diff --git a/harness/render-summary.py b/harness/render-summary.py
index 11d16093..bd92bdd3 100755
--- a/harness/render-summary.py
+++ b/harness/render-summary.py
@@ -14,7 +14,7 @@ else:
 _OUT = sys.stdout
-_RESULT_ROW = "| {testcase_id} | {status} | {expected} | {actual} | {context} |"
+_RESULT_ROW = "| `{testcase_id}` | {status} | {expected} | {actual} | {context} |"
 def _render(s: str) -> None:
diff --git a/limbo.json b/limbo.json
index 162fead3..b600cc77 100644
--- a/limbo.json
+++ b/limbo.json
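Review bot: In harness/render-summary.py, `_RESULT_ROW` now puts only `{testcase_id}` in a code span, while `{expected}`, `{actual}` and `{context}` are still interpolated into the Markdown table row unescaped. The code that fills the row is outside the hunk, but if any of those fields carries harness-produced text (presumably `context` holds an error message), a `|`, newline or backtick in it breaks the row, and raw Markdown or HTML would render in the summary. I would escape where the row is formatted, for example `context.replace("|", "\\|").replace("\n", " ")`, and add a comment above the constant such as `# testcase_id is rendered as a code span so the ID is shown literally`.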
@@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBEa03OGykHJDwohY18p1T4cPxwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ1o3KKc56ZkmrPxJAXbQ1rY+Qw6RZBmzAiY+MW\nUUdbPTaD4YGx0VY0kv3zuKClFBpHkjRbbg9HBxEapuRnyB2Fo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU33A4kDDGCTTqQD988bvPtDpwQJMwCgYIKoZIzj0EAwIDSAAwRQIg\nJU5KnjVRpVa7ekppue4VKAiEesBRWjuRBVjOUozhYFYCIQDF8CgGhj0pixjxiPRO\nQ1F1P17Crs8Lmx91GVkqEmdDpw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUYIdJNjJKmWZCWEdJDv6MvVwlrtgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7RhDXBVJccL96CbwY7vJLfN4mc9UoNcY2WNN7\nLGOUDhagrgShsK7ZYv5G5H/iDVEJhH6kXXI7UPAJTG8O75c4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTU++qPVfKeYpPbhZRep6CM5Yvw8wCgYIKoZIzj0EAwIDRwAwRAIg\nHhAX2i+KKc24tKss08y7JlCCQMZ1G7reymeljrSvbPsCIBda39IqfKlW06e4tOTC\nBUeNBYsNPPODhQ0/PUrDj2Zc\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUM+Y2zT0sXsm6hD4oL/K/6dYvnxQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC8yNDQxMjc3MDYyMDc4NDM5ODc4MDA4\nNzgyNDM3MDI1MTgyNTQwNDEyOTAzNjAzMzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nADGU7hhLoOM7O9B2V46hMQDAeXnD0K7mjUy6SnGFXuhO+hb+8Yv+wPwe8zdlT/8e\nf1tRm59t4Jll1bJ8XCHRiKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU33A4kDDG\nCTTqQD988bvPtDpwQJMwHQYDVR0OBBYEFHfUToFhHrLOmmT9caC1ryYvchkBMAoG\nCCqGSM49BAMCA0gAMEUCIFX3gWzaV++8YHXwgblPCHoY7Jlx7vO3MB/f3iZX3b5b\nAiEAvCTMNWy1KjyVlEhRvv/XUKRhifyhItbCwhEk42vv9LU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHTAri4Lun1Y6Qe+Vy0+kIJHfycwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA1NTEwODAwOTIyMzk4NTk4MDE3NDY0\nMjM0MDM2MDg1OTI5NzQzMjE3NjU2OTEwOTYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJqNRo+E8HayvU/Sg9KLQL5hu5mB7d+aO2eSOOAbF5xmHl5uP4yBWtpVIAt50u5b\nbTqoE7hGLy+XSL0vKuFU37KjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFE1Pvqj1\nXynmKT24WUXqegjOWL8PMB0GA1UdDgQWBBSePNhRz2scAUWmWnbMTI7JZ92QHDAK\nBggqhkjOPQQDAgNIADBFAiBTu7ZAI+xW1fFHwDT9DsfGeXnlX+SunZMvWC5Xc2SP\nTwIhAKdEqkbe60CmMuH/rTKJ50pxoU8GUiZP2HBGsQfCyrGw\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUeTdcRW7d/B5ZOP1dPPC9ST5xBIkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjQ0MTI3NzA2MjA3ODQzOTg3ODAwODc4MjQzNzAyNTE4MjU0\nMDQxMjkwMzYwMzMxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8XKTc\n2z3+H6q1pPbu2DnFsYDwG803xAEGiidZkez9BLM9yHP24iHb7frNm+GbY2czhyIa\n5j1Uh1sYNxQL8Xulo3wwejAdBgNVHQ4EFgQUOfnoOgbeSM3oP7H+6Uqc+5pZUiMw\nHwYDVR0jBBgwFoAUd9ROgWEess6aZP1xoLWvJi9yGQEwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIEbIp1YGIWIZSTEam9w3FwCZNnPm1Tb8wASA1LhMY/V1AiA3\nONwOieBuvDxsIoPsVve2JWQhWEDusOlHjbMWh+kGRQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUEhCEwDLMjX80fQBVXy9LVzfauEIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTUxMDgwMDkyMjM5ODU5ODAxNzQ2NDIzNDAzNjA4NTkyOTc0\nMzIxNzY1NjkxMDk2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeedg\n54yK0UySbr7IReG2Cw19Gr9JdGAXJUCQ6UKsn3UMQ1n2QLo7USW4rS7P6Bhjexfg\nYt05Jf71YEYQxt+PLqN8MHowHQYDVR0OBBYEFPi6Vygn6ayDL9dA4uA/mdFatVvE\nMB8GA1UdIwQYMBaAFJ482FHPaxwBRaZadsxMjsln3ZAcMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBauzp41ZDqqzy6rlQRgdL9G7Fx3eo6bHC7hiN7BWRtYgIh\nANnqnhwD2GtFzoNPWpicHRSMIQvVtbWPmTu9vNFZNb7r\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -31,12 +31,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJUHEjloec1yCSa3RRFnix352dZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASR0eE/t4AaB3jVRkE2UnRP29UBYAbAAHEKB2ln\ne8Wav1TwDrjVuDD6QKTZD83/2xAcAK7RleD4s77dODkgxgElo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhvtBM7jVb4rEZnpuI4ENm/+Bs+AwCgYIKoZIzj0EAwIDRwAwRAIg\nbMuaTefa8E7FambHhYIHadhPcgQ28vhoo1wlevFI1lcCIAwlC7AfGF5EwgpAcLTV\n/InSmUgOTVICj7SOOR9zBk5P\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaxKx0muWYomdrROJTLGkY+4rWfowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR5KLZ1K9fWdUGVL9WHbUvYNX5g5FU+fpvULAEN\nB3L1KiOICjhnFr5EWwr3cTiXChsJVS4HNSnsORXPP/QOqVTko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4pIWmu6EiSrEkv9h7+ys74ETGuswCgYIKoZIzj0EAwIDRwAwRAIg\nZyOk8eUKwIKz3w3eeNMgLVSsm5kPrtlOeGWCN8TaBqQCIGY30kllXnESjaqQ4K+Y\nwnU1CEuzn30YJQeKu/oE7+Mm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUGkNbG3b7ILnsR6H6LB2zAUtfXe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyMTI2OTkzMjk0MDYzMTM5MDkwMTUy\nNDY2NjM1ODU2NjM1Mjk5ODIyOTU5NjMwMzQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEQcbAvhXTd+z1lLZJbG3YR0qVLZUe2+edoe9+bK57+N7Z4OloG6a6TNvINIJirZ\nZ+8lUQ01Kabypg+fjQYiGSKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIb7QTO4\n1W+KxGZ6biOBDZv/gbPgMB0GA1UdDgQWBBQzWQAkUrOhxjqxKfto7+0j5uwgVDAK\nBggqhkjOPQQDAgNIADBFAiB9An8/lLqTZ3uK2F4CnhkETqNL3SCQmfmvO3FainAa\nLwIhAKdpn/CX07NGeqnCqLHH9MrHEVhepWPZJ171ol92g9Is\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTQYmrsvfEzs92HSaGvO1dz81uMUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA2MTEyNzg5MTYzNjg2Mzk1OTM5Mjcx\nOTE4NDU0MjE1MTE4MjMxMDIzMTk0ODMzODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHiXvrP7FKuABgAbqo6zc/GyUvf49FjqNQaHcIkNNZfLfZrQstwdk8dp28gVIqaw\n/yndC53nGlkjm6dIZzuBuL+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOKSFpru\nhIkqxJL/Ye/srO+BExrrMB0GA1UdDgQWBBQ0izmojEgezefsXDh7QZcoe5vNITAK\nBggqhkjOPQQDAgNHADBEAiBStzvbOKZNGJDG0rmuzI6kqF3BoNhRs1i8uWVWOBlM\nOwIgU0nNsdb1ooCEJ+Zj/cafuqO5kVprWXiWjvyC2cYN72A=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUX4lPhLNV2pJQwsXFCJBCVTtVeU0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjEyNjk5MzI5NDA2MzEzOTA5MDE1MjQ2NjYzNTg1NjYzNTI5\nOTgyMjk1OTYzMDM0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENXFQ\nhrh+HODWIf0Z7RELB8U7c9aCCD3gkTjsQB9yOtE5UnoixuJ4vNk3EboYJ3J2ch7p\nGyUlZ2BGWwUjSZZyuqN8MHowHQYDVR0OBBYEFHVQYe551yIQtLiMlJehzZajDFff\nMB8GA1UdIwQYMBaAFDNZACRSs6HGOrEp+2jv7SPm7CBUMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA2C90E607YLwAlyio3CtCU9iRzgfbaFvsebn9nO7GtEsC\nIEH81A4nxcdXfKF2KHc4ExComkS5xM8hnC+M8RxoRRtm\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUFx4oo9Ms1yrgbqQAGOqlCSKn16MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjExMjc4OTE2MzY4NjM5NTkzOTI3MTkxODQ1NDIxNTExODIz\nMTAyMzE5NDgzMzg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJsY6\n6Za9tA7VH32bWBJ/3ljNb/h8boC5XeOB0OtAfvTK/6V3NPLLXVd+l3qo/XJD7tqf\nVEz1+dl5zAmrm1n4WaN8MHowHQYDVR0OBBYEFLn1A+O7yXtt6wt0xVfNRDQjJEfY\nMB8GA1UdIwQYMBaAFDSLOaiMSB7N5+xcOHtBlyh7m80hMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiA5pyBSi/lclQuiTkzA0Vfgpy78OAq142drO21KPR35pwIh\nAK/RovD7G7a9IrPKEof+RarsImFTGq2gxUgDpHjAxStZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -55,12 +55,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUNNSOqoLHRWtCkRzLTEHK2zZnqFIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQEgaYtd+3ITxvCPga8EOkmOIs5kHSgY7meUtgN\n7Ls9PO9Py5iUOK1yRkGkxjRhLfEZ0p+xjjEj8mRCRZUQ2VyEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxfT1nInYCeO+KfVDQirOEBz0+BUwCgYIKoZIzj0EAwIDRwAwRAIg\nLVrDWh2SgpqDzZ8Dbe9nV1bU5IAYo2FICSUEuCw+8HgCIC8bp6p9SOM03OFrsuw3\nlMfRsUOLOIPlBKwAgo/aLCsd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP6rXPm0BUl9to1PayqcHTXWVrOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2hU9f5+RyDShiADvI4DXnPd7LMy8FXsTF3YAJ\nBDtuwGjUW++6F9mmacrmMwixiVegBamvZgPLBCKGes4sng82o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs7Iyt22GEemYPBrUWYNLcd8KRbQwCgYIKoZIzj0EAwIDRwAwRAIg\ncnCiezCciRqCIhY5XqZGKt1zd4Lm2QslC+VGnEn6ufoCIDDvNMU4Wn5VhWQJWLEP\nS48s/IIcJPzYj+t0bTox7cT2\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKaztd5AjqNCuKQHXvib/CkcP6HQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzMDE2MDc3MDYwMzEzNjcxNDgzOTE4\nNTY2MzkzMjIzMjMyODQ2NjM0OTk5OTExMjIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBEYvusQIH7KVa7g4NwFEfvW/04Eu9ohk1Bd3lu7Wq+vGiyej/rv0v8JkrLX1Z4lB\n8mB3vaSEDTVs3yCZnTo6iz2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMX09ZyJ\n2Anjvin1Q0IqzhAc9PgVMB0GA1UdDgQWBBT6GxZ9pEZqRUMG93b6//1jB32NRzAK\nBggqhkjOPQQDAgNIADBFAiBp2Z9FLNWtvMRnOuaPtvibpYBcoLvp9P5IY6A+NNsZ\nlgIhAI5NmbHh9wk9O02evFrmusEsFemdc8aO4eiac0bIgrfu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW+mi01JYW764xjp+zx9dJIl1k14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNjM0NzYyOTU2Mjk1MjY4ODgwNjc1\nNzE1MTU1MTMwMDY3Njc4ODYzNzU5NTU2ODcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO+TvHslkp0Kp6L/r0kt+6kN26KmIRe5HElo/dJdba5lKGn/xRY+iMfbH3t+LXvk\nK8+auwyb7t8FO7ZJY0BOqe6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLOyMrdt\nhhHpmDwa1FmDS3HfCkW0MB0GA1UdDgQWBBR0TpSDMprru+xCCP78JVsm7mnYezAK\nBggqhkjOPQQDAgNJADBGAiEAtVhkASR5EYkvEX1c49Q13dgbzKaTtRGDrqzElTHZ\nzv8CIQDCTX2+EpTggJ8MZ6JrnndW6BfcPWUKcSmKt7MH/SQkYA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIURNn+DqCoESbm9kTbHFyenJDlRGAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzAxNjA3NzA2MDMxMzY3MTQ4MzkxODU2NjM5MzIyMzIzMjg0\nNjYzNDk5OTkxMTIyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc6yL\nk4iJ1v2UikvtGcZQ7KW9lOnd0r7Wk3z9TyH1ofPofHdEtHLO0uxwKsRB+NNkkuYg\nJy0b00QRCxMImC610aN8MHowHQYDVR0OBBYEFExfq/ox/YglfGVg/j3z9APwNdLV\nMB8GA1UdIwQYMBaAFPobFn2kRmpFQwb3dvr//WMHfY1HMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAt3Aj0e97qdoSmMdYBVhUmH5InEaQQ0IboPt1ERk0QCAC\nIQCkkHdi27BpwiK+8FMLVAPcJqPVZKaznr8gQohP+OyHCw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUHsMgp89HVO1MDTSqHiu6e0xht1gwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzYzNDc2Mjk1NjI5NTI2ODg4MDY3NTcxNTE1NTEzMDA2NzY3\nODg2Mzc1OTU1Njg3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0iZP\nRcuFQlQmmrTs8ppTR5t0aH8E13kOxyFPz/3v6/lfG5UEi/fd4tv277/XyE7YiMGX\njQSHnzFyEmLgoKvrC6N8MHowHQYDVR0OBBYEFEidtR7GnpzKopj1nNTBOrRTsK+Y\nMB8GA1UdIwQYMBaAFHROlIMymuu77EII/vwlWybuadh7MAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAwLhv/uu6A/dxw2AJFS6x101vUuvZ38yeYpn3+aceOkcC\nIQC8TnjdoF0SxBppTOXeQncRWhC8lfsHvHsUqkYMRMJSmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -79,12 +79,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUF3GG4IwBot1TbzpOT4vr0wHMpqwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT7JOurgVyN+Z0rkT1aKSVDSNoTtnASgsBWFRx1\nMzprsRxg0ots1DgunRazUNsab0qxcmliQkGUtrwmwUpUqyzZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0KmQbaEswtKFn+aEiuCMVxPe1SswCgYIKoZIzj0EAwIDSAAwRQIh\nAP0creE2XgXuNgAF56y8jtCQgk8m2ktd4KTrjuF+SmLSAiBxHoa7eausqv9Y2boG\nO7pGIK6PSJdkghdunm2QYb95KQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUVMEMiwVmEYmvqxep6EXtTzHuRDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAST9s2nzSRF4ws1nVYNiGugFs3c4XPet6tUzi0I\nT/JiizxtzrZeHXbPWRhhKlSztBq5m3NQD3jecJS/tcfA8YCoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7Z9vzhMPD3f1TZ0KYZwG70GB+J8wCgYIKoZIzj0EAwIDSQAwRgIh\nAPRCVHdOu4R++6bxnv4hQSF334zzH6B3ZZMcLs6sj+jOAiEA0h87Nh6yE23tCx3M\ntk812B5uizQ6Ej2Wz8L5rtL1+fM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUf9ujSFsig7K13wEJ6VrjgW277+cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAxMzM4Mzg1MjEzOTIwNDc3MzA2Mjc5\nNzA0OTQ5MzI3Nzk4NzEwMjcyNjg5ODY1NDAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKAoMkt7x+rhH2dNMW0IPsDI3s4ruM3Gr/L645TW9ZUyloKfuqYZRPOzHhXmSOGf\nikkE+qnEKhfPar5QStK3SfGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNCpkG2h\nLMLShZ/mhIrgjFcT3tUrMB0GA1UdDgQWBBTB1DxV0r8xd5r/uZmlXtoeCD2/wjAK\nBggqhkjOPQQDAgNHADBEAiBolGpV7SAGR7JLA4Ut+aTmT204IRqQxczGYHWbtPMf\n0gIgBfAYC5x6g8gU/+5iz0ri9tGzTsydgA6sInAlnRuj4Hs=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUemDqIBq8G5peV0vnEW9qC5v6Rf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA0ODM4NjAzNjEyMjYzNzUyMjM0MDMz\nOTAwMzMzNTUzMTE5NTM5Mzc4MTMwOTU0ODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLmtxlKGvWZRHGSwZQD27IfWEWKpPp1vwWb06x3jske3OXLabvRJSbKXcEMPhjff\nM4L8RKlwTdGIOlbE0uuw5J2jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFO2fb84T\nDw939U2dCmGcBu9BgfifMB0GA1UdDgQWBBTnOMcefD1cXar3B4c/cE8WJcVnXDAK\nBggqhkjOPQQDAgNHADBEAiA55zIJkMI45m8oEO1kP+q/zpNGm1ae7c41kBAWvbVP\nswIgQWrvw3II17TZpQdigzxzxrn6p/2PHwrZfHzhH7IkFlE=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUFEgg18KBGgiqb/ZsLnxnKJ3Vb8MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTMzODM4NTIxMzkyMDQ3NzMwNjI3OTcwNDk0OTMyNzc5ODcx\nMDI3MjY4OTg2NTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDcyOTkzOTkxNTAxNzE4MjA3ODEzNzU1MzI4MDQ2Mjc3Nzk3ODA0Njg3\nODgzODc1OTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFI2sTVwXVZVySkK6d6c0pLzx\nOjU5eMkl4mOak3QR/8IOojcNyeMEHuGLe5ExJuH3RBskxBVlCxJsyUMpXvGDfaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUwdQ8VdK/MXea/7mZpV7aHgg9v8IwHQYD\nVR0OBBYEFPpeC/gn3EpqMAFbAaMpiSi86g/wMAoGCCqGSM49BAMCA0gAMEUCIEx+\nz21kZMlR8FqqMxDtWGrVPyf0evbDtBB7Myjul9VmAiEAmWvWRlUlP58NCstsoBLP\npF20Jntqg0mUXg1VgO/p1c0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUPo1VSn7A9QR4VHkYZxG+8t/q6LkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDgzODYwMzYxMjI2Mzc1MjIzNDAzMzkwMDMzMzU1MzExOTUz\nOTM3ODEzMDk1NDgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDY5ODY1ODE0MDc3OTA0Nzc3NDcwMDk4MjkzNDg1NjkyNDM5NzQ0NTM5\nMTczMDE3NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEG89RV9s+iAFBurrrPgVyFQ7A\n96JwVCReb1VOijINaVwdnwDAExjLW4sBkhb8ogcK05PaDOJ4hcZevhGmbWtFH6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5zjHHnw9XF2q9weHP3BPFiXFZ1wwHQYD\nVR0OBBYEFE2AJpHqf2LBKF+vN/omdPF1dLd+MAoGCCqGSM49BAMCA0kAMEYCIQCw\nghizNFw2jn7aOPKxIPQVR2Bl55z5nYYWfb93yjQPzwIhAMdmNql3uNtQ4ywus7sd\nRLL+tgl7IuaBvAaoST5J4Omj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -103,13 +103,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURdS7DDKlNNzNKQNsk05vxTmSRE4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMzkK37PlVX7eiAcKsfhe6gUtqjLrfjnuzLd6g\nWQppv3zmaGo7WFBE/rUxCJ/JZXg/7k2/8KrnZxBq4N5yOIfHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2uk5wth+4xq1b2dpcjeLEkUIWEYwCgYIKoZIzj0EAwIDSAAwRQIg\nYBaStQPnzoUFmMVuoKPtHRcMpvH6s0cMGb2WzHSWUxYCIQDwBgA60SC7HZsZF7zZ\nzRKiXN8A+Fhy3XCWBPXuKZy7tw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQ4CLc9DY1avm0F9T2gNVvt+HyCgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATT5iB75gl64E/VSMG0lqYpyKdN5YLw46oJCaxI\n9KVcCTmI/oj2WgvFPV2RBWaoZ7qhxPTqGOKGMEIoBxRld3iEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWqJ6TGcgmsa1/cTx6M+pG/98CgIwCgYIKoZIzj0EAwIDSAAwRQIg\nWYu3gpQs9OAP6hkif0gQz5Jo66PrY5BAS6/Yz8C2lyICIQCa4Qg3KORRegUG6urU\n6pyGt6iC+HIiJroLYgoiZVXSCA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAJWj2q80v7ofVdXODCSUPo+8KagwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzOTg2NjQ0MTUzMTcxMTAyNjI0NDUz\nNzAxNzI0NDI0MjA4NjU1MzM5NTIwMTc0ODYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBI4dwTPkafRzja9opYJQyf6PWbyU4W6ABVVfhIZpkLfGs1SvgKVVgFDs1SlAy/vY\n1clLhxYqFFW5GQwSHpFTooqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNrpOcLY\nfuMatW9naXI3ixJFCFhGMB0GA1UdDgQWBBRqiNvLPzlh+rPqG27TPEAjbWwTFTAK\nBggqhkjOPQQDAgNIADBFAiEAvontOXgm87hamK1grh1NBC6dT+3QrwYQesH8Nb7l\nZIkCIHwR1FIrPFV9avCh38ZDG3ic8B/FGHaIb4IxOP2dz//h\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUb3AoRHbOrTnokHJNjEx5D+ESiJUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzk4NjY0NDE1MzE3MTEwMjYyNDQ1MzcwMTcyNDQyNDIwODY1\nNTMzOTUyMDE3NDg2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGUxNzA1\nBgNVBAsMLjMzMzcwODQ3NTE2MzI3MTU5MTgyNTE2NzQzMTUwNjk1ODQ3NDkwOTI0\nMTU5MTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLh6tkSBgBLCLyT0dNyGnE+3M+5M\n2irnFWt8asH+6g/sZMbOvzjWKtm1lX88yEpmJwpkPBOmREcQr8kRtpBcSK+jezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFGqI28s/OWH6s+obbtM8QCNtbBMVMB0GA1Ud\nDgQWBBRXfnygpGDWSj5o/HLAZtK4xA7l0DAKBggqhkjOPQQDAgNIADBFAiB+ZBQP\nxEJvlb42l9TrttdFH82z0qD3t5408Nxnb1yLLAIhAL+1CH00bqXhtjzVJTwuGZEs\n4GTVTAOzweiLYn2I/uOk\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUBxe6507GSwsKaRTqjL2AAQLDS8cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzODUzNjkwMjUwNDg0MzExNzE0ODUz\nNDUyNDE4MzkyMjUyMTIxMzUzOTIzOTczNTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHWh3eay3zxC93pwP6LmG9/jKbQ2beK14IDWup7JxAgAVG9wYHxFPwLFJ1XHUHFq\n9EkgYQiThzx1KWzxegRq8jqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFqiekxn\nIJrGtf3E8ejPqRv/fAoCMB0GA1UdDgQWBBQMgEQjUgrtaP7uGyLlQ00Gt331xzAK\nBggqhkjOPQQDAgNHADBEAiBGoZnfpTm2h0e77i4T+CJAItYTglQUdh3dzLpFi0TT\n6AIgfRRKVQpGaOqHw0FXaukF5nXBBuuPwX/3ZsHkW0/uiJk=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICSzCCAfKgAwIBAgIUZEMl8fITjT+EM+owXs+O1pLGkrowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzg1MzY5MDI1MDQ4NDMxMTcxNDg1MzQ1MjQxODM5MjI1MjEy\nMTM1MzkyMzk3MzUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGYxODA2\nBgNVBAsMLzQwNDkyMTM0MTMwNDUyNTI3NjQ5MjEzOTQyMzIyMTE2MjIyNTY0MTE5\nNTYzMjA3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASu4Sk+55y6NwOByBI6DIzky3jO\nhB4cHgqOvpPSQF/4gj3XH60QY+u73t/z6tJQJTE077LvNQCWKB0I2MPIUYfno3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQMgEQjUgrtaP7uGyLlQ00Gt331xzAdBgNV\nHQ4EFgQU8JJA4Bz/l8WAGESxYMiW5raUukowCgYIKoZIzj0EAwIDRwAwRAIgBouz\nLGhPBh0P9xxTNlBpE08KDJfSxqvVSy0uGJnBsUQCIHQ9D0tKT8h98KR0y/5hfqW+\nwxBYfw8wAodvS5Ysw/eB\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaGgAwIBAgIUKlde3CfZzPdEeX4Op8f65UdScn4wCgYIKoZIzj0EAwIw\nZTE3MDUGA1UECwwuMzMzNzA4NDc1MTYzMjcxNTkxODI1MTY3NDMxNTA2OTU4NDc0\nOTA5MjQxNTkxMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi0wMCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYD\nVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDPBEEqa\nQy97DYOIBwb0ZvZvcP6Iiicos8s/2ePI7vXJGEoObGN7VXoyUrsSrJUfYtPdCBda\nmyeLN8GH2VH2LjijfDB6MB0GA1UdDgQWBBS8eC1ZZY8UsXqG/wpc++jar7fLqzAf\nBgNVHSMEGDAWgBRXfnygpGDWSj5o/HLAZtK4xA7l0DALBgNVHQ8EBAMCB4AwEwYD\nVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSAAwRQIgdMH5SeXDOk3PKtDuCFNrpuOM/yMDithBN/lsN+aUtwQCIQD+\nACa2ssPf99ufG4K1/Kn6ZVAHB6BNMW15TSkvGAYSEw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUM/ggX2zZKDwbtHjaM0dliAzGLgcwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDA0OTIxMzQxMzA0NTI1Mjc2NDkyMTM5NDIzMjIxMTYyMjI1\nNjQxMTk1NjMyMDcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQe8fom\nOw7RNOEHRhNcOXSw80Z5cayOgMCQQlLG1nqgHH196hOZLktklhyZZV0yXVeM9zrz\nBQF3R5N1+ub+F7oIo3wwejAdBgNVHQ4EFgQUEcttnmTWJwVV6GkAOP+URQU3+Bcw\nHwYDVR0jBBgwFoAU8JJA4Bz/l8WAGESxYMiW5raUukowCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIGmz4TO+GMolKvXeNp2wE/jUgW5yJP34NnTZrJYl0OFEAiBj\nYtVe2VV/6cCcz4wWUUH3nIMYhy7qtetJJ7Bgldkkxw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -128,13 +128,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPjK2hUeekIV7BejOwg/ZI+XeEUcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATKyvcDsnUmyQCfKlAb3cm2gn1s9D44inePmgpx\n4jX5Nh2WymGtYtLs1kOrnYApYhAdO+1ikxp/v799s4TMY8aDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8bfoT1r4RzEX3XKSElviZeTOIqAwCgYIKoZIzj0EAwIDSAAwRQIh\nAOjvXvZZd2o3c/DaRKiLirtwYQDMG//iDjsDnKHD4OenAiAGaQtTkfEtce7KY6XD\ntXtcD/8vswpvFEpaiKuLmCWWjw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURIYU3Iv8KfBU0wi9ZxaTXFtLKo4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR18j8j50kfXZmcv1CzRVzLrkUg+4hlyyUS93wS\nq2H5zEpG7wZGOZIp8eOAQePnAVuGXmiL2cTn/LY+So92jjrTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyNYl4OzXoRZTjl4HKslLltzGqggwCgYIKoZIzj0EAwIDSQAwRgIh\nANWK6DiAaYlTD1Zr/L2xsvfKsg1dhpzibDP45HSzAweKAiEA4xt6SD6Jiv8nJ4ZZ\nRTw2M4dP2eM4L23uYSNkEYFVEok=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUAcNoRB/1tvM4kWDpfPFdihdxtZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzNTUwODgzNjQ4Mzk3OTc0NjQzNTYw\nMTY5MDI3MzQ5NzU5ODQ5NzA0NDMzOTUzOTkxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCrfNRxXNzW3l0uh+Qi8J5uk9dr6puMOF/1JcgsquBnT2Q7gTBDqwYGRyQSZ4ae9\nMjLGPpXHfWaQin8PwPnZksijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPG36E9a\n+EcxF91ykhJb4mXkziKgMB0GA1UdDgQWBBRzeVnN9QvOs2VR48iOrc3fZDY0YDAK\nBggqhkjOPQQDAgNIADBFAiB4K/BScn0aCrdauhGcfga+g8Uwv4YOBFTOi0a2SeVa\nXQIhAJI7VIBfIjikMteZzikDubbol4unwzx24+i7BAdORVhC\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgIUbcpRF+pi9wvhPNB+oSB8ynCA6/EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU1MDg4MzY0ODM5Nzk3NDY0MzU2MDE2OTAyNzM0OTc1OTg0\nOTcwNDQzMzk1Mzk5MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGYxODA2\nBgNVBAsMLzEwMDY2NzE4OTQzOTU3MDU1OTk0NDcxMDY2MTgzMzYxNDEzNjEzNTE3\nNjQ5MzA1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARz1YWsopvlbA4/tXU4uzWjmnot\n65aFXQJVhgQkUv868BiDfaGAJEEDvn3+1j+T9OSOd5PKZJ0L51Ug8N8oXsIfo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRzeVnN9QvOs2VR48iOrc3fZDY0YDAdBgNV\nHQ4EFgQUReNgZlKicDvJ7kICMpId1BubnxMwCgYIKoZIzj0EAwIDSAAwRQIhAL0Z\n4bErAZ3UWFcmoY64a4YBOFYCuwBjhl2cSMTZD/LeAiAY1nctAmxE6xaNBhdxUUlC\nzG3yfs2Tezuqw5+3Ase53A==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUeh8U4Ths7hTCWJyPpAtuCa5/XGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAzOTEyMDE0ODk1NjY1MzU1NDk4MDI0\nNzMxNjU4NDI4NzQ5NjU5OTkyMjM1MTU3OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAlcVug55Qmc1TW/qPzwtG6zXVjmiKqCQt20Dx2SWeQzWOr1r80VZtrPtNUzGKrd\nssXhwiQ3XhSR9o42IxcvhhWjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMjWJeDs\n16EWU45eByrJS5bcxqoIMB0GA1UdDgQWBBRKn0xPEKNVeaXcyaFrccd8Y8kxgDAK\nBggqhkjOPQQDAgNHADBEAiA2qhnQo9ux0oidJ5JCHO5R+mFW6xoJo0v9YpqLrB/v\nagIgMySDFUSvUMzEjOyMWNifBU2nylGAWoTzlrtc3Lt8MDI=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUKSwMKaYt9I7588E9SZ6WV01HpokwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkxMjAxNDg5NTY2NTM1NTQ5ODAyNDczMTY1ODQyODc0OTY1\nOTk5MjIzNTE1NzkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDY5NzE5MDAxNjAyNTkxNjQyODM3Mjc5MTU1ODQ2MDc2ODAxMjM5ODQy\nMjM1MDk0NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoSpSh7rIyau/PQQNr/yJx7b8\nHuH5PIQUILtCIOXVWre1bzYvNMg+LXaRROvZ/Ypx5W+30XrWfDTiTPmZuOcAVqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSp9MTxCjVXml3Mmha3HHfGPJMYAwHQYD\nVR0OBBYEFIjY5GkFE5pgE/HGtWc2QS+hhLnLMAoGCCqGSM49BAMCA0gAMEUCIQCZ\n3GMkar+3CPLfgCDNBRyX2n7IIkMrQztDBY0ZsjRTLwIgNHP1PKEtAVB8WWgl8IQV\n4NwaOERdFUwu60tlFYuFos4=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUV2tXDuz/sKuTw0Cn2IBb7RAiktowCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMTAwNjY3MTg5NDM5NTcwNTU5OTQ0NzEwNjYxODMzNjE0MTM2\nMTM1MTc2NDkzMDUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMjAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNdQFg\nLqCO1ij/ME5yL3NCD6NCgxNTOtR/IN9lJsw4wuN44o8n8+0GSeb1rJKQezuCcx4b\nfnz/N5GPxqjn7Kiqo3wwejAdBgNVHQ4EFgQUHdvcXyKFYq3a8uCN0ASRXqf6oUUw\nHwYDVR0jBBgwFoAUReNgZlKicDvJ7kICMpId1BubnxMwCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIGmAZ0SHxY9JW8qa2hYrm0PWTTlXK9KUCOW81YCfCukZAiAb\nyYC9OrHXfipMg2UOKS1a4Z0j3ZPw9f/Cup3/yLqy4g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUPpWKt5POAB8AMByEhu/0XUfZhDswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjk3MTkwMDE2MDI1OTE2NDI4MzcyNzkxNTU4NDYwNzY4MDEy\nMzk4NDIyMzUwOTQ2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf0Qy\ngzQtfhbQn+fLNy+O2uTEwXXcv00I+NCJYw5Xe5Gp029KraHIe+zI+oa7eKJIltAo\nT8hXQuQ7ZdL9VrE7+KN8MHowHQYDVR0OBBYEFEfazWYA6RSgu1pm+nqzhV/+A9OP\nMB8GA1UdIwQYMBaAFIjY5GkFE5pgE/HGtWc2QS+hhLnLMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNHADBEAiB5/xyFs2Zh2PbVng1KUDcqyiGHyNxjJU/GChVYdUUtDQIg\nBcoxYL1ZXO+Xr1QG1IEXGKaefcs9qaxjooDCyBbWogY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -153,14 +153,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXgB1US6cYwcRzKkR6i+JRbdLBCowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQolP+5YPKk8TbZvtmq1OjsSoSvKJTb0P/ejm8V\npy6Uj+HFjgbWN92L0TjhsXpCECJmSjBW7UabxvDLng6MC4KMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg2fxTm3pv+91st5EZ2pfuAiBwtEwCgYIKoZIzj0EAwIDRwAwRAIg\nM63l7SzTM/t77DYpGdQVGoY1akad62Nhq22YUsWIgGICIFFkLPA7MuUu4KNZzMxW\nz5uszmSrs9BmnbfB/HNAtNMW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdGpidBIMNnVXXUP9F5qQw5YUEzAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ2u0KpH8N+btIqFP/XQP3AhAB9c2nkKbQAmHwi\naxEQC4CbCXEpR6jDhwxxhcaWCmWOvS228VhyTRdFybQcWSQjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFqLBszrDMcXumBuA+idEAUq5QBUwCgYIKoZIzj0EAwIDSQAwRgIh\nANeDNwuh1X9I0NK5Qs/TbFpZt/lKB6YdBdNDEaIdrq9KAiEApGMAQeq/6QWGUZn8\nBNFhi1PP0yjh8/YZ2vcO8FBxS/I=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUKR3+9xhNWjjCyUiJrmLDu7XwGp0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA1MzY2NTUzNTIyMTk3MjMxNDY0NTc0\nODI4NDY4NjYwMTI3NDc3MTE5MTI4MDU0MTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBI8yDhAmCGpyfn+3ZOQGxlWYovDEZu49ZQBsJImZXbURxlHeIoh4HlSzcIaj/U9O\nW2J3Q9+4Dh0UqJVrAl33v+GjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFINn8U5t\n6b/vdbLeRGdqX7gIgcLRMB0GA1UdDgQWBBSeu6BJoKvqWRo9UBWwpVP0yLt6rzAK\nBggqhkjOPQQDAgNJADBGAiEAm4BQ20+HdEORBKrpYsLJbLeBm+rg9DLCKAYb0JIL\nXhwCIQDi46MOV4Y1HtuE+4Cec0TXxUs2s/rDij6imje0eF7Vnw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUIoVYSNjK2H+M29lGrcSnp4w8YEswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTM2NjU1MzUyMjE5NzIzMTQ2NDU3NDgyODQ2ODY2MDEyNzQ3\nNzExOTEyODA1NDE4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDIzNDczNzU1MzgxNzIwOTIxMzgwOTk4MjE3MzQxNTA5NDk3MTU3OTIx\nMjI0MTU2NTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfZaZoyJpc517k2aZ67BaTzVW\nXnL1D4FrCdo04V1WVZS5409uCRGZSQiwe9+s4pT722fGPIgjIgTFFk/pI8LE/KN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnrugSaCr6lkaPVAVsKVT9Mi7eq8wHQYD\nVR0OBBYEFJ3i9JkzFGuUq4VgfNX/7Cw7r7jUMAoGCCqGSM49BAMCA0cAMEQCIEDp\n2wAj+2/h19xtcZsEWl3MpLjLrg41O5dBaA9l8QarAiB9b1dfcY51oy1elp45gMLF\n/T2pHXptAXc1iKJ16ZGAnA==\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUYvb8F9f4QcGhjuATfgXxoc/UlPowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjM0NzM3NTUzODE3MjA5MjEzODA5OTgyMTczNDE1MDk0OTcx\nNTc5MjEyMjQxNTY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDE5NzA3OTM3NTk4OTA3NDAxMjA3MjAzNTk4ODYyODg5MzU1OTM0MDgw\nNTE1Mjg0MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKUWpVLmvnFc0AShLi5bYBrf\nN+vvimCr7iFqDNzj5uDZBtCi2+CS82U8yQf9N3xmvoR1mMKU9vL1yHW+Za+hyqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUneL0mTMUa5SrhWB81f/sLDuvuNQwHQYD\nVR0OBBYEFMgU4aCUrVes5kFMGh7kpUJyBhFlMAoGCCqGSM49BAMCA0kAMEYCIQCw\njYbiaFZc9EsQa610irY7CfCBrNsBta4hEFYKTXZsbQIhAMkW8QnG/pB+4PsEXJWK\ntx3OoDhmNc73/WGSu4P4V5Er\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIULbEMGM5TN8yXcC8+qouE76Le5aUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA2NjQ2MTUzODQ5MDczNzUwMjIyMzAz\nNjMwNjg4ODA5NzYwNzk5MTA0ODQ1NzkxMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAaMm60ndNrjlDwNsDRBuIsowlQRLPkaXTAhsI9mmaykw2ha9gywz9FwGGJa9TDE\nGx0gPbNuGudL9e6VV0C3mLyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBaiwbM6\nwzHF7pgbgPonRAFKuUAVMB0GA1UdDgQWBBSsKIAfU45EfnT//xeH9jD6m4V8eTAK\nBggqhkjOPQQDAgNHADBEAiEAzPkzaVQrwzopvZ5izaduY++CBxAu69lkmtfyKTxh\n0ncCHw++ei21JCHU3RMDwSF4bmAPmGG8Mlf5kpOgpKFTvB4=\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUQbmMkt7tsR1spVp9ci3T6mS9kW4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjY0NjE1Mzg0OTA3Mzc1MDIyMjMwMzYzMDY4ODgwOTc2MDc5\nOTEwNDg0NTc5MTIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDI2MDg1Mjg3MDM3NTY3Mzc0NTYyNDkxODQ1Mjc4ODEzNDc5ODU0NTk5\nOTgxNjEwMTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENlijn583ZrCktI8Q3RZa+fg8\nsptTvABZGoMJCPn6WMwqx0iF5I+uH3JlprSTC/wTr3sdUngDFR4BLsSOaeF7vaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrCiAH1OORH50//8Xh/Yw+puFfHkwHQYD\nVR0OBBYEFB1BWcFx+Mq7kxdkyiyT0lOpBZ0dMAoGCCqGSM49BAMCA0cAMEQCIEdv\neR2lR6IsHhkEwlYEYtjFKevHAFO9XkEYmC+VVz+7AiAD5ZwF+suP+aCqndliWbFv\n6gqsRlXJbAy+obJkY5QhGA==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUTHcjsuF93Rc0nLF4GMQWFgO/ZecwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjYwODUyODcwMzc1NjczNzQ1NjI0OTE4NDUyNzg4MTM0Nzk4\nNTQ1OTk5ODE2MTAxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDM3NTIyMjI4MzY2Mjg1NjUzMjk4NTM0OTU3MTI3NTg2NTA1OTY1MzI5\nOTU3MzEwMjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfACW9ekXTCGXTr/h6qkfp87V\nZca8OaJFJ/e+2MdR8VFr6FVuEPmxfF5ItHavzEFig5Y58rt0IY5eRHG5LSWVrKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUHUFZwXH4yruTF2TKLJPSU6kFnR0wHQYD\nVR0OBBYEFAsZCLchAp3hSgACb61/GwzOiM6uMAoGCCqGSM49BAMCA0cAMEQCIClG\nOnd8axmKHguDPGLpKM6hsb41HDOvxWGAzZap3fFpAiBXLXUxHkNhMZiKRll7AvvS\ng42+/mpLGWospmHzIakTdg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUYSXu5qE8rByEd2SqToK7Cd7LqHEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTk3MDc5Mzc1OTg5MDc0MDEyMDcyMDM1OTg4NjI4ODkzNTU5\nMzQwODA1MTUyODQzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEklyb\nyRM8Yu51OLh5wcDBnzknI1xzidQxFPtwsNAfGiGriPMKu9zVmmesQJDAcU7DktP9\njUvwTdIXK0nfKGqIFqN8MHowHQYDVR0OBBYEFEZpDWya5KpK4SS3v3KqwYwzLUJc\nMB8GA1UdIwQYMBaAFMgU4aCUrVes5kFMGh7kpUJyBhFlMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAmtULt+23GCHDiG5nWST1+apWxtxuuwp9CfbQ9twFO1gC\nIQDLDWOKxJGQclpav6eNgmsJWYZYKn2dZsi19i6++1bRXg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgITXC7jUR0nXygWhmFoeI+fyZNMJDAKBggqhkjOPQQDAjBn\nMTkwNwYDVQQLDDAzNzUyMjIyODM2NjI4NTY1MzI5ODUzNDk1NzEyNzU4NjUwNTk2\nNTMyOTk1NzMxMDIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUtO6J\nBODRKODnYsaB7D9ZVB1Q81FD8h++i8Y50PBtjMh0tn+FUUGgXoQu+uC4cfJRvw//\nIa3hd2Yic/EzbF1po3wwejAdBgNVHQ4EFgQUc9L9z2XLTOJv3GArrjUq7ozpaY8w\nHwYDVR0jBBgwFoAUCxkItyECneFKAAJvrX8bDM6Izq4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQChBNK4ObUCqhZO0R34gLN65adNjrXaa5TJJY7/jfUqswIg\nKGDJ32p+XoYdgfBosXEBlx3kkM3YTRnfdvDcKgjaBg0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -179,14 +179,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBKW9X/yyKIzTHvI4b+xdxL6doiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARo2du5ZcB7Yo9uK/ZTp6i2RIIYkjxFQdkEpFRv\nYMe8+bK82xCp8MlrNZMI2Y9ma5xagtTjpLg3v2ms2BQrfgd2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmblv1zsKIisIS0RNPZ4fLz0NE1kwCgYIKoZIzj0EAwIDSAAwRQIh\nAM7DnO74vT5hot0nzA/JcVF+nhadmdXBC2Kdp7XQIWd/AiBJEJJAmIU1GOgRgbTg\ndk4gZePQHQIZ3HnpqsDSflywaA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdqEGLVOoHaa7JzLnehC4yJodDx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMzE7tZtfo2+k19nG26HxyDAZ9/xg1ZUPvYX1c\nN1Zh9pqxV2m3MksiKgRv/VWNHGSbJ8nHvSXm2k7OAjfufQuxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlludi5+/o25dW6qIPlPze43Dt34wCgYIKoZIzj0EAwIDSQAwRgIh\nAMqlqPz9cnBYw9dhwgUGCTdIR9g+GBOTOg43uAPck+BTAiEA37O7DPhOY9B7aKEU\nhXM+f9SssgNDKHZ4bXhvYyM6vPY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUJKCS8OxALMhfXIg1axqn/bKrRLswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC8yNjUzMjA4MjkyNTgwOTM3NzMyMzMz\nOTg1NjAxNzg5ODMxMDEzNTUzOTY3MTU5NTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nYkviLjjQvXQKRZrK51g6gD4dTS3NuaAsyZgYJBOo6633j1ufNDN0novKOv6kY7j0\nPSB3kdeuwUMiPhxaEXIrraN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUmblv1zsK\nIisIS0RNPZ4fLz0NE1kwHQYDVR0OBBYEFFLk02//BoGk0sdcqcp1MtedaysDMAoG\nCCqGSM49BAMCA0gAMEUCIG7qShn6fPId7A6oGvAIQ94Wt3FHlaJfX4dF70Bt4JW1\nAiEA+HTIYHY6poKIkiw52OAVDmo7+yfr+mkmSOe0wZcIoWA=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUCrjAPgDKYLn7gksQxC6lheIhwdAwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjY1MzIwODI5MjU4MDkzNzczMjMzMzk4NTYwMTc4OTgzMTAx\nMzU1Mzk2NzE1OTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowZjE4MDYG\nA1UECwwvMjY1MzIwODI5MjU4MDkzNzczMjMzMzk4NTYwMTc4OTgzMTAxMzU1Mzk2\nNzE1OTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIH7Npr7dkCzjVs95nV1Eo5THltW\nhYEko0ONaZcA6/mamE+puTmTOKtLy8HHIGWPmuzFaGuhf1PNAyBDHk68+0SjezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFFLk02//BoGk0sdcqcp1MtedaysDMB0GA1Ud\nDgQWBBSr04SbwtMOzvBVe6+ISwGOAE9g7TAKBggqhkjOPQQDAgNIADBFAiAZnrzR\n7YMjvtrBs5Wx0UGrSb4F0BgvNZ2I8g1wBYmYswIhAJk2WQ7rpftC5Lo8oX+m0Ieb\nh7liWLsoQ3BmElTMpSJr\n-----END CERTIFICATE-----\n", - "-----BEGIN 
CERTIFICATE-----\nMIICSzCCAfGgAwIBAgIUW9tiYuRT0GV0yyjDy9luo4W7EUwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjY1MzIwODI5MjU4MDkzNzczMjMzMzk4NTYwMTc4OTgzMTAx\nMzU1Mzk2NzE1OTUxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowZjE4MDYG\nA1UECwwvNjEyMDk5OTE0ODIyMjQ0ODI3Nzc3MDkyMDA2NDY3ODE2MTc3MzM2MDY5\nNDkzMjgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhsZW4t\nMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPJYYBCuK9Ky7kR7Ezo+UuvQwbjw\nLFzYmKOV7ZTR3mwFaxIwCKwaRJ6RObcevc4FFDniaXEDH6oGJo90EF1V1GujezB5\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMB8GA1UdIwQYMBaAFKvThJvC0w7O8FV7r4hLAY4AT2DtMB0GA1Ud\nDgQWBBTdLA5RcJRwb18qTxm2OVnJ/OuKCzAKBggqhkjOPQQDAgNIADBFAiEA7P/V\nUWnRcpi3uzxbhPJGtYRm92nEu6gEvjC9U5tAmjgCICDBC2BS+wdNryBVhgKu/NBH\ngimz23lS4Pb7b53qq6pw\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUPapLzy77mFbf716YZSPAVUM3OwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA2NzcyNTE4NjkwMzE3OTc0MjcxMTEw\nNjU0MDA5MDgxMTgxNDA3MjgzMTAwNDIzOTgxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGF7xDatcUmZR3Srt/Q+7n/e+sbcdlJC35UB6+3Zii+D1TTPu1VEI5c7t0h0BI/3\nlXOOjXryQxTXnNjlnyaclLGjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJZbnYuf\nv6NuXVuqiD5T83uNw7d+MB0GA1UdDgQWBBQB+Xp2IpSFGlkLzKptxt809QdxlTAK\nBggqhkjOPQQDAgNJADBGAiEAsbSMdxwa9qCNSoyBpNAmQD8DqBEf1oTGPDtRH4ji\nkoECIQC+1gW1KVYK/McfsYM8zWYePb0Ojovnc78g6d/44rGBAg==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUBFofaSnkGar/+fa686VxGDkmfmowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc3MjUxODY5MDMxNzk3NDI3MTExMDY1NDAwOTA4MTE4MTQw\nNzI4MzEwMDQyMzk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGcxOTA3\nBgNVBAsMMDY3NzI1MTg2OTAzMTc5NzQyNzExMTA2NTQwMDkwODExODE0MDcyODMx\nMDA0MjM5ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw/gnrbR7SpMOzcVe70P7/D0g\nmOibxzbBfBluOzXMD+wNITuS0H6bymnD4Y5dLlaRxgIJK2qgZKdm7JFxIVCk06N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUAfl6diKUhRpZC8yqbcbfNPUHcZUwHQYD\nVR0OBBYEFOFZRVGX0uMdlFVmqLZRu0JUk8uMMAoGCCqGSM49BAMCA0cAMEQCIHgx\nL+1HJTtt62pMPcUzv3sVfaV7DqGe6o106klzUZDfAiBr/5fC2OAK2ErxpL0B9rYk\nMf0PhTFH6pfBABhBqL/wuw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUCqaFjcZHD8Y3NlqZ7tdX83ddFeAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjc3MjUxODY5MDMxNzk3NDI3MTExMDY1NDAwOTA4MTE4MTQw\nNzI4MzEwMDQyMzk4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGYxODA2\nBgNVBAsMLzI0ODQ1NzY2NDE3MzU4MjM3NTY1MDMxNTc0NTQwMzQwNDQ3Njg3NDA2\nNDE5NTYyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAStxWYWKAixCcKxN9RLaZiOQSvq\n+QcFToxnMHnwSOw51X+Jlnd5zatV2NbjqJHBPsD6UwYmJo+NO1W2Z0Dj0Gnno3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBThWUVRl9LjHZRVZqi2UbtCVJPLjDAdBgNV\nHQ4EFgQUnOrNwSlWO4SX44UPFV0HvbT04Z4wCgYIKoZIzj0EAwIDSQAwRgIhAKRq\n4U93jT/GaKbIq54cEw7cCWuvXTbIgsbg5w9ZI4ttAiEAwE7wFvHLbbyae1EmYRBw\nNNoxLgXTlzTNQJPF1AusYJQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUBmpJIkxO7CxNVRF5yMXbYHFFB68wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNjEyMDk5OTE0ODIyMjQ0ODI3Nzc3MDkyMDA2NDY3ODE2MTc3\nMzM2MDY5NDkzMjgxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARHoC3V\nY+lB97m1BGyKr/mIQiGxaXDi9kXcn2pSNVC3G0PMCDItZM4ttbPBMGzm/6M9kLpb\ndrfC8F3ROK0zFf5go3wwejAdBgNVHQ4EFgQU1OtD1gHVGNbZLeWxN6UzJsyXKN0w\nHwYDVR0jBBgwFoAU3SwOUXCUcG9fKk8ZtjlZyfzrigswCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIDQRrcEbOMibPHkxqb0Eww5Uazp6zYbiMkflviwcGNiEAiEA\nhiPkv7FpSsgPhrZzC4Uemifl45L3n2vhpTRnM2rfhBQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaKgAwIBAgIUdCb6nkp0nrJS4LJERuOxW6hfLSwwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjQ4NDU3NjY0MTczNTgyMzc1NjUwMzE1NzQ1NDAzNDA0NDc2\nODc0MDY0MTk1NjIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASgxTXk\n1pTGtWOIlz19OZqYJyUhzBkzRxV2oNhmVdvMbZmoDSkO7BvA9pWa79xpGPy9P81T\nclL0i3XQmLmG9s1Zo3wwejAdBgNVHQ4EFgQUp/MtuoqNCdMSSRv+hkLIZebXafAw\nHwYDVR0jBBgwFoAUnOrNwSlWO4SX44UPFV0HvbT04Z4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQDeltS15n7vSitq602vsxK7dulkXheQw/UZCPQ7PPmdkAIh\nALAGto692+gUbiVwXtUyLFC5mcn9K0fT5NOMYoMUq58B\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -207,10 +207,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVYxvx+D2CDbnTW1hB62vwe8sZTUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATISY0RSKLi1WpqGlPGScXl0FEIFxwv9Y0Zkpth\nkyLu/B5MeBqjSrt7UFDkWVo51+kJX908yYI4IFtwh6qCzKANo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA2wgKiT/VqRrdTOhx/XDBSGEPGIwCgYIKoZIzj0EAwIDRwAwRAIg\ndtZyNKkBm6XfWHSqRqFySKDpKQ3/Eo+dhZU1/DZw7loCID7vsJCYaVjDljmte/dC\n97P6c5jWfvDgZyPtP3GGUcQw\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdN4CfO5xhpG5N72V+nOq/LDOu5QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8CmFJBaph8DeievsvhsWH71Z2HEdo+7ElHYzA\nUMpzk2WcRWf0NSMpigyjNaE/WzriElw65xppfXYNSjZJ/45Qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeUfKZdy3ul0jJNSlpoyWiN4fIJgwCgYIKoZIzj0EAwIDSAAwRQIg\nRyI6PZh/B+RLfzCBLPjgMU7aia8RIH+kcaDkkmij2vcCIQDWvlyHw8WNH8dMuQCY\nER/I8YBgU4//+N+8CATp6Bg1vw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUEuHu3f1jsDXRy9nBElYldLh9ON0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPbzsc6L6IApSEfhq2j/uaAHCI0+21CDpwq/iuB4WEv7\n9KoHkY1zIKtx/gkcYAM8tWcm1/d6AizxbqiTHJ1W/uOjfDB6MB0GA1UdDgQWBBS8\n98ozy+RNI4N4qyqwTdl9FPCWWTAfBgNVHSMEGDAWgBQDbCAqJP9WpGt1M6HH9cMF\nIYQ8YjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgImnuqfc/fJcVfQEjOSfw\nCC4nP+06rHaoB3ZaP4k2bRACIQCT7YaRXue9oitYHUidKWNKYHBRjpKgSu3WKI4E\nEQMqaw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUIoNXV8DsknFuNcTyrKEeif57KOkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCGVUiaSG3ZbAPxqXCJsbKH957WJEl6tLnszXPJ0fD2R\n0TeaP6fukrR5vx6JicqXRgZVdDR2TslBRC4fJ0MPhLGjfDB6MB0GA1UdDgQWBBRp\n1IZ5RQCqWJIYmpa/TtcqVzbNWjAfBgNVHSMEGDAWgBR5R8pl3Le6XSMk1KWmjJaI\n3h8gmDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgP18k31LWCzRNTna48i9Q\nj9ZIRkxHpY46EVnhWHOYeBgCIFtLfkcx8xpElSGiJq+lfz8836clwmgmlnNcuSAM\n5JHj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -231,12 +231,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 0, there may not be any\nintermediates.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYRYKl24mTdtOgE9KMyhqB8OHFagwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARUaCyD49aQfu9hF12JUPR3h4eTzFUzeZLd6EKQ\nOppbqM+ZMoaJJ0KJUJJ6JbB1XI0Kmw1Vnd+WqjCQuin/WK5Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU195ceh+DEjL5O+1ySe2CpSPwTqcwCgYIKoZIzj0EAwIDSAAwRQIh\nANLwj8QxFIGpljTK/vy5kmZrMBCTGPGVeg4HYAd0lbHWAiBoFIKFzGbyDW3mmlL8\nulZauVzwC9BEZmfWFfLNspfdNg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUX1kXSatn0VxRwpl/vqoEHBvgxNkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIDzpq5cpV1iyagZpZxOslXMr6x45c/USU43S1\nPyfxMeAIjNV/O8jHOCKxahhkYK7sRt62UCooK3yY14KyIvVwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU02IGhPUxRXtgBuOAbGlr31bsMOUwCgYIKoZIzj0EAwIDSQAwRgIh\nAM0/EiiEiDUL4mNCkn6pc9Va9fvKWqY3LaUIPJygEQajAiEAp2o7Rpy2xszAF9jv\nGtDwHCXaxU0PiXSHzfxsiL9yH4w=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUYQEWyPv4BFhhPfHfQQ/A+LwZSOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA1NTQyNjM2NDM4MTYxOTA3OTYxNjE2\nNzAyODAxMzU0NTE3NDU3MzcwMzU0MjEwOTYxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABBx2PhsE4CixNVQHnE9QNLo5tbDZVbhPEZYwGVnk6QDRRUQdxQYviUD4Dse1\nuEpdsaqzcPaqbkKAA6PusaitRy6jeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNfeXHof\ngxIy+TvtckntgqUj8E6nMB0GA1UdDgQWBBS+9FTcbjOlMgIdiJ0Ai3aFErbyXDAK\nBggqhkjOPQQDAgNJADBGAiEAx1RlXSzVzA26B6l7YEpe89te5tsUwneD+Tb9RVqW\nd48CIQDSiDiksZA4wOeBfch3ruWSyEwjxtMxaJ+9fMNOhXD2JA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUcRYYN3ps8F3mMLuCNx2swXwKgbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA1NDQzNDA5MTgyMDE5NjAyMzYxNjk0\nNzc0MTA3OTk5MTc0MzE5NTY2NDY3MDg0NDExLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMGTI60DTYUqZMn2xJ13i5OuzTBm3TsjDccbFOlE9e+WNWNnJE2lo58QfvfY\nJ1nEYkji9pznfIsAbX15xy0jJ6KjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFNNiBoT1\nMUV7YAbjgGxpa99W7DDlMB0GA1UdDgQWBBQ+CHa5mq6WzXHyMt3Rsi33LoUMkTAK\nBggqhkjOPQQDAgNJADBGAiEAvQ6CLM1Zd3IgOArs7obJ2y2Qmt732thD/MAK43hM\n/toCIQCXySA4OjTq+60yTiqAmu9RjdeUMElvOejfnRtj3uPw2g==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIULwEkLGPDqeo9oJE0HGWXwLBkib0wCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTU0MjYzNjQzODE2MTkwNzk2MTYxNjcwMjgwMTM1NDUxNzQ1\nNzM3MDM1NDIxMDk2MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n676RZJDdgcM4g54bcOTHZT4kro2bUFxp6/WnKmQP0mHNICcScAaxmAK4rf9w/gwD\nVa+jVVqJIbV/XJjRr6YUVKN8MHowHQYDVR0OBBYEFGocqvjXbB7n/g2QdzYi4nW/\n7dJoMB8GA1UdIwQYMBaAFL70VNxuM6UyAh2InQCLdoUStvJcMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiA/Fsf3tZoulU4UD6no7moU071T2+wyiyS+jeAP15FH\nDgIgTilFusY/H7Ro0LS1mzmMRg7YQ0DSu8M7HDJF1nGFlkY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUTpwb/j8ZOyKDXiZit22Gt+VaJYgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTQ0MzQwOTE4MjAxOTYwMjM2MTY5NDc3NDEwNzk5OTE3NDMx\nOTU2NjQ2NzA4NDQxMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvNPJ6ylF+uWnDItbl0+YB3RIHLPviDg6PCXq+o6v6Q+daAfQ4Zxd+/w+93Pty/M/\n/FhIK1N+9z4aso1LxHnAWqN8MHowHQYDVR0OBBYEFLxhXCj4Wr1Re5agBkHVrh1e\nNpOEMB8GA1UdIwQYMBaAFD4IdrmarpbNcfIy3dGyLfcuhQyRMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiABp1qlLVqSFgheO7VSbxp/HCQgb6mmTrjcih5MEE3G\n5AIgU0xw+p+DMt5yezcdNbbQIxdmrTZpt8hGB0VP2NzxuhM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -257,12 +257,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUfRTxTIK0DOAdZk8x2bJyCa9kTTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQHMu0Eyf/GfHvZUHnqyCxv9X8C1D0FJCf5OE4a\npc5acGDjaamt7q8Cr6Qdjy7rpBkxANtuhTAjsBTnhpa3sWNao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZCVNP8H96+JzB3ia+Kk5DukTJhwwCgYIKoZIzj0EAwIDRwAwRAIg\nOoyo/2dsaGRiJAIPFkzhHtcTlBgclZ97oLh32q+5wI0CIDLiOrWs7LTg8JZIrquw\nKJqK2JWyQ/kfJJFOKbUsiP2B\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUYToDO6gaq3ExQJcPOY9rmcPoQmYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARlDKGjHtxonZ/rcmyS1KmpujF/MfvFk/M6MMsI\nws3HxlbirePwi7KjAJpD/eN1e5MLs1a5NtjfPmN14XjvQKImo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjkvpp/DHFINmyHXZB8RjmJmn3DYwCgYIKoZIzj0EAwIDSQAwRgIh\nANvdi3aCi5Sd1Ey+c9NzASRG/+nmxh8v2M3DKXk44cr7AiEAhOflsuTdG6JXg7Bi\nSI1w804+QGNjUf86snC71DZX+FY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUTCh2R1vRfPlG6L6I/5lZTvre6OQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA3MTQwOTA4ODEzNTMwNTQ1MDcyMzQ0\nMzY0ODc4MzcyODY5NTc0MjQ2MDIwMDg4ODkxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMb4AcTQM+yQ7Bjc/o41OIfahprHZn7ENdOHTfhpeQEHvLb+vIzpEtkl+uTz\nLW9YGX15TTGAma4PZ+9RLrOfXpejeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFGQlTT/B\n/evicwd4mvipOQ7pEyYcMB0GA1UdDgQWBBStRtuPepkN/+V23axxzh1trm4NMjAK\nBggqhkjOPQQDAgNJADBGAiEA1hlB8NOBw41WricIEE70cUO3uUKiN/glUq+9epsZ\nBvICIQCSOMhZSrt+lwKsZ/75nKeCkbsao+RBebJtc9MJSppl/Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUMaJRxokwrDEBD80eqTP6PQGgYsMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA1NTUwNjU4Mjk2MjgzOTM0MzM4Nzkx\nODg1MjI4MjI2MDEwNTcxODUwMTU4MDg2MTQxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABP+bKOvokIOLcN+E/JyiILUEyC6D2gxNOaQT+XcTsduu/OuIYBNKV5hFy1J4\nHjchiTIbIgHMPyfLyGWMS3l4W/2jeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFI5L6afw\nxxSDZsh12QfEY5iZp9w2MB0GA1UdDgQWBBQEJJAT1XQfrBMH7aaveExOBb9ZZzAK\nBggqhkjOPQQDAgNIADBFAiEAomWHzW32xbPWG4gVQjQfGkO9qKtz+L2mc+4xoU9b\n4P8CIENfJ31z4KsdtTPuYw4xjAE1UeXejN4HaIdWiEnReBGi\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUa0ceBxi5wjpl+fFl5k/Y3oGezBowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNzE0MDkwODgxMzUzMDU0NTA3MjM0NDM2NDg3ODM3Mjg2OTU3\nNDI0NjAyMDA4ODg5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nGJryd1i0AMb3mVrEHQ1wnNdFFQkyvKFf/Izt1VjcE2m2YKEktIaf7bXU85R7UcCj\nDIaw7KngGMUIdhT3R6c4+qN8MHowHQYDVR0OBBYEFMFy6MRhHpzL6gLvSnrs6H3+\nNuM/MB8GA1UdIwQYMBaAFK1G2496mQ3/5XbdrHHOHW2ubg0yMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAhrxU9ghssoin5AAMNTW9T42OFucCVTOKyFGSINJY\nJUoCIQDuGfIcAMrh42Y/lH24WHTBcAA1y/3Q7e/jRQKGdvknqw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIULRTGvKAaJ2dYn9rVzcf4pwKOswwwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTU1MDY1ODI5NjI4MzkzNDMzODc5MTg4NTIyODIyNjAxMDU3\nMTg1MDE1ODA4NjE0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nOHfhG1OABTYnZOTu62YMmeWL4cOW3qmqMAzIzNFHzOPhDnWVYY0S3+PzNemnT/nl\nVdRejaQjv3JwkdUdNmxxs6N8MHowHQYDVR0OBBYEFFgmF7VPuoYT+At4ZbwIcEjw\nJ0X5MB8GA1UdIwQYMBaAFAQkkBPVdB+sEwftpq94TE4Fv1lnMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiB5pG25TTLoW7XBZdlItFM5dV1DIzdl22YA9VEpue8E\n1AIhAOEMA6CPJuXvTB8H+7IHXqEwKQB1QMzDkKFG0S3NxwHl\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -283,13 +283,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA' -> ICA'' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKGyESYMoe2ejmIJf72gpO/bYpCcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyVHml1hFWFT5Gd6BkEO9QL5085T3dU8GOBFXo\nneh+1/tH+Sv2CDgXZZnMPN4toNXHZ+s6Bxu+LFobUlWdl2pRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVmc+TWjjhEhz2oDVu5lxanWGlLYwCgYIKoZIzj0EAwIDSAAwRQIg\nOasCPEObzd8sUbjT6QkzaSLVw7ztC2i6naz5zrF+2l8CIQCFBMVb5qyDNUnamZRs\nWSbQ5/ATn3pHFa/6gw6zdS0FVQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUL8Nqcj5Ln8lQolV5hYL/fczJvZ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqDGE14t/R+py2Vc0iSIOKnVkLmyr2qFvd3Nyu\nyxGNiG6mS0OLNOdhfzjlvBLco4tvHpX72lEZnRIpho7DZ6i+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU8FVffhvtK45HZFmFymMHv5EqeXswCgYIKoZIzj0EAwIDSQAwRgIh\nAO4OzeK+vYFe4P7PXVco5kWPwFEYTxD9Z5/5FjbYxzh7AiEA4p7Yu9n9+lQUdKIB\nwklqYueKT4EIYfTXJzv/e7aZrOM=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIULpShqvhEPqkFP3E4KGi1opCQTkMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMzA3Nzk2MzUxNTEwODk3MjgxMTkz\nNTQ1ODk0NDk0Njk5OTc2OTQzMzkwMzIxMDMxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABDM7huN1oEbQNKgkXOldaawRjNr9/vtk68qOsjbCFU+T40r7y/xhKsYfgqAS\nI+oUGegyJW1bAxh3hpURXhV3GtejeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFZnPk1o\n44RIc9qA1buZcWp1hpS2MB0GA1UdDgQWBBQhYSNBkK+uubvjTzjBc1UJ6LL4pTAK\nBggqhkjOPQQDAgNIADBFAiA/UdMXOj0AoEdT1dXGW9oa4phH25vqARz8k2afQt+C\nvgIhAL5wmwCRPIcjWhWELM73Dag0kjRZdt3qBuLpkJKXooMZ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTzCCAfagAwIBAgIUI0w5MUt+I0pVpsT85pJpm9+8XNUwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjMwNzc5NjM1MTUxMDg5NzI4MTE5MzU0NTg5NDQ5NDY5OTk3\nNjk0MzM5MDMyMTAzMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDI2NTkyODE2OTAwMzMxOTQzMDM0MDUzOTMxODAxNjc3MDI1Mjc0\nMzExMzcyMzQ1OTEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsHEk0toc9JsaDsT2\n1S7rWf/NKKA3KSCoAeMZezGZ/hhFV2PeJ48Cf2DQMKE+OrWa4R2LXmRCRPGF+x/T\n5w8xnqN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUIWEjQZCvrrm74084wXNVCeiy+KUw\nHQYDVR0OBBYEFOTraVbOGscVM5PkigjiDVUy32LDMAoGCCqGSM49BAMCA0cAMEQC\nIE4T+7t3+2zO3/v3ni9VOb5ci8LIBFrS0o2X8ApoWYaTAiBlCiN1QxgvA0Qo7bej\nxXOtm+UmtnoW9cHD1YxeZz30lQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUNiCSAetLzFq4zJW0Hv0T7cfUpfQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyNzI2ODA0ODQzMTk3MzczMjM1ODA2\nODQxOTY4NjM5NDE5MDU2Mjc1MTg0NTExMDIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABExCLdyOxRjsJCE7rSkjQa2CziDcqmoUlv4TmswfGkwX+HwFluuXaEgjr+9A\n7vemjLmLos8M3sDCvWOvU9fILjajeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPBVX34b\n7SuOR2RZhcpjB7+RKnl7MB0GA1UdDgQWBBRkJSO9usjhvP1wSNyT8m6tcTqeyDAK\nBggqhkjOPQQDAgNJADBGAiEAwiBcpIUFcQNHcn/xAdO3Oi+ECyWByM9eI68gFblv\nZjECIQCB89wKMDl1LBj/p2e8sR+ax8zzCp30Nk3q+pHqo7wAAQ==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTzCCAfagAwIBAgIUH0dPyj7Y1UWmVbZd/PJPsPmyP9wwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjcyNjgwNDg0MzE5NzM3MzIzNTgwNjg0MTk2ODYzOTQxOTA1\nNjI3NTE4NDUxMTAyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDMwOTAxMTg0NDUxNzYzMDg2NDIzOTE5OTQ2NTk5NzE5MDcxMDAy\nMDE3NjkxMzkwODEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAe6bybHhXCtO0pzq\n+LOKKRWb7PmAmdL0OhWzrc+AWrjPoYofpq8SCRDVIEX6JIcDztuIqTlg0nWfqqOK\ncTNdDqN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUZCUjvbrI4bz9cEjck/JurXE6nsgw\nHQYDVR0OBBYEFAc6BuVy1IC785z2H8fkcGvsxtOuMAoGCCqGSM49BAMCA0cAMEQC\nIF55cebzzE4MthOCxAQfu83aA0d2C7MH/sXtgEMSc5odAiBkSssVFeq+hoB64E1D\nPI+aE3qxOjXQz7W+woMNDK+AqQ==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUegUqWOyrLolHgXSS9kphoQjQJUMwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjY1OTI4MTY5MDAzMzE5NDMwMzQwNTM5MzE4MDE2NzcwMjUy\nNzQzMTEzNzIzNDU5MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n9KnZFvk+j/npKKVC9dew0wD1+pGm0PTI0N1M5DHP5O/l3ABdP/5H+dWCl+joeFnp\nKWYtMGhegXbC/8DxpcQ03qN8MHowHQYDVR0OBBYEFKlkJAESMGhCmrTp3JCBMmnq\nY1ijMB8GA1UdIwQYMBaAFOTraVbOGscVM5PkigjiDVUy32LDMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAVxNwrDvPt9GpBm+0BKEc6mBBtJRt882JY/sKP8pqu\n1wIgMTtDwjTfMpYc6M4brIZ4tWjpPRDY9Du9eNMQuxCF2TU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUOSyY4ZMqPKEwCrcyYpZWtW3kLLMwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzA5MDExODQ0NTE3NjMwODY0MjM5MTk5NDY1OTk3MTkwNzEw\nMDIwMTc2OTEzOTA4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\natXmRyTJMKuKwoFas87nQzM0y8LlkTv8XvTlWZGnhl8C2V8kvcqNe10JHvAk1fY5\nXNJ9WEZwwU803Zz90bbOtKN8MHowHQYDVR0OBBYEFFZGUT/3gawblJcwXon45JKA\nYWXDMB8GA1UdIwQYMBaAFAc6BuVy1IC785z2H8fkcGvsxtOuMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiA9wBegs3J2RFMFxNa8rZyOXGdtyYUKl9pBWp5a7Sre\ntQIgaeCQemudRMfPcRi6waYXipKfmt56xxd5MKqnqVqwcd8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -310,13 +310,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' -> ICA' -> leaf\n```\n\nWhen validating with a maximum chain depth of 1, there may only be one\nlogical intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTBsdsDOt4uoc6dUlnK0KASMt7/8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT6U/sDEi+HUX84Ig0U7oCC5fTfQXsOq8UphXeA\nLfRxwITDIeubrVD6F8GTt1ZlJfEIaOIkj4SyBCkMErZvN4K9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUg5ODfMqtnCf4RkbwVRZ7v7di1zwwCgYIKoZIzj0EAwIDSQAwRgIh\nAJaMVv8YKX/xOSsKkh1v4PYcqlf57/RgaUByKQkPW/jcAiEA1ilw5/yNTwwGhXoB\nIsqpx4c0gJZAO/z58kKCfbROnrs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCuNkHRrqnectjIOU5a6BDOxQVAAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATuJ4rO8AElbiaj68KGq6GCQSFZ0nPmdViFCBwQ\nqoAjaH4gLqLwJDETBzpmkbTfx2QifXFWR/XqAhouY7+zjWACo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUutKj7AH0kxxJGgyioThX2FdjO/gwCgYIKoZIzj0EAwIDSAAwRQIh\nAK+Gk3XYUSvEGYb1YFQc8VkcsoxbJICkv4VbIl26m/8vAiAa0a9CFztI4mUZ69Kw\n+ZsPwXfac7/oDk4ct6ZI+oVAUA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUcjtr8TZ/gZy7f8EI8i1FN47A4FMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA0MzQ0ODgwMDQ5MTc2NTQyMjczMTMz\nMjg2NzU2MTUwNzMxOTY4OTEzMjQ2NzQwNDcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABL8VHNIaAd4/LPW4vhN9t5LRGWRXvcTKQ41O2y9y/k/zJzBCWWRepkdGVqGj\nBzmyCtCNdjwsatqRu1ORXpDA9I6jeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIOTg3zK\nrZwn+EZG8FUWe7+3Ytc8MB0GA1UdDgQWBBTUZPx7QypP8WsUI+fpWJIMl7hoYjAK\nBggqhkjOPQQDAgNJADBGAiEAh1mzzaj71ThCziKxcvrTl4RJPdU5LCQO41rv4WTt\nj0wCIQC30FRzJ2Nsl/zyH8LAy18AoTHEqBwlDLCnY5EkxwYizA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICUDCCAfagAwIBAgIUbOtH3qpn1+S2sAUmfblpEfFAD/MwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDM0NDg4MDA0OTE3NjU0MjI3MzEzMzI4Njc1NjE1MDczMTk2\nODkxMzI0Njc0MDQ3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMGox\nOTA3BgNVBAsMMDQzNDQ4ODAwNDkxNzY1NDIyNzMxMzMyODY3NTYxNTA3MzE5Njg5\nMTMyNDY3NDA0NzEtMCsGA1UEAwwkeDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0\naGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5WQaEjxo3KD/Gni7\n6DTHzHAOyZx7zle2cO6sTbBi/HhR49jj6inV8ivQoR+cmyIjhy4JDJIrA6j/pErR\nR5NemKN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU1GT8e0MqT/FrFCPn6ViSDJe4aGIw\nHQYDVR0OBBYEFByI8OdDb4AJtFIpIfUWlH85qmVPMAoGCCqGSM49BAMCA0gAMEUC\nIBrDUzDoKdzbvORAhNNyPZLFMnoSKvBfplJw+QJaunvlAiEAmK2UGNSsq7+INIXZ\nryUMtpMQR+4rN+0aOKb6/YfY/nU=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUNu4VBKAY/PqI3P1xnXodc5t5SlcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBpMTgwNgYDVQQLDC82MjE2MDg5ODAwMDg2NDc5MTQzNjc1\nNTEyMjU1NDk2Mjc3ODQyMjgzNzc5Mzc5MjEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAE9WxR5zbRbbZK37Zx7JU78/SSCs+spXNCoGYXzmDzpyRHKm18UlC4TEMCg/YM\ng6CWOYaNSqRY+zWhaHH3tk5ViqN4MHYwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUutKj7AH0\nkxxJGgyioThX2FdjO/gwHQYDVR0OBBYEFCGt3o/jRuTGecj/t/jBXSNxIrnSMAoG\nCCqGSM49BAMCA0cAMEQCIARkFnyr8cAFJFURZ0xMDx5BrCXy0hxNpGdDqdhE5RjY\nAiBj6ivjMw18wjurcZLfX946TFXN4Bfs3egiz6O788TE8Q==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTzCCAfSgAwIBAgIUH0QKLzMY3+3hSGZZKeKXbW73yGcwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNjIxNjA4OTgwMDA4NjQ3OTE0MzY3NTUxMjI1NTQ5NjI3Nzg0\nMjI4Mzc3OTM3OTIxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowaTE4\nMDYGA1UECwwvNjIxNjA4OTgwMDA4NjQ3OTE0MzY3NTUxMjI1NTQ5NjI3Nzg0MjI4\nMzc3OTM3OTIxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBhdGhs\nZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHJySi2y00r2FuWugTn8\nGWvsby+NY2TXpVm5lxAusWn5TDCCG1M8u1DB/oiczVPv+alIDLxxwvwPmWE1YaHG\nH8SjeDB2MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2C\nC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFCGt3o/jRuTGecj/t/jBXSNxIrnSMB0G\nA1UdDgQWBBSJWRs4TCU9rnGwH0ij4jjiNrqnVzAKBggqhkjOPQQDAgNJADBGAiEA\nkA9HaQbyUFOazGRILisluHOMAykJqMO03WmzX5u+IxACIQCH2o3h1U/AP51iSc9s\n88ExD3Tpb1ah96KZTRFll0t2tw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIULZ+NVFbo1fsihiPTsnRFTBoOYm4wCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDM0NDg4MDA0OTE3NjU0MjI3MzEzMzI4Njc1NjE1MDczMTk2\nODkxMzI0Njc0MDQ3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nHDgNodQtRDI6/jntyLmNcepNCwmXh+KfKZUFOtMR1ki6dTmysyg0WZUGjH9uKI2u\nRhTrupR3CoVE5izbKt3nqqN8MHowHQYDVR0OBBYEFBqo5uZR5piR+OX4Pk1DUkbU\naIkmMB8GA1UdIwQYMBaAFByI8OdDb4AJtFIpIfUWlH85qmVPMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAhCkkEVJ4Y+hKzr+dCLVkKoDZqkAFoI7JkO3ks/Wu\ngN0CIQDB0Iyz5AOfoNHxlVg7HYLnZc80NnX1XpVlaytZ2ZNGww==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaWgAwIBAgIUaPFatJ9PZ2v63/Z0hQDr/HP6gcAwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvNjIxNjA4OTgwMDA4NjQ3OTE0MzY3NTUxMjI1NTQ5NjI3Nzg0\nMjI4Mzc3OTM3OTIxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx\nw6RqWap/Eu2NHbh86yHBaOCWYOG34kMLMLPShKsrBGX9KPfm9G3LVkdiSsoye4cZ\nWDUovbgRy5wa1N0JVXh7o3wwejAdBgNVHQ4EFgQU9OM6HSsOHmL6CxiVU3sfVkmJ\n0YowHwYDVR0jBBgwFoAUiVkbOEwlPa5xsB9Io+I44ja6p1cwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0kAMEYCIQCQqx2fgmDi/WSJMgK4Bz/nVcyfN7wQoMtgu/K7+gJa\nGQIhANYQjZKVmNan0Lsj3GTXTe2QrjBJqGgzvldvxqebcCYY\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -335,13 +335,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJwJ6V9OZA+OAIArK3Q42CMtP1jgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJu1/uSfqIJOr+XX1klR2ghEY963hAyG/ZueJv\n4MGerngRqKspmc+VQcCoGbN6wq28Dnod0xOKQ3FXvfs5LcwKo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjjb2kdop2H1OyQU791S4WqFeumkwCgYIKoZIzj0EAwIDSAAwRQIg\nVl74+ElyylggiNh0vo7gtOhlF8P5r1zMp8/nJkqIiwwCIQCJlFIIG2Kkn+3xJRGf\n+bscdTEkrBwYGjWxExRy2DrDqw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUTlF9Iew2Bg7VFWehyhVmMUMBpEkwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDAwMDAxWhgP\nMjk2OTA1MDMwMDAwMDFaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu813wwQtm9Ma7mQTzkrBAOVH8yFIKmoh\nMb9lpIclqmORrOnYbzqeejLDEUJpjowRq7pJwLAnRPOBOr68ZXIu2qNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFDQLOFKAlGouEBb4jS0+vHn76ZPzMAoGCCqGSM49BAMCA0gA\nMEUCIQCCsUEjnfU0LjneeT2eWbXjabxWeigJh9se5V3FPV7UhgIgOPgBsp2RHNtV\nZ63vvvaoFcz3Bq32CTXvov1BBaaqgqE=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPfm6yDWzT9iALMU5b4Rd8mGtdcAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvwqKT3Bje2zKi51ZgeQjHEo3In3KIlF96MwUE\nSCygh4lQU67qRszEDEankHA77jTefkQb0qCU0Scd+Lxt172Io1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOhzm2Syr8dBA2UlX83LSxlDoopgwCgYIKoZIzj0EAwIDSAAwRQIh\nAJcTwMFi7eMLaSWWdA9/7Kx4xb2YQgQO0olg0FlvjWMmAiBWd4hTub8b2UmjEgzM\nlk/PtFTcStkjdyZZljuQ6tuaqQ==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUNno9ai87XXIqMGkiTwzu/cLRCcgwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNzAwMTAxMDAwMDAxWhgP\nMjk2OTA1MDMwMDAwMDFaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGTAPBO2xd+tMIWYMnp6OgpMBDrM0cyer\nV2IbEROaP6ibZ5TD3iAHGkXykU5NI4RCVOZxsW/x0b80bVV3Sffdy6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFCi503JPttnvANT8xE/iaFgyjtqxMAoGCCqGSM49BAMCA0gA\nMEUCIQDLiexkSS3EiSTvU1XUdkkKPvq2dGdSXzboVXGKEJp97QIgVnl8zSbbIhGL\nAITJ5Kk5yCCjUiT9fuwpBLleHl0N8dc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUCzuo9K+JxEj3mg/StTaxBenheaowCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDAwMDAxWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJu1/uSfqIJOr+XX1klR2ghEY963hAyG/ZueJv\n4MGerngRqKspmc+VQcCoGbN6wq28Dnod0xOKQ3FXvfs5LcwKo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ0CzhSgJRqLhAW+I0tPrx5++mT8zAdBgNVHQ4EFgQUjjb2\nkdop2H1OyQU791S4WqFeumkwCgYIKoZIzj0EAwIDSQAwRgIhAI+8FSTi8/Lf/IyV\nf2otng7yJQoSsqVsQ6cBbUvZH0ONAiEA8clFvbgVKaiTcTrbtlH+CeDW9iJB7SnY\nTOsTvgvshn0=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSo1ZiJn27+AUuV73BDLg45SzSRMwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNzAwMTAxMDAwMDAxWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvwqKT3Bje2zKi51ZgeQjHEo3In3KIlF96MwUE\nSCygh4lQU67qRszEDEankHA77jTefkQb0qCU0Scd+Lxt172Io3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQoudNyT7bZ7wDU/MRP4mhYMo7asTAdBgNVHQ4EFgQUOhzm\n2Syr8dBA2UlX83LSxlDoopgwCgYIKoZIzj0EAwIDSAAwRQIhAM7akZJDnr5FiL4N\nNCS7374y6TXavAfaqcb6AViuv+n7AiBYPS8Suz+10cQjcOM/Jhv0gg8Y1VB9vZtB\n2tfwaO13hA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUJOQAEbN6A5BBEFcfTTU6wzG+eVcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAjhyLM72mlCmH/7rsVQide4/PQ8EL/jiWXWhL5k+kX2\nIlphqam206Bh9FfxvCcfP41gYBZwKs8EGUWyKYrl/NOjfDB6MB0GA1UdDgQWBBTd\naZeR0uRsmsHQeDqxzKuctGMZhzAfBgNVHSMEGDAWgBSONvaR2inYfU7JBTv3VLha\noV66aTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdNS6/Sj+LEKjjydQHPQF\nkiHBikGuYfazgL+zto9jUMECIQDIuxgBzhv9LqDX8MgClmY17/e6uvLljyLQGdSO\nrClspA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIULwOjttgASHQCsrxtduFkj0kMXTUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLzXWq/n2DspHtLyemEwletk1f27qu0LNnQpR+WGRBWm\npYhe+FylFquEkL84CW4i/NHSFLUe3u6ZRVmB3J85+FijfDB6MB0GA1UdDgQWBBTf\nyq2I3KvUF4xkMwnHCBxj/PEWkzAfBgNVHSMEGDAWgBQ6HObZLKvx0EDZSVfzctLG\nUOiimDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgBiiygvlXFHfQDcYirfRf\neO4J96KKpgn3qgcrZax8xh8CIQCfPa13uZbtblN0d0eCd2i3Va83NC+xVYy6bclg\n+Hfyzw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -360,13 +360,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -/-> (ICA' <-> ICA'') -> EE\n```\n\n`ICA'` and `ICA''` are separate logical CAs that sign for each other.\nNeither chains up to the root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUJsCGM28U6kJ0fYttSOToookTCZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATlwSIDP2dqLrnJ5FSX9Tca4PWRQLTWuGLIK4QI\nRqs/5wr5vXlfwboEZdpGeF8VZUDTKfMWYzkkXEEbJiLGYxrgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2MzYWe+L1rIvtpJiD8lcFzzS+oYwCgYIKoZIzj0EAwIDSAAwRQIh\nAMFv7oxjRaL91No5CTzUp40ul9SLnEECusULKSGAN+hUAiBux5exs7LNCtePX0Zh\nsILhrWvwLvNgIVXX7TxatXzx2A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUb+/zYrTckNFAaRa+ytD9GeRbiRcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4xRvYo6nCh+Rk4MREFSa7Aa9HSuuVXrfS7FsI\nCH8DBZz6F/TZb7TokzZ+7vASIoTAvxqYmPIQKt7LGniplBkPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUT4hS45U/YcRh4k8TdJsjySbCDSUwCgYIKoZIzj0EAwIDRwAwRAIg\nbKRzWHo5nG/XP2ywpGl0ybPDYnBmYOqta5ybLVQomXUCIGYt8MTwS+GvwcO9j6gB\nt59I+CIu0PdVKJ1Fi1iqsAMH\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUU0amxat9Fe+7m6sVgdSTDL6pI+kwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGU96qdgoNgDFpBjinyg558vRc7/kOnqHsZO1KjpuQKI8Eib6QWR0+gYdlsX\nTBRkM5F0V+Zv99zdrSfyIkHSzxWjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFB3ciXEUMKswvYG7dXSyVd33nP7gMB0GA1UdDgQW\nBBTXpo9T0pYjoUYx0zBWfsOHF5p2yzAKBggqhkjOPQQDAgNIADBFAiEA6UKPb4Ut\n2ixRHwc6jXAF+lv48bSNVPScn+4Bvs2unvQCIEZ3TLLG1/aqd9+FYJmiGBDbt/Gr\n1HcJ7IjP63EM2mm+\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIUY4g1G4jNjIJyCiObOUJ5+qLAd0EwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABLXhoHGRJHl7rpBvpFfOVFz08Jf3Av7D7RwqN3ms4MRyfSIzN/1QTOuuJZrQ\nAIUh1tvHtjmsLPdHbFDWCzSEsFyjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFNemj1PSliOhRjHTMFZ+w4cXmnbLMB0GA1UdDgQW\nBBQd3IlxFDCrML2Bu3V0slXd95z+4DAKBggqhkjOPQQDAgNJADBGAiEAqGKbthPi\nnyh2g5+jc2J8AuIPRO+ilRn4R40hlkAwUtwCIQDXfcvf57Hs/37Vuuy0MHPfIa3T\nIymzZMJlKhhrkDwPyA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUWo9TmORg+yVb5+1GK2L4svwtbCwwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOGttcgmEaJOGUFy9J53nHUyax/NxT/0ZpI2yDeEVaIkLVXJG9/2clTGbP0T\nnnMNsX4kwO9Q5YXWn7C4Kq3WuFOjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFMYhL14/DGxQE8oCI2ISWQ62fWc7MB0GA1UdDgQW\nBBTiblo+oQK9loQt78f7SmJ+B1gJJDAKBggqhkjOPQQDAgNIADBFAiEA1W88lJ3J\nOkKaqL3cGICPqdWP7tooMFxfOqow4I7PyYsCIBHXJPRIpexy/CZspVEfQm3oHY8u\ntUvyu/X+zibLHREN\n-----END 
CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIUNsSu+P4W5FMkg4CO94u+cjG+KEowCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABKkn8E6LAZSs2Ts6TxRc2L70uNrbjP6V+PRszNDHQ03cLN9WW5NV4ZSgf38/\nxSQbqR7Uhiy1VDRULsxL0xLaVcOjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFOJuWj6hAr2WhC3vx/tKYn4HWAkkMB0GA1UdDgQW\nBBTGIS9ePwxsUBPKAiNiElkOtn1nOzAKBggqhkjOPQQDAgNJADBGAiEAhCuycAWq\nX6gfTpeBs+SM6uPX0w8a89pk2g9F4dty7KUCIQCvuc5nIvevxgFj9zHP4S9p8wds\n6Qc3I8AGhDwUWE0MDw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIUPKpGAiIPRIDfzTsz4psMDfC2G58wCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBs\nZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASyNvJvsr2Zt4u+FbiTdF5U\nr3gX+2ea+ZY8dBcwigbFXOZp+jFqo/EEe4kfmPcOgAseE2b3pG9fe22EX5an+vxE\no3wwejAdBgNVHQ4EFgQU3a0RDdEX0+vPHd4NEwbOyUHdxBwwHwYDVR0jBBgwFoAU\n16aPU9KWI6FGMdMwVn7DhxeadsswCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIG0HR6FJKBLk3ydcTRhJFwLaUJviRC42Z2oiavTJ3oRsAiAOQPyIXhN2hNk150vD\n7j5p1hD3jaGCK04zpYI94zpwdg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIUELyZNtK7s/2aMTZMi5f7bpngkyswCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBs\nZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATzqkCSin5rPdvbTPehIve9\nIjzR9X1y+aj2Hev/xmhmfBL9bzD3dgZ9Tpm1YdiuEDb5oZRyd0R1C4HuXzRtHzwB\no3wwejAdBgNVHQ4EFgQULU7HGJaCdgK/n9vgq+m77Xl6D2wwHwYDVR0jBBgwFoAU\n4m5aPqECvZaELe/H+0pifgdYCSQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIG9zvENXoZliyKi/Wh8w2Ec7yPKeAcsvOf7jtGVeNYVIAiADnPybmpfpgwcSLcts\nppvmTrzMXbYYkN8yWzgAv+YCrg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -385,13 +385,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -/-> (ICA' <-> ICA'') -> EE\n```\n\n`ICA'` and `ICA''` are separate logical CAs that sign for each other.\nNeither chains up to the root.\n\nThis testcase is identical to `intermediate-cycle-distinct-cas`, except\nthat it specifies a large explicit max depth.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVuBF1cr1PToOHfQNLBlG7KkrnH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnjvg74gStHsLgE1cp3BN+OMF7eHHaHQtHd3gI\n8iHYtzMDsuqNg6t8g0i4YOhfbmakXB1zTnAlIAFXONVgtVkio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4e7BdJGrTystWpoLBh22wzsOM2MwCgYIKoZIzj0EAwIDRwAwRAIg\nc+CpPC/3PQrvkZbWjVRS+MxGRBo+BcAVfTEf40tN+RQCIGwIn8Ju625B5bBWQx6s\n/uGatuIOdpeZI996hQ0iCkIa\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUILYhQUI7L3O5iBIbPaHyK4KsxjswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQPbwnqnB1oWLZhJV7ihSi2OxmkkcH3Y5+kz6GJ\nWrtyV+1xD/timNjcx1smFoTpsTRm84n+Zhb2m+DX0K1T8pGRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfqpxfYCQNMrHEFFGvgD27nevXgwwCgYIKoZIzj0EAwIDSAAwRQIh\nAKDcj3pvvGfa03wgslVoXWO/9oZP5LuhVYiKZ7QZf16RAiB2jVsOdmt9DO8XLtT9\neACCIZf/YohEUPaC3Px0/bbhRw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUKe7jBEOjhkB4HNuiXjwcfzvBdLMwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABPkLsyBlx4PnTevVRe+Qayi4wC6llDTjJaZDeCtA0+TgLEokuhOfRUTJA2U2\n+P3E1HHFVsQmNgjX24x1GIQ3R12jYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFPQPV50zWLzwK01pDUmzoXOwSZD/MB0GA1UdDgQW\nBBRSyJ6nTsFkcO1wf1Uaue/+zoDsjjAKBggqhkjOPQQDAgNHADBEAiBnWJnEgmV2\nJxpfrdKlEJBvQnNYwJfPF093QV55VM/sGgIgHz7ryjBkdeiccsSkZ4TDFtMRfeok\nxUuacVq7fSdfGOM=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUfzrYrW/MNloamuPABwskKmfsrIMwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABE/16M4ysl6I3Dp5Zo/cewP+YEDYzoWEnEosTBJ0B6YbqKA6PiZTLz8AgQ10\nOHo38wzxh1jGPFue9enTI639zPmjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFFLInqdOwWRw7XB/VRq57/7OgOyOMB0GA1UdDgQW\nBBT0D1edM1i88CtNaQ1Js6FzsEmQ/zAKBggqhkjOPQQDAgNHADBEAiBLKFaTxeOj\nP6KjhKq8Qm82LuZ4/e/hC/VxGCwzIp0I2wIgC2I4TfZrDihfNuZxyPFNWbLM9ad+\nV9JCihzfEo3NoDg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV6gAwIBAgIUKagJJxFFRyX/r6ssN8B/sb9ZP+MwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABG5rqySozHVPVBJxz6JA625GHpK7m6Qf+ZW5DxkwLWadHmVcauM7YkcRhKbN\n38qJYA5/7MoQ6bEyfO/tzMOUXoijYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFMz/q6XrPUVXLymRNltCVE72uRl9MB0GA1UdDgQW\nBBQeA6cVHpeJ0FFIkccWYXs+AXiCaDAKBggqhkjOPQQDAgNJADBGAiEAvkfRaa9L\nB31zUWa1zCb3jkptOFAQgRjhOmM9sbzQUF4CIQD7V/dP/L3fqvs+QCh3EfF/oEyD\nFkOsOMIxYrd1sv5P2Q==\n-----END 
CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUC9sy7JkSIds/Qu0T7wjFv/xkqSIwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowKjEoMCYGA1UEAwwfaW50ZXJt\nZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABHGmpfq3zuzw/K5hOraxN2N8d/LtkOVodghJS7FahGp70H45MXtx+6x300dE\nby+qv/GTan6Ybj9kJaCFvn7TOr+jYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMB8GA1UdIwQYMBaAFB4DpxUel4nQUUiRxxZhez4BeIJoMB0GA1UdDgQW\nBBTM/6ul6z1FVy8pkTZbQlRO9rkZfTAKBggqhkjOPQQDAgNIADBFAiA3J5gLJrrn\nWR9E17SPQ323Om4ONuol8Vk2INaoI/dTJAIhAJuCLdyrx9hgADcVnz8Yt7WcA8x4\n6ZuhWnLvALRI5+Hl\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUMQI5gs5E+3LAbEaJ9cXdNwKHPukwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBs\nZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4+b9j1SofuOCAPN0JDhoU\n8PqE+16MWfErrTst/guAqpjCKSb9EGwR7rIPfJQDj5sCMFR6oYJuFKBJ0GF/Va8V\no3wwejAdBgNVHQ4EFgQUkDxnDaZDOT8oUkfz66DqC/BgCDowHwYDVR0jBBgwFoAU\nUsiep07BZHDtcH9VGrnv/s6A7I4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIDvJZkMpmZ1CR8QGrjTlN9Pw60gYVw3Ki39pqw2ljkcAAiEAh1likm0mTxwKlR2w\n6RwfyW5yqpArCbwSqlJdcMgzeaE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIULa4UUZm6lhL+3l4g/cuosH1BkBMwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAwwfaW50ZXJtZWRpYXRlLWN5Y2xlLWRpc3RpbmN0LWNhMTAgFw03\nMDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBs\nZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsf2sHu/DdtBmC6YivJsPa\nog0crHpLYvjM+xlth7OuKZtXYrk+j+EQUqQ9NyZAa7qucNY20SeRMAqlSvoHxomY\no3wwejAdBgNVHQ4EFgQU+Yqvrduz02rACFGQFTFWVSjGf1YwHwYDVR0jBBgwFoAU\nHgOnFR6XidBRSJHHFmF7PgF4gmgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIBFrjITXF/KDOA6MM7I2lvrUipgsd6YE8PTE8gx4ULIxAiB4UWyPRg9PpvxzfWuX\nUkkE+a+RbxZgACYbkZMZdZL1Dg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -410,13 +410,127 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -/-> (ICA <-> ICA) -> EE\n```\n\nThe two ICA certificates are from the same logical CA (same subject),\nbut have different keys and sign for each other, forming a cycle.\nNeither chains up to the root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFFNyyiRXUGZ+Hl3pYxaZknruA5swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQkSCeGp0RJPfrtz6QBHhGYKkZriFohwPAqRK/h\n8KExxgRT6rGwXCYlbB1aKG2k/oz7+NRuU3B/5Kun9eYaQCc6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUS9RHVOSUHA80EXx931OQD6ArsOYwCgYIKoZIzj0EAwIDSQAwRgIh\nANENErBMA+dM5OKVsLfADy9Ykl9IFyd2wKiKBNLHuDdCAiEA/ZEE38DtHQxbgpQj\ntPYjz2drC6OkgSxYtQt6LuDyt0g=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDyvpnjkrKkgtPWAgEabyCCjoCGkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARr6yWPdo40prgHKLHKhyqU246Dm87ilGqsVtQY\ny59pGABvVUCB2VTWxIjAo6sZ02AA1dFXUUG/WROcbbIQm3Rco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9nGascYZ6BJ+RmzIiRuN0Va38SIwCgYIKoZIzj0EAwIDSAAwRQIh\nAIXwh7ka9veGMyNkHcRG4SCnUCooyXTqVZ6YoH7WSTiMAiAslizckp0V+c7imUxV\n3l/cyPB06uiZBDV7cUpvnWYA6Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUBqQzv5GK0S3DqTvGM9inKr+7E5EwCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowLTErMCkGA1UEAwwiaW50\nZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABPJ9w8SbIyxg7gOzXCV7Ckgqp2NCkYgtTU/bnN59RhfoijrsoVKu\nL/yRrJ5xg5kqimSlsJeJHO/obJHcfjULLNSjUzBRMA8GA1UdEwEB/wQFMAMBAf8w\nHwYDVR0jBBgwFoAUt23LhyVdH3NOGwdb3Y6b0njOgVcwHQYDVR0OBBYEFPVH2h8A\n2EzusNfWJiqRG6/RWcD0MAoGCCqGSM49BAMCA0gAMEUCIEGBqW4oZGyMYRdoHY9F\npF7dXs517tOUX1jBoXM5JjB0AiEA8+kYrqWkyNj7dSeqX2jl1fIpMQ5GwzDolJIK\nEOuKhmc=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVegAwIBAgIUOHGASOtjW8SRdzi6MBKLEodWd64wCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowLTErMCkGA1UEAwwiaW50\nZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABE/G0eD/nZ8M4M6flA6JX3G/qB9nHdbbGAfCJeTrWphePW0Lci8/\njeBF2k7BUl6qf0Jvp7ez62Ab1USmyYYM5EWjUzBRMA8GA1UdEwEB/wQFMAMBAf8w\nHwYDVR0jBBgwFoAU9UfaHwDYTO6w19YmKpEbr9FZwPQwHQYDVR0OBBYEFLdty4cl\nXR9zThsHW92Om9J4zoFXMAoGCCqGSM49BAMCA0cAMEQCIAhLeBZCO9lb1bRgjXQu\n+uYkQc+Uog36Sl4rYajy18QhAiAdHbVvq2vR/+WkQQpeRu0+ctHI8DuyL8YVOSjJ\n3+16VA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVegAwIBAgIULxuiLf3KYdsPxpbEXi0wvdCWEccwCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowLTErMCkGA1UEAwwiaW50\nZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABLnYbqBJUBtYcs57caL4TKJfOM074kv5xy5JCL0U4Gh5xaWTvb6t\nZl8SWm9L4apX3Jf+XgAGZKs93lxlyhkeX+yjUzBRMA8GA1UdEwEB/wQFMAMBAf8w\nHwYDVR0jBBgwFoAUUthRwDYhWYAp1TUZ1fDVe3QVpcowHQYDVR0OBBYEFCrcKCB4\nlLycteKNmLUxUb8M5VJZMAoGCCqGSM49BAMCA0cAMEQCIBTtlznONsID9OGLxNSy\n19bikPWWRldJq+tQmg1xX0QmAiB25FoZsFniId2JR/GB5hOC++dwgTyKSg9SCBro\n3hbQ2w==\n-----END CERTIFICATE-----\n", + "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVegAwIBAgIUXexCjU0FwTMaZlTCXwI9XDW9o0YwCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowLTErMCkGA1UEAwwiaW50\nZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABIuV4WndJXxK2arVEAZSgbKrCEjVYclLNHUChIlVmcfKT8zS9XCr\nq8NV6+s8lj7XOWONlrL4cZLIPeDFYzE2qkmjUzBRMA8GA1UdEwEB/wQFMAMBAf8w\nHwYDVR0jBBgwFoAUKtwoIHiUvJy14o2YtTFRvwzlUlkwHQYDVR0OBBYEFFLYUcA2\nIVmAKdU1GdXw1Xt0FaXKMAoGCCqGSM49BAMCA0kAMEYCIQCKmi2AD4aH9fdzWzJv\nAYgIva5LQS3orEQ5TPnzrNaTSwIhAI02ZC2ET8Fmy8Pti+RLv8GzCNz1jICP7jeG\nnC501lyS\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUCRSe7pnQoQlVA+LnKk+tXJWgZoIwCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhh\nbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARcBmomR48neRQu7oCC\nu/1ljTTrJgRjbLe/K8ztth3nde5XZavp7UJp18VWbXNtMIOy4wL+MwEW/Kp4rKSx\nJRVqo3wwejAdBgNVHQ4EFgQUFz/mFvz0aKCz1UyQP6rx36wIa2gwHwYDVR0jBBgw\nFoAU9UfaHwDYTO6w19YmKpEbr9FZwPQwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQDW0OnP7UpGYcKdMzvttHLatCikUSpe1YOEMi4krOzZzwIhAJpozHnALw94\nDs1ll+bcq+ahAY1XK9VViz8kP8WRgvIv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUMCiX3ATzYehHrIRewAiS0IzrViowCgYIKoZIzj0EAwIw\nLTErMCkGA1UEAwwiaW50ZXJtZWRpYXRlLWN5Y2xlLXNhbWUtbG9naWNhbC1jYTAg\nFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhh\nbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQM7sAWqa7Hm0jZdCto\nPmeNdp4lz4app3WyYmESnvu+LPBO2Ex/Vnene/q4e8U32+u7zPSvsov1MNtRBMZT\noT1Ao3wwejAdBgNVHQ4EFgQU3eN9/Dp1/1FjuHMWL09m5d3TaHYwHwYDVR0jBBgw\nFoAUKtwoIHiUvJy14o2YtTFRvwzlUlkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIHsSBOW07zC0LLA6APG2StlHyDwaP/oHzLpf5zfayieAAiEA2ItcOY2i5qWR\naTmED1EwO6VTpkQ3o4bogWOfc9XkOFY=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "rfc5280::aki::critical-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSUVTpo1DblZM8AwHbxJtjmOi85gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3ePChhJQmS1H1XXEGntSu6DWXxWRh6vSkLd43\nBiLi3crhRQRH2DAbIXGUi9+YAfcVGITSm2qJLcIhFn1RTdfRo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBT3wrKYjaU5Vq3ucmlLSPGp4AydsTAdBgNVHQ4EFgQU98Ky\nmI2lOVat7nJpS0jxqeAMnbEwCgYIKoZIzj0EAwIDSAAwRQIhAOJY5QrCXHMxBiS4\neNYwdMSSyRyu+nRRbbdoD+/6Xi9sAiAEqtduYMdFkOHM5uDgEpfzrL2l09k0h5QY\nT61q8RX63w==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUV+USsgChTj/lXeGbh2Zp7TDHhhswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJfq8a3JMBLNJSfShNHOEAtsG7vUV87BzwjZvyGALshj\nYsBSGg4FeryoWHKPczdKnOWzli+4RzOvtlghOtgIFIqjfDB6MB0GA1UdDgQWBBTr\n7z20+Fzl4NpmhhShmrMX8CVIdTAfBgNVHSMEGDAWgBT3wrKYjaU5Vq3ucmlLSPGp\n4AydsTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAMw/MaIe+LFibgDxpenN\ni0yodeg8kGQZCTLK/7pqPV5KAiEAo/BvYcPyxbpV6KsFrfjv6pf7iYQwknvJZwJH\nsttdX4w=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "rfc5280::aki::leaf-missing-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension 
MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHYh/W9CuXDuBJQx1UZwGYXgBJBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2o4Woi+UacnZ5bvjr0Kvqb22iwDU6WHobuCIi\nflwen1phwroszaK3escDuRYgwCHA0PHAZLiJIwWGk+UQCdUco1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgSohh4O61qr+/QEhGZb0hmnLApMwCgYIKoZIzj0EAwIDSAAwRQIg\nMaZRHM0K/XOXIulcLfZ7dENdCDUm1TMFJKmx9lOZJ8MCIQCMrsM8IKzJdyMgkFeo\nnO2IwNYeGzlxcWJ7eCfTcKP/6g==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUcIqiwP6j0q2rQTuslUmmbYhYrl4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIFynfOhINP3MhQTseY/z30/GQR273RMSiJldsUU8XVQ\nAXcV/EYms4muZCEfWrvqKnT1jmGYJLhHvwm7YawwitGjWzBZMB0GA1UdDgQWBBRw\nnazruiqRM+FC1b80iwZl8QfKvjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIg\nb9ayrAOomdRt1zjrm1E/k8Lw+K5xF8fFdVYzIBm6uSQCIGIHuAxQ/SX+MX1pDE1b\n5zQus0QD+Aj/ZyedFIGICcvR\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "rfc5280::aki::intermediate-missing-aki", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> 
EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCRlxVlmQ8foEJOBE0YeEYdgwd9swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARp6A9lhDZjcFKBbOyUMvQU+Ef4uzmhcaitK3Zb\nLuRzz0nPoXlDx3MbEm8KIVHxLVSZJkRUT0PQsdFPpTGWuH+jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYQi4aYIRVhj1Nnj03uUw6zHhXsYwCgYIKoZIzj0EAwIDSQAwRgIh\nALGylOzEOvKQkgF1RVcnVVUohzx3DdH/3XNKcMLk0vqBAiEApUsxuvEtwa8NXRmd\nhJXEIJ5QhDdOj6p5+PfTeOUKYws=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUbUkOaQQouT9D0iUyjB0FlFJRanYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC81MTk0ODMwODYzOTAyNTU1NTY0Njcz\nOTc3MTE0MTgyMjI5NzM0OTc0Mzk5ODkzOTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nELDObN2PzWp+N6J1t0kNkNIMy+cNPDOraowtwnImPUsVc64iBBSITiX6fKX5I2A8\nNtvwd0xdDJUX3ciDIFS2GqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFDyVRsBCX7wx\nE7W7AVoXMCQI6QKOMAoGCCqGSM49BAMCA0gAMEUCIQCFnr/WGCQpSsbt7Gc4Q490\nL18jvF+F0ZQsRCQyVHLSlgIgJnAgtMcsKSiPZi3bklGp0SUQjrTzfJ7KQ2oimz92\nw04=\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIULo4PgKJyP7GhsGWcIvVOZABArYkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTE5NDgzMDg2MzkwMjU1NTU2NDY3Mzk3NzExNDE4MjIyOTcz\nNDk3NDM5OTg5MzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa1lHn\n4o0hs18oCHOZpX6FhdyY3tvlxiZlwOHAzEgRsAUQN1BYTPiNFHxHdwYbhOtJemDi\nOQ9i1hJG9sYyaca8o3wwejAdBgNVHQ4EFgQUC33OoCrzS2clGwxi6XUo7lPkK7Uw\nHwYDVR0jBBgwFoAUPJVGwEJfvDETtbsBWhcwJAjpAo4wCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIQDaaE8wr9hI9B1T/jutnAw4tBavkH08LtC2hZRE2JactAIg\nJw1PEbr90z9963k3/RFKBLeLBs8jLpVC0HdC5BlQT6Y=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "rfc5280::aki::self-signed-root-missing-aki", + "features": null, + "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. 
There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUBzdAMrbMyGAolwEQrVJZPR+pqwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAScq0FvhAjn94TZtM7fScCAXCgMW8IvyECVEW7t\nGXXFLGshikbfAs/CQSPjJp2O+3q96UK6Yr9E793wSoJjnlWzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl4SOyC9UrrIbqP6WeNw/42RWTnEwCgYIKoZIzj0EAwIDSAAwRQIg\nXVxl4Q1bXfGfwXTz2bSeBEjofD7ketRo4ETNGEWgGUcCIQCg2oq/o9dMl+2LlF1K\nBtUG9ss7AbQdfrjcFhIVOVaJ3g==\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUVWfJO9kvqzMhwVHrNxuNRIK/1KQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCbpEt3F8jK60r6UE/V7/ZxgR53tYI/uKK7FvOht6RaV\nFJfggZ55tUkunYB1RYplIVAkZtlDPp2sxE7IUbXRqeWjfDB6MB0GA1UdDgQWBBQh\nvi82hVK+uh/CaRgkz1yvmtncXjAfBgNVHSMEGDAWgBSXhI7IL1Sushuo/pZ43D/j\nZFZOcTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIBPv8P64gmQx23xPbYf\n1uk+BCfZ5futWJcLz43jiARzAiEAzAAyuQHAjKW7yZlYkX/Fdkv6853Ih194v3Ub\ng4R0fhw=\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "SUCCESS", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null, + "max_chain_depth": null + }, + { + "id": "rfc5280::aki::cross-signed-root-missing-aki", + "features": [ + 
"pedantic-rfc5280" + ], + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUeYEA7YA4yVCe5gAXlyR7s+UpxicwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAxODE3MzIxNDExODYzNjQyNjkxNjgz\nNjY1MzA5NDgyMzIxMTY4OTEzNjEzMjMxODMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOY9p6/4Tn1LjmVL9DvkSMNR/3KSiiLZlPxbUB1yN/g3h2WT5AmA2GWlHSiM6rLx\nPrfzBorApz6zy//Z3KLGaM+jWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTPWTvKR2O0\nDI0c1+Q0FfdNn+fTATAKBggqhkjOPQQDAgNIADBFAiAMophsHL0j7eFbVFw3xb0D\nRtCl0ZAkliM7Beks1neW2wIhAMGMuWmZsVdOfuN5vzbf8kIeTQMlfNy6TrmQtkWD\nEJnb\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUb+9gLquo3+WJ89BYK5Dur27MfeswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTgxNzMyMTQxMTg2MzY0MjY5MTY4MzY2NTMwOTQ4MjMyMTE2\nODkxMzYxMzIzMTgzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhRJE\nQgw8+c/uAYL78tl7Z2/y6bslGFofEgOaKy3fmUTREv2A9P7EeAXz0I79Aw5Cv/NH\nMCtTsWXpRYW7Nfxv6aN8MHowHQYDVR0OBBYEFNYZMycOC5rcDn2BK7VpgIJ7cieA\nMB8GA1UdIwQYMBaAFM9ZO8pHY7QMjRzX5DQV902f59MBMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAoxwp/J4RQQziIkMJ0a/TTVh0q0BRuK6ayjGB5XWOWSoC\nIQCQtIDUpgf8SP9E0bfeNIWJWGwqdoTecC2OvSs3YINtNA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
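Review bot: In `rfc5280::aki::critical-aki` the critical AKI is on the certificate in `trusted_certs`, yet the case expects `FAILURE` with `"features": null`. RFC 5280 path validation takes the trust anchor as an input (name and key) and does not require processing its extensions, so a validator that ignores extensions on trust anchors would accept this chain and be reported as non-conforming. Either gate the case the way `cross-signed-root-missing-aki` is gated, `"features": ["pedantic-rfc5280"],`, or put the critical AKI on an intermediate so that the defect lies inside the path being validated. The same question applies to `leaf-missing-aki` and `intermediate-missing-aki`, because the quoted MUST is addressed to conforming CAs rather than to relying parties. This file looks generated, so the change presumably belongs in the testcase source rather than here.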
@@ -435,10 +549,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUQq3abqkrSZCQ/OhZJc9hJBV4TCAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQV6224v3quPHU3bHjI0S74ZRrOuysZ4IQTkqlm\nj5Yz+jFP5ld0wTIuG3j0y4iRzzuuAPVPj1loeFsSmuuGZtmzo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyPcPAw+wEFhmw8F7TYjX7AOf7AIwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGslOs+7Vr+hUKHaZimdRkxN\n56/G5stTwyjnKMC3dXnXAiAfwVElmelck80gVMxZmtYQ1PJ5/m8HciaX97GwbN8I\noA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUBJ3k1Zxmqce7VTHVIWmV3j+UMIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQeZPxA4UuLz5Q2el0dHo6vinKeAqEsUIYIS1k\nCPYyppMV0QJOnzvm9p5uiY/zuxS19CPIn7KDKUgJuQrojX/uo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqd9Jesz1ezA2jlkjh8SG80MGO8QwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIHnAtsyNyMhWIRQiXpbS2fGA\nTxecSAgKK3AfDURZiafUAiAXwDMFBBA5gQt15adMflkA/SC3zkTEOKQZj7Zv7GlW\n4w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUR48mi4wigBtgPy1JLdh49Le0Z/wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOkeCL93WYa5tuXtYKKlvzTg3HP5QFkRCTG24SdBmsT7\nqK3TSnV/xRoYrMZbWXfn7h2y0NDmN7C0REcJqYW1FgmjgYAwfjAdBgNVHQ4EFgQU\npuYKG5Ze/jjBFHOqnxlCJbxMTZkwHwYDVR0jBBgwFoAUyPcPAw+wEFhmw8F7TYjX\n7AOf7AIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBc6X9CqOYq4buL\n5a3nW64pKMeUrTH6W6qHUBvAQpl7ugIgRJVkIt7NUekxohQzqtDbSsFSYhcnjcy6\nMFJa5Lnjtsc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIULFLtxLXa598JANNF2RVmZY8r8LIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFuqOYc57iDY2korZFrwsyW9Qa1G5g+ypk9+sd8fKGdd\n986cez4Ef+1qTTmw0EMqErXHAkL+QGnwuGDq0Mfhno6jgYAwfjAdBgNVHQ4EFgQU\ngZ8tvez96HpA38s8tGCPdEsiCtkwHwYDVR0jBBgwFoAUqd9Jesz1ezA2jlkjh8SG\n80MGO8QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD25vdC1leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiANLGKyoSTQZF+P\n/JotYfSGa06QapohCvxL78bBf8N4MQIgEhDyfJfbXRF7Dj2ajGnKvwa/AbYGWKa5\nxUU4unZ68ew=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -457,10 +571,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUZWj70OoNTyw8l3FzTOq6nFXlICAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS4beW7kcNs3KWamfTWSW37xWRWD+HQOAkQnaCm\nrdxngiFeZjbs3aYZfqI2Um+RSaaFh10XDPnU1c+dPp4Slypno3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVJlKCXAmtrVG6JgBYA4iIFoxUYswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCaZsIe9+0Wgca3su/ZM9Jb\nzwEXYcD5pku8iKKEaJCHfAIgNLigY4luuyzklzyksncoTnHok6k5/gZ4YEmcaoGd\nSko=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUX2XxeRA2et0unNENo04vdMECP08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQHKFFhvrFnH5ToPP/dbVkeG3k61OCcJ3Jh8w4G\nWYgjzDtbwa/MVpVQOrrP7zz/Pv682fWK7LCOIPgd07AQfbguo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhP/07cntV0sA7Uigput59hvP4AwwHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDTrxLeLe5+Ckx733YLPQesz\ni6NIMKO1pPhO13VrfAO5AiByccuoN8Z1MKYHT8dlrEVXjrjfNZFCXRiWOaleMzxU\nGg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUGMOSYtlmx9DVNKDdrltTzTg7WUYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLyz4u44JI3MQ3r9uoeXW1zkPb53FgRu/s7Z021pL1c3\n75feEP+4psh4FXvHiLFWc/5HzaMICJRcTaRPCZvaT6mjfDB6MB0GA1UdDgQWBBTm\nDLMm4GvhEm+unoh6Oa+Uu047YjAfBgNVHSMEGDAWgBRUmUoJcCa2tUbomAFgDiIg\nWjFRizALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgQywFbJyTeUiazQLTDWDJ\n96olSfwO6DlDalYNZaR+HoMCIH02BM5ynZla+PkgrUkZTyrJT4/tYlP+yvkEixu/\nx2db\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUaw7HVVTYG2VOzA61BTBIyV8n4pIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBCoNkvGq59JKoau/zs5PZMYTK7cSllE9bXPtBUj2Wjt\nmHIxBadMUF17Gt916kQ+6hv8OeI0Am+tjK648dBbMLejfDB6MB0GA1UdDgQWBBR0\n0vGKW1MsSmIV9kaDGhgLn0OBqjAfBgNVHSMEGDAWgBSE//Ttye1XSwDtSKCm63n2\nG8/gDDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgSwVJ4vhd/xnpXFiO/urW\ntG+piu+9eN7wrcGXZne8XQECIBLvhRawnztrNWHQi4/Nv6oGoXIHfOSiKcGTvVc7\nf7xS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -479,10 +593,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUS7rV3nd0Kc68Fsds2MqcLyAOtnIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoXO7p58C9y6uYDY+3EB2T6a9eBsTWy9DiY29R\nqPmdLfDamgxQzfXl1iaKyKgFhPA19VI8ltzw1jVxlkK6fA0eo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoIyyT/hfUk2DKKAxCNTD6jZKs2YwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEpADT7OVHZLqblE7+/aDhF6\nUSnemlSt95ZVRKaU1SChAiEA1H4zgEtm0Tgp9cp33KY83NNi+C+mhkPRq+TrECt7\nbdQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUM2E0aTRx+DAOxqAnFj0QB0asBzcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASEzm4nQVc84yITXFocyg+Dbk7x1THuJz84CO87\nChjtEW7599/hnauiZ9CkuZVOUIiZc1P5aWBdB/AUS1aVL1BTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUywlsBUh1tXwU6mUYO8Ynx9PaYpYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGWC92ZZ8nRpJs9T79W4V8gZ\nS5agsPZeoTob9hlcXrNcAiEAgrL8Vey5UGEpShXPy1ZfCIH1metgMCgY3sUFrX15\n7ls=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUNWwZPUzx2Xbk5JbY+IUji8B9ScYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKSEfHK9oK81d0lma6UksqelY52F5sADN1V5KVprJpEw\novmLZb0ANzTR3WHjPTuqDfblJbOneGIecykmnW1qEXCjfDB6MB0GA1UdDgQWBBSR\n9KpK9ccNTetOyPGPP6jyo1QmDDAfBgNVHSMEGDAWgBSgjLJP+F9STYMooDEI1MPq\nNkqzZjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKFL2LDbCNlmr9Iweutu\nq36zYdRo5aQU/EnaUqnSqBIRAiBj/iTcgOguOqmJ9AqO9kUafEOx1JtS0nMtm1ro\nkzJ9XA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUBhZu9Juqgb9Y6mLlukpDGZZrafMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ1jIzS7cYRRGbfiyPKHnxaZaGlNQJ++ZU6B1hwe7G8M\n0wMnDMs4I9FcmbsR4rnVXmmd9LBsiIzDKYXtNQ2IFyejfDB6MB0GA1UdDgQWBBRG\n28DfSUkJpqxUSFEFvN7+kUrCKjAfBgNVHSMEGDAWgBTLCWwFSHW1fBTqZRg7xifH\n09piljALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgGpO0klF1v2q//85gwDwN\nDPP/7xMFOc8IH4vLRYCGxgQCIEz+9bmO+K3Mffqjv/xwDaZGwkFaQwikLW8jBL4Q\nFIek\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -503,10 +617,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName. However,\nthe NameConstraints extension is not marked as critical, which is required by\nthe RFC 5280 profile.\n\nNOTE: This exact chain is valid under the CABF profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUcXgmO76xAfrIRBI7WodQtarR9DEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJV/bdF7YWq59vUOXqbvaThB4jj6HY8TKZtxkG\nuFGE1XRSnagQw2xr1hpsZH0gOVolUTSQpk8cZyCtTfXguloto3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb0bYgRS5mhSDdMowM4FxlDRANf4wGgYDVR0eBBMwEaAPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBf+sicpabWDqLpkCED8JCYQj2nR\njBznvXKkUuLz11rpAiEAw8xFD5dfaeai3lefDao2+/Xho878mFUtHwsmLRBhS+8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUdQubfgqbwCuh4fz54Sbs5F/52LwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQtiOkSILyxVJ1Dm1w29gMYFkfAHYihsllr1wm2\nw3K7+btm3Ci4OhLHwocfHO37EcW94qspKTnm8MChdUbGEcxRo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf9CGNYFggieEhBZc/QfwN9VYv8AwGgYDVR0eBBMwEaAPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCkPuU96NHR88xTNgyY8hfmi9hr\nuzfYMwRilnIQ8A2uFgIgI9HLpsxA6+dwILEux+MQJRk/V3bTceiRkAGkkhy7Eao=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbQW5FKugkk5x2jii+E96gZdULoswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBl6ul2sU6kAkjYKV1SexSb1Gd3dVPDanS6eiwSKLmp5\nftqopNTZjTw2pawSIejKWbNArlobkvdzHA4HFCJBXBejfDB6MB0GA1UdDgQWBBTC\nRzLiomc4HTTWCF0DqmG1UnBPrDAfBgNVHSMEGDAWgBRvRtiBFLmaFIN0yjAzgXGU\nNEA1/jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgE2Qjib5pyuLJquraMgpo\n5SpxC3KKTgQkhCzcj9gczg8CIQD8nAVpQhvu77AtCFtLAZWi/tJP0jsgrAATx9fg\nji5XCQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUEQf0pIX51VTVdaW+uKb1pPNvHNEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJyPkNUF1E0/c27KCfEHWm0ADUfyLjGsQ4imx6r+jVly\n17yIUF6kME+ACSJgripyJGx8wJhikERLB1OqnIuTMeSjfDB6MB0GA1UdDgQWBBQc\nCK7CruqfiVZnIwX+wH5xmUtSAzAfBgNVHSMEGDAWgBR/0IY1gWCCJ4SEFlz9B/A3\n1Vi/wDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANnn/at5FeJlNPreviIl\n2QMUf87cChp/sUDuyJhd+nU0AiEAyl+4zIe/FpMUG0pwjUW2CAtcae1UTfOZewgD\n8PXduos=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -525,10 +639,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUIXYr8AabVYOPyPtfDDdnJIN+1j4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQcvDPO7DJxK4zuPoMSraLNlVQbjcGMxIjDigy7\nQaL0Qx/zTNv4/z+8+BzHBveDf2lNpJDNOa0SgkgLKoRlwqk0o3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxp90JXO14VjyLIVPpHdBFriNXIcwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIExeLGgxNB9jELBFPWL4r77e\nbZOu83z/4NoaplJf6tQSAiEAnkWHyeniCrHVb6xFjNxe30wNdHjajBL/LSwrb+1u\nnEk=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUC6VSYrsEytKeR/wFv2sWa4Uf1YwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQlB1R8Qod4UlNIAtLYIHmypj00niqol0lK6fN0\nvL4lya2zlkprCb1v9PS39ZPvKfUgC1d3TythYWHpqRTw6a1to3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpIZd/+Xik8dFGL9OTzAcTWGeV1wwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCRNLxPIZ1EgDgLfQJFkF5M\nrlxHze/ZbXZkCscXsyuo/gIhAPzaxM32UZCIMTGRAgw8MEU6fClhwQb6+FfyArLq\n2rKQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUHqZusK0YbmOd3lqDePpXVIWrXcYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI7kEiDoYQKSZyX35cVDXCOfgsJVtDka7OxjvOE5Th9I\n9X1uaUG+rJtYnsmQwLW9QClzFRPK4AIuGMi7mQN4ycqjgYUwgYIwHQYDVR0OBBYE\nFFAlibKubA/0y5ZxPYoQlns3xjOwMB8GA1UdIwQYMBaAFMafdCVzteFY8iyFT6R3\nQRa4jVyHMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDGh4Yx\nfHkPU/7fZfkcwNTqrpb3JqP6OlDg5fxYjzjHSwIgNliwBtZZtZtEykIlqKNzoQTI\nHSWmb+N/Xhkbew9Oeig=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBujCCAWCgAwIBAgIUYm/mchu2ByCxHB07xQJCTkTyzVkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMbrpjQpQwfUazFi+S2ETf50TOX34t4T6KqsvQ7SDEh+\nEWFd4ZDD4pdE+w4elvZKFJJONOVMW7FdlLxWYbRZQqqjgYUwgYIwHQYDVR0OBBYE\nFFmviRbKf7kXKylv2tJocjNEUQfZMB8GA1UdIwQYMBaAFKSGXf/l4pPHRRi/Tk8w\nHE1hnldcMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAeBgNVHREE\nFzAVghNmb28uYmFyLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDC38b0\nGXlfN7u8Hr6TKx2YSoZ+HAtTv9tiMPUzPNvcSQIgJyQFa0OW+ap2Xq7ObM5qg8K/\nmB7aiY6eGz73uhHWuoY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -547,10 +661,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUUpxFsPaR5aX2MKmmG4Y2LCli4IQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBdZ1JfhuOMfppVCZog2iM12WtgL0ow4/P2maT\nL4IQ6G5Zh381yUPsUM5LO53jh3vqWmbLcJMtSavjCVvvqGvLo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTIjDdlvo+nwBxpy67nH9t2ZnYIDjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPcx\nslheQJ4sHmMnpaPzl2v14u/1y33dBHz8bgw58SP/AiEA5MpBHzN7sJj6H2daZoRa\nB03Y5WxeNnWuUx/1p+ifNqA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWKgAwIBAgIUKmkVcuLN2Fkr4lAOKkovF/3/ZHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdJqmYVyE30nFd0ahX4w6GBPGWY9rjIeYh0/Nd\nuX+OPJ/JTtX6FCLs3/PMD8s2M0O4H4MnJZq2lv/HBDmkDsG2o4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQfiogXRfEbGOCKa3lTGmm7l2Us6zApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKE6\nNAMfZE+11mukwwWoniJAAQLar5Dg2uE+v61tUinXAiEAlWwR1LTiMICQzQXAiP/O\ncbCcvU2KzngH5+S4SmLHUZI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUaOm50+/6AjU7TRftyxcHPsQLttAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCruY8pp6nIvrpE9q/YayU2rfDOznWt6N+zhGtYKhmHH\nK9KfPQNv1zSLFMAEQy4Vll87f9PeTTVpsM2gUGSlVpyjgZYwgZMwHQYDVR0OBBYE\nFLzAc4jz6OUZJdsTtsuwnAIOn07uMB8GA1UdIwQYMBaAFMiMN2W+j6fAHGnLrucf\n23ZmdggOMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDRwAwRAIgav4tPQvKbRGQXksEQghSNfJQUYa5NDGgtSRYLkiUGyoCICVY\nAlMhOOOt2IXDqEQOszQlb44dOMaoPB+V8TmIzb5b\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzDCCAXGgAwIBAgIULEXbn4JDEQzn1VjPzrE8y9cWjtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFks3gDWdzlYkg2hBBG02zpfJHL1JKd9Isti2F4s8Xka\nr9IiY/xHxNbxji4XlUBvQXKcERZTKSpObz1cSYE8yd6jgZYwgZMwHQYDVR0OBBYE\nFBhaGYGT9kKCRZq9cpgFDr2I404GMB8GA1UdIwQYMBaAFB+KiBdF8RsY4IpreVMa\nabuXZSzrMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAvBgNVHREE\nKDAmggtleGFtcGxlLmNvbYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZI\nzj0EAwIDSQAwRgIhAPaRm2cMiKChai+SWNxsYGisTnO3KyoxZvabllQK/I3rAiEA\n9TqwNvUXu4Y8macbq8ylnZRhil5fm3FaOt1Mp8+6jew=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -569,10 +683,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUOiiTUOSJ9XHBKEU+L4OtRon0voMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT42u3TZ2fRj2pvQgpxR8j7JtS5A27usAjB3Nj2\nGbmsOg+ELevRJOIIEzK/jbITdAJHgX5py8yv1G8HhLqkfzWTo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUovVAZRXQPklD5RlPuKvs6z1rTCswGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIAIAFC61ZBt8OSxJWvXQgh8BwIgD\njl47nqDNB2MlroLaAiEA0IOpTxCQLylMjaDPFZQXCnvqmO8rcs0IfkY8m/DdYMA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOdJFUD7aCzkAYAgXo8wpSGM/6PcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmpteBAsd71ac88xVVGo7FfsQ+MWLe4kYFT69r\nRNmyez9mP4bqqek0MFr8JChvtdXxOhpZZKgNRf41BntMVJfGo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7Nzp0RyaZcw0k0CxHW8axepOvFAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBean4HMf8T1FsNmuvud+OwrUH1X\n0eNMv4f9ENj94LwtAiBEcu7Ed8ANPrXYE1HvcvL+tjkJJhuLvmYa5nCjhR3gNg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUAhbv8FmkGmucP0VPRZFmdq9zuHYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGW4Se1eZvFxrxF5q8D9nGyDH7+27Hg/lFnu4JUJfFXH\nCOUGD9f2fCcrPQY8ViCMaoev8zH4vowUTMc6V+m6AlyjdTBzMB0GA1UdDgQWBBQ9\npbKN7DsIZYqmF61h5obR/oF/XzAfBgNVHSMEGDAWgBSi9UBlFdA+SUPlGU+4q+zr\nPWtMKzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBrEoYXOHUh3N5DahQb1VodKKwHoMfl\nuCcUNvXF3NpyeQIgOa8K72xrtibvhd38b+VthGZn1f/wwDPMfQSfrYOeQyE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUI8+UQ6BJQxU+cImvgE8GgcQ0LF4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDmetJ/NCIFiJ4BgRkV/opxwR1PDB9uIhPOMIHgLQN6Q\nzQk5VO5Q9DBrB7dbEk3k1xiXgFVXISSvUQl3GQ9YkCSjdTBzMB0GA1UdDgQWBBRI\n1oxRmFATRwVDC9FLq/Du8yawODAfBgNVHSMEGDAWgBTs3OnRHJplzDSTQLEdbxrF\n6k68UDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAADATAKBggqhkjOPQQDAgNHADBEAiBucQGzu7pkvhbhu613WTkgaqwD5cPw\n5uaLPWlXMd16PQIgMhmPw202VJKwUTcwZk9VOGY8dYieYGjs1GgPSFzaoyc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -591,10 +705,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUWN0QUBDtzSLnkdMctUMzNhzjwqswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8x9VC7kcdDF5Cw5wnVrufoVqUiVbonue2GLeQ\nQeCiEFdb71MLbAHgaXkis97SWJjqS1QAC8C6EcQaBQ0NUcHno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAR9MC3wVcV8c4SZtF1BLZftoZr4wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIF76l37sAOaT4z1QFEbFUmQe8q32\naaW35pnSF4BZNFC7AiBT7GtfGgevR6o307493Ufs1PK8fY27Zn8dS56MC2IL0Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUSjkt/ZCVccLWhLcR1bsxYdExRnAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS856oJFgv6uCHwxKH6QKZjkLH9Lz2MEPjQebR9\nOW8hqM04OCC8Vv2AyE2RWcbZzj5Rxu54EAZXWRSz4AQXPL59o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUobzEldqzIhg6rolLrdTWf6Ow/bYwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCdwPdilG0p22LP1samaQxZHyfh\nQX0DuprgMA2UENbdXAIhAMtXbHriuETedUXgsBArupftQ2c89iFgOjx65XbjHUNC\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUJ5h+RI+W9l9h2qHAWhNJfthuOzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMxUNT5EVcLhZLvsFR9l/4U279vzSPmDo/56hxOSDVcB\nCsKYJIRogluK+cWFrneP1HnEF5AnEk3pLYdso+hpSmajdTBzMB0GA1UdDgQWBBS8\nyMVXTPAo4XIDa0Su7LPFFBuTuDAfBgNVHSMEGDAWgBQBH0wLfBVxXxzhJm0XUEtl\n+2hmvjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEA2KtvTl+V9k5yk9rD27eNWbQ8JVyn\nYjX9MkSB7YSrR2wCIGxGHSEtMjfxtPFH3wlXFCk56/jDQhnX3fQePqw0YYSz\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU+gAwIBAgIUT32LMcb8x/+aTccyw5CoOJHBslswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIbnqmbWR3m4omSoB7vQAIHSDQskvkgG/cKvCjz1seJT\nDSZ5AOsfZHAPM3s8o3rdBeBX7nxlxbuoMLA+T08GfnCjdTBzMB0GA1UdDgQWBBQa\nSU+kbB3ohOwBZpB8uMvKl1A7GzAfBgNVHSMEGDAWgBShvMSV2rMiGDquiUut1NZ/\no7D9tjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNHADBEAiA9K0cIWuN8uPJM2LDEFvtNJdTaGkIP\nWxfW063D2EjRagIgZ2jY7Kn9jKTo8xjerbJCTLj/Uy7qNKWcCW+CsKCsZX0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -613,10 +727,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n::1/128, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUbht1EACbDJPbYa5AtzWEtk2z/OkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyAiPCfIiVJCJBJkLg3AnE4xiuvUXnvOniB7bd\n9ydojpwoHO9NAQt5eEKy2ja4oSLwsziBSfD2wZId4418ciwuo4GMMIGJMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQZUdLwmGeFTC2nHR3jLPQAQCThFTAyBgNVHR4BAf8EKDAmoSQw\nIocgAAAAAAAAAAAAAAAAAAAAAf////////////////////8wCgYIKoZIzj0EAwID\nSAAwRQIgOWhiIGhDA0wLmT8e9rIbTfrH+Bk8/BfRQndHhr7izHYCIQDkopDzOzud\npuY98hfWbf4Vi+3FEykuy1wo6YH2IAkCMQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUY2aeyGOmNAnwZz3JzUK99aJEs50wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATnEe1KTZFd/PIV8ozdO0nK2ro5IrGLrGrxi5vW\njCWgmqIYZLaoMnW9qU14UbBjnPC3HbzE6CQphihNEY6jf3Eeo4GMMIGJMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSIDcHk20RdjGYXD2NDb/kytDo+4TAyBgNVHR4BAf8EKDAmoSQw\nIocgAAAAAAAAAAAAAAAAAAAAAf////////////////////8wCgYIKoZIzj0EAwID\nSAAwRQIhANnIasRn4yLeUN/3juNEpDJjj7W4yv86coLSUTysetjtAiAA41x1TpAP\nxjNyJ38SPQ2LNUjPY4PqleyNZvnLcIiaiQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUFSHRMNhsZAm/uLIQIMcNrUiZDuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIlUJenMXUxCz7hLb9GLc/kkIoRCfNu3QbumJIIK6KrC\nlDc9+MlOmTtXkp+cTnJiedCigOJmAq1L6U5M2+TFN7yjgYEwfzAdBgNVHQ4EFgQU\n9G+W6q63K2R78rgFkOf1sDN5PmkwHwYDVR0jBBgwFoAUGVHS8JhnhUwtpx0d4yz0\nAEAk4RUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDSQAwRgIhAIykGRAlkTGW\nQ4PhXfd8s30lZxVK4s9gfAuCLtPs5x7FAiEA7TOkQKiwWQxBAK4bfTtcIfqMmDSk\n4zAAa1E4eJZo2yQ=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUDBsqNbImYJlWmlAoDRuun+QmQKgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA7msxboJEiCIzYXiuPsTSp8TkJ9zV/Pj4+0RulGtObH\njrjzSgbD2RfnPMgJehylt9eSt297iD6Dm21eA4eE5BejgYEwfzAdBgNVHQ4EFgQU\nvEf/PaTsh6u8T0FaENypv/FtUNwwHwYDVR0jBBgwFoAUiA3B5NtEXYxmFw9jQ2/5\nMrQ6PuEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDRwAwRAIgPsQuiGXeuGwq\nzmS9REUtqGuD4W3AGjhYT1t/2xHA7sgCIGJeUJJ1TXj1YJrmsuXcYPyJ3tHHzB+D\nSdA04GewzX9W\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -635,10 +749,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUOgGAj1QBIYDra3ISTceQfXkNHv8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVY/9YHeNU3+0dMfcek8hkjBp/Jo9azdZzZSNX\nud57GWZUZOJI/dkS/RyRJ4YSv/ZPzH510CTIkV3cwmuy3rSno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNIe3iBn1RHe+Og9ed8H1RSuAhYAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIBjWi5i9rrK8pVft4xorHBsa53R4\nDeJPMM92AfHltojMAiEAn1O7NhaRECoFBXjPlk6luwg4BNtpIteKujE1B1JMl5I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUEckPWgQ5henYfWKuq6+CH9sjofEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS8O2aDoQ5vUQLsESt6yOp3rOHgOdC1cIsxFkvB\nvbSqj4iP0m7DmTWJZN1F4p2UqFx9NOl+3o/dhYuSr4LRZcPoo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUAqBXcCHe+0NKIXVtwVliMRvdW0wGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCOBGqYV5z8tD9x+YRdqUhy9ixL\nIbxPstlBz77i7fFThQIhAJhHx5a3WJSX4hai+2S+3Zt41sOM2qPUq+AYts+H/9A1\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqjCCAU+gAwIBAgIUcnffFs7UXd1CvxJ9D7wOcaVogecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFsm2EY5IBJ1biKUw79N10RYI+kXXHLOkv2CvVU3Ms12\nWZBf4bkIeb7Th28Eu5L20XBurnZKNM/QRzng8HI796mjdTBzMB0GA1UdDgQWBBS9\n0Gvt8kar5RiQqvD/KHBqxov81jAfBgNVHSMEGDAWgBQ0h7eIGfVEd746D153wfVF\nK4CFgDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNJADBGAiEA02Sv8EwP/yFySkpUBKpznqRqhf79\nc5cKOclGcrGj+6cCIQCQoSbuiaOEjHFX12JsyBg0Z74ItMbmi5gD3fKsMkiKxA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUfyc5zanuzZsgMFyzE4wE1VUyNWMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLjnxBRjltCJ/FjXnkjMq0h86+SYe8wn/8HJygvEyrSP\nRpsBoA0ZFczON40vcHVbjjHA6HMz4HW5Owy0cpeUOKCjdTBzMB0GA1UdDgQWBBSn\nnLgq09GaOLdK7LI7Mih8E2s2uDAfBgNVHSMEGDAWgBRQCoFdwId77Q0ohdW3BWWI\nxG91bTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEwAACATAKBggqhkjOPQQDAgNIADBFAiEAgIXFxyR550CfhWN+yAerx5E8/9fr\nFtZXmWA9uQcQrKwCIBld/11nPoQPsXWV/9giGl2XxJhlZhM0Kbg/G/fhMb+J\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -657,10 +771,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n::1/128, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWugAwIBAgIUHY9Vy9VkExf5P7yPlBv0aa3mAqgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCH6DqA3FonyF0QXg2MTrTmQB/IbjW9DIwNTGo\nmmulamCkLbFLFZ2kTc+u7Sc8ZLH8oCrTO3eYmhkTbMnmNG51o4GMMIGJMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQ6eK10yV/wTuvatbiQCtxyDxRVrDAyBgNVHR4BAf8EKDAmoCQw\nIocgAAAAAAAAAAAAAAAAAAAAAf////////////////////8wCgYIKoZIzj0EAwID\nSAAwRQIhAJaPlSmPwOsANFAz5EYKuEq0ohJ7bsTh3yUy7dgma88zAiBZjbZW2RqR\n8MxQ1usMq2khWRccW6QNwO5eFKiXvkX8zQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWugAwIBAgIUGXDB6PacWExUGbHAlPWVO4KtV18wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4H1Qeiqt63kTtDW/1TTVF1fZcHvjp0HL2muzn\nSqOZ/nFOEIzSok7Po5b5S4cAvK3G5F0x2yJ4ZxdOan+Zv/Rdo4GMMIGJMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTbw4IhMzrBS8BN+48JwBheme4gJjAyBgNVHR4BAf8EKDAmoCQw\nIocgAAAAAAAAAAAAAAAAAAAAAf////////////////////8wCgYIKoZIzj0EAwID\nRwAwRAIgPTWNiKlnuisW4QLOgDLnbBLZJWKPTHr0Pm52BGWkd3ECIDmQ14RMxfEL\nvl3y0PV3O5xCdoRo82NcyYrFN6hxhTtp\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUIvHMsadZYfzCcSe45gqvJAB2+N8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOFwEhUd2O4xae/yQEOTukksjPpgrDOD/Jlt9yqDQ2H4\nk5seWfvhBlj1VQKKL8NOj30KMV3uTGCk6vdwJx/gqTqjgYEwfzAdBgNVHQ4EFgQU\ndTiNeIxg2WdPp2Wk/sZKI3plwoEwHwYDVR0jBBgwFoAUOnitdMlf8E7r2rW4kArc\ncg8UVawwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDRwAwRAIgNe7q5UdM34Nw\n0vs+eN5jiDF8iffG3RyDW5l4zGA/kQsCIFtdoK7AVumRQqLiiavQ0LnC3HCukVEN\nU8Gtq0aWsBbk\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUTiCZf21Blu2JDUoL1cjKRcTOdVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDS2FDTWhTMojSjKmrxlFWkU+9UgA/z3koM9iisGU8Pd\nilziGwAppRVksYmp8dyjyjwIH+Arc5X4ozp0TEKh96KjgYEwfzAdBgNVHQ4EFgQU\nvlHw6kCL++0v1ixAO6kliRy3AHIwHwYDVR0jBBgwFoAU28OCITM6wUvATfuPCcAY\nXpnuICYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDRwAwRAIgXw8fp1tg8YjO\n0ImFhzmiSgY2hjqxQssDqe2F3g5EufoCIE4YLFvulVrPlb0sNPHqMj451ih2BkC+\nSsWzeyXJLD+S\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -681,10 +795,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUK1Ll0YtP/ciz0GUi2s6YLkCjxtUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwjnh6Hq+PbEU2PSX6ZyLQVI6okRM4Zx22H17o\nHCcnmC2lhYizrD4Cv/vkjUv1KHGzENH9CI/9YbKLCFfnv4kZo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTa3SQinii87t2p7EUxTOyCmSBFYwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAOX1VesO0MwUTNAk\nm/ggKgnL6P13V5Sr6yYVq1aYi72+AiEAtVFoewctdRIZOJeGANjvpv2ylZsSTRPt\nk6YYexCZ0b8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUMiYD3/v+BMU9Z2PpDkOfgt9xHrUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQDvfRaPJ+8qmiOfS+UEOewZclRH+N52JeZ5jqY\n+d0kcF2wa05ydpsq7AjCXGVzgeizRgxCCYnSfi8Q8hSGqi+lo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUifL9b5WTSFt2Z3+oyy/W2+rTsWUwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAP0x9Z8uy02uVHk4\nOHoo6cPMuvuR7IJb6s7+hCLs2wyyAiB/YHEeg5juEYv865FmFyDz9NqK0QFhOz4n\nvPNE23B05w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV2gAwIBAgIUAt+vGGKEoA6Gt+Dv6lXV4NpjFn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEJcg0VUKdb72maglvReUZXGeuFx17aWCD6br1B99jDQoq9LjR\nCJKoxXG1VbGz6VNfIT25M4nHDiqrLzYXC0cqZaOBhjCBgzAdBgNVHQ4EFgQUX6Dd\nZP7WFyU1d/+rhud6Xf08CgYwHwYDVR0jBBgwFoAUTa3SQinii87t2p7EUxTOyCmS\nBFYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQC5yphqWBKP\nlR7xiT/tDXcZq0AUPEyi1xJQc/hTgYegmgIhAOSRCsZp5JRLKKIMraV71jH+Nxzm\nsKVk9R3AMscs7oJY\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAV2gAwIBAgIUVF5e0cwUD/2QIp5Eci1bHD4OGxAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEY4zg7ZE53zXjdNrCUBEPpRx9QiDzF2yhfB3+HWygZm5bVjjw\nJ2dImyx4uE3pZEKGu5Toj8q54rY2zKuGaBdYNKOBhjCBgzAdBgNVHQ4EFgQUdXI0\n6FiUijZ4pEi6BvgzGvwmBl4wHwYDVR0jBBgwFoAUifL9b5WTSFt2Z3+oyy/W2+rT\nsWUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQYMBak\nFDASMRAwDgYDVQQDDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIHzEwD2DIq0j\nXbeeyUpOxTyO45asBm80fWKWcSO+ygssAiEA8AAn4gBkj3G/8oPDk/1q2d3i1H6B\nNcjmbZyGAlMgW0Y=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -705,10 +819,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUBeBir0sfB5M2ElNpaGCljlHKnHIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfsQ53c8d7yAAksnueDUhAedIvbqg13plykq9C\nMUJ2vprR0fwCPdc++Ao48msoMgX8Oizuk8iY1UYaRVoijCfQo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX6nPcAD5L4RpSkNfd5zDDIW5cGIwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgXUItmNmBqjZoD6Nn\nL6rPegv9JrbffThvoJdAFPs0UroCIFHVOTtVJiaSrSQ4Y/pHQLGcZAJvOgqUGG/+\nsPU9moVF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUJb358J54FK1RTO7ndDt6UnrIDbowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLQk7iZkWDwRpMIYwQpaDQYrRTqChmsssoI3i9\nZVXQB0dXB8AR3mAlsxQuNx15geBYBidBc7DjXNw9vD+FF29bo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURFjMfpyHNOOIabq8aURPwHGTyjQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgU4uiFgI6exOibaEm\nTiYUYkupF2r+5DuxswzWp2LLwtcCIDYgvn1GDQsAUvcNOY2N8t2sOYTun7TQbe4K\n3Z6sRsOT\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUUzEu9aKE6RsK25FlXmNThzwYIi4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASWtl19LyGx/lBWxPUnf6I69MJhj1eme+wjw4iTBAJs3uM3Z6rPUkan\njqHzejVuGXY58z/v0d+KZQm3CDHM/vqJo4GBMH8wHQYDVR0OBBYEFJRwV6LDEg+o\nTMe9uuFBEyOpY4ooMB8GA1UdIwQYMBaAFF+pz3AA+S+EaUpDX3ecwwyFuXBiMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIQCnQC2Z3Hw8tjbgFSwvvp5Q\nQ8tiNgS7Cm0Ro+EmzX9XugIgEIQVzHYcDvoXijocVIrbxE2BbpfJwUC/rrnbzz3O\nJ7k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUMRBxo3v1jObDYER0fOZWV3+FNl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAR6lRa3Ra+5wX2ujVCc/Rh++hU5gQTaCuVbndiKv4dC5O3VjcCd1Ryf\n/L7fnj/zAhTO4ngAjT7sIVOg4M8M6I6vo4GBMH8wHQYDVR0OBBYEFJc6+fXcCFS3\nwJE4Nc2MnN8KObZOMB8GA1UdIwQYMBaAFERYzH6chzTjiGm6vGlET8Bxk8o0MAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIBfU1wU+g4n73Mu0qtpsXnTX\nDA5CFmn7Qrr15khClqyPAiEA6fPqpErWYO8uf20zZFsEN+73WOjQROMb6H5YSQ1g\nXDE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -729,10 +843,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUZf04595G1HRl4S51SOMxVp5sjHwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT0TLNQl2Thi94wdLSZvdug3M6Ur3tYHR9uchNB\n22hPVpKcGQBi0+jBJyxTgT4ktkPgwIsIx13vSFWfaJqpqPIXo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTPmHeIaUgEvnk8O4LPlZnogKW64wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgIy1806jZUQEcbb3+\nHrivuAoFVSuGGq4GsON86vLfG08CIHtePsMo0QRrRJ5thkiw07PMjJ9evHyYUs/C\nLTX7Eed8\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUEV0aGxR5YLBaTj8JBrEX7WG1VYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJ4phPvDVVuuwKQ5Odo23NJy9jIAAGxaMAWrji\nHs4yTUPbpQEtKOXsabWdcSh45kGVojLbOnvg+KxQhQERCKFco3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPgqb7kJWWCq25oQGsd5w5h984J8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAMHIjvgzcZQq0tgQ\nttRCcwpzutqrj4ltZf84dJfv41gyAiEA755/R/nw3S6ACEXCRVxqDu+WapdlH9Va\negSiMUFY5bo=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUPPZSGVCcIDDcj8uvngsvaS2U5y4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAASuhUQIZQUpt90p1DSOuaXsJxymIQUUAPd4eGNJODDr98pHLmeKT18L\nQ8rJOgrpxK5duaRJ793nlpVal9Fd0tdCo4GBMH8wHQYDVR0OBBYEFGvIHDnFcOxo\nVsjrzU7ir5zL8KQ7MB8GA1UdIwQYMBaAFEz5h3iGlIBL55PDuCz5WZ6ICluuMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0kAMEYCIQCF/ZGfuMKR11nN7fptNQwp\nciby3ZwVemojbIS9yHQuRQIhANpo0cBQWN8yPK36msUkXdcQpBfEzlfQifn5q+ZK\nFmgk\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUXPQ9oYLlu4oI3CDhMnNAKJGv/qUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARli1YOlrnGZ7dPZgpSaLoXBAM1t/RZdXO7702qxWM4iv8rExqYvyRz\ngHhqairzT7n/aiAtq68r2e4Y349eX2j6o4GBMH8wHQYDVR0OBBYEFM8xLE9ujHDw\nvSBoq4ForqpcegdsMB8GA1UdIwQYMBaAFD4Km+5CVlgqtuaEBrHecOYffOCfMAsG\nA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASpBAwDjEM\nMAoGA1UEAwwDZm9vMAoGCCqGSM49BAMCA0gAMEUCIA32l2DIJLBJCABIaAZ6E2LB\nuNcRNCNXpXw0UHc0I2d6AiEAtRNypQeHR0KlEwR1+Wd5GaK6lsyI49aIp5hvn3B6\nDxw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -753,10 +867,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIURVZra+tTmeaapi7wsivSgq/5z10wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqRejWtezvpvnnhT0pgQjcyssnrlyQVrX5epqF\nagTVeXvAEdSH91hx+kfyWizTyF7d4/vejjx8trwVLgcHa3V8o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUFd70VXfUYw2QLIozg6jFOof4nf0wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAIj34sU+Ylg3PMZ6\ny2by0fD0tDhQ6MjQ+X+HvLtSPkbiAiEAiZNyEEqUAOX8UoTpCo5EYxZj8cfDwVUI\nmgwYUGPRRLQ=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIULAwCYnyk3gHfC7w2SKc7eP7QRxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYFJVSvo/OmI5wlFP2IYJfDo4+M3xcM/PYe9+u\nYH/xWu81VSpx8axpot+H78CbyTgOaTTQFbTL2FBJwXht19iPo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhTnVEJ2gy5yz7YVYSmDwkQPdwEswIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAKHNy1taQ7jr6liq\nOHjvZPtOBc/dA3JdkQY+HhAd8z7iAiEAjrmpYFRHanheR/x7lu8n8KRLVkv85xTc\nvQt5ml0KQ1s=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUJEL+rR1KhXJT7h+pYWO73lq0jo8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAElDyD6yW7BcVgjnR0Pjuh8UAnwtJRkpJZ2+8d8KJaViUi+cTC\nQA84oCaTGDAzmeIn8YdFy+Sxw8AB9DkWsNz+v6OBgTB/MB0GA1UdDgQWBBScPn6c\n03kgSmiHNIja7MXswOovgTAfBgNVHSMEGDAWgBQV3vRVd9RjDZAsijODqMU6h/id\n/TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiBljGMhJNDQbW+BbrSL\n3eyK4fyCtgOKnHNZLUDyMRNNEwIhAKSToAgLCYb9ZLww2zkSOgUF14e1zwYnyxEO\nzJCNsHd1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUGbTgTYTFJzhjzO6bGfkFvk5mmwEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE4GDRhIwfZyfX7WcRfT8mxwIsLOKpspjHScMCK8HOy/Plwldn\nhp0R4zqkclpQfsIXlFgDJa26QNd2dWfReTkMYKOBgTB/MB0GA1UdDgQWBBTxlPfd\n4JDoN6LRF8QTlWu/PWcDkzAfBgNVHSMEGDAWgBSFOdUQnaDLnLPthVhKYPCRA93A\nSzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEqQQ\nMA4xDDAKBgNVBAMMA2ZvbzAKBggqhkjOPQQDAgNIADBFAiBzyvVDqDqB7rli1W89\nvV3raI/oe57qdatUK3mTf/AgCwIhAOlW3XV4ndoLJHx3yXrMC9Egu/obzmPgBHKz\nXW1TvFZf\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -777,10 +891,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUa3dSYrhkily9UPmBb6EKHsEtMI0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq1dfeNs1UC8Kf+/Hw/ZwZGkDO/1czb8pZipvv\ntKcJds3Eh139hOYwfpGTGNY7eyQm+3nC66odQsqggckows3Yo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7VvAdJ3eL+MT1k9z3QVGu/JlY6IwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgFWVQJEoKVcOTeOfY\noC7CULiKRW9CMOrdTb5Xl0+PrGwCIE6PL283ehrW4ZBFktbqjsUh4Liro7AivAU4\nLSoqY2m5\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJm+86gvyYTODURTPUe1nNmghbNEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQibxKd73Vo6etXgOZWMbP1GKW5S7wsOp3GU8Zv\nGzzHqayiefFIFzY27soB6l2z5QYvyahJcp1buGvqn1ZURs8Po3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgyjWHuAkpbrnuQRc9FtWHukRLScwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAMfLua/SgoMjXiKi\nG4I0S78eJo+wK2DDMdeM+BCGMFYdAiBsXoeJzzZWzM1NMizkHcRsrB7svGErHpFe\nDW5PFZURIQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUAg/C+LqwqrngCH3THHjX9pZIX+IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQGhp1QCzoERWuuf9nrBKGpiSaDH7Ua96JRQGSuN1IvBwcd7i1/UNZi\nZJkyQbS2NsgstPnpbQgCsmpj3l9jyyIao4GGMIGDMB0GA1UdDgQWBBTyEv4HIdhL\napLfsdGl+eUnEtmQtzAfBgNVHSMEGDAWgBTtW8B0nd4v4xPWT3PdBUa78mVjojAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhALzZg4yxgcFUk4yo\nEPCGXLWrL/4KsrckwGVnQrIaOcEBAiEAmC6C2U/gP2tR9bRhLLcAIprfiWVSpzeB\nunJ10FVdLqo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUIPj38c+DsBc1512Gb7Hvh21PJxwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATR7ZykpJB16fvHZKjLkzTmxuWmQOHIKCVw3iXhs7xUn+F+JEMi4j0o\n24ZNGxkq7HhWLEZBvF8fL8tkl9IglN3io4GGMIGDMB0GA1UdDgQWBBTlkYqoLfvC\ndwdW/qzKbJ4jnYANmjAfBgNVHSMEGDAWgBSDKNYe4CSluue5BFz0W1Ye6REtJzAL\nBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0RBBgwFqQUMBIx\nEDAOBgNVBAMMB25vdC1mb28wCgYIKoZIzj0EAwIDSAAwRQIgCCUC6v4532+sfMKQ\nLI3LL2brtYSogvCMK0uOIkFBIZMCIQC2Lke6zJfQtcaxvHIpFBeJDluw4m/j6kti\nyEhVXOs1jQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -799,12 +913,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUYok4zfLEdQq6i2ylEA7MUoYk3lIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATLOZTjv636qny4YMEVaozOVHUwjaLV0Du1zUim\n8Vj3AJdgSQCYVGscwrP9BMZkUNEYvVfTX67BXlUJzHMyoHi3o3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFJWOD82NEL+YEfphQzv0/Y511RChMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAuCLZBFypFZWGX+rR\nd3lxAvPobZn2Jrgp4FbvsJkzSmECIQCR5D8wX8oRTMw/mIubtiQMiVtTsVemwnt6\ndSKka66sDQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIULRorxwJsqbczD3AeZJa3Pm/HvMMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASN/wafQrWyw/kXSJPstpqfGE+7x2dlzgeoj47L\nWfYzQ1znoWW4kKYsWWnVRRBqB3AmXBwtZJBRMBZKP/MnpoTWo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFlXafP1dAOgh1N5lYR1n3Mk2uj/MB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiB6g+HO7vjGwPb3urku\n0jVJNGBwyoZaxXMzJ7k3IR+D+QIgUZWpI93EcS7vgKT0WWyszymnlx4r6J717zTk\n1xYICsE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUV84JWcMNXuhkzrE7uD4AwDtBG2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQUwvqmMcfFa5mRppSSSUUJTthUEHyL8UfyhmKX\nsM2m3da4gRFZ60M7DHEe8ySBM4sVjAT4yT5UD9v1zzXz1nMZo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUlY4PzY0Qv5gR+mFDO/T9jnXVEKEwHQYDVR0OBBYEFEqM\nyXMiRRhdwW8nTyY9i0ERkS+2MAoGCCqGSM49BAMCA0gAMEUCIQCQHdXTyNfAZseR\nGmrdtQ7IsGpl7oW2UkgVmEjbqCk4mwIgSLJxdSqAzyyvWBmxoTEufGH/suYir8v7\nzljUb49uA7I=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUXvGr6N6vZEXU54NzZgnCFP/D9xwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATe6pIIA8H6s2UsSvtYq1YMU8m/cYrG9XAqEvsy\n/cwiU2BQPGihHuYWSaZOf5aKA1tMAbbFDSJLj9bJi7IB5/Opo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUWVdp8/V0A6CHU3mVhHWfcyTa6P8wHQYDVR0OBBYEFNih\nBX5IKmj54/GQSz1v2RFPoZiHMAoGCCqGSM49BAMCA0gAMEUCIEOQdUeBLWVHCqb7\nji5SM+p3oWNMLQ/HlBuNT8KfiFeaAiEAqgsXcso1dyzS/9W/ckf3N62jRbyBQkB3\nn9e3+PHIvV8=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUUAmgROVk4s0HsPIGsvFCgWT9OH4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAD8TuNKWCbLUvp0lAkXxMGXEsKphq115ci7LuqnK/gZ\nvusm61bdShS203zTXh80qOftPhddoVv5mrbAxFTmtWSjfDB6MB0GA1UdDgQWBBRj\na5X/L+yroX+H1w7aaeALZEUFwjAfBgNVHSMEGDAWgBRKjMlzIkUYXcFvJ08mPYtB\nEZEvtjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALCqNPo5O1dDm+UQJ8sC\nHo1pCi8UbsV24ORvO8SFGFNzAiEAmCJzBwu30MFiu3GFUOmIuW15vdGZmPWMRSML\nvzckI2Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWh+h8SMI71pZlpBiEKTGvSyDINcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABC51pCy7mPwbDMnVyiFQskUryEd6e7wg9/3HSJkC2RDm\nqdjWXASxuejE0YNITxbbfbCLTDKllnrQFDyATnjktAyjfDB6MB0GA1UdDgQWBBQy\nzglAu39Dy5sl+ltLJH9SkV8ofTAfBgNVHSMEGDAWgBTYoQV+SCpo+ePxkEs9b9kR\nT6GYhzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgQ9nKJzB+Dszs8QqqNwf7\nQgpymeZbWAWlz8ZqmA/1ntoCIQD/fv6ceyIHtyMhPO+75Vtnrril5ZiXkYBzhUJK\nUTvX4g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -823,12 +937,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUAWGEE9Da9xvhLiYwy79jFTtSD9wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv9HzRyJWHDb2ceaZka0CAt+e+h7SHWVrfnIwN\nvEwiV0tVc6SV6IZo9mSQmXYnD2gl4Zt3YJVDH/QdLRSBsyUCo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfgW/sU30a3q0vu/EEJpgXPjEc7MwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEF9+JFZD+eGcnoQBG4jml+Y\nx4LK1HSshQ73SvRR+hO4AiBsANcKCzHtfA80jQDljLszlkIpsts6e5bnzDLZFiP7\nKg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUTweli3FkxiVHmi77fQ3muhrGQuIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARc0QDOZqCbEGUjMStub9cQ5GT4jhUuZz3TVXlA\nFaYfLgAZcXO4wqc8sbslDW4Q5luvvhAKOThiSijQPTJwfpflo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUJn/4OOKjjq3tjRJKPyPS6z25CkMwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHDjJNhCf4EEzOlNw/N5CRbY\nW4arCEKXggtBaKTWow4TAiEAiDO5YbNXXjeiYQoBNhtF1CFB/PQ5P3mMfbtKLn8W\noj4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUY4Oj0ecK1tyoqlUAlNL84yvwKVIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATj3pH5+LX9XQ8O69Tn/zycarDM7TEo5Fb4LKEZ\nQ3azAYBf67PvmMrkT0/E+qHv2LomIoyqNr+JLrTLHEM9nVxUo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUfgW/sU30a3q0vu/EEJpgXPjEc7MwHQYDVR0OBBYEFAwA\nlDOUIisgbHN/Ftp/GYv8XBGQMAoGCCqGSM49BAMCA0gAMEUCIQC8/MSx3+BZZWs1\nK7+rcDfDcxm9rTx/Gjic8bqhpZJyKAIgA38xmuxJd/ojLNM0L6l5580O40rPg7Bn\npP1Rgo7fMOM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUQ6HcUYvh4VYoYfJ8uuk4fbK3RRkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT9Menlw8zUYe5R0X+0xJEAnEaFGQaHMM7hqfmm\ndNSBGCSGjbZoJvp5GRb0QJ8X26DoED9xH/fSyDFi3wlgri2yo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUJn/4OOKjjq3tjRJKPyPS6z25CkMwHQYDVR0OBBYEFAJr\n9TFMBqxmLyxddnhy/rvXD7BAMAoGCCqGSM49BAMCA0cAMEQCIHP2bw43s9Lz+niM\n+z5A/XBntJ8H5jayEoGy8CJXuDVJAiAjJIUPrMX2Gv5uqjnw5nMKWO7XOxcr1HZP\nwVXOx9171g==\n-----END 
CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUBYFTs94sls+E0ZetY+2KALvE3rgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARADql7RlREFCY90r2jESxCI+e6VWKKBJo+dk63\napswhQB8x3LsWRK5aZxB9BkTr6H1/GNYUlzD2EOK+7z7hFTFo4GAMH4wHQYDVR0O\nBBYEFIJYMkiu4ykgQLO0kDlxFHPyIuOdMB8GA1UdIwQYMBaAFAwAlDOUIisgbHN/\nFtp/GYv8XBGQMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgVMc7GY1W\nqry+iuCOX8tGtKfXTCHsklM0f831pRvRqycCIQClN+mBMolr5IZysoFx3T9CY+fa\nu/EE8DVNgVfdrue83Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuTCCAV+gAwIBAgIUM5r6k6uK+jGWobCox97Lp6heHzkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJrbfPALyywC53Fa8SFHFgzlj/ivE/A2DhslDA\nMvbXR/YGK9GZyQFJKBqwxMFq+K3TW5SzeT40tmlkRpSmXf0ho4GAMH4wHQYDVR0O\nBBYEFH0sPp+hI7hTlymDE2kCp+sDkQ0bMB8GA1UdIwQYMBaAFAJr9TFMBqxmLyxd\ndnhy/rvXD7BAMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNV\nHREEEzARgg9ub3QtZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhANidb69p\nGI+ZJrN8VmorfeK5kHCe/LP0wI2K9w4wTyK4AiBXd6t7ynzt2f5TTXzb9Csg/Ym0\noJ5Sa2RFLxdZAJzvhA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -847,10 +961,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUSidpk/lR8F1dSNv+b0qJwek2m4owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJUCfcTPBAtMZ65YYND/0qALxFb8IqOCwbXtbD\n0uI0wwO0Z8y0s5JFvWB0YKnx5wGWDB7Rv4mSiIKvlrKWslcko4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBQBPnVmWzgC8Ia6BpBplP8dn6LzvzAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiA7HdDjj5R76924Fv+CZUn7E7ZQFD30L9ZvmVKMK4VIvQIhANmCPDF55m6o1B+W\nj0hX7GEIW80XEugxx7doFZeQk4lQ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUB1bw2psbW2r0e2pCz5SppButMLIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS3ZP2SiG8DHXM8dSRB7ci0wvTLpfWzFtaL59HA\nOE/seKRAKdVJbl6b9AF85LaRKzqLeUkjYbaLrxQ1oEizE1DCo4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBSPSe1O0zG93iWdiyZRXC0cGyrrADAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAt71X7T+VOo6F10zVGKZCQVsH/O+fqYkf+raMAdJQpGUCIB3UiHWzgkyF7CE4\npYQWlHomHelnN24OSMn2WA1hrkJg\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUd+/ntFHb5REgRwr0minu7mFOIqIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMfwP2uIEoOtsKI1vvrJBmom9KOp8oo9o+Qu75IB3xAA\nwAFrLoM7nsHd9hBY0tyTiXXX5RrK87UDJqKT29kQBBujfDB6MB0GA1UdDgQWBBRp\nlpKR+o1759V2JC4vQKM6DCdv/TAfBgNVHSMEGDAWgBQBPnVmWzgC8Ia6BpBplP8d\nn6LzvzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJQIiFhAmfKNbm86F3j9\nrKAihMZYAKPf/PLrDGwKC5wNAiBa9ZfE2WUDyqIKsspwj9XHQsfj6ppodfNHn409\nr963qw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUYUzYI3k7jytCdxmkFWadZ6NSx7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMZ0LqaBCk9ZqzzZde3YgpCz1PzILAcoMm70b/gwt76W\nMrmXQjLLB/tuyMVCLpbTDnMbYtklromoCfqTRXe08MajfDB6MB0GA1UdDgQWBBR9\nMIapOHCUUxZZUk/xa/+/ktbVxTAfBgNVHSMEGDAWgBSPSe1O0zG93iWdiyZRXC0c\nGyrrADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALTOUN9i0x/05oGHBMv3\naWc3s9ZV4eC2OF19XnZfrMCEAiARC3Ne/jNo/6KL7ZRmiopcrF1HjoN21QJ61oUj\n6usZPg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -869,10 +983,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUYAPME7V549hbDTqZhiRxASsU+ZIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATwjlbD+ki3V8ie3U6+fdcM0F5vM62R6TlBIETV\nBob+HPXYvJzlF/TprubABfyHq9zgqplKpSDIfV3rJgMEJTXxo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxmdRDMe7FMi5ph/Ck06jdn8d4KMwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIHh6v79xjvaao+Dt+f+7ERYK7rsC\nGFrXzml+79caLDWmAiEAoALf0bN5EyDZlYjWyvcgBRAkP/u3EZ6MVQnE5RjYYio=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUR1HTDtkGHb2GLT5bGj7okky22JwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+hnGNxI+o4gg+m4UKb0TM9swHp4rOW7F1Vypq\n5q+epLuHUoKRW6K1nVipzER/1sdsjDPbbKST3qs0SKgop6eno3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWBRLDoLDOIGTV0gy5croA5XV8JcwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIF14X2DXrNqHdQ7AIJ6xvloDKPlZ\nx8NiBUY5QocIOoFgAiEAlF11HTGsk9pRX2aVQE2cqAAODUf5IeDD59tbSzNck9w=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbFt96b1yRwA8MEoO1fTVlav5TXgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJ1Lyjo+RYHPktW/49QrQuCC4Nxb+UwWgO/Vnyb4PZaL\n5W31JLw1OhSGeG/XGRFmbCn0DZ50rOt8QiwxTbwnx/+jfDB6MB0GA1UdDgQWBBQx\nTCmfvC1jtpp7vgZ0xulgNk0XoTAfBgNVHSMEGDAWgBTGZ1EMx7sUyLmmH8KTTqN2\nfx3gozALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgaaZJYT3WyNSsUq8MDizH\ns0MEpfczbxeUmDsf83IjY7ACIQCcrabX8cnEJgJ052WszahEebdd5GqNQdrURzj0\nAmV4hg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUF+9qhP9iwTNnH1pcJlqINK1/TEcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGN7RbTwgXTntszFV8eGcdcl86+G3ONcdH+cZcfdWGw8\nfpB8/VcDoh340flxTGqdYibgbCajuVnsFtgw2cK7+BijfDB6MB0GA1UdDgQWBBTn\ngrkUvNbHJt3YnK0RjDKNIBGv8zAfBgNVHSMEGDAWgBRYFEsOgsM4gZNXSDLlyugD\nldXwlzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKCsZdvOqnlPMFz44//p\nk0ABUx/8H/2XFCka4wrTne/eAiBvkZSZlcyf0VJgabmaFMlyuF8SCXwQszjvtt4q\nxd45Jw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -891,10 +1005,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUXWpRul4L4pdyWEPiWppvap13rl4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYTg9pIsxKdFl2d0mvfZbbY/5kHEgn0ap+PAAs\nvvtQljx7equXmTUko6Zzq3N7BXnSiua4v1Z1QJN5P7btqddCo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmT+abtBGXvMAWYBA8iGHI+IDrHswGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIEY8/DfIxv/yfAKslLX3hd40uvzh\n8myKsp1phvGNRWaxAiBnr5IAxsjva1GSaCaI9E+sEAQj2MpHx5S7LJvL1php7g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUBUsBOWoQOIhT8vYuCQy/xhiqvIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI5zXk+bvDaHuvT5JVP/DjRaI57NKzbL5mfYk+\nRrbR763pXWw3eKlj+GXXOGKctePV/5BN5adhzNlXaEsiLF4To3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyM5DfO8P6P69xMHnBMCSWsYyRhMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIAEVcoPRuWGkcQ2D4UgjuXUQjgSr\nvfe/sYMtGITDuAl9AiA5nIetID5nxl477r8O24/E1rlGqizuRflXxmKuMsu0QQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUVsL65Uq7+AtOKfeyMUp0BLoerBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLycvCT1n5Q168g8XFPD7ki+TkRXqfxy9SZVv0HBewms\nqjY8aqTSYvxlKE2CpwkrHynjWA8OA2/GUx6GetAjPPujfDB6MB0GA1UdDgQWBBQO\nZ9iXbj0PKDFhERzwHt2L737GxTAfBgNVHSMEGDAWgBSZP5pu0EZe8wBZgEDyIYcj\n4gOsezALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgTin+W+2n8ITO0FcDwWq6\nfZKYoRGaaYrHlakVwcTCagQCIQCTXsrR62pT0Q2ew5Kl/TVBksL6nKFKZh21BGzI\nmB8CyA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUHncLQxxAewhFzayvDbFxBmQTFQ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKCHzrXpNWNLn4Z/Nbd0Sa4w3Vx4ed3IjMdKIqoSGpMN\nx86HF+80a0JSw55/XdcnMRonCDbwVNW/AQiFjn72qqijfDB6MB0GA1UdDgQWBBT8\nOc4t748nyF/slKaCmDzcRXq0HjAfBgNVHSMEGDAWgBTIzkN87w/o/r3EwecEwJJa\nxjJGEzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgezNmcx3TjmHrRAJ67j3B\nP/U/Yt/jsQfY8cah0OEcZMoCIGSZ9IfW924rYNzBviNrrxtRaQDPhI5/jPII/9nP\noVQi\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -913,10 +1027,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUDfLxO4QGdvGciCm8QOPC+A4QBM8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATO/iJh9BwogdJ5gKbehOlnwbM4+TCCHslAOJQl\nQ+/fwbvZsoV6tSriAcT/+2akQlYQ1BM32X0f48DmO3NzRudjo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEldyFysWe4UQRi0Jq3OntoH3XkEwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKWEfLeK1FT3rRbV3xHP\niMm41fGBxc3OSdC9c0qyX5tZAiAlFQFS5N3Jk8bcA117a7nipVKGoMe1CESd6Z77\n6pzUzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUVCrGKRe7XE3Ew4ZNUpnCbI4e7pYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQAYzAeHXkUq0D7//CmDJYL/fNSp5EgnmYWDqe\nsfuSVgiOW8idf4B+h1qYiKxL9/3PHllD+9wnFcw4up8CXGQio3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUGk3B5+/SZ4eqtiBwTDQhc9eCI0YwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgA+OnNGhwva+FKoTCmE98\nzjOQb2DC7AUppHgHgOWBoJ4CIQDVtCSIkpv8lPM7qnVGHHCX1Fb3JpiHMpnDfc3e\nCQX03g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUc5wOwzyO+0RX0/78pjPps8PSgigwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGhMzOe2dvuIjR8gvyxM2gYD5NHPIq51u2RwCE0BlrY/\nrkViPgdKtcXTbMeokeB45WHtCpQxejCP0v8EkpOx8GmjgYAwfjAdBgNVHQ4EFgQU\nzDVqn90JRuH3qNNzxj4ctQTc2RAwHwYDVR0jBBgwFoAUEldyFysWe4UQRi0Jq3On\ntoH3XkEwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA88MOwMRqvNE+\n4OL7KoduDLBW5KOT5jXyH4XhsuOhcmwCIQCj/ksejwd9W0yy1RdHWojdpAmOG13X\nqPYA2cDe1dDouw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUBwlREOUXcq2IKdU+j8b6M7osjU0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI+P0+8dSWD7NQ1df8ajieO9J5OcigfmluvLVaiHp4WB\n9n4f3Us+/5dSWsZ0DvcL8dUeTGGR6aw0bVj+JfZxuimjgYAwfjAdBgNVHQ4EFgQU\n9J4j1YVfDruO3PjyDu2sSJehlUIwHwYDVR0jBBgwFoAUGk3B5+/SZ4eqtiBwTDQh\nc9eCI0YwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2Zvby5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA2tCxi6SayHl7\nIuun/yav+srEkZ/OnQjWHXy9JEM5IO8CIQC8F2nv4c6qH/yrM4n9PwT961LMBkUE\nqTmkaGseuu20Rg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -935,10 +1049,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed IPv4\niPAddress (not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUC8ifzxOrK5MAw/1DQYn2+qvI0R8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9+qAgHvNbgjaRg5IerF1wA74+dPmFccp5+k6E\nTCu/MKR0lRIP08SV424jh5TYxhNokl54R2Ic+s6R2rJhYBnQo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUw0KhY+Jpr+0y/R5Z4YaoycYw4NwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgBcxY59v3WRXW4sufqOxXZFUillRcyvNt\nsbW4FzXSMOICIQCWCPNlUnHlm2h6Ok0mmlCMaG1OIRWiuZ5wRInKzAHpEA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUNKLS5nro9ClCvg3InOWH0PQ1rCEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY+ihfZeD5H7nDn6hHqdxR/VDp2ikj4thdUhhX\nsBVvJMtD9185p9WQ8YzRAhqmzXCjL6IdvSKQxy8fnDj4cB1Xo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUi4gmtNUqILUNaxEv48ANA/JmHP4wFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgD7fC+5Hj/KrVGylrVPADLMzCGr4YiL/C\n1Wfx25gj4Z0CIQD6tA1UOplApgW/UDpeAjpYba9QObHNFM96H0pj+LqL2w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUIQ66gBGECMrMRkrFJEy/h9rxnC0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHbLPpoUwvQH9vpqc7Ocz7v7T5PxDFjcLTocP5MRRKYH\nGzAd/Spwsve097l6/awrJcjLuo63/4fE0FGoObnRYMGjdTBzMB0GA1UdDgQWBBSC\nKr30eGriCRbvbABwl+cwV4u9rzAfBgNVHSMEGDAWgBTDQqFj4mmv7TL9HlnhhqjJ\nxjDg3DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiAv9VndtNjr3ic++Wx0epK21yl24+du\n74r+rEiZ8eAC0wIhALpOuujFlGxWvonvAXHsapxr4mlL6IBTrj48U4i0MxkF\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUAMxCg7ga/o2dqHDf6xK4bapzeJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM1xKEt3Cng59zucNObW1NdCyaO5eGz2PIlpX9ckY0fp\nknDNDn84csGDuO3NanTf6PZlT1ESWKBrH7I6miEvheejdTBzMB0GA1UdDgQWBBTp\ne8hNSREL4t/dE4b4yIFlSSi76jAfBgNVHSMEGDAWgBSLiCa01SogtQ1rES/jwA0D\n8mYc/jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0RBAgw\nBocEfwAAATAKBggqhkjOPQQDAgNIADBFAiEA6xEWvp4ksmPuQzDX50q26ioInSPC\nYV1T0AVXXfq5IBYCIFS/UOch6Fj+u1sV9XPwEGmHc32HqHPVlpF99rmzFYJG\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -957,10 +1071,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed IPv6\niPAddress (not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUNfFYnn33Dgoh6vMNZrd65DV6b60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzcl4GAF02LFnQzL/FbDUCSQIfBo8XKDzDhjh6\nN0W+kZK2bzlr3j1VqOVNea6t3aJYjkvCbcHD1CeHNVAkvrwyo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVmT+J8nC6sAzVGi+PM0+KXQg/zYwIgYDVR0eAQH/BBgwFqAUMBKH\nEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDSQAwRgIhAPkNSQ5kGYYwOgEU\nTAOagGTNnQdbphuOktuzZhbg0bWvAiEA4AtMiIIgDkIConj+3HF8olqmStj6fn4b\nad80f/VoJTk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUUh29IhwleXK9NOOz5KdAD6bf2lgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARHwPFHVi4SigVjMzf7CPjFywCaVN49ALLpWt0H\nNBWAuF+1Topel6QH4JBMoU7TWqsgoIr/I0J1HCwAMAdAQeEso3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoLUwm6Sjn7gM0qlLsBOfGm8Z64QwIgYDVR0eAQH/BBgwFqAUMBKH\nEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDSQAwRgIhAN/50w2POJLkgYph\nUCCVToGAglfNt4qDrqNb1sVkDfnOAiEAnKVjb4/NxbSALxFlWlhcPVehO9/1xB/6\nnYKOiCHgIfI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUJoBZQGDYfhbRxTeu0Ge0WNWhVbwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDOg+qi5OnO92GzNFedNzarHg19ceaHZyb9uyYg6QafE\nqfwOtFRuPuc+Ditibp53YaCts9Cd7HQtGmXq9yvTaFmjgYEwfzAdBgNVHQ4EFgQU\n7jVkP9uqE0QqdEnpTagFwyu71CUwHwYDVR0jBBgwFoAUVmT+J8nC6sAzVGi+PM0+\nKXQg/zYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDRwAwRAIgBQ1C5a//b6TJ\nP6bnP2o2e+0Zmlhgy/PUbrkHqRd3pWECIHt1vpoM1MKtQHhVlokBTXP/GlRBJevD\n07nCjXFGNmFh\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtzCCAVygAwIBAgIUKBIkOIRdExKqmfwbVMkDNkGdPQQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAEUf2CJLDFdOmGWiuZ5BDgqfX2gW1yOhWX15BXZIdek\noTcW3VVsmcx2YYYigYBfRDdvGpXwsrl/9m7xTs6NUTijgYEwfzAdBgNVHQ4EFgQU\n2HRbC2jHT6Hv74l9Br7ehBmI/vwwHwYDVR0jBBgwFoAUoLUwm6Sjn7gM0qlLsBOf\nGm8Z64QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJo6OLzem1uD\noA3xpORwD8hg+BLZ8NVv6ZuT4UIt9G60AiEA/XnU2U3o5JxOEVTANeVeDQ0rtIeV\nQL12J/UfKotHLsU=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -979,10 +1093,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE contains a non-critical NameConstraints extension, which is not\npermitted under the RFC 5280 profile:\n\n> The name constraints extension, which MUST be used only in a CA certificate", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYEIf0PuxDzD70Ll148rUXLHC87wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrcM6xbQDss273P0081H8X6g72XL2K0u28sbHF\nGq29QvCpVdBMnSIWXR6Q9w+hUXOvS5moiNBcCSb2ZG9J0dW6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHbYdgHs+nmgC1z4R2PDSs86BhsYwCgYIKoZIzj0EAwIDSAAwRQIh\nAL9FvXb8thi4f0BtjKZIGcdSsI89so011DDUiA8K/T6mAiA65yCMERrt8ABh6qlP\nAMgFwX2xrOSctDosks2xyQDR/A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDRDiAbNY9mWlKVuwbRM6tytFmOcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShvuWZnqTO/qAe0uTzDFYgAMnNwdV5tPM5/R1u\no+ovXblZvz62vlUv7jjedh/RMtUoBWpxT4FVCmpNmSGvFy1ho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkaPC0HbblxGnoWYB3ZczEdFN5Q0wCgYIKoZIzj0EAwIDSQAwRgIh\nAP9goMapbL+vH0a19pntmzUTmo09rZwVoc7thTKtl4xVAiEAykUI0Abp68EdgNkm\nWveMbJwOiHQhX0yaEUkf9+tHEY0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBzjCCAXSgAwIBAgIUU1VWCgc3pa3Th7/Hl1cK6tIiF5UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO1+3+IKTHc+xTGx2SNvAW4PpZykvVdzLFJX0hBdaRXc\nRowZmdxwudxF/Nx+4czq1Kyb+H2XrRor4709FHtvpQOjgZkwgZYwHQYDVR0OBBYE\nFIlQ3mxNP9oIV5Tsve8YjB1OTST9MB8GA1UdIwQYMBaAFB22HYB7Pp5oAtc+Edjw\n0rPOgYbGMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAaBgNVHR4EEzARoA8wDYILZXhhbXBsZS5jb20wCgYI\nKoZIzj0EAwIDSAAwRQIhAIm6i29zp8YiENwSYf3KvBsidmGVInk7Eexq3s6OPTFL\nAiBYYmru91J3v672Z7FcY6gUL/H4B7RaHXYMiuIRmaj01g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBzjCCAXSgAwIBAgIUV1o4oi6Q9K9fuhHAPcJ1aDKmKD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAS7CVGHbMN60+yRFvFzS0YXn0QVsUtLF84wiErW+Aw1\niPGZG0nrtUJUB0d2s1Y3Ubb+1lfB1QzWWxBuTdTqMrGjgZkwgZYwHQYDVR0OBBYE\nFG8kyZsThglnYkWR6oC+gr+QgQaPMB8GA1UdIwQYMBaAFJGjwtB225cRp6FmAd2X\nMxHRTeUNMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAaBgNVHR4EEzARoA8wDYILZXhhbXBsZS5jb20wCgYI\nKoZIzj0EAwIDSAAwRQIhALHEQfCOzoT4uR6+NINp4DYFZ6Oea8w0eAMHpRE6wvXB\nAiBsaDozVjE40iDekrufRjQDgg8DwDWYPUQXCZhoZG1MyA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1001,10 +1115,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE contains a critical NameConstraints extension, which is not\npermitted under the RFC 5280 profile:\n\n> The name constraints extension, which MUST be used only in a CA certificate", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUTqzKJJOSpxjJyL/VkqB/t6AHzb4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS9D8jrehCnonMQmf/Niahab2ZWNaEw4ife+Ahp\nw0HPGfz2mObNK0KYTHKfQAl2Az0+CJEvNpwY5pXe3eZlOcLMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhTEQdlz0IfPBdyAWatDp4TXNshwwCgYIKoZIzj0EAwIDRwAwRAIg\nHPBFykG8vw+8+9U+j/CfpqrFwtVjGVv+8I0bSA5D7QACIC/g75wK6tX6Wkz/N44x\nJTg7fmQVQP0n9oCrJovZJSAy\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUIxHyfalRp0CROtA02oKMOI7MaOIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQZAblmrq7zOqfsQOMVbjx0fIfzpAWByjP9uRns\nxJ04jR2P8zNsWJW0zYKT812gyt/Iqjtw12cfcBIudFNsnQMno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo6hkAO+ID8MDYCcDnMCeZCf6Yk8wCgYIKoZIzj0EAwIDSQAwRgIh\nAJX/0/asI9Ftg2TJ9Wibk417F9pnoj6ig51V/jHtb0ImAiEApqP9HRgwJiB4ASG3\nG/Kfoqv+PO4T5G0kgmYPCsDo/a0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB0TCCAXegAwIBAgIUGmj8MaLQx/BHUqOtcFpEv/L76RAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOtefBJ+TaD9mrFiB2Kl6+SBU3Tbm3mjzoGByUfv6Vbq\ntGTgAxsOSKvAy4Y6KU7ClWpgkVgr6FWoWoc2LEPnb2ejgZwwgZkwHQYDVR0OBBYE\nFI5QppXQTfhdT/hW1ajZ6nzhjCYIMB8GA1UdIwQYMBaAFIUxEHZc9CHzwXcgFmrQ\n6eE1zbIcMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAdBgNVHR4BAf8EEzARoA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDSAAwRQIgK5OEAlXhez2ZQpBiw+BekAh8wI5o+3sCzGWEzIPg\n/X4CIQDCcy9kX4XFxZ/t5ydP1cE3SHFQk6HIA1QO7Dw476X1xQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0jCCAXegAwIBAgIUGu4jb3ZuHqzhVlHS9Jyuh52cdCkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMAqP8kHKWsZUG4IwUu8wDoJ/qhzAJlU68e9OGl0bxFA\n/joJ5uTho34uitki3+rEsWgJfjLbIoiCiTYrFluy+vWjgZwwgZkwHQYDVR0OBBYE\nFG3sps8DNVP65ehE9rhKClEKMDHsMB8GA1UdIwQYMBaAFKOoZADviA/DA2AnA5zA\nnmQn+mJPMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAdBgNVHR4BAf8EEzARoA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDSQAwRgIhAKOHyDPO5XSbOD4HZXrSt5Y9uGDGJ8rHtZOXGMPX\n4OF1AiEArJ7QyJuMSvvSScomsp6easeIxbsGlylpDJbNXkXfk0s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1018,15 +1132,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::ee-empty-issuer", + "id": "rfc5280::san::malformed", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUMaseJVNbrRq5ujmj064/fUfd0ZYwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzj9muceGAXJn\nMZw5hoXbhA0wcNYEzHN7tfCtLWuiH0pjvRUAXJdRzbRtvo0sVWjeaeDBxz9lBTnR\nd5l1Kc1bc6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFM869MzTWvk8vLD4zHdC7VjPCuQA\nMAoGCCqGSM49BAMCA0gAMEUCIQCbbJEP4ai3yptLdtQRYC9ES+DfpJxpB/MzqbW5\nOpEwgQIgGpHMEQ5IceguoNKyf2dYzVQwk7mBbom/Syc/iGnJf5I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOeVkzwMw7nGwWIw4phQcQgLp+EMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARetEEhBna929rNnzwALix/hh2VLKEQudsteYg5\noNrgxbsKXn2c11+VqRq/TPBdEbDxj9ToPHdHdSt6zkWBlOcPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUduelGveXYB3S15ScBW4qvStIAKQwCgYIKoZIzj0EAwIDSAAwRQIg\nUuG+OztwCqpeZOV5YS5HULvhbcRbsP0OAEvF5shlQc4CIQD1TPPvf6k2Yc/hJ0yT\nXHV5f2QsdDzRX2rHVLIqJLdBdA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrjCCAVOgAwIBAgIUN2HMla+d/iNTpcOEia42rYWvHdcwCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAwMDAwMVoYDzI5Njkw\nNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABPEBWa2LFE9V+VC7p5FlMOTEXYwqWRU+FpEcVj/sFXBvPN+A\nY/Q9Fb+eF2sc5JUZnegH1XkYKVuQJ/mTzZQJglSjfDB6MB0GA1UdDgQWBBTuWEMa\ngd01kw96UOnKtkzwmQhnszAfBgNVHSMEGDAWgBTPOvTM01r5PLyw+Mx3Qu1Yzwrk\nADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAN5W11gVw5rMbJYt/NFj4hRm\nwQN6k3BDPI9UjiPsNyJ6AiEA29X+oV1gNYhS0VOVKtp7nXI3GBzD5/LVMGB2/fHV\n4EM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUCtHqkGVdbfa/tK+0D0lBYNWfQY4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBcDa7tYYiKos2OA2WUU16vcviShgKTqkfUx5qotqftp\n9VaCysvfmgmWkVyNdNSjvga2ieKbnD4z51kIjveQNK+jeDB2MB0GA1UdDgQWBBQl\nTcZGxfjqLey2g7N8wLwofxpzCzAfBgNVHSMEGDAWgBR256Ua95dgHdLXlJwFbiq9\nK0gApDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAryxsQ+PkPNeu8/utTXc9+rdF\nsYBvj6sNOU2yJqLmn7ECIQCAC9/PjPl9s7bMunx5y8V4Ft+aEiapjg/xL5sEQQj4\n1w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1040,15 +1154,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::ca-empty-subject", + "id": "rfc5280::san::noncritical-with-empty-subject", "features": null, - "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUSAH/VrvZixBcn7CoW1oBubOxzCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUU/X9VsD\n8DwnFbQNfsvX71wECztzrlM6369Ikt29LcBl8rGV0Q8YS+ouwUxNUDPY9R37BAsk\ngySMLlKCEq+Zt6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFN18oiKoSVAPLZdpnpFwNLQO\nft2sMAoGCCqGSM49BAMCA0gAMEUCIAdtUPIOZDO5yVIV/S9U+HrW9XdeiMi/WI97\npDwvNQKtAiEA5NejRNAAQPzMrC20i1wRxKjMhBFRiQXDWHCdDFJnomg=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUOEwpIDbkLQ6YVXANfGGWptfavv0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmblbX27Qq9Zjko3yHj7ZSACash8Zq8YN1DYj3\nBuK53WKnfC6nyIlF+JeJDGb2TkXvWnv9JKlSJGbckk1KJKYHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5pvJe0I9QPxfeiB1Auch9tPz02owCgYIKoZIzj0EAwIDSAAwRQIg\nQKuUlCwvVDyFOdtUzd1ABxH3Eg/lR7iLqUIDex5qYa0CIQD0Dfk/E+zENCv+hDLi\nMSawIyVjlL2N2H2Cye7dudCXpA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIURC6aUkKc5tefQDZinhX0MNEBuEcwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATHR3Wyuy5mbCx+\nXojCBHEUVjgzr5JjGWYdY0D+Yjo5b1q+sRZ0+CyPJJx+NmyR3YOfLEGAMtw0Rdoo\nI2sBFjJco3wwejAdBgNVHQ4EFgQUGSXWWT8KsHra3WbwqbeiRcmvxKMwHwYDVR0j\nBBgwFoAU3XyiIqhJUA8tl2mekXA0tA5+3awwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIBQWRs5rTGKig9BkS57nxoJ10TgoAt2o6HeNhqU/djGoAiEA2BQl8I4z\nmbTbB3Fj3w8USVjHa7KFfQrKsadJdys7jkc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUMz2vfVwoNITgqGTNOr4YB99o+CYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVUmLJ8G+\nqoCiTw1kWQOP6BuyyuImYPPMTTJ3w+AQNQmRwRcVg38XNrCnI6582KNqqNQHE3Hq\n767Jy5hD6TY/H6N8MHowHQYDVR0OBBYEFEjP52I2EyMd/b/VwnTmXDcofgIhMB8G\nA1UdIwQYMBaAFOabyXtCPUD8X3ogdQLnIfbT89NqMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiEAsziLu66vGnimKx4Cfs/7RN+tndDiFnzIpFEQ/glXtPcCIANv\nvfKurY6h/tpPFArGp0qrV1MAOnrIDyoYE/1W+uaB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, 
"key_usage": null, 
@@ -1062,15 +1176,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::unknown-critical-extension-ee", + "id": "rfc5280::ski::critical-ski", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX+Od/gdLkh/VCud7bKBlsVnzcd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARXZjl6swrdWGfV73DJRFhb7F23reKTP/DFJV8g\nB9X14FqNdEh2arBZkf9BEgrENwBNII321lC7XpqYITwlEk7/o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoMox80lyqh7fkIhwaCpOyhMaq90wCgYIKoZIzj0EAwIDSAAwRQIh\nAJytUarb5D74XvYSkxlWLyTQdS7ruGZALZxnwmlKo1kOAiA5LnETFVDzYbS75nDq\nFHDqJVlEewhqd6+8Uu+PodIZrg==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUXaSO0QwYcPYY57Zzq3s0LJYGshcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATFAepccN5l/uXftET9KLNBqmwF5HVO573pYRqj\nGaJAdCCJaNe8tCiIqCAUTmI6/3iutIeTGCP98kQy4LGOtq+3o1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUOwHKo7klAXCYUCH7+k2CPeO+bkEwCgYIKoZIzj0EAwIDRwAw\nRAIgQBp/Fboy10/KWOqvMlWv5inDB0Jv4B0kw84rHvSEN7MCICrqCjWOejWjU6J2\n6y114RA0XWujTYNdQ/5Ixa+WR3Nj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxTCCAWygAwIBAgIUT5nmCKGunc+IvCu4eheA9Q3eN7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKmvMRvTxttI1dtzYnc+/RwAoGRL+b+ylbrzekrntbrd\n0yPFahjCkl+n7rjXFTXcu8fAHO+HG3Bc++KQMEHHdaqjgZEwgY4wHQYDVR0OBBYE\nFEOLomYhhJyokWrMt7cmUd5LYHWAMB8GA1UdIwQYMBaAFKDKMfNJcqoe35CIcGgq\nTsoTGqvdMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0cAMEQCICPXoJuEwM/Oq3daplGbbST3xmz/FoB6BG6ZXK7OpYpMAiBdmxoqrNe9\n4Vck6Cpi0galIsWiE85EXt457PNdq6mXaQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUS2bTLn2IiKoGer8YmYwjhfAhoJgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBPXvxRIHRJu75pIaChL+NPmVB739yQABYifMiYu2DQJ\nsSDl8ylMxuXzlleY7ZVki9JGGdgxzorryMvFOB8KP3GjfDB6MB0GA1UdDgQWBBTi\nD6Xn5TwC9SNuvx9waJ80p7ijGTAfBgNVHSMEGDAWgBQX6/vKaStbchMQC6K0nZvW\nIllMSDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANLGvQ8QMtf6AiBn+WAW\n3L/xZMmw5SjusCc/u9MasG6dAiEA65yDnfc+m9QakKDO6myV6gza0526VCpGU64S\nA8jn0+8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
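Review bot: In the new `rfc5280::ski::critical-ski` vector the EE's authorityKeyIdentifier does not appear to match the root's subjectKeyIdentifier, so the chain can fail for a reason other than the critical SKI the description names. Decoding the new PEM blobs, the root's critical SKI begins `3B 01 CA A3` while the peer certificate's AKI keyIdentifier begins `17 EB FB CA`; in the malformed-IPv4 NameConstraints case earlier in this diff the two values agree (`8B 88 26 B4`). A validator that ignores SKI criticality but enforces AKI/SKI agreement would still reject this chain and so pass the case without exercising the intended check. The testcase source is not visible here, so the cause is inferred: the critical SKI was presumably computed from a key other than the root's signing key. If the mismatch is unintended, derive the SKI from the root's own key; otherwise say in `description` that it is deliberate.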
@@ -1084,15 +1198,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::unknown-critical-extension-root", + "id": "rfc5280::ski::missing-ski", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUfYZdGpVZrpUQsGqNbJkqNoAnaRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKRVpnaglfFbP+6msBNxcpseDI26Ag1uW7t6oF\nRSTZlG7L/Rakmq2ZYsr9Qdu+MghDyrjC0dcvHd6rcGYPzPpKo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX1jOfLn3pmESwWed3Em18sTx2ocwEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA4I+dzHfVeYrWthc4XzqcJU/q2BgpJV+sVx6Z\nS07+Xa8CIAt/k+94uktu/FdGULUn+ilXmXHd6Arr9rs/q0PS8Sfz\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBcTCCARagAwIBAgIUYlXKKA2OA59Ryp1h3Zmgzl9toawwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPJvmaQg/rwrwaeGzeUnVW0FhkpAqtegyMwUL6\nI3C6pYwBjLx917N/zpK7gG/nDnZR9fDdITHUyCa8ppb9qoLmozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEArq0G728XeQIpChuYyJpg7pmTPvnFONaQMdYQform\nwkwCIQCPRkf/KHzVs6uMjrktNFLzYGoIceIiSdz3/bg33XLeTA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIURIFURXzqJtpaOEUgK9Iq6br881wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIx9/son8nlEg30hA3Pw1XgCXTZGFgavUhYeljEXXX9z\nPIhZS97ZD4457uYUioMkqWMuQbHfBiDaPgrNzSFeysSjfDB6MB0GA1UdDgQWBBTq\nR5yghsND17ItI3P1E1RHSda90jAfBgNVHSMEGDAWgBRfWM58ufemYRLBZ53cSbXy\nxPHahzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgRR3eX42EcW5KKL8ba6lw\niNMtkGfaVVqKfW7HQelMX/QCIHCqFjsuHJZnBkE9glZptaUhPc7ht1vILn6YMmbh\nPm61\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUB4dlnfp5eu9cE3lRkbDisxxdXeQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCuTZk5akuebtdA1/J0iZwiQtOn0stbSuSrN1c2bQ+g6\nAf4eiYGkacLHpcJapAEkkBIYDfPyIhPVpq3xquibRRejfDB6MB0GA1UdDgQWBBRW\noN/5no0zSHDjtVCBSK+NjoIiSzAfBgNVHSMEGDAWgBSpRsPbPvEuJRBFcLUBi6r7\nyM7aKzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgHPdWoDMGj/yJl7Hg2tR/\nSKt2QH5V41ONc0y5sVaNfo4CIGBeotbNKbO9QMj5nUFaC8VASgru1OSy1icnMHWV\nyigz\n-----END CERTIFICATE-----\n", "validation_time": null, 
"signature_algorithms": null, "key_usage": null, 
@@ -1106,18 +1220,18 @@ "max_chain_depth": null }, { - "id": "rfc5280::unknown-critical-extension-intermediate", + "id": "rfc5280::validity::expired-root", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nAll three certificates are well-formed, but the root\n(and only the root) is expired at the validation time.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYXdhlpkU6swsnC/Nzup6cTWRTBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkSt5Q9Rqa7Hx9/ITnFnp37P0LhQ4tNeLZH5LW\ngH7hdL5ZYo2XGJTUc5DOzkrhctSbEYf1zAGjo6sFeHMsggVAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNTs3ToF1rVHpBSpvrshnLdPdyfYwCgYIKoZIzj0EAwIDSAAwRQIg\nJ8qaHtWeBzmwFHHXUUHA9wJNPHgCHQV8eeVHwddLBeICIQCRUXkYmFqqHhRXJTSh\ndWZWvlHj0eWYbiUOPGzKVLVO3Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATOgAwIBAgIUKuLSLauTHyjAj3mQFY+MOtryagIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTIw\nMDEwMTAwMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEd3vSXbg1iBuQEPWHi4Yf0AKV4c8R28e3zUumXzHx\nfYddQXZgTo5jaw4qey4Naxkkt+TxviwQ53DCV7zWljWhY6NXMFUwDwYDVR0TAQH/\nBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYD\nVR0OBBYEFEueRjV7N9YUDPwA38XE7L2zpSONMAoGCCqGSM49BAMCA0kAMEYCIQDY\noGxtoi7U1kLl5Q9/AkNZUmgfMNxfWi+WYBC+t4g3gAIhAPCiYQAD6c5PVdebjvyb\ngk35dm6Z3J3KfG9T44rF6KMO\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICFjCCAbygAwIBAgIUJ0PIzXw1AkgjiQTG5LznjkcOOfcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDA1NTY0MzQzOTQ1ODYxMDg0ODg0NDE2\nMTMzMzk3NjA2NjU0NTA1NjAzNTk1ODI3NDExKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBO1FiDlicWV3+rWrryQ1/UU1354ctwLCsBIuC6vB+W50dXKmkWYlCc3jylJRyKOc\nnz4OtxBys6KNpW7DhpUyVG2jgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUNTs3\nToF1rVHpBSpvrshnLdPdyfYwHQYDVR0OBBYEFL7HkV5fzlZ+UQkgbZGuOv3HsDgp\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSAAwRQIhAIlp3+1jwIKE\ngzw3Geiw2topGae+J0rfcLBVOG6mX3wPAiBL82n7ceBjTOVWNtucqvwRY7feXHrf\n0HsnqojldSF6JA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaSgAwIBAgIUExXbCwhRjq6HFjVpZKHKZH3ISj4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTI2\nMDEwMTAwMDAwMFowajE5MDcGA1UECwwwMjQ0ODM1ODg5OTEwMjgzMjQ4ODQyNjQ5\nNzgyMTEwMzIwNTQ4ODY1NDE1MjExNTIyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLU5vbmUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQ9fueU9roZ8WB2KQN/12IqLR/9Za8daMLetELqZNrq0JBOpSSU3NXCXv/PtEsn\nxP2dviulZBaTooXJ6kFaK+qGo3gwdjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRLnkY1ezfW\nFAz8AN/FxOy9s6UjjTAdBgNVHQ4EFgQUETHdDAyg/LT8wplxyjOkvvRNUWowCgYI\nKoZIzj0EAwIDSAAwRQIhAN04r51WNvoQC+0qtvLjbIVUINgaBtKQJktjFFKgrpt0\nAiA4rJQif+QtzVzRfAR/XtWp408Nwk0b4J5jSgqS2nvyYA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUL+y4BALOtEhXXuiqOtiDYgugiN0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU2NDM0Mzk0NTg2MTA4NDg4NDQxNjEzMzM5NzYwNjY1NDUw\nNTYwMzU5NTgyNzQxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbPwY\npn6OZw9dn+DtNtiTrG0rbi8e6Y9t79yZ7ddlvqCHsa1+SzXuFRd0M683sYfMY4wu\nqy8+KFacDgL05NRaNqN8MHowHQYDVR0OBBYEFJw/HPhrlQpLPI0GiV7tUavPmjTm\nMB8GA1UdIwQYMBaAFL7HkV5fzlZ+UQkgbZGuOv3HsDgpMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAwy3QdrYJMOI9yhVnldP4stzxfJP3FLNzZIBMroQJA8IC\nIQCQDmtqCXpqqDLxQsP2d407kICrLwIwUUxn5LiVLz6xWg==\n-----END CERTIFICATE-----\n", - "validation_time": null, + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaSgAwIBAgIUCKVJ6FtsDI3LVkUAHatzmOctAkAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjQ0ODM1ODg5OTEwMjgzMjQ4ODQyNjQ5NzgyMTEwMzIwNTQ4\nODY1NDE1MjExNTIyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwHhcNMTgwMTAxMDAwMDAwWhcNMjMwMTAxMDAwMDAwWjAWMRQw\nEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAAD\nMwTL/zY01W4s3N3wZ7m7L7A+YaUemAKGCO1R2NT7nSchYxvzZEyGxn6zIp9AdtQB\nems4jirLRqIsjPWFdM+jfDB6MB0GA1UdDgQWBBR50JWYo9qgTqWiE21W09EUq86r\n6DAfBgNVHSMEGDAWgBQRMd0MDKD8tPzCmXHKM6S+9E1RajALBgNVHQ8EBAMCB4Aw\nEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYI\nKoZIzj0EAwIDSAAwRQIgIM7sx/IFkkUkS5OdO4pEHZJTEm6nq6fWz6oz8Jp0TsIC\nIQCh/ShARpJKw1dHZrfRnW1ERC02l2c4BYPpepD4LOmXvQ==\n-----END CERTIFICATE-----\n", + "validation_time": "2022-01-01T00:00:00+00:00", "signature_algorithms": null, "key_usage": null, "extended_key_usage": null, 
@@ -1130,16 +1244,18 @@ "max_chain_depth": null }, { - "id": "rfc5280::critical-aki", + "id": "rfc5280::validity::expired-intermediate", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nAll three certificates are well-formed, but the intermediate\n(and only the intermediate) is expired at the validation time.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUWGTr8NRgH0Iq7si0rgzItaGAfigwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyceU02WIQEJJxNONWlQFgq4kLYCufVHJGN70e\n8Sg4CNIO0JKc+3B7IhpIlSwp40vqb6fGfjMcNsBYwN/z97nAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQENkWl5u/7aFGleVa1ArY+KvcQ8jAdBgNVHQ4EFgQUBDZF\npebv+2hRpXlWtQK2Pir3EPIwCgYIKoZIzj0EAwIDSQAwRgIhALg55vFZqJMn01sk\nQFhXjNyI4HETxdYYQ0j/7XdTHWuaAiEA+onqsquxjqV7xf1YQZDFYdnqWQ+7AnFe\nT9CLJicBjt4=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjDCCATOgAwIBAgIUFkOS19iZkXVmUjVE661khETLX6AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTI2\nMDEwMTAwMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6Ndrts7SF+tbIJhJfhJRb7jyMLohDeLSfkQqBsPZ\n4dTXLfFFI8drj67Ze7j0M1ZhvM6wQfIcs5If3CwuLZChc6NXMFUwDwYDVR0TAQH/\nBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYD\nVR0OBBYEFFGsl9pixiGWpIuATx/2q2FJ5M/tMAoGCCqGSM49BAMCA0cAMEQCICI0\nPznoZ3+Og/Zk3GLaorvd+43T+kjHXFiY7P5ISGmmAiAmX3IbeanNIVFwgKLzaBxT\nX8vD6NqW6/PAOefg+8rTag==\n-----END CERTIFICATE-----\n" ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUYp1B+AChkgph2RdZLYgdwq5qi1EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG7sVm9xxNaHhJU7MdQ4dcXYTf/nhBB2iTAJVy566V25\nwlwBoS1R2cTjVScMujG9VfXaQsRcUcGyrhov0z9zWG+jfDB6MB0GA1UdDgQWBBQy\nlLxqyBmSjz/TQyXFBSdhQpR/qDAfBgNVHSMEGDAWgBQENkWl5u/7aFGleVa1ArY+\nKvcQ8jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKnssCBZ0QOZevsg0/2q\nMDBu54S9W6+s0zvYnFGLVVXoAiAlMdkRsZWEVI0Jv/UXnbsFdXeSt1ogFaphe6xG\nSPUXoA==\n-----END CERTIFICATE-----\n", - "validation_time": null, + "untrusted_intermediates": [ + "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaSgAwIBAgIUASlDs5sJD4OnyOZzISEwJb7oesowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTIw\nMDEwMTAwMDAwMFowajE5MDcGA1UECwwwMTI3MTA0NzM4NzI4NzkxNTY1MDQxMDQ0\nMTY1NDYxOTg3NTY3NTcxMjU5MDU2MDMyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLU5vbmUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAARw/wxxh8m/05L6jb3UmLoTTCwHIisCjnt5VUnHn9Bw0cDVI+s3BjnOdK4rmL1r\nAZn6Uzp0PQII+q0S5WggL97qo3gwdjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRRrJfaYsYh\nlqSLgE8f9qthSeTP7TAdBgNVHQ4EFgQUuCx81Zpcs7yeIRUpq8RlK76uZggwCgYI\nKoZIzj0EAwIDRwAwRAIgB5p5HZwi7RtOTWywXhuqw7CTflepj7eIT1iZS8HCX0kC\nIFE+xE2elXdQfyGAjuI/G986DDASCUPpxkjfM57hGsIv\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaSgAwIBAgIUakmArzykCmNrk0aFA1C6NCj0pkgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTI3MTA0NzM4NzI4NzkxNTY1MDQxMDQ0MTY1NDYxOTg3NTY3\nNTcxMjU5MDU2MDMyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwHhcNMTgwMTAxMDAwMDAwWhcNMjMwMTAxMDAwMDAwWjAWMRQw\nEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM1C\n3NrtEJ4xcuRL+czjZqamyMVZo08y2DnCyt1VyxS3G2aOl4dqVo6JY246HN1fwvQg\nu9DOvsQLC7bUHAcYJpKjfDB6MB0GA1UdDgQWBBRBvZQEid70CUAyNujUFTcWeEd6\najAfBgNVHSMEGDAWgBS4LHzVmlyzvJ4hFSmrxGUrvq5mCDALBgNVHQ8EBAMCB4Aw\nEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYI\nKoZIzj0EAwIDSQAwRgIhAKuVEcuy7CXSwSyDP3WwW6z2SQ2xL6nzJ/z4Oo8BDDYf\nAiEAviXlMQMruPgD7zOiEKSRHmCJPmco1vXndnTxJGOM2lA=\n-----END CERTIFICATE-----\n", + "validation_time": "2022-01-01T00:00:00+00:00", "signature_algorithms": null, "key_usage": null, "extended_key_usage": null, 
@@ -1152,20 +1268,22 @@ "max_chain_depth": null }, { - "id": "rfc5280::self-signed-root-missing-aki", + "id": "rfc5280::validity::expired-leaf", "features": null, - "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nAll three certificates are well-formed, but the leaf\n(and only the leaf) is expired at the validation time.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUe1HieRyWKjoI+g2S4QX/hV0J9F8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkbPPfO7q9ZUcgKcOSBbCNNeHfozNaiuI+Ah9O\nvKH4dZ7PqAuxHLfY+aK7onA9osOPlyporo08OM5TISFIauM8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQTnBxCvUSaN4Z9Ksmva8QgQOA+YwCgYIKoZIzj0EAwIDSAAwRQIg\nLRc5brVNNNNBcPgQ56UR+xEhsblFtrGDecjruw2GJO8CIQCutFUhm9mdkDmbjVYY\n/94NRYHvIk9wYver23pmgm8DfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjTCCATOgAwIBAgIUGTCRYYXXCFr99jAznwSE3DT4ByIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTI2\nMDEwMTAwMDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE6xJHuIVk08lNi7kLb7shScTQGOVj6ffk0f3ZEJjF\nkJ/BompoFQe2kvmexjGrgFe8LgjuMYeiuRLVTnClMbBMC6NXMFUwDwYDVR0TAQH/\nBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYD\nVR0OBBYEFN5J9IeHgG1L0zx1dpyYGklpzHgSMAoGCCqGSM49BAMCA0gAMEUCIQDl\nfNuAuYC9LGX5tGnx3+VMPC+306QebqRNbYa8coOXIQIgMA8rNYLRb2y8hvYQL8fQ\nrf8Y88Mh9LQb4K+Sr349bPU=\n-----END CERTIFICATE-----\n" ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUROHbIvGurXLrO0kcupsvuGH21JEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHwORAh3eTW2IxbddjiLMNywOPcnrR4I2bXIxB3F4Q+c\nOP4QFaDFUZNyPsw97OiFXj3VxiDlWjiwJ4NTuRzLUoyjfDB6MB0GA1UdDgQWBBS8\nB4mVKlWiW/SN04QBEIHpHdBwRzAfBgNVHSMEGDAWgBRBOcHEK9RJo3hn0qya9rxC\nBA4D5jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOMWmdbRN+mQHUPruiFw\nnby9K353U+AEfmNsZWbjmAi0AiEApvi/nuk3hHuT0hruITGzaOKrj05UWF25kgRw\n33+WFPQ=\n-----END CERTIFICATE-----\n", - "validation_time": null, + "untrusted_intermediates": [ + "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaSgAwIBAgIUBzfxotQPZieahK5p09XgFP9gNKIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MB4XDTE2MDEwMTAwMDAwMFoXDTI2\nMDEwMTAwMDAwMFowajE5MDcGA1UECwwwMTQzODA3ODY5NTA2ODc4OTkxMzE1ODA0\nNjEzMjMwNTU0NjQ5OTMyODc5ODkwMjEwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWlu\ndGVybWVkaWF0ZS1wYXRobGVuLU5vbmUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATs6auCILOw8372hSEcIxqRfn20xJyPxoJiMgAjGOaVpbsnizcfiRiogwhhQGLK\ncUWDgpeL2xWRCckhe1SYT4ipo3gwdjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQE\nAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTeSfSHh4Bt\nS9M8dXacmBpJacx4EjAdBgNVHQ4EFgQUa74djl2l4KoBW3adp4BIzycFKfgwCgYI\nKoZIzj0EAwIDRwAwRAIgLX5Mg9f27kUIeY3ylaX4FZO3NGTj0QA3yfI7CcJB7ToC\nIEY1W/4etPGbwNqGU2h0GRQxRfc1zGN/NbVGq5BkAhnu\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaSgAwIBAgIUMnn65U0IRvRmeb2Wb+t0HZd5IUkwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTQzODA3ODY5NTA2ODc4OTkxMzE1ODA0NjEzMjMwNTU0NjQ5\nOTMyODc5ODkwMjEwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwHhcNMTgwMTAxMDAwMDAwWhcNMjEwMTAxMDAwMDAwWjAWMRQw\nEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE0K\nOUEaTL+RLqgqfjtyCzlEwbUCWvC2QjhFE9AH+jotgArxmcYX6e/clQeXzVq1EjK3\ngXgu9UUTNVwl3lu8pa6jfDB6MB0GA1UdDgQWBBT3I1gQAzVGvULudh93kDhazXrp\nWzAfBgNVHSMEGDAWgBRrvh2OXaXgqgFbdp2ngEjPJwUp+DALBgNVHQ8EBAMCB4Aw\nEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYI\nKoZIzj0EAwIDSAAwRQIhAKXYOjQTDylmQfKIj6X2dtFoXZLIw/Q7dO1w6x+iYsTe\nAiBIkbGSshWMvK17i1ksuXCX4c5dUIfP4mUP97nGF4zhyw==\n-----END CERTIFICATE-----\n", + "validation_time": "2022-01-01T00:00:00+00:00", "signature_algorithms": null, "key_usage": null, "extended_key_usage": null, - "expected_result": "SUCCESS", + "expected_result": "FAILURE", "expected_peer_name": { "kind": "DNS", "value": "example.com" 
@@ -1174,17 +1292,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::cross-signed-root-missing-aki", - "features": [ - "pedantic-rfc5280" - ], - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "id": "rfc5280::ee-empty-issuer", + "features": null, + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUTCC/t9wBhE2r8mUDaE1z6bT/7rgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC83ODIyMTU3OTc3MDYwNTEyNjQ5MjM3\nODkxMzY4MTIwNzI2Mjk1OTU5Mzc2MjQ2MjEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nVR3k3PuQoGqW5sLmiN2Jkq632s9rxmaPPwS9EJotM/vvlZQbA1xkX2mdU5x2zQUZ\nhIl0cO/kHaJWwNHR7IUQCqNaMFgwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFBP7W1EINcAR\nZNM9dQ+sp9ZNjLw6MAoGCCqGSM49BAMCA0gAMEUCIQDon/rqCxSL8ecnwq4vVv1V\n34JRM9y8efITeHJ53Ip2igIgS/zsk20KfiazrqfQW6CEK2HJMDDgwSSQ9U26qvYC\nTI8=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBcjCCARigAwIBAgIUTdB9gHFotFeAcFUTy22oE1J8dUYwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7VCslKgfjMYD\nId2TFA/4wcPRkuSEJl3eIk1hoEdDG5lzArUe7/+CZ0O0EFTzLck0B4YSNNUajYr6\nL2oXtzSs8qNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFNwj2bEJN7o3u/5sAHXRsN4KolAu\nMAoGCCqGSM49BAMCA0gAMEUCIQCMrdQlF0Y/nx5QBiL3EAzvOHu6E97yDQydo+Gh\n/PkAewIgFE62mx4Zq/gvyoBuJAqOFuTwoNqpQi4twzXXosHCFco=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaKgAwIBAgIUZ8J50CdpoEk/bHEoTl7Ew58Qx1YwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNzgyMjE1Nzk3NzA2MDUxMjY0OTIzNzg5MTM2ODEyMDcyNjI5\nNTk1OTM3NjI0NjIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASC7uGW\nTJTnF+HqB2wYI9kerEK0bAiFI3b7LJZWCtBLW7YfiYAmDZEqptIeZXS2frhT2NxW\nYYtDdK+iUTtD7zEVo3wwejAdBgNVHQ4EFgQUrSL/+7kmPIU8IMuJVblgieRiYnQw\nHwYDVR0jBBgwFoAUE/tbUQg1wBFk0z11D6yn1k2MvDowCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0kAMEYCIQCK3bZX/JYmstihXdIqVxr80xd9hIklZw+GeEeuNThP5gIh\nAP+EzrIHs/jWOaOnAn2UyzBY3eN1lrD7hgIVc0N+IVk+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUbZ9qlprJaaLO2gggmNuTSGEHXbswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTcwMDEwMTAwMDAwMVoYDzI5Njkw\nNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG\nCCqGSM49AwEHA0IABF5LblANBPEUGqn4TPN/GRDM+mOeSNMdf5oHjM5ue5+se4/U\nF3vM8ioRJPHz9GQmlf9q9yDiY3QQzED6SJc9ii+jfDB6MB0GA1UdDgQWBBRT4E46\nReX5Zz0uOx9CHB5WvXll8DAfBgNVHSMEGDAWgBTcI9mxCTe6N7v+bAB10bDeCqJQ\nLjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAM7RVoZXpLUVP7lPkrPzg4Ru\na+BlECbokviSHJ/o0TAkAiB7mBYIzprhopq6qTGehRu6c37+5T8Jj34/IqaAQFM/\nug==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
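Review bot: The description added for `rfc5280::ee-empty-issuer` says the chain is invalid because the EE "has an empty issuer name", but the encoded certificates in this hunk put the empty issuer on the other certificate. The DER of the `trusted_certs` entry carries an empty issuer `SEQUENCE` with subject `CN=empty-issuer`, while the `peer_certificate` has the non-empty issuer `CN=empty-issuer`. This matters for anyone triaging harness results: a verifier that never inspects a trust anchor's own issuer field could accept this chain, and the description would send the reader to look at EE issuer handling instead. Compare `rfc5280::ca-empty-subject` in the next hunk, where the EE's issuer really is empty. Since `limbo.json` looks generated, the fix presumably belongs in the testcase source: either reword to something like `This chain is invalid because the root has an empty issuer name (its subject is "empty-issuer")`, or change the builder so the EE is the certificate with the empty issuer. The testcase object continues past the end of this hunk, so its `expected_result` is not visible here.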
@@ -1198,17 +1314,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::intermediate-missing-aki", + "id": "rfc5280::ca-empty-subject", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIULy1xZ5RchhLxvOTXfc1HGTNwpXkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgQZTkhzyLFQO4CxPsoHe5RVj59rMQWQxAAg3M\nX0IhN3LDQroEB5RxcZs+UVFQ8xTruxNyhXZXkYRCyRq6ri3qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvAf3puHwZj8iaFqMIWabIISsFscwCgYIKoZIzj0EAwIDRwAwRAIg\nHoj/D32PTU4cYV9sP1EULq8JzO4zNalEuQxAGiRrX7YCIHYOVciUESCxW1fjoOzb\nGVK2ykwfv8N2qUpMgevXPLyz\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBdjCCARugAwIBAgIUXQZqydG2T/m31bA8aIf3+3o0eqEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqcSp+2BW\n3/x1i1NOCxMIUh/l2l96UdcfgkFRWYmKrSkPsJEpZL53oTrWR/Wvv9Np6NEmi8S6\nYng9w9JKa8qp+KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFKHsPgAeyYYCyo0LSiqHzsoq\nQKqJMAoGCCqGSM49BAMCA0kAMEYCIQDpJELqTC9at3M8jlqtc6OjRIqLKIBdw+hM\nqZbJQn7wvAIhAJ97st0mYiM62bzqQI4dBmClXxYJe/QoIjvzc6dF73XS\n-----END CERTIFICATE-----\n" ], - "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB3jCCAYWgAwIBAgIUJy9wfls2kxj+qFxiNG5n4iUsoB8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyNjkzMzU5Nzg2OTcyNTQ1NzE0NzU4\nMjA0ODg4MTQ4OTA1MTE1NDI2MjM3MDg1MzcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBF/BvOEK335WRLhh//jDhvSm63ppdik1AWcJW+LS0IA/aI/ZqRbK1vCVHuByTQ2F\nwXEBZHAN8xpGJDgYQq/65JWjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQm79Ra9/yz\ntYSbiIRHkj4y36sN0TAKBggqhkjOPQQDAgNHADBEAiBwST5XdlT/Au313ipLVBLf\nCwSzGrm/YbgmWkkwew4BeQIgRNKO+p+yvJDnbjubOaypd10Eh/DYmLfpFL26+CJM\n0kE=\n-----END CERTIFICATE-----\n" - ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUDqypCkgZnuhP1QrqXzWaHOZ9zCswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjY5MzM1OTc4Njk3MjU0NTcxNDc1ODIwNDg4ODE0ODkwNTEx\nNTQyNjIzNzA4NTM3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfYX8\n+196wPo4EJKvET+CVaB5PzMT4m2pWBWz1HxIkzcQuueAim6uA3PHfxRPl+LRe4h6\no6Q3a03/lk5y50I6RKN8MHowHQYDVR0OBBYEFPdx/LxnJUTl+NRIuxj4pI+ayuhA\nMB8GA1UdIwQYMBaAFCbv1Fr3/LO1hJuIhEeSPjLfqw3RMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEA4Lg8wuTmsYPKqBuMWNWcl7JBwiS/fbUADd9FvIwUUe4C\nIBfUBg87lTrqXd/eV8pDSi/V3f86alTqGXubBDkFyJJ9\n-----END CERTIFICATE-----\n", + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATygAwIBAgIUNG2uEWDw0u5saKtqvWr3YyRlA9YwCgYIKoZIzj0EAwIw\nADAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwL\nZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASyIptK26tPhuD6\n/daHvPWlZZDeE9gQ1GvnIlj/M8SZFGiw1uqBpyoZKCfpBnKtTcVYw64x+43x+R79\n5liO4Fc5o3wwejAdBgNVHQ4EFgQU/9OodjN5I2N9rkitwbm1oTpJg1UwHwYDVR0j\nBBgwFoAUoew+AB7JhgLKjQtKKofOyipAqokwCwYDVR0PBAQDAgeAMBMGA1UdJQQM\nMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMC\nA0gAMEUCIHssMIQrzvwfI8bkUWxrxDZamdM+sUZP43AhWQHDU9BkAiEA6VxhX23+\nGQ2ttcTpjtj+WJ5RQ2TMBF+79bEtx3uu/bY=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1222,15 +1336,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::leaf-missing-aki", + "id": "rfc5280::unknown-critical-extension-ee", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJ8F3q8gvtjVPpB/lkRr1VrukwbgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAART8Zcv11ErHNKkJmaZ6n6q90KrjDM6XZTapI+q\nbaXUQr0GsO3lkUx5ju2a8o2Aq9foY8p+judrtpa9K55D5Qaso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzLfriviBUbHc1ICcEwDQoxR3FkAwCgYIKoZIzj0EAwIDRwAwRAIg\nM2iqJ9Sv4axKp34/IdzOEg8qNMWpJ2HGsZ640hd8HgICIAvWjqU0SEIbZC5yeara\nZ5yddTrqX7gv54tYHJ7yeJdJ\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUaFel3y+M+o3mNp21LDtgslq+fTYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARH4nWwn1snQrJLDQSUot4fYxO1FJOxqsQR+QmA\nHxnWfzso4myjDcGrrzMNLsQmKyPpqPfP4J+FAE9GCvFsaz+Yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUHBwhSKiORbrsEfzRtrBcKZ/Xc2kwCgYIKoZIzj0EAwIDSAAwRQIg\nUeceJrQoMSAf2QpQ4pmfumUWnIq7eyJb0muOnVAYM0kCIQDHc2w1rQpb7+jK6b0c\nm1smpDKuaDPgyRrO44nPfSe+KQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUX79zmCkqDi/xHC2PMgtOpqSEsl0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKEVjsRHNbYL6448JZcSuVU1dyOGyzFhXoGCfHHkjNmu\nRhONRf0gjtVFNpgs1lo/pib8Btg1MiZk+VgRc+3gU5mjWzBZMB0GA1UdDgQWBBQU\nXeN1C9NIXaaGqeCIq7/wksLLZjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh\nAKxqgk3oYIxwfvFI2Se+QT1jfsAhXqdVPvw5SF3cPeknAiEAnC2IOZ7xnFYP0WYz\nzjYGsVychlYNE+34Ezxc+BKqMdg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxjCCAWygAwIBAgIURH8JBwJIlwh52CrqzeqCV3QXkv8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNzt5IL7jlJZ/0KbV56r5UsOLZshcm73+V586P64C2oA\nEGA66zyRIMHuSkEihVgNrrcJFxgf+fRIHRU2351wn7ajgZEwgY4wHQYDVR0OBBYE\nFDzqwtYgZRLBa0UWmqcF1hrmzkWDMB8GA1UdIwQYMBaAFBwcIUiojkW67BH80baw\nXCmf13NpMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTASBgsrBgEEAYOzOoUaAQEB/wQAMAoGCCqGSM49BAMC\nA0gAMEUCIB68TbW3K3mxf/AKA9xtB7+4RlPTBopLP7j0qKAh9L87AiEAmKncdQxO\nJJS3dWG7G4pApEngtapnCKQvXjff2hTfTK4=\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1244,15 +1358,15 @@ "max_chain_depth": null }, { - "id": "rfc5280::critical-ski", + "id": "rfc5280::unknown-critical-extension-root", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkTCCATigAwIBAgIUIxoK82fVCqyJZKV2vq5POcouaeMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARxv57rtg0G1i2uJ8SBElZ+6xVw93PwxAvefAO5\naQ55a7/s9FcpdFazoAGPX2NS16DJOFYQAjnvy0yiDreVVREho1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUafHrsLPcYmW8ZD3uNbwvrf6wm2YwCgYIKoZIzj0EAwIDRwAw\nRAIgaQcEOUESYjfQwQKhZzPt/AVGi6zd83BXhv+wDrjssQMCIGoK0dMMtBjDDs/o\nQu9Juuoz5G/gYcG2DBkIWWP3q/+G\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUR+FeUJ2ZO5QKrbrww+fYzyvO6MEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQWsA64TLIZhHPTt8CBceVnAeS9TS3rH2vKllOG\n8xaDRITR0lAc4H0UZvh6D62e4SH3JUwE/UIysDWoWe0G/FsUo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0nBvX3Pz9H+cTTGeJvYqRejcqY8wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiBAZsg7VZDYwVsWO8qqZdeYdim3fs73GmK380SB\nFif7rQIhAMmuQX29FTnoCtMdqzuc0amomPURvlwh6VY/keqj8Evh\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUQCnPvv/3zjj61yDjaSgufekDn34wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKzkMLPMC7Rl9J2d7JsG0FJnfvfFJ7qxzql1mBeDUFzN\nC5snzQqpqgpIV+lT02Yx+WkiChTY8MOQZWcXfk2j+KqjfDB6MB0GA1UdDgQWBBSZ\nvWC2i9Ezz5/eBERi/FpE1NkcpzAfBgNVHSMEGDAWgBSL/a2SBExqoxJeHmAsavir\nK1hxlTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALZJSoNGYmQWEGE4JDLS\n6Cy+7kE2TSywCuz3/jBhFLFxAiBjePUm06BwrbryXcWxMJQ1KKImlC2T4ikvR/J5\nz9We6g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUS0Lfbm0nP6J7ObIGqaTuIRx9RR4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIHh3vhxnkAgy6wSanZcgRtFuhcchRFQ2j0D0MdfI7b2\n9y9UxnZCbZgHGflp4E8vhQutj9BURUmC81kowK9gWQSjfDB6MB0GA1UdDgQWBBSy\ncZZLURpIAg4i/bzD9CKrHt5j4DAfBgNVHSMEGDAWgBTScG9fc/P0f5xNMZ4m9ipF\n6NypjzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIGmJ8Ej8+MxrBGWuh/g\nCPulf0vmbjvvp+T6HNiqDtXMAiEA2zo6aWHibMYGpGdxs7MYLngS//4/6jgcd6X1\n9/lc6nM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1266,15 +1380,17 @@ "max_chain_depth": null }, { - "id": "rfc5280::missing-ski", + "id": "rfc5280::unknown-critical-extension-intermediate", "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", + "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. 
As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAgIUa37IkoPn2oer8VO39kXikMaQKJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1WObFB9+C4FGWmoju6evi8V1x30FC4WSMOEl0\nF8swdS9dHydLUqpu2460gWi1OXJM4sj1j7mQsu5v0lGT+4mPozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBQfBaoiHTbOtdUoxzlmHrzCXHp3OzoGDTl+/nasPM2\nMgIgVt0//F0SbDrrlgxoDPP8/z4P4kcgqnv9YuFcfQ7qXss=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGaUJ84JO9cAMWfF4nhj0foCTDFUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKaXEw5jzFPS1IEO0/cu0N9mxHXpLOSa/trLue\nDQqzdqba9LJ05UZ2j2g2On/n2zBGfrt8UKDR6mzm0ev+BrRyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKBcd/wQVyN+f9nCKwMGL9QIQFlQwCgYIKoZIzj0EAwIDSAAwRQIh\nAOhu67DXLslp4SN5R7gPeyxAVuY/fSBuVv6F54kxbGMhAiAjsNW1Z7BeQQsp7tAc\nwke4sfrT9pm3wNEGeI8WddwTKg==\n-----END CERTIFICATE-----\n" ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUS1vy9DKJGrY/Z/UpcQLSc5HvOskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHYBBceB22quDBNAhVBD+jw2q2vlxzerJDHX/VkM/PCk\np6hoyc2UjSxlluY3i1VGxbg4ZB7vWlNG6nGsncQwdOujfDB6MB0GA1UdDgQWBBSi\nw01euZ5YJIL9g5SpFf6s9xSWmDAfBgNVHSMEGDAWgBQA78fDlT5AUHj8Jp7JWjmM\n0LjuXDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAPyiEyCvR4MIRayUfa2O\njCoikXDyTezIAdBkM8Fst36DAiEAutNPlZR6Wzdaw8Ft2NG03Q/v2CYSbKuNyYlK\nThItDw4=\n-----END CERTIFICATE-----\n", + "untrusted_intermediates": [ + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUJtiaVLCbIurZdSxIDia/irr1TRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAxNDY0MDUyNTkxMDA3NTE3MTE1Njc0\nMzU4NjM5MzY3MTQyMzA5MjAwMDYyNzQxMzMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBNC4MiR9MDhmlgwxiwt76tnrfpvi6/t4GpMLezD97gYRbeicb3v5vaIbdzSbXq47\nTHawazhhHm8ot9i0fe1Zp2GjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUKBcd\n/wQVyN+f9nCKwMGL9QIQFlQwHQYDVR0OBBYEFLpn+6PmkxpqeELAgJLJf0KMWiLc\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgNzMPmd36pdRO\n7d5+L7DWq1uY8+28RmRvzCF2hPRP6rECIH2P3dmV5Yp5NOCgws7/akYPTTKHEjXp\nQ9ylhMlGvfxy\n-----END CERTIFICATE-----\n" + ], + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUNz6Asj66ecjJp4VoPapUZp2T/0UwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTQ2NDA1MjU5MTAwNzUxNzExNTY3NDM1ODYzOTM2NzE0MjMw\nOTIwMDA2Mjc0MTMzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUh7m\nTmfz5RF7CQvW9AhbxXz8AiOANcGXgg3FmaWAsKFi1rxRQrwYIF1nMwXldBwPUkJz\ncPvoVQl7rqIucyb4IKN8MHowHQYDVR0OBBYEFL4Zf7SLFXBc2VNMWaZPpkMuQEl8\nMB8GA1UdIwQYMBaAFLpn+6PmkxpqeELAgJLJf0KMWiLcMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiBsBLvhosNzBpMgFVEFAR2lnAJTRXsGgs/bxpPz/S1prwIh\nAORasgnK1d9dV5d/M3VRHRDdqhPZ4mtlYSWGa4ziBDdV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1293,13 +1409,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUAyflcI8tblCvxldWb4gMlUgqHkMwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGHcrCK2r390\nSxX4AIH9niiWDp+PI0PGnpw7P3xCmPf4N7Ecr8ycpahDpVUMhTON8/xTwI1e41zP\nJ/l58lfq1GqjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSdfFU3qt4jdSRteC1eMqPxT1tF\nrTAKBggqhkjOPQQDAgNIADBFAiEAlEw7xQ+k1WGiT7Y1B1OJ30ziqoSDDqmLODg1\nKm/tY1wCIFPUknr36XYpuS86iYl5SPiEIxins1w3LrmbKY1QeCH9\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUFvV47JtbN0VZomZnnFHZIe2QnycwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw03MDAxMDEw\nMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN6kLPDsHyWu\nBWkd0mlUV42FkocwTF5q/KmTuFnnoLkk3ZELBJ5aVvN+Y0h+D8t48UqYDX8vqtp2\n/RKikKTfg06jVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQJ8X5JHhYkVaKp3SJAHID5G/Rf\noTAKBggqhkjOPQQDAgNJADBGAiEApAt4jRCaoYf7dq4onkMCuiUQXPnP8n5KB54O\nJxKgAQcCIQDZjeb8sJpyTkMNv6r3TInGbrvZqetwXDplUagEI+qefg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJgDCj+RdvznISr8nTW/sxdUe/oAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASZBTJZMU1n+zfoxrSPjJF+bipB7URO1/ZCSqE6\nJ44Zw/0mUWXOqyNplM9KYddxbys8HkVjOiX1+mMs4/nV38Ueo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUq3Vu7krWV2g6+tEZCa5ud0qIUOAwCgYIKoZIzj0EAwIDRwAwRAIg\nF5LnllTAqcP7B6K0T1y4c2mCfM4JiDBDkylH/1vNYrkCIAkeoFq8Ls4ZcQYhp3n9\nE8k8bSZu+B2Kruz1MLX/Q4wl\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUe5PBvENZ0cGwoYih8alV5MlM7KAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBnMTkwNwYDVQQLDDAyMTY5NTg1OTgwMzg3MDU4NzgyNjc5\nNDA2NzE2MDA5NTY4NTk1NDc1Nzg3MjgwNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBBlnmZ6WGlcF0NYCiQyqI5m0iNiTaUezv5b2cNWKAxjmnHo4Y1QrRn84OSEmhwYr\nPHAhir83j/aJiFnnfFfoSuCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKt1bu5K\n1ldoOvrRGQmubndKiFDgMB0GA1UdDgQWBBTY8kobv6EruDtmEQr+FtT6AUnkqjAK\nBggqhkjOPQQDAgNIADBFAiAKq+5+ZpZlN5YT5MaM8ojZhiaytavyWe/ArMxGG+2K\nvgIhAMlbkNFW6vI6d5Rx+dS6KqwGVc4OUj5QTLYD7+jy4TiX\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBGZzdhulp3q8P9WB+6zhgkbNSf8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQULEVJtWl+ZUbMBOgzJJ1cf6BkNfZahyDkK84V\nx9l1WUbei613g0Pk7uv+qFXzBuqJ16gf+17XB0KjXRS5Q0CTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPQVHVp+Jrg74cbc497Rl6N0cW+swCgYIKoZIzj0EAwIDSAAwRQIh\nAPuOpgQcFg8hPy4Q54q59pDeRZU45fy+WkXmBaMI+iEtAiAcllekm3CzdXxKUCpe\nPeLIZazgf1dmmdxhPZuG4qGTLg==\n-----END CERTIFICATE-----\n", + 
"-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIULR5Rvz3B2aE0Njx/y2PX9Yb27HUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBmMTgwNgYDVQQLDC8yNTEyMDY5NzE5NjQ5NjIxMjUxMDgy\nMzIzMzMzMjg0MzM4MDQzNjEzNzQ5NTAzOTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRlOFXsP6P8/2px9kNU+SiU7dXVD0F/W3bxGRjrerMq167HUFAnNzZkc0ZMrg9xJL\nBkUfIf8rPT2aT/y6/IMoJKN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUPQVHVp+J\nrg74cbc497Rl6N0cW+swHQYDVR0OBBYEFDvQRMCy+W39fDRl0bPKMliZSc3rMAoG\nCCqGSM49BAMCA0cAMEQCIEmJ+SnV4CmWy1qLf4svwTVbCspJ4jiNNzZ0GTEnlGZp\nAiB/6nQ7OiHSqHCjoJnPSDMuAf5EezUsy+XLL7Sfj4OeAg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB/TCCAaOgAwIBAgIUcLYO9AkA/NRQQkETGPmXWMvEuZEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjE2OTU4NTk4MDM4NzA1ODc4MjY3OTQwNjcxNjAwOTU2ODU5\nNTQ3NTc4NzI4MDY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExNL5\nlvdhmtx2G6H21oks7fFUqZASD+wXH/LRX3+k77b8joVbtn/QX+rqRtKZcN4JyZyU\n32o1JaTdcAcqpE+ZsqN8MHowHQYDVR0OBBYEFGBl6ZVCJN2Qm4QAOS+CGH5f/M+M\nMB8GA1UdIwQYMBaAFNjyShu/oSu4O2YRCv4W1PoBSeSqMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiAG6ko1TXyySp0ooOYDKKCRmWt18eCq+u4PIIzXfzPeuwIh\nAJW4FkHTExZK8ADevq3e1oyEjXr2IPyg8TGld7+qcVoK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/DCCAaKgAwIBAgIUbY7+MUbbtuZsvznOE9Q7el2fepswCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjUxMjA2OTcxOTY0OTYyMTI1MTA4MjMyMzMzMzI4NDMzODA0\nMzYxMzc0OTUwMzkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUekYr\nqo9jdhdE7PA0HLtkhOHUAdB/6qjiIh97K/ZwFVyKoKA39U+ZjD3bEXwRvxzztJsX\nds5slBatb7I/WfX5o3wwejAdBgNVHQ4EFgQUogeg3P4f9xn65rGoYx/pC4mzKtgw\nHwYDVR0jBBgwFoAUO9BEwLL5bf18NGXRs8oyWJlJzeswCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0gAMEUCIF7mK3+UmoHfCVii26kBCoQUEXTbYruwf5ZznVPJ1fE8AiEA\n9sJ+rKOClK9JlqktCsTBAjlSAkxwxuYg59b8OCv/vHs=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1318,12 +1434,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBufurmdLpLrOjLMqUU7bHLBb2lEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEM7RiDezJscy5eYzrSmG9S+Z9j7+CNGAZTHgH\n5f3kumz1MbM3k8ktbQ6gWknS06owgH8/TFAATeS538328Xqxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMH3mWVZWOak3oa8yM52P90+ECh8wCgYIKoZIzj0EAwIDRwAwRAIg\nW9XCF4SvOU5iWbwGUH1b0PrUT1tettzWYWoXx54tPKgCIFcnGSFZHbRMCy+RGmY3\nsNd5zLkMoVMXcP8OGrbKdhzZ\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUJr3RdjZ1U769VxKPV9gd6dggRa8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR3FhQuFXGHPMdbKcXSuGBh+bjYKV3aHxQixpm1\n8STtDPBeh0AQVoZFvtnD4oexhkwLs7+4KeRku4vVgkGuvOnqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUE0HSI3s84VY5ws75USl136jxxMYwCgYIKoZIzj0EAwIDRwAwRAIg\nC1ThqTMsXJndjXIIvYkGpPs5PxmeC5CPncLt5+t0uGcCIE9XddSX5gUpZGmB1Jli\nBsDkGpMgR1cjfBqTKJN7D9Eg\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUPfePrNeVHBMAoexDi3U572qxes8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBpMTgwNgYDVQQLDC8zOTQyNjIwODgzNjI5MDQ2MTIxODg2\nMTgzNDUzMzU0Njg2Mjk0OTg1NDU5OTc2MTEtMCsGA1UEAwwkeDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi1Ob25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAE+j7SzWa40yifOQj4OKQ+N0hu2Ayayco0UFPdZ0ndFGDG++3QYIGya9G0248q\ntZr7HmFlkno8YYZVLIFJ9318PKN1MHMwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMC\nAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMH3mWVZWOak3\noa8yM52P90+ECh8wHQYDVR0OBBYEFJUgIlzmr6YSba5e3jI0TXHCm6PsMAoGCCqG\nSM49BAMCA0cAMEQCIBKYp5R7NSliHPzJDCM+sQy3dACC+Ujads6PirGwVQi5AiBA\nbouWy25+AAoBQ685Ih2J832xEOaM2d6rZLktnLEfWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/DCCAaOgAwIBAgIUf2b1eno5rVmItw0IXU6bXfpnlxwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAyMjExNzQ3MzY4MjcyOTQ3MzMzMTM2\nNzc0OTUwMDA2MTgxMTQxMzg0Mjk3MzYzNjcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABM4Er0dsjMgEhqpBWQzyn9rAsApzgtH2xSz8E+kBuHEOARyoTrKhgKHQi4ny\ndzMQmOzLpFZ9Vofy9gaQUSH0PsmjdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFBNB0iN7POFW\nOcLO+VEpdd+o8cTGMB0GA1UdDgQWBBQTUOlxEHXPw962unouFcqZVZkqRzAKBggq\nhkjOPQQDAgNHADBEAiBC35fBz46fsoUdicy/CTQp6AFoDvJx+UshLRRAwobogQIg\nMp1EYjEifoGhJGwAX43zOMnAJFtpZDEuiIc5KwgzFHE=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUPEYi8lhandCxyj7swvkqaWqlXykwCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMzk0MjYyMDg4MzYyOTA0NjEyMTg4NjE4MzQ1MzM1NDY4NjI5\nNDk4NTQ1OTk3NjExLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEU\nMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARD\nVT7+/++sHtZq5A4855RRXHrTGqNlpZeNauEVRC5JPb4VWqtn+BmkKE/Hjr3ENVRD\nYbaz4AKljigbTJPvOAYXo3wwejAdBgNVHQ4EFgQUeFXWesBlCSYBtI+xba7rRzfd\nYq4wHwYDVR0jBBgwFoAUlSAiXOavphJtrl7eMjRNccKbo+wwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIEAGjaWRM0QCFqHuW8rWWPvy7xr9bB3JZ7e41KBWV2A1\nAiEA0WjbOKC7W+kzY7gRuUSqkprEilcPiIe1LDl7p0elwhg=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKk64K6Wugiixhare0OskBcxXo5QwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjIxMTc0NzM2ODI3Mjk0NzMzMzEzNjc3NDk1MDAwNjE4MTE0\nMTM4NDI5NzM2MzY3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nPDjf7tr18k52BR1m2TfMEC+e09dGvMCG4mYSXOEJiS+JeZ8jgxPkok5PKJy8IDAy\nyMLKwWo8hyeLPl/LDzDlRqN8MHowHQYDVR0OBBYEFCWdLUIpJMJcED3a9trWic4i\n5EMyMB8GA1UdIwQYMBaAFBNQ6XEQdc/D3ra6ei4VyplVmSpHMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiBckeREHKubkmzepbX+azKd186xv5KzXpyRhHHAAzPv\n6AIhAPljff8A5VM3dNTHGIjPkmD0kKGCy10I/xrUiDlz1VyC\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1342,10 +1458,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUI9S96/Qdsj8IG+9FDZyEU9RVuaowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvXJjPoU8vZ0DUYUgJNH/v/moilWGVwZ6V3KT+\nE07ZYyiDkIrGM36FjlSGqjJ+0v8UEMRYF+Kjw27Wo9ED8NZ1o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfDaOkCKwbkUUltPNZfKGtov+7TowCgYIKoZIzj0EAwIDSQAwRgIh\nAJNRYrhq0JvHhIqL72B0uo/iSRYwMyKtx7KnL/i26JpUAiEAoxmlNI8wlPC9/n3h\nWGa5+JKmEhD7NDuOo7jYcwVRbK8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTsUcaXxqoIs93bZKmfqQmHKwfUgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmPEmSZv6I5UFc7aaI1o1lsHUbwPBgoxQl2HTL\ndUwjmXc6NwZZOYpFQH05ZpkV4NUCn2736yovQXusMl6/bFSTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiMaSn/BpRJzRGPqJ2ZOwAAikllAwCgYIKoZIzj0EAwIDSAAwRQIg\nOyBrRDXg5vn7MeaMjvioK/kGISMsaSBzoHISVWe169ICIQCIB5UO7pX/NaUiHA01\nVVpg9Fjj8dDwKPr4IzyUZRYyYQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUMN0JvadIJv+VpXi1RkQFvtJKXMAwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMjA0NTU4OTc5NDczODA2MDI3NDA0NTMxMDU2MTg3NjEwNDQx\nNzYwNTk0MzExNTk0MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n/o3sq6MxBC2lZ2DcI4qbZsp5hYnrQGDefDLqioNM1rJiYeb6z8+BEPQBsyAyew8G\n8GU1CgOh419U0+mwAmWEYKN8MHowHQYDVR0OBBYEFONdWBZVX5IT1Z5UHvmzjMfU\nfJClMB8GA1UdIwQYMBaAFMekvcOoAP2iWQXkzLQtvptkfUdXMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiAH5Ayvs+oqWXf7+TqAEVxqDdNFDF9GZzUisIUCu/Rj\nNwIgT31ahl/vfLnSlENi2ngYxdhMQyWYNUW/JzNl+jYXb7w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUSS7n+TCIs8v+IpPYbwJomRe/pZswCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDQ5Njk3MDAxOTY3NDAyNTQyNzk2MjQ0NTgwODYyMjcyMjkx\nNzUyOTQzNTgyNTM2MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nc+ID4TEAO+ewdIG/izYfrAkpG6V8uxX1PjleHRVLVeVqNZsVE3fgxSJ/Ih4tqSHj\nQbamrPXK78ap1UI3qS2oVaN8MHowHQYDVR0OBBYEFGgld6orWioCrQ6LwkioDavR\nVk44MB8GA1UdIwQYMBaAFFVg/9T+8IDQzWji5aCnUAewdqbgMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAvdqmdT0Ztn5GKCrA89YihtsNIKLbydnF6yFQI7iX\neYQCIQDW9iZOJr8SozxZT1YG7EK1if3IjTiN9fD5SVUbjc6o6g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1364,10 +1480,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUd3AmyOAoVFoFOlkC8Q/QiJXI650wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVq1J6Ai2OknopHLjZuYY/GrWEXBLQBrIM6FCm\nZ7DbMRpKGqeZl6ULW1FvLy4ILfC4N2ZBfl+TitmrJPJ/SKPyo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLiSwh6pTAmk\nXuUWzomjhLL+LuvXMAoGCCqGSM49BAMCA0gAMEUCIQCIhFuS75+Rw6+iJKCcK2fK\nI/DrEUDBZjqo6QFkoG1pSwIgL6fsofBSnPMf2CLsj8JzMF0TdhRM//8bvYGzEEG2\nfvY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUTWm1LATL48BrdcKrY4iW4Gs1XrswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8QOSPmoSv1vyHA6FWTzqs+SsEHGwNQywpIz3+\ng/A16DMPU7Wd/LcO9rpoJB/bu5AZGK4bYgKLF5p4xblig6cao0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFMNLg4ak/Ajz\ntPngHiRi5uj7moSXMAoGCCqGSM49BAMCA0gAMEUCIQCdsmBz0oBLHz4aYaCO4QyQ\nF6tWP6QiokstPo3kZCmr5gIgYSNV+RGpxsngvNB2zdtryo4VSf4l0RJ2HgSytPTr\nBfc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIURRoWdqVZoqrVXx8qqcK3HCi8bGUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN03wFtNqXtSYbaJwRbsiTU7PguTwgQE9wAwT3IYDpid\nKYJOpMSQcpTrHqFkeU0hSYnOyxg+D/QjgGnlL/DTx8mjfDB6MB0GA1UdDgQWBBRb\nTlkdIIKANwOChgHCOnlTz+MDWjAfBgNVHSMEGDAWgBS4ksIeqUwJpF7lFs6Jo4Sy\n/i7r1zALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAP41MmUZuGYjaKhy3OZ0\nwQdZv6r5jOS+5j9t5jEFtfYJAiArSGXaivnqknDZ0EO5BYPqkt6bZIFIxb3V6pR7\nVjNqtA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbH0T51VsWfY/9Xa90pTCCZfN4V4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKw1bepIuMKEhgamo6o1J408HaOY0YA/nD3FpJVjn/V4\nZooECN4D1lxLwg123JCMWvBG23LvrpfbRStUcznjT7OjfDB6MB0GA1UdDgQWBBQe\nRECfMHS24xQEX8xqKxFyfqFVDzAfBgNVHSMEGDAWgBTDS4OGpPwI87T54B4kYubo\n+5qElzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPsfXjEDAyyNdEoAMwEK\nqcHn1qm1sTM3YI4+/pmO7p+7AiBtSlQEJwGwD9fZi2G3muM/JfaXFbJhpffVVQCr\n7Tbhow==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1386,10 +1502,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBizCCATKgAwIBAgIUPDoy9cNKLP4+6c6v/vHOm3MdXm4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT1UsFdk5k/6KlGiBd/XirEBPkmJVw3lUfOULkL\nW0BIcLzlgwOLJWDq3coz+SJDyrIUWFcLJhRPsW0rfI/3Cbtfo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUBjRFWHHliee4QTQqgZCXzJOracswCgYIKoZIzj0EAwIDRwAwRAIgEo67\nN8qlDa1IWpAB0ulk7YJDLtMSg/efEznrwOEUP/wCIEKLKjO7lMGJTGdHfibDENo+\nIADAC8li0gwgiZ4CJw6k\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUErpWShZ737pimE1Ik5uZ88BtGdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARgj5rGRRUC94AkBmAEo9NoJ1ms0AlKx4dmactd\nGsgtGwB4XsOYF594RaAfRB/ixFhlgxksdeQm834mVdrQYtH8o1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUY6SWFNYdl7xGFpbE7KqjFj1Dy28wCgYIKoZIzj0EAwIDSQAwRgIhAOvz\nQ1adiyEZLSWc+LnCIQ1PDZJt+VEysFX46f3AtZNIAiEA64hsSrI2J3TDos3UKWgr\nyznwwgqvoouUjBY1Gh/FMrE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUTT/ry6bBtrfAcQ2hEVOCOX5lQC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPpUKbgT5Vq7lV5Qk36EmaWXxkRDfi0YuKk6ZggesLLL\nVumgZTbzpA0cGsd9alC2Ve8RnXTSlpPPOoQXpbnd09yjfDB6MB0GA1UdDgQWBBRx\nfzhP7sHGvZTGdlzcRl/aIh5YEDAfBgNVHSMEGDAWgBQGNEVYceWJ57hBNCqBkJfM\nk6tpyzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMLDIG1G9HQJI+jPB+mpF\nuGr8qM1FYwkQtuxU56/vfX8CIQDzcJdlJq2yxdsnEQOQCabTQKMsd3d1hvZeRlDw\n67PrxA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQgvUVkeveQUKkbkPZ96MFX6Mk20wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJFlNv99r2gus3Rv9fNhE4l/BpQpiBXVJA3KAPRtV6IA\nuEN6speeDil19g11RDJlrHunOUWRuQb6fWbbzaFdyQCjfDB6MB0GA1UdDgQWBBT+\nM/CJ1EhFEmdzy6lHyijTOyMHbjAfBgNVHSMEGDAWgBRjpJYU1h2XvEYWlsTsqqMW\nPUPLbzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgDg5tHZEUaXq4M/nZLnva\npDCDie9Apo0ecgfUdezy7+kCIDrNmft1TPlfw7v2XiNE02J+TggkgYCc8/R/+hiX\nnzET\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1408,10 +1524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjTCCATSgAwIBAgIUEVLJh++5IqpZVIvbaoWFtdwDVzkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+V7FVwJ/V/sKFcK3E5d7KFNor64Oqc1+02QDx\nxKGC1OhXbA9rcX5Dxq1bd/ZVV0E5kWkLyojEp+yO4hmwbom4o1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTxrrz8vmSSfky1FoG16GHv9OcvxzAKBggqhkjOPQQDAgNHADBEAiBD\nTNIL5heGXDpkGvuI/noXrQQn2ZbvnbHk0zN1N+fRigIgUwNoFxGr3RlFtevhu39+\na3XyFmVMy59hkXqEX874awA=\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUfznozdvSZieNvXAu5NiZevOw56AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQHvzabDfnM98UU+82UriM6drvmY0GN9V7JTf6v\nheHao83UVkEbptBM2gsPoe17j/JnR8YikXj013VnxTZgu6VJo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBRBy0IeGe/b8EjJagdy5KOgC6qScDAKBggqhkjOPQQDAgNJADBGAiEA\n96NGykMKyUGrNrziEmLdZdpr31rHXT8DTMxvc28/8JcCIQDPCkTL31turrkTGRE8\nUyZ28R30A0FQ4DuSDBK0N0YTGQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUW652pFQE3i39GMw6kvDyDCuaqJ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCML3lMOc8jgYIBiPwHli2Ge0GkLoFqJ9NjG22lqh2d8\nv4YbUeNpPCbv9Ckm8mP2E+lMHsAzspWqKwaebzbdUlijfDB6MB0GA1UdDgQWBBQA\nwp80sNvUwZouLLmDXSrkI39qvjAfBgNVHSMEGDAWgBTxrrz8vmSSfky1FoG16GHv\n9OcvxzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhALdSKU6fuuTybXZHNVfi\nrH9M6Mgde0MtK4KZtXfcfZbMAiEAnAv0/Jhjv0MFEMC63k1O3CV2Y2z+lytJka95\nSUt+S/0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUN+PpEZRxMjVrdveQ6tPrE+B+kPYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABMGEZc1qzxEvaj3JaV6uepd6qKv6BoTfx5/+fbn4O52J\nHMjI2bgzVdWg/RMCcDN+ddpr4fJ+aF9Zeh5CFCb9tnyjfDB6MB0GA1UdDgQWBBTQ\nMv748Zuj0htJs1R1AuiRGiylnDAfBgNVHSMEGDAWgBRBy0IeGe/b8EjJagdy5KOg\nC6qScDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgdFAijNW5AEvZSC8+qPgY\nHzC5bCtL7cO65X2/vWalkBACIEmwGo9/ih5ESUNG63O8ryj+5uZVSy+7Rftc6sc+\nndID\n-----END 
CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1430,10 +1546,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULLBAjxrR0dI9CDwFnUY72fLJw/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRudLkeW8Ka6hG+br9V+mmhJdhcN4uDf2NptOo\nAaIP8gH4uUO8/yOl4poPl2wvXm8qZY1bElivQ3XfqAv8Y4Aqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAWngD+LOAkIYkReLKmKEqYb1JxcwCgYIKoZIzj0EAwIDSAAwRQIh\nANn06me+UEh6eOsT5hR5rONMekb2zdwPo39phx7M/Mx8AiA854Ah5r4tLGj9LiLz\nCsFltJvVM4VsKMp0csSFdPeafQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUBAkqSZLiYrogvDQrV6sMfA/YJWAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYrSEGSjC0NYtkEW/61pE3cLJbUwek0xCMzOLo\nRD5KmbDESgPCcvHCVW/NG1hSyfXW5I084aOke1PrFFZT5Oi4o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4AuDG/A3ZtKWYXDFIAAPAF8awvUwCgYIKoZIzj0EAwIDSAAwRQIg\nKC3kKRZE3d+EFQ4/s5k2lsj5PtMSw2xYEW8LzZL1rbwCIQDiznS/MnrMDkeO6QC0\n8iEMbaZohA8IgYDmv3InxW4F1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUfjdBNbeVVQ60FH/oL4I0xWGjH64wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjU1MTI2MTQ4OTUzNTE3ODA0NzAzNDA1Njk5NTQ2OTQwMTA3\nNDczOTUyNTU2MDI0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEivGQ\nxxNo2TLrIhvTFCklarSeJ8Nn0oduDDTjPDCIzLcGu18P4ErR3A9NnwNkL55kbipe\njFNrdLTQ6af9odAzVqN8MHowHQYDVR0OBBYEFB41jKqYAD0uFUKjobAdv92Dp0+n\nMB8GA1UdIwQYMBaAFJerAV1XG2T0dWdmYkapXV/v7aSQMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNJADBGAiEAmCwYG+5z673HbOcf32VDm9VVQYxppjAp72zgYGeLs9QC\nIQD9949gHONz47iBUnXYf8szAHJMH/Fr6wT9PiQ/fBdW4w==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+zCCAaKgAwIBAgIUUUdzFzFQFekt9asCLLcIMhD15EkwCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvMjMwNDAzNTM1NDE5NDY4MDE3NjE0MTA0MDY3NDE1OTgxMjIw\nMzIwOTk3NjM1NTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw03MDAxMDEwMDAwMDFaGA8yOTY5MDUwMzAwMDAwMVowFjEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQTnuTO\nOOxsHVz+0MKnUj7iqaKus75nIJRsK1g6aHGNSvez/v3Dx0f+a8CVNRCp1qKz42u1\n2lY3qMYrVDC6O5/+o3wwejAdBgNVHQ4EFgQUSCpx11Mpuxq7nhh6Q3UTdsM+xBkw\nHwYDVR0jBBgwFoAUFUPMkrCzYlFTgQ+puuEylvOlOZswCwYDVR0PBAQDAgeAMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqG\nSM49BAMCA0cAMEQCIClzIycmjavCel7B82WE+AoBWkIwBsCLx/3qsw2KAr7kAiBN\n93Es8gRvWNjOf0fq+W3XybnnrSi5h9x01F3o6fMRNg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1452,10 +1568,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdFlq4pl0c1U02u6cFxuxEQHmBYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASkXycaRgLMejWw3wEHbJ2GFkrdJiqnLCsVCjQ4\n8N1uRqpoWwWdmpBOsKOKtY/CJQo7EDpG1oTNwAJ0B+QhQPBfo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPhq66kL2VEtr7Y8pdTU+T94MmI8wCgYIKoZIzj0EAwIDSAAwRQIh\nAMMk39lOSrvhTyrDnUR+WW2J/MPtvS9AXirN1lhPjPx5AiBKx+UUG6+9/uh34NZ2\nVA8q+cQCzfojc1WPhfA9DnJNvg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULvx6JfW+94AVrU1II11vkn/yBRowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS686vPNl7YDT+pX0UyBwCmH6NLWzHz9hG6hMVv\nwfXwenMrkYPVvUQqcag41k/SmE6gkuRim9XXzUK6Yxxcn/Zvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSw5foPNx4RuQlxBFZ8RszsdrfqkwCgYIKoZIzj0EAwIDSAAwRQIh\nANJ6T+Ebi7i07ZKB3hoQON5UJMcPmVrhKSppyeSnjGXFAiAeFnrwzJ+cozrv7dgb\n3V4r8h5Xj48GQ5MGgwxwBLwHVQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBvzCCAWagAwIBAgIUXsa2f+JlyCDrB4f7A+zkYtYc1yYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABI1CbEZpKP/zr36/ueAhArUj14REHlwJgzNsTOPdVsRH\nrD1u7v0JyaONV9shDWi5Lc/VXs6tko7b0GWShA2mId2jgYswgYgwHQYDVR0OBBYE\nFI7Gr0ZLAv+X55+6K3IO0FRVHzx5MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nPhq66kL2VEtr7Y8pdTU+T94MmI8wCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQC\nIGmGuuGxw2vjAZzzQmJERoGIPehRLZfOlnHWgmGPbX9YAiA+xGxYNpkSMNVJxYBT\nsWqP6jBmgZwZmLIh+EXktYR19Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWagAwIBAgIUZDNbMBO2i4TLavGR/PLYXEjQCBAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFqgzCbNVV1LcymPBGR8Tkh4U7nrk1LnQg2f/YcRgfpM\nAc7/YsyehFyY4Ruvj2q4fUHVVSJ84siYe4WcG7W3+GCjgYswgYgwHQYDVR0OBBYE\nFE1TYtky27xeFGW88lM3ufMvdLgZMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU\nSw5foPNx4RuQlxBFZ8RszsdrfqkwCwYDVR0PBAQDAgKEMBMGA1UdJQQMMAoGCCsG\nAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBcChf9QqGvtaIA4kfPYDPMo0OGfiF06Y+wYONulMmD5AiEAnam11iTr0QVhkHOD\nwqs+U/gE7BXf9Ic6hYQUD/Jq8l4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1474,10 +1590,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHeqpYmJ3o3ohCM4m3qNEVtg5FA8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATV8iFHvU6lBqnxzGKm33rklwMWORoXetoFWc83\noaEGSP70gw7pHBBxY9ZvGY5A/axrIIwii2kphepnt+poEdSwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhDz12aW4IFVFRcpR0xDYpC3B6lgwCgYIKoZIzj0EAwIDSQAwRgIh\nAIxjwUc6rv+TBpUvteGMKtqHojd5GMeSTBK41aqzgXPJAiEAtLUa9DrNreOLJ5Sv\nt/iNKIU/pxtAWbDmNq9q2g/Xx7I=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUeYrpm8p/btJp3Olrj3JBMA8r6DswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmrhxcM5za8dPNSLjgxFrcvowhlmv1o+bPcnYG\n2s42IIrQLPVIOMxUFbd+IwaXwue+WD9UUpFW2U4iVG30Rr3Po1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA5yN2JnJ0mtvGZecEuXdbX9Lg5kwCgYIKoZIzj0EAwIDSQAwRgIh\nAOzbGdhr6XxnQmPR3+rRJdIKqDdN3+FsvUB2Kll2RGyeAiEAtrQjFftZ37u3/Ow8\naE0Y+ZL7V7Y9N27wVntQUcD6U9A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB2zCCAYGgAwIBAgIUP848W27Bvq4CwjHW3ebEoui8fFkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA+YMXVl9qzEtUystyAcmpMJ41uUxos6fGvzR7PwpsJA\n2fblvSXbUWHd/V6QyWCLwh19Akpfv0UIBzl7bfSG/06jgaYwgaMwHQYDVR0OBBYE\nFPDubSLjDSizerLNvlLAELy/ew1VMB8GA1UdIwQYMBaAFIQ89dmluCBVRUXKUdMQ\n2KQtwepYMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAE1tcsSDFeBnqGzBiMISkut/qkA\nWZay2yOYe8Jo9p68AiEAiUj+vBs7gXvG4j7TZ2EGNTOZilTyOMJJj04PEaSMBFY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYGgAwIBAgIUKOhEdQYutHALsSgTGeb48/R1LbMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJynFEaM2scC7WqBeSEQp2QxlxPY/MWRmK1cnyys7lA6\nI0Yfd6tVem8MaZnZGyAYfuYE4OvNyniOg5Rs+Nvp31KjgaYwgaMwHQYDVR0OBBYE\nFLlpOhS5u19fcbAwqhjJtg68dtamMB8GA1UdIwQYMBaAFAOcjdiZydJrbxmXnBLl\n3W1/S4OZMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAnBggrBgEFBQcBAQQbMBkwFwYIKwYBBQUHMAKCC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDoVJYlILA/fr2F70GNb80shktL\npICowVA7nzeLBkzBwgIhAOyuuBDdCIivbNeypAEPGwS5HoB79p/C/COrrPeQMDOw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1496,32 +1612,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIJx5IjcA12by7I7nPOld/dapN6UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARqXJquvo/tvRhzCW2CqXDYbTc5yOB1RZUTHssV\ng3qZf19aEaUKa4pp6QDXDn5NWvTB5pkoZx9Y6ghxJ8IuTQq+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZ/9UqCFcV6UYJ9bD9ZpIljaClQIwCgYIKoZIzj0EAwIDSAAwRQIg\nD7+pB1IKXGH+x7CNrdLbiV34UorQFQfEu2iHzHSBk4ECIQC3eyVaR3ABz5F8tq4t\nQRKfLIzSZPj1a4MfyOG7GRo4eA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT0fFan6dBmnxRf4gOzf5fE1QKCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATSWN/xUsMgVXduiK5nhA3quDhM+wf/H5Rmx63Z\nSXSoIXBnukcF6Fo7uyj1zB2nrB/qfpFetD4xYWlohDsi7WnDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrppuJ+TRG62+KG+nFLkUkQALDtMwCgYIKoZIzj0EAwIDSAAwRQIh\nAJD4sCJOfnETSJV+uluad++8srINUOq+lha7nsQ8tOTUAiAoqTLpxLj3SGxrR3PU\nYMpG6HPFhDP51He/qK+0GCjJeA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3zCCAYSgAwIBAgIUNpBm07TTrL0/r3azcUYAlqt7bh0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPDK7fZrxF1/sYqWR3U/3ZhL3E3ayeD28SFFyTqhCL/i\naBlP/GacGp27YXa81W1M1WfBHuu4XCZDSXfyQmbiGzWjgakwgaYwHQYDVR0OBBYE\nFPucbRHcwdb0JKG7blU2Y6L9yiPIMB8GA1UdIwQYMBaAFGf/VKghXFelGCfWw/Wa\nSJY2gpUCMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCuMM1pYhnGZfZPba6M/HsG\nHJ2VB2ZHD0TOIne2/MyLBwIhAOLw6HmFFfwT2FA3stPmQUeT+etGctjT3eMNEcvV\nbfmg\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - "max_chain_depth": null - }, - { - "id": "rfc5280::san-noncritical-with-empty-subject", - "features": null, - "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUfNjtYQ3xhgKg+KfJ7EufMZgJMOAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARD4wGcZyRc3dTFcqaGy8pYT/hHhySBGzfFGxvi\niEFJhphRZTOyYxnmqEWlVO6KYS/CoGteMsrWu+s4tkCasgfko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyoFZXApo6sYksDhn5SDlwqbQ4cowCgYIKoZIzj0EAwIDSQAwRgIh\nANxt/FfteAXZ5VYEGupkc+dvJ6VTk4TdSD9EL/n5+mopAiEA+hsldyKCUx5Uz20n\n4Fcdefnuep5kP9diVvdrej6XYHc=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmzCCAUCgAwIBAgIUJjkUjorZDf9Dzm2SyMFzjye64qowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2WbO85w0\nSMj0MQ3D2Jnap4fH16jUxPv6+EqR4qbF3TGK8gOasND9ASWYRsX1t1C0UCJ5zFqs\nHGiLtDa8cxA1DqN8MHowHQYDVR0OBBYEFFjr+HU7AtwA+Wkpow91NkDl7GgQMB8G\nA1UdIwQYMBaAFMqBWVwKaOrGJLA4Z+Ug5cKm0OHKMAsGA1UdDwQEAwIHgDATBgNV\nHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEA0oQVcYz7mtfkOL1mI+XeCTNYmwKLxRmtx5DkVj/c50ICIQDR\n4vAlQoI2eiblJDnvsnurTEvbLSTjeSRMCk+mCiGLLg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIB3jCCAYSgAwIBAgIUImg/tcdDSJ0mel8g7jwgHnpbH0kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJzvFEBoMJzSesmoHdEOlZjFBpm+vd3t364/U0oY7j9f\n/R+8q8ucm6g8XIbgjcwGW2oXqXRKeZXLmS1WDAjj2FyjgakwgaYwHQYDVR0OBBYE\nFLqarCLJRrtyosN98oybx0G1pa0EMB8GA1UdIwQYMBaAFK6abifk0RutvihvpxS5\nFJEACw7TMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAqBggrBgEFBQcBAQEB/wQbMBkwFwYIKwYBBQUHMAKC\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEvrmVHLw+j/zsTKc5ZZnZAJ\n4zXlM4rhrBjMxFHZ/RX+AiEA1K4SLWF3r2BbeFUvc07pUNgLKGHygVtmoa9pSFUd\nvqg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1542,10 +1636,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEvW+Sy58IgYd9OHmyXqZLV043zYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATbfrBzdiOiyEvtdQV11/lSb3c8moMVzk6UVvuG\nkHbDy2mTSedUtcgxquMSRzAl2+79M8Hh6GKUbBSj39NFvAJwo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUio2Ik9sg1qXj2omF5t/WfdNuTFMwCgYIKoZIzj0EAwIDSAAwRQIg\nQCWq1atDVlNJp0nRw2FLmwTgDGjcIFMyuwJmrygTtvgCIQCKMh7j7gTsCGzAAFQv\nDsRLwPLhIvSM8Sfl6a15RH4s2w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUEeQQrlIzPOTDJWKfpa5Yb7ljgpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThC4w9D5rXEPzzFASRRKnC7Dn7qWYzwhIaEkh1\nqEMkwz8GXwD91B1RYBJi+bukH2IimkFgYv/E8D3L9CHHXva2o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUva1sm09w3KU9mWiylQfo8TEC3BUwCgYIKoZIzj0EAwIDSAAwRQIh\nAPKuDZzUPlWA8YBWmhaUcIOdC9gIXEBeayrWJ9mSs0m7AiBT/UBhWhC/8y4NbnTd\nbtsSeN4nbN6fqNqhcX4RdLY08g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVigAwIBAgIWOD4FfyUtY1CgQB87NQO7Ewpoc09lKzAKBggqhkjOPQQD\nAjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgP\nMjk2OTA1MDMwMDAwMDFaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEmUY08M8j/OM2IkMHXhYzUbE5ir7+BiSEpT88WhEK\njanVakenHs/LgyhNCcnz3p2hb2SsT66KbzFe+rcbMKVWvaN8MHowHQYDVR0OBBYE\nFD+8DaVZPy0iCgicuvTRNtnWlrhwMB8GA1UdIwQYMBaAFIqNiJPbINal49qJhebf\n1n3TbkxTMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzHwkhJgIY6mGp2yP\nCUMDBfsIV2ZKIxKgLM8EyNn5tIUCIQDOTrxjUC3KfPthIM3xdK7GbVoQBXHVS0Um\nKxB80AVnOw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIXAMjQnVT6Epy42+SR/LXgPJUOgrG0RCQwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoY\nDzI5NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABBSuDpykfYxixScBRazjJ29qnZbJIFOQ3dFEtsrq\nPXA8K+R3Zkc8rL0avCDp87GoJR00I0qfaui5kdvyhErDRDSjfDB6MB0GA1UdDgQW\nBBTPF8+VsVfMqztkG/4sQSi0Iny9qDAfBgNVHSMEGDAWgBS9rWybT3DcpT2ZaLKV\nB+jxMQLcFTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhALwi4G70liHahut7\nyPYFNpN+hkwaJuiGXxu8BZTKz3tzAiAqXlyWI0N5Rxon8LK0vHnaihX2ZPV3BBAQ\nBZdtPG+tHA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1566,10 +1660,10 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGQeVqNACoWjn4blOiUVoBzkeZacwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATPy1QTf50d7tHwdY9Gjx8Nb+m+GXK20BobpJ5h\nOOnVtr2DvpVVVHfxPSKS9xIVQwUl2f2pA6jUxmxahZyjGzp9o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCgjPgnzOHD1HSF6o0N+YnzDexAAwCgYIKoZIzj0EAwIDSQAwRgIh\nANpyO1rLvSDxBvUOkT+D1GjjcN/Bl+fAJ5vsLOyEpyczAiEAkfTM9XnHdrMtVJGw\ntdeoe7fMSYyEO/Txwogn5/vTN70=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUEgAPP3dqgJxhs4X3JqpzmsvZdqcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYLvXRcPr1iq/Di0XBtrbMabT9/yCxgro4VNEY\nqygdG7jmvWkKwom2wxSTfbwsVhXLa/bYzpUPcvSl9uIIGvgOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU84RNT6e5MO4gpAz/EstmPeve7XIwCgYIKoZIzj0EAwIDSQAwRgIh\nANM7/7O7zb1j8/1qqbZNWX083NjOFKrqBNtmZynJZMgZAiEAyQ5e79a+gZ5dTfUt\nVEIekezwOIBlqfmuZf56U6EcsNc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPAS4\nUJxHjL2QuLY/7eMd/QowHKwaoQxN//ktn6WallVWoijLSY7KqEk7fRExSMjkzU3P\nBnWlNKcxv0kWbne2IKN8MHowHQYDVR0OBBYEFDEDHle6UtlCMe8gDTyY6qhTysLw\nMB8GA1UdIwQYMBaAFAoIz4J8zhw9R0heqNDfmJ8w3sQAMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAxg8yHFyhRzGl5u8fPkXQmBCuaZnCl7GuWX4UJBaRQHEC\nIACKG3wtD64jXQ0ZpqJcIDuKGyvv3l1ttmznmchcxFDP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBnTCCAUOgAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYxFDAS\nBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaN1i\njaFwcJrkCqXKXbTb88HNvrGOns1ALDDH+WSFQvd1va4FKIMr9piFhVT8U9o9Tfc0\nd73tb3C4nKfkIWqTrKN8MHowHQYDVR0OBBYEFJIT+GqIKNdPoqiwJDhuUWW9fD+Q\nMB8GA1UdIwQYMBaAFPOETU+nuTDuIKQM/xLLZj3r3u1yMAsGA1UdDwQEAwIHgDAT\nBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggq\nhkjOPQQDAgNIADBFAiEAkwxCwSVZncEgNibLF0HclosZE7MsbXe2NU4DxliVcY8C\nIGmQhXxe2x4Mzi3fvgC36sUuQovZpRR+Iek7oMLN4DXP\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1612,10 +1706,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit contains multiple X.509v3 extensions with the same OID, which\nis prohibited under the [RFC 5280 profile].\n\n> A certificate MUST NOT include more than one instance of a particular\n> extension.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUcpvWg7RX0AXE1W2bSo8MrdIBtvowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGMFS6tYK02p2xAzzv4YcZaGMvh9XjN2L6siT4\nZ6A/vES6pFwDhuMLNw9nzSCk/XvSfXjwYy788rkcf6dekT2mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUan/kMe/ywf6ZVCYf0QRa6RevE8cwCgYIKoZIzj0EAwIDRwAwRAIg\nPp11wQWIloPTMj8gt9dfD9JTUJWU5Udpz3gp9TCRCJoCICp8Fz81cD1j8xTB+cr4\nEXpJSE9ROHKibJmLEelCrDPH\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMe+RqgRT3gzjMdwIdgXRKIl34NEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzoYC7yGmFQvJ9YoHswhJNxayMRqt+xg12CYu3\ndnUG8zQJU3M6wpib8nvr7A38pKqIuH90MKqS6T2x5c6U/zIYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOccR9SvmJNQbIyy+e5cVE5yF/BwwCgYIKoZIzj0EAwIDSAAwRQIg\nRZyRJiG5KUpzxPWAYnt4EstwfrvUXQ0cBNMqi1/q4S4CIQD6GfvUJ7oHb9tMTMHM\nuDW6+4USBH3Bjei6FyfRD75AXg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIUQtDjEQS22HOt77nvDT8IpPgfuuQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFSgDNHdk/PmJX1K+3v/zh+LvkMydSr2sFN/g3gZo+U+\no7QVrKySQT68kLdDQMTdS1uTC6xYpf3M9j1CSUtTdzmjgZUwgZIwHQYDVR0OBBYE\nFNzeRsmjXHGe8xPB7LstZ6D/QscuMB8GA1UdIwQYMBaAFGp/5DHv8sH+mVQmH9EE\nWukXrxPHMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNIADBFAiAVeJBNJyYZm73PWe3QHuGvmgNN8gXoo50uHmJfFXsslwIhAPFC\n0sEvQYDa929Qrm6i4VXgQPZHhfKiN64ihg9VikTw\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByzCCAXCgAwIBAgIUTQ6FlXIojzLbswbTyI6eDwfEvPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGImg8I599d/G7c0umdKcxjelBZC3xhj0dlc3QAW01qS\n5KyCvcKyhu9EgibWteIA3Gro+t2UqnuWPXl2PX6lLCejgZUwgZIwHQYDVR0OBBYE\nFP/wBpZ6XFlsHkm6gfkuWpDq8SV1MB8GA1UdIwQYMBaAFDnHEfUr5iTUGyMsvnuX\nFROchfwcMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjO\nPQQDAgNJADBGAiEAyI83scxmIHYHCA3DLHPfaqy1mCgtP+ir8CGlp52l9bYCIQCZ\nmxYd7UUAHVdJyz+hPaydtoTi2Ic1Y7wMBs6eBCMONg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1634,10 +1728,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Key Usage extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNO3JE6RXqtaHbYcXz/j5X5EzzsswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ9KB7PFqS+tRqzEwWa/94cVO20Nt7lWI6FJM8i\nyblWXbUnVIRnCeO2dExW98I6sJPDhaLSI3MUOnfcHQdGAAP+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzqEKtIkjRq1wzmtS3bGCq1M7bNUwCgYIKoZIzj0EAwIDSAAwRQIg\nT+odKFFwvV0lZuKkUkahpnyJ+fK7BQ0VxGOT08ideqICIQDDjumV4CRlOzBhR8Zm\nhTvvstVsy1c7u2J+mFuTAcvuWA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgITQae7AgdzQc35AeQbDpIhplKlKjAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2\nOTA1MDMwMDAwMDFaMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABK3KvtDcrriBfURjnClvQXEIjNa9/I1V8UBthmkP\nSSD9g28bw7RGNRrzs4noCZ8qnXnXiHhdPM4TaUIkdWS4oUujVzBVMA8GA1UdEwEB\n/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQ80Tnte6k7xdVFnDZMEdqp/m8qnjAKBggqhkjOPQQDAgNIADBFAiEA\nocEA95kxbIJcPIs+SnwPmDn6ZbwnzlfTWnQZC7457LgCIDxNIO+/OZaWN5HzGRYr\n3gpY80F4kKm54xuWe+EMZ4lk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWSZsH9+9Yq3E5k8rLfCR3LV5hf0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDeoyiVnFTuCeryIhkqI6C1TvqisFJQuxMSvxMVrj9Nb\nCf66XpjzK7Cgve9YPPmVuJuW8m4FIAZdxc5IK4IoPDyjbzBtMB0GA1UdDgQWBBRv\nuscie+SHeOxh/KqUDIesiozRJDAfBgNVHSMEGDAWgBTOoQq0iSNGrXDOa1LdsYKr\nUzts1TATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEA/gW/GhStMkqTyO7fsPVqapibsQhUAmo+uCx0\ngZmkUMwCIEqgjHO2QDe99QNbR+Th42s/BVt694lhvwNgmwOq0FLA\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWEAelI+zEaQTp0iNhg4HUOaIKtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDav+x/Yum+tpToCwmDy2jPShR4EeAFrkWTIu2B6WqwT\nXpYYzcGQdwyEBTKCjOCG0YA5K1b/kz9EsKyTbYM//oKjbzBtMB0GA1UdDgQWBBRi\n4id0IiYRAlmZGE2a9sWRVzmE9DAfBgNVHSMEGDAWgBQ80Tnte6k7xdVFnDZMEdqp\n/m8qnjATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNIADBFAiEA/8JyTccbo+YGd/YVgXBECXkBrJqOCxmuzaOo\nVKCcHRACIDY7bo0Y1vQyG67TxT7POOcdKBI9ZzHSvrAgxEnAkXQj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1656,10 +1750,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe EE lacks a Basic Constraints extension, which is not required for\nend-entity certificates under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPZ5n6adEhX2s9XCUTB6aejbCpEAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASSP+/WfVljw+feM7DTptD1kbgU/3go5OfhuVAZ\nFfF3GsAXDg19XJQecZLq7d8A+f9ibEngrqc1XIcl9d+0fFDso1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU39xpirkcTzpu+E35/CdXu3m0TvYwCgYIKoZIzj0EAwIDSAAwRQIg\nAWBZ5mEzs+GuW/NhChzglrPZm+tj9hOSJJIFqDurYmQCIQCILVSlN7JeCiCSIFkm\n8YWGUg/bxjRNu4D98ez3bw9mNQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUV/Nw3GLQzQiY8nrHXggGT5FO5DkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASCu2JkGYwlhdvrHPYiL3LdBigInTP0EAw6V7OQ\ng4NiV8kQ9icead720paKF0H1SEE1nKSCb/gV0If8FNdmVHL0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPqhCVW/5jM0FU3ohbuBV0wP/enkwCgYIKoZIzj0EAwIDSAAwRQIg\ncdHht/4uUt+XnBOvlEE2qV27UtrJkBGNAWbiDj55zU0CIQC+4a5X3NAhkyv/WgRu\ngFaUgEayu/TkKH320jRUvh7SMw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUDBEEtxpI7Y8pu8a761/pY0suFFEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABN4+0jvOagrW3tyhH1d02bB91fJEvbglmLCBiRnwBFRv\ngUxzKJa8dpfmaUSL9ygfNqzPPXVlkh+aetGHwj0XDgOjfDB6MB0GA1UdDgQWBBQw\nz4sB/I4fh+6I2iVJsVJVZ4trPzAfBgNVHSMEGDAWgBTf3GmKuRxPOm74Tfn8J1e7\nebRO9jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgcupP2CWfr6vFrY5I1E8W\nuWX6KTA3CoFLpUE4hgCIxgACIDyjOQCVF5szZoUKBvsXKC23OYbx+4SQk3BT3l4P\n6Qf5\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUIVrjhiACouYmyXhuskMr+4aNuNswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAcHqdqjkKmG+LKNmKamQAl+E1k+vh1GRNkXAXhRMeU8\nRfNn3Nv5eRTtVtUNYkAlsJmh2AsDE1YOG8Pl0TP+/v+jfDB6MB0GA1UdDgQWBBR0\nu+7KTz/QRO7sT9YXbIrq5FLUKjAfBgNVHSMEGDAWgBQ+qEJVb/mMzQVTeiFu4FXT\nA/96eTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdeb0FkQBP0Xlzel6dul4\nm63/Q8ebg9qKjKl1AG+drhECIQCRLK+GXUtmxg1Uq6am1vu/ks8HkQbTbXUe4V/9\nP9PryA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1678,10 +1772,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert contains\nan Extended Key Usage extension that contains just `id-kp-clientAuth`\nwhile the validator expects `id-kp-serverAuth`.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXFr1+JpMB4p36E/o4ZdgvBmgOIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT4dq6q7O1ftB26xLekNFGj9Cot5npZZKi7GYcV\ney6797sMlJphcFf7TbIb6f/pXI41WB5eOBnUEWH2tw4yHorTo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUep5DFYekecoc5i4egKCiGNvFxyUwCgYIKoZIzj0EAwIDSAAwRQIg\nbZDo6UwJ3UffOvcayg0h7k0s36CrfRgfukVn0XUtfakCIQCcQC6ilXkdyyzJUIAM\nr78BLuMh8QoQNrq8GjXx5NcmbA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURf4Z6AZVPlv8wrkAG14J/Je2xB4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/Jhkcvxmp5rBkfGLfzxRFYpuD4XSzQQXUd4g9\nDcMT0B1WY+Q3K2mrc44EGQCKB1LYmGTgAV37vGqJBMW/i7EEo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+grXdQJ/zSTNeMJFDlse5yTS/m8wCgYIKoZIzj0EAwIDSQAwRgIh\nAI/2wtTCoyYcBZgthWxolIsX8VE3pyfiKXncE8HnEbDJAiEAvanb9uMT5aUFf1af\nPBzVwTaRu6TKPMsvPDCEAF7BR1A=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUYboreytYL05VXQmHFwg3Hd96w6owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCVNtTIpTY3FG4EBpdHIHUmdTd1RBiFkuUgzvRQuTosc\nhlpVp7HlWASBi8GdB5BSRl9ySD/UbRlwmc7J/A8s7hOjfDB6MB0GA1UdDgQWBBS8\nhvkJK+ch5uySvOaz3+hv7YS21TAfBgNVHSMEGDAWgBR6nkMVh6R5yhzmLh6AoKIY\n28XHJTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAIloxVIe9s7GZbFnqSYQ\nJ30SAVBIo3Mf2sEfGkByPzP3AiAOCSu+Bs1Vl9QiLlOid+7QJUH2ibs4LymNgOAr\nLpw/0g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUTdjw1XY4b2f/wpFphTHQmOKy2B0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABHpQ1aI0qAOkhzFXiJuGr9tTc3mHCBAQUgS4XJNuaFxm\nBdgtHyxF2wY4Z1WiDO/M4JZ4KBDk8B5fpc1eActVRcOjfDB6MB0GA1UdDgQWBBRi\n8CLdcCBHDWq9hizhBBxH22pY7DAfBgNVHSMEGDAWgBT6Ctd1An/NJM14wkUOWx7n\nJNL+bzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPqVJvSXDz8xmstxGgSC\naLXfdtITNtDuNsQ/ab3tHcGxAiAJTuNAjduOzpFz2dPJEzlc2mH7Rbq87lIZck8A\n7WJ8Qg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1720,38 +1814,16 @@ "expected_peer_names": null, "max_chain_depth": null }, - { - "id": "rfc5280::malformed-subject-alternative-name", - "features": null, - "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather\nthan in the expected DER encoding.", - "validation_kind": "SERVER", - "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUKKQNO7AUIvRn/Q1CVmSBNNxOqlEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+E/IGIcscbp+zWMl89E6l67S+lFmN5T2MzNXt\nFdw7C1ItJpiBnD8iHysRCwx/oSvxCxE98e9iVjYqkI53W46co1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdEeUo/D8lTStQH7HtLWS2MrmBQ4wCgYIKoZIzj0EAwIDSQAwRgIh\nAI2/KsBBAlkNshSU2StKPB89xp/+ihHoKJ0ck0GlA0QdAiEAlW3DpPGshiFZkSOB\nWyl+sRdY2H+jywe2Jaj+gjOdkVE=\n-----END CERTIFICATE-----\n" - ], - "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUaeCsYHLHsStfjpYglgluPMNfIDQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKwpTA0Vv2xz7vWsRhH0l29CvlReWUCJwRHhlllkRu9L\n4QYUZdVL18BXbTQsJPmwM7cBHPrHnJQnPfKY0PJk/kCjeDB2MB0GA1UdDgQWBBR9\nMsJLyPsvjWZ3gSPDrD+7PHaD/TAfBgNVHSMEGDAWgBR0R5Sj8PyVNK1Afse0tZLY\nyuYFDjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0RBAtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiB/ZvqWqXI9N0oQzCRvSB6hYpuZ\nYZedhBkTlW0FjN76TwIhAL3FqN79xtubNJEOsnGKFQ45HV6F5W+VJWnq0sJxsazg\n-----END CERTIFICATE-----\n", - "validation_time": null, - "signature_algorithms": null, - "key_usage": null, - "extended_key_usage": null, - "expected_result": "FAILURE", - "expected_peer_name": { - "kind": "DNS", - "value": "example.com" - }, - "expected_peer_names": null, - 
"max_chain_depth": null - }, { "id": "webpki::aki::root-with-aki-missing-keyidentifier", "features": null, "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert incudes the authorityKeyIdentifier extension but without\nthe keyIdentifier field, which is required under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> keyIdentifier MUST be present. MUST be identical to the subjectKeyIdentifier field.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBmTCCAUCgAwIBAgIUKbhxL7L4OvjkoDqvYvhtr7RyxXMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJvGAoivDXsqxiX7GEMsVSpaHaLIjTHFZOds1e\nqEJKPwcyuMqB+01xDtAFrDgtJcqz3CtfuKs5YcbS9qHlOrJKo2IwYDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAJ\nBgNVHSMEAjAAMB0GA1UdDgQWBBStD/HHDUtcxTZMIc93epidVt9kYzAKBggqhkjO\nPQQDAgNHADBEAiBh6mNJJFxaEBtjO+vKvQThvGtKipy08v+hMqNI6b+N6AIgHVGO\nCySbsdkH2avGsY2/v+1g5jzK78m2wN0NnFrKRT4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIUap0QeeH8aDtWO8nSfAMocHmGL5swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS/VNCmQmtt0UsX5V0tmuu4wbP2MV/ekO7bXaix\nj06QRpf6pfa894V+lzdLIt1hrCA+2RF7SRRcLAYN7NiAYjypo2IwYDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAJ\nBgNVHSMEAjAAMB0GA1UdDgQWBBQO0b00tAeasYf1JCozDTjMRV4XCDAKBggqhkjO\nPQQDAgNIADBFAiATAOPmhzMhR/35C5sB/lXGJonSofD4twRT60+uwuuoogIhAJXV\nruIEcMfywL0zaCa0QOas7sgamToEg8o7l7K7crrP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUVACMEMzCMMV+ZSbHdchwdUSImNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFg/Fg+0u+QhmC7kIwl73Cu3B2km2AU0H79kVqen+Hiu\neXeurnugWiygj4u6WVtGVIg71C3ZUbM6j9sADOvYdBqjfDB6MB0GA1UdDgQWBBTS\nemC/XQjyLIcsTMF9Pln5E49/0jAfBgNVHSMEGDAWgBStD/HHDUtcxTZMIc93epid\nVt9kYzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgMtTqEr/O+PfDWdKl2r01\nlVRZpzy8J4jzm1FVgj98UoECIQCgZROcrrrCQQwxdRE/Y+suW6/cLtDDatDMDtaN\niZBxEg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUf2URTs8FumwBnM1drq7M/59CWtYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAluFSoeNZH5I6ZtrYGU+Pu/rvFUOTD7CDNFLqVlIjBF\nf1bJHg8zUBbMwZBcKBaKIONNQQySaJAcuJ0cl2j0+WGjfDB6MB0GA1UdDgQWBBSc\nNgpsDy3yJMjGgGjW0RFTxXvYtzAfBgNVHSMEGDAWgBQO0b00tAeasYf1JCozDTjM\nRV4XCDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKL4XYC9usRQduZTOvWR\n+OvQQfPZt3a2Ao8ddbyfh7m7AiEAhTF99pNaeVHO4mgKbTWp9KULr1dgt3vfrjH2\naeefkDE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
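Review bot: The negative case `rfc5280::malformed-subject-alternative-name` (a SAN whose value is raw ASCII bytes rather than DER, with `"expected_result": "FAILURE"`) is deleted at the top of this hunk, and nothing in the hunk replaces it. The hunk header (`-1720` to `+1814`) shows 94 lines added earlier in limbo.json, so the case may have been regenerated under a different id, but that is not visible from here. If it was renamed or moved, the commit description should name the new id. If it was not, the entry should stay, so that a validator which accepts an undecodable SAN still fails the suite. The other changes in the hunk are regenerated certificates for `webpki::aki::root-with-aki-missing-keyidentifier`.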
@@ -1770,10 +1842,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUEx+HF+FvHxUtiWLiuDehVTJfEz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQU11K3+pvpifpuHsq4k1Dn2CKRJlBPC6mJ+vXG\n1mPoaQJ9BrDIMOg6159StKi9/RVgIUeKlu12Ca+65+QGZxnoo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFAn5vUti0SYP0V7s9OHuzINECfXYoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQJ+b1LYtEmD9Fe7PTh7syDRAn12DAKBggqhkjOPQQD\nAgNIADBFAiEA77c9lE5ym9asqgKEUJlybDo6qdMn+RGqvkPiKLstOiwCIA2vEiSZ\njVO2OiAaGv8zZ7+LdLMKmjn8t6I3qEFKbip3\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUaBny6jqgENqMIyELrZwDQhUZ0+gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPhIOupf1i2aFJCAo18f5Fbaoqc1O1qau1GlkH\n2RxshB892g2W+kcol9uDm007L0Z5cMpx712OQf7UzwpZ6D51o4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFCaPCKgDsGuVhUjOjv+PIbmAKsN2oROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBQmjwioA7BrlYVIzo7/jyG5gCrDdjAKBggqhkjOPQQD\nAgNIADBFAiEAlSIB/tI2X3+VDHiSwZaGZi7ibApZ78waRI2SzZo8tvYCIG5hBCF2\n0skRywI4rSysJi6Iq4szV22tVhNPb6xEYoP7\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUbiVc+aHrQ89W+SusLXUHMQDvzx8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEc3T5US3ymOSe8HVh9/fSUIocCH9m5ATBwN9ehnVbVz\nafgoegtlF9it3hqhc07418MaX8tVM5shnB8VdtiiESKjfDB6MB0GA1UdDgQWBBTe\nGmg5wAhMdJHJ2p+zhKDclhP3wjAfBgNVHSMEGDAWgBQJ+b1LYtEmD9Fe7PTh7syD\nRAn12DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgARKDqZXYHhAd5Q807mu+\n6LV0Oy5A1Q11dPt89SNwh5cCIFEhPeSPskK7gXbHtA+LO1/+awaYSa5npIx/k4Wm\nk3RJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVWgAwIBAgITOG9zxrfJswrgDmQYOm3+wxKnOTAKBggqhkjOPQQDAjAa\nMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwIBcNNzAwMTAxMDAwMDAxWhgPMjk2\nOTA1MDMwMDAwMDFaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEaqUPA4E5pHfhQA03Lpd15xb6UnUZLpqo+zGHpgaJhk/A\nRwnvOsXYX3dSyNijeL3GhXCmWiBQjrzDjQvbrrdcdKN8MHowHQYDVR0OBBYEFNg1\nDzFD+L/HDh2zn0LRDS83NeUlMB8GA1UdIwQYMBaAFCaPCKgDsGuVhUjOjv+PIbmA\nKsN2MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzAN\nggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA0fx3VARrvrBQZQmfSkxh\ns8f6KAWaOH1XVAY0ZvTIOngCIBPJRWaPjv3sEEOqiS4i/q4vUp97mC1WOd00bppz\nOTJp\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1792,10 +1864,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUGeD04x6gL6XtVX6U7QlXRXTgo9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDC5whBYrYPfo8fJajtEbPEJaC1aPUhHNqeKOL\nuzPogJzP4gtTwmX0EuJpY1FGvxtbflwG1rOD/KelcQZQyblao3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBROIiTC/nK7BWBUNqRuDAK+wIVhYoICBNIwHQYDVR0OBBYEFE4i\nJML+crsFYFQ2pG4MAr7AhWFiMAoGCCqGSM49BAMCA0kAMEYCIQDcuTcDEW7B31OO\nc3tPKP8q3Mjw638OczdSDYLHBBFlhAIhAPK2b/XQmpJIOIM12yXHUu/8bUpZyozv\nl0Kxjn8b+DaU\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUQHmyvVFalLQlGwdscS84QZL5Zk0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATzYpLtRwpemM3Ak1YFP+CK2tnieGxQ5EfD+IZA\nQ8+bhkbSmR7IesvlpmFJMcHlqa/LyEaH0g1gjXw65h6kYk5oo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBRwghfsW+pUttjCx4wQLx/zIlmxxYICBNIwHQYDVR0OBBYEFHCC\nF+xb6lS22MLHjBAvH/MiWbHFMAoGCCqGSM49BAMCA0gAMEUCIF1d6jCQq13s2/F1\nqShxWhTOW/AZH9s/FYMnv3ZHZmayAiEA3bvifdamCZ1+jVtF1TW+gs5+vl4KdPS0\nFIqnwjZSG2E=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUaB2TagXdBQ0nL/wJ993Y3I2oyC8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA9ONjav6swScKElXOCJOHBwBiY7R63Pa0XvvdPv4Y7f\nuyqmBLAPpiJZ1EtP3f4zDd6OYICWqWNGKj83bssulh6jfDB6MB0GA1UdDgQWBBRb\nzMBDcEmt/RYJyoENov2Qsxr5QjAfBgNVHSMEGDAWgBROIiTC/nK7BWBUNqRuDAK+\nwIVhYjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgR4emDjJHW6l2Ebkr3m8c\ngGRnRcMQQV1u/mOQSXhvNcoCIQDkMfds+2xk5/SejAEEr2yNfxe0MqsE8O8ac1jl\nwPFIqQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUQt9F+yG9GwMlqHZM8seoPaawHsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLxam/bfzMfpFoS+pZ9jczDWSlAf57D0uqgJlunuCvUI\nlvUl+dJvObl5f8EGOGFXQZjn2in4W3pZezImMN2QQW2jfDB6MB0GA1UdDgQWBBQI\n31JTXDgqzg2NAmc1yBrXCjPZrjAfBgNVHSMEGDAWgBRwghfsW+pUttjCx4wQLx/z\nIlmxxTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgMxXrKopXfTtEriUPBii3\n19YtdJl0POghKk4QeE12fPACIAo9rtmzk0/1D5pKwCLJbgHK3apMt2hMY96Bu+lR\nG/tF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1814,10 +1886,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUR8gwELY1MND8DYPbg1yt2TpO890wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQMnQfBcufs/z7/ZMRovHNk2jkvOhLYC5IMCDPe\ndVcccOkTqcDf56Iqy35ldDOZ7rcPkxIB8BBGIJ9WE3zjfBUJo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFPZpwwG6+KY5DQqhSPUTCAMrZsJPoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQU9mnDAbr4pjkNCqFI9RMIAytmwk8wCgYIKoZI\nzj0EAwIDRwAwRAIgN6kWv2Y7uU1IOIEMuIReo20Ws+rV9NTMxWu2gTAUuKECIH1z\n/jsqnUJvNReW3uksPcOW540aLpLgpoSRvJbP+TGM\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUFx3oX2NYqQWCAsXulKI3WY7kYU4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARMQh2iRJIci4jI3At5mrvj9oGm0O1FTw2yhk9S\nvyjVSdpaMJkOwyuUvHZ6lhbUeMIMKcyX7hV+0qd5Hw69L7lSo4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFGiCfcUvnM66XEA3WenEdmen7EjMoROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUaIJ9xS+czrpcQDdZ6cR2Z6fsSMwwCgYIKoZI\nzj0EAwIDSAAwRQIhAIiNfVs27WSH3VNwF+ahgFdfV6DNKGjpqpvfLOjo848tAiBd\nXSTdNKV0TLbSrIQswmtJI6P6pjz/qmXJXmlnlZLGrQ==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUGXjUjUbgq2NvuPBs0aSh1cagIlAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJpovc/dcfZEMIRsLdTb/BvU1A+KFKtJi9Sz8470UMfT\n8pG0AS5uAoK+hfjCqrCcnCHXq+f+1/Fd0JUhE79yupmjfDB6MB0GA1UdDgQWBBTF\niMMk9sen81zTfcdogOzPWNHrjTAfBgNVHSMEGDAWgBT2acMBuvimOQ0KoUj1EwgD\nK2bCTzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgP6aaDu/d3FQGiJEbPGte\n3dRivr5aQX+ev5vd44cjFLYCICjqdBWxOwOEc+O26bJjUPuKoEPjT8YQnE8+Fc9W\nchME\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUezBuPlb0YqbR0LIbQ0pJcRslGvAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBEse5D59tVT+taZZ00b/2T/NEsvnW6fp85zOPvuaESS\ngPPvQRHXI6LLEnOwxUKa7SFoXz7oVuWqCipjgJmmDxWjfDB6MB0GA1UdDgQWBBSs\ncEhsBb4QNFcz3oN+EmvWWR137jAfBgNVHSMEGDAWgBRogn3FL5zOulxAN1npxHZn\np+xIzDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAKyHnJtwuOdDAQUJjBgp\njubsJ//fZxTlwf5ToyuAeNbEAiAEETD6kVqCJQ6WE9GBiSubYBRSqqbRLxTzmOVM\nk7bKuQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1836,10 +1908,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is self-signed contains an authorityKeyIdentifier, but\nthe keyIdentifier field doesn't match the subjectKeyIdentifier field\nas required under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUJxCwLAzib7sNZaVobdRPKqQrurswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZGcQlPE/saIyiEx1b0qW5KoLbXwrBtwM+VGkA\nlz3zdWsv4bOjKS4FHEzCLaZ0T80lVkYqm/G5/O7K1j7vQupbo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAf\nBgNVHSMEGDAWgBSvQIrDbyRxVREt/VFBrJ++3LmB1jAdBgNVHQ4EFgQUEWLNSb+6\nfnaCOtWPGGTPDJtdJkQwCgYIKoZIzj0EAwIDSQAwRgIhALFIkHSCN4sH9M6Ejy01\noh3Nl0r6FDnkBTHGGvHLiOT3AiEA+A8aOulQb4SOlyCzAVU9z5Z5ZoWx2v2+0tdX\nLl6XqN4=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUOXj4XlarH4DnQXO3DLbGLYo4aw0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMDdT97NJnawv7ESshMWHKOdpMlDg3i3ygFjb8\nSPeihBJlWIq4ofCa5d5Y0FpmDpI4HjrV/uugL4anNdIdtMsPo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAf\nBgNVHSMEGDAWgBS48jRSeU60vr+H/HFg9FRFnmfA9DAdBgNVHQ4EFgQUQcwm+8K9\nnVZ7tkQav9E9MODBRYQwCgYIKoZIzj0EAwIDSAAwRQIgYx6/gdwd+sibBR8qLLEy\n+esRzwjz6b5pjjgBDGuMroICIQDhaJnQMEvuS7QIiaYx4fVpq8gLApcSBTuqNvad\nL56CdA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUG0j8cBkIj+phMIxTG5Lr7f3iQ44wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABKWSQckNkcciqb3zxOQnwHSxFTUnqVb47fwd3fiKL+qQ\n7/p+Xwf8iCGyvK+5O3312hwuFZy9dRoqxZEvk0SqLmCjfDB6MB0GA1UdDgQWBBTT\n22YjH4DtkMjiPgPuuooJoWJ0OjAfBgNVHSMEGDAWgBQRYs1Jv7p+doI61Y8YZM8M\nm10mRDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOxcyMWW6hhL5e40oIFT\nR8/k/oyiPkWrBrobmjpZQhOgAiEAnjPB0l6yfqkyDMQ/XYoE/YkirhIskrIQ43Zz\nO++ol+g=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUJ8PZXrWpwkGAybTvM4kHkJPdXCgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCWimoVwcdqHQ7qNkVr2o1yb8pOssLe1MP79udk43qM7\nOtelNA1oTmz6eGbYM9r+WWx4KKSpj/9ewhE71uuO4xmjfDB6MB0GA1UdDgQWBBRk\n+iLWXDuZ99+Mp58UNd0tDwZSGzAfBgNVHSMEGDAWgBRBzCb7wr2dVnu2RBq/0T0w\n4MFFhDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgBdanNOjp9N2O0OAJc8KW\nvSaoYSnKe0G3A6yDBq99iZwCIHA3yEEb4wHgNvUfhpW3onKvA0SbIMHS23YhTzxQ\ntnD1\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1858,10 +1930,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.\nThe NameConstraints extension is marked as non-critical, which would\nbe a violation of RFC 5280, but CABF explicitly permits this as an\nexception to RFC 5280:\n\n> As an explicit exception from RFC 5280, this extension SHOULD be marked\n> critical, but MAY be marked non-critical if compatibility with certain\n> legacy applications that do not support Name Constraints is necessary.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIURnzx6I/m25LETdhrp+n0jJIsaIswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASTTw8AvOcqopbeeL0037UaVEtgj67WZ4Y4An/n\nPgRg7EWagA1cmmSLGg/nwDhh1xwvKM8PwCtA7E1DwjEwCZiGo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUa3ir+YeeRF9c3Kse0yeSVOZt3tkwGgYDVR0eBBMwEaAPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGoqJEyMaDn5e1mEIJhigVTSCW4n\n8R2DPZMRjfDNrmLcAiEAkLelQVmMF8iWHWWT7qyWDHbharDEmjKyw3UchcZepdo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUBBFuvkWymm//izhksf+lTzMXBe8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQblc66drrto45OJi/iKisx5y6KBAwP+U+i25nb\n7fMKutD6QZOG58cZzu1Pllk4zQ2ZiDbWkA3PIs63THDnO0dVo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIyy1I8rjdgpcLpnJhd2AyyQQXEgwGgYDVR0eBBMwEaAPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDwCSaS5tnedae+l5dbg5kTF49oi\nrVRsORkCbF5182iSAiBVInpHgHvAUZsqhBK3X6lL4aoL2UyHyQTgbygHUgFk3Q==\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUU7fQ2lleT7k5bJ1c/QqFUYHsJ+0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNF1elzdZ64s7qCU+mPS1fSByqClCVKxijZsoN85a2Hg\nM2Hb4oM9aQQdk+CXGa16BeRiZxyt5inZ8yCML8ty0qGjfDB6MB0GA1UdDgQWBBQG\nqVJbpK9FU1RuVQbKcXGN6tM/qDAfBgNVHSMEGDAWgBRreKv5h55EX1zcqx7TJ5JU\n5m3e2TALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhANBpO5ceyEZ1nAy5gqNX\nmDEX4ATImfIpUpRqA85oZM7nAiEAvqGlP1aEKk90GbUYuAkJb8kgW44/OhnMCvZT\nz/63aBY=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUS/pj4WsfNVAYKUazzsGtTR2APmgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJmIZ1eWlQuki0v9/PvjlZ4tVVYy19G9UC4KkovYN5Yx\n9q/DV1WxvGsCYIdJe8YGijTMuhZsN5wTCj8DroZ6gR+jfDB6MB0GA1UdDgQWBBRg\n/LYNgHXHCK16PcNk48zL4B01nzAfBgNVHSMEGDAWgBQjLLUjyuN2ClwumcmF3YDL\nJBBcSDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEUnb9vAUag7L+gF4ddm4\nG4iqVWpYdn//GPKccW0y/pcCIF91Scdpxt5VVxTtNkhht5f2SgFgRQIDJFhAWlLN\nGEdI\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1880,12 +1952,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe intermediate contains a NameConstraints extension with `ASN.1 NULL` for\nboth permittedSubtrees and excludedSubtrees, which is forbidden under\nCABF 7.1.2.5.2.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIht+LdlBpSryt+fq+l9BJBq13s4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmqBV2T3ii3Nu/7Bgf/2pbe9hndnhk7mTqdLUn\nyK/u/CxVl7kR1Xa2XhGv3xQaPb1czYmuPLh+ckG8Pu7pEsJio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5rd6fGmFCaDeKUhmPjjQmIfY6TEwCgYIKoZIzj0EAwIDRwAwRAIg\narKUFhMFMX2dkVIdzMKK4hZ3ATn30VoA20dNdgvaTZgCICFGrJFJkrEFl6Vwap7r\n/DV/9ZdUVf7l9/G+wrlqp/A6\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUTaSwNrwcWyJlIOnkStnbBBDsixYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASffqkgqrh7hT0s87/Y8wcIVIS6Ho6N70GrE+DE\nCx6WXRELq5N0exKr97oqaoZnnjTl/HmjHmAJ0d9gP0XvRryGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrHTFa1buqh5BhyC5NNf7khg8alkwCgYIKoZIzj0EAwIDSQAwRgIh\nAJ2XaNb1eSXH48uwAG6rg6DLOekyCAs0x6FFKrdHAmrGAiEAvcehZfxMi25mMtmy\ntEWAzOx8zqPeliJPzO6fcupbJ5E=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICEDCCAbagAwIBAgIUHimvTSpkO9AbwM6NzJqazfMQiLQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAxOTQ3MTg3OTgwNzc4ODgxMDgyNjM0\nNzMzMjQwNDUzODIwOTI1ODMyOTUzNzcxMDIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOs0DdqeXv4nOWIHs3eUYNwRAs5VuEycPfWzYoOZMkt1ZJAsNSqzRIQpEQUP\nXshJ6EGZcLUUm4RjyOYGV6G1NXKjgYcwgYQwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5rd6\nfGmFCaDeKUhmPjjQmIfY6TEwHQYDVR0OBBYEFKDCaME/UDtqmr7BU9BYzYj+55t7\nMAwGA1UdHgEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIhAMsqmWklsJS/sOuyRIWo\nj9niSKyOCsnDpsdacf+19qb6AiAymIDZ5QtPvgMG9DyLwa/9bzUyMT1ZHDliVJ18\ngynXFg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICDzCCAbagAwIBAgIULLbG/lpag1ae+x/nUCu2R0OxvVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA0NDMyNjQ5NjE5NTM2MDg1NjUwMzkx\nODMxNjI0MjMwMzU5NzkzMTQzMzkwMjM2MzgxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABD/0fQCOKKdWhP4ErNmM8T3LjGAgwE+ZnDM6GdMUfU5OxbilyzqedoA3mzJa\n2qhO45Fa+/UQ5xmvTkU/cFoH/oajgYcwgYQwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUrHTF\na1buqh5BhyC5NNf7khg8alkwHQYDVR0OBBYEFJICx7LfIXbRAmlzC62OwFqYXKLN\nMAwGA1UdHgEB/wQCMAAwCgYIKoZIzj0EAwIDRwAwRAIgajo2yUcRj9zAj82+6Ivu\ncJp+1t52OvZ1AvN/GN4fjpoCIE7Nc1I05+e/XsAt3l2OsSqhkYIfGYuBKcWpuY2F\nZL6O\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICADCCAaagAwIBAgIUY6KOO9hVsBGH3kB/w3UcwwnPi7wwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMTk0NzE4Nzk4MDc3ODg4MTA4MjYzNDczMzI0MDQ1MzgyMDky\nNTgzMjk1Mzc3MTAyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n/JNeunLMnn3YbSYfv8zuwBC8ZVUw+8GszD8ouJ3qf4DlWr8Iuf7gQsT03vSw5qDT\nf2YIUgF5od/dYqpJ+F1Z26N8MHowHQYDVR0OBBYEFCH5bLBFFjjGP5V83l1jsoiN\nuELwMB8GA1UdIwQYMBaAFKDCaME/UDtqmr7BU9BYzYj+55t7MAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiA/lq1TyRzWCIU8kUpVt0eSMbD/sHHNevrYaDHWcPqh\nRQIhAIFyvMYAXO1wmbjVxAwP8pLKZDs6P2SsmwUqTsoAPaHa\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUR388Jkg1N2dSu8OTSC/nsYeTAsIwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDQzMjY0OTYxOTUzNjA4NTY1MDM5MTgzMTYyNDIzMDM1OTc5\nMzE0MzM5MDIzNjM4MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n+ubTg3Y3iWpJzzFKVlksZqFPbw1Zh/YapwVdwi307uXspmZDKJ0tH2W5O2CoQmPg\nZPmJAlWujLjMbhqEAakaq6N8MHowHQYDVR0OBBYEFGrNVObaLZqKR9TsIQYucLfi\n2G7eMB8GA1UdIwQYMBaAFJICx7LfIXbRAmlzC62OwFqYXKLNMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiAhZa2lF4Ei150F9fQyQyLurlmCKKxDT42nQdPLeqH8\nOwIhAPohHyruR9pEvW8nogawbUG/yNjCoumRPmCa3Fk4USqB\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1904,12 +1976,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe intermediate contains a NameConstraints extension with empty sequences for\nboth permittedSubtrees and excludedSubtrees, which is forbidden under\nCABF 7.1.2.5.2.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUTB5K/fhwMBaulZdToG/MUfMRQ38wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR7q6MLqy2NH6VSYcw7uLkcG9QMmUE6nqOq/Zuw\n6m05WRj2Jcwi/PORTa/wqsGkqEzKDNGJPwubEtOKdgY/vJMZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZOOC6SkUCefG5GzC2EegRPlPCFIwCgYIKoZIzj0EAwIDSAAwRQIg\nZKNB9KN+VS11qnFyEy1OJpz8kncn6md8EUKn+TAwMR0CIQCMVe5G3IXT8SA1VQ1m\n+0Ofv5uaeg5SVdbzN0RZzpTsTQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIURH3uf6brFqt7LLERNaigUe8omTowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASitYI+S/ucR3xpZ+q5uKP9kz+1jhZXYvlU/9tL\ntLxEtc+YbNq3nYHbBJKCs9A5FBawRVgrWaDgTwOcAPCXsM00o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvuGkDnczUUwiRpBrnuIQDHsdqUIwCgYIKoZIzj0EAwIDRwAwRAIg\nSR2eiyI84wIGiP+3RbMflyOmIzWyEdZKhXM5e372cdgCIFxXCq3EjDoiseAJIF6b\nCgdCYIttkaRTgbTiWdC3iRIF\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN 
CERTIFICATE-----\nMIICEzCCAbqgAwIBAgIUYpM0jON3pcMet1LAmxooo4M1XeAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDA0MzQ1NTg4NTM2NjkzOTY1NTkzNDcx\nNzQ5MzY3MDc3MTYxNTk1ODQ2MDUzODk2OTUxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABHhmNyWSzstSvlAC1d7CeVoJ8N46IoG7dL6oQry5/3utqkGKyJA9402PC3ey\n9p9jWsMOvPHelqOb0ngGYduSa2ejgYswgYgwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUZOOC\n6SkUCefG5GzC2EegRPlPCFIwHQYDVR0OBBYEFD7CUVg54VitFeJNHe83Pi89YrOD\nMBAGA1UdHgEB/wQGMASgAKEAMAoGCCqGSM49BAMCA0cAMEQCIEy0k45oFk1aVJ4e\n5hfHZ/wT+vK+APFImZ7jdQm46AC+AiA95vpZ7qzHnEEDQNZfYRSs2RwuAZKaN11K\naeMjn3k68A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFTCCAbqgAwIBAgIUXG+UIdnE0VwWyRORE7AZIyXP6YswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjBqMTkwNwYDVQQLDDAzOTEwMTk3NDE3Mjc2MjIyNzAyOTk2\nMzE5Nzk2MDIxMDUyODM3NDI5MTU5MjYzMzAxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABJwKMzcL2Ed79Mg/JnLMCtQQaV3YhqbDIvvr3AMMz/Lwpi06oiteJUaYFVBS\n40XV9HExjquz1MYk/iXeSitsbeqjgYswgYgwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUvuGk\nDnczUUwiRpBrnuIQDHsdqUIwHQYDVR0OBBYEFJyiVgvgraMk/U/jmQiVUbmY+iAB\nMBAGA1UdHgEB/wQGMASgAKEAMAoGCCqGSM49BAMCA0kAMEYCIQDfp9XkwRZav9C0\nyRzijvq0OY5MPIyQF4azY+Y4SESyhQIhAMOHQRmWeVjmmD7OozIb//32T0ZWFeQA\nqS+zWhWPVxwc\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIICATCCAaagAwIBAgIUProlf77VSRypeyARfr3WrPlFqzUwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNDM0NTU4ODUzNjY5Mzk2NTU5MzQ3MTc0OTM2NzA3NzE2MTU5\nNTg0NjA1Mzg5Njk1MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvoNf0j8KqtoNFub31wJjw0ieGu/rcspFTylBkLq0OJyIVGPkYoa5q+HGeTcU2808\nYCe/CSUVZrZsjTmYUM73P6N8MHowHQYDVR0OBBYEFIm/tKHG1GG+RMYLWsv8jE6p\nNbcbMB8GA1UdIwQYMBaAFD7CUVg54VitFeJNHe83Pi89YrODMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEAz+KyJAPSBz7NOM1wcUKXXz+tD5yj5rvROpojBC8b\n43UCIQCsDW77Tc2I8ZFEGSZY0FmWTp6BQTlrn2mOK7Mr3xYVOw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUKYuUmxUFrdJENNAzz54+pBcR9NYwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzkxMDE5NzQxNzI3NjIyMjcwMjk5NjMxOTc5NjAyMTA1Mjgz\nNzQyOTE1OTI2MzMwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNzAwMTAxMDAwMDAxWhgPMjk2OTA1MDMwMDAwMDFaMBYx\nFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nSb0hasmdFLQOATHhoOM9O5uZeA3IeicGwsVE1DMJQ5Wgu0yQbz12oiH3O4nrPle7\nJwH0HjYgnzGRSLOB8CXYoKN8MHowHQYDVR0OBBYEFDi/4YQK7ukwuR5Bublz+bdk\n4LO4MB8GA1UdIwQYMBaAFJyiVgvgraMk/U/jmQiVUbmY+iABMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNJADBGAiEA9aFabAalj3rJWePuEpUqsWCefhP4Heb3V9EiUgdZ\n/KwCIQCUMwQSk3l2+v0I3ev33p8bOnvqZeTAlWA7vEDF6bQIXw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1928,10 +2000,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURvmop+UOf7FglJSrs1eVCtbFr7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQIkssEDIUB59ZBA4TTakil7oRM9CzkW6vYKp3F\niJawiKfI03bsfl2PceIefz4qeq0KV+pULfMIX4cwKNH954eeo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkpI2v5STA9gjZHGXQ6aT31yXIyAwCgYIKoZIzj0EAwIDSAAwRQIh\nAIpiR963JFA1Y5iMC948ez+6XYiimVQrlqq0k3hLRs+BAiBixP6ZXGHhhmmEXc9F\n7S0dT7/q2KEUch9Wvn9qm52Cgg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZRMNXKS4EgOXn5V4JSzPY0/XA9IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARvbo4AgLpItplV4cyHqOzIpwK3DLbvEl9gUHv8\nsPXPX8EMdFLUFyq44ytiOVX+8LW3+9o3KG1MfvJeKyc6Nm/Yo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbZabB7zHXqj2ZMJ0Y0Nb4TRAMtAwCgYIKoZIzj0EAwIDSQAwRgIh\nAIyJhR3ohfol9rRHnKYspKFNY3vms0nsl2Z53T/3XMDvAiEAnYcH799UCCjHr6Nf\nWN3Wl1GfURU+I1DN5N32Ym777XI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUTCpWach173vfsIeU35MxedfyybQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABH5xkjyHEF9YSJfJiCBjYmok6dI5j/jta0s39vvfaUaX\nYRdOu0jz0bjFkZeFgCbnLUhgEFc0VxxsgkJex30JUwCjfDB6MB0GA1UdDgQWBBRx\nz4GB9pOx+/lh3/otHk0i/umZmzAfBgNVHSMEGDAWgBSSkja/lJMD2CNkcZdDppPf\nXJcjIDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKj5Ri/ST1tj6wNKZL+m\nsPa8Yp4oTLwwdNMEgN6IOvhsAiEAn3YAaGqNvvmVACEIdVDF3pDQRr8l31221Npq\n6VwRMTo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUKasbmxW4qTI4CglxvJFH6IgjjjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABCOF+dJ0Mf1oRpvZ6+2bi9zpVJhkn197x5cbbTuTN1yZ\nvUfyDoFkE4x8vzag/xzGoWAN6lQQr2CrtpES2ZPn1oOjfDB6MB0GA1UdDgQWBBRe\nSEPz31ZDQ+YbmHAkPfWvcLMmXjAfBgNVHSMEGDAWgBRtlpsHvMdeqPZkwnRjQ1vh\nNEAy0DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgetNC8kwkAOJCL+6tcKAI\nvB5LNAG0QeKTZFuWj0buoY4CIQDcZdyPSbTS/Q2KO3Lvk/PgUmTxQwaXxHGCreO9\ng2qtAQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1950,10 +2022,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUM5/rFBG44PGw+i30c2XBeAoDUaIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARX812xM1naefsBPk0MK4IXLqr5GjhAXCZwiuHG\nxbx7HaQtcPnqzyY86LetqD9WBlhkQSvMCdhRrqIsFc0LXEjRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkQlK+z6UNkpeWMSr/u8K1XoymXQwCgYIKoZIzj0EAwIDSQAwRgIh\nAKld5Tf8rwKIS8X3G7i5UvfJRwPN+gqJ4Oj8KI+QMHDnAiEAlCvgey9/okM0ZWXA\n/9Umu7Tpb5UlqTvRkl8LcmsPiEo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWROc6AuXimYHD7iQGmkMkRjRGzYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASK4MffNpYiJiG5X6/RoTQsBDqtpSwK5b60tTL2\n3b0rivS7VkjSfY49GydaPyO1yBcnt1NEsVftilIqlLAP3jsXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUP+5WUzYREfxktfvNE1VQxPUuWtIwCgYIKoZIzj0EAwIDSAAwRQIg\nDcIYQOORs1qeo0jIFQUJdpNBQRHDngcsGPLTU8N9qwgCIQC5tjcmcOXQyNgc+9Fy\niIlAQ5MEntRdLsuJ/v4u5YicFQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUO4ydM1rDgt60rlBu0yHrT1C4awowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABM+bGDx5z+foEgPW2YJFsLiobXRgAYrRDrRFp4RSiSeB\ned2wTkkFAzKhPgFR9VuA2y6RvFoDrh3WCmzpDWX3rU+jfDB6MB0GA1UdDgQWBBQf\nOHQOArcTjnpmDYo4VqwXQW9t+DAfBgNVHSMEGDAWgBSRCUr7PpQ2Sl5YxKv+7wrV\nejKZdDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJHiHwwQZ/Wf7nX9qhyg\ngc+oZNRTskIqMj7Ysp2K5USWAiAWqqQaQOtdGwL3YIv4nIpyjp2sJdiuK1YiKTCp\ngowqCw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUTYU0RERV6i+LV0tmC4d+0NckXyswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBmcbXqp8Z3vp1AKiuTHT234myd3AwzP8ZWlMOh0k7Pj\n4ftYzcOIgZTkkbmce0O2/pNjuaFws0vrUjlObwI9xi+jfDB6MB0GA1UdDgQWBBTz\nCJenml/anG/KXibMni0utKReGzAfBgNVHSMEGDAWgBQ/7lZTNhER/GS1+80TVVDE\n9S5a0jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgVdfkvRrwGmYrE/f4A2Ni\n6sKtJ2FcGxTdHqpL9gyNSZ4CIDMXLXg9BZpjNPm2oIUW1MXMg8muaRAzn44uC+Ja\ndGta\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1972,10 +2044,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGoNiLtHwnzp7ALV9g9VijRnLVGgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATgkPBOaMhaCIZ6cRW4Oc1CWYCUlEDBnxc6QiOH\naqNG+JUb2b/9ciUKLMsRFfukyXEwczxGWXaptXocss9hmF0go1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI0Hq0uAEFXvlhKkFIKnuDfkxW/4wCgYIKoZIzj0EAwIDRwAwRAIg\naRYkcf+nXdGT8yQz2zEzfBGpTOPVg4SXylrPsNQDg/kCIGnLX9KdHxdIIf06ejqD\n64QkLnVDORgrFbdZC3JB9150\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZGoSGfJMF7k6bvZ/bN1USCqSaz4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARb/FC+G128cmtw9kloLyUAm0feyJKbu+DS8xV3\nLBGYxA61QQCRLrvgZBfLD7T6X/JcxCvSF93FihIWUEdU5xVOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUDMvA2WBkyWVrRZHD80A9BgIK6lwwCgYIKoZIzj0EAwIDSAAwRQIh\nALwRk0p9FnbfidhzKZto9gsBfNnJbnd2HO9bnut8D8JtAiAQ6bkFSXyID7exNf7u\nsXKaznlPMZGJN7wR36OUiAP4Og==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUcCHw6/uqhDQRF7biMM7nOBTiq1QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGfnLGGvm16IuXQzfmzkkTDRFIyALg65alDx55RSiQXw\n2s9ScZ6ftxfysP2DFtYdcQ6wi4lpHq/0+rjNO7/zxIujgYAwfjAdBgNVHQ4EFgQU\n70OxqlXHMgGrGkQ59p39CAS79mowHwYDVR0jBBgwFoAUI0Hq0uAEFXvlhKkFIKnu\nDfkxW/4wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBbkfhrSoEg9Ow6\ngvAIHOIXaV6hlM1D0iLA8/Frxy73XwIgQtkGhkwSzs02nj/PKhUP6HjPvTQJaz64\nI5mNHY24/Uc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUIq5Eb9A8nHpDfrQ1TY9UERCJ84kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABNIkaZQrCWnmxz4Ny1n6eK0LwcyeIRCf62BaV3p8ZYlJ\ncYNPpGWAZUHWx+8qpEXMDmUHktX3uEb+Tc1lNJtMayGjgYAwfjAdBgNVHQ4EFgQU\nWFNfYxH6a9DA2rJSsZN7SzT5eNMwHwYDVR0jBBgwFoAUDMvA2WBkyWVrRZHD80A9\nBgIK6lwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/bcePxRz6PrH\nDNz1QiFk/oZie+ZOPH/M2vw63r4UvScCIQCxrd9WLk4V9Tge20I68JqBouDQ6v1K\n3lMszckMe2UyZQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -1994,10 +2066,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUd/elsDks7wzeTfx9amox5uILnm0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATeDLvv8wwElproLlDvcL4rX0OUbQYmmxZ07keW\n9O1PLejPWN5jG5vIYdmyarTMpENQ2h8v1yWcpkw4buKZ1GZ+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU115MHWHWeeSSD12rCSmY42u0tFYwCgYIKoZIzj0EAwIDSAAwRQIh\nAJY/dEJFfBmWtA2ow7xb+fUcpYo7FKxXhON2/h916zsDAiBB1NRmUKYnxWg9d/gX\nHDRVUW9faaVeZDbdFE3Vmqvzxg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUUsDGj2WSl1WJQ2rX1wLAMvt89OUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASLtsbwrOYi5VWQMipR/0r73sQFnERlF3FYwqtH\nvGesC7AURoIIyAyoT0BGYwFcGxzDK9o7nKMz7BTkU6wXMauno1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU77tT4nb/RbWyV8L1XfJUZq02n2EwCgYIKoZIzj0EAwIDSQAwRgIh\nANDLPbPzmciSyw/lySDRQVLUusWYyD3c8qobcVRyNMo1AiEAwSnpKg29Y9I3Lgx0\nYSzdEJgwVFBh3WXL1ON4WJTOs0g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUVlq6Cu5kEs8oNWucEmqIJI1ZHN8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEOGZu7Cqajb/mjvxy3roIFZr0qKXBNC8xpgwpJ5eLvG\neRQ2Ns5Gs2RysSYtcFJNu21pLN8+e1dbNX8lnNJumMCjfDB6MB0GA1UdDgQWBBRI\ntStEBa2YpMpFmkzXwLBYz2dKBjAfBgNVHSMEGDAWgBTXXkwdYdZ55JIPXasJKZjj\na7S0VjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgFLG3XQWQYi7yh16O9RVn\nm8/MwwrOqputTG/9/eynmwUCIBxSM7jVL5AMpRarA7UlDnPcKnM6xH12H4vNdiRY\nBrYT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUDPPrakyx4gx/OmGwtnCKyGP0hScwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIteb4k/JDUnnZLygXiOrQR8iLy2Dt5d6106kPTQGGHG\ne9fv4CqOOIYj2F0IB1K3xZfUCeyVOcLHXamoHo7en+ujfDB6MB0GA1UdDgQWBBTP\nCn5SDeJYP1cAclpDASslKJUCsDAfBgNVHSMEGDAWgBTvu1Pidv9FtbJXwvVd8lRm\nrTafYTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKHDIBImNWud3pMbE6uWs\nZRk6OFiDs6w9nqCAYfZRkAcCIAvU8qGYwO0yL5PV0Aub6aeHl2EG2t7VRZEjfUvu\nUOTj\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2016,10 +2088,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUH8tye/qiKtHklf8OLhWRmgatqwMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT58chuY+YChUPPS5hc0eqpdt9602RHut1uWnqI\nqDOjOkwHo/NB8IstXlgxZtRWro1yKSn+Va88iPxmiS3dED6jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7kj1203RFEjQmQ3xgVhfV31X2Z0wCgYIKoZIzj0EAwIDSAAwRQIh\nAK8kOj9zSe9w3Y6GUunFFGzZni+Y0p7MMDXbf+3lmu7rAiAlVaUVMi+ULotZZNv/\nnb+xj4e4GC7HpEscXif0EAocug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUC2ASUvJwXhdgCnizMo/B3/MnlTAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATkL47VDAY0cM7wIpoGh6v8mbLv/FGXDvpHzoaO\njVtgmZPi6AWcE1rHLgDwLIGrHNvjasZJ4JO0BBMuUmiq1YgHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkWJPTiI1AjmvQvmxhGxcnC+eaWwwCgYIKoZIzj0EAwIDSAAwRQIg\nVZ4L0gjpB3zSg4jMUJvKIap1a5fUsolXqwaT3uVfh/4CIQDxlS82XfpIUL4LWRdA\nFAUAgPEVfAo7dgHGlcruxCgm0A==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtDCCAVugAwIBAgIUInsFOuvYur5UJrFhCkI+xadjSoMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABA2q9TyOtfruAnbMtlG6wKVJNT2LGgAI380sHxlQPwmd\ntAkPswHoLE+aDHatOO1Aco80Q6YV4qoXfg8dF5tXklOjgYAwfjAdBgNVHQ4EFgQU\nSKaS94YjT/ZnR7WdVUBxuR4TndAwHwYDVR0jBBgwFoAU7kj1203RFEjQmQ3xgVhf\nV31X2Z0wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAmvxq2YQAYjblY\n6nJUsqUDeLdXvd9uH2FRX+hWHdHm9QIgLbTGogNebmXVIDoy0/Fpzv1uOql+2/NB\n2x4zAj6aq6I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUAw3Uf2wIHTjOwES6+SebmysjzeMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLLSDy4jZhjDNKdL8VCdB/62o0yQm6sHLopZZBJoyUqq\nK2mvXh4S8/0E8SUeC9gs76nNFQ73uDV/sf754se/h2KjgYAwfjAdBgNVHQ4EFgQU\nbSt3hWNXc5+y+My0c2uX/968f1UwHwYDVR0jBBgwFoAUkWJPTiI1AjmvQvmxhGxc\nnC+eaWwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2FiYy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBaBRAleodgPAN8\nhbbwXLAweL/GDYGS6zVh60Dh12aLzgIhAIprUirPAQbzhzgkw8U6Y8XJDjiCc1VJ\nnr2jY/95yZ5Y\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2040,10 +2112,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUIUn+p+2mGpOkOrxN5zM33LGqpLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASiJz4uiRENGO9P/ABUQ9CMLbv4X7OVhV034Oce\n9VCbqJKC5AtWHfd5bTDvwMWLyxPbEoWtPz5OfbVr+kwh+wvXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqoWDPdsj7O+jJ1exIUxGFSfBRyIwCgYIKoZIzj0EAwIDRwAwRAIg\nTNXHHcUta1Zfcte92YQVJpix5+ODkxhy2GPX5R+UMrQCID+LCGtnq3fUCbKA3PZy\n69uB0z2788YoFwhuztThJuPJ\n-----END CERTIFICATE-----\n" + "-----BEGIN 
CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUO9c/ucbfEi5M4jrjFBWJaPNQB7wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQzHHKOL1pCbklaCXV6C591pAWUKpo/O3p/HxPC\nOw1iOrDjouRes0fjXwPLqLs3C54fvZrSzXiB4l9OQSd4hXxgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUNmNrcr0mSZRo0LGdS0eimzkxWfwwCgYIKoZIzj0EAwIDSQAwRgIh\nALAWpyOm8PP8M9hAnM5Bzh0jwY1jVuNS92/cQnXMoRU4AiEAu66mSSb4Kgi1FC+V\nSDTEzKCLr2z6+EEYJ1Tni5MreM4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUfMjug67/93eVmvlUUbexHDczmO0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOCuXFfYYTHxyWTlkD0XObxOW4Y1B0EL4O48AMh5TlQi\nsSN9z1uiy39f32L1rWNeF9eziEORlqo+hNImDbyOajijdjB0MB0GA1UdDgQWBBSL\n6Ai4YQhePP+Q7W24EqNkgORvmjAfBgNVHSMEGDAWgBSqhYM92yPs76MnV7EhTEYV\nJ8FHIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSAAwRQIgEDCOR3b0yw58KfBdbBkxhqRqdSjf\ny2uj1UIt+hSg/4gCIQDe6A0QPk4cQe44x47WFN15j/+ZK6Ly14kvvCgQZMZM2Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVCgAwIBAgIUGEWWEVDWPifSQlPUHjEQLVuDfiEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABLrNSZE4cfquI6hCBjCzHJ2yM+plhm0KF5SIjBx22rkx\n4amqJA6hoRdDFJCdnI6GW9AFFnFMMqCwvszoucZEigWjdjB0MB0GA1UdDgQWBBSm\nr+ADnIzAwDxWtPsf9nPknu+FPDAfBgNVHSMEGDAWgBQ2Y2tyvSZJlGjQsZ1LR6Kb\nOTFZ/DALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEAYDVR0RBAkw\nB4IFKi5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKZf0xUlckVmMhi4mDfnLNX2Lym8\nxRm1oGp2KXKAsnluAiEA1sNOpaoePzIsl8tQnbDgp1262ajZES9hX1Hdaa2dgJ4=\n-----END CERTIFICATE-----\n", 
"validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2062,10 +2134,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHPsLxr3ScUlT7u36YI+Z0njYixwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARrlqc1m33//lhHCw4KI5KKDVm+E92Zq1b3M+7B\nUtJy5ZKehia8ayvky9d8owDm85IlrM861iLD6ylJHFQgXRcio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUH+v0evJpmbEqvUIlKfoTkwR083MwCgYIKoZIzj0EAwIDSAAwRQIg\nVYWsfOmGKtCKPr/idDmjbGJw6V8XZZG2JR90CMmfCH4CIQC7z4Qf8fcfK8sovOeW\nvMRq4T4tVHdn87n0+uyDqElG3g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURORAJDKPEkQ90H/bNf2llwoSCRMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIdbvwPSVDZnVS47OJt+Lyj38sW0dF2/kGC7gb\nPcD54LHlTe9i/pS3u2aw0ElSk39TQTdALOS2kSK1ISZNPVUIo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU1r8jynjnRCrqC3IDKJTDCG+ClmkwCgYIKoZIzj0EAwIDSQAwRgIh\nALHQfq6HlqMP/1kozg3A+VFEZ0sYAB39X3zsdFLuiqc+AiEAwUzzKE3t3KTNiLV/\nAXS4MkZ6hFm492jXWxN1V1OYV4c=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUOA5M5RMq2vAEkLMIc3Be7+1dwiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFB80v8xwwkDjAZulFkqHcXAOtphBxdYMyId2l/wVo2X\nkJxa9nitTa3Jrz2Q0rq7ZGvPOVxw3lAXrFIQjROCKdmjfjB8MB0GA1UdDgQWBBRP\nw68zuqvdWKY0xWsoDdTvpwedqTAfBgNVHSMEGDAWgBQf6/R68mmZsSq9QiUp+hOT\nBHTzczALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBQKmPsZBmlALCgEnl8\nPwrri0fLioWy3j5pICqaDx9OQQIgJTlYJYUYwrGQN/GDi9Wuh10ItwdJoX/l33bW\nXsWNnEU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVigAwIBAgIUR1HCDhs0VJSTKf2t74vIbwkW4a0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEojJ5URTXEhj/JB7tZVLLVRC07rClXQityldOURIVFR\nbs8KrC/0JNw228hpevTHD7DGnpooMg+Q1rvVYMBaUFajfjB8MB0GA1UdDgQWBBQX\nwaPQ9OeP/c7E5zlRdU2VidtzqjAfBgNVHSMEGDAWgBTWvyPKeOdEKuoLcgMolMMI\nb4KWaTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBpetM9gFGXo9qQXbS9\n97CTu7P5+DniZryG5y6QYs5d9gIgVot5opY0IFZ55rc58h5+BgIFKGEI+kvBvt1K\nlvEEdhQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2084,10 +2156,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUdlJhdtu7i7FI21p4enwBhz3xUKIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRCA+hbDPpzvbYgOA4a2zJzJfL2Q8dTAbT1IS+\nqjqbFQ/kb7XjNbdJGn9EUYdKL7L3x4CVYOWPmNRmjG+ipN0+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX0nLxgslQwSmivVq6XBLvkbh08swCgYIKoZIzj0EAwIDSQAwRgIh\nAMRW4PEHOENFzUNJCF4Ead6I/w79P7b4QEORPP8+RySpAiEA2ERjKPyG1i6jtV2R\nKUJL/8FIRWNDfLsMAEIqpHz40tI=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZazi5CSg1LlGpICvasKcJooQL94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRzlvXVBdDjuzPvpgTX00Nk9qMpyQjbgk4iFJR\nbn60ZK+8cfYTX7CAEQJIGqxoSMZYHJDwXAbyAmL8zR2FE6Iio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWXghkbquOvKR4h3yOCVxhVJx3xkwCgYIKoZIzj0EAwIDRwAwRAIg\nIJ0fHtoxw42BzHUl71iaO0Tw8dJZa87UsdRQmn/qxloCIG74fTNwGnfqrWWJjTpC\n4bxO6S+wVA6Rl5MtXsCzUIEm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVugAwIBAgIUF9/zvl87Slk5b2sd32j/9Ki3/LAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABEH8HWnYvLWTwj+S6dDqUtIOB78a5KM78FI7cJ7z1vnP\n0iTpblOgxFpBj6QhVZht/KqAwvauMchPd+bR1MDxsSOjgYAwfjAdBgNVHQ4EFgQU\nJQREbQAuRgy4wUfV79cOFoFnj0swHwYDVR0jBBgwFoAUX0nLxgslQwSmivVq6XBL\nvkbh08swCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA/NoVRQOytdQx\n8vlnyH03uoi04JblWQvwC5aHy+uMnQcCIQDQ4ecMg4MBgfcDW4ju7AjFhQSu9e6k\nnLBQdLl6qvoITg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVugAwIBAgIUXo7t/OdaysnAcEgCF9hFJaiFB1IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABB/JCtCHuLKcEXH/Hv7CuwvfAbC9hWcIriynNBS+9jqF\nGeoe9gfldQepAayTiuj+wy/xh2R9Al4x6iv1MNu3PhqjgYAwfjAdBgNVHQ4EFgQU\nHCp5osaMYjOPta/cnqUpVzzmQgwwHwYDVR0jBBgwFoAUWXghkbquOvKR4h3yOCVx\nhVJx3xkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQT\nMBGCD2JhKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAk7ZB1g/UMXYV\nhf8v4LnBgXEVI36CpNdT2LPqm2PpMIgCIEEoe/SGi12LGjM9TsAS46pHN+riRJQM\nSbf3rMAA8ld0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2106,10 +2178,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNjSAZshCrW/UDpbw1vyZUCvUjS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ96iqrNR4+ByJHb2JdJp7smRE4fxl7yooKS4jZ\nq3qxwaWuc/XwRG4fCQ4OZ0LBZ1wKJWe8Hf8Ia+Kgpl4muS3mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0D9iaPNDcd0Hkvg9RcYQAEKBDLswCgYIKoZIzj0EAwIDSAAwRQIh\nAL8QHe65rnpeHmDu7M9qD96lxGYOQo7tiOLGp7v5JF/AAiA7RrfRxfXYq0+ebjql\nLzlPFYW8z3GIgc6Pw4KVwXg/Kg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWXW8me4AH+p3lfKq4MxySAGXZ5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIqCFFk0cQqUHoMOraFkRR40RRIkuExNQF4qYX\nF0DJKaC/RHulUlmvIf9YzOjWE/UQJ9SOH79HrU4mAPqC88D+o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrw1s2193tKeJpOL64/7xFPsoNxowCgYIKoZIzj0EAwIDSAAwRQIh\nAK/o+RBGhTv+tzTz6pwDk6gB/RhYLgq9gYVqerTlbZTZAiBgqv/K18nisGUhaHWS\nOg9AN5hxo5zE1QYQib9qqFEeWA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtzCCAV6gAwIBAgIUKxSgjSuK+z0uB13rOfVsXIyobH0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF/5g1Js1UV60vKLs+HY+2wqQlDh2bjF0DGsAqQSJ39G\nGzBqVLcQN4u74IArVBpCiinxBFX6vT2gxtwfQHQyhVejgYMwgYAwHQYDVR0OBBYE\nFJGk8UpF/X0XpRZ+Yub+7lPl4zD0MB8GA1UdIwQYMBaAFNA/YmjzQ3HdB5L4PUXG\nEABCgQy7MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiBXiQ/nE+XQ\ncdMtxJjcZiu0z0yHLtLkrfSroh/2/6prwgIgF4SuAmy+3EC5EcmAx7kD4ZAR9WR6\nJXoxtY26+mgZV7k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUXEYsCC8cELArswTFoyWOoheVzAQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABGpNPOXOHdBIIV4yX4VE222W7pyzUN1FVOc18KnZWktg\nzdv9+sEBnU7JXM/G/jzLiaIy/xxSmQFnDVsmuYOpCeujgYMwgYAwHQYDVR0OBBYE\nFNKiHogW1e0bUbMKA29jNihNwLcjMB8GA1UdIwQYMBaAFK8NbNtfd7SniaTi+uP+\n8RT7KDcaMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAcBgNVHREE\nFTATghFmb28uKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAjmd89R1f\nArbIz0708ocLBwknZ4YElixrF0+gVBckIwoCIH0V5sB4K+1kIZMVQ7OsNWumrl0P\nMbvbdNHRWNzPauG9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2128,10 +2200,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUXeqMEn6PfTHdTMGcl9Gv2HcJXeswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJUSygWCBoDmOFa0/m8p7UWNWLDXVidiccOEER\ntK/JsTRYS3FHxdkMroamtnAJqr2cOIdDbZF3Ec9vRRdclTG6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMAPlR5vBGCChM2SYZhjpG+5m3gwwCgYIKoZIzj0EAwIDRwAwRAIg\nNZfsooRplKPqJvXiGxxAaOlMCM01uQjtuIpnLow8s04CID8jBjvPcEX2btGwtST8\n5GB1nUqWbr6q/49cOXprJDJd\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUA+VKRL2A4ByxuoOzx96IKoVruUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJEDYThdMmO3feaKLiNxP+mvW9qzDvrQEb5rCj\nUEe+I2avvIbLwIjG2i7wpEV9zmSaqIJ9ZZZcW3nxekDSr6k6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdxw5/19xaUFNUVotwW0ayWb9DoowCgYIKoZIzj0EAwIDSAAwRQIh\nAOYhvr6f6QaoPuZR3nsp5j5zTNQMzkvnE7bNRR6PBbrvAiAK//oC+xwEUD01fyk7\nZqQl/DUyZzekSvn1x6wwKeL9Yg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": 
"-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUfTogJnl08L0tRF/C5gfsaidZP0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABPY1w++7pfSPnI5QJqEz+YXmqEU+G91qCLPIUIrlEPrn\n0dmllilD0qPVVUFEG4Sg1e+10FZRGAG8bm7pf5UUn9ejfjB8MB0GA1UdDgQWBBT9\nfFYT2frlKjWTzhOK89BR/s1Y/TAfBgNVHSMEGDAWgBQwA+VHm8EYIKEzZJhmGOkb\n7mbeDDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA84pdncXHJMqFtbYl\nPT8S8L2NfYKPg0BlCwVDheNN68cCICxnLFkvcvWGzYJoiDvDObzZSbe4bvCpBGsJ\nQq5pbFxT\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIUUwIFah9YKKEOMUfPxxhJAeX1DGIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG5SAQWgmuCt5eV8rd59S31Ox8agZDRzw7g9l1kfg+JG\nx+K1KZ/8FBdeKymB1MzoAEtNl/wx+asz3sj+WWOmmJSjfjB8MB0GA1UdDgQWBBSw\nr+sxf3ty3u/Zx2xSyBTaSBYTLDAfBgNVHSMEGDAWgBR3HDn/X3FpQU1RWi3BbRrJ\nZv0OijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGAYDVR0RBBEw\nD4INKi5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA/uREYSlkFNRzuxIN\n8hHD70xyIXxHl4i1JKLSXEHtC84CIF46AW4UfMoTpNVLgt6xTZSO8+DVjav5TyW4\nu01dXwlh\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2150,10 +2222,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZndDuuR1IdksQygh3a7XXaRROdswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS5S1oRX7u1AEhw1h5sujELI8rPJ7wUIReDl/vO\n2zeE60UUcsLe5snZ4Tw17xCXuDZTMHxKIPYw5J7595WPmeimo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUBTq3EQ2Nrv4rDW/+DcyqJubPTBQwCgYIKoZIzj0EAwIDSAAwRQIg\nEswRG+8wtMn58Sywlz9vyxTxXDxYxtutkBtyifMa+N4CIQCqYAe+grTGY4aorIXO\nmJAS+18rlPM03ALrveq5VklXiQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUN3hsRWhjJgqgYjdR0e7efiN+2QQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnnlgorQrzpZCerD3x198pM3LO1e1ykv+yW1/e\nzvx41JyeHHrarfgZZA+VOfy2pfjD157yd83fhjPo93Z++yGMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUKfhw75+krN3xs2WeJKRiRz8wCJgwCgYIKoZIzj0EAwIDRwAwRAIg\nAPZzniwWRJR2CkIp1CNgZ8ju21JYaTS7UudusB9fDFECIGkQinin8Ry1opXwIjER\n6MzZh+3t3vI1ii9XHmyMY/lu\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUPxTeuVjxomWG/rGKGmyXc/et3/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABFGJrfqCEBKrJ33BbVuZlAo3ZlMq082FwRMVZ4OdOTf6\nLcDc+sj7giANmRyu60aL0yxsOTw6BAKxIqVlZVbT1eyjgYwwgYkwHQYDVR0OBBYE\nFLIcLKsff9o2aMkr3BXO9jm0qBOzMB8GA1UdIwQYMBaAFAU6txENja7+Kw1v/g3M\nqibmz0wUMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAV1nf0ZJWLCPpKTARZFZIj/rv/Sz7zoVo4QngBJfXkYgIhAOrtQKiLbqhSw2dg\n7HZ2Kn0vkWeJYtpSPql2OGS7y6+u\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUG0rN0hwHRKvdc9I7DfoMrGRXvuowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABF90iqPZcGzL0Ll+Mi92P1xyNw50F6bfLUfxQYe94I69\nwi8owKB3IGrj9p1LJUx2eVLVR1ypRMm5wi7PG2EwhsmjgYwwgYkwHQYDVR0OBBYE\nFOxBDCn/W8Z1xCPywttgcuF0P/5gMB8GA1UdIwQYMBaAFCn4cO+fpKzd8bNlniSk\nYkc/MAiYMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAlBgNVHREE\nHjAcghp4bi0tKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiAfpOflALO2Q+jRf2x9izZR3VrzoKHLlREFOnYQ/xdLhwIhAK1ETevpsjmE3lqX\nRB34FVjDcVBQe11YtRRT+F5B1ChZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2172,10 +2244,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWA+lC4ifRkQNSZfyCVI3X1B/SyowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAROrswWGvGTemvruXFgvG5TLEKrNxqGBwySBO8k\nPiRo8fVYUl16GphOy5OWnPx7rm59Th7PkJ7IXk5XujxAngP8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn2pvwSJfSVGuQOwC5G3HmVAzDUwwCgYIKoZIzj0EAwIDSAAwRQIh\nAPAH+nAFBRzrCP1ljgOOSNDaEFFwr5CIhrlocwqv9QsbAiAGdci9rJ5spG7MQy0f\n1YgDIVrY/l5XgxiccWBzXpXBBg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUDQzwBtePaZEI4juy7SuMgjK3nMcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShOBAGGCvhpDSAycRs+DW7kBCvyujMYMw2b6Wa\naxGKbc/QAEGrTUJgi0/Lh/izK16vDrEvAJoYB0FeBzCkjOP8o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUC2jI0rCEeeKdUYRSij6Zh9x0m7QwCgYIKoZIzj0EAwIDSQAwRgIh\nAJO+yaGSgw+Iw1EbxeT3LCNujDW9sZTQPj9v1HuuyXSqAiEAu3KtDyNDWbJxeNvy\nESkZKpSDsXLtuCrfQRgFjDbxsLg=\n-----END CERTIFICATE-----\n" ], 
"untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUS/kkzM01c1eiD4h4yEbnbbeAE3IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABAhiXY2CHmhE5VgWDzNy/mm5PT6IitaR3mxIcZ3v/8oW\nVCUe/xH4LxVPCT9Mp6wEY0WZC8V9c4pJWZJKrauUQUCjgYEwfzAdBgNVHQ4EFgQU\nm/ZYypxBdjHFCGItRPNWth12+YEwHwYDVR0jBBgwFoAUn2pvwSJfSVGuQOwC5G3H\nmVAzDUwwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgNIFqp32cicIz\ncYXuxU/7L0LA9RVZiNtuCFGYDtNTxPICIBGcu/xoydZ8ooZVMP+BcyALjlgxZFF0\nh2i0WgqpHuNt\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIUHiTHlphBfeG5OpbBTw4W7vc8uLIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABE9AaaULcG6XeIgRJMP4WWHj+K4UN2a3jOS3VnaTgRhW\n5QxN+pITadQ9B2YnNqgVWA6uInQ55wCMeDYecumG+EijgYEwfzAdBgNVHQ4EFgQU\nsgT+tNYJ7lnUjrXnU8T0+lDQN18wHwYDVR0jBBgwFoAUC2jI0rCEeeKdUYRSij6Z\nh9x0m7QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQU\nMBKCEPCfmJwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJ0ByPTy/46M\nl/oQZdGz5mWNfO7av9Bql+KZwm98Ge8bAiB775QjFGsZvcT/ZK9a2Wq5aSUI2fha\nvCQGWtm3JIQ5mQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2194,10 +2266,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe chain is correctly constructed, but the EE cert does not have a\nSubject Alternative Name, which is required. This is invalid even when\nthe Subject contains a valid domain name in its Common Name component.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNgmHUzc1yx/whJXke9XnXSr94pwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARZRYsi3BEA+2o1BhOcw5Vx8xtAMbQejU1wyUKP\nwVGaY5CbtJOMwHt9kTzAzvE+g8o4b8f+rhIY+qITlSFfeu2oo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUt7ik+3kIJrkibvKvMsY6nKB0F18wCgYIKoZIzj0EAwIDSAAwRQIg\nITdaFx+ooK9A76T0YkffY2N7phu3mAhQzo/YhkKyDGICIQDSGdYr51Plu+YTldLK\nDygjohjhf8C1CTxIrXyM/kRZ9g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXSpj3h2/4JoAFQYVz/KbAm/QLBQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQwCGKVai0vzKuHbDR2EZPG0vNBmve/oxhfsvpK\nbZZg5BYPvPOVs+xMC22UpQuan7Wy0gOncsYum1nHEUKwCCceo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqlVjwFP8N2C9/C3Onfg0vDiu9YIwCgYIKoZIzj0EAwIDSAAwRQIh\nAM4+ky8WCkHB402KNoiwpDISyHUINNg/ESTm7BvsCWevAiBhzUL+Dt/PdV7BQTlw\nd+o86vgJZKgciR4Bx+MEBrNvaA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUKdW1l/RcWxLcix0qm0EbCA6HynEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABOrM2dHIR6bM1OLtxhFIAOFh++eLGG9BGiwuRgNMqZkF\nxTnKAckLVzgw0pc5F0TOtpNq6ORZdtpJdWOgEx4ASTmjZDBiMB0GA1UdDgQWBBQt\n3yKwTu8ZJVMNbedTHaPjNglcszAfBgNVHSMEGDAWgBS3uKT7eQgmuSJu8q8yxjqc\noHQXXzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDSAAwRQIhAL/d7ojfcCVexh1dhjEGUpFc6UJ7BkNN2tU30Mn5dwCQAiAmLPxb\ngo7KXQ2NM9+Bl2CsULhFoy3WGLe6h0INLwyTkg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBlzCCAT6gAwIBAgIUbM6t/y9ixg/YVco5cTmNL8YfItcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABK5kcCNZx5b+NyBlGMypm8dWBZXRJBtPlsXDQBoFXQe1\n0sIwnAhRUs+G7RqxWAqq4FourByos9zXDzDmqZ3pHy2jZDBiMB0GA1UdDgQWBBTZ\nouOQkuvf1w9nZU3VeNhOlCgErzAfBgNVHSMEGDAWgBSqVWPAU/w3YL38Lc6d+DS8\nOK71gjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0E\nAwIDRwAwRAIgMKrQJyt+TJWdyku1s1k7uvDMkJLHbkXDKtT4vt1XkUMCIDGx7eT5\nrGNayxB0nw3Om75UPe+CX2AZFp79h7ckEX8N\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2216,10 +2288,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDjH6mlyTQJqfdfjVhJOvD83v48EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATuQ9wSkDBFsuYWZMqNrCJSeik7xeMMoDFbQ7E7\nYO59hZYCgpJ0swXvC6Xdzpba6OR3/FCSSIryQkYj9f0MiPSSo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvcFgicjXZTzE6SrBM4rDiKOwyoowCgYIKoZIzj0EAwIDSAAwRQIg\nSbMSp9YaeLIb8XwFEjtcWMA5FJsj7tkNrzu/xIXVaW4CIQDLZzSvEMBGhGiD72dE\nv0IhsKWw8xExsiGtn95wENLjZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPs74uZJ3wa4U2948QDaiMmbNs6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARSJWUMoa/1+rcFcXN9n82HDwFIij8oY3+t/5it\nmy0Lrz8Hw1PFSTQaDeTrl5lKdoyLqUeQOrqK8oxqxExdA4O6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSMTjwiAveEBtj5h9Mdq/yNA+uA8wCgYIKoZIzj0EAwIDSAAwRQIh\nAIiIMyedLfJVsaHAOGtSit0GGbtkygfHWQjoSVEk9gqWAiAdwSip78UZ7IhGh4bq\nAAyjHh2sAxRVzl8pYRZxGHXLIw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBtjCCAVygAwIBAgIULs6ne3zLZyF5bq1p1Lu8R/jm1AkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABGZzX0EzW1lkN92vpEiUjNCjnXii/2LzBhawXkPK\nnEOOuXoIRfdCjjPzns7c6o9DNaQzIKzV7b5gGj7U2O+txJajfzB9MB0GA1UdDgQW\nBBQ+0QQYSMzXdM2dHi3lj3jzEtZ41jAfBgNVHSMEGDAWgBS9wWCJyNdlPMTpKsEz\nisOIo7DKijALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdt5+HInMe0Qq\n3A9WOvneXvehIuSwtOuv5quQrfRfQTYCIQD2jwo3ePig1WnTDVit3HLm0ne0aZ8d\nDooOfi3smDxLdQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVygAwIBAgIUWSe5QAEcChRnz0XcVMOBXAmH9SowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABNgOB14XxlKFJalQwy6hLs/ce8LLvB6//SUleQ2l\n/d5pcvW9ZTl/R7Vd4O2kVdz6fE6m8EUlfpalTs4IvEYNG5qjfzB9MB0GA1UdDgQW\nBBTim/H6OcPFlB+BUOFVuaVJVMelJzAfBgNVHSMEGDAWgBRIxOPCIC94QG2PmH0x\n2r/I0D64DzALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0R\nAQH/BA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgEW0cNYK1n5XV\nRfxXdoHuU1L28oh+lb5svPgYEcvHb8ICIA0SyiJnSRcwxsDslq9K7sWDKA5cd4VE\nSlBRJ1WvppS5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2288,10 +2360,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIieKJLg0V0F21sy8Xv/DCrECbn4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ4s9dqjH2VAdNj3oIBtPw5BY7jUgcXKkb2P3p\nITH02CZJZ0bIzerLHR0c4pi5xoHvLn/vcX1lP8hQSO94OsiYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZkDH1gcomapoC5Sk25JXHce7rqUwCgYIKoZIzj0EAwIDSAAwRQIg\nPXRCmEilWziM0AFXLD212jeuZavLKW/guFBGxuE/B30CIQCt8kWPzP33S21DmTMP\nEDCD4GVBGW0kgXL2ahqcaLvNbg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUN8gbkFfN2nDPkI7lUALsO9pEzJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARGoTb54NcrmUUDcZ/e2Rbd0e0Lhit2SgriYEiu\n9EMmKyDVgxikaJ8vOhybGi+aMgXJE0Lr1HLanpyHT22rhq5do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzTvxOjx7hy17cMoh3C+5Y5D2FsAwCgYIKoZIzj0EAwIDSAAwRQIh\nAJUXstVoMDVLHyC/oJ4+TsEAUwqDZnUGmc8G8s4B/3OxAiBwx4LETmgjsIee2bST\n2f2ziWZBeYA0pL5jNZMzhaaWwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIByTCCAW+gAwIBAgIUKDDs4nLm6JORxfkwV4X5Qrr3H7UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABDc6BzLdjkUCrbbuS3yLEu/g2CigrB3IcmLFiafSvdsG\nc2Q+GPlccozuu5kx2ujPRcrdkr93mbcXiCvfTs5Wv2ejgZQwgZEwHQYDVR0OBBYE\nFLq/VK62iEf6e0IPZBQjw4QL9UMpMB8GA1UdIwQYMBaAFGZAx9YHKJmqaAuUpNuS\nVx3Hu66lMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0gAMEUCIH84gjhx0dDA7tgvKcmZfmomxnt1rc9YCeBc86ZGHhsUAiEA4sD3\n+F27nxwTrTCw8pwaUDszGsnxCs9tc+Ynex4Ojpw=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIByDCCAW+gAwIBAgIUTGKj2cvEyu2Zv5swdrb1MaIANPEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABO7SGDmADR4IEZ3zHKblu39dw5c4r+PBbi3nSbENLf++\nv2Qa8wvalgttV1jvUe0IUFzpVnow0ToNHxw65xb82HSjgZQwgZEwHQYDVR0OBBYE\nFEqwzPvjz0GTQH/nCORhtY8wCKfFMB8GA1UdIwQYMBaAFM078To8e4cte3DKIdwv\nuWOQ9hbAMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE\nDzANggtleGFtcGxlLmNvbTAVBggrBgEFBQcBAQQJbWFsZm9ybWVkMAoGCCqGSM49\nBAMCA0cAMEQCIHkCV65QU7ZjHSDL/xONPHZL9wQz9Zyme0GI0asbTF+KAiBY9+sK\n/lyxgs/7MgJYT2kwEIF2EzQ0/8xW0ALlKjrkzw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2312,10 +2384,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUf1qAEJI+5g8zxoepENNd7GgGZD8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxJJn7dW+ol+EPJVQq+wBxSdOqOrrQ0WtHdRPL\n8JBQqVGfE7h+zGMAXupu9dI5B4Wf9ozq36CJUbyApUXc1HlKo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzP20282Odc0wWzUXEXYzfzAcwXAwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIgD1VGUHjPxHxI7wwWxyyIK+kSSN75YicluNnq\nk20UsQ0CIQDYPyz7hyaBU5eSBDsyoaJGj//34SqugPXVXw3MjlXm7A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUqgAwIBAgIUB2VlXiRIYH1Hv1pSCRaU4yuyCFgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQA7VoAsh+4+v2rvYBPJVwjyGpWxH758Sb5X/Ee\n7DYsJPi9iOr6p3nhaSkKFgv1Su83vXrhKaj5bcuYdKWqBvako2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo/fawQ3hgTGkIWMf3wA15bbKUNowEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDRwAwRAIgGxQJMela96i2HyXcj921FqJt/oQ9oJX0yPXD\n2vpPLkoCICyWygOSl36qtKpxbcH2kt7TGkW4UeFH1JklZ6OnkBlj\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUWx4snCVLYI8kvDZWDrggATaZgJ8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABIitDo8uKdpCoBQY2SKb2EFpUACgjV8M1IsfZ6NljkW/\n8KEjNTS7vI/THbF42bErdpzhENyvN67uHuVO5jTJyVCjfDB6MB0GA1UdDgQWBBRw\nOetwDg5qhIwPU3Uuo+Oqm9Z4FTAfBgNVHSMEGDAWgBTM/bTbzY51zTBbNRcRdjN/\nMBzBcDALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAJrEQma5nW4R/yWwbbrc\nUFQMaGduzGruRoBIHhxijC1vAiANPg1VKiX+JWXvkOWWu30j1Rrot4aMKyRyyo+Z\nIc2bBQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUfTXNrZYcAOmR8YUjYa4J5iokE7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABJw7Yx/0MHH/92m++lWgCVtXuX3CE+4kWiuyzAUXy0Hd\ng9D827lmz5iZvUqX/XDqKvb9jEl4/tggp+Qeo1AHpOejfDB6MB0GA1UdDgQWBBT0\n+eRan+Mi/8r5RQQY1N2A/8ZxbzAfBgNVHSMEGDAWgBSj99rBDeGBMaQhYx/fADXl\ntspQ2jALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8w\nDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgU5+MJdkYeXnMRqSLWNX8\n/CGCmGYT9JF1zCTcPysLzksCICy2nheRehHO52k4M+qAWFNOK2Denht7mIdrrEOa\nH5O+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2338,10 +2410,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert contains a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUHfxkH2b4YJnmkwa87nbXeZyrnl8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQJdvd+Be6FPA0niLmAHLqG6ca6P5t7r6Xr2SL5\nnXB3QN9ejNnOTf/H8GKvGVaRwQC43ntYjTiZrRiHFdF8aHfOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSkHbkH+PbpNCw/gnMYqWPVsV1YkwCgYIKoZIzj0EAwIDSAAwRQIh\nALidjBP22DvAYzYuJ8C5HQCcoIl19NQywUryfsdjOj2wAiAYYFcyrOWPX7tQ3iaE\nz3r6hcDd09RO0YxA37otaICYWQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGaryfwfs0l65ldeZdW+AOBEicmAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARYrU2d71xhV+0UsV9IW+DRiSCSahfVb864ObGA\n2l8ERJ4vjA3eKo0qfF8Yc2G07aVNUSDkhGbanqWSftVLC6SLo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6sxJJJT5UXw4GoSBKEW65Pk+s3EwCgYIKoZIzj0EAwIDRwAwRAIg\nTZs4uZjx8dzyOwQ61t717e/v/qWsLCt2LziVmxWCkscCID4tNdY0d4r3WvmOs97A\nIwvB0F6QxDB0Y6lKM6t6N/vq\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBnzCCAUagAwIBAgIUCvyjvJCzaWQb81pPsx2vufeOm+EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABNmpet5POCht36Kp2S2guwfK0J06RM422pCZrdUScKV/\nQAh5uea+FLrUjdJtZIZ1HaN8MHowHQYDVR0OBBYEFGcovL+UPQWiwQmA/CEnPwSJ\nKdvrMB8GA1UdIwQYMBaAFEpB25B/j26TQsP4JzGKlj1bFdWJMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNHADBEAiBu/Zsq4q9WH5JKH2i/FpvPwY6LBkZyucUmWY4hBNI8\n1gIgGaqAdgOswsNTGY+u91Ush5mEtLkq5MQSz73S1FupY+s=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoDCCAUagAwIBAgIUdDFgN9y8p9tnQ3l5voZ6eVYxWjkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBJMBMGByqGSM49\nAgEGCCqGSM49AwEBAzIABNA/WCdDEl7dlY5R59LobbKkKxKnzG64a5Y52+yrBEhF\nkP5cAMs/vQkK1vjjVvgSV6N8MHowHQYDVR0OBBYEFNRHdftrtJ90LRn1mojayFWM\nlZWeMB8GA1UdIwQYMBaAFOrMSSSU+VF8OBqEgShFuuT5PrNxMAsGA1UdDwQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA1LKsw+mVxZuSUz9yOpPzKcPt0ocwKIp91OkFxdey\n8AQCIHbenBjPPbK5HHVDlDgHz7EB/KVt1W86D8M3s6sPJyU+\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2362,10 +2434,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUL4kRFGHFFGpas4ND0vlcg++7s9EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASk2vohUolfMvlT6IUuZZ26/90h/mAB2xFQcOHb\n/66GgKAo4Zfd+kN/F8naHsXp2mOTNxNImx44J7i6hSaFIJLMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUMmqUM8elPML4/yFkzI8gTeYiFMswCgYIKoZIzj0EAwIDSQAwRgIh\nAJF7X1lrTFpq6qF4HZSy0vAVSgDsDgEcyMr3PI/v+YQ8AiEAomCPmmnZgVB/MZKg\nc1GWCdRJINJ9jtUBxWM3pazqAoc=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNh5nl89zJCfQvouzletlexDj53cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyddFHuxYxwOj6QdadKvDy91c6WBJ8QIwXyLYZ\nnh32wbpbiPaS4kGGUpD6iyLO5UVddBe1WP5EUqIrCBXDWqtyo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU/LGZKdeJ+m3K4srgiWPGgWnmYKkwCgYIKoZIzj0EAwIDSAAwRQIh\nAO9rcyEaByPCE/a5gy2WDi5rFxbj2et3IXY4UY6vVnRVAiBEqLR85gh7UAdFFDGD\nxL0Tvtiu8HwoLcvrpgMTDJIgZw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGITCCBcegAwIBAgIUYY1gKu/946dBIEo2TvYRzETUhwQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMgwggM6Bgcq\nhkjOOAQBMIIDLQKCAYEA88hwRLg4sjFwDsvIfIUQoB7VgY1yxGHxwA0sWuU8NlkZ\nDA+HZExAe4qcU1RsYED/ipOZv+BXgpC1zFHe+mAuEQ+y3ip3vAcURFWuSL1cZ6Yr\nwbMGAyZn25ug0XzrBigTqjVZYKwOIEIJ5cA3qCdou/kl5+EP1WJVPXQgtu92csNt\n20rp8t9eVhJJ5FrSJJE+VmODj9SrGoSGEh8MoJviPxFl5YxsIwRclzy932tQ6UAf\nHrJnmDKUpOFafD/3RrPrajWaCBngYwxMuFzDMZscsbNaZt65ZBu2epJtlx04S3EP\nGVZTT66EDh5OZ4BNUAOEk+p4kqFRJyx1rb/5D4Htll5L56l47fWisNB3yaNV4Mw+\naNvIRzj/gRyGZEzy1G8iv96WoEKVGGD8egqV7z7jErtXX9sj5lS6tIj6LhFug+zB\ncXVti+rzm67N3n1VvTZDtM4bVgB/Hl5w+Wyi8q6D5whlYnwRHN/pljAQukfw4tgN\nntZMMAR4axYfmiFPRL1RAiEA2ucq9VTflF4uc8IQRN82WtNQS31/4i5fU0KIIbo3\nrxMCggGBANXYEGn2eFqWWeM6Tk+vQclAQK4LoJc+1KbHTMuBMW8Ig4JKrIr34qwl\nAyta5TCQM0KuaB5vXi5ccif6hiyibU5OZpjAmn0l7Vp5sX4mkS7/qSno7TaBeCgp\ne6Oe6b4deIv0Qa9k2vj7+c9NU/zk4KJ6aWBLUVoPBnlNqJ5kTzFe7U0HRJ6DO2FD\nhWPqNRYJZwlNiFpU2VHyGWbB4h9OjF1PgUEWizFHYZA5NNGLBgoaDFjogs7AR6tk\nuzZZQogwjdYZT5xqaUrqiQBKbStNfTazJch1A7SikOJqyQmbdyJqLlsgpss8PF7p\nfzqPHILgEc6z1UEomeu91MWSs4EHZXJnKDXXjql8uYFxRscnqUDQQD+r6NMfcIzT\nDtIyLH28tuht9micNK2YzPWuWTz1keuhcUmfY7EV823F2zp+J0tVYnfy96eDmiNv\n2cB7urC5rOo9pNi7oRZCCIp98vJLW//0rmfRsdU100Wvt+sEvt+jDnbJoDfu/mhL\nphcf3VnU6wOCAYYAAoIBgQCtcw0TkON90CnjfAi8zQF9wsDfPteZv3ynrgynNyhp\nFoy07QETzCgYJKvQNhebEhWi9Wjd2b/AYieOIPKjBwIhoO2PTbEokN1J5o9Dyp5C\nv5630jya+HQX/C9zmvJgQoHh3aFInFbFf6FUcaMJBagxguqXbyv1hWziPThf0XEf\nnwd9wMlioNL3Gb7ryLYMnFeLKUwXM28FSXNJ7xaZuBqV4U5dLpV9gjCwnUM2tt1i\n/7rXcRzuiq5WPmHYPYJZb1FxUDFlAczzH5MKW/ZMUfFMKZOzj6cg6ctaovRsl5Rc\n32gPXsKAwZhvti28rWFBTwHZ/17A9IwhkFEoCtLwC2VspRAUcVxFa8Al/wKW+d9W\n+extgoBglZZ+61WApRx7qCRd+iAU/3/tZndOZX7WhPxD8uCi815h5jWwVMuqgGjb\n1ovQlRAyasPlLcmSlKG7HHLaLf5bbRT5qXiK6X6ue/zrQbGaQdbG8QBeeInfeH+i\nQuV7QvANiHo5toZCMp5MyxWjfDB6MB0GA1UdDgQWBBR1VkUU56aPidmvsq803DRp\nAu1EFTAfBgNVHSMEGDAWgBQyapQzx6U8wvj/IWTMjyBN5iIUyzALBgNVHQ8EBAMC\nB4
AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w\nCgYIKoZIzj0EAwIDSAAwRQIhAJgIY+aYvU41KW6GK8nyxTqZlxzbrmlDkmXJjzPf\nhI7/AiAIOLZwsL2AHLCcV6fr25AufsJZo6FWoUZ6rpWySSaMmQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUWO8cAFf1qiTSk1FyU2J0D62lx6wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAmbjiZHzZ5YFOvQC27ia8Z7nxdLoKJKRI05RXzr8CZIFN\nJ/DLTQ2vdr/4zPj4bDWSGtjuf76HpUs8ti5oGp2p2YrzsxZCPuOtebyX6qtEXgsC\nI/k45EnDp/Ho+Tkz2CM31eNMITmoeYORYYOJJ6BB5OjWRxU4NLu79tEur83Z2aWZ\nKAmKTqQ/NTpeHhJXLO1S8LE1byzgKBZnHxv45dOeJBo28X9K3NYFV5JcouBQ/bQY\neN2QiKGi+ecXvbvLrmDIMyjcb8yvwC6Qe/gdePb3sWFQk/O4Po2ckHWkiJ+ZTDGS\nLkHgFyyOHIzbruMdeIvnWUTjmUeKZPVLgBW+9FZ4oKjroPpUsbohIYvg/ozrnfcp\nQppbP8OJILE24n2PoBASTyG32kfPQ0QYc5FKl6eTIsBjrjxjWjVkklQDYKFHxhyE\nnEfs2ypD5Nh0DCJVI0qpjSo2GZssg8NKxkbKS7a+u3VIy3jnwIyeFUzgk60lzvS0\n3kw3XQQxh9iK8oEY43OxAiEAtRwOKgy9qUkhyJMZXQiXVAQcWXtinTTO7rUtdRmY\n5W0CggGAaV5WZaVvxjjrmMVkW1UgULuw6155X7vRamHZFrh2+6Osc4shvUgIyQZU\nTlA7Tf7D2w+/f8N2SBfP8NAo6IUKNxf5gE37pDxpp21WXzabm54WEiZACJ81popb\nrSILGiJcSpOx2WOaV+Sn3Fu1UrbZrxTTOrlzyXjx8f1nCHLXK2P2FC/CdDhl4ADj\nq7cfRzyB7eoZbUwb+wcwINUUgo5Tbr0Kl8fPfRuarBxATFsXlbVKS04XEhSR3Sxh\nMmWAsyRb3wWhumLavY+vfGioedAYM4BY1FnRuxaN9ovd33gZ63bEanXAE51BpQ5p\nBg8Zm/s5qBmkiLwRx9sPQgnUlRkyggB/kLOwy31p+0CvqcJyouXfixlmPOgS32p/\nWQI/8st8630OgqqDKP+7TvcV0ooz7RvBma/xak7uO6m2MnbOEGFXoGPzyDd72m9M\n3CdJYcytGZNAl1redoKmq3BuUFoiRq9gvrNUAEmgm2q2/ltLHlv504F2+gE+4Jkw\nmuc1g/PJA4IBhQACggGAVHIqjdpXLiD0sDJanmUpHKZXkJz0bMYz9caiY/Pe0u4T\n10ubfwriWjY0RgTS6IkjoPbZTzcErDxJJCXJt0x5LqqpVKpcFnIK0kgdpPmbLY0y\nrmJxEuncSgMNnPKLLvOfQaM9E9BW2qfVTX8iE92kNS/dcyu6wK0MId1l6E9f0j1B\n1K7OKGMsnfOMoLoLsUam+EgqPNfea3SPRHrjuTX1F5TTH+3Jwb05L7plafMbe2De\ngFjn+7xQmhVYmc8eC48fchi41ldVbqb6HwzzoDU1QBQ5iBu5Mau5uXHiJR5BABDP\n9VaT8+lo5iJPJJd05LRPegLvBatxMzEv5ElAwT8piBvh9Agwe533my7hlTkXt/er\n+O1IFnLnvNoj2BLp55
Bnyxa0YXIXubxPKXVQX242cYHhg/H6tNjVdoJemhRG+Zex\nOEK0dRgc0/XT1qwgz45kqhaRBvno5DAJexE6hw6pIo5BKv5ghZPY9MtpfpzGaKkk\nHr7nrFem5IDIn1kD0Xvxo3wwejAdBgNVHQ4EFgQUmCrRBXbaJzcB0rcmDyok6WuG\nQn4wHwYDVR0jBBgwFoAU/LGZKdeJ+m3K4srgiWPGgWnmYKkwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIQDzHhFqIUCdD4yjJQfWZ7MXbjYhr3CAqHeleIF3+UbB\nFgIgEpIOQrBI80Qyao5m7vnJMkpimeQTYcHuikNt+fK7fLQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2384,10 +2456,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGADCCBaagAwIBAgIUDKPk13drF5jxja1AHRhcjwwTLHYwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQCggpNASDMex2qMTNI4eXg0YXx7w9iY2zzKHG0t\nVgqb38XJsY38ux0wKxH8Hf47DLQL8T7ljuKxpeZ0LQYLMP22lYnsyaz+7UtBzJNN\nOBo0BGQmkCNzucMETLX5P+eBpkAPR8mxwxXfk4B0UuiLEQcW7h6vF3o8/sNkgWI9\nxBGacQcOmeC0qHe2U6L0Z9ZDrCQ0p1L3F39MT/y08E3YMxcjD2wRebwspxaQ1Nig\nD+dzdkPU3tPZsSPYB/tHZteFk4uebqhlo2uvk4gzO1Nz0fUTcLgqOAnuNwuyGQbq\nnO7nRt6fM0xpmZbLwIO+WQuKKo1Cz83ug3ASD1HFedk5ZwFoZ8EGwsAKjlbvDdtl\nrtXccK1gmVrrHMS/iillBd0yHFnJcq/gIc3Tna13qhy00qtEiDY/z/GhJ/fqNlS6\nMytv7bm9vjFMCTxuEm3qUS4Z1DzWA+ccdrlc3s+4iaDFM2bHZAsXmLBXXE2H4d4b\nlSYlI8D9WDdBpK1T58ZS+sL5PR0CIQC/5vLBZGtDbRVEaWXJbjpZrMzbIihsUKTA\n/nkrewwhTQKCAYAOzO8/HCuvaySC7A/ivTq96JjJ8lcjMWz0hquH/a/fF/oKqaLG\nlIA2m8QAuUlm6+CVhwbVhjamYlKwgd2HiO5CoftioJpaYhg1w4mLi7Ke1UqmF22b\nbN4WH8ruR9qWswDNTu6zpB2UkrcUTOWmJypEQuK4Jj98WMXGmKbdinR58H2IC6Yi\nuLar9udLoYy7oIGopyEpEDfkoNLgn5olNaDPAoJ3XOjur8Et9bP2BpVv+N1zlgNa\nvEWVJn8m5t6hCFk8cEhwGyaUMHo4C1XUJ7wUcv+ASQylWcEiCcu1kmVAsrE1vdpJ\nKxHYM693wVFm/DoCu5LXpZC2VRnYXlfYdiwTx6gXxb7fc2HvOUlLzRIbmOm5lTDO\nF/JQuwFSOCMzorynP+bIe/MVXIHzvLw7xFreD7z94apS3XcqfGyjFlraOMocYLlZ\nwq6sOC/TKSVDuO8DQRKwCVebuNcCGCxR46uEGXJqaVlUGCQRC45yib0SFqFJtFi4\niMAo//9kAcazSToDggGGAAKCAYEAiK3Ft/mj8831s9Z55kkqp4n6xeW1M6SSn73j\nQ8RDUcTeZFfMl3ixt0GbSWm2xTRixwi8fYklq5aisj4/zSTiqJE4MgeZwoAlTFzm\n19nUY8po7nnoU+D11EPajaOn/UKbQqKrWEYzNBtpr4CLzOqkMXFy5e5CDWbTS8Lo\noGA6Bbt6uOMzM07WUPmzJxjPmkPSEUl3hkJJdxAqk8Kr1JFIL4rlvC4MYIzBpNGA\n4nydf/NINdXCWkslYIVyYda0LLBxDjyIMT21mCVr3uArN5IxiPrSatgWcExszxdG\n/veS2lDndnDA0P3eKF7/FHmdtXAq005
Oip2lvUTYVvzV+mauIY8UM6oYX0YU5w+/\n7dh0Sxs4xkDwRMWfZ/1Z6l3CPQq1SKf+pOrCSk7A6nP8ZDpiX6jnn3d57n/6aVrs\nTtLFEspEz3Xez40ENV3tFAkMFNhVvGvJg6MvfdIwi8bT1Iijrfhk1UOEb4dAwy/S\nfr84/n275iHSYRHQ1qLix2s5cxbLo1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUupkhsqke\n+X79dAKrl9Rsm4AkE64wCwYJYIZIAWUDBAMCA0cAMEQCIGu+kdWJ9Nrc08O7yD5d\nW7HIpJ7+icAZBWEpThHuULYRAiBSqydpAYH9kFddQ5OtYCFhe2IrkJmQXN8aFQM2\nE1YTzA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGADCCBaWgAwIBAgIUCehTJK0MXn8iYVRea7O7Sv/YPN8wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExjCC\nAzkGByqGSM44BAEwggMsAoIBgQDNt2CYaNOaOCpL825ifshGeWmBX93jYnjbPiPQ\n/a1RjjYuztRfM/swi5JkuKm+ZNzTbIuFFD/5g4eehg8E0Mrmrecl7gFl3T5PrMgq\ngsddGOuiPPs5vWHXYHMyQ71mED4rcFoFhZ5uJlI3n2P1NxpXqx1YBIYspCwnoHlB\nmp27iMz3m83RviaW5voxgodzkamUWk0y1NXJDQL1DlcuFei5V/M3K15wJ6mArbQD\nQfJuGUk5zjZ5gj1Q4rr4MymQM0O5aHspBZi+UX0+8KEzqDI8LEw27yXL2UFDkQXU\n586V2QVBSir5xWR08PSGGhtouDw6rHVE0b/2zhxHXuAM+WSKAnnIaPtPiASC54/1\noqh3V8SemviU4oRsATUb+RTDVW1gqnwXy9xQsQ1gtnmqf2zUBz7TQS7L800kaSTS\nulYLUDsfeyetleFYHYOlHzn89BFamZ1PHanUIkUeJD5w3lcOhIOYBQqHHtsO/rFu\n9SsjPitAkeUMVr4VZFNqKdB0/7MCIQD67llO4fWwG8cW8wrDbEQuiBEhEMvkqoAQ\nB//aBxZOuQKCAYBZnizzmUcIuyV+27YgZson91IsXm9T7h9nUYmLIZHxT8NVAHcL\nzTq0sTrcnHpaZ94ZyH8icr7Nwj3lwN+nKLRmw08yle8naU8xxByNapQdObZya6xZ\nycq19CvdD0HE8vCZ0Et8I9WtaXElDhicfJM1v5Q6rxtezdqFKJ+Zozj3KNtUgssE\nD5wMrQHOkX8WmQbCdZLWlbMKbAySs33BFFrrVdsvnrF4cfOX+2iWO+HxdQ6r8Mm6\nQQQp+MYQELOIU8K5mM37sSvYZmqC3lDAZLdc6H+R6ySKJVe+WKylCy783BNdYduc\nDKc0rk0cB5wZqgFHQQvD+YXZflrA+Sh3WmQd7T5m2g/EztcJ0TrcfemEZo3SQIJS\n9vEacOxez/fwDJ5sSvHBuwEhFT8/l/rf1MqNqpu+Raf9QymA28osdeK6veRBX6fp\nUqS/GSWkP04HS8D4usdABuV3DsDZPzInlnbp1xPGLq/Oii7JsD5qwwMe7LA3U0km\nrYhqJ9wogoRaSCoDggGFAAKCAYBAs76q+HDfrdABlzR8aVBiyUBkl2uNABVdG7DS\narvRfu+X47rDmP8SgMg6bInqLWlFwBJgKn3LkhmcwCByUl9NxY8ZZEIsNn/WNgSI\ngn0WQTrp9yq/lO7SyJm76b2Zoz2joLdum5zzRcNWvQMsUe
jEoDJMT+eCglQO7tf5\nJT4+R3TEw0ID7ttkNxBemLt8/alGAuF9nQNgSrXj7/3/xdLEl7fqQcthj1O8eFIl\nPGAIn69YU1wz7TWOzzcOiq/KJaHDEAmnJs1ypkb/I16DSDdMMJn6OcbdKYletYFA\nd79zZuy6U9FZAUfWJNJswcu5tJdzmzzTfBaLxdzgY35HoU8z6fMu36+06HECQszc\nDWVDN8wBcoElO6hsoSNLMbuyLwWM07z+O+rh3erDrymesHegONgvUAhbBLkic2wB\nz/lMJq+xnsI8yCBTUNBnK/O8krQmlDLzTUPGPMV3V5Al4470CR8b/1uFu4Br4uWV\niJoWnTOZ8SdkgrfaAXDe3zt5d7qjVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSAP5HzfJiR\ntFkG+mnd2M0FTTGhCDALBglghkgBZQMEAwIDSAAwRQIhAPDWQ1TJonObm4kzhAmN\nNMY8/I3WRZAr3hcUpfkM+3K/AiAbUHdNr7kL6ABwr38nN71O9agdtTxeEuVYaKs5\nhcaV2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVegAwIBAgIUI9FvjQ3ApjRyct7MS+NOb7cWT1kwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAASQ0teYWh2U8Dh5KwHeTwZyaUnx8bpC/uXOAkNWAX/d\nvVP8TUtrqGvhKAzMva48YJwwqpccKK04mWZ6ReW5BE8Bo3wwejAdBgNVHQ4EFgQU\nX7tbsmk7eiYxr5DjmMdTw6KBhlAwHwYDVR0jBBgwFoAUupkhsqke+X79dAKrl9Rs\nm4AkE64wCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNHADBEAiBq5hDVZSPKF9D6nWDJ\nlsefo7eITLaABtY3/KFSOTk4pQIgKByEyB/6T+AG2i0yCWehYM1cXvNuykjjo8qJ\ncvdFR+Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBszCCAVegAwIBAgIUd0RD5kIIh5nBWHLk263VxScaIO4wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw03MDAxMDEwMDAwMDFaGA8y\nOTY5MDUwMzAwMDAwMVowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAATL6lbYJ5GuP33sXyawiL6AfoPR7+gcVWCa7vjTMgy5\nUI4uvv1VjObPLoBAV8xRpMF8mGcebroBiPx94VNM2G00o3wwejAdBgNVHQ4EFgQU\n20QV8PX5LG3Uh5Z8QoJaAldPv2EwHwYDVR0jBBgwFoAUgD+R83yYkbRZBvpp3djN\nBU0xoQgwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQP\nMA2CC2V4YW1wbGUuY29tMAsGCWCGSAFlAwQDAgNJADBGAiEA5YXeoEvaea4sJ2b4\nqR+fwXGpuVJxy0wV8KuC2v3BS+8CIQDu+YvQwXPpTglsgnAiurcIfM1DQL6lBtY1\n9Nk7msC8gg==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2408,10 +2480,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUMURUsytXy4SF1mugKva1jluEPFYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATx3ZsRVJf5pbAn6lq0ggYduNfkA2u6RZZjIaMR\nR1Ho7nmT86VZAe5DnSsDTmDGomMYkANVSubpyTV/sAIXF07Xo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI+scGq71JtxD934SPIbFvIKDfjQwCgYIKoZIzj0EAwIDSAAwRQIg\nZQx1V+Ku4/Dj4kIHq5ngb8CYt/KBAymrgaDDuqzNUa8CIQCKWTlaokjLZDvQVFg3\niEFdKJIxBZUAHpTiBWtXWlnXYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOX3CDVW9ZbzEIro0q6yUjL/YqW0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATJONO9p20LKkBbzNV1FTFtC43SusM+NjOmgwZy\n9NCuDyh+LVsEZ8yyFgUiOikrB121Sc1awp43oYPtyhIuHEpgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUveUdXshTNoTZlMUljnzQH77j+OgwCgYIKoZIzj0EAwIDRwAwRAIg\nNqM51NxTXCMmgbecCnPanAVOCafr2O5/osBABgfPTZ0CIGSZfmyQDLIWSi38ISz+\nWYBii7OGT/gu+Vp3EReD6h1M\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIGHzCCBcWgAwIBAgIUOAAFR5C2anCp3ecoLD9p94eJqjIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAiF42MwQzGTZm7xv1U8KYjJGEzxBfMIoWejIkGWRa9Aph\nl7/tMrafeEAKdu0gZtjOtvEY4u4gYxb9cpv/fEYO68gviw8lGtGEVBTZ+0zDOW+p\nFt9b2tCrkJge6e+KO/2GF50+Ygd+8AwAI+i6uB57Qip/FrpRouIxkpNEIw8Dq5Al\ndLGe0jDtM8bDo8q/WvGLFpKH5YCiQ70YvMB002RduEpIS7mkZ4fLWL7D3N9vPpxD\nHsOEIGul8AJ4HlTxINiMDdylMva5u2s+uLbNL44qwtbCHFRhcdFmuZPvG3wPAN88\n6Wzuu4VmOlZ68nRkBqM5eorOJgNnNyXN1UCWl2c9mtlJE1KYWDENFdVBLUraapsn\nG2xt5/Bj3vJlAcaqJ4lZYsijb7tB8lZ4GHGtkexCiJ45ZtQjSV1WvEFJ2V3E1+N8\nI9C4LlgL9bEGFiRc7fRM969fwkTygefZ/qcW9aSWaAs7M8il+vpR0dUeqQEt6tmh\nK8Y3Odh/DP3KvpgDFiTRAiEAl4Rfrxp18IHae86c0PZLuhhA2oVn3e6cpBBeUYxQ\nXKECggGAXm/Fojk78HD/cu8UolJjAg3xAWWudi0jZVh1n/sQwnkSpdMgWPPg1PiU\nJhVm+SBH8MvNCjPbgRYOJ35oUnioKaOVH5r4nc5PG2fhGtECzjlZeg/6M64QxSnB\nAyOVkPRSjkN0wRK/ADT1khrUSRZrtG+uPY+jR15AauOxF/BngnO/ctKca6ytLdS3\nL2FYHH1IKWQ7/vJeBcB6SBV7gMhzPlyA5xrgCsb2n0HTqV36XafhuFZ4DNQXNHfV\n4TQV+GR5zC53tUytvp7eU6gKXKSfj2o9/0aMURm+fPQ+wxZtfwnaXp6x858ePpjL\n2Ou9j1PSAvNtphh3b5RtdwdEvHES8v+Pc/sReb2ZvzrJLRPrrXEdrqIGGkih+fo9\nDAb+IyAldqd+Nh5SsV1dhmdp/HKJSm0WXj+2oryfOs0GoaFomzQW46OcVNygW4o4\npkvrLiTIU6dSkXcuJB6RvwrYXBx/sfsiprPo5PvLrmrFuda6A88EFNQKCpiWqIHo\nWUYlitAqA4IBhQACggGAHb+vaXjvm998xTi6mExsfY5lzUR2mQAqvF1w1ZawAC5e\nmJip3ud2ExkvdfjbOtybZZmvDuXRUH01Ho49IYhKjS/3XEWAJF6QymFIwasPpDId\nV+82okoDT1iNvvWqkY3uIth3w7Ylw4zzDXbY/Y6RCl/aLD++Uec8MNJ9X77esr02\nvMsatdX01WHfI9tU/0w72K8s1MXFXtbHAnrliAH++gSqrmzVyLriBisavCNZXkVd\ne8vbb/WWT90mTq1okc4oWNpSIZjPvj16j1I4jkxXTYlf9Gcipo18gzSe+W2aR9sz\nLS8Dnxo4lcKSR/aCRPYu0qeH5G9ssUDFUXFtlQteAL8E/2/tKW8tELdce+p8z1gG\nKKDpqQE1+/PAY6ukiEXRreL7B7k6eBINAcRr4r3FypqkHE0LtWGJ1HB2C1v3rXQ3\nCWDjS2YQtvmD6X6bXGwiMvsqP4Je0yg4qFC1yvXbtRERSEKDKikPvdRIoNdAbTdp\nJ7MvvTUFkXRXNFZcKoX4o3wwejAdBgNVHQ4EFgQUPjzDaJ65Y9W4hFKXch+nReKG\nGCgwHwYDVR0jBBgwFoAUI+scGq71JtxD934SPIbFvIKDfjQwCwYDVR0PBAQDAgeA\nMB
MGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0gAMEUCIQDMdRVPBV/SpHnu82CEc9xfa9llHA8E/q5hBuuNNwea\nEQIgewumh3lpJsksuBCCj2PIZmRPErNB3nebx7Nl0ruLopU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGHjCCBcWgAwIBAgIUVC0zeJce4elNzGkpESuBDw0aclAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCBMYwggM5Bgcq\nhkjOOAQBMIIDLAKCAYEAoy1blQvJf6VryFMBIQzyZGRD+sEens5QAZMw/yw5+imL\nH5YDSCAOVo4hnfiUikD9kjbTl/AMLZkfGOpjU5Ud5R4BMhwH+HbUQLciatiUtTJR\nPd19DZ2yNPK7+nvHsXjgsEuJYkWfAg2ZU66ax0G+Rb3Bkj1oR5XhgEyAvHUahUyJ\ngfgJ5eXVgDIsBMOpZcoo8qJmGAKKT+O0qOmOJZr46GS/6jgdLzrhnOOhBP/wfUFN\nhAEuNNSq+yprRBFduzpZejKfT/WgIaGoPnGUa7cQ4sft0Fpap8X/2DWnXfAIg0p6\nxV4ZN96Mk0SvnBFIidm9NZADOkC7h0b7i7bm9q/QzTsg1QjOa51udFR5Rfoa0Xje\nRb0MtV50TnJrKSZ8Iu5+ub3/K87Ab2s8G6liZuFcQUhaSvOJdpE2vwa5pvCkefda\n4IV2MOIilXoazRPaHMAEOH1MvSa5yrKsUWfpX5gl/OsUZKZob6TfS2YX3i0tXOHG\nQJXjR1GyCMCtGTAYAs5PAiEA+2W9IjJSVWYQ4uK8v2YoiXdHf9S7z8893mA97dmR\nYpECggGAAvGIr3yf4fBLBKBzIBrKc/MkJmCNVKw+7GdOS1+BoBFWcDGFw4NNBXBg\nn9fqPLf3I4GX1TBSoeWbvpy6FR7k2EZu62Dkxtkgv/jGxdpY3zrTGP+pfCvkNih7\n4SMabYn5zbLU3Ny84YUnZGNqGDgANR8+yihtH85xQLg+1BDGE8f4q1zvPwCvmqek\nZqotAs9dpyiTFcB9KgYBIM7BV+ynJTMILGaT+exSyDqYa9RxnTA3tWzp57CuQ2YM\nKkh+Mc2r4mJeSVA7/QaHLsKmTyfT2s0d3hH+6jqNUHt3eQxfEu09jSFxVOBlczWu\nkFq8p6mv6101AzHuT0E03snSTg+3tNFQ0a8V4tVx5mPb/ksoswGmEFfmve87+nPB\n4WdENVvlCwUjOC6tNCKs3FKKX8Hq/bTep+lKm04UvbTtM9xEyc95KoODDBVi+VvB\nVaSVRnAOXU94KVsLT2Zd9CaByvWgOqEawfcl2TWOQo166SbSvFXXBcYN6CEG9Dzq\nTUIyVQUbA4IBhQACggGAFfGy1yUL4J3akTd705sA0QMCQ580h9kX7z6NlVYTvgFI\n/zoZxs2sDpt/09cWfdJbjSA9MxoXhH4drb+gJBBI4bdYyleMjH9t8dl0nIelVDTe\nbllLKivRfsoVjPUCC2YoKQOYHcx0fRZlzntgxB/Kh3z3EnQ4S8YVniFEQiEY6BgS\nP1SvhV5X6+dDGZucgr15aFmzqvbOHzaR5/nryExN0Gk8TFVrlIqTLUxAzE22wVFt\nR5vaFsNT+fCI4CBsFi8tpH6T/6ZUXAGBgMc3maaINQEtu8QrLU/mf7Qk5Apn9hob\n1g3zt6u0ZhvcuOptB8iu2OQFZGGf2SHVYDqZigfGy5oiID4ztDff7sWoaaYsvAC1\nxoTII8yt8nnpxXDrvEYWAY
iAmyDuGu28v3DGPVTfAuPngCpOw+PXs8q7edh6+eRM\nNb7gYNkvseYDx9jcP51Ki3rkKJa7NZaOa7WMl1D+3xGcGH9EdaFfYr8uDgZM0QjT\nrvRtiOPyK03gX34HKgCEo3wwejAdBgNVHQ4EFgQUuiAtCsosA1FbPLancxrYsdnq\nxAMwHwYDVR0jBBgwFoAUveUdXshTNoTZlMUljnzQH77j+OgwCwYDVR0PBAQDAgeA\nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoG\nCCqGSM49BAMCA0cAMEQCICoDcCXVhxJXpfdwEgSK9q2aY4zsK/Z3+pFOL42Ya2yl\nAiABOlMVtx/iONZTwsRHDgscF8RsIUJRf9SV+QH8fciG7A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2430,10 +2502,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert is marked with\nversion 2 (ordinal 1) rather than version 3 (ordinal 2). This is invalid,\nper CA/B 7.1.1:\n\n> Certificates MUST be of type X.509 v3.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUKxktKj7aUmNAmddvarwhFaS0HYIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/xMKiCC5t6uhTfkY42i3UD2QYgKJTdUIV//4h\nHH8n0A8VLAMqgX0/KnLm0/EZXuyF9NI/C97YKVvALdSunP0Qo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCMnAOQiF1JG6fg9JetjRGGyIYQ4wCgYIKoZIzj0EAwIDRwAwRAIg\nGr0OSHI+a9SoC+ehqhn+jQUWnNJl8JwZieobpgdWDXECICmitKYduzdCQQYbkdXp\nuyruwkK0qCVvg3U/WEDtCOdV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIh2tLgNo71ECYrjoclXBiiJSzUMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASHEfilvxWtFGztev6OF5GJVI1ayPRAlkksD9LJ\nBBAFjxD0llP/V5iQj50F++qDilyAVZCKwiRSZTZhWpdx7V3so1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUPUZGbyML1xDFpeY7TH67QmiVJWAwCgYIKoZIzj0EAwIDSAAwRQIh\nALhrbtt3HmJM2KKTWno/4L0yMaSmH5sqMvjgbTrkMnWrAiBDiOrUgkAdoPsqMFjb\nQQT+12eN6dVFA3+jS+Vt/gq5wA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBKzCB0wIUC7bki7STzvRbsePpQbrfM/KPvE8wCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAz\nMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABI81rjiTeRBN0nYlZxLiZvNU5S9hQRPCzExUIWNuN+em0xDJIMxh\nw66DkbudPNGFycOKXhMgxVoe0aohL2emPwAwCgYIKoZIzj0EAwIDRwAwRAIgPody\n+3fGDNbbj6ed2kwBbcLdlQ/yMaqnuwC2Zu+MfQICIAspWmZSIewPXJMPlOi98Sbk\nCAj46CAGoZVH4XhjXfUu\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBLDCB0wIUPF2VEMRhNGc0lAw7ryPuhTx2bscwCgYIKoZIzj0EAwIwGjEYMBYG\nA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5NjkwNTAz\nMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABGi9poWD3yXddIIhgprX+aluXjKA30jzbA9NiVALcdMvNUvAiZYu\nPACGHPQ7syol1eDzHQJbzYeLBTPy0TEJq18wCgYIKoZIzj0EAwIDSAAwRQIgFBWb\nFD1YyagSENJ65FmcHHK6KOJkss+8J4CD6lpVAAoCIQDFpt8fNc721oQYH/dDNa99\n63UoUB/VBK8sTzBBMqL4rQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2454,10 +2526,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is correctly constructed, but the EE cert contains an\nExtended Key Usage extension that contains `anyExtendedKeyUsage`,\nwhich is explicitly forbidden under CA/B 7.1.2.7.10.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUdvAnZTvC2yOxqfS9kR27SKJdx1wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQdqczaA4E3/q1p4dxO0ribrrsbxQqYMWxAYyp+\nrHngwLw/64uFUdSxTC5POoHX/zJAbJZ6HwNSnazGWEls8DzFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUaPXLltDECeK8lDuHLknTpt8FtAswCgYIKoZIzj0EAwIDSAAwRQIh\nAJmwqbx6b4MIdoTFADsSF7EQWMIKnHErATR5+1D892dKAiAPjF+OiHpqjfcw2CpL\nl+rGVYpwbnC+CpVm3ZURB7mhBw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGAfVEcCGpTOhlSrutSwSodUXsCIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT58hBT7t2AwTs3tep72IFXhJAZCdugF0goqJJ+\nbp81L1ZwawIAH71eE3so1NHiGokr000Qqv37kbCyBR4LWH/7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdpNsbXsnFGgDyG9SgB4eEPX621YwCgYIKoZIzj0EAwIDSAAwRQIh\nAPVqiwLD5wb/QC0v8bX6M2h3zl/4RrlViKDVLyKND9oDAiAe85br7AYB0qcmLlsZ\n92a14efTxdPD6ICrdDfcErpC1g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUA3ZbGcmH5lrY8TLrCi3BjCLfyeowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABL1+/LrRmqfxYJ3nsGJwufcO5A2cG/X6PC+KzMPL+lxT\nJX4AVZAaFONDfYz3WqZeRSLjITeYUF0++KfqgwRk4KmjgYMwgYAwHQYDVR0OBBYE\nFIgQ8RgLYUCWEIMBBXsDlP69uJdyMB8GA1UdIwQYMBaAFGj1y5bQxAnivJQ7hy5J\n06bfBbQLMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAp5Q5s995R\nM2qlg9Fh6dcAESWQUiYGgH+8NkQE92Ez6AIhAOpnion3Rpklv4BKYG8KaVUZIhaU\nKzFu5PXAriLOuI+M\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUcw1XrKam3dv/7KF7rcS8PwyNeYQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG+V8s75vmL0GjA+rEQXjwuexZVmwcGZpib5pDRisFwQ\nS/lAVzI+wW+36JUvGFTUpp/af1eHJ0JTvXPk0lyeO7CjgYMwgYAwHQYDVR0OBBYE\nFArBoHkZu5tZRTSg1GGwYH897Q95MB8GA1UdIwQYMBaAFHaTbG17JxRoA8hvUoAe\nHhD1+ttWMAsGA1UdDwQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAQYEVR0lADAW\nBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAg8D2YleV\nSmqBIXwgw8w5U1v3t4b36BpaION46QcvcpsCIBezAROMPgMjXWvlcDAGGhq+/kdY\nu/OuZCBc9jfYuG8f\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, 
@@ -2478,10 +2550,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE certificate has `keyUsage.keyCertSign=FALSE` but\n`basicConstraints.cA=TRUE`, which is explicitly forbidden under\nCA/B 7.1.2.7.8:\n\n> cA MUST be FALSE", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWPHFkvgkeZu6dRlD0CgHypPEbLgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR75Pem6PEXfuUP2VqhevdiOEOMM647ZBa3/j6G\nvmsJj7oLRQVUu7MsVlQD3urJNHcwzRhwiJ5oUjRVQwm5r695o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU3dSDyvU3XoMTGMmCaybfvd/TiEYwCgYIKoZIzj0EAwIDSAAwRQIh\nAJMQIBI3+vRbIm7YhiFSY2/HREHcAF5izlXRV30EQPhEAiBMO+QX2hDJ36eTqcCi\nQF/rc/9jhDXCK9HI9L5rsIXtNA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIURG01wSoUN9mdP4233CxTj78fqTgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASQNux6gGP/J2nfuXRTm1RLFsoSNPnabwa72Q5L\nTW4uNXiCudTU+Kdyo230RYlFXqCTotjTJfn7x8ja/WOZ5WDgo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5i4KkJArfva4ujr59CXugGHGAHUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMHumuM5JQRJobmZlvl+laLhebtxYyqkyQY3DSYowNp7AiEA9bhzI5Pk+PPfMNE2\nX5faO9QeOVqjgyW1vCxO0M3/hoY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUdfCOTkcgeoRcdBaftPFKKgEWC08wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABBFbXy5NLtdtHuxrc2TIv8bANetoh/zR4ZQArmfR+GTv\nHNno7QY+r/HIbXx2nTduP0oIAcx5JQcrjrEsToCJRsWjgY4wgYswHQYDVR0OBBYE\nFA6FQcHSM4ZPCs7fnclCR62twAQGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU3dSDyvU3XoMTGMmCaybfvd/TiEYwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIB0zhxF9wSWWqE7u3Q4qFroeNh6ZORW6Uj3z/G3gjzxuAiAUvqHe0qNmZiun\nH6ef743XIF8KGyeX437tEjbB7vIR5A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIUdZAzcwUDbAmuml9YqbMbrp9gPKYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5\nNjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49\nAgEGCCqGSM49AwEHA0IABG2HwUtkhuWmp5oCEZiNCBrC2MvpWRZrich6UcX+j9I7\nCWt7BgLDlZD8KfM+9Bbus5j7VCS/qjFej1OcBMp70+2jgY4wgYswHQYDVR0OBBYE\nFEFVad2/8t6RI6NhOh/jNiyG3KZvMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw\nFoAU5i4KkJArfva4ujr59CXugGHGAHUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gA\nMEUCIQCeEsN0yDb7K60ciwG3YZ8df6LduTyT9An7BptsIi3pGAIgYlmLdjm3SNHJ\n+h/xPSUZfhVsT+KiaxntYm4fUEPiWqw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, diff --git a/limbo/testcases/rfc5280/__init__.py b/limbo/testcases/rfc5280/__init__.py index 9094cff1..81efc6cc 100644 --- a/limbo/testcases/rfc5280/__init__.py +++ b/limbo/testcases/rfc5280/__init__.py 
@@ -6,13 +6,16 @@ from datetime import datetime from cryptography import x509 -from cryptography.hazmat.primitives.asymmetric import ec from limbo.assets import ASSETS_PATH, Certificate, ext from limbo.models import Feature, KnownEKUs, PeerName from limbo.testcases._core import Builder, testcase +from .aki import * # noqa: F403 from .nc import * # noqa: F403 +from .san import * # noqa: F403 +from .ski import * # noqa: F403 +from .validity import * # noqa: F403 @testcase 
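Review bot: The four added `from .<module> import *` lines re-export every public name of the new modules, not only the testcases, because none of `aki.py`, `san.py`, `ski.py` or `validity.py` defines `__all__`. That includes helper imports such as `ec`, `x509` and `datetime`, so the `ec` import removed in this same hunk is still bound here through `from .aki import *`, and a leftover use of it further down would keep working by accident while `# noqa: F403` hides it from the linter. If `@testcase` registers the function when it is decorated (not visible in this diff), importing the modules for their side effect is enough: `from . import aki, san, ski, validity  # noqa: F401`. Otherwise, give each new module an `__all__` that lists only its testcases.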
@@ -144,195 +147,6 @@ def unknown_critical_extension_intermediate(builder: Builder) -> None: ) -@testcase -def critical_aki(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The root cert has an AKI extension marked as critical, which is disallowed - under the [RFC 5280 profile]: - - > Conforming CAs MUST mark this extension as non-critical. - - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 - """ - key = ec.generate_private_key(ec.SECP256R1()) - root = builder.root_ca( - key=key, - aki=ext( - x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=True - ), - ) - leaf = builder.leaf_cert(root) - - builder = builder.server_validation() - builder = builder.trusted_certs(root).peer_certificate(leaf).fails() - - -@testcase -def self_signed_root_missing_aki(builder: Builder) -> None: - """ - Produces the following **valid** chain: - - ``` - root -> EE - ``` - - The root cert is missing the AKI extension, which is ordinarily forbidden - under the [RFC 5280 profile] **unless** the certificate is self-signed, - which this root is: - - > The keyIdentifier field of the authorityKeyIdentifier extension MUST - > be included in all certificates generated by conforming CAs to - > facilitate certification path construction. There is one exception; - > where a CA distributes its public key in the form of a "self-signed" - > certificate, the authority key identifier MAY be omitted. 
- - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 - """ - root = builder.root_ca(aki=None) - leaf = builder.leaf_cert(root) - - builder = builder.server_validation() - builder = builder.trusted_certs(root).peer_certificate(leaf).succeeds() - - -@testcase -def cross_signed_root_missing_aki(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The root is cross signed by another root but missing the AKI extension, - which is ambiguous but potentially disallowed under the [RFC 5280 profile]. - - > The keyIdentifier field of the authorityKeyIdentifier extension MUST - > be included in all certificates generated by conforming CAs to - > facilitate certification path construction. - - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 - """ - xsigner_root = builder.root_ca() - root = builder.intermediate_ca(xsigner_root, pathlen=0, aki=None) - leaf = builder.leaf_cert(root) - - builder = builder.server_validation().features([Feature.pedantic_rfc5280]) - builder.trusted_certs(root).peer_certificate(leaf).fails() - - -@testcase -def intermediate_missing_aki(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> intermediate -> EE - ``` - - The intermediate is signed by the root but missing the AKI extension, which - is forbidden under the [RFC 5280 profile]. - - > The keyIdentifier field of the authorityKeyIdentifier extension MUST - > be included in all certificates generated by conforming CAs to - > facilitate certification path construction. 
- - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 - """ - root = builder.root_ca() - intermediate = builder.intermediate_ca(root, pathlen=0, aki=None) - leaf = builder.leaf_cert(intermediate) - - builder = builder.server_validation() - builder.trusted_certs(root).untrusted_intermediates(intermediate).peer_certificate(leaf).fails() - - -@testcase -def leaf_missing_aki(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The EE cert is signed by the root but missing the AKI extension, which is - forbidden under the [RFC 5280 profile]. - - > The keyIdentifier field of the authorityKeyIdentifier extension MUST - > be included in all certificates generated by conforming CAs to - > facilitate certification path construction. - - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 - """ - root = builder.root_ca() - leaf = builder.leaf_cert(root, aki=None) - - builder = builder.server_validation() - builder.trusted_certs(root).peer_certificate(leaf).fails() - - -@testcase -def critical_ski(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The root cert has an SKI extension marked as critical, which is disallowed - under the [RFC 5280 profile]. - - > Conforming CAs MUST mark this extension as non-critical. 
- - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 - """ - key = ec.generate_private_key(ec.SECP256R1()) - root = builder.root_ca( - ski=ext(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=True), - ) - leaf = builder.leaf_cert(root) - - builder = builder.server_validation() - builder = builder.trusted_certs(root).peer_certificate(leaf).fails() - - -@testcase -def missing_ski(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The root cert is missing the SKI extension, which is disallowed under the - [RFC 5280 profile]. - - > To facilitate certification path construction, this extension MUST - > appear in all conforming CA certificates, that is, all certificates - > including the basic constraints extension (Section 4.2.1.9) where the - > value of cA is TRUE. - - Note: for roots, the SKI should be the same value as the AKI, therefore, - this extension isn't strictly necessary, although required by the RFC. - - [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 - """ - root = builder.root_ca(ski=None) - leaf = builder.leaf_cert(root) - - builder = builder.server_validation() - builder = builder.trusted_certs(root).peer_certificate(leaf).fails() - - @testcase def chain_untrusted_root(builder: Builder) -> None: """ 
@@ -657,32 +471,6 @@ def ee_critical_aia_invalid(builder: Builder) -> None: ).fails() -@testcase -def san_noncritical_with_empty_subject(builder: Builder) -> None: - """ - Produces an **invalid** chain due to an invalid EE cert. - - The EE cert contains a non-critical Subject Alternative Name extension, - which is disallowed when the cert's Subject is empty under - RFC 5280: - - > If the subject field contains an empty sequence, then the issuing CA MUST - > include a subjectAltName extension that is marked as critical. - """ - - root = builder.root_ca() - leaf = builder.leaf_cert( - root, - subject=x509.Name([]), - san=ext(x509.SubjectAlternativeName([x509.DNSName("example.com")]), critical=False), - ) - - builder = builder.server_validation() - builder.trusted_certs(root).peer_certificate(leaf).expected_peer_name( - PeerName(kind="DNS", value="example.com") - ).fails() - - @testcase def serial_number_too_long(builder: Builder) -> None: """ @@ -887,26 +675,3 @@ def mismatching_signature_algorithm(builder: Builder) -> None: .untrusted_intermediates(*chain) .expected_peer_name(PeerName(kind="DNS", value="cryptography.io")) ).fails() - - -@testcase -def malformed_subject_alternative_name(builder: Builder) -> None: - """ - Produces the following **invalid** chain: - - ``` - root -> EE - ``` - - The EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather - than in the expected DER encoding. - """ - root = builder.root_ca() - malformed_san = ext( - x509.UnrecognizedExtension(x509.OID_SUBJECT_ALTERNATIVE_NAME, b"example.com"), - critical=False, - ) - leaf = builder.leaf_cert(root, san=None, extra_extension=malformed_san) - - builder = builder.server_validation() - builder = builder.trusted_certs(root).peer_certificate(leaf).fails() diff --git a/limbo/testcases/rfc5280/aki.py b/limbo/testcases/rfc5280/aki.py new file mode 100644 index 00000000..6b8a1cc6 --- /dev/null +++ b/limbo/testcases/rfc5280/aki.py 
@@ -0,0 +1,143 @@
+"""
+RFC 5280 Authority Key Identifier (AKI) testcases.
+"""
+
+from cryptography import x509
+from cryptography.hazmat.primitives.asymmetric import ec
+
+from limbo.models import Feature
+from limbo.testcases._core import Builder, ext, testcase
+
+
+@testcase
+def critical_aki(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The root cert has an AKI extension marked as critical, which is disallowed
+ under the [RFC 5280 profile]:
+
+ > Conforming CAs MUST mark this extension as non-critical.
+
+ [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+ """
+ key = ec.generate_private_key(ec.SECP256R1())
+ root = builder.root_ca(
+ key=key,
+ aki=ext(
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=True
+ ),
+ )
+ leaf = builder.leaf_cert(root)
+
+ builder = builder.server_validation()
+ builder = builder.trusted_certs(root).peer_certificate(leaf).fails()
+
+
+@testcase
+def leaf_missing_aki(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The EE cert is signed by the root but missing the AKI extension, which is
+ forbidden under the [RFC 5280 profile].
+
+ > The keyIdentifier field of the authorityKeyIdentifier extension MUST
+ > be included in all certificates generated by conforming CAs to
+ > facilitate certification path construction.
+
+ [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+ """
+ root = builder.root_ca()
+ leaf = builder.leaf_cert(root, aki=None)
+
+ builder = builder.server_validation()
+ builder.trusted_certs(root).peer_certificate(leaf).fails()
+
+
+@testcase
+def intermediate_missing_aki(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> intermediate -> EE
+ ```
+
+ The intermediate is signed by the root but missing the AKI extension, which
+ is forbidden under the [RFC 5280 profile].
+
+ > The keyIdentifier field of the authorityKeyIdentifier extension MUST
+ > be included in all certificates generated by conforming CAs to
+ > facilitate certification path construction.
+
+ [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+ """
+ root = builder.root_ca()
+ intermediate = builder.intermediate_ca(root, pathlen=0, aki=None)
+ leaf = builder.leaf_cert(intermediate)
+
+ builder = builder.server_validation()
+ builder.trusted_certs(root).untrusted_intermediates(intermediate).peer_certificate(leaf).fails()
+
+
+@testcase
+def self_signed_root_missing_aki(builder: Builder) -> None:
+ """
+ Produces the following **valid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The root cert is missing the AKI extension, which is ordinarily forbidden
+ under the [RFC 5280 profile] **unless** the certificate is self-signed,
+ which this root is:
+
+ > The keyIdentifier field of the authorityKeyIdentifier extension MUST
+ > be included in all certificates generated by conforming CAs to
+ > facilitate certification path construction. There is one exception;
+ > where a CA distributes its public key in the form of a "self-signed"
+ > certificate, the authority key identifier MAY be omitted.
+ + [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 + """ + root = builder.root_ca(aki=None) + leaf = builder.leaf_cert(root) + + builder = builder.server_validation() + builder = builder.trusted_certs(root).peer_certificate(leaf).succeeds() + + +@testcase +def cross_signed_root_missing_aki(builder: Builder) -> None: + """ + Produces the following **invalid** chain: + + ``` + root -> EE + ``` + + The root is cross signed by another root but missing the AKI extension, + which is ambiguous but potentially disallowed under the [RFC 5280 profile]. + + > The keyIdentifier field of the authorityKeyIdentifier extension MUST + > be included in all certificates generated by conforming CAs to + > facilitate certification path construction. + + [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 + """ + xsigner_root = builder.root_ca() + root = builder.intermediate_ca(xsigner_root, pathlen=0, aki=None) + leaf = builder.leaf_cert(root) + + builder = builder.server_validation().features([Feature.pedantic_rfc5280]) + builder.trusted_certs(root).peer_certificate(leaf).fails() diff --git a/limbo/testcases/rfc5280/nc.py b/limbo/testcases/rfc5280/nc.py index d09abd2d..0ed9eb2c 100644 --- a/limbo/testcases/rfc5280/nc.py +++ b/limbo/testcases/rfc5280/nc.py @@ -1,5 +1,5 @@ """ -RFC 5280 Name Constraints (nc) testcases. +RFC 5280 Name Constraints (NC) testcases. """ from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network diff --git a/limbo/testcases/rfc5280/san.py b/limbo/testcases/rfc5280/san.py new file mode 100644 index 00000000..d684ed4a --- /dev/null +++ b/limbo/testcases/rfc5280/san.py 
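Review bot: `aki.py` imports `ext` from `limbo.testcases._core`, while `san.py` in this commit and the package `__init__.py` import it from `limbo.assets`; `ski.py` does the same as `aki.py`. The import only resolves if `_core` happens to bind `ext` at module level, which this diff does not show, so it would break as soon as `_core` stops importing it. Import the helper from the module the rest of the package uses: `from limbo.assets import ext` and `from limbo.testcases._core import Builder, testcase`.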
@@ -0,0 +1,59 @@
+"""
+RFC 5280 Subject Alternative Name (SAN) testcases.
+"""
+
+
+from cryptography import x509
+
+from limbo.assets import ext
+from limbo.models import PeerName
+from limbo.testcases._core import Builder, testcase
+
+
+@testcase
+def malformed(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The EE cert has a SubjectAlternativeName with a value in ASCII bytes, rather
+ than in the expected DER encoding.
+ """
+ root = builder.root_ca()
+ malformed_san = ext(
+ x509.UnrecognizedExtension(x509.OID_SUBJECT_ALTERNATIVE_NAME, b"example.com"),
+ critical=False,
+ )
+ leaf = builder.leaf_cert(root, san=None, extra_extension=malformed_san)
+
+ builder = builder.server_validation()
+ builder = builder.trusted_certs(root).peer_certificate(leaf).fails()
+
+
+@testcase
+def noncritical_with_empty_subject(builder: Builder) -> None:
+ """
+ Produces an **invalid** chain due to an invalid EE cert.
+
+ The EE cert contains a non-critical Subject Alternative Name extension,
+ which is disallowed when the cert's Subject is empty under
+ RFC 5280:
+
+ > If the subject field contains an empty sequence, then the issuing CA MUST
+ > include a subjectAltName extension that is marked as critical.
+ """
+
+ root = builder.root_ca()
+ leaf = builder.leaf_cert(
+ root,
+ subject=x509.Name([]),
+ san=ext(x509.SubjectAlternativeName([x509.DNSName("example.com")]), critical=False),
+ )
+
+ builder = builder.server_validation()
+ builder.trusted_certs(root).peer_certificate(leaf).expected_peer_name(
+ PeerName(kind="DNS", value="example.com")
+ ).fails()
diff --git a/limbo/testcases/rfc5280/ski.py b/limbo/testcases/rfc5280/ski.py
new file mode 100644
index 00000000..5f878004
--- /dev/null
+++ b/limbo/testcases/rfc5280/ski.py
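Review bot: The two testcases lose the extension name in the move (`malformed`, `noncritical_with_empty_subject`, previously `malformed_subject_alternative_name` and `san_noncritical_with_empty_subject`), whereas `aki.py` and `ski.py` keep it (`critical_aki`, `missing_ski`), so the new modules follow two naming conventions. Because `__init__.py` pulls these in with `from .san import *`, a bare `malformed` lands in the `rfc5280` package namespace, where a later module defining the same name would shadow it without any warning. If testcase identifiers are derived from the function name (not visible here), the rename also changes the identifiers that recorded results refer to. Pick one convention for all four modules and state it in the module docstring.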
@@ -0,0 +1,63 @@
+"""
+RFC 5280 Subject Key Identifier (SKI) testcases.
+"""
+
+from cryptography import x509
+from cryptography.hazmat.primitives.asymmetric import ec
+
+from limbo.testcases._core import Builder, ext, testcase
+
+
+@testcase
+def critical_ski(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The root cert has an SKI extension marked as critical, which is disallowed
+ under the [RFC 5280 profile].
+
+ > Conforming CAs MUST mark this extension as non-critical.
+
+ [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2
+ """
+ key = ec.generate_private_key(ec.SECP256R1())
+ root = builder.root_ca(
+ ski=ext(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=True),
+ )
+ leaf = builder.leaf_cert(root)
+
+ builder = builder.server_validation()
+ builder = builder.trusted_certs(root).peer_certificate(leaf).fails()
+
+
+@testcase
+def missing_ski(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> EE
+ ```
+
+ The root cert is missing the SKI extension, which is disallowed under the
+ [RFC 5280 profile].
+
+ > To facilitate certification path construction, this extension MUST
+ > appear in all conforming CA certificates, that is, all certificates
+ > including the basic constraints extension (Section 4.2.1.9) where the
+ > value of cA is TRUE.
+
+ Note: for roots, the SKI should be the same value as the AKI, therefore,
+ this extension isn't strictly necessary, although required by the RFC.
+
+ [RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2
+ """
+ root = builder.root_ca(ski=None)
+ leaf = builder.leaf_cert(root)
+
+ builder = builder.server_validation()
+ builder = builder.trusted_certs(root).peer_certificate(leaf).fails()
diff --git a/limbo/testcases/rfc5280/validity.py b/limbo/testcases/rfc5280/validity.py
new file mode 100644
index 00000000..5973eeac
--- /dev/null
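Review bot: In `critical_ski` the generated `key` is only used to compute the SKI value and is never passed to `builder.root_ca`, unlike `critical_aki`, which passes `key=key`. If `root_ca` creates its own key when none is given (its body is not in this diff), the root carries a Subject Key Identifier that does not correspond to its own public key, and a validator may reject the chain over the identifier mismatch rather than over the critical flag the case is meant to test. Passing the key keeps the case to a single defect: `root = builder.root_ca(key=key, ski=ext(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=True))`.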
+++ b/limbo/testcases/rfc5280/validity.py 
@@ -0,0 +1,143 @@
+"""
+RFC 5280 validity testcases.
+"""
+
+
+from datetime import datetime
+
+from limbo.testcases._core import Builder, testcase
+
+
+@testcase
+def expired_root(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> intermediate -> EE
+ ```
+
+ All three certificates are well-formed, but the root
+ (and only the root) is expired at the validation time.
+ """
+
+ # Root is valid from 2016 to 2020.
+ root = builder.root_ca(
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2020-01-01T00:00:00Z"),
+ )
+
+ # Intermediate is valid from 2016 to 2026.
+ intermediate = builder.intermediate_ca(
+ root,
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2026-01-01T00:00:00Z"),
+ )
+
+ # Leaf is valid from 2018 to 2023.
+ leaf = builder.leaf_cert(
+ intermediate,
+ not_before=datetime.fromisoformat("2018-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2023-01-01T00:00:00Z"),
+ )
+
+ builder = (
+ builder.server_validation()
+ .trusted_certs(root)
+ .untrusted_intermediates(intermediate)
+ .peer_certificate(leaf)
+ # We validate in 2022, which is valid for the intermediate and leaf
+ # but not the root.
+ .validation_time(datetime.fromisoformat("2022-01-01T00:00:00Z"))
+ .fails()
+ )
+
+
+@testcase
+def expired_intermediate(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> intermediate -> EE
+ ```
+
+ All three certificates are well-formed, but the intermediate
+ (and only the intermediate) is expired at the validation time.
+ """
+
+ # Root is valid from 2016 to 2026.
+ root = builder.root_ca(
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2026-01-01T00:00:00Z"),
+ )
+
+ # Intermediate is valid from 2016 to 2020.
+ intermediate = builder.intermediate_ca(
+ root,
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2020-01-01T00:00:00Z"),
+ )
+
+ # Leaf is valid from 2018 to 2023.
+ leaf = builder.leaf_cert(
+ intermediate,
+ not_before=datetime.fromisoformat("2018-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2023-01-01T00:00:00Z"),
+ )
+
+ builder = (
+ builder.server_validation()
+ .trusted_certs(root)
+ .untrusted_intermediates(intermediate)
+ .peer_certificate(leaf)
+ # We validate in 2022, which is valid for the root and leaf
+ # but not the intermediate.
+ .validation_time(datetime.fromisoformat("2022-01-01T00:00:00Z"))
+ .fails()
+ )
+
+
+@testcase
+def expired_leaf(builder: Builder) -> None:
+ """
+ Produces the following **invalid** chain:
+
+ ```
+ root -> intermediate -> EE
+ ```
+
+ All three certificates are well-formed, but the leaf
+ (and only the leaf) is expired at the validation time.
+ """
+
+ # Root is valid from 2016 to 2026.
+ root = builder.root_ca(
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2026-01-01T00:00:00Z"),
+ )
+
+ # Intermediate is valid from 2016 to 2026.
+ intermediate = builder.intermediate_ca(
+ root,
+ not_before=datetime.fromisoformat("2016-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2026-01-01T00:00:00Z"),
+ )
+
+ # Leaf is valid from 2018 to 2021.
+ leaf = builder.leaf_cert(
+ intermediate,
+ not_before=datetime.fromisoformat("2018-01-01T00:00:00Z"),
+ not_after=datetime.fromisoformat("2021-01-01T00:00:00Z"),
+ )
+
+ builder = (
+ builder.server_validation()
+ .trusted_certs(root)
+ .untrusted_intermediates(intermediate)
+ .peer_certificate(leaf)
+ # We validate in 2022, which is valid for the root and intermediate
+ # but not the leaf.
+ .validation_time(datetime.fromisoformat("2022-01-01T00:00:00Z"))
+ .fails()
+ )
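Review bot: All three cases put the validation time after a `not_after`; none puts it before a `not_before`, so a validator that checks only the expiry side of the validity period passes this whole module. A not-yet-valid counterpart for the leaf, intermediate and root, built the same way with `validation_time` earlier than the certificate's `not_before`, would cover the other half. Separately, `datetime.fromisoformat("2016-01-01T00:00:00Z")` accepts the trailing `Z` only on Python 3.11 and later; if the project supports older interpreters (not visible here), write the offset as `+00:00`. The date pairs are repeated in every case and could be module-level constants.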