From e5e9cc633794d12a163957731cf3f0f8e1fede20 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 13:07:39 -0400 Subject: [PATCH] RFC5280: add serial number cases (#60) * RFC5280: add serial number cases These are marked with a "pedantic" feature flag, since many implementations choose not to enforce them. Signed-off-by: William Woodruff * fix import Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- harness/gocryptox509/main.go | 4 +- limbo-schema.json | 3 +- limbo.json | 384 ++++++++++++++++++++--------------- limbo/models.py | 5 + limbo/testcases/_core.py | 3 +- limbo/testcases/rfc5280.py | 42 +++- 6 files changed, 264 insertions(+), 177 deletions(-) diff --git a/harness/gocryptox509/main.go b/harness/gocryptox509/main.go index 7e785a87..4911e0d8 100644 --- a/harness/gocryptox509/main.go +++ b/harness/gocryptox509/main.go @@ -75,7 +75,7 @@ func main() { var context string switch r { case testcaseFailed: - fmt.Printf("%s\nerr=%+#v\n", tc.Description, err) + fmt.Printf("\terr=%+#v\n", err) context = err.Error() fail++ case testcasePassed: @@ -158,7 +158,7 @@ func evaluateTestcase(testcase Testcase) (testcaseResult, error) { } for _, elem := range testcase.ExtendedKeyUsage { - expected_eku := KnownEKUs(elem.(string)) + expected_eku := KnownEKUs(elem.(string)) ekus = append(ekus, extKeyUsagesMap[expected_eku]) } } diff --git a/limbo-schema.json b/limbo-schema.json index 3dbc6340..8a749533 100644 --- a/limbo-schema.json +++ b/limbo-schema.json @@ -10,7 +10,8 @@ "pedantic-public-suffix-wildcard", "name-constraint-dn", "eku", - "pedantic-webpki" + "pedantic-webpki", + "pedantic-serial-number" ], "type": "string" }, diff --git a/limbo.json b/limbo.json index 9a52df02..bafa0cd9 100644 --- a/limbo.json +++ b/limbo.json @@ -7,12 +7,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:0`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUjdfFtHvrxj8NjRV6277+dOzJ8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARtwUdc8GkX/3T+P7dzJ7h+hcoJU0YmDqwsQAuC\nPqyzdBqCq2dlT5yOWHw7rU9r6On5GOPT982w69F+wdTsxaKzo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvHcWNfUf3HdLmN6RT0NeyXKX+WUwCgYIKoZIzj0EAwIDSAAwRQIh\nAOXq1ziNhvUzdg/Z4r9mpTalcjUQ/Y/AjWC7mEyXB4ZPAiA9JDI/zQXtmkowoYPK\nE6C277kkQSLeBKB36SNVg5boqw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCNkAEvn4nqchsV9r+1zuPz3YFIEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNggMNt78KY6Fcaig/NaFFGHokgD86wVeexUPr\nM5e6OWmpz1C3rhsMaNiRz9C31+iQcLBsmcppKKGM8QZmZDnDo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5uRBEeRt2/4UQ7YHr0IvX9yJuAAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMUzRvc2zzrRBw8+JLJkOsh3Cwz/H5lJtz0jGyA+w5HuAiBYbPhbQq8uSmNtBnTC\n6BHuW4FZXZRn+Xt9tQl+eSfaKA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUW6oEDznA6odAXS6IiCcMfNHFWQ4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjkzNzIwNjc2MjU5MDI3NzYyMTM0\nMjk0MjAxOTExNDAyMDI2MzExODg5MTYxNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBElFP5EJI1CvFOpqo/WnPsuFNe7IY/S7zwOqkl1IVaiVCzg1QvTPLIi+a04rkxzo\ncl7nl1OW+HpcszOTl7D9AoSjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLx3FjX1\nH9x3S5jekU9DXslyl/llMB0GA1UdDgQWBBTIgyoLwKoLUTxFRkrulerBvTonLzAK\nBggqhkjOPQQDAgNJADBGAiEAw77zfvFTq1NkkhnobPBfOOfFGF8sYMpUHa9/dtSW\ny54CIQDh1GqZjeJAss2+XJMSDYKKOwTQDuP17TrUyfELNuqD2w==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaWgAwIBAgIUSDtkiyYNZXvAy53X6dT6ljlRViswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC81MDUxMTE5NDMzMjAyMzE0NDQyNjA3\nOTM4NjQ5MDE5MjYzNDM2MTY5MjAzNDE3NzEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nVi1hYSE6b254aQDd6+aLBPIqshRiJvFVKxMu9HOk7d4LnsNcQA711WkNpXQFEtJH\nT8vkOCMJ/wG8zQAVSt2C7qN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU5uRBEeRt\n2/4UQ7YHr0IvX9yJuAAwHQYDVR0OBBYEFOyf2MVaHiUa1Zq3SU/CCeep8TAUMAoG\nCCqGSM49BAMCA0cAMEQCIHfYPq11XMYVeuY8HOIp3UmJr94vqUGE4AdNrpz7IjjH\nAiAA36phw8jOqDX9FVHv+W/x8kXSFho3c+ZkqMV8WYsYFw==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUGtt5whSbjQFbKqBma4tw8kDLEG4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY5MzcyMDY3NjI1OTAyNzc2MjEzNDI5NDIwMTkxMTQwMjAy\nNjMxMTg4OTE2MTY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATB\nIeAI3XfW9LsD32oSW9tEYKc6KNqk+Ck9Yo8qyVq4U9b/7HhuWZ68asF+uXgMQk8d\nVEo0v9/xrQYAVl+G/bVuo3IwcDAdBgNVHQ4EFgQUdFK4H8z5JSxZIx6yyykmaC6+\nqSUwHwYDVR0jBBgwFoAUyIMqC8CqC1E8RUZK7pXqwb06Jy8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAPjEdzspX4Crhy5smNi9j84iymutSBAjfAkkycxGAA9PAiBYe3l1bd7O\n1FayDwnsDt4HcF+rzM0vlaEf9s0fh8/c1g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZqgAwIBAgIUQarisIzt5mEUQeM0L9kPaSiLWs4wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNTA1MTExOTQzMzIwMjMxNDQ0MjYwNzkzODY0OTAxOTI2MzQz\nNjE2OTIwMzQxNzcxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQG\nA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOFi\nv2J/0rYjngo2eRsABmYWMF0Im90DbLquSj1KzNN26VzfbRyLJ6ns7j4hwI8Eq9EA\n0aAV5eHbEqA6DCnHTnSjcjBwMB0GA1UdDgQWBBRt2jGf+NnsCl4XQO14dOhAd/qp\nOzAfBgNVHSMEGDAWgBTsn9jFWh4lGtWat0lPwgnnqfEwFDAJBgNVHRMEAjAAMAsG\nA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNI\nADBFAiB2phz9x7qs/l0Abc8G0klbgTOXG+YPBNuHBD3qQcj0sgIhAM2itlsRdArY\n3Zk3F6yaj1/OGc5yX3S0LbXHpsGitnsN\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -30,12 +30,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:1`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUX0dCYtxbJb8cNk+ysNKa6+to/QowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH4ib0tqaWetJ6DzbZZ85iNUcZKo6T/N4zbV11\nl5ZkG3pMjdpcTQeR6zigH39wvf2U7Bl1tUNW2D9CJBz5Wpyao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlDlAO67OhTCPrF7GzugZmv8ae9MwCgYIKoZIzj0EAwIDSAAwRQIh\nAKghrDeRd+kbuxit1jycdAjDww/TCfFhrfZP95lKyIDkAiAnOtivhZEqxmDmyaOi\nI7BLKpOfciLWjOcZv70s2Llw4Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGtrRM6zc6UKa9khx5cW4PTJL+swwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQpJB/pgY2pr/Bzp9irEDudPXJyrE9jUWcnrPhb\n4LblKVLhZ25zG8vX53bvh9AV+VAZjbiPIiq+s+qkXdMwxwtmo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzD6V5By0EMTyuwVLkoCKVyhAoz0wCgYIKoZIzj0EAwIDSAAwRQIg\nMCnu4GEwWy4pqFSMR8eCdY63XVZ/2heleY71Oe9NFw0CIQDwTF8kOFyenGtLlM1I\nhWRxjRv2gW8NEmASrEOBfnRu8g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUPUGjTTsjr82OdHnFs9udI3cvqwswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1NDM5NDMyNTkxODg4MDczMDcxNTA3\nMTk1NzYyOTgwNDM3MzYxNjAwMjI4ODc2OTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBIuj5EnzvhWKLnqQ8rdJVb5YQKuQnGNPKr1Jj3retpqnLrS54PTN4hJMqaJzuExm\nqaRspd89XST3NO9EAhPPhYmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJQ5QDuu\nzoUwj6xexs7oGZr/GnvTMB0GA1UdDgQWBBTDLaMYlkYuPds54uv+yafcQ6WyTjAK\nBggqhkjOPQQDAgNIADBFAiA8al9Abwy33leecVUKmWnc/eT0FLU2GDFDxSY0mwXc\noAIhAIOEmoWuxO0OMpSiBPubtg3jYPsXJrMc7HAPSzJMAJpr\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUY7BSJmPFDnx004/8FM5vkEZ5e0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTMzMTM1NDY1NDY2MzQyMDU5OTY2\nNjUzMDY4MDcyMTA0NTgyNjUwNzQ1MzEwMjAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK4vR0CY5acoNh7VeSHcPzi6y5j/R+JzHTKryGBtcby+vaUKO/OkZybRdxgwfWOM\nssjae1IWx3FXW61HiKoB3zKjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFMw+leQc\ntBDE8rsFS5KAilcoQKM9MB0GA1UdDgQWBBSj7a6eLzpOzQ+UYnQOKjLURSt75DAK\nBggqhkjOPQQDAgNJADBGAiEAk2hEJiL8ehBHOQvX7eMWk7tXI5qH82HW8YNsO1KO\ngYkCIQClkH7gH0vyCu38WUjwox5J+6nP2ChpvU18jL8nkYx3UA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdSrKNUZkAl5MrSXPbW8WlJ31cr4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTQzOTQzMjU5MTg4ODA3MzA3MTUwNzE5NTc2Mjk4MDQzNzM2\nMTYwMDIyODg3NjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1\nMR42Y300fFoY1moOlv7Spz7eTMcOi0fBCujsv6JGcBoO9/B0DWJke9yUb4JrMZSs\nWNMNOmhv7jjmWbirsv5So3IwcDAdBgNVHQ4EFgQUC40DQ9a38xpeUw6lNgPeW8Qy\neXwwHwYDVR0jBBgwFoAUwy2jGJZGLj3bOeLr/smn3EOlsk4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgK24c2+GxhlWs3rJS10knoSaF8sNJwwlLS2dK9H0uVd8CIQCtcTjk3oAI\nIpGRt6c5aTOn8VzWqJm2ZbtveVyxzOa7bQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYrwyPWhoX6uTbYbsTRa1G3KqCagwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTUzMzEzNTQ2NTQ2NjM0MjA1OTk2NjY1MzA2ODA3MjEwNDU4\nMjY1MDc0NTMxMDIwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0\nJlwGzfaCuGjw5hEfzK1NRQaMtuS0u20d5ON4Joc7kqeyjACV+lx7oYV2zz3t/V5g\nsaxppne0rWHVqTRMr2dYo3IwcDAdBgNVHQ4EFgQUtIp4PWF92V4G3FE+JZlSGO/z\nxN4wHwYDVR0jBBgwFoAUo+2uni86Ts0PlGJ0Dioy1EUre+QwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAODZ8f0WIJZMEA3u8bXIwAXkqjOI59MnAXvuVAwBCdTfAiEA/YWdA+JS\nVIgj+HRm2Q2YgGUcoK2U6d6RX5DlqEmjj9M=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -53,12 +53,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:2) -> EE\n```\n\nThis is a \"trivial\" verification: the intermediate has a `pathlen:2`\nconstraint, but the leaf is an end entity and is therefore allowed.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbuZUk5NiJEG/nx9dNf1NRQASATowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATIfQX8bW62EcZLEbRlAN5WGAzx2pR1o+mJFUHn\nZIrSpMPIP8X0x40bPwpo4TCu/fHy0DdGjIZXkKA6Ae7BPLSCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnPK7gYytf9JPlitAeMW/8y4dp70wCgYIKoZIzj0EAwIDSAAwRQIg\nWgXg25U2PfBJnVjVsh++ReZyem+GHP1LFNqcMoBOHswCIQDnxu2/CHbxz43eAwTa\n4Aiw0sA+SxH/dG87DqnsGBMbOA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUNdedzaqSb+yXV2weymeakfAFPlUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR8E3kUlo7ofENLxn4Dv9mGxxQ5NpU9OsoDW7uH\nqO/apCO++C5jGYYVGOc8qg4XEpfnyAnCy2ThB/pZ1ROwKx/ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWdHGgdjgBvStwiPaZbuADVDsc4UwCgYIKoZIzj0EAwIDSAAwRQIg\nOmBYqJFhtLWiaxMA7+25VP1EuSs+AHj4E75BY7UEbuECIQD8x8yUzvOVGiMDsAmW\niY3uwQnLku/KadUFJRkHytObwQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUQoVexDPiPKgjy1aVixABQWkJ3x4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MzMxMjU1MjM4MzU3MTY2OTIwNzUy\nNzA4MzI3ODk4Nzk0NzMxNDIyNzYxNjE4NTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBOI/jHTGECYv1G1mMIZVLfH6LX87PsMT7hzUT6IWgot3hf1uZVMOMeWpqK9jI7VD\n5bbQzfUOjeSgOg3ijqA9O8ijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJzyu4GM\nrX/ST5YrQHjFv/MuHae9MB0GA1UdDgQWBBQcCPHyxhe54sxhF/PgjAeW7/5xpjAK\nBggqhkjOPQQDAgNHADBEAiAa6MHuyh6e/8VZhiGEc//zChkqtH+a0j4FTKVcLWuK\n5gIgBtWfkQumLEskU6zfvI7rEpiK9g9EQc6w7GpvESgADdY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUf9Ct102DjZlFlUmVBgkbfjU73uYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMDczODQ5MTc2ODQ4NTMxODg2Mjc4\nMjc0MDA0MzgwMzkwMTY4Mjg4MTc0NTY3MjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKHJ0CCMTErGh/3hrxSxBF4G+xmqa9+3UcgXBR7+G/f2PuImBPvK7wnU+/RxHrsW\nuCFSCXEVa1ExI7/w0w01w1WjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQIwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFnRxoHY\n4Ab0rcIj2mW7gA1Q7HOFMB0GA1UdDgQWBBQ5nkJBJ1y30hiksavEgtrN9ufMFjAK\nBggqhkjOPQQDAgNIADBFAiEAn6hvWe+uiBk6grutCibgtL8RvI8vJJornmzHY9x8\nW78CIAcJRi8nZAAIxuZh7rvb6TqY9Rh+ycjCbedMx7aLHDSM\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUXVGz4/lR8aKO56V/JSKrVTkwLQkwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjMzMTI1NTIzODM1NzE2NjkyMDc1MjcwODMyNzg5ODc5NDcz\nMTQyMjc2MTYxODUwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQS\n9MKYXytnqU0IrKV84zIZGlluZUD9qEMVyA3T3iAPrI8LjiE44CUfBP/tLjsH/NA0\nGfogb4ZBuHJeno2HJNdqo3IwcDAdBgNVHQ4EFgQUt14iIXVtjb6VdSSSi5zu61lh\nqBAwHwYDVR0jBBgwFoAUHAjx8sYXueLMYRfz4IwHlu/+caYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhANImSVNVhLP3jdUTvzyV1R2P0mRoQLsHq6Q6zVgpaflnAiA5w3vDQDMd\nQKtKB0UAKdFBBam8PHZnrrkuKD+ioqJRqQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAXsnaTuCto8KFaUbjFbjfyayaNMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzA3Mzg0OTE3Njg0ODUzMTg4NjI3ODI3NDAwNDM4MDM5MDE2\nODI4ODE3NDU2NzI1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATH\nDotgwRCEN3kaVNQbGORQlvgmFCJoNXJry1sN54p2D2mWxv4NwH5f7YnG+k1iuRiq\nAUCSzu8MVLjiIMhRf27ko3IwcDAdBgNVHQ4EFgQUkDP3YMc3lSG5Dc1wZfM7ZC2C\nABwwHwYDVR0jBBgwFoAUOZ5CQSdct9IYpLGrxILazfbnzBYwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgD/956a8EThJYT1XHka5r46K7RnPH/EUEU9qSl6iafIgCIBhKYbdI8IEB\nOrdfUv6l4+ibp+s6IOLUITv3KI2mGM0a\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -76,12 +76,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0)\n```\n\nThis is, unintuitively, a valid chain construction: [RFC 5280 4.2.1.9]\nnotes that the leaf certificate in a validation path is definitionally\nnot an intermediate, meaning that it is not included in the maximum\nnumber of intermediate certificates that may follow a path length\nconstrained CA certificate:\n\n> Note: The last certificate in the certification path is not an intermediate\n> certificate, and is not included in this limit. Usually, the last certificate\n> is an end entity certificate, but it can be a CA certificate.\n\n[RFC 5280 4.2.1.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOODjIWOBmS/ht8kkPFkbLtCyvNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARyg2yDR/CA9lsKuJSwA/0PbEVgMztk2e0rxeX8\nYySXfj5pmGe9tutm7PHWfjripNQKGZ0dXU/pPCeRWpfWsJAUo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQg2SYkfd5V1ZIEVqS047Ln4I/JUwCgYIKoZIzj0EAwIDRwAwRAIg\nUJrh+joXP8XSCyQKFLq63wUJHddXxYjHQkE20hOuuNQCID3KvkUDtzIx3H5gBqQN\n9xdtuVm6C4uUpQZKHA1r83yI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUaTIhsFabLLdSSFdh+pAWSu6miA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASoMx5t95Hs/y3wXUbejn2YVImt/8EJTdGRezG9\nLxE2rFHhxtTCmNfi16cW+pSbY6rQgr9kJXhlbzH8+zETI5NWo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUgPmdaCAKsQ2SdISJvSWLVm00g0owCgYIKoZIzj0EAwIDRwAwRAIg\nXvhOds9wdvQw4r/kKWxtdH575OhVeQ8MP2/O+gJS2BACICI195loKbsLFVh7SGi0\ntYAJtOvgzIoiQPUQR82XdIW5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUYJB0DmZyvXvzLfqfwP5pxlKQMnMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0\nMjUxMDc1MjI3NTE4MjUzNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBLmTYM8eajoT7LWgeoIhJMIbIFCAdq/q51rCapiZB5gJOzU7vEBfRXQfow5pFG5Q\nfLyWFBHovevikD1Y3k4L+t+jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFEINkmJH\n3eVdWSBFaktOOy5+CPyVMB0GA1UdDgQWBBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAK\nBggqhkjOPQQDAgNIADBFAiBkmj06OfwIpL3PgEmK4iM4CTGrd1TAq5Q1l7wMLN2A\nUwIhAJcVSYyseij+VxVqbpAgov/nI8ZqkwXZhCnokrX3xlIK\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUfx9MviWtxMsVuqieltLOwq+LsEgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2MDA1NjIwMDI5MDY2ODEzMjc5NzU2\nODI5OTE0Nzg2OTI2MjM1MDAwMzMwMzQyNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFjZJyhu/QIg3kkSxh8Lsfs1hYj2r6688CHNHsX7MiKeJQJ6wb0BuvfUT9MpOr+g\nYckTbBvMsP1I16Pb0eo8V1qjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFID5nWgg\nCrENknSEib0li1ZtNINKMB0GA1UdDgQWBBSB6RYlNaGAKiXCe+It9+GYBFhvkDAK\nBggqhkjOPQQDAgNJADBGAiEAgTAEX2+JyZ23aNHBz6J0LkYWlRHXECRD3gAem2M2\nqhcCIQDHFh0JqHTHafCtM5XIMtpTufhDqrL0A+0kdtd2UFydsA==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTDCCAfKgAwIBAgITQyN987G3uYA468v5byMvodayqDAKBggqhkjOPQQDAjBn\nMTkwNwYDVQQLDDAzMjQ3MTg2MzU5NDEwOTY5NzU3ODc0MjUxMDc1MjI3NTE4MjUz\nNjczMzE0MjEzOTIxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMDAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNTUxMjg0NTMxMjMyOTc1MjQ1NzQ4MTg2MzYzOTUyNTQ3OTQ1MTcxOTA1\nNDI2MDM1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrHiZU+tpwIewlqntI5Nmn46Rm\n84ptjOFHVHG+N5+peX1xVAL8swDy1jZJH69XsYgXR7bDJYXf5fDpUr44NV+Ho3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTzF9N1MCTv2hgXQp8c6rqr1E+ERTAdBgNV\nHQ4EFgQUFTym8fBPsGlAEKDcfzyWaAx3ps4wCgYIKoZIzj0EAwIDSAAwRQIgdfBz\nooJWof9a1P39op/G3wF8e8Sxpbt+S5Fv0kSQ1kgCIQDG/obogcjj0gwytLtVzLzI\niO1NGitVcvUJ1Q1r0CaJaw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUDXr2K5rx3SSjp7pxAUSLtBq4CjQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjAwNTYyMDAyOTA2NjgxMzI3OTc1NjgyOTkxNDc4NjkyNjIz\nNTAwMDMzMDM0MjU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDcyNTczOTgzNjIzMzI0NjI5MjI5NDk0MjY0MTQ5NjI5MjcyNDY1NTk4\nODEyNTc2ODEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWhjyfemHyMcWwHqKLejeGMlx\nhm1o3fF/Vt/ahxGimqcClPHuRgK/mu4W33gaq83o/q2I3Ch5x0DPJVRJw80gm6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUgekWJTWhgColwnviLffhmARYb5AwHQYD\nVR0OBBYEFPtesNQPeNxTrd4TtQ5kXOl0AGzwMAoGCCqGSM49BAMCA0gAMEUCIEp1\nwxyujkkDa27Eggs1P+pa2DKUmpEqAO4PdQv3KH36AiEAgd9hZkTe2glwgBsby5Zp\nXclb1aQcniut3MmmRXoUzeQ=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -99,13 +99,13 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the first intermediate's `pathlen:0` constraint,\nwhich requires that any subsequent certificate be an end-entity and not\na CA itself.