ+zsHvVaK2wJeiWaj2Xt3irGYCmKS0P4mQy6mqNkFS9x7Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR5PpeUdNsBiftB0UCI57CrTfaXwwCgYIKoZIzj0EAwIDSAAwRQIg\nIN5LuWI8P0jlgN0sOLg7y+t5fU4A9AFW4danlURTtB0CIQCAwJPZjfdeH4O7lBl+\nzRQrG61oo1omq7tsJxT2mUMf6Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMVu2bT/jtUT2Md8TYr6IqpBSLsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxE+ZkqRK7KBGO0MhW8smATvZAPO5nTKrNj/Fn\nfOVZoeeZqiBJM+tW73na6f5tVCGE6zCUSobERU+S9Au1EaD6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUACmIRInz8AQdlTkUc19xWFftUlQwCgYIKoZIzj0EAwIDSAAwRQIg\nKGtYdTMrfLSzD7NRsqjSvecZgECUU1fPEk/L6CgqNW8CIQDy9uVsHUketoav4Acu\n3QxGP+ZoxAR+ZSl2//uYfhNIKg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUdL05dRF1O1VndV7JQ3dMIRxchdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFF7ftRZgD3PTAWbTx+vbJ0QrHkL7ZbL1PZSMi8nbzaL\npEtVfZa+QWL4+tonSOy6S0NSLZ0PHqCXXzG4bKrMnUejgYMwgYAwHQYDVR0OBBYE\nFGYvDm9r3af4N2oP//1JK3luCsloMB8GA1UdIwQYMBaAFEeT6XlHTbAYn7QdFAiO\newq032l8MAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiX8FZe+p\noqIndhXRjnQflMf6WovMNLLamQWFARwl1XgCICHxNGY9DlIRLdJu/fCDCpxRVllp\nJarjvX31Lqsj1Z28\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIURBBuUdvQUGeHRQAc5Rguz1AFkU0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJNxLGSfcO4ze5n4JWOPc0VPXD8Q0HN0wYls+BwDrVZz\nAuYAu7WMGDveOf8xAtmfnfH2I/Ktx7sumRihG3sbD5ajgYMwgYAwHQYDVR0OBBYE\nFEFp1TjXzW3C5oVP1KbuIoagHxyBMB8GA1UdIwQYMBaAFAApiESJ8/AEHZU5FHNf\ncVhX7VJUMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBSjZLJhd5J\n0infepAyZ/UliDsyL/CD10yaCVEh+Nwe3AIhAMXY6hwqLa9NHiNq/sJdjPjMTbwf\ndj+4V44MzZWUCTXm\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1887,10 +1908,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUar5DHt4vI4wFXbwwM8U7yAfNWI8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfHcV8yBNVijRteGYzIOrzKfeSDQqM15e7Eb/v\nTspXQaDtWDBfe2LU59ro4hYoPatydxI9ORRkp1fso/BHpyCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3HQLj/x4byn/cXNUxo/wqDRuSvUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOlE3ACcR3xpgHjz6AIH3hgs8SeptRNEFbwd53C5oT3AAiB5B7PQ96ycuKW0OZ/p\nUJqH2tyCVy+DZZXeY3jbJS4F2w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFHBrdi+GX2QfzPbzbchNlLI/GeYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuPzTtvKv0SDn/Hnz7MHb/Oa6xyEl4fCO4nAMM\nycGdDuifyPS9myXHcSQcr6W65qQxvcVDA5+Xo91vMnpzcMeMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJkyhb/TqB+v6+xu9qjQTO4/wdaowCgYIKoZIzj0EAwIDRwAwRAIg\nBT2Yis0sZoWSRCImCA2pqBoZHp743U9O6YsJ+qjLvZcCICbgXJdXvYfa4dMjFKBj\nOHO8M3uZkcY+IC7XYBKij1Wu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUHb33M7id875Kr/HaEYJcyGkKoIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNEtMUBB5Eds1jCR87yQmLA9enbz9ZqRhnBR+JrcQvQw\nop31lfxrfS93Gs8qIc1JyeJJ4BnHFmdMB64gUJEcHSKjgY4wgYswHQYDVR0OBBYE\nFFlYnoTIUVNis8Nu+67OdrGH8dpwMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU3HQLj/x4byn/cXNUxo/wqDRuSvUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDopT4N9AwUu9Zt7tif9ge67RYEOWx+UgmEM+u777ffRwIhAM4kOSi+DD5g\nodwWmS5Pxa20gb4oyMRS2vfNTLKR/Wt1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUZmC0cBCWNwVQ1h3BTC4QD+G+iWYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAFLVAM+W90YZpM1J5rnRxYsC6bxLFSXvbfcbSWrRHPR\n9ENKGCyyh/nMpbyZLwGqL2BFt8p0B8px9v+WD3nWqxujgY4wgYswHQYDVR0OBBYE\nFAuuROZD3YjP2vIvR8FzJCzmODPiMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUJkyhb/TqB+v6+xu9qjQTO4/wdaowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIFw5BAjWlQw9Y++V6PvWcGQnSAhBHrA1m6Wp0/86tJg7AiBnK52OpJCCXUeM\nnsouRcHFmINKa0rltSIpjzBcI6NDcQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 36654c1ef634a4fec1e8f44bc7a012a53c363282 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 15:19:23 -0400 Subject: [PATCH 052/155] lib: remove another From impl Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 36d37dbbca99..4a6c71558ba0 100644 
--- a/src/rust/cryptography-x509-validation/src/lib.rs
+++ b/src/rust/cryptography-x509-validation/src/lib.rs
@@ -39,11 +39,11 @@ impl From for ValidationError {
 }
 }
 
-impl From for ValidationError {
- fn from(value: asn1::ParseError) -> Self {
- ValidationError::Policy(PolicyError::Malformed(value))
- }
-}
+// impl From for ValidationError {
+// fn from(value: asn1::ParseError) -> Self {
+// ValidationError::Policy(PolicyError::Malformed(value))
+// }
+// }
 
 #[derive(Default)]
 pub struct AccumulatedNameConstraints<'a> {
@@ -147,7 +147,7 @@ where
 .extensions()
 .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?;
 if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) {
- let nc: NameConstraints<'work> = nc.value()?;
+ let nc: NameConstraints<'work> = nc.value().map_err(PolicyError::Malformed)?;
 if let Some(permitted_subtrees) = nc.permitted_subtrees {
 constraints
 .permitted
@@ -197,7 +197,7 @@ where
 .extensions()
 .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?;
 if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) {
- let sans: SubjectAlternativeName<'_> = sans.value()?;
+ let sans: SubjectAlternativeName<'_> = sans.value().map_err(PolicyError::Malformed)?;
 for san in sans.clone() {
 // If there are no applicable constraints, the SAN is considered valid so let's default to true.
 let mut permit = true;
From 6bed9db11e197a516f0f6e3d4654bca9296376e7 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 3 Nov 2023 15:24:18 -0400
Subject: [PATCH 053/155] vectors: bump limbo
Signed-off-by: William Woodruff
---
 vectors/cryptography_vectors/x509/limbo.json | 405 +++++++++----------
 1 file changed, 192 insertions(+), 213 deletions(-)
diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json
index 28a708d8c650..60d6248132ca 100644
--- a/vectors/cryptography_vectors/x509/limbo.json
+++ b/vectors/cryptography_vectors/x509/limbo.json
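Review bot: The conversion from `asn1::ParseError` is commented out in the `@@ -39,11 +39,11 @@` hunk rather than deleted, so five lines of dead code stay in lib.rs even though the commit title says the impl is removed. Delete the `//` block: the removal presumably exists so that a bare `?` on a parse result can no longer become a `ValidationError` without the call site classifying it, and keeping the old impl one uncomment away works against that. If a reminder is wanted, a single line such as `// Parse errors are mapped explicitly at each call site; no blanket From impl.` says it without carrying the old code.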
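Review bot: The new `nc.value().map_err(PolicyError::Malformed)?` line in the `@@ -147,7 +147,7 @@` hunk, and the matching `sans.value()` line in the `@@ -197,7 +197,7 @@` hunk, reach `ValidationError` only through the conversion that `?` performs (presumably the `From` impl that survives in the first hunk's header), while the `.map_err` two lines above each of them wraps its error explicitly as `ValidationError::Policy(PolicyError::DuplicateExtension(e))`. Using one form for both keeps the error mapping readable at a glance, for example `.map_err(|e| ValidationError::Policy(PolicyError::Malformed(e)))?`. A short comment such as `// A malformed extension is a hard failure: never skip it and continue.` would also record that a parse error here aborts validation instead of leaving the name constraints unapplied. The enclosing functions start and end outside both hunks.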
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIULbNy4121O8Nibg4uxcS/WXOURTUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3VODJYkMG5SbhlKFSi3PT5+LUuNao+mE/Bgwd\n4dxeUH7gJSJnlCbuuSvj45UuUAdvrQy5aJweT3kxN7gh6kvfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzfg3ciScsDqNeJ5JPfR1tMVZc0MwCgYIKoZIzj0EAwIDSQAwRgIh\nAPFBdzuFL7nZeloiuoNGLocGxShhU+EuJo6XnTfxJQrOAiEA3CEmB7zYaZK15a1j\neIiixhjCB87pNlz6ttKHLGdUz5g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeDOfH6TQd6lrwbDqdm1gvWRDyjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFoctIyWe6+s5WyDf3zRyHCrQpL3EzYUEvhFac\n7C2Ka4XWFZy+MtrZIL2nYhUs7h8p5SQAXiGskrX1M3bn0Ymzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUunJOY2B6qHcejeNU4g3aq9HV7KIwCgYIKoZIzj0EAwIDRwAwRAIg\nH1hBVCXT55J5czXAmnoVwcsM2UtGAkm9xDTKiJREYeQCIAu5q++8d7qQ+u04aIho\nl4e3/8cDfZFiKpxsWX4SWxFD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUK8RGlQsGfmyLt5EmqOKoDNSV924wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyNjA5MDY0MjYyNDY4NjI0OTMzMzU0\nODgxNTQ4NzE3OTI0MTYwODU2MjY4NjQ5NDkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE5y7fQhZzdWKoR8IRy3m46LtlYkjJVtEPOetIZ3leRdYdHIcNYKKWWHr2y6kcuf\nTODit3JzDkb5QVB72njNDCyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFM34N3Ik\nnLA6jXieST30dbTFWXNDMB0GA1UdDgQWBBTippUGmn4KmjWgwzhqAbT04mqz8DAK\nBggqhkjOPQQDAgNHADBEAiA5mQ3t/mbIna6vPndm9gKn0sZ4q9aEeVPZaVDuzYZ3\njAIgb++xE90/mP0S67IF4PhGwcOFniV2IMEcXCgixGwAOoQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUe7YRR2chSV2zaBz4hx3pG7mvsAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODYyMzAwOTIxMjUyNzgxNDUyMDE0\nNTc1Njg0OTAzNTA4OTY0NTgyNDg3MzUyODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ8DrnsyiXqrM6AmyUx4qV4lyogiNSAa3GN3lzkdUSBEkJez32142GnaSL1FxcQr\nvdlFr2VNcqYuYQQnVKWJUVGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpyTmNg\neqh3Ho3jVOIN2qvR1eyiMB0GA1UdDgQWBBRHx94AaTGw9WYmsNA/olG1KI9M4zAK\nBggqhkjOPQQDAgNHADBEAiBW1Ysfoyc30OX10qgVOFqpQoEiiPBmfZV27q4Gr5Lz\nCgIgEUY0MqP8YkQ/5Q0+xQUEUSeJ+QlRjoz6Cu7t5/g2yqA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUKlRG8pw0bP2Ky8+ikmgg3AnFAzYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYwOTA2NDI2MjQ2ODYyNDkzMzM1NDg4MTU0ODcxNzkyNDE2\nMDg1NjI2ODY0OTQ5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd99+\nhlkQWElDob4L3C3UiC/irceNIkQIYpELVnNoTgJVYNyq995muBLEgFBgw1XM2Fmn\nsZwfCPFyCoa6h2RrnaN8MHowHQYDVR0OBBYEFCcQ4Js5Wbc5OuTg4zJvZlXbB7v4\nMB8GA1UdIwQYMBaAFOKmlQaafgqaNaDDOGoBtPTiarPwMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBQ49U68ssvJv9B7LHQ0RQ6k58SHUSXgVBqtpcPQ/V0DQIh\nAIIQMsDVOf5cznbEjyHeX3ipk4UvxqRErPhDDmNo2BRR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUA8n6iMCfjp80DCxbpdeOYFcQ9K8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg2MjMwMDkyMTI1Mjc4MTQ1MjAxNDU3NTY4NDkwMzUwODk2\nNDU4MjQ4NzM1Mjg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/BeY\njjPekxZXDNM23xNWaGAe0hxgay2I086thMlHLlxWyp1e+KRXOQsGbNkbDro1Sm0T\nrcRRAbbyjgiJJqZUdaN8MHowHQYDVR0OBBYEFLKq8Ka8v2VIIaCvTZqmQAiRIa0v\nMB8GA1UdIwQYMBaAFEfH3gBpMbD1Ziaw0D+iUbUoj0zjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAuo6Wrmfw8XZObLTNtRp5WXYsdF+sldBK43Y5oYaebocC\nIQCxBGBUUW8uufwN0uSL8dmaagKA5rFEM1BgLPUzQd4/0Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNTStm8/umPWarblZ9idhhEhzitEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJ1YhXujUZpMLB9YN9QYa5ucwA0uwuPNboEN8R\nheqxEhukybTDwjPB8RuOpAG/KZeiuFhmTytOy+NEfk/PgnI0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxYubSXLDDgOCRdbB6Ssvnu0nsZAwCgYIKoZIzj0EAwIDSQAwRgIh\nAO7hLETNScgM9qtaMqTzir2hVSLGX8rWjfpl2lB8HhnXAiEA47NYcHYYfonfa69I\nk8t6BYfLxAQ2Xaotlx7Rp8Nmg+c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD9A8eU5+Veqz8CPSFaEBTNwijccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTNPQfeZHFQ+Kb8Pe1Gj5jnWy7cImvRxFNj9Ty\nOn22nlNUU4yF+lOU3wELfQCryxD4lKADSWtJCvnIpG4J1RYYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQgSxyQhtslHtGl9IEmAVRAbAMAwCgYIKoZIzj0EAwIDSAAwRQIh\nAORPJFjtbmoVdjARJSLdRoggTBf+t22n+0qfCBSfj9W5AiBej0krYaG5d2JoWZqq\nvp09xvkH1rN9ncs2GmgaVefTvw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCA8uvEcnqV8gPfckjaRSC9oiSoAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMDM3NTEyNzMwNDk2MDkyMTg2MjA2\nODczNDIzMjMwNzE1MjE1NDQ0ODAxOTczMjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPbZP+weNwyqA18yUSX9cOGWrctfeK3Chxt5hj06F9/6PDGdPGqKqZIXJrWc4NSJ\nV1TkMnTfTyAHgKdERgfGabWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMWLm0ly\nww4DgkXWwekrL57tJ7GQMB0GA1UdDgQWBBSh8HTC/mkG5kQWyN/hIBudUfYRoTAK\nBggqhkjOPQQDAgNIADBFAiEAoMruls6Z+sEEFSHC4x2joDn2I491kR8GckiEm+0q\nFKECIEL1yrgFYKLm+O8N+Nhvoo7VdXYQKYyOfnETXC8diNYQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUClFpbA+k+KwSlJagYKp6B0rudXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85MDI3ODY4NDU3OTMxMDAyMTIwMDU4\nMjc1NzI4MDQ0MTAwNjgyMDgwNTQ3OTg3OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nDcAGLb1HrYj5r8wwOJBsyGa3ggMfFjWVlZ4h6M9rPbmdSoT+5R/Y4OO0fAImejUO\njZMKxuPM2DmqtWkgFV98/qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUYQgSxyQh\ntslHtGl9IEmAVRAbAMAwHQYDVR0OBBYEFCtq7TS9zrwwTXSLi98eAmMIGp8eMAoG\nCCqGSM49BAMCA0gAMEUCIQDIDL4EWi4xP09E2Q0vu0s+IxSDQLg3MOJ+yfRlrQ2d\n2QIgbPjOEZ9Tw7SZrGthqHFnaWneyBNJ44wPQKyJpuShKLA=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUWUp1oKcwmFKigCFGVCp7RsqSZTkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAzNzUxMjczMDQ5NjA5MjE4NjIwNjg3MzQyMzIzMDcxNTIx\nNTQ0NDgwMTk3MzI5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Y3x\nuTrYHLEbcmJdOtx5+OtE7Q7O+Qp7eXPmULishKaOKATH7tNY9jSPjRmRf2n442jX\ng17VgHVgOOZOqNpMC6N8MHowHQYDVR0OBBYEFNYiFbj6ZyD71LFkzl1kaV4o8vBW\nMB8GA1UdIwQYMBaAFKHwdML+aQbmRBbI3+EgG51R9hGhMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBDvbMtjRhM03vHEE9IavmSl8DQV+6zRpsOT+jKBMlA+AIg\nVkJt2g/fhOkkcI4q83V5Ss6tcDwI5kDy1rEoSeOz8GU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUColWjp9YKqsliG03fbjPWf6ovSkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTAyNzg2ODQ1NzkzMTAwMjEyMDA1ODI3NTcyODA0NDEwMDY4\nMjA4MDU0Nzk4NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWyx/2\nAtSYNoo2eBiJBwE8jPopJVlLJ7jdV/7orkkG1y0WLBoNDMI2UGeA3na86OIJfUMz\nE3ejIHgCku6SXWZTo3wwejAdBgNVHQ4EFgQU2OsnpCvdLMNO39qvL4JWQSAlfRAw\nHwYDVR0jBBgwFoAUK2rtNL3OvDBNdIuL3x4CYwganx4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIEu/gygHEfgs1y+3lD9j+CdY4qpjqOx41/FWQG2E7+4CAiEA\n8ggiNU1wCyBeE8H0YaELtA2+GKwjp8Ntdoc84PoK7us=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFe3XTelPfUWxCEpQttD580mtnEkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQrZ0JegxhwtUQGGIAtq8cyHzI4mmBbXgwii+cW\naniSki4LCuHprU+QGTlNXsjQgkqrYnSsH9fb/+RY1JP4tNAXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUi4Wv95uRYa/saavKfLR+KBY7bkEwCgYIKoZIzj0EAwIDRwAwRAIg\nBYen28ZrP0eYYA1s/dGAWBN+SbwpasX5xMkljlqTBMwCIH7hhvNTJ7cGdl4o3lzC\nXJ+3dZtF4KNR2m03yY7YMzHl\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNMD8eU3r5hqvFAcUkaT70uFKZkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSsLC8mZUoEGwgBxPaTvxqEe15ptGXaZstNXV6\nKEqwls3Cel0RMKkKKFUIGYeVmQgmLoemSokLZ2s4OzPh7d7Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGKvf23q3fPCgK3gBQj/sglQsS9UwCgYIKoZIzj0EAwIDSAAwRQIh\nAJF7sm0XYXYPsf4RjLz0m26KHewiyjcE8DKtZSKYtjZnAiBMTmNQrISKmGgd2RyU\nt+Xq2lDsfMlFZdAhZbqWeVVMfA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUC14SnxrWqFqrMbPA39ga8IKJxD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxMjUxOTI4Mzg0NTI2OTI4MjQzNTEx\nNzI4ODYyODM4NjM4Njc2OTk0MTE5MTc4OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNKA8ADXjzMe8PbPEBjVFiMp8KMwegJeYgwiLhW0KJROpccw849QQNoSeMuWFI4x\nXaqZ6hWgfxpVmoh8e8rnlK6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIuFr/eb\nkWGv7Gmryny0figWO25BMB0GA1UdDgQWBBTtQE9kUfcVcA9ae+IJRRWfhqQljzAK\nBggqhkjOPQQDAgNIADBFAiEAvft7hgjwCNC8+zrVv4ORtW/Cnvg2Mclwa5N/RzDM\nmRICIGB9vaP6M74okNPw+YSJnLl3VTcOAPy18+b3Y/Ao9yVw\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXlBUUinGoG7qPZCS1tA89/uDNcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDExNzEyNTY3MzQ3NTQxNDg0MjQ1\nMjY3Mjg0NzczMzY0Mzc5MTczMjIyMDg4NDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdBhjI7RdSSTCqgr8Bi2TGqsUkd7hUb6kXURsEyGkfeksValuVVavcoZSdnzOd9\nPudWZHy1dK2B61NUQXUbg0ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBir39t6\nt3zwoCt4AUI/7IJULEvVMB0GA1UdDgQWBBSxpvcwJ8hLNRuO1j5Kp153iPDVLjAK\nBggqhkjOPQQDAgNIADBFAiEA4cuBBRt3ninIrTlszg2uxJmW/GNqgO0/RuAy5Piq\nH0ICIEL9Ek4lNxuQF+FXtDOxMM/Dz0rjBfXl7OHMBuM6fsx+\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUATlFHRKpwMNIAITbZNYHpmme5hQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTI1MTkyODM4NDUyNjkyODI0MzUxMTcyODg2MjgzODYzODY3\nNjk5NDExOTE3ODk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5vPQ\ntkmNYwmF3p7PJnpMRExyQANGYAw+agMF85qoBb9sKxPStsGdam1EwHwXQ79YPMt1\n4UH8OyKw7vzsxal9QKN8MHowHQYDVR0OBBYEFI/XNPYXhDDnnJpncliw0hq/4BdC\nMB8GA1UdIwQYMBaAFO1AT2RR9xVwD1p74glFFZ+GpCWPMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBWNcGmN9+2r3Euc1+3of0BEaK3COVQ2ua7CDduMxynMgIh\nAKTyJV/bV+XG5/8H6LKxB+2UIYD99pOH4O9piEVl4vH0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUCF/9A8GCqSG/43mNfBbhjmjnAbowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxMTcxMjU2NzM0NzU0MTQ4NDI0NTI2NzI4NDc3MzM2NDM3\nOTE3MzIyMjA4ODQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8cmZ\nanI+5MIFen0rOyQOyUDHSwXTRdf6E2JUz7aRyP3zPdL1i1BdPXeFu/yM2VW5K0TO\nUoXoQZYyF2uQQEJlraN8MHowHQYDVR0OBBYEFHuzWTaOfjGVOMX2dVXxyQbWIYN0\nMB8GA1UdIwQYMBaAFLGm9zAnyEs1G47WPkqnXneI8NUuMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAFEMoX/70fG8WeCrxsf43JdbUaaTNPNuiCCUmU9WojYgIg\nWMZUpCFeTmTGtXf7/fC5UBYwzXRuawGMx1JZkVtWICU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUQbTskheVYpk4aHAGSdFeJ4lD3/cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATm40X19j0Qm6GnoorbkMRBb/fZQnwQdKKvRYPy\nZS65Dy45dUmlhfJjgNpEF8TECcwxztKFjPuDPE/b8QvjtaOxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDeOQwRR1kkP8L9xEhUiN32K80qUwCgYIKoZIzj0EAwIDSQAwRgIh\nAIhg8mVoGAnjArxVkiYjx48hD328kiWW6Z2HPWuOw8h2AiEAvIjs7aa7xmpgo5MP\nwIk2pBKzdl3/U3iaiPqyoq6wBCg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH52oBPt5N+2xZ9WVNfa56DNbrRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVDkXA+JqBEBJ0HsxisWoltw8PaUmT+wX0/wCN\nCPzoCHVPSQSggtx4KU3/eBE7UTJldW6Rhr87sHsaFrDftKPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG0Gy6Kli3Pf+R2uEYQTQIEFLvwowCgYIKoZIzj0EAwIDSAAwRQIh\nAMK3scRFUaQttTf1MDXESgs2PAqLRgcTuiyxVf4ma0z5AiBs8ZiGrc8eV3QycSqI\nt0ryRHo9xJwDlawLaa9hGmO8zA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUc7TigBzwarM16sruuvDHYSrswgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNzUxMTkxNDI0NTEzMzg0NDMwNjYz\nMzcyNDUwMzQ3ODU0NTU1NDM0NDQyOTk3NjcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAW5UEDPiwNaDI+qaZp5ZLi8LmR8k4PDE47fo/jiNNOrIoIJ1CQYyFlvJAxKuLAg\n8P8Ml16Km7DBDTYxYsVsMISjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFA3jkMEU\ndZJD/C/cRIVIjd9ivNKlMB0GA1UdDgQWBBQaRr+g3wBTGEGkfdHy6yNTwly4+jAK\nBggqhkjOPQQDAgNJADBGAiEAqq8W/mVnyK3bZd+Akpz/Gjx5PupV10QtA1zz+2IR\n+GMCIQDpn3szAkjyZXBy/uqWAIDNqZ1NIpOIOIiuTBxeNJ6Vaw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUO2Za463NQ/HSAagZQmLu4U9E878wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODA0OTQ1Njc0NTExMzk5NjU3MTYw\nNDI3NDQzMjc4OTk3MzU3NTg4MTA2MjMyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJSjp/y2/6m66sMkth4FuZET3x+VzVAm3DmSQJG2FFq5ye++mik3ZDz1Io/WF6z2\nz2SlZb4GO6mnAokx96Dycj6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtBsuip\nYtz3/kdrhGEE0CBBS78KMB0GA1UdDgQWBBQvGYH33Q094WtRLOQJ7LlpIW62ojAK\nBggqhkjOPQQDAgNHADBEAiAkcihlcjf6TW4BXFmhwBAs1sjsNBAn4zXJdTPUdEc7\n3wIgbWMfs93M++SqfNR6IIElsCh8Z+M5lmo8wvvZ9saAh7A=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUeJegCTMOMhMVaU7cFECpqhtdGpswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1MTE5MTQyNDUxMzM4NDQzMDY2MzM3MjQ1MDM0Nzg1NDU1\nNTQzNDQ0Mjk5NzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY2MDU2NzgwMzc1MTcwNzMwMDQxMDEyNTA2ODIzNTc2MzMwMjcwMTA5\nMTA0NTg5MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE51n8i++1jO5vxbLAsUJ08gvk\nlZmdCpgd37wNDXYhBaJ0mvDLybXoR5Cz1tm6WqsO4A6llFdj4Os8Rf3E04grPqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUGka/oN8AUxhBpH3R8usjU8JcuPowHQYD\nVR0OBBYEFH7mZ5vJaENyxkoOIx4bvvr8MNbWMAoGCCqGSM49BAMCA0gAMEUCIQCO\nmyFASq4k0YQg/oSJn84He4gR1iNaK3BluWNE1QP+zQIgT0kIdPwxqHxmFAdlg9F5\nJ8YXUIQrF78C93UqV5wfOA8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUD96wVQvo2MsK5N0VvGaF//IqFRwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwNDk0NTY3NDUxMTM5OTY1NzE2MDQyNzQ0MzI3ODk5NzM1\nNzU4ODEwNjIzMjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTExMzA0OTA2OTcxMDA0NzE3MjYzNjA4NTQ3ODUzNjY4OTEwNzAz\nMTM1NjM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMPSuxA3nKLwSwyBy4l1D/+4\nnfNTdFXropfJ2YGRdQamxWk8UnlJNhANjLTM1VdwhC5DMtKFTkkJ/525n65A0KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAULxmB990NPeFrUSzkCey5aSFutqIwHQYD\nVR0OBBYEFHz5Mmszc3jtYocxKB/64mUMLmhIMAoGCCqGSM49BAMCA0cAMEQCIEZY\ngKDE/gN5VG/KmQQSQ7skd1wKNqn/3ueEvsOIWnPHAiAqkhRBQhD1VM+wb/HF4Cfa\nhrQ/lQN14G/yApSzpWR+iQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZoPilQBFVHLNCJddyTxKQNkye88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDLM+qDgHRAcZ9h5ksWkECyeiSWgFXniZgU3x4\nwCABq/EpVGhTttYElaUyvrPSKpMQUVuL3NU3m9SBDUdPkNPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyKS0cPQHmUdxQCTGYfI8rtjK+dkwCgYIKoZIzj0EAwIDSAAwRQIg\neBaWOzfDsE7e7a//btHydM+pg5aPprex1UfTsC+e5P4CIQDBhkc4r43Vg2KMZnAY\nHze25Bc0w7q6OcV75MjnWGnjMg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHOgOT7CrTGnTllQNvQs1/yjuqacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwf3bNt9SV78TcEdFlTL2aY/DU7NCbzagTbfJJ\nVSeGZzR7hcl0JcP4NfU1P/BBn36ZWpWF1Cd0oc0qkleLxWKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLl9gOpBReM9UkhjpC77xU3EBBQwCgYIKoZIzj0EAwIDSAAwRQIh\nANG4apbrPgi8g90thdZvf1olgDibxWfINrG5fFxoFPO6AiBWa/2i5FYPTrtracUD\nSg3uB8cI9FGvSI8eCquFa7PPUA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUH5ZH9q5ZqzfLdPNTpp+pftZO+jowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1ODUyNTgxOTQzMjQwOTIzNzM0NDAw\nMDU5OTczNzMzNTMwNDcwMzIzODU5MjgxNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFx0LiYeU8bs1+YGTWaECcf/n1KwYX4qX7uW6Hj3UPFqlCxH4nlIqTMCRWhR4nut\nRQsXNqjBGJ13/F0L8LYO6vejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMiktHD0\nB5lHcUAkxmHyPK7YyvnZMB0GA1UdDgQWBBTBQfjXATVWvhxvaqF3hYgmGcxSsjAK\nBggqhkjOPQQDAgNHADBEAiB39Nt6WaWqVQ4ULC3414OyOCCH1mSfnjD5/A4OHrV/\nEgIgEsZeRKmft0PgOST6j+Dhmfbp3rPdfaeeSqPfmAVjcSA=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUVLAngTiwf83+0SQWwbMztYcIKHIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg1MjU4MTk0MzI0MDkyMzczNDQwMDA1OTk3MzczMzUzMDQ3\nMDMyMzg1OTI4MTQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4MDMzMDA5NDU4ODgzMzI5NDY1MDM3NDcwNTk3MDk4NTQwNzMyOTIx\nMjQ5NjQ0MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmh5dLuGpuUsHVxvimdv29u4R\nDVz8A6xVUL6NcnltMPfhUUPcOuzwS0BvPD8Aa1pmAWfK9SnkaFGhbny9nhru4qN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUwUH41wE1Vr4cb2qhd4WIJhnMUrIwHQYD\nVR0OBBYEFEx7UI2FiB+excRCtKAe9whFsOyGMAoGCCqGSM49BAMCA0cAMEQCIAxk\nGXbjjb8UhDDklVMkxF5ZvUvUxMu8C5aUjIWHV1ulAiB5Z+3xzm8nw5PKp2ikR++A\nH+AgXaH1jTCS9SIwlV0B+A==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKHn4I7IY1oR0HzZXcy9Q44MPqIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjUwMjY3NjExNTgyNzAyMDI1MTM0\nODA2NDUxMTY1MDE2MDEyNTk1NTIxNTYwNzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP5WtCIP7pSWFnUPQ1RMyFeCHbxWEq8E9ieoH5FKhx5fAQ30HVkWRcLEtABgmTF9\nGKwNyYxJDLzFzGwb7aCzfMajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBy5fYDq\nQUXjPVJIY6Qu+8VNxAQUMB0GA1UdDgQWBBT/PRRK5gRO8ri38K0PG2BHeFbCQTAK\nBggqhkjOPQQDAgNIADBFAiBJycwW9wxuF+X60QECdrRnkUPw56M1wsha8A4GOMY8\nUgIhANY7AiRY8vCI/y5FNyY/h21WknoWTBuzwLfHUMbFTHqZ\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUOyuzm2KGuHjiEzYBb8l28LtABO4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDI2NzYxMTU4MjcwMjAyNTEzNDgwNjQ1MTE2NTAxNjAx\nMjU5NTUyMTU2MDcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzMTA3OTYzNjk5NTUwMTI1NDQ0NzQ5NjY1MDAwOTA2NDA2OTkwMzM1\nNTQ1NTYyMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu5X0t0KSysSmh6j0Xo3+IUYZ\nauYlVCz+qwsmy5CqyOx78q99BvQLOx4hRKRjERz0onzIAlPIwhJAjLKfPbRG5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/z0USuYETvK4t/CtDxtgR3hWwkEwHQYD\nVR0OBBYEFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAoGCCqGSM49BAMCA0gAMEUCIQDa\nEyOffyasA5OIPgAyEI8DfuMNaHtozZ9zVAWnRQb4yAIgJj8awEdUh/Y2W5RfC7J6\ns7bjnX2saYUyF0n7RD6bdcM=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUXRQkmh2xcJDQX9t0dLXtpHx0MeowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwMzMwMDk0NTg4ODMzMjk0NjUwMzc0NzA1OTcwOTg1NDA3\nMzI5MjEyNDk2NDQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLiz\n+CoGeRmp02NA+S7d6yejmx6Tshabu6z9HdFFSFzsychjR1kPeJfjogvTL/++5g7w\nbhsQ3PzCLLog6MLLj6N8MHowHQYDVR0OBBYEFGvsGhJIu290Q7KnktRmRtcZV6GR\nMB8GA1UdIwQYMBaAFEx7UI2FiB+excRCtKAe9whFsOyGMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAsNkAj+mHeM9YDLtc9NFa8SSFmqzKg9DLpe5MdomH0FUC\nID/KAl6fi5RRtNwaAaB9Y+G+88tQV6Q9vgd9BFqGxKpW\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUIwupQexDqdJvfuBFw7oVTJveQGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMxMDc5NjM2OTk1NTAxMjU0NDQ3NDk2NjUwMDA5MDY0MDY5\nOTAzMzU1NDU1NjIxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWfXI\nOcC4w0U8m68y1tXJJBnk1pnyxGt/3jq+3ORz6GTEd9BsqE+wSdJbpSdDCgvS1F5R\nH5GsMdMxDAgMkPV4+aN8MHowHQYDVR0OBBYEFJOggKZ2aliGzDnPp51PjHtj4Y7q\nMB8GA1UdIwQYMBaAFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAo1qMHU2jh+/i4prRsVQwRt4BVYlh1c8GdaUGIEhEmRUC\nIE1QfuqhqXxGTf72QkRW186//D3gqQwUwOo5bRBY9NB3\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWsaF6E6Er0fTs23uB5/+nOI9AfMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQKH1Bzj6+f/fDpJl9Kb4pnQIuO77VGoeT0Elv\nWD60mDHEe5Y/5eVXFt9OzFoILIM/wcCEHR5xx1k0DdAmO/uuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUITBLtnQOZYwrG7rRoX5I/xZ1VrgwCgYIKoZIzj0EAwIDSQAwRgIh\nAMkoR3V7MqPR1zx+3GyFyYq2c/PClOaz/fs1/DWk7hRDAiEAoijK7kufGq+3cxUD\nehsaGzAx9j7ZLpX/MZJ7/XtQb60=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVyl1U6Myw90up4XuE0dfNu2iwRowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1rMqpXvpFXqPvocF5KdGnFIh9iriuG1mU+DVk\nctBKFE7cIm1w3Lfq9QLx9gChq5nxUnkrv4O0izZsiKZzRBoGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwPS758gTgwUXow5PRHmZ7kRDEdswCgYIKoZIzj0EAwIDSAAwRQIh\nAIgrc5l/Dkef9y6BHXRkN9lz3Q13iDNFcZr3oUyQYeJlAiBabxkJlKKkpWiWfbol\ngekgCAvHlHulayOkYUoqOi/tuA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUWp5nWR6MYwATyuLUvzFXUpJqnfEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MTgyMzYzODE5MDczNjEzOTIzMDI0\nODMwMTI1MTI3MzY1MDk5MDQ5MTAzNTI4ODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD3n72HkPcFwsJChGykAQc11/SQylVTvJ8XTfSzo/Vic+1PBWo5Y5Kac14QlqGdc\nZZA1+DHj0bAFpI+12XAP1wOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCEwS7Z0\nDmWMKxu60aF+SP8WdVa4MB0GA1UdDgQWBBSdJ7+rBv2gj58xXyFcyV5QADRejDAK\nBggqhkjOPQQDAgNJADBGAiEAoDySVvT5oVsu6FXlZiADFP/poWavf4ePj8Jj3drt\nHuICIQDSfIr5bu9WHbI/LOrOSM2ENcvqAxKwCpf3UXm7ZDG/Xw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUJBlSYNZoDCp1ScBV9UB+ol3vIRkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE4MjM2MzgxOTA3MzYxMzkyMzAyNDgzMDEyNTEyNzM2NTA5\nOTA0OTEwMzUyODgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDUxNzM0MTY5MDAwNjcwMDc5MjMwNDY5MjA0NTk0Mjg0NTQzNjg5MjI0\nNTgyNzA1NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHdPJwi5jCgYBcnrkt/I3Wja0\naMX6byiAXfxuVZ+KQfdi4EtSA+RDRQdSdgLiu+5kDkjymwYRg2qfaJa9pTvifaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnSe/qwb9oI+fMV8hXMleUAA0XowwHQYD\nVR0OBBYEFAqv69nzhYgpl1WF6VHxrbA3bUwIMAoGCCqGSM49BAMCA0cAMEQCIGfm\nEqLbO4D1N1IEeVgeuGeh6h+YVEbDPoYzD7HjGm/9AiBj+eNwg2VXssV7tHrC97Lk\nfV+qIQbNu3EbEY2kUD0HxA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW9D4QwIae4yEsn1WnPwamY6u0F4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTc2MDY3NDgyMTI2MzIwMTUyOTM0\nNDAwOTQxOTY5NDk0NjgxMDkzMzI0NjM4OTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP0odA2GGEONW/eI5r5c/ZhCo9Xny4B0DjSgMiwuk+hE0w/D08qi7/pIoKqirTui\nRhseutrcWvC5kO4ZD61wk9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMD0u+fI\nE4MFF6MOT0R5me5EQxHbMB0GA1UdDgQWBBSQIAjyqewu0SQ8pMfA9EuNEE1OoDAK\nBggqhkjOPQQDAgNJADBGAiEAraYJUH2OHjBXYLqnd1gfNIeiu6WXh68hbCrRGckL\n9sYCIQC0b7G8dUlGKcEgcs0KP1IpNhxu9HOilpdIzkOEfL/NOw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMrhn/Sv3KDxDWBVbUwdgu22lDOwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3NjA2NzQ4MjEyNjMyMDE1MjkzNDQwMDk0MTk2OTQ5NDY4\nMTA5MzMyNDYzODk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDUyNDE3ODM0MTc5NDg4OTM4ODE0MTk4NDQ3NzQ1NTk3MjQ3ODIxODc0\nMDM1NTE2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx/wbQt/pO7R9LwvshPTWdUWv\ndCACgdoHynJVTkHmUKEZ7uKkW2bSXkfdGadEh81mAaZZdXoaz3ls0Jg9M1TJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkCAI8qnsLtEkPKTHwPRLjRBNTqAwHQYD\nVR0OBBYEFNXxyL5LVoEruuzzykoGDPHbpN3oMAoGCCqGSM49BAMCA0gAMEUCIQCG\nu1XCB2JCcIWZiFbtDgdZWGpIHWppk67STPlIJmgouwIgLd6/2BDmDLcmsquqnmE4\na5VUp8R0T/aavJ/cyt/xVnc=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUJQROfkKpc234M7u4RJ1k9lSuTTkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTE3MzQxNjkwMDA2NzAwNzkyMzA0NjkyMDQ1OTQyODQ1NDM2\nODkyMjQ1ODI3MDU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEth6T\nL6MbdMBpq3VUwbsXkPGwotUfPhz2ADIJVRHeYYYHHK0qkalMsShGU6WKWqbWc0SG\n9DxzudZTC4NagCRqJaN8MHowHQYDVR0OBBYEFOljRYlumRKNL/lGq2Twlssvonom\nMB8GA1UdIwQYMBaAFAqv69nzhYgpl1WF6VHxrbA3bUwIMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAtJVEzi/fF3tdUyzYg+62k165vkUBGPlgz+aKiJPpVsMC\nIDTm82OJNXfhjgk/tFe3x5pa17q+u2LXo+HgQVlXuLfo\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUZU3MSgUyYwM+Xg6w4KnBMWHNBD8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI0MTc4MzQxNzk0ODg5Mzg4MTQxOTg0NDc3NDU1OTcyNDc4\nMjE4NzQwMzU1MTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgzm\n15VRC45+GcDbYS/eI4Np//mH9J8kWTYJ/U+Mc1aMoupx/sEKPVtTDzCgf1tWY3Ja\nBT4GhOWZeYD9t7QCG6N8MHowHQYDVR0OBBYEFBzEQLOtyc+aypb5A5IOHKiwdOMn\nMB8GA1UdIwQYMBaAFNXxyL5LVoEruuzzykoGDPHbpN3oMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAymsn3vMuUYOCq7jIASlp3CWiYFb1/XpAlQA5Mbv3/JwIg\nfFUmHlQXQLUEk+K2w81159EHm/SNu97pHAYffEudeRw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeNY9LTvB1a66V7pIprXaRO5OSTcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8Y8Llr5opJmqjMs6Y+Yanw2B/vzONSIhki52f\nv2RTmNjm2/nX2cD4zNsbO4Mu/R4R1Eq/NK7Vefd+Ite0OKx1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwDW+vg4beT4Ux1miwQXLH4oEVcgwCgYIKoZIzj0EAwIDSAAwRQIg\nKPve9+UmrU18Real1OK9/B9NQDQG1/SrOtmJgjVyIcoCIQD1nVckePsjja1S/Xwr\nlAUErU52cBOt35pnPegVJcFvmw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXf1lO893NfA0vWiRAQJtBApWGykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0hBOOOv3U1NKMw0KS+LvX5+YqR6QNd7aVd/ZN\nYB8qHjRxmMmwWeYifjsQLoFTx6xNdU9whK/kRmcoBx9BZP5Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZTwaXJ4Y55BTTppyRzqa5WggBLswCgYIKoZIzj0EAwIDSQAwRgIh\nAIjHB0OWHC/o+pSsZinEWw2Mde8vw6BTJQDa9xAFOmn5AiEA9aSkwGjPBtsy0sZ+\nL4RIKBumt+8Mt8meBNMJLckQPrk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUL7o1T/b2gMFh2a3tTW18B5qeggQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2ODk4NTY1ODEyMTI5MjU1NDQxMTkx\nNjU1OTA1NTA2NzgyMzgyODk5ODY0NzIyNDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOzD96mPum8fRU8q2TWwbLjDp/QJUhGu8qg2LtIg4RtXIq5boPx2n++6/gTsb1JI\nTNrV+hdFUUNuQre8tk8HrpujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMA1vr4O\nG3k+FMdZosEFyx+KBFXIMB0GA1UdDgQWBBTBx2gLOEeaut/IiwBWkVAxVBHt0TAK\nBggqhkjOPQQDAgNIADBFAiEA8emIrETIeYbLZed/tiyOAZ3JnD456rcnOqP+RqxT\nArECIFi9ly/MYkafRAqddWG0aiUWjeAVQnxzVUqd5EkCcr1P\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUdBUTtFcrc3Ku4RzVxZnpMBGKvXQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg5ODU2NTgxMjEyOTI1NTQ0MTE5MTY1NTkwNTUwNjc4MjM4\nMjg5OTg2NDcyMjQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDI3MjQ3NTE0ODk5NzM3ODUyNzA1MDUzMDk5OTcyODY1Nzc0MTk0OTQz\nMzcwOTA2MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENAzXz7LWCiyWEdhXW2lRKIUR\nHZSNdzGAnHi4ie38ISmyAfMg7fNxnYVIU5xFmR/t+6r8zHgy94sdA/5/6BzKh6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUwcdoCzhHmrrfyIsAVpFQMVQR7dEwHQYD\nVR0OBBYEFLZgJu5BCEF30//IcSEFwisatIbhMAoGCCqGSM49BAMCA0gAMEUCIBQo\njgCB1qxCsooRMUuRzY+sWCq5EhljybzhhHEwHN9/AiEAo39hxUppkK851xnAzT4G\nJiLLjzwdEdUWqqsG8O7WiWg=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUZaG2GT6Uf9+ITm13QE1cq51P6c4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjcyNDc1MTQ4OTk3Mzc4NTI3MDUwNTMwOTk5NzI4NjU3NzQx\nOTQ5NDMzNzA5MDYwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDY2MjcxMjk2MTU2NDg2MTcyMzA3MjA2ODgxMDQ1NjY4NjUxOTU1ODcy\nNTA5MDY3NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErGVM8QROII9+4Fw1jfnndIXb\n3R42DmnCY089ntC91v17vrN4IShSWXgoAHseBo2WF+j7ngeNGB8kLoyh2NIDf6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtmAm7kEIQXfT/8hxIQXCKxq0huEwHQYD\nVR0OBBYEFE5qQ+MI08MP8rrwwkQghvamwT+TMAoGCCqGSM49BAMCA0gAMEUCIQC8\nD58zOyihMlWcvTvVE+Xw3cs+Kv1NUvArtmwQza9RzgIgKbisvj51frqkkkxwI600\nw8XbN1zgon7u+oZuWSzdcnA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVJTbyxe5O4c7fnP+YlkmZoap2oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzY1ODcwNDg5MTUxNTMyNTE5ODEy\nMDQ5OTkxNDM1ODI0NjA2OTE0NzY3ODE4NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBORGW88mFHQ3f3+hC5qURNTyvVGF98XG+Q/vYkHW5WuIg6D0DBIM2DHA6EEApNFy\nZEfNjZJzvjst1vlFbU/aDUqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGU8Glye\nGOeQU06ackc6muVoIAS7MB0GA1UdDgQWBBRclgmXP1CI5uFts2MPsTfscCa8uTAK\nBggqhkjOPQQDAgNJADBGAiEAzRFh1pf41Q0j/7ce1NdsSBNy5HlLCtuuxd0rANcH\nNgwCIQDFzvvcyrTQ1+qZdGr9Wrr+VTEhdlJhCSojFDZJ1MUvqA==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUKU+SKKvMTaZlK3zQGJMakn4d6eIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM2NTg3MDQ4OTE1MTUzMjUxOTgxMjA0OTk5MTQzNTgyNDYw\nNjkxNDc2NzgxODY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4Mjg3NDg4MTczODA1ODYxODkwMzMxODExNjc5ODE2MTA0MzYyNTY4\nNzUwNTUzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTlQghcAnW4TU0OOEfeY66o9\nNxScf+fy2JbWKOYKL+rCfupIeevge9e0fxh/H9W6TMHtDHbH2Jrw6czhyQMLlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXJYJlz9QiObhbbNjD7E37HAmvLkwHQYD\nVR0OBBYEFDVrVdWwNcCt8DYuaX3CuJCqnYwDMAoGCCqGSM49BAMCA0kAMEYCIQDv\nRqo//ZzkEQ+iJe9T/x9zKFYPmBqQB6w5eXuxV2tAegIhAKqnnN3lwDuumwHBTv0g\niCL9tt8Lr+wzPQBhAfxzbPRU\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUGzMX9tZYF8qLvPxjZZlKFAFZfLIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDgyODc0ODgxNzM4MDU4NjE4OTAzMzE4MTE2Nzk4MTYxMDQz\nNjI1Njg3NTA1NTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzNTg0MzExMjcwNzg2MDg0NDMyMjM3NTkwMzIyMTE3ODcxNTQ0OTE2\nNTk5ODU2MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExsYohK7U1vSuDjWd0yzeDA+6\nWuUXv/7HjALSl+E0A3sgWJAv6pEhQvK6iPX/hbWAE+FqXS5TDARtYVSGXKu+4aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUNWtV1bA1wK3wNi5pfcK4kKqdjAMwHQYD\nVR0OBBYEFAc7mMNetCrIrLsrPs77H6ZxpKj9MAoGCCqGSM49BAMCA0gAMEUCIFJ5\nbFT2IGGLgbREtpe3lCZp257+X7vDQNIat8mqqV28AiEAzXnxGd0tCn0Jb3Euen3w\nyr6+SXOapmfnhm4oaYmWE30=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSTw2WFykK5PZxv7OtabEcoLquuYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjYyNzEyOTYxNTY0ODYxNzIzMDcyMDY4ODEwNDU2Njg2NTE5\nNTU4NzI1MDkwNjc2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcfNr\nGcniTRJNvSc/Xd+WHXG0hUIk248GjfaERUGMHYeVQHWN0TefVBeHxS1ctUChJXHH\naGQd4ZUY+HDqrEol46N8MHowHQYDVR0OBBYEFMLLPWtm67zL9qoBOZC7cDrQa/dk\nMB8GA1UdIwQYMBaAFE5qQ+MI08MP8rrwwkQghvamwT+TMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAscTkuvF3TH26d6g/3UolekMPI2YvEm/KXphX96BvXEEC\nIFSKZYjuUGmCQqoDedzLQ8VWVuXdlFw355Kfg8BkoDxq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUQzwSULVMw1IkyBu9nMS+/dm+SBQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjM1ODQzMTEyNzA3ODYwODQ0MzIyMzc1OTAzMjIxMTc4NzE1\nNDQ5MTY1OTk4NTYyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDYW+\nK5omze/ZLH55gDnjmjaXpsZQmyDCNRrvk9djC9dlTUAb+nqwokxEKZlEMfkJRwVs\n4TB25lSdacToiMGpnqN8MHowHQYDVR0OBBYEFJyXJoNPZO1M6pHxRfo/wXrqdnBh\nMB8GA1UdIwQYMBaAFAc7mMNetCrIrLsrPs77H6ZxpKj9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA6vpEh7qqGiW995kHfYfi4Jut/jRcbojBLuCezYurCtQIh\nAP9q5oIgWVNt+ARbt0mgH9yZ23C7VMdQZzsXsBzerQ+N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGXN0uBkVdx/WZbTviUy2HzgKfRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+9YTqnCEOKjvAj7Hvv6K54b+cVLuFLGFwJMiZ\netJHWVJXDb1//3moXWzNTkvXifAoWJL05OrKssFB6TwBLr+Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/yILM/Oyrjc2JWynPZsLA1r3uLkwCgYIKoZIzj0EAwIDSAAwRQIh\nANg/CWh0pZiGkVoszEvQN4lis61KSNBIpyDAc5HVWo/aAiBDbAgVnaKioG4wIn39\nqX0G1xtF2ZfJ33WlrCwxEONYUg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSlT/EOI6Mg96fMfBq9fC2pQT1ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPq0oeww6p3Nwq81l5eHcqhKnzevYM8lDz3sEg\nlnxAsy9tsj/nd4xavDFS1clvfjfWvaN0u7gG1S5522a/mNr+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzyqOorA2UmJ0P5Znbt52CQWQ+IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKO4EFbzGdRN+aiYYQNbcYEub++ry4l8pG6plUuiCa+gAiEA0kovVgVXRxyLhPev\np+5DdR2VEWERMRW0jnb3rrQOj7s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUHJLYpYFWMy/aEZPs5lcWvh20kZ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxNDUyOTk1MjI2Mzg4OTI3NjE2NjYy\nMTQyMzg5Mjc1MjQ1MjM2MzE0MDQ4MDk0OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNbIaxL6ASpr/uIB0uRNLNMWQLQndyXkpM8jSIFHccOuK32z9Y1FTfHuK7m3fxG5\nlamSFzU/aM3X/QjuRNsEY/ajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFP8iCzPz\nsq43NiVspz2bCwNa97i5MB0GA1UdDgQWBBT1P7KUJAzEp4v2BX4nPPGUfKx6zTAK\nBggqhkjOPQQDAgNHADBEAiAyPiJjFfymjh5biWbQy1NOGjwpmWeWFR8IEqwXLZ2+\njgIgGZWx413JoWv1ALzZmkBC0AkAit7wXiyWyqDozR6kxLc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUNNTCjN04662v6Jt0DASkYlAYzhcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ1Mjk5NTIyNjM4ODkyNzYxNjY2MjE0MjM4OTI3NTI0NTIz\nNjMxNDA0ODA5NDk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE0NTI5OTUyMjYzODg5Mjc2MTY2NjIxNDIzODkyNzUyNDUyMzYzMTQw\nNDgwOTQ5NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWmgmbEe4kmq0zXxItLmr7CaE\nn03aHEUSXvvZedWYbuG452g2e+vIe33TZTYhrs2v8s0zzgaC/W2OGppDqBbphKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU9T+ylCQMxKeL9gV+JzzxlHyses0wHQYD\nVR0OBBYEFEphehgumo0rT6D/xeJSgV179bGfMAoGCCqGSM49BAMCA0gAMEUCIQCL\nYjrim90WnkXG7rYzBa+1d5yfpRC8unJOMYPYZzqrPwIgJ0IEliB/ncVsnCgh6JKX\n/rMRXyODTLQWQRf+fceZ6LA=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUWesBUPL62nHz5nHIIbmZ0odAb60wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ1Mjk5NTIyNjM4ODkyNzYxNjY2MjE0MjM4OTI3NTI0NTIz\nNjMxNDA0ODA5NDk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDMwMTYxMjIyNTc4MTk4NTIxMzYwNTA3Nzc5NjgxMzg0MzIwODMwNTYz\nNDc1ODE2NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkUCBZBfHKlydEiyxakyOPcl3\n6wcrxUgq7RzCCXkxiaa6XbDTlS4uMsTtKslAgmx8/a4nWuz5b/Pbh1QvuHwmAKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSmF6GC6ajStPoP/F4lKBXXv1sZ8wHQYD\nVR0OBBYEFMCfNg0tU4V+wEeN6mZ2hJtN6AnGMAoGCCqGSM49BAMCA0gAMEUCIQDv\nw2d4yasHtnm7r06qSgaT1RCkl9dVkVD6XIsL7s7YuQIgC853wBA4D4aZf8yKATJP\nzBppvEsAWohT8SWqbvI7M5Y=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOMY47r+XminfO+SH1Q9TxclftRAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjQzNjA3OTkwMTU3Nzg4NjIzNDcw\nNDg2MDA2OTk4OTE5MDI3ODEwNTYwNzk2NTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNFTAS4rv91qu04F6cXMIqRb87MlXKZVQNufBa1gHOfhHAft+cM1tuPigb6s24dR\n0f3Tnq/KDsRBZMhStKNWZBSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGc8qjqK\nwNlJidD+WZ27edgkFkPiMB0GA1UdDgQWBBSnntPolmKPEaDOZIRcAuU+Tk9lxTAK\nBggqhkjOPQQDAgNHADBEAiBHLVjHQin4E5lbJDJfvriiwB73YJ5K0ueUSFEFVysV\nzQIgJ2GU1ncjqdRW5vuyPl3IhgWg26+68Jyj+aEUq3c77IU=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbqjEgxGYY1N70QHuaDh6BA+yQdcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQyNDM2MDc5OTAxNTc3ODg2MjM0NzA0ODYwMDY5OTg5MTkwMjc4MTA1\nNjA3OTY1NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5spBjnPuLgVb7SLgz64mD9HH\nhpjF4uJJxgbtk2LvX+Gqw+Lzg+lghqshMTwOO5a47NFrw1PCi1XnUoq3JmbmX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUp57T6JZijxGgzmSEXALlPk5PZcUwHQYD\nVR0OBBYEFHeGUMQqZ/28dbn+/tZ0MmQLAnUxMAoGCCqGSM49BAMCA0gAMEUCIQCR\nyAHKmoznsxq+CnSKmXyHkwbKz5gqtaXGdTawgUj3dgIgJutQdthLDBNZzScllv2t\nLnA0LHr52QoXHWuHkbWZb7Y=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUY0sxeexT2ypEQMNFWAjjT8O5wGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzMTc1MjYyODU5MjM5NjMwMzYyODM1MzcyMzg3NjY5ODU2MTExMzM0\nMTcwNjcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMrvqALvaYZ6dXGsm8SMoR1KB\niI/SDPz62dEH/i244JV/H0g24ftHeUYrP1NpEWzLgZB65nXiHmLA3kJstqQ+96N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd4ZQxCpn/bx1uf7+1nQyZAsCdTEwHQYD\nVR0OBBYEFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAoGCCqGSM49BAMCA0cAMEQCIGGu\nVMrfjH0JdhhJeb1iqv6FDA5Hz3vM4/ZdtK10GDrWAiAYVO4W7GWY0BRxI+HrRss6\nx35GMU/N7GP+2CzvKe4hKg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUFHdyX+Odfh7hLMnykofPgjpGVVswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxNjEyMjI1NzgxOTg1MjEzNjA1MDc3Nzk2ODEzODQzMjA4\nMzA1NjM0NzU4MTY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfkCc\nRdpGoVpSSMj5+v8RtmYvxuYQFF0MfuUNdtwz8ZNewdzwHkZdunRWkMC1uAAEoG60\nPqQfkaCEsqdwLHkCnqN8MHowHQYDVR0OBBYEFLDk6IGIDLroFYXebzWAET6hk++W\nMB8GA1UdIwQYMBaAFMCfNg0tU4V+wEeN6mZ2hJtN6AnGMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBAo9LXEvAD8F0Ah6PRQbFbwNK+MGmEnS56DovyanlT+gIg\nIOhegNUXlC8/xwlyJgOohejKCzV/A4rnm76WbC+5KwY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZho6Xr5Pf+yKrXEHEja9J1rnNk4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMxNzUyNjI4NTkyMzk2MzAzNjI4MzUzNzIzODc2Njk4NTYx\nMTEzMzQxNzA2NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkeDh\nrXLKovu0GzcJq16cPQjcNJ9kpeJTDzbxZ3sdDj2nPulhNXCqdWa0rOdHnA3M+z1L\nspjhEOL6H972MKiJXKN8MHowHQYDVR0OBBYEFJzIsTyY8rmw60piGaqV+DWshq5J\nMB8GA1UdIwQYMBaAFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA1nB9LAWZKDcsyau3xLIXJMCThtcNwTGFGao4ocmASGIC\nICw8RaUjijt47g61xYeOuqfGh0RMVAgxU2LrpI0vlt74\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUVUJNGswhOe98CUvayQU5gAlXnr4wCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA/xGfOCgeAIZ\ns1xDGklbhfBPlDo4EToCHAxVU4Sq3bUJOEJptAL03AbM4HG/GOuK+nUdtyuP6tUk\nSBnYBw9loqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEyuyjPH93oY9EVshy0MY/Cm8Rg9\nMAoGCCqGSM49BAMCA0kAMEYCIQDARA/gwVg6EdGtTdTAEn5wQ2cuOeko8MDt/+IV\njITzbQIhAMYiNJjZT+R289o3s0jAU+IyfscWtpeA5QNCO6MpZg3K\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUeh7oeei8lfFL/5y6J574kuOYB6EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuEZjj+jH4RJ\n0vQmO7958Ui0HNLz++1sUmLE1/uJKbZ+oYZkjG/2M2qk0QhbiZ0aRcblnSlv0Rf8\nh5Hl6NlZiKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFONz2cBYXp6+ZPsW8hIIXzd5HPke\nMAoGCCqGSM49BAMCA0gAMEUCIBuMccD8kiiXx2VShiM/mJAqhLImrP2gCcPXDat4\nBu4xAiEAzVfXSAyPFEu7ckXakI0EJPRSgG2ILEEUGvaih2M26Jo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUWb20cf82nLmTULa6K+yzBm1JS8AwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABBwrlp7BJn71W6NxW9Tdo9EiED2pajpIf/16L0i5LRgQvdYL\nrm+lDJ0qhp8j1UAOtDce5D2czkGzZhVm09+iA9+jfDB6MB0GA1UdDgQWBBSfdatt\n2by1mBIE0/7RHi06YfURlzAfBgNVHSMEGDAWgBRMrsozx/d6GPRFbIctDGPwpvEY\nPTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKTWE2L8o4klmNMLxkSNIRTS\nv351SUFJ1nThfslmBxa5AiEA1NQ57b+8QbI512YTxdTniyBeZIdgKgAHZisTc7Ee\nCqw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUbnBADWk2jlxXJvrhO4ubJwGfUrUwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABMSNt84+n59V6go70z+YuMlEmDFOs0xR1eFUd9j19HwFvaIi\nehRdmtT5HE+Zuf/2r3gzpIIg6Ns9rVqey3uy6gGjfDB6MB0GA1UdDgQWBBQgEXeg\n5xc0IrE9HlP9A5yZSTzYiTAfBgNVHSMEGDAWgBTjc9nAWF6evmT7FvISCF83eRz5\nHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPc6bxeK5pI63fD2ej5DP+Vy\naux5eRLjki1Yd+3gKbw/AiB5Fhr3MSIq+ECvzOEvCeOn5UsOG/WMHrinLNeclqEF\nZQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUEqbtpInP4Yqe+8YC3ZkDxV0boa8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8RwYaFk/\nqanLJddTVZwQx76niVJEM//1xUqj3uzJ2YWKbkJZNvWHRN4JPw+AeKTzoYyI60fM\neBGTPimrujfBr6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFHAsu/X5FX03tg+M1ctPOIZu\nEw3cMAoGCCqGSM49BAMCA0gAMEUCIQDCaG0sZK/ZvgOHFf6G8xxPnAsOHWh0BAWV\nXloPt7EdAAIgCGtLh24emDWEAS6bc60DPOWPRZP9mIw5WoL4EGbijAc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGxPsAAiRDw43OsppKw+mC3CJmvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Se2RXIP\nd1n0ProOyzpo+14Qx8ZnWolGoMmJoxQ06yBxcu0MXwt3YDmZD/FU21WMo5e7SYS9\nYVZnNk/gVREOf6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJi5WSufyY8ZxyAqxHKrs28+\ny5G4MAoGCCqGSM49BAMCA0gAMEUCIQD58otb0BXNlb1tebdj2kGr5woFH9ove4tY\nAbRXxBVkHwIgMdcc8/V5u6xUpty3TynHyECizZruWT5dRAFw4aJy8dE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMIE5YoYAQmZdXXtXyl/eYv7vFXQwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARCcc3lOAJvR/8R\nAKhdcw8nQryP4i8ea8TQP5W9RIbQhKnQKep++NQEWB7lCHE9w7rd+jEzernKrdg1\nSpNuEo89o3wwejAdBgNVHQ4EFgQUoY/APjtKATlNNUzOY/VZ0VcYMR8wHwYDVR0j\nBBgwFoAUcCy79fkVfTe2D4zVy084hm4TDdwwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIE8j8fnefnFxfTY6BBKqrzWKu8laS5/C43MOG0ub+q5bAiEA74i8cmuJ\nGw+O1RJCE8017E7qOzuUWzdLRHONpJk+8/Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMoT/bEFSUls71Pn0m/VKzze9omgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ78WO5K2JRVbm1\nCW2R/yOGVuYu6eDZIOV7tT8dF5+ylnzKFzpFFhuNI9eOEEPdSyvYvgX19HdyJYJA\n0XnJJZ8vo3wwejAdBgNVHQ4EFgQUDJceQpM236IIPSbhEQ7sFOAJqP0wHwYDVR0j\nBBgwFoAUmLlZK5/JjxnHICrEcquzbz7LkbgwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIHqWhdB/SDFMgXpsVFkXOUk2bQW8xWoaKsjSd8rljwbCAiEA8VOasyQP\nhfOBrvIDxdQk9HXZkLEt1qbJXPcwGkYHjG0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNR9iffAs5sYvfeAUjpsV9QRoX6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/s58Zhgm5UWLIc7Ikx8TVK7ri6dmcP6ithynY\nSSdJL9U76KooHcBU72dHGt8+1nq1sQIPysykQSbfgFI/pUpeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUN5801Xa94blaXWj6TRS7Nf65vUMwCgYIKoZIzj0EAwIDRwAwRAIg\nIL49CMWF1d+jm3yFAdf3R14D/3A5Ycgc5hqDgfDXj+gCIDWvVEOaRnLuCvi6rb7i\nWXFgKULLC2sNh/NO4TDLlq4A\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYvV+KHA0xXxu6E1T54fqmBSZGmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQr0Q5Pd/uePS2foFjdQcs/wAnWP5O+k5G1c2U\nFiQ4ggIz8d2jCRRhYKyHba3fOky85Ckg2zXn2S8m7PaMPbNTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULJZCtkNxfV3+2kfyRl19SOqS4XswCgYIKoZIzj0EAwIDSQAwRgIh\nAMMG75J/rdq7FH5xrDv9mn2S2x9uQEJm+9KkMOdx+luuAiEA76MJTYoePfYo8Ams\nNnRzju+LVSmN0e4ZKAXMQQ+YaM8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUUMqaNMlq0G1Bb4hL+hrNgiD0yM8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE15AV1XcVV53mokPOGcPhIECJ78JwOdkUf4bAaPKLTz\n3MDB8pk9D8A0TUIdL3Rl/4Le4M1uEl0Er4stZSAlstyjgZEwgY4wHQYDVR0OBBYE\nFOzwUFGjNUJWL0wPw2Kr6Xj7AxwzMB8GA1UdIwQYMBaAFDefNNV2veG5Wl1o+k0U\nuzX+ub1DMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCex/TBD/MmrngMGo+GvzNehmLG5Nd6gunFtDJqYj0N9gIgVOX1uDhB\noalTOr5+XFLnUuelqokPFyiJb4aZSgJ28mI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUcIOykTLhevd2z1rtWIStHfNVyJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF6de5Xkgaj9wDbQ7b/MCsl+CO8UN4357l/zK9InVgkN\nQY9IgipKcea4dF0fKJ6ukaXvRq7XZwgqD8qZq5/vqj6jgZEwgY4wHQYDVR0OBBYE\nFFanwjEN6n0FOovP+QAcZGQjqiqmMB8GA1UdIwQYMBaAFCyWQrZDcX1d/tpH8kZd\nfUjqkuF7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCcJNRqtpNCAYIc4NFLe9IHkTCabHRMocW8MHAY/rZEowIgBtdK+N1P\ng5t7srsdMdpY3G0xqzwI/VK7KcH9J3X5PvE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUVI6//ZVKJcabOHdDfzzWvYm7RNUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATd0/4T61UfAa+xW95qb960SdFEc0iH+uX/t7oA\nCnJjc/HqEyz2RSXLcGe+Aagmwi/VYOEjh9EFs7JainX8dN0Mo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAOlKbXetO8L18xGDn9MBZ8WWT/gwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiAMkKmabr703u74nmu1m2T0udGP0HoCm42BYYPd\nGDV/0wIhAPaXRvw9+ppHBL4msi3SaEOhpdfLq8FIUcaLrBaG0Bou\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUPePdIh1++CxbhUDZAOdlsjKsUnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFV4zcuHOVdMvrmYbIGtiJ0WndgrhtFfUNm84o\nreUOZYi7F1/Uc1TppyGwh+5HzF7XBdD0EzwOq1dgGkAQpZDbo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgzMkwsc6D6vq3/DIkOzlZkNx6PEwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAnBInHCmOVmHAa322WYvzuPQmu5K5nRrPMSah\n1/3buWECIQDG9E1wJj5IMorIZ20O6OaTILgVcsUc38fbjIX/CusH4g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUVgZ2GVVIxr9H7y0FryQxL2UmfBIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE/9igKS+NJY+YhbQgxd7ZT5X91i4s/cAsVBKQVncQX+\n3YSSjWBPk4XKo80cc/Kuvr8aoiGsgkXgfDHF78rQ5IWjfDB6MB0GA1UdDgQWBBTM\nW2cVQ83h1n6NZh4kBjnSaIMz9jAfBgNVHSMEGDAWgBQA6Uptd607wvXzEYOf0wFn\nxZZP+DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPdHg46souHQp+N9CcPC\nT6PhdkHUqt1ZkYt8oVIxkb/8AiEA0M2oNWCxMKcBM2nI4fOqCIGgXJHEmjNJt33p\nXu4hMkw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX6lYytxllc2GjBjbcBn1RGvPbPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDF86vDuy9wngvTNht6LFfbnauEtmJZFV/OG/vtDw3f6\nsSFgqAKhjQgvzIqFo+DPbTKXYijK8Vj5FjoIiJjhsXCjfDB6MB0GA1UdDgQWBBSV\nDUUBklgfdKtOBdWE5Ksm3XQBizAfBgNVHSMEGDAWgBSDMyTCxzoPq+rf8MiQ7OVm\nQ3Ho8TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoQUvTJk+YAE1GbSRk7\nCoDfAtxvk8oj3PWFGfaFk0pYAiBPg37IRO967dJyqzhLTHnGcxzVHZ5FOmA22jRX\nwLwRtg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA/MR5b9GXgO8jkNfVhG4muiFO/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcyHH/DZid4SxdR2Vjvzskd7XV0xcBWjuQPyi4\nputx3597aLKTq/O1AQbNVT1B6/vIE83lMi/9W7Wd7a4P1Hw5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXfIBRZRXO7Dx0pjO97CnbPUNVD0wCgYIKoZIzj0EAwIDSAAwRQIg\nI5/47Lb9A4LVSA9zoH7EPPV5oE0jLN95K9ExyjKARa0CIQCQBpGnH0jmOU7MCkWn\nGtWHb5NGAi9pVqA8OM+bYDa5Qg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHQh9/o+XxBwaPl7Xa818SeO1FtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDG1qGA0B5lJ7PCy+X460g0AF7F4OyXqoPkVWI\nsGoquQvDqoxbmJU7t/5HHyQGq5aQFBTDz8ORhtaV+YK85rvHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8gv8HwUQ6Z3VJMAd5e6fT8zL8b8wCgYIKoZIzj0EAwIDSAAwRQIg\nJY8siBSuuNC0P4G7h5lLbfTdTE9cnZbYwJYPoTh4gzgCIQDLcS6JEIJByjzk4+J0\nBNaDifvTxNy8YSZfNqe395L11g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFDCCAbugAwIBAgIUR8/k32qTKMCKENK5Qpjzox27zyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBmMTgwNgYDVQQLDC8yMjU0NzYxMjQ4MzQ4NTIzOTYzMjc1\nMjUwNDgyMTE1NjQxNjE2MDYwMjA3ODE5NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWA67R9OQXkQMawaKO504NHIl2G9gvU+HY4xe4nNgHMHu6fMp+TSloZH/4V8bX8vY\nwrMMN0jDxZ2WoB0HGfLZ1qOBkDCBjTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRd8gFF\nlFc7sPHSmM73sKds9Q1UPTAdBgNVHQ4EFgQUq+ZeUYuTBRek23JtcKL8fZ2gaBMw\nEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiByiN92hT9kyLhU\nVVd0+6mUJgpIeaXhfm3/pDF4P8cI7gIgR3g5q5WUNJ47NLEpM/z+FtivEW1hhU5V\nY8HHIJgwafg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUSnruJRfuDB0ypRn+pi/e2FjD0SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjU3NTAxMTM5NzM4MDk4NzY5Mzg3\nNjg2MTIzNDMzMDYyMzM3ODk1ODE0MzI1MzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKNlRLgASFct/GMqhoY+l418JmugeJRxEIeNud360ZusqwRwBo3Gev7vovqiZ4h\nMPWx1wuzv+xWbitJ3qfgsr6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU8gv8\nHwUQ6Z3VJMAd5e6fT8zL8b8wHQYDVR0OBBYEFP8uk8UsTOZUKDy4eq3GxFEqSXCi\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgHqYrcUpNRIHu\nHL8vn9GK5kKWOuC0fvFI4CwtcCiaTT4CIQCDCTnRiJBrVDy0uK6Gml05Zwpx68B4\nMzNOoQp0k84HWQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaKgAwIBAgIUem9Up056rQ3y/tPXT5UjoxWATpQwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjI1NDc2MTI0ODM0ODUyMzk2MzI3NTI1MDQ4MjExNTY0MTYx\nNjA2MDIwNzgxOTcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOyOVd\nIBnpmpzXhP76LRdCatfyXl+ccqaHN89i2OZmDJJliutODsdj/tjWvrQBisNErGUj\n9+mat7ClBfK5fTRQo3wwejAdBgNVHQ4EFgQU6E4dDcYjxnt3vWeD1wYEa9QR8LMw\nHwYDVR0jBBgwFoAUq+ZeUYuTBRek23JtcKL8fZ2gaBMwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQC/V53VGCJvFVMg0NT/uZgXuQPOnGz6/V8qBhppP2EeOgIh\nAOr1HDqHZY+AKy4HYpD9Gs3ys4IqptnEuPJrFVBeWMLY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdazbHNWSTZycGqLPVVmT6tz8+qcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1NzUwMTEzOTczODA5ODc2OTM4NzY4NjEyMzQzMzA2MjMz\nNzg5NTgxNDMyNTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7UZx\nLQyV8b3udfh0ZcjmYaVxvpZOc9OKLKiWnM/Uua4oZK3qaCyCf6G6/20wpytLqeYZ\n8nO173iKSjFAOMX1xaN8MHowHQYDVR0OBBYEFKTVOVIgQStW6nP82Ft//gYGq3hY\nMB8GA1UdIwQYMBaAFP8uk8UsTOZUKDy4eq3GxFEqSXCiMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA4r1fAmmMxxBZC1SHZEPk1AftA57K0SfIjn8EapX8AIQIh\nAID44pfz9QTuduyfQMJEmnK/NLyGS/GYuowzv2nlu6CA\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUY4+x4PUoCTA0Sqx8J+PAGyHXhWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvDbE5MnSF6MfFGmBWZep+76UGKCMnBN3r/8dB\n1XrjDv3GMiNr3rW1a+QRWH/BnbumrVOXLCALhMZkLnbRq9Uto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQCthBxFTl52oir/ZZquo3wosX3rjAdBgNVHQ4EFgQUArYQ\ncRU5edqIq/2WarqN8KLF964wCgYIKoZIzj0EAwIDRwAwRAIgX/kke4GkfWHgpSUZ\nvueJyZge1C9jMItxoMibSzxR+YwCIHthRlOb7trxKgMRsf4tFuBNgKlN+CEtcIom\nwLuneP5k\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUT2+4tBpzchlbrFti0H2K6KUf+oAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW99woL5i9kq6uTkLow4giCO+aTQA1n8P3I7zl\n3H+21UQTVNfOPEr4dAXshWR8dQkmtBFy9XiucVb1ut61iqrMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ/Y57vXFCQilDUuyPHMFiJg41kvTAdBgNVHQ4EFgQUP2Oe\n71xQkIpQ1LsjxzBYiYONZL0wCgYIKoZIzj0EAwIDSAAwRQIhANCeAUAAfo3bh967\nV8yHMbActi8xQFRJciACL+rrSchxAiA+tRzjfu6rMOvoMG3+oEqthe1rbJ2Ps2r1\nD//B9QRozA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUSzajxV71Cw4vuE2THNSX4cujUywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ45hm7y7IScQqAvh3VG4reP96HYHQI51ZxmtbA+ebpu\nvhm/UIu/0qdc+JEaODkcT9RhNyKg765lSjhNBwzuTr2jfDB6MB0GA1UdDgQWBBT3\nN69gnMR36mdlold1Pw6nXLlKpjAfBgNVHSMEGDAWgBQCthBxFTl52oir/ZZquo3w\nosX3rjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSk8zIwILR5VjnMQqLEL9\nvJMa2qYDAPwHsS5AYQK5340CIBim1JZQzf1dyUBrf5+qj/83uI8XIr7HudtZm9tP\nhBPs\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDKSj3vmiXuWPGtrPFnmKQ0jAStEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHd2rzI1Qdb/2ll+PbsPeOp6Gdj6w/edo6Idl8XW/P2X\nFcZ7/IhFNkb+vegcXwCy9w22MTBegciC208IFvVh7n+jfDB6MB0GA1UdDgQWBBRS\nZU06n8S4iTG99T5nw4hZTkGqzTAfBgNVHSMEGDAWgBQ/Y57vXFCQilDUuyPHMFiJ\ng41kvTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPj1DmTdznncdKrZcnME\n3Wb2Gap+Odu11rjnbXORITDpAiAPccJK5wVsIJBTrm8licJb0BkyEgbJK3jBXFeK\nrELyBA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGeVnwA17gA8lcZUxtXJF1LbanqYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxReTLSWcDGEE/aDTSbh2xBt8rTRozQe+bcijC\nWpTHk/KTbpA6LZ3DgoSwGfAHZZLn8wRxpcF3WiQJt6hUQmiSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcKJoe94cJplDa+uGlFwFmpBbEY4wCgYIKoZIzj0EAwIDRwAwRAIg\nBTZj2jc5NHxd75EuG2Q0DpbcJNMd+lr7vCmUo2UAUYACIBU2b3VY2AlxQ8Tc3HvA\nCyv9iWq71LqC+UJhtbDDbdWX\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGxvzpd1uXNukshMP8tB+wl/fY9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjyri71HeLPk+5LJRp8/cKkPSGkBHATeMGt9nq\nL2QAhNZxCNxdFblpVFrog1xFpD6PM0wtMuoXQiUXwjESGYXVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmRPdDjKJVbTfEXdnXHbe1vXQ9agwCgYIKoZIzj0EAwIDSAAwRQIh\nAJXHX7NWTLwhiGtePFCQIvDbInh8820TwfSwDewaeTqnAiA+zkFccf+s/Gc+Nm9x\nnO3bYBc4GHWji1o7magZAMMOzA==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPb4o+l/VwMbqas0NwQTJuuTF6IcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGGJT6FDdQuNqfSmB22wR4FYt218RpWN5QIZHXXrFAd0\nX8YXibYah2uCQHIYNKhhXTTNieQm80hhNl5QKlfknFWjfDB6MB0GA1UdDgQWBBTr\nD8hN4SSxKwoKmzCwAEef32CgsDAfBgNVHSMEGDAWgBRwomh73hwmmUNr64aUXAWa\nkFsRjjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfGMV2DXCRNDOO6ZkB9ii\n+V79gneLzDCRbt2BC4Cy9c0CIQCaa+Y5Zqwe/8JU7U9Peol1FhPp8v4/HEXNylon\ni7RDPw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQiKFHJz5Vk/ZEf+42AZnYRq6mh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/5IU5Pd2u2Sp8tn6UikZQ8dvHWt3bBnAW1hNA5wJUR\n7BD+NT8KQEz6lmkELfgPYhVK2n7EcNKOWu7QOBpJH0OjfDB6MB0GA1UdDgQWBBQn\nMr2zik5lbLrLrFW6Orb+8hjs1DAfBgNVHSMEGDAWgBSZE90OMolVtN8Rd2dcdt7W\n9dD1qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO85K1sWbq8Fx++GjAio\nPkPOTij0d5XCH52stPfyYPEaAiBsqe62bOBGcTQKkUIKPyykmQPuOyEP69ZbRoWt\nxfKqQA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUF0RGBDGAoPj46l9zKKafhyzvNG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAyODU1OTI1NjIzODYxNjQ2MzIyNzg0\nNzUzNDYyMjMzMzg2NjYxMjUwMTY2NDczODUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOVBYs1Hzdcpv6hypJzbRUaHw8QhA30aPL7foVFb3PqusmBDv9O6qI316oq88Xz0\nAhiFtKEtyWJgVXVQfgepyY+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTxSMiqL3ZE\nBlE+f7NZXedavrDHFjAKBggqhkjOPQQDAgNJADBGAiEAjlShcL73E92pX+6q8QEr\n45aoRT7KthoysWOhPrZw3KsCIQCGkNfH+mmq9ZiJtJoTOovnembCMshYIk1i95PM\n7jR6YA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUI+0+eM6z0489ByJe/iOdBC1dnuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzU0ODkyODc3MTY0MjQ0NTc2NTE1\nNDk4OTI2ODc0NDM5NjU2MDYzNDEwNzEwMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPt+palKY1UXOrnc4cn3kqF1ooEsIgX01PIpMCcFXjvX32Yj3Zr4AmlfXpfw4jDz\nw4Ttrz93jhcpeKGO6TAFr3yjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSGQaPTL5wK\nhJIcrPJUfrcBxbfA1TAKBggqhkjOPQQDAgNIADBFAiBoBe0EG13ZcEzlZfeJFJej\nADrVybWurM1WjYmK9qMlGgIhAMw6984H12lPPlug0IqvlyVcXNcdByuRG/+BwU9I\nVTD6\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUBPh6HxMhHuvBlIqfxe1cPuXL2BQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjg1NTkyNTYyMzg2MTY0NjMyMjc4NDc1MzQ2MjIzMzM4NjY2\nMTI1MDE2NjQ3Mzg1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoAMo\nwdM8ZTxEksfn40rC7XCR6D8l45NrT8m/3Zt2hfFsZ+N/0TnQN0ZENuCR+AOsZLRs\nP9hxaZqtPKysD/VFAKN8MHowHQYDVR0OBBYEFCKGumoQk+ip8Wso3lF9BctUln+x\nMB8GA1UdIwQYMBaAFPFIyKovdkQGUT5/s1ld51q+sMcWMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBdQTbk/dMlWtL2xGIZh9nFbbDXEPh9JOH8YkIMS4d2EAIg\nAt6lHnUN7SJyXqBjWNZN/pEenwkZGyhbfyJ35yn2JCQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMSdYAAyRI/OoNpQM1hSpF/EvaKMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1NDg5Mjg3NzE2NDI0NDU3NjUxNTQ5ODkyNjg3NDQzOTY1\nNjA2MzQxMDcxMDI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOWVQ\nAQvJNuILrwFY9ArrrHV1tNCXpTNrpoLfcqqA5rjp/S3fo16dll4UmF6fFW8SoVfO\njGKjUhAohJB1tUofM6N8MHowHQYDVR0OBBYEFEuvjDY6gRQiyYx18TzbF1xZkNye\nMB8GA1UdIwQYMBaAFIZBo9MvnAqEkhys8lR+twHFt8DVMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlzzIG3Cha5+A2hx2do9ah+RzNhZltG6siwPKHuyPNmsC\nICsokkuSIMic5OIgcY6IsYAnVR8xNw3e5CDMp1qW/N2O\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcLFwPvczIrloWodNmdeie2InMoowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqQayygOiba0TcPbaHgu0+SJbzfPVH4cqoEamf\nh2GvClawmyykMgxnxXaorQLY/lalJz9sELKk40BRitmaAuf/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCmpbSxbQjBEssa50AMdw0zaYViwwCgYIKoZIzj0EAwIDSAAwRQIg\nbBBAH5M9SlhFzM7iBHQne0HoZ7hyX2Xuhy/LIJ89f/cCIQD5sJ6JHrlLEUcYybYI\nqxVSRvk5p3w1iqvCACXhQJd6vQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUS7LkPVZRsJ2Z6Viq21FlwpNz1CUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1zFubCJ4LQAuAtbY4OIc5dIFAJl7V2gJEIn4J\nETXSM9on/0DMDknRecADiqrKAsPXUPXiFfszIJHt1LCaLhBoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUET5JS1C7AvH58BwtHebnVcVttAIwCgYIKoZIzj0EAwIDSQAwRgIh\nALAFlHuPMf4rA2N4se+CWSUHtlm66DueSBpQz4tMFpD2AiEAlRTzk41QXCc49+r4\nYK0+Up58qln03FKreXY2iwC7reg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUY9IlkPQHCusBUhFICUEgfwwUe8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2NDMzNjM5NzYyMzQ1MjU4Nzk2NDYw\nNjUwNjI0NjE3Mzk5ODYyMzc0NzQxNTcxOTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDFnqEgdUZJy58WFXAefDpbD+kcNpLI7O+czHC9b9VPZaGjR7gnEXkLe2RGn9jL3\nn9S7nV3BQjID6v0lxsj11M2jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSxAh4n/PfL\n32HbuxobprAN3JsY/zAKBggqhkjOPQQDAgNIADBFAiAFW1SQ3NLs8pMCOKHSo18s\nGknejBYeOHKQeo2hQstHyAIhAIfdl928S8pqLSibI04cq+qUnDJ+eoff7Gv3JLIQ\nID0n\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUYrwDwvK4S2l9nTIt/Pq/uXm6310wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzIxNjM3MjI5MzAyODEwMDQ2MjM3\nNDk5OTg2ODIwODgwODc5NjI5MTA5NzA5MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOz/4IEcydmjjcl+AMc+NCLJewlXCGMAK+V4zC3hBH/rYZrEDzLgWiXc4KHQYH9v\nE+C5d8UUd3RSsqDvvn57oHOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTIWQVmAOxm\nzCBE2nNdRCrN9XyMtjAKBggqhkjOPQQDAgNHADBEAiAZkPuM5pUWAW6ZDCfPkoDn\n0v8pSkU0BlhXZldYbCzLEQIgZAskyzoGJS2qQKDAypAnGRXWl6l/l8g5uvWjVCSZ\nOpg=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUTmVdX6LLURzSgtYi0BiryB2QCsIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjQzMzYzOTc2MjM0NTI1ODc5NjQ2MDY1MDYyNDYxNzM5OTg2\nMjM3NDc0MTU3MTk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+eY\nSsRf/sgf4o2MRqnogCAeRLZFbl/dQIVXzp8sVvox+v1/iVucSX5nL/w4IqbTENOr\nvbHNi/5hf4zTq5+siaN8MHowHQYDVR0OBBYEFMMAXshd8KBgcwiWt9ln2XO8GN7M\nMB8GA1UdIwQYMBaAFLECHif898vfYdu7GhumsA3cmxj/MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiA+BWqaIuYHEuWQ5mre6MEJH6cKRqs2sYHUmGZURVwWkQIg\nFQ1aKk8FkyQY5srwwmG6GS/gkuKSoBqTFV1l6x+/Xg4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUPN84JqikijGo/0VvQb/FgOb6/ucwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMyMTYzNzIyOTMwMjgxMDA0NjIzNzQ5OTk4NjgyMDg4MDg3\nOTYyOTEwOTcwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLM4\nGiGAssWcsBJAqSwjpwCw8d4vSD/t2cWAVl3Y1eDcesQJOjQ2Eldi1awCHa3vnTSu\nvd2/TKpKL4Qykc3b06N8MHowHQYDVR0OBBYEFEqEtUPa0vM1pKsqd6EOprNcEXfK\nMB8GA1UdIwQYMBaAFMhZBWYA7GbMIETac11EKs31fIy2MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAtzjD3bgfqmmfhzBr/7piF9fwjWak3zZ8K7pfEF0+5M8C\nIQDnq51P4vKRv6o3aEEViGsU3cNkjcU7A+aZltGlAkVLhA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGod9zCuSi3juVUN/vwnfw0ZCHMkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASScmhOuRCfVWO7wsr24EOidtMWdrsVHfZbOFSJ\nuRr5q0DWrdsFmO/WTFPdUwQwcqBGbKhD6n7+o8KteCqBkiNMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAeje1VFSQkM4HaN1a7StVcEi7yAwCgYIKoZIzj0EAwIDSQAwRgIh\nAIhh3PgL60Q/RdicsimaYzGxaWo7ArynuY99jasiMPMaAiEAkVfm8iDJbCOo8xTb\nvdOiopRR5FnDVrT+3gJsdoS2dx0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaHtVaLyq4OXjnWZrmcn95rV7xtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/V5wKCmbs8SsMgcyuiuSewPUYvNdwKExSTjpc\nR918gBIbQ7xJiy26motjLPGOg8Gptq7MYArJEPn+6utJ7dmco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhE5eEnxuRfOukEXS0/OvrrWk5L4wCgYIKoZIzj0EAwIDRwAwRAIg\nfFAFw0YuHsW3x1LEDf8+bcGBh7nhHvky94j4ctLqeGwCIDsVaJ/tPHfOUY6RU0gw\nqCWRSU4bQ759bvqh+5pjL4a4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbGH23XYPS8etIIQiWvm34HLnJFgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCTmrnD6nyBM8upx4JJMqO1yTMDxSvOgnEs/cSL5rZk/\n2AnAjOndgqp8euCX7temsNhcMOdp0NCFNxJoKkuhzsyjWzBZMB0GA1UdDgQWBBSp\nUXz+IZ15QAojfgAR1QlbeNlRvjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAPYUZYA8icOAFpnqmXX0Fx5+9lR0XiC6D0jg1ABaF69mAiAlwFEyrCcWacMGr6lh\nHkIXe8QqeB7Gg552fRNpwsAfGg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabkV8PoIpn5fGjhWgh4+WuGQXO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG3IAddetBhQnSNepHYC/RIA3EzgQ5OwXfpENovMD1j+\nWva901eFhz/ly0zXwmx59kAiSDEuikdBhTP4tc3p8M6jWzBZMB0GA1UdDgQWBBRS\nlChXcN0uw6jZo68Dwvab0TQncDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMbLUtKZXSUTB1M10EzZHA1nVAfYWiBEyPaRkFAgEHcBAiBWKMPOTZs9mLBhpJyz\n5fjTv/Lp3wRrfRA+6uG2sXnpog==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUdaDWQnyiiGLqmDskw2CY/qXTGnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARn1zz26HsNzLFYCJlllU+pLSvPVF9W6y3tWkmu\nXA/JtNfXJkbR9TQZXZhuFcRIvLXZGfwwtIOOecSbWjjTkIp5o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUW00eQj1lX1h8TYf5p9OKA6hLRzQwCgYIKoZIzj0EAwIDRwAw\nRAIgRMQItG/HXO+S39DdZXa7/YcCdzF6tHbbVlhIa0l3A08CIDLIjF9BW3DvbdPA\n+f0zS93jmV8moWJ2tIii+wgPuHzi\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUUQiBu7VjCb7Vd0ip9acdZHPSQyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuKOQRuE6cCqjvarekOI6J3a2rwk3npZIENDd/\nMxyZdgOnYL/7qfjtegXip80gEwXaaNERdaosWQhAvNdv6HWco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUkx0qQsdu1V+BtzWoeTpyInr5r2cwCgYIKoZIzj0EAwIDSAAw\nRQIgek7Ish5B1b+X/0ncGMFyWaK6lk9yeGYb5++rf0QapJwCIQCrpRdYJck2n6ro\nvIDDViABO650kKYxfIa+yRGd2yf+bg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXVl4RZ0+eqUMKa3g2X/EI/W/VxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF+Yj9Mf0HH+eyJGoGD64/2G7kaipxI2BTcYhEWQSoLy\nml1SAcRR9XbWrApPBiNXpPuXRKObJE5aVy47+y7aDN6jfDB6MB0GA1UdDgQWBBQ/\nsYmk3HgKzSnNf5+amvbV7SSwETAfBgNVHSMEGDAWgBSHRXfnbRFzTnO9tkdEGarK\n9xxZ2TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOo1Dl/vSGzGLkmo2xv5\nHp6+KwXs4EmcQC1Z8sovOfMNAiEAiZZit9vqsCVgGF6JqIBmi9VfMZBFdywpLSVv\nQGAFX/I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUT8m9vzouwYngxBhuw8z3uv13RowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN2a1CSHpxJ6aoLE0Hwv14Vhsa0TbzzZT+k6xrntVMbP\n9bHJlHMum19wQHye4MIiU67Hpb6kU+CpMvF+nHPtIo+jfDB6MB0GA1UdDgQWBBRg\nsSMwuS8hu8dNlEwSzg8RmODaoDAfBgNVHSMEGDAWgBRTEQRUeUJ5u6Qn6tLY8gIt\nEocjmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJp22Huay9ofQbgbVrcn\n7Wa+E/eg61By3nRANhTtjpZhAiB8GlzlFcuUInPAcGmCOGmogdpd2U/UyO9fewaM\nh6L3fA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUWCPDbz0evwdum1uurKBFaykvt1QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx8Bv6YokgS/5+foxYYPD/lLsOLfNQKlOxHumy\n757Z0/ZIiCSPk59TDwSp8ti1s0bg8CDXeJgLUyJpka35Qu+9ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA7FxXwyPix3Ua0DA5uKkBWeJGx2dvcZAy6l+E++y1\n4jYCIQC9ZK0I98vhW/6AnR1g+4y2s84lrFb6F9XLtrVTYqJbfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUPf776Z/CFwARK77gSJPyB0DhJAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr4QgU8v0AZRmX1cKPflxp2MoNik39C46bk9Ie\n6fC56Lj8JPtJ1qhcpqon85kI8P5bDCV3FIzcU8Y1F2A8HbA0ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAyEazV/ZBVaee49N8R4+SrqR4PVVTX65ewD2X40zv\nqpUCIHdm5QkvNJF+nXZNHjZJ5Xj2nFohZCgOLCSLbKoVEAtY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUS37nJTSPJs/F2XaFnpELDLe7rrIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL7q9CVcAqbJ6sOt/MtJHvnnIEF/xCh1Qv49sjuUV2GM\nfdQNPpUxtbpR2iwK1U991xnPwXt82turhRQbMT0h6jujfDB6MB0GA1UdDgQWBBSp\nzTxjE4/bQcUvY4/bBc4bSJGVlzAfBgNVHSMEGDAWgBSDpeMv7+CRvO8jhRSJWahq\nHvoWRTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIgi/bC9qSBfmBVkh8xR\nJze4wIo9eIWq/G4av3qPuCaPAiBB0u5HU14j6YPZdGRlLSGXHD9DiJ2QRsI8UF2e\n8V07yA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXPPEWXTD1z1KvBVpLvS4olfQHH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGm9jbB3e13Y59FjfkkJDcc33OtAJVzWB2NtDjsD3zzy\nM5qPjx8iYQY8YaiSEExGBYRqT9HM+YXMjIPCpTKVEQ6jfDB6MB0GA1UdDgQWBBSV\n0hhAPkb0Tmc/jk2gcGifo3w/+TAfBgNVHSMEGDAWgBT3PyUwcDGxrJTF4LyziGfZ\nC1ZOkDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN/CqwXpIIriXvbNOHBw\nMKA54eu500FsHoNX6gVFEmCDAiEAhgNh4HavtkUT67J1Ls7090d+k8r5MPomUzqh\nTrRaRyY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTuir0E7kfN6phOz9Ux9NkJxwk/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSwSKACjBkYi+IpRmyyHInkE2+w8zOoK/VPD9c\ngZesoMjTgMp8Tritp4hbu0LpauNFLm4hq/D/WUvK0uvb/UfPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYRkVfGkRrmJuOhBXKsmECh424HgwCgYIKoZIzj0EAwIDSQAwRgIh\nAL0HR/QLaHFxaFPanVT1QyTHCdouEu0eltAAR/xweAz6AiEAxS+/merRZCbXEOOg\nA2W5M8Ox6eFFTHkRZyOAGZtFWz0=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUNFtft+X7XRZnHb4X5ZXKh0oNgF8wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtgiMQRt/ELelP1t1UL6WoJ6oFps5d/Da\nrHFN2KRi0qKzKKGqCm2ve2R8hm04bPTd7l45U23v6jf3CMdyUQlXA6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFMXt8b5snvsPQcv9BZJsOTgn+R0ZMAoGCCqGSM49BAMCA0cA\nMEQCIBZZ+3mu1sbplqA9se0689SWwdzUzbwvXzqo+9kFMoWQAiBm+ICQPastMy+9\nF6te+prohAx9Li02eNZ9rU3qYX68zQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaddfGPDENHPnOK1p0KaMR2kE8oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMlYLE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIg\nQDJHGMEX3zno48cT3K8vEouNQ17zGf3nhdEY8odYl+0CIQDjM+ej2UqyKcC5o8zi\nuchGOZUqoQTJ43oSIlS1TMeRTw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUenakj273C8IsHiNoepr4LyiM8gkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo0YfrN1+mFuWXR0321pO9Zo9Gmb13SQe\nu5x4xH+FJf9YLzCeKscHsmVbh8pFNrAQKzsYqqplWFoDMNcb4dCAg6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHr3JIAzi2PZbeAIpWChaYLUXrOBMAoGCCqGSM49BAMCA0cA\nMEQCIAD99h0QoXj2g2sbzawicF+RXxl8+EJN5Pm302OKjblKAiA25fzpJdkm/2oP\nZwk1nX19jSKncz6W+/3SwTTa8Sxlsw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUcMhhsIT8x+/o0mdonHeKH2pIuS4wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSwSKACjBkYi+IpRmyyHInkE2+w8zOoK/VPD9c\ngZesoMjTgMp8Tritp4hbu0LpauNFLm4hq/D/WUvK0uvb/UfPo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTF7fG+bJ77D0HL/QWSbDk4J/kdGTAdBgNVHQ4EFgQUYRkV\nfGkRrmJuOhBXKsmECh424HgwCgYIKoZIzj0EAwIDRwAwRAIgJlN5izbNtrUsx1FL\nFz7V2OIdaOJu1P7qj1z4Mz67uIkCIFMC7JFzDuTq0O03kwUcJUCEmAk2S7riGAEw\nPhxWr6h2\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPaYLwkAUvnwZ0pWtC0L1B/v3lRkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR69ySAM4tj2W3gCKVgoWmC1F6zgTAdBgNVHQ4EFgQUMlYL\nE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIgQticCATV4NOu0hF4\ncC8Epcy7ZkQel2ZSsNHBXsP8XtUCIQCa0mP95rWMEOl5VpSofoCaWHrJwVCojpO3\nIAepvtbQkw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUDE5p+Y3qS+PgJcgiSqT81OTzY20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL9GkGIO3M30XN7N+0Lt32N3g7/tPrW8EVjvmr0aT7e0\nVlUqLqvRNIn8KvByH4Yi39lN5kruW52kFdmGfd0QxRejfDB6MB0GA1UdDgQWBBRS\n3TL6RJ3n5hRWHZJoHImBvMt4+TAfBgNVHSMEGDAWgBRhGRV8aRGuYm46EFcqyYQK\nHjbgeDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJkXA8yB58F9Lva6q0cD\nWGfMixEPxkS4BDVnGUUTpr9bAiEAmoIMJnpNPPeik4eSj7E5opcuwS97tQdF+Qxl\nDpmd4lo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKfePJR6NwKoQeP29B5OdK4xOLG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPB5ZduIGvivUxB5KCC0pzSTpdLbulOzXPFoyVBNDhFt\nVsdzIF4zsYGTc/BkAeFHwlTgABZTc+w9V6dmXF4xyXSjfDB6MB0GA1UdDgQWBBT7\n95sCeBtZVuww5WYyfBIaRK3guDAfBgNVHSMEGDAWgBQyVgsT0lQT5qAr0nFVDf5a\nScetDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXpmeSNkN6DzN2eEfbB\nckZGiY4vkYQT6MC5vuXannACAiAA05CSN468aU0H51u8L8+WHz0tLAIwc0MMHU+K\nyQACUw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUS8vTySjfK6TslmoblAMYcl8JBqwwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBn37OiQ01Ml\nDYcRO4/P7zvUnWqACLMr0fq8+cMiQMA0tB7heNGqdQ6l5peAELpwC25w+RQwMM+z\nf9UwuEb6Ew+jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR3rlCN1bqPDQn1Sno6Up9v6Tim\nJTAKBggqhkjOPQQDAgNIADBFAiBXy61RXg34+ydA4L0zxD9hXdMYw4OYXpsPECOa\nW4m1OAIhALXiSyty4o0m5CEcz73bd7HyCgZJsfrWRxVUOJHdzo3V\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUTKoE8ibggclHVzvJvDZ1kNLTIBMwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPRFcn6Fygyj\nRqnSEKxovYdx1TDXsvcXeXjH3w7ZHldBqGwPXU8GCzOBb1U2D2Pq0yDp9FBI6FVO\nFFT8GzQbp52jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSibqNKswPa3Vws9SwQUmzqYX+7\nSzAKBggqhkjOPQQDAgNHADBEAiAidqujuzhv//aK8gUYolJT4hZhEmDOBap8O1Ui\nmg68egIgGQ9PUUr7S99D3s8LC/QVsLBfxivWpddsOCrkaJq4FFs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN+vntLuzIUGK5/L9tZ7xzNKiJvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY5UFv881laG1Uttg8/jz1JMOLHn44nf6c0vC8\nKbFGXnfMKW6a5oazBRCN8MaGH9bgPD6bWpRo9eNd11OWHR8Wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Wkxx9c+y4kMo+9hJylhnMAxfzowCgYIKoZIzj0EAwIDRwAwRAIg\nQWOOxaLBhsbikMTlrjxvuTNE1OMauWjaIvohkA0GdwgCIA5xlkiz7I/+hGHSsKBE\ntAfUIVcq2OF7sfbZBkjerYMn\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUJHTzrP6Lx6+rn1gpkJCmf0/Zc1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMTkyNTUzNTE5NTUzMzc4ODM1MTg3\nNzY0Mjc2MjQ0NzkzOTgwMzE1NzQzMTI2OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCQ8cPDr5UIhIAC0MsGWoRDOUUxmUD/pxhgmbHwXowdbzuI99+KjJHve4XbqZNrL\n2M6SNM++uD6brgObxX/F+L+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNVpMcfX\nPsuJDKPvYScpYZzAMX86MB0GA1UdDgQWBBSqpdW86SudYp12pXFza4cqj1q01jAK\nBggqhkjOPQQDAgNIADBFAiEAvcciLcW7s0rAFN99t0SEI/UJped+VsCMrQidt0N3\nf7kCIGDYBeSHy+9LDQpAiSvwO30Y94ooDV7QwVGmsijuIzGI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURMplJoxJYX+9CQM7e4cYqd5Do78wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBJKKPmql2B1CeD4kNRQDQTZkz7V8Ll1W9t5WS\nhk6rxjkDS1gFEMmIJQ4CPpGp5Blk+b6QhN1w72+c4Y2nBEcho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYnpQR+eUenPNOeq108E6zmfbMsowCgYIKoZIzj0EAwIDSAAwRQIh\nAOpyDLh230ebeig6vcEhfDG4d63a4QKvNK9WF7YtlDZNAiBDUG85RXyKrtvWeRaE\nIxexabXBMOFErOvdk1inf4pP7Q==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeGEDsnn9v+mYufNc/f0VTC4B0iEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTI3MjQ5MzQ0MDQyMDYyNTg4OTc3\nODk5NDAwMDM0MDk0MDUxNzY4NTQwNjIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPTqCjhXggIN1eU6tHJr6Ex+ofQSFY/5ltoh3jxComdFDTPLD2E6swtl9/osEb4\nXZEXniVrXvyIxvAjzniyFWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGJ6UEfn\nlHpzzTnqtdPBOs5n2zLKMB0GA1UdDgQWBBQxZLapl+W1VUpQ9xJb8cETEw6EpjAK\nBggqhkjOPQQDAgNIADBFAiBHe65VBpWkngvAYKGBmPkalQ2b3AAreCe3KWG3z9V1\nxAIhAMBCngJ+0zeUeyn6aDP/O1cc2m8RXRHCipmiIhQoHAYM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUeV+lfGMHwOj/Fb28kIOaQeuZwGowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE5MjU1MzUxOTU1MzM3ODgzNTE4Nzc2NDI3NjI0NDc5Mzk4\nMDMxNTc0MzEyNjk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiDE6\nBl+Uk/ZwLmbHmCuXLjLTyE468lYPeJZYKaE1kXLXqRX5CIBu7GIGmu/rTydm3DBf\nwxkkikRuabSjm5ihC6N8MHowHQYDVR0OBBYEFGbgi6ivH1aKp5mHwcKk+t/ftrt4\nMB8GA1UdIwQYMBaAFKql1bzpK51inXalcXNrhyqPWrTWMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAszywfQLLygcRNE0NqPhpFo5xBRz+abkjHSBiifaDILcC\nIQDdgiMREV4Cvo8SutXVNTClbTF8nXVuKqeveGO0QGSrjg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUT5TbDXCIQ46Oe41Rg9wGCXjBYcowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyNzI0OTM0NDA0MjA2MjU4ODk3Nzg5OTQwMDAzNDA5NDA1\nMTc2ODU0MDYyMDE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWJjO\nn/m6Xh5UCaUIIAdifpcrZyCx2mqvfJCC49cIz/TPx4BOW5SzgPqx04PtV3cHlpx9\nOJ0a+NRQV6oOsM4B4aN8MHowHQYDVR0OBBYEFIIxzlJoW0Ud5opfIDbIicXR7U80\nMB8GA1UdIwQYMBaAFDFktqmX5bVVSlD3ElvxwRMTDoSmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAg7KO3wYL40dAl2CWhvoHgAC8oK7XqKcN/KeNioHwi2oC\nIQCQkk3nf9bZl/vniKEnaD8ytgO3YXw8QOq25/RJJyK/kg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUE67pvCqV4GyMbsmEsm5g0wBjNp0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6F6t20+TUUF6f/yxM/BEh2/MDh/QTA7V8pXnQ\nm1+17pN4LhUW8WffmTIzA2fKO83jDXXJ2GWV3ruZsMAvONeKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoApoWMvQPU6b5/XOiR9BVf8mff0wCgYIKoZIzj0EAwIDSQAwRgIh\nAIu45XAcX3YqiApW1XYOSNyU8USnLx8FYgQ6yAB8Q0l/AiEAycg5JqCpm6cT7axM\nKQEdvgVUHXTWof3xDT+L72cyaf8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGAVUoY0c22m9MsXQleEVXRz9zK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLbkHdbN+QOdTbgQFAGR8Dc24lKUquKWBsnTSf\nCNQJ2zOkg+Lh7bCl/lZiuK14uh5G7JD69hrc+HBaXE3MLzzNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc1oByTavztrd+lqecBvNNm95nIwCgYIKoZIzj0EAwIDSAAwRQIg\nGEBWRktMBOi+QVtZF7eenxnF4eA/7JadqlvP5alohT8CIQDt7IUwn3SZdg4+iWDZ\nFibJ8f8hxOPtPhvZXpXJi8B41w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdYOTC9/4UclAQaz8nUiw2icLeRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDAxMTIzNzE1MTU1MDI1MTAxNDA1NzU2\nOTk1MDM0OTI1ODM2MTExMjYyNzg5OTM1NjUxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGipjhxffGzR27WEG+O9h8uEZsNJS6GS3wv46TOsVdCelUp2FMsVkIkdnsJc\nSdR4VpAIQzpl3u63RbeQeerNKf2jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKAKaFjL0D1O\nm+f1zokfQVX/Jn39MB0GA1UdDgQWBBQODFGo7gu3r/aEwN8qMecIRh7XZjAKBggq\nhkjOPQQDAgNIADBFAiB+kDzphJ5XBG+gtUf+7BaetPZCo5syLw22gV7EsuW1IAIh\nAOVaqL2h/IG7Sf9iPaY1NPBdRPo8yZKXKyLjXHrkG37I\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOCHEjYDiubR/V7KrtvTObxcd2BYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAxMzcxMzQ2NTQ2MzA4MTUxMjU3NzIw\nNDA0ODk5MzcxMzM1MDQyOTU5NTQ0MDI0NzkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABBvDucVWAw8bIT/O0W0q6/dDetPxWhPykHES5YAyLndbHmncd3XOMdadTnXz\nsGqMN9Ph7PPMTJVlbRgxOiFY4v+jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAnNaAck2r87\na3fpannAbzTZveZyMB0GA1UdDgQWBBRxi303P3orJBG8SmEY3FXBHq61DjAKBggq\nhkjOPQQDAgNIADBFAiAGqi/vFSmQ9TFcOkkkY/rrU+b8WPqWAUsPb2n7zD9p9AIh\nAL3j3hLporCETLPqdOxWu/cQHqThssEbXvaUA+yOWCDN\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUFPv1nzf84N1QQKODHvqtdJrAvAQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTEyMzcxNTE1NTAyNTEwMTQwNTc1Njk5NTAzNDkyNTgzNjEx\nMTI2Mjc4OTkzNTY1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n3+nv9ZanwALKR1RWVK7SGQoRmZyQqQpfgrcZZrHng75llunGrytaWU15lSfosXup\naOi4vMTAofz1vohPU0F/IqN8MHowHQYDVR0OBBYEFBS2JOkodsSBLXh0ap6M6/pt\n5oEeMB8GA1UdIwQYMBaAFA4MUajuC7ev9oTA3yox5whGHtdmMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAvAPUile/xZH8u5/1WleMy5bJ5IXiXZt4kuqrxwMO\n1gcCIG5k1y/HMXPaI+f+BauwcY5SH9/zo1qDbJt21prq+bSi\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUWq5oKq3UMCLoTIyqj7PE1YsY2AAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTM3MTM0NjU0NjMwODE1MTI1NzcyMDQwNDg5OTM3MTMzNTA0\nMjk1OTU0NDAyNDc5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqOTZAKnRDNovoCRaSt1MtKXEG3gnjVrci32vQUUYK7FlsthmyxAQ9ROGAWJE7XOL\n5GgPKDQkSO4Xiz5FuNKCX6N8MHowHQYDVR0OBBYEFEv3gT+mklzjNJqmxTgbuNyf\nbX/mMB8GA1UdIwQYMBaAFHGLfTc/eiskEbxKYRjcVcEerrUOMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAwIiX8A1Bl98ZiTUE2bp4oA9IbzBMSwqwOnkKSawP\nRrgCIACXXIyeuF9TnwTrvnqU2bvPRoqZiOv+9B0/8WbrXoRK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUO1Bw5+4/aDa40xy7WiJJ/B53YEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7uJUS/QZLmLxB6ZQDu3eqXLGbT3QmM+URPnKc\nBm8kykQ3xGrtp07EAXVOUmHZdCXr8b8Vdc3kCX5q3AKCsB4Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTfUK3iKLJ2EFDHNHltLqheEwt6UwCgYIKoZIzj0EAwIDSQAwRgIh\nAOy9nfm0AyAoAfPuqGya/TBv0IO0PepqFs8b0tgVBCjRAiEAgP5vNMPyBDLIBhjj\nUvCsMhp7/HpltebZA3s52zIxf+I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXbE+qWs3VS/y+EM3sesQQYLFx+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFW+x/GDJs2WYWNyy7Tbl7VBmlPRkJpt3+JWrm\nb2y2F6eV3kVJiXIWiNDtoG3mXnhOPK6EjnnpITICs+awhcY7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+l5llhIbczmII4gr6qfSKYB2itcwCgYIKoZIzj0EAwIDSAAwRQIg\nR64Yqs77AStArBvuA7g9AhV91Pu+j7QATjC6TJPsYZICIQDd3KvPbSfVEPBXkgIG\nqKcNtHYlWLjokxB5Qhg8FT4JYg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUe+tgD/yHP0TmSBV803ems9WNfaEwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDYyMDEwMjY3MTQzOTEzODExNzY3ODc4MTU4OTE4MjMyNzY4\nOTU3Nzc4NjE1NjgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nTsm9pqZs6B/HtOJFoJ6y1/31yPC/Jupmp/TVJeUINj0grS83cn78dLdnMgRE94RB\ns5uqRfaFk3bVY3DxmkgzCqN8MHowHQYDVR0OBBYEFHcIf88d5ZPWwEJjoUO0BHOG\n4PJnMB8GA1UdIwQYMBaAFD4arsOzgWz6v4UFALf3Fy1qNDAXMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA0gixx4uyWYZuM8bmnef3wcR9Wx2Arf7GAPjU+cPJ\n5WsCIQDG/7YWiAXAM8UomlLsoYcwGxLrmHJ8GN3e82iz/kLPWQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFcFMO5LYAB7uRw33q+5pvc6PmLQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTM0ODg4ODMyMTk4NzE5NDc0NTAzNTY3NDg0NjUwMjEwNzY4\nNTAwNjIxMTY2NTY3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\npOKvkXzmaWEJ8YjTobBOLlr+h6pRPgS2FDSgoeZVs7MgBOr8c6ZFJFoWweFQDW19\nJ7el5vqCDRkU+iYKPOUBoqN8MHowHQYDVR0OBBYEFCmyKN7NBFMAFIlKldJ73SjL\nDnzWMB8GA1UdIwQYMBaAFIJEPK9CLN0OuhDFxhdbsxgkug1MMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA6iS0c4RaU1/l4ld+KziMp5yJWZj7L40ctQJVbRxi\nTJICIQDR3FkeI09GacsO8Inozyp/nApHi+AGLYko8M++72DwcA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfTCCASSgAwIBAgIUKOP++8VVrexpseg3f7GYSG9gvCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyc13pi42v5e8nru8Ii8v48At49XjnaKkZGBIA\n8+fvKxwMMrMjSdbRT9GrDnZd65iF064yzHgfyoNMPb/vptsjo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCpDUL+hhruw\nGY+MebnJhVorNhVZMAoGCCqGSM49BAMCA0cAMEQCIDtJtAnn8S1hzvJPDMp2prU3\nPZZ62fjHuhXc/t4nz0W5AiBcDKgktfKnuTGvklOIJqs2kWZmIFfxzPAmU8HojaSU\n0g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUeOcc9Goc0HxMM6uwGN68ERuKbygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXB9MdVcWt1ii752rKBhhJorDDCArjw7wfReSU\nQJ7xZ8YiSe5Bp6Fh3xp9RjEAlQxS0fgSno1XBJcTKDsCZTkuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCKJcBokxtmr\naHHESSW9zt7e0GDgMAoGCCqGSM49BAMCA0kAMEYCIQCoxVuBUnkzViFjSXlsLieg\nYeFF0EJcucE1SE5nd8ezigIhAMwC2t1dRbcdrn76AsiayDiN44giP8jyj8lw4fMj\nzDWc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKBM6BLAPu8hnyYroPsTzXxbkhlswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAuWglwy51SQhBlQfJC2InjDwpKWxrNU0qUuzn43scAc\nPzxR2/BpTN6K8Yo8gROSgvwx8mFiJtZ6PfRPbXhGIxyjfDB6MB0GA1UdDgQWBBQG\n66MBNcZfmffgDKaEHFvEv63EOTAfBgNVHSMEGDAWgBQqQ1C/oYa7sBmPjHm5yYVa\nKzYVWTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgR8HnRw5nPmSJzGDcTHgj\npQ2s7c6ZNoePNST2OK1F044CIH6D/7uuetkK92T/bqn4U7MbNMDmqVg7C255UBEC\n+c81\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUGXIO+uBrt/U4TSSEVPM8P27gfVkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOA3V2VFmTRLvCNJsVtK1NBehLKZZ8wOuKSm23tWv4ss\nfbn0aAOy4/7aDhPIB/dSAZ3s25tIzXNtY2DbgK0f+1qjfDB6MB0GA1UdDgQWBBSd\nrWrOIHrvr/aradmx07uf6bPQ8DAfBgNVHSMEGDAWgBQiiXAaJMbZq2hxxEklvc7e\n3tBg4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPhYkItNXb0zK7IKnK+3\nk45DSrYU+qSW/MB0cZdXMslAAiBFGH3oyFFYQUn+Uw9SWzgMwQcExxnB3aGED3dk\nLO18EA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUOV9Iy+YNJ+4RPzONJ3+jBBhaOO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/usgk13r5mDoTloy33GXg6ruH3Nuzk9y7PRk1\n550GTFir21NJCQHDT4jA/PJPIcDCUM1P4GC26tSPkDk+qKJ3o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUbNrXw+J93JVJ5h1F3a91xnKM0kkwCgYIKoZIzj0EAwIDSAAwRQIhAPol\nvZDiMmvI9tFdBUxPQA/VrRaRo7LnMaXXeEU8HX3zAiBUweDaT2Hp+7c1QJMg76fN\nFg0nz3ExIfIY/PP6G2v7/w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUZv6Ru2Sc/S72sshFEXNcXESzacYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUEzok7aAzL7DSSWmUGQcWzZy/2GnyR7FRFsd1\nscr2DROZzx3G/zIznGQCKb5WEfTvNJlT8kkwI0Shqgzhd4jmo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUws99bIhrMaszGG/URWh9iVVGnWswCgYIKoZIzj0EAwIDRwAwRAIgAdP6\n1lLBmWzOz8634ptLK7Y+fkz3nZx0Q1Hf6UtN/N4CICpRc/PykjO/2yPKV5Ek6tcg\n9sjYBHq3Lolc/jLO9Ka4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUEm6gGk89rldELJALhNPPpffst+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFO3S94Lell5TXZ/Fvsdyxqrdy56QRvpAwmAjRNBPs9z\n6xqkqMR4Sp4+PYX2hN3tpJDiQxUmWA1laba/ibaDxiijfDB6MB0GA1UdDgQWBBTg\nePY+l37iW+VWRGEeI9QOjAdwSDAfBgNVHSMEGDAWgBRs2tfD4n3clUnmHUXdr3XG\ncozSSTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDFfrx83nPPOPtPL8sc\nxoX7/dl1DDH3b2/n1FY3VJOgAiEAq2nFLgMp33ncUSzPFBz8V0nhYu8voqU9MsBi\n5hinDHY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUO0GZvPHlBEMcbRBYTLaW5mMRHM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNDITjwDCxFybWkBt1iD/EN+bfSy0wtlXS93lNffMaAd\nm20tl5ACZyUAgmQV2LvDLfTOI/kEkB1xZRw0afYmkWujfDB6MB0GA1UdDgQWBBS1\nG9noG8bir9JBR+LttRn5V+W0vTAfBgNVHSMEGDAWgBTCz31siGsxqzMYb9RFaH2J\nVUadazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOnZ0xVPTrUlAm+P2JSA\nP8m7OHFJt2QPnf13t2pzihk9AiBQJN4JfQAnhSUN/7T+gig+vRwbUhKyyKH+FI7c\nSMdkhA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUODqUgzk/A/jZCFMutSQafw+OcyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3yLzpCWRoWnwEw1aJTMyCZDS/3eFnU8cyMAXh\nbrz21HPiNMIkhVghkf/GhOop4MFllvLHjWmztK6/hlDmVbsTo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTKRJIoNjUqbDa2d8bhRKYzw1CapjAKBggqhkjOPQQDAgNIADBFAiEA\n2tWUp6D0U2ZjY4lVFBGS47bS52R1K7U0M//YQDFRGPwCIGHSZvil7HtsLhcmJJ5a\ncEU+dk6ecbvSdP5vrfFWBP2s\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUbR4gZ37OTgH32OnAcdKkHYM/pwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStDeEfg1ZS9dMYr2hFVX0NCklI93VLOCCgfEL3\ndtIVVFcbdoH+wbC+dv1fgnkjcp9ksZrPQAhrIY5+R0D4e0OGo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRZcQO9AmT/QziYnZVFQ6AUlOAXNTAKBggqhkjOPQQDAgNIADBFAiEA\nr5fU1CNRcWZuTpXfRI9IceZT1DWvY1L8fvrX10nl4NoCIBKOqdKth6x1hdFlA0z/\nLVE1cLQdGBM4uhPNDX1y3k7C\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNUcp15WLDvbfrqTITiFmPlbJjoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDl58lT6owAm28Z2BnCMqssAxOkKnImX/O80G86LUNaZ\nCJkHQ5IIZMicHUBEXdz/u/g+4UNH5RBsnuoVvJAwQ2mjfDB6MB0GA1UdDgQWBBT4\nPj3W/evLakgQgm//8yRCTr3qbzAfBgNVHSMEGDAWgBTKRJIoNjUqbDa2d8bhRKYz\nw1CapjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBWcT6yy4Tqkdh2pCvjV/\noagFUCU/amBVB87L17CAhD4CIHWoY2+UqeBteNSwcSM37QuBd6Eq/ye/boZLz2VV\n2LIM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPGkmvWrieOP+TxHsZywG4LuzWr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMgu+Jlh4ck3RcsR4qwQBTJIZb17dOLACm/MNGLQlFSS\nE7Zo99ualEBNLaMcxCpQJwWCGV43COcCgUGqQXC+gzajfDB6MB0GA1UdDgQWBBR4\nZESB4RAdKTq1Ep+CyW/5naKbeTAfBgNVHSMEGDAWgBRZcQO9AmT/QziYnZVFQ6AU\nlOAXNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMkFmn+n/vJapkwwUb/Tf\nONqXZWLUU2b+wZpFHU+alMoCIQDTT46cUlGWdzi5EnWTYFkpr74HhsEngNgalL5I\n6DEzqQ==\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT3zTNZZDJwXR47y+YajtX8tscRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpaEVfbq4EG5Rga7ufVSdOLTsbAJnRyKA5JVjI\nPOhUeqX/EhKCUfV3hDZV9e4K5QHetasCgiFW5NnZJX1pRfbTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz/E7lzsO3eYbqMbb/dtwLfkXqE0wCgYIKoZIzj0EAwIDSQAwRgIh\nAMXR9J6nR5qxNpN8y3L2BO96/BJuWxf8ixAGYom59v/FAiEApGN2ZZoGiZSgFHiN\nQEv1+qMTPfIuGz1s4PcJkAOkjtE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE0yauC+v7Fm/+hIdCV3Czsdha3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsh6qyuQPXl0V/t5BciPpxrKYHcIedoMycfI4w\nOzxR6f6NI9tCS72LRxKKvz3sJU3fByzlwPioaw60UD2A6ASio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLOm9X5r6Tmv28RUVdKHsEU0R50wCgYIKoZIzj0EAwIDSAAwRQIh\nAIyyn1NQcqaGcfH1j09Dr3NdMrZ3hT1oXrQbX8RDDrafAiAOTlz/euKqFUFXSrfx\ncq5j8yFBAXWLb2XDKPyi7hgBbQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMgJzjS3PyCzay4EpnTX8QIqf+VQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDUzNzkzOTYyMjI2NzMxMDQyNjM4MDgyMDUwNTE3MTc5ODQx\nNTAzNDUzNTQwNjM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEldT1\n1z+AijNDHzuqj8+6v7oDvvYUeyczwM5jNH+KZ5xPE+CZet0oUFUSJ0OLEv8R3nSE\nDJ87LDmwzNYy0OwTXqN8MHowHQYDVR0OBBYEFPDC9cUtICVc8tqt+GsDJqzojLto\nMB8GA1UdIwQYMBaAFLRqgIGz1ccTTqU3U+z502HLG5Z1MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBEM91TPCLY8sBsKrkyfUCFiakbH1njMbumwx3pMTcOiQIh\nALgKBhRNjh+F8KlQQEkqwSXHgEyBBYNQWaQEUAfSrS0s\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUEPnYE/uriB3AMcB0pWNlSkoUT98wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEwMTc5MTU5MjQ4MTE3NDQ0MzYxMzY4ODI1OTAyNTU5Njc0\nMzA2MjA3NTA5MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUrfR\nU8ylIuvmB7/3ncjcs15+g5EvpdJhKelND5J5GRf1DqWbsqHCoSArf7BZsaMV+QOC\nJ9SOhQhS2jOAF4HmVqN8MHowHQYDVR0OBBYEFC06/ZWQUB9lpU+KDjU1lgCPZJea\nMB8GA1UdIwQYMBaAFC1sLzBD3bv1yl/pYg4rqrbS2+KDMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAWuJd0PuXbFMR1YDsLzNndAczzC8JGWfOeXGS6GnPu3QIh\nAIDcJZiMr7sVnb6iWyEcYQ2mHeq8dDJKMvp6EKPfjtAC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZDfwwToJYivrT3YCAnN9IFJ/AR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkXM20rS52ZpWwCHezHE3XvVPKSvGUSESfhN2a\nXQeGuAbSzfKrPoSgBEvKkwmhgN5fQcF6gUoHNm+sc6r42jN6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqefoiZl7ix2ntrWCJPB7XcCbF/MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKVQsU4e6BKZBCcG3IX+noxdCdhABVdIpjv7y4+dK5w0AiEAo3PEpsM6Kl3TIGhh\nCEuHdgllYO45w15Fb5dq0VWFnxA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSGtnaGK2zXFGFe25qt0PgUd4IqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATveGW04aq4JPFnaqUYnocYdx/iN9MGzQ69GxMS\nS2xCdCNqrl2jwFsKoU2kYExnuz76QFsrWZZKUsynUcmSDVxGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCgYIKoZIzj0EAwIDRwAwRAIg\nIiIJ/C2DyflGfUC/lNfVzXLYb7vBFcBsb1GxCcQU50ACIET4LxQ3kPgF2PeP5Z6i\nz8YVGfhyaBj+6PIDZ2GMIFYe\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUC9Ts43XnDuDTtqpttS0AAyvWyhAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDtMdmVFmrJdovtdY31qi5KqZ4EB9hRKzIY67SI6SAVo\nx582tmjD/fh9Pz/YowIGHwxizajonC959FdFiONF3DejgYswgYgwHQYDVR0OBBYE\nFIjAD9fzTWJRqS84nwd7ijBHGtZtMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nqefoiZl7ix2ntrWCJPB7XcCbF/MwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQDPMl/Hkt26zmfRZvHjDBstgvWqqq8FsJn/C5WogNMxBQIhAPqFbrdt66oMoP9x\n1sbg2crxtE2WS7wz7RZVvl8tPxII\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUT6xywdTY/qgH7v0sEau82Zdx2q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuQr6KTw1WoG5zGbOHp6kOhWWV2ismK29WmPwK8Vf4Y\ncPq03OSLm0HLVRShBnsgtczehFgphTAmb8skxTnBd2ujgYswgYgwHQYDVR0OBBYE\nFHUNYxOOhxLmA5Lld8ckm52m5QRXMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\n1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQD9kHyx+UPnUU+tawOAuiB5fCX6m2YT0/wBWd3FLDNV2QIhAP/qFCaoVBQ/gIXK\n+ut4G2f5RZ6EDltC8FRPxG37Dra+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUKJ8cqMv5MaVb0Y7jaE8pRp4q6dcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASyyUWnwLmwhcW15XQfTLNn7mc2q0qYbbmdDJBJ\nou7kzJ2xEOo44Qle5W0EaIuEIIPs2oQwDEXRMJtDQyB6bJJgo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzsmqpVKecsLc8mVzf28713I0FVYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHvezuABUnxDq4q+cjFYMI+P\n5huGPGwmMmKqrUW/bMPEAiAQc/5qnzkAkPsuPdGOJZGN7qayryk4tTHmBO2G/3ru\nzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfOcviViK6WXKql4oUCWDgUK1rlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjv/QllcMdUrrYzwNi0hy7URM0YhOkSlIpT25o\no+AogPCOLRZatNsslxQS5SjKAZAJLANXwjkNgs9BvASBdF6To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRsQ4knZayUNLlcMr5Tmp0eGZggwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDTo+n5aF0zzSwAi2DFif+8\nMOhJq4jOjdZulZyIezfrYwIgYYMv9T2CZBANiONPA95GwZj5wyL0e+NeAxqAgSLV\nMrM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUPI1Kut3ZjXmqJh53iEbi8U5Rw0cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFNSqrs5HouDxS+FZOnmZTBtyMFlGF5ycv+ikDUCvXpw\nItdm9HhnABx6DwD8HBpQZt0TDgN2lIt7doVNzwuPMC2jgYAwfjAdBgNVHQ4EFgQU\nZpxZ5pVZNXXRreJmaXSa2ndhKtMwHwYDVR0jBBgwFoAUzsmqpVKecsLc8mVzf287\n13I0FVYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBgf7/rGb1kE3H3\nw7a0eLR8pSbNoPHSm2LKuqeLM9wzlQIgDtxi9H1GFCB9bq8oitjAmlGEvoL9DQEW\ndjGBu/vrx0g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUFDHI7DE1OmuVHvFfW5wKeB2Ph/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAKoSCMvIuX2G4jgEeulDw9TjBP4XP9Bak3KHX0din41\nQs2uu4yWmLfJ4vjNVVEHxkTsNNL6GBrUpkz52juNlNCjgYAwfjAdBgNVHQ4EFgQU\nl97wvMWV7FvB5UgrjbvJgBHwc48wHwYDVR0jBBgwFoAUWRsQ4knZayUNLlcMr5Tm\np0eGZggwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA4IMNCsEk/H/X\nvfQymHMTIX67Nv8H5lyXmseFqccHGwECIQCPU9u58ofO2KA+cGc4QewNMYj3nlfA\nmm2kuAQzVSpyWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUIviW+uRSl+RgZbtqEscuSQXsr4EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQA/dHlCn3ms36XuEM3tTmPA0zRTIIQ4nrCh3Qj\nw1aHPOEyhog7dZ4D2MnPDGCfLNakg8n0jJgpJiTypT7PBIIno3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKQupFQu7p/w+iRpbvl40wbS1xcswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDCS8yDsdGydO2pUosaaBRfs\nEIsowRFDJCksTOpJCeIVAiBJYQEXVDVtyCfsqQgNLHGso/DP4KiX4qZk5UH+yl6F\nJQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUObqoFXf0EAAZC5epLVKM6gYOWjwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2lRAuO4gbDTrOYj+hQZQywoOcDPE2drkqqs2S\n3GkivXs77g33o48hIJ44pYU3TmOf8AO8Ra0dVvn3+z4LcBrXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp4v8jtoPQHeG4gd2zqxJQOWyNzwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC0EO5zmgfUIRZICv/UmzTTw\nGP1fIvkRvt1yhwzJAQn0AiEAymH6oiuQ5YGEnt+bAsf2Zwr1jKbhEPrepJaoOaAm\nSso=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTd8cKYTAoBuP4BwS7gzrbwGVNT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJdIfXZ5t3mWJSdRIsfWyvk2vlR1z0vblIxle63OnnG9\nChwjkp7BKAn5e67THEzrs30HXEkcDh9U5J7GySnuioGjfDB6MB0GA1UdDgQWBBQ0\nnBUlYy/eE2WzKi3022VZRVvtODAfBgNVHSMEGDAWgBQpC6kVC7un/D6JGlu+XjTB\ntLXFyzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcQoLXUelK5XlMQZBBcZh\nwTOzHtlP1aqzpEIbrNE02VMCIC0DFxx0FdNQbQVwrbgku/YMBl4AaoqJnhIRxXpM\nox+V\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOQOeAPl/oPw1GvI7aitQT5Sb41AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABONcfxRzbxFLil1ccqWaKa1f63ytKeZl5LCLwg1s6oJE\nLqmwBiZXBr3arFgKtzVAToRF1igAPYE0l4myHaiLhWKjfDB6MB0GA1UdDgQWBBSZ\nnoGefUIT1eMhVP00zvJsfz543TAfBgNVHSMEGDAWgBSni/yO2g9Ad4biB3bOrElA\n5bI3PDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgRD98gLEDN3ws/EMyHNHl\n+MFZqcI+zVOL5yIPgJblCHICIQDbpa6rHnRv6dtMeanacWyRs3EBVOLR9WYaMyf9\nDKDVHw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUNrvynFtSM6U5V2s1yBAQuZfIaJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwgmu2GbNZ9rTJ4mDgJZOxZVuBO3pGXAG5FDek\n1YOaOEmBTEuNiydsDzdOk7Rm5hLaWl121hqcremwaVDKhqZ3o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0N+uc829FUyq3s7VC0xpVKgDiY8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC/cbd/atZbiKRG/C37W5F4\nh9UsiqDdF4tozOIJISAZFwIhAIi/lxfqDKBhJKjPvlIBq2Jx4q1c5rPFE8yeqesm\nxhUO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa/G/KuQcv+2gEKvajr+Db3p7gS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxwMa8eA/AX760pQxTHMFY3laTS8M/EpNLRDvk\n36QFcSr3ccssbq6V4OCevON2FXS6OaViGaftbXaCIC1uYEV6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUImPrTIZfm77b8Y1W7VXV9OeMDGcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEP+uMYV5vCcMqoSjKyegFgA\nGiFSKlfS4nuF9AZ7+1mfAiBPylpmVyd5rvS30ajAxCTu+I8XXM77nvVK+29QNw4y\nmA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUboyqlbkWbC3cue6bVnlTY4LlHIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFSq8/45/WGEIIK3zwLQOfnQfu1CZy3l5qj9lzeUOK7k\n2omNmQsqcEBk4eixQtmwFbJZ03bPwR1QmIY9zv2WzfmjfDB6MB0GA1UdDgQWBBSh\nO3o1YawyOluJwgoXldMYi3ZEvDAfBgNVHSMEGDAWgBTQ365zzb0VTKreztULTGlU\nqAOJjzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgURRZwsD7Ne3CIic5bAMT\n4F++n6wd7zOCCNXwoDFZK2cCIDwOBlL1nnah9FPWBigAJYkM4cqNzcLflcsN38sp\nizX6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQYlfz+dNBezDlMUcBxMDLqry1TgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFP2lbYlvnUNgrtBg3mi5ncqEnOEkMLGX8TB8EdNjBYh\nXefT5aD06YfODJiZVJPPGsTgiC4hgbULm5qaN5+IKbWjfDB6MB0GA1UdDgQWBBRg\n0GsZF4Xhim3Fb968Jh4HFSA8yDAfBgNVHSMEGDAWgBQiY+tMhl+bvtvxjVbtVdX0\n54wMZzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzgIes3P6VrVteH2TbHJ\nLOv69wZ3Xwy2wmTICAyEo9oCIQCHKkvYWo4n17t11K5bbdNIVujifZKWe2tAz5MA\nua2jsw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUZoTigaLcDTLdkPMoYT17BhCvOV0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSGE4y+iyzMIdBCQ77+iIRZVN+64fGEdX3OI6K\ng4ad+4WBI88e6nTFzmXDgwKU2lTnmCndG/en2+fKJa3w0xx3o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUppx2IHNYAUzAngLBo2PXsdKmeM4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCcggEZ/D3VPfEybtQs77Wb\nCCt7zQ0EXa+EEOzzVrjmtwIhAO5Y4K8H5d0KmK3mlzhb0Ma5wnrMVj9z86SdZAHh\nnMAL\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUITPmaoRhvZa5cMni63j6Zk0MG1owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYk+8jfe4p94kA+lrbr4tZRfIdK6OJbWYMN8KR\nFVFZIB5cBX2xfU9VxuE0bth/BMBIgb2fSjj4Q0zL+xasEjUeo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUekiGzBxW+Al3oPGpdO06yRzcefYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC42zv6ezSBFK3sfIRI4dWq\nosBw9LJ+LZoI4608NDIajgIgZ3OnqhRhJPdhSuBKdNuUP7B0Al0DEL+CXZcIjzo+\nWsE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIULhdjNTjjl1lB5g16uMhQOU3u0w4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHurG0bhxmLF9s/OUNF3UUbkOKliMy7o7l+M8R9aByzS\nhBro91ypYnVWK/yXI8IInQlcIhvvsEopnsPO+z9ZI1mjgYUwgYIwHQYDVR0OBBYE\nFP0TobZYdmNPJazpTl46BurMTMXuMB8GA1UdIwQYMBaAFKacdiBzWAFMwJ4CwaNj\n17HSpnjOMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIG3FtN9U\nSGhSa0oR7LhtVjNlCnMxSxUkIV2ljoKC8AfqAiBdbWesayxwiNTrfX7W4a2xPtaQ\nLOcwBD85Bxt9NDZT3A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUGGq4FDHSs2icclPcOEHrYYaDsvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDXJULye3lQBk731vHJu0JxF911usWf5FYSjSo3W5LH\nfuGWUQ8QOzf1XOA3NtSnkm0qWcpyZOCVoU0RD1WsbP6jgYUwgYIwHQYDVR0OBBYE\nFIN7rrWJlmuC3GTMM1KuYoPkUlRaMB8GA1UdIwQYMBaAFHpIhswcVvgJd6DxqXTt\nOskc3Hn2MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHYLKMqK\nW4gp5VMiIdI2ssw+mgXsSOnVEhl65cFaMVjVAiBzGBVXlr32jNTo+CMbLTRhZwCG\nFNGfG4Jsu0JUITVEbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUH3MIoWlsoej1uO05yov1gq4eq6kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRuZeApv+RxHh44Zm03aLDr0R2RMYw8Rrxocc6\nYOWlRfiUJVaoRpEbxylo4Gta7fVFWZowFwtDyXzTUBo5styko4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRNQNzP+2BWmhX8v2wJvslqro3nCzApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEhUY\nvHoZo262JHroMmJ/1wLS07BEYAZT4UG/EUNkAWACIQCSywG4GZmEAoM4p5dk+8Pe\nQWf29iejhFsuetmLTdnnjw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUSP9iCrl/fZ7wRFXMbG7NbKYQXO8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATX59HLpG2K/K0QX77XO0Mb78zmCrA/akoIPbwD\nQgre+c/7a5zAAZlBKYdQ2naEPTIU1oOkc3sJo/A4LUSOxg32o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSCxBR4hm/1t+UEu85W5kZ2Wlm4VDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgFvJS\n9HUZB7IKli+4ygSgbzeA/5OzBd5Dn2fMNhMVeSsCIDBBIAk1N3pjl3HXG8QgHeKs\ngL1joOwsrpjdxCLH/E+X\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUemxo2pc+5Od60YygMpvMQx0tsTIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNxmEor4gawYzikDARspZnsHgHCcltb+SvMIj3QHgrxy\nQ7Wj0CMMA/q0hFuHZxYFMhJOfIN9acZV/0bxYS/bHTujgZYwgZMwHQYDVR0OBBYE\nFEDs5paXoWnNTNjjF3gpEIugTYHQMB8GA1UdIwQYMBaAFE1A3M/7YFaaFfy/bAm+\nyWqujecLMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIhAPwbJ5vxEwtR1FNAI1ZJE6XYuzzkjV8Q/7OswB7larCyAiAE\nU+kQsbGTqsgxT1XpyH5AbcXOTbqO1XWXIrvd34DqDg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUBhc6olZ8KdzARsZ1IFrY5sf804AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMi9VYkA3EX0TWsThokN/FNsUoW5L64aWOFSYbA/w+2A\nC510H6BfqgvInP6qoZksmZksxVD0pVMb974BSqrFhhKjgZYwgZMwHQYDVR0OBBYE\nFK0OhUf687o7FSb9ZeKPjnGPBIZPMB8GA1UdIwQYMBaAFILEFHiGb/W35QS7zlbm\nRnZaWbhUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIgKPDK4p+1HVSxEqgmYgdNWJMWAfdqVxFHyR+NhorcHk0CIQCh\nEyBgL6lEZS1ZGsHI+LdOW5Cq1yl1lx1TNanynHuKXQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUeaBbhv32XDvlCu+1bf6WbvMr3xwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQtekQPQQ1DW4gfH735eNXR1NYDeDPHPvxsIrr\nqViEDthkLFbGHkuMjxvti7rRrTAf1DnUzrpaUbCqXqmV2Bxgo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3ZfyYRQTEDcuAKPkDqUZ+ZcQIB4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDLu+RA8a16eaaj4PS9fR1/MNHA\nxdaGkxpiYHR/um1sHAIgAzy9srltHdPGA3YyC0Byw7Xi7pcHSJC0Sf8V8LBNmKo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOzWCL7on1OMrhy7T3R4KkGPhqJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlheUSq/fcBtOkNExLGHbDCjIlF9ODFr8rA2tR\nuuFVy69nFTdtjMlvD0Ue8mc8gC8rFh+czJuQlI5j6VSmbC9Zo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+lgWf3x65Qe5GqoimUlOjcbH9x0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIHLqgeg3j0Q2Rw4Cbz8W5PVhHLnK\n1PhIGlOex2KHstEhAiAkt4KZQW8GxTKqXjn433OEf+Z5swvseK6PJmUu28L2ug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUDPdw49ua1LtxGlvoDxNM8Hc/rHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJy9nTmzITNzwb6F7huoiRMWbAoReP5PtywvUwTyEz+x\nPF5hbc26vNoYyebQNvL20NhwMxAR3S8wiir9h+4SQHCjdTBzMB0GA1UdDgQWBBQJ\neZutGQBPiD2KPO1Juq75mImAwjAfBgNVHSMEGDAWgBTdl/JhFBMQNy4Ao+QOpRn5\nlxAgHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBv81A9l10YTVc/U2OlKiKSGYkZ+zbJ\nl7vKoZ1QRBrpAgIgbloHx87cQVvpYpj/QkNNFc4YpmINRL8BBekzcEfKZFc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUT60P+6ysU7yyrtPbrztaw9BLFTgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPKjNNO8E7XYZHtpCK64t6mF+GVvWoLMchL4ooCQRMvv\na6omxPoCt5RRz+RLnQKx0PRXzkvL9CXAghu2DDY/SHijdTBzMB0GA1UdDgQWBBQZ\nm89R/DLNQ0WYci014HecAkAv0jAfBgNVHSMEGDAWgBT6WBZ/fHrlB7kaqiKZSU6N\nxsf3HTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNJADBGAiEAldp/u+yzvUe94J8ijX8LpZyfJJ++\no/V/EtaiKzhblzMCIQClcac3mnEvHs5N2V32qfom5voc91DgrNhYeCQYctdi0Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUF+6uEivzqW8BcmNWfEJoPzflvPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkmpFoeFqOXwjGm7hkuOP2oKBso9qLMmDjNulc\nj9+fSQPDEYX05vupd23DDUm6ubMCZzZRiMNU9qa1czOuKoG1o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlHNqUa56nYC+S2WEP0y59vtR7QswGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD1opuIBSjnsq37gLRgNGvQyN/o\nkwaLYzjZpt4MtUww2AIgCOFJSyg5Fn+puk2N0u8ZUCB5AfXanE484lrzZkGUkrs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa1uRFMu9yRc9QJncetvN/TGUBNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj399gPzFi7I8jcwR/90Slvpks68FHNAQLgEgn\nYNVTEka38hGKVdII0SwT05FWw9iOkx8Tr2tjZfgSBImzDN20o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7jD6i8sQiKFgj1uipTdlqZQwzMAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEwgiNxKf9Z6G7nm7vEFn4gGy29n\nsBVthslPhLXVb2dLAiEA1CqivoH44zLuR6wDdG5Aku5WuezfvfmR8IM5PzM7Xxw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUdaigYWIAzR8whsDaThlQv2HeYDkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJZO5RN0jYGpiX2/+Ks4u/Xwxlov+i9txmqfAxUX+gdB\nG1Am57dzjuiX4yAUaCORudz11WVvJGhNsJFJmBYbiTCjdTBzMB0GA1UdDgQWBBQA\n1ILMvbpLtva6996xEsyHKuoZSzAfBgNVHSMEGDAWgBSUc2pRrnqdgL5LZYQ/TLn2\n+1HtCzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEAnYRozVKOL0kwPvr01mbTrfs5pDjW\nbJzp4/5Y6fisZnACIGF+sMjKxxJ3tpfpyVF7Mj2ySiH5hupd0oe5QjUwK60v\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUaPTA2wXJpe5LnYe3moRDXnQDw+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH1CRjQq15szDiDsTXz0oYBkkUomhfbuOsmUZRDAab+9\nt/+u5DxefxrYESHKIMmakieov+umwrf5b5GpzhpN43OjdTBzMB0GA1UdDgQWBBQi\nr9egyQNoSEnycvWypJ4EWy6BGzAfBgNVHSMEGDAWgBTuMPqLyxCIoWCPW6KlN2Wp\nlDDMwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAkuj7FFcuiuadDbXFcxDH5oqlnbAA\nj5TV4Wu3Ley8E6wCIQDSuFTE4JoFufe9XFfoXDOzCJAf2w85dFhxUHuNRMZVzA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUW1v8tQPgIB7VSnG/hFQ9yY07tOIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYnsXjaf9PQ/abIhHPKKrYYCjzuR8JV+0jjAGi\nmhryDMhu28nG8PQW0qxdwhPTL23nkcjuHnboVuVpSKLNvbAco3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaZe6jWEsksuEHOIsSSP726Gi/qIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBNunlVyd/j2jVFDuKPy9YnpD10v\nnzmhrVoOBzzRSDFvAiAVvbzsN13/0sPWQ/WzVf0I2fN4E7tX8BDTUboRte3wEg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUbRf8U8jhtc1j8NNwZeIhImys6ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2VhDWjJvKS2LeLHHE+XB57DuGnNgyv1p5Gs4Y\nck4vGl82+W2igHlDN2/LEDfkKJ1XnQHe7ms8esCIsputksuPo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknhtzmndgMVxv1YLXO41giHAp8IwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHLpv2PlXbNmVfFaACD8YIZaO9Gf\n1S0eaOQub5wKRLWbAiEAqzuZt0QP3qpeeMQali9SLXtRMu6YH5tx6eZ2SLVSPxs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUG86Oqcz/w9BNf4yUls4shqGUdekwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMpROIa0jCmF/T4ve0vtkK4x0LkvhdsqMxoB1VQSIMIf\nKmMmv9sPRL8BLUbAiCksSG9NiZCQQ58SKmEpETaXJ5KjdTBzMB0GA1UdDgQWBBQc\nwrNayiXCRvDxqKoB5WPtKaTLmjAfBgNVHSMEGDAWgBRpl7qNYSySy4Qc4ixJI/vb\noaL+ojALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEArhFjPzp1zLmleROuXgouYeG9TDh8\ni0cemO+dDzykVmACIFSMr4At7qSM2ssJYMEj6rQa6f36m7KjQFZw94+R1LSj\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUVTBQQAG8nle5/r9Z3y+yGORGwb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP+J613J/34OAAdLq+Eh2+uytOcSisz1aXsPJ1UPD7C\nLcfJS1ot64WqPy4EZjRl2Y6zo2mGRDwqImsUD2xLj2CjdTBzMB0GA1UdDgQWBBQa\nZa+Y9F4OM7Lr517fsTDoCdNqRzAfBgNVHSMEGDAWgBSSeG3Oad2AxXG/Vgtc7jWC\nIcCnwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAyCagKVlsbS1ChQNA+La9Qr2y+IrIB\nwlGYpksgnkO4kQIgbsZx8gvsVuju8FU3E1LApSNQeJOe0/OIcSfU3KZbhyc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUK/TedXZgSpoZ+wyh20Ew7Ez4k48wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASBoLg/jr42d98dGLmqY1vJXe03ED/BqGsJsZzy\n9y2GpRpdQ1s6yWBtbooLlTLqtnduVjs0NgFqDvkLxHz6uabPo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKmbO9i+xvUbKAX9L+RppFek3UDUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIyyMm0GVRmvhCB5\nMpnMWIi9pm/xJhRydZm9fHKRKBHkAiBg/LqDfY+Hm9GM5H6N32MOXX7fiLb2jrYC\n9rxqMHop4w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVv98Y4ytxBQigNuQOil6px2D+FMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB4SReVF8FaRzGa5KWk+JBnt6ZAkGquIpVjhfC\nuqE12RKtkqYJCMDq6g8BK2LwjRxZ7eBwAfV3avT0cHhfobb1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg10WlG6754eoU9A+TRKlhZ5YksIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOqCSasz3gn7e33u\niAKtlkw/cZYEAKKBQBWEAQ4dzjwqAiAmaO/NXwSgm3PjzOANUwp98NLXOnHaayRt\n9rXCDOYJIA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV2gAwIBAgIUHpcVZhj2isPjKli7NPsuY2Zg7SYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEfyguBOc/S+pF/iiQ2LTXmkGGdDQlbGu55sJHLle9jYvN1g1X\ndZspFy74F3K+Ls36rzYmhCXLenRhX5DNICTnrKOBhjCBgzAdBgNVHQ4EFgQUApsT\nDKMi/tm4iVb1YoPqnYwHaD4wHwYDVR0jBBgwFoAUKmbO9i+xvUbKAX9L+RppFek3\nUDUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCnRsbhGqoS\nySIAumw8VSz1VPjUBgsXzRNQOJ3xDke4AwIhAPloI4XdJqJcg+rcoeT5K29u18Hq\nWaAU4A2KQfBi/lZX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUbR5Sh0kZKWZ4qKDFy37zXOCQBMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMTDp2OaboNpvObK9XjyOK0KKMx+UL8w+sapwVUIto7vtHiXx\nJJOgUtM3rG+L7EIjQdhdOp2CoAy8YcgybyGTMKOBhjCBgzAdBgNVHQ4EFgQUZRtY\niw1SwdmpqKpT8k3SxaAgtwIwHwYDVR0jBBgwFoAUg10WlG6754eoU9A+TRKlhZ5Y\nksIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIDzJvcSqQacZ\nkkUHpC/oiVq4wh0YcaSBNrC0oHuHzoDNAiEApG5tj++3W9BIGJDOY7MkEh5zUgfF\nAjWbqXt/7Osj4nM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIULwz3pJhbvkj9B93f+F8aAn2gl1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy6+b45Ps95f+pKu6xcKOd1AX4UJbrlj1Ln8B6\n8CYLgCj/ZTyzaClWVINnPiwAn5O/UANGejFT4q9m2PGid0iUo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmQo6z6a/oYlORb35QJBsNbXfWGcwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALEJWmkoTxaxJiyd\nDniKbElWj4zotU46z9wXisu2LfdwAiB1TiEwtSFfJpWEFHItbFM5GuPmGydXP2Vn\nXSrYPfxN3A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUNESjZkpqzDz7KMW7h9bKoJ2NZzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNSpZT9Ekiw23L/MDdCuDag2ntYFmN+DzTnMGb\njeXSHyZaaduq9GPeCHmSHd985Nh3JMLmL2NHZSZHx2eBfW53o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7ONeirkVP85Qhc89o8ggWBsi1TIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgTXMyW7QCCebAClJ8\ndbAfWSAHESghg+8QR163WNgiJGgCIEkiKxLYgA53iVIm5L/zruRkFbQa2w7uFUf9\nd1bvtnbC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUF15bP9J34D3uwxLleT7Jrecc+RQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQ3RqKp+2gt7unVbLYzLGhAELQzZ7GLQIqvLVWQ+Q6DTZHNbuy9sSyJ\n0gfcIZvJeRZ2A5J6sJjDC325ga3U3jRUo4GBMH8wHQYDVR0OBBYEFHa7L/d0bq7o\nbCj77jM+kbQTFcGcMB8GA1UdIwQYMBaAFJkKOs+mv6GJTkW9+UCQbDW131hnMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQCvJGmHjGnZ3ioQWbYBmEbR\nTesqVE6uh6glNkTccuEBmgIgCAZJEPeIIOokPj/YUqtbkzdiuPy71kZ3F70lUzuE\nMI8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUUxD+OV9klYiuMzzwino1MfzRI+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQTngZVLnBK8osB7wu3kwdHJ5Vc9xHtTAoCcJUB90A5U40ZZbuLCKUl\nJ1Z1LbXuZRYK4NNB5ccXPnSM5H4kHsD3o4GBMH8wHQYDVR0OBBYEFGko4dglNAvh\n/tyNy+YfYdCucHIKMB8GA1UdIwQYMBaAFOzjXoq5FT/OUIXPPaPIIFgbItUyMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDwlWTShaF8m25D7U4Np4FO\natBUAZKrQW51J4s1LLDojwIhANXAXivLGr9C2+r+Svv+5JDeAGqL22MygTkHLEq8\ng9j8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAWz1kg7UfgtW1pKSa6NrRA4j/44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpSejXl/Re62CgYYSvot8NH18NIvmKW4WQ1xnM\nvuZheyGvIZ+FGxmYEwKq41meh+O8g/Q6MvX+Y6KzlM8gTqVMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsTlQ50141axRp0O6Nq04q74mkN8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJRHSb6YzPFKMhqb\nCMDlDvVBB6EbR2U2/+VE74gD6DmYAiAuMPmhpidtD/u0CEFPAl2JAdtkCEAJS76Z\nHP5ZSetwyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUFBXazDOsZtDi5mWZR1I6zrolqf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLnqd/E83N9QuZ/Zyhl/Z0LBqsH2TqTzILkoxk\nk3ECFVtJdM9q1YRlMwOa/motEkXCTrgvR81To1Qn+akfaZiQo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUUa0Tq6HtWD3VxFDyi8S7NJ+7Y8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgECVFlKAiCHToMtdo\nIMmpLFv4WF2Pp5C0iHsi9+jwSw4CIEMrxtcCQ3sDu15Y6jc4w1UhRDOftNwXaYuS\nsrhsJkXB\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa1Jj/fjzxPlPga9NDDhbkvC5GxMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAT+WEH/mEMt7+fyR4DTWGVQkAHMqBTvCd0dvzXGMym81mY2tbBJ3sHT\ne2rAIXynWZRV80BPezVKj01qMCILocEHo4GBMH8wHQYDVR0OBBYEFD0gxsG9ncSw\nCaMErrnRjroh3AIpMB8GA1UdIwQYMBaAFLE5UOdNeNWsUadDujatOKu+JpDfMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIEoi2ZlV/tTgDobEGA/nEQxa\n7JVvj0jCJuZHfAdsEQQPAiB6SAbFGSGlqIXy9nIDsV/etn1l7DfvaGVhuPTvCxVj\nZw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURLuOxUr8D3tTxDRpGb3Opcy8QcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQzOk/35lIXblddlK1/+Kuq66MBjyGOFmxU6bBkGdTLdjtfdGDb4mPh\nF1B9uIhzt+FeUPt84ZTGjPFR99s+kmGLo4GBMH8wHQYDVR0OBBYEFCqdbozEypYL\n114nlFSkzgXUHyHLMB8GA1UdIwQYMBaAFFFGtE6uh7Vg91cRQ8ovEuzSfu2PMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIFwEFzOd/z+7/C8tYqbLSWJB\nSWpNoAhkL39RYG4NzhMpAiEAuy2K+dhtR0N+KlR8WKo3g8v9G9SpHaNoZDjvCgbV\nr8I=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUCwq+7m3JqhXPhKyFFn5LQckEDpMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjI8QVofspvlXMzrXtJscelKQDQ7zlie0rzmsP\nen3TG+ieD5473BGcx/Q6yOPlRPxwMuPxzMfZp+mDoTYE1DPZo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8vujwM+R8oEMm+du9IuWjUtvTmswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgJNoWlIncPZA7uGqV\nvTJK2LbmTh9sueCQ/Rf4Y0rhrkgCIA7vdxPCSMutAQp6JUPLuKAfLJM4CiTSCrco\nrdXxf7Dn\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUCEhly4ESRdU6W2drKiQK5IGBu4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWw2m6uTxN9XN7eXNbE7oghr06gD+Ntp0AVeZS\nLcvcinmE/i5U9TM8RWgt69/ptVUr2Fj2TRnEwTPmGsS7Z/k5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs1TXAtxSEOiWOeViqEzR/2qN4IowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALJznOwIRtLmnRGP\nVo4pXpaYJxeD1dz4Vr1s07iv2hdQAiEAz1PDFhLM1kUBJ5En9vzuKz5iMI24F/gC\nJvBY9ppcp5M=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUEpTHQoz/+oK5uyZsWt0/Ea9FEXUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE61h+olrx0wxxwZR/gD3V44HFQLvIY1+sI1jUsPCgBTywr7zw\nTmAnrhB8UorHch4Pv2pD9vHPpZkxrKwo8h90MaOBgTB/MB0GA1UdDgQWBBSNC3wv\n/SAja8sqIOR8Z/65E1boeTAfBgNVHSMEGDAWgBTy+6PAz5HygQyb5270i5aNS29O\nazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEA6R5tFGf5emL3l5sQ\n+/wvysz2EEp0UBiqHikHu420TT4CIQC9duXYtNa/5w0gFszX3/cbNO0z7Q7CzXeg\nOyo0yVkAWA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUfFsbeOtusXSqDP4hB3qWI/yhYPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEVGmeAlFDqBC/y3ZjlM9Ffj/XLvEEuQskAvAeqPAMr3OXSBQ8\nuzFMs0xdnqLx7VS0oaF5FXewu8aXdc0evbObI6OBgTB/MB0GA1UdDgQWBBTL7p2s\nkYrgM2CNOqUjEb5wqadwjjAfBgNVHSMEGDAWgBSzVNcC3FIQ6JY55WKoTNH/ao3g\nijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiB8loqJ4wH18h8JLJrY\nU7toFG/2aFvAGi+eQzN6dgcxfAIhAMTcu9OBRn9Hd+wFxhe5zfBoWUon9bPAcein\ne2TxLvfw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUFVuNDkj/5/g6vUfOIGDSr+zbX4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLXiCxJOEJf3lMMLP+fOGwwcyLDyhA2KVEkESI\niN99gDDcL9/z0Z5/EUfSCOjD3QdZDwhexiZRSa/Bls5ztniCo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3h06gn0PQ6tP7cuC9cPMUtx2rRcwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANXVwO0OmcDtUTFj\nq5+ufc9hs6V7OhJa3TgYb9HbskkaAiEAw9iZqN0ShoMBBIDlCA+T59Su/GleaQh9\nwFP90pYIRM8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUHGX52aF+5Fz/srYk+toKkePV12UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREad7rXEmrxUelXjyRoQgmfKFz1BobmXm5rVUk\nsZfHBEXVcCmJLscGhDo6lL0HZdDuy9DYrOhyp4OO2wdYj0Mlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU86VyrAxZ7XOy8iEJ8zU4Qmt4DnAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAP2yRErDUEF97B77\nT0HjX+j7KHP+rupVu84jnQFxDF4aAiBoWvZ9iQG9wnYqPkTppnqlXvIOXSJ+k9AY\nBBpXIGpQeg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUMLnrQ5nSjscPv8VKL3NI4oyF2lYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATS/Qt12UUpZK9bSghlYVbMksnNQ/K5JG4MjXiYUUI1W+ffydWOhiWC\nHpKnOjYtx8y+3ZWynR6S5CdW5eoSbJvYo4GGMIGDMB0GA1UdDgQWBBRVH/Z8NMWM\n0+OhcJBxggRWHGynbzAfBgNVHSMEGDAWgBTeHTqCfQ9Dq0/ty4L1w8xS3HatFzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOIset0MyaLlRPft\ni3QQHq80qJXAT8wS/EOb0rRk/bDQAiEA1zD7nld3I/Hc7xPtssmB1mZCiXLzt6qp\nCWN42DlOFbQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSQoe1u5Vk7lcQCXINjxYRpo+gF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASV52DIEVKbcsgw/1GJGJfk8Zcwre9RSvAswnyK66e+sbrQ/UmfqLdC\nhOTXF5vEOiK6oZ2VTvju2yRYKkzlHObjo4GGMIGDMB0GA1UdDgQWBBRJjF3Stcw8\nonfQlSw0xoU8ZbUcBzAfBgNVHSMEGDAWgBTzpXKsDFntc7LyIQnzNThCa3gOcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgB2OzDjDg/otSxlK6\n5E7RY3SLz00Uq5/MQbfBbrGlNGACICYojWPsKyMmjaHoEgHSN54VerBmPuC53fz7\njnxwUDhK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUPsGJcXj9bQxrGt+tgj709FdAAy0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASX3/hC9MYOROO9EJVOPDxSUboudpOJHBB5Q953\n2A67IoZcpeJaXXTgYp3hjMB8pS1jLFt/y4mItzb0LTrcA9Oqo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJ4bUoI4IpNAC/PL8FDTp28FAqi7MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAohtl0Wu4zZ5OennF\n6s5TV1PlfASYNGL/XbL2HVfPMV8CIDXMvqL9n+2OPcxbmD8rvmQGN0s66RJxSRHO\n+xoVqr0K\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUNiJ1bBkOCHQRsMZnl39q2jBtGDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLq9w5iLa7ED5+ZgkKM+qSjY8302o4LeVIDTvi\nRWgUFyDVYZzW/DvvgARhP0vdPsdARRxTsaHT5X0JZe3f48vHo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFG0qAytaB34LxpBL/yemEZ0fbVg+MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAxQzoC4wGVm5II8hRp\nB70FUGOVTmT0/w272U27pZg+gQIhAKLBC9//wlb34GQI8yO3LTXQvKLFFPxqdZXt\ntfYFJX1D\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUVmEu7yloIm4eKCEVvGq9WKhNA5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcspzzPu29LPYCNBqW+2QyjBVHykt4koRbDSD4\nw+GoV3zwVGk3KMFp3Kp6w8G4tZmglHlXeiwcS+ISxcmJxd+Io3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUnhtSgjgik0AL88vwUNOnbwUCqLswHQYDVR0OBBYEFKhX\nOB2MOvoCLfv4g8yGZR0bXAARMAoGCCqGSM49BAMCA0cAMEQCIF5vP0ObLtW7J1dC\nNBvjKYT4NzD1uMYXiS/Y4oozFHXpAiATGC3L6tBIBPLjLaYm82vxp+B24jHlHC9f\nH8GRaUcNcw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUJJfkAWG5D2ozePJSQ0h3/YFQiWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzeyS5RROXyL0P5Fb5kyD1Fogwa4J6Yop48Efw\nKLWdBEtQklSK7uq+f4wfxydVQsIkiK65g9AYXbCUcdF9MGqco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUbSoDK1oHfgvGkEv/J6YRnR9tWD4wHQYDVR0OBBYEFDqM\nQLk+nrW3gpQHTbHyrGKVPv6GMAoGCCqGSM49BAMCA0cAMEQCIEZ5GNcKQBeSn64J\n3akgjN2oZKmhIZL2EllqkD0zhIsVAiAMXBAkr722MC8SgdNaqHZrKTPcCK2CghEY\nCQ3lpbDdUQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHnsJJBlIxz/DhbgtsKH9gwFosNgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ6PpS11QLWBx5aWD3deCS3RZu52vGEv1L8w7A1rxm0P\nt9GubvjdIEywwI/AzMFM6s4aovHvXIUAlQoowJ8tfeajfDB6MB0GA1UdDgQWBBRJ\nt0dUKdzWaWjrJCbfrgVfRd/sVTAfBgNVHSMEGDAWgBSoVzgdjDr6Ai37+IPMhmUd\nG1wAETALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgGkhR3+WlaMDar3BLXThX\nxDura7MiqlEO3IOsEg4xN3ICIQC0I5cE5JrCOSAr4Rm7cKGhfm99CWPdNKeZiZzN\nL/3aaA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUBXYmU6/Q+JYcupIrBeS+qIPOvPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEfBgxSQ0SRMSu9VpOhviSIwGyV+litTHkJksBeG/5pS\nc0dNZN2x0iz8xEGec0nrPUq1t6Ur7JxXh8rnrtzxoSOjfDB6MB0GA1UdDgQWBBRH\nQZe9Hc6M6WBycaaXxvPJf0mmlTAfBgNVHSMEGDAWgBQ6jEC5Pp61t4KUB02x8qxi\nlT7+hjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDrHtyZMcnwE/IUf+0I\nnbUp/IPJtVPmrIBuy4sJaN+KAiEAmDzbR6fXmZiJdq134miT2DwQI5bwbcaTB1QY\n3Lz5wcE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUfY7+G1vGMjHaqh81FG9hWlyBpyMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5i4vNcwDQn3rLLGph+MIEMP/rHRyfeCrs27GQ\n4ukMZ8Bcl2xahQGNB+ScgR8r8i5K8wyEFO7Kq6asLPHJkwNoo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUln/gJpXvj3bEgi8zBblPeTFUEWcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGRYw/ppg5qu6xuiuJlwIvXL\nFOU7gnDjNeGKxRp8I79GAiBaddR1xlIBU6ewnoQm73C86aBxRvDDDeEk/9nUvXUX\ntQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUORHkweURVwBnwmQqKZ5CE1UQ7R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpTbSXg8FAusF6cUIGiLTbOv1rG7niAfAoNuMy\n3IOHDhVINEU7NKxhCmHVI3fUMgNgXtJYGYKrCT8TCCmhM/DXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF8XDAlcVaMEOmeFKT0VlThQ\nAwUJE5jIbUGs8aGp2TLbAiEAkolbBJ0w5ctZ3dBlG1rGY9l8aR8H77yMg3LQpxhS\nFBc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUEE5r638rov9g3aclLQ1kGKFsFo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKgYezxXZbuZyKwNZeomoMmqMcz9ILkri46luo\nWe4Fp4Hx7aXi81y7vvizrVA2xXFoOnXLxEzhc96v60YA70w1o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUln/gJpXvj3bEgi8zBblPeTFUEWcwHQYDVR0OBBYEFKZo\no1nioYTPfYPNGujXzhevZEpnMAoGCCqGSM49BAMCA0cAMEQCICneJutWhNMZUdpS\nEJViNOAyxCS7OF3H6gAjIdIyg5fYAiBaVfF8ryU7ZuIrcVkFHx1dCf6DkDSXDUi/\njGkOfGEPcA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWN9wCPWSuxR12tWvmslezWiulN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQU54KPrMeDZh+NKExJ5bEi2+jxM+dYmnxHTmlA\nRj6cVPsccTCR2/vZ4b0WZNBTt43iP0zkaFoC10fNJjoD+zvNo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0OBBYEFNoh\nNnobouVyJbPjeN2xRzNXlt4IMAoGCCqGSM49BAMCA0gAMEUCIQC3tFCRmZI6GTsY\n8Ze1+85eSnpEtVevkaY+qjuoFhzk5AIgZEpaULj441Uy9+RyPGkEXCRUKFo0BDyb\nXpLIzXO99t8=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAV+gAwIBAgIUQiUfqf/AU6YtI2QwCnJV1y9Rsn8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpYN+s9WP5uXuUwMtIVzJThQPmzeaqTpFgr1Y8\nhr88icL9UybORDRHOHoNEtriuRHt7FHRzGJzcxsg3wSv6DyVo4GAMH4wHQYDVR0O\nBBYEFLKmae/h7OWTyfif72DcShYdz4QDMB8GA1UdIwQYMBaAFKZoo1nioYTPfYPN\nGujXzhevZEpnMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJTA/8WL\nN71acc9aXN3rGh5ceXQuKu/toQoC6t1lUowSAiEAhDM1pPPFjnwOnPeb6xltAuSF\ng7Q/Z5syrIEwyazjc9E=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV+gAwIBAgIUUOQq0i55B0gWBt4gORFDxdigregwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4eBJ5hNcAao93RFSMPmvtlNlTjIDhAjg+buyo\n3ZoHlfZQsCpabitbhuA7Mx8IXEFF45I9H4zPDKsrCUCPqbf9o4GAMH4wHQYDVR0O\nBBYEFDLsStQb8DnM/SbPgs3hMClTOOpdMB8GA1UdIwQYMBaAFNohNnobouVyJbPj\neN2xRzNXlt4IMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSavc6dma\na1Q0yhMl2FcVPa6tahD4BwCBd8v9orfahq0CICyHZqewZuQqzj96LgunU1CILF4w\nw1xtA1L/F7sSZUST\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUDlvEsbiBrfy29+lQ65+juqqR37EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASg3h0lxsYRQGwj/b8nwjliyRv4wE+0X8XckXIR\n3aSsBNctjw4qQ8E0/BSCo8aMsk6CjEJmdC3bwSvIxV3eNiDMo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSRsJTedcwlXAh+4PYY+/vH3uAiKjAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAzbhELspSYfaEBFoWP9LY0umUi2vtfqWr+Oul0AKeu2gCIQCgW7kHjVb6e/km\nFtP4aoyTkf55o2PomhjSpvA+umsRPg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUbkYpoe0BPTaOYK1EsUhNEEwVWdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoL/ia1jhCOxMwM54MLeB5KIttJAsvufB822Tq\n6mJGWnkNaR/hcXwzcHCjEOgJ7tuQaEqr6+sKleCTnC13M4sLo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYeC1/XhnkDRyqAxZzA7RqtGzc2DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA4/mKTZ89FoCYnLfSPijQ5fkJDTWw25mPkAtUHPuQWAwIgJz1tlnq/IqKZJZ8u\nw6XvoZy2ZPWgzwhgAdNVdmJBzGU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUN+P4FNKaXjNd+5nXHRg6pvUJN1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsnINHKF6KuxedRJr2w41YnsKLstNVyFaDkSuAZ8eOi\nu2NzjfEOu3zPcDs69PNlcxgvXjfVfWvY52ADU/07VaajfDB6MB0GA1UdDgQWBBQI\n0ei8qJLM2vvHrbunCbnMtAHsADAfBgNVHSMEGDAWgBSRsJTedcwlXAh+4PYY+/vH\n3uAiKjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIo1wGPzGN53tyU38J8O\nsYxUVS54enD5WpVn+AQcGtk0AiEAzAt1J5JWTSbvqgssL1zSqaRhq21opHYw4wPt\noRet9bc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX5pD2+HC3Spav6xM4x7nBCmAyrwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXCwOcfcQhRXV9o+1SMO7GKLH9EI0bcKD6knc4Rv9PL\nXm57AVd3OLHumGlLv8paqOrqaMl/ijqmYLRc6eAB2FajfDB6MB0GA1UdDgQWBBQb\nXwEGaI+JMR6FpcolybgHS9pt8TAfBgNVHSMEGDAWgBSYeC1/XhnkDRyqAxZzA7Rq\ntGzc2DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN91ldSQnSbEmqwY6eri2\nWiYKz/+eqkHSMwFAUkg8eg8CIQD1k0Ez7rvh2l9BPmCi6+KRJxAYeeeQZuyOL5tL\n7XX0AA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUYdTC+ZK1jZIFGIPasKmqWNedJQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/QY8L+wmnnBkoJazL6Zaawo422Kho0+cARvOL\nzaiVviEmO1bqo8x3HWZCcnP5XCk9MFI3KzC9AR1dBXi69kSYo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIFKEEC547ek/WrtYhTTIYwvU9S4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHBYbaODOyO070/n0TWAQoPKribI\nC7j1V1ogRkGlwO+IAiEAtzDASDXDG3ZCw85du73Oaa3c41Oo+zZEgl24h2TlzTc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSEKvCLyXevWhLJBJCi+Zc+OAMC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATy+HexOz1PFdbojNgCZOsOJ8Y7ZBGBQrWycAqs\ny8/LF5d1YB9uMDweu8kksvAZQSCnZnBg9JJkIAA2uZIRh7W4o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobd8RTycyA4ynZEerlz7LvXgMrQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC8vSx6+y4yQ0pPNjeStWqBnB3b\n4YcCW3QtKXO6/vuc+QIhAK23lNfZ7kRhmiwTKgp1RocoOj4FpV4gteNE5ZNaxMKu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUboOQN2h4e7ciCMMPSRMvWydwD7kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKq90XDiWOE9g2t16A3VcAC/xNRQt+g/tJpqg4MnHvop\nwibr4Y/T4b5zlJhp10601OfOQhwEakKHBGz2nWXsXDejfDB6MB0GA1UdDgQWBBTm\nS4n5GooSNNs6oTnIUzXYdYjJODAfBgNVHSMEGDAWgBQgUoQQLnjt6T9au1iFNMhj\nC9T1LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgAu+13yMEmWRnZ/ereVTM\nV99IoCzXGJG8er6hVJg1k2QCIQC5h0N7KyI1HAe1Ju3loroIXEU+jz/wgLd0jfJy\nh0r06Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUXV58i4cBLaQDYqk4gxMXzTBQRPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF1fRCwTopzeD9SngHRLMoSBkzItmsiPj5bbGSgFUnXt\nkYBeY48i0Wbf41U3BiusP4ZcFzs0OA4TpI6sKEisSDOjfDB6MB0GA1UdDgQWBBQV\nZbw/6pJ6Szg/+Cs4A7HwKckf1zAfBgNVHSMEGDAWgBSht3xFPJzIDjKdkR6uXPsu\n9eAytDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBY6N/2oEAIONV0FLm23E\nXT7Qp7ZoGU6XxY5SEhzindMCIAIlZzcacjRHStK6k4T3ZsVSIwA2pcpaa70WkCrd\nDGNR\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUZ/T466+NfkPyheoYz66y2Yc+LHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0edf44WhaVRX0tWCNGQj5myvc/6yvTZfKTcUj\ndjuTSwkiX39s4ZF8Fpqlr/CvKp/ndLvVTp3dRohWVYYjQ7TZo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpY/aK+C7M/7Vp26aMYj45J/NLHIwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaWe2zzVgVObxEhCv/9Ly\n9p9njcL7aTv6lsitV3rP1N0CIHAkoxGIEXWVXpe0n8Ccow+aWIACEEbrB6CQKwxM\nsIpk\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDGxL/0EcbW0tE86+rQHtaUf4rDUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiO6JTak7oLpiLc5gv/cPr7c4myiBl+eBbGyVM\nC8m3rDlSQnGy/pUNatUnhAAqCYr4qjmLM8xyL4a7qRwf/nNDo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1MW8Vv4WLejYi3BZU8GXXY2ygswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBcP5H6UQ75kmXlCKSi0+\n/g/0YyyVKxX5UYGWVlN37GsCIQCzE8JSuo5EzAykYjci+JLjdbEr8Tj9TzarSVqS\nqwUDNg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTQmJBA4MPag4phObv8e4H+8JqMIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL1WwZh3rs/d8hFhvVqFl4Ma80m6AiaKI2/9zcASdM/o\nIf3T5sePVN+GnAH2waQiC5WllQDOEXAV+HB2yfEnmEmjgYAwfjAdBgNVHQ4EFgQU\nYmSidEeXrYx4MCVAm0h+NRiXGPUwHwYDVR0jBBgwFoAUpY/aK+C7M/7Vp26aMYj4\n5J/NLHIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAwsJgKsDLcXDWE\na3i5Mu2qYWK4lcVDKAFCNkLozU9pHQIhAJ0s3MSAk1talSOP2U7Sf4syWGOzW6cS\nXi7OLTsFl3lf\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAxRA/uE+uO1e++Ur0zAQWYfrcIcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdqwvYVkMSdXSSnutBtVD+RxYZFllY+hJvZLxxFXn8y\n0jfXWpl4oOhkmRikrzOjl9Y/k1DH0tHpNIhSRHQADEijgYAwfjAdBgNVHQ4EFgQU\nvwbc+aeC4z90B10gmaZmiLZgFuQwHwYDVR0jBBgwFoAUU1MW8Vv4WLejYi3BZU8G\nXXY2ygswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/kzKt7xAzkNeS\n4ViNfg9Omdkk/ucBlaCkJuLjG/jNJQIgQS7rCUSYQNqWjFfl9TwMexI9lSti5I29\n8Jtv6geAnUQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUXwdQweanU3o9Wz3OjFvoYMGJx54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx0/UxPKcwz4SZ//f1xaZ5+ozoNbpj00WFJLS/\nENoAqZ7EyP7Q/ZrFp0YXW61pn5SRnAEW0rMiii6MR+ngJZlso28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUc9WSDzWyHchajRxTqdnHhgYVQZUwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgMBct7qMUS33HBADCp1pBEYU/PH8TM5Kw\nfHEm4DOnYdsCIDP52BpS6gTqtVwk9IeepV/esrDvoIlxytXiVl2hXLYw\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMizJKjrF0w+9M4cerJClHoun59swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj1L1/2KoCrJ/bc5y53gtl2xduSvQuNMHv/PiY\nHI6IMRWpK5c+oivoh0weOgdskfw4rbZngNk2F6nlt0k3QMU8o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrDcAUiEANnpMuqigwXRRkUCxt8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAMlHI1LHGXdAltbfItFPBUSyuChb+Fr0\nxg65L0gIAdteAiEAsqioSpGqgcRWFkwhQfvBJ6X8ER0+xT4cxtXnNUZrFjw=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUMRQ61v9YxlEwVmsXhHKg/TN6JkkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNq0xDK88v/dPTMEV7LctegQIKIJn8GugRmgOYW3Z3a1\nRvDwspUukTGwIn8A47p1VdHRryqpIm+FU6UjAMRxu2WjdTBzMB0GA1UdDgQWBBSU\nIY/49AiSu4Q8FDKlKwo2ZL3/MjAfBgNVHSMEGDAWgBRz1ZIPNbIdyFqNHFOp2ceG\nBhVBlTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAgz2faQaZkTrUowaClKvYS86G9m+p\nITkst09mKXDbh0gCIComhnmFUdy5gernv8gjDU1MQy0+9Su4nnFCS9m2RE2Q\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUfCO0lQHH8ALR/B8ewXx5OC+wJGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJL3Nx/cj+ngSMEIQqRGrpBW2xElrejW8FbfnX1hnQ4L\nRayaQLiq96Ikv0rRQL5NBRdWnxZwMTWEDFsw44tRdUyjdTBzMB0GA1UdDgQWBBSh\napyQB4K2FqZp3YfVEVLfrTO7TTAfBgNVHSMEGDAWgBResNwBSIQA2eky6qKDBdFG\nRQLG3zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiEAtYKYluoLYfAjctfwg5Ixw4eXSKUP\nT79ANGWaLCC2870CHy0Ys1SEYWnTD4tzf6jyVDDbjSbl99L9Ofg1m6FIWHs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDbMQsKZSCuwZZJFaZd7fr4IFn34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARC0zpjeolUIEG1gaERFaV6XTrFu3TeIaTL7IAE\noikJLnDRhgBLceOx6pQ10UKl83iJgCqEQFgBTsDaWtzq8CVEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt5BD26mvxZK5uMkqZ68jJnmHqv0wCgYIKoZIzj0EAwIDSAAwRQIg\nPQZvKBcVcaUig0SFDHA+LDtNfbATb8TP85h4XqIslDYCIQDiQbJOytBxYzvA7x6P\nbgkp9h/wqaH3XlbFQUBbxXeabw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBY/7/TJand9QGWPHmx5DIiScgpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQO9Br/dPPi/rrCWMq2e3TLFrgSXVTo57pICX5c\n7UFO+wGMBmnLwNIx5lQkci4fWwJDyatEHSSejOgOxGBuDQTUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSRaeZOmEMigrEA1NyPJhYMXa6v8wCgYIKoZIzj0EAwIDRwAwRAIg\nNXq7kUrwKZ7ahfp7adq02Li/Ieo1xjrB2/MapA+9GesCICqXMJ0ajm7bARSEVZyr\n74iyhOPzsJp0xiwOqPYOReAx\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUTY3KqKneGlanuarzDxScnOnodiEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE0KwEbiYiYJwfoUcASiC5YTq2MOq77n3boqWu3vopTL\nbmqQoCGiRlPByOTPWcee3b3FzhvKvaur2HXhcvsB7EejgaYwgaMwHQYDVR0OBBYE\nFMsoZN45Y75H1MKQ0FRTguh9B58LMB8GA1UdIwQYMBaAFLeQQ9upr8WSubjJKmev\nIyZ5h6r9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCvXo/5D2uGu3YFbj812H2UbOTK\nGjCifS4/WRN/FtCQdwIhAOhH6vEOjzjJRsPyYVymJ7HuSY0zACMYO871UVDDjKGv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUUUX2ik7HTIq7ZiHN3OtYyl9Bxu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAql/OzIonKJlRxqwzAit49SiK9YTyf1+sAPBQTCOjFh\n1TfdS2CMW4u50/FYOTneCN0Lg5na4Tl/PBdT4jURpA+jgaYwgaMwHQYDVR0OBBYE\nFBIir6eZzZ9fdMb3IxOiKrCVuu+fMB8GA1UdIwQYMBaAFEkWnmTphDIoKxANTcjy\nYWDF2ur/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCC1E6Dec/6o8wYrcbUvMYG1XS6\nCUVSAdslECRnVFg2cwIhAIPMepihmtxH64SKGBNQuzQgvBBtl3CI0cuNrQyoOVeb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWNl/k28/0+Fx4jLVYA7/4kJtM/wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLXC9rzadM4XilVKKOu7JfWi9C4OtOP0fEcE5j\npQ9eIkHhFdDF/LHSL0ccJ1Mzm79ERJ8uWVqALO3LDgEFUbHqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjc8G7ecRxmLpFMudLI3pXkE2t7EwCgYIKoZIzj0EAwIDSAAwRQIh\nAPNHXw3bKibRjn4dPgipsGeSkV4u3eLu7l6qjcplvEGjAiAx8oc0gsJTMgQVWg7P\nj7JQYlO65wPTLxvJGXBjefd1Qw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaPTKWkDZ38e3dGNe2IbS/zp5YEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0oBthpDgMzWaqiOLLAetOJN2aXLYKt5bPdKuR\naQC8FHejQ/wTt+hsi9CtpVrvAcEavBN+LgcTFAvfMaE2/8MHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz+hbJp9EiMdbI+8HsPSUVTssgEowCgYIKoZIzj0EAwIDSAAwRQIh\nAKoYZFbr+DWnPpASYxYbT/9SExEZ9iEdeznkvocrdWDYAiBOn7I6nGF0QpmMUmFY\nXqM5Ob3DFdvp8O7TF3vbLIFtpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYSgAwIBAgIUdoaU1zJK8Ui4SgNnw6bj1Ua7daUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMVpdueqej0rFyEh2m9MdDit7p4BkUCx+rfGhUU60gDP\nmMBf1uYUnIfCPVzhG8GctdeUPfAbgnUiPlC7kKJBuFyjgakwgaYwHQYDVR0OBBYE\nFBjSsrKHBRUzJAR6imI4VWacs+ALMB8GA1UdIwQYMBaAFI3PBu3nEcZi6RTLnSyN\n6V5BNrexMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCHPzBlTwM7vBJKS2BH3e1d\nrpWp9aWuXFbvzAWDYicBVQIhAIV+Hdo10N6//ZljhVsgc3vnoAh6CX3JbNNcVf9m\npbiw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUMZiCgA/md218q0b+4Fc9+WDyyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2zzucsf4utxNviFd58DTj46+ujPDICG/lnsUMFWak9\njZYdx1rOWjxjnYGu2pdq3nizkSWIjC6v8LzrQHiF5O2jgakwgaYwHQYDVR0OBBYE\nFP3nKSnAf3cXFLg8I0dFQ7q/6WFhMB8GA1UdIwQYMBaAFM/oWyafRIjHWyPvB7D0\nlFU7LIBKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUSJA5suqb7N8CwHJWn0AJ\n2dX8oq71a2PxBrMhSzp0RQIgSoK1ICMK4E/qLASdcxCsnjXRugSqOfjZckjMhN4j\nr10=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1105,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUU7fVrJCBwi5cLProaUUU4/RdV4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgrf0ipPvp8pSl/FOJM/uw1GM5CLB5dLGwzZjX\nHyOQnpEuS3O38bRY0eyYICw12uoEkDuK55RpLC7alCucC5NXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUktBv4RZrQQdyi1DS9fGxveNb99EwCgYIKoZIzj0EAwIDRwAwRAIg\nZfUDoymmD+RsyjwiCaGtS8DNnhiwxoSsvd1iiMKwvXQCIB4CUFA3pFaX/EhvaY5T\n8kMR1g4lfdB4bG+9Ie/4XzI+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQq+pcHwZIXuISNO9p8Q9IojIQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbHJdseRhCKrB51VagduIOZYIPgAYd8a2upXsX\nkWqZ+/TOiv3c0pFRPUFguY8Om179q6H76Iz/BiJB0liMz+7Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiLPqP86dZ7/utt2aVUfKj69SycowCgYIKoZIzj0EAwIDRwAwRAIg\nEygEP1xdYYAbPTW5V6YWwOTTefNdB/cQ0YFae3pibTcCIFyvqyx711O+Fwwitzar\nd9lymzrnVf/DsxyDPCzvBoY4\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmTCCAUCgAwIBAgIUK+AGmyC9lcGAn2RDSZUHuP9WdPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETq+iQ/Oa\nMDvM04sAVjYFgXOMU1pZ1isz6MiOKKd0QzqBjmj2H1T3oHX3uvxUbxCcs1BOwMXG\nmqrgAysGiuEz26N8MHowHQYDVR0OBBYEFJCXrvV4wpQUTwa3G5sWE+4PmT5vMB8G\nA1UdIwQYMBaAFJLQb+EWa0EHcotQ0vXxsb3jW/fRMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiB5tOyqVGUEVZvcAm5+7fJIokVdlBo2Mt2KCes+h5nDHwIgGErF\nxtnWixSyYeDmmoKyA9CuujdVrVptkiu0+B5Kfog=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUbzsVmLavPrbL5lPoKTFoLD2MguAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwQRRvhNf\nmFaTgCXxgFCi6dio0bP+veBdN5+U167cxINA/82KvWUm1WWUrM6xCm4LH67n29mi\nFUqY1OAErPlHuKN8MHowHQYDVR0OBBYEFBJC+KbsPDjnCvWjOcpbue2V3pqBMB8G\nA1UdIwQYMBaAFIiz6j/OnWe/7rbdmlVHyo+vUsnKMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBumGihBjnavKvElAS+EtkeJkBJYx/X6IC6Ved8Ejo/JgIhAI5z\niGEGZBSvgwyB8tzli7KgWygKRGRVWkDF794+WW4m\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1128,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUB+SpTWnUR/xSyfdaCz4c1QMqNeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARODakgmnaRTuKCSuriEZhy7s/K4vKV6KEH0knq\nxyoHvwY4ArmKVHe+v1p4eDgJY6ypdCCTIrq0BwTrz49w4kWMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhyt83Rh99kEymQ69wkXDxuID2ycwCgYIKoZIzj0EAwIDRwAwRAIg\nbN/w+l8YYo+NPvzx65iRmMecSdeguwBZdUmG7ep0ltYCIEB9ZvecGwA9d1fsgef8\nRJOfe9pZHwgTZtLyQ7nsPISy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfh1acSHM5OLNfiw9lVCm05N6PWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST5YKKh299WyGEfxV7KjF7A8VD5DLpCpFKsm96\nG6PzihCTU6NXlPGxoHVHvDv0W+9lBrxLQD3IS6cwSt0Wrp/bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqgpzUt8eMZBXv0K/vlY68mfYET0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN1KxV5CRSOy3OdoBImslOJMUb+s0PmTuakcOiPYyr3cAiB2Ny9rZxyc5HbZurOq\n+P94O2/tpSuEu1J2xRNnMqDgmg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIXAI4bRE1f0hOG4a4m2HJ7XIKFt6xgxP8wCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoY\nDzI5NjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABG29ZzTyNUiwH9NVmbIjVv55jBH2+gOs+BIgifmh\nrtLB8g+/DuRS+/jFIOX7Esfrtgue20/d7fJ6mPa0oXKXh2+jfDB6MB0GA1UdDgQW\nBBQd0HVSnt/US3JqHv8SssfT0XfsaTAfBgNVHSMEGDAWgBSHK3zdGH32QTKZDr3C\nRcPG4gPbJzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANxQQ4Leb2HG3zRT\niMKgPWDafl6IHbXIqcwUrrHyI8OLAiEA2toHSnX6nJ3Rvju8rMzBLcGPgrBc/p38\n86mam7ZXGTM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIWMd384V+U2g8Sj1qPcVEhT3DOOnkxhDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtnspHa+Thb93oINgsXwA8ePyC7CG0dy/oqyYtiD2\n9uheK/m7qU3kG0eOGjWIXrGoWECF0Vkq1mtew9/SDu/xtaN8MHowHQYDVR0OBBYE\nFI99kW+82PWUihbOHt9AR3khFIxUMB8GA1UdIwQYMBaAFKoKc1LfHjGQV79Cv75W\nOvJn2BE9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAx5wici1mJU3blled\n7BsK8bk3Vb1aZqvvr2cmtizwm+MCIQCl9l1EFv3knWILRt5fFNyem6f3WN8ChmlI\ndvn3ZljD0A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1151,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZkihGjjbdP3yMxGDBwPOqfbxiBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmBDYA8/ZP8/a/uGOsw/ZE78Hvc6aEqOZOsVbc\nBczP2kNfNSbd8UaozckILy9W1UF1iubYNSJJ7aCqKwilebQPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjKxOUACE2bYB0Ryrp6VellnStrIwCgYIKoZIzj0EAwIDRwAwRAIg\nAwjLgUY4euaKETX6I10mH/mhlvLTUMuXJKh3z1uaqEsCIG5LStJp957XKTxN2hzr\n6DKckLOkqMTPBdoAwK80PH1n\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOkYOfYCb9gWqw4pRgZNr+t3MV9UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK7c7Xy+qpDOdoJ/clJHrh1lT3gnwdnT2JwCVo\n+56E8MRm8UgU/DwOZRU6ZUnktXeVFIWiAYuI4imTEeQBWBhso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LmlT4nsFeuMTEK7AAoYU2dQdIwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKXRzTJzGnP/nq0JUTlhoa5mZ6f7b9D8fp7jGh1UmZrkAiAwHxIX7L5K+K79sVYO\nClbbolrpSHbNG+X8AbWd5FB08g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERpHW\ndLxG59buWN3mTBirFbYaD2iU9aUAFtvLGaUG2t/oA6aF8LBi6ho7j7l6LNu15Nlf\nwtDeElRYnwgA6NM9p6N8MHowHQYDVR0OBBYEFCohEYz+UPVXoqPs3ALO67c5CrBU\nMB8GA1UdIwQYMBaAFIysTlAAhNm2AdEcq6elXpZZ0rayMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBOxq9dH9X4K29rnB/cMxyBx8m398THhgzfM/AXvyLSwAIh\nAMov4y3WBA9KJrBy5LYM0pR2Vv7UsuxMmfukoUXjYzNG\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE72RX\n9IIYMQvKJCkE13qUYw4FmlCHwWgPNeJCAjJeGkLYTpacqAYYrbHKpJNghxR+eT5Y\nVx1gKuAoXePVQEHJjKN8MHowHQYDVR0OBBYEFG2y9AHm6WsM5jLECjp0KsnSix5F\nMB8GA1UdIwQYMBaAFNC5pU+J7BXrjExCuwAKGFNnUHSMMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBN989SSYyk4nuHm1Z/9FfoUh3hMrRSG9X1UPBEYmZjAQIh\nAPB4/+d2evQM93xc4W5vS5erydHApt3ue9yyd42rxlrS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1172,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAktQrBtrxqKJVfkTRe3lHkNybWowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDDSP7FbwokFl7KVDqNVLqPr/Cn4AqUh+aFVL3\nuwTIPZjHuW5JWF2bvmw4yw+VfqqYigcA937RL1Gk4An4fvumo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbwOR+vYPCcQVQjs41BKdcfjolfEwCgYIKoZIzj0EAwIDRwAwRAIg\nA/HEVXqR1e1LtVImJ+kmKZgcDEv46jfVzuwU2YwWuQsCIHACPAZuOyiw14m+8ajA\nJBW0g6Fi9/SfJ+nrMaiSsmtC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcZ+OeLvcrj3LOXaNqWA5LYK5euUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv9ng+zVkD465caNHnY3tVl3p7EKiq3U3aFawl\no68v68DFMQxtbxB4uR8EI7xtFPmXq+LxpR4VH5OxYY30qWt0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkbapRNk0uYT2RPTGkPXUbaWNKb8wCgYIKoZIzj0EAwIDSAAwRQIh\nAJwKnJfBcylmqcMP9vfkhpqnnCeJ6GyAwMSAV8EU5qCFAiBiecsKVtXq4vFplNnI\n5wbhBmMgvKTw0z7G8rnFxbMEJw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByzCCAXCgAwIBAgIUSp6LZA2l5mxZXSt56pA18ceJzFwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLg/UfMy+YFwStpXFFqvqD4pWkI7OYYzy9U8UjTue1so\n6/sD+MrIoEiYpZEGRWFwn7QS0Sg2dC+8QL0Th7H6hOyjgZUwgZIwHQYDVR0OBBYE\nFFoKnpbva3eo0ctlTliOhIj8cdrCMB8GA1UdIwQYMBaAFG8Dkfr2DwnEFUI7ONQS\nnXH46JXxMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEAi034OxeArYTikevM6pXBa7TDE/gZg1j4yO3QUCcj1uUCIQD3\nDnfz4PQ5AUXFpm45ql6Sva1U5m7L9QuygHCnBG/JoQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIUPFffShT9gwvsWRGRdJgzJPnxbsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGIkrg5CiSCwlsotdIs8h3XaUGEcql8tyJFZd2sk1rKh\nZNq31dTunM0hv24/cq4GowlSYv2PQhkdEMc+3QUwkMGjgZUwgZIwHQYDVR0OBBYE\nFFg94M1OLeKMiA5I5sgI85MvBhqfMB8GA1UdIwQYMBaAFJG2qUTZNLmE9kT0xpD1\n1G2ljSm/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAfgFoI+lf3MYq/nuGI8pZ7xul+/H9G8gmHqV6bbJ0C4gIgV/eD\nXFA++WOUaSD9y633OhlYcEoo48K+HOYdpUqp8FI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1193,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNf881tMu5ulnEd2Hs2fO0EyFaNEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQSoQ0rsa4rQ+PaMjl8N01Y3/O+eb4vjA5fRQ6W\nWtuJw+lEvxEh/9h6lm2RqcHVQ3j0REA2GoRzFy+tweJcv81co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0/zrMR68PnYwE20qWEsyMbWOHCowCgYIKoZIzj0EAwIDSAAwRQIg\nM0nRDp5DzLqQGR1QdFffQg52EIhpL3cVh/bupPKoEuoCIQDFGbRQ3rS6rKLoXIJz\naQjcrxhvcdr4raV59Lj/TGfZ/Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUw57ad6sElzkmrmODAF6vwgvemwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO8zkY+VgO/1oSsGwFu2JirkfVu2doiwWVAd8V\nzDyeHtGvSpY2Hxf6IX2FVc0D6DLGTpXMvAbeA4V0LcEo4OI6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxc3s7LW9Afw5MKI4e7Ex07t4od8wCgYIKoZIzj0EAwIDRwAwRAIg\nDrzMH5viQbDBUq/oCkjxZGCxJTf48fm0XTw4laWtDpsCIGB3FcQ9KsAg6RybbmL7\nHRrgbVvbkIhjeUTrdVRKrfD1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUJUCgKFyVoO+/Ro27P8wg/eRUCjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPdthpJQ7e4UZPB1QIja3m0+Bidv8I3M0J0ZZL4l94YP\niKm/kaXdg1kyk9LQlHw2D1dsZYXYY5jhX322uLfSTtijbzBtMB0GA1UdDgQWBBTF\nAXXAHR829sgv57jBwIXJ1almPDAfBgNVHSMEGDAWgBTT/OsxHrw+djATbSpYSzIx\ntY4cKjATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAqdiapCysINQZAcDjPIYYVxtYKzd1u0ovmtqV\nhQZiQOcCIQC/DOHs+4+HI2sZ7nshqrfKiwNHx7qL2nxXB2KNN++A+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUA/WIBMG+r3se2/e/UvNLx804GT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxQmtkbBR2K0h7T61IPNuCdAN763pGCWMupYO1BkwRi\nTCt46zacARKXd5SL7D2I/yOcFJP/vkojSULLgDzDVvOjbzBtMB0GA1UdDgQWBBS5\ng5k1e+coI9r3mwN9jvleJS/coDAfBgNVHSMEGDAWgBTFzezstb0B/Dkwojh7sTHT\nu3ih3zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9AUmnWbvCOO5jI6GhxvZYI75fk2xf5gXobPV\nH1dcU4UCIQDeHzcv7IdYZf53zCs6IR4JSBi2hCmukVDxPR0KdUsGbw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDlu1WXdgtndQshW37lEQBovxLyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFYvMhOsL9mvD9VdeXWJ0E30AL4L9miohtOCf0\nr7KAcrNEXNQv4MJEX0hefeoxw/grUCbKXZRXsZdCBC7Qi2xMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn7s6eXCIKpit6hhuGePbp/d2AzUwCgYIKoZIzj0EAwIDSAAwRQIg\nfMGpJF4p+RXgyL3OwGoKj88IuV2Gk6BoR5pN/4whlaACIQC9rL/DS1O7Nb4ejrxR\nU9fjGebdACcxUJiH4XAbraAepg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ+e5p2r38+FNW34nsw8j2cAOJFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXzSLUfiWMc1ADCXjhZx7JdZAnDi/ysxZXTm+i\nZ4YCMabtH6Qv2J5MPbCDTx7dQIC23nTrvdh0N6M0TIV5ZD6fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPK4zHF1KSFBqAWAjalgDFIQadgQwCgYIKoZIzj0EAwIDRwAwRAIg\neQyX7UC+rx1lyo5fKT0iKO3ARYWwgPbFJyexzOraZdoCIGAJsmU77hIwdcFe25LZ\n9fylp2hyFgU3RDQMZ5EUY5iV\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUBhGY2fldrII3x6o7rSA3qFF9nwwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNSKgQKJSVaTF9AYnV1EHpAXOUcOYa0d84zWMNIrqpyo\nY7BuPaW0F9+JE4TYufwSo8eWzuS2jnUTObGef4d81RajfDB6MB0GA1UdDgQWBBTZ\nwWbya5/ha6BX6/TpnTIjaElLlTAfBgNVHSMEGDAWgBSfuzp5cIgqmK3qGG4Z49un\n93YDNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgfauwEyK9cod0EQ+cOFvP\nanvTL6XmZXTWsRX4OXE+3EQCIQC4FRM6+3l/UZwb5ZythfNaTgJxW+1dmKnkHxwF\ndufZ2w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUML1XhuoYUHMajssJOCejZIQ0BG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNYT0z4LW71cgo+fmhu3mhuNljfc/jdEPWMSlNYJSSsi\nIZBk8kdnY59EgEA2Hr9RAtolCXq1eGwmjvzb1isJChejfDB6MB0GA1UdDgQWBBS2\nzu1PITCFLGilhR8pWSBGmWnMNzAfBgNVHSMEGDAWgBQ8rjMcXUpIUGoBYCNqWAMU\nhBp2BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOykbhTvymm0B/XwLN2p\n62O9nQ4AC5gcd7Xv6XPJ2NByAiBZwAhque10skTS9E48ICFMPSIfMl5nXrukJTGt\nLHKiwQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1235,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXh+4/vDDx7uUhQJyK3GI+uD4QaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQk/3hrGDAZJP7ccupiMB8EwUI0UtdSY6twW5bS\nUqJh/ulEFP0lKPeqEXYapO5tALZzIeRoreHlwPuWOjV7fmm4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3xR5oDjmGPWrg9CDnBx3O+gkiAowCgYIKoZIzj0EAwIDSAAwRQIh\nALCn8vrxR9IM3SISdaG5jjlIG1dypLWQTD6M9oY5FpGIAiA7VTkepBmO8JsQFbVi\nbF/KNk2ps1mEY1BalCOgBZYdtQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBIjoiao57gXzF4LlDOrrrMrapJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7fLOubQJL+7fmUg6cmEs6k+CuyEPKHtcH4Z5T\n8Ypa5q1QGA2qrgZXms0toFcZrvjyL5z/RMasjLL3p6m1sLe4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUXr8epvAatBNaWp/Y997QRxgFI0wCgYIKoZIzj0EAwIDSAAwRQIg\nMNeiOmc4+o6DUdtS12U6kIdAX6JbH9/7eRmsEw/ir3ICIQC25//gHeLbYNCMKNVR\noec9X803AgZX3k6XDlj9AGdXkA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUZejJHH4/kl6Lfy5xXmgFyKhtpqUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABARKoKkVTwYDHG5fw4JMMOROuYN+EWLLw6tIj5pl4lbJ\nD/XxvBc64oAGOGH95Kt1zZqupeHSfYe72r8S5QNS73KjfDB6MB0GA1UdDgQWBBR+\n6SRvQkLHkjXfi6nNO4cDtXf7jzAfBgNVHSMEGDAWgBTfFHmgOOYY9auD0IOcHHc7\n6CSICjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAUIWQ7FHq7roHPlXyqJU\nxOmZT5kZ6Fya7s0wxQSqYagCIBtfE9rDeQljserx+as+sh4FsXuPhUUTzhNxGtE+\nVxek\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKGL+PWvPpScZGREU9UtzTUPm6A8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmJKPKQL6Gw1g7tNWpK90BhMaNYVQZT5Aqt5/ovKmSC\nknUdRfR90yoHGxm48IZGO8d8j/4O5izULy9dJBHdKYCjfDB6MB0GA1UdDgQWBBT4\nZRwD0m9jMeedSyC5ZOlZrz7+zjAfBgNVHSMEGDAWgBRRevx6m8Bq0E1pan9j33tB\nHGAUjTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEVlti17vzTpeC2Sd24Hy\nO8UInsqFsg5ZYpXJdeh4suUCIE95YJ9e2HUOagM4mMN4zqBarU8iyyc/3EoFBHz1\nYBGT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1276,36 +1276,15 @@ "expected_peer_names": null }, { - "id": "rfc5280::malformed-subject-alternative-name-ee", + "id": "rfc5280::malformed-subject-alternative-name", "features": null, "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXNddO7kwWGwU0Eb2Eu0fDfg0KxYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdzklKCXdt2n17sW0yzZcrXV1h0DsfgWLmHvo4\nyx1IUi7MMM/uCaS31He+cVDB+M/xLUn8tfOPqwEBfsnI6Y5So1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUj68US7x7bJ5o6wsX1ooOi36gnjMwCgYIKoZIzj0EAwIDSAAwRQIh\nAOMy83wdGZ8i5tfLgz9/RvrNSr7qfdCsOggVGSFt1jl/AiA0jstqoTDxOV94kWx8\n8Oe3m/wVTT9B8sYmX9c0QiQIdA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJnttr4Zzhnr5JDkQQkRos/1CWJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARO9Ny7hdlFge3jF0gO3o0ncBKTMbQNGzR07mZj\ngGPNi+UBy33z9OBCxv5c5ikWE7yatB1zRzvABrs/4gYxSR6bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ61W5tky2dHGO3YOw0cfXcmnOC4wCgYIKoZIzj0EAwIDRwAwRAIg\nenDYQWqf3kz2uZA+MgsJO0NLdrpatfFm0XhQ8SId96UCIHduRiUPMvuviCg2kvuB\npWBGG+3Dd7Irz5PoucZcdU17\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUGD6JEAMbUG2wurQu+68tKUf4HZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDT1QDMshk+lzjphPhFEvheDRSnMA8wXv/4gjlLwmYRR\nOKzSeDch7Kzxw8YxJhoWRY3+TEthSbQmmgczgUoXSWOjeDB2MB0GA1UdDgQWBBQ+\nouxaE1recdiRZxVuHtfaNVrINzAfBgNVHSMEGDAWgBSPrxRLvHtsnmjrCxfWig6L\nfqCeMzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAS2NM49bMfHcD9G3lF2XmS3rJS\nbt/sh8+HuS0pIlPVqgIhAMHrlq99Kiny/aKuWL/YR5kqal2BIujLvUmwe3Yx5Zqz\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null - }, - { - "id": "rfc5280::malformed-subject-alternative-name-root", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBizCCATGgAwIBAgIUajdQgCJvlmrrPdTkKVViDhccTckwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtkshBaJ3HiQ6gZD+HBnkH4MMlUeO6ghYNieyS\nvw+NOGRSENlKJ/vHJaWDsDbR7wxqK4YgzP8woiu5srBgSZN+o1MwUTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAdBgNVHQ4EFgQUIxB2aaYo5UAsIhlYHuk8\nVvV1/I0wEgYDVR0RBAtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAp+fQb\nx25yprDNOIrs46NysxonuFiHnBtyVmW82sZnRQIhAO3LZhnqETRUEl92RrJ/uC6k\nWt6K7N9iH+xk1Eg7SMsG\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXxIo7Ls3A3jEcwWUoe3BzcVqkMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGveLg8LGOXRn5Q8NM8YZsEuXFwxhqvJKeQ/MDqO3yqT\nq3HnROWY0Ocfrl+Nim9Ziyqaui1NE2WUAWXXnpD2EL2jfDB6MB0GA1UdDgQWBBRD\njJU++A4YxSwaR2Y/fd4oJUF3WjAfBgNVHSMEGDAWgBQjEHZppijlQCwiGVge6TxW\n9XX8jTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJioWSepK6+OmC6aWbey\nqYaiHtFtI0zrbGk56nkcUc5TAiEAxE2sPFeRh38RSenUj4KziT/k10JVuN2v26k3\n/ajV5X0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUE+G9ylCuT/HdPLc7AdU31ErnEgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBk8udN5nRhLnLJ05SpEbo8OhrXcs0TihQD630fI/NX\nDoj/m0ehnV/HwPZl11m/jq9ZOd+eZlJisJ0YFIMs3KijeDB2MB0GA1UdDgQWBBT5\nLvtbRgNBMxKlb6P4Cbobe9hDOTAfBgNVHSMEGDAWgBRDrVbm2TLZ0cY7dg7DRx9d\nyac4LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAk8/b1D97cco266p2PkA9iCUZ\nP7Nvt1n8PahhvXOIF18CIGIb0FfyRwbSiKFiJX3Q9EdFbddedmdtyebZnNmo/iBM\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1350,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPT1yF8x13F8g2WdQ3oo15dMqT3AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATynBxlsKuv84recdTOyxwT6xdYx2aS2Tqc8KTV\nLzOQGFZ18X9pmPkIn5Elw2fjawWnoEJ4+3LrIm+f1sSe9MZao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvcJLgJ+0+Ov6LenDwlXEnXKHPTQwCgYIKoZIzj0EAwIDSAAwRQIh\nAOzvCFLv0ISderPG6ZpPt0KmwPqnvipb61bsgc4tsfN7AiA6DXElOY6Z2alvvc3b\not+GU8H1z61A8NgQS1FuCB/uUg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHfpodbLNRqV8YGLyEy6zAK14ecowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScRzsh1n2TeLHopkPqolONMiBxzUd10RMu7qdb\nunq00hbPdVg3XJ0pnhwPXhIg0dcI8Dh5ySPHzMjswplBu3+co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdlDkO5Nd4Vij3xOpnTZtkSzKEm8wCgYIKoZIzj0EAwIDSAAwRQIg\nC6+cfIYBe3ybVZS4BWXuRaelL4pdjmat3JBgsqTLR78CIQCEmcTdErsE4MPeZqx9\niZqgs6iuN4MS8fH923zbLj+Jeg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIULbdZ98RCBM8Ai59J+sgTTYwyZk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBjIV7srOGunIxrl4SuGDYrk1n/GS03wYiVxg6awBr7b\nNWkQyjhOD4JdXuIKodv20iNLLwf/jH8lGids3giPA5KjfDB6MB0GA1UdDgQWBBSD\npX5n/WUE7KYjUFXXMVYJX9IkBTAfBgNVHSMEGDAWgBS9wkuAn7T46/ot6cPCVcSd\ncoc9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgbzHsaFEs7RVVZ3Y+0SAh\nJedm/8PfBHMNI/Lb9exaHx8CICcCA50GWnVPSy3+1Wd23aXoUjqlN/bE+N8XeiXB\n23AA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUZ9XC8wm9xyPBF1kj+Q2Y3FGBwy8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLcULccL09xv+2Fj+ASdln/znWdsUn4Qv0uSeROJUvv\nXOU/dmDDkuG9K1a2fKeHcbBs8KXXNfL0UpcS1ihn/9SjfDB6MB0GA1UdDgQWBBQV\nf0AGjj8L+02buuYgyujZYiDHijAfBgNVHSMEGDAWgBR2UOQ7k13hWKPfE6mdNm2R\nLMoSbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOv076BGQvwFYhbPH2//U\nfd7IX/iLaYXwZ+tWth8RmuMCIQD4tQbdG2TC9zGfKSa++FZdbB/24wV92I6MYPaT\nBC6htg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURX+HI+UXNg7XP4A9hO8alu+KvfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5CH3TTNAdd6oACsVhdn6mob9hqCUxqNjnnseW\n2keO87sHaGNf/nmANez779n8Gpj0ztrs/0HO0lsXDcU72dHuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw1O3fbRB8/37A6qvTQRtZaWdWOMwCgYIKoZIzj0EAwIDSAAwRQIh\nAJnI6xojiLOlZEf2YM2NJWMqsUgQz9JujJ/s2KUNUN6SAiB9yE0/FL2dOf/66tp2\nmkbDnjbbrtTaZZES78z8iWIa7A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR2Z2HZVytXbmP2ftELFH+JvAlsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzmNjE63G3r3uIUM+sr0mY0fIWnl20YIPHgHx2\n50bmMD05qi0v5BbB+iSkL8QtnQvKqqw/7NcAY/MFwW7RGSFQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSk+w4Sm3h5hv3heLYlanYeRUCS0wCgYIKoZIzj0EAwIDSQAwRgIh\nANbCMXCq4IcL6aypDJCuZqJex3rlG9AV/EeGMVt6XotOAiEA20W6YRdDNWB7OTAM\nLCDcmKtZ1Get9Iydhqui+PfXdMI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD0557zqj0cS/50sJ3H4IB8sO4m0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJJKSbLqr2mgJSpXzDgTwVUTgirHwO4KlJp07qO0pvu6\nsnROygGrofpeUYsEOxqctVxG6Uamq42Xeeuxjas3pQ+jfDB6MB0GA1UdDgQWBBQ/\n0eF8kQQe65ZFE7GjXbJLnQvgwDAfBgNVHSMEGDAWgBTDU7d9tEHz/fsDqq9NBG1l\npZ1Y4zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALgt9O2RbrgK2kYa/4Nu\nR23dsCyUdFtI2v9HFQCvRhKvAiBSRuw+N7o1+rHLPTCBmDFGFEUgRkhVgCTzVJOW\n4EEIkA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOTGXNCRuQsufSxGKrDswI9FMwAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLTwKOHYHb3xfGuu8FjXvtTPIuTvWrpITPTGT4pUdNr\ntDOHLv3iyaVCW1ozqs/iMocjERyMA6uLnbZS48xMvUCjfDB6MB0GA1UdDgQWBBQr\nqP5/4MOv0c6BP5oVtHu04ODTbzAfBgNVHSMEGDAWgBRKT7DhKbeHmG/eF4tiVqdh\n5FQJLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVQ+FYTXWoGCZrITQUHN1\nZdKd59YELe7E/zldSRH7Nr4CIQDzTQ59Xq6hUUpYS37HZbKCLQesUxGN20hY0vL5\nB8dwmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVGoY9hNapBY455mz425gVEpR34YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+HGJfF+7I6dyseoyOP3ZLNqbtaXmdRq1mNt+b\n0YAAHB8dZwR4nJ46wG/DxYejOEqJeSZj3mwRNmGagpvrpllho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURUQSBjsHj/TBwDsiBTRHI27TjyAwCgYIKoZIzj0EAwIDSQAwRgIh\nAIbETamYNh2LSZ2FKP47qanLUDBQBWrqf049D957+g9IAiEA1Z/RIqjkxC/6Yek/\nmrIlB9wjoZANJbt5EcNFYPC1HAs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDZ1kinaUqTDcDHQUjuTFZ5QIBJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7rVuGwxjRw9T7kji83e5rm0qUNzM5sTk9VFGP\n5IpeCf4jY8YNknUqN4glK6LR27zLArJINFR4anoDja1kKhDUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcMHuupabydaIZjW8svLpvg+D4/kwCgYIKoZIzj0EAwIDRwAwRAIg\nZoFzLne05uza5cmELD/wjcqCFcvwn0R8dl/S9blf8+cCIBIN/MuWMyokjL7+Fmgg\ngMCiJpb39eqVapo258aKjmzs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUdwkAaVRPxpo7BGbLjAWSIQfdt7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABD09UMbhMxmb5041uavFVVqbrt0qzfr30gyGfvXkD0Jc\nszHKxG7pEIhooymPakrxqTWV/mmUAEHsR5wYgUKSjz6jgYAwfjAdBgNVHQ4EFgQU\nr+BjQ0h5Oy1purGbAQlcQCl1mGswHwYDVR0jBBgwFoAURUQSBjsHj/TBwDsiBTRH\nI27TjyAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAp50bTPVh9YUZ\nQEfz7hBpJWutVjFc9TSZYfGOPoVN6isCIQCMuPeU/VKeEdayX5mwODQ1Kjt3o4SF\n2r+jKK8EWkvFdw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNC8YMhemCn8CpK8XmfL3RlkOCaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH7Sl6FKGA7tS+BtVI8qntD19i03ZfMMQDsvZqXmohSW\nS6NG9ueNo3lkJFtw4UuKp6dQKbkwX+HioPs1zieW1zSjgYAwfjAdBgNVHQ4EFgQU\nYGIZtjspynbnMWEm/INmKV//R/0wHwYDVR0jBBgwFoAUcMHuupabydaIZjW8svLp\nvg+D4/kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAL3sVFZCAC9wnb\nx2sczRxtpSq5OVGOBb3fUzH5RA2L8wIhAO1iDVlPsqYixOXlmBc8ein4sAhMduY5\nphQ46fLE25pX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1434,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOds1o+nvdzIjwtP3/VKkOpxUeaAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARe8opZt9UsJcOSKvxaFu08kw3o2mDq0ZSRUaEw\ng7NtCGNRkJcFQk/7IiYbk7PtsD5UzeLgEXM166K+gP1SM0+Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDN8wbUGJtqYw2SB7+vqY6G6yV6MwCgYIKoZIzj0EAwIDSQAwRgIh\nAOqbboyQybG7wHD5rTvwPLDMQ7eJnPh6ur4Guxf7+AdyAiEA2mtF+bzaxZUvrEJR\nNVtVncXrRwR8TLNo5Eme5cao2mE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM70/XVnErRVQU5yNLP03I04X/6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfMBmTS4yx7dL3uR0S9vzdTDuxqwhGhsQATdd\nWx9Fe4H6NXayGh4vWithhGDc322z6U//YyOgUE39A0mhXXlRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7HqFDirOzMQI2144eP2w4GLXvTQwCgYIKoZIzj0EAwIDRwAwRAIg\nPk+7Iu3Hp1M2YxQBUKHuMmgvOr1JouEmOW7wNuL0wsgCICBWWOhTVNRQUxLYUH0n\nCZg57Bh/H2t6flQoj6fydnsS\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUM93Y65Qlm2v/ubb1VzwfNzSOfhIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG9GuOWsa5Xsh9yKCbKx3PTX3+RrWX3H9b4T6DOJu9Yd\nMsxCD0p4JD1OC2lEZgPpNZpI014nzl4+jwvD49uYBW2jfDB6MB0GA1UdDgQWBBSi\nT7lb0zPiLcaWQPGKd1NMSyo3wDAfBgNVHSMEGDAWgBQM3zBtQYm2pjDZIHv6+pjo\nbrJXozALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALHIq/xWCEzxiWDDW16N\nLSIql4MT8chDgWBu6HS69DeKAiEA8bF+EbX6elt/g9kVnpaDIbH2R9K4ggMQ74U/\nusDw7qc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKhFTaPbTAzpNEG9f16/FO1ooERUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+mAsQhfgiENkTY5vLkivJA323IJaikelIQJlLoGeMX\nZ7/VX7Bv8LwTKxO6//Rs5JXgywi96dSsgT/JQbSAo6SjfDB6MB0GA1UdDgQWBBSx\nJv/yI6O7ZN11dOZCfAAxFUg+QDAfBgNVHSMEGDAWgBTseoUOKs7MxAjbXjh4/bDg\nYte9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJfaX1ws0VQVgZA6+ChZ\n7EPCE9FWO43Vix7RavmpvG1nAiEA6hSoSAUeNlpSDres4bt2Kkj+O641RvdBmjWg\ndkoyax0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1455,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUa9V39LxAXHFJIbRxaP+WlxWjhwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjJ8VSrHqaNZqV+iSeSyahUTBM91Do1Tb/z+a5\nthpku3/RkcE4TwiftLhNtbBIQtGvfOrsPKEWc/Snd4ixBEOxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbmCQ0E9hJThDaeNHHrywqHbVqPwwCgYIKoZIzj0EAwIDRwAwRAIg\nP0jNRT4wkyokorIKr1P3tit5bh+ZDAFFTCVD1fqtWUQCIFp2YVb/lVy4viVJCwmS\nt74BO5u4avvyCEn0hRDm7kao\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWcH71LjeG7RVxAlWHu9VR47sScwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyXK4vXPe66ZfhIr0Dysd0a1oWODhTkukWMA/m\nLECDF5mSoXDypZe6K66AVRhgoByLSkEToy8vOVsBilHyRmd+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkiDNa0QJMwfDthsickRymvFgEk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAL26GMUuejQcyW/ZsGdHXmHYISpHkN4aUb3juFX4462HAiEAocg7irqpZLUrN+GM\nJzw4YMt0pF1B9cgvPFX3lKO/RpI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUf6d7bGTvBNCC1VtyIl/IKfc0V1wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBK8PJuQsYYMQxUGYezGO3TR+YnmiwXV7fYbze3+D7el\najSCNmaBoYJbtnvTEDpj/LHLePXjrQZqJuxCRb1sULejgYAwfjAdBgNVHQ4EFgQU\ndO/3gj97FL0J51/eoZus07Avw3YwHwYDVR0jBBgwFoAUbmCQ0E9hJThDaeNHHryw\nqHbVqPwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAh+PPXLwpzYwv\nC7/gM6b1RPjY7Hq1rMKonJ6ywg7FkWYCIFKAQid6aqgFsd2sKLWGydKJrudXfQdk\ntQ8F0+04EMBe\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUF7A/I2gUOHfQFyywoIKkOU44wQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2wTPGyzMMcfHUUuao5hONbma9Ao96XXM9s0uHAhJgr\no/qN7ij0Zd+xxZAyHcFQr5IYcSqeXNL4H/AMclPP+AyjgYAwfjAdBgNVHQ4EFgQU\nRFoa+dtIewJ6lKtLLGBM27ucbQMwHwYDVR0jBBgwFoAUkiDNa0QJMwfDthsickRy\nmvFgEk8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjVxi7f15yB8T\nkyAxyvjK12SiRRLGBl+voyn7ueJP8+UCIQCJyIXYYltLWwaNKxXATDpNmB9WYZIG\n/DwPV059YK7ANA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1457,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGoQVTxf9TYtHJuBbHJmvw/RSEBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjhG6LMuKdkwcOv9Nc3guOtEIgdsgYR8G+77a1\n3vtx8gFwSCQLgLD5BAN7M8xPUOIjE8B3sB9xNSK4k3SOxtjio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeGk63NmcxBsd6uVObVZJNX7IU0cwCgYIKoZIzj0EAwIDSQAwRgIh\nALiSQaoYaoJt9X+hXkjDHlbdIHWY8h7c7qQzjbz1V4S2AiEAj6E+wiLziuZFeV+B\nuye5c8qK8UaB4Xa/WgKHbRHsYdw=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenC9QkoKjUDRHQSDiM/wtBZzNmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW3+APfXpF74UQSM8jdWbYpJ+2yYR1LJXfXJr8\nNyYxTonVC08IX/wmBSlkBSyGK+cZ4mWTNJhdLEPzUmcVd+cco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpwOTfKi/l7j7R7VFKitwYaW+lm0wCgYIKoZIzj0EAwIDSQAwRgIh\nAP6BHbfJ6mjZGzXCuB195HYZkyTYlEw9b5gDq/iqA/9EAiEA9JP9JF6CPFJi+pFA\ntaB2wkT1Z9ByLs8KwENhVFQ/cK0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUesNnQgL+p5dixwfPnXOh+VAm3gwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJOTLWbpjA+IACccx1zLsfgCefFxZqeA2vnJiJJW4uW7\nZVrOryocspypRhwJ7yqJHhoZije4Ezo78wQBjP32QOejdjB0MB0GA1UdDgQWBBTW\n5MnlhjdfCjVuOsg5CWCgPkCJ0jAfBgNVHSMEGDAWgBR4aTrc2ZzEGx3q5U5tVkk1\nfshTRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBhdMqroP9fDvKlUSN9SbqHJkrdT4\njZosqRqFgmj+uN8CIQCAuonju4sNkf6feA6c/YbWyxCum/o3GDhAZh/HZtaC7g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULYyJArBUmABu9jTCOd2deygmy9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZ4gu7knzho6dnSP4t9xR6ZawEGGy2CTly8D64t2hM8\nQq/L3bJXfwtmn4bdU17hclM2OlxGajBFjE7wJZYTNpujdjB0MB0GA1UdDgQWBBSW\n8yLFecN4m4Ogk691WBODlry1ojAfBgNVHSMEGDAWgBSnA5N8qL+XuPtHtUUqK3Bh\npb6WbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBHvEV2Qdybqag1Q69J2RFgPOpUSh\n+WLxzCr5/MNXEukCIQDeYa//NwBlr6lApjQUfo3iTb55/qbGnXNRt7d4Boi4Bg==\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUc0/FGngWjsLkKcpPCQE1U1qit8UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNsqywSqxBk8FFfY/hsb3n7IIsEgTE7NTx7jBW\n76ZQLnUb/l5TdiAvEFdV6+ZjOTngcIOIyvp1vWIdr1MXsmvXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy3tXpD57ubyFY9wj2AmLjgi6obkwCgYIKoZIzj0EAwIDSAAwRQIg\nQ/WolaLuVjJudpj3IQgtyYsLCgzh0oMQVFDcrGBY5FoCIQDz5RIcuTjqkGUO/5uX\nCakYPopeWZ1E6WXwILAYYuZMQw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcIN1+X6Evkf0nKKr7TWEcT3c+/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG/NM38NzuAXApXecVdfki5coQ/m/skWdC65Jl\nQM6n4eDKDbeb/gwjqEDq9stWKEfslMD/HJ5iCdsg2o/OG0n9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG9F8cvqSBPk3KkFDZQL18Vny/lwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPnje6EAubO2B3Vm63vEpqM9jIdfHncGSN6QDV0ugeWWAiAyg5p1yKavimAxyYs1\n86uPYcGsl2iMmq2hzg35vnPMOg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUaX5OTZvhi7jx7zQTfDGMzTP7le8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE8/rX57nTEaopivEecVVP0YFqRFQUSXnBAY06CDSGOg\n7wKkpwPYobmz0XGb/JlCtLJAdi5OmNe6VuZQj6p+WIijfjB8MB0GA1UdDgQWBBQv\nTb9qCgz1LjTEQqCf/iUmtFbWujAfBgNVHSMEGDAWgBTLe1ekPnu5vIVj3CPYCYuO\nCLqhuTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAwhuDzRsunLwIsapW\nbXQtwhEF1+rBfpD2KHsY47rZWUgCIDEamabvIg1lk7F39YZTbHE2YKZzxmiy0jRT\nMDyqi7Iu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUEjsYlDT2JMqL8rEr7bzJp2YRl6owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBSwXwKOzyeLde/komzZzb/TDSmLvmHcVrmkGyZpVuP\nqfFhCllmhl54SshymCfz6h2rsV+wkpQD2kXrfOOaaFWjfjB8MB0GA1UdDgQWBBRh\nrUQaZ4f5cD7lRD/rVwYhP/3AyjAfBgNVHSMEGDAWgBQb0Xxy+pIE+TcqQUNlAvXx\nWfL+XDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAjVjAdiyq6UTSkDdtp\nCtTMovd3R3Ha0ud5gjmBXnw23AIhALQy8/aDcg9iCtrawFTMHbIhLy2pQMXECb2n\nSZh+U+1Z\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUU1Xu6n7QQSZmK6POFuzxVWqGCQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEqkA+aC5Wabknafkw04eEHNNmHHf44pLrErsm\nrg2IIjnhng0w9TXUSk2Vg7anoQeGGMSCD1yBDvi5fmDhvrb9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq+UOEbwWKYobzm9CN2kieUXiF+4wCgYIKoZIzj0EAwIDRwAwRAIg\nKQc4tMzCP87xsgZS9SMySs5hC0GJeuI2sVpYgfr+nJACIEOVlvsayhNXQtVILwb5\nQSQjgvGZOwnxHQEV9YgCAYfH\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXfJKys8nheMPRbP5FJXwCRUEl2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2ZQu1zsdDP6VaZ9+0wGJac1h/jO3PqUwWu/CI\nqkSbzmq/7EDlsyi1xCagbQBUx69uZJaOv0pGmlL/uV3xWT8Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaRCt4C5uuR5sRPU/hc3k6CLJazIwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY0dRWwS4lCNMPiuPp2PmqJqZJtrr+vk0n9ahnDope7AiEA8vUBofSPePNRFPGF\nKPSSzBw6BR8NbELKf137Ojg3yTs=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUZu2aVhPRXNwL4j8xNXKNQwXVVD0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDrHnSKVLRFCfceHE974lzaXsv1Z13LI+uRNkxddG88D\nCSQj0hNKzkGElEaUJpn97L3fXTvEZD5XQ5fmXkBm89KjgYAwfjAdBgNVHQ4EFgQU\n8JZfvGDr7vGLJY4vfGMi5g32Lk8wHwYDVR0jBBgwFoAUq+UOEbwWKYobzm9CN2ki\neUXiF+4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAvvx1/tPSDqhwq\njmBpe157cPVuqYAjy3260NfV/7egbgIhALtFBHKFkf0XrcncfYONRof9+HhZrDQk\nOxPV79+4ZDda\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUV/Mbwbso0vcXLepLHphWEW9j6vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOa4KdOW8kCha2wswMrfSE/sf/EeIYGvnc38vtkphvVC\nPJwW2HMjJryvuvuMskTOKxXu6aeIKBjwZm4n7QTG2VmjgYAwfjAdBgNVHQ4EFgQU\nb8tkxaZDiPKtOt92RYg8LNgb87cwHwYDVR0jBBgwFoAUaRCt4C5uuR5sRPU/hc3k\n6CLJazIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA+OdvbcX+9loL\nNMPXMeVMcigaP8euXdtjA7AQLwd8D68CIQDVtqqN6gwW8uzVf3/8XlCYZqVr7tJ4\nF9wQqkz7TWzYvg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTtm5o0K53GUGRGJWE9Ycrg0RD4YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASA/CBjD4un/Gl1NLFuG6b0Bu8ACliLGOs4242x\nu0iIgLwmkQYyj/7EX2LlKChLx0Flt+ToZAHq9DZL1i+89GOpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBx5yoMAjupHf+uZWTGK/uISFHZkwCgYIKoZIzj0EAwIDSAAwRQIg\nTp28Q6bDB08BBAekXU+5OiHesOXPYhYn/Owbk3nphHMCIQDqX3weuYDndCom5P/Y\nbi8Mp/lyAdOUcCHPfoMk28RTRA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKaGBEyEFT5gkq15VBGXE7CTo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+Sk7Tb01TGpOzqAiWyYuIuX5p09oLm+mDetgh\nI4WoIrmt/ZeVJS8W6biL1UtK6x2J7NeA/kEJoCMeThs1jY9wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkFhFinzqmIklUypchgbE9NPPZhYwCgYIKoZIzj0EAwIDSAAwRQIg\nYEjgyI9uthVODVy8v6J+y/7kOWbgDvp4JGbjGhT1aGwCIQDwFAoQSCY5H9+u7isP\ntzoR6lwUM8ZpgKROQG+g+e78dg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUDlXqmJ8/AT2I+J5FJfPf7uEv+wcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC8ftjhS5d06M8o35anMsVccjGNVuT+AOU1wAPbp82nr\n9MQnw9+aawGpWANf9xt1JRruLGihjsBtr4teXF21I0ejgYMwgYAwHQYDVR0OBBYE\nFF4JIulsayhZGN8O8JsgkbEJ7fu6MB8GA1UdIwQYMBaAFAcecqDAI7qR3/rmVkxi\nv7iEhR2ZMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAh9tEHhYUVku\n3j4pRtOocEDpVjuwfbmtIQ2h6BGdFtQOAiEApgbUrOv+lx3+8bWqa+vJDog3cNHi\nxrbz6PF9pa53hew=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUGwVluRFwnwi6aIztU2SZKBEKpJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLEGWCPyGzW3Gd1pHsOBWfCm6dTLJfM8TGBeryMBkKC+\navIjI96qnhBITNBWQZkhajWDn/RAshh5B600rmsXm5ejgYMwgYAwHQYDVR0OBBYE\nFAZ1Uc2m+vvxywsQLXHRlQ/sbfXAMB8GA1UdIwQYMBaAFJBYRYp86piJJVMqXIYG\nxPTTz2YWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0A4cw14k\nxj7vgr9oCUT4D0uxs6Sl86Eu5SVqq+uB9iECIC2KxW+yHIAX18wug5JAXMDx8Oej\nCumjAzEqs8ILCjL5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf7oRsqLOjJiRx/XKmRIeSMhLsRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8GH8f7D9epMZmmWxyFxgECw4A3yGPwoMZ5tjr\nTxXqw6PRAI2DgDDzu1rKYUTg676SAYsb34HI8Ey+guE9HZQOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaI6HoPLH5KAVJnkQ+vuoImKSSJswCgYIKoZIzj0EAwIDSAAwRQIg\nR8yK1ZEyDs8JpEByktYkkpj16qIVIk6ifpft7RicCL8CIQCPqUQBrjjm+w2b6/np\nBFb4AwbYz8xhynIaSypdQBe/ew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDiNUzXZVgmcViBL8Ve7VFf97CWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS17gUkN9A1v/6AChCKoBkKux//0xU5CPdC4bNN\n5EB9NAsJjYLliMbCKksk4oFMk9V46/sY8n+Kst42yuLHIbXIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUESTzrhGgqxw41HI28YYOpiwn20wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnZj6aINLFJ6SEf4Ls989rQK6N2xeH83vlsS1nxKVXmAiEA7/axMpmFpKZqKEZi\nqqjAvVjwqzG+nqW+lWyeB7lSV/c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUSOTIA+P6eiHreMa5UHefPsD9grYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOp82ZVAklroMBIvzyvEQ1nVWXTEffu0n9uAQCvuaOYw\nsn6pJtdvHYj339Cb9Wsp0fSsOxk/CuLrXV7AjQpEdI2jfjB8MB0GA1UdDgQWBBQ9\nAj8HhUvLiLnipl/BlIt6gKd7ZDAfBgNVHSMEGDAWgBRojoeg8sfkoBUmeRD6+6gi\nYpJImzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA3BtB1XbfmArdCc947\nOaKxBqKcL+CYwMyXlywMWp9MtgIgRVZg8ruHI8ppRa5yG8FEOmCT/jDhWxeilozw\n9TaInPo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUEOxOkSPYbzK7S9Zj6a5lJzxWARYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPSZ1A4zrCBCswKvlcjmZT7D5aEhjbfJlPxkdtgt9E8H\nnYj8FfSrc5Tht7og10B1smsdulKMvFECru2QkUtT+12jfjB8MB0GA1UdDgQWBBR9\nAN/QtE22ByZe7vmqo94B6+CvqzAfBgNVHSMEGDAWgBRQRJPOuEaCrHDjUcjbxhg6\nmLCfbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBQIBQhScqg/6Mjn2Bm\n8yO6Rt4bh98uFCbR32DFDT7fzgIgRsYDxQosp3iUl84reW4VtNO452x66duDW7ZQ\nESduZ8k=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX91kbg0E08MELxRVET9aGdJ2sAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQYYDlpxzqODDRJnuuswb5yEZ7ktdejvqRPsrBU\nmfhX+39E6rk709MAPDxGRro/SR5sRj+MJfw7dgXq+k2xZailo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0e4HhulKsAPg4P/WD34SFblovL0wCgYIKoZIzj0EAwIDSAAwRQIg\nM2+dgxMLw1WXympV1vundeMqED9YZmu1vhGbndlRJZACIQDDgCD2lVn5/9ilR8hz\nl/XIJFKAbSSPXFv6eL2nNh6XRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcP3Jed5wHO9OHlq3Eo/E7a62tgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWeesNKoZBOIIHcaIoUWTZkW8h4tjW5TgVUZlb\nsqM2aolrx3VRHh4ZmdqVs+yrB5uRsS34x03hCrkULXaVUM2Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwKGvph6w0SnxXgJo/59WRILlf5IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKntphzAiAYg+WRMUGHaTr8dNliGgOKC0gLQ5SvucwEuAiEA+FgBkO075PNIQzPX\nVxruzmglLb621Yv+0/nrBVQ/3Jg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUF7988UHE1NV1+CcERewZWIrZ+xowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGKrj4ZRCD5lWIqlTTWJUw+4Nc6KXBklAOrVJoAsOewu\nsYqF12BDNqTIeLnZABUfSXMQSBpWKg72hG6tgF34y76jgYwwgYkwHQYDVR0OBBYE\nFE5HQEIzIUpr46H4Szew1fOgTwwLMB8GA1UdIwQYMBaAFNHuB4bpSrAD4OD/1g9+\nEhW5aLy9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEA6NenKv6rkkoHv0V9OypNcfJS4nCR2FVSGHqiw/z8h9cCIQDlHWJpRscofwXS\naW/QXtDVw+KrICtLc+zLykguWP3TWg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIURFoBUhfNtqsA6RnQHH0IQtPhlzwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBvjl4GPTnFU+IfEFY6mTvZ/0jHAXUFqAUjaXctrGT+\nvRdAgOKS3HrfpPuqA0DWrRGtzNJUvgk3857y9tWmWQujgYwwgYkwHQYDVR0OBBYE\nFM8ULIKi6mdI1ehfZBkpeKCU076lMB8GA1UdIwQYMBaAFMChr6YesNEp8V4CaP+f\nVkSC5X+SMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQ2DtLLiaJqpP2elcnDkEehwNxHifx4PrD8COoK5XE3wIgVi/Nb3QF28qmB/y3\nofVfqm8ThF9FWnTDTnoXKbN3ZNU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGBPFHoHdwVZ0eSLHpWQcEZLGi4gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6ZEpdqIC96tjX9r6QbZfQPagj2Pln5RKfmxD3\nf5aEB3BMeFM4hRpKgzsYLycRCJqrbpen1dwPUHduWMJNLRAmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5dfHnSU+DrFn/ETf/KbRMfIDe9cwCgYIKoZIzj0EAwIDRwAwRAIg\nWh/AqKrSZ107FIHcwyht/VE4lOLVPW1SoRDlTm1a2K4CIH8AvnEQvRHW90xmkmvq\nGAf4mnsHb1IpawJJ2pgBfOYF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBR3pdWWoRl5choOIMCOb56ijOqIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo+On9XFonsV1VO9eNhIjg+1fgJ8kR935bRvxs\nuqm5xsywIzQ3Z1sz6oCW/4RiqpEVenVC+VOL87bzLPtfnE6Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8p9ykQ2N8e2j35Tdm4y/tVSA8bMwCgYIKoZIzj0EAwIDRwAwRAIg\nQ9HXLF8hxINy5Ge7ipjRHqvSegDxBpJXYXqkPOmgftMCIBjZU+hyedq5puJWElze\n0u1a38rA7r/QIAvI2n3yS6FT\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUL4TMsHbYwCSGiradM+hDb8kNfeIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxxSyfwA7O09ACgqdV8ny4c/5gyJTi6Oop4JM6Vw58L\nUfM54bEN69S//K914DTpvmsimRKAvrpopWy0F1F5CcCjgYEwfzAdBgNVHQ4EFgQU\nnImC0goyl+9Hs+XCCrz30822lIAwHwYDVR0jBBgwFoAU5dfHnSU+DrFn/ETf/KbR\nMfIDe9cwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgePqdGyiCvKU8\neFutsXoa9xo2UHs3PwFwpSetWhUtrF0CIGVLpx+JRujtZm/lDm5F7msNhxRUXqbJ\norEueIAOXZu8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUKOzbdaAYDQsLB7ixVj0grb7wLE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0RkbanghRrOguWvrY0JPZbR1Yaba24Jc/bUkzS35T9\nuLjrzN9ouHHyb8V9uA+4hAHzfZ3OOLVn2D2G0fiii5ujgYEwfzAdBgNVHQ4EFgQU\n2R8WnjZAhxsxTslMWhcAzUcYmrowHwYDVR0jBBgwFoAU8p9ykQ2N8e2j35Tdm4y/\ntVSA8bMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAnkmen7aHLhp\n0e/cEHxGhU1OIGV27h90QtaB6gydXmoCIDJ80tSOU4fEeHZpiFgY1lN3m6vfW5HX\nUMsmSNlh8DtS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1625,10 +1604,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZV+Usz+SGxn2IniPoE557SHDLRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+/DtYiDrJ8fGWLuP0QMKNySRuSUsUbq1k/ajr\nXSVVragIOimeVrsZBFq3s2OLHkwZ9FHWqCwm0yTIKFSSSLoRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0tUTFV1wozNjVCYC5Ym6QqTtJCwwCgYIKoZIzj0EAwIDRwAwRAIg\nRuN2UpDdr8ks704+l5SXmsTNSOxMEnba/aCt5i6M9JcCIAqDmCxIWJjxg6238nUf\nDyLHhAQPYE3gM2tfjv6DnWuY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZHfrBXIGHEdmxTYmNJtCIjUhVxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBSvJgqraySnLTETEnxwRCovmsas03XcmppsRx\ny3xHO662iOmhtQDvmzplJD+1pWgRcdM94H+yH/1i4obgD5QWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/E9BlbBi9wkPeFcSN2P1Utajn1wwCgYIKoZIzj0EAwIDSAAwRQIh\nAKOlfATnBr2Z9d3gE6iAngeB0Xn8jND4ZL4GP9OkcNeIAiAw5zshObkVXn/umRul\nMaz0M3vD/JPvl6wbmfCjDeDNsg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUbKU8gon1Mi0SUUYfwiUR8XsKjlYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDaVpz1NyTWYQgPh2hkS98J5fllQU+TKD0ct20XlAkCC\n4mKpMzbCTHaJs6fnU3SxN4d51IXHsptayVrJG3d3LtWjgZQwgZEwHQYDVR0OBBYE\nFBpNaNwP4Kf+9G3Zgh1+W8fpEN6sMB8GA1UdIwQYMBaAFNLVExVdcKMzY1QmAuWJ\nukKk7SQsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQDqcDk6J+l3lYGdNm60FczhWvlaMYHBZ7m9t6bksbnTWAIhAJm8\nLU3AJ4Ac1ePEGJ6qUlAcjWmZ3u2hT8cxt4b/GPe7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUBlxjsBXb/pfrmrTfIGAxUphflTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI+sQobE3AWUkNMGq/w2ZBiqLusUqbBR7oILlvuys4Bl\nRJ0swRvQX0NYL414Se83jTSggcThGSV1o+XKaX0yKqWjgZQwgZEwHQYDVR0OBBYE\nFNaxhQF7okbUVhi7U9+Ap2eNv++iMB8GA1UdIwQYMBaAFPxPQZWwYvcJD3hXEjdj\n9VLWo59cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQCTXMd8NlgYG7y1CsI3XICnn0qINxIIgYsvoct/kPijawIhAMTs\nbRBPShmXlDkyLJGcyLe5m5rm1XemHcmKE8/SvW8q\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1648,10 +1627,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUfMQ1JtM1i1yYVBJVCygGJdrkuA8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1F2xaiH4M69azNett08m205BmP27B4ST65n9i\ncIT6p/j2BbtfyVkSW0qc7k9WfGkXDnTgFGbOslY2EU3Mvb2Wo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+7zPRX01x31Wuxj5a6dNYXzjw/gwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgJfD64GCjeMg0wR5wNN4kR2v+fqShuui7iVgw\nfcSHtU0CIAJb+0+bclvErS1i9PFABYboqLHd6pogfo9yIPFpNY9s\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUWVg94dSh6HpC9BBl26KJSK9DVEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSfQiD8+UG0LaHLDrax4iOf+VNN98DyfsLOc0W\n6wv0Q7evD4ji0vMYR6YW9sSO952UlTGO+0HB4x/UiZ6Hcgrko2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIWhf44fwVLZRYctw4rP2f0od68wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgIvxPG8wc8Nx0VJocOVMQLOcybQypzcFspe34\n+CT9+KsCIQDdPZg+Bni/SqxMQnoOuHXZvqc3DbI+noQtX7/Sx+9XoA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOupj48t910CEGPZ1z1XhB77uxEQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKde1F+APabHbQThPowqkwVOYNsULx63dei6g6Iu9KMw\n4+BgKvIj8jxTifuGzyN8MMHFW0BTH3pGHjhm94kiAvyjfDB6MB0GA1UdDgQWBBTF\npw4s8bs7EmKXdeOZJcvgfX9pZjAfBgNVHSMEGDAWgBT7vM9FfTXHfVa7GPlrp01h\nfOPD+DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMFUyvb09lSbiJ9CO83K\npSTErwahNu1/JxXbmbTBx9f/AiB7FAPej8BQCIFoZ8AL8s38k1PIuFE/WVIWNKQF\nCRYfRA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQUMyj01tH6emkgC38e9dRR+boxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHTSfhdW05mM0PPpeXy8LGzp3LNoZ0sQlhBBWAba4D/v\nILPDJNNcbyTF1WwkTZ98gxVq5lmUHJ1lDDsx+P59AZOjfDB6MB0GA1UdDgQWBBRc\noXlSnSoHbju0owwHpEeC8VdDZzAfBgNVHSMEGDAWgBTMhaF/jh/BUtlFhy3Dis/Z\n/Sh3rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgX91+tGdFtfn8jyFjy0mb\nu8e+3nbNbbEBp6iiLnb9ZJsCIQCJGtmM17X33rgVYMfRvWxvwMfaItWdqpODSWqw\n7zqpXQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUUjCXLJVL+9E8p8etzF2Pf6rDe8owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnYBN1buiE+Rr5oD9bpoDXdk8bpF4iFYa8CO4h\nLEbY84M9UJ0oEJ0rp4ZKk06cfeCmlpR2yix2E7wrkUb+dj/3o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFFWohDx8ovdmKwKoIBhTJI8FEmJHoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRVqIQ8fKL3ZisCqCAYUySPBRJiRzAKBggqhkjOPQQD\nAgNJADBGAiEAl1nEOL7DfmoP072VH2GYtcN96NFb4qTSgPjvADhkdFsCIQCwwb/+\nZ+hGmdhXX4oYkFDw99VIRvqSQdicBft0fHjZIA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUYjj3hmjaeZUMe7qwZacKZD7rsvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKE4UrWqiOgBwu3PoAT3/EugXZXzneB7EAqX4/\neL8M+7uIC5CklU19j2RDJr7F/+NZIBtg+A7cW6jxA7V/7n0Go4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFG28alFX7uJPJDtunFmbRyiQkFKMoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRtvGpRV+7iTyQ7bpxZm0cokJBSjDAKBggqhkjOPQQD\nAgNHADBEAiBQDyoebi6rguDKNzAGmNLcQclKiGhX4sdBEvr+hdGwWAIgcQuN2AaS\nB6JSt9yn0BNgFSA7ssLpFkHRvfVsh6Jhkw8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUcahEMDjq4TjvmTCC7qN0dWpmxyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF2zMTedECgSrptwgFAC7wF/3NEEb3RxeZsWkVizWi23\nAy/dZyEeUpK2sN7IwxOFSJCD2b8/cXe5TnkhNVMiGvWjfDB6MB0GA1UdDgQWBBRX\nA3HVWvvisxThgRZPKTzSXNV3IzAfBgNVHSMEGDAWgBRVqIQ8fKL3ZisCqCAYUySP\nBRJiRzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgOXLEPYs7fRAyJSpAVM9L\nAg8hI/fTLBu04HF6hyXlId8CIC/OfiBggYXoz193I0lAOmdXZZCCa/RBm/8G53OI\nBxg5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUT/nwI+1fTAZcR6pGK16mWTCRix4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLfOgrBG9IrdeWV0c5CZILUTI4VVAc0o+JYPGgFICmK\nccIQUYTPGvYPQ0ftbvIuMojqu0QOH/umYdov8KoZZ2ijfDB6MB0GA1UdDgQWBBQ3\nLnQQSEl3wv3fWZkqF1VB/RxlaTAfBgNVHSMEGDAWgBRtvGpRV+7iTyQ7bpxZm0co\nkJBSjDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPIFsOc+PMyhNBjtnaNS\nXlSP9zqMSd/Yw96V2nCyB6HqAiBONgEENSR2Nib5xlViDLElO62a68tunYc48sNR\nQAr4+g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUZnbPWg2cmjdBrZjm33uQW+KlXZEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKi/EoIl4mbPeTzjBM++KRBi6YTNs2G4V/dHxF\nbqf6qvyB4P13OHKNoeYp+4g5ZR3SnGAEnoVqP1LptOtdBh08o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBT/yMGkTJYl3BtfokgYU3FP9SPlCoICBNIwHQYDVR0OBBYEFP/I\nwaRMliXcG1+iSBhTcU/1I+UKMAoGCCqGSM49BAMCA0cAMEQCIGuI5obC8x9pPbpW\nNmtC/hWWXTxBA7+EmjlLqp5zLyGVAiAplquo+bzZpJA2VOMJoS2otxrkgNXL8EYw\nffpzjrZMyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUAct9ZLasFfS0DUZnhs7fte3BGn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTtMNmvtY3Uua9iEVTsg69faRpAQ6n1P2gdhsN\nueY5uxlmQmRCgWTNhbvyBBe19XtRAhg7DH2e23ds0BLFs8LQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQEMnR7QI71mKXA5KDRooGYNK1kJIICBNIwHQYDVR0OBBYEFAQy\ndHtAjvWYpcDkoNGigZg0rWQkMAoGCCqGSM49BAMCA0gAMEUCICTvCa+a+bXLb6dy\ntdC8EMc51fegjlgxhPuDuNEe4FGVAiEAiVhjB8XLrq+Kv0iYAtiM2HdgY4idedqq\nBFhrgxeQ+J8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUHh6+TCHfpV6SRMidL5lF3wpJYCwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKbojsb0RVfVeA4gH69Dx4FOdA7+p9H5NBwUMSnwaaFv\niOCccGQlzTFA7HkFhg8m9U1kIiqMhQD4xANxDv7JTkSjfDB6MB0GA1UdDgQWBBTj\nY0vwDxe4LkFJo/byLuaKcFQEkzAfBgNVHSMEGDAWgBT/yMGkTJYl3BtfokgYU3FP\n9SPlCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMyKtM7+4u9e4E+AANXA\nG3R9mL9yambt6SteAhswVUPUAiEAwdLa6paK26igLT0n693h2bm1o4P8oXw1Uma4\nGTDeXNY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKPS5jGjYi7n4mFnyRfjc/LDJadQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOCyi+wRKCao9u1oy8BZdrpThw2GDJBmOnN51JpwUy1L\no9G07P/EnXFVMYqGrWbFB4bldlclJH7k5DDuuHchJhGjfDB6MB0GA1UdDgQWBBRe\nstGyOrYLAyUWpSA2XFAyRTWqYTAfBgNVHSMEGDAWgBQEMnR7QI71mKXA5KDRooGY\nNK1kJDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMIuv9/eOxpAEd5HVbcj\nJiAqp8I392nEGVCQqgvTaJVGAiEAiUfVRbvCY4Nb9Jc1GJ4k8kcWdiW5lOeRwEyK\nM6qmpRY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUEXETfC9S7CumjG8ReN1PvPgHcJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNhpOzfpQYsy32DblF+qmg/T3O8+wEe+DkRSdb\ni4KrDcEsSTTgaJF1+dsCW6yh+HMEhdV1vH3ZPG0GSfmv+OgGo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFN/OHhhS50AfcTxnl9emGN37bmn1oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU384eGFLnQB9xPGeX16YY3ftuafUwCgYIKoZI\nzj0EAwIDSAAwRQIgAr8UMM9cwKs/PAR6AXRZjftJcLqkklYwcRVu7atKIz4CIQDZ\nflWkNr47QVZKWf4klZb/WIaINd5Uc/0owilAu3zjsQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUPXOD++WPomK2Sim103IvoxN/GsswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiw4Z/is+4NQZztaNXHKDUe/uaotEHt+LvmPpc\nJeM7QmE8K3HQD3OvastieGqJHIvlcaf4+L5HoeWA/z8/Y8Muo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAZMD3YfKNHDGa4M6ciYaRmW5TKSoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUBkwPdh8o0cMZrgzpyJhpGZblMpIwCgYIKoZI\nzj0EAwIDSQAwRgIhALuV6YH2IwI31WSRcD6x+9ThpsPN1S5LMuwzK44ipgo7AiEA\nlH5NRxT6fLM6PmMiQPySsWOx0JTkfRZvE0xYmE3fvA4=\n-----END CERTIFICATE-----\n" 
], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUPLE6/z7jJRd8jx4PpT+lWUdpaRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEQx6N/6qkplxImYzkW8YTpu+DYHWc/8bFCeAJJejMC+\nZjBJeiwAvTMfWiZQvZGb3UM2D/+9IxTRCblCBSEDrdGjfDB6MB0GA1UdDgQWBBS3\nRR5Pfn1ji+NBWkmU4sjrNaEJCTAfBgNVHSMEGDAWgBTfzh4YUudAH3E8Z5fXphjd\n+25p9TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgedmog5VWwpRGV0VwZ2aK\nlN0BCFt6j9OIdcKaYckL4ewCICNDHhA5sV8Lfd7hOdVs5yFAMItzJbd55BVN2PIN\nqkIp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD9tSu1oBDvMwhkUdq4mOGHYuEWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+F/AW1qzRQOYleOFYAjH3rRP6Mu9WJtl3G2XeVaj1D\nPCh76+rhSGqYUmUfIEWG4l16pFJhKixcxOdLyenlJrGjfDB6MB0GA1UdDgQWBBTK\nDglkWVMxnvIqPr+pktzpvSs03TAfBgNVHSMEGDAWgBQGTA92HyjRwxmuDOnImGkZ\nluUykjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBUIak94kx1X1cnKSMWyQ\nTRT4YWYy9m1YXCYqiQxKIlQCIQDFO6uKnky17WKy5puIfob+DBnnVb4V4DvvIw5T\nLNkm0g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEUuMJvIJXjx/dmyiO6vCstNcZ9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARshoPArxe2c5MhxDLqIOdyxYuyRu+TaG9sLjJs\n+MSk1TfUGxzjykH39+gK3zxUvH2+fItt7INjIK9kB6LvnBxLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYFbw3R/RC+4BeAH7pVp7H9//6yMwCgYIKoZIzj0EAwIDSAAwRQIg\nGxLp9TNf7arTULTZwcYobHObBznfbqRBeMpY5nLTLT8CIQC46JeU+R0OEtvW7L3o\nTVwCAQtOHSFu/lyV7kQ7QBSdgA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGT5QLJfpbD0OZ0EZytZDN50s61IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKinAXl0tGwluOmPW9cEAf8NaGJUDQ5FXytJ49\nvSnU4yrYOzM0BEcpav23QWRt3G1pFIxi/Jw/znQ2/3UP0UkMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEJFoQBgVrv+pFJQA04YhZdK7p1MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKfnb153xST+A7oF/sjfNWKo0MATJyIGXF7y/Fzhd6vtAiEApI75wwdl9jJAcXC3\nhpT2z9FzJkKQbW77mVqUoFqowwU=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUSk0cKX3aJNpAzLdIYml34zjw1fMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABMrLSmTZn2SsyR2q4XrnDd1xQuxlOxpIcwBynMY9\n3xFz/2HBy1OKxI6VY1Uu5iTwhBlL2dePiNlsGc56wP4VnDKjfzB9MB0GA1UdDgQW\nBBTzCVjEfV0x0gCrIGZrDF+rEm9zaTAfBgNVHSMEGDAWgBRgVvDdH9EL7gF4Aful\nWnsf3//rIzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAvrDO+tQXdgG\n0pB/P60mjVI5bp0UmaKb0OobcOT8e5gCIESZxAXRdBo3ku961MAcwf2a2+N58/75\nQqMYGvqdKQYS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUfrUWl5p2j3pykdsqusGWB864v3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDiC/mVqA/xb6c1gGARkbCcWL/2wPsgjCwD1GVcx\n0yk6ICiUnYUwcCIjRD3DPtpMJ/X3rxut9Yiq59nfB1qUKzejfzB9MB0GA1UdDgQW\nBBT7AKYCvjAOKcnqYQAdyDKpBm1JIDAfBgNVHSMEGDAWgBQQkWhAGBWu/6kUlADT\nhiFl0runUzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoSVlTXa3qr\nKHfD5H+Ebk8cwe1ubOqUFYsUQ4KAcrljAiBgjxBd2wmqkIpl+0EtVd6tPN2COqfs\nLO/0s/NjfWX5fg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKmShdC2NchCO+b738Fi3WbgKHSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQXLMg6Eidx0TIh1CVZelnl7uWw2ARDImXr94S\nRDsEPET39fTpzDnul7LRZbCmLDxSZU4/6LikZLCUt7ODJDa5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS5reCvB3yz/WL/+19QiEywEYyNAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOCyTjS+LXlnKMwjAABc6wD01E5m5YMnpYinhJl6TKn8AiA/tRSyE0B7cSfHlGIf\nFR1aG1/7qXOsByEdXQtRjFUNiw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCtD3myeO9znDuMjOr/7Gh7lQIywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATl4FbRbFqdDvzqPVfS6riOc7Kb+6i7MSxilFls\n0++EsASQJmhS/jwhmsrJJhBwf9eGetKbkMDftHgQakF/cMrzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxUlehvKIbZzGRCTwWY10fTScqSgwCgYIKoZIzj0EAwIDRwAwRAIg\nbNbkiGrZZvjzJ3iWVWyBGYGjFibiIFTcDxc0O2zVDwoCICoKkKLEJiKRXbM9uMtK\n6Ml6dkiEzjOw1Y7x0R6ROXNj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUMu5zN9TF5AheqfTkJDCK3WXjwMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABHRpOQBgnDFZJjtjE5oh3wFl/gAFe2PXkSpCEMaS/Yya\n6oI09yICsQExoBWiFYKW46N8MHowHQYDVR0OBBYEFFvBnEhseMqbZf423FOzLRQJ\ngJKlMB8GA1UdIwQYMBaAFEua3grwd8s/1i//tfUIhMsBGMjQMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBF0eYzn+BWK2mE0HAFxB0tFawejtkThuZBgI++eNVb\nGQIhAJx7YFmAyx3ZY2UuFiC1GNU3SCTg5gQifcp0dtXvOsZ4\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUFCBJpjC3npQkebZ6cIkrH+LDHsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABADMcIeafv/YxjEKcphixDODmAJH/9h4tqHXI5jYts1C\nWsuMHHjTR45+T4YPvAue56N8MHowHQYDVR0OBBYEFPJQirisCmmOsrijIOWsgJC8\nWDhqMB8GA1UdIwQYMBaAFMVJXobyiG2cxkQk8FmNdH00nKkoMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiApcy5LT3QKCnOSrbXdWSAZhWMH5VpKsXBSempVL3zx\nRgIhAKWOedFFEzH43jdp7xJVopzaYNEcOH/thBg8dB4LIofC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1776,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCbknu0/DPBSrFB7ipudhzyPELYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQA4nv+1wn12l/pTnWxK8S2h6fKIWhss91NaPK7\nXuY9J1eyjVR/K9C6t7rrWPTCpYRZX+pGXz5zrlGnY8PQNIA9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp9zanCsEGAjOvjk3d6kyDFIzgkEwCgYIKoZIzj0EAwIDSAAwRQIg\nVu3rEYBkCRvX3GFLFUDsY4ZFmRemDPSkt0ifkZ7S/iQCIQD+SH9kVFWMX8YO2nsD\nRdjGhXWtIlO7IXYawTDmpKaKtw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSQlhtkmN+KjzTALaB+xKq58qMfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS80xuzA0xfw+6tZlY4TjTBk/b68XIFJfHJUxt\nH55y3fwkszm2q1w5ipz6u6g2I9kGcCVjsPT/nz67mw2i0PAOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpSShG66ADe6To7C4zUsgfD9X2DowCgYIKoZIzj0EAwIDRwAwRAIg\nFjsy57s5UODRt+gs83J9v5nP7tCWECFw7EJZit5AC0gCICq6DdCijyO5TPVRuiYX\nRPn7hyeVmOwK0O3Iv6InJYo9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGHzCCBcagAwIBAgIUchzavMS7DfIsGE3orr3716felw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA6z555RWXuu2eTEXpCtGBZRVY9+xSpFh2sJMcLoshDLkq\nBVubTHu99S3iIHRyqKcdJ7RrGkMyzxLd2ebalG/ob9uA+yglYnXK8lQLjtlQisUF\nW943Q7D/dE4KiKt2KxWoD1UsUn3I+qkH359Me/0/qtOtsKuv9znU2QL52d1Vb8Ju\nkuWcuba2DvUIO8q1iG//ogr7S5cJcidfzRyYBUJ9LtrQnl4Fqo8WpoQW2SwvtxL8\nTcwAvCdaghcgV6vuIM0+U4yzCKk/3Y1lBfWQw88baP29uy4x9f3UoHp3eEfu50SB\nZ/ex5Q2lbJ2NTGqGpnrM0aHrQRmtnbvekxnmUU828Zvo5sUFVo4eC5DzU2rQfjhs\nndQ8aHfp7Y+4bBZbI0VvsiJcqld8Ezny4cU+T0c+oj/TScn285IhWSva/yV7YJe8\nRazEFkPjjYE7WVhq0e/cFpedyDLroA5KVetTT8Z3eB109Ak//CdSEobSMOX97USe\nKZgQoLk1jwNIxoRh+SjNAiEA2M91tPaGUm1fZuZUYukfXxq6h0ztncungMHBSPPK\nllUCggGBALb0xsrEzThspRGxFmpXBpdc6CYAajJqCa63WumYWl90jovQFhgwlPq2\nmAGtTB+VEXXJyzB5Q7J2WtFXEx7qrwVH9geNN9w5MEfPsHrrqPFjvnCX36syy98H\nyVOFaB2HswirPjWALPWbfsU7wvDtriy7b1JohS5R25ITg53FScjdcaj9dexKzzss\nHCypaTHWlnuSP44y1uCrSDv7PvfIB6I+PqskYck7pEqHqYf9p7z72jPPWhpY4nF1\nxIHHGCnt2bSCjGMlPNbZtzzMzY5A+UShjZiW2Mo8+TxtFEcwtZsP8qn4Db216evv\nV5vB8EMwVTpEtzNStcupkVr7/lCel1XR2e2YFPV+2vPURioNDGFPg4RQptM/tkdE\nibvv3vlSUxG6DAEABdWAosy4OhG3cVQQIpFsEW242QGmDSYPsB8YX/6oCfe49gqG\n/yQDc912PpRAr+qXHxxxVuuQ/gq0NyrG35JKOEdxAIJB516tZAdyH6YON0ikEQGM\no/tOPNdHUgOCAYUAAoIBgAWtheRH78lGOmW10sVH1jS8QexrJ2wrW1yvW4mQnMyG\nYy59heg4kckoIFQZIuZ+xt2HEx9PiV944l+Fpkap6hts3vXhQdYd9FbdrombDFdI\nF4EgdxxmFSO/l2b9AqAssw0h4WvwF7/kRTYZsfldHlC77RtKqiw5MmXNL6wPPewC\n+1GKkIeejSIb81Xehu+r7mawRaqmVjUB1GMu1Nglw+YVml6i5UiLKE4m6AdMQ/T6\n077QKoeS9Rd2/xSi/ATjsd2YSJ4QdqwcpZU6pwq1vtoXtyG8mT3TQGt+f8eH/X5D\nde7afBo7XxIGpAoQ2DT9xQSxqfVSrQxh0y3rzF99JsfWidnQOpdrxd+XVlHlHazy\njc7Q4IqVDULR8sCnIBUoT/fBbi58HICdYODuRsz2KBVWTMQkGG7dU0neA2d0Mvay\nt7dOksxP4+aM4/9UziqTSwvrS68LzWu3jz0U23d2soGfB7r6PDcFnmn73CTjMOXL\nbLX74kH2jJiK5jXOjV9P+KN8MHowHQYDVR0OBBYEFHfyvEzW+sOQyMjfbwHux1DD\nEuCPMB8GA1UdIwQYMBaAFKfc2pwrBBgIzr45N3epMgxSM4JBMAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBJiTp1RuZzHT+krBk6Mcz/Xpn6yLuN7PWTxrBSwSWE\nTgIgGSI3XpKGdvC4/C8dW3C8NiRT13vy1RBGB3Y+FAaAMsk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUYeVppUmvj58kYoOijWmTKfAHcxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAtTsZOivm1IIHcqRedfOyokTIjG/UjDZoja7QNrNQ+fQ7\nEReFpjEMt3sRi82IoUM2U4d789CnfizxQ7k/9M4MgUm6u6LCGuSbfLGT79cLpWqh\noJNN+3WHdWeE9ceYXyh1IwhXP2byCRamoxmuQsn9KZNXTd/jMfGnavxX8+2L0zYR\nZbTmQJB8V4+YfbsTpF92IkYZCXJlL29cqcRxXAOFzO+2W6d8RRDAqgC4lkfROTAj\ntbZXLShbsPxgVdhzADZhJFKBk2eP3TvEWtjGjJ6Nb1ZOFtqPJ6wpQNMQvk21QA7z\nHlPCWJMb9lBvnXrj9oT203cP46ZcnibW5AplaFbZGpqLLBXdr66eP7+2QQmgEGKa\n0QPqfiGVDr2TOS/1Q9UMTn1v7DCPrePT3n3Nee4IlTgxOtnUxS5IfipF997dBYDN\npXYg6XDPuwihxMDBG/yujF1Oc3B11804TI0RSF3++9IqcvmbC3XsfHwwOFif0grX\nxkRB7ieXB45sxMHlvR5lAiEAxnnPqxGKqNpps4SKHJ2iFCX70zH3wda16U7iYz6G\n4GkCggGAYd7PGpGh7tMMJdU16NzYQ8hnLgm/aHuG8PDQF1R1HZ4wvdd6wSXXgmHm\nV31mQJAIU4UaOv+8YQow/nrirMFHTIZp2DkV/3d3xY8k6hDRBoR3Vo8Vm/7qq1UC\nwKqJEHIR+qE4ivV0FdmFFgrn6SGbAUhKC3PBtZkzClrclFXVhxkCnbscWQ2OECnP\ndEpPaJcMxvIT5Fit1EmrMSH708/DaPtGSL97Z50OEOma9cokfpXXHkti/WNGphMG\nNmkZ9a7KsZ6b9HfiV6heDhSUev8Cf4zRxwALW8D0exEdDKvkvl+zrH9NG8SR1R9+\nyhV07N6VtmRnk4LU8oMjGEqW82Ape5V1N1JDSR5i98XhcE4hoYomRGTJAoHl/qND\nCHrU1qN6xPQZbfB1x2bt5taiQPJaN38OHnkvAzan5UMP7KzYJxC29NpOBBBJp8X1\nUsx3FDW9l31eG0DL88XnzClL9x7wONu1uXEaD+uBgvZOdk9lRK6ZpYCoJu8qUsc/\n9YVCqEbcA4IBhgACggGBAIQcz2P4qY+Stav9EaPmtJJF8IsAuJxD4RneAGaINl8G\nX6BqWZBUBRUTTS/8RxI7L5rPPTlrWpfowKU2MvAxHL+TOgfVIJLUbF0+FqiI5+jq\nWRZnGumjPQn9ibLxD0qc6kAysK9cdT4r1lc5Q2kpBVH/qqQZb5lPNxv58AeDGywP\nL27Id9BXzIPTL4XsGRM4lD9UoZ/rpimYIiy2AkJAPXHaYnWJzZnBXzn2lQzLSRCv\nGxTH13QYK4fX3CREbTS6TxICA4RYk330NLS5X5xmkyEpyFtrhyhacbzS9HqsmkED\niQsEJ6wQXchV7uujuWNzPdCGYWpS45vG/UrWRMgQa4EO3pmelSftunMYGs/Pr6SF\nDuWXe+79dHESoAWum+91fY
p+LnCs6XyvFMZRYhFR9vQeFIi9ZTy3CXYqqfpyXxEy\nc0eGbDg577N1iCl0WZGN19DuSCDckyrzmC3lpiZefjbFbyWiTeSRM6h1no2Vz3W5\nuXS0quQUXgdzv+2qmMiU96N8MHowHQYDVR0OBBYEFNNtW5WSJaNBbSokV/w1/5T/\n6EDcMB8GA1UdIwQYMBaAFKUkoRuugA3uk6OwuM1LIHw/V9g6MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEApHLbPr1kd3njuUdPm1S4Ev2y06fPZ6oxaSmva4if\nlq8CIE7kWEkOwAA+XZO9wAiI58IrYLejKnfxDv38g6NJ/AvN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1797,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIF/zCCBaWgAwIBAgIUHgUw9lylcojLoonpqFBZNfcI3bwwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQC2osSmdqbLe6xrUHOUfYMsgGsTAtiqbcvAGs/p\nFHL1sD85c9nGymDwsaHgCFyZvDQn7vuUFbdPPCGvuFMV15EbSP/Ve1y+8BCmmxBW\nUVHj26wcEkIaYNrLqzuW1y2iizplGj6awGKD9QE6O/qZb77VfaGmBMqF3/7tbM7X\nm4oVPnWYcA/t3xTVRn+kLKWvtZhtB4aul07xJDHd5felS7lNe3heeG+0So8lSeF0\nff0KFSBPIXzO8Qwegqq1KQ5xt8s830Be2d7CqRkEp23FD5srRoZCYoyWgxfiJZfj\nB/zG7ib+vZDWv+1a4Qog4uGXv7LeSJXwA/iKmwuYNyFUbZ2RtQ7uvn/KQdwBADgx\ngdXCTZJhY3798ef/2TMZfENybO2QwmfXR6ioZjMom9XIALvV0rDsdAMKnRMUXbJQ\ni1JCbMTtwtiNnzYJqqjm75Pn8J2imOKxJ0DsbW7N28EhRWvI3EgS7MatCkbumFi8\n9Ll4/bdvNSgt5jf3dwTEqsWuFIsCIQDkuXrJpdMClzjAqdR/T0A7YF/Bp/zGPyC6\nae7OjSKULwKCAYBRwXqE4LwuVsKPP6lRJVdxvwQcH0JNJ/wQNKEBntSyZZXN/PKc\nbT2HuoHjKM5wOtMdjSWIjczANWdMY6fzSskz/j/pjpotwyLDWVGJ//iZmUryatgc\na+IU/hyQrKD0whw3i0q2XQXqDuaBxeEqfwGG31MJgTr2ePG0V0ZSsval/1wfkUXp\n2CsJnh43BA3Mf6w361agllDCw7hqjdUx+osIQbi+MT0StWuKt+dHRVS7Yqw8ddk+\nZve4lecufQLntFq9pTuntvjV0xZyUO2VzlM1q1p/jx10uPopYBxkCC3djjWOtYA6\nVWRYA6ShVZtj0q5VWi/AFyJ7st6i9JwMaSpyk444ApRL9i/RBISyZ4MHEFeFyEnj\nqIZtXuEFlvg7xOAdr2ndELVPCkF40dDM6vm2uFdR0eRo8CJMnZfUZZHccKqviF+5\nQ9fjO999v0sBdGm8Sc5Fr/51/KbqwdpCz0TnTPktbu4EsLemgJmHYQtALmag7dy1\nw2p+cQKbKdareuQDggGFAAKCAYB70tSjh2WDI2MOgbIIG9rIl5c+WMp8x9PdQeTG\nKulpV4FeRPDwTw7rjqKW5WL1z+wGjDz4k9dTahKF9UTpC7jPPQdDNOK4xW3AeGil\nq3r1lSM/r40MDNt8+kpBLa/f9MeXErszLRfx+WXma3Z8DZJ5H8Yxz5DegAgeJszB\nY8DoXHuRW+GiOT766r7tSWkWiqdn4v5Gasqp82P9hSGr60QFpIYI9Ra9W2tJqrQr\nP+FI/RtILTOGG4PUJda7Fvp3P1mz+QquyeJ2HS3Fl2TI37wVVSbg85YEIfM+Siio\nN8myAq9x1hQAZOdBxma7ZG4ZlixOvD6
N+DN1Tsy/523T19DDA93Zx+vNPxl5LhPx\nzntxD/838V6QNwWLl/0o7g3LC4NDhDKy1OouQJHvL/RCn8z6CbwB3gQ3AoGRLLNL\nB7lYoFUXoDYz9Q5qTvwyAbV6PKok2fTDXZoGz+sECmeAl84J8OXexvaj3nevKhd2\nhavWe1u2KDBHMtEZsjvR6OGprsyjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSG348XbJ7a\nAsEImq/LA0l7DgKwqjALBglghkgBZQMEAwIDRwAwRAIgacvZZMC3P/ZVB1gZKZi/\n/F8UNP9KUJwtQNjEUSWFO0cCIGI4n2RWk0+yaTWjStyiH7IfZG1HGCyEiid19VAr\nHJ3K\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUVoOB0g7uezvnDUYVR/GqoOnPj6AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQCf872e32Zq7o6ZuNWwhpLZe5x/gzHzgujTlasE\nEmyWfdBOCFUX3kq7BbWD64VK67UzEsyQsnKmrkFol859NcjkKV3NzvuFOgCN091O\nJheWmKbusgnPZqXtp9e/VSczcC/MPGFzrhLBECn2YFSfeVSzFazbhRtcsEFTzyQ0\neSkaSg9WBAmdZhA56Fer045udcr5RUwDgVptj4PKgqIX4msRKfddNh15rOF5POCQ\nIJ9+KA6O6yfrSuYkujSQdcPPIBsLQxLzYIqObIHVrOEOxJ31DrEVNOOwe5Wmo539\nzAHZWv6akCRBnZlf/cpXVAPl+fzGUInKHpC6i8FhyGXEYmPIWlRPCTyBYIy+OQhw\noh66/3WJscZ7zN6rOSd0PDM4J74RLELxNdylImm3oY/x6tqRdKy7US61IiNO9gts\nZbQFXEkeUAh3LmoH1+MogHGU6aqM/t8VnEIJQKhgNB3T+9TkafCbqTUoxg0qPKv0\nrwEHhxdDN82r0PO81ujbOdOkOYsCIQCp3EBwjt8HPcSzSm1yqgYWxinhsIvtXgtV\nfmJvMapwdQKCAYA5HXdUF824FBAmC8wg8MWXzeYdHRdW5aUheDX5C4Ri4eFtxNqo\nJlf0dl0aT/WokcX5Z4ymo+PV7z0EMJ7YWBbpLtmau53EmzdGpnbIH3OHwjwlg5kf\nQJIMqVs/4ke6QiJzgPrUpQc0NQ2xZlXqlume64o/uN/MlP9noD8MFq79VRb2hF50\n6ddH/xDPr3VyW9HG5pRKVawDclg+0wvYMBjbgrkjRJ5kEQKRqkapDHIgARZeOGmO\nKH89nyABMXckC57f6FpZydM3ukdz30JrxhyjbTWmuDLRiCdQP5b5ISAiZ1RGk8xH\n/W1GobBRDKxYkNUMeUB8QXB2yFvz0+bTM8FZrBEylU/zP5IUOX2rj6m+9iQ5wvfB\nDvA9a3c4ICvVzBIEK0S4kBXqvfVS7h9c0RGmQVOVsglIyBCtJKJTSpw70WL1tek/\nYhpGTKV5ZNuLBY9lanp92z9ZbsfV3etR/klZQQR8XmK7RKzxod4Ar/65+9kAkPIg\n3OkHD32LTBI7+iYDggGGAAKCAYEAmC/nATqWafbTyMpVEP06lUHoLx8YYHLtrjLl\ncz+CQ9ufSVUkdqcYXpqjJyd800AX9gJOIK1vehuFP6JrHrBH6Ya9sm1+3rbMgF4s\nThlii0DYEKr3fJmwrECiCdSPNiS7HUxMWoA++yuNI2Oblq8mEp
iLLpQcYLWwyxD5\nERaoFJWMorNo0Zz3x+fxt6Fo56yvKerIDu2L2MriucCYlR+DYHAQGDPojIffQijd\nwLGsm/FMxHi8xJceJw0zLpacEX2IParD/kSmKssq7K4GGHnkVYAMHCc2gfFnujDs\n9dCPpDwBvtKy6nYV7k+sEC7fnZcg9onm0nRXwnmylnyeQJYoJPbSSR9IlZi5XsIS\nt4snBywxNoPQP5VmZG6KntMq+uc6vXOnvx32xAZf+DougjhcsgkvbEG+JusL528S\n604VoUF2ydM7i8hnQSqpwMIo3yt8h2EvHOQcHzjffNyb/jMyuoejqkm/ajr/KM+y\nvb+jpTajSBVSdyP4P7nQUtD2COgwo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUzLi90u5W\nzJQsjkhTU1Gd87xHZc8wCwYJYIZIAWUDBAMCA0cAMEQCIF9WtJ02UtETgCGpzVH7\nSECT3GX0ZW/NnhYkEE7nOUPAAiAWNf7ETdfc9N2M1E+4PadoK1WD1MasLf0B69yU\nseodzw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUbr5JAskZFASivT9haEOdY88ygPYwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATJvxv2tNjckag5uEljg4bBj2D4umeT5S7SUPj2G2bN\nplv6tm8BU8VzJ8+IywEYbLC/d1TELbJGhoFOx0V63etXo3wwejAdBgNVHQ4EFgQU\nrqs660T4F7cKz4wPjtIXpFFm/j4wHwYDVR0jBBgwFoAUht+PF2ye2gLBCJqvywNJ\new4CsKowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiBuzwItJIf0pEh5cuMT\nH5uoiLFbpUnvMclyeUjVe7grbgIgYRjiad1Y7iqlrn3fRsoT2lbaA7e/RBrGyarf\npKp0J80=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUViMOAzk3g7VM2Q28cqBLHBXRrjkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQQve+ypm4ALnKncVzhBCsNS+IAkcYHUL8p8svyOYvm\nEETkzWQds01gJOs/K9xdQnsamgYe3OQqajeGFCtVWUYto3wwejAdBgNVHQ4EFgQU\nWpK3bX4rAdwsH7BFD0LOSllcQWAwHwYDVR0jBBgwFoAUzLi90u5WzJQsjkhTU1Gd\n87xHZc8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiAaj0FPNnN8W2sUdgA4\n1kBMl43zh5YklDixgExPHiNNwQIgD/CyV7Ysuonq8ZTkpvWLSxdJ/BpC1cch3YlF\nEnbAI90=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1799,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZvPLfPw6lq7f79lQOa6FJFvvff8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNDDnkyj189XjUw903rTikGTg2vUVMEM5zp2I1\nS4yrQ5bP18n49TEW3Op90Ap4I9jSdIKxzlDNaT5J1mtJNM3Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWtOWkAWldQDkHpv41RM1OUU83wwwCgYIKoZIzj0EAwIDSAAwRQIg\nVE0H+2kPjtzkCD3PqfxxdXhdm5l1pz1MEJET6uwS1rUCIQDGDhMA9U0o48/tZCzF\nwjfh3QhvEQcxv/hnFckPbShp7Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUawRJxKPs2G/CHK5kQ5K7MVDgwacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7cK6l5qY/677aeAZouMTAdz2vbiE3mfxoCm6S\nqpZRqjueWsmsO88UQqp5+WzMVK3FP1m+gX2T2XM2VvnbXlRXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoGl6QrvA13ung9a66JKWvk9KCQgwCgYIKoZIzj0EAwIDSAAwRQIg\nExlRCdMVhbHUtG37ZgzrEJdaXNMnpAjDT/eRQezV56UCIQDTjY/5a9q6niT4Rffz\noxgSjHlK3oa1lk+DngZM2KZ7fA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUc16OJcPpTZe3/rt+XQqFLrQpv88wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA3a6FLJi18M2FONGZhsghtxpm++SIaDZasqANdD8ok1QX\n7RLh63mqvzS0Dd57GZoxsXY+N3vfdTud0P9b+AeUPad2Q8+1E/kdWSNEDnAdUxv0\n3ztCN2eD3TqD6Qk74trOge3rMXkbddFdoe2WLgaoifscN2m2Ce1Lk71tr9KNVxJz\n9V6M/0BW3xzsD9MsU7ZbzHLpzl+1UBvi0calcoFMngnbqhueGSxcFEyu5Dpw6v2l\nweQ5hvIBWJ+Qv8f28WcB0WLkv23gfvXs/1OlNOhCzX9DitUCyWisEtoDy/5WWjrt\nPbidsFd6fFd6GXepWjmlQ1oC6IaBCgVMp18SvHaaZx3JE7wK6wWfQUfVArHO7UvV\nZ0IeJyEIggGlvhNFWKwP9x8dYtqKFcF5832oN9qufMNtQqr+yQuCqLjDN+NeruOk\nBjkbzYeJSLqIMjuGMDEvibYKnq16h0Zt8hSheV+37vJ8cHTSh2UHXm9Kr5GrT9XJ\nIo6sPU/BzoqH2PqZYVJzAiEAmpuvADZyYohdqZ+Uo66sZIqPb7wWQzRpCtrRYCZE\ntYECggGBAKEnrynxLHy3wkRrvBdVAOOYClXwcMEJ+HNjg6k5JQmoZCenO1VGw/qo\n2NKBYoCFGfvtZC7KGctqGM6CMi+ZuAyqxNweHX0iMACLon99BDzNwhBQ+uBlLzKK\nv/i9/EapESwSDMf99iqZfE2YWrEb9g0fCsMCVUfm1Mt2Ophysi2BphS+TM0O/49N\nsm5MFTkgT3NS0vGjX26zkhBnRtL7QVjcmDe+kBSjsLO7KSawJ0pVE9igeFi+HG2R\ni1nSVAN8ZM3gadtcBnoDiAKTCZT6c4qNMxQOEuzChWTkioHxVlgW9xNntW7exP9E\n5ZRGP5iN1hELiGMhTgss279+k78fM5junjb9pCfJvcfUddPg1OXemjHP6VzaPPE1\njnWG9WATH7mm8tU/YrVL38cHsZhLX5VO7uHBot6uGzR/9dnY3YSWIe6Yze1rS9p9\nAHFujpEMexE7NKLXs8j8SgBfqV8g0EygQpiisPC7ACYMzWRuxMVEZQxeeuDGOJv4\nP3XsfsusbAOCAYUAAoIBgB7NPRwK5AE7NALBCVnJLHFn3YrzxWAlFxubCs9UzCYL\nWKmA3SjDY7DNked43GxIVXBfk3kKzrFHt9HYZ1bLlul2d84TmMvm5MORNrFZR/9K\n9KX3A+JhX5jd6BxUdps/9H/qXEbH4p/l1D+Q6XS06Y9yxWpmLu6kfYO/bPhOGjZi\nsC7xvrC+Mz0MelcaK473zYMFK4hHotYc0y9rnNAn01TUk5GL43+2Rri01iQXRl6v\nPj3ErmlV7g3L2eL7zKiadGCRRLedofS0tUvu2DC1NpEqhtVnQj4RYWHTMjtzymZK\niCpGbbvY137eQuxXtrODxhGdrFIzNdaff+8RnZ/0ph3+izIZTxRuZ2vqbPe7HKox\nbGB7sZdDB4inSGpupxVG643LEutKpb2V7920G0SSGeVawPzrIJmJAifUpExz4DwJ\nIQzNw8Qb4KII8QddV1GVDWosVJvNzjB5xTDE90F6gLfavBquNBFdGRWIIcWJeFvy\neVJ6Vb4EiHuINynsQfe936N8MHowHQYDVR0OBBYEFPlq8WKMY8xRFspMbZH2S8c/\nt7rPMB8GA1UdIwQYMBaAFFrTlpAFpXUA5B6b+NUTNTlFPN8MMAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBBDglWy71g28Gkrji4OCn4eCsICqFPolvkzVigQUxc\nYgIhAKcxwoGFm2bHKZu2pAqxE1dXX2pHBmYxk1884rc5q7eq\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUTwSBPwFFHqekk1lzDa9+OZHRQTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAh+IV3btRh3tf6TNFnAie/F542vsWA1p8SuP7rA1lALSx\nxMwDvTBVLRf4zv/Ek8u+Ml3Lbbg3esw3AIsVoXnhtSUGyX1tIUPj7HT0GyVhhBjl\nYWecS37sE4djZQJT6kRhhKJrlftXDYbv4oT3O7ckI9nzgwxy+IkxQsp2sZ08KIg5\newnZkGGsbV8wAkl6xuFHul3+Df7ZYumh9YbmFbLvrLizlUY47OvlwDSoSpBD8GWA\nbPA6QOL2sOSX5nscgHMNpmxU6AKnWRaKD+WTJ9kyRbdKpWPNQa9dnB6Wd4wA+z8T\n2+VrUbaydRZ7cKkbb5KDZ8V+K00iN/diYhtF0ZY+iNuI/M/GbclulUS8xqv7eNy7\nvNtttbdmoiPT20oAlp84XLwTvTWBDpx8HWPnOBp4ydtUhozcl4RqnOLU6x1uvki2\njQsLDvwHPxKhCD/GyjhKy9l0KxaMOHUAWUI49a63U87UrbT2fy7OypPcBEyEiqt/\nqVDfiK5/olcjZ0VL7PfBAiEA+xxjZHGC01R+BNX2Us3vT6BdTLNHq2UC8usxcpEk\nE8sCggGAFIWztX32t7+r5sIPD3jEecRxYvZygz2/lYzsn0b8XdBHduTwTHbouyha\nKUcbdipJN61nmw6FNrHxVd4UZCK6zQfytQf391EMZ/XobdJX5aBuEX+fnVkQ+iIo\n1VYTuGiKi3nHGof7b+B2mrNKPuiT6alQOXQlPoJB4srjYVq7osJhOZ7XQuPg3O1N\nroVyKW3N0eXA6WJztREjNuwqEtjfeuHofLA0WhFRjhh2GhFFTfh14L9QVYE6RgKA\nFONPQEb1sqhh+nBmsAyalxiFEOkx64Fgc1sK8zTHplgEuTm+QHmc6vZpv1iiTRm/\nEOFKvZUCBZKAtu8sNdiTUfmw6DcL5vnloxcg75+K8n99bhUGcdQl4Wc8kgizRdf+\n2gesLqQ+BzyWrI9oWslW4PBFe+upnn9KMd/GMfr6DwHvqX2Z2EUpmXYwAoX4Hd29\nkRa4ZAsMI9F6iBhjtHgMHiMRO6pVabTB8+rWJg7YjGLPGgLiUIF6zYhD4lut9VAa\ns0QGxHTQA4IBhQACggGABzLDcYxKAfW9/y4tiRSgRJwx1Gz7rpVxAmzBVGfG/QaF\naJvY8v+YIoWe8bCBpoFQzTU3FCTM/TO0gQO0vnf5QdZ9nDKKM0XHRfaBeGCk6WpO\n3oi4SEUNZschc4ShbBIRmLGYkaVYn8TsiK6EJZqiUkAKBYP4ijaBy/qincPxj/Hd\nIObkThw94GXOlWYfHxA/9s53G62td621IQ9vzqWj2l1sz8CzOuT90UWD+fGlob3J\nuZybw0Biwb5zJDMPS1P10rBTcPqUJyRZTrAV8+bgGhCW+BZDpD5PzjRo8a9Nhgow\nK5GlSttYM54ZzCiBPMq1c5OmgKlrpRjJRL60W04YJIkqCsf/8gLO+c6j7XaJl9tD\nqXLINNMd11iT2UYUWyRwLy
hq5YkNTpLnbgS1gIpTzhtgr6bvq6biClO+SYs4xhB0\nHwDK+NDgAjZpGXHnXEqxeXyPfNM7DJPZ/gqRu2EUwKbKf3ifiGknqpPTIgFEYIMX\n+tvYld3APiH3hrSu7aLTo3wwejAdBgNVHQ4EFgQUnegIPt74xjXK+CoaEH926GOA\nbVswHwYDVR0jBBgwFoAUoGl6QrvA13ung9a66JKWvk9KCQgwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIEsleLAKC6uiPqmvoeU8omuuvdP3w5bAJUYy0p03eFE7\nAiEA0Y1F3hn1u/YRaFACsAi78072ukqIYSzrMz5vb7nRmCM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1841,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBQ9ew41caaIlKsEgaFlRK/NaqlgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS7DvCaAmICkS7L3Eq5BIkdyzQDcMRAuf4fgVnH\nK/i6GfMe+zrpJ04PxRQIAOVUOpNIJcbIZP5nI3eP7PeGQAnco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6f8OCLmy9vbdyuODEBvj/611Y2MwCgYIKoZIzj0EAwIDRwAwRAIg\nARAeJ7EI13A+RmQ7TF1cqbpcG8VeN+CMuAsP8NA1IBwCIFgrSomKYqRNsEnqg2m/\n5+IQD7PBCnbyhoYrWlRK+pLd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfF9fdGcDLE9079CH8otDfbcaqr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASigEQ14HuHwuoHFgeXfDxHmNz90Uyq+OutElWd\n54V8HP6xRydlNl7ZPIbUkDhHFRFg0nkvesJe/JMMdY9x5Xcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIrU0zPqVeM2kGcZEpWXwGWiC/YUwCgYIKoZIzj0EAwIDSQAwRgIh\nANYWNcv42Mu3hHD6Up5l2GLNuNxUBH9iM1sGHafd9tc/AiEAqYdJP1KyTumSDruI\n/mEC/pUtbqzxo1tKYf+cSjdFvpc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmTCCAT6gAwIBAgIUHOlcp3c5qoE2jqHqoVZsOakqrDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXegC+pt03DaeMrQJj1re0xnm101xLPXZelHhHNHV6Y\nMhun5nBXQCP9IL2gCc77wW+ejeKLblhR28gQm8Z1IaejZDBiMB0GA1UdDgQWBBTc\nKoh8I6/V5P3xueBjFPbj6MpFPDAfBgNVHSMEGDAWgBTp/w4IubL29t3K44MQG+P/\nrXVjYzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSQAwRgIhAPtwiA1ThWJEMvDhgT00ZnFv8fkVizsTZQBmBKsIRAAOAiEAlnv5\nfUExxVqdn+CyJ8RecYsGFTLwWOS4lWQotfpgprs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUSvZWM8y3EBtRydiOjErLo7J/YpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhuDwsoKcpAT6JjdbcUI/C2te4+AKr31UuPrEsaU3jf\nxgGc/N4wc9n/WOdxfRQ4GzAV5lFRwyFoHePDNi7ZTIWjZDBiMB0GA1UdDgQWBBSC\nExsxYRDEj1Nz/JMho7pdikP3jDAfBgNVHSMEGDAWgBQitTTM+pV4zaQZxkSlZfAZ\naIL9hTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgEqAadFHKGeIulQARE9B01oU/vVQC++7jUzft0XUN4ZoCIQCtfi6r\nfx699Bsj5Wv94vDVsfu3aFVvoFe+5PXnZ4vTEQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1862,10 +1841,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIWKYUjKhcGpkUp4Mvd5P4e46/a8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRbOWD0upt0Eh6o2/AS1DgVMLNS8CC9w+CMEFP\nECyku7TnekrwPvPdvDk8ztL/sp94ojI+KGikcoKWFVJaKA+bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXVy+Y1+SQ62gMObszgwdLVXeUsswCgYIKoZIzj0EAwIDSAAwRQIg\nZ7Al0uLLSPjF8NvYBP7GjDmz/ulT4lvS7VfrxsvbeoMCIQCB9i0SlmSNA29gMZBR\nWMirg5sEESn7ZtgX+wJcMMK1hQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT0jmyPMDPb/+s4MuKu8EV7XVvTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2ZqhSyxz9PV1KU+bWulsXOInD5G4OEbSKi4Zz\na1kSQ7FGcFpPfl3vGwfoitSKio95pxqixls+KgBLw4RaMdOuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/wSsSbbymoJMJYOd5yVz9GcOMOgwCgYIKoZIzj0EAwIDRwAwRAIg\nXdupys445JTk2rq1cjrAqr4+XVoNqZLHck2RzAnpZ1cCIAHlFeAW2BOd/3qXX73G\n+SvFzQGTa4RBZAoyTycaq6pv\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBKzCB0wIUGH0J3n6X+2QKfThfdm3W/cTruC0wCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMlw8OL8lcbzbS6u8eyPETNnMT4YBdieAD0oqpnDCZ7JjoKU/6zX\nk+hJMVzaB/RPxc5D8QiscSoBylmGe2ttSZQwCgYIKoZIzj0EAwIDRwAwRAIgWSWI\n+inzJFea65MuJrY+N/Rzb01OItvY8ma3iX82DQMCIHluVXYUwPlrrGzvDLDiTG58\nIt+dRiikpL/tP3Cc/91i\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIUDYxqo6Ak9by8t9vqq9DdQV84W3IwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMzJn7mtVV5UTn7LmrBJy5iNmEXOzcc/6B0sjgfMM/9FmVeYKcND\nG/BQdDpSGTqvP0krYDDh8Ro6HKEPtCe5+SswCgYIKoZIzj0EAwIDSAAwRQIgLUyq\n4KAlSDDLJ2ndIDZMEjZ2+S3+J8VDoli9ndue1i8CIQCFkMc5awr5VTtBX2g1dHnz\ni6UFyzWIwYr7QOS3SQdvhw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1885,10 +1864,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMVu2bT/jtUT2Md8TYr6IqpBSLsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxE+ZkqRK7KBGO0MhW8smATvZAPO5nTKrNj/Fn\nfOVZoeeZqiBJM+tW73na6f5tVCGE6zCUSobERU+S9Au1EaD6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUACmIRInz8AQdlTkUc19xWFftUlQwCgYIKoZIzj0EAwIDSAAwRQIg\nKGtYdTMrfLSzD7NRsqjSvecZgECUU1fPEk/L6CgqNW8CIQDy9uVsHUketoav4Acu\n3QxGP+ZoxAR+ZSl2//uYfhNIKg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBsA8hHkFjKgir9Be9rm+tgH0+DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1e17LH7jcChYw6woPXdhsj2NYcO58qK5JVIHO\nFyZ+zsHvVaK2wJeiWaj2Xt3irGYCmKS0P4mQy6mqNkFS9x7Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR5PpeUdNsBiftB0UCI57CrTfaXwwCgYIKoZIzj0EAwIDSAAwRQIg\nIN5LuWI8P0jlgN0sOLg7y+t5fU4A9AFW4danlURTtB0CIQCAwJPZjfdeH4O7lBl+\nzRQrG61oo1omq7tsJxT2mUMf6Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIURBBuUdvQUGeHRQAc5Rguz1AFkU0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJNxLGSfcO4ze5n4JWOPc0VPXD8Q0HN0wYls+BwDrVZz\nAuYAu7WMGDveOf8xAtmfnfH2I/Ktx7sumRihG3sbD5ajgYMwgYAwHQYDVR0OBBYE\nFEFp1TjXzW3C5oVP1KbuIoagHxyBMB8GA1UdIwQYMBaAFAApiESJ8/AEHZU5FHNf\ncVhX7VJUMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBSjZLJhd5J\n0infepAyZ/UliDsyL/CD10yaCVEh+Nwe3AIhAMXY6hwqLa9NHiNq/sJdjPjMTbwf\ndj+4V44MzZWUCTXm\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUdL05dRF1O1VndV7JQ3dMIRxchdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFF7ftRZgD3PTAWbTx+vbJ0QrHkL7ZbL1PZSMi8nbzaL\npEtVfZa+QWL4+tonSOy6S0NSLZ0PHqCXXzG4bKrMnUejgYMwgYAwHQYDVR0OBBYE\nFGYvDm9r3af4N2oP//1JK3luCsloMB8GA1UdIwQYMBaAFEeT6XlHTbAYn7QdFAiO\newq032l8MAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiX8FZe+p\noqIndhXRjnQflMf6WovMNLLamQWFARwl1XgCICHxNGY9DlIRLdJu/fCDCpxRVllp\nJarjvX31Lqsj1Z28\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1908,10 +1887,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFHBrdi+GX2QfzPbzbchNlLI/GeYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQuPzTtvKv0SDn/Hnz7MHb/Oa6xyEl4fCO4nAMM\nycGdDuifyPS9myXHcSQcr6W65qQxvcVDA5+Xo91vMnpzcMeMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJkyhb/TqB+v6+xu9qjQTO4/wdaowCgYIKoZIzj0EAwIDRwAwRAIg\nBT2Yis0sZoWSRCImCA2pqBoZHp743U9O6YsJ+qjLvZcCICbgXJdXvYfa4dMjFKBj\nOHO8M3uZkcY+IC7XYBKij1Wu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUar5DHt4vI4wFXbwwM8U7yAfNWI8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfHcV8yBNVijRteGYzIOrzKfeSDQqM15e7Eb/v\nTspXQaDtWDBfe2LU59ro4hYoPatydxI9ORRkp1fso/BHpyCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3HQLj/x4byn/cXNUxo/wqDRuSvUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOlE3ACcR3xpgHjz6AIH3hgs8SeptRNEFbwd53C5oT3AAiB5B7PQ96ycuKW0OZ/p\nUJqH2tyCVy+DZZXeY3jbJS4F2w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUZmC0cBCWNwVQ1h3BTC4QD+G+iWYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAFLVAM+W90YZpM1J5rnRxYsC6bxLFSXvbfcbSWrRHPR\n9ENKGCyyh/nMpbyZLwGqL2BFt8p0B8px9v+WD3nWqxujgY4wgYswHQYDVR0OBBYE\nFAuuROZD3YjP2vIvR8FzJCzmODPiMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUJkyhb/TqB+v6+xu9qjQTO4/wdaowCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIFw5BAjWlQw9Y++V6PvWcGQnSAhBHrA1m6Wp0/86tJg7AiBnK52OpJCCXUeM\nnsouRcHFmINKa0rltSIpjzBcI6NDcQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUHb33M7id875Kr/HaEYJcyGkKoIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNEtMUBB5Eds1jCR87yQmLA9enbz9ZqRhnBR+JrcQvQw\nop31lfxrfS93Gs8qIc1JyeJJ4BnHFmdMB64gUJEcHSKjgY4wgYswHQYDVR0OBBYE\nFFlYnoTIUVNis8Nu+67OdrGH8dpwMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU3HQLj/x4byn/cXNUxo/wqDRuSvUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDopT4N9AwUu9Zt7tif9ge67RYEOWx+UgmEM+u777ffRwIhAM4kOSi+DD5g\nodwWmS5Pxa20gb4oyMRS2vfNTLKR/Wt1\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 6d3714c22d37116245b30231e2d1ee784b6edfee Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 6 Nov 2023 13:39:03 +0100 Subject: [PATCH 054/155] vectors: bump limbo --- vectors/cryptography_vectors/x509/limbo.json | 403 ++++++++++--------- 1 file changed, 212 insertions(+), 191 deletions(-) diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 60d6248132ca..4e1e5505da85 100644 --- a/vectors/cryptography_vectors/x509/limbo.json 
+++ b/vectors/cryptography_vectors/x509/limbo.json 
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeDOfH6TQd6lrwbDqdm1gvWRDyjYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFoctIyWe6+s5WyDf3zRyHCrQpL3EzYUEvhFac\n7C2Ka4XWFZy+MtrZIL2nYhUs7h8p5SQAXiGskrX1M3bn0Ymzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUunJOY2B6qHcejeNU4g3aq9HV7KIwCgYIKoZIzj0EAwIDRwAwRAIg\nH1hBVCXT55J5czXAmnoVwcsM2UtGAkm9xDTKiJREYeQCIAu5q++8d7qQ+u04aIho\nl4e3/8cDfZFiKpxsWX4SWxFD\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaB3gtVyLYrd5t9jBlN05Cw+eAqwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJUqZTEMKi+WXbZJFK5Rs4hL2dG1L33qn3bTnf\nIilZjrr4uelN9WCsakklGzxBecBMnU9CDBQXfqnkzMRkHxwAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIgozv+z08jEJpoD6IEw+dl0K2zkwCgYIKoZIzj0EAwIDSAAwRQIg\nec8NqnrEZQ5iIwvXkq/9HxrTAQ88qoWwIrmcNHsaqhYCIQDvAuqKPFKW++y19kH1\nhNpW9pYZx+0QOREINhqN7JAxyA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUe7YRR2chSV2zaBz4hx3pG7mvsAYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODYyMzAwOTIxMjUyNzgxNDUyMDE0\nNTc1Njg0OTAzNTA4OTY0NTgyNDg3MzUyODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ8DrnsyiXqrM6AmyUx4qV4lyogiNSAa3GN3lzkdUSBEkJez32142GnaSL1FxcQr\nvdlFr2VNcqYuYQQnVKWJUVGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpyTmNg\neqh3Ho3jVOIN2qvR1eyiMB0GA1UdDgQWBBRHx94AaTGw9WYmsNA/olG1KI9M4zAK\nBggqhkjOPQQDAgNHADBEAiBW1Ysfoyc30OX10qgVOFqpQoEiiPBmfZV27q4Gr5Lz\nCgIgEUY0MqP8YkQ/5Q0+xQUEUSeJ+QlRjoz6Cu7t5/g2yqA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDYaVT/pIAlqPmrbNLSx57KQmbOgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1OTQ0MDEzMzY2NDI2MDY1MzI2NjQ1\nNzU2NzIyODIyNjE1MzU4MDEwOTc0NTQyNTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD6jTI52Rb4KUj1hggkA/WjGKVeIzlol47mFKiIF2lrDU4eA1tufQF/r5pqbWWoE\nMQyOT50sjaFEQAZJ0209PFujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCIKM7/s\n9PIxCaaA+iBMPnZdCts5MB0GA1UdDgQWBBTMF/Mj5GIYMe+zYsD/jCVTLCjCvTAK\nBggqhkjOPQQDAgNJADBGAiEA3QFB71LWsOp59t0TGVKcD3mfU6tCyspgYfW/neBT\nONkCIQDWKTiZZqYVyS+LHufWDYZVtqh+BoInrbPQEkdoXdW0og==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUA8n6iMCfjp80DCxbpdeOYFcQ9K8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjg2MjMwMDkyMTI1Mjc4MTQ1MjAxNDU3NTY4NDkwMzUwODk2\nNDU4MjQ4NzM1Mjg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/BeY\njjPekxZXDNM23xNWaGAe0hxgay2I086thMlHLlxWyp1e+KRXOQsGbNkbDro1Sm0T\nrcRRAbbyjgiJJqZUdaN8MHowHQYDVR0OBBYEFLKq8Ka8v2VIIaCvTZqmQAiRIa0v\nMB8GA1UdIwQYMBaAFEfH3gBpMbD1Ziaw0D+iUbUoj0zjMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAuo6Wrmfw8XZObLTNtRp5WXYsdF+sldBK43Y5oYaebocC\nIQCxBGBUUW8uufwN0uSL8dmaagKA5rFEM1BgLPUzQd4/0Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUDJm6FD/xItB9Q9HmOL9yvsZL0f4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTk0NDAxMzM2NjQyNjA2NTMyNjY0NTc1NjcyMjgyMjYxNTM1\nODAxMDk3NDU0MjUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWiS+\nCTJoPdBlMQPEkIhHqX7bFZpVcQ4/etxsBJupp9t+fUn6BlRYQ+/BTmRsaZTelxGg\neXqp9rQZHztnlAErZ6N8MHowHQYDVR0OBBYEFOLNKTWxfDEK8bCMO4i0w7wruDe2\nMB8GA1UdIwQYMBaAFMwX8yPkYhgx77NiwP+MJVMsKMK9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAhvP0qCg1YAFXlxynxbEC6X6dJ0qlL+x9oX/LOYCeRoMC\nIDcbds+yjScXpMua0vbsyjqEeFgsdMvxtQGEdwFuplRp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUD9A8eU5+Veqz8CPSFaEBTNwijccwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATTNPQfeZHFQ+Kb8Pe1Gj5jnWy7cImvRxFNj9Ty\nOn22nlNUU4yF+lOU3wELfQCryxD4lKADSWtJCvnIpG4J1RYYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQgSxyQhtslHtGl9IEmAVRAbAMAwCgYIKoZIzj0EAwIDSAAwRQIh\nAORPJFjtbmoVdjARJSLdRoggTBf+t22n+0qfCBSfj9W5AiBej0krYaG5d2JoWZqq\nvp09xvkH1rN9ncs2GmgaVefTvw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUayXFAXlWypOwdKJHJ1AZTMpqWqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6jaWJZxzBnSbTPb/h5lCToweGu99+/KzMMqWA\nWm7no1H2YV3GurtLzaq5KZ17c6n9B8bYIqPGnq7LVnLwx8cjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7qoThq1eZaj3bzuwxlyDuVlDMSMwCgYIKoZIzj0EAwIDSAAwRQIh\nAL5BZ3kdy42D4ahEZv6wlFAdFMK0jI7TV0CkmMMsyD09AiALFnFFTEgaIfnJyxlt\nmzmgW+193dCPG1t3j4W77LlTRw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUClFpbA+k+KwSlJagYKp6B0rudXcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC85MDI3ODY4NDU3OTMxMDAyMTIwMDU4\nMjc1NzI4MDQ0MTAwNjgyMDgwNTQ3OTg3OTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nDcAGLb1HrYj5r8wwOJBsyGa3ggMfFjWVlZ4h6M9rPbmdSoT+5R/Y4OO0fAImejUO\njZMKxuPM2DmqtWkgFV98/qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUYQgSxyQh\ntslHtGl9IEmAVRAbAMAwHQYDVR0OBBYEFCtq7TS9zrwwTXSLi98eAmMIGp8eMAoG\nCCqGSM49BAMCA0gAMEUCIQDIDL4EWi4xP09E2Q0vu0s+IxSDQLg3MOJ+yfRlrQ2d\n2QIgbPjOEZ9Tw7SZrGthqHFnaWneyBNJ44wPQKyJpuShKLA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUDHpAyApR3GpH54hp/xEDQ+Cu6cswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MTE3MDQzMDE2NzIzOTQ2MTk2MDY0\nMTAwNzEzNjMyOTk5Mjk4NjY2NTA2NzE3ODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIqWHXCLt6eMV8rvqMFWEPbuHJ+aJHLJlcg8QYbtjvx4ON6gXi5AU5yiI95x8TEg\nXYTlh4ICuPZkApvO7ool1sWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFO6qE4at\nXmWo9287sMZcg7lZQzEjMB0GA1UdDgQWBBTgcdYstKkjQDTsBVZcsQ0atMpx3TAK\nBggqhkjOPQQDAgNIADBFAiEA0h9ooaF0gUyOmRB92ygFBMlOXvWyWtoh/Fr79i7t\nqfACIA9kunTPcOPRyJDDhAbsP5882QzLkAF9lAvgnIcBlRvQ\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUColWjp9YKqsliG03fbjPWf6ovSkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvOTAyNzg2ODQ1NzkzMTAwMjEyMDA1ODI3NTcyODA0NDEwMDY4\nMjA4MDU0Nzk4NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWyx/2\nAtSYNoo2eBiJBwE8jPopJVlLJ7jdV/7orkkG1y0WLBoNDMI2UGeA3na86OIJfUMz\nE3ejIHgCku6SXWZTo3wwejAdBgNVHQ4EFgQU2OsnpCvdLMNO39qvL4JWQSAlfRAw\nHwYDVR0jBBgwFoAUK2rtNL3OvDBNdIuL3x4CYwganx4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIEu/gygHEfgs1y+3lD9j+CdY4qpjqOx41/FWQG2E7+4CAiEA\n8ggiNU1wCyBeE8H0YaELtA2+GKwjp8Ntdoc84PoK7us=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUBhzbiyuSfW/8BLm6+7Z7KmV2bk0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjExNzA0MzAxNjcyMzk0NjE5NjA2NDEwMDcxMzYzMjk5OTI5\nODY2NjUwNjcxNzg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETEm7\n9hTCYR5bQz1KzSMMBW9NJ0ah1GSdw7nWBYdAo2pWXE7O18BUd10D3jpqRctjt0WH\nFH3OmwecCVCO9QCCuqN8MHowHQYDVR0OBBYEFKcsjbZZssPTO3OlxQqJuBdAaB59\nMB8GA1UdIwQYMBaAFOBx1iy0qSNANOwFVlyxDRq0ynHdMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA0Qzj9DTQTwsiCj6QJLq0zWUWAVhuVWs8d1SrVP7WyDEC\nIQDJ64Wm7dZ5uQDRF5VpIvWPcZxSitS2RgKg8i7LgNxGdw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNMD8eU3r5hqvFAcUkaT70uFKZkowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSsLC8mZUoEGwgBxPaTvxqEe15ptGXaZstNXV6\nKEqwls3Cel0RMKkKKFUIGYeVmQgmLoemSokLZ2s4OzPh7d7Do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGKvf23q3fPCgK3gBQj/sglQsS9UwCgYIKoZIzj0EAwIDSAAwRQIh\nAJF7sm0XYXYPsf4RjLz0m26KHewiyjcE8DKtZSKYtjZnAiBMTmNQrISKmGgd2RyU\nt+Xq2lDsfMlFZdAhZbqWeVVMfA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSWNLRae2h4yfflSJ6ihzR4Zz7zAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZVTExkz6LFebQdFCcHBn5pOAjhshREHjoX39p\nhZElj89Ptld2eLRjf7gdRY7CqvwTtPxifFQrp1e+ER66hIcRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMJXOxwaCN7a1fJgb+2yQ8eoTVccwCgYIKoZIzj0EAwIDSAAwRQIg\nL6gG8p3vUBe96wNv72VumJo5K1LTmClYO1uinxN0tSACIQDi203/ggnKgChL35m8\nH/23fuFqxC1vJ12iZFng5TjNlg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUXlBUUinGoG7qPZCS1tA89/uDNcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDExNzEyNTY3MzQ3NTQxNDg0MjQ1\nMjY3Mjg0NzczMzY0Mzc5MTczMjIyMDg4NDIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOdBhjI7RdSSTCqgr8Bi2TGqsUkd7hUb6kXURsEyGkfeksValuVVavcoZSdnzOd9\nPudWZHy1dK2B61NUQXUbg0ejezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBir39t6\nt3zwoCt4AUI/7IJULEvVMB0GA1UdDgQWBBSxpvcwJ8hLNRuO1j5Kp153iPDVLjAK\nBggqhkjOPQQDAgNIADBFAiEA4cuBBRt3ninIrTlszg2uxJmW/GNqgO0/RuAy5Piq\nH0ICIEL9Ek4lNxuQF+FXtDOxMM/Dz0rjBfXl7OHMBuM6fsx+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUdveox5mQZp575EXU9bKL2w3d+wswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MTg5NzA2NTcxNjg2NTE4MzkxMTQy\nMTgzODk3NjcxMjQ4NjY4MzQ5NzE3NTAxOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDm0wpBrIcjG48ui69qch5l+0Uiih5GR1Q60BiOsOHvAwJvjy1OPSwXec+oT11TC\n9P1p2hD/XEzxLulILXlF2OajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDCVzscG\ngje2tXyYG/tskPHqE1XHMB0GA1UdDgQWBBQt9EhRfXzjzVa7o39HHGRHGMTaVzAK\nBggqhkjOPQQDAgNIADBFAiBEG13/SOlwi3kGhGHqU7dP3+8m6b2u+QBwzG3uz+os\n4wIhANl2uh273HuetjKw6aaDk8gh59dM1bo1wGOqiL29dO/r\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUCF/9A8GCqSG/43mNfBbhjmjnAbowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxMTcxMjU2NzM0NzU0MTQ4NDI0NTI2NzI4NDc3MzM2NDM3\nOTE3MzIyMjA4ODQyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8cmZ\nanI+5MIFen0rOyQOyUDHSwXTRdf6E2JUz7aRyP3zPdL1i1BdPXeFu/yM2VW5K0TO\nUoXoQZYyF2uQQEJlraN8MHowHQYDVR0OBBYEFHuzWTaOfjGVOMX2dVXxyQbWIYN0\nMB8GA1UdIwQYMBaAFLGm9zAnyEs1G47WPkqnXneI8NUuMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAFEMoX/70fG8WeCrxsf43JdbUaaTNPNuiCCUmU9WojYgIg\nWMZUpCFeTmTGtXf7/fC5UBYwzXRuawGMx1JZkVtWICU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUXJg9nLZmyoXk791pj20+HPOeU2kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE4OTcwNjU3MTY4NjUxODM5MTE0MjE4Mzg5NzY3MTI0ODY2\nODM0OTcxNzUwMTkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0diL\nnhrzHR6SezoWE3GscI6g4ZJ7CRCDfUC1y6298bk4vgreGnWB1kAzV+znQOGlj084\nznRw15Q7o14UaZgLFaN8MHowHQYDVR0OBBYEFIEqlFxYXB/AX+7nCqYgS+UhMwIP\nMB8GA1UdIwQYMBaAFC30SFF9fOPNVrujf0ccZEcYxNpXMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiB9fnMPCyP2l837xmAVUcz3UHhGHh+NGpWHriw7uhbuNgIh\nAK4egItCXPjgW952prJifYjQ5lzuSuQXAM9khvmby1Yn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH52oBPt5N+2xZ9WVNfa56DNbrRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASVDkXA+JqBEBJ0HsxisWoltw8PaUmT+wX0/wCN\nCPzoCHVPSQSggtx4KU3/eBE7UTJldW6Rhr87sHsaFrDftKPzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG0Gy6Kli3Pf+R2uEYQTQIEFLvwowCgYIKoZIzj0EAwIDSAAwRQIh\nAMK3scRFUaQttTf1MDXESgs2PAqLRgcTuiyxVf4ma0z5AiBs8ZiGrc8eV3QycSqI\nt0ryRHo9xJwDlawLaa9hGmO8zA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOdqOeDzPjQE9QdFVPebLFZ3FjeMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhM6m1PFRc8HUjkI8+iA0xVvTcQj2iFdLrlOIo\nvoHtT5xpRE6SJ7+jciQm4Ck3ixXOGl50LI1V+SHObYWBmPUYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeyP2gHzvV+Ts/yp2k5xosUoxTAUwCgYIKoZIzj0EAwIDSAAwRQIg\nazsytfT2Ts70B2UuTcWvya36F8hVzcnM7SYlV129WrACIQCFeeQsPkaNDr5GKfW9\n3Fu/jS7F203gphshDN1zFsz2kg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUO2Za463NQ/HSAagZQmLu4U9E878wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxODA0OTQ1Njc0NTExMzk5NjU3MTYw\nNDI3NDQzMjc4OTk3MzU3NTg4MTA2MjMyNTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJSjp/y2/6m66sMkth4FuZET3x+VzVAm3DmSQJG2FFq5ye++mik3ZDz1Io/WF6z2\nz2SlZb4GO6mnAokx96Dycj6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBtBsuip\nYtz3/kdrhGEE0CBBS78KMB0GA1UdDgQWBBQvGYH33Q094WtRLOQJ7LlpIW62ojAK\nBggqhkjOPQQDAgNHADBEAiAkcihlcjf6TW4BXFmhwBAs1sjsNBAn4zXJdTPUdEc7\n3wIgbWMfs93M++SqfNR6IIElsCh8Z+M5lmo8wvvZ9saAh7A=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCyeg+Zkrf5pB5qdJZi+5UmiYwr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMzAyODY0NDcyNDk1NTYyMTQzMDg1\nMzU1MTcyMzQxMzg0Nzc3NTExMTA1Njk0NDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDdyoBTsu7R+xxrtGw3m33YBEa6PcWZR2gea6MMh/RQo8jn719P92XVqQhIOS2ZR\nxZqJsqiFb1XEhrArwSiIH/+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHsj9oB8\n71fk7P8qdpOcaLFKMUwFMB0GA1UdDgQWBBRbB2ahT7V2aCbhOLQYlNntdvarCjAK\nBggqhkjOPQQDAgNIADBFAiEAodYTxHBN2eY8t0Cb/bDH8nqymhuiH7F1ydtJplEM\n+B0CIF2CtG9D6TxPL29c17rPXwaR3faCJx5mOuJ2O5VUlbX6\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUD96wVQvo2MsK5N0VvGaF//IqFRwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgwNDk0NTY3NDUxMTM5OTY1NzE2MDQyNzQ0MzI3ODk5NzM1\nNzU4ODEwNjIzMjU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTExMzA0OTA2OTcxMDA0NzE3MjYzNjA4NTQ3ODUzNjY4OTEwNzAz\nMTM1NjM1MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErMPSuxA3nKLwSwyBy4l1D/+4\nnfNTdFXropfJ2YGRdQamxWk8UnlJNhANjLTM1VdwhC5DMtKFTkkJ/525n65A0KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAULxmB990NPeFrUSzkCey5aSFutqIwHQYD\nVR0OBBYEFHz5Mmszc3jtYocxKB/64mUMLmhIMAoGCCqGSM49BAMCA0cAMEQCIEZY\ngKDE/gN5VG/KmQQSQ7skd1wKNqn/3ueEvsOIWnPHAiAqkhRBQhD1VM+wb/HF4Cfa\nhrQ/lQN14G/yApSzpWR+iQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUYR7rPyMfHzFJm37BoGjDZa2tQJUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzMwMjg2NDQ3MjQ5NTU2MjE0MzA4NTM1NTE3MjM0MTM4NDc3\nNzUxMTEwNTY5NDQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzYzNjgyNjUwNDQxNDYxMTE0MjI5Nzg2NTIzNTM5ODQ2OTA4NTc1NzM5\nMzMxMjYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATraf9ISPaqljvs7L9vsdPbRmTL\nnIBlgvHshe63+w0+tYGqzYCsUJUBkc9cbbLdjfYN1KKQn8iJ3xSu0taqzwA/o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRbB2ahT7V2aCbhOLQYlNntdvarCjAdBgNV\nHQ4EFgQUsXXjycNKgEdMXIowD1VdUXLbbd0wCgYIKoZIzj0EAwIDSAAwRQIgTN6g\nNz7rlFW14vb2KyxDwebCsacWM4HiqS2CxUFMSpMCIQDxfhIffle2NL8oPSY1b2N7\ndCIXWwP00pekfnHccdqtGw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHOgOT7CrTGnTllQNvQs1/yjuqacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwf3bNt9SV78TcEdFlTL2aY/DU7NCbzagTbfJJ\nVSeGZzR7hcl0JcP4NfU1P/BBn36ZWpWF1Cd0oc0qkleLxWKTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLl9gOpBReM9UkhjpC77xU3EBBQwCgYIKoZIzj0EAwIDSAAwRQIh\nANG4apbrPgi8g90thdZvf1olgDibxWfINrG5fFxoFPO6AiBWa/2i5FYPTrtracUD\nSg3uB8cI9FGvSI8eCquFa7PPUA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNZqgzYwN3RapiWXKGUS+93oHN/wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQ6UvAkZDjcMeSU1EjhGU+ejqmB5SigLhU/XeO\nGFfDiogqcBUUsWffQ7hS/bxncuuIfuf68Vt922N6KD/RoeHRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlg1NRbI3feJVx6wOoKRrwyjd1NswCgYIKoZIzj0EAwIDSAAwRQIh\nAPDZeEKO88tXEiB/2pRfb6035CUqN/yU3LtxHh5P4C3JAiAL138/n8+Wu/Kd3rPW\nUuX7gRyCblqCvwrxDh4suTjtkQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKHn4I7IY1oR0HzZXcy9Q44MPqIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjUwMjY3NjExNTgyNzAyMDI1MTM0\nODA2NDUxMTY1MDE2MDEyNTk1NTIxNTYwNzExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP5WtCIP7pSWFnUPQ1RMyFeCHbxWEq8E9ieoH5FKhx5fAQ30HVkWRcLEtABgmTF9\nGKwNyYxJDLzFzGwb7aCzfMajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBy5fYDq\nQUXjPVJIY6Qu+8VNxAQUMB0GA1UdDgQWBBT/PRRK5gRO8ri38K0PG2BHeFbCQTAK\nBggqhkjOPQQDAgNIADBFAiBJycwW9wxuF+X60QECdrRnkUPw56M1wsha8A4GOMY8\nUgIhANY7AiRY8vCI/y5FNyY/h21WknoWTBuzwLfHUMbFTHqZ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUOyuzm2KGuHjiEzYBb8l28LtABO4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1MDI2NzYxMTU4MjcwMjAyNTEzNDgwNjQ1MTE2NTAxNjAx\nMjU5NTUyMTU2MDcxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzMTA3OTYzNjk5NTUwMTI1NDQ0NzQ5NjY1MDAwOTA2NDA2OTkwMzM1\nNTQ1NTYyMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu5X0t0KSysSmh6j0Xo3+IUYZ\nauYlVCz+qwsmy5CqyOx78q99BvQLOx4hRKRjERz0onzIAlPIwhJAjLKfPbRG5KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/z0USuYETvK4t/CtDxtgR3hWwkEwHQYD\nVR0OBBYEFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAoGCCqGSM49BAMCA0gAMEUCIQDa\nEyOffyasA5OIPgAyEI8DfuMNaHtozZ9zVAWnRQb4yAIgJj8awEdUh/Y2W5RfC7J6\ns7bjnX2saYUyF0n7RD6bdcM=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAoZBn7ui9AiOmCY9BDBghmt9iJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMDYwMjQ4MzM1MjQwMzU0MTQ2NTcw\nNjE4MjM0MzU4NTExMzMyNjk5MTM4NDM3MDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIzL4t0Olpvm+zgWtAjfDpTeNo6AgdpWF5XGhHooWBAfJ8Dg2E5dm+Su5O5Vf1aG\nbulz/E479BZEQcdxZ5rAFLqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJYNTUWy\nN33iVcesDqCka8Mo3dTbMB0GA1UdDgQWBBTLXBVgBKDwxvTzOiOvGAT1zx4y0DAK\nBggqhkjOPQQDAgNHADBEAiBVxLxIOFVHOt1+ttYcuafgdMeBgvEMq40c+xOe54eh\nPgIgDLUDVxji64MmQGW5V0Qgw0X0zoV9/YgxTFCFX/VR00U=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIURAX1oRubZxfMEKcIZTub/+TH+qYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA2MDI0ODMzNTI0MDM1NDE0NjU3MDYxODIzNDM1ODUxMTMz\nMjY5OTEzODQzNzA4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzE0NDExOTk4MDUxMTQ0NDI0MjgzNDQxMTA1MzU5Mzg1MTAwNjA0MjI1\nMTk0MTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQq1BBBfnzrkb4gKE3tbM3cnTRf\nK3Zn3Xk54h33a2AYG3/y4kWH6wN26ofDCEBODvEJFkq6D6xBvLyu9Pw5zn0Ho3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTLXBVgBKDwxvTzOiOvGAT1zx4y0DAdBgNV\nHQ4EFgQUvVIWkTVyFIFc3jbBZJJgDKjd+iMwCgYIKoZIzj0EAwIDRwAwRAIgXO9J\nA/kY9gw5hVuns0KeqkaPmpPLd46Twyb4UkkYcScCICViQ5EKwX3ge0NHzey+jSTB\nBes+w01/CAHNEtfcFG6J\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUIwupQexDqdJvfuBFw7oVTJveQGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjMxMDc5NjM2OTk1NTAxMjU0NDQ3NDk2NjUwMDA5MDY0MDY5\nOTAzMzU1NDU1NjIxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWfXI\nOcC4w0U8m68y1tXJJBnk1pnyxGt/3jq+3ORz6GTEd9BsqE+wSdJbpSdDCgvS1F5R\nH5GsMdMxDAgMkPV4+aN8MHowHQYDVR0OBBYEFJOggKZ2aliGzDnPp51PjHtj4Y7q\nMB8GA1UdIwQYMBaAFJ5FrsDdGaAyAcdEhtNzpAtFTqlzMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAo1qMHU2jh+/i4prRsVQwRt4BVYlh1c8GdaUGIEhEmRUC\nIE1QfuqhqXxGTf72QkRW186//D3gqQwUwOo5bRBY9NB3\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUPreoZGPUmCBQZg8NdAhbTt1C0IgwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTQ0MTE5OTgwNTExNDQ0MjQyODM0NDExMDUzNTkzODUxMDA2\nMDQyMjUxOTQxMzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARODDN/\n6brnKtCEtum32ChlgTjn5fFC9luoEpD9eDI7t7bvIghoaGgZaZzB5dfX0vIH0YGV\nG3tUzCOPAWb8lmXVo3wwejAdBgNVHQ4EFgQUkxyhKs1493wCvmuWhJtIECtJaNMw\nHwYDVR0jBBgwFoAUvVIWkTVyFIFc3jbBZJJgDKjd+iMwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIG2atVxg3E+1kXESy3qs1nQ0JSklZHndTp0s6eoxMaMJAiEA\ntTkTvEy+jEqVV1bQZYfatL5gbl3bVIXqv209jHsfxF0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVyl1U6Myw90up4XuE0dfNu2iwRowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1rMqpXvpFXqPvocF5KdGnFIh9iriuG1mU+DVk\nctBKFE7cIm1w3Lfq9QLx9gChq5nxUnkrv4O0izZsiKZzRBoGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwPS758gTgwUXow5PRHmZ7kRDEdswCgYIKoZIzj0EAwIDSAAwRQIh\nAIgrc5l/Dkef9y6BHXRkN9lz3Q13iDNFcZr3oUyQYeJlAiBabxkJlKKkpWiWfbol\ngekgCAvHlHulayOkYUoqOi/tuA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOHR6StLF7ct4jLN/sztY8R247MYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoRZOVc+/hVYgu0S7UcUy8MCMAF+9af6pVCxo/\noF1OX9JkjmoXBOCscwkNUY+WR/NEMexfCVITq3RTKpdwOKc/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIvr2VtUECuIZkALH8nsohk1RbtkwCgYIKoZIzj0EAwIDRwAwRAIg\nR8Y98kzO0SBYK+3SyW4MOtaIpgM8gWUuaEDinBzJUTYCIHa/g8klmSbVAq71XhH2\nkjqzaFHdHowHrmOuRvaVCpT0\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW9D4QwIae4yEsn1WnPwamY6u0F4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTc2MDY3NDgyMTI2MzIwMTUyOTM0\nNDAwOTQxOTY5NDk0NjgxMDkzMzI0NjM4OTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBP0odA2GGEONW/eI5r5c/ZhCo9Xny4B0DjSgMiwuk+hE0w/D08qi7/pIoKqirTui\nRhseutrcWvC5kO4ZD61wk9+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMD0u+fI\nE4MFF6MOT0R5me5EQxHbMB0GA1UdDgQWBBSQIAjyqewu0SQ8pMfA9EuNEE1OoDAK\nBggqhkjOPQQDAgNJADBGAiEAraYJUH2OHjBXYLqnd1gfNIeiu6WXh68hbCrRGckL\n9sYCIQC0b7G8dUlGKcEgcs0KP1IpNhxu9HOilpdIzkOEfL/NOw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUMrhn/Sv3KDxDWBVbUwdgu22lDOwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3NjA2NzQ4MjEyNjMyMDE1MjkzNDQwMDk0MTk2OTQ5NDY4\nMTA5MzMyNDYzODk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDUyNDE3ODM0MTc5NDg4OTM4ODE0MTk4NDQ3NzQ1NTk3MjQ3ODIxODc0\nMDM1NTE2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx/wbQt/pO7R9LwvshPTWdUWv\ndCACgdoHynJVTkHmUKEZ7uKkW2bSXkfdGadEh81mAaZZdXoaz3ls0Jg9M1TJlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUkCAI8qnsLtEkPKTHwPRLjRBNTqAwHQYD\nVR0OBBYEFNXxyL5LVoEruuzzykoGDPHbpN3oMAoGCCqGSM49BAMCA0gAMEUCIQCG\nu1XCB2JCcIWZiFbtDgdZWGpIHWppk67STPlIJmgouwIgLd6/2BDmDLcmsquqnmE4\na5VUp8R0T/aavJ/cyt/xVnc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb+esFA3iqTmQ/KnRbURWocBr0JowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjIzMDEwMjI3NjkxMDg5NzcxODg2\nNzY0MzM1Mjg1MDQ3NzgzNTE4MjUxODU5OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPQ0gbiHkzTIcGePWSFlbUwB4c0rkdAm8nFJiub+MwZ1VJx2cO4IK5REFJwGgMJk\nGkx1PmmtwFOMYWVRbfTm9UWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCL69lbV\nBAriGZACx/J7KIZNUW7ZMB0GA1UdDgQWBBR/44I5XLiId2BMYaqN+1bI3CdplzAK\nBggqhkjOPQQDAgNIADBFAiEAr8EKkRGrp5jlc9Yx85dPPE1izfn9t8MtYeZpAfCT\nJZoCIH4Km3rSKJDvQ0AzPXPuUBmR2kHolXGfPlL3dsq3W1c5\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUfvohXNJDFQPKqFbCT+NUc3Jb8B0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIyMzAxMDIyNzY5MTA4OTc3MTg4Njc2NDMzNTI4NTA0Nzc4\nMzUxODI1MTg1OTkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYzODg2NDQzNzgzOTU5MTIxNzY0MDA5ODU2MDQzNTkyNTY3NjMxMTU5\nMzA3ODkzODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHkFcwz4koGLmKrkvwwByMAQT\nWbCcuEwAkNHb3Fis5SA681dzA93TFjKSRmdB0gcIUKkzpWq9iGN7qVpjE5h6IqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUf+OCOVy4iHdgTGGqjftWyNwnaZcwHQYD\nVR0OBBYEFA0fmtjTnxB9csx1+ZFCc4RdlO1BMAoGCCqGSM49BAMCA0gAMEUCIHWA\nU0Z4p+IVD9reYsMRCddgbzeGZe0Q2PspQLJqaB4jAiEA2oUgdLST3Oix4aYbqADM\n+wIavscj8CmhXdSbQ+NdSRs=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUZU3MSgUyYwM+Xg6w4KnBMWHNBD8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI0MTc4MzQxNzk0ODg5Mzg4MTQxOTg0NDc3NDU1OTcyNDc4\nMjE4NzQwMzU1MTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgzm\n15VRC45+GcDbYS/eI4Np//mH9J8kWTYJ/U+Mc1aMoupx/sEKPVtTDzCgf1tWY3Ja\nBT4GhOWZeYD9t7QCG6N8MHowHQYDVR0OBBYEFBzEQLOtyc+aypb5A5IOHKiwdOMn\nMB8GA1UdIwQYMBaAFNXxyL5LVoEruuzzykoGDPHbpN3oMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAymsn3vMuUYOCq7jIASlp3CWiYFb1/XpAlQA5Mbv3/JwIg\nfFUmHlQXQLUEk+K2w81159EHm/SNu97pHAYffEudeRw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUUH9INL2EtMsHrwkXsLBp/pJT8wwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4ODY0NDM3ODM5NTkxMjE3NjQwMDk4NTYwNDM1OTI1Njc2\nMzExNTkzMDc4OTM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElGch\nKXf1tbzl5MPiWShBlUgiJF2isP9KYiCe8Q+SIO9xoZbdlK1JGbgVXTHCGTCM34rQ\nf6hK2xodDa8FnKxkzKN8MHowHQYDVR0OBBYEFARL9wCvlCZRFCLjbV6iA+zkVVcq\nMB8GA1UdIwQYMBaAFA0fmtjTnxB9csx1+ZFCc4RdlO1BMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiB99VYw3FFAlfDCEFu3RLWyoSVr/FH56gawmch/bGXXpwIg\nUkyikEYTXKzkL6HXeHRSoFIhnXPwlsxPH8qHNExT2Fc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXf1lO893NfA0vWiRAQJtBApWGykwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0hBOOOv3U1NKMw0KS+LvX5+YqR6QNd7aVd/ZN\nYB8qHjRxmMmwWeYifjsQLoFTx6xNdU9whK/kRmcoBx9BZP5Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZTwaXJ4Y55BTTppyRzqa5WggBLswCgYIKoZIzj0EAwIDSQAwRgIh\nAIjHB0OWHC/o+pSsZinEWw2Mde8vw6BTJQDa9xAFOmn5AiEA9aSkwGjPBtsy0sZ+\nL4RIKBumt+8Mt8meBNMJLckQPrk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXK8evng2WA5nBOReYGQnWvd4r+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQZoPf4ighEnqpC9C15vIjDyyD0xbpOmpYxE0Kz\n3q6Kpoozun5lA5TYR0CmY1E1egnBHTQwrMSMl1SWx/H3i1GVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrWSeC7KaUlo/UhG7ihNuslktHuQwCgYIKoZIzj0EAwIDSAAwRQIg\nPjokj1CNl35CiRvxO71VkRD7vyludkYwfrkpmL0LgAcCIQDxGIh0Jm/lSjlawG95\nWP6/UKYOqUbq2KSJBp4jj0cMhg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUVJTbyxe5O4c7fnP+YlkmZoap2oEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MzY1ODcwNDg5MTUxNTMyNTE5ODEy\nMDQ5OTkxNDM1ODI0NjA2OTE0NzY3ODE4NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBORGW88mFHQ3f3+hC5qURNTyvVGF98XG+Q/vYkHW5WuIg6D0DBIM2DHA6EEApNFy\nZEfNjZJzvjst1vlFbU/aDUqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGU8Glye\nGOeQU06ackc6muVoIAS7MB0GA1UdDgQWBBRclgmXP1CI5uFts2MPsTfscCa8uTAK\nBggqhkjOPQQDAgNJADBGAiEAzRFh1pf41Q0j/7ce1NdsSBNy5HlLCtuuxd0rANcH\nNgwCIQDFzvvcyrTQ1+qZdGr9Wrr+VTEhdlJhCSojFDZJ1MUvqA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUKU+SKKvMTaZlK3zQGJMakn4d6eIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM2NTg3MDQ4OTE1MTUzMjUxOTgxMjA0OTk5MTQzNTgyNDYw\nNjkxNDc2NzgxODY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQ4Mjg3NDg4MTczODA1ODYxODkwMzMxODExNjc5ODE2MTA0MzYyNTY4\nNzUwNTUzNzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTlQghcAnW4TU0OOEfeY66o9\nNxScf+fy2JbWKOYKL+rCfupIeevge9e0fxh/H9W6TMHtDHbH2Jrw6czhyQMLlaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXJYJlz9QiObhbbNjD7E37HAmvLkwHQYD\nVR0OBBYEFDVrVdWwNcCt8DYuaX3CuJCqnYwDMAoGCCqGSM49BAMCA0kAMEYCIQDv\nRqo//ZzkEQ+iJe9T/x9zKFYPmBqQB6w5eXuxV2tAegIhAKqnnN3lwDuumwHBTv0g\niCL9tt8Lr+wzPQBhAfxzbPRU\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUGzMX9tZYF8qLvPxjZZlKFAFZfLIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDgyODc0ODgxNzM4MDU4NjE4OTAzMzE4MTE2Nzk4MTYxMDQz\nNjI1Njg3NTA1NTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIzNTg0MzExMjcwNzg2MDg0NDMyMjM3NTkwMzIyMTE3ODcxNTQ0OTE2\nNTk5ODU2MjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExsYohK7U1vSuDjWd0yzeDA+6\nWuUXv/7HjALSl+E0A3sgWJAv6pEhQvK6iPX/hbWAE+FqXS5TDARtYVSGXKu+4aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUNWtV1bA1wK3wNi5pfcK4kKqdjAMwHQYD\nVR0OBBYEFAc7mMNetCrIrLsrPs77H6ZxpKj9MAoGCCqGSM49BAMCA0gAMEUCIFJ5\nbFT2IGGLgbREtpe3lCZp257+X7vDQNIat8mqqV28AiEAzXnxGd0tCn0Jb3Euen3w\nyr6+SXOapmfnhm4oaYmWE30=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUAdGgttYBGwRl62W1uANuvcAJw4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MjkxMzI0NTk1MDc1NTMyOTI1ODI1\nOTg0OTYzNTU3NTg0NDY3NzE0OTE2MTQ3MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAa2oXrr83ApPEJOhnr+Y8Z1BWBohlMxfGPiBnAyTDR5/hOvVLScSNIkaocSzkVI\nV4WgapxiAOQzgzCz7nF7LWijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFK1knguy\nmlJaP1IRu4oTbrJZLR7kMB0GA1UdDgQWBBSnh0mJJcOkhoDHas47eEDfp3zY9TAK\nBggqhkjOPQQDAgNJADBGAiEAo7sft+N5ZbcoAwP3ofzONaAExoTUQnIMFp7+KULs\nw38CIQCgwMOH08I59LEhOKPyQNC83ci2T5uoewjVgZrFTjvYeg==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUbxBU9OOFvLY/c1zwL6PvYCMSw28wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI5MTMyNDU5NTA3NTUzMjkyNTgyNTk4NDk2MzU1NzU4NDQ2\nNzcxNDkxNjE0NzAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzEwMzgzODQ2Njk4OTE3MTMyMzc5NDIyOTYzMzA2NzgyNzg0NzE2MzMy\nOTc0OTc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBHHzZs/Xx1+Fa7nJN9oZ4O9WB\n+v/7Z3OqXp/NK6HEhoP0/BKxo2lbN3PgNZCaPOhtEGneezWt9JHgTl/Sum27o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSnh0mJJcOkhoDHas47eEDfp3zY9TAdBgNV\nHQ4EFgQU1vr0Q1aviuZ2xAlHkBmbZBqDsIUwCgYIKoZIzj0EAwIDSQAwRgIhAMav\nIgz9Zl30KqB9qdzq/RFT4Fen/PnTy1PaZ2p31Gm2AiEA+bl2uHPh5XUTp0nFnvfl\n+2ADuqE1lkf+n3ZfvRm4DAM=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUZUxQHygDY+QWxP2p8OHq0Y9PQUAwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTAzODM4NDY2OTg5MTcxMzIzNzk0MjI5NjMzMDY3ODI3ODQ3\nMTYzMzI5NzQ5NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNjM0MDYyMTg4MjQ3OTY3NjMxNzg3Mzc2MDYzNzA5MTc2ODE3MTU2MzM4\nNDAyMTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCM+/vNoc/TyVMYCRnX4gC+mwl\nzfNcO+U46a4mqVRfpuzhG9tNBGvTiMoSgG9wRC+m2yrqOgXZ6MmeTmSJHaLWo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTW+vRDVq+K5nbECUeQGZtkGoOwhTAdBgNV\nHQ4EFgQU7Zj3q624oyIQX5FCOkSZhvQRpwQwCgYIKoZIzj0EAwIDSAAwRQIhAMb8\nPQFiPun1b+AXwg4Mtlg1zdjLQrMaQoJj9nAfWwnzAiBEXni1CTmhTf9mGWZusaCN\n/0UAfFnEGRmC3mYFAjZezA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUQzwSULVMw1IkyBu9nMS+/dm+SBQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjM1ODQzMTEyNzA3ODYwODQ0MzIyMzc1OTAzMjIxMTc4NzE1\nNDQ5MTY1OTk4NTYyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDYW+\nK5omze/ZLH55gDnjmjaXpsZQmyDCNRrvk9djC9dlTUAb+nqwokxEKZlEMfkJRwVs\n4TB25lSdacToiMGpnqN8MHowHQYDVR0OBBYEFJyXJoNPZO1M6pHxRfo/wXrqdnBh\nMB8GA1UdIwQYMBaAFAc7mMNetCrIrLsrPs77H6ZxpKj9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA6vpEh7qqGiW995kHfYfi4Jut/jRcbojBLuCezYurCtQIh\nAP9q5oIgWVNt+ARbt0mgH9yZ23C7VMdQZzsXsBzerQ+N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUPQiZdcR6fw0/+pnupnzpdbJ82lgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM0MDYyMTg4MjQ3OTY3NjMxNzg3Mzc2MDYzNzA5MTc2ODE3\nMTU2MzM4NDAyMTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyTCi\nY/EgvI9Qp0ftNwb3ShYMsIDjXA2kkq0m9Yyicq7vax1YcyMM7RGHcg62ItfmFJ3B\nnHoG1PByOSFnCAsgR6N8MHowHQYDVR0OBBYEFLqese2XOTHImDUzQrIO95B1yds1\nMB8GA1UdIwQYMBaAFO2Y96utuKMiEF+RQjpEmYb0EacEMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAqFcWimrnPlInm/QEiOCrVLdLRF0glix0dFnk+nAjg1EC\nIHmQwQWNCFPgiGBDILmxU5OKENfZUhGJtSNs5yJL3hQb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSlT/EOI6Mg96fMfBq9fC2pQT1ycwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPq0oeww6p3Nwq81l5eHcqhKnzevYM8lDz3sEg\nlnxAsy9tsj/nd4xavDFS1clvfjfWvaN0u7gG1S5522a/mNr+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZzyqOorA2UmJ0P5Znbt52CQWQ+IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKO4EFbzGdRN+aiYYQNbcYEub++ry4l8pG6plUuiCa+gAiEA0kovVgVXRxyLhPev\np+5DdR2VEWERMRW0jnb3rrQOj7s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUITad1mwNCEPg0f352SSven8pNQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdl0R5AprqY5UFGv4o5Ojs04DY5ebuy2Cg6tpq\nJAKMoO2qlBFINleF30LQ5PITweqHA60RF32TNKQb1Umw1ASdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM9CS15TLbPJQd4Uhz0EKLRHliggwCgYIKoZIzj0EAwIDSQAwRgIh\nAIoYQYs2Mt0lU6FiQop1PRO9mIF7n8Mn2HzgoQLyhVqoAiEApuFRVvHKfeDwQgzU\nbtjEH4pdY1KVJV9H51pvSeo3G8I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOMY47r+XminfO+SH1Q9TxclftRAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MjQzNjA3OTkwMTU3Nzg4NjIzNDcw\nNDg2MDA2OTk4OTE5MDI3ODEwNTYwNzk2NTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNFTAS4rv91qu04F6cXMIqRb87MlXKZVQNufBa1gHOfhHAft+cM1tuPigb6s24dR\n0f3Tnq/KDsRBZMhStKNWZBSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGc8qjqK\nwNlJidD+WZ27edgkFkPiMB0GA1UdDgQWBBSnntPolmKPEaDOZIRcAuU+Tk9lxTAK\nBggqhkjOPQQDAgNHADBEAiBHLVjHQin4E5lbJDJfvriiwB73YJ5K0ueUSFEFVysV\nzQIgJ2GU1ncjqdRW5vuyPl3IhgWg26+68Jyj+aEUq3c77IU=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUbqjEgxGYY1N70QHuaDh6BA+yQdcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQyNDM2MDc5OTAxNTc3ODg2MjM0NzA0ODYwMDY5OTg5MTkwMjc4MTA1\nNjA3OTY1NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5spBjnPuLgVb7SLgz64mD9HH\nhpjF4uJJxgbtk2LvX+Gqw+Lzg+lghqshMTwOO5a47NFrw1PCi1XnUoq3JmbmX6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUp57T6JZijxGgzmSEXALlPk5PZcUwHQYD\nVR0OBBYEFHeGUMQqZ/28dbn+/tZ0MmQLAnUxMAoGCCqGSM49BAMCA0gAMEUCIQCR\nyAHKmoznsxq+CnSKmXyHkwbKz5gqtaXGdTawgUj3dgIgJutQdthLDBNZzScllv2t\nLnA0LHr52QoXHWuHkbWZb7Y=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUY0sxeexT2ypEQMNFWAjjT8O5wGUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI0MzYwNzk5MDE1Nzc4ODYyMzQ3MDQ4NjAwNjk5ODkxOTAy\nNzgxMDU2MDc5NjU1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDYzMTc1MjYyODU5MjM5NjMwMzYyODM1MzcyMzg3NjY5ODU2MTExMzM0\nMTcwNjcxMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMrvqALvaYZ6dXGsm8SMoR1KB\niI/SDPz62dEH/i244JV/H0g24ftHeUYrP1NpEWzLgZB65nXiHmLA3kJstqQ+96N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUd4ZQxCpn/bx1uf7+1nQyZAsCdTEwHQYD\nVR0OBBYEFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAoGCCqGSM49BAMCA0cAMEQCIGGu\nVMrfjH0JdhhJeb1iqv6FDA5Hz3vM4/ZdtK10GDrWAiAYVO4W7GWY0BRxI+HrRss6\nx35GMU/N7GP+2CzvKe4hKg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbRuBZBQj3ZYdDdpd+wsOyNw+2xAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxODk2MTQ2ODUyNzA4NDk0NTY0Mjk5\nNjU0Njk2MzQxODczNDQwNzAwMzc4MTI0OTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOZ/Jb/fRlmUylBPRDREzcN4V45GE3iWQlpO9Nb3DjIWBPawGlsat2ZfvF2u5zuq\naTsD7xd7fhw1CpG5y4wGMhyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDPQkteU\ny2zyUHeFIc9BCi0R5YoIMB0GA1UdDgQWBBS1hW8SXCSwpiiNoHE3gQ4BlUyy1TAK\nBggqhkjOPQQDAgNIADBFAiBTzWQMJC2jCo/eaweDfOauELRP9V47CMar/gNJ9q4P\nXQIhAO6pkgMLRAmhxRkv8y/spGtIZyD6wm0olyZLoLyI0WAQ\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUaYyY4Xx4bjzU3whuWz2EZyWVBBAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg5NjE0Njg1MjcwODQ5NDU2NDI5OTY1NDY5NjM0MTg3MzQ0\nMDcwMDM3ODEyNDkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4OTYxNDY4NTI3MDg0OTQ1NjQyOTk2NTQ2OTYzNDE4NzM0NDA3MDAz\nNzgxMjQ5MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGSj8I20PU8vR45Od8kgwyWL\n9l87n/Ec5RgY5YVzw6I2fEPEyX+MAM+gNtoCBqZNTcW3YBJoNw6qoBsDhDzyuKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtYVvElwksKYojaBxN4EOAZVMstUwHQYD\nVR0OBBYEFIV/fY1HeG0fUe1WtCWfNb8kxztiMAoGCCqGSM49BAMCA0cAMEQCIDcO\nlnrZH8OviHJ85q6RUCINF5fzql7cA0OB4vEWqGg3AiBhOhJyGxJxyCcxHlYALcfT\nKF8KlCApTOjFZrVyYXgLUw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIURfjbbbhyNDqm5W3POEEDKMjpu9QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg5NjE0Njg1MjcwODQ5NDU2NDI5OTY1NDY5NjM0MTg3MzQ0\nMDcwMDM3ODEyNDkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYwMjU3OTQ1MzA2MDc0MTIwNTAzNzkyMDAyNjI2ODYxOTg5NDM5OTAz\nMzQ3NjExMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/Lrv2ZZx8OUj3WfVHDbtbLx5\noR4iN/W8BRJG8wg04DB8a6W+6CblsrcLNcQbODVtVFNgLJCnPwi/8n9eY6BBVqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUhX99jUd4bR9R7Va0JZ81vyTHO2IwHQYD\nVR0OBBYEFPYmZ7H8Pf1ogtLVOWeecrQWeRSoMAoGCCqGSM49BAMCA0gAMEUCIBvC\nO1hnUWt9EcrliFOVpttGz0hx331BplHtqee/vnFDAiEAi6RAGxC3hz6R8kjz6KZB\nngp2OFdPBk5WYoATW9VPbuI=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZho6Xr5Pf+yKrXEHEja9J1rnNk4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMxNzUyNjI4NTkyMzk2MzAzNjI4MzUzNzIzODc2Njk4NTYx\nMTEzMzQxNzA2NzExMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkeDh\nrXLKovu0GzcJq16cPQjcNJ9kpeJTDzbxZ3sdDj2nPulhNXCqdWa0rOdHnA3M+z1L\nspjhEOL6H972MKiJXKN8MHowHQYDVR0OBBYEFJzIsTyY8rmw60piGaqV+DWshq5J\nMB8GA1UdIwQYMBaAFNrWFF/9lZ4CZ3A1/SHqOh8rAUVlMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA1nB9LAWZKDcsyau3xLIXJMCThtcNwTGFGao4ocmASGIC\nICw8RaUjijt47g61xYeOuqfGh0RMVAgxU2LrpI0vlt74\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUEcitn3p/cAhCqS98k9HHG6TxfrcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAyNTc5NDUzMDYwNzQxMjA1MDM3OTIwMDI2MjY4NjE5ODk0\nMzk5MDMzNDc2MTEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElQDz\n23bERVaNMcha+ZlYs9h1qlX4Pqya/hoTZp7DD1I7SP8HAubBArSHAY/ECsiJGnn+\n0jrBDZkYEMePoRxmhqN8MHowHQYDVR0OBBYEFEJHfAn2rQ8JyTU+4Z6d82EcnrLM\nMB8GA1UdIwQYMBaAFPYmZ7H8Pf1ogtLVOWeecrQWeRSoMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAWPTGAq+biQO3y5yE4pp5s+K+a+Pp7RKQkPV49yjiQIgIg\nf+K925Z/YEiMfNB5s0whpHvC5TU43YttLwi90uaW/wQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUeh7oeei8lfFL/5y6J574kuOYB6EwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuEZjj+jH4RJ\n0vQmO7958Ui0HNLz++1sUmLE1/uJKbZ+oYZkjG/2M2qk0QhbiZ0aRcblnSlv0Rf8\nh5Hl6NlZiKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFONz2cBYXp6+ZPsW8hIIXzd5HPke\nMAoGCCqGSM49BAMCA0gAMEUCIBuMccD8kiiXx2VShiM/mJAqhLImrP2gCcPXDat4\nBu4xAiEAzVfXSAyPFEu7ckXakI0EJPRSgG2ILEEUGvaih2M26Jo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUWBJGiE0pio9Q79Xrw42P/pqj1KUwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz9xOZT87zh0n\n62rjHBUs6xfhj5QhJom9MbIhxxTOco0REKqSy/HSGvCPinoNQzYbuh/vZM+7dGJZ\nrx9SIJ40U6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJMoMcOlb6eQ0ijUAZ/pfpwde5bk\nMAoGCCqGSM49BAMCA0kAMEYCIQDCeDF5uGzleaeeSNqGowOtG7+WN8goRUZRayWe\niKtWrwIhAKY2VpM9Zqko9IFolVFVTvuno2hFscFDQvuly6g5aSXd\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUbnBADWk2jlxXJvrhO4ubJwGfUrUwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABMSNt84+n59V6go70z+YuMlEmDFOs0xR1eFUd9j19HwFvaIi\nehRdmtT5HE+Zuf/2r3gzpIIg6Ns9rVqey3uy6gGjfDB6MB0GA1UdDgQWBBQgEXeg\n5xc0IrE9HlP9A5yZSTzYiTAfBgNVHSMEGDAWgBTjc9nAWF6evmT7FvISCF83eRz5\nHjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPc6bxeK5pI63fD2ej5DP+Vy\naux5eRLjki1Yd+3gKbw/AiB5Fhr3MSIq+ECvzOEvCeOn5UsOG/WMHrinLNeclqEF\nZQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUZcZISz4ninwlZjdcVBvZb+9wt9YwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABO9W6Pxqy+1BdCIBcPGlk+x/Z4y3iWCVhekCi7CODZS2uf5M\nP/Ty94ulILPN1nFKxVC0p4lrSL0HYGFznLKLUoijfDB6MB0GA1UdDgQWBBTmfoHo\nOVvOCoSahgzIZi5nkR9iGDAfBgNVHSMEGDAWgBSTKDHDpW+nkNIo1AGf6X6cHXuW\n5DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQFPIa96HoN0aSieolWeKJSE7\nbCatuyFJrH++WO9KA0ECIG/8Y3Gh1u+BHFfyM3E66RdmOlNcxXSgnc3rWPkZe6ec\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGxPsAAiRDw43OsppKw+mC3CJmvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Se2RXIP\nd1n0ProOyzpo+14Qx8ZnWolGoMmJoxQ06yBxcu0MXwt3YDmZD/FU21WMo5e7SYS9\nYVZnNk/gVREOf6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJi5WSufyY8ZxyAqxHKrs28+\ny5G4MAoGCCqGSM49BAMCA0gAMEUCIQD58otb0BXNlb1tebdj2kGr5woFH9ove4tY\nAbRXxBVkHwIgMdcc8/V5u6xUpty3TynHyECizZruWT5dRAFw4aJy8dE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUciql3EBNUBr/AZfh0rP04U2KttgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe4jYYxAo\nxRGcwqmGiaj3HVTDq60nXZpT50GOv6gP43aOoiWr86jzA/o3OaYc/sxLMNnJUC34\njwtXWY6VGDw0UKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJzxoTySuMOhoiHwVWck0qhb\nuw3BMAoGCCqGSM49BAMCA0gAMEUCIQC41L2xMBx70TUXffTlhJFajnBDKX0D0oB4\n3WxJC6voZAIgV39dwdgpbEFBFWVeTYFnWPoUcXYd+tjL2VFDDT03gko=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIUMoT/bEFSUls71Pn0m/VKzze9omgwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ78WO5K2JRVbm1\nCW2R/yOGVuYu6eDZIOV7tT8dF5+ylnzKFzpFFhuNI9eOEEPdSyvYvgX19HdyJYJA\n0XnJJZ8vo3wwejAdBgNVHQ4EFgQUDJceQpM236IIPSbhEQ7sFOAJqP0wHwYDVR0j\nBBgwFoAUmLlZK5/JjxnHICrEcquzbz7LkbgwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIHqWhdB/SDFMgXpsVFkXOUk2bQW8xWoaKsjSd8rljwbCAiEA8VOasyQP\nhfOBrvIDxdQk9HXZkLEt1qbJXPcwGkYHjG0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUQChzkNRuEEE4RzVUrhEm9QjavaAwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWFTM/uxHbnuai\ntuNPRR3AjpPFBZ7CbD1TtRBo+7dvMzION1n453WC1fSj1rabrpaRaeyn8zoVpHDW\nqkQGtTEGo3wwejAdBgNVHQ4EFgQUJysAITFPDSZET5bbe6Yv3g+bh/EwHwYDVR0j\nBBgwFoAUnPGhPJK4w6GiIfBVZyTSqFu7DcEwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIFnnvIkwi4yz7aCZZoEG5pq6YGRlZl/qmeQONAzlKjTjAiEA3GXL71Ql\nccw788AzUSlp6nx7yLys5jJt7frqcohIPCE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYvV+KHA0xXxu6E1T54fqmBSZGmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQr0Q5Pd/uePS2foFjdQcs/wAnWP5O+k5G1c2U\nFiQ4ggIz8d2jCRRhYKyHba3fOky85Ckg2zXn2S8m7PaMPbNTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULJZCtkNxfV3+2kfyRl19SOqS4XswCgYIKoZIzj0EAwIDSQAwRgIh\nAMMG75J/rdq7FH5xrDv9mn2S2x9uQEJm+9KkMOdx+luuAiEA76MJTYoePfYo8Ams\nNnRzju+LVSmN0e4ZKAXMQQ+YaM8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUCstrrODB93cBHDQjExvVavNkF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzir1oZOwVQ0ggPXjJrMdeE1IMBDObmX/Sy9Ue\nBZ2XkiRQAHgHV+KnJA23wKQv38OCPN1WvAkWRpUiSzWYy1Oio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8VYSGVu9SBJKR/YqqSupBBGGsFQwCgYIKoZIzj0EAwIDSQAwRgIh\nAJg5WkykUILS/sv5+KxPV2lr2TNkX0wd+7ksWXKgHtmuAiEAm9a7HYWtFSyXjE1x\ngOkUYkC7985HNG9NCA0nf1sIC+A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUcIOykTLhevd2z1rtWIStHfNVyJMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF6de5Xkgaj9wDbQ7b/MCsl+CO8UN4357l/zK9InVgkN\nQY9IgipKcea4dF0fKJ6ukaXvRq7XZwgqD8qZq5/vqj6jgZEwgY4wHQYDVR0OBBYE\nFFanwjEN6n0FOovP+QAcZGQjqiqmMB8GA1UdIwQYMBaAFCyWQrZDcX1d/tpH8kZd\nfUjqkuF7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQCcJNRqtpNCAYIc4NFLe9IHkTCabHRMocW8MHAY/rZEowIgBtdK+N1P\ng5t7srsdMdpY3G0xqzwI/VK7KcH9J3X5PvE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUMIEMUwOBsNdmpGNnqNFXJVLDXdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMxD9D5eAbgSy7rYZpnGIRogXUVqcioNb086JEDUS75+\nrmbZFR2DnOT6UhaGjPDYt6AKVdlij06tesaCvOi5oTSjgZEwgY4wHQYDVR0OBBYE\nFAohBsaTmoLo9rwWkB1A0LrZl6nVMB8GA1UdIwQYMBaAFPFWEhlbvUgSSkf2Kqkr\nqQQRhrBUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQDaSQMT3tVOYwYk4rJmuxRjFceSQKUAOt2v0vdF/wymXAIgQSYWSttE\nqCZI0SWnL1cKwepfG5VWVRBkQbULWQ8HeZE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUPePdIh1++CxbhUDZAOdlsjKsUnQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASFV4zcuHOVdMvrmYbIGtiJ0WndgrhtFfUNm84o\nreUOZYi7F1/Uc1TppyGwh+5HzF7XBdD0EzwOq1dgGkAQpZDbo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgzMkwsc6D6vq3/DIkOzlZkNx6PEwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAnBInHCmOVmHAa322WYvzuPQmu5K5nRrPMSah\n1/3buWECIQDG9E1wJj5IMorIZ20O6OaTILgVcsUc38fbjIX/CusH4g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUb45c4tS8lozl3YbNnaYULGpGwPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST/3cKSSI1WYF0E5D+dWUUwPwbras9/p6oH20Y\n4jDQxW3Aj5QvXxjwo9eASX90cjzmwToSbrEtx7lfSHPRXmbNo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+OYNAh4hPa3YD+SeMfULR6fhPxUwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAtMoZDm2jGFDMToIYF2TPCIlllRTS0HzFd85K\n5DeDsT0CIGwrWXBy8ehUjeg7hQi2EApt8MywssTvN36Kv+2/ynoj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX6lYytxllc2GjBjbcBn1RGvPbPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDF86vDuy9wngvTNht6LFfbnauEtmJZFV/OG/vtDw3f6\nsSFgqAKhjQgvzIqFo+DPbTKXYijK8Vj5FjoIiJjhsXCjfDB6MB0GA1UdDgQWBBSV\nDUUBklgfdKtOBdWE5Ksm3XQBizAfBgNVHSMEGDAWgBSDMyTCxzoPq+rf8MiQ7OVm\nQ3Ho8TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoQUvTJk+YAE1GbSRk7\nCoDfAtxvk8oj3PWFGfaFk0pYAiBPg37IRO967dJyqzhLTHnGcxzVHZ5FOmA22jRX\nwLwRtg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKFN47Qw51tu3mfjbsnVozk1W+KgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFJU7JggstECHjrYgfl2NvgyVypdgKj/XTHmFXDsb7M4\n3R2Azm6qLXF5GD273IiPfNVzkMPqAdh5u8eaULxubc2jfDB6MB0GA1UdDgQWBBSt\ndHYN7Ez1BSvqMr1w5ZvnJw3dijAfBgNVHSMEGDAWgBT45g0CHiE9rdgP5J4x9QtH\np+E/FTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgB7dWey+jzVNq1B2u3QTq\nJSPvMdiPzIV+KG0844V1WcECIQDsXbcXlPrIOXeM7xjQUwAyZZxISdFdYY6Qv63M\n+HUWnA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHQh9/o+XxBwaPl7Xa818SeO1FtIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDG1qGA0B5lJ7PCy+X460g0AF7F4OyXqoPkVWI\nsGoquQvDqoxbmJU7t/5HHyQGq5aQFBTDz8ORhtaV+YK85rvHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8gv8HwUQ6Z3VJMAd5e6fT8zL8b8wCgYIKoZIzj0EAwIDSAAwRQIg\nJY8siBSuuNC0P4G7h5lLbfTdTE9cnZbYwJYPoTh4gzgCIQDLcS6JEIJByjzk4+J0\nBNaDifvTxNy8YSZfNqe395L11g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOSiqR+8tkcieyA4SIQpwt5fRDAswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcLBarjilh7ItXynrI8mwzopO4x/rN4lYJe9AR\nm/WViZEoEymWmxEeCYQQTrr0+bp5wNyt2uuF/f/8pCtDtNi9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKMiHu9q0PTvgbQzK90crDOVWhTwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKL/kCTMshJTA8eBz2QSm3SWmTOeTHnhyWlkaUS0DMQ2AiBmAmzaHzgiuFtuwdxy\nlkJsw0eVWPTcs+KFDtecZ5qKmA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUSnruJRfuDB0ypRn+pi/e2FjD0SEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNjU3NTAxMTM5NzM4MDk4NzY5Mzg3\nNjg2MTIzNDMzMDYyMzM3ODk1ODE0MzI1MzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKNlRLgASFct/GMqhoY+l418JmugeJRxEIeNud360ZusqwRwBo3Gev7vovqiZ4h\nMPWx1wuzv+xWbitJ3qfgsr6jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU8gv8\nHwUQ6Z3VJMAd5e6fT8zL8b8wHQYDVR0OBBYEFP8uk8UsTOZUKDy4eq3GxFEqSXCi\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgHqYrcUpNRIHu\nHL8vn9GK5kKWOuC0fvFI4CwtcCiaTT4CIQCDCTnRiJBrVDy0uK6Gml05Zwpx68B4\nMzNOoQp0k84HWQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUdu43OJD0pzwtnLCXxDolckTJvSUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjYzMTkzMzczMTE0Nzg2Mjk2MzA5\nMDU5MzgxMDM1MjQ1NzQwNDc3NjM1MDAwNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMS+GVB+Tah7+Td3T8ltm3/JY9SZCFDZp7eSiAcxYXZCn3+iZdsNJjHcarvC9cY3\nWjtQ2Kr2713xVChTV66u4k+jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUKMiH\nu9q0PTvgbQzK90crDOVWhTwwHQYDVR0OBBYEFP8/kUI6cPgNqEPyvTVfVC907Hep\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgDWV/tG1h5eh8\niTNSWA0OH749OvLfZR5tilUdmK7caF0CIQCMhMmBnmNRcXWnteckaf0Yb90t+WVK\nbVfNbxG1eyoK1Q==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdazbHNWSTZycGqLPVVmT6tz8+qcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTY1NzUwMTEzOTczODA5ODc2OTM4NzY4NjEyMzQzMzA2MjMz\nNzg5NTgxNDMyNTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7UZx\nLQyV8b3udfh0ZcjmYaVxvpZOc9OKLKiWnM/Uua4oZK3qaCyCf6G6/20wpytLqeYZ\n8nO173iKSjFAOMX1xaN8MHowHQYDVR0OBBYEFKTVOVIgQStW6nP82Ft//gYGq3hY\nMB8GA1UdIwQYMBaAFP8uk8UsTOZUKDy4eq3GxFEqSXCiMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA4r1fAmmMxxBZC1SHZEPk1AftA57K0SfIjn8EapX8AIQIh\nAID44pfz9QTuduyfQMJEmnK/NLyGS/GYuowzv2nlu6CA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUM9LqBtssjrqfjq0Cu04jiXJzSh0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI2MzE5MzM3MzExNDc4NjI5NjMwOTA1OTM4MTAzNTI0NTc0\nMDQ3NzYzNTAwMDQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuu+V\nfZEfKY8PIFZ1J4+03RQyR7llC/5R9979PddBbBaDvNlXaIUT+dpMwd6J6jpOFXJ/\nR71vourUO7ea0ys/CqN8MHowHQYDVR0OBBYEFE3/eVLCvByL++hN/lBb5ALzDsXM\nMB8GA1UdIwQYMBaAFP8/kUI6cPgNqEPyvTVfVC907HepMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA6+G14GoLNU9UMr1m+cE5z9FFPaCxO+dOf8c6awbiGOEC\nICG+EkbgvPZR8aBf/MImma6GIpG9d+D6hXlR2ovhz0Nb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUT2+4tBpzchlbrFti0H2K6KUf+oAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW99woL5i9kq6uTkLow4giCO+aTQA1n8P3I7zl\n3H+21UQTVNfOPEr4dAXshWR8dQkmtBFy9XiucVb1ut61iqrMo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ/Y57vXFCQilDUuyPHMFiJg41kvTAdBgNVHQ4EFgQUP2Oe\n71xQkIpQ1LsjxzBYiYONZL0wCgYIKoZIzj0EAwIDSAAwRQIhANCeAUAAfo3bh967\nV8yHMbActi8xQFRJciACL+rrSchxAiA+tRzjfu6rMOvoMG3+oEqthe1rbJ2Ps2r1\nD//B9QRozA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUf8tpeGjSSGr30JwGX7BiLvcsehQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATj9si16kD8GXlrtidZPFn/mxqH+XC8VL5JImY/\nZnL7eB9D4sp24LiIqoWHT7X1KALvutTbj71M5ZBeBXnaa+ZBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBS6xbZU7fmyhHwNOAq/kHu5QO1KrjAdBgNVHQ4EFgQUusW2\nVO35soR8DTgKv5B7uUDtSq4wCgYIKoZIzj0EAwIDSQAwRgIhAIBIq5c+Bcy82s7H\nflewfhMtHMRDURnXwe8N52ej6lrCAiEAniqPDrlS75TrcWY41tpTrOqd17bw8/O2\nJZdIkkDtT1o=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDKSj3vmiXuWPGtrPFnmKQ0jAStEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHd2rzI1Qdb/2ll+PbsPeOp6Gdj6w/edo6Idl8XW/P2X\nFcZ7/IhFNkb+vegcXwCy9w22MTBegciC208IFvVh7n+jfDB6MB0GA1UdDgQWBBRS\nZU06n8S4iTG99T5nw4hZTkGqzTAfBgNVHSMEGDAWgBQ/Y57vXFCQilDUuyPHMFiJ\ng41kvTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPj1DmTdznncdKrZcnME\n3Wb2Gap+Odu11rjnbXORITDpAiAPccJK5wVsIJBTrm8licJb0BkyEgbJK3jBXFeK\nrELyBA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUL817Kob4lsLLa3QOlkogBFjx7vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC6ITmCX1ROysJcVo1Bc98dKX6CT3fPhmJmB4Q6/abE8\n8hfcxia51by2+vCU4iF0stp0wq5XENNnH26J8CM8LWyjfDB6MB0GA1UdDgQWBBT6\ncpvxSlx2Tu1PhJs0tHOxkkc5JTAfBgNVHSMEGDAWgBS6xbZU7fmyhHwNOAq/kHu5\nQO1KrjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgP0F/1GH/P2f9iHyhgwie\nvyhlDkFVBQT4iAadkY6fcIACIHdVhVnhg5lFAgYlpkHJ04Y+AIaVNEKDGMO405+0\n2/B5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGxvzpd1uXNukshMP8tB+wl/fY9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjyri71HeLPk+5LJRp8/cKkPSGkBHATeMGt9nq\nL2QAhNZxCNxdFblpVFrog1xFpD6PM0wtMuoXQiUXwjESGYXVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmRPdDjKJVbTfEXdnXHbe1vXQ9agwCgYIKoZIzj0EAwIDSAAwRQIh\nAJXHX7NWTLwhiGtePFCQIvDbInh8820TwfSwDewaeTqnAiA+zkFccf+s/Gc+Nm9x\nnO3bYBc4GHWji1o7magZAMMOzA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVBBHbfYRIuBiO3P6k703WGmfEbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWcfYPn+7TNYo7l52ccekSTuGibO2rT8veg9kK\no1JoWSlgqgyxZYOaxyfX8IQ+6JbujphDs7vn5pnKXfb7n+9vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQW4CTHMoawIRQkSGwPnTOfove70wCgYIKoZIzj0EAwIDSAAwRQIh\nANXxURjqs3QsHeJ+proS+6QFBjrNevLoRHpSORzNN0oHAiBpXvCT81nMBi8iCEOb\nOrfpDREQul+11QpM6r1KXlqEjw==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQiKFHJz5Vk/ZEf+42AZnYRq6mh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/5IU5Pd2u2Sp8tn6UikZQ8dvHWt3bBnAW1hNA5wJUR\n7BD+NT8KQEz6lmkELfgPYhVK2n7EcNKOWu7QOBpJH0OjfDB6MB0GA1UdDgQWBBQn\nMr2zik5lbLrLrFW6Orb+8hjs1DAfBgNVHSMEGDAWgBSZE90OMolVtN8Rd2dcdt7W\n9dD1qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO85K1sWbq8Fx++GjAio\nPkPOTij0d5XCH52stPfyYPEaAiBsqe62bOBGcTQKkUIKPyykmQPuOyEP69ZbRoWt\nxfKqQA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUUbJOoXIV952+ladlULP6yM0qPnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLwzW6zE7yd21eBZdMVYoOuErngZGGa4bAQjnxQGOEKd\n81TY6aXUZKtndncL06X8Yd2P79+5o/JbaY228CRac/ijfDB6MB0GA1UdDgQWBBSU\nJ9f5TMsvJgwSrjW6OHLHBqe4vjAfBgNVHSMEGDAWgBRBbgJMcyhrAhFCRIbA+dM5\n+i97vTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJRJXbzbBcc+VL/Li4UlG\nmPW2BRuFNB/ga/PvI8MypxoCIEMw0Nls3AebPxmZpaJE1zV4gGrHE8z72ybMinpd\nTOqV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUI+0+eM6z0489ByJe/iOdBC1dnuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNzU0ODkyODc3MTY0MjQ0NTc2NTE1\nNDk4OTI2ODc0NDM5NjU2MDYzNDEwNzEwMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPt+palKY1UXOrnc4cn3kqF1ooEsIgX01PIpMCcFXjvX32Yj3Zr4AmlfXpfw4jDz\nw4Ttrz93jhcpeKGO6TAFr3yjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSGQaPTL5wK\nhJIcrPJUfrcBxbfA1TAKBggqhkjOPQQDAgNIADBFAiBoBe0EG13ZcEzlZfeJFJej\nADrVybWurM1WjYmK9qMlGgIhAMw6984H12lPPlug0IqvlyVcXNcdByuRG/+BwU9I\nVTD6\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUMj2awifiI3kYxoRVJhN9Gw68AiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDI1MzcxMTA0OTAwODkyNDQxMTM4\nODYwNjc5MTE2NjUxNzcxNDUwMTk2NDQxMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCjLL2utxdwX6PXSI8F1Wk+2DOSv/PSwbbfp6NiWlZoN9D//yJYFdU0/6ExmGwOP\nykSSOfuu2WgLTk1s94wxLwSjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSMsVR9dCpW\nA0ZZ/QGc143xJl1zMjAKBggqhkjOPQQDAgNIADBFAiB4QXTh2jz8nKMcJWy8nFOP\n4VKr5bwpHaeHMUPYQWaw9AIhAMeK6zdr1dlmQksWastYtBsQnmNW7CgeRbH37hnv\nzqKC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMSdYAAyRI/OoNpQM1hSpF/EvaKMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc1NDg5Mjg3NzE2NDI0NDU3NjUxNTQ5ODkyNjg3NDQzOTY1\nNjA2MzQxMDcxMDI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOWVQ\nAQvJNuILrwFY9ArrrHV1tNCXpTNrpoLfcqqA5rjp/S3fo16dll4UmF6fFW8SoVfO\njGKjUhAohJB1tUofM6N8MHowHQYDVR0OBBYEFEuvjDY6gRQiyYx18TzbF1xZkNye\nMB8GA1UdIwQYMBaAFIZBo9MvnAqEkhys8lR+twHFt8DVMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlzzIG3Cha5+A2hx2do9ah+RzNhZltG6siwPKHuyPNmsC\nICsokkuSIMic5OIgcY6IsYAnVR8xNw3e5CDMp1qW/N2O\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMO0Y8pUb3hi+cIBAAnGDDoLL1oMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQyNTM3MTEwNDkwMDg5MjQ0MTEzODg2MDY3OTExNjY1MTc3\nMTQ1MDE5NjQ0MTI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4HdK\nzRCphYRBE9vKAsBxdQo5J/bCxgjHLOahn6IvbiE1XhH8WsLdSyMwfkdbecuXX9Bm\n7tGVOWHJSsMP4sN4UKN8MHowHQYDVR0OBBYEFI8Geyy0C3O41DUH1oAf0xCmntdh\nMB8GA1UdIwQYMBaAFIyxVH10KlYDRln9AZzXjfEmXXMyMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlSFN2Hbbo2YV5VxOIGqZ2HOqU8wvInseMWe7Ss8uegUC\nIGXjl1g3rv/bS5zENxSVbSt5WGY3kzFJ1BiUGzISThfv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUS7LkPVZRsJ2Z6Viq21FlwpNz1CUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1zFubCJ4LQAuAtbY4OIc5dIFAJl7V2gJEIn4J\nETXSM9on/0DMDknRecADiqrKAsPXUPXiFfszIJHt1LCaLhBoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUET5JS1C7AvH58BwtHebnVcVttAIwCgYIKoZIzj0EAwIDSQAwRgIh\nALAFlHuPMf4rA2N4se+CWSUHtlm66DueSBpQz4tMFpD2AiEAlRTzk41QXCc49+r4\nYK0+Up58qln03FKreXY2iwC7reg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYlBk+UeExvU3H4ttfG+HcqCfK1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNGkylDEvt3m4EuQNFDl0rLdEx0rif1AkEGT4I\nJVHqkCY13GA5/D7qEISyCgLpqkYMmknzby7MnrePiHg07tzro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy5XuSByRFp7xZRsIFP2SMic7dr4wCgYIKoZIzj0EAwIDSAAwRQIg\nIz1CW7cf7k3SoUV6m+ZLj1fUr0rSKYCwWWfj0ODljdkCIQCXuW90hWcq/MTS2jhW\nsj0YHZxdA5q7c/Vb9ohC0mreyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUYrwDwvK4S2l9nTIt/Pq/uXm6310wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0MzIxNjM3MjI5MzAyODEwMDQ2MjM3\nNDk5OTg2ODIwODgwODc5NjI5MTA5NzA5MTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOz/4IEcydmjjcl+AMc+NCLJewlXCGMAK+V4zC3hBH/rYZrEDzLgWiXc4KHQYH9v\nE+C5d8UUd3RSsqDvvn57oHOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTIWQVmAOxm\nzCBE2nNdRCrN9XyMtjAKBggqhkjOPQQDAgNHADBEAiAZkPuM5pUWAW6ZDCfPkoDn\n0v8pSkU0BlhXZldYbCzLEQIgZAskyzoGJS2qQKDAypAnGRXWl6l/l8g5uvWjVCSZ\nOpg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUTO2G2nE5gVeRwBJfrnJ/EpaCNyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NjEyNzM5NTEyMTA1ODU4Njg3OTU2\nMjk3OTYxNzQwNjkyMzQ0MzcyMTA0NTA3NjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMX97EJENbBLc9gTl2AU2rqRwgh4W4EFvY9gAsg+RoUXEcg+QbknpgUg6PwQwxx6\n90C4IJT+FGY3wN8cmn2vrO+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSmmGVzMz4s\nVu31HFiONfeWUFzX6TAKBggqhkjOPQQDAgNJADBGAiEAlNYuzIpjq3CICVKbIUJg\nHQBlBuOwjbRRKRUgTfBt91cCIQDqymDfgzVU8UoXMRkMIjnr0atWDnFtjarUZ2ki\ni7ts7A==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUPN84JqikijGo/0VvQb/FgOb6/ucwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDMyMTYzNzIyOTMwMjgxMDA0NjIzNzQ5OTk4NjgyMDg4MDg3\nOTYyOTEwOTcwOTE3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLM4\nGiGAssWcsBJAqSwjpwCw8d4vSD/t2cWAVl3Y1eDcesQJOjQ2Eldi1awCHa3vnTSu\nvd2/TKpKL4Qykc3b06N8MHowHQYDVR0OBBYEFEqEtUPa0vM1pKsqd6EOprNcEXfK\nMB8GA1UdIwQYMBaAFMhZBWYA7GbMIETac11EKs31fIy2MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAtzjD3bgfqmmfhzBr/7piF9fwjWak3zZ8K7pfEF0+5M8C\nIQDnq51P4vKRv6o3aEEViGsU3cNkjcU7A+aZltGlAkVLhA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUdaQc96eSDUAoH6oxLmkaFxOJuvQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTYxMjczOTUxMjEwNTg1ODY4Nzk1NjI5Nzk2MTc0MDY5MjM0\nNDM3MjEwNDUwNzY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEF04Y\n0umBjtOI1/BtpozepT+PfPmEsb5agpwk6X4Ah63CrhVuwNw+bqqs/PoEMEYf3fz8\nJQXhWr7/ka+Y0N3jsqN8MHowHQYDVR0OBBYEFKPE7s43m1DjDUm+K9gk1TAd2h5D\nMB8GA1UdIwQYMBaAFKaYZXMzPixW7fUcWI4195ZQXNfpMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBUQQc5IWF66IBryA15fzFTh125HatWsBnELkmUItm+SQIg\nfAAptFq9Sw5QHwDCKKh1CAUsI8tAYG/KQcQyQNhSgIM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaHtVaLyq4OXjnWZrmcn95rV7xtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR/V5wKCmbs8SsMgcyuiuSewPUYvNdwKExSTjpc\nR918gBIbQ7xJiy26motjLPGOg8Gptq7MYArJEPn+6utJ7dmco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhE5eEnxuRfOukEXS0/OvrrWk5L4wCgYIKoZIzj0EAwIDRwAwRAIg\nfFAFw0YuHsW3x1LEDf8+bcGBh7nhHvky94j4ctLqeGwCIDsVaJ/tPHfOUY6RU0gw\nqCWRSU4bQ759bvqh+5pjL4a4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKkty1fZTV7hHWJsHj7nz7hKiRAowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1c/F9tb+rpOnrERJqWMEupvV3Xtx3497LbtiV\nYeeBqLUQikNakolnf7b345IO6HfjeStAqLvQnRpaQ7z55pqfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqqWtyu3gwELynPH1cnFroc+p6W8wCgYIKoZIzj0EAwIDRwAwRAIg\nJ/zxDgvEyspANxA3asJIw3IjYZMk/zpmUsFRuTZGjwwCIFQnvG6BaGh1uP0TD+9L\nSE4G5R1Jr7Oq6+ND5HHq251m\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUabkV8PoIpn5fGjhWgh4+WuGQXO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG3IAddetBhQnSNepHYC/RIA3EzgQ5OwXfpENovMD1j+\nWva901eFhz/ly0zXwmx59kAiSDEuikdBhTP4tc3p8M6jWzBZMB0GA1UdDgQWBBRS\nlChXcN0uw6jZo68Dwvab0TQncDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMbLUtKZXSUTB1M10EzZHA1nVAfYWiBEyPaRkFAgEHcBAiBWKMPOTZs9mLBhpJyz\n5fjTv/Lp3wRrfRA+6uG2sXnpog==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNHe+VowPh4IDukWXmRrQGQ+NZS0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBOebpP4rrPqf6cnGTyKxGC2DWwrks5Dm5fkGsoWf/k2\nWB7BYYKHYLYGD7H3NI8AjPby04+ZdYLC5Jinye/P0lajWzBZMB0GA1UdDgQWBBQw\n/iU816hqw+QaQWHEQRtdWY/RojALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMvCm3wz7M6EZ9YV1sEj4Ik4q1MmBGH1OUBs8y0nf6iEAiAZvrEOY+xrWsLZtVBE\n0EfW/yvkdmqTfN/DC/zYsx0R7w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUUQiBu7VjCb7Vd0ip9acdZHPSQyIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARuKOQRuE6cCqjvarekOI6J3a2rwk3npZIENDd/\nMxyZdgOnYL/7qfjtegXip80gEwXaaNERdaosWQhAvNdv6HWco1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUkx0qQsdu1V+BtzWoeTpyInr5r2cwCgYIKoZIzj0EAwIDSAAw\nRQIgek7Ish5B1b+X/0ncGMFyWaK6lk9yeGYb5++rf0QapJwCIQCrpRdYJck2n6ro\nvIDDViABO650kKYxfIa+yRGd2yf+bg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUO8Xiw9AP4QrF7EUzCn5K7rk7lBQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiPDfyN74UnMTQi4JWxaRHUDUQSlYAY8Li/sxQ\nj+lQqHuRD09Ey/fi/fORgCYENwnOHbMLjpoKZ680MIK6/Q4Ao1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUPiFfnQeEtRfC/WMyrZswHFXUbykwCgYIKoZIzj0EAwIDSAAw\nRQIgIJrhDedHB7jEJQ7P2Ntb7+LkYpRHYsZP+xDbb0J2QAECIQCdvVSFVjLmZKqT\n1ApX3NNYtQKlOE+eTUTvhkqnc8stXA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUUT8m9vzouwYngxBhuw8z3uv13RowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN2a1CSHpxJ6aoLE0Hwv14Vhsa0TbzzZT+k6xrntVMbP\n9bHJlHMum19wQHye4MIiU67Hpb6kU+CpMvF+nHPtIo+jfDB6MB0GA1UdDgQWBBRg\nsSMwuS8hu8dNlEwSzg8RmODaoDAfBgNVHSMEGDAWgBRTEQRUeUJ5u6Qn6tLY8gIt\nEocjmTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJp22Huay9ofQbgbVrcn\n7Wa+E/eg61By3nRANhTtjpZhAiB8GlzlFcuUInPAcGmCOGmogdpd2U/UyO9fewaM\nh6L3fA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUMJt8a7pduajroujW7H15r7bAe3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCp9Pulo90D9NpKAonYa/JZFn3wu7x4/KhIJoc48lw99\nf36xP6k02/ejJ/UCkPGXAtiyuFv6VAizIzchuw5mKHGjfDB6MB0GA1UdDgQWBBQR\nJfwbs4gJ034jkvbSqLcKNs3f6DAfBgNVHSMEGDAWgBT412Y3DuzUDkgmZMPZCXjl\nluK6gDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJlVweSHukcOzc64Eh8c\nHmef3KUM3cdwQ2ZIzBSmoxR8AiEArbQQ1FDQWd++GtvLN5qUCAXEJATcUnXcbwTO\nWDd3QUw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUPf776Z/CFwARK77gSJPyB0DhJAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASr4QgU8v0AZRmX1cKPflxp2MoNik39C46bk9Ie\n6fC56Lj8JPtJ1qhcpqon85kI8P5bDCV3FIzcU8Y1F2A8HbA0ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAyEazV/ZBVaee49N8R4+SrqR4PVVTX65ewD2X40zv\nqpUCIHdm5QkvNJF+nXZNHjZJ5Xj2nFohZCgOLCSLbKoVEAtY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUA2+J0Ddrm8DEzseDvcksYA0Fbn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATa3gT7NvfkWXV8fgcAOMvMbBYVm9P4kW41J1+1\nN8e4tkV7IMRstSpz0qfXK06XgZ8z0M5QAHg434WL9P1IQxYsozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAIOrz2EQFCq3SrsPhmRtab0WGd+aYXFD3gX/kwo0J1\nRgIhANz1SQs7fUa8B1ND6lo0zTzKj3AyOIynO+Z+DseYtJ3Y\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUXPPEWXTD1z1KvBVpLvS4olfQHH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGm9jbB3e13Y59FjfkkJDcc33OtAJVzWB2NtDjsD3zzy\nM5qPjx8iYQY8YaiSEExGBYRqT9HM+YXMjIPCpTKVEQ6jfDB6MB0GA1UdDgQWBBSV\n0hhAPkb0Tmc/jk2gcGifo3w/+TAfBgNVHSMEGDAWgBT3PyUwcDGxrJTF4LyziGfZ\nC1ZOkDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN/CqwXpIIriXvbNOHBw\nMKA54eu500FsHoNX6gVFEmCDAiEAhgNh4HavtkUT67J1Ls7090d+k8r5MPomUzqh\nTrRaRyY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUBj1ntRYg1qpCUHAQAjtfKuYs+hUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDtpGwqDBDbKcm8Npi+8HiBS3JrtQ/mkq5IZZMyMCwo7\n5flVI/oIgChZbVGXF41wOvz9bgI8fN9zFSOUwIqrYhGjfDB6MB0GA1UdDgQWBBSH\nUomZjbNl42+cD/Q0VZihIcqNGzAfBgNVHSMEGDAWgBQ2lwD9c4pzo6n2u1iBYJwM\nfVHY4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKdq0o++46NI4O1pb4pT\n3kZKb2lCQLy8bDkBLXk/N+wiAiABzR4ekJP9sa9d6CIvVCPk5rxMOSW2UHif3P61\nEAe2aQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaddfGPDENHPnOK1p0KaMR2kE8oUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMlYLE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIg\nQDJHGMEX3zno48cT3K8vEouNQ17zGf3nhdEY8odYl+0CIQDjM+ej2UqyKcC5o8zi\nuchGOZUqoQTJ43oSIlS1TMeRTw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUenakj273C8IsHiNoepr4LyiM8gkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEo0YfrN1+mFuWXR0321pO9Zo9Gmb13SQe\nu5x4xH+FJf9YLzCeKscHsmVbh8pFNrAQKzsYqqplWFoDMNcb4dCAg6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHr3JIAzi2PZbeAIpWChaYLUXrOBMAoGCCqGSM49BAMCA0cA\nMEQCIAD99h0QoXj2g2sbzawicF+RXxl8+EJN5Pm302OKjblKAiA25fzpJdkm/2oP\nZwk1nX19jSKncz6W+/3SwTTa8Sxlsw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEScXlACDiNow8aIvJQ8uGHjVweowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTpYCJqFGZMigiE3yc9CbngxjHyN8Iijz62gG+\nBNgKgLJkkOngC6SZeSIx405ocuYVtuWX9DemTYvLxyjuizaFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUH4leLQGZxmlagymdKVtYQ5t+QAwCgYIKoZIzj0EAwIDSQAwRgIh\nAID0rXc5yiPDoJ+ponqB+pqEP3fD797YOpefsxmTBd0GAiEAr+SY4Q6FzTf2Le63\n7jiT6BRpjVYvhzCtyd0M6zCHgpc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUTYAPyag+1CFlWxio02SadwEXgPcwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYZ/x6n7kDW3G0Og/RbQPEccRLxVnQjm\n1ICfAXHp1cpL767sIPa5yaIUbwOJbGtxOlTaeNLZ/Da/UG85ErVV+aNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFNnidg+ivVoum2tEp13NCOFuuYL/MAoGCCqGSM49BAMCA0kA\nMEYCIQDGqd/+bLRqRa3ZE4E5EZEnuJS1ay20T2xI1BQp4zTvkQIhALu6Y+1sBPFf\nBoAZ45nEfBjYbBX6UHYIxv0XrF1hujp9\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPaYLwkAUvnwZ0pWtC0L1B/v3lRkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASldZvVysFsV9MFtBBn7jLeo2vgdzp3gfjOnUSH\nqvAoKF6uObzMCYiLzSx75OyJYbIZk7dBO4kVvS3HLZAb4/n/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBR69ySAM4tj2W3gCKVgoWmC1F6zgTAdBgNVHQ4EFgQUMlYL\nE9JUE+agK9JxVQ3+WknHrQ4wCgYIKoZIzj0EAwIDSAAwRQIgQticCATV4NOu0hF4\ncC8Epcy7ZkQel2ZSsNHBXsP8XtUCIQCa0mP95rWMEOl5VpSofoCaWHrJwVCojpO3\nIAepvtbQkw==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIejhU4zPA0VGWLGh0SpV51eNzYAwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTpYCJqFGZMigiE3yc9CbngxjHyN8Iijz62gG+\nBNgKgLJkkOngC6SZeSIx405ocuYVtuWX9DemTYvLxyjuizaFo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTZ4nYPor1aLptrRKddzQjhbrmC/zAdBgNVHQ4EFgQUUH4l\neLQGZxmlagymdKVtYQ5t+QAwCgYIKoZIzj0EAwIDSAAwRQIhAP9Mp9ukDztlFlzh\n1lJr/ZJtIVfjWnwVzXGMz1puHLYvAiA/fC24EZFelx6h3NR5l+a/hpI+jSBoJfkO\nvkD5sCNQAQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKfePJR6NwKoQeP29B5OdK4xOLG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPB5ZduIGvivUxB5KCC0pzSTpdLbulOzXPFoyVBNDhFt\nVsdzIF4zsYGTc/BkAeFHwlTgABZTc+w9V6dmXF4xyXSjfDB6MB0GA1UdDgQWBBT7\n95sCeBtZVuww5WYyfBIaRK3guDAfBgNVHSMEGDAWgBQyVgsT0lQT5qAr0nFVDf5a\nScetDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJXpmeSNkN6DzN2eEfbB\nckZGiY4vkYQT6MC5vuXannACAiAA05CSN468aU0H51u8L8+WHz0tLAIwc0MMHU+K\nyQACUw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUVGag+JRJShJa1OhGwHqtBTGeACkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAP6OPkXknQSGiKpO6z59+xLbwWb8ZZ4Uel3VkuXcaVl\n6yASTRmtusoK/XQpn4DwHNQ1quxs35hScAUimmNjxPijfDB6MB0GA1UdDgQWBBRX\nDURFQG2YDIzvRFPdTm8JedlQCTAfBgNVHSMEGDAWgBRQfiV4tAZnGaVqDKZ0pW1h\nDm35ADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEQ/TA5NgqbsMCem8BbJa\nt/mwFLqg0zFdKW8Y3XqzNGQCIBv7Yn6AwID/O4F513i1KFV124HErVXZeP1MMkWh\nA44L\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUTKoE8ibggclHVzvJvDZ1kNLTIBMwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPRFcn6Fygyj\nRqnSEKxovYdx1TDXsvcXeXjH3w7ZHldBqGwPXU8GCzOBb1U2D2Pq0yDp9FBI6FVO\nFFT8GzQbp52jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSibqNKswPa3Vws9SwQUmzqYX+7\nSzAKBggqhkjOPQQDAgNHADBEAiAidqujuzhv//aK8gUYolJT4hZhEmDOBap8O1Ui\nmg68egIgGQ9PUUr7S99D3s8LC/QVsLBfxivWpddsOCrkaJq4FFs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUa5Sf8HO6ZCWLcDvrH64ms7BUCCUwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEdCVKcg/0Ev\nmGZWYFtpTG5W0OfyYzmvN/1pVTf0QbQI6XFizaEL4xasjP9/CAFWUgA39esJKWh/\nhgNh0NJZBl6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBS3nO2xL/m4zWvP7aZPl5jidPvy\nZDAKBggqhkjOPQQDAgNIADBFAiEAmdKbHsnCX46NlMXVVRRE7qzocgU84dT0rn37\nOvBXwRkCIF1CaiIhItmmTDc0F91ID/2J+5syH5NoWTEop7gNZDv7\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURMplJoxJYX+9CQM7e4cYqd5Do78wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBJKKPmql2B1CeD4kNRQDQTZkz7V8Ll1W9t5WS\nhk6rxjkDS1gFEMmIJQ4CPpGp5Blk+b6QhN1w72+c4Y2nBEcho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYnpQR+eUenPNOeq108E6zmfbMsowCgYIKoZIzj0EAwIDSAAwRQIh\nAOpyDLh230ebeig6vcEhfDG4d63a4QKvNK9WF7YtlDZNAiBDUG85RXyKrtvWeRaE\nIxexabXBMOFErOvdk1inf4pP7Q==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUeGEDsnn9v+mYufNc/f0VTC4B0iEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTI3MjQ5MzQ0MDQyMDYyNTg4OTc3\nODk5NDAwMDM0MDk0MDUxNzY4NTQwNjIwMTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAPTqCjhXggIN1eU6tHJr6Ex+ofQSFY/5ltoh3jxComdFDTPLD2E6swtl9/osEb4\nXZEXniVrXvyIxvAjzniyFWCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGJ6UEfn\nlHpzzTnqtdPBOs5n2zLKMB0GA1UdDgQWBBQxZLapl+W1VUpQ9xJb8cETEw6EpjAK\nBggqhkjOPQQDAgNIADBFAiBHe65VBpWkngvAYKGBmPkalQ2b3AAreCe3KWG3z9V1\nxAIhAMBCngJ+0zeUeyn6aDP/O1cc2m8RXRHCipmiIhQoHAYM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOx/xTyUtrQ/vNO9u9FaOOfKhJcIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASddUeZWibihTVeaK8HCEz2m9SsuYJ8vPGp33NE\n74pkvzxYZQ97AWaAM8qndYf2NjqDBJI3YcdXxnD6+y+eHH+po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfcMUt91FQ1f8ktndA8o4s0mChG8wCgYIKoZIzj0EAwIDRwAwRAIg\nOrqaMphg3AoUiW6DeryuA/3dDuGI77pCEK25NCGr/xACIGzC6bs5QLzFQcNdEpBx\nA0OKEs4V35uxQ3wO2vBKHvV3\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUMrJ84RJc070/LCB3BSQGdAht5OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMzc1NDI3OTk1NzIzOTYxMjE1NDI3\nMTQyODIxOTg4MzkyOTE0ODU0NDYyODQ3MzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNneYg8WTiU6m45ZTUgNgtyr7mH27sp/Ft9/FBtaO4dxarxjfGtkXblqICJAGp7e\nmEZWHCERrKRSXoZ0V6aGC9CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH3DFLfd\nRUNX/JLZ3QPKOLNJgoRvMB0GA1UdDgQWBBR+3KWcD07LHjy4Qf15V7QhXv99GDAK\nBggqhkjOPQQDAgNJADBGAiEA2ti8bcco6qpo2HBFeptE6+BVW7jXzxEmrUE6yoId\nxxkCIQDTyktYbJ248t4T5S0fpHG1PLfCitq2ylWAB9DFCqbZHw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUT5TbDXCIQ46Oe41Rg9wGCXjBYcowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyNzI0OTM0NDA0MjA2MjU4ODk3Nzg5OTQwMDAzNDA5NDA1\nMTc2ODU0MDYyMDE1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWJjO\nn/m6Xh5UCaUIIAdifpcrZyCx2mqvfJCC49cIz/TPx4BOW5SzgPqx04PtV3cHlpx9\nOJ0a+NRQV6oOsM4B4aN8MHowHQYDVR0OBBYEFIIxzlJoW0Ud5opfIDbIicXR7U80\nMB8GA1UdIwQYMBaAFDFktqmX5bVVSlD3ElvxwRMTDoSmMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAg7KO3wYL40dAl2CWhvoHgAC8oK7XqKcN/KeNioHwi2oC\nIQCQkk3nf9bZl/vniKEnaD8ytgO3YXw8QOq25/RJJyK/kg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUFmmTOOhqu0TNN72gSerHtYvR/BAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzM3NTQyNzk5NTcyMzk2MTIxNTQyNzE0MjgyMTk4ODM5Mjkx\nNDg1NDQ2Mjg0NzM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOyec\nipJTn+L7Z/2AJRdy8JRQdWU1YH1nQkOuS57zpoDrLyxMYaFbl/2d5r5IOn2kyZbN\ntxYnud9Be/KzaXT6f6N8MHowHQYDVR0OBBYEFAciN+jH/E3eJHvDBICkP4yMWsvj\nMB8GA1UdIwQYMBaAFH7cpZwPTssePLhB/XlXtCFe/30YMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA9rfvDOvKzkfXqc6mqIDy2DVTSW4RFyN2SRRdne7fIBMC\nIQDdqM3Il2N+GtFooJ9ne9bxZmF2K2Y6djdqmtZokvvocw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGAVUoY0c22m9MsXQleEVXRz9zK8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLbkHdbN+QOdTbgQFAGR8Dc24lKUquKWBsnTSf\nCNQJ2zOkg+Lh7bCl/lZiuK14uh5G7JD69hrc+HBaXE3MLzzNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCc1oByTavztrd+lqecBvNNm95nIwCgYIKoZIzj0EAwIDSAAwRQIg\nGEBWRktMBOi+QVtZF7eenxnF4eA/7JadqlvP5alohT8CIQDt7IUwn3SZdg4+iWDZ\nFibJ8f8hxOPtPhvZXpXJi8B41w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSuJgE5vjK3hRI8g1tkuNVHqztk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQmbf2Mhfe+nDNUWo3j/X/rPXdiF+7MlThRdfQg\nl9neqxyOmYUzeq+JSwgWEMsvufkVhUvkzjo+tqsKeVBzv+wpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU94Yr1o340oPTM1xJ/0PA/08YNF8wCgYIKoZIzj0EAwIDSQAwRgIh\nAKeO/c+uP7Uq2FuaMTt76DzZeIkFBEgZgPgg4lqd9uVqAiEA/LZfJ08r5enX8SlQ\nsk5IaO6xVFeesBuZcq7+ApS0BE4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUOCHEjYDiubR/V7KrtvTObxcd2BYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAxMzcxMzQ2NTQ2MzA4MTUxMjU3NzIw\nNDA0ODk5MzcxMzM1MDQyOTU5NTQ0MDI0NzkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABBvDucVWAw8bIT/O0W0q6/dDetPxWhPykHES5YAyLndbHmncd3XOMdadTnXz\nsGqMN9Ph7PPMTJVlbRgxOiFY4v+jdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFAnNaAck2r87\na3fpannAbzTZveZyMB0GA1UdDgQWBBRxi303P3orJBG8SmEY3FXBHq61DjAKBggq\nhkjOPQQDAgNIADBFAiAGqi/vFSmQ9TFcOkkkY/rrU+b8WPqWAUsPb2n7zD9p9AIh\nAL3j3hLporCETLPqdOxWu/cQHqThssEbXvaUA+yOWCDN\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZI1UxY6TYImvXGHSyiX82KRQWL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA0Mjc1MTM2NTQ5MDc4NTYzMzg1MTQ0\nMDE5Njk1NTM3NzkzNTI5MzE2NzM1NTI0NjIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOmmIKKsVGp6HDyUVFWJStFGt4Qx6To0H3Pm8WCxdLqfEhRml86BqhurwTP1\nFfIq7QoFHrrAkk8a32tARzqJ6pSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPeGK9aN+NKD\n0zNcSf9DwP9PGDRfMB0GA1UdDgQWBBRQuUieisjt5wmUGHH1t1ANhBfUkDAKBggq\nhkjOPQQDAgNIADBFAiAaiXZTRERFQZbCIw6J7ZYloYV5U13SFOU2o9VHo5mgcAIh\nAMeLcLU1mrgW4mS622ZdLbzDHoSM262pOUG0ed0vxjLw\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUWq5oKq3UMCLoTIyqj7PE1YsY2AAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTM3MTM0NjU0NjMwODE1MTI1NzcyMDQwNDg5OTM3MTMzNTA0\nMjk1OTU0NDAyNDc5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nqOTZAKnRDNovoCRaSt1MtKXEG3gnjVrci32vQUUYK7FlsthmyxAQ9ROGAWJE7XOL\n5GgPKDQkSO4Xiz5FuNKCX6N8MHowHQYDVR0OBBYEFEv3gT+mklzjNJqmxTgbuNyf\nbX/mMB8GA1UdIwQYMBaAFHGLfTc/eiskEbxKYRjcVcEerrUOMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEAwIiX8A1Bl98ZiTUE2bp4oA9IbzBMSwqwOnkKSawP\nRrgCIACXXIyeuF9TnwTrvnqU2bvPRoqZiOv+9B0/8WbrXoRK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUF0ReyWii491y6zMDFWpmlb+Z3CkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDI3NTEzNjU0OTA3ODU2MzM4NTE0NDAxOTY5NTUzNzc5MzUy\nOTMxNjczNTUyNDYyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n+au1Dc0n+wArBW+Dsd4JMGTVVeIZjNVONDSDlF7j0/6j7pPaOJ8l0JQ7ihzUP3/1\nHKXgr+BirZPdlVGXxSya9aN8MHowHQYDVR0OBBYEFPxrQrHYyiHDQXsjHDCM0zye\nn+jFMB8GA1UdIwQYMBaAFFC5SJ6KyO3nCZQYcfW3UA2EF9SQMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBcUqrAO0qvcJsd+a2li4B8gGDN6yG4C0xgpu+lkbCC\nJwIgJy5hPbprfn3o2hRuJ9VWqob2+Wrs2Xha8EmB0sIp0Rg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXbE+qWs3VS/y+EM3sesQQYLFx+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFW+x/GDJs2WYWNyy7Tbl7VBmlPRkJpt3+JWrm\nb2y2F6eV3kVJiXIWiNDtoG3mXnhOPK6EjnnpITICs+awhcY7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+l5llhIbczmII4gr6qfSKYB2itcwCgYIKoZIzj0EAwIDSAAwRQIg\nR64Yqs77AStArBvuA7g9AhV91Pu+j7QATjC6TJPsYZICIQDd3KvPbSfVEPBXkgIG\nqKcNtHYlWLjokxB5Qhg8FT4JYg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFQJXl1Vd2fKXeodGRlZ5T6/3MNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9BNd1YHke3V/ZY9zeKeRwo+jfltD7KtIdsGL+\nmXbf5REP/InD6ul7Dc8eYGl9TgGrW2XpmBZG8S10w613it6yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5wypRBoMBr6atOxqfb9o/++ibuswCgYIKoZIzj0EAwIDSQAwRgIh\nAKsAJVpvzBM3uADWO2HEdhElZx9/d/Wfuc9TUqW0ojlNAiEAu+ekdr9hydG4g/QA\nR5uhSPXeAwpQoLL3PlhfFo4thTo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFcFMO5LYAB7uRw33q+5pvc6PmLQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTM0ODg4ODMyMTk4NzE5NDc0NTAzNTY3NDg0NjUwMjEwNzY4\nNTAwNjIxMTY2NTY3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\npOKvkXzmaWEJ8YjTobBOLlr+h6pRPgS2FDSgoeZVs7MgBOr8c6ZFJFoWweFQDW19\nJ7el5vqCDRkU+iYKPOUBoqN8MHowHQYDVR0OBBYEFCmyKN7NBFMAFIlKldJ73SjL\nDnzWMB8GA1UdIwQYMBaAFIJEPK9CLN0OuhDFxhdbsxgkug1MMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA6iS0c4RaU1/l4ld+KziMp5yJWZj7L40ctQJVbRxi\nTJICIQDR3FkeI09GacsO8Inozyp/nApHi+AGLYko8M++72DwcA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUbsdRtHXV55XjLhoAV6QRCKcmDhQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTE5OTQxMDM3OTQyNjgyODQzMjEwODg2NjA1Mzk4Njg1Njk1\nNzAzNzIyMTc2NzMwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9vRcpZnCdMRPBDUxWIjjQcJDexAzJ00oOw9g+vun4Qedb8JVfTUwmXHfJFpxCtYF\nZyx+9hnWVEcW4lVQ7uLHXaN8MHowHQYDVR0OBBYEFC6j/9/kS5Jmq79jrcNyA2gS\nW5BsMB8GA1UdIwQYMBaAFNcDi5LIG23k4OsiOfakKT8Gzzj4MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAaZe6culr43vm2e+XJauJhGhGKe5Rv3bNle08bfEwV\ndgIgVBeHWlVUahJU3h+N3F4Z5lJwzXWfx2feza44EB2bzM8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUeOcc9Goc0HxMM6uwGN68ERuKbygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXB9MdVcWt1ii752rKBhhJorDDCArjw7wfReSU\nQJ7xZ8YiSe5Bp6Fh3xp9RjEAlQxS0fgSno1XBJcTKDsCZTkuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCKJcBokxtmr\naHHESSW9zt7e0GDgMAoGCCqGSM49BAMCA0kAMEYCIQCoxVuBUnkzViFjSXlsLieg\nYeFF0EJcucE1SE5nd8ezigIhAMwC2t1dRbcdrn76AsiayDiN44giP8jyj8lw4fMj\nzDWc\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUcWpDQAldMzv3tU03M79NXoDtqa0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPfftl8HUoJVw7o+qQITM7p7j50ZAbGrRyocPU\nubYW0OogL/Nubl6ihEBXhNoFWNy5ePFlbIYR7nvP2xq9jKwTo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFGmdxAEEH6oB\nTwfZX4ABMwEPX1NVMAoGCCqGSM49BAMCA0gAMEUCIDKmtbtWUANO4MRqxAtumNj8\nsAtYNStmhOK/hYeoYRWgAiEA1hyFOUXtc9um6yKNQqkqSzB0kZOzXbpRsWOZKtH7\nNLI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUGXIO+uBrt/U4TSSEVPM8P27gfVkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOA3V2VFmTRLvCNJsVtK1NBehLKZZ8wOuKSm23tWv4ss\nfbn0aAOy4/7aDhPIB/dSAZ3s25tIzXNtY2DbgK0f+1qjfDB6MB0GA1UdDgQWBBSd\nrWrOIHrvr/aradmx07uf6bPQ8DAfBgNVHSMEGDAWgBQiiXAaJMbZq2hxxEklvc7e\n3tBg4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPhYkItNXb0zK7IKnK+3\nk45DSrYU+qSW/MB0cZdXMslAAiBFGH3oyFFYQUn+Uw9SWzgMwQcExxnB3aGED3dk\nLO18EA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUW0KRE7OJ9pW0Wk7idAhTtoaWqwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKPkacT59sNNmjTRgQK4kb4pN9NZfXyezEU5q9etXup7\nQgKtoyLItjaAjT2UM8YJtER9JwiU2fdtOsXQOfNbFbGjfDB6MB0GA1UdDgQWBBTq\nIMsVoEbgctelCvdqCeDfbj7JvDAfBgNVHSMEGDAWgBRpncQBBB+qAU8H2V+AATMB\nD19TVTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKup4T0EJjTyGdjoeRlMD\n7SKruF0hhYkXAEEnppKLDewCIC845Jh3f4kNDI92cr3H1BrJAGcWX3EYMGEv/Xw2\nZOOK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUZv6Ru2Sc/S72sshFEXNcXESzacYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUEzok7aAzL7DSSWmUGQcWzZy/2GnyR7FRFsd1\nscr2DROZzx3G/zIznGQCKb5WEfTvNJlT8kkwI0Shqgzhd4jmo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUws99bIhrMaszGG/URWh9iVVGnWswCgYIKoZIzj0EAwIDRwAwRAIgAdP6\n1lLBmWzOz8634ptLK7Y+fkz3nZx0Q1Hf6UtN/N4CICpRc/PykjO/2yPKV5Ek6tcg\n9sjYBHq3Lolc/jLO9Ka4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUIyOqZ2rn8g/3CD7TJKCCd6Tv5V4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsGwtvvwimEQRxhzhjf+VfqLBK7XQc8JR6FZ/t\nIi1MoIQ5hmz2Hb4How7Xk4jMDKKUc2jt3cVBLPCYytWIfWtzo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUrP2yKjFdqCQ1GFqO6RISWHpMZ0EwCgYIKoZIzj0EAwIDSAAwRQIhAJO+\nYliwygo334r2Zktpgx5RO1gqG82g4EXq3PBw1PzDAiAqmsiwxVXs6whqC3UJHPsQ\nxBi1DV1QXznx9GRMWzEwlg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUO0GZvPHlBEMcbRBYTLaW5mMRHM0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNDITjwDCxFybWkBt1iD/EN+bfSy0wtlXS93lNffMaAd\nm20tl5ACZyUAgmQV2LvDLfTOI/kEkB1xZRw0afYmkWujfDB6MB0GA1UdDgQWBBS1\nG9noG8bir9JBR+LttRn5V+W0vTAfBgNVHSMEGDAWgBTCz31siGsxqzMYb9RFaH2J\nVUadazALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOnZ0xVPTrUlAm+P2JSA\nP8m7OHFJt2QPnf13t2pzihk9AiBQJN4JfQAnhSUN/7T+gig+vRwbUhKyyKH+FI7c\nSMdkhA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUEsEJP+nagYv6PIM9PR2VD1AIgKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMpLHAC3ywwQAhZ4pKExEs3kwReFEWjIb4Ljdqm86+no\nshdyua2+t7bsSGfkcfi9FJ9q5RGuWmw7+6t3Wx6ySrajfDB6MB0GA1UdDgQWBBQr\npLyE5pwxvUO1jJ4mxy7DUK9XnjAfBgNVHSMEGDAWgBSs/bIqMV2oJDUYWo7pEhJY\nekxnQTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEYmZnqPA/J1Xi0N2P0rR\n45e7uQvV/GpOW7i9z7O82lsCIGe2P/hqCzHdW/euU/ol3tpvSZUIAfW2CqT3X2xa\nKp3N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUbR4gZ37OTgH32OnAcdKkHYM/pwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAStDeEfg1ZS9dMYr2hFVX0NCklI93VLOCCgfEL3\ndtIVVFcbdoH+wbC+dv1fgnkjcp9ksZrPQAhrIY5+R0D4e0OGo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRZcQO9AmT/QziYnZVFQ6AUlOAXNTAKBggqhkjOPQQDAgNIADBFAiEA\nr5fU1CNRcWZuTpXfRI9IceZT1DWvY1L8fvrX10nl4NoCIBKOqdKth6x1hdFlA0z/\nLVE1cLQdGBM4uhPNDX1y3k7C\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUWymRvwvCPfMflGGllBy0jPP05sUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEwDVG+nFfjN6aYdongOnZVUyTI49QieXGdhYZ\nCA7lSpEf1CEXvUEnVREjAabig5M9IsJLd7xzkQ5oFTUqnjHlo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBS+UR/KenFoIdLX/pMe2WUy37wyqzAKBggqhkjOPQQDAgNJADBGAiEA\ns7YZbKcEPxitMekHI/LOUrEaDVVaLsPL772VICxyQBYCIQChKBopyzBH7Pt8gAek\n69lX1r88siVoA5Nj+6VBUyz1rg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPGkmvWrieOP+TxHsZywG4LuzWr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMgu+Jlh4ck3RcsR4qwQBTJIZb17dOLACm/MNGLQlFSS\nE7Zo99ualEBNLaMcxCpQJwWCGV43COcCgUGqQXC+gzajfDB6MB0GA1UdDgQWBBR4\nZESB4RAdKTq1Ep+CyW/5naKbeTAfBgNVHSMEGDAWgBRZcQO9AmT/QziYnZVFQ6AU\nlOAXNTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMkFmn+n/vJapkwwUb/Tf\nONqXZWLUU2b+wZpFHU+alMoCIQDTT46cUlGWdzi5EnWTYFkpr74HhsEngNgalL5I\n6DEzqQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQIAUZofWB0yF0nKgWrr2K87pJncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPczJvl2/s4GXVJ7f4XjzhBHbWgbYNyuwLij2dUxZejq\nNtFkeXVkgwChYeBjojSKEBKNPlbtQB+M3m7xTxyQloKjfDB6MB0GA1UdDgQWBBTO\nov0ov1V+hOo99CyZTkFnJ5AU0jAfBgNVHSMEGDAWgBS+UR/KenFoIdLX/pMe2WUy\n37wyqzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAM6dnGZCufXfZ9mFVyfq\nxc3OZW5FmhL/XZUAdYuvqN4GAiBBd7yJ/AoWEcfxU09mT57ZSlKv3VGGBGy+QXJb\nlAmBJA==\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE0yauC+v7Fm/+hIdCV3Czsdha3cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsh6qyuQPXl0V/t5BciPpxrKYHcIedoMycfI4w\nOzxR6f6NI9tCS72LRxKKvz3sJU3fByzlwPioaw60UD2A6ASio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHLOm9X5r6Tmv28RUVdKHsEU0R50wCgYIKoZIzj0EAwIDSAAwRQIh\nAIyyn1NQcqaGcfH1j09Dr3NdMrZ3hT1oXrQbX8RDDrafAiAOTlz/euKqFUFXSrfx\ncq5j8yFBAXWLb2XDKPyi7hgBbQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUecFyLONKSc2AFua7wMGhjyc0srAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASL8UZ8exg/Mi+URpW5+E9hJ/UzbMnq7kyn9/Do\nNkDOqVCSR63gjqFFI/a8p8lszATzsbTE1nLZYpwZol4EBsmmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb6BBEluw9WOFO5pCzv9Pw9iCzLwwCgYIKoZIzj0EAwIDRwAwRAIg\nF1DesuvnBNoAMwVy1fFh3FGJrKcJLH3J17ksP0zWVLICIERb5gIo2XBv+nY7qf3f\nbFR3gJ575k6mEV+GaRX7XQgY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUEPnYE/uriB3AMcB0pWNlSkoUT98wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTEwMTc5MTU5MjQ4MTE3NDQ0MzYxMzY4ODI1OTAyNTU5Njc0\nMzA2MjA3NTA5MzY3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUrfR\nU8ylIuvmB7/3ncjcs15+g5EvpdJhKelND5J5GRf1DqWbsqHCoSArf7BZsaMV+QOC\nJ9SOhQhS2jOAF4HmVqN8MHowHQYDVR0OBBYEFC06/ZWQUB9lpU+KDjU1lgCPZJea\nMB8GA1UdIwQYMBaAFC1sLzBD3bv1yl/pYg4rqrbS2+KDMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAWuJd0PuXbFMR1YDsLzNndAczzC8JGWfOeXGS6GnPu3QIh\nAIDcJZiMr7sVnb6iWyEcYQ2mHeq8dDJKMvp6EKPfjtAC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUSUWH070F169J/xLJn8o2M2kWepQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk1MTAxODczMTY4MTQxODM5Nzk1OTYwNTM5OTc1ODkzODYy\nNTQxNzQwNTIwMTEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1nf4\nRQYGpPCrVk53w2yrb5GlwS58Uk/UICOT/ht0xo/GfbU7giPzP2n4za57h6ct6iSF\nAMNgn6kZ1PJZBQz9eqN8MHowHQYDVR0OBBYEFKQZeg8wq48tFX/p8ce1f4z0Km98\nMB8GA1UdIwQYMBaAFHE5g4ODBEPqljfaHCwGVE/zpK7mMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAh93qW70ed3q5hnZ1D2eeyVdAzwnRuiFgUAaOZajzTtUC\nIQC/A/DFwF7ntnpLW+eem+/lfuwE9N4KLmgJgOflIHjCgA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
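Review bot: The `"untrusted_intermediates": []` entry in this testcase is empty even though the description gives the chain as `root -> ICA -> EE`. The regenerated peer certificate's issuer name decodes to `x509-limbo-intermediate-pathlen-0`, while the only trusted certificate is `x509-limbo-root`. A validator will therefore most likely reject the chain because no issuer can be found, so the expected failure says nothing about whether the pathLenConstraint/keyCertSign rule is enforced. The ICA should be supplied, e.g. `"untrusted_intermediates": ["<ICA certificate PEM>"]`, so the rejection is attributable to the rule under test; if this file is generated, the fix belongs in the generator. The testcase object starts and ends outside the hunk.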
@@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSGtnaGK2zXFGFe25qt0PgUd4IqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATveGW04aq4JPFnaqUYnocYdx/iN9MGzQ69GxMS\nS2xCdCNqrl2jwFsKoU2kYExnuz76QFsrWZZKUsynUcmSDVxGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCgYIKoZIzj0EAwIDRwAwRAIg\nIiIJ/C2DyflGfUC/lNfVzXLYb7vBFcBsb1GxCcQU50ACIET4LxQ3kPgF2PeP5Z6i\nz8YVGfhyaBj+6PIDZ2GMIFYe\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgITJHBCfo3OMJCg2+GhGtZZVOE5ITAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABGSeYlmOLBYgA7CoK/TJNZUNmDnuIHkYmgHt/tc+\nEeVKVvbVgLJPndkMnmrQcP8VhuLBHwVEciRc/XNddjC0VaOjVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQ5Osv2AxW+RG0a9D0aj5i+9eZH7DAKBggqhkjOPQQDAgNJADBGAiEA\nsrqyY7wyggPqmyZPxXgx+4aKlJ6+hMC7lwXajS7HT54CIQCqQPk0eg7GSA4myJek\nLIhFyAk0dMIqpsDavUyQz91j0g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWagAwIBAgIUT6xywdTY/qgH7v0sEau82Zdx2q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuQr6KTw1WoG5zGbOHp6kOhWWV2ismK29WmPwK8Vf4Y\ncPq03OSLm0HLVRShBnsgtczehFgphTAmb8skxTnBd2ujgYswgYgwHQYDVR0OBBYE\nFHUNYxOOhxLmA5Lld8ckm52m5QRXMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\n1IRE6Ee/SEtM9g7Y9YQkQteeXGUwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQD9kHyx+UPnUU+tawOAuiB5fCX6m2YT0/wBWd3FLDNV2QIhAP/qFCaoVBQ/gIXK\n+ut4G2f5RZ6EDltC8FRPxG37Dra+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUYb2LXT9OxEhqtZrJCLGcRsV1Zt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKG1hSzV7GJyK+SyKnv6KFHnCDe/QYUK19KkFLq8A3zr\nbP78RBu+zV4HTCJlFMVbaPLfxHukNV5b3w3leMtzbrijgYswgYgwHQYDVR0OBBYE\nFE1+tKSwceoHIbKwD1wpHXBPb0mBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nOTrL9gMVvkRtGvQ9Go+YvvXmR+wwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIHCl9K8F0xwc8Ged5cL4FtuyRl2e2nic0qCJxhI0R7feAiEAxvsTpBj+apCkTowV\nPwqOzFqI9Wk40e5oj3tUkN59TyI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUfOcviViK6WXKql4oUCWDgUK1rlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjv/QllcMdUrrYzwNi0hy7URM0YhOkSlIpT25o\no+AogPCOLRZatNsslxQS5SjKAZAJLANXwjkNgs9BvASBdF6To3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWRsQ4knZayUNLlcMr5Tmp0eGZggwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDTo+n5aF0zzSwAi2DFif+8\nMOhJq4jOjdZulZyIezfrYwIgYYMv9T2CZBANiONPA95GwZj5wyL0e+NeAxqAgSLV\nMrM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUKW9zsNmKeuKDVrBXvDabkVpIVgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFaeQeTRxy0inIFB43BIPZRsFJwMcLsEIZ46uc\nxgQVt1LKhKEhdEy8r0WLNA01DdjV3bDQwzKODm89UGn9gNWGo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaBB3TjT23YZPaWwmNZQg6wlH6jkwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBLOkBY8MTes8CftZQauREvJ\n/H/GaA9leZ2yCU3tLdDVAiAQwVqzHoxBtG1WMWBVV5+nbCpbhp3vTzHYF2cQwaqT\nfg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUFDHI7DE1OmuVHvFfW5wKeB2Ph/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAKoSCMvIuX2G4jgEeulDw9TjBP4XP9Bak3KHX0din41\nQs2uu4yWmLfJ4vjNVVEHxkTsNNL6GBrUpkz52juNlNCjgYAwfjAdBgNVHQ4EFgQU\nl97wvMWV7FvB5UgrjbvJgBHwc48wHwYDVR0jBBgwFoAUWRsQ4knZayUNLlcMr5Tm\np0eGZggwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA4IMNCsEk/H/X\nvfQymHMTIX67Nv8H5lyXmseFqccHGwECIQCPU9u58ofO2KA+cGc4QewNMYj3nlfA\nmm2kuAQzVSpyWw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUX34PNq6yIJ/NPkx36aVVO1k2hdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMRhydI/JQ82I2ip+XzaLnMQR8F0fNEm2JtLLuABFmkd\njoKyde2/SG1vS2sB0hUx2SMzWBpsLhTyX6fVpPCxJDujgYAwfjAdBgNVHQ4EFgQU\nuImc5hQ5BAkFpqRTO//MIgKAUigwHwYDVR0jBBgwFoAUaBB3TjT23YZPaWwmNZQg\n6wlH6jkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1ezuEjwbQuRo\n9ku+WRH64OyhGLDXw+he1s2Abk9v/t4CIQChdKm5gORi1r0Q16hCIs/tCBWoL7np\nfyrXT5P1vM7e1Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUObqoFXf0EAAZC5epLVKM6gYOWjwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2lRAuO4gbDTrOYj+hQZQywoOcDPE2drkqqs2S\n3GkivXs77g33o48hIJ44pYU3TmOf8AO8Ra0dVvn3+z4LcBrXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUp4v8jtoPQHeG4gd2zqxJQOWyNzwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIC0EO5zmgfUIRZICv/UmzTTw\nGP1fIvkRvt1yhwzJAQn0AiEAymH6oiuQ5YGEnt+bAsf2Zwr1jKbhEPrepJaoOaAm\nSso=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUL+4NJFiG6hY9B7pBvjfC9BFr6EwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQvyO0AWFQqYdzko7XIDbLRgDi7iXmMZfhj5HZz\n2LwwYlOeJhwV9ItFEzFLfU3A83/OiGNj8HbiSsAXND5ybC+9o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJFHzGe43OjeFJ/LHLCa5o0ERkUswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHI6vzwdmi1JBJVjqb8VZmVZ\nNlAt3tff4k6olF1EaXBbAiBaNMqNRJmiVo9kqnU5Zv21y4jdvWsgGA07xmUafybg\n7Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOQOeAPl/oPw1GvI7aitQT5Sb41AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABONcfxRzbxFLil1ccqWaKa1f63ytKeZl5LCLwg1s6oJE\nLqmwBiZXBr3arFgKtzVAToRF1igAPYE0l4myHaiLhWKjfDB6MB0GA1UdDgQWBBSZ\nnoGefUIT1eMhVP00zvJsfz543TAfBgNVHSMEGDAWgBSni/yO2g9Ad4biB3bOrElA\n5bI3PDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgRD98gLEDN3ws/EMyHNHl\n+MFZqcI+zVOL5yIPgJblCHICIQDbpa6rHnRv6dtMeanacWyRs3EBVOLR9WYaMyf9\nDKDVHw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPDkVWwon21Zl7OUFupoB1jtQeGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB0gRX+SfNGmTpmSL1euBgMxxIFSInS4WX0mGLtQID9y\nXCMWPeVy+LbzBaMFCyWyrTsdCLaE25gR6dJi5p4EnkOjfDB6MB0GA1UdDgQWBBSb\nfLzcBr6U1qZBsmHd+4kD2sEypDAfBgNVHSMEGDAWgBQkUfMZ7jc6N4Un8scsJrmj\nQRGRSzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALGMA2xmYysPk4R2TXNO\nyip8muvEr4V//bruJlOrH1yEAiAQmpiFYR0jfP73wcPs4pce6POg9F71io7xdFiV\nuqXKkQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUa/G/KuQcv+2gEKvajr+Db3p7gS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxwMa8eA/AX760pQxTHMFY3laTS8M/EpNLRDvk\n36QFcSr3ccssbq6V4OCevON2FXS6OaViGaftbXaCIC1uYEV6o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUImPrTIZfm77b8Y1W7VXV9OeMDGcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEP+uMYV5vCcMqoSjKyegFgA\nGiFSKlfS4nuF9AZ7+1mfAiBPylpmVyd5rvS30ajAxCTu+I8XXM77nvVK+29QNw4y\nmA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUIeqr1sut47fu3bK0dN8tNnQWEs4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpd2j3HvhrrDIbDhMC3Plmz1nMtd5z0Id/1b6k\nvdjZ+KE9vqRmUAT4b6CzThEpHqPCrsUUZkPwyE9L3UKSpKU5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2TPYr3UAZ2ue5//ty0/UxR7jw+IwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGbPAskyoW77OiDOqobde5Ew\nSX8pX2d4yMfIZ78LnKIKAiEA9n0wczn+PuOb1YUTIUxl79x1LEJEiaFLl7kY5z9s\nTPc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQYlfz+dNBezDlMUcBxMDLqry1TgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFP2lbYlvnUNgrtBg3mi5ncqEnOEkMLGX8TB8EdNjBYh\nXefT5aD06YfODJiZVJPPGsTgiC4hgbULm5qaN5+IKbWjfDB6MB0GA1UdDgQWBBRg\n0GsZF4Xhim3Fb968Jh4HFSA8yDAfBgNVHSMEGDAWgBQiY+tMhl+bvtvxjVbtVdX0\n54wMZzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgHzgIes3P6VrVteH2TbHJ\nLOv69wZ3Xwy2wmTICAyEo9oCIQCHKkvYWo4n17t11K5bbdNIVujifZKWe2tAz5MA\nua2jsw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUZHXJwc8z3d3cnFUP9tbJ8jvYOyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJkE9WMnOmiOPh3/1efeqE9VuzZifn+gV4tK28Yxk/Yq\n8b0lkwM5XUGTLABUdFFxEUuCp8UMDnKvDI5wDmhI6CCjfDB6MB0GA1UdDgQWBBTw\n37x0udDhEfGYG61ocVK+MVt/1TAfBgNVHSMEGDAWgBTZM9ivdQBna57n/+3LT9TF\nHuPD4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAI3/d+cpZInfCxoXvk82\nDQgOdxqXCrvuc3zWXKpNTy+EAiEAqxzb+mp6XE0JhbTPRrWuQ8zaGLdVzbcIKXkG\nbFAf3No=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUITPmaoRhvZa5cMni63j6Zk0MG1owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYk+8jfe4p94kA+lrbr4tZRfIdK6OJbWYMN8KR\nFVFZIB5cBX2xfU9VxuE0bth/BMBIgb2fSjj4Q0zL+xasEjUeo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUekiGzBxW+Al3oPGpdO06yRzcefYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC42zv6ezSBFK3sfIRI4dWq\nosBw9LJ+LZoI4608NDIajgIgZ3OnqhRhJPdhSuBKdNuUP7B0Al0DEL+CXZcIjzo+\nWsE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIULFTN7vEgnvACmrzFZ2aZNvowx+owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSsG5MbAbyyThYCwTzlMHD6c3B4I6OxiKzVhCj\nSsZMpY/ScpZ7iDlKH34FwBXwfxyTp4J2GIkcoAUj47WKgveso3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9jX2XwkOYNlCNFBMME2chix97/IwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD1le6YX2ajo/LV49hueytL\nZX8Hri90ewMcpnNy9oSM9wIhAK01S+9HQVUgD4lWvOZIr9XBBR+MdoeqKAtJlO8d\nDeib\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUGGq4FDHSs2icclPcOEHrYYaDsvUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDXJULye3lQBk731vHJu0JxF911usWf5FYSjSo3W5LH\nfuGWUQ8QOzf1XOA3NtSnkm0qWcpyZOCVoU0RD1WsbP6jgYUwgYIwHQYDVR0OBBYE\nFIN7rrWJlmuC3GTMM1KuYoPkUlRaMB8GA1UdIwQYMBaAFHpIhswcVvgJd6DxqXTt\nOskc3Hn2MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHYLKMqK\nW4gp5VMiIdI2ssw+mgXsSOnVEhl65cFaMVjVAiBzGBVXlr32jNTo+CMbLTRhZwCG\nFNGfG4Jsu0JUITVEbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUD+VHU4P5ypH3vgvsetSookjKyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIfzLp+vnsd1wxAVgBU+7Z6NUR+yPgxdfO/OnKVau+Wb\nNPKKRK20nSL59Tt1AdVmWgfHUFJQ50ncBvE0jdQ1Zs6jgYUwgYIwHQYDVR0OBBYE\nFFvRU1irNd8gJhxMH2M1f9x/LXtmMB8GA1UdIwQYMBaAFPY19l8JDmDZQjRQTDBN\nnIYsfe/yMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIETfnO6f\npAGp9oKyZIpXghe8AYUyq8wVfnIdFohsPrMiAiAWu2BhPjN7g5RRkggcRfVVosGA\n96FjaITQsKaoN0xNDQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUSP9iCrl/fZ7wRFXMbG7NbKYQXO8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATX59HLpG2K/K0QX77XO0Mb78zmCrA/akoIPbwD\nQgre+c/7a5zAAZlBKYdQ2naEPTIU1oOkc3sJo/A4LUSOxg32o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSCxBR4hm/1t+UEu85W5kZ2Wlm4VDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgFvJS\n9HUZB7IKli+4ygSgbzeA/5OzBd5Dn2fMNhMVeSsCIDBBIAk1N3pjl3HXG8QgHeKs\ngL1joOwsrpjdxCLH/E+X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUcThSvCAXHPmhj0tHHI4vpaYmvL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjiTYvZna2Sxu5mlcniGrH83rxL24HIfNzrhzw\nKyDZnVwnAGyfZd454/GubQ6g4cncNdcq8rvnMJrswvdmOQE8o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSdJaurjaGlCG7MuJcOHFctY3i1szApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAM1v\nWfZniwgm7oLl+coK5bGFo5JVkek54f5cCIXL9HjrAiEApEIBXGE35OEPirFHeQYQ\nMi62vZW/gKyJaHNKVGYWiXk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUBhc6olZ8KdzARsZ1IFrY5sf804AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMi9VYkA3EX0TWsThokN/FNsUoW5L64aWOFSYbA/w+2A\nC510H6BfqgvInP6qoZksmZksxVD0pVMb974BSqrFhhKjgZYwgZMwHQYDVR0OBBYE\nFK0OhUf687o7FSb9ZeKPjnGPBIZPMB8GA1UdIwQYMBaAFILEFHiGb/W35QS7zlbm\nRnZaWbhUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIgKPDK4p+1HVSxEqgmYgdNWJMWAfdqVxFHyR+NhorcHk0CIQCh\nEyBgL6lEZS1ZGsHI+LdOW5Cq1yl1lx1TNanynHuKXQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUTnS4t6jfx455VKaLbraxaQMoJiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJMrVQSN9PVikjJrsol377VTy87pBc9W4D4DbtCogpHu\nJXG5ZGpot+bwWzezMHCF0dFwELA78isQbhX+XE4mdiSjgZYwgZMwHQYDVR0OBBYE\nFBdG0g/UohH1p6MugmxpdohJRJeKMB8GA1UdIwQYMBaAFJ0lq6uNoaUIbsy4lw4c\nVy1jeLWzMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDRwAwRAIgAIZW7z9YXofKzny+OVlIbPcloDQIVIXaMOgg6yByFGUCIAdS\nECI5Q7hSRO13ZWdGLUKx3MKsd4s4j24CIje+truv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOzWCL7on1OMrhy7T3R4KkGPhqJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlheUSq/fcBtOkNExLGHbDCjIlF9ODFr8rA2tR\nuuFVy69nFTdtjMlvD0Ue8mc8gC8rFh+czJuQlI5j6VSmbC9Zo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+lgWf3x65Qe5GqoimUlOjcbH9x0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIHLqgeg3j0Q2Rw4Cbz8W5PVhHLnK\n1PhIGlOex2KHstEhAiAkt4KZQW8GxTKqXjn433OEf+Z5swvseK6PJmUu28L2ug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUbjVPXaFHEiqD8kjBp83zAzWpcyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD2CDkTw8B6yC5pWBqYgNLGQS4Gt4QmWMe4ppg\nJUU95iSW8n5awvu21bb/TyXzuAGrCw4TnYBqCSXtNYWGOOmDo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsEwTekYKew6a25Zn9RNTWfer1wIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQClbWwpTiVqeReDfqeTL8o58l83\nKQVErnReicC/BO7OjgIhAN7v1yRB6id8zngYxh4JR4iOzIhfZD6sWF/P0HqSeQVT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUT60P+6ysU7yyrtPbrztaw9BLFTgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPKjNNO8E7XYZHtpCK64t6mF+GVvWoLMchL4ooCQRMvv\na6omxPoCt5RRz+RLnQKx0PRXzkvL9CXAghu2DDY/SHijdTBzMB0GA1UdDgQWBBQZ\nm89R/DLNQ0WYci014HecAkAv0jAfBgNVHSMEGDAWgBT6WBZ/fHrlB7kaqiKZSU6N\nxsf3HTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNJADBGAiEAldp/u+yzvUe94J8ijX8LpZyfJJ++\no/V/EtaiKzhblzMCIQClcac3mnEvHs5N2V32qfom5voc91DgrNhYeCQYctdi0Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUPLQjbsSFr5KigKPxsIqJhvfRwg8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDpZuMphw5E1xpM0EGb3B/YcwnpuHWJHof88VlXmwZub\nEFZjaG0LPP617/UsYRIm4JQyvG97Zk7JBAk122TYVFyjdTBzMB0GA1UdDgQWBBS3\n8+DrlqNgYkHtZILr/kfc/pHl+zAfBgNVHSMEGDAWgBSwTBN6Rgp7Dprblmf1E1NZ\n96vXAjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNIADBFAiAcNdrAI89e2cMnFjLAeyE8D8HwBzHy\nSrGP9w9kJlszsQIhAIDHJUoNw8bTpVG5YZk5BogwDY4DzSK6p5MIuSg4QSIn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUa1uRFMu9yRc9QJncetvN/TGUBNYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj399gPzFi7I8jcwR/90Slvpks68FHNAQLgEgn\nYNVTEka38hGKVdII0SwT05FWw9iOkx8Tr2tjZfgSBImzDN20o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7jD6i8sQiKFgj1uipTdlqZQwzMAwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIEwgiNxKf9Z6G7nm7vEFn4gGy29n\nsBVthslPhLXVb2dLAiEA1CqivoH44zLuR6wDdG5Aku5WuezfvfmR8IM5PzM7Xxw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUGzZ5tEueo8EfKkIciX+ETDiP6hYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYninvTxxryBt2IWS6Oa6SkR5oMWqdrK+H310y\nRy5nXpMRO4EWJmMjIdNKcH31bW55SUY+JF14Suhb9EbcYTjWo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSO1VPiu8CS7ocklf6MgUo6pQwH8wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCICHO5yCWbmv/7Jgr7QNcRjXEa1NF\nouZKe+x0wDnykqSiAiEAqqqhY1FmtwJ79aLLR9vmsAOjnC+Clm5JvfGS7hdPi8I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUaPTA2wXJpe5LnYe3moRDXnQDw+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH1CRjQq15szDiDsTXz0oYBkkUomhfbuOsmUZRDAab+9\nt/+u5DxefxrYESHKIMmakieov+umwrf5b5GpzhpN43OjdTBzMB0GA1UdDgQWBBQi\nr9egyQNoSEnycvWypJ4EWy6BGzAfBgNVHSMEGDAWgBTuMPqLyxCIoWCPW6KlN2Wp\nlDDMwDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAkuj7FFcuiuadDbXFcxDH5oqlnbAA\nj5TV4Wu3Ley8E6wCIQDSuFTE4JoFufe9XFfoXDOzCJAf2w85dFhxUHuNRMZVzA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUNTu2IoNrNKYP5Ndnzy6LtICO3s4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMkDgHv2vHzNaeDLk/LoPWDdRfm95Oem0HU+UvDU6pKS\nbvxur0ggc83JHzSunukpqXEmd7GjdtKiXWIe3tWJAq6jdTBzMB0GA1UdDgQWBBQZ\n3rnUshcqXw6scUEN2g6MwgwmcTAfBgNVHSMEGDAWgBRI7VU+K7wJLuhySV/oyBSj\nqlDAfzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA0dXppvOdfm+ZCeTGUY3uJ7XGQWX3\naX+8yhjM7QHEr/0CIAGav2PgigbSAP0+cRm7bNhH7s7ODr3frnWb+hooOJKj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUbRf8U8jhtc1j8NNwZeIhImys6ugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2VhDWjJvKS2LeLHHE+XB57DuGnNgyv1p5Gs4Y\nck4vGl82+W2igHlDN2/LEDfkKJ1XnQHe7ms8esCIsputksuPo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUknhtzmndgMVxv1YLXO41giHAp8IwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHLpv2PlXbNmVfFaACD8YIZaO9Gf\n1S0eaOQub5wKRLWbAiEAqzuZt0QP3qpeeMQali9SLXtRMu6YH5tx6eZ2SLVSPxs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUZkONh1cvRNoUEJ2sdirqCAyEFPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgYECa991EEBJquU8W/V9wYaK8pRFZoyoENk7T\nDstMO2aupUlV0JpQNTMkHWpoFoDXs3HWdv0zZf8wcJBz4s7Ho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv4C0K1uFbPJlZwbI1CXA2jI5lm4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCUTv4T2ItxaspxWzytvQpCzwi0\nyxd+HdrsFnVo+fzInwIgBZs0PABjJrcW67svWct0RByBmqUbGSv7XS7DDGjfDTQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUVTBQQAG8nle5/r9Z3y+yGORGwb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGP+J613J/34OAAdLq+Eh2+uytOcSisz1aXsPJ1UPD7C\nLcfJS1ot64WqPy4EZjRl2Y6zo2mGRDwqImsUD2xLj2CjdTBzMB0GA1UdDgQWBBQa\nZa+Y9F4OM7Lr517fsTDoCdNqRzAfBgNVHSMEGDAWgBSSeG3Oad2AxXG/Vgtc7jWC\nIcCnwjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNHADBEAiAyCagKVlsbS1ChQNA+La9Qr2y+IrIB\nwlGYpksgnkO4kQIgbsZx8gvsVuju8FU3E1LApSNQeJOe0/OIcSfU3KZbhyc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUVqzSW9iaWvjkVVpV5EXrndNe5DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvKJmweenjvVhKiGZVUMQh4E1KzRlYxCUDR6ikLd0a9\nszDYRv5ehyvZTIr3cNicXQr4qdQZMdiHlcrpfLI06tyjdTBzMB0GA1UdDgQWBBTB\nBg7gpuwrXqka7q0jAtDfzZ3ACTAfBgNVHSMEGDAWgBS/gLQrW4Vs8mVnBsjUJcDa\nMjmWbjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiB0wiA/poLO9fDp4OR9RKJroyhFb03i\n9pgRWZcWGl3+fAIhAKNC1nnMtsPdxpy8eWyQ+pbDK7TWhtAyqmmuwXvKjWra\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVv98Y4ytxBQigNuQOil6px2D+FMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARB4SReVF8FaRzGa5KWk+JBnt6ZAkGquIpVjhfC\nuqE12RKtkqYJCMDq6g8BK2LwjRxZ7eBwAfV3avT0cHhfobb1o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg10WlG6754eoU9A+TRKlhZ5YksIwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAOqCSasz3gn7e33u\niAKtlkw/cZYEAKKBQBWEAQ4dzjwqAiAmaO/NXwSgm3PjzOANUwp98NLXOnHaayRt\n9rXCDOYJIA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTaOnv7Ne0tF1r5vAd6nGCriCIdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/mBurd7cZyKD4qsp+xncWP8JJ9O7xu0iiTuBQ\nTH/oIrgSAAziwd0MX6c0tZwXbysCu+4tm8u8i2sUn29vJ2JJo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFbVVace4eGOFegdVCSRhvjkavPcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgXIU0Fo7CMDIt5xwW\nUewyWqhrVO8cUNaiEeW9FrTqemICIQC86QN7kNPsfvVSlba2/KUq83c6N69ekCxW\njekhCS8DYA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUbR5Sh0kZKWZ4qKDFy37zXOCQBMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEMTDp2OaboNpvObK9XjyOK0KKMx+UL8w+sapwVUIto7vtHiXx\nJJOgUtM3rG+L7EIjQdhdOp2CoAy8YcgybyGTMKOBhjCBgzAdBgNVHQ4EFgQUZRtY\niw1SwdmpqKpT8k3SxaAgtwIwHwYDVR0jBBgwFoAUg10WlG6754eoU9A+TRKlhZ5Y\nksIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIDzJvcSqQacZ\nkkUHpC/oiVq4wh0YcaSBNrC0oHuHzoDNAiEApG5tj++3W9BIGJDOY7MkEh5zUgfF\nAjWbqXt/7Osj4nM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUf/WC/4M7/+Z6riBds7caKz0BhcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEGZu+9mjm8KBPScda6HakbuQg0U2tv/q+7hHJPx3fhrmkyWxx\nARPXHpgQBsSbWmui/ZrSj+LvXH9VS5/NOTslv6OBhjCBgzAdBgNVHQ4EFgQUUVQZ\n08u6tPZlFEXd3LbWCbA1McswHwYDVR0jBBgwFoAUFbVVace4eGOFegdVCSRhvjka\nvPcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIQC9TaNWTvwL\nvdGEfxXjsYiQoMjFaWJJtArKx94zf3bZgAIgT/GvML5rw0+zR8sHJOtEVVmumbon\nBzDxPJYXvvejmFU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUNESjZkpqzDz7KMW7h9bKoJ2NZzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNSpZT9Ekiw23L/MDdCuDag2ntYFmN+DzTnMGb\njeXSHyZaaduq9GPeCHmSHd985Nh3JMLmL2NHZSZHx2eBfW53o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7ONeirkVP85Qhc89o8ggWBsi1TIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgTXMyW7QCCebAClJ8\ndbAfWSAHESghg+8QR163WNgiJGgCIEkiKxLYgA53iVIm5L/zruRkFbQa2w7uFUf9\nd1bvtnbC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTRrJBSTGl9vlQeFcMykPZsvSpDYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpS80NgxA2PR9PNXI0P78cwd5fJEnAoB1Hpngo\nSDqg9YhgDu8vkO4VtKv3+8fmkVKGR7SAKVcJ8oIfIX0KhGnPo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb8XKlB5Rjwgzsm2MdD2+AfGqdOEwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgRa5ds0Ce55UkcFq1\nH6D2vu0ZuRjM6vkELljtqRi7Mb4CIQCYlwTQdVS5tP+euBZh3MlKBLlkxK+XdXOU\nBgysxrvAaQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUUxD+OV9klYiuMzzwino1MfzRI+UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQTngZVLnBK8osB7wu3kwdHJ5Vc9xHtTAoCcJUB90A5U40ZZbuLCKUl\nJ1Z1LbXuZRYK4NNB5ccXPnSM5H4kHsD3o4GBMH8wHQYDVR0OBBYEFGko4dglNAvh\n/tyNy+YfYdCucHIKMB8GA1UdIwQYMBaAFOzjXoq5FT/OUIXPPaPIIFgbItUyMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDwlWTShaF8m25D7U4Np4FO\natBUAZKrQW51J4s1LLDojwIhANXAXivLGr9C2+r+Svv+5JDeAGqL22MygTkHLEq8\ng9j8\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUYCh8YEcBkZZ9Vl7PJwMY8K1GGrowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARFnJV7mIdxllOTJkbNsH9nLL+9iD4yesjmv2Fvqq89FKoFgzqL6cw9\n1SiCsbjBheRl+WaUf8VgzTgQspYcsAYLo4GBMH8wHQYDVR0OBBYEFJVcZvljx0kh\n5+7gWwauovx+UV/rMB8GA1UdIwQYMBaAFG/FypQeUY8IM7JtjHQ9vgHxqnThMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDV8Uqr7sThKV7xSWB+F8zR\nmd7ZQR5xvBwoSAXCtC6QJgIhAJQAs5lMDpCKG4Ht3lT4LMTIOlBVDGrlbPL/3Wf/\nDAX7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUFBXazDOsZtDi5mWZR1I6zrolqf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLnqd/E83N9QuZ/Zyhl/Z0LBqsH2TqTzILkoxk\nk3ECFVtJdM9q1YRlMwOa/motEkXCTrgvR81To1Qn+akfaZiQo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUUa0Tq6HtWD3VxFDyi8S7NJ+7Y8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgECVFlKAiCHToMtdo\nIMmpLFv4WF2Pp5C0iHsi9+jwSw4CIEMrxtcCQ3sDu15Y6jc4w1UhRDOftNwXaYuS\nsrhsJkXB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUOhy8rZQV0KBWXXLwX5fmfiafAYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBQ6DQVwxNrZ1UKLbDKxbtvNrTePFVl2PvmPHf\nivzwXbyjf2V+6JhToc4e7fqQe64fv8zPlekyf42Qz5Y4MopDo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmulxJTQpDWe+EwW0lsIS/QNrKlUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAN1fFPjyDzHtLvlP\nZutkW66zjqC6sIoT0U0omhQ1TSSbAiBlzbedtlebVX9hYHsDIdv3VY762f+4TKgw\nwTUT6gVbjg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURLuOxUr8D3tTxDRpGb3Opcy8QcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQzOk/35lIXblddlK1/+Kuq66MBjyGOFmxU6bBkGdTLdjtfdGDb4mPh\nF1B9uIhzt+FeUPt84ZTGjPFR99s+kmGLo4GBMH8wHQYDVR0OBBYEFCqdbozEypYL\n114nlFSkzgXUHyHLMB8GA1UdIwQYMBaAFFFGtE6uh7Vg91cRQ8ovEuzSfu2PMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIFwEFzOd/z+7/C8tYqbLSWJB\nSWpNoAhkL39RYG4NzhMpAiEAuy2K+dhtR0N+KlR8WKo3g8v9G9SpHaNoZDjvCgbV\nr8I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUf4UwTlskgDggqfzIQQdobF+hWV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARmB6uVmZYhiDApALl6tDr7gKiORRSQqo0q7CcEGJsaotgsHuTpuZjx\nfKv+NgXYp0gbRh9UVy6iIgQPGegv60Yao4GBMH8wHQYDVR0OBBYEFBxQUeCOIH+E\nxl38ytLAOpDwDlXNMB8GA1UdIwQYMBaAFJrpcSU0KQ1nvhMFtJbCEv0DaypVMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQC+JoeoOGAeu+BudV/Vebel\nmR6H9SXihvwXGrDyT8ZG/gIhAN8A5tTDx/OYkXufqMJu2u2BPpEPfDHF8i6N8VzG\nfI3k\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUCEhly4ESRdU6W2drKiQK5IGBu4IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWw2m6uTxN9XN7eXNbE7oghr06gD+Ntp0AVeZS\nLcvcinmE/i5U9TM8RWgt69/ptVUr2Fj2TRnEwTPmGsS7Z/k5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs1TXAtxSEOiWOeViqEzR/2qN4IowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhALJznOwIRtLmnRGP\nVo4pXpaYJxeD1dz4Vr1s07iv2hdQAiEAz1PDFhLM1kUBJ5En9vzuKz5iMI24F/gC\nJvBY9ppcp5M=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUThMeO+PpzRHKdjZMCifjATYYK0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8qDD5eadSqWrI6DVZyJzCwVjHQOWanPM1pmQF\nTHdq6dFJ6E9yDAqVOlmytbJHGex5POTG4yclrX7EUlHQ99ARo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5Oj4rlEv4m1UhbBSpNUCUyNkr18wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALsda1D7/E+qb/ok\nALeKAvy7MoHYg5lmQjUoIDAQN7/BAiAz9tTbBFHSayTkYbV730juVGhJOpaj21Kf\n6/vyK6W1LA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUfFsbeOtusXSqDP4hB3qWI/yhYPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEVGmeAlFDqBC/y3ZjlM9Ffj/XLvEEuQskAvAeqPAMr3OXSBQ8\nuzFMs0xdnqLx7VS0oaF5FXewu8aXdc0evbObI6OBgTB/MB0GA1UdDgQWBBTL7p2s\nkYrgM2CNOqUjEb5wqadwjjAfBgNVHSMEGDAWgBSzVNcC3FIQ6JY55WKoTNH/ao3g\nijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiB8loqJ4wH18h8JLJrY\nU7toFG/2aFvAGi+eQzN6dgcxfAIhAMTcu9OBRn9Hd+wFxhe5zfBoWUon9bPAcein\ne2TxLvfw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUU94UyyRXhZKX5LWjOstaXCOGoWEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEyfb4S93Ztcxl9AOAswMuY6VE9oc7JZlAozBGlZvtJjPj+aBW\np2nzHFDDAqBNZWFzl3zG+qDApp9O+GCZYX+scKOBgTB/MB0GA1UdDgQWBBQQYNTF\nLuVPW5CeOb3S6OlOoSs7LTAfBgNVHSMEGDAWgBTk6PiuUS/ibVSFsFKk1QJTI2Sv\nXzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEAwt1tQ5wURlWHC3O9\nYjG+CYD5hWvPeh5CBVUsHXuFU6sCIHGrd6C6EvlRMuYIwCiR/jrqh9gSibHqq5Ei\nDkk8xhFN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUHGX52aF+5Fz/srYk+toKkePV12UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREad7rXEmrxUelXjyRoQgmfKFz1BobmXm5rVUk\nsZfHBEXVcCmJLscGhDo6lL0HZdDuy9DYrOhyp4OO2wdYj0Mlo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU86VyrAxZ7XOy8iEJ8zU4Qmt4DnAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAP2yRErDUEF97B77\nT0HjX+j7KHP+rupVu84jnQFxDF4aAiBoWvZ9iQG9wnYqPkTppnqlXvIOXSJ+k9AY\nBBpXIGpQeg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDjOsCIlQ7fzrs+RUV5e9k760soAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtlujL8dRJtTLeWNLSUDBGLN+swvLnPnMZKAMX\nheiUBwDEb00yrXgXHeYUxA8dv53WGFkXC7Ux5yKRLWdUeB3Ro3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU145VZoqUwvGKsBX9miyUHWLRkw4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAM4ljLMnMdvqSr+P\nZGf7M1LAdlELJ+E5c5sSzajeMb2kAiAp7IionUGCxpP/92HDAR/iKhU5ywWvMrOt\n9j8ChlMwkA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSQoe1u5Vk7lcQCXINjxYRpo+gF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASV52DIEVKbcsgw/1GJGJfk8Zcwre9RSvAswnyK66e+sbrQ/UmfqLdC\nhOTXF5vEOiK6oZ2VTvju2yRYKkzlHObjo4GGMIGDMB0GA1UdDgQWBBRJjF3Stcw8\nonfQlSw0xoU8ZbUcBzAfBgNVHSMEGDAWgBTzpXKsDFntc7LyIQnzNThCa3gOcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgB2OzDjDg/otSxlK6\n5E7RY3SLz00Uq5/MQbfBbrGlNGACICYojWPsKyMmjaHoEgHSN54VerBmPuC53fz7\njnxwUDhK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIULoRNgIQCp9WDPXRh25FTyfhM6TkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASvBIsjFpkrCh9uOA2A+WXl287XrULwLwMICeQt9P+TI6jOvWdk8blL\nSjNYl5orGR7pr8GJSN8+6gxxG9+Emfd/o4GGMIGDMB0GA1UdDgQWBBR8jZCHe9fX\nmhc1opdVpdcJBjh2RzAfBgNVHSMEGDAWgBTXjlVmipTC8YqwFf2aLJQdYtGTDjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgeZqu/GvBa0WXJJWj\nvEZurFyr78UKMAzobnyTMrIzLgUCIA8UjT1CUM6Z+FkHUuaZLVrbL7H+Zh2Bx5y8\ndXREY8cK\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUNiJ1bBkOCHQRsMZnl39q2jBtGDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLq9w5iLa7ED5+ZgkKM+qSjY8302o4LeVIDTvi\nRWgUFyDVYZzW/DvvgARhP0vdPsdARRxTsaHT5X0JZe3f48vHo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFG0qAytaB34LxpBL/yemEZ0fbVg+MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAxQzoC4wGVm5II8hRp\nB70FUGOVTmT0/w272U27pZg+gQIhAKLBC9//wlb34GQI8yO3LTXQvKLFFPxqdZXt\ntfYFJX1D\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUZG4Mok+yY5iEU9mt75lhS80TlOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR44DDkuXYWKz08lKrbhJ+N0H1H8zzmcMbynZhM\nZtobXGHF2UwNcQxtscWPx9edbXizckh7jeh1l3TfOTC7DEA7o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPsocDwHfqpZ/cYhmxik7hZ6px0vMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnlL1bjxhQt5TgSEy7\n66rW+XShLWu7IGHHeA931iuVeAIgdDDKgNidT5wcmlTukr3NhjHA7j5l49sv79gG\nRRuC3R8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUJJfkAWG5D2ozePJSQ0h3/YFQiWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzeyS5RROXyL0P5Fb5kyD1Fogwa4J6Yop48Efw\nKLWdBEtQklSK7uq+f4wfxydVQsIkiK65g9AYXbCUcdF9MGqco3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUbSoDK1oHfgvGkEv/J6YRnR9tWD4wHQYDVR0OBBYEFDqM\nQLk+nrW3gpQHTbHyrGKVPv6GMAoGCCqGSM49BAMCA0cAMEQCIEZ5GNcKQBeSn64J\n3akgjN2oZKmhIZL2EllqkD0zhIsVAiAMXBAkr722MC8SgdNaqHZrKTPcCK2CghEY\nCQ3lpbDdUQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUGVZHy7/aDCVZzFJ1089d9RvrWFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCiIcBBjPM/c9BpWQwt+Jq8hOZl7FUMXaUH8aG\nLn8ShQxuPDw3MPp0/bpMppsFo9CiPQmT22WiCBO7KxwSG3cuo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU+yhwPAd+qln9xiGbGKTuFnqnHS8wHQYDVR0OBBYEFGWe\ngMywBJajrJv6BWqw+4QJ6WmBMAoGCCqGSM49BAMCA0gAMEUCIAnFIDBsrqW/s6jb\nia2wEYhug9J/ldnvj07OpKXv2Wo2AiEAofgVjiInDDUHwzfjjjpqVreBNbYQZnPw\nwYZehiMI5EQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUBXYmU6/Q+JYcupIrBeS+qIPOvPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEfBgxSQ0SRMSu9VpOhviSIwGyV+litTHkJksBeG/5pS\nc0dNZN2x0iz8xEGec0nrPUq1t6Ur7JxXh8rnrtzxoSOjfDB6MB0GA1UdDgQWBBRH\nQZe9Hc6M6WBycaaXxvPJf0mmlTAfBgNVHSMEGDAWgBQ6jEC5Pp61t4KUB02x8qxi\nlT7+hjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJDrHtyZMcnwE/IUf+0I\nnbUp/IPJtVPmrIBuy4sJaN+KAiEAmDzbR6fXmZiJdq134miT2DwQI5bwbcaTB1QY\n3Lz5wcE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOhmU8FMo3d1CeQu8heL3ZeN0LW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF2paAenc6///4GFBnGaFhvdBhQi6YG4gL63DcNHS+kD\nF0V6EZZ/t6PrKRM64ckkJ1zND0glEQT+eTUGdnOp39SjfDB6MB0GA1UdDgQWBBQA\nMCUpVTqPj4o49So3D5X0pPPQAzAfBgNVHSMEGDAWgBRlnoDMsASWo6yb+gVqsPuE\nCelpgTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcZ2G8PQeb7TeEWWWeRIm\nV5ObnIyPGBMyqoEe1wgjvhACIQDeGZV6edu5ROIdnz7na2zhonb7IoK3k6Xxj5r8\n+J8+sA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUORHkweURVwBnwmQqKZ5CE1UQ7R4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpTbSXg8FAusF6cUIGiLTbOv1rG7niAfAoNuMy\n3IOHDhVINEU7NKxhCmHVI3fUMgNgXtJYGYKrCT8TCCmhM/DXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIF8XDAlcVaMEOmeFKT0VlThQ\nAwUJE5jIbUGs8aGp2TLbAiEAkolbBJ0w5ctZ3dBlG1rGY9l8aR8H77yMg3LQpxhS\nFBc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUUSSVmLH7ZFO6vIPVDs+NNTj8ThowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvgFm2eFb0YWqAmB26xZfSQztq7j7Jud7AMxj3\nuDVfk/zEpmWLxUE3hVN8BZVQe6c46mmyN4UNEBP9pMyGA9iLo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUITZVvUpe2BxFWa7MRGyzjk8bXV4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH0KSXUPrcf6DebRLctND9xS\ngDr4k3gnMvyg2ChsQ1bhAiEAh5FqwDA9/O9/KH7d4ZWdmgC/SY0jZeA5KaM+LV4J\n2vc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWN9wCPWSuxR12tWvmslezWiulN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQU54KPrMeDZh+NKExJ5bEi2+jxM+dYmnxHTmlA\nRj6cVPsccTCR2/vZ4b0WZNBTt43iP0zkaFoC10fNJjoD+zvNo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUQT/bX9evigKdETcO9EjnOKMaEScwHQYDVR0OBBYEFNoh\nNnobouVyJbPjeN2xRzNXlt4IMAoGCCqGSM49BAMCA0gAMEUCIQC3tFCRmZI6GTsY\n8Ze1+85eSnpEtVevkaY+qjuoFhzk5AIgZEpaULj441Uy9+RyPGkEXCRUKFo0BDyb\nXpLIzXO99t8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUT2bEDKiaJO80YqgSPKIqycTDxR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiuXrRXTONO4sVy8g02HsouvMcNdL80dYttJGK\nUW8caRFp4rgpRWPn/ej087UIqVJNCkefMmfT1UoXBFvEC9X+o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUITZVvUpe2BxFWa7MRGyzjk8bXV4wHQYDVR0OBBYEFMeb\nF7qHt0Rm0+urpOPcUD2HvSX6MAoGCCqGSM49BAMCA0gAMEUCIAaB/fUjl/2S6PSr\nSQR8p6IPyBWDjNXQ42ilCqC8z+bHAiEA3HMvIDjgD2Uy+EakI0YdRsV3U10bacyp\nLk5ebxnymNk=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV+gAwIBAgIUUOQq0i55B0gWBt4gORFDxdigregwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4eBJ5hNcAao93RFSMPmvtlNlTjIDhAjg+buyo\n3ZoHlfZQsCpabitbhuA7Mx8IXEFF45I9H4zPDKsrCUCPqbf9o4GAMH4wHQYDVR0O\nBBYEFDLsStQb8DnM/SbPgs3hMClTOOpdMB8GA1UdIwQYMBaAFNohNnobouVyJbPj\neN2xRzNXlt4IMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSavc6dma\na1Q0yhMl2FcVPa6tahD4BwCBd8v9orfahq0CICyHZqewZuQqzj96LgunU1CILF4w\nw1xtA1L/F7sSZUST\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUdoJaj5moXcdxt9ymD3RoyyVab2QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1/I3lianPM9/ttxipEa+RUVp9yidz0+eoll/F\n0tBLcWgBwIiTVnrqoqBl3brbOFJGb76eh4IHD5bVP0MkbXRfo4GAMH4wHQYDVR0O\nBBYEFNwi6mvdCyVnluptAWQ8HifyF6J1MB8GA1UdIwQYMBaAFMebF7qHt0Rm0+ur\npOPcUD2HvSX6MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgDvGdHhLl\n33ArbdKVKSbfiY4rgMSq/nWU0Bf5X6DT5IYCIQDcEqTfXT80v7F7a5gWieqKWUln\nqSq7+iUdrdiwp6Iaiw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUbkYpoe0BPTaOYK1EsUhNEEwVWdEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoL/ia1jhCOxMwM54MLeB5KIttJAsvufB822Tq\n6mJGWnkNaR/hcXwzcHCjEOgJ7tuQaEqr6+sKleCTnC13M4sLo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSYeC1/XhnkDRyqAxZzA7RqtGzc2DAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiA4/mKTZ89FoCYnLfSPijQ5fkJDTWw25mPkAtUHPuQWAwIgJz1tlnq/IqKZJZ8u\nw6XvoZy2ZPWgzwhgAdNVdmJBzGU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUGMYE5zfLhK7wbOl+pKNRij8DhHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsp8OncEjs2zW+MLhBbO45TpTAHvwSZjIL7CAF\nSlpXzvGWwC0HOkTHUEA0Rmv+iahQ/tToh4A7Heen1pXdB+F4o4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQ8v1UOH4fs4uHwRcyWjbycxT0AeTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQuZgInPSSx8OGdy9Fq4R0NY8OMracGzStlIzqwUmB3AIgI00EOuhHO9eMIta5\nt8BBwHdkjasxEkp+kM2sdjnDEe0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUX5pD2+HC3Spav6xM4x7nBCmAyrwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPXCwOcfcQhRXV9o+1SMO7GKLH9EI0bcKD6knc4Rv9PL\nXm57AVd3OLHumGlLv8paqOrqaMl/ijqmYLRc6eAB2FajfDB6MB0GA1UdDgQWBBQb\nXwEGaI+JMR6FpcolybgHS9pt8TAfBgNVHSMEGDAWgBSYeC1/XhnkDRyqAxZzA7Rq\ntGzc2DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN91ldSQnSbEmqwY6eri2\nWiYKz/+eqkHSMwFAUkg8eg8CIQD1k0Ez7rvh2l9BPmCi6+KRJxAYeeeQZuyOL5tL\n7XX0AA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULu2nm7QSWglNe90jKaaZ9CL/pKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNU5jEn8GjBiMtzFITjxoPnbDZYAXLJe4ZHRcsEAWNth\nyUNyfnsvmgRDGavmCUjyOysRpcTm7QxwuOxNSuTIW8SjfDB6MB0GA1UdDgQWBBQI\n1LFPHX5RogULMGomuqO7CyGHjzAfBgNVHSMEGDAWgBQ8v1UOH4fs4uHwRcyWjbyc\nxT0AeTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPWhiZRg7rZHmxSXVQ7IL\nlrcreiOfnOsXkvoXTjVUzjYCIQDN7/MzR3onRrGpRH3BgDtoIUNH8GnJ4Bp4Ode6\nAh9bRw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1000,10 +1000,31 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSEKvCLyXevWhLJBJCi+Zc+OAMC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATy+HexOz1PFdbojNgCZOsOJ8Y7ZBGBQrWycAqs\ny8/LF5d1YB9uMDweu8kksvAZQSCnZnBg9JJkIAA2uZIRh7W4o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobd8RTycyA4ynZEerlz7LvXgMrQwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC8vSx6+y4yQ0pPNjeStWqBnB3b\n4YcCW3QtKXO6/vuc+QIhAK23lNfZ7kRhmiwTKgp1RocoOj4FpV4gteNE5ZNaxMKu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUWUSMDC8wmXyBT1Z3SUAheESJUgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCxSCQLaqDCOWPp8sskrF1LunpIjo8X6aUAC74\nn/BM8EFuYfNzAKVx2Tf0708zUADkbcAwnS4A2a9kMBzDj2oCo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGnS/otFbqycRmO6Tpxsn1yMwv40wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD34WNo0H8EuJCIA8K2wZDwRpDv\nmLehMDB75nMp4HCchQIgPECDqLCVyT8UELkvORdW2uSN2kxxBnpp2+q9st9Z2DY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUXV58i4cBLaQDYqk4gxMXzTBQRPMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF1fRCwTopzeD9SngHRLMoSBkzItmsiPj5bbGSgFUnXt\nkYBeY48i0Wbf41U3BiusP4ZcFzs0OA4TpI6sKEisSDOjfDB6MB0GA1UdDgQWBBQV\nZbw/6pJ6Szg/+Cs4A7HwKckf1zAfBgNVHSMEGDAWgBSht3xFPJzIDjKdkR6uXPsu\n9eAytDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBY6N/2oEAIONV0FLm23E\nXT7Qp7ZoGU6XxY5SEhzindMCIAIlZzcacjRHStK6k4T3ZsVSIwA2pcpaa70WkCrd\nDGNR\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIULA8dfTDVSc78USI+U/VkObKL6WwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAVg5n+bVyaIfIX2RnHxzHrQs4+0vMlF5Ykq6RLTFOh9\ngDU1hu070fFTbT7sy3e1YyGFTQEUBQ/97ZJLFmfKIDOjfDB6MB0GA1UdDgQWBBT+\nhNcmbIZ0Zfh7K79CzXCiM0KQ5TAfBgNVHSMEGDAWgBQadL+i0VurJxGY7pOnGyfX\nIzC/jTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJO4DhASuUtygOBaMRSv\ncL5oBQrdIedCBF7hhHsmv4NCAiEApXGAy//TPi2AL0QViXTLa4VnG3Oe98/41V/C\n1KKUTJE=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::ca-nameconstraints-excluded-different-constraint-type", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUaOK5Lm0lIxeGC8eUXtUvNHsxhRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGs2bDLf5FGjED8mvgxOWPnJxuhaI1/T01Tmwq\nCR6E/vui2WA0nNQA7JsV7/8cpY1oivhcojoCbpftFj4NN+r8o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYOzbJzLiprT7zxsFJU/gFlfK6RYwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCC+Ve/jYb07DwWCTDns0FiMU4t\nXLcVGuLZSNU/hTCSVAIhAOekpec8iAJIh5JO3aDw2CE9QFuk8D5GJxmutIA+PnGa\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUD8yAO7c5puf8O8pGB6aDHEn81HIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABISBMD3KEYFULMfsHu7BXP0CPyToWcC9cqpBWkBhIViS\nD8W0jomNgRa/d/XxGjcCqIEPingvFKFXSGW/zZKLSS2jfDB6MB0GA1UdDgQWBBTJ\nuQ8w6aQ1TK/PHFvI/nReleOasDAfBgNVHSMEGDAWgBRg7NsnMuKmtPvPGwUlT+AW\nV8rpFjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKhVXEQYOLiMITIZ0n6X\nslij8LmYFI8UvXi1WqjUEht+AiEAolAcKa3cj5JJRy5uU837WUDM0/qw5Ga+x4cj\nVbVzp/c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1021,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDGxL/0EcbW0tE86+rQHtaUf4rDUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiO6JTak7oLpiLc5gv/cPr7c4myiBl+eBbGyVM\nC8m3rDlSQnGy/pUNatUnhAAqCYr4qjmLM8xyL4a7qRwf/nNDo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUU1MW8Vv4WLejYi3BZU8GXXY2ygswHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBcP5H6UQ75kmXlCKSi0+\n/g/0YyyVKxX5UYGWVlN37GsCIQCzE8JSuo5EzAykYjci+JLjdbEr8Tj9TzarSVqS\nqwUDNg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNbU+146+S7zxLU8tHeiiu9HnonkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQmlwLq4LqniEsNaaRsYNNqUbevHNrGH6uzpP0\nbkP5A1HUGQaf24px6Hubi85djAxqSvai77XpkKtT7YBSJBPVo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcCCU0vtB25IJKdY44hNaK3ZJYrAwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgPXfsqFGnCERdSn5SO14m\ngaRSZZKUvslxLTPxQ/RMh4gCICIuDQlVCTSr10k1etzCHCDAyhpK87p+unJ2VjT8\n7ISj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUAxRA/uE+uO1e++Ur0zAQWYfrcIcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNdqwvYVkMSdXSSnutBtVD+RxYZFllY+hJvZLxxFXn8y\n0jfXWpl4oOhkmRikrzOjl9Y/k1DH0tHpNIhSRHQADEijgYAwfjAdBgNVHQ4EFgQU\nvwbc+aeC4z90B10gmaZmiLZgFuQwHwYDVR0jBBgwFoAUU1MW8Vv4WLejYi3BZU8G\nXXY2ygswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA/kzKt7xAzkNeS\n4ViNfg9Omdkk/ucBlaCkJuLjG/jNJQIgQS7rCUSYQNqWjFfl9TwMexI9lSti5I29\n8Jtv6geAnUQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUIO9ralhcIR9qpyBngV8L+H8cLI0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLqccxE/ULFxGFIVTXK4O4HawJR3JOAWPFZ9x82rUi8p\nhvjkwcUxGGBBKB0XX/3m1G7yGrr54v9/vxVzcAIDUIKjgYAwfjAdBgNVHQ4EFgQU\ntxzlS3BmgAGWgziSHw7aDStH2RMwHwYDVR0jBBgwFoAUcCCU0vtB25IJKdY44hNa\nK3ZJYrAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBxCYcfVfC7FDQH\nWJvzKS67wBFkJvDvY3PTfR4frZZisAIgH1/kARuURuB+IAk5dC1cPRSlQ6B94bIE\nNOZyPdbnD6s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1042,10 +1063,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUMizJKjrF0w+9M4cerJClHoun59swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQj1L1/2KoCrJ/bc5y53gtl2xduSvQuNMHv/PiY\nHI6IMRWpK5c+oivoh0weOgdskfw4rbZngNk2F6nlt0k3QMU8o28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXrDcAUiEANnpMuqigwXRRkUCxt8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAMlHI1LHGXdAltbfItFPBUSyuChb+Fr0\nxg65L0gIAdteAiEAsqioSpGqgcRWFkwhQfvBJ6X8ER0+xT4cxtXnNUZrFjw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUGK434F2lUTrNC7iDfanC5kIq3dQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUPUnEfYOl9AiCg+jCDmcOCQGeQDAeIlcUg4PF\nCKme7XEkJ/KxSavHdW7ZMgK35cEhv7EZuxTOmfL2cHPLMrVZo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUr+z4W++TP4jjP7eTsQX9Ho8DPUwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgTB6y7dGPVC6/d5pnnEQAVV6keT4GS8wb\n/F/ML2X1Jx8CICcclRXQ2Ze3d6fPjyppVRKmueS0epBpJkzG23dPPv+8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUfCO0lQHH8ALR/B8ewXx5OC+wJGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJL3Nx/cj+ngSMEIQqRGrpBW2xElrejW8FbfnX1hnQ4L\nRayaQLiq96Ikv0rRQL5NBRdWnxZwMTWEDFsw44tRdUyjdTBzMB0GA1UdDgQWBBSh\napyQB4K2FqZp3YfVEVLfrTO7TTAfBgNVHSMEGDAWgBResNwBSIQA2eky6qKDBdFG\nRQLG3zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiEAtYKYluoLYfAjctfwg5Ixw4eXSKUP\nT79ANGWaLCC2870CHy0Ys1SEYWnTD4tzf6jyVDDbjSbl99L9Ofg1m6FIWHs=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUdxDotbU0BGwAENKjJXCm+04KkMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPEG/y22o2c0QU5B9zUrhqPkoTyanTQ4WhNbAZj9YkvB\nUyHSomhdIGX1s9Qtj66dDTa7jtyPuXk8OGJiF8tq376jdTBzMB0GA1UdDgQWBBQi\nGSBCkuL7uEfZK8wmlqgnuNnAvjAfBgNVHSMEGDAWgBRSv7Phb75M/iOM/t5OxBf0\nejwM9TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiBEJ0qLGLcmh6VTqboqLdbTIySLmhr2\niKPqebK6AnasTgIgDlHpV7cTzPO8+KrXQaX5SrSN1MK8Qwqm1kR3J/uuNDk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1063,10 +1084,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBY/7/TJand9QGWPHmx5DIiScgpswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQO9Br/dPPi/rrCWMq2e3TLFrgSXVTo57pICX5c\n7UFO+wGMBmnLwNIx5lQkci4fWwJDyatEHSSejOgOxGBuDQTUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSRaeZOmEMigrEA1NyPJhYMXa6v8wCgYIKoZIzj0EAwIDRwAwRAIg\nNXq7kUrwKZ7ahfp7adq02Li/Ieo1xjrB2/MapA+9GesCICqXMJ0ajm7bARSEVZyr\n74iyhOPzsJp0xiwOqPYOReAx\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKA0Rm1D/nCowhAMp8EhvQVaYQNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxCh0HTPj2U4+7viBYhKMTTDxaAj61tUfB3RNA\neFJuipEmRe3hjdmexFxNGcMnPTwRNPkGeetO6p2JCV+3eA1no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5V4tiiNDERL1kH7Jq42wLNqRcqwwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ8BLp/Pmu38uhB1Ri332X/oIZTLt8M9eFanDFAyC1WHAiAiZRkdPbO2KUcIIn3s\nz5cmzbf4fWNREA+0HAACXm/hJg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUUUX2ik7HTIq7ZiHN3OtYyl9Bxu8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAql/OzIonKJlRxqwzAit49SiK9YTyf1+sAPBQTCOjFh\n1TfdS2CMW4u50/FYOTneCN0Lg5na4Tl/PBdT4jURpA+jgaYwgaMwHQYDVR0OBBYE\nFBIir6eZzZ9fdMb3IxOiKrCVuu+fMB8GA1UdIwQYMBaAFEkWnmTphDIoKxANTcjy\nYWDF2ur/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCC1E6Dec/6o8wYrcbUvMYG1XS6\nCUVSAdslECRnVFg2cwIhAIPMepihmtxH64SKGBNQuzQgvBBtl3CI0cuNrQyoOVeb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUOu0n4193giiMRdfU6Ur8kC5tY9kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFPtfs+USzI76G/UjmWILvKK/NJ17Cj/PXBKEIdhRmrF\nJzhAzGFcSj1qsn7bJK+CXR8QBddvdSxEDNWISl2xa6qjgaYwgaMwHQYDVR0OBBYE\nFCHPYZfbQf4Tz6hkQI1t7lphhGYZMB8GA1UdIwQYMBaAFOVeLYojQxES9ZB+yauN\nsCzakXKsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCEiLGSqY1+ZsobWTPHzhW17EZw\nWFdMwbYtzhc7oTu+LAIhAOCKrJ+HDCXeg7kQUkKsOYEz5A01Bsj8W49coio6q6ul\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1084,10 +1105,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaPTKWkDZ38e3dGNe2IbS/zp5YEIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0oBthpDgMzWaqiOLLAetOJN2aXLYKt5bPdKuR\naQC8FHejQ/wTt+hsi9CtpVrvAcEavBN+LgcTFAvfMaE2/8MHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz+hbJp9EiMdbI+8HsPSUVTssgEowCgYIKoZIzj0EAwIDSAAwRQIh\nAKoYZFbr+DWnPpASYxYbT/9SExEZ9iEdeznkvocrdWDYAiBOn7I6nGF0QpmMUmFY\nXqM5Ob3DFdvp8O7TF3vbLIFtpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQvs2zLlcFb78OOMTEJ/dc955JrkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQZqiartbsGei0m60lIb3TJBULzlOwgi9VhJSqO\n6GycZKecMDX5IZupZTSoJbSf58JfBWK5KOrjm657irrkxgVbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURN9L+yQN4sjDXYcXy2vf7s/Xq5UwCgYIKoZIzj0EAwIDSAAwRQIg\nJT0tmInVrTv+6UtpiJyrtTPWzkJ8H+h3YCQvJHJF3xoCIQClWWtqkU/spnaxaf/Y\n09HS2kxnDe9qmBKQGuRWT9goIQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUMZiCgA/md218q0b+4Fc9+WDyyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL2zzucsf4utxNviFd58DTj46+ujPDICG/lnsUMFWak9\njZYdx1rOWjxjnYGu2pdq3nizkSWIjC6v8LzrQHiF5O2jgakwgaYwHQYDVR0OBBYE\nFP3nKSnAf3cXFLg8I0dFQ7q/6WFhMB8GA1UdIwQYMBaAFM/oWyafRIjHWyPvB7D0\nlFU7LIBKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCUSJA5suqb7N8CwHJWn0AJ\n2dX8oq71a2PxBrMhSzp0RQIgSoK1ICMK4E/qLASdcxCsnjXRugSqOfjZckjMhN4j\nr10=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIURgaJui/fTZ04/8LbaacgUCQRcqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEzFMtQeUnEj+nMmpcCwi3UuBnd5scWaKmUorMVtURoE\n4yhWazRxlQY6UKxcx2hR6efj92m314K4rGfO6YZsllCjgakwgaYwHQYDVR0OBBYE\nFJ99r68RfnJocCGx0SoXbqg9d0EgMB8GA1UdIwQYMBaAFETfS/skDeLIw12HF8tr\n3+7P16uVMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDlbvQWDAA5dbq/YkgKbhO1U\n07rWrITf1CYS+KaOYrWcAiB6ExNbR+5n8o+tHCBP/IW84dbdkv6h1nZGkxA2ho6C\nPQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1105,10 +1126,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQq+pcHwZIXuISNO9p8Q9IojIQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbHJdseRhCKrB51VagduIOZYIPgAYd8a2upXsX\nkWqZ+/TOiv3c0pFRPUFguY8Om179q6H76Iz/BiJB0liMz+7Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiLPqP86dZ7/utt2aVUfKj69SycowCgYIKoZIzj0EAwIDRwAwRAIg\nEygEP1xdYYAbPTW5V6YWwOTTefNdB/cQ0YFae3pibTcCIFyvqyx711O+Fwwitzar\nd9lymzrnVf/DsxyDPCzvBoY4\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ+Dn2s0j1SuHa+UDRwQ9/M1Z1RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR48PEIa4xSQVgfDiWn9zMLSsWBDNOHH5Hdqq2t\nBl/84vQZXYbuIaNtHR4OLf8CaRje2Yn4g76xT4RdE6NEJZ2uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSHx3sL2H2zvjPnYSRV4SX2NZAzEwCgYIKoZIzj0EAwIDSAAwRQIh\nANtJfaOJCOnboCzFbedrffD4/c+6PS7N0IOFjbCUT9imAiA47CbcoIXah8yF3Gzr\n1tpg2poJqsvwDidDbdyF1uT0Gw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUbzsVmLavPrbL5lPoKTFoLD2MguAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwQRRvhNf\nmFaTgCXxgFCi6dio0bP+veBdN5+U167cxINA/82KvWUm1WWUrM6xCm4LH67n29mi\nFUqY1OAErPlHuKN8MHowHQYDVR0OBBYEFBJC+KbsPDjnCvWjOcpbue2V3pqBMB8G\nA1UdIwQYMBaAFIiz6j/OnWe/7rbdmlVHyo+vUsnKMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBumGihBjnavKvElAS+EtkeJkBJYx/X6IC6Ved8Ejo/JgIhAI5z\niGEGZBSvgwyB8tzli7KgWygKRGRVWkDF794+WW4m\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUIhcEPowP5LErL1poUyN3P3WV9EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwVxrIJb5\nL/3a+tt8+RZSlik5Fm00hEhEgwmFNqdcpdB0PTYwgY07d0gaffkejw8k8S7eCS3M\n5CslT+MrfBzsX6N8MHowHQYDVR0OBBYEFCEyZK7fzT/UOCMuPjqvvd2cC/QvMB8G\nA1UdIwQYMBaAFEh8d7C9h9s74z52EkVeEl9jWQMxMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBrqwuaW0lXOUVq9qocMZ0YBfpYFx5mb3bQkkiWEQxfOQIhALrL\ne5bw1oPOjANvPtx9C2yYYkrMYuNV9Nul0Jplw/hb\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1128,10 +1149,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfh1acSHM5OLNfiw9lVCm05N6PWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST5YKKh299WyGEfxV7KjF7A8VD5DLpCpFKsm96\nG6PzihCTU6NXlPGxoHVHvDv0W+9lBrxLQD3IS6cwSt0Wrp/bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqgpzUt8eMZBXv0K/vlY68mfYET0wCgYIKoZIzj0EAwIDSAAwRQIh\nAN1KxV5CRSOy3OdoBImslOJMUb+s0PmTuakcOiPYyr3cAiB2Ny9rZxyc5HbZurOq\n+P94O2/tpSuEu1J2xRNnMqDgmg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcfF32g2qzMxMBrh39NzuCaUBcH8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGx6CY4nJK/iWF8TXjrYPghxL8wT5cQLHXMIb9\nqUFB/mb8YA4hpfSjAyLc54J7J/J8RMcxFZM6Yz9sRJeExp4Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSsQijbMIBzvyvuCStj1OM/WFNYMwCgYIKoZIzj0EAwIDSAAwRQIh\nAMmpw0GW/6iHKExmXNYx1X4nfPZq+0kcsy9DxKjJSsXCAiBy+u9WSp1BIpVpsMwj\nhghHJmUuAqg2ZElVtxOwJ098GA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIWMd384V+U2g8Sj1qPcVEhT3DOOnkxhDAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEtnspHa+Thb93oINgsXwA8ePyC7CG0dy/oqyYtiD2\n9uheK/m7qU3kG0eOGjWIXrGoWECF0Vkq1mtew9/SDu/xtaN8MHowHQYDVR0OBBYE\nFI99kW+82PWUihbOHt9AR3khFIxUMB8GA1UdIwQYMBaAFKoKc1LfHjGQV79Cv75W\nOvJn2BE9MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAx5wici1mJU3blled\n7BsK8bk3Vb1aZqvvr2cmtizwm+MCIQCl9l1EFv3knWILRt5fFNyem6f3WN8ChmlI\ndvn3ZljD0A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIWU5va6iGzkiUfa9aELMxK+0J9mj+LKjAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEH/itXluM/sSdN0SiKYgsudnT1JYCIiuu8kmKxGGn\noMQ0XYjxUgYW0VJgpBJ0uYjYk1mYoCpIxxdISDP0xcYUbqN8MHowHQYDVR0OBBYE\nFIijWabom8rzs3XhNZIq+n3/SqW9MB8GA1UdIwQYMBaAFErEIo2zCAc78r7gkrY9\nTjP1hTWDMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA+olHYhIBqstWTi3h5\nZCOlCwOQWTCuV3OtR/LpI29UcAIgdW0n6JtUor7aSygYmt5JFTxo9GeDcb0n6gDW\n7NtPQW4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1151,10 +1172,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOkYOfYCb9gWqw4pRgZNr+t3MV9UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQK7c7Xy+qpDOdoJ/clJHrh1lT3gnwdnT2JwCVo\n+56E8MRm8UgU/DwOZRU6ZUnktXeVFIWiAYuI4imTEeQBWBhso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0LmlT4nsFeuMTEK7AAoYU2dQdIwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKXRzTJzGnP/nq0JUTlhoa5mZ6f7b9D8fp7jGh1UmZrkAiAwHxIX7L5K+K79sVYO\nClbbolrpSHbNG+X8AbWd5FB08g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHrO77PYZ31Db8JalxEogwB5/NE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3fE5KJw8gKH8Tytm/TBXzei71SGMjEzOeQQEi\nkV3JcHTWa6qOQreIhWRFQkCaudsOvSmQIIoTY2w8dRaM36Kqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpejqfFN7DsX9iiMunZh98fBKcMIwCgYIKoZIzj0EAwIDSQAwRgIh\nAKLAyRm7Pj1AqqDurb+NbCqJmL2oLM9KXrWg28EKDI7eAiEA6uRUSd2Y5rGWvabK\nOJ2LQG00grVkPUfNMIOBFlspaA4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE72RX\n9IIYMQvKJCkE13qUYw4FmlCHwWgPNeJCAjJeGkLYTpacqAYYrbHKpJNghxR+eT5Y\nVx1gKuAoXePVQEHJjKN8MHowHQYDVR0OBBYEFG2y9AHm6WsM5jLECjp0KsnSix5F\nMB8GA1UdIwQYMBaAFNC5pU+J7BXrjExCuwAKGFNnUHSMMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBN989SSYyk4nuHm1Z/9FfoUh3hMrRSG9X1UPBEYmZjAQIh\nAPB4/+d2evQM93xc4W5vS5erydHApt3ue9yyd42rxlrS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPD7L\nSTOAqw5dzh7L5kG85ynL6n54G0+hvZdO2AA0avDrkjp3C/sOsvauaWZzJWjqx5J3\nxqMgCaQVxiC2tyGrXKN8MHowHQYDVR0OBBYEFG0HplZk4gyohsZNG8tBhov5NXF9\nMB8GA1UdIwQYMBaAFKXo6nxTew7F/YojLp2YffHwSnDCMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBzKDVk3EkkAHhbOnmo1VlMaTa8noe1B2WcTTCvlU4vXQIh\nAKPGYNH6brCTYWdo0/oey1tK0xdhF8c1Cf+zAaWoBONH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1172,10 +1193,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcZ+OeLvcrj3LOXaNqWA5LYK5euUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATv9ng+zVkD465caNHnY3tVl3p7EKiq3U3aFawl\no68v68DFMQxtbxB4uR8EI7xtFPmXq+LxpR4VH5OxYY30qWt0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkbapRNk0uYT2RPTGkPXUbaWNKb8wCgYIKoZIzj0EAwIDSAAwRQIh\nAJwKnJfBcylmqcMP9vfkhpqnnCeJ6GyAwMSAV8EU5qCFAiBiecsKVtXq4vFplNnI\n5wbhBmMgvKTw0z7G8rnFxbMEJw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKtAQ8nDm7MNmo3mXfQMDkHUYzLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEL0DeHo2OV32E5uGXZ4x0Ou+DQSiKjrhzUgHy\nwGbBLZcD35pIT363/+mWoFs4HwyKNP79wuHNbqOTmyOlqrkSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUD0MM1oqnnexC8NAFBDqxbQYKoQIwCgYIKoZIzj0EAwIDSAAwRQIg\nJrlLjxbkrpaS1pTRppKEnpu8hlfUla2N8smCv36p6YUCIQC01qQ5pm/OkEhqdqzj\neFYhk4g/Qmhc7eK0baKJmzb4DQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIUPFffShT9gwvsWRGRdJgzJPnxbsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGIkrg5CiSCwlsotdIs8h3XaUGEcql8tyJFZd2sk1rKh\nZNq31dTunM0hv24/cq4GowlSYv2PQhkdEMc+3QUwkMGjgZUwgZIwHQYDVR0OBBYE\nFFg94M1OLeKMiA5I5sgI85MvBhqfMB8GA1UdIwQYMBaAFJG2qUTZNLmE9kT0xpD1\n1G2ljSm/MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAfgFoI+lf3MYq/nuGI8pZ7xul+/H9G8gmHqV6bbJ0C4gIgV/eD\nXFA++WOUaSD9y633OhlYcEoo48K+HOYdpUqp8FI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIURk5EMM7SgVg3KS2ZuddI9mj4hSswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOeTsJFnKEuwfTdR5vDZo+j+hhIy6Lp9Hi3aB8fobSJL\nFqmzUohKSiAW71kcVU9QvrJQ8usMF6lKCySQ+PBRzqSjgZUwgZIwHQYDVR0OBBYE\nFOF7IJ6HVa40Q7TFtlUeBv0qqsFHMB8GA1UdIwQYMBaAFA9DDNaKp53sQvDQBQQ6\nsW0GCqECMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAuIJU3CDkmsZVJyKcz4G/R6Sl1PXIKnG9+Upm4NcYjGQIgdB4H\nIqBXEuy4SfqzS6IWw26zNl970WZ2fxeh3jGIpV8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1193,10 +1214,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUw57ad6sElzkmrmODAF6vwgvemwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASO8zkY+VgO/1oSsGwFu2JirkfVu2doiwWVAd8V\nzDyeHtGvSpY2Hxf6IX2FVc0D6DLGTpXMvAbeA4V0LcEo4OI6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxc3s7LW9Afw5MKI4e7Ex07t4od8wCgYIKoZIzj0EAwIDRwAwRAIg\nDrzMH5viQbDBUq/oCkjxZGCxJTf48fm0XTw4laWtDpsCIGB3FcQ9KsAg6RybbmL7\nHRrgbVvbkIhjeUTrdVRKrfD1\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZzqvCusLA6A3lt6eHuUsawLoODQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZBQaMiArAKa/c/ynsJM5O3MQa53ILyElp5yK0\nNocgC/5GKgzVXnqmsrZqgS3e8IMXKy4c0rIYDMrQzbNBcTENo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUL6YTWinDt+pXh0ukXFiJ2nz8534wCgYIKoZIzj0EAwIDSQAwRgIh\nANDx6pjz5RiA7SmZ05zsOUyTc7I42Ikr9+YrZQ3W0PQpAiEA4aory2gTcPIE1Prc\nSzL1DimzLLNeBXQWJao8hBjK0z8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUA/WIBMG+r3se2/e/UvNLx804GT8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHxQmtkbBR2K0h7T61IPNuCdAN763pGCWMupYO1BkwRi\nTCt46zacARKXd5SL7D2I/yOcFJP/vkojSULLgDzDVvOjbzBtMB0GA1UdDgQWBBS5\ng5k1e+coI9r3mwN9jvleJS/coDAfBgNVHSMEGDAWgBTFzezstb0B/Dkwojh7sTHT\nu3ih3zATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEA9AUmnWbvCOO5jI6GhxvZYI75fk2xf5gXobPV\nH1dcU4UCIQDeHzcv7IdYZf53zCs6IR4JSBi2hCmukVDxPR0KdUsGbw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUd7Mp+aHlKMcQq9y6LEGEYLT1BJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO4D3p+WNZBcaN86098bE6Y1WPa6fCFdd2/D5bO8uSjH\nIkl2PaJUKKm11vJkJKazq5CUjQM634Cw82iW9F9c+1ijbzBtMB0GA1UdDgQWBBQ2\naRMdzDcgBS5KDftuOMsOrSH7BjAfBgNVHSMEGDAWgBQvphNaKcO36leHS6RcWIna\nfPznfjATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiBsGEnRTe4YTVglzTHY74rB6H1aoIqJKQ8MRJfl\n2cB5PwIhAPPpZGgwBLhWJCp8kbZyppUArLHErjfHno5pQ/iK5ub/\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1214,10 +1235,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ+e5p2r38+FNW34nsw8j2cAOJFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASXzSLUfiWMc1ADCXjhZx7JdZAnDi/ysxZXTm+i\nZ4YCMabtH6Qv2J5MPbCDTx7dQIC23nTrvdh0N6M0TIV5ZD6fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPK4zHF1KSFBqAWAjalgDFIQadgQwCgYIKoZIzj0EAwIDRwAwRAIg\neQyX7UC+rx1lyo5fKT0iKO3ARYWwgPbFJyexzOraZdoCIGAJsmU77hIwdcFe25LZ\n9fylp2hyFgU3RDQMZ5EUY5iV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDzHT4k7cJsNTKamLd7DZJo3nErMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLa4zpml32BvWouIFjtB3AO/I/X+7CXcv3+GgS\nbrJE4e8aJqpf8lrDoQy9EO2b8gYYG8cVZimn046LIACmYQJVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR/MmvMkpTh3ZuDQYB5P78Ml5oiUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJn4c7YbX1OK7b3cwrwlMEOfq3sl0CZtE4l8gk7foCpbAiBVWzPtokBxrP/Iit9m\nyBP86VZGB6I1XLxl9nrkYNfm9Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUML1XhuoYUHMajssJOCejZIQ0BG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNYT0z4LW71cgo+fmhu3mhuNljfc/jdEPWMSlNYJSSsi\nIZBk8kdnY59EgEA2Hr9RAtolCXq1eGwmjvzb1isJChejfDB6MB0GA1UdDgQWBBS2\nzu1PITCFLGilhR8pWSBGmWnMNzAfBgNVHSMEGDAWgBQ8rjMcXUpIUGoBYCNqWAMU\nhBp2BDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOykbhTvymm0B/XwLN2p\n62O9nQ4AC5gcd7Xv6XPJ2NByAiBZwAhque10skTS9E48ICFMPSIfMl5nXrukJTGt\nLHKiwQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUJDW4RpXpQn8aXsP8lKjaSA5QIsYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO4j8hjOIM0TmmURxipCO7rSG7XyUGh1hUNrQYVHD2GS\nr4o9QF/wYQfZoYAkkPyUhS3y5wmHVvWVjaYMfwpDSW6jfDB6MB0GA1UdDgQWBBSJ\nrvQnUaBbc7OrrqYyw0fFy1L89zAfBgNVHSMEGDAWgBRH8ya8ySlOHdm4NBgHk/vw\nyXmiJTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgfNfJJ42LBsyVk9cKkn3Y\nIGqYnj1isVGJadTT6qwEoKUCICBlMu2P/TImuOojzKrlNyvRAytnDO2vJOB9Ltdm\nJlxB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1235,10 +1256,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBIjoiao57gXzF4LlDOrrrMrapJIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7fLOubQJL+7fmUg6cmEs6k+CuyEPKHtcH4Z5T\n8Ypa5q1QGA2qrgZXms0toFcZrvjyL5z/RMasjLL3p6m1sLe4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUXr8epvAatBNaWp/Y997QRxgFI0wCgYIKoZIzj0EAwIDSAAwRQIg\nMNeiOmc4+o6DUdtS12U6kIdAX6JbH9/7eRmsEw/ir3ICIQC25//gHeLbYNCMKNVR\noec9X803AgZX3k6XDlj9AGdXkA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULN8p0/cQ7a03hzMB2QvYe3dLLFYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGk3No9HeR33ywDKEwCM28eowHIrzHloxu1aq5\n90H/kopxa7kv8/qz9jkLGYKEhBjq0v7WUlRTTvz9l0se83Fuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+V9DbSCvo6vwOrZA6TZm6Lcu7Z8wCgYIKoZIzj0EAwIDRwAwRAIg\nCEWff5aj4N2yJCTBBVEyzQO9oVAdRj+D6C6M/k/bqRkCIC/5iWGOijZQI4IPUtHQ\nfxLZLVnV4czGopPozXek/isK\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUKGL+PWvPpScZGREU9UtzTUPm6A8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmJKPKQL6Gw1g7tNWpK90BhMaNYVQZT5Aqt5/ovKmSC\nknUdRfR90yoHGxm48IZGO8d8j/4O5izULy9dJBHdKYCjfDB6MB0GA1UdDgQWBBT4\nZRwD0m9jMeedSyC5ZOlZrz7+zjAfBgNVHSMEGDAWgBRRevx6m8Bq0E1pan9j33tB\nHGAUjTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEVlti17vzTpeC2Sd24Hy\nO8UInsqFsg5ZYpXJdeh4suUCIE95YJ9e2HUOagM4mMN4zqBarU8iyyc/3EoFBHz1\nYBGT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUMrKJK2uz7W7od5EJbS7tf05yqr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDw597Mr+1LPGW7i5DSU9HOsBxUWqAjfiZD/SfTC+A5l\nmbwW/AbedqEO+oUDnu2mFACWc1k7DgUrrmma8DegYv+jfDB6MB0GA1UdDgQWBBSo\n2uzNtzrFDsagZhXOxqaEwfCx/DAfBgNVHSMEGDAWgBT5X0NtIK+jq/A6tkDpNmbo\nty7tnzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEywqjC/Gr9t+74Yemmxs\nZtgx7tVnkIc1IGfV8DuoZY0CIQClCyQL8efxmR2c71KfK7/RU1LP3NIkCd6N9dYs\nsaH/sw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1281,10 +1302,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJnttr4Zzhnr5JDkQQkRos/1CWJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARO9Ny7hdlFge3jF0gO3o0ncBKTMbQNGzR07mZj\ngGPNi+UBy33z9OBCxv5c5ikWE7yatB1zRzvABrs/4gYxSR6bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ61W5tky2dHGO3YOw0cfXcmnOC4wCgYIKoZIzj0EAwIDRwAwRAIg\nenDYQWqf3kz2uZA+MgsJO0NLdrpatfFm0XhQ8SId96UCIHduRiUPMvuviCg2kvuB\npWBGG+3Dd7Irz5PoucZcdU17\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWtVOv5XME9+sCf0loCZ/mo8MGxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgKEhrZq/e1yeCKG5t8gg3BuuyyiUqxBzGjq1l\nfi3aFL2bTgWi2qI0Xi/mufiwUwH8sKkBdVMJjYgPiPMIM2exo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVJbvHxvZgKkIbNuuMhnrAja9UYMwCgYIKoZIzj0EAwIDRwAwRAIg\nSJ5wUHf9O8cEoDo/ceK4XZKZNOn7BYjM6ogOcZRo+8wCIERdWggwJO/VeklFb8kR\n387acAwL/qZJ5ClZOuQe7Tng\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUE+G9ylCuT/HdPLc7AdU31ErnEgAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNBk8udN5nRhLnLJ05SpEbo8OhrXcs0TihQD630fI/NX\nDoj/m0ehnV/HwPZl11m/jq9ZOd+eZlJisJ0YFIMs3KijeDB2MB0GA1UdDgQWBBT5\nLvtbRgNBMxKlb6P4Cbobe9hDOTAfBgNVHSMEGDAWgBRDrVbm2TLZ0cY7dg7DRx9d\nyac4LjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAk8/b1D97cco266p2PkA9iCUZ\nP7Nvt1n8PahhvXOIF18CIGIb0FfyRwbSiKFiJX3Q9EdFbddedmdtyebZnNmo/iBM\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUfHj9j+e4b7ek8oDIgpAWMSHBiEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF75f7djiWNEpC4DRANQX4GxG0GyE53h0S67LbvESRPr\nuFahb7x3rVKR7TLvSyl+EjI3m6T0ilQQkUrVpVfHx6ujeDB2MB0GA1UdDgQWBBQ3\nsfEqwGPVHwR7mNt2swO1xEiKPTAfBgNVHSMEGDAWgBRUlu8fG9mAqQhs264yGesC\nNr1RgzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBswIN2XNgeJ162QFjjSJnF9HSt\n8ANk7cY+CHKVowr9XQIhAIlYO2q7zBnSaEXJ8fWOw61PrpNmVpZCjXyWX2vy5Bk7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1350,10 +1371,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHfpodbLNRqV8YGLyEy6zAK14ecowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScRzsh1n2TeLHopkPqolONMiBxzUd10RMu7qdb\nunq00hbPdVg3XJ0pnhwPXhIg0dcI8Dh5ySPHzMjswplBu3+co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdlDkO5Nd4Vij3xOpnTZtkSzKEm8wCgYIKoZIzj0EAwIDSAAwRQIg\nC6+cfIYBe3ybVZS4BWXuRaelL4pdjmat3JBgsqTLR78CIQCEmcTdErsE4MPeZqx9\niZqgs6iuN4MS8fH923zbLj+Jeg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCuqT6EmIliX+N4Vv6LcYofpAW0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXljNoVo9H9rxWhiiYls9ulKVBk0MLOIGYFW1e\nvBCAuQiLUUZrlPyGd5nLp3q5oOXpkM0gwtmPiPIF5PEe/MJ2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4Ya553IwRiaoaVqJcLPG13vA0w0wCgYIKoZIzj0EAwIDSAAwRQIg\nQ5WTJSAzYvlpZlPF+GbOVjeLDGJ+bJ18Z+c4zd4oK4gCIQC8BpxRdO7oOQUgKzI9\n8lODPS8eIJGjbpKCG5oq+Z9AVA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUZ9XC8wm9xyPBF1kj+Q2Y3FGBwy8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBLcULccL09xv+2Fj+ASdln/znWdsUn4Qv0uSeROJUvv\nXOU/dmDDkuG9K1a2fKeHcbBs8KXXNfL0UpcS1ihn/9SjfDB6MB0GA1UdDgQWBBQV\nf0AGjj8L+02buuYgyujZYiDHijAfBgNVHSMEGDAWgBR2UOQ7k13hWKPfE6mdNm2R\nLMoSbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgOv076BGQvwFYhbPH2//U\nfd7IX/iLaYXwZ+tWth8RmuMCIQD4tQbdG2TC9zGfKSa++FZdbB/24wV92I6MYPaT\nBC6htg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUd7sMBjcV1G+gl2Guiv9rWQhvx7owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL+BpnyA2EW1N+1Oc2z94mY17+Ata805X0ndmnIMg9zP\n68aleyWxVnzHlCzM9BVJ/XUeZH1mVYPcpZTdVY3AOSijfDB6MB0GA1UdDgQWBBQj\n5NnGrsnTCNb7I0LgoHxgJgdQADAfBgNVHSMEGDAWgBThhrnncjBGJqhpWolws8bX\ne8DTDTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLc+5bdFwtt0bGOd7pzLy\na5kjEPrJDe3r8CQLv3qGJp8CIDaWL2w43GVgOco8A6DILwok47FwjxgfVINeFfkq\nhKZ7\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1371,10 +1392,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUR2Z2HZVytXbmP2ftELFH+JvAlsAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzmNjE63G3r3uIUM+sr0mY0fIWnl20YIPHgHx2\n50bmMD05qi0v5BbB+iSkL8QtnQvKqqw/7NcAY/MFwW7RGSFQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSk+w4Sm3h5hv3heLYlanYeRUCS0wCgYIKoZIzj0EAwIDSQAwRgIh\nANbCMXCq4IcL6aypDJCuZqJex3rlG9AV/EeGMVt6XotOAiEA20W6YRdDNWB7OTAM\nLCDcmKtZ1Get9Iydhqui+PfXdMI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM7MuD8BQtoIhWhpApZ4QfaQ5ss4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrOahOPbCWJQEXS+PY/ib+1TV2W87V5jKT7W5o\niiRjcEuOr6zbnCKXzirPkEvymq6Hx9DVXJg3ArqEkt6WJJVfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSQxYGECBpcIe1HE1kx/NS+vOD9owCgYIKoZIzj0EAwIDRwAwRAIg\nWFI374skcyM/BXLdsvlJJuwwA1mRU6bhAmK4lsaGL9YCICgDJL1XgkNhtv1jgfD0\ni8cTEjOVeVlCSjVDmBR+oVN/\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOTGXNCRuQsufSxGKrDswI9FMwAkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMLTwKOHYHb3xfGuu8FjXvtTPIuTvWrpITPTGT4pUdNr\ntDOHLv3iyaVCW1ozqs/iMocjERyMA6uLnbZS48xMvUCjfDB6MB0GA1UdDgQWBBQr\nqP5/4MOv0c6BP5oVtHu04ODTbzAfBgNVHSMEGDAWgBRKT7DhKbeHmG/eF4tiVqdh\n5FQJLTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVQ+FYTXWoGCZrITQUHN1\nZdKd59YELe7E/zldSRH7Nr4CIQDzTQ59Xq6hUUpYS37HZbKCLQesUxGN20hY0vL5\nB8dwmQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUVt02V5yr3Plq0oQzR3KsLHZqoBwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG4EdqZfCsYFqxl2OocLkbBQJ887ybMXB5ojRDbZxlJT\nFDbxpcO+AO9lvgVZJi9Nli5Y7r/bJGzBZTO2nTgMABujfDB6MB0GA1UdDgQWBBSy\nG5+UtDFaNZsmUSErUXYmdf4f1TAfBgNVHSMEGDAWgBRJDFgYQIGlwh7UcTWTH81L\n684P2jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALobmxCMYomQJUKbwYHB\njakAjDcSB/nhFumJv3yFghvlAiEA4XIcFt7Vpa4LGpHzVZIhZePahIXtpR8YkstK\nXaUAcrw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1392,10 +1413,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUDZ1kinaUqTDcDHQUjuTFZ5QIBJ0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7rVuGwxjRw9T7kji83e5rm0qUNzM5sTk9VFGP\n5IpeCf4jY8YNknUqN4glK6LR27zLArJINFR4anoDja1kKhDUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcMHuupabydaIZjW8svLpvg+D4/kwCgYIKoZIzj0EAwIDRwAwRAIg\nZoFzLne05uza5cmELD/wjcqCFcvwn0R8dl/S9blf8+cCIBIN/MuWMyokjL7+Fmgg\ngMCiJpb39eqVapo258aKjmzs\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVIs7PNiaq7eGQjgVBlacJK8D9LEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVlHM7wJnNTKdHXnXL5TwIrkHGJMawTW5jB+9A\nkyZRp4kkLW186eqFgceuNFmuFSYy8f+kbtzoAG57v5WRF7l3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtKae4QmOFFpfEkz2JfFGIAQpc8cwCgYIKoZIzj0EAwIDSAAwRQIg\nLuHf1kSlTMws9CpHMYvrFVCAm4Kjo5JSEEfAmVrw36ACIQCjXHr+DJ/K23Q91SI7\n/BIaaCVu5GQnzm4id7g2OCpfpw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUNC8YMhemCn8CpK8XmfL3RlkOCaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH7Sl6FKGA7tS+BtVI8qntD19i03ZfMMQDsvZqXmohSW\nS6NG9ueNo3lkJFtw4UuKp6dQKbkwX+HioPs1zieW1zSjgYAwfjAdBgNVHQ4EFgQU\nYGIZtjspynbnMWEm/INmKV//R/0wHwYDVR0jBBgwFoAUcMHuupabydaIZjW8svLp\nvg+D4/kwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAL3sVFZCAC9wnb\nx2sczRxtpSq5OVGOBb3fUzH5RA2L8wIhAO1iDVlPsqYixOXlmBc8ein4sAhMduY5\nphQ46fLE25pX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUNqAEgaeTXvzUC5LAfNvfFlIXkp8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOb1qxPH1/Z2O2bYuHWKvVHnIPVqcDjtD0hDbUSGBdMO\njY1zHuYvwPHxbRHd2GTS1Nd2Z5NSOoYZqlndceT8o5qjgYAwfjAdBgNVHQ4EFgQU\nRxYlvQ0ExvyyGgRSx7ev/8ZA86UwHwYDVR0jBBgwFoAUtKae4QmOFFpfEkz2JfFG\nIAQpc8cwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhU608YGjK9Lh\n+bVrl5CzNdfWSLuYk1dr2PO+DS370u0CIQCsW4y+oXXpm6R8FZs8ZcR1VtwAMiHx\nfjhKmLdyRTmaEA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1413,10 +1434,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM70/XVnErRVQU5yNLP03I04X/6YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAfMBmTS4yx7dL3uR0S9vzdTDuxqwhGhsQATdd\nWx9Fe4H6NXayGh4vWithhGDc322z6U//YyOgUE39A0mhXXlRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7HqFDirOzMQI2144eP2w4GLXvTQwCgYIKoZIzj0EAwIDRwAwRAIg\nPk+7Iu3Hp1M2YxQBUKHuMmgvOr1JouEmOW7wNuL0wsgCICBWWOhTVNRQUxLYUH0n\nCZg57Bh/H2t6flQoj6fydnsS\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSJwAsrtxmq3OU7Tc9I+OmgBlV1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ1CH8xJFkpCpwUp1y75kJrgwvUfv8mRhR7vew\nvOIgAXTTlVCmihJJbc+EnLLoxpfJLr0u7R6SyULL54LSFHiLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDEWbRf70UPWuB48CpCyyGYRcH5EwCgYIKoZIzj0EAwIDSAAwRQIg\ndqiNOp1UYS82OwI+bKd9PeJAHA6leG3gUKACh5jEhGgCIQDbco5z12u5V1X+/6Sb\nmUC7tTGdWrTtd8N6cduYPP9spg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKhFTaPbTAzpNEG9f16/FO1ooERUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+mAsQhfgiENkTY5vLkivJA323IJaikelIQJlLoGeMX\nZ7/VX7Bv8LwTKxO6//Rs5JXgywi96dSsgT/JQbSAo6SjfDB6MB0GA1UdDgQWBBSx\nJv/yI6O7ZN11dOZCfAAxFUg+QDAfBgNVHSMEGDAWgBTseoUOKs7MxAjbXjh4/bDg\nYte9NDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJfaX1ws0VQVgZA6+ChZ\n7EPCE9FWO43Vix7RavmpvG1nAiEA6hSoSAUeNlpSDres4bt2Kkj+O641RvdBmjWg\ndkoyax0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHbmqTfVeuHRfRIJkJCA9/cd55mkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBkNZgX56iXec7rAFkhqL269/ibAY2Ybo3CKVGYh+FDf\n9B5iiQZUSGT+p8gWqs4OyZ8pn1hV1oL2XyCFoHmJO6ujfDB6MB0GA1UdDgQWBBQb\nEF3T9YDH9RyObHKbHEeXtdpm+jAfBgNVHSMEGDAWgBQMRZtF/vRQ9a4HjwKkLLIZ\nhFwfkTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgY63HAiDJGBK6cWP5ULe+\nhanDfyCIhRzp//oBh76MqecCIQCStzbHPYp/0VPKV0ibHAAQ+wmkaoowcvrT6Gz/\nAlExxQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1434,10 +1455,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUWcH71LjeG7RVxAlWHu9VR47sScwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQyXK4vXPe66ZfhIr0Dysd0a1oWODhTkukWMA/m\nLECDF5mSoXDypZe6K66AVRhgoByLSkEToy8vOVsBilHyRmd+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkiDNa0QJMwfDthsickRymvFgEk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAL26GMUuejQcyW/ZsGdHXmHYISpHkN4aUb3juFX4462HAiEAocg7irqpZLUrN+GM\nJzw4YMt0pF1B9cgvPFX3lKO/RpI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBfV9EaV4oZ1QTjZCXjwg6av7lmMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXM/i1U6W05dBFWVtSiTdfS6vTr1WKYYlPexcY\nLlfFG5tn5aptAOEioR0xUW9xrUdAyp8kRkFoQrWwS0dMO1OWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNnG+0zRzTEZaJkBr3tQqFuBPC80wCgYIKoZIzj0EAwIDSAAwRQIh\nAJGis5HecVCQITF9Swr4o7XLWUI6iTWpGF37HuF2HGfrAiBvLbL9xTdKfPHmcWKk\nrPopBMxdyGKMr2ea735JT/yTuw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUF7A/I2gUOHfQFyywoIKkOU44wQEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2wTPGyzMMcfHUUuao5hONbma9Ao96XXM9s0uHAhJgr\no/qN7ij0Zd+xxZAyHcFQr5IYcSqeXNL4H/AMclPP+AyjgYAwfjAdBgNVHQ4EFgQU\nRFoa+dtIewJ6lKtLLGBM27ucbQMwHwYDVR0jBBgwFoAUkiDNa0QJMwfDthsickRy\nmvFgEk8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjVxi7f15yB8T\nkyAxyvjK12SiRRLGBl+voyn7ueJP8+UCIQCJyIXYYltLWwaNKxXATDpNmB9WYZIG\n/DwPV059YK7ANA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUfbehToDTqit9dkGyubqvfUEYSucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTPMSRCRQMS8Eh33jV5PaXKEbHpWp9YdJ5qL1YiFgzm\nQ25V0os0cU5pcTRUKzqq6pTAy6lAA99ac9JkAdHJKNejgYAwfjAdBgNVHQ4EFgQU\nvV1BaR3BNq9XggR0XI9hQQxLe7MwHwYDVR0jBBgwFoAUNnG+0zRzTEZaJkBr3tQq\nFuBPC80wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA/hIKWwTxF0yy\n29F53+sDbGwSuFcI38p9GQg40EPo+E0CIBcR3RXcdUDx1O7JYR6mcjdD0p46t4vA\nWyd9zcEuYVil\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1457,10 +1478,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUenC9QkoKjUDRHQSDiM/wtBZzNmcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATW3+APfXpF74UQSM8jdWbYpJ+2yYR1LJXfXJr8\nNyYxTonVC08IX/wmBSlkBSyGK+cZ4mWTNJhdLEPzUmcVd+cco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpwOTfKi/l7j7R7VFKitwYaW+lm0wCgYIKoZIzj0EAwIDSQAwRgIh\nAP6BHbfJ6mjZGzXCuB195HYZkyTYlEw9b5gDq/iqA/9EAiEA9JP9JF6CPFJi+pFA\ntaB2wkT1Z9ByLs8KwENhVFQ/cK0=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZj/KzQZLOuMBxvVkfe3Ed6C8bHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST9597/kdw5HTm8F4WujoN2Iuxf7rA02XXSJmY\nB2tYGhsCv0eLXfD6Wkf8ncr9CkAypJ0s85Rnk+veolobdJ3lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqOPKSE0iwmcTDH9I/ZKbpPvwF/swCgYIKoZIzj0EAwIDSQAwRgIh\nAJwU5Ic64wVl5rWJXsQ7PMaSqpy5C5Ke0JdDFN92FWGnAiEA9wfw/BAmzhQ/MIX1\nzSMfy6Jap8Go3rG5GMRcoGFE7Vc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULYyJArBUmABu9jTCOd2deygmy9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHZ4gu7knzho6dnSP4t9xR6ZawEGGy2CTly8D64t2hM8\nQq/L3bJXfwtmn4bdU17hclM2OlxGajBFjE7wJZYTNpujdjB0MB0GA1UdDgQWBBSW\n8yLFecN4m4Ogk691WBODlry1ojAfBgNVHSMEGDAWgBSnA5N8qL+XuPtHtUUqK3Bh\npb6WbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBHvEV2Qdybqag1Q69J2RFgPOpUSh\n+WLxzCr5/MNXEukCIQDeYa//NwBlr6lApjQUfo3iTb55/qbGnXNRt7d4Boi4Bg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULWahzDblDxz7uisMbvGmbWlc9sIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKjZ/RhQFHm9Ix5QYDdDM5OeUv/hnzW0TbxUquzY5IM5\nOlycnhH5ovwZaJzldWKNbzIENxnMsZ9AF8+wmTfs4OWjdjB0MB0GA1UdDgQWBBQT\n2tha5gqeYOlbNMcbvYi1l0MrETAfBgNVHSMEGDAWgBSo48pITSLCZxMMf0j9kpuk\n+/AX+zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANHznbWJRYof9AnjX4jCBo+PpZYL\nUmZa8KgDptHC0ySvAiAA7ebdV5dUByjy0x2sG/mT6NK80tHqgeUowmF6vRU/3g==\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1478,10 +1499,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcIN1+X6Evkf0nKKr7TWEcT3c+/AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG/NM38NzuAXApXecVdfki5coQ/m/skWdC65Jl\nQM6n4eDKDbeb/gwjqEDq9stWKEfslMD/HJ5iCdsg2o/OG0n9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUG9F8cvqSBPk3KkFDZQL18Vny/lwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPnje6EAubO2B3Vm63vEpqM9jIdfHncGSN6QDV0ugeWWAiAyg5p1yKavimAxyYs1\n86uPYcGsl2iMmq2hzg35vnPMOg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ3ayFHEslp1Nu+w4+R5ZVxxoDgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJBA/VKFUEiq4Vtk/rcG5kieoFfBx+nKqHWVZU\ndWoQVvBe2a7SdZym2NOJGCOKG7xNPmL0DYidcEdxheN9gVd5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1m5AByc3fqpndvjGI1zBCt1QKMIwCgYIKoZIzj0EAwIDSAAwRQIh\nALF+9+HV05Zs7YpWHIaq4/bjOFIfOvyBwMoH03BwCsHEAiAbdjXUtmfCHB8IpzqJ\nKwPKcx1hpzhpwOkUl/qT4FmqXw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUEjsYlDT2JMqL8rEr7bzJp2YRl6owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHBSwXwKOzyeLde/komzZzb/TDSmLvmHcVrmkGyZpVuP\nqfFhCllmhl54SshymCfz6h2rsV+wkpQD2kXrfOOaaFWjfjB8MB0GA1UdDgQWBBRh\nrUQaZ4f5cD7lRD/rVwYhP/3AyjAfBgNVHSMEGDAWgBQb0Xxy+pIE+TcqQUNlAvXx\nWfL+XDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAjVjAdiyq6UTSkDdtp\nCtTMovd3R3Ha0ud5gjmBXnw23AIhALQy8/aDcg9iCtrawFTMHbIhLy2pQMXECb2n\nSZh+U+1Z\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUR2v2plEEQm/jLi0m4LJXAGlZZfUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB5LTXtVg1FrGE6c+DmG1cVMt4xas7aUxPajhYxj184+\nzzzoS8u9yGUIG2+tqGmCopRqzcoYVcBBpnrd7JHSt7OjfjB8MB0GA1UdDgQWBBRk\nEr4Ai209ASfCbXOYSgz4/kGyYzAfBgNVHSMEGDAWgBTWbkAHJzd+qmd2+MYjXMEK\n3VAowjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAp5Tscu4z+mR8b/LU\nb2oAtBZadNCBqiwDSfsa9avjESECIQC8Ie07ZRJIwbs4PkKcee48y80YF/zt7wIz\nWsD/1gPVhg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1499,10 +1520,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUXfJKys8nheMPRbP5FJXwCRUEl2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2ZQu1zsdDP6VaZ9+0wGJac1h/jO3PqUwWu/CI\nqkSbzmq/7EDlsyi1xCagbQBUx69uZJaOv0pGmlL/uV3xWT8Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaRCt4C5uuR5sRPU/hc3k6CLJazIwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY0dRWwS4lCNMPiuPp2PmqJqZJtrr+vk0n9ahnDope7AiEA8vUBofSPePNRFPGF\nKPSSzBw6BR8NbELKf137Ojg3yTs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAysdfLm2lZ4YILsuz2nOZ6XZpG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVTjRKP4kYSBmXoqElo3m4gIMaaVUiusrZCUeY\nRxyiV6JE8/KaEhALXIr3f7fqNI0dLH+76tOQy16BppvItZKKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU50+isgtCVsiQKcM6ugsGqWYYNUMwCgYIKoZIzj0EAwIDSQAwRgIh\nAIR4wlLBskBI3bV1kv34VgMYSh21llPpW0GElV46xXSuAiEAisepwgAKbToFUlFF\nAe4XHRxTMQyF+f3zbpWrcvdOwo4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUV/Mbwbso0vcXLepLHphWEW9j6vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOa4KdOW8kCha2wswMrfSE/sf/EeIYGvnc38vtkphvVC\nPJwW2HMjJryvuvuMskTOKxXu6aeIKBjwZm4n7QTG2VmjgYAwfjAdBgNVHQ4EFgQU\nb8tkxaZDiPKtOt92RYg8LNgb87cwHwYDVR0jBBgwFoAUaRCt4C5uuR5sRPU/hc3k\n6CLJazIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA+OdvbcX+9loL\nNMPXMeVMcigaP8euXdtjA7AQLwd8D68CIQDVtqqN6gwW8uzVf3/8XlCYZqVr7tJ4\nF9wQqkz7TWzYvg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUHXgTV2qJXPGGwkOH75dQccgBOnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKM9Q2hJ3xunmf41W4HFRWy897LSXvSpkFOUSDxVHqua\nq0t0juhSu3vLBGwznoBAaL39JOoLDrRiDJVBlEPU8mSjgYAwfjAdBgNVHQ4EFgQU\nRU0MzBuTL+uxKDAwjDzXdzEHEPAwHwYDVR0jBBgwFoAU50+isgtCVsiQKcM6ugsG\nqWYYNUMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAKfmmSC4lkIsXV\nonqSD650AvWGSuy5Yqp3RDXXbsjy+wIgOTOwDH19EnXTgONJuiZyeOrInoBtRCkz\n1xbh9qQAQzM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1520,10 +1541,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIwKaGBEyEFT5gkq15VBGXE7CTo0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+Sk7Tb01TGpOzqAiWyYuIuX5p09oLm+mDetgh\nI4WoIrmt/ZeVJS8W6biL1UtK6x2J7NeA/kEJoCMeThs1jY9wo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkFhFinzqmIklUypchgbE9NPPZhYwCgYIKoZIzj0EAwIDSAAwRQIg\nYEjgyI9uthVODVy8v6J+y/7kOWbgDvp4JGbjGhT1aGwCIQDwFAoQSCY5H9+u7isP\ntzoR6lwUM8ZpgKROQG+g+e78dg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI1oJ9krv/Oxd5Te/3ny1GUNE6u4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFJvGqVPYyCEjvXK5x0n5m4MNNcg1p0aQ6yPmX\nN6xbSa93oZUnFehh1fU8/JjLrP09jIF9i9CkSntP/IHRm/7To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP4VoRn0vFnyIgo5v/+DdivBBfOwwCgYIKoZIzj0EAwIDSAAwRQIg\nKPKWz36t6wiQti7Idtpr2R76I1Xekmz7s1UvXJA9FSgCIQCwVp0DjM0sQiVsLMBW\n3WgJg4LZhMWhh76QdiW1dYMZtA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUGwVluRFwnwi6aIztU2SZKBEKpJswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLEGWCPyGzW3Gd1pHsOBWfCm6dTLJfM8TGBeryMBkKC+\navIjI96qnhBITNBWQZkhajWDn/RAshh5B600rmsXm5ejgYMwgYAwHQYDVR0OBBYE\nFAZ1Uc2m+vvxywsQLXHRlQ/sbfXAMB8GA1UdIwQYMBaAFJBYRYp86piJJVMqXIYG\nxPTTz2YWMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0A4cw14k\nxj7vgr9oCUT4D0uxs6Sl86Eu5SVqq+uB9iECIC2KxW+yHIAX18wug5JAXMDx8Oej\nCumjAzEqs8ILCjL5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUWIQcohUtDI6w1LCEXNNr7FqCM8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFSEXmA0fzg80QvwtOUhroPjf2fwes99jMfYq2xRR++y\nXtpTnAcwtcrej12r59sspTG5EyEohBhWtuS1vHusDEajgYMwgYAwHQYDVR0OBBYE\nFHjXlnaVfQYYyOOkPj9gOnOi1cwGMB8GA1UdIwQYMBaAFD+FaEZ9LxZ8iIKOb//g\n3YrwQXzsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBKvYMf/DIs\nvQeop+xaQHM08B5sZckrKyUQazIDqiBlKQIhAMyaaZq9f2tgVa6m+yjF4YzGrbEU\nn32leZ+bH8U176BX\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1541,10 +1562,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDiNUzXZVgmcViBL8Ve7VFf97CWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS17gUkN9A1v/6AChCKoBkKux//0xU5CPdC4bNN\n5EB9NAsJjYLliMbCKksk4oFMk9V46/sY8n+Kst42yuLHIbXIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUESTzrhGgqxw41HI28YYOpiwn20wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnZj6aINLFJ6SEf4Ls989rQK6N2xeH83vlsS1nxKVXmAiEA7/axMpmFpKZqKEZi\nqqjAvVjwqzG+nqW+lWyeB7lSV/c=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGLNJAVaKdKqUntYASNOl7wDA9qUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ227O8TT0RdVJ3RYDskggH7JXTZKAM2r5dGJmp\n6OA+G51ziPsYbFD3uXGBnHVxrVpsPtm+kgv6S8NI4tQJuDZWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/FJnEyx4RlLvvo6QWl6F0E88iz8wCgYIKoZIzj0EAwIDSAAwRQIh\nALsdstBjHUc97NHuTDTGBAYKfGNgaEOU9z8K3PGhjlIOAiAwz1ZQCjHPMrqjMtPP\nwT9gaZtq50+u8vfhEgqgrRit4A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUEOxOkSPYbzK7S9Zj6a5lJzxWARYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPSZ1A4zrCBCswKvlcjmZT7D5aEhjbfJlPxkdtgt9E8H\nnYj8FfSrc5Tht7og10B1smsdulKMvFECru2QkUtT+12jfjB8MB0GA1UdDgQWBBR9\nAN/QtE22ByZe7vmqo94B6+CvqzAfBgNVHSMEGDAWgBRQRJPOuEaCrHDjUcjbxhg6\nmLCfbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBQIBQhScqg/6Mjn2Bm\n8yO6Rt4bh98uFCbR32DFDT7fzgIgRsYDxQosp3iUl84reW4VtNO452x66duDW7ZQ\nESduZ8k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUQcQQWF2qw160ZvbVcOF9FqfMfqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO042g0bNKiWfP/qX7sGWnOW2YvC2jfoht1C5ErqdZtt\nlrW47uyahGK/LqoBc8JZSmGi/ooQurZVGWzB2H9qf2qjfjB8MB0GA1UdDgQWBBS3\nBVlIj49IwXKPQi5z2bwIcLn8+TAfBgNVHSMEGDAWgBT8UmcTLHhGUu++jpBaXoXQ\nTzyLPzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1oYxL9ErA4/nbEHZ\nnh15WMnSVbje9NRER7Vo/D96x44CIQDYloTgDLWRIpD2QtNdyMR1J7mBJmfkr9DB\nGAIqjQ2RjA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1562,10 +1583,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUcP3Jed5wHO9OHlq3Eo/E7a62tgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWeesNKoZBOIIHcaIoUWTZkW8h4tjW5TgVUZlb\nsqM2aolrx3VRHh4ZmdqVs+yrB5uRsS34x03hCrkULXaVUM2Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwKGvph6w0SnxXgJo/59WRILlf5IwCgYIKoZIzj0EAwIDSQAwRgIh\nAKntphzAiAYg+WRMUGHaTr8dNliGgOKC0gLQ5SvucwEuAiEA+FgBkO075PNIQzPX\nVxruzmglLb621Yv+0/nrBVQ/3Jg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZKECIX5Rvf2tBLWZp0gLN77okLMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgMtGmgsQ9GCqQLjxQEtS6E6szfnh1Hz4ycWeO\nhEUmft0FPgERqG1JkRHg+mZ9XuMcCznd4o5x2D8gGpJ33aV8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+4icukLpL0oGM2hRDUXwADXaGOcwCgYIKoZIzj0EAwIDSQAwRgIh\nAO/hMU6OqL43JR5HaBH8tjt8gFpqSVmVNdJebu92oYVMAiEAgPMwHGUGBJDUSwye\nIa1JMDBNXEh+hcpla1yHL64lrOc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIURFoBUhfNtqsA6RnQHH0IQtPhlzwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMBvjl4GPTnFU+IfEFY6mTvZ/0jHAXUFqAUjaXctrGT+\nvRdAgOKS3HrfpPuqA0DWrRGtzNJUvgk3857y9tWmWQujgYwwgYkwHQYDVR0OBBYE\nFM8ULIKi6mdI1ehfZBkpeKCU076lMB8GA1UdIwQYMBaAFMChr6YesNEp8V4CaP+f\nVkSC5X+SMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQ2DtLLiaJqpP2elcnDkEehwNxHifx4PrD8COoK5XE3wIgVi/Nb3QF28qmB/y3\nofVfqm8ThF9FWnTDTnoXKbN3ZNU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUXnnOTgmN6Q+t7aL8VlKkSiYP+GUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBY+6sMFjQIoYffK4LnbMJg2aTYH01Xe8g36hJS3zuY4\nYZsOT0huqkLseuuRxT8zqgQGYqE0w8V845HyYhwHnQijgYwwgYkwHQYDVR0OBBYE\nFPoSJ0SSKwDFwu7N6akvLgSGObXSMB8GA1UdIwQYMBaAFPuInLpC6S9KBjNoUQ1F\n8AA12hjnMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAgPQ7TwiLXk1qC+sx4ebDIR2FFf1Dopmy22y03/AYSpcCIF7+DNlBf9CcKtsq\nkZPdjBjaB2buPPpLZ+WhPa2KKKO2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1583,10 +1604,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBR3pdWWoRl5choOIMCOb56ijOqIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATo+On9XFonsV1VO9eNhIjg+1fgJ8kR935bRvxs\nuqm5xsywIzQ3Z1sz6oCW/4RiqpEVenVC+VOL87bzLPtfnE6Eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8p9ykQ2N8e2j35Tdm4y/tVSA8bMwCgYIKoZIzj0EAwIDRwAwRAIg\nQ9HXLF8hxINy5Ge7ipjRHqvSegDxBpJXYXqkPOmgftMCIBjZU+hyedq5puJWElze\n0u1a38rA7r/QIAvI2n3yS6FT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHOQPMPKOA5SHMjVcMCUj2TtWkuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaBwlt5eDzHsg+CD0P3oQxozTPh3Qy4p+iNV8f\na9DEFZbDqLhgsKBqNRJ+nf1r9/rEmoC2IfGTpqb+Tw7wDhijo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFhJGSkD9XwVPFgKc2XymRXc4/ucwCgYIKoZIzj0EAwIDSQAwRgIh\nAJskGgJL20+e+MBL+neAo33F2NCx0UFEobDEOFArY1qgAiEAl/fT8CIz/XYeA6pd\nb1JwaYQHkxv6JDThfjfccArMYSQ=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUKOzbdaAYDQsLB7ixVj0grb7wLE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH0RkbanghRrOguWvrY0JPZbR1Yaba24Jc/bUkzS35T9\nuLjrzN9ouHHyb8V9uA+4hAHzfZ3OOLVn2D2G0fiii5ujgYEwfzAdBgNVHQ4EFgQU\n2R8WnjZAhxsxTslMWhcAzUcYmrowHwYDVR0jBBgwFoAU8p9ykQ2N8e2j35Tdm4y/\ntVSA8bMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgAnkmen7aHLhp\n0e/cEHxGhU1OIGV27h90QtaB6gydXmoCIDJ80tSOU4fEeHZpiFgY1lN3m6vfW5HX\nUMsmSNlh8DtS\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUc5YYmBxRhUTZr41Lh4eLTCUfrGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ7od0rOSpH6cahgBuh3dyrLvd9YPdCLSn6mhG/jX9nm\n+JVC1tyrqQTLUCZrUglTVKQEIxS6DZZCKcF1uy/bSKOjgYEwfzAdBgNVHQ4EFgQU\nJGlzfxjCLxbkdmPjZusnmaag/fswHwYDVR0jBBgwFoAUFhJGSkD9XwVPFgKc2Xym\nRXc4/ucwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOsQ/RDHKar7\nw3avXEBaRO1kgLx2iV7JMXasyCCFxWf3AiA7XnYRjkFGjrJzHeT4+VUSl1moVpx4\naCkxOXG9BIDmkw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1604,10 +1625,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZHfrBXIGHEdmxTYmNJtCIjUhVxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBSvJgqraySnLTETEnxwRCovmsas03XcmppsRx\ny3xHO662iOmhtQDvmzplJD+1pWgRcdM94H+yH/1i4obgD5QWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/E9BlbBi9wkPeFcSN2P1Utajn1wwCgYIKoZIzj0EAwIDSAAwRQIh\nAKOlfATnBr2Z9d3gE6iAngeB0Xn8jND4ZL4GP9OkcNeIAiAw5zshObkVXn/umRul\nMaz0M3vD/JPvl6wbmfCjDeDNsg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJu5XHGVvGsGQaM+34NVcNyH9+0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkkm0cPBAQKzMw+JVQ7+jCZkX5FOfPZcvBP3oY\nuXJmBWkgHN6wCBp7/KOfu/p8RPHEH2Cw8VsrfNrio1WHYQuro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXhqNU2MH9Clc60SkJ+0dZbG8I8owCgYIKoZIzj0EAwIDRwAwRAIg\ne9dULhmDP5PzHVLu/YXrNJCY3BXp85eNxccnhDcj/icCICguIYB4HiFz/OGjkNLJ\n3riRKE2PhITVZzw9S1V2mLlB\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAW+gAwIBAgIUBlxjsBXb/pfrmrTfIGAxUphflTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI+sQobE3AWUkNMGq/w2ZBiqLusUqbBR7oILlvuys4Bl\nRJ0swRvQX0NYL414Se83jTSggcThGSV1o+XKaX0yKqWjgZQwgZEwHQYDVR0OBBYE\nFNaxhQF7okbUVhi7U9+Ap2eNv++iMB8GA1UdIwQYMBaAFPxPQZWwYvcJD3hXEjdj\n9VLWo59cMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0kAMEYCIQCTXMd8NlgYG7y1CsI3XICnn0qINxIIgYsvoct/kPijawIhAMTs\nbRBPShmXlDkyLJGcyLe5m5rm1XemHcmKE8/SvW8q\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUK9WpJtDEae18WD3HcvSn4swZ9VIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE1jIGFBVBNJJ9NfinzH/3RO1opbwwpC9ties/1QzqgO\nnk4UDcW0aPbf353wDLRVwxyiUax/6LsiDPen5m4VEFSjgZQwgZEwHQYDVR0OBBYE\nFDGlNHfKXjP7aYZxgl9Gg/BVrFhUMB8GA1UdIwQYMBaAFF4ajVNjB/QpXOtEpCft\nHWWxvCPKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIFu6j07ShsXMHODs5BVZlsRLeeDBpT3BReLwj0ArE22uAiEAkYIK\nJY3iCP0hoAab6jXjGNCcMdOURYNZ1uPq9WNcqYE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1627,10 +1648,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUWVg94dSh6HpC9BBl26KJSK9DVEMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSfQiD8+UG0LaHLDrax4iOf+VNN98DyfsLOc0W\n6wv0Q7evD4ji0vMYR6YW9sSO952UlTGO+0HB4x/UiZ6Hcgrko2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzIWhf44fwVLZRYctw4rP2f0od68wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgIvxPG8wc8Nx0VJocOVMQLOcybQypzcFspe34\n+CT9+KsCIQDdPZg+Bni/SqxMQnoOuHXZvqc3DbI+noQtX7/Sx+9XoA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUIBvNtpfAhn98/ejymBqzytznJq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARq4z+YtLDnyfmIov52h4scchV9Dn7ZUX6a8DWP\nejnghT1cEv2lWXA9u6MsoCvgiYB8sBFN1vhDcSSvlXHvROU4o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFrfJv+SnRazZap9pjTpS5SJvpG8wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAKWLk+SMrccI8FVcT0rM4gYZFdCYyBqIqMYu\nGz9Gv4wkAiEAunHhj57D9b/aHjPMmAaihyhJYYaa96s9qkVB52yXFO0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQUMyj01tH6emkgC38e9dRR+boxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHTSfhdW05mM0PPpeXy8LGzp3LNoZ0sQlhBBWAba4D/v\nILPDJNNcbyTF1WwkTZ98gxVq5lmUHJ1lDDsx+P59AZOjfDB6MB0GA1UdDgQWBBRc\noXlSnSoHbju0owwHpEeC8VdDZzAfBgNVHSMEGDAWgBTMhaF/jh/BUtlFhy3Dis/Z\n/Sh3rzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgX91+tGdFtfn8jyFjy0mb\nu8e+3nbNbbEBp6iiLnb9ZJsCIQCJGtmM17X33rgVYMfRvWxvwMfaItWdqpODSWqw\n7zqpXQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUN77z8FtF0Sc7BNXIHRtf+gtrkFQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL0hzbPhcMDIvDJhQ4jWFp9U11UN37KdkYmd/M6pacdG\ngPK+1mgx0shdlDKIxGpi6MS27iiaZtRkzSftA5E2co+jfDB6MB0GA1UdDgQWBBRP\nlCrI/tm3FToga0/jlK+FGXoY+jAfBgNVHSMEGDAWgBQWt8m/5KdFrNlqn2mNOlLl\nIm+kbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANmpXf3UgoZ2xSeJ+7Rx\n9tgzUB+D5jAga88l4en/4Tt9AiEAxU5gwttZrXPPGwsXzQ49r9343QxpgGhktKSX\nhBtxF6A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1650,10 +1671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxjCCAW2gAwIBAgIUYjj3hmjaeZUMe7qwZacKZD7rsvcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKE4UrWqiOgBwu3PoAT3/EugXZXzneB7EAqX4/\neL8M+7uIC5CklU19j2RDJr7F/+NZIBtg+A7cW6jxA7V/7n0Go4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFG28alFX7uJPJDtunFmbRyiQkFKMoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRtvGpRV+7iTyQ7bpxZm0cokJBSjDAKBggqhkjOPQQD\nAgNHADBEAiBQDyoebi6rguDKNzAGmNLcQclKiGhX4sdBEvr+hdGwWAIgcQuN2AaS\nB6JSt9yn0BNgFSA7ssLpFkHRvfVsh6Jhkw8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUG7zuQOyfxDVZKDIp38HQASS54/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx6Svg+mULnBQTqneakkUwPXzNIUmyEEXHrdU6\nn7mg9Rojx0HZOKhrOoBIZjE4+PbTq7lwJFsM6y6ycJjudy//o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFHv9xjmdnog9NvngRmJxCN5OWJu4oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBR7/cY5nZ6IPTb54EZicQjeTlibuDAKBggqhkjOPQQD\nAgNIADBFAiEAmIj5MRHvY/ZJDXi9MhtgqbsXmnL2ipKwYfrw0lwBo3ICIA/Ro7Fh\nTZEMzb1OXgTiLFjFmm35x69rdGQ7XGUW6Bnn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUT/nwI+1fTAZcR6pGK16mWTCRix4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKLfOgrBG9IrdeWV0c5CZILUTI4VVAc0o+JYPGgFICmK\nccIQUYTPGvYPQ0ftbvIuMojqu0QOH/umYdov8KoZZ2ijfDB6MB0GA1UdDgQWBBQ3\nLnQQSEl3wv3fWZkqF1VB/RxlaTAfBgNVHSMEGDAWgBRtvGpRV+7iTyQ7bpxZm0co\nkJBSjDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPIFsOc+PMyhNBjtnaNS\nXlSP9zqMSd/Yw96V2nCyB6HqAiBONgEENSR2Nib5xlViDLElO62a68tunYc48sNR\nQAr4+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUIYnsLeroGl/kCSL2D8nvi4ab8TswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJDgdEyn6s9j6S9u+8/E9WJS1dp9+WPbxuEaA6iMJ1+0\n8lJSXhgRKpybUjvYBR9Ck/5o1XO83eXsOgaq38Npc92jfDB6MB0GA1UdDgQWBBT1\nlScY0mm1uqZpAA5NC/yS40KBxzAfBgNVHSMEGDAWgBR7/cY5nZ6IPTb54EZicQje\nTlibuDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANoQJxMnuwU4jP3QJJy0\nRib8HiwKZYb0UfUubmfcjUq+AiEAn3jbPluXLRioHfChgEBvkdX8wbs64EAjOkIm\nG3zAru0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1671,10 +1692,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUAct9ZLasFfS0DUZnhs7fte3BGn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQTtMNmvtY3Uua9iEVTsg69faRpAQ6n1P2gdhsN\nueY5uxlmQmRCgWTNhbvyBBe19XtRAhg7DH2e23ds0BLFs8LQo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQEMnR7QI71mKXA5KDRooGYNK1kJIICBNIwHQYDVR0OBBYEFAQy\ndHtAjvWYpcDkoNGigZg0rWQkMAoGCCqGSM49BAMCA0gAMEUCICTvCa+a+bXLb6dy\ntdC8EMc51fegjlgxhPuDuNEe4FGVAiEAiVhjB8XLrq+Kv0iYAtiM2HdgY4idedqq\nBFhrgxeQ+J8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQ7h1Sg69l7TyzfOfBe3yoDoSJyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6W9gQ6mMjdKWoNl5KqydZknlTJEiIJOZfLXgN\nKYvqKLM+dCUkqXdnQaxxSHnBqijgXefFNGIZJiSpTNnJyHuTo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBRzA3MDRhBiYKUTINxRcH4e22yrv4ICBNIwHQYDVR0OBBYEFHMD\ncwNGEGJgpRMg3FFwfh7bbKu/MAoGCCqGSM49BAMCA0gAMEUCIEJGvGDDWjfHW6wp\naxxIKJh3vFzh0YlW3RYMzvFxLz6nAiEA+l0vhPQ5qKK9qmrRYaXHwz/2GUClOqh9\nAqo5eNGnYlk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUKPS5jGjYi7n4mFnyRfjc/LDJadQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOCyi+wRKCao9u1oy8BZdrpThw2GDJBmOnN51JpwUy1L\no9G07P/EnXFVMYqGrWbFB4bldlclJH7k5DDuuHchJhGjfDB6MB0GA1UdDgQWBBRe\nstGyOrYLAyUWpSA2XFAyRTWqYTAfBgNVHSMEGDAWgBQEMnR7QI71mKXA5KDRooGY\nNK1kJDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMIuv9/eOxpAEd5HVbcj\nJiAqp8I392nEGVCQqgvTaJVGAiEAiUfVRbvCY4Nb9Jc1GJ4k8kcWdiW5lOeRwEyK\nM6qmpRY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUceXr3zJEp6KD8jDi9hCy2tcLmcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOyjMluE5zMuTCvyxX90U6vhzflGibXaNYfTTLX9AC/S\nRVg4IrLYuUktE69f9oN2T2TVm0K1URDoY2bVFz0/nIGjfDB6MB0GA1UdDgQWBBRE\nWflBqq4bzHNEEwyHszJJlICH5jAfBgNVHSMEGDAWgBRzA3MDRhBiYKUTINxRcH4e\n22yrvzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO13TZTLqG/m19XHzwq4\nb0vkiJHi3ZApwOMBjF8olVmOAiA+X6HyIO+MEiWH9VeetOCGda7yHBj77zXjXjVS\n94SeuQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1692,10 +1713,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUPXOD++WPomK2Sim103IvoxN/GsswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiw4Z/is+4NQZztaNXHKDUe/uaotEHt+LvmPpc\nJeM7QmE8K3HQD3OvastieGqJHIvlcaf4+L5HoeWA/z8/Y8Muo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAZMD3YfKNHDGa4M6ciYaRmW5TKSoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUBkwPdh8o0cMZrgzpyJhpGZblMpIwCgYIKoZI\nzj0EAwIDSQAwRgIhALuV6YH2IwI31WSRcD6x+9ThpsPN1S5LMuwzK44ipgo7AiEA\nlH5NRxT6fLM6PmMiQPySsWOx0JTkfRZvE0xYmE3fvA4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUJw7ZARUtn8eOUx7JwsuaxAFyFuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhI6LS93wKBmp5hbwOVe0HUboX2eBdmb3hu9uF\n+9jFdEoiXmughn9YKRc7H5nJGh+bGw0W8+m5+p5DC+Ig/nQ8o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFPDo9TcRu8ybmZLzy8qizBIlmPL3oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU8Oj1NxG7zJuZkvPLyqLMEiWY8vcwCgYIKoZI\nzj0EAwIDRwAwRAIgK4m4UxK7QXrmjON984lxORLtwg2dMkbA0Mfo19ly7f8CIHsX\ngyFFMv06uuB37yYtghcFjmFqbcDRc97DNOkDvfSh\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUD9tSu1oBDvMwhkUdq4mOGHYuEWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+F/AW1qzRQOYleOFYAjH3rRP6Mu9WJtl3G2XeVaj1D\nPCh76+rhSGqYUmUfIEWG4l16pFJhKixcxOdLyenlJrGjfDB6MB0GA1UdDgQWBBTK\nDglkWVMxnvIqPr+pktzpvSs03TAfBgNVHSMEGDAWgBQGTA92HyjRwxmuDOnImGkZ\nluUykjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBUIak94kx1X1cnKSMWyQ\nTRT4YWYy9m1YXCYqiQxKIlQCIQDFO6uKnky17WKy5puIfob+DBnnVb4V4DvvIw5T\nLNkm0g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUdcl6QjeVdDg7iX9cnMdR+xdv3lYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLGgzyZgfJwGxrEltc4iCFqDEQPn5vlY2GVu9WYXE3WO\n1MegEYFFRd+seibyMEPMUdrzOIlFZQ95R2Txv8qvsVajfDB6MB0GA1UdDgQWBBSZ\n24oEMJo7ZCqj0ldxFxz1wiL8GjAfBgNVHSMEGDAWgBTw6PU3EbvMm5mS88vKoswS\nJZjy9zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPbZZvEwso6/4WmiHUMe\nZCDRqiSZGpU0ijgmjPgPNbJgAiEA2NMWUxPnM4KmaurydrOazg+sMa9hBjSqBm+m\n3sOWMiQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1713,10 +1734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGT5QLJfpbD0OZ0EZytZDN50s61IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKinAXl0tGwluOmPW9cEAf8NaGJUDQ5FXytJ49\nvSnU4yrYOzM0BEcpav23QWRt3G1pFIxi/Jw/znQ2/3UP0UkMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEJFoQBgVrv+pFJQA04YhZdK7p1MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKfnb153xST+A7oF/sjfNWKo0MATJyIGXF7y/Fzhd6vtAiEApI75wwdl9jJAcXC3\nhpT2z9FzJkKQbW77mVqUoFqowwU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOHIfKIqmzd9ZmAJgCBLII4FFx+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ58IWTHT2bNbVbmzDJNGJkzRcqgLnI+CSiGPBU\n4B7uvGER8xj4ioQeIhpwQWos1R/6XsTswh+oF0RcALb1/rMVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1brD1ypGaFTQVhFaVYG28/9yyqYwCgYIKoZIzj0EAwIDSQAwRgIh\nANR1i6ItL7zuGZqBc/Sfz2HIqQ3eYziBeNQC1YcRSOz/AiEA/r95OtgeadTNXdDQ\n8b87pKw4seIz1o1xBW3ohD5yBog=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUfrUWl5p2j3pykdsqusGWB864v3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABDiC/mVqA/xb6c1gGARkbCcWL/2wPsgjCwD1GVcx\n0yk6ICiUnYUwcCIjRD3DPtpMJ/X3rxut9Yiq59nfB1qUKzejfzB9MB0GA1UdDgQW\nBBT7AKYCvjAOKcnqYQAdyDKpBm1JIDAfBgNVHSMEGDAWgBQQkWhAGBWu/6kUlADT\nhiFl0runUzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoSVlTXa3qr\nKHfD5H+Ebk8cwe1ubOqUFYsUQ4KAcrljAiBgjxBd2wmqkIpl+0EtVd6tPN2COqfs\nLO/0s/NjfWX5fg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUVyhlr+DnEb+VQ0Oh/rwirj+4CZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABClCAeULjI+sZk2P4gcfeb2dIjT98eev6OoYLnOr\nOFlaQp/jLsaLk/Fdvz33cqwbEj0zPfmjoGDOjTCEFCIQfw2jfzB9MB0GA1UdDgQW\nBBQBFXuU5/+ErXiFIO6gEfLErIooQjAfBgNVHSMEGDAWgBTVusPXKkZoVNBWEVpV\ngbbz/3LKpjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaU8i/Bb0qmvw\nkKL2NA8hfRfhuJ+Ff9NkbyMBeVdhXaMCIQCxTKKq5Dn9IUDuX0yRUPa3fWliBgHO\nf6wBlCQzsas7eg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1734,10 +1755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCtD3myeO9znDuMjOr/7Gh7lQIywwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATl4FbRbFqdDvzqPVfS6riOc7Kb+6i7MSxilFls\n0++EsASQJmhS/jwhmsrJJhBwf9eGetKbkMDftHgQakF/cMrzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxUlehvKIbZzGRCTwWY10fTScqSgwCgYIKoZIzj0EAwIDRwAwRAIg\nbNbkiGrZZvjzJ3iWVWyBGYGjFibiIFTcDxc0O2zVDwoCICoKkKLEJiKRXbM9uMtK\n6Ml6dkiEzjOw1Y7x0R6ROXNj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNqQKnpCNPwu5qQZJmpJuaESHjK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATt07DR50pKgDWVOLatM5pIwWU68S8aHZIpUYKN\nvuczY/F65XBUw4kxJycvqR/wTY22J6c+JPWvV02QGvkMbLjvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI0Iw+m5ssNF7BZ29DbDk15d3TmUwCgYIKoZIzj0EAwIDSAAwRQIg\nHUba9XfkNBMdg6Y9Zg2BN0Pc6vLvKW8BnJFFOPKfa0UCIQDhN7t+XPzbWcIHowpT\ntnnssyEDg4mZ31hiQ4Wdjdlxow==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUFCBJpjC3npQkebZ6cIkrH+LDHsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABADMcIeafv/YxjEKcphixDODmAJH/9h4tqHXI5jYts1C\nWsuMHHjTR45+T4YPvAue56N8MHowHQYDVR0OBBYEFPJQirisCmmOsrijIOWsgJC8\nWDhqMB8GA1UdIwQYMBaAFMVJXobyiG2cxkQk8FmNdH00nKkoMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiApcy5LT3QKCnOSrbXdWSAZhWMH5VpKsXBSempVL3zx\nRgIhAKWOedFFEzH43jdp7xJVopzaYNEcOH/thBg8dB4LIofC\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUcoC77B0wfTmDTzVm2HNILAno6UEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABG1BvHMoHx5tuqoxKog2icUalllfseSESK3wxsTQDH8N\n/sllUAZtC73BF5vnWyef9KN8MHowHQYDVR0OBBYEFDPGNuNeyd2Q3o0BzVkHP/gL\nV8GiMB8GA1UdIwQYMBaAFCNCMPpubLDRewWdvQ2w5NeXd05lMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBH+78sgqUvv0J5g/zpT10IRVEDPdG62XCp/n70dXYs\nCwIgIeW08+crdXwYruoYtdxYaGXy63vbD9Z6Ie1zYCEjAYU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1755,10 +1776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUSQlhtkmN+KjzTALaB+xKq58qMfAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATS80xuzA0xfw+6tZlY4TjTBk/b68XIFJfHJUxt\nH55y3fwkszm2q1w5ipz6u6g2I9kGcCVjsPT/nz67mw2i0PAOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpSShG66ADe6To7C4zUsgfD9X2DowCgYIKoZIzj0EAwIDRwAwRAIg\nFjsy57s5UODRt+gs83J9v5nP7tCWECFw7EJZit5AC0gCICq6DdCijyO5TPVRuiYX\nRPn7hyeVmOwK0O3Iv6InJYo9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEKJV5uwMAPmBe5/kJNukrZxHpmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjzdaEMVPPFFv/GGTveA/Fe8QdXvcuYFfsRj2g\nFdcgVdBelAjLlYOIHcXpaEdtu/m7j7uYPnn0frOWM7dNeyUCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiyweND5NNxIM9qu06irt1Pv/5xcwCgYIKoZIzj0EAwIDSAAwRQIg\nbhBwZALu/gMUWDphh+ftVdtSSJyx6tcQZUtIEJMBuZsCIQD9/UBegDQnnOrshzlj\n5GpIV0ttahyUCB2/Xr28m3HlGg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUYeVppUmvj58kYoOijWmTKfAHcxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAtTsZOivm1IIHcqRedfOyokTIjG/UjDZoja7QNrNQ+fQ7\nEReFpjEMt3sRi82IoUM2U4d789CnfizxQ7k/9M4MgUm6u6LCGuSbfLGT79cLpWqh\noJNN+3WHdWeE9ceYXyh1IwhXP2byCRamoxmuQsn9KZNXTd/jMfGnavxX8+2L0zYR\nZbTmQJB8V4+YfbsTpF92IkYZCXJlL29cqcRxXAOFzO+2W6d8RRDAqgC4lkfROTAj\ntbZXLShbsPxgVdhzADZhJFKBk2eP3TvEWtjGjJ6Nb1ZOFtqPJ6wpQNMQvk21QA7z\nHlPCWJMb9lBvnXrj9oT203cP46ZcnibW5AplaFbZGpqLLBXdr66eP7+2QQmgEGKa\n0QPqfiGVDr2TOS/1Q9UMTn1v7DCPrePT3n3Nee4IlTgxOtnUxS5IfipF997dBYDN\npXYg6XDPuwihxMDBG/yujF1Oc3B11804TI0RSF3++9IqcvmbC3XsfHwwOFif0grX\nxkRB7ieXB45sxMHlvR5lAiEAxnnPqxGKqNpps4SKHJ2iFCX70zH3wda16U7iYz6G\n4GkCggGAYd7PGpGh7tMMJdU16NzYQ8hnLgm/aHuG8PDQF1R1HZ4wvdd6wSXXgmHm\nV31mQJAIU4UaOv+8YQow/nrirMFHTIZp2DkV/3d3xY8k6hDRBoR3Vo8Vm/7qq1UC\nwKqJEHIR+qE4ivV0FdmFFgrn6SGbAUhKC3PBtZkzClrclFXVhxkCnbscWQ2OECnP\ndEpPaJcMxvIT5Fit1EmrMSH708/DaPtGSL97Z50OEOma9cokfpXXHkti/WNGphMG\nNmkZ9a7KsZ6b9HfiV6heDhSUev8Cf4zRxwALW8D0exEdDKvkvl+zrH9NG8SR1R9+\nyhV07N6VtmRnk4LU8oMjGEqW82Ape5V1N1JDSR5i98XhcE4hoYomRGTJAoHl/qND\nCHrU1qN6xPQZbfB1x2bt5taiQPJaN38OHnkvAzan5UMP7KzYJxC29NpOBBBJp8X1\nUsx3FDW9l31eG0DL88XnzClL9x7wONu1uXEaD+uBgvZOdk9lRK6ZpYCoJu8qUsc/\n9YVCqEbcA4IBhgACggGBAIQcz2P4qY+Stav9EaPmtJJF8IsAuJxD4RneAGaINl8G\nX6BqWZBUBRUTTS/8RxI7L5rPPTlrWpfowKU2MvAxHL+TOgfVIJLUbF0+FqiI5+jq\nWRZnGumjPQn9ibLxD0qc6kAysK9cdT4r1lc5Q2kpBVH/qqQZb5lPNxv58AeDGywP\nL27Id9BXzIPTL4XsGRM4lD9UoZ/rpimYIiy2AkJAPXHaYnWJzZnBXzn2lQzLSRCv\nGxTH13QYK4fX3CREbTS6TxICA4RYk330NLS5X5xmkyEpyFtrhyhacbzS9HqsmkED\niQsEJ6wQXchV7uujuWNzPdCGYWpS45vG/UrWRMgQa4EO3pmelSftunMYGs/Pr6SF\nDuWXe+79dHESoAWum+91fYp+LnCs6XyvFMZRYhFR9vQeFIi9ZTy3CXYqqfpyXxEy\nc0eGbDg577N1iCl0WZGN19DuSCDckyrzmC3lpiZefjbFbyWiTeSRM6h1no2Vz3W5\nuXS0quQUXgdzv+2qmMiU96N8MHowHQYDVR0OBBYEFNNtW5WSJaNBbSokV/w1/5T/\n6EDcMB8GA1UdIwQYMBaAFKUkoRuugA3uk6OwuM1LIHw/V9g6MAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEApHLbPr1kd3njuUdPm1S4Ev2y06fPZ6oxaSmva4if\nlq8CIE7kWEkOwAA+XZO9wAiI58IrYLejKnfxDv38g6NJ/AvN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGITCCBcegAwIBAgIUSGAAJaewFzVsCRR3rpFTU0irjoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA2oNUDTuR4KPe4QHhES0LRUImSpjR5I21f+rPGb+czhqo\nBdsq0wodrlcp8eNG9sUodEpReGUGuamkmtOLY3A57dY08xn8rHWWF50vSjeN+TcR\nC1p/IZVrsoaNTYe6bo4CIgHLSwjvl+Yfn3WW3TwUErHyYp2UT2Ldb8KMmClw+d2k\n1yBSfofbVVRHaNoNwEOHE8QtolmLC7vDXxfi7u8MUF6UPOB7Aq00IIjmNIuGJlSg\nmJKjVJMCGiO1bdObYyYg1MHoIlL5rEM3MxKTWT2ETcFEewIeAgYySfXpoXH9JLhL\nJZriDlUnP/Vx4BOVOwtqwNX2WT9xFhJKRQIuX++9n/EaL2YDFAhher8Nqcocjna8\nNiffceEIZ/SgYbYfl9rBT9GFTn9EYweTTqRdrUsOKNwEUDwaf5u9hvs+2EX9J3ij\nhn45y9u6p2e2TzFKEXkOvDDtpup2tZlN6iiDkIe2FJvxlGtLVLLpoTc+gzMkC9Bw\nzFe56qjrBO7LKwNl3RfxAiEAvY+fXVkR0lMlF1Gv6xG1QibIClwbhEatXuUwwAI0\n4Y0CggGBAMNYkQAvESlsgGcmqBgAr1625TZqdBwnnS0DKGz3uUWro/PgH4DO4JEX\n/qknkdBZNc2fFmlUeEQH4PkSuHFndR2u1lSNLKrcYt9gfME28bsXR6iDGNHLtd4Q\nwjLR0O6vmNjBeCpnWu19bJbgnRvOhdPHV6vdFAWAZVTjDTyqkF2dhRr4zBIJpf82\nX0OnBOOtlSqPPLuPwXNmqWHlg1Jk7zOST+fgyIsDQm6KOexkwsITIpvki3Su9SbV\nbXgCayZ3lvFc4TybUlGMHOeQvoq2JtPw9nmtG9gF7DAlb8wTTKc19VaWs+NcvzDw\nHaLE8Y//zTEG1mhDxHMmDvLaLlN96IIG6EnBbIiwvXwzgnNncQWcmZeQ60JAQhg7\n/v7mtf0/eyQ4a5FIXEoRW0VhRrQnUzvUAOF7m4MUnJXdDbTU0noLSUVGJrL6BKib\njx4wEva5ccIcFSQLLbwTgX8PpLsJ6pHcg4Whw+rhbvTM5s1LXLNie21ds6u++FHu\nBrI6VrxJUQOCAYYAAoIBgQCcMf5e4g0Hc1SUXsus8NNRPr8aXbvEGXIkkBaMy5mF\nA6mKPzLV6dkKRfrmygxg1qdIVCZJYoQYUtZ8sf50v/Sk4XTQ0+++YxUSOCjsj08L\nuarcYg5OZp3VLpt3adNnjcthJtl3AEzNQEoqLEvh+AtjhgdlDoEINNAjysID3kF8\nk4nXiPXTIJzQFcdwqGeI2XtdeN+TC4Lk1ItPph5AaxUhmmLIm6SXLmf9VWLG8TGq\nSokjwtSS5icCSXbtk2dnDiIGEWwYa7voca0Dw52FR6jt8wh44b6ETL4a37EWzH/5\nCp71kJjNrwVwvDFGQX+NgwgM5hIGdhHtd3SEjJgmNEL5DH7hHUAcW1vYdUmb3ZcV\n9qZxTcrAL8mi1k8HD+wW6U
lkpj8O5Chki/VTxEeF5TAX4Xdvq2g7fN2M96U5RIvq\nbPdNCH2rk6PiraT+8J9iDdMgqrmeDnxF3xpaoOYlzBJq0Xq0xuLEov/oauCUoBMS\nO5iQinejOAvT+tHynectYHmjfDB6MB0GA1UdDgQWBBTjstCLa0BTxC9BKaY4ko7y\nisQJwDAfBgNVHSMEGDAWgBSLLB40Pk03Egz2q7TqKu3U+//nFzALBgNVHQ8EBAMC\nB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDSAAwRQIgPaRJxZdS5lm40mOU/UG5Vh0APNWtgNWOh+vLRRCp\npe0CIQDWqsJ0LUxQOBLzFRAD5BmYd/YxVWaKiY/YwMya/PaR7g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1776,10 +1797,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUVoOB0g7uezvnDUYVR/GqoOnPj6AwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQCf872e32Zq7o6ZuNWwhpLZe5x/gzHzgujTlasE\nEmyWfdBOCFUX3kq7BbWD64VK67UzEsyQsnKmrkFol859NcjkKV3NzvuFOgCN091O\nJheWmKbusgnPZqXtp9e/VSczcC/MPGFzrhLBECn2YFSfeVSzFazbhRtcsEFTzyQ0\neSkaSg9WBAmdZhA56Fer045udcr5RUwDgVptj4PKgqIX4msRKfddNh15rOF5POCQ\nIJ9+KA6O6yfrSuYkujSQdcPPIBsLQxLzYIqObIHVrOEOxJ31DrEVNOOwe5Wmo539\nzAHZWv6akCRBnZlf/cpXVAPl+fzGUInKHpC6i8FhyGXEYmPIWlRPCTyBYIy+OQhw\noh66/3WJscZ7zN6rOSd0PDM4J74RLELxNdylImm3oY/x6tqRdKy7US61IiNO9gts\nZbQFXEkeUAh3LmoH1+MogHGU6aqM/t8VnEIJQKhgNB3T+9TkafCbqTUoxg0qPKv0\nrwEHhxdDN82r0PO81ujbOdOkOYsCIQCp3EBwjt8HPcSzSm1yqgYWxinhsIvtXgtV\nfmJvMapwdQKCAYA5HXdUF824FBAmC8wg8MWXzeYdHRdW5aUheDX5C4Ri4eFtxNqo\nJlf0dl0aT/WokcX5Z4ymo+PV7z0EMJ7YWBbpLtmau53EmzdGpnbIH3OHwjwlg5kf\nQJIMqVs/4ke6QiJzgPrUpQc0NQ2xZlXqlume64o/uN/MlP9noD8MFq79VRb2hF50\n6ddH/xDPr3VyW9HG5pRKVawDclg+0wvYMBjbgrkjRJ5kEQKRqkapDHIgARZeOGmO\nKH89nyABMXckC57f6FpZydM3ukdz30JrxhyjbTWmuDLRiCdQP5b5ISAiZ1RGk8xH\n/W1GobBRDKxYkNUMeUB8QXB2yFvz0+bTM8FZrBEylU/zP5IUOX2rj6m+9iQ5wvfB\nDvA9a3c4ICvVzBIEK0S4kBXqvfVS7h9c0RGmQVOVsglIyBCtJKJTSpw70WL1tek/\nYhpGTKV5ZNuLBY9lanp92z9ZbsfV3etR/klZQQR8XmK7RKzxod4Ar/65+9kAkPIg\n3OkHD32LTBI7+iYDggGGAAKCAYEAmC/nATqWafbTyMpVEP06lUHoLx8YYHLtrjLl\ncz+CQ9ufSVUkdqcYXpqjJyd800AX9gJOIK1vehuFP6JrHrBH6Ya9sm1+3rbMgF4s\nThlii0DYEKr3fJmwrECiCdSPNiS7HUxMWoA++yuNI2Oblq8mEpiLLpQcYLWwyxD5\nERaoFJWMorNo0Zz3x+fxt6Fo56yvKerIDu2L2MriucCYlR+DYHAQGDPojIffQijd\nwLGsm/FMxHi8xJceJw0zLpacEX2IParD/kSmKssq7K4GGHnkVYAMHCc2gfFnujDs\n9dCPpDwBvtKy6nYV7k+sEC7fnZcg9on
m0nRXwnmylnyeQJYoJPbSSR9IlZi5XsIS\nt4snBywxNoPQP5VmZG6KntMq+uc6vXOnvx32xAZf+DougjhcsgkvbEG+JusL528S\n604VoUF2ydM7i8hnQSqpwMIo3yt8h2EvHOQcHzjffNyb/jMyuoejqkm/ajr/KM+y\nvb+jpTajSBVSdyP4P7nQUtD2COgwo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUzLi90u5W\nzJQsjkhTU1Gd87xHZc8wCwYJYIZIAWUDBAMCA0cAMEQCIF9WtJ02UtETgCGpzVH7\nSECT3GX0ZW/NnhYkEE7nOUPAAiAWNf7ETdfc9N2M1E+4PadoK1WD1MasLf0B69yU\nseodzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIULrU0tWymPMXKOZKOGKDonm+r8TUwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDBGWtPmnio98FrFYNrstnclYlXzks6Tqh2xoNe\npnPVZ+2TD3/x3CK/kRHtQdljGvGqccJByZtEY/DwbGgbnKGG1WUdJwLisLZmAZ3Q\n03ByQLID0f/DTZet9MB9f2n32mzs2FTgSHfgKYDcztYPteMsZv8iufxou5HEqggF\n9mEE7v75+hfurk2hcr4832lMA9/7GUuYtL3rZ2+CufgJTHnYdtaUgQfqnkUsRGpu\n10ZoVxP+XiZ1AWY3ECevHYlb2L1mYo64R/cibLWAmmO3mGvQXc4lsFA9kqIZKl+v\nfnconjn8LqHgwnSdpI5vFlGw1eSSyKfSJl+57BpEhYjJcqXhW62KslJJI3LmTTrb\nEgtIacq90HW/eO+UlCQqdKkzDM8uWX0gwfUjr+kyhBml5uK5/99kg9xrpRsbFh9s\nIV0H275+lnQcF521ZiZ9LwEjVG0OJnJoOeQfDykmGIA4MbvrX4Pd6XoVlegu626W\n5cYlmaupA7anhbQdlf+MhPmeLMMCIQDUJ3XW58h9f+frQUTW+pfo+E0zNhDCEbyn\nZunhfwCA2wKCAYAj494zc/6BoT+KdYYPBNCTFCISl8IHWz7fsE2EckeAq+arOFRM\n1oWCnBlKbRu3HqtDEjDSeMqBPvGhudOggYQzHtb8n6FpS5hGATIbkeND62V4YjnU\nwWNjMvYHZQlRZA0XbsvDD7UZslLPMiNuLH5RoF7oDco/5iXO6s3dPP5ul3aRvWsp\nlgQRzQZEcGIQlNn2bxBXsl8XKeYipgWBHGZkSLyIEYHEiLASCl+6eSp7sg7Jgc6o\n8IyLa/w1xSZRFSENBvkALNE1lmbPqwBS+/RHvqaiVdFzWhW9lCJx7x0xR4XJozef\nBkcH1Vjp8g+83xrgDfF1tV/9jovkGWmu+OhCf9EO4rivvr7xp8hAPuNrHBetmgYk\n782Wx/ZL6qTDJ2KfEenxyvJjV8fW77JKPa5yfZI+vyxVg95oZl2GKqHFKDnh4YGD\nVbCXgJmkAbLlnn+pDjHq3u8gbj6ikz+xfO4mcMngFF/i53112kBc6Djm/qwCvKBQ\ndsIJ+gmL14UuiWsDggGFAAKCAYAOBSlT1+FpoA3xl8kA2o0E5Gake555p9mjNpAT\n5hsWzisbNu8nmaY07ys+H8qtQHjjXz7KGWm/+0Ph8V8Z5P8FFvEVHfAZpo1TAj9V\nXOTqXksKmB6aR9jf+qO3o3300z98tv5WjwkUFGjBmoEtLR
707caaawybDQVc2O0k\nx3yP21kKPJObA0TRrsJXjaqUG5z2p5pYdsDib0N3IIktD80r5gIYJuzQQUiKRwUg\n8oDvJeluOb9+sPp/17HXQLpOUNHbtPFqCpK+T7aks+qgvI27r3mwCOFZ3SaMKCCt\n6Va7gtJAIlrFpFFxtCtp7eCVTUt1csBfAbTdZAGh5uy+0oqp7r35gQTs/moEkWjF\n8pUXpFDiNAqjd9rFfBsa2zLCHL3jozxS+k/HTyxubIr9b7SJIklx/mZr1EFa6EYL\nQ/35yG2c395YFpSe1BeGYqYW69lZ2c0NptZ6PlqczXhrM26o4Q/6Y1bxY5Ov5Hv+\nRVpaSeXACFxjdWKX2miXstcF832jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTYX4mFZRM1\nUOunckZBF0pSCaqAIDALBglghkgBZQMEAwIDSAAwRQIgdCRHvpgal2zQcNF9dC+h\nmkwctdkgCF/Z7D4jcWAmbOsCIQCj3DNkD1BQ16HDs0Z2LejV0D1nHkRmYa6s50Dy\nNAw3Ew==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUViMOAzk3g7VM2Q28cqBLHBXRrjkwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAQQve+ypm4ALnKncVzhBCsNS+IAkcYHUL8p8svyOYvm\nEETkzWQds01gJOs/K9xdQnsamgYe3OQqajeGFCtVWUYto3wwejAdBgNVHQ4EFgQU\nWpK3bX4rAdwsH7BFD0LOSllcQWAwHwYDVR0jBBgwFoAUzLi90u5WzJQsjkhTU1Gd\n87xHZc8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiAaj0FPNnN8W2sUdgA4\n1kBMl43zh5YklDixgExPHiNNwQIgD/CyV7Ysuonq8ZTkpvWLSxdJ/BpC1cch3YlF\nEnbAI90=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVegAwIBAgIUOxBsODCwZeWMj3/n1SWDS0IqiHswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATIYowuHBW3zSdVHFI3OaGMZmWLYBtdKmX5sIGq4SQ9\nVc0w4dq/EsvTk3Nn60S54hxHzoomNKlw/Q9+L1ONLzplo3wwejAdBgNVHQ4EFgQU\nDatEF9ryk24p4hatdAfII/5hqpcwHwYDVR0jBBgwFoAU2F+JhWUTNVDrp3JGQRdK\nUgmqgCAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNIADBFAiAKTYJ+GocrUwTozNP7\n6d4Gq63oECAbRBLXP6aTkVyGNgIhALSTNZS13SnXbwWCv9wz5qqJduRBkQyCyYHe\n/IAEYFhJ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1799,10 +1820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUawRJxKPs2G/CHK5kQ5K7MVDgwacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7cK6l5qY/677aeAZouMTAdz2vbiE3mfxoCm6S\nqpZRqjueWsmsO88UQqp5+WzMVK3FP1m+gX2T2XM2VvnbXlRXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoGl6QrvA13ung9a66JKWvk9KCQgwCgYIKoZIzj0EAwIDSAAwRQIg\nExlRCdMVhbHUtG37ZgzrEJdaXNMnpAjDT/eRQezV56UCIQDTjY/5a9q6niT4Rffz\noxgSjHlK3oa1lk+DngZM2KZ7fA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTKwjb6KjWbb/pxPAiqbe+sYjPxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBOJLn7OjpZ6sMp+pRDEUR9CSVLKF8Z/qHidC8\nA5yB5rLNDwNEQ/Qfjc+0bOkXxc5jBDECfVNV5Uu5WaeB6PAYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfHdGr7tHb7Vmq+J21HLzNir+CUkwCgYIKoZIzj0EAwIDRwAwRAIg\nbeS07L1LHIykm1+Ex6vGjCP9U0qgiwFwCbX3o/K+uVwCIAr3+hhbIp8LfritcWo8\n+WMPo8tw5OfouGyvtJaLvuOq\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUTwSBPwFFHqekk1lzDa9+OZHRQTwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAh+IV3btRh3tf6TNFnAie/F542vsWA1p8SuP7rA1lALSx\nxMwDvTBVLRf4zv/Ek8u+Ml3Lbbg3esw3AIsVoXnhtSUGyX1tIUPj7HT0GyVhhBjl\nYWecS37sE4djZQJT6kRhhKJrlftXDYbv4oT3O7ckI9nzgwxy+IkxQsp2sZ08KIg5\newnZkGGsbV8wAkl6xuFHul3+Df7ZYumh9YbmFbLvrLizlUY47OvlwDSoSpBD8GWA\nbPA6QOL2sOSX5nscgHMNpmxU6AKnWRaKD+WTJ9kyRbdKpWPNQa9dnB6Wd4wA+z8T\n2+VrUbaydRZ7cKkbb5KDZ8V+K00iN/diYhtF0ZY+iNuI/M/GbclulUS8xqv7eNy7\nvNtttbdmoiPT20oAlp84XLwTvTWBDpx8HWPnOBp4ydtUhozcl4RqnOLU6x1uvki2\njQsLDvwHPxKhCD/GyjhKy9l0KxaMOHUAWUI49a63U87UrbT2fy7OypPcBEyEiqt/\nqVDfiK5/olcjZ0VL7PfBAiEA+xxjZHGC01R+BNX2Us3vT6BdTLNHq2UC8usxcpEk\nE8sCggGAFIWztX32t7+r5sIPD3jEecRxYvZygz2/lYzsn0b8XdBHduTwTHbouyha\nKUcbdipJN61nmw6FNrHxVd4UZCK6zQfytQf391EMZ/XobdJX5aBuEX+fnVkQ+iIo\n1VYTuGiKi3nHGof7b+B2mrNKPuiT6alQOXQlPoJB4srjYVq7osJhOZ7XQuPg3O1N\nroVyKW3N0eXA6WJztREjNuwqEtjfeuHofLA0WhFRjhh2GhFFTfh14L9QVYE6RgKA\nFONPQEb1sqhh+nBmsAyalxiFEOkx64Fgc1sK8zTHplgEuTm+QHmc6vZpv1iiTRm/\nEOFKvZUCBZKAtu8sNdiTUfmw6DcL5vnloxcg75+K8n99bhUGcdQl4Wc8kgizRdf+\n2gesLqQ+BzyWrI9oWslW4PBFe+upnn9KMd/GMfr6DwHvqX2Z2EUpmXYwAoX4Hd29\nkRa4ZAsMI9F6iBhjtHgMHiMRO6pVabTB8+rWJg7YjGLPGgLiUIF6zYhD4lut9VAa\ns0QGxHTQA4IBhQACggGABzLDcYxKAfW9/y4tiRSgRJwx1Gz7rpVxAmzBVGfG/QaF\naJvY8v+YIoWe8bCBpoFQzTU3FCTM/TO0gQO0vnf5QdZ9nDKKM0XHRfaBeGCk6WpO\n3oi4SEUNZschc4ShbBIRmLGYkaVYn8TsiK6EJZqiUkAKBYP4ijaBy/qincPxj/Hd\nIObkThw94GXOlWYfHxA/9s53G62td621IQ9vzqWj2l1sz8CzOuT90UWD+fGlob3J\nuZybw0Biwb5zJDMPS1P10rBTcPqUJyRZTrAV8+bgGhCW+BZDpD5PzjRo8a9Nhgow\nK5GlSttYM54ZzCiBPMq1c5OmgKlrpRjJRL60W04YJIkqCsf/8gLO+c6j7XaJl9tD\nqXLINNMd11iT2UYUWyRwLyhq5YkNTpLnbgS1gIpTzhtgr6bvq6biClO+SYs4xhB0\nHwDK+NDgAjZpGXHnXEqxeXyPfNM7DJPZ/gqRu2EUwKbKf3ifiGknqpPTIgFEYIMX\n+tvYld3APiH3hrSu7aLTo3wwejAdBgNVHQ4EFgQUnegIPt74xjXK+CoaEH926GOA\nbVswHwYDVR0jBBgwFoAUoGl6QrvA13ung9a66JKWvk9KCQgwCwYDVR0PBAQDAgeA\nMB
MGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIEsleLAKC6uiPqmvoeU8omuuvdP3w5bAJUYy0p03eFE7\nAiEA0Y1F3hn1u/YRaFACsAi78072ukqIYSzrMz5vb7nRmCM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcegAwIBAgIUU3nPBZvgwmT6nbIyWvCWxAxhusEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9Fq6P0oSAnw7tK7ukYUs1cLmhWj5Hj52B4WhdVEGBnXN\nXsWRJoYrqTlzGJdwT0qa+rlNocfVQdCnDbWFS9wKPX/Bo4W9LxKywG8Oz2ACKpg4\nd50+9liPOpfQPbr499GZbrKN3BRptVczi9/vjyKdp5ndiL88wbvc59V66ZLNnscY\nRKREKkmyCSezne8mTxC61YIT4PZhntuvok7IV1VioCKF9769nwd719o5enia76aU\nngbL3XUIPjVLhH1eekjybiodh5IBGb9N8ji8iHlPD+RZifLsxGtxVgFzrKNNDgBI\nY+G+fHJedYHJJL8YhB8n4pvLikGV6469JIq05cFBzbECq1LcFJegC4COiBDFqGUj\n0DX+6a+Utp9+S3ZGdXr5jWoZXM0WO+/nKURrXThtgtdxUgJ/SFc5peKd6CuKwBAj\ncqvYgnSgzvXNZdo9PIRhkR+T4/viObJOQMQbef3WJKtsmuhzCW2WnuLeVuN+7KvA\nJXY0W7xjwVcm8zibTg0zAiEAv5GT3G1IG54/EcIap1JIk+5T4bHYbtehugWyqrQ7\nybcCggGBAMq3ckZpYTO6ULrgfpJyGO70ajSDf/OVQymkiHeHARVdt1HXN3qe9hO/\n7EmO3SHBly91IIpXw96n9cidpWeL4ATI6o6KKutgabEBLUnk47VheifmihLdYCy+\n+feDRzdIoLCHCyxhJfUDvkyhx837zioP1wgX/q32dSUSPj6A3RLX8s/l2IwVMlwt\ngLXLvdQHMra/1BTsmn8w8c4imbMkxzBxDwgt375WBApdS3c2DOj6RLFobYxdDHrO\nMFkhTWUSwzJhqNZnq8l7x2s4zcdbtU3ENYbFiV4lRe0Yv8BPFWc9WekRev4PDDvX\nr3bBg7GI5vkWJ45aUngg8Ny7QR33fBOmO/A/wyMIpMvaPjmnnNlzoXksCyDwzYhN\ntDO1zPCB1lStYqGhpBAvyPUJP3J2exJeZSNs7P5/LjpeAkjawYzX9B8j1mQgJsnG\nw1c7MqZOKt6t6LRR49llKCbnmzDXDNKXwhsIa6S99epPdH62iDRJi1TKnT+1iVcD\nhijBm0Ho+gOCAYYAAoIBgQDeFgtnv7VFDWfJFsg7CdCauEMPY87DW9QFn8RKA4U5\nZg3FuaGx2HUnG1on7mzY6p8o7ulVGlDFxuT1Y6Y5ZsbUzvbR33jkfQKe+pk8jZ+/\nmUG0WyA0mCyRzT0ETT13XyPsQ6z6fcZHEiW+YsRQk0Hpc9v+6LwL1zK64PQ3KqYw\nDxI2d1LWkbhyLvTn4ddFnS+SpiW9HG4Ep90MifW3xZHYnsiDClxDu+kyBeNzjBem\n5s9x/lRiUFDdwUm1ryqtObV3lVFdJ4942rpCD0pc0rSSLdiLnRnq+JNAim8OhL22\nul4vvRJKFWTIVJasq30CymO795AMpqpl9hEck1F4DBKclDCLiPxlDbNno8xDjf6H\ntWPbAaF8ULI5feiA2lWsV3
UGMWSYk402UOCOparAwpsl3/FP7XKN+l1t5PA4DPC4\nwmUFwI3uj6ZBPdjx3ecSMacyWHN0uietEFIL/i+htPYoWhADyWDtQKYaFs+qeros\n4by5NXLfdTkId+8vKY7oNtKjfDB6MB0GA1UdDgQWBBQrMGS+pdh8doeakkGhYAXs\nXKbxrDAfBgNVHSMEGDAWgBR8d0avu0dvtWar4nbUcvM2Kv4JSTALBgNVHQ8EBAMC\nB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgIT0aRlhIt25k9fcocFuAO3X6HEU6FRzC3+Dc8Ws0\nUIsCIBJzkckFWkP1kT9xmQPuD4pEFpBwsmnPMFEDFm1HqUdN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1820,10 +1841,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfF9fdGcDLE9079CH8otDfbcaqr0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASigEQ14HuHwuoHFgeXfDxHmNz90Uyq+OutElWd\n54V8HP6xRydlNl7ZPIbUkDhHFRFg0nkvesJe/JMMdY9x5Xcjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIrU0zPqVeM2kGcZEpWXwGWiC/YUwCgYIKoZIzj0EAwIDSQAwRgIh\nANYWNcv42Mu3hHD6Up5l2GLNuNxUBH9iM1sGHafd9tc/AiEAqYdJP1KyTumSDruI\n/mEC/pUtbqzxo1tKYf+cSjdFvpc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeziRoXTc+hDnsQXtEzxYkM0j9fwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATI4qMOPgJUYcxGIlL6LUN+AJcuT23pNJ11Sj+7\nSWt+x0ewkUzhRBF63uAHemPWYQA8/UpLSt8rYR4bY/cwtp4Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrFixjLNbWcHegp/KcY3HH1tp70kwCgYIKoZIzj0EAwIDSQAwRgIh\nAJfoO2dn3d+IyWxPzziy11Bcu9ojzPHwaN5aXaajRmQzAiEA5CMVel6BpNzi3WCB\n55XpqbmskGUW4IbOuTLuudQi7rY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUSvZWM8y3EBtRydiOjErLo7J/YpkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhuDwsoKcpAT6JjdbcUI/C2te4+AKr31UuPrEsaU3jf\nxgGc/N4wc9n/WOdxfRQ4GzAV5lFRwyFoHePDNi7ZTIWjZDBiMB0GA1UdDgQWBBSC\nExsxYRDEj1Nz/JMho7pdikP3jDAfBgNVHSMEGDAWgBQitTTM+pV4zaQZxkSlZfAZ\naIL9hTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgEqAadFHKGeIulQARE9B01oU/vVQC++7jUzft0XUN4ZoCIQCtfi6r\nfx699Bsj5Wv94vDVsfu3aFVvoFe+5PXnZ4vTEQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUALOxM3nmRMeXRDGSKCy+n/yfO5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJtAzIRKSUK01EgNN7mbkpMUbNdxRMKBTnuZN/PqCAb7\nPRNMX4uBDiyeoEn81S41TgGAv1g/r819xX8avSl0IDqjZDBiMB0GA1UdDgQWBBRO\ngdIBCKswbw33P/YWNlvjjVtsnzAfBgNVHSMEGDAWgBSsWLGMs1tZwd6Cn8pxjccf\nW2nvSTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIhAP7gntIxlAbJSa+2Tqx0SxoqXdvbpKEoPJNYGhn00CGrAiBSGQmb\n7DGMyZdexedcEndPMMOLD9SZQ6pf0OprK2uklA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1841,10 +1862,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUT0jmyPMDPb/+s4MuKu8EV7XVvTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2ZqhSyxz9PV1KU+bWulsXOInD5G4OEbSKi4Zz\na1kSQ7FGcFpPfl3vGwfoitSKio95pxqixls+KgBLw4RaMdOuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/wSsSbbymoJMJYOd5yVz9GcOMOgwCgYIKoZIzj0EAwIDRwAwRAIg\nXdupys445JTk2rq1cjrAqr4+XVoNqZLHck2RzAnpZ1cCIAHlFeAW2BOd/3qXX73G\n+SvFzQGTa4RBZAoyTycaq6pv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX9vIHNzme7pmCLIIhtsNDiivnnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZe8D6Z0Se0fb9YsvVJyD0EHB8tLx0xG3BmsQg\nK2i06KGs9NcJQIV9oLLR7Ijp5weH0zkiQbi5m8ighy5RWeo1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmI+YySDxX5C8YQx3MlTVtqSEUCcwCgYIKoZIzj0EAwIDSAAwRQIg\nQkrtdVRhmiYc7N9c/cncOxdgVpWDbBUR7nTKQKkhanwCIQD0rodEYsBoUcVoMR3v\n+3ASkHNls7/fCBPX83dNt7Vf6g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLDCB0wIUDYxqo6Ak9by8t9vqq9DdQV84W3IwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5NjkwNTAy\nMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABMzJn7mtVV5UTn7LmrBJy5iNmEXOzcc/6B0sjgfMM/9FmVeYKcND\nG/BQdDpSGTqvP0krYDDh8Ro6HKEPtCe5+SswCgYIKoZIzj0EAwIDSAAwRQIgLUyq\n4KAlSDDLJ2ndIDZMEjZ2+S3+J8VDoli9ndue1i8CIQCFkMc5awr5VTtBX2g1dHnz\ni6UFyzWIwYr7QOS3SQdvhw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLTCB0wIUOu/cI8frHKttLrKH4L1Gw35IJogwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABFMzjGbKgxbDm3UomrTYvWIYrUn9Geh9Jhhs2lbpPH7NnavReHL6\nAsG0ZaL9O1KGmvHNFlfI0d+PK8WPXZSc0rIwCgYIKoZIzj0EAwIDSQAwRgIhAJXJ\njUNMReWuPGf5vsSzjgwHvLDwFZBx/FgfsFtIb6B0AiEA7RZMkNEz+U4Wtsk+F7wx\nUxz1GuEyEOiBBuKFJXqfBiM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1864,10 +1885,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBsA8hHkFjKgir9Be9rm+tgH0+DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1e17LH7jcChYw6woPXdhsj2NYcO58qK5JVIHO\nFyZ+zsHvVaK2wJeiWaj2Xt3irGYCmKS0P4mQy6mqNkFS9x7Zo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR5PpeUdNsBiftB0UCI57CrTfaXwwCgYIKoZIzj0EAwIDSAAwRQIg\nIN5LuWI8P0jlgN0sOLg7y+t5fU4A9AFW4danlURTtB0CIQCAwJPZjfdeH4O7lBl+\nzRQrG61oo1omq7tsJxT2mUMf6Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVWJ0qZ7RNKlYgN2llPD1aBYvDN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4wdYsl4hRFbqj72e/jXuZG7xWPtTE2IuH/j4T\nU6J53Wz3o4/r/wAvRrn8zCvrDOWtwOuT10J1RegCvdHxNRLYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURieuhD4gluez5Y9z0wamshaHxJMwCgYIKoZIzj0EAwIDRwAwRAIg\nPyIulZEhgbuBjeKYzi+VgrYAaprW9qxgjBM5ZD7aW3kCIBHyHvWOOdD0wDEZvUN9\n0kCXvHMQlnVgZpmTQd8TzVxr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUdL05dRF1O1VndV7JQ3dMIRxchdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFF7ftRZgD3PTAWbTx+vbJ0QrHkL7ZbL1PZSMi8nbzaL\npEtVfZa+QWL4+tonSOy6S0NSLZ0PHqCXXzG4bKrMnUejgYMwgYAwHQYDVR0OBBYE\nFGYvDm9r3af4N2oP//1JK3luCsloMB8GA1UdIwQYMBaAFEeT6XlHTbAYn7QdFAiO\newq032l8MAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAiX8FZe+p\noqIndhXRjnQflMf6WovMNLLamQWFARwl1XgCICHxNGY9DlIRLdJu/fCDCpxRVllp\nJarjvX31Lqsj1Z28\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIURmkMObz5sfOuR+7dMit2MC3lzC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAc1C+vV7u3jepkSVjo9FD0p9u9Pf+6OHB8R7/H0SIu7\n1MiCDEmSH8jXoWy3Fj1ib+UrRcTqyZOy7I7d8YTMRBCjgYMwgYAwHQYDVR0OBBYE\nFMXmIh2KvD4T3WY9YfddUewRI14bMB8GA1UdIwQYMBaAFEYnroQ+IJbns+WPc9MG\nprIWh8STMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjds4Mtvj\nVXnGKud2SC184qPfWvvmX179DaiF7ZGUh9YCIQDYZGGhA1Egjj5YEKUS1N2iovK3\nB03TM0hsyvO+OQVTAA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1887,10 +1908,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUar5DHt4vI4wFXbwwM8U7yAfNWI8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfHcV8yBNVijRteGYzIOrzKfeSDQqM15e7Eb/v\nTspXQaDtWDBfe2LU59ro4hYoPatydxI9ORRkp1fso/BHpyCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3HQLj/x4byn/cXNUxo/wqDRuSvUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOlE3ACcR3xpgHjz6AIH3hgs8SeptRNEFbwd53C5oT3AAiB5B7PQ96ycuKW0OZ/p\nUJqH2tyCVy+DZZXeY3jbJS4F2w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUC6eFChGFCiNSILImeq4+nT4P37AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtRsfFKr2GGq5SlEA0XKw7CabvNE2elUerjZMd\nponY/T+5nnXVYXdHJ3JLAlUKmKDkKid8wHKAZ/0FVNIBrp4To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2k5KXHnEpJuq52fpBRyxzCxp3k8wCgYIKoZIzj0EAwIDSAAwRQIh\nAMJ2ZfDCP2znsMgQBTSEAgsGWdXeb1YnkgKmvStJ2AXGAiAdc2UQE6hyP4e8VOBU\nIJB8yAGeJILw4QRclxyUei3Ztg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUHb33M7id875Kr/HaEYJcyGkKoIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNEtMUBB5Eds1jCR87yQmLA9enbz9ZqRhnBR+JrcQvQw\nop31lfxrfS93Gs8qIc1JyeJJ4BnHFmdMB64gUJEcHSKjgY4wgYswHQYDVR0OBBYE\nFFlYnoTIUVNis8Nu+67OdrGH8dpwMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU3HQLj/x4byn/cXNUxo/wqDRuSvUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDopT4N9AwUu9Zt7tif9ge67RYEOWx+UgmEM+u777ffRwIhAM4kOSi+DD5g\nodwWmS5Pxa20gb4oyMRS2vfNTLKR/Wt1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIURNIKauhpJulCIWK3c9nT3TK8A00wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCzMNPMWElef0+Ukp54YprJmbMUp76eYeKaiGjPXFXHg\njHw7vCtzbYkBTvL+Beo9lzBMHKs9Ud5R2GQydEOA3g+jgY4wgYswHQYDVR0OBBYE\nFF202XfQqppZrshQA2onbZGEr8Q/MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU2k5KXHnEpJuq52fpBRyxzCxp3k8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQD2qxpiGQSHIBBGuDpHZDxvqXeMcb7YeOt1i9W6ybQEnAIgPJxQnRFtZhBu\nJO5x/DJHZjffHuRM0D5GpCp/Och5pAg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, From 7546674c0c8835de812fe440fd9da2bf1ef78e41 Mon Sep 17 00:00:00 2001 
From: Alex Cameron Date: Fri, 10 Nov 2023 02:10:34 +1100 Subject: [PATCH 055/155] validation: Add `max_chain_depth` parameter to `ServerVerifier` (#9) * validation: Add `max_chain_depth` parameter to `ServerVerifier` * test: Bump `limbo.json` and support `max_chain_depth` in the harness * Bump `limbo.json` * rust: Fix bad merge * Bump `limbo.json` --- .../hazmat/bindings/_rust/x509.pyi | 3 + src/cryptography/x509/verification.py | 29 +- .../cryptography-x509-validation/src/lib.rs | 5 +- .../src/policy/extension.rs | 5 + .../src/policy/mod.rs | 18 +- src/rust/src/x509/verify.rs | 12 + tests/x509/test_verification.py | 14 +- vectors/cryptography_vectors/x509/limbo.json | 780 +++++++++++------- 8 files changed, 567 insertions(+), 299 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index c1ef852ee76e..47e8494ca6b1 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -41,6 +41,7 @@ def create_server_verifier( name: x509.verification.Subject, store: Store, time: datetime.datetime | None, + max_chain_depth: int | None, ) -> x509.verification.ServerVerifier: ... class Sct: ... @@ -56,6 +57,8 @@ class ServerVerifier: def validation_time(self) -> datetime.datetime: ... @property def store(self) -> Store: ... + @property + def max_chain_depth(self) -> int: ... def verify( self, leaf: x509.Certificate, diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index bf200f73a724..06bb42b91f15 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -25,9 +25,11 @@ def __init__( *, time: datetime.datetime | None = None, store: Store | None = None, + max_chain_depth: int | None = None, ): self._time = time self._store = store + self._max_chain_depth = max_chain_depth def time(self, new_time: datetime.datetime) -> PolicyBuilder: """ 
@@ -36,7 +38,11 @@ def time(self, new_time: datetime.datetime) -> PolicyBuilder: if self._time is not None: raise ValueError("The validation time may only be set once.") - return PolicyBuilder(time=new_time, store=self._store) + return PolicyBuilder( + time=new_time, + store=self._store, + max_chain_depth=self._max_chain_depth, + ) def store(self, new_store: Store) -> PolicyBuilder: """ @@ -46,7 +52,25 @@ def store(self, new_store: Store) -> PolicyBuilder: if self._store is not None: raise ValueError("The trust store may only be set once.") - return PolicyBuilder(time=self._time, store=new_store) + return PolicyBuilder( + time=self._time, + store=new_store, + max_chain_depth=self._max_chain_depth, + ) + + def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: + """ + Sets the maximum chain depth. + """ + + if self._max_chain_depth is not None: + raise ValueError("The maximum chain depth may only be set once.") + + return PolicyBuilder( + time=self._time, + store=self._store, + max_chain_depth=new_max_chain_depth, + ) def build_server_verifier(self, subject: Subject) -> ServerVerifier: """ @@ -60,4 +84,5 @@ def build_server_verifier(self, subject: Subject) -> ServerVerifier: subject, self._store, self._time, + self._max_chain_depth, ) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 4a6c71558ba0..c03c73997871 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -300,8 +300,7 @@ where // against the EE cert's SANs. self.policy.permits_leaf(leaf)?; - // NOTE: We start the chain depth at 1, indicating the EE. - let result = self.build_chain_inner(leaf, 1, true); + let result = self.build_chain_inner(leaf, 0, true); match result { Ok(result) => { let (chain, _) = result; 
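Review bot: The new `max_chain_depth` setter in `PolicyBuilder` stores whatever it is given, so a negative or non-integer value is only rejected later, when `build_server_verifier` passes it to the Rust side, presumably as a conversion error rather than a `ValueError`. A guard in the setter such as `if new_max_chain_depth < 0: raise ValueError("The maximum chain depth must be non-negative.")` would fail at the call that caused it. The docstring `Sets the maximum chain depth.` should also say which certificates are counted and what applies when the value is unset; the Rust policy in this commit falls back to 8. The same value can also arrive through the new `max_chain_depth=` keyword of `__init__` in the first hunk of this file, so the check belongs somewhere both paths reach.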
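Review bot: Chain depth now starts at 0 for the leaf, but this hunk deletes the `NOTE` that stated the convention and puts nothing in its place. The same happens in `permits_leaf` (`self.permits_ca(leaf, 0)`) and at the path-length comparison in `policy/mod.rs`. The limit is compared against this counter outside the hunks shown, so the shift from 1 to 0 likely changes by one how many certificates a given `max_chain_depth` admits, which matters for a bound that callers can now set. I would keep a one-line comment at each site, something like `// NOTE: depth 0 is the leaf; each issuer above it adds one.` if that is the intended rule, and state in the `max_chain_depth` docs whether the leaf and the trust anchor are counted. The enclosing function starts and ends outside this hunk.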
@@ -440,6 +439,7 @@ emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ops, policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), time, + None, ); let chain = verify(&ee, [intermediate.clone()], &policy, &store).unwrap(); @@ -528,6 +528,7 @@ nLRbwHOoq7hHwg== ops, policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), time, + None, ); assert_eq!( verify(&ee, [intermediate.clone()], &policy, &store).err(), diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 6433e9a4b386..a4396203a693 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -415,6 +415,7 @@ mod tests { ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), + None, ); // Test a policy that stipulates that a given extension MUST be present. @@ -463,6 +464,7 @@ mod tests { ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), + None, ); // Test a policy that stipulates that a given extension CAN be present. @@ -503,6 +505,7 @@ mod tests { ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), + None, ); // Test a policy that stipulates that a given extension MUST NOT be present. @@ -539,6 +542,7 @@ mod tests { ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), + None, ); // Test a present policy that stipulates that a given extension MUST be critical. @@ -571,6 +575,7 @@ mod tests { ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), + None, ); // Test a maybe present policy that stipulates that a given extension MUST be critical. diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index e4ecf0252e88..f5a177346f34 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -253,10 +253,15 @@ pub struct Policy<'a, B: CryptoOps> { impl<'a, B: CryptoOps> Policy<'a, B> { /// Create a new policy with defaults for the certificate profile defined in /// the CA/B Forum's Basic Requirements. - pub fn new(ops: B, subject: Subject<'a>, time: asn1::DateTime) -> Self { + pub fn new( + ops: B, + subject: Subject<'a>, + time: asn1::DateTime, + max_chain_depth: Option, + ) -> Self { Self { ops, - max_chain_depth: 8, + max_chain_depth: max_chain_depth.unwrap_or(8), subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), @@ -452,9 +457,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { let key_usage: KeyUsage<'_> = key_usage.value()?; if key_usage.key_cert_sign() { - // NOTE: Pass in a current depth of 1 here, since we're - // checking a CA in the leaf position. - return self.permits_ca(leaf, 1); + return self.permits_ca(leaf, 0); } } self.permits_ee(leaf) @@ -485,12 +488,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .value() .map_err(|_| PolicyError::Other("issuer has malformed basicConstraints"))?; - // NOTE: `current_depth` starts at 1, indicating the EE cert in the chain. - // Path length constraints only concern the intermediate portion of a chain, - // so we have to adjust by 1. if bc .path_length - .map_or(false, |len| (current_depth as u64) - 1 > len) + .map_or(false, |len| current_depth as u64 > len) { return Err(PolicyError::Other("path length constraint violated")); } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 1325c6d4b585..d8e8ab34ddce 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -9,6 +9,7 @@ use cryptography_x509_validation::{ trust_store::Store, types::{DNSName, IPAddress}, }; +use pyo3::IntoPy; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; 
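Review bot: `Policy::new` takes any caller-supplied `max_chain_depth` as-is and only substitutes `8` when it is `None`, so once a caller raises it nothing here caps how deep chain building may go over untrusted intermediates. If an upper bound is intended, clamp or reject the value here; otherwise the `///` comment on `new` should say the value is used unchanged and name the default. The literal would read better as a named constant, e.g. `max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH)`. The parameter's integer type is not legible on this page (`Option,`), so whether 0 is a meaningful value should be checked against the Python builder.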
@@ -96,6 +97,11 @@ impl PyServerVerifier { datetime_to_py(py, &self.as_policy().validation_time) } + #[getter] + fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + Ok(self.as_policy().max_chain_depth.into_py(py)) + } + fn verify<'p>( &self, py: pyo3::Python<'p>, @@ -197,11 +203,16 @@ fn create_server_verifier( subject: pyo3::Py, store: pyo3::Py, time: Option<&pyo3::PyAny>, + max_chain_depth: Option<&pyo3::PyAny>, ) -> pyo3::PyResult { let time = match time { Some(time) => py_to_datetime(py, time)?, None => datetime_now(py)?, }; + let max_chain_depth: Option = match max_chain_depth { + Some(max_chain_depth) => max_chain_depth.extract()?, + None => None, + }; let subject_owner = build_subject_owner(py, &subject)?; let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { @@ -210,6 +221,7 @@ fn create_server_verifier( PyCryptoOps {}, subject, time, + max_chain_depth, ))) })?; diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 208868654da1..0b6f1be6bcf4 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -84,13 +84,14 @@ def _limbo_testcase(testcase): if validation_time is not None else None ) + max_chain_depth = testcase["max_chain_depth"] should_pass = testcase["expected_result"] == "SUCCESS" - verifier = ( - PolicyBuilder(time=validation_time) - .store(Store(trusted_certs)) - .build_server_verifier(peer_name) - ) + verifier = PolicyBuilder( + time=validation_time, + store=Store(trusted_certs), + max_chain_depth=max_chain_depth, + ).build_server_verifier(peer_name) try: verifier.verify(peer_certificate, untrusted_intermediates) 
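Review bot: In `create_server_verifier` the `Some` arm extracts into the optional type again (`max_chain_depth.extract()?` assigned to an `Option`), so the value is nullable at two levels and the `match` only re-wraps it. Extracting the integer itself is clearer: `let max_chain_depth = max_chain_depth.map(|d| d.extract()).transpose()?;` with the integer type annotated, or declare the parameter as the typed `Option` so PyO3 does the conversion. Either way an out-of-range Python int surfaces as PyO3's conversion error rather than a policy error, which is worth a test since this value bounds chain building. The function body continues outside the hunk.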
@@ -277,15 +278,18 @@ def test_subject_bad_types(self): def test_builder_pattern(self): now = datetime.datetime.now().replace(microsecond=0) store = dummy_store() + max_chain_depth = 16 builder = PolicyBuilder() builder = builder.time(now) builder = builder.store(store) + builder = builder.max_chain_depth(max_chain_depth) verifier = builder.build_server_verifier(DNSName("cryptography.io")) assert verifier.subject == DNSName("cryptography.io") assert verifier.validation_time == now assert verifier.store == store + assert verifier.max_chain_depth == max_chain_depth def test_build_server_verifier_missing_store(self): with pytest.raises( diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json index 4e1e5505da85..97fcc486ffe0 100644 --- a/vectors/cryptography_vectors/x509/limbo.json +++ b/vectors/cryptography_vectors/x509/limbo.json 
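Review bot: `test_builder_pattern` only exercises the success path of the new setter; the `ValueError("The maximum chain depth may only be set once.")` branch added in `verification.py` is not covered by the lines in this hunk. Adding `with pytest.raises(ValueError): builder.max_chain_depth(8)` after the first `max_chain_depth` call would pin it, if no test outside this hunk already does.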
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaB3gtVyLYrd5t9jBlN05Cw+eAqwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJUqZTEMKi+WXbZJFK5Rs4hL2dG1L33qn3bTnf\nIilZjrr4uelN9WCsakklGzxBecBMnU9CDBQXfqnkzMRkHxwAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIgozv+z08jEJpoD6IEw+dl0K2zkwCgYIKoZIzj0EAwIDSAAwRQIg\nec8NqnrEZQ5iIwvXkq/9HxrTAQ88qoWwIrmcNHsaqhYCIQDvAuqKPFKW++y19kH1\nhNpW9pYZx+0QOREINhqN7JAxyA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULQQ1ynA0WIBrn5llsmmzDboRyKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7V2AHGV1xRZshNhZyZz0AohbJ2zrhdSzLQi9u\neNCReTHc/hwQbWWpUXfugaiMqLFXxpnzjJEnJU5LKrlnVzyho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFG6umju93B3Af0tTtE6BPbxpEgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAO3S1BqgqivstZx4103j33wIdGUuuVSyjQmjwajNfxjKAiAxtL0kShu66iCGD6wU\nshyUHGBwghHJrCnXHq7Y1YbHww==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUDYaVT/pIAlqPmrbNLSx57KQmbOgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1OTQ0MDEzMzY2NDI2MDY1MzI2NjQ1\nNzU2NzIyODIyNjE1MzU4MDEwOTc0NTQyNTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD6jTI52Rb4KUj1hggkA/WjGKVeIzlol47mFKiIF2lrDU4eA1tufQF/r5pqbWWoE\nMQyOT50sjaFEQAZJ0209PFujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCIKM7/s\n9PIxCaaA+iBMPnZdCts5MB0GA1UdDgQWBBTMF/Mj5GIYMe+zYsD/jCVTLCjCvTAK\nBggqhkjOPQQDAgNJADBGAiEA3QFB71LWsOp59t0TGVKcD3mfU6tCyspgYfW/neBT\nONkCIQDWKTiZZqYVyS+LHufWDYZVtqh+BoInrbPQEkdoXdW0og==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCCFIlXMf+gVCQqeZzcwIByD/q20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyNTY5OTg0NzM1MDUyMDQ3MzIzOTY4\nMTE2NTk2NzEzMzgyMzE3MTEwMDI2NDI1OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCKleXXd5bzSqwPdIxXJIyWxi2fK166SBflxzMbJzEmg09agaMIuUpBkN/mTdkLz\nc6z278wHtokFqAKDSdcKWCSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBRurpo7\nvdwdwH9LU7ROgT28aRICMB0GA1UdDgQWBBQ/p9oo811Gw7Jzn8DhZioZD9TnHDAK\nBggqhkjOPQQDAgNIADBFAiEAwkPaPTzI0kXqTEsmPaRofbLSVzFocvZROsstYpt7\nRJICIGRSJpRFEO8UbaE7tHwdQcCtEDDORnKxC84U/oZ5jCNs\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUDJm6FD/xItB9Q9HmOL9yvsZL0f4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTk0NDAxMzM2NjQyNjA2NTMyNjY0NTc1NjcyMjgyMjYxNTM1\nODAxMDk3NDU0MjUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWiS+\nCTJoPdBlMQPEkIhHqX7bFZpVcQ4/etxsBJupp9t+fUn6BlRYQ+/BTmRsaZTelxGg\neXqp9rQZHztnlAErZ6N8MHowHQYDVR0OBBYEFOLNKTWxfDEK8bCMO4i0w7wruDe2\nMB8GA1UdIwQYMBaAFMwX8yPkYhgx77NiwP+MJVMsKMK9MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAhvP0qCg1YAFXlxynxbEC6X6dJ0qlL+x9oX/LOYCeRoMC\nIDcbds+yjScXpMua0vbsyjqEeFgsdMvxtQGEdwFuplRp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdPjE4c37d3vr9xCmVJDqNt8OBRgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU2OTk4NDczNTA1MjA0NzMyMzk2ODExNjU5NjcxMzM4MjMx\nNzExMDAyNjQyNTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf/Dk\n89Tw02RWp6Kr7GPWIUHuOlB5nwvc9wgWj1Lilas8Y7yIcScuVFwGIwDgKeTEveQM\nYI39WjGj3m+jCe5bD6N8MHowHQYDVR0OBBYEFBh9GDzl65gmLK/ibYeViEV9xpPD\nMB8GA1UdIwQYMBaAFD+n2ijzXUbDsnOfwOFmKhkP1OccMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEApMvpZoxvgdojXhpPo84QAvSgobUPUMDuDAVskI+QbtEC\nIDNWUlj/JHRBHiZDaJWJd+v7vE10O81fAuoOKIs3auyg\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -22,7 +22,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::ee-with-intermediate-pathlen-1", 
@@ -30,12 +31,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUayXFAXlWypOwdKJHJ1AZTMpqWqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6jaWJZxzBnSbTPb/h5lCToweGu99+/KzMMqWA\nWm7no1H2YV3GurtLzaq5KZ17c6n9B8bYIqPGnq7LVnLwx8cjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7qoThq1eZaj3bzuwxlyDuVlDMSMwCgYIKoZIzj0EAwIDSAAwRQIh\nAL5BZ3kdy42D4ahEZv6wlFAdFMK0jI7TV0CkmMMsyD09AiALFnFFTEgaIfnJyxlt\nmzmgW+193dCPG1t3j4W77LlTRw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNbYMjzp3Ohl90NuOo74xplHC7HcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1hx3YEsooEMqAM2IdDkMnTth3C0gh0GJuwDNR\ncUu+L81Lig46m0n3fEcF6Pc0EmpOIuTC3hqXJpxsXhFPtVRoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSja/YkKWYZRdVH1lFLku4C9SVp8wCgYIKoZIzj0EAwIDSQAwRgIh\nAMgXM9HrA68tK+ghZflWjyBn4CPgW4PLC3RRLBRAi1TqAiEAmvuUD4vZx1Py3OoU\nfmKIUcvHvyuStu62LpVY7HHzZso=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUDHpAyApR3GpH54hp/xEDQ+Cu6cswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA2MTE3MDQzMDE2NzIzOTQ2MTk2MDY0\nMTAwNzEzNjMyOTk5Mjk4NjY2NTA2NzE3ODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIqWHXCLt6eMV8rvqMFWEPbuHJ+aJHLJlcg8QYbtjvx4ON6gXi5AU5yiI95x8TEg\nXYTlh4ICuPZkApvO7ool1sWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFO6qE4at\nXmWo9287sMZcg7lZQzEjMB0GA1UdDgQWBBTgcdYstKkjQDTsBVZcsQ0atMpx3TAK\nBggqhkjOPQQDAgNIADBFAiEA0h9ooaF0gUyOmRB92ygFBMlOXvWyWtoh/Fr79i7t\nqfACIA9kunTPcOPRyJDDhAbsP5882QzLkAF9lAvgnIcBlRvQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUVo+nxZD1YpdvVBslBy/8Q4PM2ScwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzMDY2MzYzNDA1NjUzMjAwMDQ0OTQz\nNjYxMjAzOTU2MzExMzcyMjI3OTkwNjAwODcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC3jp2C1e/ri9qXhUVyx36ZRiOrKMcdX7/sXIDkb4KMjVMqp+S5Tr+l7IZxPWrEv\nnG/yKzV+QNKDB0frpZFjFKWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEo2v2JC\nlmGUXVR9ZRS5LuAvUlafMB0GA1UdDgQWBBRUg66/2l9pw1zGlsibL6jp3EJL8DAK\nBggqhkjOPQQDAgNHADBEAiBqpFFPBS2qOCvvRHJok7gk0aLDokbTZA3TXc+WA2lJ\nmQIgKZ0+Rrx3adwr/1X+XMxygBVtfztbLSX34ILgeNLBtco=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUBhzbiyuSfW/8BLm6+7Z7KmV2bk0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjExNzA0MzAxNjcyMzk0NjE5NjA2NDEwMDcxMzYzMjk5OTI5\nODY2NjUwNjcxNzg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETEm7\n9hTCYR5bQz1KzSMMBW9NJ0ah1GSdw7nWBYdAo2pWXE7O18BUd10D3jpqRctjt0WH\nFH3OmwecCVCO9QCCuqN8MHowHQYDVR0OBBYEFKcsjbZZssPTO3OlxQqJuBdAaB59\nMB8GA1UdIwQYMBaAFOBx1iy0qSNANOwFVlyxDRq0ynHdMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA0Qzj9DTQTwsiCj6QJLq0zWUWAVhuVWs8d1SrVP7WyDEC\nIQDJ64Wm7dZ5uQDRF5VpIvWPcZxSitS2RgKg8i7LgNxGdw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUChr0m1XpfkRp7WZOSB5ojwahuHMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA2NjM2MzQwNTY1MzIwMDA0NDk0MzY2MTIwMzk1NjMxMTM3\nMjIyNzk5MDYwMDg3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOsDJ\nLrVeQHjpphSNtyHUHsWkwGU6KccRm8eSUw1/rc+BFdg6PN72If1eXuzB73KMNDDD\ncc+DXHWDlMerH4Tk86N8MHowHQYDVR0OBBYEFC5U5B9SbaQ/FmmnMwmrl1O1c4sm\nMB8GA1UdIwQYMBaAFFSDrr/aX2nDXMaWyJsvqOncQkvwMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBWY332+yk7Vr9fPs/pSCg32asE5wk3ec1F40KkeSlZ/gIg\nAvV8o8w1Ap7OzIhvXhWBVB1aTB21/hiE6g7vw6xXSaM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -45,7 +46,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::ee-with-intermediate-pathlen-2", 
@@ -53,12 +55,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSWNLRae2h4yfflSJ6ihzR4Zz7zAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZVTExkz6LFebQdFCcHBn5pOAjhshREHjoX39p\nhZElj89Ptld2eLRjf7gdRY7CqvwTtPxifFQrp1e+ER66hIcRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMJXOxwaCN7a1fJgb+2yQ8eoTVccwCgYIKoZIzj0EAwIDSAAwRQIg\nL6gG8p3vUBe96wNv72VumJo5K1LTmClYO1uinxN0tSACIQDi203/ggnKgChL35m8\nH/23fuFqxC1vJ12iZFng5TjNlg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVzMGlc73AaVnUvuezE6TZOM1beIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBeNL/jaoWXyRjGbYrA5RhFaZRJAr6Z31seLUM\nK10Nt2U54XpaQvi9JipxeURw/k5Vfen15IIgHvfjqBxYvcuuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXliaTMvYV/1l0V716Lx0ngWn83YwCgYIKoZIzj0EAwIDSQAwRgIh\nALi0ndVA/XpoxaT8aFYxX5vLaVh0WET2HgbtYUOpf5ScAiEA93YnbHOKnhFeEjhj\n1KRg847xiWE5m3z8AORmI0sKw0A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUdveox5mQZp575EXU9bKL2w3d+wswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA0MTg5NzA2NTcxNjg2NTE4MzkxMTQy\nMTgzODk3NjcxMjQ4NjY4MzQ5NzE3NTAxOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDm0wpBrIcjG48ui69qch5l+0Uiih5GR1Q60BiOsOHvAwJvjy1OPSwXec+oT11TC\n9P1p2hD/XEzxLulILXlF2OajezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDCVzscG\ngje2tXyYG/tskPHqE1XHMB0GA1UdDgQWBBQt9EhRfXzjzVa7o39HHGRHGMTaVzAK\nBggqhkjOPQQDAgNIADBFAiBEG13/SOlwi3kGhGHqU7dP3+8m6b2u+QBwzG3uz+os\n4wIhANl2uh273HuetjKw6aaDk8gh59dM1bo1wGOqiL29dO/r\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGo9OAXmae6IKfei4k+yyp+QqR2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0OTc4MjAxMDg3MTc2OTA4NjAwMTI1\nOTcyNDE3MDYzNjE4ODIyMTE5ODMzODgxMzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHfxehwWRY9jsUEY8MylF/3t4IqQCmhwQDnhTlQvxRsWo1gsjMrkGFwE5Ms+xd4U\ninzF4iZmP6zPlEWgjfVyF8yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFF5YmkzL\n2Ff9ZdFe9ei8dJ4Fp/N2MB0GA1UdDgQWBBSqZGm3oG5Um8Ti98PG99+0jHp1CTAK\nBggqhkjOPQQDAgNIADBFAiEA3jkcMfuBlISoLjwOuWN3WIwzvpzdUW8J3DJ76vRd\n+R8CICCzd16boZQro+Sw6mcQOqur3Bok1ptpX8o5K4nL8MM7\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUXJg9nLZmyoXk791pj20+HPOeU2kwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE4OTcwNjU3MTY4NjUxODM5MTE0MjE4Mzg5NzY3MTI0ODY2\nODM0OTcxNzUwMTkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0diL\nnhrzHR6SezoWE3GscI6g4ZJ7CRCDfUC1y6298bk4vgreGnWB1kAzV+znQOGlj084\nznRw15Q7o14UaZgLFaN8MHowHQYDVR0OBBYEFIEqlFxYXB/AX+7nCqYgS+UhMwIP\nMB8GA1UdIwQYMBaAFC30SFF9fOPNVrujf0ccZEcYxNpXMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiB9fnMPCyP2l837xmAVUcz3UHhGHh+NGpWHriw7uhbuNgIh\nAK4egItCXPjgW952prJifYjQ5lzuSuQXAM9khvmby1Yn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUUGKMmVeEA+xHWk1bxWQtH51AiMQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3ODIwMTA4NzE3NjkwODYwMDEyNTk3MjQxNzA2MzYxODgy\nMjExOTgzMzg4MTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaslr\n7U5IWMZe7kM/Qpp85PtKC7tH27vKe/qtkBeMwrEAC2ab6/vHsa6BgMK3B+mczoVL\nf/EMAptY3r564zQR3aN8MHowHQYDVR0OBBYEFOSfS4XdiJs+NpXWiZ6PJEr8Tfii\nMB8GA1UdIwQYMBaAFKpkabegblSbxOL3w8b337SMenUJMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAqd77YPnvsQq4myYG0eBRpwjNGIbIxqBc7i+eeLA3J/IC\nIQDmBW/kuCKeirtdbtiLF/m6HEkNVugKxKHYPPGylTGBIg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -68,7 +70,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::validation-ignores-pathlen-in-leaf", 
@@ -76,12 +79,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOdqOeDzPjQE9QdFVPebLFZ3FjeMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhM6m1PFRc8HUjkI8+iA0xVvTcQj2iFdLrlOIo\nvoHtT5xpRE6SJ7+jciQm4Ck3ixXOGl50LI1V+SHObYWBmPUYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeyP2gHzvV+Ts/yp2k5xosUoxTAUwCgYIKoZIzj0EAwIDSAAwRQIg\nazsytfT2Ts70B2UuTcWvya36F8hVzcnM7SYlV129WrACIQCFeeQsPkaNDr5GKfW9\n3Fu/jS7F203gphshDN1zFsz2kg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUU5p3TmVK7kr0ooDJbRUAPfItGv4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpsK7H0/NRGFr7loGzGYKJ/G5WxfIcn03B7/hv\nvbbG5Vw3rLqgR8DuKRF6hSyoorB0N3pPJLHEa07bxDZrGBcTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTO2ci65w40HP50UxDrv7Zy192YAwCgYIKoZIzj0EAwIDSAAwRQIh\nALOVEtAXIOY765y4QOB9ypkB70HjZOxrvxCHSIl7LEF1AiAlYKJHW5LE2gg1iV/w\n4gAiT8htGrxUYb8lg3FQ6NAXZQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCyeg+Zkrf5pB5qdJZi+5UmiYwr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMzAyODY0NDcyNDk1NTYyMTQzMDg1\nMzU1MTcyMzQxMzg0Nzc3NTExMTA1Njk0NDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDdyoBTsu7R+xxrtGw3m33YBEa6PcWZR2gea6MMh/RQo8jn719P92XVqQhIOS2ZR\nxZqJsqiFb1XEhrArwSiIH/+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFHsj9oB8\n71fk7P8qdpOcaLFKMUwFMB0GA1UdDgQWBBRbB2ahT7V2aCbhOLQYlNntdvarCjAK\nBggqhkjOPQQDAgNIADBFAiEAodYTxHBN2eY8t0Cb/bDH8nqymhuiH7F1ydtJplEM\n+B0CIF2CtG9D6TxPL29c17rPXwaR3faCJx5mOuJ2O5VUlbX6\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUaWpE5uKk7r6xXu10SePJCjxlPOEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0NzcyOTA5NDE3Nzc2NDM5ODY0NzE1\nODcxMTI5NzcxNDkzODcwMTY0OTk5NjA1NzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJNo9roYaE2pUHE//eBRoqKldCLwGlhKrcQ//w9DjM9uKH3VuYKy4twPoEfnnd8d\nS3iC06+AYt++ciucWlcVZK+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEztnIuu\ncONBz+dFMQ67+2ctfdmAMB0GA1UdDgQWBBTIzo6kDjq4VTUJDEvX9dy5A5AwszAK\nBggqhkjOPQQDAgNHADBEAiAifKcE+PhtKDCYhOCl2nSf4ft517ttQN251YzXDtOX\n7wIgE/kB3fh/7RlDwTlYMwiJ2QXW1S4Zz61svCJ/Z9Po69g=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUYR7rPyMfHzFJm37BoGjDZa2tQJUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzMwMjg2NDQ3MjQ5NTU2MjE0MzA4NTM1NTE3MjM0MTM4NDc3\nNzUxMTEwNTY5NDQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzYzNjgyNjUwNDQxNDYxMTE0MjI5Nzg2NTIzNTM5ODQ2OTA4NTc1NzM5\nMzMxMjYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATraf9ISPaqljvs7L9vsdPbRmTL\nnIBlgvHshe63+w0+tYGqzYCsUJUBkc9cbbLdjfYN1KKQn8iJ3xSu0taqzwA/o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRbB2ahT7V2aCbhOLQYlNntdvarCjAdBgNV\nHQ4EFgQUsXXjycNKgEdMXIowD1VdUXLbbd0wCgYIKoZIzj0EAwIDSAAwRQIgTN6g\nNz7rlFW14vb2KyxDwebCsacWM4HiqS2CxUFMSpMCIQDxfhIffle2NL8oPSY1b2N7\ndCIXWwP00pekfnHccdqtGw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUARX0CwgOKcYEBzZLTh5ZbfLpS0EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc3MjkwOTQxNzc3NjQzOTg2NDcxNTg3MTEyOTc3MTQ5Mzg3\nMDE2NDk5OTYwNTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDYwMTgxMzkxMjEyOTE5NzA1MzY2NDAyMjMxMzIzMzU2MzkyOTU2MTgy\nMjIxNTM5MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECnVpk4APUeuszTs9kHLoYxHn\njWwPlhZbOGruJyxVEzjlK1IDKkuJjbvniy1wjTB7CWmQNsnkPq3nOaKSGTQ2o6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUyM6OpA46uFU1CQxL1/XcuQOQMLMwHQYD\nVR0OBBYEFA2+oZRHEfCvGJuDWpPpQ1rpirTLMAoGCCqGSM49BAMCA0kAMEYCIQD+\nBCIVSQP2llmg6vULYYLTCbz5yavRX3L73tDg7pj5BwIhAOSD1+MaJBs/Bw8BOnll\nMA6ghIY6U+FD6YtR6Db6DU9S\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -91,7 +94,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::intermediate-violates-pathlen-0", 
@@ -99,13 +103,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNZqgzYwN3RapiWXKGUS+93oHN/wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQ6UvAkZDjcMeSU1EjhGU+ejqmB5SigLhU/XeO\nGFfDiogqcBUUsWffQ7hS/bxncuuIfuf68Vt922N6KD/RoeHRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlg1NRbI3feJVx6wOoKRrwyjd1NswCgYIKoZIzj0EAwIDSAAwRQIh\nAPDZeEKO88tXEiB/2pRfb6035CUqN/yU3LtxHh5P4C3JAiAL138/n8+Wu/Kd3rPW\nUuX7gRyCblqCvwrxDh4suTjtkQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOjsrHweuyrvsswYkRuBj7dvDCjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhEckttOFN7V0TC6UzZv6//B3QXBHCMk9K0llx\n/PD02eg1Z1KoWGpwq+9/ulhVEYOjLuXEvAzcpOLqzScM4AH4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhZ/oSpCgr//LLldBfLPq2+CJi0EwCgYIKoZIzj0EAwIDSAAwRQIg\ndd90ZbfS0comBYFYcUDb+ecShQCkr1vnmCm5BztocoUCIQD8VHNrNrYPHCo608wt\neFLuPui4NEUaWbDocRj62krc4g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUAoZBn7ui9AiOmCY9BDBghmt9iJkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMDYwMjQ4MzM1MjQwMzU0MTQ2NTcw\nNjE4MjM0MzU4NTExMzMyNjk5MTM4NDM3MDgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIzL4t0Olpvm+zgWtAjfDpTeNo6AgdpWF5XGhHooWBAfJ8Dg2E5dm+Su5O5Vf1aG\nbulz/E479BZEQcdxZ5rAFLqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJYNTUWy\nN33iVcesDqCka8Mo3dTbMB0GA1UdDgQWBBTLXBVgBKDwxvTzOiOvGAT1zx4y0DAK\nBggqhkjOPQQDAgNHADBEAiBVxLxIOFVHOt1+ttYcuafgdMeBgvEMq40c+xOe54eh\nPgIgDLUDVxji64MmQGW5V0Qgw0X0zoV9/YgxTFCFX/VR00U=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIURAX1oRubZxfMEKcIZTub/+TH+qYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA2MDI0ODMzNTI0MDM1NDE0NjU3MDYxODIzNDM1ODUxMTMz\nMjY5OTEzODQzNzA4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzE0NDExOTk4MDUxMTQ0NDI0MjgzNDQxMTA1MzU5Mzg1MTAwNjA0MjI1\nMTk0MTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQq1BBBfnzrkb4gKE3tbM3cnTRf\nK3Zn3Xk54h33a2AYG3/y4kWH6wN26ofDCEBODvEJFkq6D6xBvLyu9Pw5zn0Ho3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTLXBVgBKDwxvTzOiOvGAT1zx4y0DAdBgNV\nHQ4EFgQUvVIWkTVyFIFc3jbBZJJgDKjd+iMwCgYIKoZIzj0EAwIDRwAwRAIgXO9J\nA/kY9gw5hVuns0KeqkaPmpPLd46Twyb4UkkYcScCICViQ5EKwX3ge0NHzey+jSTB\nBes+w01/CAHNEtfcFG6J\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNzeYPIiLy1QSDt4LWXdgcOmxoXkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzMzI0NDA5NjUwNjE3NTY2MDY5NzAx\nMTE4MTI0NDgxNDU2MTc5NDMwODA5Mjk4NDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBG7oq7ln4l2GvCFmPISKNt0a01tW4AIuTGTj5G7uSyjBxSKI+Nn3LE78COl2TZ0O\npwQoB21Bazn+nPIrttkSvv6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIWf6EqQ\noK//yy5XQXyz6tvgiYtBMB0GA1UdDgQWBBT/9soL+N+O7WYi6MeX2T4UvzG7zzAK\nBggqhkjOPQQDAgNHADBEAiAVgiCdPcrtFoT17kzc84ZOSFknhWfBDSOW6K9YYY9D\nIgIgcF/tQvQ1LJNzSM8hUGUvqNiYYjGf47VZp3wMOf440IY=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUZMQFXNmBQIy4QL5b+f19TM6gbL4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzMyNDQwOTY1MDYxNzU2NjA2OTcwMTExODEyNDQ4MTQ1NjE3\nOTQzMDgwOTI5ODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDMxNTIzNDI5NTA0NzEzNDg2MTU5OTM5NDI2ODM3NDY0ODI2NDQ0MjU3\nMzMzMjg1NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ1LbnZqNSNDWR5WukxM0Kuu2\nEmpo3pP3CKnwbb2M5ILUjPsIkoYxecJBYnHCLOcPq4rhBK74gPKZgZyOAwLE/aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU//bKC/jfju1mIujHl9k+FL8xu88wHQYD\nVR0OBBYEFCbv56ZAWS7POnoyd48JGzNTrIWEMAoGCCqGSM49BAMCA0kAMEYCIQCn\nwIX6SGR9CF8MtFdGqD7SZDT6CC/59KLovDberc5itgIhAKTMxa83jPgic38s+ydV\naj/+Rw0GE/C4WcvH8Jrc0JsG\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUPreoZGPUmCBQZg8NdAhbTt1C0IgwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTQ0MTE5OTgwNTExNDQ0MjQyODM0NDExMDUzNTkzODUxMDA2\nMDQyMjUxOTQxMzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARODDN/\n6brnKtCEtum32ChlgTjn5fFC9luoEpD9eDI7t7bvIghoaGgZaZzB5dfX0vIH0YGV\nG3tUzCOPAWb8lmXVo3wwejAdBgNVHQ4EFgQUkxyhKs1493wCvmuWhJtIECtJaNMw\nHwYDVR0jBBgwFoAUvVIWkTVyFIFc3jbBZJJgDKjd+iMwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIG2atVxg3E+1kXESy3qs1nQ0JSklZHndTp0s6eoxMaMJAiEA\ntTkTvEy+jEqVV1bQZYfatL5gbl3bVIXqv209jHsfxF0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSCASYPcuKazQo2IrwNGHvzszMT0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE1MjM0Mjk1MDQ3MTM0ODYxNTk5Mzk0MjY4Mzc0NjQ4MjY0\nNDQyNTczMzMyODU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQR4L\nUY3gr38j0d8BISAwIM5VpIqXBnU/4oSA7bbyucFsYeU3maVQnPdEuXdoYUM5o6O3\nCISue12SV/+wDPn6D6N8MHowHQYDVR0OBBYEFI0kb4GvoPzzORbma05DVbjz68e2\nMB8GA1UdIwQYMBaAFCbv56ZAWS7POnoyd48JGzNTrIWEMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBLsFAxj5g9i79yNdc5LfZQ84A0S//0MfC+wR4ZmB0yqQIh\nAIIeicClAtubQgmSSHA1i8VuNbSjSq5Z/Nc49N13AErj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -115,7 +119,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::intermediate-pathlen-may-increase", 
@@ -123,13 +128,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOHR6StLF7ct4jLN/sztY8R247MYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoRZOVc+/hVYgu0S7UcUy8MCMAF+9af6pVCxo/\noF1OX9JkjmoXBOCscwkNUY+WR/NEMexfCVITq3RTKpdwOKc/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIvr2VtUECuIZkALH8nsohk1RbtkwCgYIKoZIzj0EAwIDRwAwRAIg\nR8Y98kzO0SBYK+3SyW4MOtaIpgM8gWUuaEDinBzJUTYCIHa/g8klmSbVAq71XhH2\nkjqzaFHdHowHrmOuRvaVCpT0\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBCKP606KU6P7Cosk31AgJY1tg7gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWJVzVszfQEjYu6OBA3xJLCR3b/bNqAxrnltwk\nd0gS5G86YDjO4KmBWYGhF1MKObVeA9X5wHhVTcRy3GIBmaHxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURhZ0koEvJWWJO4/NhBUySQEU99IwCgYIKoZIzj0EAwIDRwAwRAIg\nSlH5XlmnfTFbbzyTXFTrSiSiVqGhggYrV8QKSv/xEpoCIGHVSxAv6kzq5BhWsZi1\n8Hv33SfzZNmFB5bEA5Rs8Jur\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUb+esFA3iqTmQ/KnRbURWocBr0JowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjIzMDEwMjI3NjkxMDg5NzcxODg2\nNzY0MzM1Mjg1MDQ3NzgzNTE4MjUxODU5OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPQ0gbiHkzTIcGePWSFlbUwB4c0rkdAm8nFJiub+MwZ1VJx2cO4IK5REFJwGgMJk\nGkx1PmmtwFOMYWVRbfTm9UWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCL69lbV\nBAriGZACx/J7KIZNUW7ZMB0GA1UdDgQWBBR/44I5XLiId2BMYaqN+1bI3CdplzAK\nBggqhkjOPQQDAgNIADBFAiEAr8EKkRGrp5jlc9Yx85dPPE1izfn9t8MtYeZpAfCT\nJZoCIH4Km3rSKJDvQ0AzPXPuUBmR2kHolXGfPlL3dsq3W1c5\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUfvohXNJDFQPKqFbCT+NUc3Jb8B0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzIyMzAxMDIyNzY5MTA4OTc3MTg4Njc2NDMzNTI4NTA0Nzc4\nMzUxODI1MTg1OTkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYzODg2NDQzNzgzOTU5MTIxNzY0MDA5ODU2MDQzNTkyNTY3NjMxMTU5\nMzA3ODkzODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHkFcwz4koGLmKrkvwwByMAQT\nWbCcuEwAkNHb3Fis5SA681dzA93TFjKSRmdB0gcIUKkzpWq9iGN7qVpjE5h6IqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUf+OCOVy4iHdgTGGqjftWyNwnaZcwHQYD\nVR0OBBYEFA0fmtjTnxB9csx1+ZFCc4RdlO1BMAoGCCqGSM49BAMCA0gAMEUCIHWA\nU0Z4p+IVD9reYsMRCddgbzeGZe0Q2PspQLJqaB4jAiEA2oUgdLST3Oix4aYbqADM\n+wIavscj8CmhXdSbQ+NdSRs=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUBOBbByV8Srw3UK3lDUiGYiJNKYkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC8yMzYwNjcyNTU0NzY4Nzg4NDQ4OTEz\nNjQ5MjA2ODU1OTAxMDU2NDUxMDk0MjEzNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWAKo8i6z38q7iF140ZRA765jIIo8F+plPLDzXLVheGL7nw/Z4cH0gysiunA3Sw9O\nU9A8eUFn2SSjoOKkELmlhKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAURhZ0koEv\nJWWJO4/NhBUySQEU99IwHQYDVR0OBBYEFNkq4Bhlm/WfCD6cPGO1kivFPZ1aMAoG\nCCqGSM49BAMCA0gAMEUCICVax36cvJ3QLeqWtBv9ZCWruOnAyMHeaeM/0EUgKAGu\nAiEAhOMKXI6946kYYoYzfDpozzyRkTfVGZJOTXG09nze4+4=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfGgAwIBAgIUK1j1Y66zGhFNGtdyJZb6BkHsGwEwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjM2MDY3MjU1NDc2ODc4ODQ0ODkxMzY0OTIwNjg1NTkwMTA1\nNjQ1MTA5NDIxMzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowZjE4MDYG\nA1UECwwvMjc4MzkyNTk2NTc1ODkzNzI3NzQ0NzUzMDMwNTE4MzM4NjEyMzA5NTQz\nNTkxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDtMbGGDH/9CGvhKS2R2rg2z7Vvz\nxZJopJqBOZXK23fesR087xr5eDKNgFNj1WoJff4Rh9YrPjX/mD09BExl9RmjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNkq4Bhlm/WfCD6cPGO1kivFPZ1aMB0GA1Ud\nDgQWBBT5v8KyTq/VojT2Q4XAIX1/m8ECoDAKBggqhkjOPQQDAgNJADBGAiEA/Dt+\n60ndmq31nmkBLi4Pb8sktAGWbjE+MHuDgE1XbBQCIQCVTR8ElT/iAEY9MAldWiFU\nsQvccnkPY1r91wFFqr+hPQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUUH9INL2EtMsHrwkXsLBp/pJT8wwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM4ODY0NDM3ODM5NTkxMjE3NjQwMDk4NTYwNDM1OTI1Njc2\nMzExNTkzMDc4OTM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElGch\nKXf1tbzl5MPiWShBlUgiJF2isP9KYiCe8Q+SIO9xoZbdlK1JGbgVXTHCGTCM34rQ\nf6hK2xodDa8FnKxkzKN8MHowHQYDVR0OBBYEFARL9wCvlCZRFCLjbV6iA+zkVVcq\nMB8GA1UdIwQYMBaAFA0fmtjTnxB9csx1+ZFCc4RdlO1BMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiB99VYw3FFAlfDCEFu3RLWyoSVr/FH56gawmch/bGXXpwIg\nUkyikEYTXKzkL6HXeHRSoFIhnXPwlsxPH8qHNExT2Fc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUTfJyqiY2Qv1CA78ng9Zn7kbgtc0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjc4MzkyNTk2NTc1ODkzNzI3NzQ0NzUzMDMwNTE4MzM4NjEy\nMzA5NTQzNTkxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATaETgG\nW8u60VyC63bj4Nj50d2kwn/JrsS/ZDmT5sdFg1/YVltHKSlyrprd6ITGTUfuDFk0\nLLf7SZCTkP2Ep/jpo3wwejAdBgNVHQ4EFgQUugI9UqD85aHhhhV2q4QTa5gnrIYw\nHwYDVR0jBBgwFoAU+b/Csk6v1aI09kOFwCF9f5vBAqAwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQCF02KUa7imdCnCdiDCN7rNQGHqPWLpn9AI6/Q7kZUswwIg\nY4dVpKr1hFRyA0gVeYCTA9Sb7p2TJTKqdteP8KfDlVQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -139,7 +144,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::intermediate-pathlen-too-long", 
@@ -147,14 +153,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXK8evng2WA5nBOReYGQnWvd4r+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQZoPf4ighEnqpC9C15vIjDyyD0xbpOmpYxE0Kz\n3q6Kpoozun5lA5TYR0CmY1E1egnBHTQwrMSMl1SWx/H3i1GVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrWSeC7KaUlo/UhG7ihNuslktHuQwCgYIKoZIzj0EAwIDSAAwRQIg\nPjokj1CNl35CiRvxO71VkRD7vyludkYwfrkpmL0LgAcCIQDxGIh0Jm/lSjlawG95\nWP6/UKYOqUbq2KSJBp4jj0cMhg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPYorKJE7tPVardWVzXHYupgFmn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/Hm5rGstwYYCnCl1sY8E4KnsV+hvy5ftMx+KT\nenh/pjYw52e9Lb2AvALZEWYOtl4xepokq+k9WqZqJiqK2PVSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXOQhRtX07Vgm7+gfitz91rs5XcEwCgYIKoZIzj0EAwIDRwAwRAIg\nPxxXtAgDOqhRI7p1n8V+atYBav0d1f9jDAp8yb7SUL0CICsHLm+Fzb4bE+7L74cn\nwkPvxuM9cRvth6caI3Ctrr7T\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUAdGgttYBGwRl62W1uANuvcAJw4MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1MjkxMzI0NTk1MDc1NTMyOTI1ODI1\nOTg0OTYzNTU3NTg0NDY3NzE0OTE2MTQ3MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAa2oXrr83ApPEJOhnr+Y8Z1BWBohlMxfGPiBnAyTDR5/hOvVLScSNIkaocSzkVI\nV4WgapxiAOQzgzCz7nF7LWijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFK1knguy\nmlJaP1IRu4oTbrJZLR7kMB0GA1UdDgQWBBSnh0mJJcOkhoDHas47eEDfp3zY9TAK\nBggqhkjOPQQDAgNJADBGAiEAo7sft+N5ZbcoAwP3ofzONaAExoTUQnIMFp7+KULs\nw38CIQCgwMOH08I59LEhOKPyQNC83ci2T5uoewjVgZrFTjvYeg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUbxBU9OOFvLY/c1zwL6PvYCMSw28wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTI5MTMyNDU5NTA3NTUzMjkyNTgyNTk4NDk2MzU1NzU4NDQ2\nNzcxNDkxNjE0NzAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGYxODA2\nBgNVBAsMLzEwMzgzODQ2Njk4OTE3MTMyMzc5NDIyOTYzMzA2NzgyNzg0NzE2MzMy\nOTc0OTc5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASBHHzZs/Xx1+Fa7nJN9oZ4O9WB\n+v/7Z3OqXp/NK6HEhoP0/BKxo2lbN3PgNZCaPOhtEGneezWt9JHgTl/Sum27o3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBSnh0mJJcOkhoDHas47eEDfp3zY9TAdBgNV\nHQ4EFgQU1vr0Q1aviuZ2xAlHkBmbZBqDsIUwCgYIKoZIzj0EAwIDSQAwRgIhAMav\nIgz9Zl30KqB9qdzq/RFT4Fen/PnTy1PaZ2p31Gm2AiEA+bl2uHPh5XUTp0nFnvfl\n+2ADuqE1lkf+n3ZfvRm4DAM=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUZUxQHygDY+QWxP2p8OHq0Y9PQUAwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTAzODM4NDY2OTg5MTcxMzIzNzk0MjI5NjMzMDY3ODI3ODQ3\nMTYzMzI5NzQ5NzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowZzE5MDcG\nA1UECwwwNjM0MDYyMTg4MjQ3OTY3NjMxNzg3Mzc2MDYzNzA5MTc2ODE3MTU2MzM4\nNDAyMTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCM+/vNoc/TyVMYCRnX4gC+mwl\nzfNcO+U46a4mqVRfpuzhG9tNBGvTiMoSgG9wRC+m2yrqOgXZ6MmeTmSJHaLWo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTW+vRDVq+K5nbECUeQGZtkGoOwhTAdBgNV\nHQ4EFgQU7Zj3q624oyIQX5FCOkSZhvQRpwQwCgYIKoZIzj0EAwIDSAAwRQIhAMb8\nPQFiPun1b+AXwg4Mtlg1zdjLQrMaQoJj9nAfWwnzAiBEXni1CTmhTf9mGWZusaCN\n/0UAfFnEGRmC3mYFAjZezA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUYdk9mwDk51d+/AG+ggsjCxn9+K8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNTEzMjk2OTk0OTAyODkyNTQ2NzYw\nNTY2ODI0MDQ2ODM0OTQyODM2NjY2MjcxOTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA1YmIzAveC0mOWJJlbEDJsBh1uO7/6378xzm97eoLhgUpfjxVR0eEIvXWYjJ83e\n8lzWvInQpxXrmASuNQ/HWtujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFzkIUbV\n9O1YJu/oH4rc/da7OV3BMB0GA1UdDgQWBBSaCNmGWVLCNxJLKQiyc2MCEU7u2TAK\nBggqhkjOPQQDAgNHADBEAiBPdPxNGoAC38js1ZN/ZvjCpafy1yccuzw30t/GOb+i\nNwIgehuMvXQSNlnH4AyScRudGSmVyKKUfIyaE/hJdVEpujA=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUAOwqK7RhT5c3YzStJTTb4OUL48owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUxMzI5Njk5NDkwMjg5MjU0Njc2MDU2NjgyNDA0NjgzNDk0\nMjgzNjY2NjI3MTk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDU1ODYxNjczMzA3MjM5MDgyNTA0NTM0OTc3OTY0OTMyMzcxMzQ2MjI2\nOTc2OTkwMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsWanWVzvD6H1rYZuY5gBHx6T\n25Mfw9HmsFVkv1bGvdJcy/Q5diNLgE2Qaexg9OpcvurWGfYoZMmMng8FRBaGtaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUmgjZhllSwjcSSykIsnNjAhFO7tkwHQYD\nVR0OBBYEFNocRHfonmJ6XsN4WkDLj5tuajb2MAoGCCqGSM49BAMCA0cAMEQCIDXG\nKEkBRWVTyJCGhxfDtbMRqasHRDKewbwfRTiLdjBHAiACkU02NbJ13df+hMpEOoHd\n8VyYr5F5aUZkMnQJQxI8zg==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUBjOh5b8MV34LXZfN6i/idpFUvMowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU4NjE2NzMzMDcyMzkwODI1MDQ1MzQ5Nzc5NjQ5MzIzNzEz\nNDYyMjY5NzY5OTAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGUxNzA1\nBgNVBAsMLjUyNjY2NDk0NTQ3NzA0NDQ5MTk2MzEwODgxMzMxMDQxMDcxODQyNTUx\nMzI2MTgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOvDmhi6YVu2vXg7/Pbz/BYYVSk\n5KPwP0A2qZNqHcafYgw1Q6rtqKOn117d4Gi45x0mBn6tKodzjx1m4kQWwvajezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNocRHfonmJ6XsN4WkDLj5tuajb2MB0GA1Ud\nDgQWBBQmj67grm0Na2xr3Ksm1X5jQDRgvzAKBggqhkjOPQQDAgNHADBEAiAk24ti\nb7LfpNVzCWdhFgGVTjxQLTk676/ApQ1coRR26wIgUkQlXSjTh2xfmxbmTvQCoq0U\nPEcE0fLUPti+dFdTFmU=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUPQiZdcR6fw0/+pnupnzpdbJ82lgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjM0MDYyMTg4MjQ3OTY3NjMxNzg3Mzc2MDYzNzA5MTc2ODE3\nMTU2MzM4NDAyMTU5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyTCi\nY/EgvI9Qp0ftNwb3ShYMsIDjXA2kkq0m9Yyicq7vax1YcyMM7RGHcg62ItfmFJ3B\nnHoG1PByOSFnCAsgR6N8MHowHQYDVR0OBBYEFLqese2XOTHImDUzQrIO95B1yds1\nMB8GA1UdIwQYMBaAFO2Y96utuKMiEF+RQjpEmYb0EacEMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAqFcWimrnPlInm/QEiOCrVLdLRF0glix0dFnk+nAjg1EC\nIHmQwQWNCFPgiGBDILmxU5OKENfZUhGJtSNs5yJL3hQb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+zCCAaGgAwIBAgIUVqTzixDB2qHy+A+Fnroy/7U3MgcwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNTI2NjY0OTQ1NDc3MDQ0NDkxOTYzMTA4ODEzMzEwNDEwNzE4\nNDI1NTEzMjYxODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0wMCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYD\nVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDK2pVCo\nc/8W9rfpT1sMfsXogEor8SZTOalHIc1PvCFxRFeQtkQx1iTT7LeA8wd2D2wxgJ9j\njPBgBG5rVssIeZGjfDB6MB0GA1UdDgQWBBTklT/uMbI+eVazYMkVNMeIIHDH2zAf\nBgNVHSMEGDAWgBQmj67grm0Na2xr3Ksm1X5jQDRgvzALBgNVHQ8EBAMCB4AwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIhAMza/5Jb07n6MQWBVPISKCTVGfsYVXNgfnEi1eyYmGlBAiAX\nmUMzv83V44C89sv7/GFOU0OGBbJtnBcfMRACjKRO8A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -164,7 +170,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "pathlen::self-issued-certs-pathlen", 
@@ -172,14 +179,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUITad1mwNCEPg0f352SSven8pNQswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARdl0R5AprqY5UFGv4o5Ojs04DY5ebuy2Cg6tpq\nJAKMoO2qlBFINleF30LQ5PITweqHA60RF32TNKQb1Umw1ASdo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM9CS15TLbPJQd4Uhz0EKLRHliggwCgYIKoZIzj0EAwIDSQAwRgIh\nAIoYQYs2Mt0lU6FiQop1PRO9mIF7n8Mn2HzgoQLyhVqoAiEApuFRVvHKfeDwQgzU\nbtjEH4pdY1KVJV9H51pvSeo3G8I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaabgIL4OJ9M7K4aalDgXBQiGb/EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARF6AZaRukOwPbESbW28c0VNbjXxUcTJj7VGahk\n/7+B319+jjJoAasIvF6XyAYPhQX6uKgG17BTC0s6Rrwz60l0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiHyleNE6UY7jxgCmTre88NSMY1wwCgYIKoZIzj0EAwIDSQAwRgIh\nAIgDM5HAT76cvijy4edphTFj4Ob0ThaGekmGv444o6YaAiEA1+jWdsImD1T/Iqoz\naF8iIk4JKFUtq2tnFswNoLhgK+M=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbRuBZBQj3ZYdDdpd+wsOyNw+2xAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAxODk2MTQ2ODUyNzA4NDk0NTY0Mjk5\nNjU0Njk2MzQxODczNDQwNzAwMzc4MTI0OTExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOZ/Jb/fRlmUylBPRDREzcN4V45GE3iWQlpO9Nb3DjIWBPawGlsat2ZfvF2u5zuq\naTsD7xd7fhw1CpG5y4wGMhyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDPQkteU\ny2zyUHeFIc9BCi0R5YoIMB0GA1UdDgQWBBS1hW8SXCSwpiiNoHE3gQ4BlUyy1TAK\nBggqhkjOPQQDAgNIADBFAiBTzWQMJC2jCo/eaweDfOauELRP9V47CMar/gNJ9q4P\nXQIhAO6pkgMLRAmhxRkv8y/spGtIZyD6wm0olyZLoLyI0WAQ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUaYyY4Xx4bjzU3whuWz2EZyWVBBAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg5NjE0Njg1MjcwODQ5NDU2NDI5OTY1NDY5NjM0MTg3MzQ0\nMDcwMDM3ODEyNDkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDE4OTYxNDY4NTI3MDg0OTQ1NjQyOTk2NTQ2OTYzNDE4NzM0NDA3MDAz\nNzgxMjQ5MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGSj8I20PU8vR45Od8kgwyWL\n9l87n/Ec5RgY5YVzw6I2fEPEyX+MAM+gNtoCBqZNTcW3YBJoNw6qoBsDhDzyuKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtYVvElwksKYojaBxN4EOAZVMstUwHQYD\nVR0OBBYEFIV/fY1HeG0fUe1WtCWfNb8kxztiMAoGCCqGSM49BAMCA0cAMEQCIDcO\nlnrZH8OviHJ85q6RUCINF5fzql7cA0OB4vEWqGg3AiBhOhJyGxJxyCcxHlYALcfT\nKF8KlCApTOjFZrVyYXgLUw==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIURfjbbbhyNDqm5W3POEEDKMjpu9QwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTg5NjE0Njg1MjcwODQ5NDU2NDI5OTY1NDY5NjM0MTg3MzQ0\nMDcwMDM3ODEyNDkxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMGcxOTA3\nBgNVBAsMMDYwMjU3OTQ1MzA2MDc0MTIwNTAzNzkyMDAyNjI2ODYxOTg5NDM5OTAz\nMzQ3NjExMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/Lrv2ZZx8OUj3WfVHDbtbLx5\noR4iN/W8BRJG8wg04DB8a6W+6CblsrcLNcQbODVtVFNgLJCnPwi/8n9eY6BBVqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUhX99jUd4bR9R7Va0JZ81vyTHO2IwHQYD\nVR0OBBYEFPYmZ7H8Pf1ogtLVOWeecrQWeRSoMAoGCCqGSM49BAMCA0gAMEUCIBvC\nO1hnUWt9EcrliFOVpttGz0hx331BplHtqee/vnFDAiEAi6RAGxC3hz6R8kjz6KZB\nngp2OFdPBk5WYoATW9VPbuI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZjNsZbgMBDECCO5B69E2JkwNLlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA2MDMxNjU0Nzg5MzMxNzA1MDgzNTU4\nMzcyODIzODUyNTg1MTY4MjU3OTM1MjM2OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHop9BUnFv5brNM1D7HnUxyhgBKd38hLT0pwEKDvZBDxYOzN65acL6YNxaMrA9BO\n61etiWWnd4IshqyUOxy/t5qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIh8pXjR\nOlGO48YApk63vPDUjGNcMB0GA1UdDgQWBBRWGQFgtJFXg6f0LWtoNM5fwnAs4DAK\nBggqhkjOPQQDAgNHADBEAiAqvbNsfLIQ851hTTEHEZNKAuwC9zEMznIMHFsuoMPd\nLgIgVWIb64FPiTmujUYGcTSHNYdoIj8VOsAzA90tWDX1SaY=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUA9mU1SLYyE9kR1WxGUQTO+yYoogwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzMTY1NDc4OTMzMTcwNTA4MzU1ODM3MjgyMzg1MjU4NTE2\nODI1NzkzNTIzNjk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDYwMzE2NTQ3ODkzMzE3MDUwODM1NTgzNzI4MjM4NTI1ODUxNjgyNTc5\nMzUyMzY5NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7FJ4XKIJ6ymYbYZ8JAni6oXd\nocgykK/ONkK1JSCacffIF7bRzajzmt7AZBvfio7zEDv449uXzX1DrPmfkU1DZaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVhkBYLSRV4On9C1raDTOX8JwLOAwHQYD\nVR0OBBYEFD8FhVt9MKtOPA1+BscbSCY0vnY+MAoGCCqGSM49BAMCA0kAMEYCIQDT\nS50cjuvirzqwd6boiu54GnCLhYs05cupBDVgfe+PzAIhAN0ZCrt1YnoUFDLexksV\nOstItmlp0gVielIJ4pdGaUl3\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUdwIGbldhLIU2qJhFouX7g3Z7DwQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzMTY1NDc4OTMzMTcwNTA4MzU1ODM3MjgyMzg1MjU4NTE2\nODI1NzkzNTIzNjk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGYxODA2\nBgNVBAsMLzIxOTc5MTk5MTY1MzM0MDY5MjIwOTIwMDcxMzI1MzA4MzcyMjg4NjYx\nOTIyNDQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlJ7jT+aFxYQTA8auLmTgQzyEw\nsugZAOndwWhZeYshfYsroF+rnlFQrHd5SLPlnEFHYQu9Vt0gK6UIteTPXCCTo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ/BYVbfTCrTjwNfgbHG0gmNL52PjAdBgNV\nHQ4EFgQU8a0AYnGNdN87vEaNqYlq4xkjImIwCgYIKoZIzj0EAwIDRwAwRAIgatKJ\nVdtpaJkhVyvkrsuunb6NQ1Qz+IlcfziCGVTpO6UCIH2nfnNF4iUr2u+1aJSxNPBs\nLnDS3ItO5MfzrxKvXJau\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUEcitn3p/cAhCqS98k9HHG6TxfrcwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAyNTc5NDUzMDYwNzQxMjA1MDM3OTIwMDI2MjY4NjE5ODk0\nMzk5MDMzNDc2MTEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElQDz\n23bERVaNMcha+ZlYs9h1qlX4Pqya/hoTZp7DD1I7SP8HAubBArSHAY/ECsiJGnn+\n0jrBDZkYEMePoRxmhqN8MHowHQYDVR0OBBYEFEJHfAn2rQ8JyTU+4Z6d82EcnrLM\nMB8GA1UdIwQYMBaAFPYmZ7H8Pf1ogtLVOWeecrQWeRSoMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAWPTGAq+biQO3y5yE4pp5s+K+a+Pp7RKQkPV49yjiQIgIg\nf+K925Z/YEiMfNB5s0whpHvC5TU43YttLwi90uaW/wQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUW0bZCmVtQ8t9i9NfJmcdflpdMN0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjE5NzkxOTkxNjUzMzQwNjkyMjA5MjAwNzEzMjUzMDgzNzIy\nODg2NjE5MjI0NDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASK11Ws\niviQbcqQ5k/Due3+97cupwl4UAH0ZXWcWEtqBigRb1tP/gwg1+W4FBssnyExJ5MT\n7O4O+SyNEI0SCFEgo3wwejAdBgNVHQ4EFgQUrOU7XFlGxOdtpo9no14J9R3KFSsw\nHwYDVR0jBBgwFoAU8a0AYnGNdN87vEaNqYlq4xkjImIwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQCAlpviROwtn/Vwb7LMouXUg715E+QnFIvRfoJyBk0F4gIg\ndNnFncEALBO/VNH1TOy3rN10UzztXCfg71xVuazcLmA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -189,7 +196,138 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "pathlen::max-chain-depth-0", + "features": [ + "max-chain-depth" + ], + "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEg0ONUuYZirUfYBkz9XeqWCSgygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCMvJl+ru3i6Q+miGTO4liE0pUrCOzHKLZNvSE\nu6EdePBkIk4xoaEvDKmzzRlhSUDEPPv/qjMxATJKqkdlhaFpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5mqdYcS0Cv2Xe413QTxXnssC53owCgYIKoZIzj0EAwIDRwAwRAIg\nKZCMEhUkp990YMjnkSGChpI3pqpIH8UH/d8W1nSm+LACICYtapLhKiCTS0PGPr1j\n57YRt2cEera+HTrxSLZz3Upo\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUAxLyE+QP9Uemj6SKKNIEe5ISMQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjULdYbbmM8ECgIyniniFmq4HQGRGrQxIRv45aZDwmN\n3F7H2AMFhFNdNBd7RF1BdkODyDDOsovU718FdaGgIOyjfDB6MB0GA1UdDgQWBBRv\nzmV9wo1MtC1J8/j94wYKLM6JEzAfBgNVHSMEGDAWgBTmap1hxLQK/Zd7jXdBPFee\nywLnejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgUFPLQmjcC5q5KFMq3qLN\n9uNmwQRCIr+CHGi/TPr4C2ACIQCyOCxysJ7vR/mWSLKIFaJRv07C2i5SNCXK6w2/\nGG1uDw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": 
"example.com" + }, + "expected_peer_names": null, + "max_chain_depth": 0 + }, + { + "id": "pathlen::max-chain-depth-0-exhausted", + "features": [ + "max-chain-depth" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCSfZgcY08M9ZdOrW2cKwqN8lHgowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjP0LfFLhobEjqz4mGY0421831WgEMu9s6pbBe\n4bEaWPXQCXBWjIJz/FTpsVik+aCHWGFwvBImBFYdG5iNw9Dko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhgFk7AhUoy8z55/kDS/WGzY8E9kwCgYIKoZIzj0EAwIDSAAwRQIh\nALqC9HQZvNJSFVu4M85HiBl3tah/nxQ2DbSCSezc+jlYAiBS0CuKSvtWKnuHM2ZK\nlrGZdHFo2i3KjUNPeVXjKtDmZg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaWgAwIBAgIULcB1EZHGo5yk5K0EJOqrqryw1f8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBpMTgwNgYDVQQLDC81MjI2OTU5MzUyNjA5MTgwMTYwMzQ3\nOTQ3MzA2NTgxNTA2MTkwNTQ4MDY4NzExNDEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAENKw2KxG8cD9m+Xk3aq+E8FfvhREDl+TaDPMCQizuRJsUjPoio/PPu9bbhHP+\nlfraAQ+edWY0W6l8WbG5BcKDCKN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUhgFk7AhU\noy8z55/kDS/WGzY8E9kwHQYDVR0OBBYEFP7atqzMlG1WYS8Nk8qrXKWtIAwnMAoG\nCCqGSM49BAMCA0kAMEYCIQDe5w/Gfi4qK9mj5cB4N9ozlXnsWHotuVqeXuup4MuO\nhAIhAJ6Ba6d80gPd4itdvv29S018FkshUsWc9ohATA4e4URp\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUEqccW3P2wL9EZIj1iWH7wee6XPEwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNTIyNjk1OTM1MjYwOTE4MDE2MDM0Nzk0NzMwNjU4MTUwNjE5\nMDU0ODA2ODcxMTQxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARp\n/+SAv81k0xIQlt7IXgTMT0fZ5JhxpjfrEA7UoMJhk7oa8azbtsJlZLb/iVHkK4ZH\nPjFIITrDgf5s/817QAlDo3wwejAdBgNVHQ4EFgQUgfufuwT7NcHTHGlbOAVfOwsm\nrvMwHwYDVR0jBBgwFoAU/tq2rMyUbVZhLw2Tyqtcpa0gDCcwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0cAMEQCIGzVcrozXg4/Dpb9qtX9sVyN3MV8QQLnrDffN5n7FZPr\nAiB4tVKxCRi0iB5Mfga7g5ItPzDZJGeKMsOeAmJTDGeGBw==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": 0 + }, + { + "id": "pathlen::max-chain-depth-1", + "features": [ + "max-chain-depth" + ], + "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUE9Z6cGKmqbo1Ap+9oJ2zNNr/BYkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQihZonfRcBxjacUIMMZCjUWbzEpwJZqMEzc1F\n6DMWcj1FHyYSvK/+GLAXBxPfNph69OwcAg9dX20AgPCUGL3io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8BNAT3em4yoXm51lUon53de7z2UwCgYIKoZIzj0EAwIDRwAwRAIg\nNWGq32POOzNt0sS/HdZ6RQbDvy9Pda6T+TxHMyvIH/gCIH3/9Z9SjWSPXQncQmTv\nycazEeR1LrQP5worT5xHLPBo\n-----END CERTIFICATE-----\n" + ], + 
"untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTDdI4suGrY+CA8uzHfcM4mjXihUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAxMTMyNTM4NTAwNTk3NzY5ODE1NTM0\nMjI4MzI4NDUwMzA4NDI2MTU0MTc3MzQ1MzcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGfiHOeyRLR31T8erpW4GkD9wt9gz9CV7Zb9RLIU2uNtDdh5lqimgJd5mWij\nWJKYSbjWujHx/f++vcoeugz9jwyjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPATQE93\npuMqF5udZVKJ+d3Xu89lMB0GA1UdDgQWBBS4gRbyMFOkqL6Ga2z0pJ6iDESO8zAK\nBggqhkjOPQQDAgNHADBEAiAhVXXp/AE1IEeUkLd7HjTE+pM6khdhVGPzmAL92VQz\nagIgBtcSWYNln+rMudmPDmj7W7g8I5dnYcTZZCNXE+cUCW4=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUL6jDXl76ALt6xCFaj0gDENWhRbwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTEzMjUzODUwMDU5Nzc2OTgxNTUzNDIyODMyODQ1MDMwODQy\nNjE1NDE3NzM0NTM3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\ndveEwtzV7bMOiwzLau/wwXMiuvDPNWgO+0s0Bu45/Uz6LvZsRMMdhLyocrADVaTx\nylC3OSflGmlzYHRWGHCMOqN8MHowHQYDVR0OBBYEFFPfnAqjqU/Wi0QEDOAdOYQt\n8jiAMB8GA1UdIwQYMBaAFLiBFvIwU6SovoZrbPSknqIMRI7zMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAP8AkPTkCYXBQWl/0gCaiml3XuDsDQB+bd4g+W0ZPc\nyAIhALC5X3XryLF4m4pjsR4a2F14MBHKqCz5QF4Xy1VPDA3D\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": 1 + }, + { + "id": "pathlen::max-chain-depth-1-exhausted", + "features": [ + "max-chain-depth" + ], + "description": "Produces the 
following **invalid** chain:\n\n```\nroot -> ICA' -> ICA'' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKPHeOjbJzvLyEPbHinPV7wKsKbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASUhaWPDOtTtR3taLIgQDwFnWrR5e473nhbsZZD\nX7iQAynMNntAXzosO1tNZtvUKTK3V+Ms4SJworQmNhMBa1QLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqfWBlAwcEmfaxDf8OegVkpVSNZ4wCgYIKoZIzj0EAwIDRwAwRAIg\nNzVjbEwEpH/L0L7EgaebOTRQCmKUGcPKbrfIOoNy/0sCIEcWQiSulBln0fJ5inh/\nJkVisLXRMrkZ6gozmBeQ35m0\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUJ24HfhdUMNPGXgxljE0i+tbrN+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMzM3NTM0NjkxNjI0Nzk3NTQyMDEw\nODI4MTMzNTYxNzQyNjIxNDc2MzMzOTIwNDkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABHMoHyOh9Cz8p0aa6Njk6ilAwlKFXdI44NwWaeuFDX9/ZosQZtJYOgsitufu\nvOYm4+MRRE5Yk0kj2gKyY7JW4JWjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKn1gZQM\nHBJn2sQ3/DnoFZKVUjWeMB0GA1UdDgQWBBRSZLtmj787y9YiLpUnLLi+lbzZuDAK\nBggqhkjOPQQDAgNHADBEAiAybnHFPFNjTT6vd0akVGhbMYjXJss0YJjzvENjJLl2\nowIgBnOkCgYHVRniwM1bc253pGnIT/eirNBwxPV7arc5k04=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTzCCAfagAwIBAgIUSF+9wirDl5oc04uTGbBdC3iBzFMwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjMzNzUzNDY5MTYyNDc5NzU0MjAxMDgyODEzMzU2MTc0MjYy\nMTQ3NjMzMzkyMDQ5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDIyNTEwNDM3NDcyNjU1NzI1MTUyMzk5OTQ0ODg5NzQ0ODE0MDc4\nNjMyOTQwMTMyNDEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC3qhRJR4QbSUVz/R\nLcic+njFpIlqzFttc2C0a3PVjOXrWBtdqboKYafDUu4LtBsfHo6oNkSuGAYk+TTC\npc0caaN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUmS7Zo+/O8vWIi6VJyy4vpW82bgw\nHQYDVR0OBBYEFMagXfVVdEH0XShGTZGCVRmSJjD+MAoGCCqGSM49BAMCA0cAMEQC\nIDaim4GCaT23NZiSA3AjW/d9ZzHW0sVqkF53Tb7BRMzBAiBLE4FL/62UjC45gqru\nxRVs+eGbqdJVdmAbRYk/a8IIWg==\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTZc5nnb5M5ubZCHO7Ff6zjTOa8owCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjI1MTA0Mzc0NzI2NTU3MjUxNTIzOTk5NDQ4ODk3NDQ4MTQw\nNzg2MzI5NDAxMzI0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRbkEw6FFbu+Uwy9yeOhyeX+UM0WYcSOW9U2oTncjB5yRKEx4QaXMXTxMcAtbA3f1\nA+W5VDQkMGXNLPQypEkYq6N8MHowHQYDVR0OBBYEFJKndHpJa7kWeLGhe3ce7WBY\nNygVMB8GA1UdIwQYMBaAFMagXfVVdEH0XShGTZGCVRmSJjD+MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiB+GuO69iQpcJxPcZdtu5XSUMTp0Tyy/FReT9GMIDUN\nkwIgdxuwyJNfHrTAp6EzrqkxsdaRYNynr22qhCWZEivIkFw=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": 1 + }, + { + "id": "pathlen::max-chain-depth-1-self-issued", + 
"features": [ + "max-chain-depth" + ], + "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJnPd+f+0fvUD5bTFn/SL9xs3jlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMHvXpbUHb62pi4NehxmbBJB/83pUC9UIcK9lW\n0saBadbEJJN4AkGaSlWWeqZt7rTThulJwYm4FIjtlfW8Sfrno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbBKdf8oGuU+cSQEEqIGm/NvcJQkwCgYIKoZIzj0EAwIDSAAwRQIg\nJN3pg/mR5ocRZyp/511h98c5hw4VpdL78qR6aCKB5QYCIQD5rMJydg85rv5QJgQl\n3cz4b21Wli87KTBBHS00Ey3JUg==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPEqoIGm98meiL0wOXfoGkiZ9fwYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMTk1MjU1NzE4NzQ1Mjc1MzMyNjU3\nMjgyMjY2MDIyNDQ4MjU1OTg1Mzg1MTgwOTcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFOIAY7SjYWRN3SONAzFseegiQ0o+a8GxS8V7dQAncrUGERkQmxwfroAwxuB\nyZtopjwJM+m3WoO4A5Qued22E7ejeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGwSnX/K\nBrlPnEkBBKiBpvzb3CUJMB0GA1UdDgQWBBQnxx0L4paZdG30//rv+23fpdAYiDAK\nBggqhkjOPQQDAgNIADBFAiEAu25pcdaoqcYSasOjldqij0LZhK+/jwNz6t6GvS2x\ndZsCICw6IrI9TNLjuK2y8Y6XKA+5zWElfBvDiP+/hpopdSCV\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICUDCCAfagAwIBAgIUEFTPa5swwfC+WK+wbhStsaO1YbUwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjE5NTI1NTcxODc0NTI3NTMzMjY1NzI4MjI2NjAyMjQ0ODI1\nNTk4NTM4NTE4MDk3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDIxOTUyNTU3MTg3NDUyNzUzMzI2NTcyODIyNjYwMjI0NDgyNTU5\nODUzODUxODA5NzEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElakemMFZeTR0N5Nn\nCTjouZ8URb4QtMcI361En12jPU3f4xHVfpDld2gysbDe+r13xqAypuI5qH7li7GY\nr3NDfqN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUJ8cdC+KWmXRt9P/67/tt36XQGIgw\nHQYDVR0OBBYEFGl2cCXVKUxtM/Cjpjo3bimARUqUMAoGCCqGSM49BAMCA0gAMEUC\nIQCWkRPK6CEVDkFTrZhzT8s1lSx+KdL/B/XPw6qcJ1Oj8QIgey0GzwZAb7tqfCT/\ndiRmurdC1RkEcbdlaScVAE1uqg0=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUUzNEZy6zaGfjpM7EcNRVYFjAdUwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjE5NTI1NTcxODc0NTI3NTMzMjY1NzI4MjI2NjAyMjQ0ODI1\nNTk4NTM4NTE4MDk3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\niEBqgpUambdvBu+aI/q80rE5z6vFD//lcCD1mbhQTpE/J5Pz/d/iRkt66qYELI3G\nkGp/jQ91425jpXLh0dQmLaN8MHowHQYDVR0OBBYEFK54XkWP/oQj9R6vPMeXhE5o\nAsjJMB8GA1UdIwQYMBaAFGl2cCXVKUxtM/Cjpjo3bimARUqUMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiA26ls/r1yqeMO0bZlhjNZ+/V+cbJfDOGrKyn8aG6ie\nFQIhAOSaumPrfvXk0IXFYmMxwru1njSLnX6UU/k1nkznDTQc\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": 1 }, { "id": "rfc5280::ee-empty-issuer", 
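Review bot: The `description` of `pathlen::max-chain-depth-1-self-issued` ends with the same sentence as `pathlen::max-chain-depth-1-exhausted` ("there may only be one logical intermediate"), yet one case expects `SUCCESS` and the other `FAILURE` for a path with two intermediate certificates. The text never says that the second `ICA'` is self-issued and, presumably following the RFC 5280 treatment of self-issued certificates for path length, is not counted against `max_chain_depth`. A validator author reading only the description cannot tell which rule is being tested. I would append a sentence such as `The second ICA' is self-issued, so it does not count towards the maximum chain depth.` If this file is generated from an upstream test-vector suite, the wording belongs in the generator rather than in this copy.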
@@ -197,10 +335,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBczCCARigAwIBAgIUWBJGiE0pio9Q79Xrw42P/pqj1KUwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz9xOZT87zh0n\n62rjHBUs6xfhj5QhJom9MbIhxxTOco0REKqSy/HSGvCPinoNQzYbuh/vZM+7dGJZ\nrx9SIJ40U6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJMoMcOlb6eQ0ijUAZ/pfpwde5bk\nMAoGCCqGSM49BAMCA0kAMEYCIQDCeDF5uGzleaeeSNqGowOtG7+WN8goRUZRayWe\niKtWrwIhAKY2VpM9Zqko9IFolVFVTvuno2hFscFDQvuly6g5aSXd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUTu20N4ajWkIqxlj5JXHKcLklF0UwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElODE7WUxSCWJ\nikei9lfIhlviMEv6jw+EkOFQzT3ri/01ZFvYxGUnR3dYAl/NZEgB+obLa7BkNZFY\nnaX+5+PsD6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEVUkNHe6hUCGuEvoj4koGFrcIpt\nMAoGCCqGSM49BAMCA0cAMEQCIBntypU1zozvbB6yaMiHFrt0M76ajNyQt5rpQv6t\nhBAeAiBK9HxKm2wxqiVrdljUz9ivOZ+JuB7Wd0K96aHZB48LkQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUZcZISz4ninwlZjdcVBvZb+9wt9YwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAxMDAwMFoYDzI5Njkw\nNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABO9W6Pxqy+1BdCIBcPGlk+x/Z4y3iWCVhekCi7CODZS2uf5M\nP/Ty94ulILPN1nFKxVC0p4lrSL0HYGFznLKLUoijfDB6MB0GA1UdDgQWBBTmfoHo\nOVvOCoSahgzIZi5nkR9iGDAfBgNVHSMEGDAWgBSTKDHDpW+nkNIo1AGf6X6cHXuW\n5DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQFPIa96HoN0aSieolWeKJSE7\nbCatuyFJrH++WO9KA0ECIG/8Y3Gh1u+BHFfyM3E66RdmOlNcxXSgnc3rWPkZe6ec\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUX9TMfCQRKYOGLwB3FhisGcMgez4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAwMDAwMVoYDzI5Njkw\nNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABOOX5QlO+rd3secjL2ZfSX7+H7vbde209YxDeljo17vQUZ3v\nEA6g3/w5vnx2KG0+lZBp1QZfGA2gCRmIyBO4MVmjfDB6MB0GA1UdDgQWBBR3Zm4e\nPyY+pvXnFBEKIVn2oSNcsjAfBgNVHSMEGDAWgBRFVJDR3uoVAhrhL6I+JKBha3CK\nbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ2QllY4bM+O2fCD13hx51hJ\nZgblwvdPWP3xu/mzpwyWAiEApyNwASTQFUKLdUbrvCHtdEiN/SxfRaMQyV03m/jK\nicQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -210,7 +348,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-empty-subject", 
@@ -218,10 +357,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUciql3EBNUBr/AZfh0rP04U2KttgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe4jYYxAo\nxRGcwqmGiaj3HVTDq60nXZpT50GOv6gP43aOoiWr86jzA/o3OaYc/sxLMNnJUC34\njwtXWY6VGDw0UKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFJzxoTySuMOhoiHwVWck0qhb\nuw3BMAoGCCqGSM49BAMCA0gAMEUCIQC41L2xMBx70TUXffTlhJFajnBDKX0D0oB4\n3WxJC6voZAIgV39dwdgpbEFBFWVeTYFnWPoUcXYd+tjL2VFDDT03gko=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGT9j1IkmVyo7j6kXcVsaFAsRsPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzIAbfvOe\noCVB6C1/iCd1tYk5mJX5Piug4TcnkCBLYuUmPXYJUakuIO2N+BOg962fdOaNXL3q\nMBBYzhZUD7PclqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCYxpOt+A9wC4pRd40zs6T4G\nOj79MAoGCCqGSM49BAMCA0gAMEUCIQCMfuJm1ik7DsW+PhaN6v0cHDJD749ozB/G\nhyEcRDA+bAIgXDRbbaA4drl+fVM6874K/7QAA/fgb5122FnrpMzvRKY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBljCCATygAwIBAgIUQChzkNRuEEE4RzVUrhEm9QjavaAwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASWFTM/uxHbnuai\ntuNPRR3AjpPFBZ7CbD1TtRBo+7dvMzION1n453WC1fSj1rabrpaRaeyn8zoVpHDW\nqkQGtTEGo3wwejAdBgNVHQ4EFgQUJysAITFPDSZET5bbe6Yv3g+bh/EwHwYDVR0j\nBBgwFoAUnPGhPJK4w6GiIfBVZyTSqFu7DcEwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIFnnvIkwi4yz7aCZZoEG5pq6YGRlZl/qmeQONAzlKjTjAiEA3GXL71Ql\nccw788AzUSlp6nx7yLys5jJt7frqcohIPCE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUB2oxl1C3PPjGU/cDhxTV9Xod6XUwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQIqY3LQ1jGLBeS\noSjmb+sgK7l7Ct5xOaxKmurGzgm/lVcVYcDzR2n5jnabBflPCWlFBRUDqw8oaDZS\niaIB6WyPo3wwejAdBgNVHQ4EFgQUwogJR/zFO5z7CiNlyUk0qwxCcI8wHwYDVR0j\nBBgwFoAUJjGk634D3ALilF3jTOzpPgY6Pv0wCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQD8e3hUQj8vxe31kRmDE85Ca3TaXWz2I1IRzy5XfVlO9gIgGDuFtyOo\nNDOI4x8bH9qzx1oSQVjQYy4B58iaxfv7t1w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -231,7 +370,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::unknown-critical-extension-ee", 
@@ -239,10 +379,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUCstrrODB93cBHDQjExvVavNkF8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARzir1oZOwVQ0ggPXjJrMdeE1IMBDObmX/Sy9Ue\nBZ2XkiRQAHgHV+KnJA23wKQv38OCPN1WvAkWRpUiSzWYy1Oio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8VYSGVu9SBJKR/YqqSupBBGGsFQwCgYIKoZIzj0EAwIDSQAwRgIh\nAJg5WkykUILS/sv5+KxPV2lr2TNkX0wd+7ksWXKgHtmuAiEAm9a7HYWtFSyXjE1x\ngOkUYkC7985HNG9NCA0nf1sIC+A=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZNouyhu5KSFWbIBxANasnOYbyoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAkOW+3/urlqi4olSD0+G2WsEGtDvCniLyUiiT\nszSteWSb/fH3SemTHCjggobE/rW+mgmSLHWvdlaA08Sd3wOso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8exgatpZAv6m/flLI69kKQzr5q0wCgYIKoZIzj0EAwIDSAAwRQIg\nOgN/G2upTvPbsoDl9Hwy1CG6l7iswWLKM40beTbASRYCIQCG11+aOdeFQt0t9cBE\nFxQy4ZZFKrPsiThQUYHWRQ2Yuw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIUMIEMUwOBsNdmpGNnqNFXJVLDXdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMxD9D5eAbgSy7rYZpnGIRogXUVqcioNb086JEDUS75+\nrmbZFR2DnOT6UhaGjPDYt6AKVdlij06tesaCvOi5oTSjgZEwgY4wHQYDVR0OBBYE\nFAohBsaTmoLo9rwWkB1A0LrZl6nVMB8GA1UdIwQYMBaAFPFWEhlbvUgSSkf2Kqkr\nqQQRhrBUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIQDaSQMT3tVOYwYk4rJmuxRjFceSQKUAOt2v0vdF/wymXAIgQSYWSttE\nqCZI0SWnL1cKwepfG5VWVRBkQbULWQ8HeZE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIURyNxOYVz8C4ahTdaR0Z+HyyLW4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFKb/LlWEe3T0D+mfZezqF5F9ITGHCR5KQ1Zwm1vnfGn\nf7hvpWMso4W5RZzx9vwG8QEGULSI6PQOkv1btizG+wKjgZEwgY4wHQYDVR0OBBYE\nFCOF29IsBj4KThXVNJLwgHcv27xXMB8GA1UdIwQYMBaAFPHsYGraWQL+pv35SyOv\nZCkM6+atMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIGNInfgz7sEI1peLPS/+OHIvEh9oviXzHuWjM9uf2g3iAiEAjDt8lsUr\nktHywxbYAA6PdXiJGy8vKJjGKB3naVphdok=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -252,7 +392,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::unknown-critical-extension-root", 
@@ -260,10 +401,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUb45c4tS8lozl3YbNnaYULGpGwPowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST/3cKSSI1WYF0E5D+dWUUwPwbras9/p6oH20Y\n4jDQxW3Aj5QvXxjwo9eASX90cjzmwToSbrEtx7lfSHPRXmbNo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+OYNAh4hPa3YD+SeMfULR6fhPxUwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEAtMoZDm2jGFDMToIYF2TPCIlllRTS0HzFd85K\n5DeDsT0CIGwrWXBy8ehUjeg7hQi2EApt8MywssTvN36Kv+2/ynoj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUDtjZFI6UxgzjJp9+yz+Dge+XORwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATC5BSnKN5TwieoEoSsM59PWfq3ZSlaYJkL+nWh\nyZ2GKGLxNhNSnmjUOw7DkoIsma9wnA/Qw9tnSRyC0bmahc4Jo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2JmIPtIU7YVKtEL/nIFca4n5L1YwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAu8HX8pTOW7biM1LpDUfw7ufKuh3DH3ChWBF5\nSni6JgACIQCAXWVKwRI/om2ZdTE2lRpuc9/WOgBXFAokJT1MfRLxXw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKFN47Qw51tu3mfjbsnVozk1W+KgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFJU7JggstECHjrYgfl2NvgyVypdgKj/XTHmFXDsb7M4\n3R2Azm6qLXF5GD273IiPfNVzkMPqAdh5u8eaULxubc2jfDB6MB0GA1UdDgQWBBSt\ndHYN7Ez1BSvqMr1w5ZvnJw3dijAfBgNVHSMEGDAWgBT45g0CHiE9rdgP5J4x9QtH\np+E/FTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgB7dWey+jzVNq1B2u3QTq\nJSPvMdiPzIV+KG0844V1WcECIQDsXbcXlPrIOXeM7xjQUwAyZZxISdFdYY6Qv63M\n+HUWnA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUYYoIFFrfFRLdTPAYy/sgQySCRowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNiI9vG6x19c2kLbS5ZDwoFlIw+bi064N+uVpoQiUZrf\nlSwATI4Sv+cu5gX4RZO+LKZwHYT3p10YRA4iQveBYUmjfDB6MB0GA1UdDgQWBBR2\nK62UfMrC3vCQ8h/T2R3avYzWfDAfBgNVHSMEGDAWgBTYmYg+0hTthUq0Qv+cgVxr\nifkvVjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ9qJGUBankhppLBjL7R\nuZySjhg+wijbogCFvpjcazO/AiEAnIc0rcNF+H85Kupn2bDpbJP5DCrZkL20yaRC\n7p5SYqY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -273,7 +414,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::unknown-critical-extension-intermediate", 
@@ -281,12 +423,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOSiqR+8tkcieyA4SIQpwt5fRDAswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcLBarjilh7ItXynrI8mwzopO4x/rN4lYJe9AR\nm/WViZEoEymWmxEeCYQQTrr0+bp5wNyt2uuF/f/8pCtDtNi9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKMiHu9q0PTvgbQzK90crDOVWhTwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKL/kCTMshJTA8eBz2QSm3SWmTOeTHnhyWlkaUS0DMQ2AiBmAmzaHzgiuFtuwdxy\nlkJsw0eVWPTcs+KFDtecZ5qKmA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNIRvsKDKoI179bHfUj3jaLFzMuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4hHeMxhPoYJqAkZJQ7MN2slkToCHDt6OvEDlc\npGzHaJbCx5TdzTXK5DLO06g63/gRnctlXBwhBvkW+sAWmivPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2eZL6OCJqsRyBM3/q8A/iOpYes8wCgYIKoZIzj0EAwIDSAAwRQIg\nCJRamGePGzHiwqyAj4QKl6SBQ/jwxyG6OvhI5qyn6n8CIQCg6QfcJdqJC9l//wV2\nxH5ztyZgebnaSE9sMCMZHOyKZQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUdu43OJD0pzwtnLCXxDolckTJvSUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMjYzMTkzMzczMTE0Nzg2Mjk2MzA5\nMDU5MzgxMDM1MjQ1NzQwNDc3NjM1MDAwNDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMS+GVB+Tah7+Td3T8ltm3/JY9SZCFDZp7eSiAcxYXZCn3+iZdsNJjHcarvC9cY3\nWjtQ2Kr2713xVChTV66u4k+jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUKMiH\nu9q0PTvgbQzK90crDOVWhTwwHQYDVR0OBBYEFP8/kUI6cPgNqEPyvTVfVC907Hep\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIgDWV/tG1h5eh8\niTNSWA0OH749OvLfZR5tilUdmK7caF0CIQCMhMmBnmNRcXWnteckaf0Yb90t+WVK\nbVfNbxG1eyoK1Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUAgqBfXo8FFwd4XOUKQbhK8FdgBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyOTk4MjA5NDgwMTYyMDkyODA2NzM0\nMzUyOTc5MDA2MjA1NTAwNDUyMjk1OTMzMjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEqlCFbXxGaOjYi34/5etFT0vr06lr78ZC5M6fmmW+Ibv3RoognEghOS2opQ6S6l\n7joPrhL67y6Zf/oRkwMNeJCjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU2eZL\n6OCJqsRyBM3/q8A/iOpYes8wHQYDVR0OBBYEFLK2X8uSnOU7HsgX199mL8z9hC+c\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgQ3esKh4YTQyY\noGv0IuiNS+GC29Nl+8f4nqpZ5piU7b0CIBYx2vmj5m2Ey8fj0QlO2dD0zwnv7/Jq\nw14lzbHOz+GJ\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUM9LqBtssjrqfjq0Cu04jiXJzSh0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzI2MzE5MzM3MzExNDc4NjI5NjMwOTA1OTM4MTAzNTI0NTc0\nMDQ3NzYzNTAwMDQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuu+V\nfZEfKY8PIFZ1J4+03RQyR7llC/5R9979PddBbBaDvNlXaIUT+dpMwd6J6jpOFXJ/\nR71vourUO7ea0ys/CqN8MHowHQYDVR0OBBYEFE3/eVLCvByL++hN/lBb5ALzDsXM\nMB8GA1UdIwQYMBaAFP8/kUI6cPgNqEPyvTVfVC907HepMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA6+G14GoLNU9UMr1m+cE5z9FFPaCxO+dOf8c6awbiGOEC\nICG+EkbgvPZR8aBf/MImma6GIpG9d+D6hXlR2ovhz0Nb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUWrdQAUDoubjD1GHMKBfi5qPTgUMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjk5ODIwOTQ4MDE2MjA5MjgwNjczNDM1Mjk3OTAwNjIwNTUw\nMDQ1MjI5NTkzMzI0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOumJ\n9hqH/Gy5oeReGML1F1bTBoB2tP//dt5ttB+X6mHCEohVk6wPZzuWoa73iPksC8Zv\njTSlfP/DeSVGZj91m6N8MHowHQYDVR0OBBYEFKxNdKadwXk1rZNU4l+BZ17EJc54\nMB8GA1UdIwQYMBaAFLK2X8uSnOU7HsgX199mL8z9hC+cMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAEo3MicBdg0Yuxj43ExbNloyqlqtJhCtAaOMK/c3VUKQIh\nAJCv60n7I6BSuyEIf1L8MKRCO9e8mBoDvMXidm513vWn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -296,7 +438,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::critical-aki", 
@@ -304,10 +447,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUf8tpeGjSSGr30JwGX7BiLvcsehQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATj9si16kD8GXlrtidZPFn/mxqH+XC8VL5JImY/\nZnL7eB9D4sp24LiIqoWHT7X1KALvutTbj71M5ZBeBXnaa+ZBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBS6xbZU7fmyhHwNOAq/kHu5QO1KrjAdBgNVHQ4EFgQUusW2\nVO35soR8DTgKv5B7uUDtSq4wCgYIKoZIzj0EAwIDSQAwRgIhAIBIq5c+Bcy82s7H\nflewfhMtHMRDURnXwe8N52ej6lrCAiEAniqPDrlS75TrcWY41tpTrOqd17bw8/O2\nJZdIkkDtT1o=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUMI7wb/XIL5zEuWTImzFx+7JjSIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATD27A/eK+5EZHHrU5wYBX/tUgWiXJHJuV78Mjk\nxX++N6vKX1UzQx9FzC27h/iZu0Vj7lq4+TwB2NLfmf1XdeAuo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRiM6RPLCzuS6Qb1rs65uPkrl+AWzAdBgNVHQ4EFgQUYjOk\nTyws7kukG9a7Oubj5K5fgFswCgYIKoZIzj0EAwIDSQAwRgIhALJpd4m689HlNqBI\n6LrK2dqE07WTHeulLBQIw7Phpk/hAiEA5VirjDP1fRfQrKnktNMgYfN+rs8CZcPe\nBYJ6qNEpfp8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUL817Kob4lsLLa3QOlkogBFjx7vUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC6ITmCX1ROysJcVo1Bc98dKX6CT3fPhmJmB4Q6/abE8\n8hfcxia51by2+vCU4iF0stp0wq5XENNnH26J8CM8LWyjfDB6MB0GA1UdDgQWBBT6\ncpvxSlx2Tu1PhJs0tHOxkkc5JTAfBgNVHSMEGDAWgBS6xbZU7fmyhHwNOAq/kHu5\nQO1KrjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgP0F/1GH/P2f9iHyhgwie\nvyhlDkFVBQT4iAadkY6fcIACIHdVhVnhg5lFAgYlpkHJ04Y+AIaVNEKDGMO405+0\n2/B5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIURSm8+Ex/9x0l0A4gRCuKOoms150wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEgK7zCxTUezroJp7o307Vaf19QApNtuovuC8goBT7BD\n1e6g3uAPpaco+NnZ8MJ60WcRz5xiQ+p6QERt2AfSItmjfDB6MB0GA1UdDgQWBBQf\n/YwDYt/NJ361iIzZ/tY20LzkQTAfBgNVHSMEGDAWgBRiM6RPLCzuS6Qb1rs65uPk\nrl+AWzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCdXfwMGS/+ClVngrQfXk\nNmR+abxu0sTpmB1bg84QHHwCIQD+rstp83rAVol/vcaOQYMiH1mosIlTbwns6u6N\nyw1wxw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -317,7 +460,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::self-signed-root-missing-aki", 
@@ -325,10 +469,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVBBHbfYRIuBiO3P6k703WGmfEbkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWcfYPn+7TNYo7l52ccekSTuGibO2rT8veg9kK\no1JoWSlgqgyxZYOaxyfX8IQ+6JbujphDs7vn5pnKXfb7n+9vo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQW4CTHMoawIRQkSGwPnTOfove70wCgYIKoZIzj0EAwIDSAAwRQIh\nANXxURjqs3QsHeJ+proS+6QFBjrNevLoRHpSORzNN0oHAiBpXvCT81nMBi8iCEOb\nOrfpDREQul+11QpM6r1KXlqEjw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeAR0yoDsTAYySq8c2+y9wJdcxiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPDdkB+0IVB2rUjQ14dgQbKIqK9FVyHvqb8TQD\nPQGNwS7PlgYBqc3Hx/qCG/ZvXRNBJe1Zkpspn5Pg3WermLdro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0aM6GbrL3o0koGs5KZBSH5h4/AcwCgYIKoZIzj0EAwIDRwAwRAIg\nFUMmevSmxpqGCRuanBWweTpj+VDUBFmxbMII02FrhloCIH//mZAzt1O6blDdRPUB\nrodVdBLdwswIuqgt+0s7LfXW\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUUbJOoXIV952+ladlULP6yM0qPnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLwzW6zE7yd21eBZdMVYoOuErngZGGa4bAQjnxQGOEKd\n81TY6aXUZKtndncL06X8Yd2P79+5o/JbaY228CRac/ijfDB6MB0GA1UdDgQWBBSU\nJ9f5TMsvJgwSrjW6OHLHBqe4vjAfBgNVHSMEGDAWgBRBbgJMcyhrAhFCRIbA+dM5\n+i97vTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJRJXbzbBcc+VL/Li4UlG\nmPW2BRuFNB/ga/PvI8MypxoCIEMw0Nls3AebPxmZpaJE1zV4gGrHE8z72ybMinpd\nTOqV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULZiAwoJerRo17HcOG7c3J0tO2k4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBTRp3ox+Zk+1oWW8oxj79La9IbdBYNZ2n8Ve6akZFuK\nLxDTldrDON5J6wTkvktgxw8Ekpih1Vm6nqfKUQR7yE+jfDB6MB0GA1UdDgQWBBQr\n+kEfieBtc36MC63/zVwXKtIASTAfBgNVHSMEGDAWgBTRozoZusvejSSgazkpkFIf\nmHj8BzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTjpY3ukk6Bx1o3ui1QDc\nHMuRTjFpHEhbMI6spl2Q1vgCIQDW85g7Od6DdKWdvqdVFid3SJFl2QbbfAJINlhM\nWaClYQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -338,7 +482,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::cross-signed-root-missing-aki", 
@@ -346,10 +491,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUMj2awifiI3kYxoRVJhN9Gw68AiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzNDI1MzcxMTA0OTAwODkyNDQxMTM4\nODYwNjc5MTE2NjUxNzcxNDUwMTk2NDQxMjgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCjLL2utxdwX6PXSI8F1Wk+2DOSv/PSwbbfp6NiWlZoN9D//yJYFdU0/6ExmGwOP\nykSSOfuu2WgLTk1s94wxLwSjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSMsVR9dCpW\nA0ZZ/QGc143xJl1zMjAKBggqhkjOPQQDAgNIADBFAiB4QXTh2jz8nKMcJWy8nFOP\n4VKr5bwpHaeHMUPYQWaw9AIhAMeK6zdr1dlmQksWastYtBsQnmNW7CgeRbH37hnv\nzqKC\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUSryYveoWPSe/Q4knJKpjd/tC1VgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0MjgwMzMxNTU2NTYwODc2NjQ2MjMz\nNjM1MjAwMTgxMDQ4NDk0MjE0NDM0MDg5NTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ+V0CSatxjIddLjHBpGUnlQUg66vcddUE9lnTMkhUEsZf7Sh5Xs5gN/3nuhJcIt\noOa67EOxroWZEvuntnGgBHejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSJKL1d0CX/\n0iTyTRmHzTkJF8ptPTAKBggqhkjOPQQDAgNHADBEAiADY+mM0BSk1283+QAN+GXi\nmpCYnUpb8pWOytLdjYnFlAIgKBB6chPa+lZGtutxBcHXi92FvbC9gU03X2tmhCwp\nMTI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUMO0Y8pUb3hi+cIBAAnGDDoLL1oMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzQyNTM3MTEwNDkwMDg5MjQ0MTEzODg2MDY3OTExNjY1MTc3\nMTQ1MDE5NjQ0MTI4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4HdK\nzRCphYRBE9vKAsBxdQo5J/bCxgjHLOahn6IvbiE1XhH8WsLdSyMwfkdbecuXX9Bm\n7tGVOWHJSsMP4sN4UKN8MHowHQYDVR0OBBYEFI8Geyy0C3O41DUH1oAf0xCmntdh\nMB8GA1UdIwQYMBaAFIyxVH10KlYDRln9AZzXjfEmXXMyMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAlSFN2Hbbo2YV5VxOIGqZ2HOqU8wvInseMWe7Ss8uegUC\nIGXjl1g3rv/bS5zENxSVbSt5WGY3kzFJ1BiUGzISThfv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUKIlHuri+zZ+7m0iniEqIQCPRdEAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI4MDMzMTU1NjU2MDg3NjY0NjIzMzYzNTIwMDE4MTA0ODQ5\nNDIxNDQzNDA4OTU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYMJ/\nK5kxA+qjWe23FW14HrMA8v3kFYy6abEKMZEFYc4g8JfN5CAcHgfqFYXjQuUbxz3v\nT6NbyoaSCYLczbsoEaN8MHowHQYDVR0OBBYEFLbdbpci1qkDRw6nMZ0fyMo256tW\nMB8GA1UdIwQYMBaAFIkovV3QJf/SJPJNGYfNOQkXym09MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAKl1Wg2icsN9UThGeGAHE67hLVtFJnIZAkl51Wp9G/iQIg\nXF5fddS6149az4blL/gHmacP+1cmCyvDrZ6LuyhFMRM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -359,7 +504,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::intermediate-missing-aki", 
@@ -367,12 +513,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYlBk+UeExvU3H4ttfG+HcqCfK1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASNGkylDEvt3m4EuQNFDl0rLdEx0rif1AkEGT4I\nJVHqkCY13GA5/D7qEISyCgLpqkYMmknzby7MnrePiHg07tzro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUy5XuSByRFp7xZRsIFP2SMic7dr4wCgYIKoZIzj0EAwIDSAAwRQIg\nIz1CW7cf7k3SoUV6m+ZLj1fUr0rSKYCwWWfj0ODljdkCIQCXuW90hWcq/MTS2jhW\nsj0YHZxdA5q7c/Vb9ohC0mreyQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPm1MW05ThkywrwM9+qdEDnBM1EswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCS8pPW/IDcZPIDN3qGBfYJMjEEjbDYIzKxv3E\nzU6vmHuuMRAZ6/PWMWGe8cGLl2yQx4BL+RrL0GyUYvkRSrBNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXpnfZZc/K/+Hft8J5qMXjMDoTwMwCgYIKoZIzj0EAwIDSQAwRgIh\nANbVhExfQ4sQL3YcY9GhaPlH2s2iTd9vOm4x0WaKkhGLAiEA1y++UyHHGu+L8cH4\n6ZO0wY6qD43iAXzY2N3G2QZwxAk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUTO2G2nE5gVeRwBJfrnJ/EpaCNyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDA1NjEyNzM5NTEyMTA1ODU4Njg3OTU2\nMjk3OTYxNzQwNjkyMzQ0MzcyMTA0NTA3NjkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMX97EJENbBLc9gTl2AU2rqRwgh4W4EFvY9gAsg+RoUXEcg+QbknpgUg6PwQwxx6\n90C4IJT+FGY3wN8cmn2vrO+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSmmGVzMz4s\nVu31HFiONfeWUFzX6TAKBggqhkjOPQQDAgNJADBGAiEAlNYuzIpjq3CICVKbIUJg\nHQBlBuOwjbRRKRUgTfBt91cCIQDqymDfgzVU8UoXMRkMIjnr0atWDnFtjarUZ2ki\ni7ts7A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUCL58BTniAlC3ClihiGJ9lGGNH54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNTYzOTQ4NjA2MjEyNTc1NjAyMzg0\nMTc2NDA1NDM2Mzc5OTA5MDQyNTczNjkxNjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKp9WLxEnS/0VzpK4ukL9gOr/znib7Fv5Di3ZfFh//NtZEpme1y7AbIb1almNYmJ\nEQaAQ9zs1U/f0+MJaB5mXCOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR3HvKhhSC8\nurRYeEPP4mnxvJv6hTAKBggqhkjOPQQDAgNJADBGAiEAp2c9M4jG/LqJpnMixEHa\n0BwQclUJhOMCaQ4W0JUD0EYCIQC/Fmu5sBLIDZWsx05FFjwEApj8qVB27yo0ma8W\n26cfWw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUdaQc96eSDUAoH6oxLmkaFxOJuvQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTYxMjczOTUxMjEwNTg1ODY4Nzk1NjI5Nzk2MTc0MDY5MjM0\nNDM3MjEwNDUwNzY5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEF04Y\n0umBjtOI1/BtpozepT+PfPmEsb5agpwk6X4Ah63CrhVuwNw+bqqs/PoEMEYf3fz8\nJQXhWr7/ka+Y0N3jsqN8MHowHQYDVR0OBBYEFKPE7s43m1DjDUm+K9gk1TAd2h5D\nMB8GA1UdIwQYMBaAFKaYZXMzPixW7fUcWI4195ZQXNfpMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBUQQc5IWF66IBryA15fzFTh125HatWsBnELkmUItm+SQIg\nfAAptFq9Sw5QHwDCKKh1CAUsI8tAYG/KQcQyQNhSgIM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUKjwcEAG8wEE1ZRyO0ICjZRETd6gwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU2Mzk0ODYwNjIxMjU3NTYwMjM4NDE3NjQwNTQzNjM3OTkw\nOTA0MjU3MzY5MTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqxrV\nfSA45+LkaTMj1IVzoLj7hT376uyS2o2XUxrjoNISGGt8oyGMD/bliIczhrKx9xSD\nLsaNuIKz5/IfgSNrvaN8MHowHQYDVR0OBBYEFLngdXGdwFusgwKXLBpAzVX0XDQa\nMB8GA1UdIwQYMBaAFHce8qGFILy6tFh4Q8/iafG8m/qFMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAqw2qUPRQuX6ZmUibg37mFbNk3VF9Ry2zAi+/6pSMhWMC\nIAy7lA/1ZnhKWcoNLPTrm8BsRSI2CX3QyCvhHwSUjV1T\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -382,7 +528,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::leaf-missing-aki", 
@@ -390,10 +537,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKkty1fZTV7hHWJsHj7nz7hKiRAowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1c/F9tb+rpOnrERJqWMEupvV3Xtx3497LbtiV\nYeeBqLUQikNakolnf7b345IO6HfjeStAqLvQnRpaQ7z55pqfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqqWtyu3gwELynPH1cnFroc+p6W8wCgYIKoZIzj0EAwIDRwAwRAIg\nJ/zxDgvEyspANxA3asJIw3IjYZMk/zpmUsFRuTZGjwwCIFQnvG6BaGh1uP0TD+9L\nSE4G5R1Jr7Oq6+ND5HHq251m\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULSpNL+hpU9/56Rf30/E7whsTE70wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATg1++cZEwH08t6NIHwfxCs2hoeLLAn1FS5Zqmf\nXdrlDm+zeoWuQdY1N7cp/jHUCCadKjXsYn7uDlw1KJnIz4Vqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtXR073HRdQGTN1o1qQU5UgIZfY4wCgYIKoZIzj0EAwIDRwAwRAIg\nPGkhKHiYvfsApz70f7RwIdw4hQ1nE69eLxZTenq78iICIDw6980B0eLaAOjW1aI6\neg0b1RUN0+MLlKwywey6y2zU\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNHe+VowPh4IDukWXmRrQGQ+NZS0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBOebpP4rrPqf6cnGTyKxGC2DWwrks5Dm5fkGsoWf/k2\nWB7BYYKHYLYGD7H3NI8AjPby04+ZdYLC5Jinye/P0lajWzBZMB0GA1UdDgQWBBQw\n/iU816hqw+QaQWHEQRtdWY/RojALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIh\nAMvCm3wz7M6EZ9YV1sEj4Ik4q1MmBGH1OUBs8y0nf6iEAiAZvrEOY+xrWsLZtVBE\n0EfW/yvkdmqTfN/DC/zYsx0R7w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZiDvI+NY5Y7bkoIRi5kf10J2sIswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBEND/wTT4Tp5ceGxcr0Y/m1wqisstZf3NyUi0shB8bS\ndGQ1twSkUBx8MUtRi7W7LeTA6tmYKAtgU78G+QhMR5KjWzBZMB0GA1UdDgQWBBQB\nJI7zOxsmhZnlH/MN1Ftg7mP1xDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nANRY6l9sxZcuoxY+kDpi7oQRcbsSKeYJj0Sa2aV/DZ7jAiEA6T3ExFqEV4tVoO+/\nxigjtw7dXhHALrRFnx9MzhvmGVw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -403,7 +550,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::critical-ski", 
@@ -411,10 +559,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUO8Xiw9AP4QrF7EUzCn5K7rk7lBQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiPDfyN74UnMTQi4JWxaRHUDUQSlYAY8Li/sxQ\nj+lQqHuRD09Ey/fi/fORgCYENwnOHbMLjpoKZ680MIK6/Q4Ao1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUPiFfnQeEtRfC/WMyrZswHFXUbykwCgYIKoZIzj0EAwIDSAAw\nRQIgIJrhDedHB7jEJQ7P2Ntb7+LkYpRHYsZP+xDbb0J2QAECIQCdvVSFVjLmZKqT\n1ApX3NNYtQKlOE+eTUTvhkqnc8stXA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUUlaW58W3rMBpAXclQPvnw0EJSHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThhfSMXE/IXHLjcylGPo4tJ0go26aEgEi1Kbx7\nyzTiIKckFbaR2/Bzny9v+iEPsSKkxWbaNcdM1ZWdK5OBel4Mo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUsd01ZB/lg4Ji1obSfeMWhpbKwLowCgYIKoZIzj0EAwIDRwAw\nRAIgBr1U2OmcC3KTeRsvVXai7ieRyH0jFPn6meEvvTsnWrgCIHFyHIlLLn5Wg6h2\nAVsZZnnjzrUeevak7Kb70IbvpSKc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUMJt8a7pduajroujW7H15r7bAe3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCp9Pulo90D9NpKAonYa/JZFn3wu7x4/KhIJoc48lw99\nf36xP6k02/ejJ/UCkPGXAtiyuFv6VAizIzchuw5mKHGjfDB6MB0GA1UdDgQWBBQR\nJfwbs4gJ034jkvbSqLcKNs3f6DAfBgNVHSMEGDAWgBT412Y3DuzUDkgmZMPZCXjl\nluK6gDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJlVweSHukcOzc64Eh8c\nHmef3KUM3cdwQ2ZIzBSmoxR8AiEArbQQ1FDQWd++GtvLN5qUCAXEJATcUnXcbwTO\nWDd3QUw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUObpNMO7LbMFif9ToEMb0kcCtPeUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG6/Et7UgfZFZqLNHOmVxmH/Kwmyn4K/udVRqRgrZMLA\nYUTr+4BL5gW0vCfv031AGN0GaE75hIHPcs16XFZLXz2jfDB6MB0GA1UdDgQWBBSG\n8ol5Qk5Ww2Ug+VEzD/5jMyOVmTAfBgNVHSMEGDAWgBS5jbthnV5B1wHNPEkpYwia\n0qwStjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANpoYezRiyVBWApOQUOT\nwLJMxZgULw0lfQ9YmBCD/KHfAiEA7GHcRzhAPTsYht+e8CUyb/xyuaAfBwHW7hCZ\neLSLnMk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -424,7 +572,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::missing-ski", 
@@ -432,10 +581,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUA2+J0Ddrm8DEzseDvcksYA0Fbn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATa3gT7NvfkWXV8fgcAOMvMbBYVm9P4kW41J1+1\nN8e4tkV7IMRstSpz0qfXK06XgZ8z0M5QAHg434WL9P1IQxYsozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAIOrz2EQFCq3SrsPhmRtab0WGd+aYXFD3gX/kwo0J1\nRgIhANz1SQs7fUa8B1ND6lo0zTzKj3AyOIynO+Z+DseYtJ3Y\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUEnW1fJ5RCirnKhXb1zJW9n4fbQMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfRLsPsoNVFfp8hxzATjisCsnhF4EWfq2VIyRo\nw8/xjkIQwbQ+Z2SmG82yemH5+xtNRtXpcdyFYgq9jmfmdURkozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAfYC5CQO+HRklFCksa6ttAzYUY3iWM9N776rKMJX0M\nxgIhAIPTOxscfN3sNLQqIMvJgN58x5xA1Aj0rjjNC3iUn+eO\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUBj1ntRYg1qpCUHAQAjtfKuYs+hUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDtpGwqDBDbKcm8Npi+8HiBS3JrtQ/mkq5IZZMyMCwo7\n5flVI/oIgChZbVGXF41wOvz9bgI8fN9zFSOUwIqrYhGjfDB6MB0GA1UdDgQWBBSH\nUomZjbNl42+cD/Q0VZihIcqNGzAfBgNVHSMEGDAWgBQ2lwD9c4pzo6n2u1iBYJwM\nfVHY4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKdq0o++46NI4O1pb4pT\n3kZKb2lCQLy8bDkBLXk/N+wiAiABzR4ekJP9sa9d6CIvVCPk5rxMOSW2UHif3P61\nEAe2aQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUBVlzxa9qVqnApp78geAwBghX6vQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNL686PmNX5Y+LVlrH4bWcwZqSoXL8JW5+Cb/vzBdJxn\nZ0iurW4+vEVY8RRlLdkDwrYzWMnEi9/OS+7GeJT2y9+jfDB6MB0GA1UdDgQWBBS9\n8nbVOZRI4D3ukFUo7uXJK6+YiTAfBgNVHSMEGDAWgBQB4ls3or13aqULLs/DVEyP\nLLvauDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgejaD3RXqeCnz9zL7R7uh\nawIipRMmzsfCq2uE3hVUAkwCIHcQUY1qjxRo7s2QjefdyQLCMnvtqRHTY+2kai7G\npc6+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -445,7 +594,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::multiple-chains-expired-intermediate", 
@@ -453,13 +603,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEScXlACDiNow8aIvJQ8uGHjVweowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTpYCJqFGZMigiE3yc9CbngxjHyN8Iijz62gG+\nBNgKgLJkkOngC6SZeSIx405ocuYVtuWX9DemTYvLxyjuizaFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUH4leLQGZxmlagymdKVtYQ5t+QAwCgYIKoZIzj0EAwIDSQAwRgIh\nAID0rXc5yiPDoJ+ponqB+pqEP3fD797YOpefsxmTBd0GAiEAr+SY4Q6FzTf2Le63\n7jiT6BRpjVYvhzCtyd0M6zCHgpc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBlDCCATmgAwIBAgIUTYAPyag+1CFlWxio02SadwEXgPcwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYZ/x6n7kDW3G0Og/RbQPEccRLxVnQjm\n1ICfAXHp1cpL767sIPa5yaIUbwOJbGtxOlTaeNLZ/Da/UG85ErVV+aNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFNnidg+ivVoum2tEp13NCOFuuYL/MAoGCCqGSM49BAMCA0kA\nMEYCIQDGqd/+bLRqRa3ZE4E5EZEnuJS1ay20T2xI1BQp4zTvkQIhALu6Y+1sBPFf\nBoAZ45nEfBjYbBX6UHYIxv0XrF1hujp9\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULPDxp3y2TopID2b/VBiY1Raf0jswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtdJxMs/GitbVWNPSdRyBP2jSsXCaiIZXnxGd7\nAWrD5T0GGzrsMtOLoRBr2ZeYxljRrz5iF9iUrTdsuOXdhEO/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwhK58e3gZA3/OPY5GWJhklggT0AwCgYIKoZIzj0EAwIDRwAwRAIg\nEOCNUw9xrW1os1UdpnEkJHR0l6Wp/Bvz2DUy4IeKihsCIAQzSXVmG3rbvFSOgBmM\nP2Ij+o64n3M0haJRNwIhKINK\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUZqzXW+bfqo8wCJv8FNn/jl+zE70wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDAwMDAxWhgP\nMjk2OTA1MDMwMDAwMDFaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGR6CYFK8joV4BwpUZbRcmvK+i0gamm4O\nyKi9Xum0QiAxCYL1raDLOVlop28FYcSjw0F/j5QvE2dSThyr2P88bqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFOVCBeaLiiPdBh9hWssa3dX0uJMrMAoGCCqGSM49BAMCA0cA\nMEQCIB1FPFQTk39qe/gxveKYRdYF4X9Eyu548aBHwY2fo5h5AiBDr0FMyXzsAtFN\njZgI4a3TiGvLhla2hUveRc3+mDdQDw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIejhU4zPA0VGWLGh0SpV51eNzYAwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDEwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARTpYCJqFGZMigiE3yc9CbngxjHyN8Iijz62gG+\nBNgKgLJkkOngC6SZeSIx405ocuYVtuWX9DemTYvLxyjuizaFo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTZ4nYPor1aLptrRKddzQjhbrmC/zAdBgNVHQ4EFgQUUH4l\neLQGZxmlagymdKVtYQ5t+QAwCgYIKoZIzj0EAwIDSAAwRQIhAP9Mp9ukDztlFlzh\n1lJr/ZJtIVfjWnwVzXGMz1puHLYvAiA/fC24EZFelx6h3NR5l+a/hpI+jSBoJfkO\nvkD5sCNQAQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUaA5+FjpvnQbMGsTvGQ4bm5t5+0cwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDAwMDAxWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtdJxMs/GitbVWNPSdRyBP2jSsXCaiIZXnxGd7\nAWrD5T0GGzrsMtOLoRBr2ZeYxljRrz5iF9iUrTdsuOXdhEO/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTlQgXmi4oj3QYfYVrLGt3V9LiTKzAdBgNVHQ4EFgQUwhK5\n8e3gZA3/OPY5GWJhklggT0AwCgYIKoZIzj0EAwIDRwAwRAIgBtEix4pUC7dbfVuz\nM6zIf1nkFEt6H6eIOq14XqA+BKoCIANmFRCLZCYMIVp8Pyjw1OvToUYlbG5tswAW\nvVFx5ymL\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUVGag+JRJShJa1OhGwHqtBTGeACkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAP6OPkXknQSGiKpO6z59+xLbwWb8ZZ4Uel3VkuXcaVl\n6yASTRmtusoK/XQpn4DwHNQ1quxs35hScAUimmNjxPijfDB6MB0GA1UdDgQWBBRX\nDURFQG2YDIzvRFPdTm8JedlQCTAfBgNVHSMEGDAWgBRQfiV4tAZnGaVqDKZ0pW1h\nDm35ADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEQ/TA5NgqbsMCem8BbJa\nt/mwFLqg0zFdKW8Y3XqzNGQCIBv7Yn6AwID/O4F513i1KFV124HErVXZeP1MMkWh\nA44L\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUf0VW9tBTYfGyCJ78C81yXZBpWQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEF+WaJV/2GmF9uteJG2+xr/jY0bMWgqMSr+vowU1XtG\nYik4I7nLyscCokR5f5aNXCi0fGKd5Qlk2ELC4M3WcQejfDB6MB0GA1UdDgQWBBTE\nqL6jKk0YANwtCQoQl9plTG+baTAfBgNVHSMEGDAWgBTCErnx7eBkDf849jkZYmGS\nWCBPQDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN6l101OZUIIUkZB0o75j\nW12+sS1QkCtEBEwFTaNQiaUCIQDyF92JoM050mDxNxkGQ45p1iMJjJr+hMycA1ju\nfUgd2w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -469,7 +619,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::chain-untrusted-root", 
@@ -477,13 +628,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUa5Sf8HO6ZCWLcDvrH64ms7BUCCUwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMTAwMDBaGA8yOTY5MDUwMzAxMDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEdCVKcg/0Ev\nmGZWYFtpTG5W0OfyYzmvN/1pVTf0QbQI6XFizaEL4xasjP9/CAFWUgA39esJKWh/\nhgNh0NJZBl6jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBS3nO2xL/m4zWvP7aZPl5jidPvy\nZDAKBggqhkjOPQQDAgNIADBFAiEAmdKbHsnCX46NlMXVVRRE7qzocgU84dT0rn37\nOvBXwRkCIF1CaiIhItmmTDc0F91ID/2J+5syH5NoWTEop7gNZDv7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUWy9rVQKTaC9g1XhgCTmsuPhWTz4wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB6brDn4J6d5\n7h5yyki+CXTeolUOvPPopcQEDJYmAZoaTizKOIagJP5zgj2WBOIe8yJfw0EgPDU1\nN5D/Jmx6s1ujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRbXT/ZE8e8V4AG/kTv01DDiRWs\nTDAKBggqhkjOPQQDAgNJADBGAiEAkqIRR6PzIPnC2Hq+92ojNWkBmCdvBIVJWtNk\nj/dc95wCIQDAHsO1I+oSdUyqVcDZQrdXdfq6p4i4eJXdAWyD25P8yg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOx/xTyUtrQ/vNO9u9FaOOfKhJcIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASddUeZWibihTVeaK8HCEz2m9SsuYJ8vPGp33NE\n74pkvzxYZQ97AWaAM8qndYf2NjqDBJI3YcdXxnD6+y+eHH+po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfcMUt91FQ1f8ktndA8o4s0mChG8wCgYIKoZIzj0EAwIDRwAwRAIg\nOrqaMphg3AoUiW6DeryuA/3dDuGI77pCEK25NCGr/xACIGzC6bs5QLzFQcNdEpBx\nA0OKEs4V35uxQ3wO2vBKHvV3\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUMrJ84RJc070/LCB3BSQGdAht5OwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBnMTkwNwYDVQQLDDAzMzc1NDI3OTk1NzIzOTYxMjE1NDI3\nMTQyODIxOTg4MzkyOTE0ODU0NDYyODQ3MzgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNneYg8WTiU6m45ZTUgNgtyr7mH27sp/Ft9/FBtaO4dxarxjfGtkXblqICJAGp7e\nmEZWHCERrKRSXoZ0V6aGC9CjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFH3DFLfd\nRUNX/JLZ3QPKOLNJgoRvMB0GA1UdDgQWBBR+3KWcD07LHjy4Qf15V7QhXv99GDAK\nBggqhkjOPQQDAgNJADBGAiEA2ti8bcco6qpo2HBFeptE6+BVW7jXzxEmrUE6yoId\nxxkCIQDTyktYbJ248t4T5S0fpHG1PLfCitq2ylWAB9DFCqbZHw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJ6Nu8Vhxx2iAnCYL0CsZGhggJrQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPkbuBmctz5ni3Up/U318gOE5FnmvE4lREVN+y\n9JK0+hPyMx19jHHBWEm9r44rbqdlMKp35uK0lHuLs1cjflQao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGw9aFdUdwgvnhfx0Po5vrKwB2rUwCgYIKoZIzj0EAwIDSAAwRQIg\nPtT1nVgJaZIKUeXAo5jA+YZ8LDACL4IK58/jWJU9B3UCIQCSg3B54LoO/N5koP+x\na46OuaKeJOCxPqnwEWh27+uObQ==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUJT6SiL/+rFGiEcHe6KsMV3TFiSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyMjYyOTUzMjYwMDY1NTU5OTIyNDM1\nOTM2NzA0NzEwODU3MzE4NjA3MDcyODg3NTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE8Kz4UCz2UAYiD7izVOBDoBPU9OaL5EJ/GEqiyaONiA5gH2WcTZq46lt5I5KQX7\neJQ5IRaqNLQrmOGDBPDUeo6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBsPWhXV\nHcIL54X8dD6Ob6ysAdq1MB0GA1UdDgQWBBS9wI3+nsrNRXQT4Tf4Fb+kP5qoozAK\nBggqhkjOPQQDAgNHADBEAiAw7Ogsn94MmZlY2sQuFh13z5CyvPnVnh8bLAwGl0tK\nhwIgdsHs9KzLk8TlbzwrHMxOb97AMGZNl/Zwg8MsRj+zwWs=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUFmmTOOhqu0TNN72gSerHtYvR/BAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzM3NTQyNzk5NTcyMzk2MTIxNTQyNzE0MjgyMTk4ODM5Mjkx\nNDg1NDQ2Mjg0NzM4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOyec\nipJTn+L7Z/2AJRdy8JRQdWU1YH1nQkOuS57zpoDrLyxMYaFbl/2d5r5IOn2kyZbN\ntxYnud9Be/KzaXT6f6N8MHowHQYDVR0OBBYEFAciN+jH/E3eJHvDBICkP4yMWsvj\nMB8GA1UdIwQYMBaAFH7cpZwPTssePLhB/XlXtCFe/30YMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEA9rfvDOvKzkfXqc6mqIDy2DVTSW4RFyN2SRRdne7fIBMC\nIQDdqM3Il2N+GtFooJ9ne9bxZmF2K2Y6djdqmtZokvvocw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUUijCQXM7UuvzPu5dz3pyHFPOZNowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI2Mjk1MzI2MDA2NTU1OTkyMjQzNTkzNjcwNDcxMDg1NzMx\nODYwNzA3Mjg4NzU2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3lel\nwbZNkd8aChpbBtkN+RII3+hzFtKE03U+W5hRWGQKfmA093D+lC1mBnLoOC/zFT+z\nVTh3LYAU6P1qFHbseqN8MHowHQYDVR0OBBYEFK1Hj/iFoV6QUZqyDTvwT+Av3Flu\nMB8GA1UdIwQYMBaAFL3Ajf6eys1FdBPhN/gVv6Q/mqijMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAy3Pdl1sbzkH+5zFVYojAn8o/zMobI/5E/u80F7YJIYEC\nIH6INl4Qm3TVFxUMm5F18CljFSVomEYaYvTsiIiJP/dL\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -493,7 +644,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::intermediate-ca-without-ca-bit", 
@@ -501,12 +653,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSuJgE5vjK3hRI8g1tkuNVHqztk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQmbf2Mhfe+nDNUWo3j/X/rPXdiF+7MlThRdfQg\nl9neqxyOmYUzeq+JSwgWEMsvufkVhUvkzjo+tqsKeVBzv+wpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU94Yr1o340oPTM1xJ/0PA/08YNF8wCgYIKoZIzj0EAwIDSQAwRgIh\nAKeO/c+uP7Uq2FuaMTt76DzZeIkFBEgZgPgg4lqd9uVqAiEA/LZfJ08r5enX8SlQ\nsk5IaO6xVFeesBuZcq7+ApS0BE4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWsQOZLtXN7OI+tHArM8baIwKZxUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARerOyXfnLpOgDaKeXRAIAVeNX9Vt09oqADIrKb\ndYtY+TzjNnqxONtBhK92mL3D8iF3aU4mC8jksY7KFsZY8vvPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwrEqX9lffpgt1G+ttsbNHbrrCwkwCgYIKoZIzj0EAwIDSAAwRQIh\nANNh+HxPOsI6JykLfJjlknap9WBmS7UP7U7Hk5WwcKplAiBCOFsgKNdZf7h2/f/K\ntfWawxJHZD3TqzE3SfkyOMlQBQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUZI1UxY6TYImvXGHSyiX82KRQWL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjBqMTkwNwYDVQQLDDA0Mjc1MTM2NTQ5MDc4NTYzMzg1MTQ0\nMDE5Njk1NTM3NzkzNTI5MzE2NzM1NTI0NjIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOmmIKKsVGp6HDyUVFWJStFGt4Qx6To0H3Pm8WCxdLqfEhRml86BqhurwTP1\nFfIq7QoFHrrAkk8a32tARzqJ6pSjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPeGK9aN+NKD\n0zNcSf9DwP9PGDRfMB0GA1UdDgQWBBRQuUieisjt5wmUGHH1t1ANhBfUkDAKBggq\nhkjOPQQDAgNIADBFAiAaiXZTRERFQZbCIw6J7ZYloYV5U13SFOU2o9VHo5mgcAIh\nAMeLcLU1mrgW4mS622ZdLbzDHoSM262pOUG0ed0vxjLw\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUGHKsR30kFh8Me6tf1L5n31NkBtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA1MTgxODEzNjkyODIzMTU3OTA4NDky\nNTc2MjEzMDY2MjM0OTY1NjIxNzk0NjcwMjkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMc+yIOOnWWI6XfuCbHWx/wZJywoSYo4NwANGRPevPTPJvJNypWjonJmtMDN\nzvPxgA5AD2Bq50/KTHK0wjztwSKjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMKxKl/ZX36Y\nLdRvrbbGzR266wsJMB0GA1UdDgQWBBQAyGXI9FZ335HwDclSbMZlDfmCADAKBggq\nhkjOPQQDAgNJADBGAiEAkqTqbBc3ttr3qigXDpC3f8b0ck79CEzeA8+4/EXJpSkC\nIQCn6W1fwkVIXaKVU3oDeyosy3y6jJ7DouWzjyHtGpePxQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUF0ReyWii491y6zMDFWpmlb+Z3CkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDI3NTEzNjU0OTA3ODU2MzM4NTE0NDAxOTY5NTUzNzc5MzUy\nOTMxNjczNTUyNDYyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n+au1Dc0n+wArBW+Dsd4JMGTVVeIZjNVONDSDlF7j0/6j7pPaOJ8l0JQ7ihzUP3/1\nHKXgr+BirZPdlVGXxSya9aN8MHowHQYDVR0OBBYEFPxrQrHYyiHDQXsjHDCM0zye\nn+jFMB8GA1UdIwQYMBaAFFC5SJ6KyO3nCZQYcfW3UA2EF9SQMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBcUqrAO0qvcJsd+a2li4B8gGDN6yG4C0xgpu+lkbCC\nJwIgJy5hPbprfn3o2hRuJ9VWqob2+Wrs2Xha8EmB0sIp0Rg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbpdabzuP3fFTQClpyK+XCn4mSxkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTE4MTgxMzY5MjgyMzE1NzkwODQ5MjU3NjIxMzA2NjIzNDk2\nNTYyMTc5NDY3MDI5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvTj3BJxKUYYtWA0Epj1hnm1onGlX4euE87ns6a6h2wVCo0qVQpG+C9YPXJUoLHbW\n9Z/Yxa2SKkRbv9Pk9L5DRqN8MHowHQYDVR0OBBYEFHPreTz49+vGFnkSXYneIHRR\nyBqPMB8GA1UdIwQYMBaAFADIZcj0VnffkfANyVJsxmUN+YIAMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA6ctHpahVOH3liHNYi0/Ufaaw/+xBXc4zcj9WQx4W\ntlkCID+PqnOIOpNkT5Hx/W2jIhErB/by0QcUgbzrF/G7M6P8\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -516,7 +668,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::intermediate-ca-missing-basic-constraints", 
@@ -524,10 +677,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFQJXl1Vd2fKXeodGRlZ5T6/3MNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR9BNd1YHke3V/ZY9zeKeRwo+jfltD7KtIdsGL+\nmXbf5REP/InD6ul7Dc8eYGl9TgGrW2XpmBZG8S10w613it6yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5wypRBoMBr6atOxqfb9o/++ibuswCgYIKoZIzj0EAwIDSQAwRgIh\nAKsAJVpvzBM3uADWO2HEdhElZx9/d/Wfuc9TUqW0ojlNAiEAu+ekdr9hydG4g/QA\nR5uhSPXeAwpQoLL3PlhfFo4thTo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgITKzxLdtMPnsDSO2F9+n4Q6CXA9TAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2\nOTA1MDMwMDAwMDFaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABLivw3hfJMcmdehbaq457zQvJDQV0FmYJCGHXhmO\nGtB1GGsyb2bKwgVmAdO2wiwvTJO2Nf6/KL4vJdYfofxnuqyjVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSm9j9IAUN/lqZxs4BFVMkqTiZpXTAKBggqhkjOPQQDAgNIADBFAiBU\nuysYfzIQALV70mvWWDkfs/a6KBrMVlRMTxgNKD+/dAIhAMadtqIlruOKcqmO1eSu\nqkQo5Hutwb/WrKtJbx8TjJ7x\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUbsdRtHXV55XjLhoAV6QRCKcmDhQwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTE5OTQxMDM3OTQyNjgyODQzMjEwODg2NjA1Mzk4Njg1Njk1\nNzAzNzIyMTc2NzMwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9vRcpZnCdMRPBDUxWIjjQcJDexAzJ00oOw9g+vun4Qedb8JVfTUwmXHfJFpxCtYF\nZyx+9hnWVEcW4lVQ7uLHXaN8MHowHQYDVR0OBBYEFC6j/9/kS5Jmq79jrcNyA2gS\nW5BsMB8GA1UdIwQYMBaAFNcDi5LIG23k4OsiOfakKT8Gzzj4MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAaZe6culr43vm2e+XJauJhGhGKe5Rv3bNle08bfEwV\ndgIgVBeHWlVUahJU3h+N3F4Z5lJwzXWfx2feza44EB2bzM8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIURL8d6StsQakYbkL1XproYqGJZ+QwCgYIKoZIzj0EAwIw\nZzE2MDQGA1UECwwtOTY0MTg0NDU5ODE1MDM2NDMzOTA5NTIzNDU5NzMyMTUyMTA1\nMDk4OTIwMTgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRo\nbGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtiyX\nH6CoDQ1/4EwH687S1UvdPjk/jh2tnJAZhqdy5HU1trNOrKLr4u8/JUn56alyqe7u\ncJwysBMcoTbh6vSfF6N8MHowHQYDVR0OBBYEFG4YoVkS1lnrww1jd3Hg/+xJNdsp\nMB8GA1UdIwQYMBaAFMQrWZgvQKp2CtvBkfD5xQsRg19/MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAafWVT4ywh7Juy8LAKZ60CqOHDZpuJPFlqvGY9G8S9zgIh\nAK6fZVYhBrw+WJy2ET1BfHQoxOhqVAYa/a2vlJ20TnEN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -537,7 +690,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::root-missing-basic-constraints", 
@@ -545,10 +699,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUcWpDQAldMzv3tU03M79NXoDtqa0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPfftl8HUoJVw7o+qQITM7p7j50ZAbGrRyocPU\nubYW0OogL/Nubl6ihEBXhNoFWNy5ePFlbIYR7nvP2xq9jKwTo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFGmdxAEEH6oB\nTwfZX4ABMwEPX1NVMAoGCCqGSM49BAMCA0gAMEUCIDKmtbtWUANO4MRqxAtumNj8\nsAtYNStmhOK/hYeoYRWgAiEA1hyFOUXtc9um6yKNQqkqSzB0kZOzXbpRsWOZKtH7\nNLI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUPIMoca2qs49u6TeDuhvmMuZV4p4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnydNyEn+QGFnCWWDmFjE/uTSSIinE5diipZPd\n+VpMhVo6s72XTZkPulIPBEMoHxPza1x8uqf6qleTD7Jmj2Xto0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFANKM1pKwrvQ\nM59TsaPHpiL/EEILMAoGCCqGSM49BAMCA0gAMEUCIBrYdL/GW96nqsGkmSUxReOT\n9HuyheV3JHXz+bZkSFAIAiEAzEYurRaoUm2zsfLY5XxwXW6wXM60lhIbyBZm0v4R\n+Wk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUW0KRE7OJ9pW0Wk7idAhTtoaWqwAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKPkacT59sNNmjTRgQK4kb4pN9NZfXyezEU5q9etXup7\nQgKtoyLItjaAjT2UM8YJtER9JwiU2fdtOsXQOfNbFbGjfDB6MB0GA1UdDgQWBBTq\nIMsVoEbgctelCvdqCeDfbj7JvDAfBgNVHSMEGDAWgBRpncQBBB+qAU8H2V+AATMB\nD19TVTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKup4T0EJjTyGdjoeRlMD\n7SKruF0hhYkXAEEnppKLDewCIC845Jh3f4kNDI92cr3H1BrJAGcWX3EYMGEv/Xw2\nZOOK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUL1AqcI+a5gonCifro48e1G/rwlYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOrS7EwPTvV4Ks3Nh1on7hkvLtoykS8nCMAqPGv0Czpo\n4TqAfxsI71/lGwv4EFCrQUWWZrZoM7ojGlD1s454CUGjfDB6MB0GA1UdDgQWBBQV\nmNalQutuv35RPktwEKGHZKBrhzAfBgNVHSMEGDAWgBQDSjNaSsK70DOfU7Gjx6Yi\n/xBCCzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANnERNyGBpSq6oUY5Tfv\noq9V3hq6Uh6B2PzvOJch7vNWAiBE5vh4Rz7LYg4q3IkuVYJOdwe2YFM7viw1LkIE\ndBiPSw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -558,7 +712,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::root-non-critical-basic-constraints", 
@@ -566,10 +721,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUIyOqZ2rn8g/3CD7TJKCCd6Tv5V4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsGwtvvwimEQRxhzhjf+VfqLBK7XQc8JR6FZ/t\nIi1MoIQ5hmz2Hb4How7Xk4jMDKKUc2jt3cVBLPCYytWIfWtzo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUrP2yKjFdqCQ1GFqO6RISWHpMZ0EwCgYIKoZIzj0EAwIDSAAwRQIhAJO+\nYliwygo334r2Zktpgx5RO1gqG82g4EXq3PBw1PzDAiAqmsiwxVXs6whqC3UJHPsQ\nxBi1DV1QXznx9GRMWzEwlg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUBuDte23kPFdwKdl3+pk8WMrMv+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9kK+BFM9V302o0a4AmCfHN3D/H5+fLiWwjxEp\nRn2ewQqR3wXAOt76kzwKPyePOkuPdJeaHIZ7ZwZybEMbN+Dzo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU4akcaZA2sQ+vee9V9oRZ09o4+MQwCgYIKoZIzj0EAwIDSAAwRQIgUjPd\nyBR9EIK9cX0VFGC8VpwjmaKBsDTCHMvgUuxEgFYCIQDVsuLlWrUFPWdarNO8LyHo\nJkT359H+BNQVr5zqNtZC5A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUEsEJP+nagYv6PIM9PR2VD1AIgKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMpLHAC3ywwQAhZ4pKExEs3kwReFEWjIb4Ljdqm86+no\nshdyua2+t7bsSGfkcfi9FJ9q5RGuWmw7+6t3Wx6ySrajfDB6MB0GA1UdDgQWBBQr\npLyE5pwxvUO1jJ4mxy7DUK9XnjAfBgNVHSMEGDAWgBSs/bIqMV2oJDUYWo7pEhJY\nekxnQTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEYmZnqPA/J1Xi0N2P0rR\n45e7uQvV/GpOW7i9z7O82lsCIGe2P/hqCzHdW/euU/ol3tpvSZUIAfW2CqT3X2xa\nKp3N\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUaDY+kBijQnMKtlQYCjyjflvx7Q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMoJgsnvMsLNnjWX+ucmslG6sB630jjzwUuyCawtI4+N\nxBo8SD1hmu9fFGun1n0mX5FFZ82TlURZpLzg9/WrBcejfDB6MB0GA1UdDgQWBBRY\nsBbG2/FbEa2aaHrlEDASSDotKDAfBgNVHSMEGDAWgBThqRxpkDaxD69571X2hFnT\n2jj4xDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgeRuRzT11m9w+gO84yUg8\nW7R/NHIQl36peAwgk7moa9ECIQCTIf3T2KcmjbISCAyGsFsQbFknTNw3QACQLQKI\n7kp5Qw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -579,7 +734,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::root-inconsistent-ca-extensions", 
@@ -587,10 +743,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUWymRvwvCPfMflGGllBy0jPP05sUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEwDVG+nFfjN6aYdongOnZVUyTI49QieXGdhYZ\nCA7lSpEf1CEXvUEnVREjAabig5M9IsJLd7xzkQ5oFTUqnjHlo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBS+UR/KenFoIdLX/pMe2WUy37wyqzAKBggqhkjOPQQDAgNJADBGAiEA\ns7YZbKcEPxitMekHI/LOUrEaDVVaLsPL772VICxyQBYCIQChKBopyzBH7Pt8gAek\n69lX1r88siVoA5Nj+6VBUyz1rg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUJeGHQ7u+NlQGUaWVRDksR8bDjUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvZVYhH9ArslhO5Pj6jqtU7tgGOarASU3pVjf3\ni5kotogaQLfH/hmv0qKIKWtBlkA5EQboOeCXz9kyVkq6Qz1Eo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSvIBAYj8j5FNW76aeivFmPlv5KmjAKBggqhkjOPQQDAgNIADBFAiBW\n7psl0NDJX+JAnzwhK04+ejyiWElowEnSwXFUs4phFgIhAI2TtJ3riViEElyGR2Ig\n0PxfPKsnnvgauxnIyquVdyfZ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQIAUZofWB0yF0nKgWrr2K87pJncwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPczJvl2/s4GXVJ7f4XjzhBHbWgbYNyuwLij2dUxZejq\nNtFkeXVkgwChYeBjojSKEBKNPlbtQB+M3m7xTxyQloKjfDB6MB0GA1UdDgQWBBTO\nov0ov1V+hOo99CyZTkFnJ5AU0jAfBgNVHSMEGDAWgBS+UR/KenFoIdLX/pMe2WUy\n37wyqzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAM6dnGZCufXfZ9mFVyfq\nxc3OZW5FmhL/XZUAdYuvqN4GAiBBd7yJ/AoWEcfxU09mT57ZSlKv3VGGBGy+QXJb\nlAmBJA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUNjFdjmtyx3Gz3O3Vj7Q3dAkk7a4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI3LFTzryRKOCptIrjoHIzTdFf2w7xJS0DqyNQ7bRrqV\nF4LowAcZ5K7PFnOujcPGqdWdfexjdp454FqUtX6uS9+jfDB6MB0GA1UdDgQWBBRI\nTz0Sdnhpy68PufXr1p5GvXUiDjAfBgNVHSMEGDAWgBSvIBAYj8j5FNW76aeivFmP\nlv5KmjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPzPo80wOzg9IYNEoB+X\n+RoabD981R09/MNhQm4hXrhfAiEA2e7d1LXbJhDGcvYQzf4uprTdp69LlkYNeAHL\n//Xb8I8=\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -600,7 +756,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ica-ku-keycertsign", 
@@ -608,10 +765,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUecFyLONKSc2AFua7wMGhjyc0srAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASL8UZ8exg/Mi+URpW5+E9hJ/UzbMnq7kyn9/Do\nNkDOqVCSR63gjqFFI/a8p8lszATzsbTE1nLZYpwZol4EBsmmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb6BBEluw9WOFO5pCzv9Pw9iCzLwwCgYIKoZIzj0EAwIDRwAwRAIg\nF1DesuvnBNoAMwVy1fFh3FGJrKcJLH3J17ksP0zWVLICIERb5gIo2XBv+nY7qf3f\nbFR3gJ575k6mEV+GaRX7XQgY\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB/edGv1Vk+1eWjxEctxysivIAiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxXKUSxhn+TAsomj+Y75XVpvQyaJb7o3t+9Ey7\nQXSyVJ86/NeXGYMHzwPdO+aqjx7vSkIErjcCfpS/0zr0uClXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcuIqTiQhXzIE6Vu66RhdxSlXBhEwCgYIKoZIzj0EAwIDSAAwRQIg\nNZMXY5if7lqaK0rEpK9GYWigJpi90aheonwZil9VtrkCIQCyArb860IM0vqhSqZ2\nfIaqok3tCZ8NOuBJpWEH0jBkgQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUSUWH070F169J/xLJn8o2M2kWepQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk1MTAxODczMTY4MTQxODM5Nzk1OTYwNTM5OTc1ODkzODYy\nNTQxNzQwNTIwMTEyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1nf4\nRQYGpPCrVk53w2yrb5GlwS58Uk/UICOT/ht0xo/GfbU7giPzP2n4za57h6ct6iSF\nAMNgn6kZ1PJZBQz9eqN8MHowHQYDVR0OBBYEFKQZeg8wq48tFX/p8ce1f4z0Km98\nMB8GA1UdIwQYMBaAFHE5g4ODBEPqljfaHCwGVE/zpK7mMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAh93qW70ed3q5hnZ1D2eeyVdAzwnRuiFgUAaOZajzTtUC\nIQC/A/DFwF7ntnpLW+eem+/lfuwE9N4KLmgJgOflIHjCgA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUbVaIyXWcRv3FLJhvUbDrF0FRW2UwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDU0ODQ5MDUyNzI3NzU3OTUzNzU3NjEwMDcyNzg3OTYyNDY5\nMjA5NjgyNzQ0NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT/WGkd\nKsjrT0zq+8jo/CMTjFT2bvDCitmxIJSD8tYgPtttnWeGyWJahIz9+95udZ+U7aR+\nIS9fs47hMevxZ/e9o3wwejAdBgNVHQ4EFgQUZkkj6eDpJN5lcXpBbsY/iakLe0Yw\nHwYDVR0jBBgwFoAUfPPnUdqdy89Ds0HE8uEaLfGy3H0wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIHkOalcN63E4ViFBCClIGTdAO2WB4n/DD8UmMvxMxGSOAiEA\nimdXp4RKUhaQn6qAnlO5e5Zuytg5WzVNL/DVkWM+d7U=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -621,7 +778,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::leaf-ku-keycertsign", 
@@ -629,10 +787,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgITJHBCfo3OMJCg2+GhGtZZVOE5ITAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2\nOTA1MDMwMTAwMDBaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABGSeYlmOLBYgA7CoK/TJNZUNmDnuIHkYmgHt/tc+\nEeVKVvbVgLJPndkMnmrQcP8VhuLBHwVEciRc/XNddjC0VaOjVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQ5Osv2AxW+RG0a9D0aj5i+9eZH7DAKBggqhkjOPQQDAgNJADBGAiEA\nsrqyY7wyggPqmyZPxXgx+4aKlJ6+hMC7lwXajS7HT54CIQCqQPk0eg7GSA4myJek\nLIhFyAk0dMIqpsDavUyQz91j0g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVC/8MnKVXvJ1gsCefnpa0pLxNR0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQC29VxgsxINlIlDcB0YliolRpxhR+/bwzc+pQA\nIzWxBFSjFBL43QmYfhFJvNy8AgxMGQ/c7T6L2vvvtVilCQ8Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg8eqF1pJ9mq7/ICUPYlaLJKV9q4wCgYIKoZIzj0EAwIDSQAwRgIh\nAKf9YBoXaWq1KrVpUxl6fZ3ZmhN+1Rlnw+e4MP/Ove6CAiEAwscbZXz+wmJN9tUj\ndlDBTUt3rHAB+ePZsWMV0m67FT4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUYb2LXT9OxEhqtZrJCLGcRsV1Zt8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKG1hSzV7GJyK+SyKnv6KFHnCDe/QYUK19KkFLq8A3zr\nbP78RBu+zV4HTCJlFMVbaPLfxHukNV5b3w3leMtzbrijgYswgYgwHQYDVR0OBBYE\nFE1+tKSwceoHIbKwD1wpHXBPb0mBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nOTrL9gMVvkRtGvQ9Go+YvvXmR+wwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIHCl9K8F0xwc8Ged5cL4FtuyRl2e2nic0qCJxhI0R7feAiEAxvsTpBj+apCkTowV\nPwqOzFqI9Wk40e5oj3tUkN59TyI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUPikVkDkhYOa12OJiOAdRdLwS2nEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKttpwHjS7VAJvJJbZmjNkJZ6vmkcgfL9WwtwegVQ6/r\nkGC2/OGhwgs2RHvUnPLqNqKuYpSqtkn8X++g60liBy+jgYswgYgwHQYDVR0OBBYE\nFAjpzLZOJFKuAHG22IIDCP6MiaO8MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\ng8eqF1pJ9mq7/ICUPYlaLJKV9q4wCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDe3onhgge7g/t3z+rWE8gRKeQOX3/DRqOYZvM8m82QnQIgVyWtgu5ORiajr1LW\nzchi2HDo3b8UaQU8T61e8ZSvNek=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -642,7 +800,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dns-mismatch", 
@@ -650,10 +809,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUKW9zsNmKeuKDVrBXvDabkVpIVgQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFaeQeTRxy0inIFB43BIPZRsFJwMcLsEIZ46uc\nxgQVt1LKhKEhdEy8r0WLNA01DdjV3bDQwzKODm89UGn9gNWGo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaBB3TjT23YZPaWwmNZQg6wlH6jkwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBLOkBY8MTes8CftZQauREvJ\n/H/GaA9leZ2yCU3tLdDVAiAQwVqzHoxBtG1WMWBVV5+nbCpbhp3vTzHYF2cQwaqT\nfg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUX8CUTIu8sI5XXpa7cQJQFbD/MGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJzyhyiurjTREs4UVS+tZy1vvYP4czj5s4+VSh\nKy/78eLVgjyzC41MC0ahi++ZmQAkE8Nrm7ps9VsmLLmR9qm8o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoi1xbfHY/JggppzTOlJDhdVwrZcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHEu+gdrMtAgtWJT/wbdVK9a\nxT4zyVF8uMteuWpKdZZZAiApKVBLdRSzoH2lrfdfHX140eEYMmODwmH98lF+0SfK\nzQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUX34PNq6yIJ/NPkx36aVVO1k2hdcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMRhydI/JQ82I2ip+XzaLnMQR8F0fNEm2JtLLuABFmkd\njoKyde2/SG1vS2sB0hUx2SMzWBpsLhTyX6fVpPCxJDujgYAwfjAdBgNVHQ4EFgQU\nuImc5hQ5BAkFpqRTO//MIgKAUigwHwYDVR0jBBgwFoAUaBB3TjT23YZPaWwmNZQg\n6wlH6jkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1ezuEjwbQuRo\n9ku+WRH64OyhGLDXw+he1s2Abk9v/t4CIQChdKm5gORi1r0Q16hCIs/tCBWoL7np\nfyrXT5P1vM7e1Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUSkaT4ogRe722nvptXh260K7BVMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuiTYM/DC+DhyJxbp10NKnB4eU2qXcr0D/IhSBHthss\n0eyr2KaDCCmZGzavSFppgg8eYi/16OuVzAwl+e8huFyjgYAwfjAdBgNVHQ4EFgQU\np3bfMwcfB5wFZILDuPSq2yOSJ5swHwYDVR0jBBgwFoAUoi1xbfHY/JggppzTOlJD\nhdVwrZcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA0H1L5YOdwOG9\nr+04X0ucWyC2fhKsVeMiaOyUqZRjJ8QCIQCe3aQgoBNbvSwexTkqCwAWibMdyCNo\nMPy+SkoG4taAlg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -663,7 +822,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-dns-match", 
@@ -671,10 +831,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUL+4NJFiG6hY9B7pBvjfC9BFr6EwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQvyO0AWFQqYdzko7XIDbLRgDi7iXmMZfhj5HZz\n2LwwYlOeJhwV9ItFEzFLfU3A83/OiGNj8HbiSsAXND5ybC+9o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJFHzGe43OjeFJ/LHLCa5o0ERkUswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHI6vzwdmi1JBJVjqb8VZmVZ\nNlAt3tff4k6olF1EaXBbAiBaNMqNRJmiVo9kqnU5Zv21y4jdvWsgGA07xmUafybg\n7Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUUvir3cXSsIze7VlvFFvrI+cg7EIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtl0rlapwYnCt2a7KJgiowkO3TE33Iw2gidEpp\n2J4Fs3jonw3RQ/7mtctqTpFPFoHW8PMlD3Bf/g2/rjkhJQLqo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqMr6iVHfIyckj/srYpBsBAVa+6gwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFIyHfD3XIrwkXCCAMbFoA7K\nGyde5RbR3tAmDdrFRZCqAiBbxpPhHNbwMIqpKNhgt/Q8RyHWmJmQe0NfwaC0kbzY\nUw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUPDkVWwon21Zl7OUFupoB1jtQeGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB0gRX+SfNGmTpmSL1euBgMxxIFSInS4WX0mGLtQID9y\nXCMWPeVy+LbzBaMFCyWyrTsdCLaE25gR6dJi5p4EnkOjfDB6MB0GA1UdDgQWBBSb\nfLzcBr6U1qZBsmHd+4kD2sEypDAfBgNVHSMEGDAWgBQkUfMZ7jc6N4Un8scsJrmj\nQRGRSzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALGMA2xmYysPk4R2TXNO\nyip8muvEr4V//bruJlOrH1yEAiAQmpiFYR0jfP73wcPs4pce6POg9F71io7xdFiV\nuqXKkQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUMKpc3R80JVcOTRqf7sN52B+iW6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCD+7ddZVOwL2qzn1n1nP2mFcYDHZrbaU/ldvdP/6rmw\nYSCAnGKHDOQKc5TJ0hL13SMSPOGBEzLsf0LoErUIFLSjfDB6MB0GA1UdDgQWBBS6\n/Exxx6VHM2DDlLcn+3KG36/6AzAfBgNVHSMEGDAWgBSoyvqJUd8jJySP+ytikGwE\nBVr7qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJVaB1pQxX3W/wgxk2/M\nrhEJlpF89A1ORjt3OzURwykRAiBkd8mJpEsyXX56VcZ3k/R9Jirkhstp1Ele+Utr\ny5kZRg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -684,7 +844,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dns-match", 
@@ -692,10 +853,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUIeqr1sut47fu3bK0dN8tNnQWEs4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpd2j3HvhrrDIbDhMC3Plmz1nMtd5z0Id/1b6k\nvdjZ+KE9vqRmUAT4b6CzThEpHqPCrsUUZkPwyE9L3UKSpKU5o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2TPYr3UAZ2ue5//ty0/UxR7jw+IwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGbPAskyoW77OiDOqobde5Ew\nSX8pX2d4yMfIZ78LnKIKAiEA9n0wczn+PuOb1YUTIUxl79x1LEJEiaFLl7kY5z9s\nTPc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUc+L8Nwr/bnLRTgKQ4N+hKn0YjgswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1fCCvTeLjPK4XnsEqy2kLDnfzL/6nwgJTA0WO\nVyq4dUCrKDSHrK4IwKHvPAd9IvCusnrYr4U13SDISZKCdwyBo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO9BuWn99lZ0Vd1FTsBGw7MCyRaswHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIADKKsdWuf9f/vbr0w5BK8HQ\nLtpBWoRMftwwzcBMY4WEAiBOWV2IL5DEbGRhx4RTQhcAyCJZv2XGHx4MAsWmLwXq\nhw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUZHXJwc8z3d3cnFUP9tbJ8jvYOyEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJkE9WMnOmiOPh3/1efeqE9VuzZifn+gV4tK28Yxk/Yq\n8b0lkwM5XUGTLABUdFFxEUuCp8UMDnKvDI5wDmhI6CCjfDB6MB0GA1UdDgQWBBTw\n37x0udDhEfGYG61ocVK+MVt/1TAfBgNVHSMEGDAWgBTZM9ivdQBna57n/+3LT9TF\nHuPD4jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAI3/d+cpZInfCxoXvk82\nDQgOdxqXCrvuc3zWXKpNTy+EAiEAqxzb+mp6XE0JhbTPRrWuQ8zaGLdVzbcIKXkG\nbFAf3No=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUd/80xfLfgCudax3A81k1HDr8ktMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJiJkCb8sWOhqh6opRT/6jqRaOcOBsWxLkKIBZIKr8UG\nHSniqI7XJ2tmOFUMw5G0GO1pmTOOP3xOO8VRD3Chy96jfDB6MB0GA1UdDgQWBBR1\nynBiZ07I1sVY/g2YWgxpsRIukTAfBgNVHSMEGDAWgBQ70G5af32VnRV3UVOwEbDs\nwLJFqzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBkcbQZRPFI+Y1kwzyW4x\nfXRd+E2UNT5+jwU6V6ese6ECICNCX+3EYn3+vEkp1LkiH353u7PApa/e3iThMFtJ\nfkTy\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -705,7 +866,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dns-match-more", 
@@ -713,10 +875,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIULFTN7vEgnvACmrzFZ2aZNvowx+owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSsG5MbAbyyThYCwTzlMHD6c3B4I6OxiKzVhCj\nSsZMpY/ScpZ7iDlKH34FwBXwfxyTp4J2GIkcoAUj47WKgveso3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9jX2XwkOYNlCNFBMME2chix97/IwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD1le6YX2ajo/LV49hueytL\nZX8Hri90ewMcpnNy9oSM9wIhAK01S+9HQVUgD4lWvOZIr9XBBR+MdoeqKAtJlO8d\nDeib\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURCXjG8Zo83I0enM+TOXzJTL5vIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrMPaUKmsCS7ipV38oEEN4Vwp1h+5AItzqcBW0\n209kdQ8kVDT50Xm/rDU67A0HXiYwAH10hMS68dYUkDSQyDFIo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM5LLuyugbso4p1c5KX4sQuggGXUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDXdUoV1I2UjyVs2DTHIcFb\n57cCpwh+0QQw2B4GI0AccgIgBEmWWF6JIdfPaBagQt/zErDBdlWNAug4QptYxt22\nOYo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAWCgAwIBAgIUD+VHU4P5ypH3vgvsetSookjKyDMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIfzLp+vnsd1wxAVgBU+7Z6NUR+yPgxdfO/OnKVau+Wb\nNPKKRK20nSL59Tt1AdVmWgfHUFJQ50ncBvE0jdQ1Zs6jgYUwgYIwHQYDVR0OBBYE\nFFvRU1irNd8gJhxMH2M1f9x/LXtmMB8GA1UdIwQYMBaAFPY19l8JDmDZQjRQTDBN\nnIYsfe/yMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIETfnO6f\npAGp9oKyZIpXghe8AYUyq8wVfnIdFohsPrMiAiAWu2BhPjN7g5RRkggcRfVVosGA\n96FjaITQsKaoN0xNDQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUTo6Lsg1gJ5VaYQ8o8GbsjCb/+UswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNkUp/6vSYEdPztmto21dM7iTKCsKq0gvEBdac0XfyRJ\ntWF5kn1prRNDqlv7mAT83meS7t81p1HHCKmyA+3aU8KjgYUwgYIwHQYDVR0OBBYE\nFPrTxpLaswx6TdugXFZCD4a7f0PLMB8GA1UdIwQYMBaAFDOSy7sroG7KOKdXOSl+\nLELoIBl1MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBmugA24\nsLpoWZoIIdMh0oaHhLW6jSSxDTs+eLceO5ZMAiEAtO7aSHXZiDNFJd03nuA5qAze\n+8L7td3oqOg7gc6bHOQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -726,7 +888,8 @@ "kind": "DNS", "value": "foo.bar.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-dns-match-second", 
@@ -734,10 +897,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUcThSvCAXHPmhj0tHHI4vpaYmvL8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQjiTYvZna2Sxu5mlcniGrH83rxL24HIfNzrhzw\nKyDZnVwnAGyfZd454/GubQ6g4cncNdcq8rvnMJrswvdmOQE8o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSdJaurjaGlCG7MuJcOHFctY3i1szApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAM1v\nWfZniwgm7oLl+coK5bGFo5JVkek54f5cCIXL9HjrAiEApEIBXGE35OEPirFHeQYQ\nMi62vZW/gKyJaHNKVGYWiXk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIURr3f2sdDSPYH7aKKezIusehvwiUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZKhllN6Aip2Ig+LB0S2Gem7MG6PNq4Kp6Vwu/\nddJnGARuUOl2w79Z2Rj0y6SjVwexDCK11k+4iVzM+QEXdjgVo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTOU9vAZlSiycSvfkP6CDRZBigSTDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKif\nO/A5k/5FU+FyguWdbKnkw/duhtbUd3RkEwhH1jO5AiEA0kfcyqOx46ozFDGqvnQw\ng4YW/k205GxFdk7RiDwQfFg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUTnS4t6jfx455VKaLbraxaQMoJiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJMrVQSN9PVikjJrsol377VTy87pBc9W4D4DbtCogpHu\nJXG5ZGpot+bwWzezMHCF0dFwELA78isQbhX+XE4mdiSjgZYwgZMwHQYDVR0OBBYE\nFBdG0g/UohH1p6MugmxpdohJRJeKMB8GA1UdIwQYMBaAFJ0lq6uNoaUIbsy4lw4c\nVy1jeLWzMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDRwAwRAIgAIZW7z9YXofKzny+OVlIbPcloDQIVIXaMOgg6yByFGUCIAdS\nECI5Q7hSRO13ZWdGLUKx3MKsd4s4j24CIje+truv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUfRV9vV8ekE5mzfRHscTmhQxbe/IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAZ19obrTAm3jsDUsns+0s944L+K8t72geXQZGwDwzL7\neakbq8eegiP65HpR4LTqxcltW97ERlLlqooNU7gIonWjgZYwgZMwHQYDVR0OBBYE\nFLJ9csbcI8QN8BTjaSRPrWBjMqzMMB8GA1UdIwQYMBaAFM5T28BmVKLJxK9+Q/oI\nNFkGKBJMMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSQAwRgIhAIilXmZoFnjlWmapPp0gkdVnRKtbq5htvqkzr4c4UDRMAiEA\n+rYmTNmjcCLmJ+pKaE59j7aHigSDJ4K8D563fjgffQg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -747,7 +910,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-ip-mismatch", 
@@ -755,10 +919,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUbjVPXaFHEiqD8kjBp83zAzWpcyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD2CDkTw8B6yC5pWBqYgNLGQS4Gt4QmWMe4ppg\nJUU95iSW8n5awvu21bb/TyXzuAGrCw4TnYBqCSXtNYWGOOmDo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUsEwTekYKew6a25Zn9RNTWfer1wIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQClbWwpTiVqeReDfqeTL8o58l83\nKQVErnReicC/BO7OjgIhAN7v1yRB6id8zngYxh4JR4iOzIhfZD6sWF/P0HqSeQVT\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUBXKzop8h92ZokXkDb2YrQUXn4bMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwNSLL3pOxc1w9L6qCnFEsP9Pbtm6QM+B1AD67\nq8xVFACOGC1v6qITezek/0ngQmwpl+9sqIJhVpEQmehIlcE/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQPuwkTTc136qqb6hl4mCQfANb+QwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFkXO6Rzxd8d2rgbNeQJP30dG47O\nu69kynrHRzL0w9jrAiEAuQGI14z9XiGgMUuqkYHj4aOP2VEw0j5PPOIN2f5X13Y=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUPLQjbsSFr5KigKPxsIqJhvfRwg8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDpZuMphw5E1xpM0EGb3B/YcwnpuHWJHof88VlXmwZub\nEFZjaG0LPP617/UsYRIm4JQyvG97Zk7JBAk122TYVFyjdTBzMB0GA1UdDgQWBBS3\n8+DrlqNgYkHtZILr/kfc/pHl+zAfBgNVHSMEGDAWgBSwTBN6Rgp7Dprblmf1E1NZ\n96vXAjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNIADBFAiAcNdrAI89e2cMnFjLAeyE8D8HwBzHy\nSrGP9w9kJlszsQIhAIDHJUoNw8bTpVG5YZk5BogwDY4DzSK6p5MIuSg4QSIn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUBrP30wtbV3PYE7MSsGJ/FeULWBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMU0kInuvVH7QM++4dVMwyMQitYxfN11CGGIT9eeJv2e\nl3p3t2nJuAtEgQJSCyj1XmsRpuY9vCvSeWUvJGQyF/2jdTBzMB0GA1UdDgQWBBQF\nNzaRzrFr5xXrAqK+8juHHgEDVDAfBgNVHSMEGDAWgBRA+7CRNNzXfqqpvqGXiYJB\n8A1v5DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNIADBFAiAbtu2iIaKfvg30Lcny6pG7V+URnFGg\njTJCikej0eFzxgIhAPosBFS0OC5BX8ifpW8dvEFXYVwyufx2V7E+4C96woSj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -768,7 +932,8 @@ "kind": "IP", "value": "192.0.3.1" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-ip-match", 
@@ -776,10 +941,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUGzZ5tEueo8EfKkIciX+ETDiP6hYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYninvTxxryBt2IWS6Oa6SkR5oMWqdrK+H310y\nRy5nXpMRO4EWJmMjIdNKcH31bW55SUY+JF14Suhb9EbcYTjWo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSO1VPiu8CS7ocklf6MgUo6pQwH8wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCICHO5yCWbmv/7Jgr7QNcRjXEa1NF\nouZKe+x0wDnykqSiAiEAqqqhY1FmtwJ79aLLR9vmsAOjnC+Clm5JvfGS7hdPi8I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUQvM9vULuFxUYI9VYaGqwDRE2ZsowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpI9eXOm2YZ0BCOWVv7rReBPbasUEtp/ZqvZG7\nQjgkbqxT0rumB33jUtkGvCJzjZZgnYfQ13MrCQ28hS5fQYWso3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUttImhLo/oO6J51I6vtwQm2QmcN0wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC896ShkSAT/5DreRfSadLgm14v\n0gOZz+TCY2bWB93VhwIhAK+GeCjAlu0QpFPbldmgu4LomobDWtR70zI/GLkwvkR+\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUNTu2IoNrNKYP5Ndnzy6LtICO3s4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMkDgHv2vHzNaeDLk/LoPWDdRfm95Oem0HU+UvDU6pKS\nbvxur0ggc83JHzSunukpqXEmd7GjdtKiXWIe3tWJAq6jdTBzMB0GA1UdDgQWBBQZ\n3rnUshcqXw6scUEN2g6MwgwmcTAfBgNVHSMEGDAWgBRI7VU+K7wJLuhySV/oyBSj\nqlDAfzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA0dXppvOdfm+ZCeTGUY3uJ7XGQWX3\naX+8yhjM7QHEr/0CIAGav2PgigbSAP0+cRm7bNhH7s7ODr3frnWb+hooOJKj\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUfru1ZtCPT3Hf/MVCzlcg0iwilZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG1d8jp7t6jtX7Pijgn+aXpyVlJDyuaGL2xXyE6RiPLC\nP9zIBsbJmQQlIO2B2y2VQypnf1+o6vq7olEuYSIUb9SjdTBzMB0GA1UdDgQWBBQY\n63WdFWeN5tyEWrzX3gLyQES5tDAfBgNVHSMEGDAWgBS20iaEuj+g7onnUjq+3BCb\nZCZw3TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBz55beS8t5Q/+m6Pfmzy6uJZ91k1af\nJgPK0baejfBETgIhAMTreWJ/TjT6t2ZFhPvajBc/sEIRXNbJpgi6zkLr1Wkr\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -789,7 +954,8 @@ "kind": "IP", "value": "192.0.2.1" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-ip-match", 
@@ -797,10 +963,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUZkONh1cvRNoUEJ2sdirqCAyEFPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASgYECa991EEBJquU8W/V9wYaK8pRFZoyoENk7T\nDstMO2aupUlV0JpQNTMkHWpoFoDXs3HWdv0zZf8wcJBz4s7Ho3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv4C0K1uFbPJlZwbI1CXA2jI5lm4wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCUTv4T2ItxaspxWzytvQpCzwi0\nyxd+HdrsFnVo+fzInwIgBZs0PABjJrcW67svWct0RByBmqUbGSv7XS7DDGjfDTQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUGLu6y0CutctffkBhNDHgp8B2cJowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCqLJGMSEa+Dj9ROaI7mHx0RBQQL6OWMRJDsje\nEZjrq6UBYxxF/prndb8BPLLVkzYbb/ZO3GBveREOK04g8G0Fo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgh/yKhvaBgan8G++iN7MqW4+yeAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIEep8+SckA7lNhD5klxrWdm9QUp3\nuGSx/vxbNaccC7pyAiB9BkK9GlksdbX1clWFeLwlgJxw9ORHUmu1dV5XHx8mhQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUVqzSW9iaWvjkVVpV5EXrndNe5DcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNvKJmweenjvVhKiGZVUMQh4E1KzRlYxCUDR6ikLd0a9\nszDYRv5ehyvZTIr3cNicXQr4qdQZMdiHlcrpfLI06tyjdTBzMB0GA1UdDgQWBBTB\nBg7gpuwrXqka7q0jAtDfzZ3ACTAfBgNVHSMEGDAWgBS/gLQrW4Vs8mVnBsjUJcDa\nMjmWbjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiB0wiA/poLO9fDp4OR9RKJroyhFb03i\n9pgRWZcWGl3+fAIhAKNC1nnMtsPdxpy8eWyQ+pbDK7TWhtAyqmmuwXvKjWra\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUYdWPX8GFu4ucJdYvGZrK7LUXWqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDe3aog3fZ2IeO3L/gYIBMQ2H1NMVpSDa2yvKyNj48u7\nBPU+XZAgykdIoTjPn1hum/7KBv0l/ejTdffeOhEmAOOjdTBzMB0GA1UdDgQWBBSQ\no2FObtmlECzJkNFCTvKA0hYZbjAfBgNVHSMEGDAWgBSCH/IqG9oGBqfwb76I3syp\nbj7J4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAnTE2SftvSrGpcS6yCdx/BTn00R4d\nJs5bzxclgW2mK+ECIQDs1e3G58+78rc6PqmCebkwHVyHtjPVLyG6ZbmYMpp8JA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -810,7 +976,8 @@ "kind": "IP", "value": "192.0.2.1" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dn-mismatch", 
@@ -820,10 +987,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTaOnv7Ne0tF1r5vAd6nGCriCIdAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/mBurd7cZyKD4qsp+xncWP8JJ9O7xu0iiTuBQ\nTH/oIrgSAAziwd0MX6c0tZwXbysCu+4tm8u8i2sUn29vJ2JJo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFbVVace4eGOFegdVCSRhvjkavPcwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgXIU0Fo7CMDIt5xwW\nUewyWqhrVO8cUNaiEeW9FrTqemICIQC86QN7kNPsfvVSlba2/KUq83c6N69ekCxW\njekhCS8DYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUWNJggdNtXRsm4E8raJLk5zdNJZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5CSrm/yWyA+4JiIAqTGhn53AKfIZAMV845zxR\nA55XZ9xX+Q1pi+kSXN5DyQyXrPv5SzPiPBCpvnC5iDOZUZgxo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYoKNRX6aBCTB6Ro3mr+Vj2fVh/owIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgP38jSIibu+4mYZ8n\nuQSKa+xY1mgbn5uubYZuplgtYZ0CIQC3ISYrbZBOxgPuy9Oi0Z7SRmZKMsQvNr/P\nVR0FNA4/4Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUf/WC/4M7/+Z6riBds7caKz0BhcMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEGZu+9mjm8KBPScda6HakbuQg0U2tv/q+7hHJPx3fhrmkyWxx\nARPXHpgQBsSbWmui/ZrSj+LvXH9VS5/NOTslv6OBhjCBgzAdBgNVHQ4EFgQUUVQZ\n08u6tPZlFEXd3LbWCbA1McswHwYDVR0jBBgwFoAUFbVVace4eGOFegdVCSRhvjka\nvPcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIQC9TaNWTvwL\nvdGEfxXjsYiQoMjFaWJJtArKx94zf3bZgAIgT/GvML5rw0+zR8sHJOtEVVmumbon\nBzDxPJYXvvejmFU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUE1sKMfa5651DqDdivFT819ieplgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEjPMeDwpihcKw2aDJnAvsaQaJYWDMrkxbp6sAlJ5JoZzPxx2t\nnjN/kKIqhBlrcxtH4u+END5Yov75Z/hVj7dqV6OBhjCBgzAdBgNVHQ4EFgQUbbEa\n1uHylxN+GDrFOjxdoundFJAwHwYDVR0jBBgwFoAUYoKNRX6aBCTB6Ro3mr+Vj2fV\nh/owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIETZDh/ARBL6\neJaTv/j22i8MoGe0T+2ShhrP8v1BD8S5AiEA8iirCqlninpR5vCnCTX2QvBYhRC2\ncaZNJzWsVZc59tA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -833,7 +1000,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-dn-match", 
@@ -843,10 +1011,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUTRrJBSTGl9vlQeFcMykPZsvSpDYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpS80NgxA2PR9PNXI0P78cwd5fJEnAoB1Hpngo\nSDqg9YhgDu8vkO4VtKv3+8fmkVKGR7SAKVcJ8oIfIX0KhGnPo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb8XKlB5Rjwgzsm2MdD2+AfGqdOEwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgRa5ds0Ce55UkcFq1\nH6D2vu0ZuRjM6vkELljtqRi7Mb4CIQCYlwTQdVS5tP+euBZh3MlKBLlkxK+XdXOU\nBgysxrvAaQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUHiZsdAz/Nz1u4fj0jtLddX+iRmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNENXdG3ygcTLZKq/7Mby73c/lbQ4yrT6XorF6\nb9lDnT9qE9GeIv26VPiiEIezBBwHvo1p5HJa3WRu7cIdq/Tio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6Had7KH0gPacHhnL2s4waHCatUMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAL+DBGt2cC9jRnij\n6/pnlrAcLJfSC/zCrE+9lgx4YI4eAiEA8dDSZYDTpB1SfFXW2qqgV4GVsBbbt/Td\nCunkec5Z4LQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUYCh8YEcBkZZ9Vl7PJwMY8K1GGrowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARFnJV7mIdxllOTJkbNsH9nLL+9iD4yesjmv2Fvqq89FKoFgzqL6cw9\n1SiCsbjBheRl+WaUf8VgzTgQspYcsAYLo4GBMH8wHQYDVR0OBBYEFJVcZvljx0kh\n5+7gWwauovx+UV/rMB8GA1UdIwQYMBaAFG/FypQeUY8IM7JtjHQ9vgHxqnThMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDV8Uqr7sThKV7xSWB+F8zR\nmd7ZQR5xvBwoSAXCtC6QJgIhAJQAs5lMDpCKG4Ht3lT4LMTIOlBVDGrlbPL/3Wf/\nDAX7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUFEVDZmlZzO13Nd/9N4ga5hp0qsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATJVbpHRneoc60p3b8pco9wjrQyf01vMXANlnVhq0Zm8CB+HLa7Z+rq\nTSk7w47Tpfq7Wgez2of/ZJze7fna4M+5o4GBMH8wHQYDVR0OBBYEFN9S/c55PFR/\n999PKyc/RdCUL3gGMB8GA1UdIwQYMBaAFOh2neyh9ID2nB4Zy9rOMGhwmrVDMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCICtYHBAQkA3fe1TeJxk1kVlL\nsdu5f8faOYquOUGNvcUQAiEA35uhF0DR8lXDdxQ55yFj5DxQgeglqZlcg/BQ95BV\nPeM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -856,7 +1024,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dn-match", 
@@ -866,10 +1035,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUOhy8rZQV0KBWXXLwX5fmfiafAYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBQ6DQVwxNrZ1UKLbDKxbtvNrTePFVl2PvmPHf\nivzwXbyjf2V+6JhToc4e7fqQe64fv8zPlekyf42Qz5Y4MopDo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmulxJTQpDWe+EwW0lsIS/QNrKlUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAN1fFPjyDzHtLvlP\nZutkW66zjqC6sIoT0U0omhQ1TSSbAiBlzbedtlebVX9hYHsDIdv3VY762f+4TKgw\nwTUT6gVbjg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUW3ylN+Boqcd9N9FwMbh4pniQyJwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ05PnCe4Po1q8vQ+eM9MXUKH9ug6L/khFFpmfT\nxLlyd39NdaQckcgrqcCCwlG0joa5WaDCeV4FSHqq1weh2zpfo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFI7ASVR5m3MZNbEdAkQo2ZA35SYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgdskaqXOhfvy7zrAT\nTw1HkD5nXhOlR6cyt+orm44WJPUCIQDa0uKz2VdlVS8J1xVObn+k0GxtXfUvotne\n4ca+FQyeiA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUf4UwTlskgDggqfzIQQdobF+hWV8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARmB6uVmZYhiDApALl6tDr7gKiORRSQqo0q7CcEGJsaotgsHuTpuZjx\nfKv+NgXYp0gbRh9UVy6iIgQPGegv60Yao4GBMH8wHQYDVR0OBBYEFBxQUeCOIH+E\nxl38ytLAOpDwDlXNMB8GA1UdIwQYMBaAFJrpcSU0KQ1nvhMFtJbCEv0DaypVMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQC+JoeoOGAeu+BudV/Vebel\nmR6H9SXihvwXGrDyT8ZG/gIhAN8A5tTDx/OYkXufqMJu2u2BPpEPfDHF8i6N8VzG\nfI3k\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUHqVBim02VpLyQTQflgfoY9vqkl4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQlv1qjIl3cTQ3Uyf92YVn7Ny9GaRbr2mU1mZMoCEV0SadSZJ5CmvzG\nCHXMg/dfVnBpLL3ig1pEmRt71lw8FHQqo4GBMH8wHQYDVR0OBBYEFLdNJAt97+YL\n+j3Ss9tf0wuqtg7ZMB8GA1UdIwQYMBaAFBSOwElUeZtzGTWxHQJEKNmQN+UmMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIAV39/SekmI/0vZGSOrn+WHt\npATh8N2tSfrIOzM9RgYLAiBBtz/lRN7kPvRoh7MAnUbuNEim+NHcPBMItE1BrZb7\nVg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -879,7 +1048,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-dn-match-subject-san-mismatch", 
@@ -889,10 +1059,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUThMeO+PpzRHKdjZMCifjATYYK0swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8qDD5eadSqWrI6DVZyJzCwVjHQOWanPM1pmQF\nTHdq6dFJ6E9yDAqVOlmytbJHGex5POTG4yclrX7EUlHQ99ARo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5Oj4rlEv4m1UhbBSpNUCUyNkr18wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALsda1D7/E+qb/ok\nALeKAvy7MoHYg5lmQjUoIDAQN7/BAiAz9tTbBFHSayTkYbV730juVGhJOpaj21Kf\n6/vyK6W1LA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUXsZ/dur6kM1BSxg7g843/9OPQMowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYtdiqtm2dTeaOrxz1i4gxoaJBZk/tvVLi9U+T\nDeep9p3MS7WhW2qHdcRJLayccsUl+KI4k3tiEgtRvk8QPhc2o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyq+cRhMOfaqJjtEcWaTeBc861UwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANaTRgURGbw/rayP\n6uAvrEyvjX0PTkMg/nrwm2mDJpptAiEArzZA4sYScpojyL+eDjFPlKzPpQrlQ///\n57qzHvf0emM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUU94UyyRXhZKX5LWjOstaXCOGoWEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEyfb4S93Ztcxl9AOAswMuY6VE9oc7JZlAozBGlZvtJjPj+aBW\np2nzHFDDAqBNZWFzl3zG+qDApp9O+GCZYX+scKOBgTB/MB0GA1UdDgQWBBQQYNTF\nLuVPW5CeOb3S6OlOoSs7LTAfBgNVHSMEGDAWgBTk6PiuUS/ibVSFsFKk1QJTI2Sv\nXzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEAwt1tQ5wURlWHC3O9\nYjG+CYD5hWvPeh5CBVUsHXuFU6sCIHGrd6C6EvlRMuYIwCiR/jrqh9gSibHqq5Ei\nDkk8xhFN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUQxqI0MP4GGmoU2wXqwrxwg5Rc+AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEcPPx/QSOoy/488X0k70lmpO2hnipip5epsIwQ4+KLJjEwCws\nhXW2wkjUTb15d6MmedkDVYzXxpHxC3vRqRqugqOBgTB/MB0GA1UdDgQWBBSBxpSf\n/WySL4oycduLfCtIk+ZteDAfBgNVHSMEGDAWgBS/Kr5xGEw59qomO0RxZpN4Fzzr\nVTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEAl88HEyAo6jsSZL2J\niYPy5LTH90g7eQQMOs6pqYOwm8MCIQDl5Msvb6JkUHx2UGTvozC8ZC59oHipGnRb\naWxT41sB8Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -902,7 +1072,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-dn-match-sub-mismatch", 
@@ -912,10 +1083,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUDjOsCIlQ7fzrs+RUV5e9k760soAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtlujL8dRJtTLeWNLSUDBGLN+swvLnPnMZKAMX\nheiUBwDEb00yrXgXHeYUxA8dv53WGFkXC7Ux5yKRLWdUeB3Ro3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU145VZoqUwvGKsBX9miyUHWLRkw4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAM4ljLMnMdvqSr+P\nZGf7M1LAdlELJ+E5c5sSzajeMb2kAiAp7IionUGCxpP/92HDAR/iKhU5ywWvMrOt\n9j8ChlMwkA==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNYf6GaZhjwPZYfPH8nq7O94FWTswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKFqO1MyXXi4dNx39lU9MNeiiDmJEZ8cocDtq9\nr0BLZjnHWeOoO4xScaSapmurzJ+O3CU380Com1qyCgQT3yJIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0pJshXEC9CF9S6rR8V7VR3Dn2HAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgTZBBAD4YjBbKmYPZ\nfW5/A0aSpHMvvkpHKlNmHvmFKd4CIQC1VVFlPFYfWJt8UDJY2T2geTTae1o7gnbb\nOe0kWjA2aA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIULoRNgIQCp9WDPXRh25FTyfhM6TkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASvBIsjFpkrCh9uOA2A+WXl287XrULwLwMICeQt9P+TI6jOvWdk8blL\nSjNYl5orGR7pr8GJSN8+6gxxG9+Emfd/o4GGMIGDMB0GA1UdDgQWBBR8jZCHe9fX\nmhc1opdVpdcJBjh2RzAfBgNVHSMEGDAWgBTXjlVmipTC8YqwFf2aLJQdYtGTDjAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDRwAwRAIgeZqu/GvBa0WXJJWj\nvEZurFyr78UKMAzobnyTMrIzLgUCIA8UjT1CUM6Z+FkHUuaZLVrbL7H+Zh2Bx5y8\ndXREY8cK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUdK053QSmGFpgw5aAhqELK+NGS2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQSJD05oU3X/YiwakPNpHLEi8CJEsRyFyxtsfQcL+dOf0oRqYnViV7F\nFkBwbbNZhIYi35IQRODMUR2Kd42UjItno4GGMIGDMB0GA1UdDgQWBBSOHlfqpTwx\nSesa9Tdue78+dQyyTDAfBgNVHSMEGDAWgBTSkmyFcQL0IX1LqtHxXtVHcOfYcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAJqPAUCydLFht2v1\njOh7xeQags+kZNzyJCv0IcfEG0ugAiEAje+bc3qFG38IhRBlbxcpPyMDLkW14V69\ndLxiLuOww7E=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -925,7 +1096,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-self-issued", 
@@ -933,12 +1105,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUZG4Mok+yY5iEU9mt75lhS80TlOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR44DDkuXYWKz08lKrbhJ+N0H1H8zzmcMbynZhM\nZtobXGHF2UwNcQxtscWPx9edbXizckh7jeh1l3TfOTC7DEA7o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFPsocDwHfqpZ/cYhmxik7hZ6px0vMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBnlL1bjxhQt5TgSEy7\n66rW+XShLWu7IGHHeA931iuVeAIgdDDKgNidT5wcmlTukr3NhjHA7j5l49sv79gG\nRRuC3R8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUSJwfxliyPCvWdya2j0fx6LMsSUswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxsJjyAxXgU7Vfw+6WoXUtt0MwSXZLJ+eU1iS2\ndwgEEOedTWy+KRY5jr/iKL7gxRv0q+NDDBy79tfPRrLUc1WMo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHyOKbYC7muvIcwMySIe4Nee/hKRMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjauTX3BeHTO7dB2y\nqIyShK4T79Kb6Ftc8vP8JToZVPsCIFe1//NAUZM4GxrTCUM0ESS9JFlRkCO0iPbu\nKGk2xGkT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUGVZHy7/aDCVZzFJ1089d9RvrWFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCiIcBBjPM/c9BpWQwt+Jq8hOZl7FUMXaUH8aG\nLn8ShQxuPDw3MPp0/bpMppsFo9CiPQmT22WiCBO7KxwSG3cuo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAU+yhwPAd+qln9xiGbGKTuFnqnHS8wHQYDVR0OBBYEFGWe\ngMywBJajrJv6BWqw+4QJ6WmBMAoGCCqGSM49BAMCA0gAMEUCIAnFIDBsrqW/s6jb\nia2wEYhug9J/ldnvj07OpKXv2Wo2AiEAofgVjiInDDUHwzfjjjpqVreBNbYQZnPw\nwYZehiMI5EQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUG/Jq0XiPdwjckFeGQJVdFX7DW1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZqT1tI641XQtqKgVXRnW57gTJnBu6osXBjHMS\nCqimhJkN5cRJMydzFV1m5l6QkRuxcEDjenG/GHcJG0V1h2+vo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUfI4ptgLua68hzAzJIh7g157+EpEwHQYDVR0OBBYEFD1z\nRSnG9G1GDQnJBPFnabQKh278MAoGCCqGSM49BAMCA0cAMEQCIB+PYEay11lGKcMM\nqSmzXmHwvFOMJr19/I48IfmEdZn7AiBrnfUStC0mi9cSlwbe9WQZVzD5dJDGnK/Q\nsNwcuxUijA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOhmU8FMo3d1CeQu8heL3ZeN0LW8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF2paAenc6///4GFBnGaFhvdBhQi6YG4gL63DcNHS+kD\nF0V6EZZ/t6PrKRM64ckkJ1zND0glEQT+eTUGdnOp39SjfDB6MB0GA1UdDgQWBBQA\nMCUpVTqPj4o49So3D5X0pPPQAzAfBgNVHSMEGDAWgBRlnoDMsASWo6yb+gVqsPuE\nCelpgTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcZ2G8PQeb7TeEWWWeRIm\nV5ObnIyPGBMyqoEe1wgjvhACIQDeGZV6edu5ROIdnz7na2zhonb7IoK3k6Xxj5r8\n+J8+sA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUDSAwdOWy+pti2NwXnOsEDsSikrQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOZDOHMAtjGNh/xBdO/cye5MsM3TLWHHaoUAsRV4B/5V\nP5mvsn7Q92HFCMjlwBrBvLIr3OO55H81uFWRUsNvcLWjfDB6MB0GA1UdDgQWBBSr\n1jf2BHBN0e4lMKuvtjb/OzMRXjAfBgNVHSMEGDAWgBQ9c0UpxvRtRg0JyQTxZ2m0\nCodu/DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKnv/QTE2D8EVowgM3WaN\n+GAzgqq36gyAIlz+4U1/Cp4CIC940ccKO5TIv+ba/M7XfLU5nnD1KiPwGgVxE8NM\nqFPY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -948,7 +1120,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-self-issued-leaf", 
@@ -956,12 +1129,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUUSSVmLH7ZFO6vIPVDs+NNTj8ThowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATvgFm2eFb0YWqAmB26xZfSQztq7j7Jud7AMxj3\nuDVfk/zEpmWLxUE3hVN8BZVQe6c46mmyN4UNEBP9pMyGA9iLo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUITZVvUpe2BxFWa7MRGyzjk8bXV4wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIH0KSXUPrcf6DebRLctND9xS\ngDr4k3gnMvyg2ChsQ1bhAiEAh5FqwDA9/O9/KH7d4ZWdmgC/SY0jZeA5KaM+LV4J\n2vc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUbo8WqpsEfe0e9R5JF9BAC15+KeUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxLy/SPsCObUCvN6Blb0XS8Y8E9TLSx3XQ92yY\n+AVfK+6R+cUB6XvAAfdNT7YHZADq2n1hdSoPDKDp76oayCLvo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUd1e7GS7Yn3854KWM93OwclZbqBcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqjAOAchat8Yw1bfgnP3m1\nl+X1Cqq6ld2d5ayOIRE58AIhAI7PEkel1k37UZT9sfOeiFlCPBhTzhrBIobn1KKd\nm9SL\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUT2bEDKiaJO80YqgSPKIqycTDxR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQiuXrRXTONO4sVy8g02HsouvMcNdL80dYttJGK\nUW8caRFp4rgpRWPn/ej087UIqVJNCkefMmfT1UoXBFvEC9X+o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUITZVvUpe2BxFWa7MRGyzjk8bXV4wHQYDVR0OBBYEFMeb\nF7qHt0Rm0+urpOPcUD2HvSX6MAoGCCqGSM49BAMCA0gAMEUCIAaB/fUjl/2S6PSr\nSQR8p6IPyBWDjNXQ42ilCqC8z+bHAiEA3HMvIDjgD2Uy+EakI0YdRsV3U10bacyp\nLk5ebxnymNk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWGDNYFIeudEXoRW0V3OMw5SafqEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaDrTGqhWRZCfYmoBtNXBBZKkrb8U/we9e6HG4\n7Bf7oW2WkWHKiXfM9S4QHje3kGRmDuKsj+kt8mIIHBcWzxSLo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUd1e7GS7Yn3854KWM93OwclZbqBcwHQYDVR0OBBYEFJb9\nME1/hJPyHbroCCP1kUrJHDvsMAoGCCqGSM49BAMCA0gAMEUCIQDbcJsGpqyzn0e+\nqNghIHZ1Ym0WCmYBaCf3nNwyMMbPiwIgGbIbkoInLpIKFpHgivGy7kJX35Ydy4Cz\nRYWNE7UgMTI=\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUdoJaj5moXcdxt9ymD3RoyyVab2QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1/I3lianPM9/ttxipEa+RUVp9yidz0+eoll/F\n0tBLcWgBwIiTVnrqoqBl3brbOFJGb76eh4IHD5bVP0MkbXRfo4GAMH4wHQYDVR0O\nBBYEFNwi6mvdCyVnluptAWQ8HifyF6J1MB8GA1UdIwQYMBaAFMebF7qHt0Rm0+ur\npOPcUD2HvSX6MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgDvGdHhLl\n33ArbdKVKSbfiY4rgMSq/nWU0Bf5X6DT5IYCIQDcEqTfXT80v7F7a5gWieqKWUln\nqSq7+iUdrdiwp6Iaiw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUOxed5KOCrPWN0sUGB8WXv7CdH+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRadjlp6unaYKK7s42oTJHkJsNQSYuZ4hQGf3I\nwcDvV43A1SA0OQHPbXF9ZwCIqGmK/Fuv9OCprNQ3cYd/5v7co4GAMH4wHQYDVR0O\nBBYEFKYuHFiWc9vHKmez1fMcSF7lCt7EMB8GA1UdIwQYMBaAFJb9ME1/hJPyHbro\nCCP1kUrJHDvsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPaOwWqX\nC9H2BItj24S+hZoL2gMrbnehkgi+qxeo6qOWAiAIx4cugUKQs31lNnhuUF7/Z9a+\nSmeETpYo8QunNLZEgg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -971,7 +1144,8 @@ "kind": "DNS", "value": "not-example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-match-permitted-and-excluded", 
@@ -979,10 +1153,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUGMYE5zfLhK7wbOl+pKNRij8DhHUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATsp8OncEjs2zW+MLhBbO45TpTAHvwSZjIL7CAF\nSlpXzvGWwC0HOkTHUEA0Rmv+iahQ/tToh4A7Heen1pXdB+F4o4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQ8v1UOH4fs4uHwRcyWjbycxT0AeTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBQuZgInPSSx8OGdy9Fq4R0NY8OMracGzStlIzqwUmB3AIgI00EOuhHO9eMIta5\nt8BBwHdkjasxEkp+kM2sdjnDEe0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUQgXRHjJPkrCdv/1iHXzVIxK/OhYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3bKppUPbjhMMc9+bsdkMlQX1gJGupDqjlXSEr\nBGifE2O0euCE8TTcdtuQmzv5/nXCbE/x8Oki9rF4euDyQqZSo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTLf6sipAQSaS1v9+HxqvCtf9KfFTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAbSELct1K7oOpKGQ/c+ulczy99yZOs0BdfhSP/T9ainwIgWbCVPwMzqeh2leio\nrdjRTeOGhQMO5LjDMgRIxehUH1I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULu2nm7QSWglNe90jKaaZ9CL/pKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNU5jEn8GjBiMtzFITjxoPnbDZYAXLJe4ZHRcsEAWNth\nyUNyfnsvmgRDGavmCUjyOysRpcTm7QxwuOxNSuTIW8SjfDB6MB0GA1UdDgQWBBQI\n1LFPHX5RogULMGomuqO7CyGHjzAfBgNVHSMEGDAWgBQ8v1UOH4fs4uHwRcyWjbyc\nxT0AeTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgPWhiZRg7rZHmxSXVQ7IL\nlrcreiOfnOsXkvoXTjVUzjYCIQDN7/MzR3onRrGpRH3BgDtoIUNH8GnJ4Bp4Ode6\nAh9bRw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUS6aGKP6jY5eNgfRJNyeOVPxnFTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNt/i+Vmdkbdj/m7TibyTO2PzxYwY1GZv85lqDNFzmll\nLR8AzTNyWopeLddPdI9dmRH/UAMa/CCIIscUHopxObSjfDB6MB0GA1UdDgQWBBQV\nakR9Pccly2IXk3p38kxZrg/mNDAfBgNVHSMEGDAWgBTLf6sipAQSaS1v9+HxqvCt\nf9KfFTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBYN4Uqul1u8vxsUCYch4\nqbxY2LsgchEOwT/Y/4WaItQCIGZYJOBS9dNgFz66ocZy2y5QY+ZKi91YNazsrSCb\na73K\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -992,7 +1166,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-permitted-different-constraint-type", 
@@ -1000,10 +1175,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUWUSMDC8wmXyBT1Z3SUAheESJUgEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCxSCQLaqDCOWPp8sskrF1LunpIjo8X6aUAC74\nn/BM8EFuYfNzAKVx2Tf0708zUADkbcAwnS4A2a9kMBzDj2oCo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGnS/otFbqycRmO6Tpxsn1yMwv40wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD34WNo0H8EuJCIA8K2wZDwRpDv\nmLehMDB75nMp4HCchQIgPECDqLCVyT8UELkvORdW2uSN2kxxBnpp2+q9st9Z2DY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUT+pjOtJQjEts9116oetcv8te2kQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDXT1Xk54WbfTKnvfv41aB9IFllIKIeNBe5lfd\nJvKseFqaemGk+v2ylMKhazICxlHElGaulA+qCaAumll54ggfo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzbJJtmdJbi1OzQ6vDBdqpiYlAhYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBvFBSnN72zhc2sEMtv8AoJgg5SF\nU3sC4pK+1IY9QJw2AiAyp8yxU+i2lGNaJuhTQYzggW2wbkkxzrtE19x/ITaDcA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIULA8dfTDVSc78USI+U/VkObKL6WwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAVg5n+bVyaIfIX2RnHxzHrQs4+0vMlF5Ykq6RLTFOh9\ngDU1hu070fFTbT7sy3e1YyGFTQEUBQ/97ZJLFmfKIDOjfDB6MB0GA1UdDgQWBBT+\nhNcmbIZ0Zfh7K79CzXCiM0KQ5TAfBgNVHSMEGDAWgBQadL+i0VurJxGY7pOnGyfX\nIzC/jTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJO4DhASuUtygOBaMRSv\ncL5oBQrdIedCBF7hhHsmv4NCAiEApXGAy//TPi2AL0QViXTLa4VnG3Oe98/41V/C\n1KKUTJE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWhBEzH/P5RB2Iiy7kNOmrhIywHswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCA9N3bNpcWS4j+A2jdlm2heOJXTTOJbYgu1J9UqdtMG\nqY/OKEY/Fn53P9WNhs1aVj4pc3HgNOdU7eTOEi0MLFKjfDB6MB0GA1UdDgQWBBR3\nMuFojqwn2D+o47AxX95OmSe5ZTAfBgNVHSMEGDAWgBTNskm2Z0luLU7NDq8MF2qm\nJiUCFjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJ8FJPkg6nLf/HMLWiEx\nIbTrIumUAoOGCazEvNiZ1UihAiBd3+FpJAvd40pUaj10/3gBDIKr8Lr1Dg6VmaEY\n29RvFA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1013,7 +1188,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-excluded-different-constraint-type", 
@@ -1021,10 +1197,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUaOK5Lm0lIxeGC8eUXtUvNHsxhRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATGs2bDLf5FGjED8mvgxOWPnJxuhaI1/T01Tmwq\nCR6E/vui2WA0nNQA7JsV7/8cpY1oivhcojoCbpftFj4NN+r8o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYOzbJzLiprT7zxsFJU/gFlfK6RYwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCC+Ve/jYb07DwWCTDns0FiMU4t\nXLcVGuLZSNU/hTCSVAIhAOekpec8iAJIh5JO3aDw2CE9QFuk8D5GJxmutIA+PnGa\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUXMmofk5f2fYH9SuUjBBpAMIPVT4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATi7smVIeuKppJ9UezJWlXWaE443GeWNskzOnTP\nIjZcb58Y9NOje5kTQyENJewV3Rfh44Cr+4KWKdDoM3Uu1faGo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgRW8CIzyhlKkZfMCY40CD2pIr54wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCLGHHaioFYfraWaJHaLB85d1KM\nhtEo7JXWKE1aQvlkkAIgN/pIGLtjSfa24c9uujdvE5bB3UuylybOW9lhdZgfemc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUD8yAO7c5puf8O8pGB6aDHEn81HIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABISBMD3KEYFULMfsHu7BXP0CPyToWcC9cqpBWkBhIViS\nD8W0jomNgRa/d/XxGjcCqIEPingvFKFXSGW/zZKLSS2jfDB6MB0GA1UdDgQWBBTJ\nuQ8w6aQ1TK/PHFvI/nReleOasDAfBgNVHSMEGDAWgBRg7NsnMuKmtPvPGwUlT+AW\nV8rpFjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKhVXEQYOLiMITIZ0n6X\nslij8LmYFI8UvXi1WqjUEht+AiEAolAcKa3cj5JJRy5uU837WUDM0/qw5Ga+x4cj\nVbVzp/c=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUIlKNOZ7SWbrlHZNTUSKsmbapf9AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB4N6muXmIZ84liGb5IeLh+2KFcHJy5bKefjKzml9TIo\nB1PKBuxP8qFfYdC+/txZfoDR11Tq7IZc097LrBOEuD2jfDB6MB0GA1UdDgQWBBR7\nXm0ZPwGOcFOe+l+NPOd/EfeAXjAfBgNVHSMEGDAWgBSBFbwIjPKGUqRl8wJjjQIP\nakivnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJsXbak9DorEIR0QkVxs\nhtLVh8mVKEnmkH8fICeSVZV0AiEAva5Vt2igbKVC1UnmPlTf47m3STHqSWI2A/Hf\ndSz7EFg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1034,7 +1210,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-invalid-dnsname", 
@@ -1042,10 +1219,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUNbU+146+S7zxLU8tHeiiu9HnonkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQmlwLq4LqniEsNaaRsYNNqUbevHNrGH6uzpP0\nbkP5A1HUGQaf24px6Hubi85djAxqSvai77XpkKtT7YBSJBPVo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcCCU0vtB25IJKdY44hNaK3ZJYrAwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgPXfsqFGnCERdSn5SO14m\ngaRSZZKUvslxLTPxQ/RMh4gCICIuDQlVCTSr10k1etzCHCDAyhpK87p+unJ2VjT8\n7ISj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHWJp+yoH9yU7g7byaux44LPwTPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsPcFCevyFkjlRGGq0+bLpfmNIb+t+3lKaf5D6\nL9VsGkN61g9mLu8ro6iRruRAWqqx/XIfV3LjSMbbeDH4VZufo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOjiKyM9pf1yI0Dkyp5vY7YMZfqEwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgL8E8/IwlSQEF85209qeh\nyWKs6tj9NQiBy+HJV+T1rToCIQD8RzLh0NIDzRI4nfBcofLWN4MytrwPXstwy5O8\ncsiVLw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUIO9ralhcIR9qpyBngV8L+H8cLI0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLqccxE/ULFxGFIVTXK4O4HawJR3JOAWPFZ9x82rUi8p\nhvjkwcUxGGBBKB0XX/3m1G7yGrr54v9/vxVzcAIDUIKjgYAwfjAdBgNVHQ4EFgQU\ntxzlS3BmgAGWgziSHw7aDStH2RMwHwYDVR0jBBgwFoAUcCCU0vtB25IJKdY44hNa\nK3ZJYrAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBxCYcfVfC7FDQH\nWJvzKS67wBFkJvDvY3PTfR4frZZisAIgH1/kARuURuB+IAk5dC1cPRSlQ6B94bIE\nNOZyPdbnD6s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUYwthnYzP4eyJVdu9QbgDfqfgP98wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKN0Qg3D14ROVxgZTHKQhufJl3N2KgQWLtAtXzEHzQZM\nncvFYwSpmxM/qdQN28fApTT9MF7S7tgwSutKFWz5S+ijgYAwfjAdBgNVHQ4EFgQU\n+Fm4bEywl3kelgOpFhrwy4Ugz38wHwYDVR0jBBgwFoAUOjiKyM9pf1yI0Dkyp5vY\n7YMZfqEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAlom+FOy9dfll\nBVTHikpE8TVacu7fAvL+NabgLsPrYpgCIQC46WKcSlkzmLh2cVOdub0Gidldq6B9\njpsx4tC0BKGNHw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1055,7 +1232,8 @@ "kind": "DNS", "value": "foo.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ca-nameconstraints-invalid-ipaddress", 
@@ -1063,10 +1241,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUGK434F2lUTrNC7iDfanC5kIq3dQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATUPUnEfYOl9AiCg+jCDmcOCQGeQDAeIlcUg4PF\nCKme7XEkJ/KxSavHdW7ZMgK35cEhv7EZuxTOmfL2cHPLMrVZo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUr+z4W++TP4jjP7eTsQX9Ho8DPUwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgTB6y7dGPVC6/d5pnnEQAVV6keT4GS8wb\n/F/ML2X1Jx8CICcclRXQ2Ze3d6fPjyppVRKmueS0epBpJkzG23dPPv+8\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUNR2fqc9D9fDadQF/2QHzazHDYiQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrf12QU5fBRpZvLd/wLYuxNjj9j+RLlOGmO0Zd\nkpI1WlmmIn3n2uogwsGZ7rdz8LCQQ56S1C9fMjUxwz7aazwwo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjXthZfq3a7N9qzmjo8UHtfEWrK8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgVApXTkRT+eptAsyhJlWdaIn8CzBIUdyo\nWamOEDc8FvUCIQD5pNjkvVDFBSTgO7r5VGy17FsUWLyMmr8QHYal9GgqvA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUdxDotbU0BGwAENKjJXCm+04KkMEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPEG/y22o2c0QU5B9zUrhqPkoTyanTQ4WhNbAZj9YkvB\nUyHSomhdIGX1s9Qtj66dDTa7jtyPuXk8OGJiF8tq376jdTBzMB0GA1UdDgQWBBQi\nGSBCkuL7uEfZK8wmlqgnuNnAvjAfBgNVHSMEGDAWgBRSv7Phb75M/iOM/t5OxBf0\nejwM9TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNHADBEAiBEJ0qLGLcmh6VTqboqLdbTIySLmhr2\niKPqebK6AnasTgIgDlHpV7cTzPO8+KrXQaX5SrSN1MK8Qwqm1kR3J/uuNDk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUUCrZASXP2gUU13Akzqm+S8WC5GMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL6Ue5e3zBcQ9YdQPNCtbyLwp6LbB+nZY1+cmKBcH8XZ\nWrr0abwUPdHHPI4M6Y6n6VPkoEFdR3BvOHrAqRii8kGjdTBzMB0GA1UdDgQWBBQz\nNC2XjWdEYMSpuVAZrGOLib6YnzAfBgNVHSMEGDAWgBSNe2Fl+rdrs32rOaOjxQe1\n8RasrzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAjPz6hncTwS5QXJyWXIZOfxUkXP2S\ntZZ5Ghrv5NLp908CIQDCUuxan5d9Q7m4J3sCpNSAeFAbiUcXjRYq6d+jkyoV2g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1076,7 +1254,8 @@ "kind": "IP", "value": "127.0.0.1" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ee-aia", 
@@ -1084,10 +1263,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKA0Rm1D/nCowhAMp8EhvQVaYQNowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxCh0HTPj2U4+7viBYhKMTTDxaAj61tUfB3RNA\neFJuipEmRe3hjdmexFxNGcMnPTwRNPkGeetO6p2JCV+3eA1no1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5V4tiiNDERL1kH7Jq42wLNqRcqwwCgYIKoZIzj0EAwIDSAAwRQIh\nAJ8BLp/Pmu38uhB1Ri332X/oIZTLt8M9eFanDFAyC1WHAiAiZRkdPbO2KUcIIn3s\nz5cmzbf4fWNREA+0HAACXm/hJg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULPBqG+IoqDoAQV0ZuG3CuOs20DkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQib8uxxbWpVGLBp1Zy9Su/9r8pVMuwFJtz8lng\niRx/7XVDO5Hw8KSJBtDIoouO+UQTUH62it9vEvfFLTUexIbbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Lo9hqUPG4haBT01f3IlxSMlgAcwCgYIKoZIzj0EAwIDSAAwRQIh\nALlPdqS2xEmT6lBC+z95HXzdTdzj4qhNjvlZjIfVLrW6AiAXbmbl5gulBomajpZ2\n6pXiDBOHX1RpThr/L1DPGoLpvA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUOu0n4193giiMRdfU6Ur8kC5tY9kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFPtfs+USzI76G/UjmWILvKK/NJ17Cj/PXBKEIdhRmrF\nJzhAzGFcSj1qsn7bJK+CXR8QBddvdSxEDNWISl2xa6qjgaYwgaMwHQYDVR0OBBYE\nFCHPYZfbQf4Tz6hkQI1t7lphhGYZMB8GA1UdIwQYMBaAFOVeLYojQxES9ZB+yauN\nsCzakXKsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCEiLGSqY1+ZsobWTPHzhW17EZw\nWFdMwbYtzhc7oTu+LAIhAOCKrJ+HDCXeg7kQUkKsOYEz5A01Bsj8W49coio6q6ul\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUDyYPBUJ9tlxifigWqa8JqeWO8uMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn5518MyxLy1sPe5MBK3cJ8yPg9gxWaZN9nmeR/Pr8z\nhORV/TdtUhWBRI+dDG4+poR9KMporvIO106OSgoJWpqjgaYwgaMwHQYDVR0OBBYE\nFBDQ6tSM2EOGjDQt14iT0mN2fnx4MB8GA1UdIwQYMBaAFNS6PYalDxuIWgU9NX9y\nJcUjJYAHMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDwhoFQp4eoatr0E0dR8zLo3LrZ\niQ3WAvAYTsFdnlQdPQIhAOCqkaGWBygx1AaW5tRFcDjbh5M/MhG0kw5IhVUcziRO\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1097,7 +1276,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::ee-critical-aia-invalid", 
@@ -1105,10 +1285,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQvs2zLlcFb78OOMTEJ/dc955JrkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQZqiartbsGei0m60lIb3TJBULzlOwgi9VhJSqO\n6GycZKecMDX5IZupZTSoJbSf58JfBWK5KOrjm657irrkxgVbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURN9L+yQN4sjDXYcXy2vf7s/Xq5UwCgYIKoZIzj0EAwIDSAAwRQIg\nJT0tmInVrTv+6UtpiJyrtTPWzkJ8H+h3YCQvJHJF3xoCIQClWWtqkU/spnaxaf/Y\n09HS2kxnDe9qmBKQGuRWT9goIQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtZVe1pBodKV+QdyOY6/FuGspnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwRZxgwrNsNJRBJepCWDNkxn5vPFZKd/cHNWCz\naHvrdFpLcupfsWkjaJQIzxPtfWJzd9Nx3fNOmSymyzEAmFzFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs8jaANHsLpIBo6ZXUU+T2OgDsbUwCgYIKoZIzj0EAwIDSAAwRQIg\nZC6p6RYhoylhItGQbYggGP1o2MoLDQwMD5MoQDRWrkACIQDitp9ph9V6CNg24qlX\n0hoB60JlBtfVTmccsRjj5Wwo3g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3TCCAYSgAwIBAgIURgaJui/fTZ04/8LbaacgUCQRcqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEzFMtQeUnEj+nMmpcCwi3UuBnd5scWaKmUorMVtURoE\n4yhWazRxlQY6UKxcx2hR6efj92m314K4rGfO6YZsllCjgakwgaYwHQYDVR0OBBYE\nFJ99r68RfnJocCGx0SoXbqg9d0EgMB8GA1UdIwQYMBaAFETfS/skDeLIw12HF8tr\n3+7P16uVMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDlbvQWDAA5dbq/YkgKbhO1U\n07rWrITf1CYS+KaOYrWcAiB6ExNbR+5n8o+tHCBP/IW84dbdkv6h1nZGkxA2ho6C\nPQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUBocERYKz6OsThmahdM0Zml9oHA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJgf59QHcTyWzDk6qx4tnIsw1YRjT/OqnzuLHQlMwYSI\ns6eZU1s4St3MBiPctDrSoJdGJfYki4T+Y+GO6CfV9jSjgakwgaYwHQYDVR0OBBYE\nFFV4oa6Se3tcvvjtoqJ5QhM3ONrqMB8GA1UdIwQYMBaAFLPI2gDR7C6SAaOmV1FP\nk9joA7G1MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLG9e0qSjkXUlcNRumCznb\nEVM9Q6OZSlDbrFyIewY9qAIgZR97KdErHwXYiqqpY/oBYIeOb4a+BcJFp0xuczkk\nhJA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1118,7 +1298,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::san-noncritical-with-empty-subject", 
@@ -1126,10 +1307,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ+Dn2s0j1SuHa+UDRwQ9/M1Z1RswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR48PEIa4xSQVgfDiWn9zMLSsWBDNOHH5Hdqq2t\nBl/84vQZXYbuIaNtHR4OLf8CaRje2Yn4g76xT4RdE6NEJZ2uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSHx3sL2H2zvjPnYSRV4SX2NZAzEwCgYIKoZIzj0EAwIDSAAwRQIh\nANtJfaOJCOnboCzFbedrffD4/c+6PS7N0IOFjbCUT9imAiA47CbcoIXah8yF3Gzr\n1tpg2poJqsvwDidDbdyF1uT0Gw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXiGomwIDWjsDg8M+eQGWVmNd4mAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT95PXkAbmLYVigriyReCO2FnT8ojxQS9BqKvj/\nByIvfjZYLRkGTEddFgKRpjaDohigGWTYxoYnojDcF/QM8dXmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiIZrX3yke+BSO16IdILtV65PnFIwCgYIKoZIzj0EAwIDSAAwRQIh\nAMB9Jm4tLCNJO18weLgIbjqiy+7PRkx+rneGQrxTPEH8AiByX8BSNJI5dTLX/mzV\n5sqLz6iMZP/U8EZGSLSeDssqVA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUIhcEPowP5LErL1poUyN3P3WV9EYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwVxrIJb5\nL/3a+tt8+RZSlik5Fm00hEhEgwmFNqdcpdB0PTYwgY07d0gaffkejw8k8S7eCS3M\n5CslT+MrfBzsX6N8MHowHQYDVR0OBBYEFCEyZK7fzT/UOCMuPjqvvd2cC/QvMB8G\nA1UdIwQYMBaAFEh8d7C9h9s74z52EkVeEl9jWQMxMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBrqwuaW0lXOUVq9qocMZ0YBfpYFx5mb3bQkkiWEQxfOQIhALrL\ne5bw1oPOjANvPtx9C2yYYkrMYuNV9Nul0Jplw/hb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmzCCAUCgAwIBAgIUPvO8qEt1ybtsqh2oRiiToPSwROUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETMFuRJeG\nHdZ5mImrAE0XpiWA23WlyqGusUrhp+aeCBHRD9Ju4SAIsT+ih3hUki3wlR4oG0OV\nABXuigcX36qUMKN8MHowHQYDVR0OBBYEFEXGHfjLKX6x/ZMdLRYWj1GmGH0tMB8G\nA1UdIwQYMBaAFIiGa198pHvgUjteiHSC7VeuT5xSMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEAxd1Kd0mqz5vumNgDoDMKtd2Qm5TYT5KN70nlP60quHICIQCp\n3uITTzEtHvbEz+ube7oP8MgWgBxBLDlsn4g1gQZ+pA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1139,7 +1320,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::serial-number-too-long", 
@@ -1149,10 +1331,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcfF32g2qzMxMBrh39NzuCaUBcH8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGx6CY4nJK/iWF8TXjrYPghxL8wT5cQLHXMIb9\nqUFB/mb8YA4hpfSjAyLc54J7J/J8RMcxFZM6Yz9sRJeExp4Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSsQijbMIBzvyvuCStj1OM/WFNYMwCgYIKoZIzj0EAwIDSAAwRQIh\nAMmpw0GW/6iHKExmXNYx1X4nfPZq+0kcsy9DxKjJSsXCAiBy+u9WSp1BIpVpsMwj\nhghHJmUuAqg2ZElVtxOwJ098GA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbYqsflU7j29n7uQRiLA86M/EakMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0+je6vp1vTi//MoHCVxLlaeoEEiu7RYRUSFj4\nVcpG3fWqL6Jlh8WUU6Xxl31MtmPi2mEtiQfvll4tsPo12HTHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7/0bWIx1IXPz1/3iX7Afd9VaYgYwCgYIKoZIzj0EAwIDSAAwRQIg\nIxVRdwE3gVDbXmuFdmW9iJtGfjuEYW50jQKb92NsD7ACIQDOeIUPIVr5XLgwChz+\npHiOnQgbqZszRRK++fFA5Fu1Cw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIWU5va6iGzkiUfa9aELMxK+0J9mj+LKjAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgP\nMjk2OTA1MDMwMTAwMDBaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEH/itXluM/sSdN0SiKYgsudnT1JYCIiuu8kmKxGGn\noMQ0XYjxUgYW0VJgpBJ0uYjYk1mYoCpIxxdISDP0xcYUbqN8MHowHQYDVR0OBBYE\nFIijWabom8rzs3XhNZIq+n3/SqW9MB8GA1UdIwQYMBaAFErEIo2zCAc78r7gkrY9\nTjP1hTWDMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiA+olHYhIBqstWTi3h5\nZCOlCwOQWTCuV3OtR/LpI29UcAIgdW0n6JtUor7aSygYmt5JFTxo9GeDcb0n6gDW\n7NtPQW4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIXAM8g/LdqrInDZKdIMwZn6gjlcZn2WOUwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoY\nDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEXqr2pdUyH4Xn3QcZ4jVMrs9OVujrZtXuzNI7pC\nYkcRaDtl+Ud2Mf3mxT/DQqfz1O9AwU08sJgVLtP5dtcJqK2jfDB6MB0GA1UdDgQW\nBBQsrAGzhYkcYETnKLgHaljlHV04mTAfBgNVHSMEGDAWgBTv/RtYjHUhc/PX/eJf\nsB931VpiBjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcAdbq8pHL/KJwiGa\nkRBlrmkZyi+1+vg1AAnGl4jYGZwCIQDCOr3UVFCkpvlPXJZfP97arSnWxmbE+fqJ\nq+npCmUkHw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1162,7 +1344,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::serial-number-zero", 
@@ -1172,10 +1355,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHrO77PYZ31Db8JalxEogwB5/NE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3fE5KJw8gKH8Tytm/TBXzei71SGMjEzOeQQEi\nkV3JcHTWa6qOQreIhWRFQkCaudsOvSmQIIoTY2w8dRaM36Kqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpejqfFN7DsX9iiMunZh98fBKcMIwCgYIKoZIzj0EAwIDSQAwRgIh\nAKLAyRm7Pj1AqqDurb+NbCqJmL2oLM9KXrWg28EKDI7eAiEA6uRUSd2Y5rGWvabK\nOJ2LQG00grVkPUfNMIOBFlspaA4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFZAo2oQdLYtjlis8Oty3iIhuBR0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2rk7WMHDKbx0RvOOL70ZohrDjlAbInEh/iWva\nz5hRMBN2JNvSgJCIyVJtrpBusBn+ErBOUm8dmX6Ak+WzHrV+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZQ/fmLmkGm2gku9DbMEuWlkdX6MwCgYIKoZIzj0EAwIDRwAwRAIg\nE0RZmNWgAsOPkQ4gf/cNCzqzEyWl0bO0NRcHclKrN80CIFqFMhSn7DsCxjB69slz\nBhAhXOTXK3L6NuIECvqBzAT8\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDEwMDAwWhgPMjk2OTA1MDMwMTAwMDBaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPD7L\nSTOAqw5dzh7L5kG85ynL6n54G0+hvZdO2AA0avDrkjp3C/sOsvauaWZzJWjqx5J3\nxqMgCaQVxiC2tyGrXKN8MHowHQYDVR0OBBYEFG0HplZk4gyohsZNG8tBhov5NXF9\nMB8GA1UdIwQYMBaAFKXo6nxTew7F/YojLp2YffHwSnDCMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBzKDVk3EkkAHhbOnmo1VlMaTa8noe1B2WcTTCvlU4vXQIh\nAKPGYNH6brCTYWdo0/oey1tK0xdhF8c1Cf+zAaWoBONH\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtXfv\n1oOzLgVN4s84+k/UOqjZbj6593v8Ik6SGtAqgQYlAG5KLxEpnOoSxTMRmbFs4gl3\njznZEl5YO6Ec45ltq6N8MHowHQYDVR0OBBYEFEj0RjlrqrfBqo4sRHfiekQB5eMo\nMB8GA1UdIwQYMBaAFGUP35i5pBptoJLvQ2zBLlpZHV+jMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAwiWp2WlXsJznxkzzhc8bJRYX21L9U5F/dvJwNsnUDKAC\nIBkRiJwrPQdF3+TUPYIhvlXghBhGqeanQqAkD3DlO2rh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1185,7 +1368,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::duplicate-extensions", 
@@ -1193,10 +1377,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKtAQ8nDm7MNmo3mXfQMDkHUYzLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEL0DeHo2OV32E5uGXZ4x0Ou+DQSiKjrhzUgHy\nwGbBLZcD35pIT363/+mWoFs4HwyKNP79wuHNbqOTmyOlqrkSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUD0MM1oqnnexC8NAFBDqxbQYKoQIwCgYIKoZIzj0EAwIDSAAwRQIg\nJrlLjxbkrpaS1pTRppKEnpu8hlfUla2N8smCv36p6YUCIQC01qQ5pm/OkEhqdqzj\neFYhk4g/Qmhc7eK0baKJmzb4DQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfgCHlpB1SmyCXL2S+apYwezfcjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtbOz8JyeEscojJWVAK9B7UwRgeDmQGHq7MGEs\nM6gUlWlrJUbbik7uNQLQWwbjDjUAXGS+8JkJlPjhrVsU1OSOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2GgAnD2/z8pc3BoZ0EVf6+39aIwCgYIKoZIzj0EAwIDSAAwRQIg\nNEyoQ5L3HU2a0ILxUgb91yP67VutyxI4GaNDckGaWvUCIQD949HoAFehs9U0TqhI\nIonvedsIxWd2x8gtO5TfW8nPJg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAXCgAwIBAgIURk5EMM7SgVg3KS2ZuddI9mj4hSswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOeTsJFnKEuwfTdR5vDZo+j+hhIy6Lp9Hi3aB8fobSJL\nFqmzUohKSiAW71kcVU9QvrJQ8usMF6lKCySQ+PBRzqSjgZUwgZIwHQYDVR0OBBYE\nFOF7IJ6HVa40Q7TFtlUeBv0qqsFHMB8GA1UdIwQYMBaAFA9DDNaKp53sQvDQBQQ6\nsW0GCqECMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNHADBEAiAuIJU3CDkmsZVJyKcz4G/R6Sl1PXIKnG9+Upm4NcYjGQIgdB4H\nIqBXEuy4SfqzS6IWw26zNl970WZ2fxeh3jGIpV8=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIUJu/MNKb6noeI/MQidJyscW1HZi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA/bhn2fvUCvyB+IHgwTGnot/HCw3E+anJsZm8iiZaws\nkf10v8K0nnGN1dIqzIpP/nTvJR0YOGBHkApwQN9wrk6jgZUwgZIwHQYDVR0OBBYE\nFNZtcGbq9z9+6iehsEx9cz40ZjBVMB8GA1UdIwQYMBaAFCthoAJw9v8/KXNwaGdB\nFX+vt/WiMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBozcbbFz+X5tvayf/P/jonmZUzA7WxdYHpEkXS8rbN5wIhAICE\nR1KtDQwuSNEvy+StMbuZ4b6xP7lv8hAfR0MKqTdN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1206,7 +1390,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::no-keyusage", 
@@ -1214,10 +1399,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZzqvCusLA6A3lt6eHuUsawLoODQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZBQaMiArAKa/c/ynsJM5O3MQa53ILyElp5yK0\nNocgC/5GKgzVXnqmsrZqgS3e8IMXKy4c0rIYDMrQzbNBcTENo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUL6YTWinDt+pXh0ukXFiJ2nz8534wCgYIKoZIzj0EAwIDSQAwRgIh\nANDx6pjz5RiA7SmZ05zsOUyTc7I42Ikr9+YrZQ3W0PQpAiEA4aory2gTcPIE1Prc\nSzL1DimzLLNeBXQWJao8hBjK0z8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFWUYWY07ZHNh6OOAlb3ytoE9RlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVIloba3aFuHaCH+FMszMMbD82QjGh7tpPLc6e\nYVPWjc7aKEvDLQvhj7RMKKF/urAf0ELezJES2K/HyJGi9Goio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpxqNiBOTU6KlZHV32/VKXDWN+BAwCgYIKoZIzj0EAwIDRwAwRAIg\nA3WaY5OKpDjCUxm39kwsM/yiAILJgX3qPjdmaHHHqUECIEPtUXyMHhvrjn39aOrR\niyZ9z46+7ww9uW8otibE26mR\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUd7Mp+aHlKMcQq9y6LEGEYLT1BJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO4D3p+WNZBcaN86098bE6Y1WPa6fCFdd2/D5bO8uSjH\nIkl2PaJUKKm11vJkJKazq5CUjQM634Cw82iW9F9c+1ijbzBtMB0GA1UdDgQWBBQ2\naRMdzDcgBS5KDftuOMsOrSH7BjAfBgNVHSMEGDAWgBQvphNaKcO36leHS6RcWIna\nfPznfjATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiBsGEnRTe4YTVglzTHY74rB6H1aoIqJKQ8MRJfl\n2cB5PwIhAPPpZGgwBLhWJCp8kbZyppUArLHErjfHno5pQ/iK5ub/\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUUsNoAuNAgroSTDH9bBB03r9dJtUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAoDh5OCdnboJFrX40Yc0voHf7feiXTAo/1FmwlNyGGG\nf5IJQgpUCIXP1fwe9dBfjnn6qxXzotMW5LKCvAHtHLijbzBtMB0GA1UdDgQWBBST\nOaQaA3emji3KKZ/Brnu0uHGoGDAfBgNVHSMEGDAWgBSnGo2IE5NToqVkdXfb9Upc\nNY34EDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAkH3jUdUs2S2wXVTvqS760Dz5WSnAkPBsArp2\nZqqWHgQCIQC1PZrW6w1oQnn194/T3h1fh5/w0APnecGIXxTFyYeALg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1227,7 +1412,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::no-basicconstraints", 
@@ -1235,10 +1421,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDzHT4k7cJsNTKamLd7DZJo3nErMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLa4zpml32BvWouIFjtB3AO/I/X+7CXcv3+GgS\nbrJE4e8aJqpf8lrDoQy9EO2b8gYYG8cVZimn046LIACmYQJVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUR/MmvMkpTh3ZuDQYB5P78Ml5oiUwCgYIKoZIzj0EAwIDSAAwRQIh\nAJn4c7YbX1OK7b3cwrwlMEOfq3sl0CZtE4l8gk7foCpbAiBVWzPtokBxrP/Iit9m\nyBP86VZGB6I1XLxl9nrkYNfm9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH0oIpDKq5Z1n1CcfhCBXYJ52osowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASL+TFCdg9maCASL0OCsbCQsNjP4Y0FUeTX96X6\nUQd34cEJdl7wDl0lCS8vQTEv9Vhwzpi4+YGVKNhsa4O/qhfzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU74AB+gTPsmjuMXOkOUT7vAsKK/0wCgYIKoZIzj0EAwIDSAAwRQIg\nWJj/oEg9F2fYmLngUaufLu9hXP3N+ZKluCjE7jr2o1ICIQDcTCxHTJKATm8dLE1I\noLBtu/b+sosuwD3kJJzqh+SLWg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUJDW4RpXpQn8aXsP8lKjaSA5QIsYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO4j8hjOIM0TmmURxipCO7rSG7XyUGh1hUNrQYVHD2GS\nr4o9QF/wYQfZoYAkkPyUhS3y5wmHVvWVjaYMfwpDSW6jfDB6MB0GA1UdDgQWBBSJ\nrvQnUaBbc7OrrqYyw0fFy1L89zAfBgNVHSMEGDAWgBRH8ya8ySlOHdm4NBgHk/vw\nyXmiJTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgfNfJJ42LBsyVk9cKkn3Y\nIGqYnj1isVGJadTT6qwEoKUCICBlMu2P/TImuOojzKrlNyvRAytnDO2vJOB9Ltdm\nJlxB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUNeOuf9RljrLi0TqOSKNg4nn1sDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDQRBkt1mx1f0/Tj+338yqlurpw8qxOjv7IDkovrtBZU\nDXFSfXS4ynKSCEHShaudWOQuQ7jiW3hTPcmZJwo3yW2jfDB6MB0GA1UdDgQWBBSo\nkHz+EJGRyCwaF1Id7j5LeVrGUTAfBgNVHSMEGDAWgBTvgAH6BM+yaO4xc6Q5RPu8\nCwor/TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAP36ANQIbPLw8ADxiFiz\nuCwOUG8JBu8HizxIv5vogMvyAiEA38YubvJ3TljN7zqHrKYXYEjOkOHXAomcpuqd\n2cDj9GQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1248,7 +1434,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::wrong-eku", 
@@ -1256,10 +1443,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULN8p0/cQ7a03hzMB2QvYe3dLLFYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGk3No9HeR33ywDKEwCM28eowHIrzHloxu1aq5\n90H/kopxa7kv8/qz9jkLGYKEhBjq0v7WUlRTTvz9l0se83Fuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+V9DbSCvo6vwOrZA6TZm6Lcu7Z8wCgYIKoZIzj0EAwIDRwAwRAIg\nCEWff5aj4N2yJCTBBVEyzQO9oVAdRj+D6C6M/k/bqRkCIC/5iWGOijZQI4IPUtHQ\nfxLZLVnV4czGopPozXek/isK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMyw54i46pYmxJOFHWfWRb0hU9lUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjW8JqNGtFCWa53QZf7SEocYbS9EIik+xwdGDS\n4gSV8/fgd4CEmwn4YUy0OfymM0osB9T+Gu+3/rN6D47+Fob5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULdvYOUrQOWl8+594qLu0sMMDohswCgYIKoZIzj0EAwIDSAAwRQIg\nJZdNSksWtScMjQXsHo1HdzqkHcPaprw1a6j1O7ukBswCIQDm5nVNDjFwL7urVUbw\nLHhpzQOCAErYP8868wgQqnt1cg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUMrKJK2uz7W7od5EJbS7tf05yqr8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDw597Mr+1LPGW7i5DSU9HOsBxUWqAjfiZD/SfTC+A5l\nmbwW/AbedqEO+oUDnu2mFACWc1k7DgUrrmma8DegYv+jfDB6MB0GA1UdDgQWBBSo\n2uzNtzrFDsagZhXOxqaEwfCx/DAfBgNVHSMEGDAWgBT5X0NtIK+jq/A6tkDpNmbo\nty7tnzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEywqjC/Gr9t+74Yemmxs\nZtgx7tVnkIc1IGfV8DuoZY0CIQClCyQL8efxmR2c71KfK7/RU1LP3NIkCd6N9dYs\nsaH/sw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUW3uL790JINVwjEZtYw9U+wCxmWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLyBJgMi8LedezPQru0uqYTl87O2B9YR6sFSdE0PIRBR\nnopsOpzVP4swtQTATMhKclMz6zvdApdupaTuSxn5ji2jfDB6MB0GA1UdDgQWBBS3\nGg9cdM1gUeGypl7ORY4LlbJqvDAfBgNVHSMEGDAWgBQt29g5StA5aXz7n3iou7Sw\nwwOiGzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN2r+3bTEQhAhNnVGwKZ\nDBPB0oJoAC4og71TTOMqplNVAiBRrgq7gVPjV9YzjQdUGKVehmpJDjFOprYM6UD3\nYYI0Zw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1271,7 +1458,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::mismatching-signature-algorithm", @@ -1294,7 +1482,8 @@ "kind": "DNS", "value": "cryptography.io" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "rfc5280::malformed-subject-alternative-name", 
@@ -1302,10 +1491,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUWtVOv5XME9+sCf0loCZ/mo8MGxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgKEhrZq/e1yeCKG5t8gg3BuuyyiUqxBzGjq1l\nfi3aFL2bTgWi2qI0Xi/mufiwUwH8sKkBdVMJjYgPiPMIM2exo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVJbvHxvZgKkIbNuuMhnrAja9UYMwCgYIKoZIzj0EAwIDRwAwRAIg\nSJ5wUHf9O8cEoDo/ceK4XZKZNOn7BYjM6ogOcZRo+8wCIERdWggwJO/VeklFb8kR\n387acAwL/qZJ5ClZOuQe7Tng\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY1oIGbL52ZrE8PES5ih3DynVdxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnbSG1sKh6Hv6hHlS0Jgah4lVpofplawwUgFQ7\njdEG23yCdD62L/o3XyiI7cknZRnuEOdUmImoQktKtQGWrEhko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDK1qLyWE2/2H2ccMzNCfpTWPVDQwCgYIKoZIzj0EAwIDSAAwRQIg\nL1c+UTivSK1+m1Ctzri0uRH42xdxuVDI6Xs5V7P0k0kCIQDMUzPcAU7ZDSie5qm7\no1utW65qfdMCWQ5CMv2sMdOg8g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUfHj9j+e4b7ek8oDIgpAWMSHBiEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF75f7djiWNEpC4DRANQX4GxG0GyE53h0S67LbvESRPr\nuFahb7x3rVKR7TLvSyl+EjI3m6T0ilQQkUrVpVfHx6ujeDB2MB0GA1UdDgQWBBQ3\nsfEqwGPVHwR7mNt2swO1xEiKPTAfBgNVHSMEGDAWgBRUlu8fG9mAqQhs264yGesC\nNr1RgzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBswIN2XNgeJ162QFjjSJnF9HSt\n8ANk7cY+CHKVowr9XQIhAIlYO2q7zBnSaEXJ8fWOw61PrpNmVpZCjXyWX2vy5Bk7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUYGC03CbMbGEhATH/cWjuaYMc6fUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE59sFufYw10hoFZltWNfnQQ78xBuqrWFgxxg4eCA/hZ\nzk+bTdWDWacI285tx7lkfmLWoz/mRhCb28zxJU5vTQqjeDB2MB0GA1UdDgQWBBS+\nNw0oYtO6TAXzkByWgLQd2tZo5jAfBgNVHSMEGDAWgBQMrWovJYTb/YfZxwzM0J+l\nNY9UNDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAo+Q6Ev3vRFWKCr3jkPpPlNbk\nWwrNEx8TB6eNHZSIQ8ICIQDBmnGkjseJ1JzJ9VvZyJzEF0eOwvsN1X48ycfR8h+f\nyQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1315,7 +1504,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::cryptographydotio-chain", @@ -1340,7 +1530,8 @@ "kind": "DNS", "value": "cryptography.io" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::cryptographydotio-chain-missing-intermediate", 
@@ -1363,7 +1554,8 @@ "kind": "DNS", "value": "cryptography.io" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::exact-san", 
@@ -1371,10 +1563,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCuqT6EmIliX+N4Vv6LcYofpAW0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATXljNoVo9H9rxWhiiYls9ulKVBk0MLOIGYFW1e\nvBCAuQiLUUZrlPyGd5nLp3q5oOXpkM0gwtmPiPIF5PEe/MJ2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4Ya553IwRiaoaVqJcLPG13vA0w0wCgYIKoZIzj0EAwIDSAAwRQIg\nQ5WTJSAzYvlpZlPF+GbOVjeLDGJ+bJ18Z+c4zd4oK4gCIQC8BpxRdO7oOQUgKzI9\n8lODPS8eIJGjbpKCG5oq+Z9AVA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfFFZpydJyaFlLPVTrHRJJ0pOIcswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/VtwXBCEWuH530RESsCLH7fHu5T7jXucfZzIY\nmvJTNb7RkWc7CbItp0F9IfwbZjNquPDrqG57rdd0Zsczo4CRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV6AVIKSQ7QxzShSPHbUGyn2qkl4wCgYIKoZIzj0EAwIDRwAwRAIg\nKG/iHVQe/E9ecVWd3zpQlN4AWTVG7Pv0/F3WwppZurACIHVHY77fWCprBxueU3Lz\nGLObR5+AHnT6GqnuHqb8EJIf\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUd7sMBjcV1G+gl2Guiv9rWQhvx7owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL+BpnyA2EW1N+1Oc2z94mY17+Ata805X0ndmnIMg9zP\n68aleyWxVnzHlCzM9BVJ/XUeZH1mVYPcpZTdVY3AOSijfDB6MB0GA1UdDgQWBBQj\n5NnGrsnTCNb7I0LgoHxgJgdQADAfBgNVHSMEGDAWgBThhrnncjBGJqhpWolws8bX\ne8DTDTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgLc+5bdFwtt0bGOd7pzLy\na5kjEPrJDe3r8CQLv3qGJp8CIDaWL2w43GVgOco8A6DILwok47FwjxgfVINeFfkq\nhKZ7\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUftyrlRTgolMNZpr55lRRXQ7qcY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO3elq/ToyjLGL8QM+KWFNXwJidT040obdETOGIWmqDu\nourlHUZaTLv+/qXn+txhKC3ktFUC/SCKDUnwtaOQFoyjfDB6MB0GA1UdDgQWBBTV\n7L9e5FdYU3FFPD/x2ynDorgRPzAfBgNVHSMEGDAWgBRXoBUgpJDtDHNKFI8dtQbK\nfaqSXjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoqRp+JiNvYHqBT826y\nFl6VBT8lojrTLOVPAmQRhV/eAiAUJ1FRok9blFJrBoTdhHfSWuv92d7Vz5c2cWtX\nTIYZiA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1384,7 +1576,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::mismatch-domain-san", 
@@ -1392,10 +1585,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUM7MuD8BQtoIhWhpApZ4QfaQ5ss4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrOahOPbCWJQEXS+PY/ib+1TV2W87V5jKT7W5o\niiRjcEuOr6zbnCKXzirPkEvymq6Hx9DVXJg3ArqEkt6WJJVfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSQxYGECBpcIe1HE1kx/NS+vOD9owCgYIKoZIzj0EAwIDRwAwRAIg\nWFI374skcyM/BXLdsvlJJuwwA1mRU6bhAmK4lsaGL9YCICgDJL1XgkNhtv1jgfD0\ni8cTEjOVeVlCSjVDmBR+oVN/\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCGcjQyawyZ41yAxdnhCkmtD5ilYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxlgYH6dDIS2Hik4QubCfkEZ37Ua1biGaveH4Y\ny4g9HuJZGF7eIOAjtj3DNj43UpNuP/BMCJQItMqV8JvYcyS1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4oUAx0mxl3xdZpwpTjua5aI1nU0wCgYIKoZIzj0EAwIDRwAwRAIg\nXnVYHi4Z4SRkR8CJlvbUdS9jT3ggI0nh8qTePrcIrrkCIAgJKg6Kneu8ihZhPr39\ngd/eXruWQZ3mkY6zfI7DMAuz\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUVt02V5yr3Plq0oQzR3KsLHZqoBwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG4EdqZfCsYFqxl2OocLkbBQJ887ybMXB5ojRDbZxlJT\nFDbxpcO+AO9lvgVZJi9Nli5Y7r/bJGzBZTO2nTgMABujfDB6MB0GA1UdDgQWBBSy\nG5+UtDFaNZsmUSErUXYmdf4f1TAfBgNVHSMEGDAWgBRJDFgYQIGlwh7UcTWTH81L\n684P2jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALobmxCMYomQJUKbwYHB\njakAjDcSB/nhFumJv3yFghvlAiEA4XIcFt7Vpa4LGpHzVZIhZePahIXtpR8YkstK\nXaUAcrw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ8kzJM3tYuKTu0+ARfRL/aak5rwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHx88BK9SwOWXIKb+69N0uRjJSqoWo+EDxUIDK3CLXU0\nXneprKw28KJ7a0dScmxtvDQLnh/7le/SshG7YEtwJW+jfDB6MB0GA1UdDgQWBBT0\n7eeWM42ahXeEipp/7Ko3ph2iXDAfBgNVHSMEGDAWgBTihQDHSbGXfF1mnClOO5rl\nojWdTTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgV1LD30OSMSNFrEZoSClF\n54GH3KrJXlC2wnFzBnA+Us4CIDNFARi4oxlLqqVfdvefDi0n7IXC9APVJgwKXoPp\n6yqT\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1405,7 +1598,8 @@ "kind": "DNS", "value": "example2.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::mismatch-subdomain-san", 
@@ -1413,10 +1607,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVIs7PNiaq7eGQjgVBlacJK8D9LEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVlHM7wJnNTKdHXnXL5TwIrkHGJMawTW5jB+9A\nkyZRp4kkLW186eqFgceuNFmuFSYy8f+kbtzoAG57v5WRF7l3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtKae4QmOFFpfEkz2JfFGIAQpc8cwCgYIKoZIzj0EAwIDSAAwRQIg\nLuHf1kSlTMws9CpHMYvrFVCAm4Kjo5JSEEfAmVrw36ACIQCjXHr+DJ/K23Q91SI7\n/BIaaCVu5GQnzm4id7g2OCpfpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAPi5xt2sKl1K9a5QPbgGIv/KLXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1wxwzCX3lcgzYDlalfWzNYm39bcHihfAK/VHH\n5DLOxYgD2varJEIcAzbpqhnqo6poDeB1oAHFKYDg86APGCZKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0QXuCFqDP+2bkSqFAuuCXrWtwwswCgYIKoZIzj0EAwIDRwAwRAIg\nCQzRZAqRxYRSWvK6zEbqAYRI+KwVNzpmq+Z6G4bDh7gCIB46478jWT7pNB7iyBpz\npyMKkphPiHDc8gdXBdJ0XZxE\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUNqAEgaeTXvzUC5LAfNvfFlIXkp8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOb1qxPH1/Z2O2bYuHWKvVHnIPVqcDjtD0hDbUSGBdMO\njY1zHuYvwPHxbRHd2GTS1Nd2Z5NSOoYZqlndceT8o5qjgYAwfjAdBgNVHQ4EFgQU\nRxYlvQ0ExvyyGgRSx7ev/8ZA86UwHwYDVR0jBBgwFoAUtKae4QmOFFpfEkz2JfFG\nIAQpc8cwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhU608YGjK9Lh\n+bVrl5CzNdfWSLuYk1dr2PO+DS370u0CIQCsW4y+oXXpm6R8FZs8ZcR1VtwAMiHx\nfjhKmLdyRTmaEA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUTT4anwP5YPPcOqlB9vbza5nAkAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOdFjwuxihTw21vyaXEX54Rz/hKv5isIcHK2u41UP5PJ\n49UtryzLEWG7WTbF59nT7f73d6tBpbhtrHkwpFierLSjgYAwfjAdBgNVHQ4EFgQU\nr4HY53hHzEwNlnbDQORNHWUalNMwHwYDVR0jBBgwFoAU0QXuCFqDP+2bkSqFAuuC\nXrWtwwswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBlTKdb4M0qyqx/\nREDPeKzHMCivi8j7CHoCNHMkoLbNtgIgbavzzeOyjwaNFNTfkaReQ2+gdYoz3hyf\nYTcDZnn1OTU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1426,7 +1620,8 @@ "kind": "DNS", "value": "def.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::mismatch-subdomain-apex-san", 
@@ -1434,10 +1629,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSJwAsrtxmq3OU7Tc9I+OmgBlV1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJ1CH8xJFkpCpwUp1y75kJrgwvUfv8mRhR7vew\nvOIgAXTTlVCmihJJbc+EnLLoxpfJLr0u7R6SyULL54LSFHiLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDEWbRf70UPWuB48CpCyyGYRcH5EwCgYIKoZIzj0EAwIDSAAwRQIg\ndqiNOp1UYS82OwI+bKd9PeJAHA6leG3gUKACh5jEhGgCIQDbco5z12u5V1X+/6Sb\nmUC7tTGdWrTtd8N6cduYPP9spg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV11q9s6alX0HgqBdD14HuN7i8pgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPyo37vrYTjlam9lHtuDC5+2I7LftmmNXBj71H\nw+KYPYH9N18JvKYj5u1hlvePX61U0lWhF7xVbnqMbiV+tvlQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOB/MbLYSmeZzSPcqC0uu/Ee2L8gwCgYIKoZIzj0EAwIDSAAwRQIg\nC4gJttW8N5XYznv6/JSWGbOOeJMad9NYPam0uah2W2gCIQD/7t5DO2PWpVpj07Gc\n1/UZCyA6d9MmUEPDcjNtt1K3QQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHbmqTfVeuHRfRIJkJCA9/cd55mkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBkNZgX56iXec7rAFkhqL269/ibAY2Ybo3CKVGYh+FDf\n9B5iiQZUSGT+p8gWqs4OyZ8pn1hV1oL2XyCFoHmJO6ujfDB6MB0GA1UdDgQWBBQb\nEF3T9YDH9RyObHKbHEeXtdpm+jAfBgNVHSMEGDAWgBQMRZtF/vRQ9a4HjwKkLLIZ\nhFwfkTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgY63HAiDJGBK6cWP5ULe+\nhanDfyCIhRzp//oBh76MqecCIQCStzbHPYp/0VPKV0ibHAAQ+wmkaoowcvrT6Gz/\nAlExxQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULiEtnVkwusD2PSYIlDSfcYWeViMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIayei1d+MTLSxAAwVD6i73ah1YEbssBLX2k3Pb+09Oi\n/0lDpg8lLpeOR8kTzQaHIGRBn+MvHAOom/herpax2MmjfDB6MB0GA1UdDgQWBBTC\n/SqCgmV5ArDxI6iIdwsPIHxApzAfBgNVHSMEGDAWgBQ4H8xsthKZ5nNI9yoLS678\nR7YvyDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKtjFU+QZGcCjH8Uyt7S\nEI4Hw8ODL6ne2kG081OnB+GzAiBbx0Q2V3RVTKqomHV9WbYCmHQGNoLQxr8YesHR\nY70+fw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1447,7 +1642,8 @@ "kind": "DNS", "value": "abc.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::mismatch-apex-subdomain-san", 
@@ -1455,10 +1651,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBfV9EaV4oZ1QTjZCXjwg6av7lmMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXM/i1U6W05dBFWVtSiTdfS6vTr1WKYYlPexcY\nLlfFG5tn5aptAOEioR0xUW9xrUdAyp8kRkFoQrWwS0dMO1OWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNnG+0zRzTEZaJkBr3tQqFuBPC80wCgYIKoZIzj0EAwIDSAAwRQIh\nAJGis5HecVCQITF9Swr4o7XLWUI6iTWpGF37HuF2HGfrAiBvLbL9xTdKfPHmcWKk\nrPopBMxdyGKMr2ea735JT/yTuw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAoPVj4RFLbozudw+F4Jp0sDRGoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKbXXFb/+5QriZSmJ9S6XZXwKwK3QW2JkN+Mf8\nrJfxP+0gQXEg8gidkorGjXyEdsyeLugcYTnlzZa4ntb5iMpmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAuuDzKLZJ5SiPdKMnojdbZS2isgwCgYIKoZIzj0EAwIDRwAwRAIg\nIxD/RpbmNZ2a8klywMoXl3ppqDHdLGvj4oCiy1dhqU8CIFTTrKEOjSknbiiouhhl\nm8A1RJTKoMEcUhtzwPdTVKlQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUfbehToDTqit9dkGyubqvfUEYSucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKTPMSRCRQMS8Eh33jV5PaXKEbHpWp9YdJ5qL1YiFgzm\nQ25V0os0cU5pcTRUKzqq6pTAy6lAA99ac9JkAdHJKNejgYAwfjAdBgNVHQ4EFgQU\nvV1BaR3BNq9XggR0XI9hQQxLe7MwHwYDVR0jBBgwFoAUNnG+0zRzTEZaJkBr3tQq\nFuBPC80wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA/hIKWwTxF0yy\n29F53+sDbGwSuFcI38p9GQg40EPo+E0CIBcR3RXcdUDx1O7JYR6mcjdD0p46t4vA\nWyd9zcEuYVil\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTgVwszGjPxFrtWjBxeKOrmoNPv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABConaLtOupOfZ+Cy4kGuQd2Y7FVxkgxxklDVS5ktqkFz\ntUCF8t2J//vccalEikbdwpuZBuWuqu+0dzUlncAiPHOjgYAwfjAdBgNVHQ4EFgQU\num8xrN1Lmd4nq0+v22NayZc51VMwHwYDVR0jBBgwFoAUAuuDzKLZJ5SiPdKMnojd\nbZS2isgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAy67gzQzH+LKr\nQJFM+GfnNbtLIoWer+2btiH9yPJmk6kCIHsZ9w6uNSVRQzIsEz4AGL9wpCVcY1fi\n07dDkoO98D9B\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1468,7 +1664,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::public-suffix-wildcard-san", 
@@ -1478,10 +1675,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZj/KzQZLOuMBxvVkfe3Ed6C8bHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST9597/kdw5HTm8F4WujoN2Iuxf7rA02XXSJmY\nB2tYGhsCv0eLXfD6Wkf8ncr9CkAypJ0s85Rnk+veolobdJ3lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqOPKSE0iwmcTDH9I/ZKbpPvwF/swCgYIKoZIzj0EAwIDSQAwRgIh\nAJwU5Ic64wVl5rWJXsQ7PMaSqpy5C5Ke0JdDFN92FWGnAiEA9wfw/BAmzhQ/MIX1\nzSMfy6Jap8Go3rG5GMRcoGFE7Vc=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAL4bNGl4c7u6J9ID150cYJvS4SgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFbD/3KaChl4jxPy+Wkl0XS+wSlgzT4yw7qhLt\nt4kw3JfXpg0iZu7g3t/sO06Qxd5GVF8VZMt8tOtbO+fiR5yNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDmxflVn5gVZeIkppz9xMQbLYzm4wCgYIKoZIzj0EAwIDRwAwRAIg\nYrm339m0u0wbmazS0+e6CpVxSfltAB+2Suq66t9xL+MCIDpm4vZynMAmhkkFgT8Q\nsNV1Mxu+3+kGpOPTddAHCFqY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIULWahzDblDxz7uisMbvGmbWlc9sIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKjZ/RhQFHm9Ix5QYDdDM5OeUv/hnzW0TbxUquzY5IM5\nOlycnhH5ovwZaJzldWKNbzIENxnMsZ9AF8+wmTfs4OWjdjB0MB0GA1UdDgQWBBQT\n2tha5gqeYOlbNMcbvYi1l0MrETAfBgNVHSMEGDAWgBSo48pITSLCZxMMf0j9kpuk\n+/AX+zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANHznbWJRYof9AnjX4jCBo+PpZYL\nUmZa8KgDptHC0ySvAiAA7ebdV5dUByjy0x2sG/mT6NK80tHqgeUowmF6vRU/3g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUCHC9AtNmdt2h46Of8Ajf/9tRUaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDqsX3i7QizdGxKgdr6S5sTmJZsBuQtq1T5cSlE1LbYS\nn8d8oPqtDNJI5ePKqYPJ+X6QAgaQilqnkY412oH3NMyjdjB0MB0GA1UdDgQWBBTX\nRGO/yXdla5Noo6mgzZ3gZtpOnjAfBgNVHSMEGDAWgBQObF+VWfmBVl4iSmnP3ExB\nstjObjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMTy04f+hLJ3FStXGue3k5U0MFN5\nC+iIl9FFx9Wo0h8zAiEAlvdHUK6S24Orc6FNSPUrMCybZpxlsqR8apM4+CMirWY=\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1491,7 +1688,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::leftmost-wildcard-san", 
@@ -1499,10 +1697,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGJ3ayFHEslp1Nu+w4+R5ZVxxoDgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJBA/VKFUEiq4Vtk/rcG5kieoFfBx+nKqHWVZU\ndWoQVvBe2a7SdZym2NOJGCOKG7xNPmL0DYidcEdxheN9gVd5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1m5AByc3fqpndvjGI1zBCt1QKMIwCgYIKoZIzj0EAwIDSAAwRQIh\nALF+9+HV05Zs7YpWHIaq4/bjOFIfOvyBwMoH03BwCsHEAiAbdjXUtmfCHB8IpzqJ\nKwPKcx1hpzhpwOkUl/qT4FmqXw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUE+Bn73yqgUvzp2JMHoV+mU7oKFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWT/lEsokoTLcDt5b1FJV3PRAyVhtKS4UxOiEP\nCOqeVHQNcHd1ZlZznxzvWCoVMhgj0WqWaHUj2d8KdDBQaZW8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDAZbOIDhxjOPgcVan+90vjh7Q+cwCgYIKoZIzj0EAwIDRwAwRAIg\nAl8kkLBQxyGREqXL4h3bZpfFZj+5f0x4b0DRFHgerUoCIFGCQwkhb4ySS/OcLZO4\nI1ce1CTRroiWOfNF7Z/7HJhj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUR2v2plEEQm/jLi0m4LJXAGlZZfUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB5LTXtVg1FrGE6c+DmG1cVMt4xas7aUxPajhYxj184+\nzzzoS8u9yGUIG2+tqGmCopRqzcoYVcBBpnrd7JHSt7OjfjB8MB0GA1UdDgQWBBRk\nEr4Ai209ASfCbXOYSgz4/kGyYzAfBgNVHSMEGDAWgBTWbkAHJzd+qmd2+MYjXMEK\n3VAowjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAp5Tscu4z+mR8b/LU\nb2oAtBZadNCBqiwDSfsa9avjESECIQC8Ie07ZRJIwbs4PkKcee48y80YF/zt7wIz\nWsD/1gPVhg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUYbTPCv+9+OZ9fGpXHSs7e/O+BY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGiMAqgB3HWjfGnVehrFEBwhVgSsqE37NIpfk3idTd/X\nypctijo2BhaPnIlUZMsfLyCZLq6DpJ0FuwT31fWnixyjfjB8MB0GA1UdDgQWBBTo\noPSKMaL3PNPBmVMogzdicejujjAfBgNVHSMEGDAWgBQMBls4gOHGM4+BxVqf73S+\nOHtD5zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiASQUQTIWe4KdXr2gLi\nAT9LSL40y9hp2nXMkyMH79ToewIhAIZdhd4ol0j1G8bLsuwLCC1sKzeyNHwlAjfL\nuf4YCUZS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1512,7 +1710,8 @@ "kind": "DNS", "value": "foo.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::wildcard-embedded-leftmost-san", 
@@ -1520,10 +1719,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAysdfLm2lZ4YILsuz2nOZ6XZpG8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQVTjRKP4kYSBmXoqElo3m4gIMaaVUiusrZCUeY\nRxyiV6JE8/KaEhALXIr3f7fqNI0dLH+76tOQy16BppvItZKKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU50+isgtCVsiQKcM6ugsGqWYYNUMwCgYIKoZIzj0EAwIDSQAwRgIh\nAIR4wlLBskBI3bV1kv34VgMYSh21llPpW0GElV46xXSuAiEAisepwgAKbToFUlFF\nAe4XHRxTMQyF+f3zbpWrcvdOwo4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSudKbFPH296eRvf3+ablzhEQkkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWo5jD0nnrCRbnW/qxri2ngyqpW2EfGcjo9qFi\nX1YLw+qsBlX/6arR+5RyK+nkkfYwcKvzlr2hn8MdiM321UhJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2/5G/8WFXypOY5dBxaPsHa6vLcwCgYIKoZIzj0EAwIDSAAwRQIh\nAMgBLd1mNcL1qrVUsb/2qCi3mzilVSVSBZMb323rCktNAiBD7PGOxs2DJ2g+gRzZ\nkQp6Ky6YTQI7aHCZf+QE9kdSSw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUHXgTV2qJXPGGwkOH75dQccgBOnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKM9Q2hJ3xunmf41W4HFRWy897LSXvSpkFOUSDxVHqua\nq0t0juhSu3vLBGwznoBAaL39JOoLDrRiDJVBlEPU8mSjgYAwfjAdBgNVHQ4EFgQU\nRU0MzBuTL+uxKDAwjDzXdzEHEPAwHwYDVR0jBBgwFoAU50+isgtCVsiQKcM6ugsG\nqWYYNUMwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAKfmmSC4lkIsXV\nonqSD650AvWGSuy5Yqp3RDXXbsjy+wIgOTOwDH19EnXTgONJuiZyeOrInoBtRCkz\n1xbh9qQAQzM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUQMTo3smq//AKtE/jqVHkv2XDf0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVkUO+aGsFhHQhuXSdn6DYw1nsZ9n8lUQiGHF0Iz7ze\nXMJXgz3IVPhLZkAkAJBUbLBWwmYHCpKOEg40Uh4lPPyjgYAwfjAdBgNVHQ4EFgQU\nMGa7kUauilKO7hn+r9E6ZhXx22QwHwYDVR0jBBgwFoAUK2/5G/8WFXypOY5dBxaP\nsHa6vLcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAuv1VEQCo4FYZI\nZfwZpUH/iiX1ctXIoMTF/eRkpAzPHgIgFZW9c4iYyZPB2gOBtN+BXt3jxH5NT/nl\nSJsp1GbhFU4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1533,7 +1732,8 @@ "kind": "DNS", "value": "baz.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::wildcard-not-in-leftmost-san", 
@@ -1541,10 +1741,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUI1oJ9krv/Oxd5Te/3ny1GUNE6u4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQFJvGqVPYyCEjvXK5x0n5m4MNNcg1p0aQ6yPmX\nN6xbSa93oZUnFehh1fU8/JjLrP09jIF9i9CkSntP/IHRm/7To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP4VoRn0vFnyIgo5v/+DdivBBfOwwCgYIKoZIzj0EAwIDSAAwRQIg\nKPKWz36t6wiQti7Idtpr2R76I1Xekmz7s1UvXJA9FSgCIQCwVp0DjM0sQiVsLMBW\n3WgJg4LZhMWhh76QdiW1dYMZtA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPyOnhCK9Z9a85jh6vzU4HpSyiuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfJT+oehbs8YV7opqk6BGhJOrDWwCa9h2fP0Wh\nc/5a5y+/G2OvKj9KWDXJBG3ca8gP2SxdEwOTd7xzEj6v3+sno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3KJYzhZEeDaQ2Gk0jfpArADn6KEwCgYIKoZIzj0EAwIDSAAwRQIh\nAItVz6h7o/oBxUJOl6ZFxphXWOkd5u/5gPpopTYqDN8VAiB+hQ7sQm1cYLrzi1WY\nMYRTTIfbR99zFUKgLC8fcKpJAA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUWIQcohUtDI6w1LCEXNNr7FqCM8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFSEXmA0fzg80QvwtOUhroPjf2fwes99jMfYq2xRR++y\nXtpTnAcwtcrej12r59sspTG5EyEohBhWtuS1vHusDEajgYMwgYAwHQYDVR0OBBYE\nFHjXlnaVfQYYyOOkPj9gOnOi1cwGMB8GA1UdIwQYMBaAFD+FaEZ9LxZ8iIKOb//g\n3YrwQXzsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBKvYMf/DIs\nvQeop+xaQHM08B5sZckrKyUQazIDqiBlKQIhAMyaaZq9f2tgVa6m+yjF4YzGrbEU\nn32leZ+bH8U176BX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUblrbZkxAY3RPJndR51hSNW44jxgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHeGWNa/n4YNraZsYtfQJy0e1okAfb6KhDo19f3xHBxl\nUyfFs798x5oEe1daVZZ3JZUdbtkcMX4O00YIfxhZzbqjgYMwgYAwHQYDVR0OBBYE\nFFz2lLpDyLIehps56tNKGeqxZtpuMB8GA1UdIwQYMBaAFNyiWM4WRHg2kNhpNI36\nQKwA5+ihMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBUkv5Q3a4y\niW+QCmSSHqFQYP6AT0AjTLT/N405drbiCQIgC+pGf0nEmy/0I7y60jFyCspBx0Rc\nnWFjZjastM9Vlkw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1554,7 +1754,8 @@ "kind": "DNS", "value": "foo.bar.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::wildcard-match-across-labels-san", 
@@ -1562,10 +1763,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGLNJAVaKdKqUntYASNOl7wDA9qUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ227O8TT0RdVJ3RYDskggH7JXTZKAM2r5dGJmp\n6OA+G51ziPsYbFD3uXGBnHVxrVpsPtm+kgv6S8NI4tQJuDZWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/FJnEyx4RlLvvo6QWl6F0E88iz8wCgYIKoZIzj0EAwIDSAAwRQIh\nALsdstBjHUc97NHuTDTGBAYKfGNgaEOU9z8K3PGhjlIOAiAwz1ZQCjHPMrqjMtPP\nwT9gaZtq50+u8vfhEgqgrRit4A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdR5z46JjR/52vQaBl+MJtzOIRbMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRjeY9fyQ0LLnZKMe2zNpnF86Oln16hXaBYW4e\nO197EqawOHba/lwGNJ2wzqJ7mpZA53RzkUl1fA12WSDBqU3xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWQUBOBIukaoJRoVZVohXQRynCnowCgYIKoZIzj0EAwIDSAAwRQIh\nAPudjjbIuyjlvDQ8tBqSW4N6ilW9tB3hhP1uPs37BoCiAiBAi53dn0awcDENTPJ7\nANWNEhYgz7sIKLqqGK7A8NwzzQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUQcQQWF2qw160ZvbVcOF9FqfMfqowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO042g0bNKiWfP/qX7sGWnOW2YvC2jfoht1C5ErqdZtt\nlrW47uyahGK/LqoBc8JZSmGi/ooQurZVGWzB2H9qf2qjfjB8MB0GA1UdDgQWBBS3\nBVlIj49IwXKPQi5z2bwIcLn8+TAfBgNVHSMEGDAWgBT8UmcTLHhGUu++jpBaXoXQ\nTzyLPzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA1oYxL9ErA4/nbEHZ\nnh15WMnSVbje9NRER7Vo/D96x44CIQDYloTgDLWRIpD2QtNdyMR1J7mBJmfkr9DB\nGAIqjQ2RjA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUf0x0HSiXYV229AvBoo6DFrwpf2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGKP8RB+/QR6iDQiy5usZ8kKSZ6A96/BpLtPdDimv/pd\nzGSYdLr6FZAz9FEyGNO0q9R8YHdcF8Q0MKfKAD6fObWjfjB8MB0GA1UdDgQWBBTg\n7pLnOov/h7ZO/lYVBph8ptCTtjAfBgNVHSMEGDAWgBRZBQE4Ei6RqglGhVlWiFdB\nHKcKejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiA45O1vvKJ8gIJAKPZz\nDBlNi2aTN9hhgE2nWxfkLIeUpAIhAIgD0Hpjtc2rXkpmZGg8vA3eUumy8ufWQSr3\nh3FOS5uv\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1575,7 +1776,8 @@ "kind": "DNS", "value": "foo.bar.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::wildcard-embedded-ulabel-san", 
@@ -1583,10 +1785,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZKECIX5Rvf2tBLWZp0gLN77okLMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgMtGmgsQ9GCqQLjxQEtS6E6szfnh1Hz4ycWeO\nhEUmft0FPgERqG1JkRHg+mZ9XuMcCznd4o5x2D8gGpJ33aV8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+4icukLpL0oGM2hRDUXwADXaGOcwCgYIKoZIzj0EAwIDSQAwRgIh\nAO/hMU6OqL43JR5HaBH8tjt8gFpqSVmVNdJebu92oYVMAiEAgPMwHGUGBJDUSwye\nIa1JMDBNXEh+hcpla1yHL64lrOc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBTbSLvog6sn+iCes0e7v3SHC3NEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATScoZl4ZRPLIvoSDzfHChfrjNfc5ZM88330WM0\nQFs8AHmezFuTjK66PGt8QP7m0YtTONc1+2MfMYfkua8gmpcto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/M/L1u9yP4mUMQxIMLw9CQ0BSEgwCgYIKoZIzj0EAwIDSAAwRQIg\nHAssXAo73le9UMXVLOaoqbrLFz5Cr8ECWJEEYoNC5b4CIQDXAs6EvLXwbh4IrrNk\nfvGAqOZuU0JnL48wwDEOf1krWA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUXnnOTgmN6Q+t7aL8VlKkSiYP+GUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBY+6sMFjQIoYffK4LnbMJg2aTYH01Xe8g36hJS3zuY4\nYZsOT0huqkLseuuRxT8zqgQGYqE0w8V845HyYhwHnQijgYwwgYkwHQYDVR0OBBYE\nFPoSJ0SSKwDFwu7N6akvLgSGObXSMB8GA1UdIwQYMBaAFPuInLpC6S9KBjNoUQ1F\n8AA12hjnMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAgPQ7TwiLXk1qC+sx4ebDIR2FFf1Dopmy22y03/AYSpcCIF7+DNlBf9CcKtsq\nkZPdjBjaB2buPPpLZ+WhPa2KKKO2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUTSmlezsyOh8cvSrfZ99rDKcAuvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHSCD5JUflfAyxFDUcudKWXnmTQppkV9GcOMKc2AOiNh\n5PpqILXgmP7c4Sjhju2Jnz26tx/+Kt+eWlrw/WEiUwejgYwwgYkwHQYDVR0OBBYE\nFNk4+XoHlKZsKXO59LLFnTzdJ5XeMB8GA1UdIwQYMBaAFPzPy9bvcj+JlDEMSDC8\nPQkNAUhIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAoaJJBqTjwUVBds6Dpra4Pj+dt5HKlcpc4fTfo0KxbqMCIQDpYy8UaGYdRf0d\n1M961k1vTgISG87Tc5sCoe/9JHAMfg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1596,7 +1798,8 @@ "kind": "DNS", "value": "xn--bliss-1b3c148a.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::unicode-emoji-san", 
@@ -1604,10 +1807,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHOQPMPKOA5SHMjVcMCUj2TtWkuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQaBwlt5eDzHsg+CD0P3oQxozTPh3Qy4p+iNV8f\na9DEFZbDqLhgsKBqNRJ+nf1r9/rEmoC2IfGTpqb+Tw7wDhijo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFhJGSkD9XwVPFgKc2XymRXc4/ucwCgYIKoZIzj0EAwIDSQAwRgIh\nAJskGgJL20+e+MBL+neAo33F2NCx0UFEobDEOFArY1qgAiEAl/fT8CIz/XYeA6pd\nb1JwaYQHkxv6JDThfjfccArMYSQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEhNspzJ2R5X/T2YZzmD65JsZJiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS65oxM+UIyDvYz2NPDR21I2rdJKYy0sBlmcHQz\nb/spV7qzo98TWp7EFo4k/5q47xqttHATgYHLlheFYE7oRfsio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVZv0wgZJRy7PhkyDScDDQoc28WUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJLuDlGXnrMwZj0RwPCGhTpydRmuZ/I3cN9Z2ecnwWI2AiEAhuEuZo+PyKC6Vc2y\nWIPGIYIQDUqmG6MgBHBddMezKPU=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUc5YYmBxRhUTZr41Lh4eLTCUfrGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ7od0rOSpH6cahgBuh3dyrLvd9YPdCLSn6mhG/jX9nm\n+JVC1tyrqQTLUCZrUglTVKQEIxS6DZZCKcF1uy/bSKOjgYEwfzAdBgNVHQ4EFgQU\nJGlzfxjCLxbkdmPjZusnmaag/fswHwYDVR0jBBgwFoAUFhJGSkD9XwVPFgKc2Xym\nRXc4/ucwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOsQ/RDHKar7\nw3avXEBaRO1kgLx2iV7JMXasyCCFxWf3AiA7XnYRjkFGjrJzHeT4+VUSl1moVpx4\naCkxOXG9BIDmkw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIURQTbvuHgyOFqsU9aneCxth2+ClMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhNMOdD6ioGMBLiORKf5idjgrFVg/0d9EaGkBhWX9j0\nEP+kKqJzuNIZDrTcucNlkQYP6s1NITfvInZwmOFi2GSjgYEwfzAdBgNVHQ4EFgQU\n4KqbLjAT1Jhir0iYQXgIE5PHp+EwHwYDVR0jBBgwFoAUVZv0wgZJRy7PhkyDScDD\nQoc28WUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJ3VUy7xdBGw\n+v0ERQSY2vXAcXVcXS/TPFCCY2O42tdkAiAfpK7+WX1BMWfKtzWH9hQ4qZx9YDjq\npgcgK6h2pRLX3Q==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1617,7 +1820,8 @@ "kind": "DNS", "value": "xn--628h.example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::malformed-aia", 
@@ -1625,10 +1829,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJu5XHGVvGsGQaM+34NVcNyH9+0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARkkm0cPBAQKzMw+JVQ7+jCZkX5FOfPZcvBP3oY\nuXJmBWkgHN6wCBp7/KOfu/p8RPHEH2Cw8VsrfNrio1WHYQuro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXhqNU2MH9Clc60SkJ+0dZbG8I8owCgYIKoZIzj0EAwIDRwAwRAIg\ne9dULhmDP5PzHVLu/YXrNJCY3BXp85eNxccnhDcj/icCICguIYB4HiFz/OGjkNLJ\n3riRKE2PhITVZzw9S1V2mLlB\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIw8vS6kHVU/b9yh5YztrGfiveaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvP3YstRqcnE1X+m8RHDPI2ry6Ajs+8qu3Jiuk\n0puaxjyNun8QcBqaOFII7hUpRZnPORbqvwf7FytFc4ZsihMLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU338Wz+0+EqEOGC2eGADXEuIhfKMwCgYIKoZIzj0EAwIDSAAwRQIh\nAIpP+HAuGIWS8yCignohdAfk9Zurhllg8M//CExN1Jd7AiAysRUYb/VaspQZYC4W\n2AWbeewxn5kV3+p+OYZufmtuSQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUK9WpJtDEae18WD3HcvSn4swZ9VIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE1jIGFBVBNJJ9NfinzH/3RO1opbwwpC9ties/1QzqgO\nnk4UDcW0aPbf353wDLRVwxyiUax/6LsiDPen5m4VEFSjgZQwgZEwHQYDVR0OBBYE\nFDGlNHfKXjP7aYZxgl9Gg/BVrFhUMB8GA1UdIwQYMBaAFF4ajVNjB/QpXOtEpCft\nHWWxvCPKMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIFu6j07ShsXMHODs5BVZlsRLeeDBpT3BReLwj0ArE22uAiEAkYIK\nJY3iCP0hoAab6jXjGNCcMdOURYNZ1uPq9WNcqYE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUFPw7waahVU7a1QgyjeDdZWMqRXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRtooqgIkJOHK+A0VEFZwmlKwD3wezgnAAP07zbsVOg\nTntFlgwb9AJP0h/wgkoMKlM1UL+yb6g4xi0dpLdv7CSjgZQwgZEwHQYDVR0OBBYE\nFIcX38+X0jGAi4FhnPJw4F9tfifIMB8GA1UdIwQYMBaAFN9/Fs/tPhKhDhgtnhgA\n1xLiIXyjMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIEoiM5pm0S8NdLw9Sn0feoEJOxp2E/K1aS1itghFMJMDAiEA23+b\nd7vHCmRq05EF+/Rt/EJxMRvdRkr44ixcPGjbbEA=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1638,7 +1842,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::root-with-extkeyusage", 
@@ -1648,10 +1853,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUIBvNtpfAhn98/ejymBqzytznJq4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARq4z+YtLDnyfmIov52h4scchV9Dn7ZUX6a8DWP\nejnghT1cEv2lWXA9u6MsoCvgiYB8sBFN1vhDcSSvlXHvROU4o2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFrfJv+SnRazZap9pjTpS5SJvpG8wEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAKWLk+SMrccI8FVcT0rM4gYZFdCYyBqIqMYu\nGz9Gv4wkAiEAunHhj57D9b/aHjPMmAaihyhJYYaa96s9qkVB52yXFO0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUWSkwNJaZ3YnDcbi6PgCl3p+YRxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRUKBMKCzuMAODnd5lWQsbFWDM4j86414kWITc\nNpaDg2zuuehktWh/D4R4w9Xl91pxOMvj97sIS8MkGm0vikclo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrwYhZH4enArCxM06QatOrox2/1owEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAPqoqsiikHjmFChCxZMpgtbadh/N5mFy0pti\nZ/jyOVrWAiEAhQtuuolf1hT075BPlm/GjfJNb7QqKh11NXFk99uWSt4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUN77z8FtF0Sc7BNXIHRtf+gtrkFQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL0hzbPhcMDIvDJhQ4jWFp9U11UN37KdkYmd/M6pacdG\ngPK+1mgx0shdlDKIxGpi6MS27iiaZtRkzSftA5E2co+jfDB6MB0GA1UdDgQWBBRP\nlCrI/tm3FToga0/jlK+FGXoY+jAfBgNVHSMEGDAWgBQWt8m/5KdFrNlqn2mNOlLl\nIm+kbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANmpXf3UgoZ2xSeJ+7Rx\n9tgzUB+D5jAga88l4en/4Tt9AiEAxU5gwttZrXPPGwsXzQ49r9343QxpgGhktKSX\nhBtxF6A=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ+ct020x7R2s7tS1RVbsHWMR8EAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMypJP4KU3vbpVo1Rv/5pEvt+i4ukFxOo/7w8l87qemy\n28aS7bUDVuRvBDv1d0jmZxQSOAnb2VPV+F2w0s/TSY6jfDB6MB0GA1UdDgQWBBQT\nMdoakY36suzvgXB5+zhSZXdqbjAfBgNVHSMEGDAWgBSvBiFkfh6cCsLEzTpBq06u\njHb/WjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgZh9FuzcWvpFNUwlt4KJV\nCYFLdGaIq1rQqS+NRObX5KICIGIp5SDt1tPwfFbqPLU53nTrzRcGO5+0Ke1wORlB\nB2ia\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1663,7 +1868,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::root-with-aki-authoritycertissuer", 
@@ -1671,10 +1877,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUG7zuQOyfxDVZKDIp38HQASS54/4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASx6Svg+mULnBQTqneakkUwPXzNIUmyEEXHrdU6\nn7mg9Rojx0HZOKhrOoBIZjE4+PbTq7lwJFsM6y6ycJjudy//o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFHv9xjmdnog9NvngRmJxCN5OWJu4oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBR7/cY5nZ6IPTb54EZicQjeTlibuDAKBggqhkjOPQQD\nAgNIADBFAiEAmIj5MRHvY/ZJDXi9MhtgqbsXmnL2ipKwYfrw0lwBo3ICIA/Ro7Fh\nTZEMzb1OXgTiLFjFmm35x69rdGQ7XGUW6Bnn\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUcxHgn+rge+p1+hSw/0TEP3YEAqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+AOEsteIVx84TkIIxSWqsfoIj47Fqe9GhOTpe\ny6HeerX1YUx0IFxos1bB3RPrqaDAqR1bodIfurS0aKyooo3bo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFPfEwNlkBr37eb7HSZ5Di20GjRzNoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBT3xMDZZAa9+3m+x0meQ4ttBo0czTAKBggqhkjOPQQD\nAgNIADBFAiAqXclmOKwC+2Fpeywj93DUMVbTDz9TYWrGNaeETWiUCwIhAM5bDgko\nB2JeqNZKOkmiIeJcz3lyETnkMeuqq2/RPrXT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUIYnsLeroGl/kCSL2D8nvi4ab8TswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJDgdEyn6s9j6S9u+8/E9WJS1dp9+WPbxuEaA6iMJ1+0\n8lJSXhgRKpybUjvYBR9Ck/5o1XO83eXsOgaq38Npc92jfDB6MB0GA1UdDgQWBBT1\nlScY0mm1uqZpAA5NC/yS40KBxzAfBgNVHSMEGDAWgBR7/cY5nZ6IPTb54EZicQje\nTlibuDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANoQJxMnuwU4jP3QJJy0\nRib8HiwKZYb0UfUubmfcjUq+AiEAn3jbPluXLRioHfChgEBvkdX8wbs64EAjOkIm\nG3zAru0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWjWxXM+Y/ArrRzskV9bcr2Iej6AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCxN1wviINGGiCwfFbDNqMas7GKUu0sHaU1eQE5PdpZc\nHV4iU3Pwa4B5hgoaweVfDq9gWEj1EtdAD06aoI+lWQajfDB6MB0GA1UdDgQWBBQ5\naYKwsCCkJ1zHfZ8776bqcWnr0zAfBgNVHSMEGDAWgBT3xMDZZAa9+3m+x0meQ4tt\nBo0czTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXX2D36rwZlbLNbHtZBaF\nfUMwYnupNzD9UzSIascSCs4CIQDI21dD6COEIA0r3UOYUW2VRj0CzsJ4OUaI8jj+\nrIb0VQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1684,7 +1890,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::root-with-aki-authoritycertserialnumber", 
@@ -1692,10 +1899,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQ7h1Sg69l7TyzfOfBe3yoDoSJyAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6W9gQ6mMjdKWoNl5KqydZknlTJEiIJOZfLXgN\nKYvqKLM+dCUkqXdnQaxxSHnBqijgXefFNGIZJiSpTNnJyHuTo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBRzA3MDRhBiYKUTINxRcH4e22yrv4ICBNIwHQYDVR0OBBYEFHMD\ncwNGEGJgpRMg3FFwfh7bbKu/MAoGCCqGSM49BAMCA0gAMEUCIEJGvGDDWjfHW6wp\naxxIKJh3vFzh0YlW3RYMzvFxLz6nAiEA+l0vhPQ5qKK9qmrRYaXHwz/2GUClOqh9\nAqo5eNGnYlk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUbqrBhZxfKvNrW0O22bX8FMKqxjAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQDpOsEJEDNQoTCMr+ZD3DcGJ1wh7wN+Etq4Ii\nvVnaTjthfRUpCDmXRw/b0S2QalGV4inWAjvOCq5WXTuVkyyHo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSbWYjkCoqiSE8tMr5RJ55aP1hee4ICBNIwHQYDVR0OBBYEFJtZ\niOQKiqJITy0yvlEnnlo/WF57MAoGCCqGSM49BAMCA0gAMEUCIQCPiSCSX+Gg/c8c\nd+vV1VDxo5Jx2UTUTlvITSpwq8fSUQIgOHCuL4AzxaggR8tsO06OET5b/6PctSmt\nwD0JGEA4//A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUceXr3zJEp6KD8jDi9hCy2tcLmcUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOyjMluE5zMuTCvyxX90U6vhzflGibXaNYfTTLX9AC/S\nRVg4IrLYuUktE69f9oN2T2TVm0K1URDoY2bVFz0/nIGjfDB6MB0GA1UdDgQWBBRE\nWflBqq4bzHNEEwyHszJJlICH5jAfBgNVHSMEGDAWgBRzA3MDRhBiYKUTINxRcH4e\n22yrvzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAO13TZTLqG/m19XHzwq4\nb0vkiJHi3ZApwOMBjF8olVmOAiA+X6HyIO+MEiWH9VeetOCGda7yHBj77zXjXjVS\n94SeuQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUTNEtu72ar9oz3sT3F2dsYiM3fbYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB9LyLjW6sQUxpt7TZMO7/8mCPWu0VECVSz0160c1q5t\ne/PfU9Y1yHalUSRGbj25Uvcw9eRRxNNZtfkVlOiDyg+jfDB6MB0GA1UdDgQWBBRk\nsNvh0kFFf38POj9yedfeD8LBFjAfBgNVHSMEGDAWgBSbWYjkCoqiSE8tMr5RJ55a\nP1heezALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgZcleBRGYetR5JwIcSJEL\nLnghO+GMaCI83TJ21d81vsECIQDgxc8ot9WuAGPcLlWtn7Hkt7EZ79Lh9JhmYJdX\nI2u++g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1705,7 +1912,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::root-with-aki-all-fields", 
@@ -1713,10 +1921,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUJw7ZARUtn8eOUx7JwsuaxAFyFuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhI6LS93wKBmp5hbwOVe0HUboX2eBdmb3hu9uF\n+9jFdEoiXmughn9YKRc7H5nJGh+bGw0W8+m5+p5DC+Ig/nQ8o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFPDo9TcRu8ybmZLzy8qizBIlmPL3oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU8Oj1NxG7zJuZkvPLyqLMEiWY8vcwCgYIKoZI\nzj0EAwIDRwAwRAIgK4m4UxK7QXrmjON984lxORLtwg2dMkbA0Mfo19ly7f8CIHsX\ngyFFMv06uuB37yYtghcFjmFqbcDRc97DNOkDvfSh\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUXJIr53QTZKVtNL/C1GdHJVHMa1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpDkPKc54Rg7nNk2VG7c9M/SzZ0YNdhGbipAq9\nmEhF0yphGwK7sKUs5JQeNgiKKimbi2VELUI1KdksbxnH6mj+o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFIwFjbNcu2UKPk85VnOuVeIDyWEKoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUjAWNs1y7ZQo+TzlWc65V4gPJYQowCgYIKoZI\nzj0EAwIDSAAwRQIhAPOHgmuulrO3o5xT21LtEu5D1BDU2c63C06AQOMurTOWAiAE\nIYrTyIadyOIkO8HJ4oYB4Wk9JGP00PVXmwvQ1Gy8EQ==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUdcl6QjeVdDg7iX9cnMdR+xdv3lYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLGgzyZgfJwGxrEltc4iCFqDEQPn5vlY2GVu9WYXE3WO\n1MegEYFFRd+seibyMEPMUdrzOIlFZQ95R2Txv8qvsVajfDB6MB0GA1UdDgQWBBSZ\n24oEMJo7ZCqj0ldxFxz1wiL8GjAfBgNVHSMEGDAWgBTw6PU3EbvMm5mS88vKoswS\nJZjy9zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPbZZvEwso6/4WmiHUMe\nZCDRqiSZGpU0ijgmjPgPNbJgAiEA2NMWUxPnM4KmaurydrOazg+sMa9hBjSqBm+m\n3sOWMiQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUV316QEmB1jGiVHrjHOSuzvReFMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsOUAdSH45Wv2HEdH7N3AFY5WFcZtBqsL3QwO0rQsg7\n+eJv4B1oBDDsEmWFfqwMS8F8i998xz1FaWtPmDVSaZKjfDB6MB0GA1UdDgQWBBTy\nWTqHNY45ljz6n7VR60CRRAV3GDAfBgNVHSMEGDAWgBSMBY2zXLtlCj5POVZzrlXi\nA8lhCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcX9V2Clpun4c7tuHCJM6\n5rmyidYR0jmr0yZqXjZ6KUgCID5mFedWFKV1L3/R+0MfqJb6xcz+FzZyEPAyrd6M\nVuhG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1726,7 +1934,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::san-critical-with-nonempty-subject", 
@@ -1734,10 +1943,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOHIfKIqmzd9ZmAJgCBLII4FFx+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ58IWTHT2bNbVbmzDJNGJkzRcqgLnI+CSiGPBU\n4B7uvGER8xj4ioQeIhpwQWos1R/6XsTswh+oF0RcALb1/rMVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1brD1ypGaFTQVhFaVYG28/9yyqYwCgYIKoZIzj0EAwIDSQAwRgIh\nANR1i6ItL7zuGZqBc/Sfz2HIqQ3eYziBeNQC1YcRSOz/AiEA/r95OtgeadTNXdDQ\n8b87pKw4seIz1o1xBW3ohD5yBog=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURRNlaq3ihL4N6doo0qSM+Jdu8yswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxofQJdPcAwKc+3Ep7HvexMzNYsBZOsr0pMnpX\nXoGXebajI8CaCXp5vTr7UqfC0LHPTEjnyot0RsZ6xhekTHB/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZtbhz5qTT0OGgFGkyvpsKaOY9jYwCgYIKoZIzj0EAwIDSQAwRgIh\nANosRMhDmYY7M6cSqmmfBFehiiJGiaOXR9wIISMh5OokAiEAlPEo/OYExQIXYchu\nj+SbLnZeyOFkBkKWeYYi8MFkiUM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUVyhlr+DnEb+VQ0Oh/rwirj+4CZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABClCAeULjI+sZk2P4gcfeb2dIjT98eev6OoYLnOr\nOFlaQp/jLsaLk/Fdvz33cqwbEj0zPfmjoGDOjTCEFCIQfw2jfzB9MB0GA1UdDgQW\nBBQBFXuU5/+ErXiFIO6gEfLErIooQjAfBgNVHSMEGDAWgBTVusPXKkZoVNBWEVpV\ngbbz/3LKpjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaU8i/Bb0qmvw\nkKL2NA8hfRfhuJ+Ff9NkbyMBeVdhXaMCIQCxTKKq5Dn9IUDuX0yRUPa3fWliBgHO\nf6wBlCQzsas7eg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUL6qNPSxsfeHn04G7zLOuAx4NpsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEPmhIa5rAWJ465N7YgCYfWILxI6D1FnImMLURy3\nNQE8HlyL0e7You6T+U112katHtpdLMJXMUoymqhee+AUvBejfzB9MB0GA1UdDgQW\nBBQwkXQ+kIeh35eQm6X65xMNf1xx8zAfBgNVHSMEGDAWgBRm1uHPmpNPQ4aAUaTK\n+mwpo5j2NjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaGYGglOPVM+8\n5RpQROkS81/p2okDOZqpRmlVcZXHVZoCIBM0mLcLqIDeNTurFtRgU7rTPYkXaNNZ\nzmi3wytrqPf+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1747,7 +1956,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::forbidden-p192-spki-leaf", 
@@ -1755,10 +1965,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNqQKnpCNPwu5qQZJmpJuaESHjK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATt07DR50pKgDWVOLatM5pIwWU68S8aHZIpUYKN\nvuczY/F65XBUw4kxJycvqR/wTY22J6c+JPWvV02QGvkMbLjvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI0Iw+m5ssNF7BZ29DbDk15d3TmUwCgYIKoZIzj0EAwIDSAAwRQIg\nHUba9XfkNBMdg6Y9Zg2BN0Pc6vLvKW8BnJFFOPKfa0UCIQDhN7t+XPzbWcIHowpT\ntnnssyEDg4mZ31hiQ4Wdjdlxow==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUci7yu9sbjTvD6bpJ4kmpqnr5EnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9/HMUKHU5mxElxb2hJqHiW1tAxBMznlCn9/JD\nhJdSg2El4sGIU6QnQlkRX5uB47TjLWfkrgngCIFMhF7UXvCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXjdJYTrVpiv4xZsIoVmBCSs0szAwCgYIKoZIzj0EAwIDRwAwRAIg\na4g7Ktgm6fwS9V9DHCc21omMcIEhZUzFs4m05z9pNdkCIDFOaHhY8vZmaaDHOdgB\nsAIigU85tI/PA6PFIphVz3Vc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUcoC77B0wfTmDTzVm2HNILAno6UEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABG1BvHMoHx5tuqoxKog2icUalllfseSESK3wxsTQDH8N\n/sllUAZtC73BF5vnWyef9KN8MHowHQYDVR0OBBYEFDPGNuNeyd2Q3o0BzVkHP/gL\nV8GiMB8GA1UdIwQYMBaAFCNCMPpubLDRewWdvQ2w5NeXd05lMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBH+78sgqUvv0J5g/zpT10IRVEDPdG62XCp/n70dXYs\nCwIgIeW08+crdXwYruoYtdxYaGXy63vbD9Z6Ie1zYCEjAYU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUb2xuGMaFNq7sfgICxM4bGZVbp44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABDEsb4FAtGJvtqnERLgzQOoVWv6ZXbd113wdn3KaHFSP\n5sRJxBHLRZsslEcCWpNIn6N8MHowHQYDVR0OBBYEFPpRYJMkbZy2SCp2vwCxR3tI\nA8GOMB8GA1UdIwQYMBaAFF43SWE61aYr+MWbCKFZgQkrNLMwMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAptQyID8IxqU+brTaqKF1tKGAa3OzhtldyM0F3sAE\nEvECIQDm136ku44hojL0HXKYrcIcUvDg8HqlGtX+kK0dvYc04w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1768,7 +1978,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::forbidden-dsa-spki-leaf", 
@@ -1776,10 +1987,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEKJV5uwMAPmBe5/kJNukrZxHpmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjzdaEMVPPFFv/GGTveA/Fe8QdXvcuYFfsRj2g\nFdcgVdBelAjLlYOIHcXpaEdtu/m7j7uYPnn0frOWM7dNeyUCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiyweND5NNxIM9qu06irt1Pv/5xcwCgYIKoZIzj0EAwIDSAAwRQIg\nbhBwZALu/gMUWDphh+ftVdtSSJyx6tcQZUtIEJMBuZsCIQD9/UBegDQnnOrshzlj\n5GpIV0ttahyUCB2/Xr28m3HlGg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcBTwnYZ8cteTgN+5wg1p49q4hBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6oXVf7cfOZ8KamgpIUkFuBpphbidubpH3cZAM\nv8F3zorsRmEA1ay8sT0oQfe1mnW7bUyaznx7e5dcQ5Pos8ZPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeR9x9GOFd4vB1OStvXjHAZlyOeswCgYIKoZIzj0EAwIDSAAwRQIh\nAIIbAMpG71EVJ8mTtx/KeJ6iJBJn7oQK8nn43rXpavuvAiBnMYcvnXmUH59fu5FQ\nPS2f3zClmRc2DpTZXb7lE+GvOQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGITCCBcegAwIBAgIUSGAAJaewFzVsCRR3rpFTU0irjoYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA2oNUDTuR4KPe4QHhES0LRUImSpjR5I21f+rPGb+czhqo\nBdsq0wodrlcp8eNG9sUodEpReGUGuamkmtOLY3A57dY08xn8rHWWF50vSjeN+TcR\nC1p/IZVrsoaNTYe6bo4CIgHLSwjvl+Yfn3WW3TwUErHyYp2UT2Ldb8KMmClw+d2k\n1yBSfofbVVRHaNoNwEOHE8QtolmLC7vDXxfi7u8MUF6UPOB7Aq00IIjmNIuGJlSg\nmJKjVJMCGiO1bdObYyYg1MHoIlL5rEM3MxKTWT2ETcFEewIeAgYySfXpoXH9JLhL\nJZriDlUnP/Vx4BOVOwtqwNX2WT9xFhJKRQIuX++9n/EaL2YDFAhher8Nqcocjna8\nNiffceEIZ/SgYbYfl9rBT9GFTn9EYweTTqRdrUsOKNwEUDwaf5u9hvs+2EX9J3ij\nhn45y9u6p2e2TzFKEXkOvDDtpup2tZlN6iiDkIe2FJvxlGtLVLLpoTc+gzMkC9Bw\nzFe56qjrBO7LKwNl3RfxAiEAvY+fXVkR0lMlF1Gv6xG1QibIClwbhEatXuUwwAI0\n4Y0CggGBAMNYkQAvESlsgGcmqBgAr1625TZqdBwnnS0DKGz3uUWro/PgH4DO4JEX\n/qknkdBZNc2fFmlUeEQH4PkSuHFndR2u1lSNLKrcYt9gfME28bsXR6iDGNHLtd4Q\nwjLR0O6vmNjBeCpnWu19bJbgnRvOhdPHV6vdFAWAZVTjDTyqkF2dhRr4zBIJpf82\nX0OnBOOtlSqPPLuPwXNmqWHlg1Jk7zOST+fgyIsDQm6KOexkwsITIpvki3Su9SbV\nbXgCayZ3lvFc4TybUlGMHOeQvoq2JtPw9nmtG9gF7DAlb8wTTKc19VaWs+NcvzDw\nHaLE8Y//zTEG1mhDxHMmDvLaLlN96IIG6EnBbIiwvXwzgnNncQWcmZeQ60JAQhg7\n/v7mtf0/eyQ4a5FIXEoRW0VhRrQnUzvUAOF7m4MUnJXdDbTU0noLSUVGJrL6BKib\njx4wEva5ccIcFSQLLbwTgX8PpLsJ6pHcg4Whw+rhbvTM5s1LXLNie21ds6u++FHu\nBrI6VrxJUQOCAYYAAoIBgQCcMf5e4g0Hc1SUXsus8NNRPr8aXbvEGXIkkBaMy5mF\nA6mKPzLV6dkKRfrmygxg1qdIVCZJYoQYUtZ8sf50v/Sk4XTQ0+++YxUSOCjsj08L\nuarcYg5OZp3VLpt3adNnjcthJtl3AEzNQEoqLEvh+AtjhgdlDoEINNAjysID3kF8\nk4nXiPXTIJzQFcdwqGeI2XtdeN+TC4Lk1ItPph5AaxUhmmLIm6SXLmf9VWLG8TGq\nSokjwtSS5icCSXbtk2dnDiIGEWwYa7voca0Dw52FR6jt8wh44b6ETL4a37EWzH/5\nCp71kJjNrwVwvDFGQX+NgwgM5hIGdhHtd3SEjJgmNEL5DH7hHUAcW1vYdUmb3ZcV\n9qZxTcrAL8mi1k8HD+wW6Ulkpj8O5Chki/VTxEeF5TAX4Xdvq2g7fN2M96U5RIvq\nbPdNCH2rk6PiraT+8J9iDdMgqrmeDnxF3xpaoOYlzBJq0Xq0xuLEov/oauCUoBMS\nO5iQinejOAvT+tHynectYHmjfDB6MB0GA1UdDgQWBBTjstCLa0BTxC9BKaY4ko7y\nisQJwDAfBgNVHSMEGDAWgBSLLB40Pk03Egz2q7TqKu3U+//nFzALBgNVHQ8EBAMC\nB4
AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDSAAwRQIgPaRJxZdS5lm40mOU/UG5Vh0APNWtgNWOh+vLRRCp\npe0CIQDWqsJ0LUxQOBLzFRAD5BmYd/YxVWaKiY/YwMya/PaR7g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUeiluFmZtVBzA5p/W/N9aot5bCUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA4r50hQfMruJGG9eQcxsLao9oLmG1zynYrB1CPlunzDqv\nEiuYpnhU5VD2Cv57bQT11a4Q03dlXh2FLcsZd8ACqRmwk1IFwlXRy1NcJ60ghL6e\nrItImBj8t7dAEV6NWHXkNI7Sv6uK+wtvuTPxCRPN4Txv7igRBn+3C+ZdUXFQoqKl\nNPsNfGAyqfsfPutP4FMGtm5vidrkZzLYBvwiv7W53vgGc0xqj3ANNlKawxuaYcX6\n2E6yyYVt5vfHehrOI5Vhhs8OgSKjAfwxeggIfHvr38LLIQcjJmstanPARNImUgfa\nOVz0l01lZ4KP4famLk8EgbwFMRcWWhVE+4pq0WKjQMg6V0lK31uyg3PAfnSt6Nx7\nCuUTDgAi8dPnWK+HicYf6ykveW9N5jg/lA+C8bTAqA2sFmcf3mKezFX+29GOGJcw\nwnaNDqrnNA1CiLMfjyKvX8ZsNuB88Z5M+WlIPSvRGe61m5rTY8PavicuMWW9e7x7\nVnTC295Wq0eeBTnYuhqXAiEAveUQztthbAR8gTOFETynBTi6TVrn3wNf29mNeNLN\nlkECggGAfgABkSedPeGPmApwVeaA8bnJdISX5WmwUKm/KF4qHokiIgcRWcmORGX1\nR08ILgQU6TRl0S6lkLG0sQKmjaj51HMVX2AJfC0ncsxvQ39oy6bx1rxE9YArBfRS\n7D5CQ0P/X/BjlVkeLn4Y3RjG+zjpdmwsa3ruzS0JWfp9aUqz2u+4zfr3hUlmqoD0\nOiiYtH2qL/5r4ZIgcO2yhq86C03xN765RaHtn3rm8q41cjLi1/thIkpd6yVUjbIn\nwE5GemzNJ8I9Zgco0sJdBKm5uDqr23+okvuJ9yVbhxXvpA26+VjMbiBJIxhGgLDc\ndVSNTOBYZ+c1D65Gsgs03GjZdb5AAhp/CVw1zQ5n7dYzHcimN4AgIXAoVtZtBq9D\nJLKtgGJYEt56gV7UBMD+TnTV+a8TYrCGoHvEjzqWScrsm/b9xDxPBEVLjLHxJtCO\njtErS2Hh3YQegUMD7EsG24qLFpVr4iBvRXnavZTbjyzTIKSx87BQluR6tw/+Kuxy\nBn0bjWH7A4IBhgACggGBAKnbCkqYPZOGT/ZATc819m/dUk8hdroZ7hBfmJndNwCT\nmxCAdjLklBQsV3J0/RsCf9aNtf8+ZiplWBn/AqZHHWEWelRLrqL8kHZnet5e4P3l\nAZYHPCak8Ec4G9cCHW7xM4ZxMO7O72ZbJGGpyJlX7Hbo8+xPU3uTVKjNb89Ne12K\ngF/Rr2348M5P95/wgQdRe9ZEi4NbsBhrzD3FFq2GK1SWl5jBXinmQ0T4dlDIcMdX\nRKRuEDgyckTujdzCZD1dfrWpmDByv1/PuloYIprVSe/FJmIFPgzZPp+imDag9Bfe\nZHzXyAH4826zgs7fb7CtqQlOVC6SDJ0LHJgBhU6/VhAgZ0CUvQZMGzoDzIhPurxq\nDtKLNhdDPKzl3kj0Pj
9i5F3CoZ1pdGX58OBKkOQAH3hAxaPIMMJ0N0B4D1D3XOaP\n6RxPBTkpXQTxm4Wjw+qiTj6NQ9nkxOHN2XKf/yNsrOI8UxUkEZaouGS0DF+NEF5F\nmGhKwylp0Hm7o6ziNz2KvaN8MHowHQYDVR0OBBYEFH5QatZhwvr8tEDSPGkpciPv\nRWGmMB8GA1UdIwQYMBaAFHkfcfRjhXeLwdTkrb14xwGZcjnrMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA5Izp/FcwhPPFS/89BgHPs57jovx/LCkVFvjrOOdl\nEIwCIHnR2S13ekDSmlNRQr25q8HRCPz2VokJNSlw7ogAr6gj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1789,7 +2000,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::forbidden-signature-algorithm-in-root", 
@@ -1797,10 +2009,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIULrU0tWymPMXKOZKOGKDonm+r8TUwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDBGWtPmnio98FrFYNrstnclYlXzks6Tqh2xoNe\npnPVZ+2TD3/x3CK/kRHtQdljGvGqccJByZtEY/DwbGgbnKGG1WUdJwLisLZmAZ3Q\n03ByQLID0f/DTZet9MB9f2n32mzs2FTgSHfgKYDcztYPteMsZv8iufxou5HEqggF\n9mEE7v75+hfurk2hcr4832lMA9/7GUuYtL3rZ2+CufgJTHnYdtaUgQfqnkUsRGpu\n10ZoVxP+XiZ1AWY3ECevHYlb2L1mYo64R/cibLWAmmO3mGvQXc4lsFA9kqIZKl+v\nfnconjn8LqHgwnSdpI5vFlGw1eSSyKfSJl+57BpEhYjJcqXhW62KslJJI3LmTTrb\nEgtIacq90HW/eO+UlCQqdKkzDM8uWX0gwfUjr+kyhBml5uK5/99kg9xrpRsbFh9s\nIV0H275+lnQcF521ZiZ9LwEjVG0OJnJoOeQfDykmGIA4MbvrX4Pd6XoVlegu626W\n5cYlmaupA7anhbQdlf+MhPmeLMMCIQDUJ3XW58h9f+frQUTW+pfo+E0zNhDCEbyn\nZunhfwCA2wKCAYAj494zc/6BoT+KdYYPBNCTFCISl8IHWz7fsE2EckeAq+arOFRM\n1oWCnBlKbRu3HqtDEjDSeMqBPvGhudOggYQzHtb8n6FpS5hGATIbkeND62V4YjnU\nwWNjMvYHZQlRZA0XbsvDD7UZslLPMiNuLH5RoF7oDco/5iXO6s3dPP5ul3aRvWsp\nlgQRzQZEcGIQlNn2bxBXsl8XKeYipgWBHGZkSLyIEYHEiLASCl+6eSp7sg7Jgc6o\n8IyLa/w1xSZRFSENBvkALNE1lmbPqwBS+/RHvqaiVdFzWhW9lCJx7x0xR4XJozef\nBkcH1Vjp8g+83xrgDfF1tV/9jovkGWmu+OhCf9EO4rivvr7xp8hAPuNrHBetmgYk\n782Wx/ZL6qTDJ2KfEenxyvJjV8fW77JKPa5yfZI+vyxVg95oZl2GKqHFKDnh4YGD\nVbCXgJmkAbLlnn+pDjHq3u8gbj6ikz+xfO4mcMngFF/i53112kBc6Djm/qwCvKBQ\ndsIJ+gmL14UuiWsDggGFAAKCAYAOBSlT1+FpoA3xl8kA2o0E5Gake555p9mjNpAT\n5hsWzisbNu8nmaY07ys+H8qtQHjjXz7KGWm/+0Ph8V8Z5P8FFvEVHfAZpo1TAj9V\nXOTqXksKmB6aR9jf+qO3o3300z98tv5WjwkUFGjBmoEtLR707caaawybDQVc2O0k\nx3yP21kKPJObA0TRrsJXjaqUG5z2p5pYdsDib0N3IIktD80r5gIYJuzQQUiKRwUg\n8oDvJeluOb9+sPp/17HXQLpOUNHbtPFqCpK+T7aks+qgvI27r3mwCOFZ3SaMKCCt\n6Va7gtJAIlrFpFFxtCtp7eCVTUt1csB
fAbTdZAGh5uy+0oqp7r35gQTs/moEkWjF\n8pUXpFDiNAqjd9rFfBsa2zLCHL3jozxS+k/HTyxubIr9b7SJIklx/mZr1EFa6EYL\nQ/35yG2c395YFpSe1BeGYqYW69lZ2c0NptZ6PlqczXhrM26o4Q/6Y1bxY5Ov5Hv+\nRVpaSeXACFxjdWKX2miXstcF832jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTYX4mFZRM1\nUOunckZBF0pSCaqAIDALBglghkgBZQMEAwIDSAAwRQIgdCRHvpgal2zQcNF9dC+h\nmkwctdkgCF/Z7D4jcWAmbOsCIQCj3DNkD1BQ16HDs0Z2LejV0D1nHkRmYa6s50Dy\nNAw3Ew==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUXYcWXWmV3CbYS+yTZ5GP9wYJdyIwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDsooIi7G4Eh8ZWqR/IHYu1sFtCyuaOLDrHYjgS\nNMwojF7VzRALBnznXTb9pFsk7hpnyOZ8BEwonec2YYcJYiCQAR0YHsPLXTpwcVUO\nPmHYt8+/+YZKBXKc0oeIkJHFXEQT+8KgH0Yo5GkZQJYlF46X/RM7eafS3U7gD681\nAhuSllaxWrBBa6VaYS++vF+xzJY1zKxlsksE1dGBQf9qd+UrtYzc5QEXBkq+wVW2\n2k27bk8HSFVfow1RMW5Nny/ty/OEHP38AM1URWc9wz7lHkE0LBk5eEQ0DfrspPJM\nQKWFZ5WdX7vkyBAs8PoP2LOMRg/p39JExdiHe3mQkTDEY+DShXG4kgfY+DvBERaf\nKEuW7ELz28GnLYGP+lscXV9sXYj/vctyQp/TjVFg0lRH/5dPVxcuvBsi9aRG48L6\n2dameyFIzxPLEZyhkeJvsK3OeKLqpW88ePkNA58Xd/7CvyBziqA5anQmlUo3muSQ\nXPb/Cqk0JUc2l+UGJxaRS98M22kCIQCncEheJfP59kG76sxB4a6V87AzCYWWMbUG\nI8cXPDC6nQKCAYEA6y/YZ1L7cpJa2rvVYLDUfQF6OK/DT7M/tRziRpUHbarEarV2\nRKoxvqkhRntt0TWWtxl7xB0wDaMc9sIKoAXYgV4Ab/p7mKTf9cZHh9xvVXR9DurE\nrm/lhVOkkMFR/mfVfiCLD0W721Q7vskoDc+ncriA3KXIeLJfZdZyWM89D7nXW8Wa\ntBcBMjJuTh+kO2xz/LmY44WoG5k1JnEtn2oX5FMAVuT8j9WrrVUCflHYSLcn7+Nj\nqNU3MA6lXSsGtOkHRoSjjxecqRSgZ5aIyH40GDtBnkmYz6HsAkQkS1msAOdJVaX2\nLnx4H8frUoKf6icotDDRWIrqqxX0NSokNsID/ajea2fzSzfkGd7IVpxIGv1z6/sM\nMHRZ1Ip9GVwXoI6ERPkPzyVR/GHX/Gd/WgLcM1U/OGkvyX7ZDEtLyuq1upPe0a+I\nW+OhJ4pnMHbWHJSrVojF2Dse9SeB1eOk5o8ow3eMrGxFwuDE8TUDkV1pk1cjfN2P\nphg9u73oxRsfdqByA4IBhgACggGBAL8xtX4gJ7IEXbw8uZ0SIhjPJRHFIHW0QXrw\nGfp7MszvCpKFOVizuS6BCnwnkAiU6F8IEUahRs3JUwdo851l9sH9dm9FHdY+TIkm\n/mDSuvshk1gaRYsxwxZ6+c7J/HFpnvbU3X3r8MURrPZSnq
tawW0xogO7ASLXIn/b\nXBnIM6qIVlVJz1iJ1h09wQxrc4z5vIMXhOgPvM3GQko8VIYj9h9GKr8nlXZiIYam\nk0WKKujA3JTfqNSG+MFldGL+SZnh0zaFpEO0V5zyGNdp1z7oqQFUCE0njIVR9Xl2\nSmKnTS+JvF8BVbwJXkYYFBLU0hN2PdSrFC9YJSig027rSwuTz9X0jA9Bu8pht4Ko\n03xj52HHjgY8PYQyTMIeem6XSSBEauo6d77CK84fRevRZK+DVryCKvIn5xTYcyoE\nQEnvf2NKZJF7+GHjN3nlDxymKwrXMb5Dt9RfdGHpU3Q0PLsKRKOk2/mXLAa5Z8cK\nQ3KCIuJ7iFBRC6yfjhrptUm7OXKCzKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFE0pWtdo\nLMXSaEm/Gauivd9Z583JMAsGCWCGSAFlAwQDAgNIADBFAiAhCsNko2mvcHkCoJdt\nM46ovrLrUrKHI/GLxxT9nJ+myAIhAI2RQ3WZ0IPPxl41ytBzaSx/Q2GUKRhjlBhV\n34cQIjQF\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVegAwIBAgIUOxBsODCwZeWMj3/n1SWDS0IqiHswCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMTAwMDBaGA8y\nOTY5MDUwMzAxMDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATIYowuHBW3zSdVHFI3OaGMZmWLYBtdKmX5sIGq4SQ9\nVc0w4dq/EsvTk3Nn60S54hxHzoomNKlw/Q9+L1ONLzplo3wwejAdBgNVHQ4EFgQU\nDatEF9ryk24p4hatdAfII/5hqpcwHwYDVR0jBBgwFoAU2F+JhWUTNVDrp3JGQRdK\nUgmqgCAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNIADBFAiAKTYJ+GocrUwTozNP7\n6d4Gq63oECAbRBLXP6aTkVyGNgIhALSTNZS13SnXbwWCv9wz5qqJduRBkQyCyYHe\n/IAEYFhJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVegAwIBAgIUKeGEo2IZX3Lfygoy2UFf9xTJ8vQwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAASX2+p0tprsGNiu85wfuUvGovG14u+CWx+EjFmuMjCy\n66zJxsO6aCEZwbjRY1VuEP0TFXlmClUBjA3KjHWX6BhTo3wwejAdBgNVHQ4EFgQU\nbILOKRpAS79m5gT6D5Uy02v0xmowHwYDVR0jBBgwFoAUTSla12gsxdJoSb8Zq6K9\n31nnzckwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNJADBGAiEAgwEipHY3xHfA7LXl\nDgoyf1/kFM6Oyp8ip+z6EsfST50CIQCOKjVbjyKMLAjKSioHAf8oS0zSQRZvR+AG\nBloaEpUujA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1810,7 +2022,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::forbidden-signature-algorithm-in-leaf", 
@@ -1820,10 +2033,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTKwjb6KjWbb/pxPAiqbe+sYjPxcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBOJLn7OjpZ6sMp+pRDEUR9CSVLKF8Z/qHidC8\nA5yB5rLNDwNEQ/Qfjc+0bOkXxc5jBDECfVNV5Uu5WaeB6PAYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfHdGr7tHb7Vmq+J21HLzNir+CUkwCgYIKoZIzj0EAwIDRwAwRAIg\nbeS07L1LHIykm1+Ex6vGjCP9U0qgiwFwCbX3o/K+uVwCIAr3+hhbIp8LfritcWo8\n+WMPo8tw5OfouGyvtJaLvuOq\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUS4JKFcFLK2VKfvWVOhCOkXJmfmAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKBoRPcLNuNr2hj9nm2Z+v5wfW0vOZefwQFPoY\nr/CdAlVpLJQWrPO7D1NATcVcS4FFZPhoKqFYaAGwJafEUneVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUldclMAn4LSD7WmsmFIhi4g/7olcwCgYIKoZIzj0EAwIDRwAwRAIg\nQ0UUFzP2mue6jXXSZfsvexcX/Chlqg5IuysccmXderYCIFgN6o+qPjsBvWCdF9zg\nYlF9vwOv7u1FSNYkKxRZr5ac\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcegAwIBAgIUU3nPBZvgwmT6nbIyWvCWxAxhusEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA9Fq6P0oSAnw7tK7ukYUs1cLmhWj5Hj52B4WhdVEGBnXN\nXsWRJoYrqTlzGJdwT0qa+rlNocfVQdCnDbWFS9wKPX/Bo4W9LxKywG8Oz2ACKpg4\nd50+9liPOpfQPbr499GZbrKN3BRptVczi9/vjyKdp5ndiL88wbvc59V66ZLNnscY\nRKREKkmyCSezne8mTxC61YIT4PZhntuvok7IV1VioCKF9769nwd719o5enia76aU\nngbL3XUIPjVLhH1eekjybiodh5IBGb9N8ji8iHlPD+RZifLsxGtxVgFzrKNNDgBI\nY+G+fHJedYHJJL8YhB8n4pvLikGV6469JIq05cFBzbECq1LcFJegC4COiBDFqGUj\n0DX+6a+Utp9+S3ZGdXr5jWoZXM0WO+/nKURrXThtgtdxUgJ/SFc5peKd6CuKwBAj\ncqvYgnSgzvXNZdo9PIRhkR+T4/viObJOQMQbef3WJKtsmuhzCW2WnuLeVuN+7KvA\nJXY0W7xjwVcm8zibTg0zAiEAv5GT3G1IG54/EcIap1JIk+5T4bHYbtehugWyqrQ7\nybcCggGBAMq3ckZpYTO6ULrgfpJyGO70ajSDf/OVQymkiHeHARVdt1HXN3qe9hO/\n7EmO3SHBly91IIpXw96n9cidpWeL4ATI6o6KKutgabEBLUnk47VheifmihLdYCy+\n+feDRzdIoLCHCyxhJfUDvkyhx837zioP1wgX/q32dSUSPj6A3RLX8s/l2IwVMlwt\ngLXLvdQHMra/1BTsmn8w8c4imbMkxzBxDwgt375WBApdS3c2DOj6RLFobYxdDHrO\nMFkhTWUSwzJhqNZnq8l7x2s4zcdbtU3ENYbFiV4lRe0Yv8BPFWc9WekRev4PDDvX\nr3bBg7GI5vkWJ45aUngg8Ny7QR33fBOmO/A/wyMIpMvaPjmnnNlzoXksCyDwzYhN\ntDO1zPCB1lStYqGhpBAvyPUJP3J2exJeZSNs7P5/LjpeAkjawYzX9B8j1mQgJsnG\nw1c7MqZOKt6t6LRR49llKCbnmzDXDNKXwhsIa6S99epPdH62iDRJi1TKnT+1iVcD\nhijBm0Ho+gOCAYYAAoIBgQDeFgtnv7VFDWfJFsg7CdCauEMPY87DW9QFn8RKA4U5\nZg3FuaGx2HUnG1on7mzY6p8o7ulVGlDFxuT1Y6Y5ZsbUzvbR33jkfQKe+pk8jZ+/\nmUG0WyA0mCyRzT0ETT13XyPsQ6z6fcZHEiW+YsRQk0Hpc9v+6LwL1zK64PQ3KqYw\nDxI2d1LWkbhyLvTn4ddFnS+SpiW9HG4Ep90MifW3xZHYnsiDClxDu+kyBeNzjBem\n5s9x/lRiUFDdwUm1ryqtObV3lVFdJ4942rpCD0pc0rSSLdiLnRnq+JNAim8OhL22\nul4vvRJKFWTIVJasq30CymO795AMpqpl9hEck1F4DBKclDCLiPxlDbNno8xDjf6H\ntWPbAaF8ULI5feiA2lWsV3UGMWSYk402UOCOparAwpsl3/FP7XKN+l1t5PA4DPC4\nwmUFwI3uj6ZBPdjx3ecSMacyWHN0uietEFIL/i+htPYoWhADyWDtQKYaFs+qeros\n4by5NXLfdTkId+8vKY7oNtKjfDB6MB0GA1UdDgQWBBQrMGS+pdh8doeakkGhYAXs\nXKbxrDAfBgNVHSMEGDAWgBR8d0avu0dvtWar4nbUcvM2Kv4JSTALBgNVHQ8EBAMC\nB4
AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgIT0aRlhIt25k9fcocFuAO3X6HEU6FRzC3+Dc8Ws0\nUIsCIBJzkckFWkP1kT9xmQPuD4pEFpBwsmnPMFEDFm1HqUdN\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGIDCCBcegAwIBAgIUFSHled3PqfOGnLK7lqBIdnrnnfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEAyM2vEtbxswAyb9RkZf1e5Rl0TTxLutPEoQU1Lb+UBBGJ\nmvs/yyjLbgXBLaafBhrmcSW+174LwMfmEQoA3HhO0SKiyPune17WnoL1iKhLhKFE\nqzc2a5qkVupX0cQX1jvmtSS2nP0FumoaaC0KeR0g9pujZIAs3Tfk6fuPoSzo1hxI\nT2Bh1ySmiLpDiacMpkymExIAPv4/V4ECx5KX7dYCTyvNHI5yZ58o66HhrZcK7dmW\na+ggXwbRv8buvWgOBjQpGLBvnnr8iBaKM7ZWB2p+2aDJv3ET0aZC+NXXWAOqahFX\nl/E8K+1GMCPMC9stMaWtVIF3vucSBW90iMrlAKVr0tB0mH6dIB+GxWmwfkHSGuJc\nuWDVKgJspRL0B4rRXbnLnpERHGspQhXMkW711BM0eZZSQGz7Smy37H9LyfIJ/hQe\nvGXjSz5n3ATneZFBNmWYjuw9B/Led5n8rXkuuVFXyhTgN3tH6YVQBgmJX8mnlrdW\n59sOqdQbK9grwBKpKY6fAiEAy+5J3REoiYknfR88wwF3NWZMCxzSNLp2ijW4nXE6\nsvUCggGBAIfSlwSsV+eLx+XrJBvIadB02UqLoYBoH9oQ17lMg+yn6gULrGCMGS2l\nOkvzR2JkCACV/R9RAO7BXKcoJWpgSqOu+KEIiIkzNPa6Im4nmoeZI1nGmbTKmkSO\nMnFmQw5z78FfjdX1ZPzk/ianL30cSDI5gFPdYrGxM1Pe9NXppwLgAph6eqlM4MPI\nqdoQiiV3gFAd1Jho7OlQnAZLvje1XGmOS/hnohR7BAV6g7WtelTDvAmuy8q/NYIx\nNljfeJtEgGgNKqh9Zz9NVy5GiP4r3zSndZqVDM5PhmmNEUTI7yazwGzNz/RfnFsR\nEVGFZvKB6Uo5WasdDQoXHefNc4NuNClF/j69e6dZPSpgfjzuRUoVVfrvguwUEpDU\nT9T5TuS8Yseq54jbYPy8QV836VS/MjRul56EZkkHuUHtK9fInpd+ts/OzhNM8r2X\n9uSUfb8ASM4xDa78Y74/iTvKHUfI5qarsAthpI/mHkJo09qrkR3WAT6SIdtv1bOj\ncLFliOd9+AOCAYYAAoIBgQCEHAQNP0WBA6N06zUKHlI5fSlSRgFGX5xoArqFRzpb\nb3/qbTapNY7R3gtfbbn3814xxt9jAknh3Jw83gBDTiL9ZIqRUfWc0nDE9sNeQIyB\n1EtroNcPeySQG+6BXlvBlch2ihoTmkmYSjziMFrilrnQevkqeHpHm+8SexuOHe20\n8sUbF0n+mYh1aFaID6l8whuHDMgeHbXsbjhsV3qVJkizcwJk1iAaqez7/olntPmB\nwQDINK/ym1NM89jqZOrTVW6KX74XdxbMLio7gmFtwLk4ZvAokK6VvnhF04yJMOU3\nfA/giYVn/cpZBR++y+1J+OJN8Q5H4HalN42BgTCxxcYLzDXyiNcz6TtN+Y9PveBI\nRsoxRtQrSlgM2mE6q10Zae
w08CV4KppIRFnEYVe/fyR/QcigZQanRzHA4AcgpVJJ\n+UjHuUocde0p9+MV99Ee0jqdqbuXEd/BS3Q5w8/N7oZJbSVGAUHcKEIBmkahWwR4\nVPwoTtgI9w60MftFP24JrmqjfDB6MB0GA1UdDgQWBBTRx+e5qPFNuSS9KACXDcxg\nOWJVVDAfBgNVHSMEGDAWgBSV1yUwCfgtIPtaayYUiGLiD/uiVzALBgNVHQ8EBAMC\nB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgaUK95icjyr0XSPMRI4e788s8mqkKBJEIMuS6GLZw\ndwgCIA8ygkrupTxAZC3ioUhRBP5wc3zJeWow2tFqTPY10G7b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1833,7 +2046,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::no-san", 
@@ -1841,10 +2055,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeziRoXTc+hDnsQXtEzxYkM0j9fwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATI4qMOPgJUYcxGIlL6LUN+AJcuT23pNJ11Sj+7\nSWt+x0ewkUzhRBF63uAHemPWYQA8/UpLSt8rYR4bY/cwtp4Mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrFixjLNbWcHegp/KcY3HH1tp70kwCgYIKoZIzj0EAwIDSQAwRgIh\nAJfoO2dn3d+IyWxPzziy11Bcu9ojzPHwaN5aXaajRmQzAiEA5CMVel6BpNzi3WCB\n55XpqbmskGUW4IbOuTLuudQi7rY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTqyr0CBfN/czCGeF6VGbUbjo/e0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARffZG3TcaVlavZhfNdsZnPEigRAV0XL/fYHEFH\nORC5W696jNwNk1vaOORhR6H0rrcDFegJELI+zl6EmGSva6ymo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2LCe8Jwlsp89PXu2qphi4S6cZWkwCgYIKoZIzj0EAwIDSAAwRQIg\nXOs3giCuIx19xF/drCVEXjPI3ohCTprNy2UtWGvEwTECIQCamGnejFsmdJA5Pk7T\nw2r03U1R9EL3F4r3kFmd3Z8ldg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUALOxM3nmRMeXRDGSKCy+n/yfO5YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJtAzIRKSUK01EgNN7mbkpMUbNdxRMKBTnuZN/PqCAb7\nPRNMX4uBDiyeoEn81S41TgGAv1g/r819xX8avSl0IDqjZDBiMB0GA1UdDgQWBBRO\ngdIBCKswbw33P/YWNlvjjVtsnzAfBgNVHSMEGDAWgBSsWLGMs1tZwd6Cn8pxjccf\nW2nvSTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIhAP7gntIxlAbJSa+2Tqx0SxoqXdvbpKEoPJNYGhn00CGrAiBSGQmb\n7DGMyZdexedcEndPMMOLD9SZQ6pf0OprK2uklA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUWpBRWmLOjrJTj7mZWhIGDkg2QFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGt9qRaThCK+0QFpoO83SdbD7W3RSJWI9TjsfTSjC2LE\nYDeJ4Ef2h7bnvUlvWDM+pCKEgh7D/hrfid83E/vWSB+jZDBiMB0GA1UdDgQWBBQF\nGQmvsqsJki/U7weBxAIJCJptmzAfBgNVHSMEGDAWgBTYsJ7wnCWynz09e7aqmGLh\nLpxlaTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgb/E5UfkT1FfnIzW/sRryOZACBMR8OKSjBABU+Gkosj8CIQCv7FCV\nlMZx6Td+Yb0KygZfDjscmP2FBKKU0qrCBXI4UQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1854,7 +2068,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::v1-cert", 
@@ -1862,10 +2077,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX9vIHNzme7pmCLIIhtsNDiivnnkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZe8D6Z0Se0fb9YsvVJyD0EHB8tLx0xG3BmsQg\nK2i06KGs9NcJQIV9oLLR7Ijp5weH0zkiQbi5m8ighy5RWeo1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmI+YySDxX5C8YQx3MlTVtqSEUCcwCgYIKoZIzj0EAwIDSAAwRQIg\nQkrtdVRhmiYc7N9c/cncOxdgVpWDbBUR7nTKQKkhanwCIQD0rodEYsBoUcVoMR3v\n+3ASkHNls7/fCBPX83dNt7Vf6g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVdQ6yuFsyFiuXMVDermbEg5JHv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYl18OgbshZJT1WS0Rd9IqnR4hfcUHUi6BzKdw\n36HZzH2wcr6lcmW3D7yWAi14MUfUyaSdJwlY0RgnmLOp/nGro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhfTw4cep1t0yJIcI0DcomfUrWyQwCgYIKoZIzj0EAwIDSQAwRgIh\nAK20l4EetZEjF9votonwwc+QN7wT8lnLCqWHle9nc4TjAiEA9pzifljeQ5Lrmbi6\nunNklcQFZhRwxdJrfvofcfAap0A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBLTCB0wIUOu/cI8frHKttLrKH4L1Gw35IJogwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5NjkwNTAz\nMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABFMzjGbKgxbDm3UomrTYvWIYrUn9Geh9Jhhs2lbpPH7NnavReHL6\nAsG0ZaL9O1KGmvHNFlfI0d+PK8WPXZSc0rIwCgYIKoZIzj0EAwIDSQAwRgIhAJXJ\njUNMReWuPGf5vsSzjgwHvLDwFZBx/FgfsFtIb6B0AiEA7RZMkNEz+U4Wtsk+F7wx\nUxz1GuEyEOiBBuKFJXqfBiM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBKzCB0wIUfBmw4Wd/kkinMlUhpPT1CEV95OAwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAz\nMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABJPsQr4DcGTL07KOCHBv2e9lDTZU8/oOPbPXeGtXCKFj3FclZ/ev\nJtNfuNKIiEMyFkDC9Md6jcbAv+Ykb1c9AxcwCgYIKoZIzj0EAwIDRwAwRAIgEmyB\nPrAJA/wwBEaQBhcddxgDbzuLyCNiFdKzrxRJ/rQCIFZ9RTiIQsd9bTvbMF7hV/09\nAJlt06DXzrLxblOReo+b\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1875,7 +2090,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::eku-contains-anyeku", 
@@ -1885,10 +2101,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVWJ0qZ7RNKlYgN2llPD1aBYvDN0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4wdYsl4hRFbqj72e/jXuZG7xWPtTE2IuH/j4T\nU6J53Wz3o4/r/wAvRrn8zCvrDOWtwOuT10J1RegCvdHxNRLYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURieuhD4gluez5Y9z0wamshaHxJMwCgYIKoZIzj0EAwIDRwAwRAIg\nPyIulZEhgbuBjeKYzi+VgrYAaprW9qxgjBM5ZD7aW3kCIBHyHvWOOdD0wDEZvUN9\n0kCXvHMQlnVgZpmTQd8TzVxr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS0uS5h624h4AwMiYvq5KJ2ADiUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2Y2tdHGEPQJ++DB1ianRV+LhdjPIY7jGIxQ+B\nfBF6SJcAoygU4VN1KXAf2pA6Zlrp04NMMFTqOai/28SCQoESo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNtNRhY8tDLU0PqW5gYhAo3HF5kAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOXrabr3D69HsVhiXQr1E7LVrR/fdcon79iuLZL1ctUXAiB7z2LjOQ+2QEF3SFwJ\nYJFrlWnVaNeydmCx0TiA0kYqUA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIURmkMObz5sfOuR+7dMit2MC3lzC4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAc1C+vV7u3jepkSVjo9FD0p9u9Pf+6OHB8R7/H0SIu7\n1MiCDEmSH8jXoWy3Fj1ib+UrRcTqyZOy7I7d8YTMRBCjgYMwgYAwHQYDVR0OBBYE\nFMXmIh2KvD4T3WY9YfddUewRI14bMB8GA1UdIwQYMBaAFEYnroQ+IJbns+WPc9MG\nprIWh8STMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAjds4Mtvj\nVXnGKud2SC184qPfWvvmX179DaiF7ZGUh9YCIQDYZGGhA1Egjj5YEKUS1N2iovK3\nB03TM0hsyvO+OQVTAA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUYW9rRa7Cz0LbtZrlBMHoce5QHrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL1z/51M63FfhYoPw1WpT5vWtsqsw65J+sezQfiHGWDa\nqnZaYoqHfzq54allAHFgZzbQrWszP5KXzDvAzC8lbw2jgYMwgYAwHQYDVR0OBBYE\nFKZTw+0tWhRuN9hVlELkSJ5xut82MB8GA1UdIwQYMBaAFDbTUYWPLQy1ND6luYGI\nQKNxxeZAMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB9J47k5uAw\nVCLlwx/zQa9QFzkxv04h4Cw7xVr2SVSkYQIhANILO09lLBHkuRf+ZQkx66MzgM4o\n3qYezDIwyjWCakj9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1900,7 +2116,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null }, { "id": "webpki::ee-basicconstraints-ca", 
@@ -1908,10 +2125,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUC6eFChGFCiNSILImeq4+nT4P37AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtRsfFKr2GGq5SlEA0XKw7CabvNE2elUerjZMd\nponY/T+5nnXVYXdHJ3JLAlUKmKDkKid8wHKAZ/0FVNIBrp4To1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2k5KXHnEpJuq52fpBRyxzCxp3k8wCgYIKoZIzj0EAwIDSAAwRQIh\nAMJ2ZfDCP2znsMgQBTSEAgsGWdXeb1YnkgKmvStJ2AXGAiAdc2UQE6hyP4e8VOBU\nIJB8yAGeJILw4QRclxyUei3Ztg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBhuiGYyjHmVQ+wTMwbaiun0VmuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0o/FC1xa5Gpv3juMt/8rLUMbnZUrPfpfN/9Qs\no053efGd/Sqd+vqZb5kwaeG7CfvqXLzumfqk34vF31bqi7jDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiEe5rEr0fS27gAASaKnNr/UiEegwCgYIKoZIzj0EAwIDSAAwRQIg\nZEUxEoCKd+78PAjf5Jw3EqL/updJGGV4D7agO4o+zkgCIQCrURRD53rA+n9D7Jcf\nV/SyAg1MEmen4LAL4IoRjuuOzQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIURNIKauhpJulCIWK3c9nT3TK8A00wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAxMDAwMFoYDzI5\nNjkwNTAzMDEwMDAwWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCzMNPMWElef0+Ukp54YprJmbMUp76eYeKaiGjPXFXHg\njHw7vCtzbYkBTvL+Beo9lzBMHKs9Ud5R2GQydEOA3g+jgY4wgYswHQYDVR0OBBYE\nFF202XfQqppZrshQA2onbZGEr8Q/MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU2k5KXHnEpJuq52fpBRyxzCxp3k8wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQD2qxpiGQSHIBBGuDpHZDxvqXeMcb7YeOt1i9W6ybQEnAIgPJxQnRFtZhBu\nJO5x/DJHZjffHuRM0D5GpCp/Och5pAg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUCr4yja1R2MxJ5VNm972g0oK2oPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIxXdaCj9c1B+NHC1yolX/tncrTkQu1lOhFHKcV7tr4A\naueAumy8zsCpY2v5P+O6n2U/SvAi/2G3qdWakiYjHgujgY4wgYswHQYDVR0OBBYE\nFLNHxShHCTOswlfG8314tdjLZnxyMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUiEe5rEr0fS27gAASaKnNr/UiEegwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIDYbJ40u4iBg67zfpZK6z5OmLjhzCvYVhDnfVrbuwuE0AiEAuo87MQqX4AnC\ncY09h/D8EwX1y0evlApSEJT6yLCCnUk=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1921,7 +2138,8 @@ "kind": "DNS", "value": "example.com" }, - "expected_peer_names": null + "expected_peer_names": null, + "max_chain_depth": null } ] } From af0d43b178b80cc00a2c58cad44d8a71b51b8be3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 10:22:38 -0500 Subject: [PATCH 056/155] test_verification: add already-set test for max_chain_depth Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 0b6f1be6bcf4..765dc1df5952 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -242,6 +242,10 @@ def test_store_already_set(self): with pytest.raises(ValueError): PolicyBuilder().store(dummy_store()).store(dummy_store()) + def test_max_chain_depth_already_set(self): + with pytest.raises(ValueError): + PolicyBuilder().max_chain_depth(8).max_chain_depth(9) + def test_ipaddress_subject(self): policy = ( PolicyBuilder() From 06e1be59f5b0ad7bd9508a2b1dadd745f003c11f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 16:57:14 -0500 Subject: [PATCH 057/155] verification: fix bad merge Signed-off-by: William Woodruff --- src/cryptography/x509/verification.py | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 956f706fa058..06bb42b91f15 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -72,20 +72,6 @@ def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: max_chain_depth=new_max_chain_depth, ) - def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: - """ - Sets the maximum chain depth. - """ - - if self._max_chain_depth is not None: - raise ValueError("The maximum chain depth may only be set once.") - - return PolicyBuilder( - time=self._time, - store=self._store, - max_chain_depth=new_max_chain_depth, - ) - def build_server_verifier(self, subject: Subject) -> ServerVerifier: """ Builds a verifier for verifying server certificates. From 329eed5782268e5fd6f687144664ebc2f1e22300 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 17:33:10 -0500 Subject: [PATCH 058/155] remove commented code, redundant tests Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 232 ------------------ 1 file changed, 232 deletions(-) 
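Review bot: In `test_max_chain_depth_already_set`, the `pytest.raises(ValueError)` block wraps both builder calls and has no `match=`, so the test also passes if the first `max_chain_depth(8)` call raises ValueError for an unrelated reason. The depth limit bounds chain building, so the test should pin the specific rejection: build `builder = PolicyBuilder().max_chain_depth(8)` outside the block, then use `with pytest.raises(ValueError, match="may only be set once"):` around `builder.max_chain_depth(9)`. The message text comes from the duplicate method removed in the following patch (057); confirm that the surviving method uses the same wording. The `test_store_already_set` context lines above have the same shape and would benefit from the same tightening.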
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index c03c73997871..22c393df87bc 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -39,12 +39,6 @@ impl From for ValidationError { } } -// impl From for ValidationError { -// fn from(value: asn1::ParseError) -> Self { -// ValidationError::Policy(PolicyError::Malformed(value)) -// } -// } - #[derive(Default)] pub struct AccumulatedNameConstraints<'a> { pub permitted: Vec>, 
@@ -310,229 +304,3 @@ where } } } - -#[cfg(test)] -pub(crate) mod tests { - use super::*; - use crate::{ops::tests::NullOps, types::DNSName}; - - #[macro_export] - macro_rules! cert { - ($pem:literal) => {{ - let parsed = Box::leak(Box::new(pem::parse($pem).unwrap())); - asn1::parse_single::>(&parsed.contents()).unwrap() - }}; - } - - #[test] - fn test_verify_trivial() { - let ee = cert!( - " ------BEGIN CERTIFICATE----- -MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT -D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 -QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm -Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd -nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ -enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF -++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd -BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV -HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu -UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v -cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y -Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM -AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 -c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 -8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G -a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ -crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS -AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh -s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB -CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn 
-31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa -GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v -NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W -9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N -RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi ------END CERTIFICATE----- -" - ); - - let intermediate = cert!( - " ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids 
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- -" - ); - - let root = cert!( - " ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc 
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq -4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE----- -" - ); - - let store = Store::new([root.clone()]); - let ops = NullOps {}; - let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); - let policy: Policy<'_, _> = Policy::new( - ops, - policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), - time, - None, - ); - - let chain = verify(&ee, [intermediate.clone()], &policy, &store).unwrap(); - assert_eq!(chain.len(), 3); - assert!(chain[0] == ee); - assert!(chain[1] == intermediate); - assert!(chain[2] == root); - } - - #[test] - fn test_verify_trivial_missing_root() { - let ee = cert!( - " ------BEGIN CERTIFICATE----- -MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT -D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 -QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm -Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd -nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ -enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF -++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd -BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV -HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu -UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v -cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y -Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM -AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 
-c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 -8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G -a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ -crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS -AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh -s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB -CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn -31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa -GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v -NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W -9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N -RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi ------END CERTIFICATE----- -" - ); - - let intermediate = cert!( - " ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W 
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- -" - ); - - let store = Store::new([]); - let ops = NullOps {}; - let time = asn1::DateTime::new(2023, 7, 10, 0, 0, 0).unwrap(); - let policy: Policy<'_, _> = Policy::new( - ops, - policy::Subject::DNS(DNSName::new("cryptography.io").unwrap()), - time, - None, - ); - assert_eq!( - verify(&ee, [intermediate.clone()], &policy, &store).err(), - Some(PolicyError::Other("chain construction exhausted all candidates").into()) - ); - } -} From c0ec72f5bf4fb8401d8fed48864c5991c4f992bf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 18:04:45 -0500 Subject: [PATCH 059/155] actions: add a fetch-limbo action Not hooked up to anything yet. Signed-off-by: William Woodruff --- .github/actions/fetch-limbo/action.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/actions/fetch-limbo/action.yml diff --git a/.github/actions/fetch-limbo/action.yml b/.github/actions/fetch-limbo/action.yml new file mode 100644 index 000000000000..d61471b87b40 --- /dev/null +++ b/.github/actions/fetch-limbo/action.yml 
@@ -0,0 +1,12 @@
+name: Clone x509-limbo
+description: Clones the x509-limbo repository
+
+runs:
+ using: "composite"
+
+ steps:
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ repository: "trailofbits/x509-limbo"
+ path: "x509-limbo"
+ ref: "main"
From c270e4a4fe57b5827d07718fad84765b752b9e6d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 18:16:59 -0500 Subject: [PATCH 060/155] tests: prep limbo a la wycheproof Signed-off-by: William Woodruff --- tests/conftest.py | 1 + tests/x509/limbo/__init__.py | 0 tests/x509/limbo/test_limbo.py | 111 +++++++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+) create mode 100644 tests/x509/limbo/__init__.py create mode 100644 tests/x509/limbo/test_limbo.py
diff --git a/tests/conftest.py b/tests/conftest.py
index d99bb76c1913..d1f11abbb3c7 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -27,6 +27,7 @@ def pytest_report_header(config): def pytest_addoption(parser): parser.addoption("--wycheproof-root", default=None) + parser.addoption("--x509-limbo-root", default=None) parser.addoption("--enable-fips", default=False)
diff --git a/tests/x509/limbo/__init__.py b/tests/x509/limbo/__init__.py
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py
new file mode 100644
index 000000000000..46653b817fb4
--- /dev/null
+++ b/tests/x509/limbo/test_limbo.py
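Review bot: `ref: "main"` in the checkout step tracks a moving branch of `trailofbits/x509-limbo`, so the vectors CI runs against can change without any commit in this repository, even though the `actions/checkout` step itself is pinned to a full commit SHA. Pinning the vectors the same way, e.g. `ref: "<x509-limbo-commit-sha>"  # placeholder: a reviewed commit`, keeps runs reproducible and turns every vector update into a reviewable change. The clone appears to be used only as test data, so adding `persist-credentials: false` under `with:` would also keep the job token out of the cloned repository's git config.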
@@ -0,0 +1,111 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+import datetime
+import json
+import os
+from ipaddress import IPv4Address
+
+from cryptography import x509
+from cryptography.x509 import load_pem_x509_certificate
+from cryptography.x509.verification import PolicyBuilder, Store
+from vectors import cryptography_vectors
+
+LIMBO_UNSUPPORTED_FEATURES = {
+ # NOTE: Path validation is required to reject wildcards on public suffixes,
+ # however this isn't practical and most implementations make no attempt to
+ # comply with this.
+ "pedantic-public-suffix-wildcard",
+ # TODO: We don't support Distinguished Name Constraints yet.
+ "name-constraint-dn",
+ # Our support for custom EKUs is limited, and we (like most impls.) don't
+ # handle all EKU conditions under CABF.
+ "pedantic-webpki-eku",
+}
+
+
+def _get_limbo_peer(expected_peer, testcase_id):
+ assert expected_peer is not None, f"{testcase_id}: no expected peer name"
+
+ kind = expected_peer["kind"]
+ assert kind in (
+ "DNS",
+ "IP",
+ ), f"{testcase_id}: unexpected peer kind: {kind}"
+ value = expected_peer["value"]
+ if kind == "DNS":
+ return x509.DNSName(value)
+ else:
+ return x509.IPAddress(IPv4Address(value))
+
+
+def _limbo_testcase(testcase):
+ features = testcase["features"]
+ if features is not None and LIMBO_UNSUPPORTED_FEATURES.intersection(
+ features
+ ):
+ return
+ testcase_id = testcase["id"]
+ assert (
+ testcase["validation_kind"] == "SERVER"
+ ), f"{testcase_id}: non-SERVER testcases not supported yet"
+ assert (
+ testcase["signature_algorithms"] is None
+ ), f"{testcase_id}: signature_algorithms not supported yet"
+ assert testcase["extended_key_usage"] is None or testcase[
+ "extended_key_usage"
+ ] == ["serverAuth"], f"{testcase_id}: extended_key_usage not supported yet"
+ assert (
+ testcase["expected_peer_names"] is None
+ ), f"{testcase_id}: expected_peer_names not supported yet"
+
+ trusted_certs = [
+ load_pem_x509_certificate(cert.encode())
+ for cert in testcase["trusted_certs"]
+ ]
+ untrusted_intermediates = [
+ load_pem_x509_certificate(cert.encode())
+ for cert in testcase["untrusted_intermediates"]
+ ]
+ peer_certificate = load_pem_x509_certificate(
+ testcase["peer_certificate"].encode()
+ )
+ peer_name = _get_limbo_peer(testcase["expected_peer_name"], testcase_id)
+ validation_time = testcase["validation_time"]
+ validation_time = (
+ datetime.datetime.fromisoformat(validation_time)
+ if validation_time is not None
+ else None
+ )
+ max_chain_depth = testcase["max_chain_depth"]
+ should_pass = testcase["expected_result"] == "SUCCESS"
+
+ verifier = PolicyBuilder(
+ time=validation_time,
+ store=Store(trusted_certs),
+ max_chain_depth=max_chain_depth,
+ ).build_server_verifier(peer_name)
+
+ try:
+ verifier.verify(peer_certificate, untrusted_intermediates)
+ assert (
+ should_pass
+ ), f"{testcase_id}: verification succeeded when we expected failure"
+ except ValueError as e:
+ assert (
+ not should_pass
+ ), f"{testcase_id}: verification failed when we expected success: {e}"
+
+
+def test_limbo(subtests, pytestconfig):
+ limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True)
+ limbo_file = cryptography_vectors.open_vector_file(
+ os.path.join(limbo_root, "limbo.json"), "r"
+ )
+ with limbo_file:
+ limbo = json.load(limbo_file)
+ testcases = limbo["testcases"]
+ for testcase in testcases:
+ with subtests.test():
+ _limbo_testcase(testcase)
From 74343733cd06e735e424b0b06b01c0433d9133d3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 18:19:51 -0500 Subject: [PATCH 061/155] tests: migrate limbo Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 100 -------------------------------- 1 file changed, 100 deletions(-)
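Review bot: `_get_limbo_peer` builds every `IP` peer with `IPv4Address(value)`, so a testcase whose expected peer is an IPv6 address would fail its subtest with an address-parsing error before verification runs, rather than being verified or explicitly skipped. `return x509.IPAddress(ipaddress.ip_address(value))` (with `import ipaddress`) accepts both families; whether the verifier handles IPv6 subjects should be confirmed separately. Also, the early `return` for `LIMBO_UNSUPPORTED_FEATURES` in `_limbo_testcase` makes skipped vectors indistinguishable from passing ones in the report. Replacing it with `pytest.skip(f"{testcase['id']}: unsupported feature")` (with `import pytest`) would keep that coverage gap visible.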
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 765dc1df5952..5365e4696e0c 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -3,14 +3,12 @@ # for complete details. import datetime -import json import os from functools import lru_cache from ipaddress import IPv4Address import pytest -import cryptography_vectors from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.general_name import DNSName, IPAddress 
@@ -18,92 +16,6 @@ from tests.x509.test_x509 import _load_cert -def _get_limbo_peer(expected_peer, testcase_id): - assert expected_peer is not None, f"{testcase_id}: no expected peer name" - - kind = expected_peer["kind"] - assert kind in ( - "DNS", - "IP", - ), f"{testcase_id}: unexpected peer kind: {kind}" - value = expected_peer["value"] - if kind == "DNS": - return x509.DNSName(value) - else: - return x509.IPAddress(IPv4Address(value)) - - -LIMBO_UNSUPPORTED_FEATURES = { - # NOTE: Path validation is required to reject wildcards on public suffixes, - # however this isn't practical and most implementations make no attempt to - # comply with this. - "pedantic-public-suffix-wildcard", - # TODO: We don't support Distinguished Name Constraints yet. - "name-constraint-dn", - # Our support for custom EKUs is limited, and we (like most impls.) don't - # handle all EKU conditions under CABF. - "pedantic-webpki-eku", -} - - -def _limbo_testcase(testcase): - features = testcase["features"] - if features is not None and LIMBO_UNSUPPORTED_FEATURES.intersection( - features - ): - return - testcase_id = testcase["id"] - assert ( - testcase["validation_kind"] == "SERVER" - ), f"{testcase_id}: non-SERVER testcases not supported yet" - assert ( - testcase["signature_algorithms"] is None - ), f"{testcase_id}: signature_algorithms not supported yet" - assert testcase["extended_key_usage"] is None or testcase[ - "extended_key_usage" - ] == ["serverAuth"], f"{testcase_id}: extended_key_usage not supported yet" - assert ( - testcase["expected_peer_names"] is None - ), f"{testcase_id}: expected_peer_names not supported yet" - - trusted_certs = [ - load_pem_x509_certificate(cert.encode()) - for cert in testcase["trusted_certs"] - ] - untrusted_intermediates = [ - load_pem_x509_certificate(cert.encode()) - for cert in testcase["untrusted_intermediates"] - ] - peer_certificate = load_pem_x509_certificate( - testcase["peer_certificate"].encode() - ) - peer_name = 
_get_limbo_peer(testcase["expected_peer_name"], testcase_id) - validation_time = testcase["validation_time"] - validation_time = ( - datetime.datetime.fromisoformat(validation_time) - if validation_time is not None - else None - ) - max_chain_depth = testcase["max_chain_depth"] - should_pass = testcase["expected_result"] == "SUCCESS" - - verifier = PolicyBuilder( - time=validation_time, - store=Store(trusted_certs), - max_chain_depth=max_chain_depth, - ).build_server_verifier(peer_name) - - try: - verifier.verify(peer_certificate, untrusted_intermediates) - assert ( - should_pass - ), f"{testcase_id}: verification succeeded when we expected failure" - except ValueError as e: - assert ( - not should_pass - ), f"{testcase_id}: verification failed when we expected success: {e}" - - def test_verify_basic(): ee = load_pem_x509_certificate( b""" @@ -310,15 +222,3 @@ def test_store_rejects_empty_list(self): def test_store_rejects_non_certificates(self): with pytest.raises(TypeError): Store(["not a cert"]) # type: ignore[list-item] - - -def test_limbo(subtests): - limbo_file = cryptography_vectors.open_vector_file( - os.path.join("x509", "limbo.json"), "r" - ) - with limbo_file: - limbo = json.load(limbo_file) - testcases = limbo["testcases"] - for testcase in testcases: - with subtests.test(): - _limbo_testcase(testcase) From efc8f29d07919cfcfe4707e78bc8c56cf4578937 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 18:25:33 -0500 Subject: [PATCH 062/155] ci: use fetch-limbo Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f650c6d1052..689bf094b831 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -80,6 +80,12 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/wycheproof if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' + + - name: Clone x509-limbo + timeout-minutes: 2 + uses: ./.github/actions/fetch-limbo + if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' + - name: Compute config hash and set config vars run: | DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" @@ -133,7 +139,7 @@ jobs: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests run: | - nox --no-install -- --color=yes --wycheproof-root=wycheproof ${{ matrix.PYTHON.NOXARGS }} + nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo ${{ matrix.PYTHON.NOXARGS }} env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 @@ -191,6 +197,9 @@ jobs: - name: Clone wycheproof timeout-minutes: 2 uses: ./.github/actions/wycheproof + - name: Clone x509-limbo + timeout-minutes: 2 + uses: ./.github/actions/fetch-limbo # When run in a docker container the home directory doesn't have the same owner as the # apparent user so pip refuses to create a cache dir - name: create pip cache dir @@ -205,7 +214,7 @@ jobs: # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream OPENSSL_ENABLE_SHA1_SIGNATURES: 1 NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }} - - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof"' + - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof" --x509-limbo-root="x509-limbo"' env: COLUMNS: 80 # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream @@ -255,6 +264,10 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/wycheproof + - name: Clone x509-limbo + timeout-minutes: 2 + uses: ./.github/actions/fetch-limbo + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: repo: pyca/infra 
@@ -274,7 +287,7 @@ jobs: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof + run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 @@ -332,13 +345,17 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/wycheproof + - name: Clone x509-limbo + timeout-minutes: 2 + uses: ./.github/actions/fetch-limbo + - name: Build nox environment run: nox -v --install-only env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof + run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 From 3e838c75076a0c054793d427155b6be2c06b02ae Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 18:31:40 -0500 Subject: [PATCH 063/155] remove hardcopied limbo Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 7 +- vectors/cryptography_vectors/x509/limbo.json | 2145 ------------------ 2 files changed, 2 insertions(+), 2150 deletions(-) delete mode 100644 vectors/cryptography_vectors/x509/limbo.json diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 46653b817fb4..00e69b6330b3 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -10,7 +10,6 @@ from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.verification import PolicyBuilder, Store -from vectors import cryptography_vectors LIMBO_UNSUPPORTED_FEATURES = { # NOTE: Path validation is required to reject wildcards on public suffixes, 
@@ -100,10 +99,8 @@ def _limbo_testcase(testcase): def test_limbo(subtests, pytestconfig): limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True) - limbo_file = cryptography_vectors.open_vector_file( - os.path.join(limbo_root, "limbo.json"), "r" - ) - with limbo_file: + limbo_path = os.path.join(limbo_root, "limbo.json") + with open(limbo_path) as limbo_file: limbo = json.load(limbo_file) testcases = limbo["testcases"] for testcase in testcases: diff --git a/vectors/cryptography_vectors/x509/limbo.json b/vectors/cryptography_vectors/x509/limbo.json deleted file mode 100644 index 97fcc486ffe0..000000000000 --- a/vectors/cryptography_vectors/x509/limbo.json +++ /dev/null 
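Review bot: `open(limbo_path)` reads the vectors in text mode with the platform's default encoding, so how `limbo.json` decodes depends on the runner's locale. `with open(limbo_path, "rb") as limbo_file:` avoids that, because `json.load` detects the encoding itself from binary input. This commit also removes the in-tree copy, so omitting `--x509-limbo-root` now skips the whole suite through `skip=True`; it is worth confirming that every CI job running this test session passes the flag. The body of `test_limbo` continues past the end of the hunk.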
@@ -1,2145 +0,0 @@ -{ - "version": 1, - "testcases": [ - { - "id": "pathlen::ee-with-intermediate-pathlen-0", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULQQ1ynA0WIBrn5llsmmzDboRyKMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7V2AHGV1xRZshNhZyZz0AohbJ2zrhdSzLQi9u\neNCReTHc/hwQbWWpUXfugaiMqLFXxpnzjJEnJU5LKrlnVzyho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFG6umju93B3Af0tTtE6BPbxpEgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAO3S1BqgqivstZx4103j33wIdGUuuVSyjQmjwajNfxjKAiAxtL0kShu66iCGD6wU\nshyUHGBwghHJrCnXHq7Y1YbHww==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUCCFIlXMf+gVCQqeZzcwIByD/q20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyNTY5OTg0NzM1MDUyMDQ3MzIzOTY4\nMTE2NTk2NzEzMzgyMzE3MTEwMDI2NDI1OTUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCKleXXd5bzSqwPdIxXJIyWxi2fK166SBflxzMbJzEmg09agaMIuUpBkN/mTdkLz\nc6z278wHtokFqAKDSdcKWCSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBRurpo7\nvdwdwH9LU7ROgT28aRICMB0GA1UdDgQWBBQ/p9oo811Gw7Jzn8DhZioZD9TnHDAK\nBggqhkjOPQQDAgNIADBFAiEAwkPaPTzI0kXqTEsmPaRofbLSVzFocvZROsstYpt7\nRJICIGRSJpRFEO8UbaE7tHwdQcCtEDDORnKxC84U/oZ5jCNs\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUdPjE4c37d3vr9xCmVJDqNt8OBRgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU2OTk4NDczNTA1MjA0NzMyMzk2ODExNjU5NjcxMzM4MjMx\nNzExMDAyNjQyNTk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf/Dk\n89Tw02RWp6Kr7GPWIUHuOlB5nwvc9wgWj1Lilas8Y7yIcScuVFwGIwDgKeTEveQM\nYI39WjGj3m+jCe5bD6N8MHowHQYDVR0OBBYEFBh9GDzl65gmLK/ibYeViEV9xpPD\nMB8GA1UdIwQYMBaAFD+n2ijzXUbDsnOfwOFmKhkP1OccMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEApMvpZoxvgdojXhpPo84QAvSgobUPUMDuDAVskI+QbtEC\nIDNWUlj/JHRBHiZDaJWJd+v7vE10O81fAuoOKIs3auyg\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::ee-with-intermediate-pathlen-1", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUNbYMjzp3Ohl90NuOo74xplHC7HcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1hx3YEsooEMqAM2IdDkMnTth3C0gh0GJuwDNR\ncUu+L81Lig46m0n3fEcF6Pc0EmpOIuTC3hqXJpxsXhFPtVRoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSja/YkKWYZRdVH1lFLku4C9SVp8wCgYIKoZIzj0EAwIDSQAwRgIh\nAMgXM9HrA68tK+ghZflWjyBn4CPgW4PLC3RRLBRAi1TqAiEAmvuUD4vZx1Py3OoU\nfmKIUcvHvyuStu62LpVY7HHzZso=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUVo+nxZD1YpdvVBslBy/8Q4PM2ScwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzMDY2MzYzNDA1NjUzMjAwMDQ0OTQz\nNjYxMjAzOTU2MzExMzcyMjI3OTkwNjAwODcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBC3jp2C1e/ri9qXhUVyx36ZRiOrKMcdX7/sXIDkb4KMjVMqp+S5Tr+l7IZxPWrEv\nnG/yKzV+QNKDB0frpZFjFKWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEo2v2JC\nlmGUXVR9ZRS5LuAvUlafMB0GA1UdDgQWBBRUg66/2l9pw1zGlsibL6jp3EJL8DAK\nBggqhkjOPQQDAgNHADBEAiBqpFFPBS2qOCvvRHJok7gk0aLDokbTZA3TXc+WA2lJ\nmQIgKZ0+Rrx3adwr/1X+XMxygBVtfztbLSX34ILgeNLBtco=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUChr0m1XpfkRp7WZOSB5ojwahuHMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA2NjM2MzQwNTY1MzIwMDA0NDk0MzY2MTIwMzk1NjMxMTM3\nMjIyNzk5MDYwMDg3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOsDJ\nLrVeQHjpphSNtyHUHsWkwGU6KccRm8eSUw1/rc+BFdg6PN72If1eXuzB73KMNDDD\ncc+DXHWDlMerH4Tk86N8MHowHQYDVR0OBBYEFC5U5B9SbaQ/FmmnMwmrl1O1c4sm\nMB8GA1UdIwQYMBaAFFSDrr/aX2nDXMaWyJsvqOncQkvwMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiBWY332+yk7Vr9fPs/pSCg32asE5wk3ec1F40KkeSlZ/gIg\nAvV8o8w1Ap7OzIhvXhWBVB1aTB21/hiE6g7vw6xXSaM=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::ee-with-intermediate-pathlen-2", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVzMGlc73AaVnUvuezE6TZOM1beIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBeNL/jaoWXyRjGbYrA5RhFaZRJAr6Z31seLUM\nK10Nt2U54XpaQvi9JipxeURw/k5Vfen15IIgHvfjqBxYvcuuo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXliaTMvYV/1l0V716Lx0ngWn83YwCgYIKoZIzj0EAwIDSQAwRgIh\nALi0ndVA/XpoxaT8aFYxX5vLaVh0WET2HgbtYUOpf5ScAiEA93YnbHOKnhFeEjhj\n1KRg847xiWE5m3z8AORmI0sKw0A=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGo9OAXmae6IKfei4k+yyp+QqR2kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0OTc4MjAxMDg3MTc2OTA4NjAwMTI1\nOTcyNDE3MDYzNjE4ODIyMTE5ODMzODgxMzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHfxehwWRY9jsUEY8MylF/3t4IqQCmhwQDnhTlQvxRsWo1gsjMrkGFwE5Ms+xd4U\ninzF4iZmP6zPlEWgjfVyF8yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFF5YmkzL\n2Ff9ZdFe9ei8dJ4Fp/N2MB0GA1UdDgQWBBSqZGm3oG5Um8Ti98PG99+0jHp1CTAK\nBggqhkjOPQQDAgNIADBFAiEA3jkcMfuBlISoLjwOuWN3WIwzvpzdUW8J3DJ76vRd\n+R8CICCzd16boZQro+Sw6mcQOqur3Bok1ptpX8o5K4nL8MM7\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUUGKMmVeEA+xHWk1bxWQtH51AiMQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk3ODIwMTA4NzE3NjkwODYwMDEyNTk3MjQxNzA2MzYxODgy\nMjExOTgzMzg4MTMwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaslr\n7U5IWMZe7kM/Qpp85PtKC7tH27vKe/qtkBeMwrEAC2ab6/vHsa6BgMK3B+mczoVL\nf/EMAptY3r564zQR3aN8MHowHQYDVR0OBBYEFOSfS4XdiJs+NpXWiZ6PJEr8Tfii\nMB8GA1UdIwQYMBaAFKpkabegblSbxOL3w8b337SMenUJMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAqd77YPnvsQq4myYG0eBRpwjNGIbIxqBc7i+eeLA3J/IC\nIQDmBW/kuCKeirtdbtiLF/m6HEkNVugKxKHYPPGylTGBIg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::validation-ignores-pathlen-in-leaf", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. 
Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUU5p3TmVK7kr0ooDJbRUAPfItGv4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATpsK7H0/NRGFr7loGzGYKJ/G5WxfIcn03B7/hv\nvbbG5Vw3rLqgR8DuKRF6hSyoorB0N3pPJLHEa07bxDZrGBcTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTO2ci65w40HP50UxDrv7Zy192YAwCgYIKoZIzj0EAwIDSAAwRQIh\nALOVEtAXIOY765y4QOB9ypkB70HjZOxrvxCHSIl7LEF1AiAlYKJHW5LE2gg1iV/w\n4gAiT8htGrxUYb8lg3FQ6NAXZQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUaWpE5uKk7r6xXu10SePJCjxlPOEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0NzcyOTA5NDE3Nzc2NDM5ODY0NzE1\nODcxMTI5NzcxNDkzODcwMTY0OTk5NjA1NzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJNo9roYaE2pUHE//eBRoqKldCLwGlhKrcQ//w9DjM9uKH3VuYKy4twPoEfnnd8d\nS3iC06+AYt++ciucWlcVZK+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEztnIuu\ncONBz+dFMQ67+2ctfdmAMB0GA1UdDgQWBBTIzo6kDjq4VTUJDEvX9dy5A5AwszAK\nBggqhkjOPQQDAgNHADBEAiAifKcE+PhtKDCYhOCl2nSf4ft517ttQN251YzXDtOX\n7wIgE/kB3fh/7RlDwTlYMwiJ2QXW1S4Zz61svCJ/Z9Po69g=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUARX0CwgOKcYEBzZLTh5ZbfLpS0EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc3MjkwOTQxNzc3NjQzOTg2NDcxNTg3MTEyOTc3MTQ5Mzg3\nMDE2NDk5OTYwNTc0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDYwMTgxMzkxMjEyOTE5NzA1MzY2NDAyMjMxMzIzMzU2MzkyOTU2MTgy\nMjIxNTM5MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECnVpk4APUeuszTs9kHLoYxHn\njWwPlhZbOGruJyxVEzjlK1IDKkuJjbvniy1wjTB7CWmQNsnkPq3nOaKSGTQ2o6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUyM6OpA46uFU1CQxL1/XcuQOQMLMwHQYD\nVR0OBBYEFA2+oZRHEfCvGJuDWpPpQ1rpirTLMAoGCCqGSM49BAMCA0kAMEYCIQD+\nBCIVSQP2llmg6vULYYLTCbz5yavRX3L73tDg7pj5BwIhAOSD1+MaJBs/Bw8BOnll\nMA6ghIY6U+FD6YtR6Db6DU9S\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::intermediate-violates-pathlen-0", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOjsrHweuyrvsswYkRuBj7dvDCjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhEckttOFN7V0TC6UzZv6//B3QXBHCMk9K0llx\n/PD02eg1Z1KoWGpwq+9/ulhVEYOjLuXEvAzcpOLqzScM4AH4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhZ/oSpCgr//LLldBfLPq2+CJi0EwCgYIKoZIzj0EAwIDSAAwRQIg\ndd90ZbfS0comBYFYcUDb+ecShQCkr1vnmCm5BztocoUCIQD8VHNrNrYPHCo608wt\neFLuPui4NEUaWbDocRj62krc4g==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUNzeYPIiLy1QSDt4LWXdgcOmxoXkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzMzI0NDA5NjUwNjE3NTY2MDY5NzAx\nMTE4MTI0NDgxNDU2MTc5NDMwODA5Mjk4NDcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBG7oq7ln4l2GvCFmPISKNt0a01tW4AIuTGTj5G7uSyjBxSKI+Nn3LE78COl2TZ0O\npwQoB21Bazn+nPIrttkSvv6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIWf6EqQ\noK//yy5XQXyz6tvgiYtBMB0GA1UdDgQWBBT/9soL+N+O7WYi6MeX2T4UvzG7zzAK\nBggqhkjOPQQDAgNHADBEAiAVgiCdPcrtFoT17kzc84ZOSFknhWfBDSOW6K9YYY9D\nIgIgcF/tQvQ1LJNzSM8hUGUvqNiYYjGf47VZp3wMOf440IY=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUZMQFXNmBQIy4QL5b+f19TM6gbL4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzMyNDQwOTY1MDYxNzU2NjA2OTcwMTExODEyNDQ4MTQ1NjE3\nOTQzMDgwOTI5ODQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDMxNTIzNDI5NTA0NzEzNDg2MTU5OTM5NDI2ODM3NDY0ODI2NDQ0MjU3\nMzMzMjg1NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ1LbnZqNSNDWR5WukxM0Kuu2\nEmpo3pP3CKnwbb2M5ILUjPsIkoYxecJBYnHCLOcPq4rhBK74gPKZgZyOAwLE/aN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU//bKC/jfju1mIujHl9k+FL8xu88wHQYD\nVR0OBBYEFCbv56ZAWS7POnoyd48JGzNTrIWEMAoGCCqGSM49BAMCA0kAMEYCIQCn\nwIX6SGR9CF8MtFdGqD7SZDT6CC/59KLovDberc5itgIhAKTMxa83jPgic38s+ydV\naj/+Rw0GE/C4WcvH8Jrc0JsG\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUSCASYPcuKazQo2IrwNGHvzszMT0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzE1MjM0Mjk1MDQ3MTM0ODYxNTk5Mzk0MjY4Mzc0NjQ4MjY0\nNDQyNTczMzMyODU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQR4L\nUY3gr38j0d8BISAwIM5VpIqXBnU/4oSA7bbyucFsYeU3maVQnPdEuXdoYUM5o6O3\nCISue12SV/+wDPn6D6N8MHowHQYDVR0OBBYEFI0kb4GvoPzzORbma05DVbjz68e2\nMB8GA1UdIwQYMBaAFCbv56ZAWS7POnoyd48JGzNTrIWEMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBLsFAxj5g9i79yNdc5LfZQ84A0S//0MfC+wR4ZmB0yqQIh\nAIIeicClAtubQgmSSHA1i8VuNbSjSq5Z/Nc49N13AErj\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::intermediate-pathlen-may-increase", - 
"features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBCKP606KU6P7Cosk31AgJY1tg7gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWJVzVszfQEjYu6OBA3xJLCR3b/bNqAxrnltwk\nd0gS5G86YDjO4KmBWYGhF1MKObVeA9X5wHhVTcRy3GIBmaHxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURhZ0koEvJWWJO4/NhBUySQEU99IwCgYIKoZIzj0EAwIDRwAwRAIg\nSlH5XlmnfTFbbzyTXFTrSiSiVqGhggYrV8QKSv/xEpoCIGHVSxAv6kzq5BhWsZi1\n8Hv33SfzZNmFB5bEA5Rs8Jur\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUBOBbByV8Srw3UK3lDUiGYiJNKYkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC8yMzYwNjcyNTU0NzY4Nzg4NDQ4OTEz\nNjQ5MjA2ODU1OTAxMDU2NDUxMDk0MjEzNjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nWAKo8i6z38q7iF140ZRA765jIIo8F+plPLDzXLVheGL7nw/Z4cH0gysiunA3Sw9O\nU9A8eUFn2SSjoOKkELmlhKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAURhZ0koEv\nJWWJO4/NhBUySQEU99IwHQYDVR0OBBYEFNkq4Bhlm/WfCD6cPGO1kivFPZ1aMAoG\nCCqGSM49BAMCA0gAMEUCICVax36cvJ3QLeqWtBv9ZCWruOnAyMHeaeM/0EUgKAGu\nAiEAhOMKXI6946kYYoYzfDpozzyRkTfVGZJOTXG09nze4+4=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfGgAwIBAgIUK1j1Y66zGhFNGtdyJZb6BkHsGwEwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjM2MDY3MjU1NDc2ODc4ODQ0ODkxMzY0OTIwNjg1NTkwMTA1\nNjQ1MTA5NDIxMzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowZjE4MDYG\nA1UECwwvMjc4MzkyNTk2NTc1ODkzNzI3NzQ0NzUzMDMwNTE4MzM4NjEyMzA5NTQz\nNTkxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDtMbGGDH/9CGvhKS2R2rg2z7Vvz\nxZJopJqBOZXK23fesR087xr5eDKNgFNj1WoJff4Rh9YrPjX/mD09BExl9RmjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNkq4Bhlm/WfCD6cPGO1kivFPZ1aMB0GA1Ud\nDgQWBBT5v8KyTq/VojT2Q4XAIX1/m8ECoDAKBggqhkjOPQQDAgNJADBGAiEA/Dt+\n60ndmq31nmkBLi4Pb8sktAGWbjE+MHuDgE1XbBQCIQCVTR8ElT/iAEY9MAldWiFU\nsQvccnkPY1r91wFFqr+hPQ==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUTfJyqiY2Qv1CA78ng9Zn7kbgtc0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjc4MzkyNTk2NTc1ODkzNzI3NzQ0NzUzMDMwNTE4MzM4NjEy\nMzA5NTQzNTkxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATaETgG\nW8u60VyC63bj4Nj50d2kwn/JrsS/ZDmT5sdFg1/YVltHKSlyrprd6ITGTUfuDFk0\nLLf7SZCTkP2Ep/jpo3wwejAdBgNVHQ4EFgQUugI9UqD85aHhhhV2q4QTa5gnrIYw\nHwYDVR0jBBgwFoAU+b/Csk6v1aI09kOFwCF9f5vBAqAwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQCF02KUa7imdCnCdiDCN7rNQGHqPWLpn9AI6/Q7kZUswwIg\nY4dVpKr1hFRyA0gVeYCTA9Sb7p2TJTKqdteP8KfDlVQ=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::intermediate-pathlen-too-long", - 
"features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUPYorKJE7tPVardWVzXHYupgFmn0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/Hm5rGstwYYCnCl1sY8E4KnsV+hvy5ftMx+KT\nenh/pjYw52e9Lb2AvALZEWYOtl4xepokq+k9WqZqJiqK2PVSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXOQhRtX07Vgm7+gfitz91rs5XcEwCgYIKoZIzj0EAwIDRwAwRAIg\nPxxXtAgDOqhRI7p1n8V+atYBav0d1f9jDAp8yb7SUL0CICsHLm+Fzb4bE+7L74cn\nwkPvxuM9cRvth6caI3Ctrr7T\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUYdk9mwDk51d+/AG+ggsjCxn9+K8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNTEzMjk2OTk0OTAyODkyNTQ2NzYw\nNTY2ODI0MDQ2ODM0OTQyODM2NjY2MjcxOTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA1YmIzAveC0mOWJJlbEDJsBh1uO7/6378xzm97eoLhgUpfjxVR0eEIvXWYjJ83e\n8lzWvInQpxXrmASuNQ/HWtujezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFzkIUbV\n9O1YJu/oH4rc/da7OV3BMB0GA1UdDgQWBBSaCNmGWVLCNxJLKQiyc2MCEU7u2TAK\nBggqhkjOPQQDAgNHADBEAiBPdPxNGoAC38js1ZN/ZvjCpafy1yccuzw30t/GOb+i\nNwIgehuMvXQSNlnH4AyScRudGSmVyKKUfIyaE/hJdVEpujA=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUAOwqK7RhT5c3YzStJTTb4OUL48owCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzUxMzI5Njk5NDkwMjg5MjU0Njc2MDU2NjgyNDA0NjgzNDk0\nMjgzNjY2NjI3MTk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDU1ODYxNjczMzA3MjM5MDgyNTA0NTM0OTc3OTY0OTMyMzcxMzQ2MjI2\nOTc2OTkwMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsWanWVzvD6H1rYZuY5gBHx6T\n25Mfw9HmsFVkv1bGvdJcy/Q5diNLgE2Qaexg9OpcvurWGfYoZMmMng8FRBaGtaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUmgjZhllSwjcSSykIsnNjAhFO7tkwHQYD\nVR0OBBYEFNocRHfonmJ6XsN4WkDLj5tuajb2MAoGCCqGSM49BAMCA0cAMEQCIDXG\nKEkBRWVTyJCGhxfDtbMRqasHRDKewbwfRTiLdjBHAiACkU02NbJ13df+hMpEOoHd\n8VyYr5F5aUZkMnQJQxI8zg==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSjCCAfGgAwIBAgIUBjOh5b8MV34LXZfN6i/idpFUvMowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU4NjE2NzMzMDcyMzkwODI1MDQ1MzQ5Nzc5NjQ5MzIzNzEz\nNDYyMjY5NzY5OTAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGUxNzA1\nBgNVBAsMLjUyNjY2NDk0NTQ3NzA0NDQ5MTk2MzEwODgxMzMxMDQxMDcxODQyNTUx\nMzI2MTgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOvDmhi6YVu2vXg7/Pbz/BYYVSk\n5KPwP0A2qZNqHcafYgw1Q6rtqKOn117d4Gi45x0mBn6tKodzjx1m4kQWwvajezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFNocRHfonmJ6XsN4WkDLj5tuajb2MB0GA1Ud\nDgQWBBQmj67grm0Na2xr3Ksm1X5jQDRgvzAKBggqhkjOPQQDAgNHADBEAiAk24ti\nb7LfpNVzCWdhFgGVTjxQLTk676/ApQ1coRR26wIgUkQlXSjTh2xfmxbmTvQCoq0U\nPEcE0fLUPti+dFdTFmU=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaGgAwIBAgIUVqTzixDB2qHy+A+Fnroy/7U3MgcwCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuNTI2NjY0OTQ1NDc3MDQ0NDkxOTYzMTA4ODEzMzEwNDEwNzE4\nNDI1NTEzMjYxODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0wMCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYD\nVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDK2pVCo\nc/8W9rfpT1sMfsXogEor8SZTOalHIc1PvCFxRFeQtkQx1iTT7LeA8wd2D2wxgJ9j\njPBgBG5rVssIeZGjfDB6MB0GA1UdDgQWBBTklT/uMbI+eVazYMkVNMeIIHDH2zAf\nBgNVHSMEGDAWgBQmj67grm0Na2xr3Ksm1X5jQDRgvzALBgNVHQ8EBAMCB4AwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIhAMza/5Jb07n6MQWBVPISKCTVGfsYVXNgfnEi1eyYmGlBAiAX\nmUMzv83V44C89sv7/GFOU0OGBbJtnBcfMRACjKRO8A==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::self-issued-certs-pathlen", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. 
While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaabgIL4OJ9M7K4aalDgXBQiGb/EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARF6AZaRukOwPbESbW28c0VNbjXxUcTJj7VGahk\n/7+B319+jjJoAasIvF6XyAYPhQX6uKgG17BTC0s6Rrwz60l0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiHyleNE6UY7jxgCmTre88NSMY1wwCgYIKoZIzj0EAwIDSQAwRgIh\nAIgDM5HAT76cvijy4edphTFj4Ob0ThaGekmGv444o6YaAiEA1+jWdsImD1T/Iqoz\naF8iIk4JKFUtq2tnFswNoLhgK+M=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUZjNsZbgMBDECCO5B69E2JkwNLlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA2MDMxNjU0Nzg5MzMxNzA1MDgzNTU4\nMzcyODIzODUyNTg1MTY4MjU3OTM1MjM2OTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHop9BUnFv5brNM1D7HnUxyhgBKd38hLT0pwEKDvZBDxYOzN65acL6YNxaMrA9BO\n61etiWWnd4IshqyUOxy/t5qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIh8pXjR\nOlGO48YApk63vPDUjGNcMB0GA1UdDgQWBBRWGQFgtJFXg6f0LWtoNM5fwnAs4DAK\nBggqhkjOPQQDAgNHADBEAiAqvbNsfLIQ851hTTEHEZNKAuwC9zEMznIMHFsuoMPd\nLgIgVWIb64FPiTmujUYGcTSHNYdoIj8VOsAzA90tWDX1SaY=\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUA9mU1SLYyE9kR1WxGUQTO+yYoogwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzMTY1NDc4OTMzMTcwNTA4MzU1ODM3MjgyMzg1MjU4NTE2\nODI1NzkzNTIzNjk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDYwMzE2NTQ3ODkzMzE3MDUwODM1NTgzNzI4MjM4NTI1ODUxNjgyNTc5\nMzUyMzY5NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7FJ4XKIJ6ymYbYZ8JAni6oXd\nocgykK/ONkK1JSCacffIF7bRzajzmt7AZBvfio7zEDv449uXzX1DrPmfkU1DZaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUVhkBYLSRV4On9C1raDTOX8JwLOAwHQYD\nVR0OBBYEFD8FhVt9MKtOPA1+BscbSCY0vnY+MAoGCCqGSM49BAMCA0kAMEYCIQDT\nS50cjuvirzqwd6boiu54GnCLhYs05cupBDVgfe+PzAIhAN0ZCrt1YnoUFDLexksV\nOstItmlp0gVielIJ4pdGaUl3\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUdwIGbldhLIU2qJhFouX7g3Z7DwQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAzMTY1NDc4OTMzMTcwNTA4MzU1ODM3MjgyMzg1MjU4NTE2\nODI1NzkzNTIzNjk3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGYxODA2\nBgNVBAsMLzIxOTc5MTk5MTY1MzM0MDY5MjIwOTIwMDcxMzI1MzA4MzcyMjg4NjYx\nOTIyNDQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlJ7jT+aFxYQTA8auLmTgQzyEw\nsugZAOndwWhZeYshfYsroF+rnlFQrHd5SLPlnEFHYQu9Vt0gK6UIteTPXCCTo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQ/BYVbfTCrTjwNfgbHG0gmNL52PjAdBgNV\nHQ4EFgQU8a0AYnGNdN87vEaNqYlq4xkjImIwCgYIKoZIzj0EAwIDRwAwRAIgatKJ\nVdtpaJkhVyvkrsuunb6NQ1Qz+IlcfziCGVTpO6UCIH2nfnNF4iUr2u+1aJSxNPBs\nLnDS3ItO5MfzrxKvXJau\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUW0bZCmVtQ8t9i9NfJmcdflpdMN0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjE5NzkxOTkxNjUzMzQwNjkyMjA5MjAwNzEzMjUzMDgzNzIy\nODg2NjE5MjI0NDAxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASK11Ws\niviQbcqQ5k/Due3+97cupwl4UAH0ZXWcWEtqBigRb1tP/gwg1+W4FBssnyExJ5MT\n7O4O+SyNEI0SCFEgo3wwejAdBgNVHQ4EFgQUrOU7XFlGxOdtpo9no14J9R3KFSsw\nHwYDVR0jBBgwFoAU8a0AYnGNdN87vEaNqYlq4xkjImIwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQCAlpviROwtn/Vwb7LMouXUg715E+QnFIvRfoJyBk0F4gIg\ndNnFncEALBO/VNH1TOy3rN10UzztXCfg71xVuazcLmA=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "pathlen::max-chain-depth-0", - "features": [ - "max-chain-depth" - ], - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEg0ONUuYZirUfYBkz9XeqWCSgygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCMvJl+ru3i6Q+miGTO4liE0pUrCOzHKLZNvSE\nu6EdePBkIk4xoaEvDKmzzRlhSUDEPPv/qjMxATJKqkdlhaFpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5mqdYcS0Cv2Xe413QTxXnssC53owCgYIKoZIzj0EAwIDRwAwRAIg\nKZCMEhUkp990YMjnkSGChpI3pqpIH8UH/d8W1nSm+LACICYtapLhKiCTS0PGPr1j\n57YRt2cEera+HTrxSLZz3Upo\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUAxLyE+QP9Uemj6SKKNIEe5ISMQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjULdYbbmM8ECgIyniniFmq4HQGRGrQxIRv45aZDwmN\n3F7H2AMFhFNdNBd7RF1BdkODyDDOsovU718FdaGgIOyjfDB6MB0GA1UdDgQWBBRv\nzmV9wo1MtC1J8/j94wYKLM6JEzAfBgNVHSMEGDAWgBTmap1hxLQK/Zd7jXdBPFee\nywLnejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgUFPLQmjcC5q5KFMq3qLN\n9uNmwQRCIr+CHGi/TPr4C2ACIQCyOCxysJ7vR/mWSLKIFaJRv07C2i5SNCXK6w2/\nGG1uDw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 0 - }, - { - "id": "pathlen::max-chain-depth-0-exhausted", - "features": [ - "max-chain-depth" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCSfZgcY08M9ZdOrW2cKwqN8lHgowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjP0LfFLhobEjqz4mGY0421831WgEMu9s6pbBe\n4bEaWPXQCXBWjIJz/FTpsVik+aCHWGFwvBImBFYdG5iNw9Dko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhgFk7AhUoy8z55/kDS/WGzY8E9kwCgYIKoZIzj0EAwIDSAAwRQIh\nALqC9HQZvNJSFVu4M85HiBl3tah/nxQ2DbSCSezc+jlYAiBS0CuKSvtWKnuHM2ZK\nlrGZdHFo2i3KjUNPeVXjKtDmZg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaWgAwIBAgIULcB1EZHGo5yk5K0EJOqrqryw1f8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBpMTgwNgYDVQQLDC81MjI2OTU5MzUyNjA5MTgwMTYwMzQ3\nOTQ3MzA2NTgxNTA2MTkwNTQ4MDY4NzExNDEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAENKw2KxG8cD9m+Xk3aq+E8FfvhREDl+TaDPMCQizuRJsUjPoio/PPu9bbhHP+\nlfraAQ+edWY0W6l8WbG5BcKDCKN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUhgFk7AhU\noy8z55/kDS/WGzY8E9kwHQYDVR0OBBYEFP7atqzMlG1WYS8Nk8qrXKWtIAwnMAoG\nCCqGSM49BAMCA0kAMEYCIQDe5w/Gfi4qK9mj5cB4N9ozlXnsWHotuVqeXuup4MuO\nhAIhAJ6Ba6d80gPd4itdvv29S018FkshUsWc9ohATA4e4URp\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUEqccW3P2wL9EZIj1iWH7wee6XPEwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNTIyNjk1OTM1MjYwOTE4MDE2MDM0Nzk0NzMwNjU4MTUwNjE5\nMDU0ODA2ODcxMTQxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARp\n/+SAv81k0xIQlt7IXgTMT0fZ5JhxpjfrEA7UoMJhk7oa8azbtsJlZLb/iVHkK4ZH\nPjFIITrDgf5s/817QAlDo3wwejAdBgNVHQ4EFgQUgfufuwT7NcHTHGlbOAVfOwsm\nrvMwHwYDVR0jBBgwFoAU/tq2rMyUbVZhLw2Tyqtcpa0gDCcwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0cAMEQCIGzVcrozXg4/Dpb9qtX9sVyN3MV8QQLnrDffN5n7FZPr\nAiB4tVKxCRi0iB5Mfga7g5ItPzDZJGeKMsOeAmJTDGeGBw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 0 - }, - { - "id": "pathlen::max-chain-depth-1", - "features": [ - "max-chain-depth" - ], - "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> 
leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUE9Z6cGKmqbo1Ap+9oJ2zNNr/BYkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQihZonfRcBxjacUIMMZCjUWbzEpwJZqMEzc1F\n6DMWcj1FHyYSvK/+GLAXBxPfNph69OwcAg9dX20AgPCUGL3io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8BNAT3em4yoXm51lUon53de7z2UwCgYIKoZIzj0EAwIDRwAwRAIg\nNWGq32POOzNt0sS/HdZ6RQbDvy9Pda6T+TxHMyvIH/gCIH3/9Z9SjWSPXQncQmTv\nycazEeR1LrQP5worT5xHLPBo\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTDdI4suGrY+CA8uzHfcM4mjXihUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAxMTMyNTM4NTAwNTk3NzY5ODE1NTM0\nMjI4MzI4NDUwMzA4NDI2MTU0MTc3MzQ1MzcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGfiHOeyRLR31T8erpW4GkD9wt9gz9CV7Zb9RLIU2uNtDdh5lqimgJd5mWij\nWJKYSbjWujHx/f++vcoeugz9jwyjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPATQE93\npuMqF5udZVKJ+d3Xu89lMB0GA1UdDgQWBBS4gRbyMFOkqL6Ga2z0pJ6iDESO8zAK\nBggqhkjOPQQDAgNHADBEAiAhVXXp/AE1IEeUkLd7HjTE+pM6khdhVGPzmAL92VQz\nagIgBtcSWYNln+rMudmPDmj7W7g8I5dnYcTZZCNXE+cUCW4=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUL6jDXl76ALt6xCFaj0gDENWhRbwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTEzMjUzODUwMDU5Nzc2OTgxNTUzNDIyODMyODQ1MDMwODQy\nNjE1NDE3NzM0NTM3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\ndveEwtzV7bMOiwzLau/wwXMiuvDPNWgO+0s0Bu45/Uz6LvZsRMMdhLyocrADVaTx\nylC3OSflGmlzYHRWGHCMOqN8MHowHQYDVR0OBBYEFFPfnAqjqU/Wi0QEDOAdOYQt\n8jiAMB8GA1UdIwQYMBaAFLiBFvIwU6SovoZrbPSknqIMRI7zMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAP8AkPTkCYXBQWl/0gCaiml3XuDsDQB+bd4g+W0ZPc\nyAIhALC5X3XryLF4m4pjsR4a2F14MBHKqCz5QF4Xy1VPDA3D\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 1 - }, - { - "id": "pathlen::max-chain-depth-1-exhausted", - "features": [ - "max-chain-depth" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA' -> ICA'' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKPHeOjbJzvLyEPbHinPV7wKsKbEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASUhaWPDOtTtR3taLIgQDwFnWrR5e473nhbsZZD\nX7iQAynMNntAXzosO1tNZtvUKTK3V+Ms4SJworQmNhMBa1QLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqfWBlAwcEmfaxDf8OegVkpVSNZ4wCgYIKoZIzj0EAwIDRwAwRAIg\nNzVjbEwEpH/L0L7EgaebOTRQCmKUGcPKbrfIOoNy/0sCIEcWQiSulBln0fJ5inh/\nJkVisLXRMrkZ6gozmBeQ35m0\n-----END CERTIFICATE-----\n" - ], 
- "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUJ24HfhdUMNPGXgxljE0i+tbrN+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMzM3NTM0NjkxNjI0Nzk3NTQyMDEw\nODI4MTMzNTYxNzQyNjIxNDc2MzMzOTIwNDkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABHMoHyOh9Cz8p0aa6Njk6ilAwlKFXdI44NwWaeuFDX9/ZosQZtJYOgsitufu\nvOYm4+MRRE5Yk0kj2gKyY7JW4JWjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKn1gZQM\nHBJn2sQ3/DnoFZKVUjWeMB0GA1UdDgQWBBRSZLtmj787y9YiLpUnLLi+lbzZuDAK\nBggqhkjOPQQDAgNHADBEAiAybnHFPFNjTT6vd0akVGhbMYjXJss0YJjzvENjJLl2\nowIgBnOkCgYHVRniwM1bc253pGnIT/eirNBwxPV7arc5k04=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTzCCAfagAwIBAgIUSF+9wirDl5oc04uTGbBdC3iBzFMwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjMzNzUzNDY5MTYyNDc5NzU0MjAxMDgyODEzMzU2MTc0MjYy\nMTQ3NjMzMzkyMDQ5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDIyNTEwNDM3NDcyNjU1NzI1MTUyMzk5OTQ0ODg5NzQ0ODE0MDc4\nNjMyOTQwMTMyNDEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC3qhRJR4QbSUVz/R\nLcic+njFpIlqzFttc2C0a3PVjOXrWBtdqboKYafDUu4LtBsfHo6oNkSuGAYk+TTC\npc0caaN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUUmS7Zo+/O8vWIi6VJyy4vpW82bgw\nHQYDVR0OBBYEFMagXfVVdEH0XShGTZGCVRmSJjD+MAoGCCqGSM49BAMCA0cAMEQC\nIDaim4GCaT23NZiSA3AjW/d9ZzHW0sVqkF53Tb7BRMzBAiBLE4FL/62UjC45gqru\nxRVs+eGbqdJVdmAbRYk/a8IIWg==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTZc5nnb5M5ubZCHO7Ff6zjTOa8owCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjI1MTA0Mzc0NzI2NTU3MjUxNTIzOTk5NDQ4ODk3NDQ4MTQw\nNzg2MzI5NDAxMzI0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRbkEw6FFbu+Uwy9yeOhyeX+UM0WYcSOW9U2oTncjB5yRKEx4QaXMXTxMcAtbA3f1\nA+W5VDQkMGXNLPQypEkYq6N8MHowHQYDVR0OBBYEFJKndHpJa7kWeLGhe3ce7WBY\nNygVMB8GA1UdIwQYMBaAFMagXfVVdEH0XShGTZGCVRmSJjD+MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiB+GuO69iQpcJxPcZdtu5XSUMTp0Tyy/FReT9GMIDUN\nkwIgdxuwyJNfHrTAp6EzrqkxsdaRYNynr22qhCWZEivIkFw=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 1 - }, - { - "id": "pathlen::max-chain-depth-1-self-issued", - "features": [ - "max-chain-depth" - ], - "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJnPd+f+0fvUD5bTFn/SL9xs3jlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASMHvXpbUHb62pi4NehxmbBJB/83pUC9UIcK9lW\n0saBadbEJJN4AkGaSlWWeqZt7rTThulJwYm4FIjtlfW8Sfrno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbBKdf8oGuU+cSQEEqIGm/NvcJQkwCgYIKoZIzj0EAwIDSAAwRQIg\nJN3pg/mR5ocRZyp/511h98c5hw4VpdL78qR6aCKB5QYCIQD5rMJydg85rv5QJgQl\n3cz4b21Wli87KTBBHS00Ey3JUg==\n-----END CERTIFICATE-----\n" - 
], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPEqoIGm98meiL0wOXfoGkiZ9fwYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMTk1MjU1NzE4NzQ1Mjc1MzMyNjU3\nMjgyMjY2MDIyNDQ4MjU1OTg1Mzg1MTgwOTcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABFOIAY7SjYWRN3SONAzFseegiQ0o+a8GxS8V7dQAncrUGERkQmxwfroAwxuB\nyZtopjwJM+m3WoO4A5Qued22E7ejeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGwSnX/K\nBrlPnEkBBKiBpvzb3CUJMB0GA1UdDgQWBBQnxx0L4paZdG30//rv+23fpdAYiDAK\nBggqhkjOPQQDAgNIADBFAiEAu25pcdaoqcYSasOjldqij0LZhK+/jwNz6t6GvS2x\ndZsCICw6IrI9TNLjuK2y8Y6XKA+5zWElfBvDiP+/hpopdSCV\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICUDCCAfagAwIBAgIUEFTPa5swwfC+WK+wbhStsaO1YbUwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjE5NTI1NTcxODc0NTI3NTMzMjY1NzI4MjI2NjAyMjQ0ODI1\nNTk4NTM4NTE4MDk3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDIxOTUyNTU3MTg3NDUyNzUzMzI2NTcyODIyNjYwMjI0NDgyNTU5\nODUzODUxODA5NzEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElakemMFZeTR0N5Nn\nCTjouZ8URb4QtMcI361En12jPU3f4xHVfpDld2gysbDe+r13xqAypuI5qH7li7GY\nr3NDfqN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUJ8cdC+KWmXRt9P/67/tt36XQGIgw\nHQYDVR0OBBYEFGl2cCXVKUxtM/Cjpjo3bimARUqUMAoGCCqGSM49BAMCA0gAMEUC\nIQCWkRPK6CEVDkFTrZhzT8s1lSx+KdL/B/XPw6qcJ1Oj8QIgey0GzwZAb7tqfCT/\ndiRmurdC1RkEcbdlaScVAE1uqg0=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUUzNEZy6zaGfjpM7EcNRVYFjAdUwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjE5NTI1NTcxODc0NTI3NTMzMjY1NzI4MjI2NjAyMjQ0ODI1\nNTk4NTM4NTE4MDk3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\niEBqgpUambdvBu+aI/q80rE5z6vFD//lcCD1mbhQTpE/J5Pz/d/iRkt66qYELI3G\nkGp/jQ91425jpXLh0dQmLaN8MHowHQYDVR0OBBYEFK54XkWP/oQj9R6vPMeXhE5o\nAsjJMB8GA1UdIwQYMBaAFGl2cCXVKUxtM/Cjpjo3bimARUqUMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiA26ls/r1yqeMO0bZlhjNZ+/V+cbJfDOGrKyn8aG6ie\nFQIhAOSaumPrfvXk0IXFYmMxwru1njSLnX6UU/k1nkznDTQc\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 1 - }, - { - "id": "rfc5280::ee-empty-issuer", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIUTu20N4ajWkIqxlj5JXHKcLklF0UwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElODE7WUxSCWJ\nikei9lfIhlviMEv6jw+EkOFQzT3ri/01ZFvYxGUnR3dYAl/NZEgB+obLa7BkNZFY\nnaX+5+PsD6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFEVUkNHe6hUCGuEvoj4koGFrcIpt\nMAoGCCqGSM49BAMCA0cAMEQCIBntypU1zozvbB6yaMiHFrt0M76ajNyQt5rpQv6t\nhBAeAiBK9HxKm2wxqiVrdljUz9ivOZ+JuB7Wd0K96aHZB48LkQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - 
"peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUX9TMfCQRKYOGLwB3FhisGcMgez4wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAwMDAwMVoYDzI5Njkw\nNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABOOX5QlO+rd3secjL2ZfSX7+H7vbde209YxDeljo17vQUZ3v\nEA6g3/w5vnx2KG0+lZBp1QZfGA2gCRmIyBO4MVmjfDB6MB0GA1UdDgQWBBR3Zm4e\nPyY+pvXnFBEKIVn2oSNcsjAfBgNVHSMEGDAWgBRFVJDR3uoVAhrhL6I+JKBha3CK\nbTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ2QllY4bM+O2fCD13hx51hJ\nZgblwvdPWP3xu/mzpwyWAiEApyNwASTQFUKLdUbrvCHtdEiN/SxfRaMQyV03m/jK\nicQ=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-empty-subject", - "features": null, - "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUGT9j1IkmVyo7j6kXcVsaFAsRsPAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzIAbfvOe\noCVB6C1/iCd1tYk5mJX5Piug4TcnkCBLYuUmPXYJUakuIO2N+BOg962fdOaNXL3q\nMBBYzhZUD7PclqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCYxpOt+A9wC4pRd40zs6T4G\nOj79MAoGCCqGSM49BAMCA0gAMEUCIQCMfuJm1ik7DsW+PhaN6v0cHDJD749ozB/G\nhyEcRDA+bAIgXDRbbaA4drl+fVM6874K/7QAA/fgb5122FnrpMzvRKY=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUB2oxl1C3PPjGU/cDhxTV9Xod6XUwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQIqY3LQ1jGLBeS\noSjmb+sgK7l7Ct5xOaxKmurGzgm/lVcVYcDzR2n5jnabBflPCWlFBRUDqw8oaDZS\niaIB6WyPo3wwejAdBgNVHQ4EFgQUwogJR/zFO5z7CiNlyUk0qwxCcI8wHwYDVR0j\nBBgwFoAUJjGk634D3ALilF3jTOzpPgY6Pv0wCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIQD8e3hUQj8vxe31kRmDE85Ca3TaXWz2I1IRzy5XfVlO9gIgGDuFtyOo\nNDOI4x8bH9qzx1oSQVjQYy4B58iaxfv7t1w=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::unknown-critical-extension-ee", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. 
As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZNouyhu5KSFWbIBxANasnOYbyoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARAkOW+3/urlqi4olSD0+G2WsEGtDvCniLyUiiT\nszSteWSb/fH3SemTHCjggobE/rW+mgmSLHWvdlaA08Sd3wOso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8exgatpZAv6m/flLI69kKQzr5q0wCgYIKoZIzj0EAwIDSAAwRQIg\nOgN/G2upTvPbsoDl9Hwy1CG6l7iswWLKM40beTbASRYCIQCG11+aOdeFQt0t9cBE\nFxQy4ZZFKrPsiThQUYHWRQ2Yuw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIURyNxOYVz8C4ahTdaR0Z+HyyLW4swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFKb/LlWEe3T0D+mfZezqF5F9ITGHCR5KQ1Zwm1vnfGn\nf7hvpWMso4W5RZzx9vwG8QEGULSI6PQOkv1btizG+wKjgZEwgY4wHQYDVR0OBBYE\nFCOF29IsBj4KThXVNJLwgHcv27xXMB8GA1UdIwQYMBaAFPHsYGraWQL+pv35SyOv\nZCkM6+atMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIGNInfgz7sEI1peLPS/+OHIvEh9oviXzHuWjM9uf2g3iAiEAjDt8lsUr\nktHywxbYAA6PdXiJGy8vKJjGKB3naVphdok=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::unknown-critical-extension-root", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 
1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUDtjZFI6UxgzjJp9+yz+Dge+XORwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATC5BSnKN5TwieoEoSsM59PWfq3ZSlaYJkL+nWh\nyZ2GKGLxNhNSnmjUOw7DkoIsma9wnA/Qw9tnSRyC0bmahc4Jo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2JmIPtIU7YVKtEL/nIFca4n5L1YwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNJADBGAiEAu8HX8pTOW7biM1LpDUfw7ufKuh3DH3ChWBF5\nSni6JgACIQCAXWVKwRI/om2ZdTE2lRpuc9/WOgBXFAokJT1MfRLxXw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUYYoIFFrfFRLdTPAYy/sgQySCRowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNiI9vG6x19c2kLbS5ZDwoFlIw+bi064N+uVpoQiUZrf\nlSwATI4Sv+cu5gX4RZO+LKZwHYT3p10YRA4iQveBYUmjfDB6MB0GA1UdDgQWBBR2\nK62UfMrC3vCQ8h/T2R3avYzWfDAfBgNVHSMEGDAWgBTYmYg+0hTthUq0Qv+cgVxr\nifkvVjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ9qJGUBankhppLBjL7R\nuZySjhg+wijbogCFvpjcazO/AiEAnIc0rcNF+H85Kupn2bDpbJP5DCrZkL20yaRC\n7p5SYqY=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::unknown-critical-extension-intermediate", - "features": null, - "description": "Produces the following 
**invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNIRvsKDKoI179bHfUj3jaLFzMuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4hHeMxhPoYJqAkZJQ7MN2slkToCHDt6OvEDlc\npGzHaJbCx5TdzTXK5DLO06g63/gRnctlXBwhBvkW+sAWmivPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2eZL6OCJqsRyBM3/q8A/iOpYes8wCgYIKoZIzj0EAwIDSAAwRQIg\nCJRamGePGzHiwqyAj4QKl6SBQ/jwxyG6OvhI5qyn6n8CIQCg6QfcJdqJC9l//wV2\nxH5ztyZgebnaSE9sMCMZHOyKZQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUAgqBfXo8FFwd4XOUKQbhK8FdgBkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyOTk4MjA5NDgwMTYyMDkyODA2NzM0\nMzUyOTc5MDA2MjA1NTAwNDUyMjk1OTMzMjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEqlCFbXxGaOjYi34/5etFT0vr06lr78ZC5M6fmmW+Ibv3RoognEghOS2opQ6S6l\n7joPrhL67y6Zf/oRkwMNeJCjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU2eZL\n6OCJqsRyBM3/q8A/iOpYes8wHQYDVR0OBBYEFLK2X8uSnOU7HsgX199mL8z9hC+c\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgQ3esKh4YTQyY\noGv0IuiNS+GC29Nl+8f4nqpZ5piU7b0CIBYx2vmj5m2Ey8fj0QlO2dD0zwnv7/Jq\nw14lzbHOz+GJ\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUWrdQAUDoubjD1GHMKBfi5qPTgUMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjk5ODIwOTQ4MDE2MjA5MjgwNjczNDM1Mjk3OTAwNjIwNTUw\nMDQ1MjI5NTkzMzI0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOumJ\n9hqH/Gy5oeReGML1F1bTBoB2tP//dt5ttB+X6mHCEohVk6wPZzuWoa73iPksC8Zv\njTSlfP/DeSVGZj91m6N8MHowHQYDVR0OBBYEFKxNdKadwXk1rZNU4l+BZ17EJc54\nMB8GA1UdIwQYMBaAFLK2X8uSnOU7HsgX199mL8z9hC+cMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAEo3MicBdg0Yuxj43ExbNloyqlqtJhCtAaOMK/c3VUKQIh\nAJCv60n7I6BSuyEIf1L8MKRCO9e8mBoDvMXidm513vWn\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::critical-aki", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUMI7wb/XIL5zEuWTImzFx+7JjSIYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATD27A/eK+5EZHHrU5wYBX/tUgWiXJHJuV78Mjk\nxX++N6vKX1UzQx9FzC27h/iZu0Vj7lq4+TwB2NLfmf1XdeAuo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRiM6RPLCzuS6Qb1rs65uPkrl+AWzAdBgNVHQ4EFgQUYjOk\nTyws7kukG9a7Oubj5K5fgFswCgYIKoZIzj0EAwIDSQAwRgIhALJpd4m689HlNqBI\n6LrK2dqE07WTHeulLBQIw7Phpk/hAiEA5VirjDP1fRfQrKnktNMgYfN+rs8CZcPe\nBYJ6qNEpfp8=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIURSm8+Ex/9x0l0A4gRCuKOoms150wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEgK7zCxTUezroJp7o307Vaf19QApNtuovuC8goBT7BD\n1e6g3uAPpaco+NnZ8MJ60WcRz5xiQ+p6QERt2AfSItmjfDB6MB0GA1UdDgQWBBQf\n/YwDYt/NJ361iIzZ/tY20LzkQTAfBgNVHSMEGDAWgBRiM6RPLCzuS6Qb1rs65uPk\nrl+AWzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgCdXfwMGS/+ClVngrQfXk\nNmR+abxu0sTpmB1bg84QHHwCIQD+rstp83rAVol/vcaOQYMiH1mosIlTbwns6u6N\nyw1wxw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::self-signed-root-missing-aki", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The 
keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUeAR0yoDsTAYySq8c2+y9wJdcxiYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPDdkB+0IVB2rUjQ14dgQbKIqK9FVyHvqb8TQD\nPQGNwS7PlgYBqc3Hx/qCG/ZvXRNBJe1Zkpspn5Pg3WermLdro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0aM6GbrL3o0koGs5KZBSH5h4/AcwCgYIKoZIzj0EAwIDRwAwRAIg\nFUMmevSmxpqGCRuanBWweTpj+VDUBFmxbMII02FrhloCIH//mZAzt1O6blDdRPUB\nrodVdBLdwswIuqgt+0s7LfXW\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULZiAwoJerRo17HcOG7c3J0tO2k4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBTRp3ox+Zk+1oWW8oxj79La9IbdBYNZ2n8Ve6akZFuK\nLxDTldrDON5J6wTkvktgxw8Ekpih1Vm6nqfKUQR7yE+jfDB6MB0GA1UdDgQWBBQr\n+kEfieBtc36MC63/zVwXKtIASTAfBgNVHSMEGDAWgBTRozoZusvejSSgazkpkFIf\nmHj8BzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTjpY3ukk6Bx1o3ui1QDc\nHMuRTjFpHEhbMI6spl2Q1vgCIQDW85g7Od6DdKWdvqdVFid3SJFl2QbbfAJINlhM\nWaClYQ==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", 
- "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::cross-signed-root-missing-aki", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUSryYveoWPSe/Q4knJKpjd/tC1VgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0MjgwMzMxNTU2NTYwODc2NjQ2MjMz\nNjM1MjAwMTgxMDQ4NDk0MjE0NDM0MDg5NTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJ+V0CSatxjIddLjHBpGUnlQUg66vcddUE9lnTMkhUEsZf7Sh5Xs5gN/3nuhJcIt\noOa67EOxroWZEvuntnGgBHejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSJKL1d0CX/\n0iTyTRmHzTkJF8ptPTAKBggqhkjOPQQDAgNHADBEAiADY+mM0BSk1283+QAN+GXi\nmpCYnUpb8pWOytLdjYnFlAIgKBB6chPa+lZGtutxBcHXi92FvbC9gU03X2tmhCwp\nMTI=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUKIlHuri+zZ+7m0iniEqIQCPRdEAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDI4MDMzMTU1NjU2MDg3NjY0NjIzMzYzNTIwMDE4MTA0ODQ5\nNDIxNDQzNDA4OTU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYMJ/\nK5kxA+qjWe23FW14HrMA8v3kFYy6abEKMZEFYc4g8JfN5CAcHgfqFYXjQuUbxz3v\nT6NbyoaSCYLczbsoEaN8MHowHQYDVR0OBBYEFLbdbpci1qkDRw6nMZ0fyMo256tW\nMB8GA1UdIwQYMBaAFIkovV3QJf/SJPJNGYfNOQkXym09MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiAKl1Wg2icsN9UThGeGAHE67hLVtFJnIZAkl51Wp9G/iQIg\nXF5fddS6149az4blL/gHmacP+1cmCyvDrZ6LuyhFMRM=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::intermediate-missing-aki", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUPm1MW05ThkywrwM9+qdEDnBM1EswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCS8pPW/IDcZPIDN3qGBfYJMjEEjbDYIzKxv3E\nzU6vmHuuMRAZ6/PWMWGe8cGLl2yQx4BL+RrL0GyUYvkRSrBNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXpnfZZc/K/+Hft8J5qMXjMDoTwMwCgYIKoZIzj0EAwIDSQAwRgIh\nANbVhExfQ4sQL3YcY9GhaPlH2s2iTd9vOm4x0WaKkhGLAiEA1y++UyHHGu+L8cH4\n6ZO0wY6qD43iAXzY2N3G2QZwxAk=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUCL58BTniAlC3ClihiGJ9lGGNH54wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNTYzOTQ4NjA2MjEyNTc1NjAyMzg0\nMTc2NDA1NDM2Mzc5OTA5MDQyNTczNjkxNjMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKp9WLxEnS/0VzpK4ukL9gOr/znib7Fv5Di3ZfFh//NtZEpme1y7AbIb1almNYmJ\nEQaAQ9zs1U/f0+MJaB5mXCOjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBR3HvKhhSC8\nurRYeEPP4mnxvJv6hTAKBggqhkjOPQQDAgNJADBGAiEAp2c9M4jG/LqJpnMixEHa\n0BwQclUJhOMCaQ4W0JUD0EYCIQC/Fmu5sBLIDZWsx05FFjwEApj8qVB27yo0ma8W\n26cfWw==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUKjwcEAG8wEE1ZRyO0ICjZRETd6gwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU2Mzk0ODYwNjIxMjU3NTYwMjM4NDE3NjQwNTQzNjM3OTkw\nOTA0MjU3MzY5MTYzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqxrV\nfSA45+LkaTMj1IVzoLj7hT376uyS2o2XUxrjoNISGGt8oyGMD/bliIczhrKx9xSD\nLsaNuIKz5/IfgSNrvaN8MHowHQYDVR0OBBYEFLngdXGdwFusgwKXLBpAzVX0XDQa\nMB8GA1UdIwQYMBaAFHce8qGFILy6tFh4Q8/iafG8m/qFMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAqw2qUPRQuX6ZmUibg37mFbNk3VF9Ry2zAi+/6pSMhWMC\nIAy7lA/1ZnhKWcoNLPTrm8BsRSI2CX3QyCvhHwSUjV1T\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::leaf-missing-aki", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULSpNL+hpU9/56Rf30/E7whsTE70wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATg1++cZEwH08t6NIHwfxCs2hoeLLAn1FS5Zqmf\nXdrlDm+zeoWuQdY1N7cp/jHUCCadKjXsYn7uDlw1KJnIz4Vqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtXR073HRdQGTN1o1qQU5UgIZfY4wCgYIKoZIzj0EAwIDRwAwRAIg\nPGkhKHiYvfsApz70f7RwIdw4hQ1nE69eLxZTenq78iICIDw6980B0eLaAOjW1aI6\neg0b1RUN0+MLlKwywey6y2zU\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZiDvI+NY5Y7bkoIRi5kf10J2sIswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBEND/wTT4Tp5ceGxcr0Y/m1wqisstZf3NyUi0shB8bS\ndGQ1twSkUBx8MUtRi7W7LeTA6tmYKAtgU78G+QhMR5KjWzBZMB0GA1UdDgQWBBQB\nJI7zOxsmhZnlH/MN1Ftg7mP1xDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nANRY6l9sxZcuoxY+kDpi7oQRcbsSKeYJj0Sa2aV/DZ7jAiEA6T3ExFqEV4tVoO+/\nxigjtw7dXhHALrRFnx9MzhvmGVw=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::critical-ski", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", - "validation_kind": "SERVER", - 
"trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUUlaW58W3rMBpAXclQPvnw0EJSHEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThhfSMXE/IXHLjcylGPo4tJ0go26aEgEi1Kbx7\nyzTiIKckFbaR2/Bzny9v+iEPsSKkxWbaNcdM1ZWdK5OBel4Mo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUsd01ZB/lg4Ji1obSfeMWhpbKwLowCgYIKoZIzj0EAwIDRwAw\nRAIgBr1U2OmcC3KTeRsvVXai7ieRyH0jFPn6meEvvTsnWrgCIHFyHIlLLn5Wg6h2\nAVsZZnnjzrUeevak7Kb70IbvpSKc\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUObpNMO7LbMFif9ToEMb0kcCtPeUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG6/Et7UgfZFZqLNHOmVxmH/Kwmyn4K/udVRqRgrZMLA\nYUTr+4BL5gW0vCfv031AGN0GaE75hIHPcs16XFZLXz2jfDB6MB0GA1UdDgQWBBSG\n8ol5Qk5Ww2Ug+VEzD/5jMyOVmTAfBgNVHSMEGDAWgBS5jbthnV5B1wHNPEkpYwia\n0qwStjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANpoYezRiyVBWApOQUOT\nwLJMxZgULw0lfQ9YmBCD/KHfAiEA7GHcRzhAPTsYht+e8CUyb/xyuaAfBwHW7hCZ\neLSLnMk=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::missing-ski", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that 
is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUEnW1fJ5RCirnKhXb1zJW9n4fbQMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfRLsPsoNVFfp8hxzATjisCsnhF4EWfq2VIyRo\nw8/xjkIQwbQ+Z2SmG82yemH5+xtNRtXpcdyFYgq9jmfmdURkozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAfYC5CQO+HRklFCksa6ttAzYUY3iWM9N776rKMJX0M\nxgIhAIPTOxscfN3sNLQqIMvJgN58x5xA1Aj0rjjNC3iUn+eO\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUBVlzxa9qVqnApp78geAwBghX6vQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNL686PmNX5Y+LVlrH4bWcwZqSoXL8JW5+Cb/vzBdJxn\nZ0iurW4+vEVY8RRlLdkDwrYzWMnEi9/OS+7GeJT2y9+jfDB6MB0GA1UdDgQWBBS9\n8nbVOZRI4D3ukFUo7uXJK6+YiTAfBgNVHSMEGDAWgBQB4ls3or13aqULLs/DVEyP\nLLvauDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgejaD3RXqeCnz9zL7R7uh\nawIipRMmzsfCq2uE3hVUAkwCIHcQUY1qjxRo7s2QjefdyQLCMnvtqRHTY+2kai7G\npc6+\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": 
"rfc5280::multiple-chains-expired-intermediate", - "features": null, - "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULPDxp3y2TopID2b/VBiY1Raf0jswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtdJxMs/GitbVWNPSdRyBP2jSsXCaiIZXnxGd7\nAWrD5T0GGzrsMtOLoRBr2ZeYxljRrz5iF9iUrTdsuOXdhEO/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwhK58e3gZA3/OPY5GWJhklggT0AwCgYIKoZIzj0EAwIDRwAwRAIg\nEOCNUw9xrW1os1UdpnEkJHR0l6Wp/Bvz2DUy4IeKihsCIAQzSXVmG3rbvFSOgBmM\nP2Ij+o64n3M0haJRNwIhKINK\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATmgAwIBAgIUZqzXW+bfqo8wCJv8FNn/jl+zE70wCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDAwMDAxWhgP\nMjk2OTA1MDMwMDAwMDFaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGR6CYFK8joV4BwpUZbRcmvK+i0gamm4O\nyKi9Xum0QiAxCYL1raDLOVlop28FYcSjw0F/j5QvE2dSThyr2P88bqNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFOVCBeaLiiPdBh9hWssa3dX0uJMrMAoGCCqGSM49BAMCA0cA\nMEQCIB1FPFQTk39qe/gxveKYRdYF4X9Eyu548aBHwY2fo5h5AiBDr0FMyXzsAtFN\njZgI4a3TiGvLhla2hUveRc3+mDdQDw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUaA5+FjpvnQbMGsTvGQ4bm5t5+0cwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDAwMDAxWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATtdJxMs/GitbVWNPSdRyBP2jSsXCaiIZXnxGd7\nAWrD5T0GGzrsMtOLoRBr2ZeYxljRrz5iF9iUrTdsuOXdhEO/o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBTlQgXmi4oj3QYfYVrLGt3V9LiTKzAdBgNVHQ4EFgQUwhK5\n8e3gZA3/OPY5GWJhklggT0AwCgYIKoZIzj0EAwIDRwAwRAIgBtEix4pUC7dbfVuz\nM6zIf1nkFEt6H6eIOq14XqA+BKoCIANmFRCLZCYMIVp8Pyjw1OvToUYlbG5tswAW\nvVFx5ymL\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUf0VW9tBTYfGyCJ78C81yXZBpWQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEF+WaJV/2GmF9uteJG2+xr/jY0bMWgqMSr+vowU1XtG\nYik4I7nLyscCokR5f5aNXCi0fGKd5Qlk2ELC4M3WcQejfDB6MB0GA1UdDgQWBBTE\nqL6jKk0YANwtCQoQl9plTG+baTAfBgNVHSMEGDAWgBTCErnx7eBkDf849jkZYmGS\nWCBPQDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgN6l101OZUIIUkZB0o75j\nW12+sS1QkCtEBEwFTaNQiaUCIQDyF92JoM050mDxNxkGQ45p1iMJjJr+hMycA1ju\nfUgd2w==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::chain-untrusted-root", - "features": null, - "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", - 
"validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUWy9rVQKTaC9g1XhgCTmsuPhWTz4wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB6brDn4J6d5\n7h5yyki+CXTeolUOvPPopcQEDJYmAZoaTizKOIagJP5zgj2WBOIe8yJfw0EgPDU1\nN5D/Jmx6s1ujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRbXT/ZE8e8V4AG/kTv01DDiRWs\nTDAKBggqhkjOPQQDAgNJADBGAiEAkqIRR6PzIPnC2Hq+92ojNWkBmCdvBIVJWtNk\nj/dc95wCIQDAHsO1I+oSdUyqVcDZQrdXdfq6p4i4eJXdAWyD25P8yg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJ6Nu8Vhxx2iAnCYL0CsZGhggJrQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPkbuBmctz5ni3Up/U318gOE5FnmvE4lREVN+y\n9JK0+hPyMx19jHHBWEm9r44rbqdlMKp35uK0lHuLs1cjflQao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGw9aFdUdwgvnhfx0Po5vrKwB2rUwCgYIKoZIzj0EAwIDSAAwRQIg\nPtT1nVgJaZIKUeXAo5jA+YZ8LDACL4IK58/jWJU9B3UCIQCSg3B54LoO/N5koP+x\na46OuaKeJOCxPqnwEWh27+uObQ==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUJT6SiL/+rFGiEcHe6KsMV3TFiSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyMjYyOTUzMjYwMDY1NTU5OTIyNDM1\nOTM2NzA0NzEwODU3MzE4NjA3MDcyODg3NTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBE8Kz4UCz2UAYiD7izVOBDoBPU9OaL5EJ/GEqiyaONiA5gH2WcTZq46lt5I5KQX7\neJQ5IRaqNLQrmOGDBPDUeo6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBsPWhXV\nHcIL54X8dD6Ob6ysAdq1MB0GA1UdDgQWBBS9wI3+nsrNRXQT4Tf4Fb+kP5qoozAK\nBggqhkjOPQQDAgNHADBEAiAw7Ogsn94MmZlY2sQuFh13z5CyvPnVnh8bLAwGl0tK\nhwIgdsHs9KzLk8TlbzwrHMxOb97AMGZNl/Zwg8MsRj+zwWs=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUUijCQXM7UuvzPu5dz3pyHFPOZNowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI2Mjk1MzI2MDA2NTU1OTkyMjQzNTkzNjcwNDcxMDg1NzMx\nODYwNzA3Mjg4NzU2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3lel\nwbZNkd8aChpbBtkN+RII3+hzFtKE03U+W5hRWGQKfmA093D+lC1mBnLoOC/zFT+z\nVTh3LYAU6P1qFHbseqN8MHowHQYDVR0OBBYEFK1Hj/iFoV6QUZqyDTvwT+Av3Flu\nMB8GA1UdIwQYMBaAFL3Ajf6eys1FdBPhN/gVv6Q/mqijMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAy3Pdl1sbzkH+5zFVYojAn8o/zMobI/5E/u80F7YJIYEC\nIH6INl4Qm3TVFxUMm5F18CljFSVomEYaYvTsiIiJP/dL\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::intermediate-ca-without-ca-bit", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> 
EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWsQOZLtXN7OI+tHArM8baIwKZxUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARerOyXfnLpOgDaKeXRAIAVeNX9Vt09oqADIrKb\ndYtY+TzjNnqxONtBhK92mL3D8iF3aU4mC8jksY7KFsZY8vvPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwrEqX9lffpgt1G+ttsbNHbrrCwkwCgYIKoZIzj0EAwIDSAAwRQIh\nANNh+HxPOsI6JykLfJjlknap9WBmS7UP7U7Hk5WwcKplAiBCOFsgKNdZf7h2/f/K\ntfWawxJHZD3TqzE3SfkyOMlQBQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUGHKsR30kFh8Me6tf1L5n31NkBtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA1MTgxODEzNjkyODIzMTU3OTA4NDky\nNTc2MjEzMDY2MjM0OTY1NjIxNzk0NjcwMjkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMc+yIOOnWWI6XfuCbHWx/wZJywoSYo4NwANGRPevPTPJvJNypWjonJmtMDN\nzvPxgA5AD2Bq50/KTHK0wjztwSKjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMKxKl/ZX36Y\nLdRvrbbGzR266wsJMB0GA1UdDgQWBBQAyGXI9FZ335HwDclSbMZlDfmCADAKBggq\nhkjOPQQDAgNJADBGAiEAkqTqbBc3ttr3qigXDpC3f8b0ck79CEzeA8+4/EXJpSkC\nIQCn6W1fwkVIXaKVU3oDeyosy3y6jJ7DouWzjyHtGpePxQ==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUbpdabzuP3fFTQClpyK+XCn4mSxkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTE4MTgxMzY5MjgyMzE1NzkwODQ5MjU3NjIxMzA2NjIzNDk2\nNTYyMTc5NDY3MDI5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvTj3BJxKUYYtWA0Epj1hnm1onGlX4euE87ns6a6h2wVCo0qVQpG+C9YPXJUoLHbW\n9Z/Yxa2SKkRbv9Pk9L5DRqN8MHowHQYDVR0OBBYEFHPreTz49+vGFnkSXYneIHRR\nyBqPMB8GA1UdIwQYMBaAFADIZcj0VnffkfANyVJsxmUN+YIAMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA6ctHpahVOH3liHNYi0/Ufaaw/+xBXc4zcj9WQx4W\ntlkCID+PqnOIOpNkT5Hx/W2jIhErB/by0QcUgbzrF/G7M6P8\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::intermediate-ca-missing-basic-constraints", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATSgAwIBAgITKzxLdtMPnsDSO2F9+n4Q6CXA9TAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2\nOTA1MDMwMDAwMDFaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABLivw3hfJMcmdehbaq457zQvJDQV0FmYJCGHXhmO\nGtB1GGsyb2bKwgVmAdO2wiwvTJO2Nf6/KL4vJdYfofxnuqyjVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSm9j9IAUN/lqZxs4BFVMkqTiZpXTAKBggqhkjOPQQDAgNIADBFAiBU\nuysYfzIQALV70mvWWDkfs/a6KBrMVlRMTxgNKD+/dAIhAMadtqIlruOKcqmO1eSu\nqkQo5Hutwb/WrKtJbx8TjJ7x\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIURL8d6StsQakYbkL1XproYqGJZ+QwCgYIKoZIzj0EAwIw\nZzE2MDQGA1UECwwtOTY0MTg0NDU5ODE1MDM2NDMzOTA5NTIzNDU5NzMyMTUyMTA1\nMDk4OTIwMTgxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRo\nbGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtiyX\nH6CoDQ1/4EwH687S1UvdPjk/jh2tnJAZhqdy5HU1trNOrKLr4u8/JUn56alyqe7u\ncJwysBMcoTbh6vSfF6N8MHowHQYDVR0OBBYEFG4YoVkS1lnrww1jd3Hg/+xJNdsp\nMB8GA1UdIwQYMBaAFMQrWZgvQKp2CtvBkfD5xQsRg19/MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAafWVT4ywh7Juy8LAKZ60CqOHDZpuJPFlqvGY9G8S9zgIh\nAK6fZVYhBrw+WJy2ET1BfHQoxOhqVAYa/a2vlJ20TnEN\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::root-missing-basic-constraints", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST 
include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUPIMoca2qs49u6TeDuhvmMuZV4p4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnydNyEn+QGFnCWWDmFjE/uTSSIinE5diipZPd\n+VpMhVo6s72XTZkPulIPBEMoHxPza1x8uqf6qleTD7Jmj2Xto0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFANKM1pKwrvQ\nM59TsaPHpiL/EEILMAoGCCqGSM49BAMCA0gAMEUCIBrYdL/GW96nqsGkmSUxReOT\n9HuyheV3JHXz+bZkSFAIAiEAzEYurRaoUm2zsfLY5XxwXW6wXM60lhIbyBZm0v4R\n+Wk=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUL1AqcI+a5gonCifro48e1G/rwlYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOrS7EwPTvV4Ks3Nh1on7hkvLtoykS8nCMAqPGv0Czpo\n4TqAfxsI71/lGwv4EFCrQUWWZrZoM7ojGlD1s454CUGjfDB6MB0GA1UdDgQWBBQV\nmNalQutuv35RPktwEKGHZKBrhzAfBgNVHSMEGDAWgBQDSjNaSsK70DOfU7Gjx6Yi\n/xBCCzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANnERNyGBpSq6oUY5Tfv\noq9V3hq6Uh6B2PzvOJch7vNWAiBE5vh4Rz7LYg4q3IkuVYJOdwe2YFM7viw1LkIE\ndBiPSw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::root-non-critical-basic-constraints", - 
"features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUBuDte23kPFdwKdl3+pk8WMrMv+wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9kK+BFM9V302o0a4AmCfHN3D/H5+fLiWwjxEp\nRn2ewQqR3wXAOt76kzwKPyePOkuPdJeaHIZ7ZwZybEMbN+Dzo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQU4akcaZA2sQ+vee9V9oRZ09o4+MQwCgYIKoZIzj0EAwIDSAAwRQIgUjPd\nyBR9EIK9cX0VFGC8VpwjmaKBsDTCHMvgUuxEgFYCIQDVsuLlWrUFPWdarNO8LyHo\nJkT359H+BNQVr5zqNtZC5A==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUaDY+kBijQnMKtlQYCjyjflvx7Q0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMoJgsnvMsLNnjWX+ucmslG6sB630jjzwUuyCawtI4+N\nxBo8SD1hmu9fFGun1n0mX5FFZ82TlURZpLzg9/WrBcejfDB6MB0GA1UdDgQWBBRY\nsBbG2/FbEa2aaHrlEDASSDotKDAfBgNVHSMEGDAWgBThqRxpkDaxD69571X2hFnT\n2jj4xDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgeRuRzT11m9w+gO84yUg8\nW7R/NHIQl36peAwgk7moa9ECIQCTIf3T2KcmjbISCAyGsFsQbFknTNw3QACQLQKI\n7kp5Qw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - 
"extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::root-inconsistent-ca-extensions", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUJeGHQ7u+NlQGUaWVRDksR8bDjUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASvZVYhH9ArslhO5Pj6jqtU7tgGOarASU3pVjf3\ni5kotogaQLfH/hmv0qKIKWtBlkA5EQboOeCXz9kyVkq6Qz1Eo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBSvIBAYj8j5FNW76aeivFmPlv5KmjAKBggqhkjOPQQDAgNIADBFAiBW\n7psl0NDJX+JAnzwhK04+ejyiWElowEnSwXFUs4phFgIhAI2TtJ3riViEElyGR2Ig\n0PxfPKsnnvgauxnIyquVdyfZ\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUNjFdjmtyx3Gz3O3Vj7Q3dAkk7a4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI3LFTzryRKOCptIrjoHIzTdFf2w7xJS0DqyNQ7bRrqV\nF4LowAcZ5K7PFnOujcPGqdWdfexjdp454FqUtX6uS9+jfDB6MB0GA1UdDgQWBBRI\nTz0Sdnhpy68PufXr1p5GvXUiDjAfBgNVHSMEGDAWgBSvIBAYj8j5FNW76aeivFmP\nlv5KmjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPzPo80wOzg9IYNEoB+X\n+RoabD981R09/MNhQm4hXrhfAiEA2e7d1LXbJhDGcvYQzf4uprTdp69LlkYNeAHL\n//Xb8I8=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ica-ku-keycertsign", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUB/edGv1Vk+1eWjxEctxysivIAiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxXKUSxhn+TAsomj+Y75XVpvQyaJb7o3t+9Ey7\nQXSyVJ86/NeXGYMHzwPdO+aqjx7vSkIErjcCfpS/0zr0uClXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUcuIqTiQhXzIE6Vu66RhdxSlXBhEwCgYIKoZIzj0EAwIDSAAwRQIg\nNZMXY5if7lqaK0rEpK9GYWigJpi90aheonwZil9VtrkCIQCyArb860IM0vqhSqZ2\nfIaqok3tCZ8NOuBJpWEH0jBkgQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUbVaIyXWcRv3FLJhvUbDrF0FRW2UwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDU0ODQ5MDUyNzI3NzU3OTUzNzU3NjEwMDcyNzg3OTYyNDY5\nMjA5NjgyNzQ0NzYxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT/WGkd\nKsjrT0zq+8jo/CMTjFT2bvDCitmxIJSD8tYgPtttnWeGyWJahIz9+95udZ+U7aR+\nIS9fs47hMevxZ/e9o3wwejAdBgNVHQ4EFgQUZkkj6eDpJN5lcXpBbsY/iakLe0Yw\nHwYDVR0jBBgwFoAUfPPnUdqdy89Ds0HE8uEaLfGy3H0wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIHkOalcN63E4ViFBCClIGTdAO2WB4n/DD8UmMvxMxGSOAiEA\nimdXp4RKUhaQn6qAnlO5e5Zuytg5WzVNL/DVkWM+d7U=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::leaf-ku-keycertsign", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. 
This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVC/8MnKVXvJ1gsCefnpa0pLxNR0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQC29VxgsxINlIlDcB0YliolRpxhR+/bwzc+pQA\nIzWxBFSjFBL43QmYfhFJvNy8AgxMGQ/c7T6L2vvvtVilCQ8Ko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg8eqF1pJ9mq7/ICUPYlaLJKV9q4wCgYIKoZIzj0EAwIDSQAwRgIh\nAKf9YBoXaWq1KrVpUxl6fZ3ZmhN+1Rlnw+e4MP/Ove6CAiEAwscbZXz+wmJN9tUj\ndlDBTUt3rHAB+ePZsWMV0m67FT4=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUPikVkDkhYOa12OJiOAdRdLwS2nEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKttpwHjS7VAJvJJbZmjNkJZ6vmkcgfL9WwtwegVQ6/r\nkGC2/OGhwgs2RHvUnPLqNqKuYpSqtkn8X++g60liBy+jgYswgYgwHQYDVR0OBBYE\nFAjpzLZOJFKuAHG22IIDCP6MiaO8MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\ng8eqF1pJ9mq7/ICUPYlaLJKV9q4wCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIQDe3onhgge7g/t3z+rWE8gRKeQOX3/DRqOYZvM8m82QnQIgVyWtgu5ORiajr1LW\nzchi2HDo3b8UaQU8T61e8ZSvNek=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - 
"expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dns-mismatch", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUX8CUTIu8sI5XXpa7cQJQFbD/MGAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJzyhyiurjTREs4UVS+tZy1vvYP4czj5s4+VSh\nKy/78eLVgjyzC41MC0ahi++ZmQAkE8Nrm7ps9VsmLLmR9qm8o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoi1xbfHY/JggppzTOlJDhdVwrZcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHEu+gdrMtAgtWJT/wbdVK9a\nxT4zyVF8uMteuWpKdZZZAiApKVBLdRSzoH2lrfdfHX140eEYMmODwmH98lF+0SfK\nzQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUSkaT4ogRe722nvptXh260K7BVMgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBuiTYM/DC+DhyJxbp10NKnB4eU2qXcr0D/IhSBHthss\n0eyr2KaDCCmZGzavSFppgg8eYi/16OuVzAwl+e8huFyjgYAwfjAdBgNVHQ4EFgQU\np3bfMwcfB5wFZILDuPSq2yOSJ5swHwYDVR0jBBgwFoAUoi1xbfHY/JggppzTOlJD\nhdVwrZcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA0H1L5YOdwOG9\nr+04X0ucWyC2fhKsVeMiaOyUqZRjJ8QCIQCe3aQgoBNbvSwexTkqCwAWibMdyCNo\nMPy+SkoG4taAlg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": 
"FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-dns-match", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUUvir3cXSsIze7VlvFFvrI+cg7EIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtl0rlapwYnCt2a7KJgiowkO3TE33Iw2gidEpp\n2J4Fs3jonw3RQ/7mtctqTpFPFoHW8PMlD3Bf/g2/rjkhJQLqo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqMr6iVHfIyckj/srYpBsBAVa+6gwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIFIyHfD3XIrwkXCCAMbFoA7K\nGyde5RbR3tAmDdrFRZCqAiBbxpPhHNbwMIqpKNhgt/Q8RyHWmJmQe0NfwaC0kbzY\nUw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUMKpc3R80JVcOTRqf7sN52B+iW6gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCD+7ddZVOwL2qzn1n1nP2mFcYDHZrbaU/ldvdP/6rmw\nYSCAnGKHDOQKc5TJ0hL13SMSPOGBEzLsf0LoErUIFLSjfDB6MB0GA1UdDgQWBBS6\n/Exxx6VHM2DDlLcn+3KG36/6AzAfBgNVHSMEGDAWgBSoyvqJUd8jJySP+ytikGwE\nBVr7qDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJVaB1pQxX3W/wgxk2/M\nrhEJlpF89A1ORjt3OzURwykRAiBkd8mJpEsyXX56VcZ3k/R9Jirkhstp1Ele+Utr\ny5kZRg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": 
null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dns-match", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUc+L8Nwr/bnLRTgKQ4N+hKn0YjgswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR1fCCvTeLjPK4XnsEqy2kLDnfzL/6nwgJTA0WO\nVyq4dUCrKDSHrK4IwKHvPAd9IvCusnrYr4U13SDISZKCdwyBo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUO9BuWn99lZ0Vd1FTsBGw7MCyRaswHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIADKKsdWuf9f/vbr0w5BK8HQ\nLtpBWoRMftwwzcBMY4WEAiBOWV2IL5DEbGRhx4RTQhcAyCJZv2XGHx4MAsWmLwXq\nhw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUd/80xfLfgCudax3A81k1HDr8ktMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJiJkCb8sWOhqh6opRT/6jqRaOcOBsWxLkKIBZIKr8UG\nHSniqI7XJ2tmOFUMw5G0GO1pmTOOP3xOO8VRD3Chy96jfDB6MB0GA1UdDgQWBBR1\nynBiZ07I1sVY/g2YWgxpsRIukTAfBgNVHSMEGDAWgBQ70G5af32VnRV3UVOwEbDs\nwLJFqzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBkcbQZRPFI+Y1kwzyW4x\nfXRd+E2UNT5+jwU6V6ese6ECICNCX+3EYn3+vEkp1LkiH353u7PApa/e3iThMFtJ\nfkTy\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - 
"extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dns-match-more", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIURCXjG8Zo83I0enM+TOXzJTL5vIowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrMPaUKmsCS7ipV38oEEN4Vwp1h+5AItzqcBW0\n209kdQ8kVDT50Xm/rDU67A0HXiYwAH10hMS68dYUkDSQyDFIo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM5LLuyugbso4p1c5KX4sQuggGXUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDXdUoV1I2UjyVs2DTHIcFb\n57cCpwh+0QQw2B4GI0AccgIgBEmWWF6JIdfPaBagQt/zErDBdlWNAug4QptYxt22\nOYo=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUTo6Lsg1gJ5VaYQ8o8GbsjCb/+UswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNkUp/6vSYEdPztmto21dM7iTKCsKq0gvEBdac0XfyRJ\ntWF5kn1prRNDqlv7mAT83meS7t81p1HHCKmyA+3aU8KjgYUwgYIwHQYDVR0OBBYE\nFPrTxpLaswx6TdugXFZCD4a7f0PLMB8GA1UdIwQYMBaAFDOSy7sroG7KOKdXOSl+\nLELoIBl1MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBmugA24\nsLpoWZoIIdMh0oaHhLW6jSSxDTs+eLceO5ZMAiEAtO7aSHXZiDNFJd03nuA5qAze\n+8L7td3oqOg7gc6bHOQ=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "foo.bar.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-dns-match-second", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". 
This should match the leaf's second\nSubjectAlternativeName entry.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIURr3f2sdDSPYH7aKKezIusehvwiUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZKhllN6Aip2Ig+LB0S2Gem7MG6PNq4Kp6Vwu/\nddJnGARuUOl2w79Z2Rj0y6SjVwexDCK11k+4iVzM+QEXdjgVo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTOU9vAZlSiycSvfkP6CDRZBigSTDApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKif\nO/A5k/5FU+FyguWdbKnkw/duhtbUd3RkEwhH1jO5AiEA0kfcyqOx46ozFDGqvnQw\ng4YW/k205GxFdk7RiDwQfFg=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIUfRV9vV8ekE5mzfRHscTmhQxbe/IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAZ19obrTAm3jsDUsns+0s944L+K8t72geXQZGwDwzL7\neakbq8eegiP65HpR4LTqxcltW97ERlLlqooNU7gIonWjgZYwgZMwHQYDVR0OBBYE\nFLJ9csbcI8QN8BTjaSRPrWBjMqzMMB8GA1UdIwQYMBaAFM5T28BmVKLJxK9+Q/oI\nNFkGKBJMMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSQAwRgIhAIilXmZoFnjlWmapPp0gkdVnRKtbq5htvqkzr4c4UDRMAiEA\n+rYmTNmjcCLmJ+pKaE59j7aHigSDJ4K8D563fjgffQg=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-ip-mismatch", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> 
leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUBXKzop8h92ZokXkDb2YrQUXn4bMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwNSLL3pOxc1w9L6qCnFEsP9Pbtm6QM+B1AD67\nq8xVFACOGC1v6qITezek/0ngQmwpl+9sqIJhVpEQmehIlcE/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQPuwkTTc136qqb6hl4mCQfANb+QwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFkXO6Rzxd8d2rgbNeQJP30dG47O\nu69kynrHRzL0w9jrAiEAuQGI14z9XiGgMUuqkYHj4aOP2VEw0j5PPOIN2f5X13Y=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUBrP30wtbV3PYE7MSsGJ/FeULWBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMU0kInuvVH7QM++4dVMwyMQitYxfN11CGGIT9eeJv2e\nl3p3t2nJuAtEgQJSCyj1XmsRpuY9vCvSeWUvJGQyF/2jdTBzMB0GA1UdDgQWBBQF\nNzaRzrFr5xXrAqK+8juHHgEDVDAfBgNVHSMEGDAWgBRA+7CRNNzXfqqpvqGXiYJB\n8A1v5DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNIADBFAiAbtu2iIaKfvg30Lcny6pG7V+URnFGg\njTJCikej0eFzxgIhAPosBFS0OC5BX8ifpW8dvEFXYVwyufx2V7E+4C96woSj\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "IP", - "value": "192.0.3.1" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-ip-match", - "features": null, - "description": "Produces the following 
**invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUQvM9vULuFxUYI9VYaGqwDRE2ZsowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASpI9eXOm2YZ0BCOWVv7rReBPbasUEtp/ZqvZG7\nQjgkbqxT0rumB33jUtkGvCJzjZZgnYfQ13MrCQ28hS5fQYWso3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUttImhLo/oO6J51I6vtwQm2QmcN0wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQC896ShkSAT/5DreRfSadLgm14v\n0gOZz+TCY2bWB93VhwIhAK+GeCjAlu0QpFPbldmgu4LomobDWtR70zI/GLkwvkR+\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUfru1ZtCPT3Hf/MVCzlcg0iwilZAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG1d8jp7t6jtX7Pijgn+aXpyVlJDyuaGL2xXyE6RiPLC\nP9zIBsbJmQQlIO2B2y2VQypnf1+o6vq7olEuYSIUb9SjdTBzMB0GA1UdDgQWBBQY\n63WdFWeN5tyEWrzX3gLyQES5tDAfBgNVHSMEGDAWgBS20iaEuj+g7onnUjq+3BCb\nZCZw3TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiBz55beS8t5Q/+m6Pfmzy6uJZ91k1af\nJgPK0baejfBETgIhAMTreWJ/TjT6t2ZFhPvajBc/sEIRXNbJpgi6zkLr1Wkr\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "IP", - "value": "192.0.2.1" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-ip-match", - "features": null, - "description": 
"Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUGLu6y0CutctffkBhNDHgp8B2cJowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATCqLJGMSEa+Dj9ROaI7mHx0RBQQL6OWMRJDsje\nEZjrq6UBYxxF/prndb8BPLLVkzYbb/ZO3GBveREOK04g8G0Fo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgh/yKhvaBgan8G++iN7MqW4+yeAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIEep8+SckA7lNhD5klxrWdm9QUp3\nuGSx/vxbNaccC7pyAiB9BkK9GlksdbX1clWFeLwlgJxw9ORHUmu1dV5XHx8mhQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUYdWPX8GFu4ucJdYvGZrK7LUXWqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDe3aog3fZ2IeO3L/gYIBMQ2H1NMVpSDa2yvKyNj48u7\nBPU+XZAgykdIoTjPn1hum/7KBv0l/ejTdffeOhEmAOOjdTBzMB0GA1UdDgQWBBSQ\no2FObtmlECzJkNFCTvKA0hYZbjAfBgNVHSMEGDAWgBSCH/IqG9oGBqfwb76I3syp\nbj7J4DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEAnTE2SftvSrGpcS6yCdx/BTn00R4d\nJs5bzxclgW2mK+ECIQDs1e3G58+78rc6PqmCebkwHVyHtjPVLyG6ZbmYMpp8JA==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "IP", - "value": "192.0.2.1" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dn-mismatch", - 
"features": [ - "name-constraint-dn" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUWNJggdNtXRsm4E8raJLk5zdNJZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5CSrm/yWyA+4JiIAqTGhn53AKfIZAMV845zxR\nA55XZ9xX+Q1pi+kSXN5DyQyXrPv5SzPiPBCpvnC5iDOZUZgxo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYoKNRX6aBCTB6Ro3mr+Vj2fVh/owIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgP38jSIibu+4mYZ8n\nuQSKa+xY1mgbn5uubYZuplgtYZ0CIQC3ISYrbZBOxgPuy9Oi0Z7SRmZKMsQvNr/P\nVR0FNA4/4Q==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUE1sKMfa5651DqDdivFT819ieplgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEjPMeDwpihcKw2aDJnAvsaQaJYWDMrkxbp6sAlJ5JoZzPxx2t\nnjN/kKIqhBlrcxtH4u+END5Yov75Z/hVj7dqV6OBhjCBgzAdBgNVHQ4EFgQUbbEa\n1uHylxN+GDrFOjxdoundFJAwHwYDVR0jBBgwFoAUYoKNRX6aBCTB6Ro3mr+Vj2fV\nh/owCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIETZDh/ARBL6\neJaTv/j22i8MoGe0T+2ShhrP8v1BD8S5AiEA8iirCqlninpR5vCnCTX2QvBYhRC2\ncaZNJzWsVZc59tA=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - 
"max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-dn-match", - "features": [ - "name-constraint-dn" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUHiZsdAz/Nz1u4fj0jtLddX+iRmswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNENXdG3ygcTLZKq/7Mby73c/lbQ4yrT6XorF6\nb9lDnT9qE9GeIv26VPiiEIezBBwHvo1p5HJa3WRu7cIdq/Tio3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6Had7KH0gPacHhnL2s4waHCatUMwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAL+DBGt2cC9jRnij\n6/pnlrAcLJfSC/zCrE+9lgx4YI4eAiEA8dDSZYDTpB1SfFXW2qqgV4GVsBbbt/Td\nCunkec5Z4LQ=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUFEVDZmlZzO13Nd/9N4ga5hp0qsQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATJVbpHRneoc60p3b8pco9wjrQyf01vMXANlnVhq0Zm8CB+HLa7Z+rq\nTSk7w47Tpfq7Wgez2of/ZJze7fna4M+5o4GBMH8wHQYDVR0OBBYEFN9S/c55PFR/\n999PKyc/RdCUL3gGMB8GA1UdIwQYMBaAFOh2neyh9ID2nB4Zy9rOMGhwmrVDMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCICtYHBAQkA3fe1TeJxk1kVlL\nsdu5f8faOYquOUGNvcUQAiEA35uhF0DR8lXDdxQ55yFj5DxQgeglqZlcg/BQ95BV\nPeM=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": 
"example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dn-match", - "features": [ - "name-constraint-dn" - ], - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUW3ylN+Boqcd9N9FwMbh4pniQyJwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ05PnCe4Po1q8vQ+eM9MXUKH9ug6L/khFFpmfT\nxLlyd39NdaQckcgrqcCCwlG0joa5WaDCeV4FSHqq1weh2zpfo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFI7ASVR5m3MZNbEdAkQo2ZA35SYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgdskaqXOhfvy7zrAT\nTw1HkD5nXhOlR6cyt+orm44WJPUCIQDa0uKz2VdlVS8J1xVObn+k0GxtXfUvotne\n4ca+FQyeiA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUHqVBim02VpLyQTQflgfoY9vqkl4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQlv1qjIl3cTQ3Uyf92YVn7Ny9GaRbr2mU1mZMoCEV0SadSZJ5CmvzG\nCHXMg/dfVnBpLL3ig1pEmRt71lw8FHQqo4GBMH8wHQYDVR0OBBYEFLdNJAt97+YL\n+j3Ss9tf0wuqtg7ZMB8GA1UdIwQYMBaAFBSOwElUeZtzGTWxHQJEKNmQN+UmMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0cAMEQCIAV39/SekmI/0vZGSOrn+WHt\npATh8N2tSfrIOzM9RgYLAiBBtz/lRN7kPvRoh7MAnUbuNEim+NHcPBMItE1BrZb7\nVg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - 
"expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-dn-match-subject-san-mismatch", - "features": [ - "name-constraint-dn" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUXsZ/dur6kM1BSxg7g843/9OPQMowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYtdiqtm2dTeaOrxz1i4gxoaJBZk/tvVLi9U+T\nDeep9p3MS7WhW2qHdcRJLayccsUl+KI4k3tiEgtRvk8QPhc2o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvyq+cRhMOfaqJjtEcWaTeBc861UwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhANaTRgURGbw/rayP\n6uAvrEyvjX0PTkMg/nrwm2mDJpptAiEArzZA4sYScpojyL+eDjFPlKzPpQrlQ///\n57qzHvf0emM=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUQxqI0MP4GGmoU2wXqwrxwg5Rc+AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEcPPx/QSOoy/488X0k70lmpO2hnipip5epsIwQ4+KLJjEwCws\nhXW2wkjUTb15d6MmedkDVYzXxpHxC3vRqRqugqOBgTB/MB0GA1UdDgQWBBSBxpSf\n/WySL4oycduLfCtIk+ZteDAfBgNVHSMEGDAWgBS/Kr5xGEw59qomO0RxZpN4Fzzr\nVTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNJADBGAiEAl88HEyAo6jsSZL2J\niYPy5LTH90g7eQQMOs6pqYOwm8MCIQDl5Msvb6JkUHx2UGTvozC8ZC59oHipGnRb\naWxT41sB8Q==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-dn-match-sub-mismatch", - "features": [ - "name-constraint-dn" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUNYf6GaZhjwPZYfPH8nq7O94FWTswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKFqO1MyXXi4dNx39lU9MNeiiDmJEZ8cocDtq9\nr0BLZjnHWeOoO4xScaSapmurzJ+O3CU380Com1qyCgQT3yJIo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0pJshXEC9CF9S6rR8V7VR3Dn2HAwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgTZBBAD4YjBbKmYPZ\nfW5/A0aSpHMvvkpHKlNmHvmFKd4CIQC1VVFlPFYfWJt8UDJY2T2geTTae1o7gnbb\nOe0kWjA2aA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUdK053QSmGFpgw5aAhqELK+NGS2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQSJD05oU3X/YiwakPNpHLEi8CJEsRyFyxtsfQcL+dOf0oRqYnViV7F\nFkBwbbNZhIYi35IQRODMUR2Kd42UjItno4GGMIGDMB0GA1UdDgQWBBSOHlfqpTwx\nSesa9Tdue78+dQyyTDAfBgNVHSMEGDAWgBTSkmyFcQL0IX1LqtHxXtVHcOfYcDAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAJqPAUCydLFht2v1\njOh7xeQags+kZNzyJCv0IcfEG0ugAiEAje+bc3qFG38IhRBlbxcpPyMDLkW14V69\ndLxiLuOww7E=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-self-issued", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has 
a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUSJwfxliyPCvWdya2j0fx6LMsSUswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxsJjyAxXgU7Vfw+6WoXUtt0MwSXZLJ+eU1iS2\ndwgEEOedTWy+KRY5jr/iKL7gxRv0q+NDDBy79tfPRrLUc1WMo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFHyOKbYC7muvIcwMySIe4Nee/hKRMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjauTX3BeHTO7dB2y\nqIyShK4T79Kb6Ftc8vP8JToZVPsCIFe1//NAUZM4GxrTCUM0ESS9JFlRkCO0iPbu\nKGk2xGkT\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUG/Jq0XiPdwjckFeGQJVdFX7DW1kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZqT1tI641XQtqKgVXRnW57gTJnBu6osXBjHMS\nCqimhJkN5cRJMydzFV1m5l6QkRuxcEDjenG/GHcJG0V1h2+vo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUfI4ptgLua68hzAzJIh7g157+EpEwHQYDVR0OBBYEFD1z\nRSnG9G1GDQnJBPFnabQKh278MAoGCCqGSM49BAMCA0cAMEQCIB+PYEay11lGKcMM\nqSmzXmHwvFOMJr19/I48IfmEdZn7AiBrnfUStC0mi9cSlwbe9WQZVzD5dJDGnK/Q\nsNwcuxUijA==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUDSAwdOWy+pti2NwXnOsEDsSikrQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOZDOHMAtjGNh/xBdO/cye5MsM3TLWHHaoUAsRV4B/5V\nP5mvsn7Q92HFCMjlwBrBvLIr3OO55H81uFWRUsNvcLWjfDB6MB0GA1UdDgQWBBSr\n1jf2BHBN0e4lMKuvtjb/OzMRXjAfBgNVHSMEGDAWgBQ9c0UpxvRtRg0JyQTxZ2m0\nCodu/DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKnv/QTE2D8EVowgM3WaN\n+GAzgqq36gyAIlz+4U1/Cp4CIC940ccKO5TIv+ba/M7XfLU5nnD1KiPwGgVxE8NM\nqFPY\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-self-issued-leaf", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). 
(This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUbo8WqpsEfe0e9R5JF9BAC15+KeUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQxLy/SPsCObUCvN6Blb0XS8Y8E9TLSx3XQ92yY\n+AVfK+6R+cUB6XvAAfdNT7YHZADq2n1hdSoPDKDp76oayCLvo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUd1e7GS7Yn3854KWM93OwclZbqBcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqjAOAchat8Yw1bfgnP3m1\nl+X1Cqq6ld2d5ayOIRE58AIhAI7PEkel1k37UZT9sfOeiFlCPBhTzhrBIobn1KKd\nm9SL\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUWGDNYFIeudEXoRW0V3OMw5SafqEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATaDrTGqhWRZCfYmoBtNXBBZKkrb8U/we9e6HG4\n7Bf7oW2WkWHKiXfM9S4QHje3kGRmDuKsj+kt8mIIHBcWzxSLo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUd1e7GS7Yn3854KWM93OwclZbqBcwHQYDVR0OBBYEFJb9\nME1/hJPyHbroCCP1kUrJHDvsMAoGCCqGSM49BAMCA0gAMEUCIQDbcJsGpqyzn0e+\nqNghIHZ1Ym0WCmYBaCf3nNwyMMbPiwIgGbIbkoInLpIKFpHgivGy7kJX35Ydy4Cz\nRYWNE7UgMTI=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUOxed5KOCrPWN0sUGB8WXv7CdH+8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRadjlp6unaYKK7s42oTJHkJsNQSYuZ4hQGf3I\nwcDvV43A1SA0OQHPbXF9ZwCIqGmK/Fuv9OCprNQ3cYd/5v7co4GAMH4wHQYDVR0O\nBBYEFKYuHFiWc9vHKmez1fMcSF7lCt7EMB8GA1UdIwQYMBaAFJb9ME1/hJPyHbro\nCCP1kUrJHDvsMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPaOwWqX\nC9H2BItj24S+hZoL2gMrbnehkgi+qxeo6qOWAiAIx4cugUKQs31lNnhuUF7/Z9a+\nSmeETpYo8QunNLZEgg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "not-example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-match-permitted-and-excluded", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUQgXRHjJPkrCdv/1iHXzVIxK/OhYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ3bKppUPbjhMMc9+bsdkMlQX1gJGupDqjlXSEr\nBGifE2O0euCE8TTcdtuQmzv5/nXCbE/x8Oki9rF4euDyQqZSo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTLf6sipAQSaS1v9+HxqvCtf9KfFTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiAbSELct1K7oOpKGQ/c+ulczy99yZOs0BdfhSP/T9ainwIgWbCVPwMzqeh2leio\nrdjRTeOGhQMO5LjDMgRIxehUH1I=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUS6aGKP6jY5eNgfRJNyeOVPxnFTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNt/i+Vmdkbdj/m7TibyTO2PzxYwY1GZv85lqDNFzmll\nLR8AzTNyWopeLddPdI9dmRH/UAMa/CCIIscUHopxObSjfDB6MB0GA1UdDgQWBBQV\nakR9Pccly2IXk3p38kxZrg/mNDAfBgNVHSMEGDAWgBTLf6sipAQSaS1v9+HxqvCt\nf9KfFTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBYN4Uqul1u8vxsUCYch4\nqbxY2LsgchEOwT/Y/4WaItQCIGZYJOBS9dNgFz66ocZy2y5QY+ZKi91YNazsrSCb\na73K\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-permitted-different-constraint-type", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a 
dNSName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUT+pjOtJQjEts9116oetcv8te2kQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATDXT1Xk54WbfTKnvfv41aB9IFllIKIeNBe5lfd\nJvKseFqaemGk+v2ylMKhazICxlHElGaulA+qCaAumll54ggfo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzbJJtmdJbi1OzQ6vDBdqpiYlAhYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBvFBSnN72zhc2sEMtv8AoJgg5SF\nU3sC4pK+1IY9QJw2AiAyp8yxU+i2lGNaJuhTQYzggW2wbkkxzrtE19x/ITaDcA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWhBEzH/P5RB2Iiy7kNOmrhIywHswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCA9N3bNpcWS4j+A2jdlm2heOJXTTOJbYgu1J9UqdtMG\nqY/OKEY/Fn53P9WNhs1aVj4pc3HgNOdU7eTOEi0MLFKjfDB6MB0GA1UdDgQWBBR3\nMuFojqwn2D+o47AxX95OmSe5ZTAfBgNVHSMEGDAWgBTNskm2Z0luLU7NDq8MF2qm\nJiUCFjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJ8FJPkg6nLf/HMLWiEx\nIbTrIumUAoOGCazEvNiZ1UihAiBd3+FpJAvd40pUaj10/3gBDIKr8Lr1Dg6VmaEY\n29RvFA==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-excluded-different-constraint-type", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, 
while the leaf's SubjectAlternativeName is a dNSName.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUXMmofk5f2fYH9SuUjBBpAMIPVT4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATi7smVIeuKppJ9UezJWlXWaE443GeWNskzOnTP\nIjZcb58Y9NOje5kTQyENJewV3Rfh44Cr+4KWKdDoM3Uu1faGo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgRW8CIzyhlKkZfMCY40CD2pIr54wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQCLGHHaioFYfraWaJHaLB85d1KM\nhtEo7JXWKE1aQvlkkAIgN/pIGLtjSfa24c9uujdvE5bB3UuylybOW9lhdZgfemc=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUIlKNOZ7SWbrlHZNTUSKsmbapf9AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB4N6muXmIZ84liGb5IeLh+2KFcHJy5bKefjKzml9TIo\nB1PKBuxP8qFfYdC+/txZfoDR11Tq7IZc097LrBOEuD2jfDB6MB0GA1UdDgQWBBR7\nXm0ZPwGOcFOe+l+NPOd/EfeAXjAfBgNVHSMEGDAWgBSBFbwIjPKGUqRl8wJjjQIP\nakivnjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJsXbak9DorEIR0QkVxs\nhtLVh8mVKEnmkH8fICeSVZV0AiEAva5Vt2igbKVC1UnmPlTf47m3STHqSWI2A/Hf\ndSz7EFg=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-invalid-dnsname", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed 
dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUHWJp+yoH9yU7g7byaux44LPwTPswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASsPcFCevyFkjlRGGq0+bLpfmNIb+t+3lKaf5D6\nL9VsGkN61g9mLu8ro6iRruRAWqqx/XIfV3LjSMbbeDH4VZufo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOjiKyM9pf1yI0Dkyp5vY7YMZfqEwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgL8E8/IwlSQEF85209qeh\nyWKs6tj9NQiBy+HJV+T1rToCIQD8RzLh0NIDzRI4nfBcofLWN4MytrwPXstwy5O8\ncsiVLw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUYwthnYzP4eyJVdu9QbgDfqfgP98wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKN0Qg3D14ROVxgZTHKQhufJl3N2KgQWLtAtXzEHzQZM\nncvFYwSpmxM/qdQN28fApTT9MF7S7tgwSutKFWz5S+ijgYAwfjAdBgNVHQ4EFgQU\n+Fm4bEywl3kelgOpFhrwy4Ugz38wHwYDVR0jBBgwFoAUOjiKyM9pf1yI0Dkyp5vY\n7YMZfqEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAlom+FOy9dfll\nBVTHikpE8TVacu7fAvL+NabgLsPrYpgCIQC46WKcSlkzmLh2cVOdub0Gidldq6B9\njpsx4tC0BKGNHw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "foo.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ca-nameconstraints-invalid-ipaddress", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a 
NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUNR2fqc9D9fDadQF/2QHzazHDYiQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASrf12QU5fBRpZvLd/wLYuxNjj9j+RLlOGmO0Zd\nkpI1WlmmIn3n2uogwsGZ7rdz8LCQQ56S1C9fMjUxwz7aazwwo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjXthZfq3a7N9qzmjo8UHtfEWrK8wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgVApXTkRT+eptAsyhJlWdaIn8CzBIUdyo\nWamOEDc8FvUCIQD5pNjkvVDFBSTgO7r5VGy17FsUWLyMmr8QHYal9GgqvA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUUCrZASXP2gUU13Akzqm+S8WC5GMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL6Ue5e3zBcQ9YdQPNCtbyLwp6LbB+nZY1+cmKBcH8XZ\nWrr0abwUPdHHPI4M6Y6n6VPkoEFdR3BvOHrAqRii8kGjdTBzMB0GA1UdDgQWBBQz\nNC2XjWdEYMSpuVAZrGOLib6YnzAfBgNVHSMEGDAWgBSNe2Fl+rdrs32rOaOjxQe1\n8RasrzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAjPz6hncTwS5QXJyWXIZOfxUkXP2S\ntZZ5Ghrv5NLp908CIQDCUuxan5d9Q7m4J3sCpNSAeFAbiUcXjRYq6d+jkyoV2g==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "IP", - "value": "127.0.0.1" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ee-aia", - "features": null, - "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", - 
"validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULPBqG+IoqDoAQV0ZuG3CuOs20DkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQib8uxxbWpVGLBp1Zy9Su/9r8pVMuwFJtz8lng\niRx/7XVDO5Hw8KSJBtDIoouO+UQTUH62it9vEvfFLTUexIbbo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1Lo9hqUPG4haBT01f3IlxSMlgAcwCgYIKoZIzj0EAwIDSAAwRQIh\nALlPdqS2xEmT6lBC+z95HXzdTdzj4qhNjvlZjIfVLrW6AiAXbmbl5gulBomajpZ2\n6pXiDBOHX1RpThr/L1DPGoLpvA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUDyYPBUJ9tlxifigWqa8JqeWO8uMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAn5518MyxLy1sPe5MBK3cJ8yPg9gxWaZN9nmeR/Pr8z\nhORV/TdtUhWBRI+dDG4+poR9KMporvIO106OSgoJWpqjgaYwgaMwHQYDVR0OBBYE\nFBDQ6tSM2EOGjDQt14iT0mN2fnx4MB8GA1UdIwQYMBaAFNS6PYalDxuIWgU9NX9y\nJcUjJYAHMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDwhoFQp4eoatr0E0dR8zLo3LrZ\niQ3WAvAYTsFdnlQdPQIhAOCqkaGWBygx1AaW5tRFcDjbh5M/MhG0kw5IhVUcziRO\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::ee-critical-aia-invalid", - "features": null, - "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. 
The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtZVe1pBodKV+QdyOY6/FuGspnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwRZxgwrNsNJRBJepCWDNkxn5vPFZKd/cHNWCz\naHvrdFpLcupfsWkjaJQIzxPtfWJzd9Nx3fNOmSymyzEAmFzFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs8jaANHsLpIBo6ZXUU+T2OgDsbUwCgYIKoZIzj0EAwIDSAAwRQIg\nZC6p6RYhoylhItGQbYggGP1o2MoLDQwMD5MoQDRWrkACIQDitp9ph9V6CNg24qlX\n0hoB60JlBtfVTmccsRjj5Wwo3g==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUBocERYKz6OsThmahdM0Zml9oHA0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJgf59QHcTyWzDk6qx4tnIsw1YRjT/OqnzuLHQlMwYSI\ns6eZU1s4St3MBiPctDrSoJdGJfYki4T+Y+GO6CfV9jSjgakwgaYwHQYDVR0OBBYE\nFFV4oa6Se3tcvvjtoqJ5QhM3ONrqMB8GA1UdIwQYMBaAFLPI2gDR7C6SAaOmV1FP\nk9joA7G1MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLG9e0qSjkXUlcNRumCznb\nEVM9Q6OZSlDbrFyIewY9qAIgZR97KdErHwXYiqqpY/oBYIeOb4a+BcJFp0xuczkk\nhJA=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::san-noncritical-with-empty-subject", - "features": null, - "description": "Produces an **invalid** 
chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXiGomwIDWjsDg8M+eQGWVmNd4mAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT95PXkAbmLYVigriyReCO2FnT8ojxQS9BqKvj/\nByIvfjZYLRkGTEddFgKRpjaDohigGWTYxoYnojDcF/QM8dXmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiIZrX3yke+BSO16IdILtV65PnFIwCgYIKoZIzj0EAwIDSAAwRQIh\nAMB9Jm4tLCNJO18weLgIbjqiy+7PRkx+rneGQrxTPEH8AiByX8BSNJI5dTLX/mzV\n5sqLz6iMZP/U8EZGSLSeDssqVA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmzCCAUCgAwIBAgIUPvO8qEt1ybtsqh2oRiiToPSwROUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETMFuRJeG\nHdZ5mImrAE0XpiWA23WlyqGusUrhp+aeCBHRD9Ju4SAIsT+ih3hUki3wlR4oG0OV\nABXuigcX36qUMKN8MHowHQYDVR0OBBYEFEXGHfjLKX6x/ZMdLRYWj1GmGH0tMB8G\nA1UdIwQYMBaAFIiGa198pHvgUjteiHSC7VeuT5xSMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEAxd1Kd0mqz5vumNgDoDMKtd2Qm5TYT5KN70nlP60quHICIQCp\n3uITTzEtHvbEz+ube7oP8MgWgBxBLDlsn4g1gQZ+pA==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": 
"rfc5280::serial-number-too-long", - "features": [ - "pedantic-serial-number" - ], - "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbYqsflU7j29n7uQRiLA86M/EakMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0+je6vp1vTi//MoHCVxLlaeoEEiu7RYRUSFj4\nVcpG3fWqL6Jlh8WUU6Xxl31MtmPi2mEtiQfvll4tsPo12HTHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7/0bWIx1IXPz1/3iX7Afd9VaYgYwCgYIKoZIzj0EAwIDSAAwRQIg\nIxVRdwE3gVDbXmuFdmW9iJtGfjuEYW50jQKb92NsD7ACIQDOeIUPIVr5XLgwChz+\npHiOnQgbqZszRRK++fFA5Fu1Cw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIXAM8g/LdqrInDZKdIMwZn6gjlcZn2WOUwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoY\nDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEXqr2pdUyH4Xn3QcZ4jVMrs9OVujrZtXuzNI7pC\nYkcRaDtl+Ud2Mf3mxT/DQqfz1O9AwU08sJgVLtP5dtcJqK2jfDB6MB0GA1UdDgQW\nBBQsrAGzhYkcYETnKLgHaljlHV04mTAfBgNVHSMEGDAWgBTv/RtYjHUhc/PX/eJf\nsB931VpiBjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgcAdbq8pHL/KJwiGa\nkRBlrmkZyi+1+vg1AAnGl4jYGZwCIQDCOr3UVFCkpvlPXJZfP97arSnWxmbE+fqJ\nq+npCmUkHw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::serial-number-zero", - "features": [ - 
"pedantic-serial-number" - ], - "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFZAo2oQdLYtjlis8Oty3iIhuBR0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2rk7WMHDKbx0RvOOL70ZohrDjlAbInEh/iWva\nz5hRMBN2JNvSgJCIyVJtrpBusBn+ErBOUm8dmX6Ak+WzHrV+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZQ/fmLmkGm2gku9DbMEuWlkdX6MwCgYIKoZIzj0EAwIDRwAwRAIg\nE0RZmNWgAsOPkQ4gf/cNCzqzEyWl0bO0NRcHclKrN80CIFqFMhSn7DsCxjB69slz\nBhAhXOTXK3L6NuIECvqBzAT8\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtXfv\n1oOzLgVN4s84+k/UOqjZbj6593v8Ik6SGtAqgQYlAG5KLxEpnOoSxTMRmbFs4gl3\njznZEl5YO6Ec45ltq6N8MHowHQYDVR0OBBYEFEj0RjlrqrfBqo4sRHfiekQB5eMo\nMB8GA1UdIwQYMBaAFGUP35i5pBptoJLvQ2zBLlpZHV+jMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAwiWp2WlXsJznxkzzhc8bJRYX21L9U5F/dvJwNsnUDKAC\nIBkRiJwrPQdF3+TUPYIhvlXghBhGqeanQqAkD3DlO2rh\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::duplicate-extensions", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is 
invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfgCHlpB1SmyCXL2S+apYwezfcjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtbOz8JyeEscojJWVAK9B7UwRgeDmQGHq7MGEs\nM6gUlWlrJUbbik7uNQLQWwbjDjUAXGS+8JkJlPjhrVsU1OSOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2GgAnD2/z8pc3BoZ0EVf6+39aIwCgYIKoZIzj0EAwIDSAAwRQIg\nNEyoQ5L3HU2a0ILxUgb91yP67VutyxI4GaNDckGaWvUCIQD949HoAFehs9U0TqhI\nIonvedsIxWd2x8gtO5TfW8nPJg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIUJu/MNKb6noeI/MQidJyscW1HZi8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA/bhn2fvUCvyB+IHgwTGnot/HCw3E+anJsZm8iiZaws\nkf10v8K0nnGN1dIqzIpP/nTvJR0YOGBHkApwQN9wrk6jgZUwgZIwHQYDVR0OBBYE\nFNZtcGbq9z9+6iehsEx9cz40ZjBVMB8GA1UdIwQYMBaAFCthoAJw9v8/KXNwaGdB\nFX+vt/WiMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiBozcbbFz+X5tvayf/P/jonmZUzA7WxdYHpEkXS8rbN5wIhAICE\nR1KtDQwuSNEvy+StMbuZ4b6xP7lv8hAfR0MKqTdN\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - 
"expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::no-keyusage", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUFWUYWY07ZHNh6OOAlb3ytoE9RlkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVIloba3aFuHaCH+FMszMMbD82QjGh7tpPLc6e\nYVPWjc7aKEvDLQvhj7RMKKF/urAf0ELezJES2K/HyJGi9Goio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpxqNiBOTU6KlZHV32/VKXDWN+BAwCgYIKoZIzj0EAwIDRwAwRAIg\nA3WaY5OKpDjCUxm39kwsM/yiAILJgX3qPjdmaHHHqUECIEPtUXyMHhvrjn39aOrR\niyZ9z46+7ww9uW8otibE26mR\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUUsNoAuNAgroSTDH9bBB03r9dJtUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAoDh5OCdnboJFrX40Yc0voHf7feiXTAo/1FmwlNyGGG\nf5IJQgpUCIXP1fwe9dBfjnn6qxXzotMW5LKCvAHtHLijbzBtMB0GA1UdDgQWBBST\nOaQaA3emji3KKZ/Brnu0uHGoGDAfBgNVHSMEGDAWgBSnGo2IE5NToqVkdXfb9Upc\nNY34EDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEAkH3jUdUs2S2wXVTvqS760Dz5WSnAkPBsArp2\nZqqWHgQCIQC1PZrW6w1oQnn194/T3h1fh5/w0APnecGIXxTFyYeALg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": 
"rfc5280::no-basicconstraints", - "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH0oIpDKq5Z1n1CcfhCBXYJ52osowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASL+TFCdg9maCASL0OCsbCQsNjP4Y0FUeTX96X6\nUQd34cEJdl7wDl0lCS8vQTEv9Vhwzpi4+YGVKNhsa4O/qhfzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU74AB+gTPsmjuMXOkOUT7vAsKK/0wCgYIKoZIzj0EAwIDSAAwRQIg\nWJj/oEg9F2fYmLngUaufLu9hXP3N+ZKluCjE7jr2o1ICIQDcTCxHTJKATm8dLE1I\noLBtu/b+sosuwD3kJJzqh+SLWg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUNeOuf9RljrLi0TqOSKNg4nn1sDwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDQRBkt1mx1f0/Tj+338yqlurpw8qxOjv7IDkovrtBZU\nDXFSfXS4ynKSCEHShaudWOQuQ7jiW3hTPcmZJwo3yW2jfDB6MB0GA1UdDgQWBBSo\nkHz+EJGRyCwaF1Id7j5LeVrGUTAfBgNVHSMEGDAWgBTvgAH6BM+yaO4xc6Q5RPu8\nCwor/TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAP36ANQIbPLw8ADxiFiz\nuCwOUG8JBu8HizxIv5vogMvyAiEA38YubvJ3TljN7zqHrKYXYEjOkOHXAomcpuqd\n2cDj9GQ=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::wrong-eku", - "features": null, - 
"description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMyw54i46pYmxJOFHWfWRb0hU9lUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjW8JqNGtFCWa53QZf7SEocYbS9EIik+xwdGDS\n4gSV8/fgd4CEmwn4YUy0OfymM0osB9T+Gu+3/rN6D47+Fob5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULdvYOUrQOWl8+594qLu0sMMDohswCgYIKoZIzj0EAwIDSAAwRQIg\nJZdNSksWtScMjQXsHo1HdzqkHcPaprw1a6j1O7ukBswCIQDm5nVNDjFwL7urVUbw\nLHhpzQOCAErYP8868wgQqnt1cg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUW3uL790JINVwjEZtYw9U+wCxmWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLyBJgMi8LedezPQru0uqYTl87O2B9YR6sFSdE0PIRBR\nnopsOpzVP4swtQTATMhKclMz6zvdApdupaTuSxn5ji2jfDB6MB0GA1UdDgQWBBS3\nGg9cdM1gUeGypl7ORY4LlbJqvDAfBgNVHSMEGDAWgBQt29g5StA5aXz7n3iou7Sw\nwwOiGzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAN2r+3bTEQhAhNnVGwKZ\nDBPB0oJoAC4og71TTOMqplNVAiBRrgq7gVPjV9YzjQdUGKVehmpJDjFOprYM6UD3\nYYI0Zw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": [ - "serverAuth" - ], - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": 
"rfc5280::mismatching-signature-algorithm", - "features": null, - "description": "Verifies against a saved copy of `cryptography.io`'s chain with\nthe root certificate modified to have mismatched `signatureAlgorithm`\nfields, which is prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWY
Hb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6
alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nDQUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfh
KrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", - "validation_time": "2023-07-10T00:00:00+00:00", - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "cryptography.io" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::malformed-subject-alternative-name", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUY1oIGbL52ZrE8PES5ih3DynVdxkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQnbSG1sKh6Hv6hHlS0Jgah4lVpofplawwUgFQ7\njdEG23yCdD62L/o3XyiI7cknZRnuEOdUmImoQktKtQGWrEhko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDK1qLyWE2/2H2ccMzNCfpTWPVDQwCgYIKoZIzj0EAwIDSAAwRQIg\nL1c+UTivSK1+m1Ctzri0uRH42xdxuVDI6Xs5V7P0k0kCIQDMUzPcAU7ZDSie5qm7\no1utW65qfdMCWQ5CMv2sMdOg8g==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUYGC03CbMbGEhATH/cWjuaYMc6fUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE59sFufYw10hoFZltWNfnQQ78xBuqrWFgxxg4eCA/hZ\nzk+bTdWDWacI285tx7lkfmLWoz/mRhCb28zxJU5vTQqjeDB2MB0GA1UdDgQWBBS+\nNw0oYtO6TAXzkByWgLQd2tZo5jAfBgNVHSMEGDAWgBQMrWovJYTb/YfZxwzM0J+l\nNY9UNDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAo+Q6Ev3vRFWKCr3jkPpPlNbk\nWwrNEx8TB6eNHZSIQ8ICIQDBmnGkjseJ1JzJ9VvZyJzEF0eOwvsN1X48ycfR8h+f\nyQ==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::cryptographydotio-chain", - "features": null, - "description": "Verifies against a saved copy of `cryptography.io`'s chain. 
This should\ntrivially succeed.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+
kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nCwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", - "validation_time": "2023-07-10T00:00:00+00:00", - "signature_algorithms": null, - "key_usage": [ - "digitalSignature" - ], - 
"extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "cryptography.io" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::cryptographydotio-chain-missing-intermediate", - "features": null, - "description": "Verifies against a saved copy of `cryptography.io`'s chain, but without its\nintermediates. This should trivially fail.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwT
dwJx4nLCgdNbOhdjsnvzqvHu7Ur\nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT\nD2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7\nQZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm\nAu0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd\nnPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ\nenqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF\n++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV\nHQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu\nUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v\ncjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y\nZy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM\nAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0\nc2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1\n8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G\na7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+\ncrerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS\nAAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh\ns4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB\nCwUA
A4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn\n31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa\nGYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v\nNTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W\n9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N\nRaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi\n-----END CERTIFICATE-----\n", - "validation_time": "2023-07-10T00:00:00+00:00", - "signature_algorithms": null, - "key_usage": [ - "digitalSignature" - ], - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "cryptography.io" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::exact-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfFFZpydJyaFlLPVTrHRJJ0pOIcswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/VtwXBCEWuH530RESsCLH7fHu5T7jXucfZzIY\nmvJTNb7RkWc7CbItp0F9IfwbZjNquPDrqG57rdd0Zsczo4CRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV6AVIKSQ7QxzShSPHbUGyn2qkl4wCgYIKoZIzj0EAwIDRwAwRAIg\nKG/iHVQe/E9ecVWd3zpQlN4AWTVG7Pv0/F3WwppZurACIHVHY77fWCprBxueU3Lz\nGLObR5+AHnT6GqnuHqb8EJIf\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUftyrlRTgolMNZpr55lRRXQ7qcY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO3elq/ToyjLGL8QM+KWFNXwJidT040obdETOGIWmqDu\nourlHUZaTLv+/qXn+txhKC3ktFUC/SCKDUnwtaOQFoyjfDB6MB0GA1UdDgQWBBTV\n7L9e5FdYU3FFPD/x2ynDorgRPzAfBgNVHSMEGDAWgBRXoBUgpJDtDHNKFI8dtQbK\nfaqSXjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPoqRp+JiNvYHqBT826y\nFl6VBT8lojrTLOVPAmQRhV/eAiAUJ1FRok9blFJrBoTdhHfSWuv92d7Vz5c2cWtX\nTIYZiA==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::mismatch-domain-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUCGcjQyawyZ41yAxdnhCkmtD5ilYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATxlgYH6dDIS2Hik4QubCfkEZ37Ua1biGaveH4Y\ny4g9HuJZGF7eIOAjtj3DNj43UpNuP/BMCJQItMqV8JvYcyS1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4oUAx0mxl3xdZpwpTjua5aI1nU0wCgYIKoZIzj0EAwIDRwAwRAIg\nXnVYHi4Z4SRkR8CJlvbUdS9jT3ggI0nh8qTePrcIrrkCIAgJKg6Kneu8ihZhPr39\ngd/eXruWQZ3mkY6zfI7DMAuz\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ8kzJM3tYuKTu0+ARfRL/aak5rwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHx88BK9SwOWXIKb+69N0uRjJSqoWo+EDxUIDK3CLXU0\nXneprKw28KJ7a0dScmxtvDQLnh/7le/SshG7YEtwJW+jfDB6MB0GA1UdDgQWBBT0\n7eeWM42ahXeEipp/7Ko3ph2iXDAfBgNVHSMEGDAWgBTihQDHSbGXfF1mnClOO5rl\nojWdTTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgV1LD30OSMSNFrEZoSClF\n54GH3KrJXlC2wnFzBnA+Us4CIDNFARi4oxlLqqVfdvefDi0n7IXC9APVJgwKXoPp\n6yqT\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example2.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::mismatch-subdomain-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as 
supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAPi5xt2sKl1K9a5QPbgGIv/KLXwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1wxwzCX3lcgzYDlalfWzNYm39bcHihfAK/VHH\n5DLOxYgD2varJEIcAzbpqhnqo6poDeB1oAHFKYDg86APGCZKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0QXuCFqDP+2bkSqFAuuCXrWtwwswCgYIKoZIzj0EAwIDRwAwRAIg\nCQzRZAqRxYRSWvK6zEbqAYRI+KwVNzpmq+Z6G4bDh7gCIB46478jWT7pNB7iyBpz\npyMKkphPiHDc8gdXBdJ0XZxE\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUTT4anwP5YPPcOqlB9vbza5nAkAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOdFjwuxihTw21vyaXEX54Rz/hKv5isIcHK2u41UP5PJ\n49UtryzLEWG7WTbF59nT7f73d6tBpbhtrHkwpFierLSjgYAwfjAdBgNVHQ4EFgQU\nr4HY53hHzEwNlnbDQORNHWUalNMwHwYDVR0jBBgwFoAU0QXuCFqDP+2bkSqFAuuC\nXrWtwwswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBlTKdb4M0qyqx/\nREDPeKzHMCivi8j7CHoCNHMkoLbNtgIgbavzzeOyjwaNFNTfkaReQ2+gdYoz3hyf\nYTcDZnn1OTU=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "def.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::mismatch-subdomain-apex-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name 
with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV11q9s6alX0HgqBdD14HuN7i8pgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARPyo37vrYTjlam9lHtuDC5+2I7LftmmNXBj71H\nw+KYPYH9N18JvKYj5u1hlvePX61U0lWhF7xVbnqMbiV+tvlQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOB/MbLYSmeZzSPcqC0uu/Ee2L8gwCgYIKoZIzj0EAwIDSAAwRQIg\nC4gJttW8N5XYznv6/JSWGbOOeJMad9NYPam0uah2W2gCIQD/7t5DO2PWpVpj07Gc\n1/UZCyA6d9MmUEPDcjNtt1K3QQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULiEtnVkwusD2PSYIlDSfcYWeViMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIayei1d+MTLSxAAwVD6i73ah1YEbssBLX2k3Pb+09Oi\n/0lDpg8lLpeOR8kTzQaHIGRBn+MvHAOom/herpax2MmjfDB6MB0GA1UdDgQWBBTC\n/SqCgmV5ArDxI6iIdwsPIHxApzAfBgNVHSMEGDAWgBQ4H8xsthKZ5nNI9yoLS678\nR7YvyDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKtjFU+QZGcCjH8Uyt7S\nEI4Hw8ODL6ne2kG081OnB+GzAiBbx0Q2V3RVTKqomHV9WbYCmHQGNoLQxr8YesHR\nY70+fw==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "abc.example.com" - }, - 
"expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::mismatch-apex-subdomain-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAoPVj4RFLbozudw+F4Jp0sDRGoQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKbXXFb/+5QriZSmJ9S6XZXwKwK3QW2JkN+Mf8\nrJfxP+0gQXEg8gidkorGjXyEdsyeLugcYTnlzZa4ntb5iMpmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAuuDzKLZJ5SiPdKMnojdbZS2isgwCgYIKoZIzj0EAwIDRwAwRAIg\nIxD/RpbmNZ2a8klywMoXl3ppqDHdLGvj4oCiy1dhqU8CIFTTrKEOjSknbiiouhhl\nm8A1RJTKoMEcUhtzwPdTVKlQ\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUTgVwszGjPxFrtWjBxeKOrmoNPv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABConaLtOupOfZ+Cy4kGuQd2Y7FVxkgxxklDVS5ktqkFz\ntUCF8t2J//vccalEikbdwpuZBuWuqu+0dzUlncAiPHOjgYAwfjAdBgNVHQ4EFgQU\num8xrN1Lmd4nq0+v22NayZc51VMwHwYDVR0jBBgwFoAUAuuDzKLZJ5SiPdKMnojd\nbZS2isgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAy67gzQzH+LKr\nQJFM+GfnNbtLIoWer+2btiH9yPJmk6kCIHsZ9w6uNSVRQzIsEz4AGL9wpCVcY1fi\n07dDkoO98D9B\n-----END CERTIFICATE-----\n", 
- "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::public-suffix-wildcard-san", - "features": [ - "pedantic-public-suffix-wildcard" - ], - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAL4bNGl4c7u6J9ID150cYJvS4SgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFbD/3KaChl4jxPy+Wkl0XS+wSlgzT4yw7qhLt\nt4kw3JfXpg0iZu7g3t/sO06Qxd5GVF8VZMt8tOtbO+fiR5yNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDmxflVn5gVZeIkppz9xMQbLYzm4wCgYIKoZIzj0EAwIDRwAwRAIg\nYrm339m0u0wbmazS0+e6CpVxSfltAB+2Suq66t9xL+MCIDpm4vZynMAmhkkFgT8Q\nsNV1Mxu+3+kGpOPTddAHCFqY\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUCHC9AtNmdt2h46Of8Ajf/9tRUaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDqsX3i7QizdGxKgdr6S5sTmJZsBuQtq1T5cSlE1LbYS\nn8d8oPqtDNJI5ePKqYPJ+X6QAgaQilqnkY412oH3NMyjdjB0MB0GA1UdDgQWBBTX\nRGO/yXdla5Noo6mgzZ3gZtpOnjAfBgNVHSMEGDAWgBQObF+VWfmBVl4iSmnP3ExB\nstjObjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMTy04f+hLJ3FStXGue3k5U0MFN5\nC+iIl9FFx9Wo0h8zAiEAlvdHUK6S24Orc6FNSPUrMCybZpxlsqR8apM4+CMirWY=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::leftmost-wildcard-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUE+Bn73yqgUvzp2JMHoV+mU7oKFAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWT/lEsokoTLcDt5b1FJV3PRAyVhtKS4UxOiEP\nCOqeVHQNcHd1ZlZznxzvWCoVMhgj0WqWaHUj2d8KdDBQaZW8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDAZbOIDhxjOPgcVan+90vjh7Q+cwCgYIKoZIzj0EAwIDRwAwRAIg\nAl8kkLBQxyGREqXL4h3bZpfFZj+5f0x4b0DRFHgerUoCIFGCQwkhb4ySS/OcLZO4\nI1ce1CTRroiWOfNF7Z/7HJhj\n-----END CERTIFICATE-----\n" - ], - 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUYbTPCv+9+OZ9fGpXHSs7e/O+BY0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGiMAqgB3HWjfGnVehrFEBwhVgSsqE37NIpfk3idTd/X\nypctijo2BhaPnIlUZMsfLyCZLq6DpJ0FuwT31fWnixyjfjB8MB0GA1UdDgQWBBTo\noPSKMaL3PNPBmVMogzdicejujjAfBgNVHSMEGDAWgBQMBls4gOHGM4+BxVqf73S+\nOHtD5zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiASQUQTIWe4KdXr2gLi\nAT9LSL40y9hp2nXMkyMH79ToewIhAIZdhd4ol0j1G8bLsuwLCC1sKzeyNHwlAjfL\nuf4YCUZS\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "SUCCESS", - "expected_peer_name": { - "kind": "DNS", - "value": "foo.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::wildcard-embedded-leftmost-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSudKbFPH296eRvf3+ablzhEQkkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARWo5jD0nnrCRbnW/qxri2ngyqpW2EfGcjo9qFi\nX1YLw+qsBlX/6arR+5RyK+nkkfYwcKvzlr2hn8MdiM321UhJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK2/5G/8WFXypOY5dBxaPsHa6vLcwCgYIKoZIzj0EAwIDSAAwRQIh\nAMgBLd1mNcL1qrVUsb/2qCi3mzilVSVSBZMb323rCktNAiBD7PGOxs2DJ2g+gRzZ\nkQp6Ky6YTQI7aHCZf+QE9kdSSw==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUQMTo3smq//AKtE/jqVHkv2XDf0EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFVkUO+aGsFhHQhuXSdn6DYw1nsZ9n8lUQiGHF0Iz7ze\nXMJXgz3IVPhLZkAkAJBUbLBWwmYHCpKOEg40Uh4lPPyjgYAwfjAdBgNVHQ4EFgQU\nMGa7kUauilKO7hn+r9E6ZhXx22QwHwYDVR0jBBgwFoAUK2/5G/8WFXypOY5dBxaP\nsHa6vLcwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAuv1VEQCo4FYZI\nZfwZpUH/iiX1ctXIoMTF/eRkpAzPHgIgFZW9c4iYyZPB2gOBtN+BXt3jxH5NT/nl\nSJsp1GbhFU4=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "baz.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::wildcard-not-in-leftmost-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented 
identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPyOnhCK9Z9a85jh6vzU4HpSyiuYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATfJT+oehbs8YV7opqk6BGhJOrDWwCa9h2fP0Wh\nc/5a5y+/G2OvKj9KWDXJBG3ca8gP2SxdEwOTd7xzEj6v3+sno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3KJYzhZEeDaQ2Gk0jfpArADn6KEwCgYIKoZIzj0EAwIDSAAwRQIh\nAItVz6h7o/oBxUJOl6ZFxphXWOkd5u/5gPpopTYqDN8VAiB+hQ7sQm1cYLrzi1WY\nMYRTTIfbR99zFUKgLC8fcKpJAA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUblrbZkxAY3RPJndR51hSNW44jxgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHeGWNa/n4YNraZsYtfQJy0e1okAfb6KhDo19f3xHBxl\nUyfFs798x5oEe1daVZZ3JZUdbtkcMX4O00YIfxhZzbqjgYMwgYAwHQYDVR0OBBYE\nFFz2lLpDyLIehps56tNKGeqxZtpuMB8GA1UdIwQYMBaAFNyiWM4WRHg2kNhpNI36\nQKwA5+ihMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBUkv5Q3a4y\niW+QCmSSHqFQYP6AT0AjTLT/N405drbiCQIgC+pGf0nEmy/0I7y60jFyCspBx0Rc\nnWFjZjastM9Vlkw=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "foo.bar.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::wildcard-match-across-labels-san", - "features": null, - 
"description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdR5z46JjR/52vQaBl+MJtzOIRbMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRjeY9fyQ0LLnZKMe2zNpnF86Oln16hXaBYW4e\nO197EqawOHba/lwGNJ2wzqJ7mpZA53RzkUl1fA12WSDBqU3xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWQUBOBIukaoJRoVZVohXQRynCnowCgYIKoZIzj0EAwIDSAAwRQIh\nAPudjjbIuyjlvDQ8tBqSW4N6ilW9tB3hhP1uPs37BoCiAiBAi53dn0awcDENTPJ7\nANWNEhYgz7sIKLqqGK7A8NwzzQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUf0x0HSiXYV229AvBoo6DFrwpf2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGKP8RB+/QR6iDQiy5usZ8kKSZ6A96/BpLtPdDimv/pd\nzGSYdLr6FZAz9FEyGNO0q9R8YHdcF8Q0MKfKAD6fObWjfjB8MB0GA1UdDgQWBBTg\n7pLnOov/h7ZO/lYVBph8ptCTtjAfBgNVHSMEGDAWgBRZBQE4Ei6RqglGhVlWiFdB\nHKcKejALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiA45O1vvKJ8gIJAKPZz\nDBlNi2aTN9hhgE2nWxfkLIeUpAIhAIgD0Hpjtc2rXkpmZGg8vA3eUumy8ufWQSr3\nh3FOS5uv\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "foo.bar.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::wildcard-embedded-ulabel-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... 
the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBTbSLvog6sn+iCes0e7v3SHC3NEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATScoZl4ZRPLIvoSDzfHChfrjNfc5ZM88330WM0\nQFs8AHmezFuTjK66PGt8QP7m0YtTONc1+2MfMYfkua8gmpcto1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/M/L1u9yP4mUMQxIMLw9CQ0BSEgwCgYIKoZIzj0EAwIDSAAwRQIg\nHAssXAo73le9UMXVLOaoqbrLFz5Cr8ECWJEEYoNC5b4CIQDXAs6EvLXwbh4IrrNk\nfvGAqOZuU0JnL48wwDEOf1krWA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUTSmlezsyOh8cvSrfZ99rDKcAuvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHSCD5JUflfAyxFDUcudKWXnmTQppkV9GcOMKc2AOiNh\n5PpqILXgmP7c4Sjhju2Jnz26tx/+Kt+eWlrw/WEiUwejgYwwgYkwHQYDVR0OBBYE\nFNk4+XoHlKZsKXO59LLFnTzdJ5XeMB8GA1UdIwQYMBaAFPzPy9bvcj+JlDEMSDC8\nPQkNAUhIMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBG\nAiEAoaJJBqTjwUVBds6Dpra4Pj+dt5HKlcpc4fTfo0KxbqMCIQDpYy8UaGYdRf0d\n1M961k1vTgISG87Tc5sCoe/9JHAMfg==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "xn--bliss-1b3c148a.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, 
- { - "id": "webpki::unicode-emoji-san", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEhNspzJ2R5X/T2YZzmD65JsZJiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS65oxM+UIyDvYz2NPDR21I2rdJKYy0sBlmcHQz\nb/spV7qzo98TWp7EFo4k/5q47xqttHATgYHLlheFYE7oRfsio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVZv0wgZJRy7PhkyDScDDQoc28WUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJLuDlGXnrMwZj0RwPCGhTpydRmuZ/I3cN9Z2ecnwWI2AiEAhuEuZo+PyKC6Vc2y\nWIPGIYIQDUqmG6MgBHBddMezKPU=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIURQTbvuHgyOFqsU9aneCxth2+ClMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJhNMOdD6ioGMBLiORKf5idjgrFVg/0d9EaGkBhWX9j0\nEP+kKqJzuNIZDrTcucNlkQYP6s1NITfvInZwmOFi2GSjgYEwfzAdBgNVHQ4EFgQU\n4KqbLjAT1Jhir0iYQXgIE5PHp+EwHwYDVR0jBBgwFoAUVZv0wgZJRy7PhkyDScDD\nQoc28WUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJ3VUy7xdBGw\n+v0ERQSY2vXAcXVcXS/TPFCCY2O42tdkAiAfpK7+WX1BMWfKtzWH9hQ4qZx9YDjq\npgcgK6h2pRLX3Q==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "xn--628h.example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::malformed-aia", - "features": null, - "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. 
This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIw8vS6kHVU/b9yh5YztrGfiveaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvP3YstRqcnE1X+m8RHDPI2ry6Ajs+8qu3Jiuk\n0puaxjyNun8QcBqaOFII7hUpRZnPORbqvwf7FytFc4ZsihMLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU338Wz+0+EqEOGC2eGADXEuIhfKMwCgYIKoZIzj0EAwIDSAAwRQIh\nAIpP+HAuGIWS8yCignohdAfk9Zurhllg8M//CExN1Jd7AiAysRUYb/VaspQZYC4W\n2AWbeewxn5kV3+p+OYZufmtuSQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUFPw7waahVU7a1QgyjeDdZWMqRXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKRtooqgIkJOHK+A0VEFZwmlKwD3wezgnAAP07zbsVOg\nTntFlgwb9AJP0h/wgkoMKlM1UL+yb6g4xi0dpLdv7CSjgZQwgZEwHQYDVR0OBBYE\nFIcX38+X0jGAi4FhnPJw4F9tfifIMB8GA1UdIwQYMBaAFN9/Fs/tPhKhDhgtnhgA\n1xLiIXyjMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIEoiM5pm0S8NdLw9Sn0feoEJOxp2E/K1aS1itghFMJMDAiEA23+b\nd7vHCmRq05EF+/Rt/EJxMRvdRkr44ixcPGjbbEA=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::root-with-extkeyusage", - "features": [ - 
"pedantic-webpki-eku" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUWSkwNJaZ3YnDcbi6PgCl3p+YRxEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARRUKBMKCzuMAODnd5lWQsbFWDM4j86414kWITc\nNpaDg2zuuehktWh/D4R4w9Xl91pxOMvj97sIS8MkGm0vikclo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrwYhZH4enArCxM06QatOrox2/1owEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAPqoqsiikHjmFChCxZMpgtbadh/N5mFy0pti\nZ/jyOVrWAiEAhQtuuolf1hT075BPlm/GjfJNb7QqKh11NXFk99uWSt4=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQ+ct020x7R2s7tS1RVbsHWMR8EAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMypJP4KU3vbpVo1Rv/5pEvt+i4ukFxOo/7w8l87qemy\n28aS7bUDVuRvBDv1d0jmZxQSOAnb2VPV+F2w0s/TSY6jfDB6MB0GA1UdDgQWBBQT\nMdoakY36suzvgXB5+zhSZXdqbjAfBgNVHSMEGDAWgBSvBiFkfh6cCsLEzTpBq06u\njHb/WjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgZh9FuzcWvpFNUwlt4KJV\nCYFLdGaIq1rQqS+NRObX5KICIGIp5SDt1tPwfFbqPLU53nTrzRcGO5+0Ke1wORlB\nB2ia\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": [ - "serverAuth" - ], - "expected_result": "FAILURE", - 
"expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::root-with-aki-authoritycertissuer", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUcxHgn+rge+p1+hSw/0TEP3YEAqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+AOEsteIVx84TkIIxSWqsfoIj47Fqe9GhOTpe\ny6HeerX1YUx0IFxos1bB3RPrqaDAqR1bodIfurS0aKyooo3bo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFPfEwNlkBr37eb7HSZ5Di20GjRzNoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBT3xMDZZAa9+3m+x0meQ4ttBo0czTAKBggqhkjOPQQD\nAgNIADBFAiAqXclmOKwC+2Fpeywj93DUMVbTDz9TYWrGNaeETWiUCwIhAM5bDgko\nB2JeqNZKOkmiIeJcz3lyETnkMeuqq2/RPrXT\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWjWxXM+Y/ArrRzskV9bcr2Iej6AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCxN1wviINGGiCwfFbDNqMas7GKUu0sHaU1eQE5PdpZc\nHV4iU3Pwa4B5hgoaweVfDq9gWEj1EtdAD06aoI+lWQajfDB6MB0GA1UdDgQWBBQ5\naYKwsCCkJ1zHfZ8776bqcWnr0zAfBgNVHSMEGDAWgBT3xMDZZAa9+3m+x0meQ4tt\nBo0czTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgXX2D36rwZlbLNbHtZBaF\nfUMwYnupNzD9UzSIascSCs4CIQDI21dD6COEIA0r3UOYUW2VRj0CzsJ4OUaI8jj+\nrIb0VQ==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::root-with-aki-authoritycertserialnumber", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUbqrBhZxfKvNrW0O22bX8FMKqxjAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATQDpOsEJEDNQoTCMr+ZD3DcGJ1wh7wN+Etq4Ii\nvVnaTjthfRUpCDmXRw/b0S2QalGV4inWAjvOCq5WXTuVkyyHo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBSbWYjkCoqiSE8tMr5RJ55aP1hee4ICBNIwHQYDVR0OBBYEFJtZ\niOQKiqJITy0yvlEnnlo/WF57MAoGCCqGSM49BAMCA0gAMEUCIQCPiSCSX+Gg/c8c\nd+vV1VDxo5Jx2UTUTlvITSpwq8fSUQIgOHCuL4AzxaggR8tsO06OET5b/6PctSmt\nwD0JGEA4//A=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUTNEtu72ar9oz3sT3F2dsYiM3fbYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB9LyLjW6sQUxpt7TZMO7/8mCPWu0VECVSz0160c1q5t\ne/PfU9Y1yHalUSRGbj25Uvcw9eRRxNNZtfkVlOiDyg+jfDB6MB0GA1UdDgQWBBRk\nsNvh0kFFf38POj9yedfeD8LBFjAfBgNVHSMEGDAWgBSbWYjkCoqiSE8tMr5RJ55a\nP1heezALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgZcleBRGYetR5JwIcSJEL\nLnghO+GMaCI83TJ21d81vsECIQDgxc8ot9WuAGPcLlWtn7Hkt7EZ79Lh9JhmYJdX\nI2u++g==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::root-with-aki-all-fields", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 
7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUXJIr53QTZKVtNL/C1GdHJVHMa1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpDkPKc54Rg7nNk2VG7c9M/SzZ0YNdhGbipAq9\nmEhF0yphGwK7sKUs5JQeNgiKKimbi2VELUI1KdksbxnH6mj+o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFIwFjbNcu2UKPk85VnOuVeIDyWEKoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUjAWNs1y7ZQo+TzlWc65V4gPJYQowCgYIKoZI\nzj0EAwIDSAAwRQIhAPOHgmuulrO3o5xT21LtEu5D1BDU2c63C06AQOMurTOWAiAE\nIYrTyIadyOIkO8HJ4oYB4Wk9JGP00PVXmwvQ1Gy8EQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUV316QEmB1jGiVHrjHOSuzvReFMwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPsOUAdSH45Wv2HEdH7N3AFY5WFcZtBqsL3QwO0rQsg7\n+eJv4B1oBDDsEmWFfqwMS8F8i998xz1FaWtPmDVSaZKjfDB6MB0GA1UdDgQWBBTy\nWTqHNY45ljz6n7VR60CRRAV3GDAfBgNVHSMEGDAWgBSMBY2zXLtlCj5POVZzrlXi\nA8lhCjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcX9V2Clpun4c7tuHCJM6\n5rmyidYR0jmr0yZqXjZ6KUgCID5mFedWFKV1L3/R+0MfqJb6xcz+FzZyEPAyrd6M\nVuhG\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": 
null - }, - { - "id": "webpki::san-critical-with-nonempty-subject", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURRNlaq3ihL4N6doo0qSM+Jdu8yswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxofQJdPcAwKc+3Ep7HvexMzNYsBZOsr0pMnpX\nXoGXebajI8CaCXp5vTr7UqfC0LHPTEjnyot0RsZ6xhekTHB/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZtbhz5qTT0OGgFGkyvpsKaOY9jYwCgYIKoZIzj0EAwIDSQAwRgIh\nANosRMhDmYY7M6cSqmmfBFehiiJGiaOXR9wIISMh5OokAiEAlPEo/OYExQIXYchu\nj+SbLnZeyOFkBkKWeYYi8MFkiUM=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUL6qNPSxsfeHn04G7zLOuAx4NpsEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEPmhIa5rAWJ465N7YgCYfWILxI6D1FnImMLURy3\nNQE8HlyL0e7You6T+U112katHtpdLMJXMUoymqhee+AUvBejfzB9MB0GA1UdDgQW\nBBQwkXQ+kIeh35eQm6X65xMNf1xx8zAfBgNVHSMEGDAWgBRm1uHPmpNPQ4aAUaTK\n+mwpo5j2NjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaGYGglOPVM+8\n5RpQROkS81/p2okDOZqpRmlVcZXHVZoCIBM0mLcLqIDeNTurFtRgU7rTPYkXaNNZ\nzmi3wytrqPf+\n-----END CERTIFICATE-----\n", - 
"validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::forbidden-p192-spki-leaf", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUci7yu9sbjTvD6bpJ4kmpqnr5EnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9/HMUKHU5mxElxb2hJqHiW1tAxBMznlCn9/JD\nhJdSg2El4sGIU6QnQlkRX5uB47TjLWfkrgngCIFMhF7UXvCho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXjdJYTrVpiv4xZsIoVmBCSs0szAwCgYIKoZIzj0EAwIDRwAwRAIg\na4g7Ktgm6fwS9V9DHCc21omMcIEhZUzFs4m05z9pNdkCIDFOaHhY8vZmaaDHOdgB\nsAIigU85tI/PA6PFIphVz3Vc\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUagAwIBAgIUb2xuGMaFNq7sfgICxM4bGZVbp44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABDEsb4FAtGJvtqnERLgzQOoVWv6ZXbd113wdn3KaHFSP\n5sRJxBHLRZsslEcCWpNIn6N8MHowHQYDVR0OBBYEFPpRYJMkbZy2SCp2vwCxR3tI\nA8GOMB8GA1UdIwQYMBaAFF43SWE61aYr+MWbCKFZgQkrNLMwMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAptQyID8IxqU+brTaqKF1tKGAa3OzhtldyM0F3sAE\nEvECIQDm136ku44hojL0HXKYrcIcUvDg8HqlGtX+kK0dvYc04w==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - 
"extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::forbidden-dsa-spki-leaf", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUcBTwnYZ8cteTgN+5wg1p49q4hBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR6oXVf7cfOZ8KamgpIUkFuBpphbidubpH3cZAM\nv8F3zorsRmEA1ay8sT0oQfe1mnW7bUyaznx7e5dcQ5Pos8ZPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeR9x9GOFd4vB1OStvXjHAZlyOeswCgYIKoZIzj0EAwIDSAAwRQIh\nAIIbAMpG71EVJ8mTtx/KeJ6iJBJn7oQK8nn43rXpavuvAiBnMYcvnXmUH59fu5FQ\nPS2f3zClmRc2DpTZXb7lE+GvOQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcagAwIBAgIUeiluFmZtVBzA5p/W/N9aot5bCUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMcwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEA4r50hQfMruJGG9eQcxsLao9oLmG1zynYrB1CPlunzDqv\nEiuYpnhU5VD2Cv57bQT11a4Q03dlXh2FLcsZd8ACqRmwk1IFwlXRy1NcJ60ghL6e\nrItImBj8t7dAEV6NWHXkNI7Sv6uK+wtvuTPxCRPN4Txv7igRBn+3C+ZdUXFQoqKl\nNPsNfGAyqfsfPutP4FMGtm5vidrkZzLYBvwiv7W53vgGc0xqj3ANNlKawxuaYcX6\n2E6yyYVt5vfHehrOI5Vhhs8OgSKjAfwxeggIfHvr38LLIQcjJmstanPARNImUgfa\nOVz0l01lZ4KP4famLk8EgbwFMRcWWhVE+4pq0WKjQMg6V0lK31uyg3PAfnSt6Nx7\nCuUTDgAi8dPnWK+HicYf6ykveW9N5jg/lA+C8bTAqA2sFmcf3mKezFX+29GOGJcw\nwnaNDqrnNA1CiLMfjyKvX8ZsNuB88Z5M+WlIPSvRGe61m5rTY8PavicuMWW9e7x7\nVnTC295Wq0eeBTnYuhqXAiEAveUQztthbAR8gTOFETynBTi6TVrn3wNf29mNeNLN\nlkECggGAfgABkSedPeGPmApwVeaA8bnJdISX5WmwUKm/KF4qHokiIgcRWcmORGX1\nR08ILgQU6TRl0S6lkLG0sQKmjaj51HMVX2AJfC0ncsxvQ39oy6bx1rxE9YArBfRS\n7D5CQ0P/X/BjlVkeLn4Y3RjG+zjpdmwsa3ruzS0JWfp9aUqz2u+4zfr3hUlmqoD0\nOiiYtH2qL/5r4ZIgcO2yhq86C03xN765RaHtn3rm8q41cjLi1/thIkpd6yVUjbIn\nwE5GemzNJ8I9Zgco0sJdBKm5uDqr23+okvuJ9yVbhxXvpA26+VjMbiBJIxhGgLDc\ndVSNTOBYZ+c1D65Gsgs03GjZdb5AAhp/CVw1zQ5n7dYzHcimN4AgIXAoVtZtBq9D\nJLKtgGJYEt56gV7UBMD+TnTV+a8TYrCGoHvEjzqWScrsm/b9xDxPBEVLjLHxJtCO\njtErS2Hh3YQegUMD7EsG24qLFpVr4iBvRXnavZTbjyzTIKSx87BQluR6tw/+Kuxy\nBn0bjWH7A4IBhgACggGBAKnbCkqYPZOGT/ZATc819m/dUk8hdroZ7hBfmJndNwCT\nmxCAdjLklBQsV3J0/RsCf9aNtf8+ZiplWBn/AqZHHWEWelRLrqL8kHZnet5e4P3l\nAZYHPCak8Ec4G9cCHW7xM4ZxMO7O72ZbJGGpyJlX7Hbo8+xPU3uTVKjNb89Ne12K\ngF/Rr2348M5P95/wgQdRe9ZEi4NbsBhrzD3FFq2GK1SWl5jBXinmQ0T4dlDIcMdX\nRKRuEDgyckTujdzCZD1dfrWpmDByv1/PuloYIprVSe/FJmIFPgzZPp+imDag9Bfe\nZHzXyAH4826zgs7fb7CtqQlOVC6SDJ0LHJgBhU6/VhAgZ0CUvQZMGzoDzIhPurxq\nDtKLNhdDPKzl3kj0Pj9i5F3CoZ1pdGX58OBKkOQAH3hAxaPIMMJ0N0B4D1D3XOaP\n6RxPBTkpXQTxm4Wjw+qiTj6NQ9nkxOHN2XKf/yNsrOI8UxUkEZaouGS0DF+NEF5F\nmGhKwylp0Hm7o6ziNz2KvaN8MHowHQYDVR0OBBYEFH5QatZhwvr8tEDSPGkpciPv\nRWGmMB8GA1UdIwQYMBaAFHkfcfRjhXeLwdTkrb14xwGZcjnrMAsGA1UdDwQEAwIH\ngD
ATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA5Izp/FcwhPPFS/89BgHPs57jovx/LCkVFvjrOOdl\nEIwCIHnR2S13ekDSmlNRQr25q8HRCPz2VokJNSlw7ogAr6gj\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::forbidden-signature-algorithm-in-root", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUXYcWXWmV3CbYS+yTZ5GP9wYJdyIwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDsooIi7G4Eh8ZWqR/IHYu1sFtCyuaOLDrHYjgS\nNMwojF7VzRALBnznXTb9pFsk7hpnyOZ8BEwonec2YYcJYiCQAR0YHsPLXTpwcVUO\nPmHYt8+/+YZKBXKc0oeIkJHFXEQT+8KgH0Yo5GkZQJYlF46X/RM7eafS3U7gD681\nAhuSllaxWrBBa6VaYS++vF+xzJY1zKxlsksE1dGBQf9qd+UrtYzc5QEXBkq+wVW2\n2k27bk8HSFVfow1RMW5Nny/ty/OEHP38AM1URWc9wz7lHkE0LBk5eEQ0DfrspPJM\nQKWFZ5WdX7vkyBAs8PoP2LOMRg/p39JExdiHe3mQkTDEY+DShXG4kgfY+DvBERaf\nKEuW7ELz28GnLYGP+lscXV9sXYj/vctyQp/TjVFg0lRH/5dPVxcuvBsi9aRG48L6\n2dameyFIzxPLEZyhkeJvsK3OeKLqpW88ePkNA58Xd/7CvyBziqA5anQmlUo3muSQ\nXPb/Cqk0JUc2l+UGJxaRS98M22kCIQCncEheJfP59kG76sxB4a6V87AzCYWWMbUG\nI8cXPDC6nQKCAYEA6y/YZ1L7cpJa2rvVYLDUfQF6OK/DT7M/tRziRpUHbarEarV2\nRKoxvqkhRntt0TWWtxl7xB0wDaMc9sIKoAXYgV4Ab/p7mKTf9cZHh9xvVXR9DurE\nrm/lhVOkkMFR/mfVfiCLD0W721Q7vskoDc+ncriA3KXIeLJfZdZyWM89D7nXW8Wa\ntBcBMjJuTh+kO2xz/LmY44WoG5k1JnEtn2oX5FMAVuT8j9WrrVUCflHYSLcn7+Nj\nqNU3MA6lXSsGtOkHRoSjjxecqRSgZ5aIyH40GDtBnkmYz6HsAkQkS1msAOdJVaX2\nLnx4H8frU
oKf6icotDDRWIrqqxX0NSokNsID/ajea2fzSzfkGd7IVpxIGv1z6/sM\nMHRZ1Ip9GVwXoI6ERPkPzyVR/GHX/Gd/WgLcM1U/OGkvyX7ZDEtLyuq1upPe0a+I\nW+OhJ4pnMHbWHJSrVojF2Dse9SeB1eOk5o8ow3eMrGxFwuDE8TUDkV1pk1cjfN2P\nphg9u73oxRsfdqByA4IBhgACggGBAL8xtX4gJ7IEXbw8uZ0SIhjPJRHFIHW0QXrw\nGfp7MszvCpKFOVizuS6BCnwnkAiU6F8IEUahRs3JUwdo851l9sH9dm9FHdY+TIkm\n/mDSuvshk1gaRYsxwxZ6+c7J/HFpnvbU3X3r8MURrPZSnqtawW0xogO7ASLXIn/b\nXBnIM6qIVlVJz1iJ1h09wQxrc4z5vIMXhOgPvM3GQko8VIYj9h9GKr8nlXZiIYam\nk0WKKujA3JTfqNSG+MFldGL+SZnh0zaFpEO0V5zyGNdp1z7oqQFUCE0njIVR9Xl2\nSmKnTS+JvF8BVbwJXkYYFBLU0hN2PdSrFC9YJSig027rSwuTz9X0jA9Bu8pht4Ko\n03xj52HHjgY8PYQyTMIeem6XSSBEauo6d77CK84fRevRZK+DVryCKvIn5xTYcyoE\nQEnvf2NKZJF7+GHjN3nlDxymKwrXMb5Dt9RfdGHpU3Q0PLsKRKOk2/mXLAa5Z8cK\nQ3KCIuJ7iFBRC6yfjhrptUm7OXKCzKNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFE0pWtdo\nLMXSaEm/Gauivd9Z583JMAsGCWCGSAFlAwQDAgNIADBFAiAhCsNko2mvcHkCoJdt\nM46ovrLrUrKHI/GLxxT9nJ+myAIhAI2RQ3WZ0IPPxl41ytBzaSx/Q2GUKRhjlBhV\n34cQIjQF\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVegAwIBAgIUKeGEo2IZX3Lfygoy2UFf9xTJ8vQwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAASX2+p0tprsGNiu85wfuUvGovG14u+CWx+EjFmuMjCy\n66zJxsO6aCEZwbjRY1VuEP0TFXlmClUBjA3KjHWX6BhTo3wwejAdBgNVHQ4EFgQU\nbILOKRpAS79m5gT6D5Uy02v0xmowHwYDVR0jBBgwFoAUTSla12gsxdJoSb8Zq6K9\n31nnzckwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNJADBGAiEAgwEipHY3xHfA7LXl\nDgoyf1/kFM6Oyp8ip+z6EsfST50CIQCOKjVbjyKMLAjKSioHAf8oS0zSQRZvR+AG\nBloaEpUujA==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - 
"max_chain_depth": null - }, - { - "id": "webpki::forbidden-signature-algorithm-in-leaf", - "features": [ - "pedantic-webpki" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUS4JKFcFLK2VKfvWVOhCOkXJmfmAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKBoRPcLNuNr2hj9nm2Z+v5wfW0vOZefwQFPoY\nr/CdAlVpLJQWrPO7D1NATcVcS4FFZPhoKqFYaAGwJafEUneVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUldclMAn4LSD7WmsmFIhi4g/7olcwCgYIKoZIzj0EAwIDRwAwRAIg\nQ0UUFzP2mue6jXXSZfsvexcX/Chlqg5IuysccmXderYCIFgN6o+qPjsBvWCdF9zg\nYlF9vwOv7u1FSNYkKxRZr5ac\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGIDCCBcegAwIBAgIUFSHled3PqfOGnLK7lqBIdnrnnfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEAyM2vEtbxswAyb9RkZf1e5Rl0TTxLutPEoQU1Lb+UBBGJ\nmvs/yyjLbgXBLaafBhrmcSW+174LwMfmEQoA3HhO0SKiyPune17WnoL1iKhLhKFE\nqzc2a5qkVupX0cQX1jvmtSS2nP0FumoaaC0KeR0g9pujZIAs3Tfk6fuPoSzo1hxI\nT2Bh1ySmiLpDiacMpkymExIAPv4/V4ECx5KX7dYCTyvNHI5yZ58o66HhrZcK7dmW\na+ggXwbRv8buvWgOBjQpGLBvnnr8iBaKM7ZWB2p+2aDJv3ET0aZC+NXXWAOqahFX\nl/E8K+1GMCPMC9stMaWtVIF3vucSBW90iMrlAKVr0tB0mH6dIB+GxWmwfkHSGuJc\nuWDVKgJspRL0B4rRXbnLnpERHGspQhXMkW711BM0eZZSQGz7Smy37H9LyfIJ/hQe\nvGXjSz5n3ATneZFBNmWYjuw9B/Led5n8rXkuuVFXyhTgN3tH6YVQBgmJX8mnlrdW\n59sOqdQbK9grwBKpKY6fAiEAy+5J3REoiYknfR88wwF3NWZMCxzSNLp2ijW4nXE6\nsvUCggGBAIfSlwSsV+eLx+XrJBvIadB02UqLoYBoH9oQ17lMg+yn6gULrGCMGS2l\nOkvzR2JkCACV/R9RAO7BXKcoJWpgSqOu+KEIiIkzNPa6Im4nmoeZI1nGmbTKmkSO\nMnFmQw5z78FfjdX1ZPzk/ianL30cSDI5gFPdYrGxM1Pe9NXppwLgAph6eqlM4MPI\nqdoQiiV3gFAd1Jho7OlQnAZLvje1XGmOS/hnohR7BAV6g7WtelTDvAmuy8q/NYIx\nNljfeJtEgGgNKqh9Zz9NVy5GiP4r3zSndZqVDM5PhmmNEUTI7yazwGzNz/RfnFsR\nEVGFZvKB6Uo5WasdDQoXHefNc4NuNClF/j69e6dZPSpgfjzuRUoVVfrvguwUEpDU\nT9T5TuS8Yseq54jbYPy8QV836VS/MjRul56EZkkHuUHtK9fInpd+ts/OzhNM8r2X\n9uSUfb8ASM4xDa78Y74/iTvKHUfI5qarsAthpI/mHkJo09qrkR3WAT6SIdtv1bOj\ncLFliOd9+AOCAYYAAoIBgQCEHAQNP0WBA6N06zUKHlI5fSlSRgFGX5xoArqFRzpb\nb3/qbTapNY7R3gtfbbn3814xxt9jAknh3Jw83gBDTiL9ZIqRUfWc0nDE9sNeQIyB\n1EtroNcPeySQG+6BXlvBlch2ihoTmkmYSjziMFrilrnQevkqeHpHm+8SexuOHe20\n8sUbF0n+mYh1aFaID6l8whuHDMgeHbXsbjhsV3qVJkizcwJk1iAaqez7/olntPmB\nwQDINK/ym1NM89jqZOrTVW6KX74XdxbMLio7gmFtwLk4ZvAokK6VvnhF04yJMOU3\nfA/giYVn/cpZBR++y+1J+OJN8Q5H4HalN42BgTCxxcYLzDXyiNcz6TtN+Y9PveBI\nRsoxRtQrSlgM2mE6q10Zaew08CV4KppIRFnEYVe/fyR/QcigZQanRzHA4AcgpVJJ\n+UjHuUocde0p9+MV99Ee0jqdqbuXEd/BS3Q5w8/N7oZJbSVGAUHcKEIBmkahWwR4\nVPwoTtgI9w60MftFP24JrmqjfDB6MB0GA1UdDgQWBBTRx+e5qPFNuSS9KACXDcxg\nOWJVVDAfBgNVHSMEGDAWgBSV1yUwCfgtIPtaayYUiGLiD/uiVzALBgNVHQ8EBAMC\nB4
AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDRwAwRAIgaUK95icjyr0XSPMRI4e788s8mqkKBJEIMuS6GLZw\ndwgCIA8ygkrupTxAZC3ioUhRBP5wc3zJeWow2tFqTPY10G7b\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::no-san", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTqyr0CBfN/czCGeF6VGbUbjo/e0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARffZG3TcaVlavZhfNdsZnPEigRAV0XL/fYHEFH\nORC5W696jNwNk1vaOORhR6H0rrcDFegJELI+zl6EmGSva6ymo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2LCe8Jwlsp89PXu2qphi4S6cZWkwCgYIKoZIzj0EAwIDSAAwRQIg\nXOs3giCuIx19xF/drCVEXjPI3ohCTprNy2UtWGvEwTECIQCamGnejFsmdJA5Pk7T\nw2r03U1R9EL3F4r3kFmd3Z8ldg==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUWpBRWmLOjrJTj7mZWhIGDkg2QFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGt9qRaThCK+0QFpoO83SdbD7W3RSJWI9TjsfTSjC2LE\nYDeJ4Ef2h7bnvUlvWDM+pCKEgh7D/hrfid83E/vWSB+jZDBiMB0GA1UdDgQWBBQF\nGQmvsqsJki/U7weBxAIJCJptmzAfBgNVHSMEGDAWgBTYsJ7wnCWynz09e7aqmGLh\nLpxlaTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIgb/E5UfkT1FfnIzW/sRryOZACBMR8OKSjBABU+Gkosj8CIQCv7FCV\nlMZx6Td+Yb0KygZfDjscmP2FBKKU0qrCBXI4UQ==\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::v1-cert", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). 
This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVdQ6yuFsyFiuXMVDermbEg5JHv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYl18OgbshZJT1WS0Rd9IqnR4hfcUHUi6BzKdw\n36HZzH2wcr6lcmW3D7yWAi14MUfUyaSdJwlY0RgnmLOp/nGro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhfTw4cep1t0yJIcI0DcomfUrWyQwCgYIKoZIzj0EAwIDSQAwRgIh\nAK20l4EetZEjF9votonwwc+QN7wT8lnLCqWHle9nc4TjAiEA9pzifljeQ5Lrmbi6\nunNklcQFZhRwxdJrfvofcfAap0A=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBKzCB0wIUfBmw4Wd/kkinMlUhpPT1CEV95OAwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAz\nMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABJPsQr4DcGTL07KOCHBv2e9lDTZU8/oOPbPXeGtXCKFj3FclZ/ev\nJtNfuNKIiEMyFkDC9Md6jcbAv+Ykb1c9AxcwCgYIKoZIzj0EAwIDRwAwRAIgEmyB\nPrAJA/wwBEaQBhcddxgDbzuLyCNiFdKzrxRJ/rQCIFZ9RTiIQsd9bTvbMF7hV/09\nAJlt06DXzrLxblOReo+b\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::eku-contains-anyeku", - "features": [ - "pedantic-webpki-eku" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUS0uS5h624h4AwMiYvq5KJ2ADiUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2Y2tdHGEPQJ++DB1ianRV+LhdjPIY7jGIxQ+B\nfBF6SJcAoygU4VN1KXAf2pA6Zlrp04NMMFTqOai/28SCQoESo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNtNRhY8tDLU0PqW5gYhAo3HF5kAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOXrabr3D69HsVhiXQr1E7LVrR/fdcon79iuLZL1ctUXAiB7z2LjOQ+2QEF3SFwJ\nYJFrlWnVaNeydmCx0TiA0kYqUA==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUYW9rRa7Cz0LbtZrlBMHoce5QHrEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL1z/51M63FfhYoPw1WpT5vWtsqsw65J+sezQfiHGWDa\nqnZaYoqHfzq54allAHFgZzbQrWszP5KXzDvAzC8lbw2jgYMwgYAwHQYDVR0OBBYE\nFKZTw+0tWhRuN9hVlELkSJ5xut82MB8GA1UdIwQYMBaAFDbTUYWPLQy1ND6luYGI\nQKNxxeZAMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB9J47k5uAw\nVCLlwx/zQa9QFzkxv04h4Cw7xVr2SVSkYQIhANILO09lLBHkuRf+ZQkx66MzgM4o\n3qYezDIwyjWCakj9\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": [ - "serverAuth" - ], - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "webpki::ee-basicconstraints-ca", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", - "validation_kind": "SERVER", - "trusted_certs": [ - 
"-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBhuiGYyjHmVQ+wTMwbaiun0VmuwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ0o/FC1xa5Gpv3juMt/8rLUMbnZUrPfpfN/9Qs\no053efGd/Sqd+vqZb5kwaeG7CfvqXLzumfqk34vF31bqi7jDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiEe5rEr0fS27gAASaKnNr/UiEegwCgYIKoZIzj0EAwIDSAAwRQIg\nZEUxEoCKd+78PAjf5Jw3EqL/updJGGV4D7agO4o+zkgCIQCrURRD53rA+n9D7Jcf\nV/SyAg1MEmen4LAL4IoRjuuOzQ==\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUCr4yja1R2MxJ5VNm972g0oK2oPgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIxXdaCj9c1B+NHC1yolX/tncrTkQu1lOhFHKcV7tr4A\naueAumy8zsCpY2v5P+O6n2U/SvAi/2G3qdWakiYjHgujgY4wgYswHQYDVR0OBBYE\nFLNHxShHCTOswlfG8314tdjLZnxyMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAUiEe5rEr0fS27gAASaKnNr/UiEegwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIDYbJ40u4iBg67zfpZK6z5OmLjhzCvYVhDnfVrbuwuE0AiEAuo87MQqX4AnC\ncY09h/D8EwX1y0evlApSEJT6yLCCnUk=\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - } - ] -} From f7fdeafdeba7da38dafb01a955ba73dafc51fe69 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Nov 2023 11:13:54 -0500 Subject: [PATCH 064/155] tests: remove test_verify_basic Now covered by limbo. Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 119 -------------------------------- 1 file changed, 119 deletions(-) 
diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 5365e4696e0c..d4b0bc07d606 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py 
@@ -10,130 +10,11 @@ import pytest from cryptography import x509 -from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.general_name import DNSName, IPAddress from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert -def test_verify_basic(): - ee = load_pem_x509_certificate( - b""" ------BEGIN CERTIFICATE----- -MIIFJDCCBAygAwIBAgISBCjrgR1TEHICklNpQDzj1PqPMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA1MjkxODQ0MDBaFw0yMzA4MjcxODQzNTlaMBoxGDAWBgNVBAMT -D2NyeXB0b2dyYXBoeS5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AObo0GReSiFFL4eMlFHutcV+LpLDorPpzzFxxJsXhrm19GyWYHdr4ml7GIAEjqI7 -QZp0aYw1lmtHwgNnaRySU+aWj6LMWI/rIP5rXZYIZLyXSfLbHP0xlfYEvcrcprOm -Au0YuQgy3TBO0qz6FKx5PtfbDc7p/LYD5tnG5NkbQ4o+7Ko361w787WSb8OV5NFd -nPqSeIjwxqSy62G6oOHL4wRFDTCOdNjHeYJnPC0L3P9qkGeC6zjqt2h8Q+GE9zNQ -enqaEOeBIZo46mti6Tvzzc7dqILw1ATqIXJdjwABzuT8Ob34/LsPorLQoRP1+YHF -++D2JyyvYKM/aFpQI+HHfGUCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd -BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV -HQ4EFgQUOtGXHs6fLoMQEwjlwSu88r4qLf0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu -UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v -cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y -Zy8wGgYDVR0RBBMwEYIPY3J5cHRvZ3JhcGh5LmlvMEwGA1UdIARFMEMwCAYGZ4EM -AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0 -c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAtz77JN+cTbp1 -8jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGIaQn30wAABAMASDBGAiEAglrQJj8G -a7/1upmZ2Is6AqPT9pQpSty0sH4PgnqyQxICIQDEpKnk6Rt6KzvEpIIIEtXgrYx+ -crerlx4SQVQbnwfz0gB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS -AAABiGkJ9+sAAAQDAEYwRAIgaLwFE4CfhV09wq5IR5zmo/90y5OQJ2MnW5gpRZZh -s4YCICEAGxUN/f95xFmxOCfqXv3SEozwkrMHA33abVjCQiaGMA0GCSqGSIb3DQEB -CwUAA4IBAQBSTN5U/3yp6cGMBXlS5WcrB/XOY6TtxPmeSvLM3vqNbpRGu1JOFFtn -31eweHOTj66GWowSy9+uAhp1V9Uf0hoJMa/b+CkCelyJN4QZCcMfhKrPAD4prbHa 
-GYFaLo5SQqkK1hYHo9LH+qhaOBx9hF5aLrGbEFWXQE9/W7KSeCzz6LBLw9xVrB2v -NTLlXXt5tUiczOIzge5KGaSQr5wgc1viddcRsYuZjtgWlqJ5E5QcZxD8xLTfBe5W -9vl/k1CB4CZ1IG8Sa9+n91Kxm3HTLL6TcrEOutChwMfZfrLH/piWoRQxezCpn82N -RaeeHd1Bv3oH3SeVJUHLxgzUv/dh6GSi ------END CERTIFICATE----- -""" - ) - - intermediate = load_pem_x509_certificate( - b""" ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ 
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- -""" - ) - - root = load_pem_x509_certificate( - b""" ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc -oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq 
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE----- -""" - ) - - verifier = ( - PolicyBuilder() - .time(datetime.datetime(2023, 7, 10)) - .store(Store([root])) - .build_server_verifier(subject=DNSName("cryptography.io")) - ) - chain = verifier.verify(ee, [intermediate]) - - assert chain == [ee, intermediate, root] - - @lru_cache(maxsize=1) def dummy_store() -> Store: cert = _load_cert( From ab7de49b27ea62639dc7f2da2a75520fa121f889 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Nov 2023 11:46:20 -0500 Subject: [PATCH 065/155] validation/certificate: remove dead_code attrs Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/certificate.rs | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs index 8aa65a4a8ac8..4f2b4151b108 100644 --- a/src/rust/cryptography-x509-validation/src/certificate.rs +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -8,13 +8,10 @@ use cryptography_x509::certificate::Certificate; use crate::ops::CryptoOps; -// TODO: Remove these attributes once we start using these helpers. -#[allow(dead_code)] pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { cert.issuer() == cert.subject() } -#[allow(dead_code)] pub(crate) fn cert_is_self_signed(cert: &Certificate<'_>, ops: &B) -> bool { match ops.public_key(cert) { Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(), From 421594afd4dd609061a2572df0a22e22e2d6d007 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Nov 2023 11:47:29 -0500 Subject: [PATCH 066/155] validation/extension: remove more dead_code attrs 
Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/extension.rs | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index a4396203a693..482fd73dde07 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -12,10 +12,7 @@ use crate::ops::CryptoOps; use super::{Policy, PolicyError}; -// TODO: Remove `dead_code` attributes once we start using these helpers. - /// Represents different criticality states for an extension. -#[allow(dead_code)] pub(crate) enum Criticality { /// The extension MUST be marked as critical. Critical, @@ -25,7 +22,6 @@ pub(crate) enum Criticality { NonCritical, } -#[allow(dead_code)] impl Criticality { pub(crate) fn permits(&self, critical: bool) -> bool { match (self, critical) { @@ -38,16 +34,13 @@ impl Criticality { } } -#[allow(dead_code)] type PresentExtensionValidatorCallback = fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; -#[allow(dead_code)] type MaybeExtensionValidatorCallback = fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), PolicyError>; /// Represents different validation states for an extension. -#[allow(dead_code)] pub(crate) enum ExtensionValidator { /// The extension MUST NOT be present. NotPresent, @@ -69,13 +62,11 @@ pub(crate) enum ExtensionValidator { /// A "policy" for validating a specific X.509v3 extension, identified by /// its OID. -#[allow(dead_code)] pub(crate) struct ExtensionPolicy { pub(crate) oid: asn1::ObjectIdentifier, pub(crate) validator: ExtensionValidator, } -#[allow(dead_code)] impl ExtensionPolicy { pub(crate) fn not_present(oid: ObjectIdentifier) -> Self { Self { From ef9061f3e6ba4d0ff6edffd9bc1fd4e377df3ecf Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Mon, 13 Nov 2023 14:13:59 -0500 Subject: [PATCH 067/155] verify: simplify types Signed-off-by: William Woodruff --- src/rust/src/x509/verify.rs | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 4d595389281d..ed43194a6a17 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -106,12 +106,8 @@ impl PyServerVerifier { &self, py: pyo3::Python<'p>, leaf: &PyCertificate, - intermediates: &'p pyo3::types::PyList, + intermediates: Vec>, ) -> CryptographyResult> { - let intermediates = intermediates - .iter() - .map(|o| o.extract::>()) - .collect::, _>>()?; let store = Store::new( self.store .as_ref(py) From bf3b3cb05a7a4faf31c09e4c1c3e5009a2b3c29e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 14:22:35 -0500 Subject: [PATCH 068/155] document, enforce chain order Signed-off-by: William Woodruff --- docs/x509/verification.rst | 4 +++- tests/x509/limbo/test_limbo.py | 18 ++++++++++-------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 4b0351af5870..f9bebd6ceef6 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -72,7 +72,9 @@ chain building, etc. .. method:: verify(leaf, intermediates) Performs path validation on ``leaf``, returning a valid path - if one exists. + if one exists. The path is returned in leaf-first order: + the first member is ``leaf``, followed by the intermediates used + (if any), followed by a member of the ``store``. :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 00e69b6330b3..446060e7e31b 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py 
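Review bot: The new `intermediates: Vec<…>` parameter accepts more than the `&PyList` it replaces, and nothing on the signature says so. pyo3's `Vec` extraction takes any Python sequence except `str`, so tuples and other sequence types now pass, and a member that is not a certificate is rejected during argument conversion instead of inside the method body. These are the untrusted intermediates, so the accepted shape should be documented, e.g. `// Extracted by pyo3 at the call boundary: any non-str sequence of certificates is accepted.` The docs context in this series still describes the argument as ``A :class:`list` of intermediate`` certificates, which should be checked against the new behaviour. The method body continues outside the hunk.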
@@ -87,14 +87,16 @@ def _limbo_testcase(testcase): ).build_server_verifier(peer_name) try: - verifier.verify(peer_certificate, untrusted_intermediates) - assert ( - should_pass - ), f"{testcase_id}: verification succeeded when we expected failure" - except ValueError as e: - assert ( - not should_pass - ), f"{testcase_id}: verification failed when we expected success: {e}" + built_chain = verifier.verify( + peer_certificate, untrusted_intermediates + ) + assert should_pass + + # Assert that the verifier returns chains in [EE, ..., TA] order. + assert built_chain[0] == peer_certificate + assert built_chain[-1] in trusted_certs + except ValueError: + assert not should_pass def test_limbo(subtests, pytestconfig): From ea88d53101b05d3220b3b01bcc05365e2946ec8c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 14:24:20 -0500 Subject: [PATCH 069/155] lib: simplify is_match Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 22c393df87bc..4e6faaea0358 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -80,10 +80,7 @@ impl ApplyNameConstraintStatus { } fn is_match(&self) -> bool { - match self { - Applied(a) => *a, - _ => false, - } + matches!(self, Applied(true)) } } From 7bfab597addce55e4c31e0829d286ebfee557718 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 14:32:08 -0500 Subject: [PATCH 070/155] Update src/rust/cryptography-x509-validation/src/lib.rs Co-authored-by: Alex Gaynor --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 4e6faaea0358..f4c652c0c508 100644 
--- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -190,7 +190,7 @@ where if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { let sans: SubjectAlternativeName<'_> = sans.value().map_err(PolicyError::Malformed)?; for san in sans.clone() { - // If there are no applicable constraints, the SAN is considered valid so let's default to true. + // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; for c in constraints.permitted.iter() { let status = self.apply_name_constraint(c, &san)?; From 97c551ff9fc0119e04e35440a7abf27f15fcbd25 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 14:31:46 -0500 Subject: [PATCH 071/155] validation/lib: return impl iterator Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index f4c652c0c508..dc805bc47fad 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -125,8 +125,8 @@ where fn build_name_constraints_subtrees( &self, subtrees: SequenceOfSubtrees<'work>, - ) -> Vec> { - subtrees.unwrap_read().clone().map(|x| x.base).collect() + ) -> impl Iterator> { + subtrees.unwrap_read().clone().map(|x| x.base) } fn build_name_constraints( From af14ec426a5eb63c4049f637f936518152798dcc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 16:18:52 -0500 Subject: [PATCH 072/155] validation/ops: remove old coverage stub Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/ops.rs | 14 -------------- 1 file changed, 14 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 9be641202957..57528005c60a 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -65,18 +65,4 @@ zl9HYIMxATFyqSiD9jsx pub(crate) fn cert(cert_pem: &pem::Pem) -> Certificate<'_> { asn1::parse_single(cert_pem.contents()).unwrap() } - - #[test] - fn test_nullops() { - let cert_pem = v1_cert_pem(); - let cert = cert(&cert_pem); - - let ops = NullOps {}; - assert_eq!(ops.public_key(&cert), Ok(())); - assert!({ - ops.public_key(&cert).unwrap(); - ops.verify_signed_by(&cert, ()) - } - .is_ok()); - } } From eac3a0756d57eba0dc677d00be50095d73f53146 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 16:23:49 -0500 Subject: [PATCH 073/155] test_limbo: remove assert messages Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 446060e7e31b..d7ad73a4e9f1 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -24,14 +24,11 @@ } -def _get_limbo_peer(expected_peer, testcase_id): - assert expected_peer is not None, f"{testcase_id}: no expected peer name" +def _get_limbo_peer(expected_peer): + assert expected_peer is not None kind = expected_peer["kind"] - assert kind in ( - "DNS", - "IP", - ), f"{testcase_id}: unexpected peer kind: {kind}" + assert kind in ("DNS", "IP") value = expected_peer["value"] if kind == "DNS": return x509.DNSName(value) 
@@ -45,19 +42,12 @@ def _limbo_testcase(testcase): features ): return - testcase_id = testcase["id"] - assert ( - testcase["validation_kind"] == "SERVER" - ), f"{testcase_id}: non-SERVER testcases not supported yet" - assert ( - testcase["signature_algorithms"] is None - ), f"{testcase_id}: signature_algorithms not supported yet" + assert testcase["validation_kind"] == "SERVER" + assert testcase["signature_algorithms"] is None assert testcase["extended_key_usage"] is None or testcase[ "extended_key_usage" - ] == ["serverAuth"], f"{testcase_id}: extended_key_usage not supported yet" - assert ( - testcase["expected_peer_names"] is None - ), f"{testcase_id}: expected_peer_names not supported yet" + ] == ["serverAuth"] + assert testcase["expected_peer_names"] is None trusted_certs = [ load_pem_x509_certificate(cert.encode()) @@ -70,7 +60,7 @@ def _limbo_testcase(testcase): peer_certificate = load_pem_x509_certificate( testcase["peer_certificate"].encode() ) - peer_name = _get_limbo_peer(testcase["expected_peer_name"], testcase_id) + peer_name = _get_limbo_peer(testcase["expected_peer_name"]) validation_time = testcase["validation_time"] validation_time = ( datetime.datetime.fromisoformat(validation_time) From 062a64b948180e7cc52d63b3e59799cc3999bb8f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 16:52:34 -0500 Subject: [PATCH 074/155] drastically simplify lifetimes Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 60 ++++++++----------- src/rust/src/x509/verify.rs | 4 +- tests/x509/limbo/test_limbo.py | 8 ++- 3 files changed, 32 insertions(+), 40 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index dc805bc47fad..74b0070124f3 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -48,21 +48,21 @@ pub struct AccumulatedNameConstraints<'a> { pub type Chain<'c> = Vec>; type IntermediateChain<'c> = (Chain<'c>, AccumulatedNameConstraints<'c>); -pub fn verify<'leaf: 'chain, 'inter: 'chain, 'store: 'chain, 'chain, B: CryptoOps>( - leaf: &'chain Certificate<'leaf>, - intermediates: impl IntoIterator>, +pub fn verify<'a, 'chain, B: CryptoOps>( + leaf: &'a Certificate<'chain>, + intermediates: impl IntoIterator>, policy: &Policy<'_, B>, - store: &'chain Store<'store>, + store: &'a Store<'chain>, ) -> Result, ValidationError> { let builder = ChainBuilder::new(HashSet::from_iter(intermediates), policy, store); builder.build_chain(leaf) } -struct ChainBuilder<'a, 'inter, 'store, B: CryptoOps> { - intermediates: HashSet>, +struct ChainBuilder<'a, 'chain, B: CryptoOps> { + intermediates: HashSet>, policy: &'a Policy<'a, B>, - store: &'a Store<'store>, + store: &'a Store<'chain>, } // When applying a name constraint, we need to distinguish between a few different scenarios: @@ -84,18 +84,11 @@ impl ApplyNameConstraintStatus { } } -impl<'a, 'inter, 'store, 'leaf, 'chain, 'work, B: CryptoOps> ChainBuilder<'a, 'inter, 'store, B> -where - 'leaf: 'chain, - 'inter: 'chain, - 'store: 'chain, - 'work: 'leaf + 'inter, - 'chain: 'work, -{ +impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: HashSet>, + intermediates: HashSet>, policy: &'a Policy<'a, B>, - store: &'a Store<'store>, + store: &'a Store<'chain>, ) -> Self { Self { intermediates, @@ -106,8 +99,8 @@ where fn potential_issuers( &'a self, - cert: &'a Certificate<'work>, - ) -> impl Iterator> + '_ { + cert: &'a Certificate<'chain>, + ) -> impl Iterator> + '_ { // TODO: Optimizations: // * Use a backing structure that allows us to search by name // rather than doing a linear scan 
@@ -124,21 +117,21 @@ where fn build_name_constraints_subtrees( &self, - subtrees: SequenceOfSubtrees<'work>, - ) -> impl Iterator> { + subtrees: SequenceOfSubtrees<'chain>, + ) -> impl Iterator> { subtrees.unwrap_read().clone().map(|x| x.base) } fn build_name_constraints( &self, - constraints: &mut AccumulatedNameConstraints<'work>, - working_cert: &'a Certificate<'work>, + constraints: &mut AccumulatedNameConstraints<'chain>, + working_cert: &'a Certificate<'chain>, ) -> Result<(), ValidationError> { - let extensions: Extensions<'work> = working_cert + let extensions: Extensions<'chain> = working_cert .extensions() .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { - let nc: NameConstraints<'work> = nc.value().map_err(PolicyError::Malformed)?; + let nc: NameConstraints<'chain> = nc.value().map_err(PolicyError::Malformed)?; if let Some(permitted_subtrees) = nc.permitted_subtrees { constraints .permitted @@ -155,7 +148,7 @@ where fn apply_name_constraint( &self, - constraint: &GeneralName<'work>, + constraint: &GeneralName<'chain>, san: &GeneralName<'_>, ) -> Result { match (constraint, san) { @@ -181,8 +174,8 @@ where fn apply_name_constraints( &self, - constraints: &AccumulatedNameConstraints<'work>, - working_cert: &Certificate<'work>, + constraints: &AccumulatedNameConstraints<'chain>, + working_cert: &Certificate<'chain>, ) -> Result<(), ValidationError> { let extensions = working_cert .extensions() @@ -221,10 +214,10 @@ where fn build_chain_inner( &self, - working_cert: &'a Certificate<'work>, + working_cert: &'a Certificate<'chain>, current_depth: u8, is_leaf: bool, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(PolicyError::Other("chain construction exceeds max depth").into()); } 
@@ -265,7 +258,7 @@ where .apply_name_constraints(&constraints, working_cert) .is_ok() { - let mut chain: Vec> = vec![working_cert.clone()]; + let mut chain: Vec> = vec![working_cert.clone()]; chain.extend(remaining); self.build_name_constraints(&mut constraints, working_cert)?; return Ok((chain, constraints)); @@ -279,10 +272,7 @@ where Err(PolicyError::Other("chain construction exhausted all candidates").into()) } - fn build_chain( - &self, - leaf: &'chain Certificate<'leaf>, - ) -> Result, ValidationError> { + fn build_chain(&self, leaf: &'a Certificate<'chain>) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 01b02462ee78..d2c976c2d0a7 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -129,9 +129,7 @@ impl PyServerVerifier { policy, &store, ) - .map_err(|e| { - pyo3::exceptions::PyValueError::new_err(format!("validation failed: {e:?}")) - })?; + .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; // TODO: Optimize this? Turning a Certificate back into a PyCertificate // involves a full round-trip back through DER, which isn't ideal. diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index d7ad73a4e9f1..0391bcb71fdf 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -9,7 +9,11 @@ from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate -from cryptography.x509.verification import PolicyBuilder, Store +from cryptography.x509.verification import ( + PolicyBuilder, + Store, + VerificationError, +) LIMBO_UNSUPPORTED_FEATURES = { # NOTE: Path validation is required to reject wildcards on public suffixes, 
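Review bot: The message passed to `VerificationError::new_err` in `src/rust/src/x509/verify.rs` is still built with `{e:?}`, so Python callers see the Debug rendering of the internal `ValidationError`/`PolicyError` enums as the exception text. That ties user-visible output, and anything that matches on it, to Rust type and variant names that can change in any refactor. Formatting through `Display`, `format!("validation failed: {e}")`, keeps the text stable; no `Display` impl for `ValidationError` is visible in this patch, so one may need to be added. The enclosing method starts outside the hunk.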
@@ -85,7 +89,7 @@ def _limbo_testcase(testcase): # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate assert built_chain[-1] in trusted_certs - except ValueError: + except VerificationError: assert not should_pass From ace81423e2785782ce4d4fcf4232a06d2c985f23 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 17:17:09 -0500 Subject: [PATCH 075/155] test_verification: remove unused import Signed-off-by: William Woodruff --- tests/x509/test_verification.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 2b930a71f953..d4b0bc07d606 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -11,11 +11,7 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import ( - PolicyBuilder, - Store, - VerificationError, -) +from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert From 9793bb25b6467099f5aaff06005fddb6edafc5dd Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 14 Nov 2023 13:51:10 +1100 Subject: [PATCH 076/155] validation/lib: Remove unnecessary `AccumulatedNameConstraints` type --- .../cryptography-x509-validation/src/lib.rs | 67 ++++++++----------- 1 file changed, 27 insertions(+), 40 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 74b0070124f3..3465cbe5f15f 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -19,7 +19,7 @@ use crate::ApplyNameConstraintStatus::{Applied, Skipped}; use cryptography_x509::extensions::Extensions; use cryptography_x509::{ certificate::Certificate, - extensions::{NameConstraints, SequenceOfSubtrees, SubjectAlternativeName}, + extensions::{NameConstraints, SubjectAlternativeName}, name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; @@ -39,14 +39,8 @@ impl From for ValidationError { } } -#[derive(Default)] -pub struct AccumulatedNameConstraints<'a> { - pub permitted: Vec>, - pub excluded: Vec>, -} - pub type Chain<'c> = Vec>; -type IntermediateChain<'c> = (Chain<'c>, AccumulatedNameConstraints<'c>); +type IntermediateChain<'c> = (Chain<'c>, Vec>); pub fn verify<'a, 'chain, B: CryptoOps>( leaf: &'a Certificate<'chain>, @@ -115,16 +109,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { .filter(|&candidate| candidate.subject() == cert.issuer()) } - fn build_name_constraints_subtrees( - &self, - subtrees: SequenceOfSubtrees<'chain>, - ) -> impl Iterator> { - subtrees.unwrap_read().clone().map(|x| x.base) - } - fn build_name_constraints( &self, - constraints: &mut AccumulatedNameConstraints<'chain>, + constraints: &mut Vec>, working_cert: &'a Certificate<'chain>, ) -> Result<(), ValidationError> { let extensions: Extensions<'chain> = working_cert @@ -132,16 +119,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { let nc: NameConstraints<'chain> = nc.value().map_err(PolicyError::Malformed)?; - if let Some(permitted_subtrees) = nc.permitted_subtrees { - constraints - .permitted - .extend(self.build_name_constraints_subtrees(permitted_subtrees)); - } - if let Some(excluded_subtrees) = nc.excluded_subtrees { - constraints - .excluded - .extend(self.build_name_constraints_subtrees(excluded_subtrees)); - } + constraints.push(nc); } Ok(()) } 
@@ -174,7 +152,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn apply_name_constraints( &self, - constraints: &AccumulatedNameConstraints<'chain>, + constraints: &Vec>, working_cert: &Certificate<'chain>, ) -> Result<(), ValidationError> { let extensions = working_cert @@ -185,12 +163,16 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { for san in sans.clone() { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; - for c in constraints.permitted.iter() { - let status = self.apply_name_constraint(c, &san)?; - if status.is_applied() { - permit = status.is_match(); - if permit { - break; + for nc in constraints { + if let Some(permitted_subtrees) = &nc.permitted_subtrees { + for p in permitted_subtrees.unwrap_read().clone() { + let status = self.apply_name_constraint(&p.base, &san)?; + if status.is_applied() { + permit = status.is_match(); + if permit { + break; + } + } } } } @@ -199,12 +181,17 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { PolicyError::Other("no permitted name constraints matched SAN").into(), ); } - for c in constraints.excluded.iter() { - let status = self.apply_name_constraint(c, &san)?; - if status.is_match() { - return Err( - PolicyError::Other("excluded name constraint matched SAN").into() - ); + for nc in constraints { + if let Some(excluded_subtrees) = &nc.excluded_subtrees { + for e in excluded_subtrees.unwrap_read().clone() { + let status = self.apply_name_constraint(&e.base, &san)?; + if status.is_match() { + return Err(PolicyError::Other( + "excluded name constraint matched SAN", + ) + .into()); + } + } } } } 
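Review bot: In the rewritten permitted-subtree loop of `apply_name_constraints` (hunk `@@ -185,12 +163,16 @@`), `permit` is shared across every `NameConstraints` in the vector and the `break` leaves only the inner subtree loop, so the verdict for a SAN is whatever the last extension with an applicable permitted subtree decided. A name that one CA's permitted subtrees do not cover is accepted when a later entry in `constraints` matches it, and the result depends on vector order. RFC 5280 section 6.1.4 intersects the permitted subtrees along the path, so each CA's set has to be satisfied on its own. Track the result per `NameConstraints` and fail as soon as one of them applied without matching, as sketched below; the function body starts outside this hunk.

```rust
for nc in constraints {
    if let Some(permitted_subtrees) = &nc.permitted_subtrees {
        // Judge each CA's permitted set on its own: it must either not apply
        // to this SAN's name type or contain at least one match.
        let mut applied = false;
        let mut matched = false;
        for p in permitted_subtrees.unwrap_read().clone() {
            let status = self.apply_name_constraint(&p.base, &san)?;
            if status.is_applied() {
                applied = true;
                if status.is_match() {
                    matched = true;
                    break;
                }
            }
        }
        if applied && !matched {
            return Err(
                PolicyError::Other("no permitted name constraints matched SAN").into(),
            );
        }
    }
}
// … unchanged: excluded-subtree loop …
```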
@@ -229,7 +216,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // here: inclusion in the root set implies a trust relationship, // even if the working certificate is an EE or intermediate CA. if self.store.contains(working_cert) { - let mut constraints = AccumulatedNameConstraints::default(); + let mut constraints = vec![]; self.build_name_constraints(&mut constraints, working_cert)?; return Ok((vec![working_cert.clone()], constraints)); } From d498f67c19a97778aa9739b0b69fb9edeed49d0d Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 14 Nov 2023 14:01:43 +1100 Subject: [PATCH 077/155] validation/lib: Use `cert_is_self_issued` for potential issuers --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 3465cbe5f15f..69631f50693f 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -104,7 +104,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // NOTE: The intermediate set isn't allowed to offer a self-signed // certificate as a candidate, since self-signed certs can only // be roots. - .filter(|&candidate| *candidate != *cert) + .filter(|&candidate| cert_is_self_issued(candidate)) .chain(self.store.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } From 2f52dd0bbdc512055c6a3419925ab01d82ad2ca1 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 14 Nov 2023 17:00:56 +1100 Subject: [PATCH 078/155] validation/lib: Flip condition --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 69631f50693f..3ba0398f61a2 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs 
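Review bot: The new predicate in `potential_issuers` (PATCH 077) is inverted: `.filter(|&candidate| cert_is_self_issued(candidate))` keeps only the self-issued intermediates, while the NOTE directly above it says such certificates must not be offered as candidates. As written, no ordinary intermediate CA can be selected as an issuer, and the only members of the untrusted set that are considered are the self-issued ones. The line should read `.filter(|&candidate| !cert_is_self_issued(candidate))`, and a chain-building test with one ordinary intermediate would catch a regression here. The function starts outside the hunk.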
+++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -104,7 +104,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // NOTE: The intermediate set isn't allowed to offer a self-signed // certificate as a candidate, since self-signed certs can only // be roots. - .filter(|&candidate| cert_is_self_issued(candidate)) + .filter(|&candidate| !cert_is_self_issued(candidate)) .chain(self.store.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } From c40761f209f097d89d3d4e1570b89fe3cc317979 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 14 Nov 2023 17:18:28 +1100 Subject: [PATCH 079/155] validation/lib: Use `cert_is_self_signed` --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ++-- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 3ba0398f61a2..8a14b4dc126e 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -13,7 +13,7 @@ pub mod types; use std::collections::HashSet; -use crate::certificate::cert_is_self_issued; +use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; use cryptography_x509::extensions::Extensions; @@ -104,7 +104,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // NOTE: The intermediate set isn't allowed to offer a self-signed // certificate as a candidate, since self-signed certs can only // be roots. - .filter(|&candidate| !cert_is_self_issued(candidate)) + .filter(|&candidate| !cert_is_self_signed(candidate, &self.policy.ops)) .chain(self.store.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } 
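Review bot: `potential_issuers` now runs `cert_is_self_signed(candidate, &self.policy.ops)` on every member of the caller-supplied intermediate set before the cheap `candidate.subject() == cert.issuer()` comparison, and it repeats that at each step of chain building. The helper's body is not visible here, but since it takes the crypto backend it presumably performs a signature verification, which makes the cost of one validation grow with the number of untrusted intermediates a peer supplies. Compare names first and check the signature only for the candidates that match, for example `.filter(|&c| c.subject() == cert.issuer() && !cert_is_self_signed(c, &self.policy.ops))` on the intermediates iterator, keeping the name filter on the store side of the `.chain(...)`. The function starts outside the hunk.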
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index f23e1dca2659..027bf168a7e0 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -227,7 +227,7 @@ impl From for Subject<'_> { /// A `Policy` describes user-configurable aspects of X.509 path validation. pub struct Policy<'a, B: CryptoOps> { - ops: B, + pub ops: B, /// A top-level constraint on the length of intermediate CA paths /// constructed under this policy. From e0c377d4ea063d59e2ca04d67a6626471bba87a6 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Tue, 14 Nov 2023 17:32:27 +1100 Subject: [PATCH 080/155] validation/lib: Reduce calls to `Certificate::extensions` --- .../cryptography-x509-validation/src/lib.rs | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 8a14b4dc126e..45bb65b4b328 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -112,11 +112,8 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_name_constraints( &self, constraints: &mut Vec>, - working_cert: &'a Certificate<'chain>, + extensions: &Extensions<'chain>, ) -> Result<(), ValidationError> { - let extensions: Extensions<'chain> = working_cert - .extensions() - .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { let nc: NameConstraints<'chain> = nc.value().map_err(PolicyError::Malformed)?; constraints.push(nc); 
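Review bot: `pub ops: B` makes the crypto backend part of `Policy`'s public API only so that `ChainBuilder` in the same crate can reach it. `pub(crate) ops: B` gives `lib.rs` the same access without letting downstream code read or replace the backend of a constructed policy, and it matches the `pub(crate)` visibility used by the other policy helpers on this page. If external access is wanted later, a documented accessor method is easier to keep stable than a public field.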
@@ -153,11 +150,8 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn apply_name_constraints( &self, constraints: &Vec>, - working_cert: &Certificate<'chain>, + extensions: &Extensions<'chain>, ) -> Result<(), ValidationError> { - let extensions = working_cert - .extensions() - .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { let sans: SubjectAlternativeName<'_> = sans.value().map_err(PolicyError::Malformed)?; for san in sans.clone() { @@ -209,6 +203,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { return Err(PolicyError::Other("chain construction exceeds max depth").into()); } + let extensions = working_cert + .extensions() + .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; + // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. // @@ -217,7 +215,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // even if the working certificate is an EE or intermediate CA. if self.store.contains(working_cert) { let mut constraints = vec![]; - self.build_name_constraints(&mut constraints, working_cert)?; + self.build_name_constraints(&mut constraints, &extensions)?; return Ok((vec![working_cert.clone()], constraints)); } @@ -242,12 +240,12 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; if skip_name_constraints || self - .apply_name_constraints(&constraints, working_cert) + .apply_name_constraints(&constraints, &extensions) .is_ok() { let mut chain: Vec> = vec![working_cert.clone()]; chain.extend(remaining); - self.build_name_constraints(&mut constraints, working_cert)?; + self.build_name_constraints(&mut constraints, &extensions)?; return Ok((chain, constraints)); } } From 269ef79f6080bd8da077757ca842968a5016a03d Mon Sep 17 00:00:00 2001 
From: Alex Cameron Date: Wed, 15 Nov 2023 00:41:51 +1100 Subject: [PATCH 081/155] validation/lib: Remove more calls to `extensions` --- .../cryptography-x509-validation/src/lib.rs | 39 ++++++++++++------- .../src/policy/mod.rs | 30 ++++++++------ 2 files changed, 43 insertions(+), 26 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 45bb65b4b328..6777e7cac5ce 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -198,15 +198,12 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { working_cert: &'a Certificate<'chain>, current_depth: u8, is_leaf: bool, + extensions: &'a Extensions<'chain>, ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(PolicyError::Other("chain construction exceeds max depth").into()); } - let extensions = working_cert - .extensions() - .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; - // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. // @@ -215,7 +212,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // even if the working certificate is an EE or intermediate CA. if self.store.contains(working_cert) { let mut constraints = vec![]; - self.build_name_constraints(&mut constraints, &extensions)?; + self.build_name_constraints(&mut constraints, extensions)?; return Ok((vec![working_cert.clone()], constraints)); } 
@@ -225,11 +222,21 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // A candidate issuer is said to verify if it both // signs for the working certificate and conforms to the // policy. - if let Ok(next_depth) = - self.policy - .valid_issuer(issuing_cert_candidate, working_cert, current_depth) - { - let result = self.build_chain_inner(issuing_cert_candidate, next_depth, false); + let issuer_extensions = issuing_cert_candidate + .extensions() + .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; + if let Ok(next_depth) = self.policy.valid_issuer( + issuing_cert_candidate, + working_cert, + current_depth, + &issuer_extensions, + ) { + let result = self.build_chain_inner( + issuing_cert_candidate, + next_depth, + false, + &issuer_extensions, + ); if let Ok(result) = result { let (remaining, mut constraints) = result; // Name constraints are not applied to self-issued certificates unless they're @@ -240,12 +247,12 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; if skip_name_constraints || self - .apply_name_constraints(&constraints, &extensions) + .apply_name_constraints(&constraints, extensions) .is_ok() { let mut chain: Vec> = vec![working_cert.clone()]; chain.extend(remaining); - self.build_name_constraints(&mut constraints, &extensions)?; + self.build_name_constraints(&mut constraints, extensions)?; return Ok((chain, constraints)); } } 
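Review bot: The `?` on `issuing_cert_candidate.extensions()` inside the candidate search makes one malformed candidate end the whole chain build. Before this change the same parse ran inside `valid_issuer` (via `permits_ca`), whose error was absorbed by `if let Ok(next_depth)`, so a candidate with duplicate extensions was simply passed over. Because the intermediates are untrusted input, a single bad certificate in that set now blocks a chain that another candidate would complete. Skip the candidate instead, e.g. `let Ok(issuer_extensions) = issuing_cert_candidate.extensions() else { continue };` (or a `match` if the crate's MSRV predates let-else); the enclosing loop header is outside the hunk, so confirm that `continue` applies there.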
@@ -264,9 +271,13 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // // In the case that the leaf is an EE, this includes a check // against the EE cert's SANs. - self.policy.permits_leaf(leaf)?; + let extensions = leaf + .extensions() + .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; + + self.policy.permits_leaf(leaf, &extensions)?; - let result = self.build_chain_inner(leaf, 0, true); + let result = self.build_chain_inner(leaf, 0, true, &extensions); match result { Ok(result) => { let (chain, _) = result; diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 027bf168a7e0..146c402c2341 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -16,7 +16,7 @@ use cryptography_x509::common::{ PSS_SHA512_MASK_GEN_ALG, }; use cryptography_x509::extensions::{ - BasicConstraints, DuplicateExtensionsError, KeyUsage, SubjectAlternativeName, + BasicConstraints, DuplicateExtensionsError, Extensions, KeyUsage, SubjectAlternativeName, }; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ 
@@ -460,17 +460,20 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// A "leaf" certificate is just the certificate in the leaf position during /// path validation, whether it be a CA or EE. As such, `permits_leaf` /// is logically equivalent to `permits_ee(leaf) || permits_ca(leaf)`. - pub(crate) fn permits_leaf(&self, leaf: &Certificate<'_>) -> Result<(), PolicyError> { + pub(crate) fn permits_leaf( + &self, + leaf: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), PolicyError> { // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. // Code like this will propagate irrelevant error messages out of the API. - let extensions = leaf.extensions()?; if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { let key_usage: KeyUsage<'_> = key_usage.value()?; if key_usage.key_cert_sign() { - return self.permits_ca(leaf, 0); + return self.permits_ca(leaf, 0, extensions); } } - self.permits_ee(leaf) + self.permits_ee(leaf, extensions) } /// Checks whether the given CA certificate is compatible with this policy. @@ -478,6 +481,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { &self, cert: &Certificate<'_>, current_depth: u8, + extensions: &Extensions<'_>, ) -> Result<(), PolicyError> { self.permits_basic(cert)?; @@ -487,8 +491,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // and `ChainBuilder::potential_issuers` enforces subject/issuer matching, // meaning that an CA with an empty subject cannot occur in a built chain. - let extensions = cert.extensions()?; - // NOTE: This conceptually belongs in `valid_issuer`, but is easier // to test here. It's also conceptually an extension policy, but // requires a bit of extra external state (`current_depth`) that isn't 
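Review bot: `permits_leaf` and `permits_ca` here, and `permits_ee` and `valid_issuer` in the following hunks, now take the certificate and its parsed extensions as two unrelated arguments, and nothing checks that the `Extensions` value was parsed from that same `cert`. A call site that pairs them wrongly would evaluate one certificate's key usage, basic constraints and extension policies against another certificate without any error. State the precondition on each function, for example `/// `extensions` must be the value returned by `cert.extensions()` for this same `cert`.`, or pass a small struct that owns the certificate reference together with its parsed extensions so the pairing is fixed where it is created.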
@@ -507,19 +509,22 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } for ext_policy in self.ca_extension_policies.iter() { - ext_policy.permits(self, cert, &extensions)?; + ext_policy.permits(self, cert, extensions)?; } Ok(()) } /// Checks whether the given EE certificate is compatible with this policy. - pub(crate) fn permits_ee(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { + pub(crate) fn permits_ee( + &self, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), PolicyError> { self.permits_basic(cert)?; - let extensions = cert.extensions()?; for ext_policy in self.ee_extension_policies.iter() { - ext_policy.permits(self, cert, &extensions)?; + ext_policy.permits(self, cert, extensions)?; } Ok(()) @@ -540,9 +545,10 @@ impl<'a, B: CryptoOps> Policy<'a, B> { issuer: &Certificate<'_>, child: &Certificate<'_>, current_depth: u8, + issuer_extensions: &Extensions<'_>, ) -> Result { // The issuer needs to be a valid CA at the current depth. - self.permits_ca(issuer, current_depth)?; + self.permits_ca(issuer, current_depth, issuer_extensions)?; let pk = self .ops From 90162e436fd38dad887f597d5cdf31bc0489c727 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Wed, 15 Nov 2023 01:19:10 +1100 Subject: [PATCH 082/155] validation/policy: Check for overflow of current depth --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 146c402c2341..3be723e6c5a5 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -561,7 +561,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Self-issued issuers don't increase the working depth. match cert_is_self_issued(issuer) { true => Ok(current_depth), - false => Ok(current_depth + 1), + false => Ok(current_depth + .checked_add(1) + .ok_or(PolicyError::Other("current depth calculation overflowed"))?), } } } From adc7333ec9e0022d819c75e12fe25af70f722fce Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Wed, 15 Nov 2023 01:43:38 +1100 Subject: [PATCH 083/155] validation/policy: Check validity dates for generalized date cutoff --- .../src/policy/mod.rs | 40 ++++++++++++++----- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 3be723e6c5a5..e38df1a55e98 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -6,14 +6,14 @@ mod extension; use std::collections::HashSet; -use asn1::ObjectIdentifier; +use asn1::{DateTime, ObjectIdentifier}; use cryptography_x509::certificate::Certificate; use once_cell::sync::Lazy; use cryptography_x509::common::{ - AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, PSS_SHA256_HASH_ALG, - PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, - PSS_SHA512_MASK_GEN_ALG, + AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, + PSS_SHA256_HASH_ALG, PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, + PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; use cryptography_x509::extensions::{ BasicConstraints, DuplicateExtensionsError, Extensions, KeyUsage, SubjectAlternativeName, 
@@ -397,12 +397,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // 5280 4.1.2.5: Validity // Validity dates before 2050 MUST be encoded as UTCTime; // dates in or after 2050 MUST be encoded as GeneralizedTime. - // TODO: The existing `tbs_cert.validity` types don't expose this - // underlying detail. This check has no practical effect on the - // correctness of the certificate, so it's pretty low priority. - if &self.validation_time < cert.tbs_cert.validity.not_before.as_datetime() - || &self.validation_time > cert.tbs_cert.validity.not_after.as_datetime() - { + let not_before = cert.tbs_cert.validity.not_before.as_datetime(); + let not_after = cert.tbs_cert.validity.not_after.as_datetime(); + self.valid_validity_date(&cert.tbs_cert.validity.not_before, not_before)?; + self.valid_validity_date(&cert.tbs_cert.validity.not_after, not_after)?; + if &self.validation_time < not_before || &self.validation_time > not_after { return Err(PolicyError::Other("cert is not valid at validation time")); } @@ -566,6 +565,27 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .ok_or(PolicyError::Other("current depth calculation overflowed"))?), } } + + fn valid_validity_date(&self, validity_date: &Time, dt: &DateTime) -> Result<(), PolicyError> { + const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; + match validity_date { + Time::UtcTime(_) => { + if dt.year() >= GENERALIZED_DATE_CUTOFF_YEAR { + return Err(PolicyError::Other( + "validity dates after generalized date cutoff must be GeneralizedTime", + )); + } + } + Time::GeneralizedTime(_) => { + if dt.year() < GENERALIZED_DATE_CUTOFF_YEAR { + return Err(PolicyError::Other( + "validity dates before generalized date cutoff must be UtcTime", + )); + } + } + } + Ok(()) + } } #[cfg(test)] From 0c5ff83ddc235918cc6254dc44a8921de4865984 Mon Sep 17 00:00:00 2001 
From: Alex Cameron Date: Wed, 15 Nov 2023 02:08:07 +1100 Subject: [PATCH 084/155] validation/policy: Check for negative serial numbers --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index e38df1a55e98..0f2a97221532 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -386,6 +386,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // then forget to check whether that number would be negative, resulting // in a 21-byte encoding. return Err("certificate must have a serial between 1 and 20 octets".into()); + } else if serial_bytes[0] & 0x80 == 0x80 { + // If the high-bit is set, then we know the serial number is negative. + return Err("certificate serial number cannot be negative".into()); } // 5280 4.1.2.4: Issuer From 2ce7a34b26679231e65dc488a146888c66de089c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 14 Nov 2023 16:58:01 -0500 Subject: [PATCH 085/155] validation: only check spki and signature_alg when verifying sigs This is consistent with how other path validation libraries behave. Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 0f2a97221532..d485216b5169 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
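Review bot: The added `serial_bytes[0] & 0x80 == 0x80` branch indexes the first octet, so it is only panic-free if the preceding length condition (outside this hunk) rejects an empty serial; `serial_bytes.first()` or a one-line comment would make that dependency explicit. The context comment also suggests that a 21-byte encoding is tolerated for serials padded with a leading zero. If that is what the length check allows, nothing visible here confirms that the first octet of a 21-byte serial is `0x00`, so a positive serial longer than 20 octets may still pass. A guard such as `serial_bytes.len() == 21 && serial_bytes[0] != 0` would close that, assuming the length check is as the comment describes.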
@@ -413,24 +413,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ext_policy.permits(self, cert, &extensions)?; } - // CA/B 7.1.3.1 SubjectPublicKeyInfo - if !self - .permitted_public_key_algorithms - .contains(&cert.tbs_cert.spki.algorithm) - { - // TODO: Should probably include the OID here. - return Err("Forbidden public key algorithm".into()); - } - - // CA/B 7.1.3.2 Signature AlgorithmIdentifier - if !self - .permitted_signature_algorithms - .contains(&cert.signature_alg) - { - // TODO: Should probably include the OID here. - return Err("Forbidden signature algorithm".into()); - } - // Check that all critical extensions in this certificate are accounted for. let critical_extensions = extensions .iter() @@ -552,6 +534,24 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // The issuer needs to be a valid CA at the current depth. self.permits_ca(issuer, current_depth, issuer_extensions)?; + // CA/B 7.1.3.1 SubjectPublicKeyInfo + if !self + .permitted_public_key_algorithms + .contains(&child.tbs_cert.spki.algorithm) + { + // TODO: Should probably include the OID here. + return Err("Forbidden public key algorithm".into()); + } + + // CA/B 7.1.3.2 Signature AlgorithmIdentifier + if !self + .permitted_signature_algorithms + .contains(&child.signature_alg) + { + // TODO: Should probably include the OID here. + return Err("Forbidden signature algorithm".into()); + } + let pk = self .ops .public_key(issuer) From 0f6214f9ba748268a0f3dced90e4372bd3972e27 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 15 Nov 2023 12:10:38 -0500 Subject: [PATCH 086/155] validation: add API TODO Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index d485216b5169..33622f7f7815 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs 
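Review bot: The relocated CA/B 7.1.3.1 check in the second hunk tests `child.tbs_cert.spki.algorithm`, but the key that verifies the signature in this function is the issuer's (`self.ops.public_key(issuer)` just below). With the check removed from the per-certificate path in the first hunk, a trust anchor's key algorithm is compared with `permitted_public_key_algorithms` only if that certificate also appears as a child, which a root normally does not; a leaf that is itself listed in the store may likewise skip both checks. If that is intended (the commit message points to parity with other validators), a comment here should say so; otherwise also test `issuer.tbs_cert.spki.algorithm` before the key is used. The body of `valid_issuer` continues outside the hunk.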
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -387,7 +387,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // in a 21-byte encoding. return Err("certificate must have a serial between 1 and 20 octets".into()); } else if serial_bytes[0] & 0x80 == 0x80 { - // If the high-bit is set, then we know the serial number is negative. + // TODO: replace with `is_negative`: https://github.com/alex/rust-asn1/pull/425 return Err("certificate serial number cannot be negative".into()); } From 55e82f733515fde6be7158e8262a0737b60e48a0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 15 Nov 2023 12:11:34 -0500 Subject: [PATCH 087/155] test_limbo: more features Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 0391bcb71fdf..8fe06de64f59 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -25,6 +25,13 @@ # Our support for custom EKUs is limited, and we (like most impls.) don't # handle all EKU conditions under CABF. "pedantic-webpki-eku", + # Contains tests that fail as a matter of strict CA/BF policy, but + # aren't strictly a part of path validation (meaning that compliant + # validators largely ignore them), + "pedantic-webpki", + # Similarly: contains tests that fail based on a strict reading of RFC 5280 + # but are widely ignored by validators. + "pedantic-rfc5280", } From bf12b48a20635399673bdfc3c8f4eb631cd96d3a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 15 Nov 2023 13:53:26 -0500 Subject: [PATCH 088/155] policy/extension: allow missing AKI on CAs Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 60 ++++++++++--------- tests/x509/limbo/test_limbo.py | 10 ++++ 2 files changed, 43 insertions(+), 27 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 482fd73dde07..06f21448c150 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs 
@@ -237,42 +237,48 @@ pub(crate) mod ca { }; use crate::{ - certificate::cert_is_self_signed, ops::CryptoOps, policy::{Policy, PolicyError}, }; pub(crate) fn authority_key_identifier( - policy: &Policy<'_, B>, - cert: &Certificate<'_>, + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, ) -> Result<(), PolicyError> { - // The Authority Key Identifier MUST be present, with one exception: - // self-signed CAs may omit it. - match extn { - Some(extn) => { - let aki: AuthorityKeyIdentifier<'_> = extn.value()?; - // 7.1.2.11.1 Authority Key Identifier: - // authorityCertIssuer and authorityCertSerialNumber MUST NOT be present. - if aki.authority_cert_issuer.is_some() { - return Err( - "authorityKeyIdentifier must not contain authorityCertIssuer".into(), - ); - } + // CABF: AKI is required on all CA certificates *except* root CA certificates, + // where is it merely recommended. This is slightly different from RFC 5280, + // which requires AKI on all CA certificates *except* self-signed root CA certificates. + // + // This discrepancy poses a challenge: from a strict CABF perspective we should + // require the AKI unless we're on a root CA, but we lack the context to determine that + // here. We *could* infer that we're on a root by checking whether the CA is self-signed, + // but many root CAs still use RSA with SHA-1 (which is intentionally unsupported + // for signature verification). + // + // Consequently, the best we can currently do here is check whether the AKI conforms + // to the CABF mandated format, *if* it exists. This means that we will accept + // some chains that are not strictly CABF compliant (e.g. ones where intermediate + // CAs are missing AKIs), but this is a relatively minor discrepancy. 
+ if let Some(extn) = extn { + let aki: AuthorityKeyIdentifier<'_> = extn.value()?; + // 7.1.2.11.1 Authority Key Identifier: - if aki.authority_cert_serial_number.is_some() { - return Err( - "authorityKeyIdentifier must not contain authorityCertSerialNumber".into(), - ); - } + // keyIdentifier MUST be present. + // TODO: Check that keyIdentifier matches subjectKeyIdentifier. + if aki.key_identifier.is_none() { + return Err("authorityKeyIdentifier must contain keyIdentifier".into()); } - None => { - if !cert_is_self_signed(cert, &policy.ops) { - return Err( - "authorityKeyIdentifier must be present in cross-signed CA certificate" - .into(), - ); - } + + // authorityCertIssuer and authorityCertSerialNumber MUST NOT be present. + if aki.authority_cert_issuer.is_some() { + return Err("authorityKeyIdentifier must not contain authorityCertIssuer".into()); + } + + if aki.authority_cert_serial_number.is_some() { + return Err( + "authorityKeyIdentifier must not contain authorityCertSerialNumber".into(), + ); } } diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 8fe06de64f59..49e2c5cfb8ea 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -34,6 +34,13 @@ "pedantic-rfc5280", } +LIMBO_XFAIL_TESTCASES = { + # We currently allow intermediate CAs that don't have AKIs, which + # is technically forbidden under CABF. This is consistent with that + # Go's crypto/x509 and Rust's webpki crate do. + "rfc5280::intermediate-missing-aki" +} + def _get_limbo_peer(expected_peer): assert expected_peer is not None @@ -48,6 +55,9 @@ def _get_limbo_peer(expected_peer): def _limbo_testcase(testcase): + if testcase["id"] in LIMBO_XFAIL_TESTCASES: + return + features = testcase["features"] if features is not None and LIMBO_UNSUPPORTED_FEATURES.intersection( features From e665d3b36f0523129dee8652109414a49d82049d Mon Sep 17 00:00:00 2001 
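Review bot: The new rejection of an AKI that lacks `keyIdentifier` is a tightening that the commit title ("allow missing AKI on CAs") does not mention and that no unit test in this commit pins. I would add tests for a CA certificate whose AKI carries only authorityCertIssuer/authorityCertSerialNumber and for one whose AKI has no fields, so both the relaxed and the stricter path are covered. The rationale comment has a small slip: `where is it merely recommended` should read `where it is merely recommended`. The function body continues outside the hunk.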
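Review bot: `LIMBO_XFAIL_TESTCASES` is named as an expected-failure list, but the added `if testcase["id"] in LIMBO_XFAIL_TESTCASES: return` makes those cases pass silently, so neither a skip nor an unexpected pass is ever reported. For a validator that deliberately accepts chains CABF forbids, these known deviations should stay visible in test output. Either rename the set to say what it does (for example `LIMBO_SKIP_TESTCASES`), or run the case and assert that the result still differs from the expected one, so the entry has to be removed when behaviour changes. The rest of `_limbo_testcase` is outside the hunk.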
From: William Woodruff Date: Wed, 15 Nov 2023 14:49:26 -0500 Subject: [PATCH 089/155] tests/limbo: skip webpki::aki::root-with-aki-ski-mismatch Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 49e2c5cfb8ea..033c97958c89 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -36,9 +36,13 @@ LIMBO_XFAIL_TESTCASES = { # We currently allow intermediate CAs that don't have AKIs, which - # is technically forbidden under CABF. This is consistent with that + # is technically forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. - "rfc5280::intermediate-missing-aki" + "rfc5280::intermediate-missing-aki", + # We allow root CAs where the AKI and SKI mismatch, which is technically + # forbidden under CABF. This is consistent with what + # Go's crypto/x509 and Rust's webpki crate do. + "webpki::aki::root-with-aki-ski-mismatch", } From ba7dbf3db7b4ed0c3b4b550a0eec9a2457684dec Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Fri, 17 Nov 2023 16:39:07 +1100 Subject: [PATCH 090/155] tests: Remove `pedantic-webpki` from unsupported list --- tests/x509/limbo/test_limbo.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 033c97958c89..3c5437186efa 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py 
@@ -25,10 +25,6 @@ # Our support for custom EKUs is limited, and we (like most impls.) don't # handle all EKU conditions under CABF. "pedantic-webpki-eku", - # Contains tests that fail as a matter of strict CA/BF policy, but - # aren't strictly a part of path validation (meaning that compliant - # validators largely ignore them), - "pedantic-webpki", # Similarly: contains tests that fail based on a strict reading of RFC 5280 # but are widely ignored by validators. "pedantic-rfc5280", From 8d06d263643d2bc6dfcd9af539c69712ba537da1 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Fri, 17 Nov 2023 17:42:30 +1100 Subject: [PATCH 091/155] validation/policy: Remove unused conversion --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 33622f7f7815..8bb8d78a99cb 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -174,12 +174,6 @@ impl From for PolicyError { } } -impl From for PolicyError { - fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) - } -} - impl From<&'static str> for PolicyError { fn from(value: &'static str) -> Self { Self::Other(value) @@ -359,7 +353,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { - let extensions = cert.extensions()?; + let extensions = cert.extensions().map_err(PolicyError::DuplicateExtension)?; // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. From 0d98eaffc171521b0991b49e3802bc16a33bace6 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Fri, 17 Nov 2023 20:22:51 +1100 Subject: [PATCH 092/155] validation/policy: Add unit tests for validity dates --- .../src/policy/mod.rs | 99 ++++++++++++++----- 1 file changed, 75 insertions(+), 24 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 8bb8d78a99cb..96b1688af697 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -6,7 +6,7 @@ mod extension; use std::collections::HashSet; -use asn1::{DateTime, ObjectIdentifier}; +use asn1::ObjectIdentifier; use cryptography_x509::certificate::Certificate; use once_cell::sync::Lazy; @@ -396,8 +396,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // dates in or after 2050 MUST be encoded as GeneralizedTime. let not_before = cert.tbs_cert.validity.not_before.as_datetime(); let not_after = cert.tbs_cert.validity.not_after.as_datetime(); - self.valid_validity_date(&cert.tbs_cert.validity.not_before, not_before)?; - self.valid_validity_date(&cert.tbs_cert.validity.not_after, not_after)?; + valid_validity_date(&cert.tbs_cert.validity.not_before)?; + valid_validity_date(&cert.tbs_cert.validity.not_after)?; if &self.validation_time < not_before || &self.validation_time > not_after { return Err(PolicyError::Other("cert is not valid at validation time")); } 
@@ -562,34 +562,32 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .ok_or(PolicyError::Other("current depth calculation overflowed"))?), } } +} - fn valid_validity_date(&self, validity_date: &Time, dt: &DateTime) -> Result<(), PolicyError> { - const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; - match validity_date { - Time::UtcTime(_) => { - if dt.year() >= GENERALIZED_DATE_CUTOFF_YEAR { - return Err(PolicyError::Other( - "validity dates after generalized date cutoff must be GeneralizedTime", - )); - } - } - Time::GeneralizedTime(_) => { - if dt.year() < GENERALIZED_DATE_CUTOFF_YEAR { - return Err(PolicyError::Other( - "validity dates before generalized date cutoff must be UtcTime", - )); - } +fn valid_validity_date(validity_date: &Time) -> Result<(), PolicyError> { + const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; + match validity_date { + Time::UtcTime(_) => { + // NOTE: The `asn1::UtcTime` constructor already checks the underlying datetime year so + // it's not possible for this type to exist past the cutoff. + } + Time::GeneralizedTime(_) => { + if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { + return Err(PolicyError::Other( + "validity dates before generalized date cutoff must be UtcTime", + )); } } - Ok(()) } + Ok(()) } #[cfg(test)] mod tests { use std::ops::Deref; - use asn1::SequenceOfWriter; + use asn1::{DateTime, SequenceOfWriter}; + use cryptography_x509::common::Time; use cryptography_x509::{ extensions::SubjectAlternativeName, name::{GeneralName, UnvalidatedIA5String}, 
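Review bot: The `Time::UtcTime(_)` arm of `valid_validity_date` is now empty and relies on an invariant enforced in another crate (the `asn1::UtcTime` constructor), which nothing in this function checks. Adding `debug_assert!(validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR);` to that arm would keep the 2050 rule self-evident here and catch a change in the dependency during testing. The new free function also has no doc comment; I would add `/// Enforces the RFC 5280 4.1.2.5 encoding rule: GeneralizedTime is only valid for years >= 2050.`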
@@ -604,9 +602,9 @@ mod tests { }; use super::{ - ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, - RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, - WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, + valid_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; #[test] 
@@ -773,4 +771,57 @@ mod tests { assert!(!domain_sub.matches(&any_cryptography_io)); } } + + #[test] + fn test_validity_date() { + { + // Pre-2050 date. + let utc_dt = DateTime::new(1980, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(valid_validity_date(&utc_validity).is_ok()); + assert!(valid_validity_date(&generalized_validity).is_err()); + } + { + // 2049 date. + let utc_dt = DateTime::new(2049, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(valid_validity_date(&utc_validity).is_ok()); + assert!(valid_validity_date(&generalized_validity).is_err()); + } + { + // 2050 date. + let utc_dt = DateTime::new(2050, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(valid_validity_date(&generalized_validity).is_ok()); + } + { + // 2051 date. + let utc_dt = DateTime::new(2051, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + // The `asn1::UtcTime` constructor prevents this. + assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(valid_validity_date(&generalized_validity).is_ok()); + } + { + // Post-2050 date. + let utc_dt = DateTime::new(3050, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + // The `asn1::UtcTime` constructor prevents this. 
+ assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(valid_validity_date(&generalized_validity).is_ok()); + } + } } From 6be1f5072fd5f697b476d7edb8c2654a283bb7b3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 12:24:33 -0500 Subject: [PATCH 093/155] ci: remove a line Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e45d8293f540..481fd34b4e6f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -80,7 +80,6 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' - - name: Compute config hash and set config vars run: | DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" From 09377a52793df4925438a70cd259c6951fcb7bd7 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 17:58:50 -0500 Subject: [PATCH 094/155] validation: flatten error types Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 62 +++++++++++-------- .../src/policy/extension.rs | 58 ++++++++--------- .../src/policy/mod.rs | 54 +++++----------- 3 files changed, 80 insertions(+), 94 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 6777e7cac5ce..0a33e6180d35 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
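Review bot: `test_validity_date` only uses 1 January dates, so the instant the rule turns on is not exercised. The last moment before the cutoff, `DateTime::new(2049, 12, 31, 23, 59, 59)`, should be asserted to pass as `UtcTime` and fail as `GeneralizedTime`. The five blocks differ only in the year and the expected results, so a loop over `(year, utc_constructible, generalized_ok)` tuples would state the cases more compactly and make a missing boundary easier to spot.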
@@ -16,7 +16,7 @@ use std::collections::HashSet; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; -use cryptography_x509::extensions::Extensions; +use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; use cryptography_x509::{ certificate::Certificate, extensions::{NameConstraints, SubjectAlternativeName}, @@ -24,18 +24,39 @@ use cryptography_x509::{ oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; use ops::CryptoOps; -use policy::{Policy, PolicyError}; +use policy::Policy; use trust_store::Store; use types::DNSName; #[derive(Debug, PartialEq, Eq)] pub enum ValidationError { - Policy(PolicyError), + CandidatesExhausted, + Malformed(asn1::ParseError), + DuplicateExtension(DuplicateExtensionsError), + Other(String), } -impl From for ValidationError { - fn from(value: PolicyError) -> Self { - ValidationError::Policy(value) +impl From for ValidationError { + fn from(value: asn1::ParseError) -> Self { + Self::Malformed(value) + } +} + +impl From for ValidationError { + fn from(value: DuplicateExtensionsError) -> Self { + Self::DuplicateExtension(value) + } +} + +impl From<&str> for ValidationError { + fn from(value: &str) -> Self { + Self::Other(value.into()) + } +} + +impl From for ValidationError { + fn from(value: String) -> Self { + Self::Other(value) } } @@ -115,7 +136,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { extensions: &Extensions<'chain>, ) -> Result<(), ValidationError> { if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { - let nc: NameConstraints<'chain> = nc.value().map_err(PolicyError::Malformed)?; + let nc: NameConstraints<'chain> = nc.value()?; constraints.push(nc); } Ok(()) 
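Review bot: `ValidationError::Other(String)` in the second hunk now carries every policy rejection as free text, so callers cannot tell a name-constraint violation from a forbidden algorithm or a depth overflow without matching on message strings. For a verification API that distinction matters for logging and alerting; dedicated variants for the main rejection classes, as already done with `CandidatesExhausted`, would preserve it. The enum derives only `Debug, PartialEq, Eq` in this hunk; if no `Display` / `std::error::Error` impl exists elsewhere, it is worth adding one while the type is being reshaped, plus `#[non_exhaustive]` if the type is public API.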
@@ -132,7 +153,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let name = DNSName::new(name.0).unwrap(); Ok(Applied(pattern.matches(&name))) } else { - Err(PolicyError::Other("malformed DNS name constraint").into()) + Err("malformed DNS name constraint".into()) } } (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { @@ -140,7 +161,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let name = IPAddress::from_bytes(name).unwrap(); Ok(Applied(pattern.matches(&name))) } else { - Err(PolicyError::Other("malformed IP name constraint").into()) + Err("malformed IP name constraint".into()) } } _ => Ok(Skipped), @@ -153,7 +174,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { extensions: &Extensions<'chain>, ) -> Result<(), ValidationError> { if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { - let sans: SubjectAlternativeName<'_> = sans.value().map_err(PolicyError::Malformed)?; + let sans: SubjectAlternativeName<'_> = sans.value()?; for san in sans.clone() { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; @@ -171,19 +192,14 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { } } if !permit { - return Err( - PolicyError::Other("no permitted name constraints matched SAN").into(), - ); + return Err("no permitted name constraints matched SAN".into()); } for nc in constraints { if let Some(excluded_subtrees) = &nc.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { let status = self.apply_name_constraint(&e.base, &san)?; if status.is_match() { - return Err(PolicyError::Other( - "excluded name constraint matched SAN", - ) - .into()); + return Err("excluded name constraint matched SAN".into()); } } } 
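Review bot: The context lines keep `DNSName::new(name.0).unwrap()` in this hunk and `IPAddress::from_bytes(name).unwrap()` in the next one, both applied to SAN entries taken from the certificate being validated. Unless every SAN entry is validated before `apply_name_constraint` is reached (not visible in these hunks), a malformed DNS name or an address of unexpected length panics the validator instead of failing the chain. Since this commit gives the function a `From<&str>` error conversion, return an error instead: `let name = DNSName::new(name.0).ok_or("malformed DNS name in SAN")?;`, assuming `DNSName::new` returns an `Option` as `DNSConstraint::new` does, and the same shape for the IP arm.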
@@ -201,7 +217,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { extensions: &'a Extensions<'chain>, ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { - return Err(PolicyError::Other("chain construction exceeds max depth").into()); + return Err("chain construction exceeds max depth".into()); } // Look in the store's root set to see if the working cert is listed. @@ -222,9 +238,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // A candidate issuer is said to verify if it both // signs for the working certificate and conforms to the // policy. - let issuer_extensions = issuing_cert_candidate - .extensions() - .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; + let issuer_extensions = issuing_cert_candidate.extensions()?; if let Ok(next_depth) = self.policy.valid_issuer( issuing_cert_candidate, working_cert, @@ -261,7 +275,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // We only reach this if we fail to hit our base case above, or if // a chain building step fails to find a next valid certificate. - Err(PolicyError::Other("chain construction exhausted all candidates").into()) + Err(ValidationError::CandidatesExhausted) } fn build_chain(&self, leaf: &'a Certificate<'chain>) -> Result, ValidationError> { @@ -271,9 +285,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // // In the case that the leaf is an EE, this includes a check // against the EE cert's SANs. - let extensions = leaf - .extensions() - .map_err(|e| ValidationError::Policy(PolicyError::DuplicateExtension(e)))?; + let extensions = leaf.extensions()?; self.policy.permits_leaf(leaf, &extensions)?; diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 06f21448c150..3feaac90a793 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs 
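Review bot: In the second hunk, `let issuer_extensions = issuing_cert_candidate.extensions()?;` returns from the whole search when one candidate issuer has duplicate extensions, whereas a candidate that fails `valid_issuer` on the following lines is simply passed over by `if let Ok(next_depth)`. If this sits inside the loop over candidates, as the surrounding comment suggests, a single malformed certificate in the untrusted intermediate set can make an otherwise valid chain fail. Treat it like any other non-verifying candidate, e.g. `let Ok(issuer_extensions) = issuing_cert_candidate.extensions() else { continue };` (or the equivalent `match` on older toolchains). The loop header is outside the hunk.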
+++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ use crate::ops::CryptoOps; -use super::{Policy, PolicyError}; +use super::{Policy, ValidationError}; /// Represents different criticality states for an extension. pub(crate) enum Criticality { @@ -35,10 +35,10 @@ impl Criticality { } type PresentExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; + fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), ValidationError>; type MaybeExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), PolicyError>; + fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>; /// Represents different validation states for an extension. pub(crate) enum ExtensionValidator { @@ -108,18 +108,18 @@ impl ExtensionPolicy { policy: &Policy<'_, B>, cert: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { match (&self.validator, extensions.get_extension(&self.oid)) { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. - (ExtensionValidator::NotPresent, Some(_)) => Err(PolicyError::Other( - "EE certificate contains prohibited extension", - )), + (ExtensionValidator::NotPresent, Some(_)) => { + Err("EE certificate contains prohibited extension".into()) + } // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(PolicyError::Other( - "EE certificate is missing required extension", - )), + (ExtensionValidator::Present { .. }, None) => { + Err("EE certificate is missing required extension".into()) + } // Extension MUST be present and is; check it. ( ExtensionValidator::Present { 
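Review bot: The messages rewritten in `ExtensionPolicy::permits` (hunk `@@ -108,18 +108,18 @@` and the two hunks after it) all begin with `EE certificate`, but the same method is called for `ca_extension_policies` in `permits_ca`. A CA certificate that is missing a required extension is therefore reported as an EE problem. Since these lines are being touched anyway, drop the role from the text, e.g. `Err("certificate contains prohibited extension".into())`. Now that the error type can hold a `String`, including the extension OID (`self.oid`) in the message would also make the rejection easier to act on.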
@@ -129,9 +129,7 @@ impl ExtensionPolicy { Some(extn), ) => { if !criticality.permits(extn.critical) { - return Err(PolicyError::Other( - "EE certificate extension has incorrect criticality", - )); + return Err("EE certificate extension has incorrect criticality".into()); } // If a custom validator is supplied, apply it. @@ -150,9 +148,7 @@ impl ExtensionPolicy { .as_ref() .map_or(false, |extn| !criticality.permits(extn.critical)) { - return Err(PolicyError::Other( - "EE certificate extension has incorrect criticality", - )); + return Err("EE certificate extension has incorrect criticality".into()); } // If a custom validator is supplied, apply it. @@ -170,14 +166,14 @@ pub(crate) mod ee { use crate::{ ops::CryptoOps, - policy::{Policy, PolicyError}, + policy::{Policy, ValidationError}, }; pub(crate) fn basic_constraints( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { if let Some(extn) = extn { let basic_constraints: BasicConstraints = extn.value()?; @@ -193,7 +189,7 @@ pub(crate) mod ee { policy: &Policy<'_, B>, cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { match (cert.subject().is_empty(), extn.critical) { // If the subject is empty, the SAN MUST be critical. (true, false) => { @@ -211,7 +207,7 @@ pub(crate) mod ee { let san: SubjectAlternativeName<'_> = extn.value()?; match policy.subject.matches(&san) { true => Ok(()), - false => Err(PolicyError::Other("EE cert has no matching SAN")), + false => Err("EE cert has no matching SAN".into()), } } 
@@ -219,13 +215,13 @@ pub(crate) mod ee { policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; if ekus.any(|eku| eku == policy.extended_key_usage) { Ok(()) } else { - Err(PolicyError::Other("required EKU not found")) + Err("required EKU not found".into()) } } } @@ -238,14 +234,14 @@ pub(crate) mod ca { use crate::{ ops::CryptoOps, - policy::{Policy, PolicyError}, + policy::{Policy, ValidationError}, }; pub(crate) fn authority_key_identifier( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { // CABF: AKI is required on all CA certificates *except* root CA certificates, // where is it merely recommended. This is slightly different from RFC 5280, // which requires AKI on all CA certificates *except* self-signed root CA certificates. @@ -289,7 +285,7 @@ pub(crate) mod ca { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { let key_usage: KeyUsage<'_> = extn.value()?; if !key_usage.key_cert_sign() { @@ -303,7 +299,7 @@ pub(crate) mod ca { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { let basic_constraints: BasicConstraints = extn.value()?; if !basic_constraints.ca { @@ -324,14 +320,14 @@ pub(crate) mod common { use crate::{ ops::CryptoOps, - policy::{Policy, PolicyError}, + policy::{Policy, ValidationError}, }; pub(crate) fn authority_information_access( _policy: &Policy<'_, B>, _cert: &Certificate<'_>, extn: Option<&Extension<'_>>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { if let Some(extn) = extn { // We don't currently do anything useful with these, but we // do check that they're well-formed. 
@@ -347,7 +343,7 @@ mod tests { use super::{Criticality, ExtensionPolicy}; use crate::ops::tests::{cert, v1_cert_pem, NullOps}; use crate::ops::CryptoOps; - use crate::policy::{Policy, PolicyError, Subject}; + use crate::policy::{Policy, Subject, ValidationError}; use crate::types::DNSName; use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; @@ -398,7 +394,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { Ok(()) } @@ -447,7 +443,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: Option<&Extension<'_>>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { Ok(()) } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 96b1688af697..33e4045bb2b9 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -16,7 +16,7 @@ use cryptography_x509::common::{ PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; use cryptography_x509::extensions::{ - BasicConstraints, DuplicateExtensionsError, Extensions, KeyUsage, SubjectAlternativeName, + BasicConstraints, Extensions, KeyUsage, SubjectAlternativeName, }; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ @@ -30,6 +30,7 @@ use self::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::certificate::cert_is_self_issued; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress}; +use crate::ValidationError; // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. 
@@ -161,25 +162,6 @@ pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy for PolicyError { - fn from(value: asn1::ParseError) -> Self { - Self::Malformed(value) - } -} - -impl From<&'static str> for PolicyError { - fn from(value: &'static str) -> Self { - Self::Other(value) - } -} - /// Represents a logical certificate "subject," i.e. a principal matching /// one of the names listed in a certificate's `subjectAltNames` extension. pub enum Subject<'a> { @@ -352,8 +334,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } - fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), PolicyError> { - let extensions = cert.extensions().map_err(PolicyError::DuplicateExtension)?; + fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { + let extensions = cert.extensions()?; // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. @@ -399,7 +381,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { valid_validity_date(&cert.tbs_cert.validity.not_before)?; valid_validity_date(&cert.tbs_cert.validity.not_after)?; if &self.validation_time < not_before || &self.validation_time > not_after { - return Err(PolicyError::Other("cert is not valid at validation time")); + return Err("cert is not valid at validation time".into()); } // Extension policy checks. @@ -442,7 +424,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { &self, leaf: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. // Code like this will propagate irrelevant error messages out of the API. if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { @@ -460,7 +442,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { cert: &Certificate<'_>, current_depth: u8, extensions: &Extensions<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { self.permits_basic(cert)?; // 5280 4.1.2.6: Subject 
@@ -474,15 +456,13 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // requires a bit of extra external state (`current_depth`) that isn't // presently convenient to push into that layer. if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { - let bc: BasicConstraints = bc - .value() - .map_err(|_| PolicyError::Other("issuer has malformed basicConstraints"))?; + let bc: BasicConstraints = bc.value()?; if bc .path_length .map_or(false, |len| current_depth as u64 > len) { - return Err(PolicyError::Other("path length constraint violated")); + return Err(ValidationError::from("path length constraint violated"))?; } } @@ -498,7 +478,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { &self, cert: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { self.permits_basic(cert)?; for ext_policy in self.ee_extension_policies.iter() { @@ -524,7 +504,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { child: &Certificate<'_>, current_depth: u8, issuer_extensions: &Extensions<'_>, - ) -> Result { + ) -> Result { // The issuer needs to be a valid CA at the current depth. self.permits_ca(issuer, current_depth, issuer_extensions)?; @@ -549,9 +529,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { let pk = self .ops .public_key(issuer) - .map_err(|_| PolicyError::Other("issuer has malformed public key"))?; + .map_err(|_| ValidationError::from("issuer has malformed public key"))?; if self.ops.verify_signed_by(child, pk).is_err() { - return Err(PolicyError::Other("signature does not match")); + return Err("signature does not match".into()); } // Self-issued issuers don't increase the working depth. 
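Review bot: `return Err(ValidationError::from("path length constraint violated"))?;` in the path-length check applies `?` to an `Err` that is already being returned, which only routes the value through an extra `From` conversion. Every other converted site in this change uses the plain form, so write `return Err("path length constraint violated".into());`. The same hunk replaces the `map_err` on `bc.value()` with a bare `?`, so a malformed basicConstraints on an issuer now surfaces as a generic parse error with no hint of which extension failed; if that is intended, a one-line comment saying so would help. The enclosing function starts outside the hunk.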
@@ -559,12 +539,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { true => Ok(current_depth), false => Ok(current_depth .checked_add(1) - .ok_or(PolicyError::Other("current depth calculation overflowed"))?), + .ok_or_else(|| ValidationError::from("current depth calculation overflowed"))?), } } } -fn valid_validity_date(validity_date: &Time) -> Result<(), PolicyError> { +fn valid_validity_date(validity_date: &Time) -> Result<(), ValidationError> { const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; match validity_date { Time::UtcTime(_) => { @@ -573,9 +553,7 @@ fn valid_validity_date(validity_date: &Time) -> Result<(), PolicyError> { } Time::GeneralizedTime(_) => { if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { - return Err(PolicyError::Other( - "validity dates before generalized date cutoff must be UtcTime", - )); + return Err("validity dates before generalized date cutoff must be UtcTime".into()); } } } From 1a4cf74bfeaa96b82c8fc595d6377d8a19ea6bbc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 18:01:06 -0500 Subject: [PATCH 095/155] validation: remove unnecessary From impls Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 29 ++----------------- 1 file changed, 2 insertions(+), 27 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 33e4045bb2b9..c4dc991a4d52 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -189,18 +189,6 @@ impl Subject<'_> { } } -impl<'a> From> for Subject<'a> { - fn from(value: DNSName<'a>) -> Self { - Self::DNS(value) - } -} - -impl From for Subject<'_> { - fn from(value: IPAddress) -> Self { - Self::IP(value) - } -} - /// A `Policy` describes user-configurable aspects of X.509 path validation. pub struct Policy<'a, B: CryptoOps> { pub ops: B, 
@@ -687,23 +675,10 @@ mod tests { } } - #[test] - fn test_subject_from_impls() { - assert!(matches!( - Subject::from(DNSName::new("cryptography.io").unwrap()), - Subject::DNS(_) - )); - - assert!(matches!( - Subject::from(IPAddress::from_str("1.1.1.1").unwrap()), - Subject::IP(_) - )); - } - #[test] fn test_subject_matches() { - let domain_sub = Subject::from(DNSName::new("test.cryptography.io").unwrap()); - let ip_sub = Subject::from(IPAddress::from_str("127.0.0.1").unwrap()); + let domain_sub = Subject::DNS(DNSName::new("test.cryptography.io").unwrap()); + let ip_sub = Subject::IP(IPAddress::from_str("127.0.0.1").unwrap()); // Single SAN, domain wildcard. { From e93bc07c5d2b0cb8f9b78ff35fab97f8f07c8e86 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 18:07:21 -0500 Subject: [PATCH 096/155] validation: render OIDs in a few errors Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/mod.rs | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index c4dc991a4d52..4d9526d01028 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -501,8 +501,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .permitted_public_key_algorithms .contains(&child.tbs_cert.spki.algorithm) { - // TODO: Should probably include the OID here. - return Err("Forbidden public key algorithm".into()); + return Err(format!( + "Forbidden public key algorithm: {:?}", + &child.tbs_cert.spki.algorithm + ) + .into()); } // CA/B 7.1.3.2 Signature AlgorithmIdentifier 
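Review bot: Both new messages format the whole `AlgorithmIdentifier` with `{:?}`, here for `child.tbs_cert.spki.algorithm` and in the next hunk for `child.signature_alg`, so the error string carries a Debug dump of the algorithm parameters as well as the identifier. All of that text is taken from the certificate being rejected, i.e. untrusted input, and it lands in an error that callers are likely to log; it is also more than the OID the removed TODO asked for. Rendering only the identifier keeps the message short and predictable, e.g. `format!("Forbidden public key algorithm: {}", child.tbs_cert.spki.algorithm.oid())`, assuming the `oid()` accessor on `AlgorithmIdentifier` is available at this revision. The enclosing function starts outside the hunk.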
@@ -510,8 +513,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .permitted_signature_algorithms .contains(&child.signature_alg) { - // TODO: Should probably include the OID here. - return Err("Forbidden signature algorithm".into()); + return Err( + format!("Forbidden signature algorithm: {:?}", &child.signature_alg).into(), + ); } let pk = self From 6c577bee7eea084204255c06899e1b6ef37cd86b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 18:59:33 -0500 Subject: [PATCH 097/155] validation/policy: free coverage Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index c22c06ff66ed..883e62a0230d 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -549,9 +549,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Self-issued issuers don't increase the working depth. match cert_is_self_issued(issuer) { true => Ok(current_depth), - false => Ok(current_depth.checked_add(1).ok_or_else(|| { - ValidationError::Other("current depth calculation overflowed".to_string()) - })?), + false => Ok(current_depth.checked_add(1).ok_or(ValidationError::Other( + "current depth calculation overflowed".to_string(), + ))?), } } } From a8602326b93df0893c4c8bc28db5457e17630021 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 19:04:32 -0500 Subject: [PATCH 098/155] validation/policy: ok_or_else (no escaping the coverage gods) Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 883e62a0230d..c22c06ff66ed 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -549,9 +549,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Self-issued issuers don't increase the working depth. match cert_is_self_issued(issuer) { true => Ok(current_depth), - false => Ok(current_depth.checked_add(1).ok_or(ValidationError::Other( - "current depth calculation overflowed".to_string(), - ))?), + false => Ok(current_depth.checked_add(1).ok_or_else(|| { + ValidationError::Other("current depth calculation overflowed".to_string()) + })?), } } } From d231e1e68308411980c432de64be37541ef7fb43 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 12:48:37 -0500 Subject: [PATCH 099/155] validation/policy: remove no-op branch Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 42 +++++++++---------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index c22c06ff66ed..ff3e831cb122 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -378,8 +378,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // dates in or after 2050 MUST be encoded as GeneralizedTime. let not_before = cert.tbs_cert.validity.not_before.as_datetime(); let not_after = cert.tbs_cert.validity.not_after.as_datetime(); - valid_validity_date(&cert.tbs_cert.validity.not_before)?; - valid_validity_date(&cert.tbs_cert.validity.not_after)?; + permits_validity_date(&cert.tbs_cert.validity.not_before)?; + permits_validity_date(&cert.tbs_cert.validity.not_after)?; if &self.validation_time < not_before || &self.validation_time > not_after { return Err(ValidationError::Other( "cert is not valid at validation time".to_string(), 
@@ -556,21 +556,19 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } -fn valid_validity_date(validity_date: &Time) -> Result<(), ValidationError> { +fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> { const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; - match validity_date { - Time::UtcTime(_) => { - // NOTE: The `asn1::UtcTime` constructor already checks the underlying datetime year so - // it's not possible for this type to exist past the cutoff. - } - Time::GeneralizedTime(_) => { - if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { - return Err(ValidationError::Other( - "validity dates before generalized date cutoff must be UtcTime".to_string(), - )); - } + + // NOTE: The inverse check on `asn1::UtcTime` is already done for us + // by the variant's constructor. + if let Time::GeneralizedTime(_) = validity_date { + if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { + return Err(ValidationError::Other( + "validity dates before generalized date cutoff must be UtcTime".to_string(), + )); } } + Ok(()) } @@ -594,7 +592,7 @@ mod tests { }; use super::{ - valid_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + permits_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; @@ -760,8 +758,8 @@ mod tests { let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(valid_validity_date(&utc_validity).is_ok()); - assert!(valid_validity_date(&generalized_validity).is_err()); + assert!(permits_validity_date(&utc_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_err()); } { // 2049 date. 
@@ -770,8 +768,8 @@ mod tests { let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(valid_validity_date(&utc_validity).is_ok()); - assert!(valid_validity_date(&generalized_validity).is_err()); + assert!(permits_validity_date(&utc_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_err()); } { // 2050 date. @@ -780,7 +778,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(valid_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_ok()); } { // 2051 date. @@ -790,7 +788,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(valid_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_ok()); } { // Post-2050 date. @@ -800,7 +798,7 @@ mod tests { assert!(asn1::UtcTime::new(utc_dt).is_err()); let generalized_validity = Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); - assert!(valid_validity_date(&generalized_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_ok()); } } } From 7b4c2c0ec7500c20f33dc1d40ac5fa401b0593db Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 12:51:27 -0500 Subject: [PATCH 100/155] validation: add EKU note Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/extension.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index d9c73a3e7d2c..0a2204255ed8 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -226,6 +226,8 @@ pub(crate) mod ee { ) -> Result<(), ValidationError> { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + // NOTE: Exact match for now because CABF says that EE certs + // MUST NOT contain anyExtendedKeyUsage. if ekus.any(|eku| eku == policy.extended_key_usage) { Ok(()) } else { From 5ee09e57e9ab8f37ba06afd7f0e48e759b1edf00 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 15:50:15 -0500 Subject: [PATCH 101/155] validation: add invariant-preserving Intermediates type Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 32 +++++++++++++++---- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 446fc3474c82..63d49391abdb 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -48,6 +48,27 @@ impl From for ValidationError { } } +pub struct Intermediates<'a>(HashSet>); + +impl<'a> Intermediates<'a> { + fn new( + intermediates: impl IntoIterator>, + policy: &Policy<'_, B>, + ) -> Result { + Ok(Self( + intermediates + .into_iter() + .map( + |intermediate| match cert_is_self_signed(&intermediate, &policy.ops) { + true => Ok(intermediate), + false => Err(ValidationError::Other("oops".to_string())), + }, + ) + .collect::>()?, + )) + } +} + pub type Chain<'c> = Vec>; type IntermediateChain<'c> = (Chain<'c>, Vec>); 
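Review bot: The match arms in `Intermediates::new` are the wrong way round: `true => Ok(intermediate)` keeps a certificate when `cert_is_self_signed` reports it as self-signed and rejects every other one with the placeholder message "oops". This commit also drops the `!cert_is_self_signed` filter from the issuer-candidate iterator, so as written the only untrusted candidates left would be self-signed ones, the opposite of the removed note that self-signed certs can only be roots. Swap the arms (`true => Err(..)`, `false => Ok(intermediate)`) and give the error a descriptive message. The public type also has no doc comment stating its invariant; add `/// Untrusted intermediates, none of which is self-signed (self-signed certificates can only be trust anchors).`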
@@ -57,13 +78,13 @@ pub fn verify<'a, 'chain, B: CryptoOps>( policy: &Policy<'_, B>, store: &'a Store<'chain>, ) -> Result, ValidationError> { - let builder = ChainBuilder::new(HashSet::from_iter(intermediates), policy, store); + let builder = ChainBuilder::new(Intermediates::new(intermediates, policy)?, policy, store); builder.build_chain(leaf) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: HashSet>, + intermediates: Intermediates<'chain>, policy: &'a Policy<'a, B>, store: &'a Store<'chain>, } @@ -89,7 +110,7 @@ impl ApplyNameConstraintStatus { impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: HashSet>, + intermediates: Intermediates<'chain>, policy: &'a Policy<'a, B>, store: &'a Store<'chain>, ) -> Self { @@ -109,11 +130,8 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // rather than doing a linear scan // * Search by AKI and other identifiers? self.intermediates + .0 .iter() - // NOTE: The intermediate set isn't allowed to offer a self-signed - // certificate as a candidate, since self-signed certs can only - // be roots. - .filter(|&candidate| !cert_is_self_signed(candidate, &self.policy.ops)) .chain(self.store.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } From bd1553f3859821a42a35f7c186a2dd48b8e90509 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 15:53:32 -0500 Subject: [PATCH 102/155] validation: better error message Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 63d49391abdb..a8f6b409d18a 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -61,7 +61,9 @@ impl<'a> Intermediates<'a> { .map( |intermediate| match cert_is_self_signed(&intermediate, &policy.ops) { true => Ok(intermediate), - false => Err(ValidationError::Other("oops".to_string())), + false => Err(ValidationError::Other( + "self-signed certificate cannot be an intermediate".to_string(), + )), }, ) .collect::>()?, From 89067e2dcb05e4aa57800d228a6cb73aa3dc681e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 17:04:24 -0500 Subject: [PATCH 103/155] invert conditions Oops. Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ++-- tests/x509/limbo/test_limbo.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index a8f6b409d18a..d9f535945f43 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -60,10 +60,10 @@ impl<'a> Intermediates<'a> { .into_iter() .map( |intermediate| match cert_is_self_signed(&intermediate, &policy.ops) { - true => Ok(intermediate), - false => Err(ValidationError::Other( + true => Err(ValidationError::Other( "self-signed certificate cannot be an intermediate".to_string(), )), + false => Ok(intermediate), }, ) .collect::>()?, diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 3c5437186efa..1a2d9cb54a7c 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -101,13 +101,13 @@ def _limbo_testcase(testcase): built_chain = verifier.verify( peer_certificate, untrusted_intermediates ) - assert should_pass + assert should_pass, testcase["id"] # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate assert built_chain[-1] in trusted_certs except VerificationError: - assert not should_pass + assert not should_pass, testcase["id"] def test_limbo(subtests, pytestconfig): 
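Review bot: With the arms corrected, a single self-signed certificate anywhere in the caller's intermediates makes `Intermediates::new` return an error that `verify` propagates with `?`, whereas the filter this type replaced only skipped such certificates as issuer candidates. If callers pass a peer-supplied chain that happens to include its root, validation now fails before chain building starts. Either state that on `Intermediates::new` in a doc comment, or drop the offenders instead of failing, e.g. `.filter(|c| !cert_is_self_signed(c, &policy.ops))` before collecting. A Rust unit test with a self-signed entry among the intermediates would pin whichever behaviour is chosen.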
From adeb62dc9821b06bfd528b4c00cca3b4cba57252 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 20 Nov 2023 18:23:56 -0500 Subject: [PATCH 104/155] validation: rewrite error handling Plumb penultimate errors through the validation cycle. Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 74 ++++++++++++------- .../src/policy/extension.rs | 7 +- 2 files changed, 50 insertions(+), 31 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index d9f535945f43..400717c8de37 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -30,7 +30,7 @@ use types::DNSName; #[derive(Debug, PartialEq, Eq)] pub enum ValidationError { - CandidatesExhausted, + CandidatesExhausted(Box), Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), Other(String), 
@@ -252,48 +252,66 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Otherwise, we collect a list of potential issuers for this cert, // and continue with the first that verifies. + let mut last_err: Option = None; for issuing_cert_candidate in self.potential_issuers(working_cert) { // A candidate issuer is said to verify if it both // signs for the working certificate and conforms to the // policy. let issuer_extensions = issuing_cert_candidate.extensions()?; - if let Ok(next_depth) = self.policy.valid_issuer( + match self.policy.valid_issuer( issuing_cert_candidate, working_cert, current_depth, &issuer_extensions, ) { - let result = self.build_chain_inner( - issuing_cert_candidate, - next_depth, - false, - &issuer_extensions, - ); - if let Ok(result) = result { - let (remaining, mut constraints) = result; - // Name constraints are not applied to self-issued certificates unless they're - // the leaf certificate in the chain. - // - // NOTE: We can't simply check the `current_depth` since self-issued - // certificates don't increase the working depth. - let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; - if skip_name_constraints - || self - .apply_name_constraints(&constraints, extensions) - .is_ok() - { - let mut chain: Vec> = vec![working_cert.clone()]; - chain.extend(remaining); - self.build_name_constraints(&mut constraints, extensions)?; - return Ok((chain, constraints)); - } + Ok(next_depth) => { + match self.build_chain_inner( + issuing_cert_candidate, + next_depth, + false, + &issuer_extensions, + ) { + Ok((remaining, mut constraints)) => { + // Name constraints are not applied to self-issued certificates unless they're + // the leaf certificate in the chain. + // + // NOTE: We can't simply check the `current_depth` since self-issued + // certificates don't increase the working depth. 
+ let skip_name_constraints = + cert_is_self_issued(working_cert) && !is_leaf; + if skip_name_constraints + || self + .apply_name_constraints(&constraints, extensions) + .is_ok() + { + let mut chain: Vec> = + vec![working_cert.clone()]; + chain.extend(remaining); + self.build_name_constraints(&mut constraints, extensions)?; + return Ok((chain, constraints)); + } + } + Err(e) => last_err = Some(e), + }; } - } + Err(e) => last_err = Some(e), + }; } // We only reach this if we fail to hit our base case above, or if // a chain building step fails to find a next valid certificate. - Err(ValidationError::CandidatesExhausted) + Err(ValidationError::CandidatesExhausted(last_err.map_or_else( + || { + Box::new(ValidationError::Other( + "all candidates exhausted with no interior errors".to_string(), + )) + }, + |e| match e { + // Avoid spamming the user with nested `CandidatesExhausted` errors. + ValidationError::CandidatesExhausted(e) => e, + _ => Box::new(e), + }, + ))) } fn build_chain(&self, leaf: &'a Certificate<'chain>) -> Result, ValidationError> { diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 0a2204255ed8..0185b841e00d 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -115,9 +115,10 @@ impl ExtensionPolicy { "EE certificate contains prohibited extension".to_string(), )), // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( - "EE certificate is missing required extension".to_string(), - )), + (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other(format!( + "EE certificate is missing required extension: {}", + self.oid + ))), // Extension MUST be present and is; check it. ( ExtensionValidator::Present { From 518da01149543706868fe590c7bbb59d95a02338 Mon Sep 17 00:00:00 2001 
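Review bot: A candidate that is rejected by `apply_name_constraints` never reaches `last_err`, because the `.is_ok()` test in the `Ok((remaining, mut constraints))` arm discards the error and the loop simply moves on. When name constraints are what sank the last viable issuer, `CandidatesExhausted` then reports an unrelated earlier error or the "no interior errors" fallback, which hides the actual reason a chain was refused. Recording the failure, as sketched below, keeps the reported cause accurate; this assumes `apply_name_constraints` returns a `ValidationError`, which the hunk does not show. The enclosing `build_chain_inner` starts outside the hunk.

```rust
Ok((remaining, mut constraints)) => {
    let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf;
    if !skip_name_constraints {
        // Keep the rejection so CandidatesExhausted can report it.
        if let Err(e) = self.apply_name_constraints(&constraints, extensions) {
            last_err = Some(e);
            continue;
        }
    }
    // … unchanged: assemble chain, build_name_constraints, return Ok((chain, constraints)) …
}
```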
From: William Woodruff Date: Mon, 20 Nov 2023 18:47:13 -0500 Subject: [PATCH 105/155] lib: misleading comment Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 400717c8de37..d7ed6b265208 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -240,10 +240,6 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. - // - // Observe that no issuer connection or signature verification happens - // here: inclusion in the root set implies a trust relationship, - // even if the working certificate is an EE or intermediate CA. if self.store.contains(working_cert) { let mut constraints = vec![]; self.build_name_constraints(&mut constraints, extensions)?; From f964ce77c52745acfc06e81321119bfb792b93dc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 21 Nov 2023 18:38:00 -0500 Subject: [PATCH 106/155] test_limbo: handle IPv6 addresses correctly Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 1a2d9cb54a7c..2cede7362bde 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -3,9 +3,9 @@ # for complete details. import datetime +import ipaddress import json import os -from ipaddress import IPv4Address from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate @@ -51,7 +51,7 @@ def _get_limbo_peer(expected_peer): if kind == "DNS": return x509.DNSName(value) else: - return x509.IPAddress(IPv4Address(value)) + return x509.IPAddress(ipaddress.ip_address(value)) def _limbo_testcase(testcase): 
From 48af1c5b52c1231374e701d8d2b59a139110c782 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 22 Nov 2023 15:04:58 -0500 Subject: [PATCH 107/155] test_limbo: add another feature flag Signed-off-by: William Woodruff --- tests/x509/limbo/test_limbo.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/limbo/test_limbo.py index 2cede7362bde..ee80e9a43998 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/limbo/test_limbo.py @@ -28,6 +28,10 @@ # Similarly: contains tests that fail based on a strict reading of RFC 5280 # but are widely ignored by validators. "pedantic-rfc5280", + # In rare circumstances, CABF relaxes RFC 5280's prescriptions in + # incompatible ways. Our validator always tries (by default) to comply + # closer to CABF, so we skip these. + "rfc5280-incompatible-with-webpki", } LIMBO_XFAIL_TESTCASES = { From c79f40be74553b5e2db8548fdaf4284e9f92c82d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 22 Nov 2023 15:29:52 -0500 Subject: [PATCH 108/155] validation/extensions: add some NC checks Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 51 ++++++++++++++++++- .../src/policy/mod.rs | 7 ++- 2 files changed, 56 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 0185b841e00d..457ca84ca421 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -240,7 +240,9 @@ pub(crate) mod ee { pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, - extensions::{AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage}, + extensions::{ + self, AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage, NameConstraints, + }, }; use crate::{ 
@@ -328,6 +330,53 @@ pub(crate) mod ca { Ok(()) } + pub(crate) fn name_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let name_constraints: NameConstraints<'_> = extn.value()?; + + let permitted_subtrees_empty = name_constraints + .permitted_subtrees + .as_ref() + .map_or(true, |pst| pst.unwrap_read().is_empty()); + let excluded_subtrees_empty = name_constraints + .excluded_subtrees + .as_ref() + .map_or(true, |est| est.unwrap_read().is_empty()); + + if permitted_subtrees_empty && excluded_subtrees_empty { + return Err(ValidationError::Other( + "nameConstraints must have non-empty permittedSubtrees or excludedSubtrees" + .to_string(), + )); + } + + let all_general_subtrees = name_constraints + .permitted_subtrees + .iter() + .flat_map(|pst| pst.unwrap_read().clone()) + .chain( + name_constraints + .excluded_subtrees + .iter() + .flat_map(|est| est.unwrap_read().clone()), + ); + for general_subtree in all_general_subtrees { + // 7.1.2.5.2 and 7.1.2.10.8: minimum and maximum MUST NOT be present. + if general_subtree.maximum.is_some() || general_subtree.maximum.is_some() { + return Err(ValidationError::Other( + "nameConstraints must not have minimum or maxmimum constraints".to_string(), + )); + } + } + } + + Ok(()) + } + // TODO: Validate EKUs for non-root CAs as well. } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index ff3e831cb122..fb10418d5d61 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
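Review bot: In the loop over `all_general_subtrees` in `ca::name_constraints`, the condition tests `general_subtree.maximum.is_some()` twice, so a subtree with a non-default `minimum` is never rejected even though the comment above says both fields must be absent. The first operand should test the minimum, e.g. `if general_subtree.minimum != 0 || general_subtree.maximum.is_some() {`, assuming `minimum` is a plain integer that defaults to 0 (confirm against the `GeneralSubtree` definition). The error string in the same branch also misspells "maximum" as "maxmimum".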
@@ -285,7 +285,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Some(ca::basic_constraints), ), // 5280 4.2.1.10: Name Constraints - ExtensionPolicy::maybe_present(NAME_CONSTRAINTS_OID, Criticality::Critical, None), + // NOTE: MUST be critical in 5280, but CABF relaxes to MAY. + ExtensionPolicy::maybe_present( + NAME_CONSTRAINTS_OID, + Criticality::Agnostic, + Some(ca::name_constraints), + ), // 5280 4.2.1.10: Policy Constraints ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), ]), From a29c73e72e2f67982e11233b6245c8d10970f2bb Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 22 Nov 2023 15:32:03 -0500 Subject: [PATCH 109/155] lintage Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/extension.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 457ca84ca421..9eadc2621175 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -241,7 +241,7 @@ pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, extensions::{ - self, AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage, NameConstraints, + AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage, NameConstraints, }, }; From bab3d2a24e9ff7af659c33f9e77f44b48dcb8376 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 22 Nov 2023 15:58:52 -0500 Subject: [PATCH 110/155] validation/extension: fix subtree check Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/extension.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 9eadc2621175..9fa7b4d608d3 100644 
--- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -366,7 +366,7 @@ pub(crate) mod ca { ); for general_subtree in all_general_subtrees { // 7.1.2.5.2 and 7.1.2.10.8: minimum and maximum MUST NOT be present. - if general_subtree.maximum.is_some() || general_subtree.maximum.is_some() { + if general_subtree.minimum != 0 || general_subtree.maximum.is_some() { return Err(ValidationError::Other( "nameConstraints must not have minimum or maxmimum constraints".to_string(), )); From 8135121a18240253be1d33215e67ed0564560475 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 22 Nov 2023 17:04:00 -0500 Subject: [PATCH 111/155] validation/extension: remove pedantic check Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 21 +++---------------- 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 9fa7b4d608d3..bf62dafa6b3b 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -354,24 +354,9 @@ pub(crate) mod ca { )); } - let all_general_subtrees = name_constraints - .permitted_subtrees - .iter() - .flat_map(|pst| pst.unwrap_read().clone()) - .chain( - name_constraints - .excluded_subtrees - .iter() - .flat_map(|est| est.unwrap_read().clone()), - ); - for general_subtree in all_general_subtrees { - // 7.1.2.5.2 and 7.1.2.10.8: minimum and maximum MUST NOT be present. - if general_subtree.minimum != 0 || general_subtree.maximum.is_some() { - return Err(ValidationError::Other( - "nameConstraints must not have minimum or maxmimum constraints".to_string(), - )); - } - } + // NOTE: Both RFC 5280 and CABF require each `GeneralSubtree` + // to have `minimum=0` and `maximum=NULL`, but experimentally + // not many validators check for this. } Ok(()) 
From 31d7d81d73a1ba5ded381faabbe696dfa89b6e72 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 12:46:27 -0500 Subject: [PATCH 112/155] validation: avoid an intermediate vector Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index d7ed6b265208..8f6cba73ccfd 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -267,7 +267,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { false, &issuer_extensions, ) { - Ok((remaining, mut constraints)) => { + Ok((mut chain, mut constraints)) => { // Name constraints are not applied to self-issued certificates unless they're // the leaf certificate in the chain. // @@ -280,9 +280,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { .apply_name_constraints(&constraints, extensions) .is_ok() { - let mut chain: Vec> = - vec![working_cert.clone()]; - chain.extend(remaining); + chain.insert(0, working_cert.clone()); self.build_name_constraints(&mut constraints, extensions)?; return Ok((chain, constraints)); } From d294958ea5ed37d3d4b6e5ec37c545aa837e1fcf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 12:48:13 -0500 Subject: [PATCH 113/155] validation: `&Vec<_>` -> `&[_]` Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 8f6cba73ccfd..308a6af77fe8 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -182,7 +182,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn apply_name_constraints( &self, - constraints: &Vec>, + constraints: &[NameConstraints<'chain>], extensions: &Extensions<'chain>, ) -> Result<(), ValidationError> { if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { From d1b0a3376f71653f34bdd68b22f067e956cf6983 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 13:00:42 -0500 Subject: [PATCH 114/155] validation: search the store first Effectively means that we'll prefer shorter chains. Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 308a6af77fe8..9aa27fe47faa 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -131,10 +131,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // * Use a backing structure that allows us to search by name // rather than doing a linear scan // * Search by AKI and other identifiers? - self.intermediates - .0 + self.store .iter() - .chain(self.store.iter()) + .chain(self.intermediates.0.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } From 6c2eafe027da65bd9ee4ea13d3b698b888cfc0e2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 13:02:18 -0500 Subject: [PATCH 115/155] validation: simplify match Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 9aa27fe47faa..040e4499f740 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -320,10 +320,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let result = self.build_chain_inner(leaf, 0, true, &extensions); match result { - Ok(result) => { - let (chain, _) = result; - Ok(chain) - } + Ok((chain, _)) => Ok(chain), Err(error) => Err(error), } } From f591c12d1a74034cdff34c8307e11795876b148d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 13:02:53 -0500 Subject: [PATCH 116/155] validation: rename IntermediateChain -> PartialChainState Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 040e4499f740..a3408c595467 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -72,7 +72,7 @@ impl<'a> Intermediates<'a> { } pub type Chain<'c> = Vec>; -type IntermediateChain<'c> = (Chain<'c>, Vec>); +type PartialChainState<'c> = (Chain<'c>, Vec>); pub fn verify<'a, 'chain, B: CryptoOps>( leaf: &'a Certificate<'chain>, @@ -230,7 +230,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { current_depth: u8, is_leaf: bool, extensions: &'a Extensions<'chain>, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(ValidationError::Other( "chain construction exceeds max depth".into(), From 1adf14f31321d599833e3f4a096edb3d5eeef06a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 13:05:58 -0500 Subject: [PATCH 117/155] policy/extension: add a NOTE about pathLength validation Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/extension.rs | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index bf62dafa6b3b..c6f37eddb062 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -327,6 +327,10 @@ pub(crate) mod ca { )); } + // NOTE: basicConstraints.pathLength is checked as part of + // `Policy::permits_ca`, since we need the current chain building + // depth to check it. + Ok(()) } From 9ce06d0c8b105427be12ee23be31ef2520cf15ef Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 13:42:50 -0500 Subject: [PATCH 118/155] tests/x509: restructure verification tests Signed-off-by: William Woodruff --- tests/x509/{limbo => verification}/__init__.py | 0 tests/x509/{limbo => verification}/test_limbo.py | 16 ++++++++-------- .../x509/{ => verification}/test_verification.py | 0 3 files changed, 8 insertions(+), 8 deletions(-) rename tests/x509/{limbo => verification}/__init__.py (100%) rename tests/x509/{limbo => verification}/test_limbo.py (94%) rename tests/x509/{ => verification}/test_verification.py (100%) diff --git a/tests/x509/limbo/__init__.py b/tests/x509/verification/__init__.py similarity index 100% rename from tests/x509/limbo/__init__.py rename to tests/x509/verification/__init__.py diff --git a/tests/x509/limbo/test_limbo.py b/tests/x509/verification/test_limbo.py similarity index 94% rename from tests/x509/limbo/test_limbo.py rename to tests/x509/verification/test_limbo.py index ee80e9a43998..7b8f9099e334 100644 --- a/tests/x509/limbo/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -7,6 +7,8 @@ import json import os +import pytest + from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.verification import ( 
@@ -34,7 +36,7 @@ "rfc5280-incompatible-with-webpki", } -LIMBO_XFAIL_TESTCASES = { +LIMBO_SKIP_TESTCASES = { # We currently allow intermediate CAs that don't have AKIs, which # is technically forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. @@ -47,8 +49,6 @@ def _get_limbo_peer(expected_peer): - assert expected_peer is not None - kind = expected_peer["kind"] assert kind in ("DNS", "IP") value = expected_peer["value"] @@ -59,7 +59,7 @@ def _get_limbo_peer(expected_peer): def _limbo_testcase(testcase): - if testcase["id"] in LIMBO_XFAIL_TESTCASES: + if testcase["id"] in LIMBO_SKIP_TESTCASES: return features = testcase["features"] @@ -101,17 +101,17 @@ def _limbo_testcase(testcase): max_chain_depth=max_chain_depth, ).build_server_verifier(peer_name) - try: + if should_pass: built_chain = verifier.verify( peer_certificate, untrusted_intermediates ) - assert should_pass, testcase["id"] # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate assert built_chain[-1] in trusted_certs - except VerificationError: - assert not should_pass, testcase["id"] + else: + with pytest.raises(VerificationError): + verifier.verify(peer_certificate, untrusted_intermediates) def test_limbo(subtests, pytestconfig): diff --git a/tests/x509/test_verification.py b/tests/x509/verification/test_verification.py similarity index 100% rename from tests/x509/test_verification.py rename to tests/x509/verification/test_verification.py From 030b79f74b0ae941447dceab47ccff1e04a9270c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 19:54:09 -0500 Subject: [PATCH 119/155] test_limbo: update ID Signed-off-by: William Woodruff --- tests/x509/verification/test_limbo.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 7b8f9099e334..95c87a1479d1 100644 
--- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -40,7 +40,7 @@ # We currently allow intermediate CAs that don't have AKIs, which # is technically forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. - "rfc5280::intermediate-missing-aki", + "rfc5280::aki::intermediate-missing-aki", # We allow root CAs where the AKI and SKI mismatch, which is technically # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. From b6de1f91c3077c719a89545ec090037555bbf31f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 20:11:44 -0500 Subject: [PATCH 120/155] validation: expand NC skip comment Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index a3408c595467..cba4fe691c9a 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -267,11 +267,18 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { &issuer_extensions, ) { Ok((mut chain, mut constraints)) => { - // Name constraints are not applied to self-issued certificates unless they're - // the leaf certificate in the chain. + // Per RFC 5280: Name constraints are not applied + // to self-issued certificates, *unless* the + // certificate is the final certificate in the path. // - // NOTE: We can't simply check the `current_depth` since self-issued - // certificates don't increase the working depth. + // Naively we'd check `current_depth == 0` to determine + // if we're checking the final certificate, but this + // isn't sufficient: self-issued certificates don't + // increase the depth, so we pass in a special-purpose + // `is_leaf` state that's only true on the first chain + // building step. + // + // See: RFC 5280 4.2.1.10 let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; if skip_name_constraints From 6e6d7c7af716b7c9787b6968b6cdf5925126c667 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 23 Nov 2023 23:38:19 -0500 Subject: [PATCH 121/155] validation: fixup NC handling, expose NC errors Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 38 +++++++++++++------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index cba4fe691c9a..2f9dcb0eee95 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -201,12 +201,14 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { } } } + + if !permit { + return Err(ValidationError::Other( + "no permitted name constraints matched SAN".into(), + )); + } } - if !permit { - return Err(ValidationError::Other( - "no permitted name constraints matched SAN".into(), - )); - } + for nc in constraints { if let Some(excluded_subtrees) = &nc.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { @@ -281,14 +283,26 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // See: RFC 5280 4.2.1.10 let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; - if skip_name_constraints - || self - .apply_name_constraints(&constraints, extensions) - .is_ok() - { + + let name_constraints_pass = match skip_name_constraints { + true => true, + false => { + match self.apply_name_constraints(&constraints, extensions) { + Ok(()) => true, + Err(e) => { + last_err = Some(e); + false + } + } + } + }; + + if name_constraints_pass { chain.insert(0, working_cert.clone()); - self.build_name_constraints(&mut constraints, extensions)?; - return Ok((chain, constraints)); + match self.build_name_constraints(&mut constraints, extensions) { + Ok(()) => return Ok((chain, constraints)), + Err(e) => last_err = Some(e), + }; } } Err(e) => last_err = Some(e), From 6607e75b8f49625161705f4d9b50f3c29da5724e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 24 Nov 2023 10:10:59 -0500 Subject: [PATCH 122/155] validation: remove unreachable error case Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 2f9dcb0eee95..46597b0fd37c 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -299,10 +299,8 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { if name_constraints_pass { chain.insert(0, working_cert.clone()); - match self.build_name_constraints(&mut constraints, extensions) { - Ok(()) => return Ok((chain, constraints)), - Err(e) => last_err = Some(e), - }; + self.build_name_constraints(&mut constraints, extensions)?; + return Ok((chain, constraints)); } } Err(e) => last_err = Some(e), From 24ecf763fa4cc4a45b5ca7dd3f693a996625a43f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 24 Nov 2023 11:07:49 -0500 Subject: [PATCH 123/155] validation: remove unnecessary clone Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 46597b0fd37c..d8a5af31ecf4 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -186,7 +186,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ) -> Result<(), ValidationError> { if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { let sans: SubjectAlternativeName<'_> = sans.value()?; - for san in sans.clone() { + for san in sans { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; for nc in constraints { From 3060a7031720b00416db3db4cd8a938cd6b4e3a9 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 17:25:00 -0500 Subject: [PATCH 124/155] validation: handle malformed SANs in NC checking Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 37 ++++++++++++------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index d8a5af31ecf4..10795f7d6492 100644 
--- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -156,23 +156,32 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ) -> Result { match (constraint, san) { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { - if let Some(pattern) = DNSConstraint::new(pattern.0) { - let name = DNSName::new(name.0).unwrap(); - Ok(Applied(pattern.matches(&name))) - } else { - Err(ValidationError::Other( - "malformed DNS name constraint".to_string(), - )) + match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (Some(_), None) => Err(ValidationError::Other(format!( + "unsatisfiable DNS name constraint: NC {} cannot match SAN {}", + pattern.0, name.0 + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed DNS name constraint: {}", + pattern.0 + ))), } } (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { - if let Some(pattern) = IPConstraint::from_bytes(pattern) { - let name = IPAddress::from_bytes(name).unwrap(); - Ok(Applied(pattern.matches(&name))) - } else { - Err(ValidationError::Other( - "malformed IP name constraint".to_string(), - )) + match ( + IPConstraint::from_bytes(pattern), + IPAddress::from_bytes(name), + ) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (Some(_), None) => Err(ValidationError::Other(format!( + "unsatisfiable IP name constraint: NC {:?} cannot match SAN {:?}", + pattern, name, + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed IP name constraints: {:?}", + pattern + ))), } } _ => Ok(Skipped), From e1ee96709f15066ca8bd016a43f8e639c1e93b18 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 17:42:43 -0500 Subject: [PATCH 125/155] validation: allow SN==0 
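Review bot: The two DNS arms format `pattern.0` and `name.0` into the error with `{}`, and both values are taken from the certificates under validation, so whatever characters they contain end up verbatim in an error string that callers may well log. The IP arms already use `{:?}`; doing the same for DNS, e.g. `"malformed DNS name constraint: {:?}"`, would escape control characters. Separately, the `(Some(_), None)` arms report an "unsatisfiable ... name constraint" when it is the SAN that failed to parse, and the IP message says "constraints" where the DNS one says "constraint". The enclosing function starts and ends outside the hunk.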
Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/mod.rs | 10 ++++++---- tests/x509/verification/test_limbo.py | 4 ++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index fb10418d5d61..4cf04f6397d0 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -350,10 +350,12 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // 5280 4.1.2.2: Serial Number let serial_bytes = cert.tbs_cert.serial.as_bytes(); if serial_bytes.len() == 1 && serial_bytes[0] == 0 { - // The serial number MUST be a positive integer. - return Err(ValidationError::Other( - "certificate serial number must not be 0".to_string(), - )); + // Per 5280: The serial number MUST be a positive integer. + // In practice, there are a few roots in common trust stores (like certifi) + // that have `serial == 0`, so we can't enforce this. + // It's left as a separate return condition here so that + // an error case can be added in the distant future. + return Ok(()); } else if !(1..=21).contains(&serial_bytes.len()) { // Conforming CAs MUST NOT use serial numbers longer than 20 octets. // NOTE: In practice, this requires us to check for an encoding of diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 95c87a1479d1..9a312d797067 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -37,6 +37,10 @@ } LIMBO_SKIP_TESTCASES = { + # We allow certificates with serial numbers of zero. This is + # invalid under RFC 5280 but is widely violated by certs in common + # trust stores. + "rfc5280::serial-number-zero", # We currently allow intermediate CAs that don't have AKIs, which # is technically forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. 
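Review bot: The `return Ok(());` added to the zero-serial branch in policy/mod.rs exits the whole function rather than just the serial-number check, so a certificate with serial 0 skips everything that follows this point. The rest of the body is outside the hunk, but the `5280 4.1.2.2` section comment suggests further per-field checks come after it; that should be confirmed. A one-byte serial already satisfies `(1..=21).contains(&serial_bytes.len())`, so the branch can be dropped and the explanation kept as a comment above `if !(1..=21).contains(&serial_bytes.len()) {`.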
From 642e72e19a006bcbde5184f6ee912eeff8e24d7f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 20:43:53 -0500 Subject: [PATCH 126/155] validation: remove redundant branch Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/mod.rs | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 4cf04f6397d0..8b2adc74ecf9 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -348,15 +348,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } // 5280 4.1.2.2: Serial Number + // Per 5280: The serial number MUST be a positive integer. + // In practice, there are a few roots in common trust stores (like certifi) + // that have `serial == 0`, so we can't enforce this yet. let serial_bytes = cert.tbs_cert.serial.as_bytes(); - if serial_bytes.len() == 1 && serial_bytes[0] == 0 { - // Per 5280: The serial number MUST be a positive integer. - // In practice, there are a few roots in common trust stores (like certifi) - // that have `serial == 0`, so we can't enforce this. - // It's left as a separate return condition here so that - // an error case can be added in the distant future. - return Ok(()); - } else if !(1..=21).contains(&serial_bytes.len()) { + if !(1..=21).contains(&serial_bytes.len()) { // Conforming CAs MUST NOT use serial numbers longer than 20 octets. // NOTE: In practice, this requires us to check for an encoding of // 21 octets, since some CAs generate 20 bytes of randomness and From c6d502e5aa3861b11d6b1c4120f27b8b52c66e00 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 21:03:51 -0500 Subject: [PATCH 127/155] validation: relax SKI check on CA certs 
Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 4 +++- tests/x509/verification/test_limbo.py | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 8b2adc74ecf9..b0614584ea34 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -271,7 +271,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Some(ca::authority_key_identifier), ), // 5280 4.2.1.2: Subject Key Identifier - ExtensionPolicy::present( + // NOTE: CABF requires SKI in CA certificates, but many older CAs lack it. + // We choose to be permissive here. + ExtensionPolicy::maybe_present( SUBJECT_KEY_IDENTIFIER_OID, Criticality::NonCritical, None, diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 9a312d797067..87da82e42ecf 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -41,6 +41,11 @@ # invalid under RFC 5280 but is widely violated by certs in common # trust stores. "rfc5280::serial-number-zero", + # We allow CAs that don't have AKIs, which is forbidden under + # RFC 5280. This is consistent with what Go's crypto/x509 and Rust's + # webpki crate do. + "rfc5280::ski::root-missing-ski", + "rfc5280::ski::intermediate-missing-ski", # We currently allow intermediate CAs that don't have AKIs, which # is technically forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. From e26feb874f24391db54645078c01f928e69334e5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 21:06:39 -0500 Subject: [PATCH 128/155] validation: document BC handling Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 3 +++ 1 file changed, 3 insertions(+) 
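Review bot: In the test_limbo.py hunk, the comment added above `"rfc5280::ski::root-missing-ski"` says the validator allows CAs that lack AKIs, but the two IDs it introduces are the missing-SKI cases and this commit relaxes the Subject Key Identifier policy. The following entry already carries an AKI comment, so the two blocks now read as duplicates; "AKIs" here should be "SKIs". The policy/mod.rs comment attributes the SKI requirement to CABF while this one cites RFC 5280, and the two should name the same source.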
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index b0614584ea34..ec67f1b3d046 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -464,6 +464,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // to test here. It's also conceptually an extension policy, but // requires a bit of extra external state (`current_depth`) that isn't // presently convenient to push into that layer. + // + // NOTE: BasicConstraints is required via `ca_extension_policies`, + // so we always take this branch. if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { let bc: BasicConstraints = bc.value()?; From b1e8d2a5bb256a9454415e04cc5c80bf24663c50 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 25 Nov 2023 21:14:13 -0500 Subject: [PATCH 129/155] validation: document precondition on valid_issuer Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index ec67f1b3d046..6739e312f59e 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -508,6 +508,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// This checks that `issuer` is permitted under this policy and that /// it was used to sign for `child`. /// + /// As a precondition, the caller must have already checked that + /// `issuer.subject() == child.issuer()`. + /// /// On success, this function returns the new path-building depth. This /// may or may not be a higher number than the original depth, depending /// on the kind of validation performed (e.g., whether the issuer was From dcc7069f6b3f7badd284d0e5ca47f485e41f81d6 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Fri, 1 Dec 2023 00:33:06 +0100 Subject: [PATCH 130/155] validation: make EKU in EEs optional Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 20 +++++++++++-------- .../src/policy/mod.rs | 5 ++++- tests/x509/verification/test_limbo.py | 2 +- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index c6f37eddb062..e76b4c2c99cc 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -223,16 +223,20 @@ pub(crate) mod ee { pub(crate) fn extended_key_usage( policy: &Policy<'_, B>, _cert: &Certificate<'_>, - extn: &Extension<'_>, + extn: Option<&Extension<'_>>, ) -> Result<(), ValidationError> { - let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; - - // NOTE: Exact match for now because CABF says that EE certs - // MUST NOT contain anyExtendedKeyUsage. - if ekus.any(|eku| eku == policy.extended_key_usage) { - Ok(()) + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // NOTE: Exact match for now because CABF says that EE certs + // MUST NOT contain anyExtendedKeyUsage. + if ekus.any(|eku| eku == policy.extended_key_usage) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } } else { - Err(ValidationError::Other("required EKU not found".to_string())) + Ok(()) } } } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 6739e312f59e..d509e5757807 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
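Review bot: The new `else { Ok(()) }` arm in `ee::extended_key_usage` accepts a certificate with no EKU extension for whatever usage the policy requires, and nothing in the function says this is deliberate. The rationale only appears at the call site in policy/mod.rs. A comment on the arm, e.g. `// No EKU extension: treated as unrestricted, matching common validator behaviour.`, would keep this fail-open path from reading as an oversight.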
@@ -320,7 +320,10 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // 5280 4.2.1.10: Name Constraints ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), // CA/B 7.1.2.7.10 Subscriber Certificate Extended Key Usage - ExtensionPolicy::present( + // NOTE: CABF requires EKUs in EE certs, but many validators + // treat the absence of an EKU as "any EKU," so we choose to be + // permissive. + ExtensionPolicy::maybe_present( EXTENDED_KEY_USAGE_OID, Criticality::NonCritical, Some(ee::extended_key_usage), diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 87da82e42ecf..ff61e0fd58b8 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -40,7 +40,7 @@ # We allow certificates with serial numbers of zero. This is # invalid under RFC 5280 but is widely violated by certs in common # trust stores. - "rfc5280::serial-number-zero", + "rfc5280::serial::zero", # We allow CAs that don't have AKIs, which is forbidden under # RFC 5280. This is consistent with what Go's crypto/x509 and Rust's # webpki crate do. From 1ed7c2b45a7c1dcd15c1afc4bb0917727ef9ede1 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 1 Dec 2023 15:30:16 +0100 Subject: [PATCH 131/155] validation: make EKU handling common This makes us handle EKU constraints in CAs, which the Web PKI stipulates. Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 46 +++++++++---------- .../src/policy/mod.rs | 20 ++++---- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index e76b4c2c99cc..298922506766 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs 
@@ -164,7 +164,7 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, ExtendedKeyUsage, Extension, SubjectAlternativeName}, + extensions::{BasicConstraints, Extension, SubjectAlternativeName}, }; use crate::{ @@ -219,26 +219,6 @@ pub(crate) mod ee { )), } } - - pub(crate) fn extended_key_usage( - policy: &Policy<'_, B>, - _cert: &Certificate<'_>, - extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { - if let Some(extn) = extn { - let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; - - // NOTE: Exact match for now because CABF says that EE certs - // MUST NOT contain anyExtendedKeyUsage. - if ekus.any(|eku| eku == policy.extended_key_usage) { - Ok(()) - } else { - Err(ValidationError::Other("required EKU not found".to_string())) - } - } else { - Ok(()) - } - } } pub(crate) mod ca { @@ -369,14 +349,12 @@ pub(crate) mod ca { Ok(()) } - - // TODO: Validate EKUs for non-root CAs as well. } pub(crate) mod common { use cryptography_x509::{ certificate::Certificate, - extensions::{Extension, SequenceOfAccessDescriptions}, + extensions::{ExtendedKeyUsage, Extension, SequenceOfAccessDescriptions}, }; use crate::{ @@ -397,6 +375,26 @@ pub(crate) mod common { Ok(()) } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // NOTE: Exact match for now because CABF says that EE certs + // MUST NOT contain anyExtendedKeyUsage. + if ekus.any(|eku| eku == policy.extended_key_usage) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } + } else { + Ok(()) + } + } } #[cfg(test)] diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index d509e5757807..6b8e7d63bb3a 100644 
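Review bot: The NOTE inside `common::extended_key_usage` was moved verbatim from the `ee` module and still justifies the exact match by what CABF says about EE certs, although per the commit message this validator now also runs on CA certificates. I would reword it so the CA behaviour is a stated decision, e.g. `// NOTE: Exact match for EE and CA certs alike; anyExtendedKeyUsage does not satisfy the policy EKU.` The `else { Ok(()) }` arm is where a missing EKU is accepted as "any EKU", and it deserves its own line at the decision point: `// No EKU extension: deliberately treated as unrestricted (see the ExtensionPolicy table).`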
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -262,6 +262,17 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Criticality::NonCritical, Some(common::authority_information_access), ), + // 5280 4.2.1.12: Extended Key Usage + // + // NOTE: CABF requires EKUs in all subscriber certs and in many + // non-root CA certs, but validators widely ignore this + // requirement and treat a missing EKU as "any EKU". + // We choose to be permissive here. + ExtensionPolicy::maybe_present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(common::extended_key_usage), + ), ]), ca_extension_policies: Vec::from([ // 5280 4.2.1.1: Authority Key Identifier @@ -319,15 +330,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), // 5280 4.2.1.10: Name Constraints ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), - // CA/B 7.1.2.7.10 Subscriber Certificate Extended Key Usage - // NOTE: CABF requires EKUs in EE certs, but many validators - // treat the absence of an EKU as "any EKU," so we choose to be - // permissive. - ExtensionPolicy::maybe_present( - EXTENDED_KEY_USAGE_OID, - Criticality::NonCritical, - Some(ee::extended_key_usage), - ), ]), } } From e4c33bb4cdefdf11067e9fb121f2881fc5dc36e7 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 1 Dec 2023 20:52:28 +0100 Subject: [PATCH 132/155] [WIP] validation: refactor name constraints handling Signed-off-by: William Woodruff tests: debugging assistance Signed-off-by: William Woodruff validation: only accumulate NC if applied Need to refactor this a bit, but it's functionally correct. Signed-off-by: William Woodruff validation: cleanup, docs Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 291 +++++++++--------- tests/x509/verification/test_limbo.py | 8 +- 2 files changed, 154 insertions(+), 145 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 10795f7d6492..0f6ba7d6cdfa 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -12,6 +12,7 @@ pub mod trust_store; pub mod types; use std::collections::HashSet; +use std::vec; use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; 
@@ -48,6 +49,117 @@ impl From for ValidationError { } } +#[derive(Default)] +struct AccumulatedNameConstraints<'a> { + sans: Vec>, + name_constraints: Vec>, +} + +impl<'a> AccumulatedNameConstraints<'a> { + fn accumulate_san(&mut self, extensions: &Extensions<'a>) -> Result<(), ValidationError> { + if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { + let sans: SubjectAlternativeName<'_> = sans.value()?; + self.sans.extend(sans); + } + + Ok(()) + } + + fn apply_inner( + &self, + constraint: &GeneralName<'a>, + san: &GeneralName<'_>, + ) -> Result { + match (constraint, san) { + (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { + match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (Some(_), None) => Err(ValidationError::Other(format!( + "unsatisfiable DNS name constraint: NC {} cannot match SAN {}", + pattern.0, name.0 + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed DNS name constraint: {}", + pattern.0 + ))), + } + } + (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { + match ( + IPConstraint::from_bytes(pattern), + IPAddress::from_bytes(name), + ) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (Some(_), None) => Err(ValidationError::Other(format!( + "unsatisfiable IP name constraint: NC {:?} cannot match SAN {:?}", + pattern, name, + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed IP name constraints: {:?}", + pattern + ))), + } + } + _ => Ok(Skipped), + } + } + + /// Apply the current name constraints (including those in the specified + /// extensions, if any) to the accumulated SAN set. + /// + /// On success (no constraint violations found), the new constraints + /// are additionally added to the name constraint set for future checks. 
+ fn apply_and_accumulate(&mut self, extensions: &Extensions<'a>) -> Result<(), ValidationError> { + let new_constraints = match extensions.get_extension(&NAME_CONSTRAINTS_OID) { + Some(nc) => Some(nc.value::>()?), + None => None, + }; + + for san in &self.sans { + // If there are no applicable constraints, the SAN is considered valid so the default is true. + let mut permit = true; + for nc in self.name_constraints.iter().chain(new_constraints.iter()) { + if let Some(permitted_subtrees) = &nc.permitted_subtrees { + for p in permitted_subtrees.unwrap_read().clone() { + let status = self.apply_inner(&p.base, san)?; + if status.is_applied() { + permit = status.is_match(); + if permit { + break; + } + } + } + } + + if !permit { + return Err(ValidationError::Other( + "no permitted name constraints matched SAN".into(), + )); + } + } + + for nc in self.name_constraints.iter().chain(new_constraints.iter()) { + if let Some(excluded_subtrees) = &nc.excluded_subtrees { + for e in excluded_subtrees.unwrap_read().clone() { + let status = self.apply_inner(&e.base, san)?; + if status.is_match() { + return Err(ValidationError::Other( + "excluded name constraint matched SAN".into(), + )); + } + } + } + } + } + + if let Some(new_constraints) = new_constraints { + self.name_constraints.push(new_constraints); + } + + Ok(()) + } +} + pub struct Intermediates<'a>(HashSet>); impl<'a> Intermediates<'a> { @@ -72,7 +184,6 @@ impl<'a> Intermediates<'a> { } pub type Chain<'c> = Vec>; -type PartialChainState<'c> = (Chain<'c>, Vec>); pub fn verify<'a, 'chain, B: CryptoOps>( leaf: &'a Certificate<'chain>, 
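Review bot: The catch-all `_ => Ok(Skipped)` in `apply_inner` covers two different cases: a constraint and a SAN of different name forms, which is a legitimate skip, and a pair of the same form that this code does not implement (anything other than DNS and IP). In the second case a permitted or excluded subtree is presumably never enforced, since `apply_and_accumulate` only reacts to applied or matching statuses. If failing closed is acceptable, a guard arm before the catch-all separates the two: `(c, s) if std::mem::discriminant(c) == std::mem::discriminant(s) => Err(ValidationError::Other("unsupported name constraint type".to_string())),`. Otherwise the limitation should at least be documented on `apply_inner`. Separately, every accumulated SAN is re-checked against every accumulated constraint on each call, so constraints collected nearer the leaf are also applied to SANs of certificates above them; that is stricter than RFC 5280 4.2.1.10 requires and worth a comment if intended.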
@@ -137,123 +248,43 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { .filter(|&candidate| candidate.subject() == cert.issuer()) } - fn build_name_constraints( - &self, - constraints: &mut Vec>, - extensions: &Extensions<'chain>, - ) -> Result<(), ValidationError> { - if let Some(nc) = extensions.get_extension(&NAME_CONSTRAINTS_OID) { - let nc: NameConstraints<'chain> = nc.value()?; - constraints.push(nc); - } - Ok(()) - } - - fn apply_name_constraint( - &self, - constraint: &GeneralName<'chain>, - san: &GeneralName<'_>, - ) -> Result { - match (constraint, san) { - (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { - match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { - (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (Some(_), None) => Err(ValidationError::Other(format!( - "unsatisfiable DNS name constraint: NC {} cannot match SAN {}", - pattern.0, name.0 - ))), - (None, _) => Err(ValidationError::Other(format!( - "malformed DNS name constraint: {}", - pattern.0 - ))), - } - } - (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { - match ( - IPConstraint::from_bytes(pattern), - IPAddress::from_bytes(name), - ) { - (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (Some(_), None) => Err(ValidationError::Other(format!( - "unsatisfiable IP name constraint: NC {:?} cannot match SAN {:?}", - pattern, name, - ))), - (None, _) => Err(ValidationError::Other(format!( - "malformed IP name constraints: {:?}", - pattern - ))), - } - } - _ => Ok(Skipped), - } - } - - fn apply_name_constraints( - &self, - constraints: &[NameConstraints<'chain>], - extensions: &Extensions<'chain>, - ) -> Result<(), ValidationError> { - if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { - let sans: SubjectAlternativeName<'_> = sans.value()?; - for san in sans { - // If there are no applicable constraints, the SAN is considered valid so the default is true. 
- let mut permit = true; - for nc in constraints { - if let Some(permitted_subtrees) = &nc.permitted_subtrees { - for p in permitted_subtrees.unwrap_read().clone() { - let status = self.apply_name_constraint(&p.base, &san)?; - if status.is_applied() { - permit = status.is_match(); - if permit { - break; - } - } - } - } - - if !permit { - return Err(ValidationError::Other( - "no permitted name constraints matched SAN".into(), - )); - } - } - - for nc in constraints { - if let Some(excluded_subtrees) = &nc.excluded_subtrees { - for e in excluded_subtrees.unwrap_read().clone() { - let status = self.apply_name_constraint(&e.base, &san)?; - if status.is_match() { - return Err(ValidationError::Other( - "excluded name constraint matched SAN".into(), - )); - } - } - } - } - } - } - Ok(()) - } - fn build_chain_inner( &self, working_cert: &'a Certificate<'chain>, current_depth: u8, is_leaf: bool, - extensions: &'a Extensions<'chain>, - ) -> Result, ValidationError> { + working_cert_extensions: &'a Extensions<'chain>, + accumulated_constraints: &'a mut AccumulatedNameConstraints<'chain>, + ) -> Result, ValidationError> { if current_depth > self.policy.max_chain_depth { return Err(ValidationError::Other( "chain construction exceeds max depth".into(), )); } + // Per RFC 5280: Name constraints are not applied + // to subjects in self-issued certificates, *unless* the + // certificate is the final certificate in the path. + // + // Naively we'd check `current_depth == 0` to determine + // if we're checking the final certificate, but this + // isn't sufficient: self-issued certificates don't + // increase the depth, so we pass in a special-purpose + // `is_leaf` state that's only true on the first chain + // building step. 
+ // + // See: RFC 5280 4.2.1.10 + let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; + if !skip_name_constraints { + accumulated_constraints.accumulate_san(working_cert_extensions)?; + } + + accumulated_constraints.apply_and_accumulate(working_cert_extensions)?; + // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. if self.store.contains(working_cert) { - let mut constraints = vec![]; - self.build_name_constraints(&mut constraints, extensions)?; - return Ok((vec![working_cert.clone()], constraints)); + return Ok(vec![working_cert.clone()]); } // Otherwise, we collect a list of potential issuers for this cert, @@ -276,41 +307,11 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { next_depth, false, &issuer_extensions, + accumulated_constraints, ) { - Ok((mut chain, mut constraints)) => { - // Per RFC 5280: Name constraints are not applied - // to self-issued certificates, *unless* the - // certificate is the final certificate in the path. - // - // Naively we'd check `current_depth == 0` to determine - // if we're checking the final certificate, but this - // isn't sufficient: self-issued certificates don't - // increase the depth, so we pass in a special-purpose - // `is_leaf` state that's only true on the first chain - // building step. - // - // See: RFC 5280 4.2.1.10 - let skip_name_constraints = - cert_is_self_issued(working_cert) && !is_leaf; - - let name_constraints_pass = match skip_name_constraints { - true => true, - false => { - match self.apply_name_constraints(&constraints, extensions) { - Ok(()) => true, - Err(e) => { - last_err = Some(e); - false - } - } - } - }; - - if name_constraints_pass { - chain.insert(0, working_cert.clone()); - self.build_name_constraints(&mut constraints, extensions)?; - return Ok((chain, constraints)); - } + Ok(mut chain) => { + chain.insert(0, working_cert.clone()); + return Ok(chain); } Err(e) => last_err = Some(e), }; 
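Review bot: `accumulated_constraints` is mutated at the top of `build_chain_inner` and then shared across every issuer candidate in the loop, but the `Err(e) => last_err = Some(e)` arm does not undo what a failed branch added. SANs and name constraints from a rejected candidate path therefore stay in the accumulator and are applied to the next candidate, so the result can depend on candidate order. Snapshotting before the recursive call and restoring on failure keeps branches independent: `let (n_sans, n_ncs) = (accumulated_constraints.sans.len(), accumulated_constraints.name_constraints.len());` before the call, then `accumulated_constraints.sans.truncate(n_sans); accumulated_constraints.name_constraints.truncate(n_ncs);` in the `Err` arm. The loop header and the rest of the function are outside these hunks.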
@@ -342,13 +343,19 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // // In the case that the leaf is an EE, this includes a check // against the EE cert's SANs. - let extensions = leaf.extensions()?; + let leaf_extensions = leaf.extensions()?; - self.policy.permits_leaf(leaf, &extensions)?; + self.policy.permits_leaf(leaf, &leaf_extensions)?; - let result = self.build_chain_inner(leaf, 0, true, &extensions); + let result = self.build_chain_inner( + leaf, + 0, + true, + &leaf_extensions, + &mut AccumulatedNameConstraints::default(), + ); match result { - Ok((chain, _)) => Ok(chain), + Ok(chain) => Ok(chain), Err(error) => Err(error), } } diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index ff61e0fd58b8..99adf922e8e8 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -67,8 +67,8 @@ def _get_limbo_peer(expected_peer): return x509.IPAddress(ipaddress.ip_address(value)) -def _limbo_testcase(testcase): - if testcase["id"] in LIMBO_SKIP_TESTCASES: +def _limbo_testcase(id_, testcase): + if id_ in LIMBO_SKIP_TESTCASES: return features = testcase["features"] @@ -131,4 +131,6 @@ def test_limbo(subtests, pytestconfig): testcases = limbo["testcases"] for testcase in testcases: with subtests.test(): - _limbo_testcase(testcase) + # NOTE: Pass in the id separately to make pytest + # error renderings slightly nicer. + _limbo_testcase(testcase["id"], testcase) From baaeeb286811509c94253d1535e419f00255b24d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 18 Dec 2023 14:54:01 -0500 Subject: [PATCH 133/155] src, tests: remove self-issued special-casing Self-issued intermediates are now counted for pathlen and max chain length purposes. This is nominally an RFC 5280 violation, but one that is widely performed by path validation implementations. 
Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 71 +++++++++---------- .../src/policy/mod.rs | 11 +-- tests/x509/verification/test_limbo.py | 6 ++ 3 files changed, 42 insertions(+), 46 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 0f6ba7d6cdfa..ff52a97d4c90 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -163,23 +163,8 @@ impl<'a> AccumulatedNameConstraints<'a> { pub struct Intermediates<'a>(HashSet>); impl<'a> Intermediates<'a> { - fn new( - intermediates: impl IntoIterator>, - policy: &Policy<'_, B>, - ) -> Result { - Ok(Self( - intermediates - .into_iter() - .map( - |intermediate| match cert_is_self_signed(&intermediate, &policy.ops) { - true => Err(ValidationError::Other( - "self-signed certificate cannot be an intermediate".to_string(), - )), - false => Ok(intermediate), - }, - ) - .collect::>()?, - )) + fn new(intermediates: impl IntoIterator>) -> Self { + Self(intermediates.into_iter().collect()) } } @@ -191,7 +176,7 @@ pub fn verify<'a, 'chain, B: CryptoOps>( policy: &Policy<'_, B>, store: &'a Store<'chain>, ) -> Result, ValidationError> { - let builder = ChainBuilder::new(Intermediates::new(intermediates, policy)?, policy, store); + let builder = ChainBuilder::new(Intermediates::new(intermediates), policy, store); builder.build_chain(leaf) } 
@@ -252,29 +237,15 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { &self, working_cert: &'a Certificate<'chain>, current_depth: u8, - is_leaf: bool, working_cert_extensions: &'a Extensions<'chain>, accumulated_constraints: &'a mut AccumulatedNameConstraints<'chain>, ) -> Result, ValidationError> { - if current_depth > self.policy.max_chain_depth { - return Err(ValidationError::Other( - "chain construction exceeds max depth".into(), - )); - } - // Per RFC 5280: Name constraints are not applied // to subjects in self-issued certificates, *unless* the // certificate is the final certificate in the path. // - // Naively we'd check `current_depth == 0` to determine - // if we're checking the final certificate, but this - // isn't sufficient: self-issued certificates don't - // increase the depth, so we pass in a special-purpose - // `is_leaf` state that's only true on the first chain - // building step. - // // See: RFC 5280 4.2.1.10 - let skip_name_constraints = cert_is_self_issued(working_cert) && !is_leaf; + let skip_name_constraints = cert_is_self_issued(working_cert) && current_depth != 0; if !skip_name_constraints { accumulated_constraints.accumulate_san(working_cert_extensions)?; } @@ -287,6 +258,15 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { return Ok(vec![working_cert.clone()]); } + // Check that our current depth does not exceed our policy-configured + // max depth. We do this after the root set check, since the depth + // only measures the intermediate chain's length, not the root or leaf. + if current_depth > self.policy.max_chain_depth { + return Err(ValidationError::Other( + "chain construction exceeds max depth".into(), + )); + } + // Otherwise, we collect a list of potential issuers for this cert, // and continue with the first that verifies. let mut last_err: Option = None; 
@@ -301,11 +281,29 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { current_depth, &issuer_extensions, ) { - Ok(next_depth) => { + Ok(_) => { match self.build_chain_inner( issuing_cert_candidate, - next_depth, - false, + // NOTE(ww): According to RFC 5280, we should only + // increase the chain depth when the certificate is **not** + // self-issued. In practice however, implementations widely + // ignore this requirement, and unconditionally increment + // the depth with every chain member. We choose to do the same; + // see `pathlen::self-issued-certs-pathlen` from x509-limbo + // for the testcase we intentionally fail. + // + // Implementation note for someone looking to change this in the future: + // care should be taken to avoid infinite recursion with self-signed + // certificates in the intermediate set; changing this behavior will + // also require a "is not self-signed" check on intermediate candidates. + // + // See https://gist.github.com/woodruffw/776153088e0df3fc2f0675c5e835f7b8 + // for an example of this change. + current_depth.checked_add(1).ok_or_else(|| { + ValidationError::Other( + "current depth calculation overflowed".to_string(), + ) + })?, &issuer_extensions, accumulated_constraints, ) { @@ -350,7 +348,6 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let result = self.build_chain_inner( leaf, 0, - true, &leaf_extensions, &mut AccumulatedNameConstraints::default(), ); diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 6b8e7d63bb3a..6bd0aeacad48 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
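Review bot: Incrementing the depth unconditionally bounds each branch by `max_chain_depth`, but the total work of the search is still unbounded. Every candidate whose subject matches is tried at every level, each try goes through `valid_issuer`, and this commit also drops the filter that kept self-signed certificates out of the caller-supplied intermediate set (the `Intermediates::new` hunk). I would thread a `budget: &mut usize` alongside `accumulated_constraints` and charge it once per candidate, e.g. `*budget = budget.checked_sub(1).ok_or_else(|| ValidationError::Other("path building budget exhausted".to_string()))?;`. The candidate loop itself starts outside this hunk.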
@@ -27,7 +27,6 @@ use cryptography_x509::oid::{ }; use self::extension::{ca, common, ee, Criticality, ExtensionPolicy}; -use crate::certificate::cert_is_self_issued; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress}; use crate::ValidationError; @@ -526,7 +525,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { child: &Certificate<'_>, current_depth: u8, issuer_extensions: &Extensions<'_>, - ) -> Result { + ) -> Result<(), ValidationError> { // The issuer needs to be a valid CA at the current depth. self.permits_ca(issuer, current_depth, issuer_extensions)?; @@ -562,13 +561,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { )); } - // Self-issued issuers don't increase the working depth. - match cert_is_self_issued(issuer) { - true => Ok(current_depth), - false => Ok(current_depth.checked_add(1).ok_or_else(|| { - ValidationError::Other("current depth calculation overflowed".to_string()) - })?), - } + Ok(()) } } diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 99adf922e8e8..24cc3bdf2f8d 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -37,6 +37,12 @@ } LIMBO_SKIP_TESTCASES = { + # We unconditionally count intermediate certificates for pathlen and max + # depth constraint purposes, even when self-issued. + # This is a violation of RFC 5280, but is consistent with Go's crypto/x509 + # and Rust's webpki crate do. + "pathlen::self-issued-certs-pathlen", + "pathlen::max-chain-depth-1-self-issued", # We allow certificates with serial numbers of zero. This is # invalid under RFC 5280 but is widely violated by certs in common # trust stores. From 6c886b5b8a824c04f0bafebac98b95bf1353444f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 18 Dec 2023 15:08:33 -0500 Subject: [PATCH 134/155] lintage 
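Review bot: `valid_issuer` now returns `Result<(), ValidationError>`, but its doc comment still says "On success, this function returns the new path-building depth". That text appears as context in the earlier doc hunk on this page, and the three hunks here account for all 11 changed lines the diffstat lists for this file, so the comment is not updated by this commit. I would replace that paragraph with `/// On success, this function returns `Ok(())`; the caller is responsible for advancing the path-building depth.` so readers do not look for a depth that is no longer returned.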
Signed-off-by: William Woodruff --- .../src/certificate.rs | 19 ++----------------- .../cryptography-x509-validation/src/lib.rs | 2 +- 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs index 4f2b4151b108..f04a1f670d13 100644 --- a/src/rust/cryptography-x509-validation/src/certificate.rs +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -6,35 +6,24 @@ use cryptography_x509::certificate::Certificate; -use crate::ops::CryptoOps; - pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { cert.issuer() == cert.subject() } -pub(crate) fn cert_is_self_signed(cert: &Certificate<'_>, ops: &B) -> bool { - match ops.public_key(cert) { - Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(), - Err(_) => false, - } -} - #[cfg(test)] mod tests { use crate::certificate::Certificate; - use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; - use super::{cert_is_self_issued, cert_is_self_signed}; + use super::cert_is_self_issued; #[test] fn test_certificate_v1() { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; assert!(!cert_is_self_issued(&cert)); - assert!(!cert_is_self_signed(&cert, &ops)); } fn ca_pem() -> pem::Pem { @@ -58,10 +47,8 @@ Xw4nMqk= fn test_certificate_ca() { let cert_pem = ca_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; assert!(cert_is_self_issued(&cert)); - assert!(cert_is_self_signed(&cert, &ops)); } struct PublicKeyErrorOps {} @@ -87,10 +74,8 @@ Xw4nMqk= fn test_certificate_public_key_error() { let cert_pem = ca_pem(); let cert = cert(&cert_pem); - let ops = PublicKeyErrorOps {}; assert!(cert_is_self_issued(&cert)); - assert!(!cert_is_self_signed(&cert, &ops)); } #[test] 
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index ff52a97d4c90..52dbc4d129e4 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -14,7 +14,7 @@ pub mod types; use std::collections::HashSet; use std::vec; -use crate::certificate::{cert_is_self_issued, cert_is_self_signed}; +use crate::certificate::cert_is_self_issued; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; From a167fd2ffea4998b3c64b705302eeb1fddf01fca Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 18 Dec 2023 19:17:13 -0500 Subject: [PATCH 135/155] validation: remove NullOps Easier to reuse PublicKeyErrorOps, since we're not relying on its APIs. Signed-off-by: William Woodruff --- .../src/certificate.rs | 4 ++-- .../cryptography-x509-validation/src/ops.rs | 20 ------------------- .../src/policy/extension.rs | 13 ++++++------ 3 files changed, 9 insertions(+), 28 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs index f04a1f670d13..335312ccd265 100644 --- a/src/rust/cryptography-x509-validation/src/certificate.rs +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -11,7 +11,7 @@ pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { } #[cfg(test)] -mod tests { +pub(crate) mod tests { use crate::certificate::Certificate; use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; @@ -51,7 +51,7 @@ Xw4nMqk= assert!(cert_is_self_issued(&cert)); } - struct PublicKeyErrorOps {} + pub(crate) struct PublicKeyErrorOps {} impl CryptoOps for PublicKeyErrorOps { type Key = (); type Err = (); 
diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 57528005c60a..719d9aa04617 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -25,26 +25,6 @@ pub trait CryptoOps { pub(crate) mod tests { use cryptography_x509::certificate::Certificate; - use super::CryptoOps; - - pub(crate) struct NullOps {} - impl CryptoOps for NullOps { - type Key = (); - type Err = (); - - fn public_key(&self, _cert: &Certificate<'_>) -> Result { - Ok(()) - } - - fn verify_signed_by( - &self, - _cert: &Certificate<'_>, - _key: Self::Key, - ) -> Result<(), Self::Err> { - Ok(()) - } - } - pub(crate) fn v1_cert_pem() -> pem::Pem { pem::parse( " diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 298922506766..0287dcaa3196 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -400,7 +400,8 @@ pub(crate) mod common { #[cfg(test)] mod tests { use super::{Criticality, ExtensionPolicy}; - use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::certificate::tests::PublicKeyErrorOps; + use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; use crate::policy::{Policy, Subject, ValidationError}; use crate::types::DNSName; @@ -462,7 +463,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), 
@@ -511,7 +512,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -552,7 +553,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -589,7 +590,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -622,7 +623,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), From 9926b98abb60d6b5a3feaa866899c3f9d26c5947 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 18 Dec 2023 20:17:57 -0500 Subject: [PATCH 136/155] validation: feedback Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 33 ++++++++----------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 52dbc4d129e4..5217656e72e9 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -75,8 +75,8 @@ impl<'a> AccumulatedNameConstraints<'a> { match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), (Some(_), None) => Err(ValidationError::Other(format!( - "unsatisfiable DNS name constraint: NC {} cannot match SAN {}", - pattern.0, name.0 + "unsatisfiable DNS name constraint: malformed SAN {}", + name.0 ))), (None, _) => Err(ValidationError::Other(format!( "malformed DNS name constraint: {}", @@ -91,8 +91,8 @@ impl<'a> AccumulatedNameConstraints<'a> { ) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), (Some(_), None) => Err(ValidationError::Other(format!( - "unsatisfiable IP name constraint: NC {:?} cannot match SAN {:?}", - pattern, name, + "unsatisfiable IP name constraint: malformed SAN {:?}", + name, ))), (None, _) => Err(ValidationError::Other(format!( "malformed IP name constraints: {:?}", @@ -109,7 +109,10 @@ impl<'a> AccumulatedNameConstraints<'a> { /// /// On success (no constraint violations found), the new constraints /// are additionally added to the name constraint set for future checks. - fn apply_and_accumulate(&mut self, extensions: &Extensions<'a>) -> Result<(), ValidationError> { + fn apply_and_accumulate_name_constraints( + &mut self, + extensions: &Extensions<'a>, + ) -> Result<(), ValidationError> { let new_constraints = match extensions.get_extension(&NAME_CONSTRAINTS_OID) { Some(nc) => Some(nc.value::>()?), None => None, @@ -160,14 +163,6 @@ impl<'a> AccumulatedNameConstraints<'a> { } } -pub struct Intermediates<'a>(HashSet>); - -impl<'a> Intermediates<'a> { - fn new(intermediates: impl IntoIterator>) -> Self { - Self(intermediates.into_iter().collect()) - } -} - pub type Chain<'c> = Vec>; pub fn verify<'a, 'chain, B: CryptoOps>( 
@@ -176,13 +171,13 @@ pub fn verify<'a, 'chain, B: CryptoOps>( policy: &Policy<'_, B>, store: &'a Store<'chain>, ) -> Result, ValidationError> { - let builder = ChainBuilder::new(Intermediates::new(intermediates), policy, store); + let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); builder.build_chain(leaf) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: Intermediates<'chain>, + intermediates: HashSet>, policy: &'a Policy<'a, B>, store: &'a Store<'chain>, } @@ -208,7 +203,7 @@ impl ApplyNameConstraintStatus { impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: Intermediates<'chain>, + intermediates: HashSet>, policy: &'a Policy<'a, B>, store: &'a Store<'chain>, ) -> Self { @@ -229,7 +224,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // * Search by AKI and other identifiers? self.store .iter() - .chain(self.intermediates.0.iter()) + .chain(self.intermediates.iter()) .filter(|&candidate| candidate.subject() == cert.issuer()) } @@ -242,7 +237,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ) -> Result, ValidationError> { // Per RFC 5280: Name constraints are not applied // to subjects in self-issued certificates, *unless* the - // certificate is the final certificate in the path. + // certificate is the final (i.e., leaf) certificate in the path. // // See: RFC 5280 4.2.1.10 let skip_name_constraints = cert_is_self_issued(working_cert) && current_depth != 0; @@ -250,7 +245,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { accumulated_constraints.accumulate_san(working_cert_extensions)?; } - accumulated_constraints.apply_and_accumulate(working_cert_extensions)?; + accumulated_constraints.apply_and_accumulate_name_constraints(working_cert_extensions)?; // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. From d4a876f94cdf2fb03b98eb50b618a194038b1f55 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Mon, 18 Dec 2023 20:21:04 -0500 Subject: [PATCH 137/155] validation: remove unnecessary second loop Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 5217656e72e9..de1a6c197509 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -139,9 +139,7 @@ impl<'a> AccumulatedNameConstraints<'a> { "no permitted name constraints matched SAN".into(), )); } - } - for nc in self.name_constraints.iter().chain(new_constraints.iter()) { if let Some(excluded_subtrees) = &nc.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { let status = self.apply_inner(&e.base, san)?; From 474a92581a07408d4d5be8131b4da1e302b72c2f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 14:21:20 -0500 Subject: [PATCH 138/155] tests/limbo: fixup schema assertions Signed-off-by: William Woodruff --- tests/x509/verification/test_limbo.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 24cc3bdf2f8d..92fe96cb3d3b 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py 
@@ -78,16 +78,14 @@ def _limbo_testcase(id_, testcase): return features = testcase["features"] - if features is not None and LIMBO_UNSUPPORTED_FEATURES.intersection( - features - ): + if LIMBO_UNSUPPORTED_FEATURES.intersection(features): return assert testcase["validation_kind"] == "SERVER" - assert testcase["signature_algorithms"] is None - assert testcase["extended_key_usage"] is None or testcase[ + assert testcase["signature_algorithms"] == [] + assert testcase["extended_key_usage"] == [] or testcase[ "extended_key_usage" ] == ["serverAuth"] - assert testcase["expected_peer_names"] is None + assert testcase["expected_peer_names"] == [] trusted_certs = [ load_pem_x509_certificate(cert.encode()) From 815257805c77e229721cb3fe85600e9cccffa04c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 14:21:32 -0500 Subject: [PATCH 139/155] validation: remove no-op match Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index de1a6c197509..4fcecb2d878f 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -338,15 +338,11 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { self.policy.permits_leaf(leaf, &leaf_extensions)?; - let result = self.build_chain_inner( + self.build_chain_inner( leaf, 0, &leaf_extensions, &mut AccumulatedNameConstraints::default(), - ); - match result { - Ok(chain) => Ok(chain), - Err(error) => Err(error), - } + ) } } From 52448846d177d4580a1c5d771f9de639d421bc3e Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Wed, 20 Dec 2023 16:29:40 -0500 Subject: [PATCH 140/155] Update src/rust/cryptography-x509-validation/src/policy/mod.rs Co-authored-by: Alex Gaynor --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 6bd0aeacad48..ece8fe66fa79 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -476,7 +476,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { if bc .path_length - .map_or(false, |len| current_depth as u64 > len) + .map_or(false, |len| current_depth.into() > len) { return Err(ValidationError::Other( "path length constraint violated".to_string(), From be840308b8e44a4252a224dbeef01931899b33fd Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 16:39:04 -0500 Subject: [PATCH 141/155] policy: u64::from Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index ece8fe66fa79..5d299e0d6eec 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -476,7 +476,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { if bc .path_length - .map_or(false, |len| current_depth.into() > len) + .map_or(false, |len| u64::from(current_depth) > len) { return Err(ValidationError::Other( "path length constraint violated".to_string(), From 27b2b0d344e84b80a8c708785426c0c3b032fbfc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 16:41:58 -0500 Subject: [PATCH 142/155] test_limbo: assert that intermediates come from untrusted_intermediates 
Signed-off-by: William Woodruff --- tests/x509/verification/test_limbo.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 92fe96cb3d3b..fc4922bd9638 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -121,6 +121,8 @@ def _limbo_testcase(id_, testcase): # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate + for intermediate in built_chain[1:-1]: + assert intermediate in untrusted_intermediates assert built_chain[-1] in trusted_certs else: with pytest.raises(VerificationError): From 0220e9395ea83c9d6460c6da5627b0a23101f8b5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 16:45:18 -0500 Subject: [PATCH 143/155] validation: simplify match exprs Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 4fcecb2d878f..1309255408bf 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -74,7 +74,7 @@ impl<'a> AccumulatedNameConstraints<'a> { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (Some(_), None) => Err(ValidationError::Other(format!( + (_, None) => Err(ValidationError::Other(format!( "unsatisfiable DNS name constraint: malformed SAN {}", name.0 ))), 
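Review bot: Widening `(Some(_), None)` to `(_, None)` in the DNS arm is not a pure simplification, because the `(None, None)` case used to fall through to `(None, _)` and report a malformed constraint and now reports a malformed SAN. The two arms overlap after this change, so their order has become significant. Both outcomes are still errors, so validation stays fail-closed, but the reported cause differs. A one-line comment above the arm would record that, e.g. `// NOTE: checked before (None, _): a malformed SAN wins when both sides fail to parse.` The same applies to the IP arm in the following hunk (@@ -90,7 +90,7 @@).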
@@ -90,7 +90,7 @@ impl<'a> AccumulatedNameConstraints<'a> { IPAddress::from_bytes(name), ) { (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), - (Some(_), None) => Err(ValidationError::Other(format!( + (_, None) => Err(ValidationError::Other(format!( "unsatisfiable IP name constraint: malformed SAN {:?}", name, ))), From 35de5fdc415786db6d5fbd7f76bdec95a36c2961 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Dec 2023 16:46:18 -0500 Subject: [PATCH 144/155] lib: apply_inner -> apply_single_constraint Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 1309255408bf..47df17d46fa0 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -65,7 +65,7 @@ impl<'a> AccumulatedNameConstraints<'a> { Ok(()) } - fn apply_inner( + fn apply_single_constraint( &self, constraint: &GeneralName<'a>, san: &GeneralName<'_>, @@ -124,7 +124,7 @@ impl<'a> AccumulatedNameConstraints<'a> { for nc in self.name_constraints.iter().chain(new_constraints.iter()) { if let Some(permitted_subtrees) = &nc.permitted_subtrees { for p in permitted_subtrees.unwrap_read().clone() { - let status = self.apply_inner(&p.base, san)?; + let status = self.apply_single_constraint(&p.base, san)?; if status.is_applied() { permit = status.is_match(); if permit { @@ -142,7 +142,7 @@ impl<'a> AccumulatedNameConstraints<'a> { if let Some(excluded_subtrees) = &nc.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { - let status = self.apply_inner(&e.base, san)?; + let status = self.apply_single_constraint(&e.base, san)?; if status.is_match() { return Err(ValidationError::Other( "excluded name constraint matched SAN".into(), From 07f2445f3c4e2d88d0aa1d2b8222401306ab8bce Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Wed, 20 Dec 2023 17:00:36 -0500 Subject: [PATCH 145/155] test_limbo: open limbo.json in binary mode Unclear why this suddenly broke on Windows. Signed-off-by: William Woodruff --- tests/x509/verification/test_limbo.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index fc4922bd9638..30cf54e03d25 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -132,7 +132,7 @@ def _limbo_testcase(id_, testcase): def test_limbo(subtests, pytestconfig): limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True) limbo_path = os.path.join(limbo_root, "limbo.json") - with open(limbo_path) as limbo_file: + with open(limbo_path, mode="rb") as limbo_file: limbo = json.load(limbo_file) testcases = limbo["testcases"] for testcase in testcases: From d5b8a456979abb8b0168f4e13ba83cb816bc1239 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 13:47:21 -0500 Subject: [PATCH 146/155] validation: simplify, fix NC validation Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 124 +++++++++--------- 1 file changed, 60 insertions(+), 64 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 47df17d46fa0..901c898b125e 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs 
@@ -50,25 +50,32 @@ impl From for ValidationError { } #[derive(Default)] -struct AccumulatedNameConstraints<'a> { - sans: Vec>, - name_constraints: Vec>, +struct NameChain<'a, 'chain> { + child: Option<&'a NameChain<'a, 'chain>>, + sans: Vec>, } -impl<'a> AccumulatedNameConstraints<'a> { - fn accumulate_san(&mut self, extensions: &Extensions<'a>) -> Result<(), ValidationError> { - if let Some(sans) = extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { - let sans: SubjectAlternativeName<'_> = sans.value()?; - self.sans.extend(sans); - } +impl<'a, 'chain> NameChain<'a, 'chain> { + fn new( + child: Option<&'a NameChain<'a, 'chain>>, + extensions: &Extensions<'chain>, + self_issued_intermediate: bool, + ) -> Result { + let sans = match ( + self_issued_intermediate, + extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID), + ) { + (false, Some(sans)) => sans.value::>()?.collect(), + _ => vec![], + }; - Ok(()) + Ok(Self { child, sans }) } - fn apply_single_constraint( + fn evaluate_single_constraint( &self, - constraint: &GeneralName<'a>, - san: &GeneralName<'_>, + constraint: &GeneralName<'chain>, + san: &GeneralName<'chain>, ) -> Result { match (constraint, san) { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { 
@@ -104,59 +111,47 @@ impl<'a> AccumulatedNameConstraints<'a> { } } - /// Apply the current name constraints (including those in the specified - /// extensions, if any) to the accumulated SAN set. - /// - /// On success (no constraint violations found), the new constraints - /// are additionally added to the name constraint set for future checks. - fn apply_and_accumulate_name_constraints( - &mut self, - extensions: &Extensions<'a>, + fn evaluate_constraints( + &self, + constraints: &NameConstraints<'chain>, ) -> Result<(), ValidationError> { - let new_constraints = match extensions.get_extension(&NAME_CONSTRAINTS_OID) { - Some(nc) => Some(nc.value::>()?), - None => None, - }; + if let Some(child) = self.child { + child.evaluate_constraints(constraints)?; + } for san in &self.sans { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; - for nc in self.name_constraints.iter().chain(new_constraints.iter()) { - if let Some(permitted_subtrees) = &nc.permitted_subtrees { - for p in permitted_subtrees.unwrap_read().clone() { - let status = self.apply_single_constraint(&p.base, san)?; - if status.is_applied() { - permit = status.is_match(); - if permit { - break; - } + if let Some(permitted_subtrees) = &constraints.permitted_subtrees { + for p in permitted_subtrees.unwrap_read().clone() { + let status = self.evaluate_single_constraint(&p.base, san)?; + if status.is_applied() { + permit = status.is_match(); + if permit { + break; } } } + } - if !permit { - return Err(ValidationError::Other( - "no permitted name constraints matched SAN".into(), - )); - } + if !permit { + return Err(ValidationError::Other( + "no permitted name constraints matched SAN".into(), + )); + } - if let Some(excluded_subtrees) = &nc.excluded_subtrees { - for e in excluded_subtrees.unwrap_read().clone() { - let status = self.apply_single_constraint(&e.base, san)?; - if status.is_match() { - return Err(ValidationError::Other( - "excluded 
name constraint matched SAN".into(), - )); - } + if let Some(excluded_subtrees) = &constraints.excluded_subtrees { + for e in excluded_subtrees.unwrap_read().clone() { + let status = self.evaluate_single_constraint(&e.base, san)?; + if status.is_match() { + return Err(ValidationError::Other( + "excluded name constraint matched SAN".into(), + )); } } } } - if let Some(new_constraints) = new_constraints { - self.name_constraints.push(new_constraints); - } - Ok(()) } } @@ -231,20 +226,12 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { working_cert: &'a Certificate<'chain>, current_depth: u8, working_cert_extensions: &'a Extensions<'chain>, - accumulated_constraints: &'a mut AccumulatedNameConstraints<'chain>, + name_chain: NameChain<'a, 'chain>, ) -> Result, ValidationError> { - // Per RFC 5280: Name constraints are not applied - // to subjects in self-issued certificates, *unless* the - // certificate is the final (i.e., leaf) certificate in the path. - // - // See: RFC 5280 4.2.1.10 - let skip_name_constraints = cert_is_self_issued(working_cert) && current_depth != 0; - if !skip_name_constraints { - accumulated_constraints.accumulate_san(working_cert_extensions)?; + if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { + name_chain.evaluate_constraints(&nc.value()?)?; } - accumulated_constraints.apply_and_accumulate_name_constraints(working_cert_extensions)?; - // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. if self.store.contains(working_cert) { 
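Review bot: `evaluate_constraints` performs an unbounded amount of work: at every `NameChain` level it compares each SAN against each permitted and excluded subtree, and `build_chain_inner` calls it for every working certificate that carries a NameConstraints extension. SAN lists and subtrees both come from the certificates being validated, so a chain with long lists on both sides costs roughly SANs × subtrees comparisons per constrained certificate, with nothing here capping it. I would thread a shared comparison budget through the recursion and return a `ValidationError` once it is spent. The doc comment removed in this hunk is not replaced, so the function should at least state the cost, e.g. `/// Cost is O(SANs in chain × subtrees); both inputs are untrusted.`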
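Review bot: The constraints of `working_cert` are evaluated against `name_chain`, and the caller-side hunk (@@ -298,7 +285,16 @@) builds that chain from the issuer candidate's own extensions, so a non-self-issued CA's name constraints appear to be applied to that CA's own SANs as well as to the certificates below it. RFC 5280 4.2.1.10 scopes name constraints to subsequent certificates in the path, so this is stricter than the RFC. It fails closed, but it would reject a CA whose own SAN lies outside its permitted subtrees. If that is intended, say so at the check: `// NOTE: name_chain includes working_cert's own SANs, so its constraints also apply to itself (stricter than RFC 5280).` `build_chain_inner` continues outside this hunk.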
@@ -298,7 +285,16 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ) })?, &issuer_extensions, - accumulated_constraints, + NameChain::new( + Some(&name_chain), + &issuer_extensions, + // Per RFC 5280 4.2.1.10: Name constraints are not applied + // to subjects in self-issued certificates, *unless* the + // certificate is the "final" (i.e., leaf) certificate in the path. + // We accomplish this by only collecting the SANs when the issuing + // candidate (which is a non-leaf by definition) isn't self-issued. + cert_is_self_issued(issuing_cert_candidate), + )?, ) { Ok(mut chain) => { chain.insert(0, working_cert.clone()); @@ -342,7 +338,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { leaf, 0, &leaf_extensions, - &mut AccumulatedNameConstraints::default(), + NameChain::new(None, &leaf_extensions, false)?, ) } } From c52b59761c1ccb6538f9e83d810145870d411f7b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 14:26:20 -0500 Subject: [PATCH 147/155] lib: remove unused default derive Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/lib.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 901c898b125e..ea1f6430ac80 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -49,7 +49,6 @@ impl From for ValidationError { } } -#[derive(Default)] struct NameChain<'a, 'chain> { child: Option<&'a NameChain<'a, 'chain>>, sans: Vec>, From 6e7379a20f8df044f10b6c48d72b34ec17fbb7b3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 14:48:45 -0500 Subject: [PATCH 148/155] policy: add NOTE, relax EKU check Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/policy/extension.rs | 7 ++++--- src/rust/cryptography-x509-validation/src/policy/mod.rs | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 0287dcaa3196..216423cc6381 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -355,6 +355,7 @@ pub(crate) mod common { use cryptography_x509::{ certificate::Certificate, extensions::{ExtendedKeyUsage, Extension, SequenceOfAccessDescriptions}, + oid::EKU_ANY_KEY_USAGE_OID, }; use crate::{ @@ -384,9 +385,9 @@ pub(crate) mod common { if let Some(extn) = extn { let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; - // NOTE: Exact match for now because CABF says that EE certs - // MUST NOT contain anyExtendedKeyUsage. - if ekus.any(|eku| eku == policy.extended_key_usage) { + // NOTE: CABF explicitly forbids anyEKU in all EEs and most CA certs, + // but this is widely (universally?) ignored by other implementations. + if ekus.any(|eku| eku == policy.extended_key_usage || eku == EKU_ANY_KEY_USAGE_OID) { Ok(()) } else { Err(ValidationError::Other("required EKU not found".to_string())) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 5d299e0d6eec..585f155efcea 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -571,6 +571,8 @@ fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> { // NOTE: The inverse check on `asn1::UtcTime` is already done for us // by the variant's constructor. if let Time::GeneralizedTime(_) = validity_date { + // NOTE: This is technically wrong for certificates issued before 1950, + // but this does not matter in practice. if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { return Err(ValidationError::Other( "validity dates before generalized date cutoff must be UtcTime".to_string(), 
From 7830bade4556e85812fe9cb505b88d9d1014ded8 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 15:07:47 -0500 Subject: [PATCH 149/155] validation: move SAN matching to permits_leaf Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 13 ++++--------- .../src/policy/mod.rs | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 216423cc6381..2b3e32913be1 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -164,7 +164,7 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, Extension, SubjectAlternativeName}, + extensions::{BasicConstraints, Extension}, }; use crate::{ @@ -191,7 +191,7 @@ pub(crate) mod ee { } pub(crate) fn subject_alternative_name( - policy: &Policy<'_, B>, + _policy: &Policy<'_, B>, cert: &Certificate<'_>, extn: &Extension<'_>, ) -> Result<(), ValidationError> { @@ -211,13 +211,8 @@ pub(crate) mod ee { _ => (), }; - let san: SubjectAlternativeName<'_> = extn.value()?; - match policy.subject.matches(&san) { - true => Ok(()), - false => Err(ValidationError::Other( - "EE cert has no matching SAN".to_string(), - )), - } + // NOTE: SAN matching is performed in `Policy::permits_leaf`. + Ok(()) } } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 585f155efcea..c50174e518f0 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -438,6 +438,24 @@ impl<'a, B: CryptoOps> Policy<'a, B> { leaf: &Certificate<'_>, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { + // Regardless of whether it's a CA or an EE, we expect our leaf certificate to have a + // SAN for matching against the policy. + match extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { + Some(san) => { + let san: SubjectAlternativeName<'_> = san.value()?; + if !self.subject.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); + } + } + None => { + return Err(ValidationError::Other( + "leaf certificate has no subjectAltName".into(), + )) + } + } + // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. // Code like this will propagate irrelevant error messages out of the API. if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { From e16a347d68644332a27a82389e03f21f2f4504be Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 16:15:42 -0500 Subject: [PATCH 150/155] break apart EKU handling by EE/CA Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 73 +++++++++++++------ .../src/policy/mod.rs | 29 +++++--- tests/x509/verification/test_limbo.py | 4 + 3 files changed, 70 insertions(+), 36 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 2b3e32913be1..03cab03e1255 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -164,7 +164,7 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, Extension}, + extensions::{BasicConstraints, ExtendedKeyUsage, Extension}, }; use crate::{ 
@@ -214,14 +214,40 @@ pub(crate) mod ee { // NOTE: SAN matching is performed in `Policy::permits_leaf`. Ok(()) } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // CABF requires EKUs in EE certs, but this is widely ignored + // by implementations (which treat a missing EKU as "any EKU"). + // On the other hand, if the EKU is present, it **must** be + // the one specified in the policy (e.g., `serverAuth`) and + // **must not** be the explicit `anyExtendedKeyUsage` EKU. + // See: CABF 7.1.2.7.10. + if ekus.any(|eku| eku == policy.extended_key_usage) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } + } else { + Ok(()) + } + } } pub(crate) mod ca { use cryptography_x509::{ certificate::Certificate, extensions::{ - AuthorityKeyIdentifier, BasicConstraints, Extension, KeyUsage, NameConstraints, + AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, + NameConstraints, }, + oid::EKU_ANY_KEY_USAGE_OID, }; use crate::{ 
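Review bot: The comment in `ee::extended_key_usage` says a present EKU "must not" be anyExtendedKeyUsage, but the predicate `ekus.any(|eku| eku == policy.extended_key_usage)` only requires the policy EKU to be present. A list that contains both the policy EKU and anyExtendedKeyUsage is therefore accepted; what the code enforces is that anyExtendedKeyUsage alone does not satisfy the policy. Either reword the comment to match, e.g. `// anyExtendedKeyUsage alone does not satisfy the policy; it is not rejected when listed next to the policy EKU.`, or add an explicit rejection if CABF 7.1.2.7.10 is meant to be enforced. The missing-EKU branch returning `Ok(())` is described as deliberate and deserves a test of its own so it cannot change silently.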
@@ -344,13 +370,32 @@ pub(crate) mod ca { Ok(()) } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // NOTE: CABF explicitly forbids anyEKU in and most CA certs, + // but this is widely (universally?) ignored by other implementations. + if ekus.any(|eku| eku == policy.extended_key_usage || eku == EKU_ANY_KEY_USAGE_OID) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } + } else { + Ok(()) + } + } } pub(crate) mod common { use cryptography_x509::{ certificate::Certificate, - extensions::{ExtendedKeyUsage, Extension, SequenceOfAccessDescriptions}, - oid::EKU_ANY_KEY_USAGE_OID, + extensions::{Extension, SequenceOfAccessDescriptions}, }; use crate::{ @@ -371,26 +416,6 @@ pub(crate) mod common { Ok(()) } - - pub(crate) fn extended_key_usage( - policy: &Policy<'_, B>, - _cert: &Certificate<'_>, - extn: Option<&Extension<'_>>, - ) -> Result<(), ValidationError> { - if let Some(extn) = extn { - let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; - - // NOTE: CABF explicitly forbids anyEKU in all EEs and most CA certs, - // but this is widely (universally?) ignored by other implementations. - if ekus.any(|eku| eku == policy.extended_key_usage || eku == EKU_ANY_KEY_USAGE_OID) { - Ok(()) - } else { - Err(ValidationError::Other("required EKU not found".to_string())) - } - } else { - Ok(()) - } - } } #[cfg(test)] diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index c50174e518f0..4fedc6a335b4 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
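Review bot: The NOTE in `ca::extended_key_usage` was trimmed from the shared version and now reads "forbids anyEKU in and most CA certs"; it should read `// NOTE: CABF explicitly forbids anyEKU in most CA certs,`. The function is otherwise a copy of `ee::extended_key_usage` with one extra alternative in the predicate. A doc comment stating that difference would keep the two from drifting, e.g. `/// Like ee::extended_key_usage, but a CA may also satisfy the policy with anyExtendedKeyUsage.` Since this is the only place where anyExtendedKeyUsage is accepted, the decision is worth recording on the function rather than only in an inline note.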
@@ -261,17 +261,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Criticality::NonCritical, Some(common::authority_information_access), ), - // 5280 4.2.1.12: Extended Key Usage - // - // NOTE: CABF requires EKUs in all subscriber certs and in many - // non-root CA certs, but validators widely ignore this - // requirement and treat a missing EKU as "any EKU". - // We choose to be permissive here. - ExtensionPolicy::maybe_present( - EXTENDED_KEY_USAGE_OID, - Criticality::NonCritical, - Some(common::extended_key_usage), - ), ]), ca_extension_policies: Vec::from([ // 5280 4.2.1.1: Authority Key Identifier @@ -303,8 +292,17 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Criticality::Agnostic, Some(ca::name_constraints), ), - // 5280 4.2.1.10: Policy Constraints + // 5280 4.2.1.11: Policy Constraints ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), + // 5280: 4.2.1.12: Extended Key Usage + // NOTE: CABF requires EKUs in many non-root CA certs, but validators widely + // ignore this requirement and treat a missing EKU as "any EKU". + // We choose to be permissive here. + ExtensionPolicy::maybe_present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(ca::extended_key_usage), + ), ]), ee_extension_policies: Vec::from([ // 5280 4.2.1.1.: Authority Key Identifier @@ -329,6 +327,13 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ), // 5280 4.2.1.10: Name Constraints ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), + // CA/B: 7.1.2.7.10: Subscriber Certificate Extended Key Usage + // NOTE: CABF requires EKUs in EE certs, while RFC 5280 does not. + ExtensionPolicy::maybe_present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(ee::extended_key_usage), + ), ]), } } diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 30cf54e03d25..db9427e551e9 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py 
@@ -60,6 +60,10 @@ # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. "webpki::aki::root-with-aki-ski-mismatch", + # We allow CAs in the leaf position, which are explicitly forbidden by + # CABF but allowed under RFC 5280. This is consistent with Go's + # crypto/x509 and OpenSSL, but inconsistent with rustls and webpki. + "webpki::ca-as-leaf", } From 1e001992d26890c936d6bf50b739626087307f85 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 17:31:38 -0500 Subject: [PATCH 151/155] validation: reorder permits_leaf for coverage Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 4fedc6a335b4..11b687be9307 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -443,6 +443,22 @@ impl<'a, B: CryptoOps> Policy<'a, B> { leaf: &Certificate<'_>, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { + // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. + // Code like this will propagate irrelevant error messages out of the API. + match extensions.get_extension(&KEY_USAGE_OID) { + Some(key_usage) => { + let key_usage: KeyUsage<'_> = key_usage.value()?; + if key_usage.key_cert_sign() { + self.permits_ca(leaf, 0, extensions)?; + } else { + self.permits_ee(leaf, extensions)?; + } + } + // No keyUsage extension implies an EE cert, since CA certs have + // keyUsage as a matter of policy. + None => self.permits_ee(leaf, extensions)?, + }; + // Regardless of whether it's a CA or an EE, we expect our leaf certificate to have a // SAN for matching against the policy. match extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { 
@@ -461,15 +477,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } - // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. - // Code like this will propagate irrelevant error messages out of the API. - if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { - let key_usage: KeyUsage<'_> = key_usage.value()?; - if key_usage.key_cert_sign() { - return self.permits_ca(leaf, 0, extensions); - } - } - self.permits_ee(leaf, extensions) + Ok(()) } /// Checks whether the given CA certificate is compatible with this policy. From fee2aa3605943085805e8e3a57fa73473b5d8250 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 18:13:16 -0500 Subject: [PATCH 152/155] src, tests: remove CA-in-leaf-position support Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 20 ++++++++++- .../src/policy/mod.rs | 35 +++++++------------ tests/x509/verification/test_limbo.py | 9 ++--- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 03cab03e1255..f9ff164ce189 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -164,7 +164,7 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, ExtendedKeyUsage, Extension}, + extensions::{BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage}, }; use crate::{ 
@@ -238,6 +238,24 @@ pub(crate) mod ee { Ok(()) } } + + pub(crate) fn key_usage( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let key_usage: KeyUsage<'_> = extn.value()?; + + if key_usage.key_cert_sign() { + return Err(ValidationError::Other( + "EE keyUsage must not assert keyCertSign".to_string(), + )); + } + } + + Ok(()) + } } pub(crate) mod ca { diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 11b687be9307..dd484f8fc3f8 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -15,9 +15,7 @@ use cryptography_x509::common::{ PSS_SHA256_HASH_ALG, PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; -use cryptography_x509::extensions::{ - BasicConstraints, Extensions, KeyUsage, SubjectAlternativeName, -}; +use cryptography_x509::extensions::{BasicConstraints, Extensions, SubjectAlternativeName}; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, @@ -312,7 +310,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { None, ), // 5280 4.2.1.3: Key Usage - ExtensionPolicy::maybe_present(KEY_USAGE_OID, Criticality::Agnostic, None), + ExtensionPolicy::maybe_present( + KEY_USAGE_OID, + Criticality::Agnostic, + Some(ee::key_usage), + ), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name ExtensionPolicy::present( SUBJECT_ALTERNATIVE_NAME_OID, 
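Review bot: The new validator `ee::key_usage` has no doc comment, and its contract is narrower than the name suggests: it returns `Ok(())` when the extension is absent and rejects only `key_cert_sign()`. Because this commit makes the leaf position EE-only, a CA certificate that omits keyUsage is not stopped here and has to be rejected by another EE validator, presumably the basicConstraints one in the same module, which this hunk does not show. I would document that directly on the function, e.g. `/// Rejects an EE whose keyUsage asserts keyCertSign; an absent keyUsage is accepted.` followed by a line naming the validator that covers the CA flag.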
@@ -435,29 +437,18 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// Checks whether the given "leaf" certificate is compatible with this policy. /// - /// A "leaf" certificate is just the certificate in the leaf position during - /// path validation, whether it be a CA or EE. As such, `permits_leaf` - /// is logically equivalent to `permits_ee(leaf) || permits_ca(leaf)`. + /// A "leaf" certificate is conceptually any certificate in the "leaf" position, + /// whether it's a CA or EE. However, this function currently only accepts + /// EEs in the leaf position, which is consistent with what CABF stipulates. pub(crate) fn permits_leaf( &self, leaf: &Certificate<'_>, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { - // NOTE: Avoid refactoring this to `permits_ee() || permits_ca()` or any variation thereof. - // Code like this will propagate irrelevant error messages out of the API. - match extensions.get_extension(&KEY_USAGE_OID) { - Some(key_usage) => { - let key_usage: KeyUsage<'_> = key_usage.value()?; - if key_usage.key_cert_sign() { - self.permits_ca(leaf, 0, extensions)?; - } else { - self.permits_ee(leaf, extensions)?; - } - } - // No keyUsage extension implies an EE cert, since CA certs have - // keyUsage as a matter of policy. - None => self.permits_ee(leaf, extensions)?, - }; + // In the future this could be made into a check on the `keyUsage`, + // with a dispatch to either `permits_ca` or `permits_ca` depending + // on whether `keyCertSign` is asserted. + self.permits_ee(leaf, extensions)?; // Regardless of whether it's a CA or an EE, we expect our leaf certificate to have a // SAN for matching against the policy. diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index db9427e551e9..2d2f1fd6fe0f 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py 
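Review bot: The added comment in `permits_leaf` names the same function twice ("either `permits_ca` or `permits_ca`"); the first should be `permits_ee`, so the line reads `// with a dispatch to either `permits_ee` or `permits_ca` depending`. The context comment just below, "Regardless of whether it's a CA or an EE, we expect our leaf certificate to have a SAN", is left unchanged and is now stale, since after this commit only EEs reach that point. Both comments describe the accept/reject boundary of the verifier, so they should match the code. The function body continues outside the hunk.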
@@ -60,10 +60,11 @@ # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. "webpki::aki::root-with-aki-ski-mismatch", - # We allow CAs in the leaf position, which are explicitly forbidden by - # CABF but allowed under RFC 5280. This is consistent with Go's - # crypto/x509 and OpenSSL, but inconsistent with rustls and webpki. - "webpki::ca-as-leaf", + # We disallow CAs in the leaf position, which is explicitly forbidden + # by CABF (but implicitly permitted under RFC 5280). This is consistent + # with what webpki and rustls do, but inconsistent with Go and OpenSSL. + "rfc5280::ca-as-leaf", + "pathlen::validation-ignores-pathlen-in-leaf", } From b65d12f464815eb64954c25cc61e855fa3aafc86 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 21 Dec 2023 18:17:58 -0500 Subject: [PATCH 153/155] validation: unwrap and explain why Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index dd484f8fc3f8..5da7ede4ac84 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs 
@@ -450,22 +450,23 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // on whether `keyCertSign` is asserted. self.permits_ee(leaf, extensions)?; - // Regardless of whether it's a CA or an EE, we expect our leaf certificate to have a - // SAN for matching against the policy. - match extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) { - Some(san) => { - let san: SubjectAlternativeName<'_> = san.value()?; - if !self.subject.matches(&san) { - return Err(ValidationError::Other( - "leaf certificate has no matching subjectAltName".into(), - )); - } - } - None => { - return Err(ValidationError::Other( - "leaf certificate has no subjectAltName".into(), - )) - } + // No matter what, we expect our leaf certificate to have a SAN for + // matching against the policy. + // + // NOTE: The unwrap here is intentional and safe: we assert the + // presence of the SAN as a matter of EE policy + // (see `policy::extension::ee::subject_alternative_name`), + // so we cannot have a missing SAN after calling `permits_ee`. + // Consequently, we unwrap to bypass the coverage gap (since + // we'd never be able to reach a "no SAN" condition here). + let san: SubjectAlternativeName<'_> = extensions + .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) + .unwrap() + .value()?; + if !self.subject.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); } Ok(()) From 6aa642c962dd3f5af75be94979fcb57c07d7914a Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 22 Dec 2023 14:59:49 -0500 Subject: [PATCH 154/155] validation: remove permits_leaf entirely Just call permits_ee directly. Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 5 +-- .../src/policy/extension.rs | 14 +++++-- .../src/policy/mod.rs | 37 ------------------- 3 files changed, 13 insertions(+), 43 deletions(-) 
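Review bot: The `.unwrap()` on `extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID)` turns a broken invariant into a panic on a path that processes untrusted certificates. The invariant is maintained elsewhere (the EE extension policy must keep the SAN required and `permits_ee` must run first), so a later change there, such as relaxing the SAN to optional, would make a SAN-less leaf abort validation instead of failing it with a `ValidationError`. Keeping the error path is a one-line swap: `.ok_or_else(|| ValidationError::Other("leaf certificate has no subjectAltName".into()))?` in place of `.unwrap()`. If the unwrap stays for coverage reasons, `.expect("permits_ee guarantees a SAN")` at least names the invariant in the panic message. The function begins outside this hunk.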
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index ea1f6430ac80..084eb2a505da 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -327,11 +327,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // is well-formed according to our policy (and its underlying // certificate profile). // - // In the case that the leaf is an EE, this includes a check - // against the EE cert's SANs. + // The leaf must be an EE; a CA cert in the leaf position will be rejected. let leaf_extensions = leaf.extensions()?; - self.policy.permits_leaf(leaf, &leaf_extensions)?; + self.policy.permits_ee(leaf, &leaf_extensions)?; self.build_chain_inner( leaf, diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index f9ff164ce189..834506af6594 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -164,7 +164,9 @@ impl ExtensionPolicy { pub(crate) mod ee { use cryptography_x509::{ certificate::Certificate, - extensions::{BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage}, + extensions::{ + BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, SubjectAlternativeName, + }, }; use crate::{ @@ -191,7 +193,7 @@ pub(crate) mod ee { } pub(crate) fn subject_alternative_name( - _policy: &Policy<'_, B>, + policy: &Policy<'_, B>, cert: &Certificate<'_>, extn: &Extension<'_>, ) -> Result<(), ValidationError> { @@ -211,7 +213,13 @@ pub(crate) mod ee { _ => (), }; - // NOTE: SAN matching is performed in `Policy::permits_leaf`. + let san: SubjectAlternativeName<'_> = extn.value()?; + if !policy.subject.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); + } + Ok(()) } 
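Review bot: The rewritten comment above `self.policy.permits_ee(leaf, &leaf_extensions)?` in lib.rs no longer says that this call checks the leaf's SANs, although after this commit it is the only place where the policy subject is matched. The match now lives in `ee::subject_alternative_name` (third hunk of extension.rs), so it runs only if the EE extension policy invokes that validator for every leaf. The registration shown earlier in the series uses `ExtensionPolicy::present`, which presumably makes a missing SAN an error, but that behaviour is not visible in these hunks. I would add `// permits_ee also matches the policy subject against the leaf's SAN (see ee::subject_alternative_name).` at the call site, plus a line on the validator saying the SAN entry must stay required. The validator's body starts outside its hunk.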
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 5da7ede4ac84..8795bda31d3a 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -435,43 +435,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Ok(()) } - /// Checks whether the given "leaf" certificate is compatible with this policy. - /// - /// A "leaf" certificate is conceptually any certificate in the "leaf" position, - /// whether it's a CA or EE. However, this function currently only accepts - /// EEs in the leaf position, which is consistent with what CABF stipulates. - pub(crate) fn permits_leaf( - &self, - leaf: &Certificate<'_>, - extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { - // In the future this could be made into a check on the `keyUsage`, - // with a dispatch to either `permits_ca` or `permits_ca` depending - // on whether `keyCertSign` is asserted. - self.permits_ee(leaf, extensions)?; - - // No matter what, we expect our leaf certificate to have a SAN for - // matching against the policy. - // - // NOTE: The unwrap here is intentional and safe: we assert the - // presence of the SAN as a matter of EE policy - // (see `policy::extension::ee::subject_alternative_name`), - // so we cannot have a missing SAN after calling `permits_ee`. - // Consequently, we unwrap to bypass the coverage gap (since - // we'd never be able to reach a "no SAN" condition here). - let san: SubjectAlternativeName<'_> = extensions - .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) - .unwrap() - .value()?; - if !self.subject.matches(&san) { - return Err(ValidationError::Other( - "leaf certificate has no matching subjectAltName".into(), - )); - } - - Ok(()) - } - /// Checks whether the given CA certificate is compatible with this policy. pub(crate) fn permits_ca( &self, From 0fc7327c7bbadd062201520225f3ed1539b8c5fb Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Fri, 22 Dec 2023 15:15:03 -0500 Subject: [PATCH 155/155] validation/policy: fix validity_date GeneralizedTime check Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 8795bda31d3a..2e3652505e57 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -5,6 +5,7 @@ mod extension; use std::collections::HashSet; +use std::ops::Range; use asn1::ObjectIdentifier; use cryptography_x509::certificate::Certificate; @@ -552,16 +553,14 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> { - const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050; + const GENERALIZED_DATE_INVALIDITY_RANGE: Range = 1950..2050; // NOTE: The inverse check on `asn1::UtcTime` is already done for us // by the variant's constructor. if let Time::GeneralizedTime(_) = validity_date { - // NOTE: This is technically wrong for certificates issued before 1950, - // but this does not matter in practice. - if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { + if GENERALIZED_DATE_INVALIDITY_RANGE.contains(&validity_date.as_datetime().year()) { return Err(ValidationError::Other( - "validity dates before generalized date cutoff must be UtcTime".to_string(), + "validity dates between 1950 and 2049 must be UtcTime".to_string(), )); } }
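Review bot: `GENERALIZED_DATE_INVALIDITY_RANGE` is half-open (`1950..2050`) while the error message speaks of 1950 and 2049, and nothing at the constant says that the two agree. A one-line comment would make the boundary explicit, e.g. `// UtcTime covers 1950 through 2049 inclusive; the range end is exclusive.` The commit touches only `policy/mod.rs` and its hunks add no test, so boundary cases would help pin the fix: GeneralizedTime in 1949 and 2050 accepted, 1950 and 2049 rejected.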