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf8wxRiPG4LMGszX4/MTgr7cwJ3EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ/erWpehA/s0amOiiOgT1qdoAIciIzU0Kb9H8O\nc5jkeU/N+6UQWW53FyoJepHCdAwqIybdIZdG4w9q5SPKgqIPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV8BXRhUCbvKL1Ay66yqmGnO00D8wCgYIKoZIzj0EAwIDSAAwRQIg\nRSYDqMLW8ojAWkBCYgy9b9rHfIEm50OSkfFFHa1WTqQCIQDXgBmfmORgd/TPWPxB\nSHpSNsBYgSckMaMcJcyRKEa23A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUaKBrmdai/A+uPJFAIae8NoO678wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ+mmWDbYiuDiRrZ7sAE6G0SpobZM5hHn5QAlZ4\nDeGV8iRbX39Se0lRX0Nqk5AFeuoJ7ywRHox8JEbBlJefWS5Lo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqiV9cR2FkOBP+1R1r+tfz8IUoqowCgYIKoZIzj0EAwIDRwAwRAIg\nQUYoPb0KvCsSTVujDtYqFMHLLgnQlW/lk9xaxeMazAACIDT7LFbdytdRf156jZSv\nJ8xBI8G40Ws8KX/JMTvZrUHk\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUExV1CDCJulDValMokPAjG6BAQ/0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA3Mjk1OTU0NzIyODQ0NTk4MTk0OTAz\nODg1MDgxMjM5MDQ3NTk0MDk2MDQwNDQ2NTcxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBItcSP2xpSa4GnwuPz+22GPBtHBrJnaG7EXk3X8xKXb2pJlP1yt4LZXveLUcnUa8\nweW+fb++cDoAr9un02tvRsmjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFFfAV0YV\nAm7yi9QMuusqphpztNA/MB0GA1UdDgQWBBQQzSOLPfYJx0N3NptWl1F56pC/wjAK\nBggqhkjOPQQDAgNIADBFAiEAhbHv8AGWUPORbfKr1fqnOS8uQGpyYvypRfENbKsE\niSICIGP+PgAhZQ9lXHNeVL1+jDHqKXsY3awtNHBuTFPQ4bfJ\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUQGx9wM0oGlDSPFGnJrhuaZbzcmgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzI5NTk1NDcyMjg0NDU5ODE5NDkwMzg4NTA4MTIzOTA0NzU5\nNDA5NjA0MDQ0NjU3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDEwODk0OTMzNTIxOTA1MzExMjc2MjU1MDcwNjAzNTAyMDU1Nzg5MjQw\nODMyOTIxMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyNPjsSR+Q/cJEH3umFP8cIIK\ngg8o2k+mBKIG+0tmtObO27A1NaFC2U2ZuQ26PF3qWTOgkLQIeQajN+dy+wKyk6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUEM0jiz32CcdDdzabVpdReeqQv8IwHQYD\nVR0OBBYEFNA8ZAU3Mj5E2WouSy2Y4yTf78ZdMAoGCCqGSM49BAMCA0gAMEUCIQDD\nW9ngfSIDopr3SkZbqMqm0QD8tgWPOtqgK7Akw2dcnAIgZH+fiOmqZU8vAciUDk4k\ngoJfB0oJRtI9mc1Bzn0HyW0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUKAlCDwMjfJJmKRJnqO+fgrFWk94wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0NjYwNTIyNjk5OTAyOTA2MzIyOTkx\nNDM1MzUwMTg1OTczNzU1NjMzOTQ5MDI5NzUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBDd0nx49BGSjubB5NYW2ylMBuquO2vJ25PMsCPAny+Ipl/nEY2YWjMqXTPJemMU4\nY5IaWP5D5CnJseoU5QSTMBCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKolfXEd\nhZDgT/tUda/rX8/CFKKqMB0GA1UdDgQWBBQyggvQ+OW3jUYnKDsy0ho/86TcZDAK\nBggqhkjOPQQDAgNIADBFAiAviTAZeC/PwTrbr8Q/QUjPzGZovX5ZGabl0DJri9/u\nkgIhAMBftKsTGT01H22TEGgOMrmaiSGUIozUUPMIXN9SGeGJ\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUZEcBqrZBOARxDKMZ+SGkn2W8P5YwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDY2MDUyMjY5OTkwMjkwNjMyMjk5MTQzNTM1MDE4NTk3Mzc1\nNTYzMzk0OTAyOTc1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDIyODU2NjA5MjA1OTAxOTI5NzU2MzA3ODM3NjA1NDk2MTAzNDEyOTIy\nMDk5ODExMDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKnu5tkzGSo0Guw7deWny1x34\navCf2uKPqSJA4MOqHJA+sPVOWQk0D2ZRXTGUhOdGdAAR2wnhws55MJVlH9g6X6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUMoIL0Pjlt41GJyg7MtIaP/Ok3GQwHQYD\nVR0OBBYEFFl3wq9HgB8OtRf/NPVg7BtH23n9MAoGCCqGSM49BAMCA0kAMEYCIQDi\njtK5wG7vaMN38Fta/i+KuJDNxzWzA238VoOHtOu2gwIhAKpLJVz5xB9sflyqxgBa\ntDgrUUJmuR9chPEH+nl8Rnbq\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUJe/5BVu+qL1eYcl1qtyKevSkzHwwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTA4OTQ5MzM1MjE5MDUzMTEyNzYyNTUwNzA2MDM1MDIwNTU3\nODkyNDA4MzI5MjEzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARQ\nxAQNkzcMHyZFtRFAe+r21kQ7mu+1/TeYtSaSkPZcp45hGr8Pw0dqeH8MjwN+YpJp\nFWhNazqJuuSkGVL43tiLo3IwcDAdBgNVHQ4EFgQUQYGkCBhYLe0d9jLESJ4juzAM\nnxEwHwYDVR0jBBgwFoAU0DxkBTcyPkTZai5LLZjjJN/vxl0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgQ5aiw0nnggX5Rw3LXnySyERuQ+OPgbIRA+CjEr7cnCMCIQCWZXb6HvLE\nekNCT1Nu0HEA7xBrpeaE/RhqwABJjBF3uw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUVZjUcJZP5evuzb+B5aWxKrAmkwUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMjI4NTY2MDkyMDU5MDE5Mjk3NTYzMDc4Mzc2MDU0OTYxMDM0\nMTI5MjIwOTk4MTEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQA\n6TesGeLq+CNbUaIjFbpp0M0RxGffwF2BYTccVsF3nebcZ10w7l8v9JX8kPuY0BBb\nyamLL3xwTnitQvu0lAguo3IwcDAdBgNVHQ4EFgQU6tKWwuCZYTBIm5lg92e1Isaf\nKJ0wHwYDVR0jBBgwFoAUWXfCr0eAHw61F/809WDsG0fbef0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAN/0i0vVE8wvtMByqm1ZdZ0iQpy1A3SLLi8F+z3ibl1AAiEApGtV5Hnf\n5W42YAPoNkI8Ud1JCRFgQZInV02x/2RICdw=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -123,13 +123,13 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE\n```\n\nThis is a less straightforward case as the second intermediate's `pathlen:2`\nconstraint seems to contradict the first intermediate's `pathlen:1`\nconstraint.\n\nRFC 5280 permits this as part of supporting multiple validation paths.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQrooPmZOgtrw0mcAZ53Zc+5czOwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARLJNaqtnvKNt1yARnpEyEoVBGyLhSudrz4Fe9K\nmwk+9cVaro4PyUpuBcn9NwjnXcqHzYiUMUyUGKns7UCX0t8jo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUv2BRKltVTjAP7tOtX71mzbB2llkwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLpNJrFtiOLJUtcNRNrzhppsuHGYfVFFkyOS+fe//KJAiBqeubTebe7nb3J+JC9\nFdEP2UUDYNDvmMOWD232IGsJQQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZhppNZLcbrGcIeJaNI2PCBLYQhEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6scFInXz63TSRKRlCEnTsKZo5LPayLqLlVhLI\n1+OTB6H81lc3dRjx+QCwVt6nQZ6fXpLG8QY8PXL2ky6WgMGGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUlSjsRzoyD+3ByOAYrOh20arRuRQwCgYIKoZIzj0EAwIDRwAwRAIg\nVaVgIoGgESMRoHjrffq4Fscgg6eSzdXAjWkJgJw1WCACIBFZ2CEKwprMNddZ6/sq\ntLaiQcEVV2egY5NOJVCf7uDY\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSWz30vHfDRS9ZIAlcIi4hs5lyz0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzODA5NDQ4MzUyMDYyMzMwMzI3OTYz\nMDk1NDA4MjcwMzU0Njc3NjIwODA5OTI0OTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBFKSziZ3lTzojjLzawD1ATDFYty47SGBuFx3ymYpIb513FNeVDsSbg7hjmJj1o2v\nfWwuQfK97fdIL93NujDpYdCjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL9gUSpb\nVU4wD+7TrV+9Zs2wdpZZMB0GA1UdDgQWBBRYLcySfIy5A4lCDUE52GRZZIrApzAK\nBggqhkjOPQQDAgNHADBEAiBxk2j0K8G7+H6SOzFY+/evgrgvI5mZ0jgKe5vWGldm\nigIgL353FxA9mN1aNKAFHPFb7rRuSeGvWHtGI7aAhIY1iiE=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUG1TUyZZ7Cjt581lInL7cdt7vgwswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzgwOTQ0ODM1MjA2MjMzMDMyNzk2MzA5NTQwODI3MDM1NDY3\nNzYyMDgwOTkyNDkyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDQxOTE4NjM5NTI2NzAwNTg4NTI0NDQyNDY1ODM0NDI2OTMwNzQ2NTkw\nNzQyNDA2MTEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQwHOAJzmgJlwLg2PDjsFXA72\ni6Hakz51n/56np2Nathg0sDf8ekVhDeemae43LSCltPyHY4cAbmCGBDrPzz4zaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUWC3MknyMuQOJQg1BOdhkWWSKwKcwHQYD\nVR0OBBYEFA2yQWpVGFvNmwMJW5klq87/VekOMAoGCCqGSM49BAMCA0kAMEYCIQDR\n5mkxWauQtN+tiRY+PtKMi/Q+gjGN7w/lWpa77TlExAIhAKVSpQR2tApLpOgvIQV/\nF4cQAwn6kSuEjwFgtURdFdoL\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHJxht/lrZLA+1Xm2yV8vb/y9ArEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODI5MDYwNDMwMTkzOTM1NDcxMzkz\nMzQyMzQ1MTI1NDc4MDk4ODg4NzA4NzU2NjUxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA2N20Yj2c9dDYOEKTVVpKtF6bpKHUZKgDjR1XrID7Xe8ZRMJpZ/fVrGWAdRLGv1\n5wWncaPIJZocuFK5sSWFGuyjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFJUo7Ec6\nMg/twcjgGKzodtGq0bkUMB0GA1UdDgQWBBRIhShIrXHROJjVZu1ALDhiAw+PHDAK\nBggqhkjOPQQDAgNIADBFAiAXJjtd9Xf49oHvcVUlbB40aiLRR2dZMX5NCbvCv2xW\nTwIhALBkaUvHuMoexC4b43OLNK8JPJuozLl+2w+t+sFHuYvU\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUOZn4NBi++kszHmL0UTuhRhY2pI0wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTgyOTA2MDQzMDE5MzkzNTQ3MTM5MzM0MjM0NTEyNTQ3ODA5\nODg4ODcwODc1NjY1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE2MzMzOTE3MDMyODk4MjIwMDA4MzE0MTUzMDExODIxMTU2NTI1NzMw\nMzU4OTU1MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExqTWD8RfDBmq49S0i/mZYeSn\ngqkzoSI0JW6NNJ2it0qkjKqYpI5wMLT4Po4zHz79jQs00D1i9EaYKazXAeDlIaN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBAjALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUSIUoSK1x0TiY1WbtQCw4YgMPjxwwHQYD\nVR0OBBYEFG+rQZku39qgeuDjBD9np5uhxGIbMAoGCCqGSM49BAMCA0cAMEQCIHnl\n2OmXBGZMlv1+dOPqUwtS1QqsEozCnkdkQeQkmb0fAiA0qlQ6SpXtosVckSmXZydN\nuyhajAdjV1WLQ4Ga88FELg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULhVb/DjFSVELys+SoAa4/7ltNb8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE5MTg2Mzk1MjY3MDA1ODg1MjQ0NDI0NjU4MzQ0MjY5MzA3\nNDY1OTA3NDI0MDYxMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARC\neH4GDv6wo+Nult8QR9KpO/E7nYlzavEB+FyGQEXjSazdeTbVJCL62GUjj7T2Cfsj\nPNJwpZGS09EWnCLoVvK6o3IwcDAdBgNVHQ4EFgQUiYkEUlUPOEJnwNLxNRozUeKx\nE9AwHwYDVR0jBBgwFoAUDbJBalUYW82bAwlbmSWrzv9V6Q4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgA5Rnkg5J8BmdMkzZCFP2i2o7CqslCWhxhUNZ8V0FuMkCIQDG0NBulIYO\nogzcjWC3JsociydED3N0WjW23qykzEZJIw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIURqxWMnqIRfRNqLRfBeFSsLd72wYwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTYzMzM5MTcwMzI4OTgyMjAwMDgzMTQxNTMwMTE4MjExNTY1\nMjU3MzAzNTg5NTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTIwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATF\nI4Ag0YojqVtawrbO7aLJH7rTdpWDYBCZqReJRu4dXgyNFgePcnMAG23cqDWmDPf9\nUPdf/7Jpj5O1bp8YV2yFo3IwcDAdBgNVHQ4EFgQUtBFyjH0L2bzb0Xs9bSEpYkg1\n+jAwHwYDVR0jBBgwFoAUb6tBmS7f2qB64OMEP2enm6HEYhswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgNwdoQUaRSWFK7oKXfMP551TBNvhRrL60+eXYnQHRfjUCIGVMw0ut2gmC\nUOdP5RS1UUYFJWtcqXvzbSt4FQvm9TlZ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -147,14 +147,14 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE\n```\n\nThis violates the second intermediate's `pathlen:0` constraint, which\nforbids any subsequent issuing certificates (which the third intermediate\nis).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUZ0eOF+AwqSgt0l+EGiut+Auh6XgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQc310/4+jRBNt5TMZNcMS37+eLHAB7GyX72kZR\ng/uJ3sYsK6T8U7y80nBfTnej2qaDNn/n2BWX+ORbtQiL/plYo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU61+tyxB8Uduikacm62ovnjqkOZMwCgYIKoZIzj0EAwIDRwAwRAIg\nMmfA3XJO1M5yFgKjMEhmnEHlIxDv4K6VuFuyw/shYnICIBPpIc7XH1pfxrOLQ1dI\nqiuCSam/njO/1ASjz4gaZupA\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUCBjK4eGm3OwwYUOIp8gbyLI5zSkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASYLPzXwrPhUrXJi08t4AR4AWnezhFHttfyJFFJ\np0ILZm6mSxIQG/TKfvqj+77GpMJ16XTPIgYXJSNJJjksZDMGo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUb9knBBocZB7fGu9qy8qugeiKEmQwCgYIKoZIzj0EAwIDSAAwRQIh\nAJr65fotujRkKZFoJVsDfxch3hcHaKfoQpXXn2y5b5PSAiBdW9Q71UvUNO6I/jtK\npC3JfA2E92SmZ2/1nTFQxUzpLA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUHfgSF00yURlc6fwabAj0HOrl8hwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1ODk2MjE3ODAzNzMwNDc2MjY1OTEy\nMzI4MzE1NDcxNDQyMzkyOTQyMzU5Mjg5NTIxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBGVKHq4RItuiZCY0n7n5T7zWY+YxP235dQyHCxUTFQYMgcoxlbP2sdy7+aND7j4t\nauyjFvvXmpkcamcUL95Hs0yjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOtfrcsQ\nfFHbopGnJutqL546pDmTMB0GA1UdDgQWBBSSeTKttVbcRQZJiIx6O2VgGwXuYTAK\nBggqhkjOPQQDAgNIADBFAiAU4hzcvYjnSlhC3V5sfjuWdNrNxZjahRkY5vI9aTbz\nXwIhAIk73+kG4EA+6x5ug+csoY59EuCxjLI0EOIhb4kBQcCR\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUQgnc/c/e4TQPV08icFyUVkL4gPMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTg5NjIxNzgwMzczMDQ3NjI2NTkxMjMyODMxNTQ3MTQ0MjM5\nMjk0MjM1OTI4OTUyMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE3MTA5Mjg5MzExMzM3OTk2NzAxMDg4OTA0Mjg1NTc4NTQxODM2NDg0\nNTE1ODk0MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhnewbij5DQH5faQoICgARJo7\naJentAx+2fLwMvsji33Zb42CNFJMdlPQJalzZnJrFE0D+VgHQm4BKBUf+mVVpKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUknkyrbVW3EUGSYiMejtlYBsF7mEwHQYD\nVR0OBBYEFFzJy+pP8t68Wck3KWqSbqQpz6X1MAoGCCqGSM49BAMCA0kAMEYCIQCH\nhF5sLlDNls1irvGJwUYoQL/CribX5YeQefd2DP5LlgIhAJDbsn9D2JHAs+TxXiZx\nltRfJQc4VpX9jqtX6rRoAY8I\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUdY0Ds5H+wc8MMg9L56pedjZ36mUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTcxMDkyODkzMTEzMzc5OTY3MDEwODg5MDQyODU1Nzg1NDE4\nMzY0ODQ1MTU4OTQwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM3NzAxMzM0ODY1MTgxMTQ1NTE1NjIwMDI0NjA3ODg2NDE2NjY0NjA1\nMzM3MjE0NzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKuqIZAo0ZIvpg6VwuR81RAea\nAm0n5Unaa5L0ju0zg5aKOrl79Ky0kjEYf0i+Bxwtu3Xo7Wr9uzC+EbBNI6cYmqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUXMnL6k/y3rxZyTcpapJupCnPpfUwHQYD\nVR0OBBYEFPiIwEw6bwrEO2MBwThl3hGy/eLDMAoGCCqGSM49BAMCA0gAMEUCIQC6\nZGoeA9d1+ERTJozTQU16AGqBKwpGrHaJ9xUmzS6J0QIgD6TP9Q/XKYcUWZcicSgS\nWkUbhAzCj7+2ADXb5IFQfMw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaWgAwIBAgIUfOB8Ssygzh836H3u58FOOqziUHgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBmMTgwNgYDVQQLDC80NjIyNDgxNzU5NjU4ODkyNTEwMzI5\nMzc4MDI2NjgxMTg1MjU3OTMxMTA0NTkyOTEqMCgGA1UEAwwheDUwOS1saW1iby1p\nbnRlcm1lZGlhdGUtcGF0aGxlbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nXYC1qvHHAYdCSX+My+J/7qWkFXgEfM4Hj9EhWMX5SCglmd6pk9O6CpHxC63toO6a\nKjr3pO0wn863sAWV04xxHaN7MHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUb9knBBoc\nZB7fGu9qy8qugeiKEmQwHQYDVR0OBBYEFAp9z0vwUxeerxjtwBTtSxoKmboMMAoG\nCCqGSM49BAMCA0gAMEUCIFD+66QaNuhQ1DLTcIIO52YECBeIM6YG7cuv55NozPnQ\nAiEArTH6aDojEd2ckX2958BCFZ9+c5FCzcxQFZeApDujarc=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfKgAwIBAgIUaPmW4Q9tcXfy7l3m5O3htVNn0h0wCgYIKoZIzj0EAwIw\nZjE4MDYGA1UECwwvNDYyMjQ4MTc1OTY1ODg5MjUxMDMyOTM3ODAyNjY4MTE4NTI1\nNzkzMTEwNDU5MjkxKjAoBgNVBAMMIXg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tMTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowZzE5MDcG\nA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4NzcxNzI4\nODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1wYXRobGVu\nLTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpusCOWd9KnwWahutw7wyF5Sn1\n9A+5JRihW1OECYuMjmDLOTIZhdtMS4+CjOktdzsH+X+cz8PAsH9h70AMDumXo3sw\neTASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtl\neGFtcGxlLmNvbTAfBgNVHSMEGDAWgBQKfc9L8FMXnq8Y7cAU7UsaCpm6DDAdBgNV\nHQ4EFgQUZ2uWOdmcjFBTpxPdXpYDtMadPm4wCgYIKoZIzj0EAwIDSQAwRgIhAIRO\nFAZk1bilGhjKSRtelVt09tSDs+Swo23XWvUBj5rmAiEA+rB05EakmtU0mjDT1FhM\npzBOuV2Gncs0bNo5/HAlcEU=\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTTCCAfOgAwIBAgIUey3dLn9+amxnkbHvxUrp4Jj6b6MwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNzEyOTIxMDQ5ODgyOTc1MTEwMjk1ODg2ODYxMTA1Njg1MTM4\nNzcxNzI4ODE0MjAwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDU5OTMwMTA2OTE0NzA0MjQzODY0MDYxNDc1NjI4NzUzNjQwMTg1Njgw\nNjI0NDg5MzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0OU557b+Z4lXHqHtKlGikElQ\nMzeJra0ZCQOXVeoJ8VfvlQDu/WFN0XX/Rl/z6Zysn21e8O9U8pHTSuzPSpdpU6N7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUZ2uWOdmcjFBTpxPdXpYDtMadPm4wHQYD\nVR0OBBYEFCyCoceOvRxS2+gnELJYbIjQHBrVMAoGCCqGSM49BAMCA0gAMEUCIH+t\ntHe1iCg8wAXwyoUVCefpqDwA1UgonGC5LMHHFkj5AiEAl0/BEdI/xogQl0X27av9\nodlRXK956RphkNj4j1apIUo=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIULBgkZSbVikGW8IAIW+pw9bIiaaowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzc3MDEzMzQ4NjUxODExNDU1MTU2MjAwMjQ2MDc4ODY0MTY2\nNjQ2MDUzMzcyMTQ3MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATj\n82mKcbzkgXMjfyydz+9VqNNY8rT29N99pI4pvDrFTrSTgtC4h9rdZssC3StF1qA8\nD77KhqwYdiMkn384n/wIo3IwcDAdBgNVHQ4EFgQU2QznaJouicgWKTJ+EElsnCGN\nHfIwHwYDVR0jBBgwFoAU+IjATDpvCsQ7YwHBOGXeEbL94sMwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgMSfFZsfHFREZKxYESZ1cWWTF67JE16eF0xp3skX5uQ0CIQDhdjtRl8g2\nGO9dBWv/tQJO/SXeJc+d63/Bs++3ACmYNg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUdFhlIvu8yYJhueesmPhiu+qmdbgwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTk5MzAxMDY5MTQ3MDQyNDM4NjQwNjE0NzU2Mjg3NTM2NDAx\nODU2ODA2MjQ0ODkzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATG\n1VWfEuIPyiJMGieW4Kgv0N//fUemt5Q4wBoFEy2edU+JnfvWxrQeBkId4L8phRKF\nbk8Sw3x8KmUfp9U/67mIo3IwcDAdBgNVHQ4EFgQUGjKOOF/gWnETIKxLiBhB4m/k\nepIwHwYDVR0jBBgwFoAULIKhx469HFLb6CcQslhsiNAcGtUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAKpuuN7+pfwZ2CmTVgL8wHL09AlDxkCBS4sOsw3PLrD6AiBAfh0yzIX4\nRxeEYhkHylOiN/6xriFFWx+qPkBChYIASQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -172,14 +172,14 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE\n```\n\nThe second ICA' intermediate is a self-issued certificate. Self-issued certificates\nare certificates with identical issuers and subjects. While this chain trivially\nseems to violate the assigned path length constraints, the [RFC 5280 profile]\nstates that self issued certificates should not be counted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUd2NN3yEK3YVMxIq4GUqmZqgygWIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAShmxMb9GglTrGPZLMD1PISRia4vTKM/VmkP2o/\n9XnfoYlogdryNMt6G3YlKvHRYuPET0riPWmJ5CwWgPWZphmjo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU6/JA47FtpwCrIrqwmERpYmmoIxQwCgYIKoZIzj0EAwIDSQAwRgIh\nAOpaXqFjaIrke20WZ3ae6dgZf5NwuBwu56ryCP7Wjxn0AiEA97WPiVDMSDC3XbCB\nhE/g+KoP8rc8r6gn35adVThoEAA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUGxCUX0Kgg80o5UhihVX+I6NKx0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ6qVL1UN7Zf6n8Oh033viPI427VJOE68G+5Kdo\nSH5Nk+FqvJv8ikV9OKBwhydP2jBJOqB7rbkjfe5ccE6Z65IVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUOnuul4z8icAwQb/gJ0Cz4bkjI9AwCgYIKoZIzj0EAwIDSQAwRgIh\nAJxvWF4CivKlcZ+B4YBK4aOhRF9AmMLxT5MTTpf0P82CAiEA4Hsv0UKuEvSfYkQ6\nmHfrY/kPHR3Q7vrjix25AgdP6pQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUEZmpR/Xls/0Hgswm0hkWrBXr73EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA2ODE1ODQ0NTkwNzU1OTY5NDM3ODYx\nMzkzNTg3Mjc4NDcyNDUzMTY5ODQzMDgwNjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBAaxxNsMTnj/QTiwUrGGakss4SNTTo0RLjDbg4bkNtoy+fWQt50SXMGBR26yHKFL\niMNDD1CJKX4Z4LeLcHP1osOjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFOvyQOOx\nbacAqyK6sJhEaWJpqCMUMB0GA1UdDgQWBBSeHdcMMAbluZdCJ5co/B3ckjHnUzAK\nBggqhkjOPQQDAgNHADBEAiA+1snyMwGWSa2tS3DC4A0cO9acg788FHp5hoLcnb0h\nrAIgJOr24zXG0oFwqy2fzNrmHAzNVluYa2yz9nuOSjm0rJE=\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUO2pSuUHJ+4Mq0V9Xchk6Akuf0hswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDY4MTU4NDQ1OTA3NTU5Njk0Mzc4NjEzOTM1ODcyNzg0NzI0NTMxNjk4\nNDMwODA2NjEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJrM6DaEU8SYr1pFVNmEysGh\n1G0/1ZkLmLOk0+r6LNyrb7k/2Bq+tdtxlGwC2BPW17/BNAkQobNMwoRIrsASkKN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUnh3XDDAG5bmXQieXKPwd3JIx51MwHQYD\nVR0OBBYEFM//N35XbLiNFJserFbmEqzv8KUAMAoGCCqGSM49BAMCA0cAMEQCIALE\nV8hssIdzYnL0ifwDUV5GLA+jpHR9an1dxIpsB27ZAiAj8pugHJgBz6QMnS9wA+Bi\necCIDrb7JjsenJdMB6yhIw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICTDCCAfOgAwIBAgIUHIxyU7Oa6E89bXeM3zXERbTVGp8wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNjgxNTg0NDU5MDc1NTk2OTQzNzg2MTM5MzU4NzI3ODQ3MjQ1\nMzE2OTg0MzA4MDY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDMzOTIwMTU0MDcxNjc4MzYzNTM2ODEzNTM2Mjk4NzczMDEwOTA0NTM1\nNzQwMDYwMzEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE40UVWrpBcfESHMVhgM1Rydaz\n5bxD5QLrG9vv+EbZ7dTHAWZEwWoL1bGjOrcWwuT+VywCElq3NvPHVKMjRofpzqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUz/83fldsuI0Umx6sVuYSrO/wpQAwHQYD\nVR0OBBYEFGyDQl9aqz2OChVbvK9+itfi9LNDMAoGCCqGSM49BAMCA0cAMEQCIACc\n3BkEbn1cfSaPGUM70m0jvXxpsJ2LdBZSSmVid8TZAiBdAcbhHQSOV95bXee9igND\nc4rf5iyJ5QdpuIp4sSXQRg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICATCCAaagAwIBAgIUFKviETWHZiMkB9/rH5W+Cmk/2TwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxNTQ1MTI0ODc3NjkxMjU0MDM1OTk0\nNzUxODU2MDkxNzM5MjIwMDAwODY0MTkyNjQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKx0DjrwMSIoA1MV+KI/NjRkSsIeCzhJKXmSYfnjm9vIQNnVhxr+FnHGL32oQuhF\n7NPqD/ydZUj2OAdaGNdiEiqjezB5MBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFDp7rpeM\n/InAMEG/4CdAs+G5IyPQMB0GA1UdDgQWBBSft/+GpdzI4X2eB6WG73M1f8PUETAK\nBggqhkjOPQQDAgNJADBGAiEA77CtYDOnp8yWGHcD/ebi1+c0cwcy6rBaKHqJeQ3q\nLHUCIQCyLqwTkQeA0ipA7BfWEN2JLpXjM+4ay9Qz7MAg6IcZPw==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIURNCDi9snbNvflWLBGmwy9ziBUZowCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDE1NDUxMjQ4Nzc2OTEyNTQwMzU5OTQ3NTE4NTYwOTE3MzkyMjAwMDA4\nNjQxOTI2NDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWE7DgOr0N0fR8AcO7fLbYbwn\nRCre1VzQ3naOGMZKeHQg2JTzTeLkqwHCbmTw7k+tjva7Vx73B9YwJvaTX326RqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBATALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUn7f/hqXcyOF9ngelhu9zNX/D1BEwHQYD\nVR0OBBYEFP/DiZqNQjh5pXXydqF5rdBjA3xuMAoGCCqGSM49BAMCA0kAMEYCIQD7\nwJoNaGb59DyRwOwD4S4DCRwAphaK62DS8l59xY0bAgIhAOzrD000WTngfLkV4INs\n8jg4ho+Z5dJ4XyjWpfQCDWbP\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIICTjCCAfOgAwIBAgIUd08HRMWrrdIaslsidGzBuCyGBsIwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTU0NTEyNDg3NzY5MTI1NDAzNTk5NDc1MTg1NjA5MTczOTIy\nMDAwMDg2NDE5MjY0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTEwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMGcxOTA3\nBgNVBAsMMDM5Mjg2MTM4NjcxNzMyNzE1ODQzODgzMDMxNTE2OTk0NDM2NjIzNTA1\nOTgzNTI5MDEqMCgGA1UEAwwheDUwOS1saW1iby1pbnRlcm1lZGlhdGUtcGF0aGxl\nbi0wMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ZXab3JX/Odrq63GcAXxPnro\n6EnJy0pxm67TiEYBwo2RTyJotmXgpB0kAAU+VFS0ip/Wu/C2+Sd3V4JuqcwQFqN7\nMHkwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYIL\nZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAU/8OJmo1COHmldfJ2oXmt0GMDfG4wHQYD\nVR0OBBYEFA4UwjHxCpAznWEQG7ousgIOwTE5MAoGCCqGSM49BAMCA0kAMEYCIQCG\n/eQUldkgplGhnYKR0oGn9MLQXHrqrC3d2e55HDY6kQIhAKjoBhTDF1DUrTgTIMQd\n9GCdtU8ykOysBlSqD0H+RFxA\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUQh8ePtHdIDmymt9iAseRpBxHpJQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzM5MjAxNTQwNzE2NzgzNjM1MzY4MTM1MzYyOTg3NzMwMTA5\nMDQ1MzU3NDAwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATC\nLURT9L9LbR94Wf/ZtVEjpg9Xn1nA4vfn+/P4ukSaYdqD9bllI8rAd+O0kki38jVT\n979q3n46ymPamd2MvzLfo3IwcDAdBgNVHQ4EFgQU2JPlj1m0904051JOR6y3wBpS\nK70wHwYDVR0jBBgwFoAUbINCX1qrPY4KFVu8r36K1+L0s0MwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgZn4eP5KRSFR6rmSyMRnLqx2xPkmagvlyolnaX1z4v0oCIGmV1kOCpqsq\nJX/aZvtN7C7npN0zP14fR0XXAh9wTTD+\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUKQy3aYO38dm5obV4Rnc4Hrg+G3EwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkyODYxMzg2NzE3MzI3MTU4NDM4ODMwMzE1MTY5OTQ0MzY2\nMjM1MDU5ODM1MjkwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQs\n5je9ywlWVtPOvUTLP/G4DANwsZ3mmvmrOspOGDXhrVtYf8Xjvc46xob/OR2LtYNF\nGMivzlWcBtOg41Mw8yGzo3IwcDAdBgNVHQ4EFgQUHHQX3Q5Y15UKuJnCxTjrp+JZ\nNDIwHwYDVR0jBBgwFoAUDhTCMfEKkDOdYRAbui6yAg7BMTkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgf82rJL4rJMBSEk4rGykWquZhwq/SvLMPWN6EUJYmoM0CIETnvKVjBE/2\nSWAiQ3XBffUsGT7rMo/G6OI1R1A2paRc\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -197,10 +197,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThis chain is invalid solely because of the EE cert's construction:\nit has an empty issuer name, which isn't allowed under the RFC 5280 profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARigAwIBAgIUVXkwDwGXFktIvZ5IpK/7AppX7BYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsJlJKF8ZfhHe\ndhd0yn1EU2xHS01TzZTYOqnRw/iLr9HnqivMg/+ahrHvPMoIMW51UHngDDFQWfMp\n37iOmQNnS6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLvoEP+Ad7tw2B6ZtS/K9GWFkj5X\nMAoGCCqGSM49BAMCA0YAMEMCHyEMNqRaAFvpJY3GAqUlJGgSkQoRfDkCrwej8Yz8\nTFUCICQDJN/i+sgZzvCsHlQ4rfF7oDo4BVf5or7QcO3gq1Q/\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcTCCARigAwIBAgIURupFSypEutLP/4Fey25UuSoZhOYwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowFzEVMBMGA1UEAwwM\nZW1wdHktaXNzdWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECWGTw34b8GG6\no03HCarTFrxkRoMOjdsfcFfDWecaxRzoGqtwoH5wFku7mTNcnVq7P9Zc1ugrMxdC\nt25eLK0pA6NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0R\nBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCkoMeLcfoIt1jTuyZdcsRRUmisk\nMAoGCCqGSM49BAMCA0cAMEQCICQUq6iLH12vMX1S7/b+RK1KjCFi+DnmyhGbG3+k\nYyAEAiBiUAqTIRfK37TzeeaXFLiDbkpcZUIhcd4eebx9Y8fwZg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUL61FLsmDUUqZymQT0G/4fXNCfxswCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAExKk0ZOCPTEySe2OXQa2TEhQDWkEW2ghNOIm9coR1CCkc\np2EyrrhzaxRxkNOoFJqIHf/lUBJVJRTJyhha6FeBpaNyMHAwHQYDVR0OBBYEFJMF\nGfPjgk32fWoWBUpt9wBvzlPeMB8GA1UdIwQYMBaAFLvoEP+Ad7tw2B6ZtS/K9GWF\nkj5XMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIQDWQxKXPhYbAYNE1oU6xjCEnvY3tYdajLim\n8iLTUvXFEQIgVga8ctCVXu0osKRFH619CIaYiv6X8fzAa/qJXnU1IU0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUugAwIBAgIUamTDLkkn0cPJZCLbl/niJre6Jg0wCgYIKoZIzj0EAwIw\nFzEVMBMGA1UEAwwMZW1wdHktaXNzdWVyMCAXDTY5MTIzMTE5MDAwMFoYDzI5Njkw\nNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEzSd+IWdSN8/YFxaAnKtQQRRIQnB0sPxp3+cbp0C9BwNO\nST3gPoUbrmmZyBuhlvWisM0ZWetODF+k3RQQFi/3aaNyMHAwHQYDVR0OBBYEFEoF\nrUVgteYQBWMKe/TOAsDz2Yc3MB8GA1UdIwQYMBaAFCkoMeLcfoIt1jTuyZdcsRRU\nmiskMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIFA59IJflAbWgdhWY9+GbWf8CEquAABA1Ua2\nOiQNRmZZAiEAvfu0/uXy3EEzQmfeqBN18cGaqLrqES4XqMuVQeZA7Oc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -218,10 +218,10 @@ "description": "Produces an **invalid** chain due to an invalid CA cert.\n\nThe CA cert contains an empty Subject `SEQUENCE`, which is disallowed\nunder RFC 5280:\n\n> If the subject is a CA [...], then the subject field MUST be populated\n> with a non-empty distinguished name", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUH8a41o1e1PL9ucHGNjAnWfPdVcEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1BlmRL1B\n8mFhnWv+gdSJkKvywojnGkoFcuydKmJY9vLBrPL9neG7BF6ul/NLtBvTSOTjxEO3\nXre7mwJejXjdOqNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLtfol4cwaPiMbH13zGG9xrz\nT7IhMAoGCCqGSM49BAMCA0gAMEUCIGozEUbWOUFN43iqoM7u1Zkbz4nANbH77lmx\nBmpflGsmAiEAqHecav7adokKRNXLxumKzGiGFD7AFrrdPmmEFPbjREU=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBdTCCARugAwIBAgIUFNwpYyA+pv3cVb5ByzGJcGGDz0YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIiC5oXmu\nTvuIudJyAnK2rdGDVClfPmxvdAUIR9iLtL4UAXbHWRMCdDpL98ftQ/GDVCzmVPvX\nF497usxCUmeU9KNXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYD\nVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFFwR2TkA+nvWmx4/s8NsWAa1\nIJCeMAoGCCqGSM49BAMCA0gAMEUCIQCnOukxe6FzEGziyV89gyhH/9SvqDTtUsSG\n7iEVFyUGpQIgMW6f78TuFbv2cP33FZi7EryjlcVbUopuZCoCqD9LKXY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUQSY6ID9yBYRBZuPk5PFo50SOwVEwCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEpdaDdKcYgg\njhnOvyNXdwtJHicJN5tE98zyZxwGITETD2Vdi29KWwItkTDk6BHFp9w3hOGIyMhi\nKnlQsPyOonKjcjBwMB0GA1UdDgQWBBT+hvPB1S+vvf1me5L3MBdM+LqxvzAfBgNV\nHSMEGDAWgBS7X6JeHMGj4jGx9d8xhvca80+yITAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n+I9FTIpqgmNr8O7jAEu8LKJxbedIOql97uEl9cIFZNQCIQCf+FJiWW+bTZW86Upm\nNOIEmMTKODUTRSR1ExUGnQb8EA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUUW+N8TznPhGpFaWQ3BBTiTmokY8wCgYIKoZIzj0EAwIw\nADAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwN\neDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI9huiINvUUB\nZntni5W56fJs/ajw9+D4jQ5/YxaNmRiTccsuk/+VPGS85W8RcHP7UdH+yf4lrxxn\na1tSo5E5AJqjcjBwMB0GA1UdDgQWBBR8MyC8YbVIytvlT79c4ZUKdk0y9jAfBgNV\nHSMEGDAWgBRcEdk5APp71pseP7PDbFgGtSCQnjAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA\n3PwiOVbKWfEhihTvyy09JUO9fn/YdqGylKz/W/rNAFECIQDr1K+RlLupUCy/FARv\nDYwRIB6WMpbO7l0PbiLCJR8Akw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -239,10 +239,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this EE.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVTnIR9f1BG7gD//7SjItGKIKk1gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASwOAQ/mf/ncMPfGtNVrppLsCP1/OrSLoFjpmsf\nG1FDCP1HagYQg9zEbU83BWNSWROzdHvzgL+sF8CaWLsXZUx7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXvxoSKqjE4crPnYzTRPxSRVwj2cwCgYIKoZIzj0EAwIDSAAwRQIg\nWzGYPeT1Ro3Bp4iifLBzuNUQ2lV3zkr1kGUVbK7hcFgCIQDgLnomPk1Oy3Rr4lqH\n/0J3dZUrWi9eK/NVGziZS4sMwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUT2zYJ00Cm3JOnSYpVybz2u0JrG0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWKnGG+sgoA6PyyhT90Uibq3FcHnHhbzMAKEgm\n6jxQSmyKmrJI1iX2Vkd2UNCId/B2Y007shDTLS7Pe22XPQAQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUUuCbYL5aCM1/FgeE7dTWOZUgEGowCgYIKoZIzj0EAwIDSAAwRQIh\nAKZBAa7pOw93mb9YPXmA1OaDR4RnfZ955d1avVEo2cAoAiBfBWJTu8WmCysYWEjT\nu5FduXLRKk2lIBNUgl1V/2bXrg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvzCCAWSgAwIBAgIUUV+aI6B7qV5mqgiuL6Wp8ILa5WcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEg2+Kxl8ak5/NZqk0k+bGB613mHqUXVI1hU6nd+3n\nhCVWUihP/WLGsWh76GLVGZQmYiY8Hw9wrR5yXJE+mgUlB6OBhzCBhDAdBgNVHQ4E\nFgQU6L4hFOiIdzNWfg1sdj6I89Hr8DQwHwYDVR0jBBgwFoAUXvxoSKqjE4crPnYz\nTRPxSRVwj2cwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNJADBGAiEA\nkFvk9psvsr4zHviUlS80/Af5ciKE1cXa1xE8KtwwMXYCIQCyeqqgg0xYlBlts2WR\n8QPL1n1WhH3i05nwUW6Tu0wu3g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBvTCCAWSgAwIBAgIUcOCa7aX68Bj73/+7obB3n9MQzQMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPnb3AqK3kml/1U1Z/8wQvQlgMqFk6Gf1xiGEkc72\nIgU3TtJW0XyDZPqE6pFNxX1L9567R1KwzRy26awLRFZs/KOBhzCBhDAdBgNVHQ4E\nFgQU8bO8Kwdf8IyYNO2Ir9c0JtdacRAwHwYDVR0jBBgwFoAUUuCbYL5aCM1/FgeE\n7dTWOZUgEGowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wEgYLKwYBBAGDszqFGgEBAf8EADAKBggqhkjOPQQDAgNHADBEAiBn\nGNjXRc/P5d8YjQTuFTxZwPDXp7fvebBbNO0V4uLzOwIgbGfV3J/rxAMZJdxcySvY\nsFGOG3RzejWk7KFFdWWc8NI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -260,10 +260,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this root.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUCHmtFiqs/hmRoiX9nYhxhCNAh2cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQM/xxRuI4wWnEdNc48U53PZ+adTwowzb3Mw88g\nyFWoBNzcqriEuKTU8S06eLzHNUgGFesmCAYyA8CR/ngbeuY8o2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVxoX4SU/ZlY4zPBBLvGNopq3jOowEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNIADBFAiEA2ec2AgJnCF8Iq4cDYyEUMOlVD9eP6Sbxefdu\nOaTMaVkCIA8j5YsWbram2fnwBqCsAD542DMX0sw0ZUDYVTUX4msP\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIURx6+zlfX4qS3ivYdPkvAxB8gGvEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ08QYMaTe777Oi8MM5EBkhFC2eLKo8JbSx2SfC\nQSan8n9/1jERWlntBfv1peO9r5RfTejicV83kr9/2CixTBrwo2swaTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+i3HgZbPITucjUNiHl4yT2JU4/8wEgYLKwYBBAGDszqFGgEBAf8E\nADAKBggqhkjOPQQDAgNHADBEAiA8rKpxxtEjMRM5Yvd2V9QxrFbMK07VU6YMyt/L\nMqY9KwIgU09PqU0ScVwhNgqrPDBIct9Ep86YbM76Hml9jQl4SJg=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFiKeDERNgzwyYI+fqpeSzh7tMe0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEiBtNGt58P1D15RncOlNIRifoZSvdhVQCvOf49hp+\n9jOMlr2uqD0q7nnlaGXoeSqUdS87Mx1KdR/c71jSW619ZaNyMHAwHQYDVR0OBBYE\nFKrvZgOiGZciDjzdBVA7TGX0TrzqMB8GA1UdIwQYMBaAFFcaF+ElP2ZWOMzwQS7x\njaKat4zqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDqkgnu4mCeft+3U5mNv5IUYSTb6cyD\nh0gUtGn58vyIQQIhAKYv++qynsE6zOB4lQv9msQc6uMXxUpgdyM34/iG5FuJ\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCfG/EypnYzY24sJDzLW4ahyVsUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEs20YznzEWieWw1j74EPKWNM5B/M8l4nralauyOx8\n4XZ2/L3aUQla3GeRwqX2tgQYd37vcVE1Q4ivsCooU1EhO6NyMHAwHQYDVR0OBBYE\nFPSBK68aKjLeAEARzdmsDCVni+hOMB8GA1UdIwQYMBaAFPotx4GWzyE7nI1DYh5e\nMk9iVOP/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQD6gcyx8f+DqFQNimGIGkz9LgpaC5Tm\nDnWrL99H41DewgIgXf06HTR+WZg4fqAMxnE+dzKMTMUajzF7z7LsqDXZF2A=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -281,12 +281,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate (pathlen:0) -> EE\n```\n\nThe intermediate has an extension, 1.3.6.1.4.1.55738.666.1, that no implementation\nshould recognize. As this unrecognized extension is marked as critical, a\nchain should not be built with this intermediate.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUF+a3v9nco49ZU/R2mjKg2PPV2dowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQOHIJZ8So6fZZ8P9hNnDZR9YvOl0hxfi8D+cws\n1imhRTyI+DPptcC21oUih6keeBccleMrWKZeo28X17Eb9uHPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtXcUhQam2iO9K9n/bD72XFHIf98wCgYIKoZIzj0EAwIDRwAwRAIg\nQ/OL3K7EJuT+Hvl59wv2H2o59TlocuDQfKmbwNtE8lYCIFlUf7PhUnRMPoppLVkg\niNKjX5J6WhznvGow9vapkSSv\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUU6g/plnim2o39xHc4dyfFwVA2qkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASndtTAYmFVRvtoUAGVJNR2m5+yovGxBszqFTxN\nqoVsO6PcHw6uxbWsvzlt6Em+MrMtU7Y3bTgLraV3DzoaT5BAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUs0+tMChlhAmulBGIvC8lpJvSdNcwCgYIKoZIzj0EAwIDRwAwRAIg\ndag169ToehIImGW0GZlPc+LHsaVv+Np5VKQg83LHPpkCIDNCFx/v4KqRuTYVu3HY\nIe3q4/DHHO3Jb0mmCz9z3J9I\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIICFTCCAbygAwIBAgIUbnBgja8OT6VvJ0chUWRd9qNAiyYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAxMzY0NTE5NjU5NTY0NTYwNDQxODg1\nNDEwODA0OTMwODAzNDU1MDQwMDA2MjkyMTAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCAXFZmQmClAwdm3fNs/I5Yl9YNqRESGI3xiuSWM/0WZs5PA0Vt+nsoIXWXE0zCZ\nZSOgb4oLQ6IH6QGR8U+qvjqjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUtXcU\nhQam2iO9K9n/bD72XFHIf98wHQYDVR0OBBYEFMow73vHCv6RlU87NF6VLtRPLLpX\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDRwAwRAIgbP4n36cHSvae\nLCWU6xTkmyom1P/z/4CSztRQPiE79YwCIGKhU9rr4QcCQk6Pa5QMmTL7FzD6Pi8n\nPnHK4Tb0EAeV\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIICFzCCAbygAwIBAgIUNzxsbv/lF+9v7lG3wGXzgBdJaUAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0Nzc1OTgzMDM4NTIwOTYzMzc4NzQz\nMzMxNTU1Nzg3MjA3NzU3Nzg5OTMyMzI1NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHhZJ5uCteEkat6mDNYI3FWSn6LW/MhZMToPEOHogGb4CyC+edw2sbyLmipBQd+h\nUV8sa4T9TKn3GXgOhHi3iZmjgZAwgY0wEgYDVR0TAQH/BAgwBgEB/wIBADALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUs0+t\nMChlhAmulBGIvC8lpJvSdNcwHQYDVR0OBBYEFGTHmf00c5odjzKtmlm3EikkQ+C+\nMBIGCysGAQQBg7M6hRoBAQH/BAAwCgYIKoZIzj0EAwIDSQAwRgIhAM697vGb7LLo\nL7wXW+OW0MvbpkwSL9eNDIz/knatt9QMAiEAhdsZDjjJLS9ZjkQlHAI//+jWXWuJ\nmsl+7/CQ33CNvtQ=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUBBkEaTUzU/pcy6LWjDUBEjaCxpQwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMTM2NDUxOTY1OTU2NDU2MDQ0MTg4NTQxMDgwNDkzMDgwMzQ1\nNTA0MDAwNjI5MjEwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARF\nkRhk2uoMfh41mVRxmQggVen0FEhxDW6pNNx6Ej1SnVw+WjYMO1pIWI13odzDwZ2N\n4Jm5+alaPy/txsXISnUAo3IwcDAdBgNVHQ4EFgQUBBmDRqQ+gakcxfc9XFvD+aeW\n7G8wHwYDVR0jBBgwFoAUyjDve8cK/pGVTzs0XpUu1E8sulcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIhAIxcDYaswBelyIr71Y+u94nVI1g+teMin0JXi9LlQxedAiByVx6qJDt5\n3wb7gb7xCf//zu+CbcHTylOdFUuMAwN6+g==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUNMMTPLzhXksY2eTG6ZzIv6NwVuUwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDc3NTk4MzAzODUyMDk2MzM3ODc0MzMzMTU1NTc4NzIwNzc1\nNzc4OTkzMjMyNTUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASN\n7HqyETNFOE8/hkOSq0RFOdQcnyISCAc0B2qBKaYbiRQkJ624069XJCcFGKOjVZhg\n2XLefaNWSOVqxqvOCOr+o3IwcDAdBgNVHQ4EFgQUAliZGMBsSpSwn0GSx/YUZePU\nsfMwHwYDVR0jBBgwFoAUZMeZ/TRzmh2PMq2aWbcSKSRD4L4wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgECQ0CGZq1wXAW1OS0UtIusBSj3+sP4LD2gE9qfI7vPICIDdOeTwrJpCE\nq+QlQHCXC/6D8ngxHOrWdHXpxwh/F9VS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -304,10 +304,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an AKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUVMDwvgh0/rKbgLAvUQAXu5HLE60wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARNJDcmLWzOLZMgAl4aIl97a1bmu3UbIqg+rABb\nDCmV3J28FYfjBZFxDllAGkCyvWYEbELY2Yftb3gTTX712p7co3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBQ7CHEIWDyj3Zh59gHyc7au68+ipzAdBgNVHQ4EFgQUOwhx\nCFg8o92YefYB8nO2ruvPoqcwCgYIKoZIzj0EAwIDSAAwRQIgOotsuMNabpjn8va5\neY1kmEol/Jw9nfsiMHmnDPBHLhwCIQCeBww0do8oSJELOQWUtMn7YcAbi6W9CTHL\nGhc8m6M9ng==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUJRw2rehFeK6ivJ3ApFTwOQ7ysjEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQa0VYF2PcBy8wo0Fi8Rwnl9R6eKMVPNNcQcqC/\n2I/OKt+ziozSDby85DQXXNUygT074PwdvQL0p/KVvgOFsnt5o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAi\nBgNVHSMBAf8EGDAWgBRyaLINtaQnckDTcLsTfOy/NeaW3DAdBgNVHQ4EFgQUcmiy\nDbWkJ3JA03C7E3zsvzXmltwwCgYIKoZIzj0EAwIDSAAwRQIgQ4suVbVZuefAHD71\n7dLFp6PupDGGiiLfhsfezw9wfpMCIQCXTlqUhABVZsXdsvvniubnuuoUFFix2kgd\n1dg+rhlCHA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ2iUgbQbPnHV9S32ffb/UFacqlcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEq2hap23RAbjOpJ0XhVRCaT5bbSW9rpbhqO93OgvX\nn8+vQadtBmVg9LhmrT0UfArn9+IT0bUK3uns2NJhmisJUaNyMHAwHQYDVR0OBBYE\nFJ5p82rfkqnAobc2KgMV5rzD+1jSMB8GA1UdIwQYMBaAFDsIcQhYPKPdmHn2AfJz\ntq7rz6KnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIEPuhDLFuAYfjGE6w0zGJkJYy/sDDBAv\n94t+UOoF/BKIAiEAo1EXh//sRHXU90TsoYP/kXVAplivFu198z54QhVrREo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPEcwisCYs1iq5YkGthNydtqlNk8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAED271lBacsAv4WCy1CZuxHx6XSkR+yzL3xh2AzZxk\nUkZhl7cxAzz+XeExJw8vC3rXiOSi7e7vMo5au0tKJK5YR6NyMHAwHQYDVR0OBBYE\nFH5Ct0Zb43mu1jpFjbdMc04nan4nMB8GA1UdIwQYMBaAFHJosg21pCdyQNNwuxN8\n7L815pbcMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5w/aYAfXM4NQe5gZlgjUSzjqQFkX2\nl9MHBNah3etKKQIhANXyJZsu+cF1LCyOtGQ7XeI0qZnO3YsLOCyISdQLdFAW\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -325,10 +325,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the AKI extension, which is ordinarily forbidden\nunder the [RFC 5280 profile] **unless** the certificate is self-signed,\nwhich this root is:\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction. There is one exception;\n> where a CA distributes its public key in the form of a \"self-signed\"\n> certificate, the authority key identifier MAY be omitted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUfv4u8UPFM1OQXfhdZcsgyuylo7QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASz/+/ZmOQwjT9WIC6sXdOM2Wr/TwD5mUjjJ7EM\nDqcBt79r3qoN8nizPQgYkoykT9woHygoCPPsPpSWirOSelGxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXTfqQVZmy9QgEf++jJGyLunclAowCgYIKoZIzj0EAwIDSAAwRQIg\nMPM/mkyZY6KLRMVrobavgX+hOLnf6R0HzbOQKEyktLYCIQDFnySjlW7VSyQSesAW\nRDu1FvYEmJ83ImsgVyQhyFSD7g==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUBqtdUtR17g2rDtTKr8CXlno7++kwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQE6oo1qQjtjXYcW5uz9mfYZyFlcP4Q5xLk2osd\nFKmT1YSXaz7MCf/DG9t3b4ZV1BhOr/ez+2ip9JbihnoRMWWio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhbcztLzDsqoXNRBwjiq/CkTr+/QwCgYIKoZIzj0EAwIDRwAwRAIg\nXTDG96pjTlDuAoC6Z87TNzXD2rmTjChKWB1NaZVENF8CIChdOE2CIaLy2LPfTyic\nypApM6WkmrFzUq54GlxYoGFJ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCtf6+UZdMljw491JGxpB0Lhwht0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGtAXrMdh7Cq3VACnRzZjZwvS7kkZMFExl1/9/Rpe\nECeEd5WkChWTOYGKglLN5eU06BpG2u1v+ZWA/dbhB8uIlKNyMHAwHQYDVR0OBBYE\nFBZWDJ8Xi9Pwt9j2/EMwsqXgEfoZMB8GA1UdIwQYMBaAFF036kFWZsvUIBH/voyR\nsi7p3JQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCdxI4B/hmwYF5dgMhmA+xcWb4v2xoX\nm8uiCc8ItTHkxwIhAOoFWdlAO+DnQzjPfdlkm3MHSSi5EWZ0GpHszbOkoqRX\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfuI5uF0ZHcjeP4yDYvp9KPkHT/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3ctcxDb7RxO1rXumNfOohjvd+BHqjo4fDAXlGSon\njwe7yl7kI7kW6Yuh0WAMQP+wrmXbL0nkA1eKKn7ZZfNu8aNyMHAwHQYDVR0OBBYE\nFMDxQjLxxoITgPYDK582mPKxDBU3MB8GA1UdIwQYMBaAFIW3M7S8w7KqFzUQcI4q\nvwpE6/v0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDK8vyQGNCPbmrmkaspa67Euo2JtL/P\nzgLX5gXM7sVLOQIhAIgKhI5xkWjVoe8nroxZjL+9uAa4MuASNcgVnErLmunS\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -346,10 +346,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root is cross signed by another root but missing the AKI extension,\nwhich is ambiguous but potentially disallowed under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUedMDqoabQ9/iPt+23R31wceHw5owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTU2OTE1OTE0Mzc0MTI3MDMyMjUy\nMDUzMjU4NzU3MzQwMDcyODIwMDY3OTYzNTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBHIKemQ681HQg0UNyrQoI3EetnoEOAGVV8/QjE+DcP+YI56xiNxSg8x0Tm27ciVN\nvZPRXADzw6nYW8VA/xCvohejWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBSiKYWZsMJa\nG+wMlmYU2kJtA6XpFDAKBggqhkjOPQQDAgNJADBGAiEAkVz12Ize5yLqX2bDOIc8\n/ClaSS5hmlHvurzpqJukPywCIQD3m9sfHcz4TtkQRW//B+dThMbgj+81Fbj6CEu0\nCUUGwQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB3zCCAYWgAwIBAgIUJ6mtSWU/Xmpc415UBpj0PzQUBugwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzOTM0NzM4NDg2NzMyMjg4MTUzMTgz\nOTg3OTUwMDcxMjg2MTQ4OTQ1MzYzNTA2NzAxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBPHJrttZx8tZv9NVNeyWwYaCJ3/kqCuTlNFWlYANGGPoRAhTz09/VrJeQ5J4T8vh\nCZ5C5weaBvkdXgz/b99uI2qjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRQo9aN7eX9\nrBjfarvboqqr+jfSWTAKBggqhkjOPQQDAgNIADBFAiBh1ubBj5uWn85XpyvsTEJj\n2BrMU8xFDGcpqmLHUIe9IAIhAMkU0FTrDLHHq6Nb9dIF9w/xq87qyWhWteujxFJF\n3uKm\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9TCCAZugAwIBAgIUZ324pVePpxsSZuYIxRX5bpqUDDEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDk1NjkxNTkxNDM3NDEyNzAzMjI1MjA1MzI1ODc1NzM0MDA3\nMjgyMDA2Nzk2MzU0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASl\nd7sAoo+kyzbXp75FX5qrUF4Zi7SBMHhksj8GQqLplC9GSIQFMf7slsS/30x/do7r\n/ZgeJcX9YUbeSmYIpg5/o3IwcDAdBgNVHQ4EFgQUI6y3kAj4glfho9LnIkouE2cH\nq4IwHwYDVR0jBBgwFoAUoimFmbDCWhvsDJZmFNpCbQOl6RQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSAAwRQIgJjnlKdpCjMtyZytblBsjksxcJ3raQpRm1+mtw8ou/soCIQCMQvPxt6E+\nfHf0ZhgCyZWkez20foBkSTk8oV8sP0DnbA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUQ2D/UYEOPa3f4PVkUzBOt2UdcSMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzkzNDczODQ4NjczMjI4ODE1MzE4Mzk4Nzk1MDA3MTI4NjE0\nODk0NTM2MzUwNjcwMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa\npyzQI5HqCZFzJ7n4ErQpTHMPV+qKLevxIUpHZfG8G65EAVoCHdQi1aMMuuoWl61B\n1Ptj91CoManReQJu7V8Qo3IwcDAdBgNVHQ4EFgQU0fTBDbDliOFmVkoNZicX24Ao\nxFowHwYDVR0jBBgwFoAUUKPWje3l/awY32q726Kqq/o30lkwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAKziplKyByPJbza3bvwpW4PYSb8L0+/PGaBxCFVUayfJAiEAteoFdHWX\nf6NHWcX4K5pl6Hgwmzo2KBFwdYufuBccMA4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -367,12 +367,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate is signed by the root but missing the AKI extension, which\nis forbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUPqUTIHZVZTUf+3P3IWYVMqEgnXEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARFRAf+jwPrVlAM1+cYR/3WIIIrSVshNT449tYd\nJJR8aftl/FWbpUfzNbqW71dPlC0oxgO1JCTlCVsIGeclDHmio1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUW7MweaJTzBOsoPaDfv8WkL/Kw5QwCgYIKoZIzj0EAwIDSAAwRQIg\nHFLMF89PA6JIvu+z6RUQaAzx7QHgag33UCkh7p0vmFcCIQCMQHGatcVB6lr86rjx\nxr90D1UtDMXDKI5wkSJvT+1PqQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWcbeAruAMvPWQXILEnpT8EUPphswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT2bpcFOWQ4858ytfN4lsVh547yAhEOC34o5se1\nIYpK/WP0hsaPLiGAmSCkiBUTs2AqmzS9g/TkYj6kxJ/uryvAo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkQmvOezF4W72rt+eEhjWRiv9M64wCgYIKoZIzj0EAwIDSAAwRQIg\nPKk1cDdLFhoftR8hOB8eJ+o80cvpZT/ACppU7vuTVGUCIQC7xFoozoRMeZrqa3HW\nngH7oqsECQrkDGfOAjt5HJqD5w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUN7UrbAufoojA0XpjA9Sh9D0g7TIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDAzNTc2Mzg3MTY5Mjg1OTYzNDk3MDM0\nODE1NjkzNjI0MTk3MTU0NjY2OTUwNTY3NTMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBCJmzRcHeD4GpQ7qRMVTfpomLrj6rrwVN5Y+ng7IvXvt9VijdF98Ei9ebhovZbXW\ncZr9WW7uXKvJDKuibenKbTajWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBRYspp1UF1t\nfANSy9FiN7M9A4/gezAKBggqhkjOPQQDAgNJADBGAiEAnrDtn9v3Z33y0r2oh83H\nfVdojLi15tgUjTjpacXifh0CIQCOTOZziTWottwHUtLeql92lKM/xF+T8k9U6P3E\nJ8JX3A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB4DCCAYWgAwIBAgIUUmPnjhpmWb3bXgWE5UePx2gfSd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTI1MzUwNjYwMDk5MDM2NDgzMDQz\nMTA2NjUzMjc3Mjk5NzQxMjYzNTY0NDA2MDMxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBKRwKbKCJkc12YP+2gI9PV4oNbGDlh/LHo4YE5/5KZMxTIEDE3yP4ULtEeYS255Q\nso7BDyxDt5P3B4OK1UAtx3WjWjBYMBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBQosMvz9EYO\nId9GmpgIdVVQbFYY3zAKBggqhkjOPQQDAgNJADBGAiEAvE8nAp7rRvWkq8X1SZYZ\nYfVOmLnPx0VUbsM8akg/RfMCIQD4EFwjveFilLSqv9+S8c+Z+btap5j40w3V5kXn\nOPXYPg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUCrpMMjo/Ym8U0Ga8vl0PcCo70powCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwMzU3NjM4NzE2OTI4NTk2MzQ5NzAzNDgxNTY5MzYyNDE5NzE1\nNDY2Njk1MDU2NzUzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARM\nogD5EH1f6hYshQHGMxqVywBY0LGpeIiRzdgHaohok2b/6zStRXoXyYR5lERmkA6e\nx5AigPFkQzDtsZgQx0nOo3IwcDAdBgNVHQ4EFgQUlr+N1oDq629G8IdpmlNKdQn6\n+cMwHwYDVR0jBBgwFoAUWLKadVBdbXwDUsvRYjezPQOP4HswCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAIbut9tPrmraE/9KqGsdn892HA6xVsCFEvfcfx2ybymLAiEAkzHqWrtp\nNfhKHOUTotxmeiZ/rTRi+sD1PStTGvdQdVI=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUOrl1pRrDWvkj4+plqYq7/74flZ4wCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTEyNTM1MDY2MDA5OTAzNjQ4MzA0MzEwNjY1MzI3NzI5OTc0\nMTI2MzU2NDQwNjAzMSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ2\nLopnaBSjMVgiMH8wPJSbShCin+/CwuA9nAxbJ3tCIpzrb+eHSQFOMKWEloyJsLxQ\n6fsh5Dmm0RhoQFN6UsNCo3IwcDAdBgNVHQ4EFgQUqXVE+MrDXCny4fDjVdYvYzNf\n3WAwHwYDVR0jBBgwFoAUKLDL8/RGDiHfRpqYCHVVUGxWGN8wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhANDpvERJ9ckmPgz9C8REB/lgrPmp5/psSxvvFlXxi9KwAiEAmSw0f7fq\nnEnDPJbEzYE2tTaDz6Mfo4RodnEYl2aOE7s=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -390,10 +390,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed by the root but missing the AKI extension, which is\nforbidden under the [RFC 5280 profile].\n\n> The keyIdentifier field of the authorityKeyIdentifier extension MUST\n> be included in all certificates generated by conforming CAs to\n> facilitate certification path construction.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUGYcqC1A3dW/SqfJ2uOaJKlN5Ra4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATMDzXt7hjWrN6JG5xRzEch3tJo8G85ky+qLGxn\n5xVVRZtPc/0aPEsZLVUNu7PNJClzk9p4agaWxyxTHHCH1hbqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUz5zuiT8JxUkFhKHd9AJs0HmCBoMwCgYIKoZIzj0EAwIDSAAwRQIh\nALQPOYwwdNxasRacioh2pRdV1zWtC0kh2t1ihm4WZpFPAiBnXYgnBHxV4g468D5X\nxf/foCJmpG5GEBSIUthkaeIr6Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUZpL36h+iZZQ192T090tF5nXZHpcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASl1xXYfFpg9ZhuIOxlNM33Ek5xDf0J8xOKPXbU\npusdh5apd3fyyl8YN2uwMBm8Q7UyIaNOaWt7ZKOg0FFmGnPXo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrAjVoz5TI0w85FWiN62v1H8iJGswCgYIKoZIzj0EAwIDSQAwRgIh\nALTMmzGqWqP/lDG/LSugnXxF+M3YKYJfbTxF6DDSdYgjAiEAs9enU1fZFx3xy/bV\npX2Yb3zgfzfZzh1yXSBZAOaGoGE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUSRjGg6zgfRyGXaZ3oe8D9WrJPP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE7fkRDkC1oGr7hIjN73iw9LNRb3Lj6jie4wvo90wp\n/VAwtjRWUImSzY+AofraU2Ks2hV0nNjh8IZtYBnbmupdcqNRME8wHQYDVR0OBBYE\nFDstfE17TpUcYQo4Cytr1TR4e3rnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCVj+u4rbH3\nc8f7V3Vn4KsrOyoe0asJ2ECQSY5B/a0/XgIgbjFnWEriw7fAbYyFO5rYmnYBbiH+\nyMhz9XaGyowTB7Q=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBhzCCAS2gAwIBAgIUazc4Q9kwsvsu9pWiX4kPXTxCjpgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAErDrfNCsoMCdz1hRoVxcug0cnwPebkAFw6XK3Ydcw\nqjYEmmC4M90HhavUssinqO/qi8JqdOsUtbOpimu3YmDk0aNRME8wHQYDVR0OBBYE\nFLD6NYX++wtGY72mVPW/GhY0CF4wMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYG\nA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCwkMhFJKSr\nj3PXIdiIUwqR8TWiTPKAa77clBOK+r9T4gIgDic0P9aOcTlMhp4kA1SvAPImxCHy\nlNuPGCc4WW8Lzo8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -411,10 +411,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert has an SKI extension marked as critical, which is disallowed\nunder the [RFC 5280 profile].\n\n> Conforming CAs MUST mark this extension as non-critical.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIUZvFDgi/0P9YtXNUCc9ovLoQ6qnswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATVhem8KkkNw3b44MxBjDDVlLQpQugAMUUyaloE\nnr0pdqNQxfsA9ngIgv7EjZ+5a59jtzZtKcYRFctdpPSbAEwvo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQUSojPWer5d0w2S1Q0MgaiZSFqcv0wCgYIKoZIzj0EAwIDSAAw\nRQIgSHBVoJkNvBg1gJzbpc0coGjM0YYKvCxOFFtE/wmo7iQCIQC9MbtN4xVzpWF0\nWhjUHpDRvNwydGGNkZhR+XUmWn17lw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATigAwIBAgIUMENidDOgid0ZY1/Oyq3C1Hl6NdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdDJCCzsdQTdT27aG1fJOBZxJlkf1TnjFDTT/Y\nqSbGgamabRTQfp7H4k8K11YvNKhUk9iZky8p1rVFAc/PsjSIo1owWDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAg\nBgNVHQ4BAf8EFgQU8x8zCXRFR+vEFcQBY+AGCMRBAmwwCgYIKoZIzj0EAwIDSQAw\nRgIhANvNFok9H1IStb1wO5OSpryQ0HbaMvJdI+VOLC1fx1+xAiEAo7ZWe+a5RfL+\n2FVswO8bmZfd3eLG64bpPXFbsUn19DQ=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUB5OpCrSwP58DGbCIK/MXmt0jkskwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEzzVg8PM0Yw+7nk+liOPEtezI/O4pYThc+bMttcLF\n/ZDqkmN8/EPBt5mUhNxKiQd6yOGgrWB1tEQbQNECqPFqoaNyMHAwHQYDVR0OBBYE\nFKO/ArfEIPqyOWFHWLwireqvOrizMB8GA1UdIwQYMBaAFPmolT8XD+UtcQs+/k99\nvPjrpPG4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDneus7VcK7WeJOeZiI/WmFQH3YYZx8\ndhgSWbjED9QM9AIhAMIUVSKo9gLZxG/twuSExIotN1EbYWASsZLlN57Gdo0m\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUUuPnKSOLakA8J9I0NQTixohEDlMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZgqmIOgMPuCbBnSYNegYOkrQRzfEnQgL5Iz+puiZ\nU+SlmZjiipFxh1bCb/bP8q7AmIXvhCQ5SMJ/0ZZYLYAVWKNyMHAwHQYDVR0OBBYE\nFM2zlGmU+Xoi1nfucdAo2EhwwFgFMB8GA1UdIwQYMBaAFJQY+zqVc7ue3B3JZVGX\nKa70GjE0MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIFOZYHZoZFOlEjOaHLSK5+G66itLjzaR\nCQACp2SiBvuEAiEAyOsaNVnCV6PxF2e9gwXj2skS/jzSEJdppTaymhGLwWM=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -432,10 +432,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is missing the SKI extension, which is disallowed under the\n[RFC 5280 profile].\n\n> To facilitate certification path construction, this extension MUST\n> appear in all conforming CA certificates, that is, all certificates\n> including the basic constraints extension (Section 4.2.1.9) where the\n> value of cA is TRUE.\n\nNote: for roots, the SKI should be the same value as the AKI, therefore,\nthis extension isn't strictly necessary, although required by the RFC.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUHuhlZaEwQTn05YQTEXo8TGFNy6cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhTSrPvCrX2vxMrQw3IFMi8MvWwVMcsTHfdoGH\nng65AOD4OCY31noKJh8CtvvDiQllSnD2dj5dJ9RSfr7w/NTzozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiEA9cvkKxpU97YiUM2kR31fjsN8K0udev5FEyPtI0C/\niHkCIGjfL1Bt8oBTv4yGdc6Q94vRw9+tlD5CUAoCluB4z7Pj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBcDCCARagAwIBAgIUDIoyY2z5dsxtFVITgrIvFCBhXd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0mbSOipu8s/c3VTF29YmYaD+KxgI9tCuwUgAa\nXioBlIfzVO9e909m02EF4ldqhY3D+OvQB9ArQaEms5iuKVi5ozgwNjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAK\nBggqhkjOPQQDAgNIADBFAiB2Z3bwx2aAE+QdpgsGi5ugdWqFytEKseBIBXu/XYPW\nmQIhAPH9UKMBh6FtdRJp+7KQHvAjXcCxc2DfovaOhCznO5mM\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUKj8uIzvoDzgrWz2Jf01tqpCDSEAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEP5Y0jN6/oUY5b1un0zA5CIhqrgsulPECguyk4T6Y\nWB1wWCLyAWOTKPfZ46BrwIY0Vq+mmvjh8Ck7TPssdD8EKKNyMHAwHQYDVR0OBBYE\nFD14DMsF4I0Gdd7WiIEw8E/CqOW8MB8GA1UdIwQYMBaAFBCOyI0943zrJyrm/2Zg\nm5itkPLZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIC0QH2k3suXan5AlysnQ2e1TAOjoFAQY\nhxgkW/9PbNZQAiA7MBtgWNO6hFBnFkIimaSBuE6ytbq36BVW0TkblPI+qw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUNNxBftBu2tdBHqB29is+dd+2rS8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEn6wH073k3EjqFpA3AJm0D/nb+4V6Mm/q5YI9dSQO\nxMs+zOwilJECjeJwtlh5Q/WQix6heT/l/iXPKcVrByYzBqNyMHAwHQYDVR0OBBYE\nFJr3iMRKpdwu31622wjBi2IlkWrKMB8GA1UdIwQYMBaAFK1FH5j41KrhMAzfWCDQ\nOTGghR9KMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEHY+2yT9LLBnOn7AHDpUD7gsXjMLTlw\nC/5fE3rvpurnAiBH2pbcMgwCm8YbxWVU4kOR+ElzxiNRPgteZzT3aZVMvQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -453,13 +453,13 @@ "description": "Produces the following chain:\n\n```\nroot 2 -> intermediate (expired) -> root -> EE\n```\n\nBoth roots are trusted. A chain should be built successfully, disregarding\nthe expired intermediate certificate and the second root. This scenario is\nknown as the \"chain of pain\"; for further reference, see\nhttps://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUDikRryepoIIUGHwsdTdN60ACWkcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUA5IV+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIh\nAIhcwlGvDf9wjWnq1aOd66eogYahx0t/gWutefjxmPcbAiAlHfBLYSEChP4wtIqK\nr1j55KMzs+FK2jRHzuk2tHffPw==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUCpafwHFy2Evy6eGIxycQXdcIJbwwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcTduyp136HeUUlm42Vdkl2LdMd5AbM0j\nkq0usxNIlZrr0X/68qa7DjK1iMR+3r/K8nojJCnyLRCvLbHuMr80o6NXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFD2hZ21y8NMbE6McezdyjEvNphfqMAoGCCqGSM49BAMCA0gA\nMEUCIFSSlss+PB/xtkVKb+IZJfhKBA+xtGoI/3w1ncxUzuFQAiEAsl8bRXjpu71P\no2QUYNeHiy807Gu6zFN0SRYkTUI4gXw=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUAtvrBlUHB2BGZh4KNWjFniBXhzMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIkypTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIg\nI+o2FMcMD3ovZf+8tmO32J180p6gGs/oWytcQPQzkHMCIHMKITjNGGABvNxF1v+l\n9GEiC0qFFQoUAa0ZXkjUd+v2\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIBkzCCATmgAwIBAgIUOMZOjI/NHk0nVJgtd1INEckM5eMwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwIBcNNjkxMjMxMTkwMDAwWhgP\nMjk2OTA1MDIxOTAwMDBaMBwxGjAYBgNVBAMMEXg1MDktbGltYm8tcm9vdC0yMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvED81zPBmJEZgSwLE5D5lcSqP8dBiVZm\nr1lV+mmOYO/KuFAYgGxnEjXcflhZudjF0iUPhd67RdBeHweo3EUsIKNXMFUwDwYD\nVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKRuQfiyEd3OMAh8OWZ76EeNenHkMAoGCCqGSM49BAMCA0gA\nMEUCIB3U8QpFsdeIJcQ0t2FaH3HupB5ImVlBBhQg7lobBcLcAiEAn0OA8nVjyLuo\nknoVUV0YnQSZcFGe+pdI/5+zbobBg70=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURu9sOOmXDs2fpjPSJx9d3uRLt3gwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATRSyNeBA9niq8dIC9KYP/CDIdjNem/acc0flVW\nCkN8MHF7lZ8JKheLxfd8qjedMzAoGujjQQIDBJ0kPLu+8urQo3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBQ9oWdtcvDTGxOjHHs3coxLzaYX6jAdBgNVHQ4EFgQUA5IV\n+lcoZOYfXv+s+5aq0jYCOq4wCgYIKoZIzj0EAwIDSAAwRQIhAOCgnlbKqxFD5D2o\nE2srYa+195RQ63RuqsWi03/OGw9nAiA60XHN2K1/BM3Q2dvPCwRSdcL+kvsRm/hv\ns9FxEs43rA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUSPAor58MGFAmN/7xWs/9L6EsN/QwCgYIKoZIzj0EAwIw\nHDEaMBgGA1UEAwwReDUwOS1saW1iby1yb290LTIwHhcNNjkxMjMxMTkwMDAwWhcN\nODgxMTI1MDAwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATR7t5hd1SQhWqSudgjbzZ24zlhsCF2pkqXcAO6\nKUr+EEtDRb0PWeOdB2djfe98hVrrU+u9g4DdnHskfWRR7Hp0o3sweTASBgNVHRMB\nAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNv\nbTAfBgNVHSMEGDAWgBSkbkH4shHdzjAIfDlme+hHjXpx5DAdBgNVHQ4EFgQUIkyp\nTOoo1rVE8fBuVTaAf2MnVp8wCgYIKoZIzj0EAwIDRwAwRAIgFdGpIQ3LcInZFIwC\nL0dUiKDELcjfAFU9IovtDncn82sCIBWZXW3CrfOGA8GwI/GXEnR1VRZ/DSTHjjud\nrkKSELBO\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUJKF9jH4wmxjGDrMZT9i4v/jo/ZowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE5queJojuzFMd8rpoPBI9kGg38EoF0KsDuLBkYBfK\nrDfNJMgEkSLqDM7rFjLh0KVHiOMKhOJl4DXHGfm+3wvdCqNyMHAwHQYDVR0OBBYE\nFOdCWOrPbdQE64mMG4lBCerZ9InZMB8GA1UdIwQYMBaAFAOSFfpXKGTmH17/rPuW\nqtI2AjquMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDdcyAbguX+nwKX0nLdI9oFKhuYE2ZN\ngscWPnS6c5L+WQIhAOifVbtwb5aEpjGOUyalzWvycBOT38Pbxgq/PwNfy/Z0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUIR2Vp4hkAgWtIq/7+M45nsg5EZkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3xpvjMvo5J0uaPgCA13rtetlr4SuXJc2TlLlwxJy\nIQwxh/vFFLDHcCZvMoO7L8EyajOdH4jIZ28URxYkIeQ/J6NyMHAwHQYDVR0OBBYE\nFJgYJU8Gk7Vy0h57+RL6MCgyUWyFMB8GA1UdIwQYMBaAFCJMqUzqKNa1RPHwblU2\ngH9jJ1afMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCYHjrx7597ppaV8bjSYuN16CXcPr12\nktMaVRkWxUaaWQIhAK880bEFVBzP3ww2pbl/DsIK0llaB2pPzhw+9vs5/3fF\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -477,13 +477,13 @@ "description": "Produces the following chain:\n\n```\nroot (untrusted) -> intermediate -> EE\n```\n\nThe root is not in the trusted set, thus no chain should be built.\nVerification can't be achieved without trusted certificates so we add an\nunrelated root CA to create a more realistic scenario.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUeXHnp0he3l/Sg29rz9wwu3Rzu6MwCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNbVQTxHzL5F\nA3PGkdBcrS6zBx9yA4/pIklOpqmGsEXIVFsRakJdZ+DunWuS2EAl603w62nYp06A\nh+3hySQiYCajVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBStuhyayBVfmY0h1SbXbmwYyv2z\nPjAKBggqhkjOPQQDAgNHADBEAiBYT9EVW1AMgIDAMLlusJSBras/8OvVT+Eeg5Sh\nhSi4SwIgT4PQfMFX6FyX0ydbsLRX6rsgHdu40R7lA6sF011jqk0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUOUmqM8ZLIsg8+TuAE4WcMnEqw/8wCgYIKoZIzj0EAwIw\nJDEiMCAGA1UEAwwZeDUwOS1saW1iby11bnJlbGF0ZWQtcm9vdDAgFw02OTEyMzEx\nOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowJDEiMCAGA1UEAwwZeDUwOS1saW1iby11\nbnJlbGF0ZWQtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKcf1V2JXGDj\nxWuk0WH1VENeTceElDSV69xtJKYWJTPV9mQMMjtkEZj2a+dlm2xvft840zheYcoB\nu9IYsCoLMAujVzBVMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1Ud\nEQQPMA2CC2V4YW1wbGUuY29tMB0GA1UdDgQWBBTwyzIWWVL44GHpT5FGgiVlcwip\n8DAKBggqhkjOPQQDAgNIADBFAiAtgm5AnKCFjpCPU+4stmCs8MrF1DsLToPaJAjR\nKd536wIhAKkaMVHrZpx5MN1tjBstV/7/45iN5R0AJs1EFJtsmBOp\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWZwEKpymEyB8fZE7tUZOCeKspkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASH33HsNhKtdVsNLevQeTNBxwXo4fpHwFPIRZzY\n7f9vPbhTmiCltb5FjDI73r6+rLMWBt+7RSfOz65NG5qXBINQo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUvoOMxZaC3++l7Ycz/UNq/IJEb6UwCgYIKoZIzj0EAwIDSAAwRQIh\nAOB5v2ELtrAbdJkMX1a2AfW38Gyvdcb7xL+EudheGhhcAiBtfIyJotLdHixgiaf+\nOmeYHvkue96yYdAkqwj4ww0rSA==\n-----END CERTIFICATE-----\n", - "-----BEGIN CERTIFICATE-----\nMIICADCCAaagAwIBAgIUacJxT9C9BcoY/A4wa0ikPQr3ziwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA1MTE1Nzk0NTc4MDM1MTc1MDkxNDc4\nMDY2OTkzMTkyNzA1MDQxODczOTkyODQyOTQxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBJx6luav6DRFNO3jbziabyZWZh9V7X21b4bp8uISbHQvJHPpZcVWdnUO3oQbBV04\nzip6laxSarAjn9VoriDWqKijezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFL6DjMWW\ngt/vpe2HM/1DavyCRG+lMB0GA1UdDgQWBBQjyuX6DgQAUvSsk069XzhM5ARLQDAK\nBggqhkjOPQQDAgNIADBFAiACFvF2bzqOorV/B+hy8cYeIjwhVk5h+BvX9lgBT+xl\nOAIhANmRfjaJK5taTZoMRQ6Q8ijEvJAMeG4JDqjsxt0aIcbO\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVhXjxWxDe/w9piTkiCERxKRIpGYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQGujMk9ISkHjRPHjZtiMU+0s+Ii1TmCxIZF7Hn\ncSVkYYY/CCf420PH6bitDi4DWTYzACCkf5CCf52Fsf0Ch3koo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUukUGg9HRPdQ05wtzK+LRebXYICAwCgYIKoZIzj0EAwIDSAAwRQIg\nIcHS4L2fYvzDGtPsNVc2G1r1qz2r276Jq8T6aMaKe0UCIQCg75hU9UI87308dUH3\nX3Mp32u7kgMyupdiPXwUXts05g==\n-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaagAwIBAgIUSfrmDkiz57iKMgJjxsEVUh1O1gcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBnMTkwNwYDVQQLDDA0OTE0NjEzNjM2MDg0NTkxNTczMjYx\nMzkxMDE0NjUxNTI4NTcwNzcxMjYzMDg5NjYxKjAoBgNVBAMMIXg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK/OZop9EMT7lbHUofifXlfgtADce6XrqBnkj0D80/e3l1egnO/NbaM4d0zKv0u+\nXbxzJHziRYg/9oy+CJ7CiW6jezB5MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0P\nBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFLpFBoPR\n0T3UNOcLcyvi0Xm12CAgMB0GA1UdDgQWBBTc5G/gPD8dLmz4RibvrmhndIxxlDAK\nBggqhkjOPQQDAgNHADBEAiBhpJVKlHFj5VcbMKskPQMEhyrs11wNIEbFQCyZ5KIY\nXQIgJx8qww8g4XvADJWU4MECz+bJST0YAABS+Ua2SJU6PbY=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUZSRffMeoL59/hK22atvn2KrOeRswCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTExNTc5NDU3ODAzNTE3NTA5MTQ3ODA2Njk5MzE5MjcwNTA0\nMTg3Mzk5Mjg0Mjk0MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATl\nboCESNu24Cj+9CCdGIdxlM3JiVeNSBC40TH0ANKneNoUY2n3WT41mZZVG99EWTS1\nwuYMw8t/GWxsanXOK7R5o3IwcDAdBgNVHQ4EFgQU8O7Uw1lw8dmfMl0FPwtAbeKm\nVYkwHwYDVR0jBBgwFoAUI8rl+g4EAFL0rJNOvV84TOQES0AwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMaYd5isoRJR1f5rbkGRKfE27U/4HVWJvDjbStf/Kr48AiEAj8P2axWk\ng//to22/3vgA8uzaKt8HjwNOvI2Upb9g/t0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUYFQJdrIcFNTtbwqVp3TA9QUDsQMwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDkxNDYxMzYzNjA4NDU5MTU3MzI2MTM5MTAxNDY1MTUyODU3\nMDc3MTI2MzA4OTY2MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/\nIpKECdAIwv9RXO3VMo4Kn8npgtBuDPBWFBy9x70R1q0sIg4BpkFwmUeMAADgXine\nzpFm/AuEgH+vIMC7wPDko3IwcDAdBgNVHQ4EFgQUCaTs5suWWSnGMxrinG0vhDeX\nma4wHwYDVR0jBBgwFoAU3ORv4Dw/HS5s+EYm765oZ3SMcZQwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMYZHginQrFpFZD5OF/5ny66wibU2w0dt39zLJYqlwPPAiEAqhjbAAVi\n5t3e+wAuspkaQa99gTZXDbsUnhAUr5vziH4=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -501,12 +501,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> EE\n```\n\nThe intermediate CA does not have the cA bit set in BasicConstraints, thus\nno valid chain to the leaf exists per the [RFC 5280 profile]:\n\n> If the basic constraints extension is not present in a version 3\n> certificate, or the extension is present but the cA boolean\n> is not asserted, then the certified public key MUST NOT be used to\n> verify certificate signatures.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbO57cAVB3tefeCrXtUEVL+sFSkYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQKjDjTVzO7OyaB7eu7JtAGV3R/dErPGEkHTR7x\n1xonTSWJWqkT+e3gvMRctq9JtmJg6520B4HYwkiDCXss7Q9mo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpKkSiAKTrCCvFLBC+Y0+OsvHHN8wCgYIKoZIzj0EAwIDSAAwRQIg\nYcvtTPloPlZnUGhOjNIRdXO/2zB/42vAb5REl4MQ84gCIQD8LQEa5K+RYzM0skUc\nhf6wnOmh5xxsqelnGxZa4nfHww==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIURJNVTkK/qQ5HtJ2PTCkMpD3KQZMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS02AN8N1r+bZKwL+y9y9qSMylSmLyZ7G7kq6dG\nQKFWTPK+UVirxfMS8Y1gfCb4PwtQwRnSfykFMDyS1h1te/2Uo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUinGtgfyc1Gti4kTqXknI0UUdYmEwCgYIKoZIzj0EAwIDSAAwRQIg\nOaSHwPzurUi60I1zlDOg4rVu/R12ENmvX1ZkXK9f8EkCIQDy5pCmGBQ3mS3uXJHU\nwaHiUxl2osb1tnzQmh5mubIGdg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUcVNpPXIOhmvsawfAtxuHCeg5ukowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDA2MjE4ODkzMzM1MzYwMDc4MTc2MzMz\nODAxNjY3NjUxNTc4OTA3ODY1NDcwMjY1MDIxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABEHnpL4Ox6MxUTz4qqH2SUvf36kdxsKcK4eyCbvTqAVSj5BWp3Tpo6eL+K+H\nwagFRN1SUS5ru6LxvMwhlAxONQejdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKSpEogCk6wg\nrxSwQvmNPjrLxxzfMB0GA1UdDgQWBBSXh2LLugY75k+Sn7hnfeDPpF7SjTAKBggq\nhkjOPQQDAgNJADBGAiEAy/vUZNWdEUXK6nrZZ4p2eOHjvrHdnrBBxCc2CGmsct8C\nIQDKSjiqzZC9hK9HZN1kY9r7/6H0c2bj3Lu5+GDvIpskKQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIB/jCCAaOgAwIBAgIUQ/7dLMGbmLFIruocNHaPHvNo0skwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjBqMTkwNwYDVQQLDDAzOTE0OTcwMTMxMzUyNTgxMTM5ODQy\nMTgzMjU4NzE0NzgzMjMwOTAzMDM4OTM5MDcxLTArBgNVBAMMJHg1MDktbGltYm8t\naW50ZXJtZWRpYXRlLXBhdGhsZW4tTm9uZTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABGYh6xykQS9poZtqqlGeNE8dy+m1jKgLQurVMjkADOtbfT6juehl0sK3Xb9q\nyiaWbKYXG9aKUP9RLqIVw8EySKujdTBzMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD\nAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB8GA1UdIwQYMBaAFIpxrYH8nNRr\nYuJE6l5JyNFFHWJhMB0GA1UdDgQWBBTQr43JptSW+/6h+wpi+zvmAUmI0DAKBggq\nhkjOPQQDAgNJADBGAiEA3y6A9WOt58yh5QJIsOzLSY1j2Iv7B+e/gB4wt7eV9wkC\nIQD8hXUI/FVSQt04SCP01Ezx5y9hTT/ijnryDdKi3zr/sg==\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+DCCAZ6gAwIBAgIUGCQ4MZYpATeBkfOctTtrj+9a6cowCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNjIxODg5MzMzNTM2MDA3ODE3NjMzMzgwMTY2NzY1MTU3ODkw\nNzg2NTQ3MDI2NTAyMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAS45Iejq006v4o3O9g3jhbG9/07SmIUnG/TYacbdgNnrcXXIb8S+APG6Fjd1dWX\n+j0IxCpTRhB5jSMICe/T/WjQo3IwcDAdBgNVHQ4EFgQU5O5JN9Y0LBl1shn81WPZ\nL61QPkQwHwYDVR0jBBgwFoAUl4diy7oGO+ZPkp+4Z33gz6Re0o0wCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhALd5nEptbRtJtCh3soRDG94kc5a4ITY2OXH4LGedo/rrAiAFxCIl\nBAjl2prBmYHr77ye77iIHBVYUBx8CwOh1EcWTw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUJqTiAWiKNbpouokxJszOHsr/Gf0wCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwMzkxNDk3MDEzMTM1MjU4MTEzOTg0MjE4MzI1ODcxNDc4MzIz\nMDkwMzAzODkzOTA3MS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAATsp9q8Fm2Wx9rcba6aza6wRS5GimtXjpTBaiYK4YilTVa7kOCFvnwirddzEIrM\nf7tBepJG5hEo1aQmS/DwJMMxo3IwcDAdBgNVHQ4EFgQUs1x3OcvHg2YYvJK7D8ib\nNxH9HYswHwYDVR0jBBgwFoAU0K+NyabUlvv+ofsKYvs75gFJiNAwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAP+l/hspeDB+NZzSesqek6uCz25jz3pmGfPDcii9fnRhAiEAjq9W\n/VZ/Y5REDcOgQzx1sghDpHfLsdfKW24czs2Ht0o=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -524,10 +524,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUA859vWLnSWXEn1B8VnlV6jJfyD4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDqr+Q5Avqpe+6StH4YW+IDNG7pWSjkkFBbypI\nbXTaz6YkcrIWTzZqsV9KGKjz1dYXdzJ7qNDetqrdLqqBBQEpo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiadP2djeKvrGMquicc/aXu8EGOowCgYIKoZIzj0EAwIDRwAwRAIg\nDzNSvQ/kggIysVJ6YZbq1Q/VOevLkPA4ZgHCme0XVGoCIBlL0DLI978J+X+s4WCe\nVII8ZXBt9O5sUxMHqJ1EABqu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUZlXVBtixqmuT+3lTUtKBYVDOV8QwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS0arB6ackNbDMe0PeN5TFbCA5dIIPgo0HrzlMW\ncbRNItqWFPCm7vEzQshZNDkjP6gg0chIvtA3U6knUajX7rylo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEnUSn05NcaK/poEwYK6caXeskBcwCgYIKoZIzj0EAwIDSAAwRQIg\ncgyFL1RRdOOJ142XTCwLzEA9Oy7G49tFf7dh70x4fcwCIQD/N5GBqbL10dFdwhxd\noK7YCWnk0CslyR8FZIHwnxNC/g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAZ2gAwIBAgIUZPgSaFVCRG2HHCJN6h99VJdMkPswCgYIKoZIzj0EAwIw\naTE4MDYGA1UECwwvMjE3MzE4NzkzMDM5NDI4OTc4NjgwOTY2NTQ2MTU0NDkxNjcx\nOTQ4MjY0NTkxOTgxLTArBgNVBAMMJHg1MDktbGltYm8taW50ZXJtZWRpYXRlLXBh\ndGhsZW4tTm9uZTAgFw02OTEyMzExOTAwMDBaGA8yOTY5MDUwMjE5MDAwMFowGDEW\nMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBA7aHXcYev9kJcbGJePayzJ1y1dLAh18DUiwQrhZOaqo1KyUlQ7SokHrl67jecsD\ntmohQhX0Xx/tQQT+KSFQXHijcjBwMB0GA1UdDgQWBBSs2V5+0yBifTNBcVdNho+q\nJi1N6DAfBgNVHSMEGDAWgBS6c3lNz1wUlVGMo/8V6eZ49b/w1jAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiBZubtq4se6osKtLkcIH2gQfjA7fQQ2BDdIFdjyd9UMTgIhAKULEesu\nVTo/eMgl7kJmduUNLGs7NBjVTBnif0xl3v0X\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB+TCCAZ6gAwIBAgIUPYrBQluY2RHjrO3LCkHzhMY9sCgwCgYIKoZIzj0EAwIw\najE5MDcGA1UECwwwNTg0MjMxMTc5MjEyNTQwMTQxMDYzMzI0NTM1ODc0OTkyMzgz\nOTE0MTA0NzM5NzgwMS0wKwYDVQQDDCR4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLU5vbmUwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgx\nFjAUBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAQBCBI6Agpt4WuZvVazNFZPZR9PQviRhhWD8+4YbOzyI/mPDFV9FzkpIXF3AbAc\nLoSKkzxNkdatp+9ICRVFxFOjo3IwcDAdBgNVHQ4EFgQU8O0MmfRgYI/EfJDRae2x\naRZBbSwwHwYDVR0jBBgwFoAUDpjYyqPR6Em/G95nrVJP8zytGLMwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSQAwRgIhAPL1uap3KJMm5icAdjCl926a+js/f6b46XzK4Ws6nvR+AiEA6GEe\nDoP6jnTx4WfD3Icgbk1s+EWIZUGjBIxMZu9pHXE=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -545,10 +545,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA is missing the BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBfjCCASSgAwIBAgIUIq3Jr35TeMIYuXJ+K3b0snrTFP8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQgxuIjB/zRCaPAWuitZ0oNrBAIyo8YsnE62lLG\nXkXdLLbgCFaZ/Gowd4dtaFdOkwSO30f3qxCq2BfYpkXfs/vXo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFCLt+CxpGJL/\nEwt4N4Wb+QrfVBLDMAoGCCqGSM49BAMCA0gAMEUCIQDnkTfFGKcKLU/K3uAlB2hD\n8vyT3T1bYyBdhZIvHTahOAIgEi5PJ1jTsOOPcUEBrzqk6muslD6xZ1G2GqXK9uSj\nUd0=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBfzCCASSgAwIBAgIUJGz4m8hFYyF+MRvuabf8WbZQszkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQXwNP6DbsKWXXt4VGlaf3gESQyy/AUhIMRYvCS\n5UhOyQbbV1vCjU8nPfdsBejSmTf5Aq3JMVUYvtDVR9xS5lzuo0YwRDALBgNVHQ8E\nBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFIrVa/KLOkPC\nOHSwooAKtmyei4pSMAoGCCqGSM49BAMCA0kAMEYCIQDAJ3o1CozFsLMo6s/JaNTy\nJqXWcO95b0eO+DFrR2R9EwIhANBA6uJCzt/OlfL9nUswUlj12/Z4EQO8KWhPnC6Z\nDAxn\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUBOCrlr+rlU+U7AtDzbPo0vEFWocwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+9WPgESh8QjnUR/RH09LUa3LdwTpqU8GFsDgrfbC\ngEn5sNdPwwkkPvVu0swOBzSkEDk6sOAjGIzWDRB1J+UBUaNyMHAwHQYDVR0OBBYE\nFPyoKYo5xEeJ7hQPgz/FYzNDPhqQMB8GA1UdIwQYMBaAFCLt+CxpGJL/Ewt4N4Wb\n+QrfVBLDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBN28pRnHoJFDA+kGoA0u1O1qJbSa4Ca\neoGK9sEICZiIAiEArFrFJB7vbBRBTA0yYo1UTsG4m80/Q9hQeuYJ55IYjb0=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUeWIAhAdhaaopfdIHSzeubU1vuXgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZJkA1h0QYYTrmFWyOLbDDkXbVpfgqtCZ/ngjmRvM\no/q9YP2SfwlrUwA8Nhvls34554bsFODQkT4v7YmmYfUdtKNyMHAwHQYDVR0OBBYE\nFGdCrbDIMVS/1xr86pwn4lpkjbH3MB8GA1UdIwQYMBaAFIrVa/KLOkPCOHSwooAK\ntmyei4pSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB28rvAjGVc0M7IRegeP6GDm761IzStQ\ngWTBtWMnH6aAAiEA9krBtwG8A23BGcIH8m6lkh0vHa1YvzMAqkSwH8YnKAg=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -566,10 +566,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has a non-critical BasicConstraints extension, which is disallowed\nunder the [RFC 5280 profile]:\n\n> Conforming CAs MUST include this extension in all CA certificates\n> that contain public keys used to validate digital signatures on\n> certificates and MUST mark the extension as critical in such\n> certificates.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjDCCATKgAwIBAgIUOsIP15na04R06sXH21FQNmGHsPwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR+i74DSB17pxuql9RpUQ7Ez/LpMaYT6D+xOixl\npjeovfuzWkq02RIPS97H2ovziefb9V5FCqx+S2pCKkEFKlRwo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUOVssD2h4UGG9sQuWohjNHMw52W0wCgYIKoZIzj0EAwIDSAAwRQIgLs/G\n+600kA4rwAKiBPhjT+Psin3LBBegLZWpHFj770MCIQC3+m9YhLs1OppISP95VXPB\nN+Vy0Y5aULiIITDae8HCSQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjTCCATKgAwIBAgIUWkvd465ZONBmEb07rcal1NjQuCQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATT1VG49EEjQ+9ODitneBGeVKzKWVfXtpM0LVwm\no1TCK7POlVHHQnNiaMiCk1hXI9z22xpQXIwiOloQYlrmnbjlo1QwUjAMBgNVHRME\nBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNV\nHQ4EFgQUHzKLoiDteajnCd8GA42LkiVXFgcwCgYIKoZIzj0EAwIDSQAwRgIhAMt9\nFyOTkT3Rw2/wZv3lNGensfVlCUGn9A6QkI3FfsACAiEA+x7GqIN8Qnf7S6O2YwsL\noPXGIDaZfPISgUXmRmZmCeY=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUFzWadWeAis/9AVXHH2CZM/U5FZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2YLFFhvVNb/0djZItnh9+JRZv210e0Q6BRFcTyR4\nZOVn2XC+/GRWvlrtkMBPzCsQ09nG2JRWJGhFBmAvaD7pmKNyMHAwHQYDVR0OBBYE\nFBNtCJ0FYnmcpoTXfAjV4VXxK29tMB8GA1UdIwQYMBaAFDlbLA9oeFBhvbELlqIY\nzRzMOdltMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCFjf8Jo/a7J6bMHs2El4X6ydzdtD4g\nH0UR6gxFyc/JLwIhAI+SA2TNGQotr8fxxXkSchcLo+UQVnFX65zO0KcbNTG9\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURMCrzs+qmDEgC+EOq3WM+JkIWOEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+8Zhf2YrxMH3uWaaNCBAO8nIb0OzZfcOH+YDXCwZ\nznIWK9QFsqN0gHw19tIt92Wiog6eUSoY8/ir9YXDh+vCXaNyMHAwHQYDVR0OBBYE\nFEBlYGWUp5CjedhhDSzMN3REsbM8MB8GA1UdIwQYMBaAFB8yi6Ig7Xmo5wnfBgON\ni5IlVxYHMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIDTlgOJW+jBhtkdXjDHt/OEujbiba1U5\nf38iliyqOqUiAiAnKLtV2ryfM+0+mxnm2O7ZPXIlwR0FQr27fp2IaLkzeA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -587,10 +587,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root CA has BasicConstraints.cA=TRUE and KeyUsage.keyCertSign=FALSE.\nAccording to the [RFC 5280 profile], these two fields are related in the\nfollowing ways:\n\n> If the keyCertSign bit is asserted, then the cA bit in the basic\n> constraints extension MUST also be asserted. (Section 4.2.1.3)\n\nand\n\n> If the cA boolean is not asserted, then the keyCertSign bit in the\n> key usage extension MUST NOT be asserted. (Section 4.2.1.9)\n\nAlthough the profile does not directly state that keyCertSign must be asserted\nwhen cA is asserted, this configuration is inconsistent and clients should\nreject it.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATSgAwIBAgIUXVE8zr98rmgNCy4a3hytVR3hwsIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQLlUJHVkDjUJMFsrOvWI1P7HrVK1nIYiIsFSzA\nTHFyFMKtPcqynNgiU3kTwlRrmfeYn5t9vI4X9J/htotwPpVWo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBQk8FDujSgkW/Cef7nGN/6yE05VtTAKBggqhkjOPQQDAgNIADBFAiEA\n+0jtJKjlWw2Jmw3K7wUSZEzj/Om5W0S4L4ubRjhbbSICIAE3nY+cWbCopz8/wnnd\nvonzOhLs4VApB4zTZsXYKnSG\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATSgAwIBAgIUaow7UUIV3SBLGI7HU3tSFhMCC3MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARbJTA9BX6N8hiRQSh0t68B8DpJWSX+OFA5AqNx\n1YeBJH3o7QHYzu/kS3gAH5y7s/SvckGYOJvPb+A/Q0f86xbBo1YwVDAPBgNVHRMB\nAf8EBTADAQH/MAoGA1UdDwQDAwEAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMB0G\nA1UdDgQWBBTztwyjo3LwQhuGLDEo5BmjI5/PQjAKBggqhkjOPQQDAgNJADBGAiEA\nnfNzPyTtuedd4awgXdtuFdgxiBRmpI7bwd3bavD8wG0CIQD2mpyD11ST6y2MXmIm\nCYINa/LfIlo9DoNKmxFxvUmCnw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUU+w4GBedV4xkmUn5HDJJNPiTfDAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXQTNoGcr2smU2oNzMp7HafaaDRt5LW9yopfX7g7p\nVkVaR5wwhV297bpWE386otGNIE4qcI6EzhriL7YAvQM/9aNyMHAwHQYDVR0OBBYE\nFPS1F/JUAjRGfTaweTRYqFHZQFrtMB8GA1UdIwQYMBaAFCTwUO6NKCRb8J5/ucY3\n/rITTlW1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD9YjvM57f/PTMn7nty9pvFxQfJL7Lw\nM3wqLXstN0Dr0gIhAPJvPCZFmLE7NeuppLKbEFlKecnOwqmn1edKhx+te9iO\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUfgbT2VdUYQmt1B3lxANhvO1Dp0IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHi2L6mbUV1BnO97i9RlToY/7/rdTxA517TyYUd8g\n9UvbsqxoegFge8v+0IK0O35wC5A6u70IotYnS9NgXf/e/qNyMHAwHQYDVR0OBBYE\nFIf4Zx5ThcgkevfzhkQp6I9A4CVEMB8GA1UdIwQYMBaAFPO3DKOjcvBCG4YsMSjk\nGaMjn89CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCOTeRT81kZR4aon7LYP2CFDmuW8k92\npnIalKvB5RJ3/AIhAMvHJn1Thuj+yJ38MJeV7EUNntq5on8HyWb9jSEOd4sQ\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -608,10 +608,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> ICA -> EE\n```\n\nThe intermediate CA includes BasicConstraints with pathLenConstraint=0 and\nKeyUsage.keyCertSign=FALSE, which is disallowed under the [RFC 5280 profile]:\n\n> CAs MUST NOT include the pathLenConstraint field unless the cA\n> boolean is asserted and the key usage extension asserts the\n> keyCertSign bit.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUSKN3JFkq7hsbchgmcNM6+HHV4BQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2OgquiI9qe76oRqt0AgrUhl7rU8nrDlRObvkU\nWtrMOaUT+OkVmMYKxIUBRr7snHxxBHyVWHqHJq/pigJSFEkqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU7eTpYOfOUWkAWemGCpNhkxpGgFswCgYIKoZIzj0EAwIDSAAwRQIg\nLiD/WcVkHtCFF//XWuWVq6O0cJ5Hi1oAK2t6uH7/7f0CIQDpVwwpczGS9zt6vP3A\n7V2bJqoHgaSBq+tJgBc+G3Iihg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUYgh2SrS/JHeaMtMW1bCN+XqArm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASIT6T7rW1ZSzD/7WKO1uRCO0QznJD6iVB2i9md\nXdkqZCKv6tT6NszhVFNsHXoVHR8RgvH+L3rm+gl9emma2OBCo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUoMUIGSMiuioABzaq/LxJJTbz+BAwCgYIKoZIzj0EAwIDSAAwRQIh\nANfvF+SBFt2f94FSsyyhg1YLXTMfo7eqBM5i3Q1RqjekAiBwkVsEpizA0LxOZDh4\nuoIG3O+fBOi+3w+vP9TEwN0lug==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9DCCAZugAwIBAgIUAzDaKH3yzz9CCo/r9Iw5p7f8StEwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNDE0NjkyNzM1Njk3MzkyMjIzMzk0MDQ4MzczNDkxNDcyMjI5\nNjYxNDI5NTg3OTg4MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy\nT8OdlXPuscCxdXOPV0+gbWw+Bb6cAYhtwsvFF2/hpf/v1qjHmtYxW69lpGS4dr/L\nCe2NpzeW7paqPzlIK929o3IwcDAdBgNVHQ4EFgQUVEFEy6MKZVaVoNxty+ZVont6\nwc0wHwYDVR0jBBgwFoAUQb1tL0vyug93cJmQIJhrKAiw2K0wCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nRwAwRAIgPUB5eyLGH32KArMTSXb3P50Oz2USTQ7qfNww+DvZuR4CIHi6P2DTPsrJ\nDmtrWr1jyCYS7Y0FZaiWk5ml2syqSMyt\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB9jCCAZugAwIBAgIUXOp0PSolv6yy5Nz6qWekuqiRJXAwCgYIKoZIzj0EAwIw\nZzE5MDcGA1UECwwwNTU5NjY5ODA2MTczMjEzMTI1ODAyNDE1MTk4MTgxNTkzNjUw\nOTI4OTA2NDQ4NDk1MSowKAYDVQQDDCF4NTA5LWxpbWJvLWludGVybWVkaWF0ZS1w\nYXRobGVuLTAwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARn\n3nI5mgKKbkZDim6D5RRB6VIZhs7IxxqjHsly9ydY4vmekqfOPr+te9Fu0C5A0jUB\nTZKgNaRxoLAg8vw2Nsxro3IwcDAdBgNVHQ4EFgQUJ5daavX3T2VP8fL9F1lPdq31\nBBcwHwYDVR0jBBgwFoAUv9vEt0YJbOwYQbLXhxkXDm6qfxcwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhALZZbM6uF19YDlovxGHZeCFrMJ2bolc49xSXcgBZlvthAiEA41JZx4ge\n+ubqYFO6ovVxR6gCmfJOjQw/HoscC2V3+co=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -629,10 +629,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe leaf has a BasicConstraints extension with cA=FALSE and a KeyUsage\nextension with keyCertSign=TRUE. This is disallowed under the\n[RFC 5280 profile]:\n\n> The cA boolean indicates whether the certified public key may be used\n> to verify certificate signatures. If the cA boolean is not asserted,\n> then the keyCertSign bit in the key usage extension MUST NOT be\n> asserted.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCS7gnF6YgHTO/V5NE3guI2E1izgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATmblmk8N6OFTh873kYgdPw0MdtUO7nsZr8x/Mh\n2tBzemIsAnot1nP4DH/vPK/qSvlwj/eqjGIryw/m/bB8pfDvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUQ2o/fq25VoNGZmNIJBu/L3YMK+wwCgYIKoZIzj0EAwIDSQAwRgIh\nAMXS5StN+2u9NVwZl2B+Y3OCQs/obXS96ewzkL+kZq6XAiEA/9BnkyihFs76LH5w\nd1tZpFo1IsEk2OSH3L5N5D2QTPg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUHhIrcYdr4gtNVZnfO42gcY32WwgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATyhATp7Ar+7qr8Zeu3Dns2RM+RHgz8wzUvJVRT\n6j9Rj3bvanWrGDRzpjr3IxUXGbDXW9UPzy5QXofWskHpt3kMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+Oen39GGgjh2+gMawQmV0BTx1sUwCgYIKoZIzj0EAwIDSQAwRgIh\nALHoDCqNbO8Lo02pB9GQYk+P8TEpVZ9d0sroKbhcVjwqAiEA84TtnjkS8nuTGSKT\nN8+mDngJ4PMmRdcA8WpdmnCYCSk=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUCF36XFuc44Ys0kWUaKH8BFSqdk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETuqgLFtrwH9YlPIXpQ7BQ6MIyczX6gvFnJc2ZGnc\nRfHZ72uQCK+fT9PgTDA/pSFJi6etIQls0m4tPe1S/w1IwqNyMHAwHQYDVR0OBBYE\nFLvLCLEsQH1nBMS9wYKXcxkS51xVMB8GA1UdIwQYMBaAFENqP36tuVaDRmZjSCQb\nvy92DCvsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDzVdmW9ff7x27MQW2+XmagjYbq3J0F\nmTnx/2Wqseh1CAIhAJxA/dZRItekdJ5hB08HTOXee2ef73B9a9/1vCulNhfn\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUQevromQs+7SkBrdRGOidoF5ftMQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEgXTe6BGzqBdZ4T+BSaGrJiDq28AIFdIWsYGFllI2\nVYUF05rb8pjIPo/u2HbtnghXPpLTp2ZJalM4ubdVbmiMKKNyMHAwHQYDVR0OBBYE\nFK8AnQh0/akESEJZLwXKVJ0ZodD0MB8GA1UdIwQYMBaAFPjnp9/RhoI4dvoDGsEJ\nldAU8dbFMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgKEMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDpUHcx048JMaukjo5ar6eDsrzQ4atP\nlY1q/ilqQl+flAIhAI4w9AjL4ceuJFGBoof33oqbrAdKKLCPfnEhsKbPyWrx\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -650,10 +650,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName with a\ndNSName of \"not-example.com\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIULVy1UMfZ6nfyCM9llsaWAu/gA/gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAToJjUmo0P8117VwJ0hJiaKEwNAYRfwnAypJOdx\n3rd18LgOCS1k30aysMhyHxaqNwx1pbYzmWg7GFd0PKyxtpsTo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUza5f7dRAE5LY5bDFv+2fq5Hd3+swHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCJYEBzkRUpQpyhZIctbw/2\nkg4DzxgrwKX8ksg6ItBfJgIgZyIucJOQgTxdc1NHrUBKx9Z2I2XnIBzdx7N/qpaG\nHOg=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUdZ6nDuhCBz3ViMDqlu6/htvH/b4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8qmhi0d2U5yhbUtx7yvBxGbca1OHgPfS42AEv\nABy/bYfqPD6ywDDhPLEzbh0E0xByo5YGjPdX3EQMFNVxbxCXo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU9kiQ+Yu62iYmDXhXtOGC5Tz46oEwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIE7bQOEeMvODYKk23FUh6PRe\nXthyk07DxretHusiSkJwAiB9ww4Af5arTtIG+ai1/gwf6WsaMbeoiBwz6/wZ+41i\niA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUIt9acl+QOpohXR6+mp1dM+RuC7AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZkyYoRlLZmBR6IJ3TynUFtNAqegMHJZ++ujjb1ng\neH66D3ggvDgB5HaT7A5wYh5nkdzCPnYtVlN33ArENnNtmqN2MHQwHQYDVR0OBBYE\nFMjfDgJ9JN1hiGk4OyhQJ54rRn1tMB8GA1UdIwQYMBaAFM2uX+3UQBOS2OWwxb/t\nn6uR3d/rMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAn5zngn40b1nVpB7fx2YBO8j5\nWvzN7idLs6uLfwX7DFkCIHwQyWiOqDUWy1TLLetG6NYuYT3esLpEd9pZTEvjNtFy\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUBuLS9Pl/rqjyP5e9garzJISZrAcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETJGr1xANW0tU2mbq9uhGdXjq+nM5W2vqrD9hO/9b\niOZLDJbbABmK5i22xk+BLcc7eJwl4+IdtOEkX3WZ8im+PKN2MHQwHQYDVR0OBBYE\nFCboBwP0SJdc/+zqkV20ieeCKo4tMB8GA1UdIwQYMBaAFPZIkPmLutomJg14V7Th\nguU8+OqBMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD25vdC1l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAj+BuscJvk737GC/5EhSTC5Xv\n1Ua+R1OZVXoD7EqjAUECIFCvLkHuv8mKN2MMAbO1UMSLsEf+przKrcc41sEvCJo4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -671,10 +671,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUHKWrBEx+jKwQxm4PoUy9IV7OMvQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARv6AJAxvGgvAZIy4xFb4jzzrmunSTZ63Pfjhtt\nEqbZ6CgFJniDPBViG5RDL5eB7BBTgxZ0tYIXxsxI+4a63Ylpo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfCMSMA0CZxGnTKKdXitM5eMqrD4wHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDjDK8QOveILQpdoxYrH2ns\n2Ezz1CEAb2T4f+7KRilq5QIhAM5+CS0H5G7b4jHrTpP5ysNtmNk6FvlSnlcF5twr\n+019\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUGntny5d8Ot9+dWxi3VtNlrgIVaYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQqCiBIGwpDIVb/ETxMB1jJP70oru+FC6hbB6h1\nbKX/heSrE1PaDEkuVME1lxzbsq7/NgrZjyqTx7sWbGdRkXTZo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQURvBftBQFSKO3ROMsC+C3xaU6sZswHQYDVR0eAQH/BBMwEaEPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIAV5AS3dwajLK4OwrhTXHy9o\nid+1lkyG5FFotCv36p7HAiEAvN92QAOcfVMXFNHAqxMaW+uCoKqEn3ntEYIgXdKQ\nrq4=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUYOwNiYRyDk1Lx8b6yU1M7uPaM/swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0M9x19J8RJaPOX+8rPNGl0hDK7TGQxdHl2CpP7Jl\nKAHJpkX+CuNkFToFucswpH9eft/TVHPKzO0i/lI5PPYNF6NyMHAwHQYDVR0OBBYE\nFB+Y4ij/efHzjmgTS5z85WP5oNxCMB8GA1UdIwQYMBaAFHwjEjANAmcRp0yinV4r\nTOXjKqw+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD01ORC7BXl6osxfY/gstHODaj6HjvJ\nj5uexg9i8e0WEwIhAJdrN5SMWg2od4GhqIWm4ixqkLXbUNwkwh/RG4YcS9K2\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUcUxC/PUaMHR17LpamuIvA2CT4yAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEBjKhpsXdanD7V96Dizs6qTYKU0CsxVmDPFCtmbLM\n0k/6cq4vxxnWKWIYeXPsf+KOcKT/Lrdr75XP6Qw4F1imWKNyMHAwHQYDVR0OBBYE\nFHgGyZGznZArIqABec5IeqD1cEvKMB8GA1UdIwQYMBaAFEbwX7QUBUijt0TjLAvg\nt8WlOrGbMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGsqG4IMmnS6DsSGmgvpIOFgCG+gXT7g\nAv+lckTeGKLbAiB2eGPoTSiYj+ucW7nVWTPkUu2hWVqRn8Yn01+qmg9GTA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -692,10 +692,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUQ5dqjw+LFrQQJqlFAjyo6pO+3m0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQl433N7DCN9CqLaVKAUsMCUuStrLIUrXZ8aeUX\naPmgO4MF8t+RUCy2tzL+mJB/CjNAsEWB6ZCkEjS2+64uFd8eo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0nJGSMnHI/qkDFdq3xSapVd0S68wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC3HodaraFcNiWZve2ZAgcl\nGsDCmngoRPnfV+W6vY3gKQIgEZSPYl7EUw0cvBgNFn0h3AH1/k0+Q5rrzAn2uFUi\n3GE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGPIhZHREq4CLwQg1dZZp+mAPBDswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASxRBvxauY82YtNDBLuURvIzBUxEjrjBdpOnNhf\n+GCUn9vA7tDeNhBYlG+fiAq31yutPwCFTR947mHMzP442v5qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUo/9eetID1aVbFL3MyZX/4rf/bQUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH2VVVXyPZeLxlvodnRJ7eeS\nGGup/nmIpI9wiwuoXW5xAiAFYZ6gSRv5uOn1Uf+KzaMuUAwdFwvX4oiNSEi/ECmA\nyQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFTF5Ll6H18miRRGbJ5+1aEL5ZoUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEND/9CVBZ4l9GhfUIaTNSocTRCmDn9wQgno1i7Jtp\nkNKuVasC7mrbX3WPGzJ5XPw4OIiKSze4ETuOqMpEiPfNX6NyMHAwHQYDVR0OBBYE\nFDBAHV5QsQStsweR+iVda8YwB6UnMB8GA1UdIwQYMBaAFNJyRkjJxyP6pAxXat8U\nmqVXdEuvMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIGACjkK3IY6a/ggTn2Nn8WVgFFPqYIm/\nVac/qpDDsS4NAiEAyJ1CbYZLENTMTpBo/OAzuYO39DfUShtMo7YIyqUaddk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIURCTY6ny+zKYT65VFQ/WRt9rj3UAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKuZDsyjzta+Uof0EiiVpR5iup8wa9JzeN/BkV4Z4\nlueIYhtIXLTBg+hnL3UJwAecQebJ637JBjQgcqO2fn/i56NyMHAwHQYDVR0OBBYE\nFGigNwOSAaPXA2vXb1JaK8FpO5F+MB8GA1UdIwQYMBaAFKP/XnrSA9WlWxS9zMmV\n/+K3/20FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBy5cCgfPGg3g77wmAD6fuZNjb5O7tIB\nM+/iwvVpaN0TAiB8YkC3MP+Ou+aK0bq/mXt3XbvEVRM/jTkH9dhSoqxWFQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -713,10 +713,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\". The leaf's \"foo.bar.example.com\" satisfies this constraint\nper the [RFC 5280 profile]:\n\n> DNS name restrictions are expressed as host.example.com. Any DNS\n> name that can be constructed by simply adding zero or more labels to\n> the left-hand side of the name satisfies the name constraint. For\n> example, www.host.example.com would satisfy the constraint but\n> host1.example.com would not.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUGYlVz6H+HHbU9C02Qq76zkEUzowwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ7PMYeQ+A14VNZfEsJ9qpikuYk9GIXin/rA+BS\nrh2tEle7TbZFjwKtTHdc0EQeYTtaLOPxbeAYzD6tIOu2FHGAo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUIQ0XcxQFuxTtJLJwQRxPHYkg/LgwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCICp8sPphgyYy9YrN+h48zxGi\nCjVs9Cjhdl5h6UdyWLFsAiBSP68G27zM2do39ZeEvV3wv3SDYLqvpIIra4MyfdB8\nBg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUIc3uiOHARGIiZZojmcdD00H91i8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASdxME2eF5E0VAFoxXTnxPVsHTnYgxllKOHyTwi\nOs9SrJuDdMeGe5Fb/Sov7IQQSK6HWy3qANIEnd0+6i8cjY6Qo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSIrZpPF514pSOp3Sekcs9yibbeYwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCY9nZattjna4f8x6vLBpaC\npkxsXtNLc1RCcxJ4HHj64gIhAL08HyvAWS2a6HdZbWo6jXBpUhk+Y7jmZNEri5Kd\n+ak6\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVagAwIBAgIUbJYtAhlJmeFTQSMcF3jKIFlIWGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE2oZFz6YuvEdE0//ALgL5Vg6auqLeQbpUHRvbmKip\nivuwd5z5DpT1ia6kREq6/olUj8j7QDmgUtla5moeQNasoKN6MHgwHQYDVR0OBBYE\nFIj9ZzH5VO9w5rVJ59SvXYNImWe1MB8GA1UdIwQYMBaAFCENF3MUBbsU7SSycEEc\nTx2JIPy4MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgArmvpJxE9uZjx8ftRc3W\nNKgfVrov5+BAD1BsUnTsSvcCIQDh6bvWdfNkd+xFE18EFJ1/qQkYOJ6hXGfyuzRL\n/m8hDQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBsTCCAVagAwIBAgIUSI+CHx1wTOxoyh3t6TXTM2NiIx4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEd+84N5G4YXNUNvcT8bwjzzFCG8PsjA4Pfdm3157E\naApWYFqHtfdF8zAJOxwQMG5lb4Z0tlkXxYhhqq6tcMMGDKN6MHgwHQYDVR0OBBYE\nFMMyLn8//wGDL277xEpdPCMWXNbbMB8GA1UdIwQYMBaAFEiK2aTxedeKUjqd0npH\nLPcom23mMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB4GA1UdEQQXMBWCE2Zvby5i\nYXIuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAOb1af5TJO/1Xehjd0e7\nWAzAxq2WO1Kt70dVKkHDcV1fAiEAq8Z7n5EaZhfDuljLBUpD/7v163wqUtbABmeP\nhfP+h/Q=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -734,10 +734,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded dNSName of\n\"not-allowed.example.com\". This should match the leaf's second\nSubjectAlternativeName entry.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBvDCCAWKgAwIBAgIUSWSZWbWkrV3n+0+ysILWeBV4YwUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARojgbV/2bUbKaX7Ypbb4WIVLf2IlfMVLVC3hbZ\nRy8WFTAaaGp9fR9BGNKRhwm83r3Nk3gyaQ9l/UL0RomSFHGOo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFtwxncR5E8JKQBzHZoLhMq/WyKjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIgdCJU\nqT4+XUnOY/qCvDKK0zapUis9XtXbugkjMqLsQXsCIQD579EqvGj6EhKil/E+JsuY\n/WzANB6gJ6ChCNJmqV0Tlg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBuzCCAWKgAwIBAgIUbUXBpFuR3xCwfPkd4nOZ4BSOyrswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASAiEw7/X1uLc8VlSXMxGFIsrLkn6OXhc2nrMyM\njLVmUZ8Ed4eHSG8nkaFAA+yy4FKnAWH7QToGeAmdcNqGsTSMo4GDMIGAMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBTpWxSL0Ip3H4vQsdsjmOdKI6y3JjApBgNVHR4BAf8EHzAdoRsw\nGYIXbm90LWFsbG93ZWQuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgfO5z\nNoQ/yejwyqK814IlyhUqHXHAcR8DLKk1kKnSUS0CIF1vB7zMpf35+/gCF3JSlxaD\nA+mF7VGlP6Kezvla3g2s\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBxDCCAWmgAwIBAgIUcLjKFUTbFJLe/4UcHgeRUm6k6P4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYFjxRUbY0C86Ae8rDGxOwvWGccJf06dM9+g0pV/A\n1zUXozBxA3bdp1KK1UgssHqv+d7Z0O/TIX+q1RGnFzGE36OBjDCBiTAdBgNVHQ4E\nFgQUze2E5UtFtaF9QTR5KxuRgd3ySoIwHwYDVR0jBBgwFoAURbcMZ3EeRPCSkAcx\n2aC4TKv1siowCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kA\nMEYCIQCdwpa37MkDyLjzR9A8oreJeL/mt3RWCH8hzJcz0PLrCgIhAIE1QYe2Nv7z\nsPCO1jVJYcG9gQli3JvCFD+FwMkL3EdP\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWmgAwIBAgIUSLiqgYucFXD9969hyh/X9im4R8gwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPc7FPGZJlz4UxuNTX4lhxC/tW9utfPg7IWlws03o\nYo2U21Me7Kcym6Jsm1AMgkfzgv1+7g5Pck7v+m/VC4eo56OBjDCBiTAdBgNVHQ4E\nFgQUojevBEIPTag4D2kZNLRTVBrEjjAwHwYDVR0jBBgwFoAU6VsUi9CKdx+L0LHb\nI5jnSiOstyYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLwYDVR0RBCgwJoILZXhh\nbXBsZS5jb22CF25vdC1hbGxvd2VkLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA\nMEQCIGs5efpyhf86MdVK/4xWRf8JvmxtX24XywAXXF3ssugMAiBz7x6ikbSCOggQ\nv3SzHYgVQanldg2pq8nJmkk2Fg9zmQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -755,10 +755,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which does not match the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUAWLLWFbnh6RyL4adqcXSRZuW9yowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASY/Ii5o2KwKQ5yFc8gyUXSX0DZHPKDKMAEWMHq\nloRmDf1W+UEIKUdnCJR8+Zzaj/Vg0WQjXm/n85uxgzOwPEQ/o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjzLMZMT0H8/9sKhsa5oma1m0WjYwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIH4eSLST6D5D8r4K2hAV09QnBlMP\narosuQqH25IkfykaAiEA/3pRkoo1+Qc+JzoCl9L1TXnb+v2TEjJjrYFXgIFGAHY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUX5Za+N043eqCtZIL8aJRNHeMyiowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASM8ovLZQlubqxA8QfUqFgK9UPmOnoi/AVH7e82\nQHivm1A9Q0/M9tFsgPQiRo4gdNxMWTFRMRGprGHsgZr2birKo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYTq65LsSNaD1hYnoHL6peN3pT3UwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQDpC5Dw6WhuPsHSHSpT3yfoF+z4\nVlMPJcPKOYT03WZlCgIgNlb2+fmO34/qplGSvzLxaR/ilzfJKXCM8azDQ7LjGEE=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUI9CxympDNedMqQF76Mnlz8w2togwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEdJjPIr0Ya83S1YfHhy+OMSsci3pvYfluga6Zz2Nh\nuuIsE6BRSctBXE3saIjm73XSHB0LN9TJlY4xDMO4+XU336NrMGkwHQYDVR0OBBYE\nFBUEqw2I6D3kEjdYsUpi9tAjue82MB8GA1UdIwQYMBaAFI8yzGTE9B/P/bCobGua\nJmtZtFo2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhAMgCED3CeStIF/tFpQweTzgljK/LgaXJHXhjFxTg\nKyXsAiBv28Sdc6XA6kQB2AXHQpHSyufb+NOZ1cNAj9agUSYK5A==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUCooGxedj9fV9ZWZnIzPRJf7ZKSgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEPuvTlI9kzRY8oYAlp2IMsbEYesVJBQXn2m6+dDHY\nBOv1thIAyWOcwmaU4Cg7HRteBoTXSD2Zo9AH8OAxl9qFSaNrMGkwHQYDVR0OBBYE\nFAD8p8yv9UPj46UhFpUtufrPiikHMB8GA1UdIwQYMBaAFGE6uuS7EjWg9YWJ6By+\nqXjd6U91MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAwEw\nCgYIKoZIzj0EAwIDSAAwRQIhALrmTe1la4fodB+XbX9rzHro7THsgenYcDnU7jlP\nmzx9AiB1DnefmU+MeiC9Fjx/8D6wmfmeCwJeJbq2nHQFUkys4g==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -776,10 +776,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded iPAddress of\n192.0.2.0/24, matching the iPAddress in the SubjectAlternativeName of the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUUSIUW3NEPLeNBvg8vQyIAgZ4JZcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQw4LpEb6jGdRgrElm+Y5tg3bBKVcpYbV9/3WWN\noHiL+4yiHfxu1wrOdkxQcrneRKFqKXRlrDi2u6C+RaRR6SEdo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmmw65b3qurDzXAQ4hgaElxHH9x4wGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIFITGrCYp4awi1ApMN+FymusYnNd\n6azSsuwPNU+m46tkAiEA0orPK7idRX3vetzbIdeHynvArwffajdlJTFSrf5MqcE=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIUOIjD23qzNMVAOAHIj+f02wORP7EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQRGsrhwSUE0HgWKjfYcM/5fwimRbH94+ZjMvYr\nQ4NwFaOqK5TUolSvQndabVJvAzdR+gQNcnRt0vwDfpk9yOCVo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjYM3DMuH6kSMXL1lE27UE053XBMwGgYDVR0eAQH/BBAwDqEMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0cAMEQCIBulXOPJmFoAiYdY7Wia/kqDNnze\nBa4UFmtdgADOVFnoAiAXSR+9w/6G6uGOFayQoK0BGwP0UvF8415w5lkIwH7qOA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUPdeN+cYID9RNIIVIxq7dEfh3KuEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEDHaNFEKHNt6nleQrchZk/N8L3Cbn4RZTfsn+piDg\nf4D0TcGG3mYQwpC/EaVjXA0QhcXCRFMLSoOyt9NVshLGDqNrMGkwHQYDVR0OBBYE\nFKjrOcijAZ+9tMB1STQUF/gzZnmbMB8GA1UdIwQYMBaAFJpsOuW96rqw81wEOIYG\nhJcRx/ceMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgQ/BPx5WXqK4wAp8/sBo2O50uKmqqcMAH2BUQsVKZ\nZeMCIQD6D51a0X4LyJDHYLVp1zXC9BbBk/M6n7f0AzsF1R7aCA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUGi07WuerxYEZ84BSQ7SkFBOukRQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/bur/1xfJhJQ/op23rspQP4W6sI46/3GjQQzzorI\nMhz9iUySJt7Eu961UCqeBdWROAIn9VTsIb7Wrt/tulBxeaNrMGkwHQYDVR0OBBYE\nFP5ak3wl3s0vDkjmpvvksXY7AjbvMB8GA1UdIwQYMBaAFI2DNwzLh+pEjFy9ZRNu\n1BNOd1wTMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhAOpMC/5RoNA0kKkJKo4oUvgZgPu3fi1wKxu0vwsU\naXSKAiBxFCn/Oe4B1v7U+ljURuVs3oAK1kfNjt0tUe2OcVpTfQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -797,10 +797,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, which matches the iPAddress in the SubjectAlternativeName\nof the leaf.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUShjUPueNBDpNsUHvTEUarFbRMfUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/B/STst+jLSDKn5oMtmraU41l9doCi3zSEH/B\nl+A9guHHOZAfQdPzaLjlVC0ek+LizUJkRjUyj+Yg5LIodKs2o3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbp6+b2+FZX0+ZiTmxK6X2+AiPyAwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQCQ5Ldvpl07vZ263RiYuvqDkvsy\nCpK9s7CBC3aTEXOodgIhAIRnX/CLzG1rAiXV04YFkMYf/KA7zSWPIHfunlZeM5J7\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUG7ZP453OGlu6Y8YwbNqAbbGNBwIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASlMJf1TrM2S4MF83dPH7qIEuqXgiswtHVSUaj9\nT7dTj0PfCm5ltNNET0HyFFMZIZRGPsrZLZv0+jbSnOPpdX9No3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUhkQjgHLNpymC70RiaU65ghHEw1EwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIQD28tOn8Kfd1dawlpQlRmyz7e9q\nourImR/k3Jg5Omw1IAIgVBPKKHpIR88BoLYHiD0we+dbzrE4NWBY9NdQoGViE4g=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUfCrcVmbHgo6W7y9gMXy8JQwQJw4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpVtyhPQnYILqlVBOI9wFar4QAVwPDC0ZvG4PPaoP\nUc1YMLLvqbdMumc6/jr6aMly9CEuQEGQpNaJe7MAbP+1dKNrMGkwHQYDVR0OBBYE\nFHC/zXuaId4cnqnhvri9aUNpyS7fMB8GA1UdIwQYMBaAFG6evm9vhWV9PmYk5sSu\nl9vgIj8gMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIgW0rLsHsnqwdpAGhmqcU6qC1LZxSmlKXAw/u/UPrM\nUhoCIQCl7a1TlqSCcgZmE2xx515n0VpJMy+h2wrmDdusVObgTg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZDGenulxtVCUMu5KkeYsZlTcv2YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1zF10zhGCcWOVc3Xa6ADNZC2hIjrz9UPb5HbjPCM\nZ929+6AZqxYM9RZm4E5Q3v16BWaMU74B483kGcPO9icfj6NrMGkwHQYDVR0OBBYE\nFO806gdftAr0UO/pEnDMSDO8rUPwMB8GA1UdIwQYMBaAFIZEI4Byzacpgu9EYmlO\nuYIRxMNRMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBMAAAgEw\nCgYIKoZIzj0EAwIDSAAwRQIhANfqXArxZb69t7c4a42VqQsaawcnGXPP4ipkkkPn\n3xdjAiAWz5ZrTR/8O3R+USNbWi+35i+Co6kPA/qO/LAzdPsuVA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -820,10 +820,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\". This should not match the child's DirectoryName of \"CN=not-foo\".", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUb5ByrUT0dUHH8IcNCk5l9fDI584wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASw7peTufhC+H1+PHNd+LHfu1wDWWbEm+9jzojX\nUG0AzdAQxvgFFAqN3vL1VUM047DreLqhFUrn9pGu++8IMhGBo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU2ri2O/R/yOaXjUGFmpsHWgGPdmMwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhANlYdjSGDUXftGcl\n0VHiM/rBoenfCNQlmX1GseUbdKy3AiA61pjOPhZ+N6XXaMMD7wsA0UcU32RB89yw\nAbOHAkTG1A==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUcq3WHT1NBvGwdpPZcC7WRhm6hd0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASuaLjKlFmT+8DOEmkRX8BpLbVjByp9smCPSHSj\nBIVmJmBH3V4oyQSkCe/cWCoUDJFccrU2ZmOR/9nZUOkc6AHAo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULvlOj35Rosu3r8sEApQHGbuwuUgwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALQQPFyeUljXNj1I\ntX3C39Js8c03OX9ti2HcPiEySE21AiBMiTYU0MtrrzIhwieSCYLenYsjJULLkHNI\nguFy5YC3zQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUOx1PKjP3eFyFsc1+5Om5eak6GGMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEfLpLaNMRDLrzlUiDLtsWjTA/EDZobxKcO7HLzVSbeFcM3Cej\nk2tJMKm1hAZq0v+CLVkFSHMC+IZM8EfTtpEm9aN7MHkwHQYDVR0OBBYEFEzxG4t8\nvTpYjXVkfId7TnQJaBBnMB8GA1UdIwQYMBaAFNq4tjv0f8jml41BhZqbB1oBj3Zj\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0kAMEYCIQDJ7nyQdeBWwdmGzYRcww5ywdXE\n4ivdhUkJtRohiM9oKwIhAO5CvmTclsecQnG0DqjOGb3hE28I1w2sADkoYEVvza6G\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIURWK3YjmQKwnyQoeUgJsLQM7eGA4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEJ2ALHAK2wbheJidAugKjsVe5KkGKHqFMKwT35TeSBf/vgthz\nR4g4uwbSoDRP0A11Ljk8bDuQjRsKxQd/GftbIKN7MHkwHQYDVR0OBBYEFOvGzwpV\nG/A8GqFgUh8AcJHRzEq0MB8GA1UdIwQYMBaAFC75To9+UaLLt6/LBAKUBxm7sLlI\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMB8GA1UdEQQYMBakFDASMRAwDgYDVQQD\nDAdub3QtZm9vMAoGCCqGSM49BAMCA0gAMEUCIGQRiBeU1sWFAC2lFie7N3ZLdSE0\n2VoOPu2/DJAuM0KQAiEAjpSnlhLLTggUvPBvioqOTkxBDsoNgGTbxLVjJ/zRQXc=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -843,10 +843,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURP6+ancWM5IQTyTcI7dIvxsUFVgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQBiWHaIGZebJjkZ1fr+kUXaryI+FPf+RasKb6W\n5sWcZWB65yQ2E7eEIG+UBC9/B8UUATpQdQ1p1PDPqFOTzcRto3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAJKeP3PFWOO4TbUT\n7NL0mdsm4aJHiCdk7PoavuajydDoAiBbYQ5rWKCOFkSgBuiAtozvaDl1nWwQtP7T\nTOL+hJWlmA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUD6c47s393RF2j6I7eB405BVHAjQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhBsgztsQWJfqA+8vqVNiDc0o3tfN4A24UxFqB\naAe5ViYqHktfY6gKuidQpgAaTXGkaMz9OG1hTVwbYeYidWC7o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqFFBFy5whuveVMgyqsojRjgztmQwIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAKo7QJeYCY2xjJwn\nfbyjhPFW/pW9KvySGmqIFKUEBNjtAiA0STqkG61KTMWLXSWxbWFlWUT4T/uiVCM/\nsYD15Y4dYA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUQezmOAOMJUArTEnYv6JTjWWFWmwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAATOkvN1te3Ct6cBVBMUXUjh2JXtvQe28JwEQ0TDxnrO86TDSlbF6uxP\n7reYyc9/xhkRYRAiERe9YBeKiQMp9GDzo3cwdTAdBgNVHQ4EFgQUNZczL2EuIGvz\ncNUrrBSPIk9k2bQwHwYDVR0jBBgwFoAUK+ygSPH1VRzHC6y2sHEZhDL5Hz4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEAlGN9QC/sUOWIGkxnIsL7qCaau850b4wBStyR\nxCujYlICIQDljwWyewnolkOEr8SaxFnfKvQIMgMEbk5jYS7Lh0ipQQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUmgAwIBAgIUWqVDkcXMw65J0tB2M8hbd+CR9SwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQxnB8/JgjN1sW7NHPUFzYNbQdbb3q+TY6WSk4Nw6Nvji5dbPcRXdJl\n5Og4mpniNmqh31oy8oLmgEddQvOReNqOo3cwdTAdBgNVHQ4EFgQUgE0PWQvTyKoL\n7nOZChbA8N8inMgwHwYDVR0jBBgwFoAUqFFBFy5whuveVMgyqsojRjgztmQwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNIADBFAiEAj4fwk5CDRjyNaJKFE4JnEGn3hVGMavrTjJL5\nsggnLB0CIEbk+RZ2vIt5vOhLb1TfsX+j3iCYQvMQw897hhkM0Bh4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -866,10 +866,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVmgAwIBAgIUbkBJftUzUG9cZSWqENyNz1dJa6swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAREbdvIfywp/jGTmecHQW9wadvSFvGnygSIY8Kj\ngKoazDNbJKESH1khAo5Yxp59AKSVSMuOQum6T3ly1Xlz+iSFo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUyD66+nJpQwQ3EmNSBXS0pJMHY7EwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgMF2B9+k3OjvvKNnV\nwi+2iTbSiEDc14hdgRfoReAqGU8CIGb42k4N5F6oMznOegdV6jNqQi0U0V1gIjjR\nmUqFqF2X\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUCFiin9d8GMfFXV2qkBtxulSaURkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASG1QZQuGTOvyO9pWCj4/Ol5i0ns5Ngkap5/AGr\np6y03ikOcbaO3RtDOR8Hf1IiYx+VjPx6YDdGZMyOIDl/L2hxo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUn80vVeS7HLUjkKtyoRjghHGyKe8wIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhALstJcyJytPRRmnX\nymXgQCMQhrar/3V7cFvXwnjsRdleAiBuhC9HmejX7/uizkMC+akXkAZ6HMhuRD+x\nugRnmiqIFg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBojCCAUmgAwIBAgIUYcvKW7zs+UScx7DeDUmNDXZQXygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARmBga1ygKTJwRBpjbKEK71ocTLJZJ6WjiYyXk7v5ly8fO0JQvZmIKz\nx8yiplcLbwf0cvGN4xErr+H5la0+rQVTo3cwdTAdBgNVHQ4EFgQUbnugLN2slwGi\nOBsf18eqiekAY/MwHwYDVR0jBBgwFoAUyD66+nJpQwQ3EmNSBXS0pJMHY7EwCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNHADBEAiAGDGINt1HPCWZx7Z49jj8bA8L4jb9bASB4eJK8\n6ufrDAIgLsWpl9NDS97EXOTCdqL2v5dAZMVwac+FzBty8lutTcE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUmgAwIBAgIUNvU1HkiGZIu4yxSSuPVGdPRXJQUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAReM5zjuOV21W7hYSWnFK3EXScDLq5E+4NZl5ZEEzQIkZtvH1KwLYxg\nKCjfz1TTRjnVmKhw/PBIq9O2LvR2Igy3o3cwdTAdBgNVHQ4EFgQUtioT7eatxRKp\nSe5W22UxFqpVZDkwHwYDVR0jBBgwFoAUn80vVeS7HLUjkKtyoRjghHGyKe8wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwGwYDVR0RBBQwEqQQMA4xDDAKBgNVBAMMA2Zv\nbzAKBggqhkjOPQQDAgNJADBGAiEA2EHdUs27K+dmGF3ZhP1B733ExrK/3mAU6dO7\nVJznN+4CIQCvB4MzIMcpBRcER+dT/HeoIfZ+5Y617Lbav6eAS6aWCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -889,10 +889,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted DirectoryName\nof \"CN=foo\", matching the leaf's SubjectAlternativeName but not its subject.\nThe leaf must be rejected per the [RFC5280 profile] due to this mismatch:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAhhykAPeI4VKYu7SXpQ/D2SY2eYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASnLCLPLxu8H3E2Nw2gFVRu+0fNX3m8k8osA1gK\nUvVnMxLCRiU3GgOFwDqZkjNLUSwfh/iIkMAc5KAHTC14fE7Ao3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUf+BOKGw2xKzvggaYz0rVdaFJb4QwIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgXPEJRhiFTldrEVpy\nAbtpbctew9b5NwEAAMN1h5Q7ZU0CIQCAfTc4aTvocGy9sLdyifqZfhlcw43/lKnN\nT+Rt68PdZg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUSx1UE2A7XVIgUh+YsMQmxc9o7nUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARpIu81nJxemCdSpL2x1SOp6khOTQAJrdsa8UMy\nLItlM1aAOm5NEDRcF3jfAC+m7Hr3uaM9/fPFe+d7qXFRMHW2o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUtegB/IBtiJnPuoqIk8/ALyY4+LowIgYDVR0eAQH/BBgwFqAUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIgBoRr7n2eJkFhdQBB\nHis3XA09QVoSwpRMtrpdk7HzS/QCIQCFApTtpnwqOpkXzsnxb3JbaK54UhJnNX28\nTKPx00DvLQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBmKJ4FvnplORCcGwQSWoCGPcKAMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAE0zB0e/6PooT/8/dMajIduhrbcOJcfkyWWyRjjcTGSesYvRqe\n7CMZMSjOuXDD72gE69oQjvic+H6eNWxr53wMNaN3MHUwHQYDVR0OBBYEFFfnK/lD\n8nZSRpKcwOVohT5GVFldMB8GA1UdIwQYMBaAFH/gTihsNsSs74IGmM9K1XWhSW+E\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAPjNKswmw5aEIsCLTO0B3WOJvwkN5KtR\nAbWDcXycvJAAAiEAk8eCP51j4qaphOZsbVoBBzXEjvQ84tYWYN5l8lL1ZQU=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUBkkawGRuP/OsnJi5dRJHkyRVw0owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjASMRAwDgYDVQQDDAdub3QtZm9vMFkwEwYHKoZIzj0CAQYI\nKoZIzj0DAQcDQgAEptBUtSsXYKRv6Fb07AwLsLrwQsMhlXxIXZyjFv8BCTZ+gEEX\nO1zZ/RbxB934SsnRryRRHp0M8faKKkJWgwiQsqN3MHUwHQYDVR0OBBYEFNPRn3Jk\nbHJ+YhJZBaw1kF+AiqWYMB8GA1UdIwQYMBaAFLXoAfyAbYiZz7qKiJPPwC8mOPi6\nMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKkEDAOMQwwCgYDVQQD\nDANmb28wCgYIKoZIzj0EAwIDRwAwRAIgAPsruX4Ox7WWPV4u2Wg/SctSn7+rneW4\nynczxR+GpXECIEhngQTDhpVJf1HN9qdApjxwusVJgcuJFSrFS9Ll51n4\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -912,10 +912,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with an excluded DirectoryName\nof \"CN=foo\", matching the leaf's subject but not its SubjectAlternativeName.\nThe leaf must be rejected per the [RFC5280 profile] due to this match:\n\n> Restrictions of the form directoryName MUST be applied to the subject\n> field in the certificate (when the certificate includes a non-empty\n> subject field) and to any names of type directoryName in the\n> subjectAltName extension.\n\n[RFC5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIURqYkk7pqDuoe8L/fl8w0Caih77owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASqbE1rIHLv9ya/X5vXEp35FF5hGeeB6TL6Es9O\nebQ9BGVghGz5Idc2HyXxzRBFMwYtENDeDrVBJIldpRAy2UQSo3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULlfFBusJ9FQs7xKEubqSxx+hKm4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSAAwRQIhAIHcpZAO/Y47y0ee\nw8Bqkpp0K4k/eVrM1ByRmgYW9eoAAiBSE2sLb4VmOIB3y8PWrk+WZbbxgyIIFhqo\nKFBZsUKhYg==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVmgAwIBAgIUWvxl+C0Ox/2Hs7LECd4UlaxbB3YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ4NgnF31wfHCweH23FJxKmGiqPFcqnka7tQPb8\nTtSzJ+GYUCgNHa5suUs/ml7W+pg4YXgwmjS10aAZCYYX3uG+o3sweTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrPscoXdbfshOwz9DJzccnc57At4wIgYDVR0eAQH/BBgwFqEUMBKk\nEDAOMQwwCgYDVQQDDANmb28wCgYIKoZIzj0EAwIDSQAwRgIhAK821ELL0DSTxSZt\naS/PJL8F+ZszOfNoWT0Hze+x5oOYAiEA2O9d4vZh6gOdRUSTCPeFYF5WreGRMOoD\n68fV3S/p07Q=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU2gAwIBAgIUBdaJa0nBXwJLSYCBuOm+83831oowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAARURKkD1jwupsL+oh2GD6/Uu8s9Q7O8tqiUlgT1F017ck/MrYmhSML4\nvBxsM6uOpDT2wrdgzKDSZNl5W0PdHiD1o3sweTAdBgNVHQ4EFgQUD4yk0m3XX1gp\ntyhYrhbrpPYhQiYwHwYDVR0jBBgwFoAULlfFBusJ9FQs7xKEubqSxx+hKm4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSQAwRgIhAOTIsHHKAgWlrxDgW9bKl40Gyx1r75//\nvmS4GaBDghYyAiEArfXsmtkk+X2m1Sdz+siBy1bPwoaaOiVPLpECw0iFMvc=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUOkOjNAL7EPe5/LN8hyT6hzFd4/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAOMQwwCgYDVQQDDANmb28wWTATBgcqhkjOPQIBBggqhkjO\nPQMBBwNCAAQNlEP2tQeG1NgO2NiQDh7nw5MKyjzdp4NynEWj6QAJq8k9esLrEPlZ\nZUm3aerL9FSAWW+q05WWo4eVGTUadC9ko3sweTAdBgNVHQ4EFgQUnprmGnI5gtMf\nNjtl+c+C7gEfXFMwHwYDVR0jBBgwFoAUrPscoXdbfshOwz9DJzccnc57At4wCQYD\nVR0TBAIwADALBgNVHQ8EBAMCB4AwHwYDVR0RBBgwFqQUMBIxEDAOBgNVBAMMB25v\ndC1mb28wCgYIKoZIzj0EAwIDSAAwRQIhAOEZw2/5obfg3jcvsVPsN7AWfB3lCVrD\n3mmPxM5KNzBWAiA7stp9TjKwZhMHA1iiXUQfP3dGF3Yh/IDyINkFonn7kA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -933,12 +933,12 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the intermediate certificate has a\nSubjectAlternativeName with a dNSName of \"not-example.com\".\n\nNormally, this would mean that the chain would be rejected, however the\nintermediate is self-issued so name constraints don't apply to it.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUIbVPY2OJB7MVdMpBK/7ulcw0pW0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASk23SGrb3ylNZmthVagtmz2q2B2qTuNosaPKlT\n4GmNj/Dbdvzz9QbEJ1MP0KVRp+ytG+4v5DQlgGWpoBFjNjNDo3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFFAR5ViTNgfKvcx3e/84zPQri+CJMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAnGucl50FgqBkcjos\ntt5c6ASrDP5Ljh+xCm1fMRRcjLACIQC0ANKjoulGqEvNnoEuz14X9joe1T81Wq1F\n1ZlKWp2jVw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBszCCAVigAwIBAgIUWQ40+YiVqj2FiVaz5Hdez4BMVJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARh8ENbLzhsHna9nknJXpO1yiKOgjYE6/fd3pVV\n909LgCHdNQNKpExGoACNSu+UiGnplqFNtTk7cVd2UZyBr9Qto3oweDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHQYDVR0OBBYEFKv7GGzcc8zKEnXL4ujj502bx8dmMB0GA1UdHgEB/wQTMBGg\nDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA69pw5WiTyihH+PuE\nBRlINVv4RJTFC8sVu9CJek8jH7gCIQC6mgMtydUj5X7HBkNwbriQBWhY4IMsuNRI\n+DURu5YAEw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBtTCCAVqgAwIBAgIUK4VAfM3f/myh533FpyFnMEUUh4UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQQlpNLQLyX+bo7ePdm0skrzahqMIzhkE0E32KP\njtBCtJGJh2fO3ztxwlO/8BORtxsc9qX3l70drUiwBQ9LE+kho3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUUBHlWJM2B8q9zHd7/zjM9CuL4IkwHQYDVR0OBBYEFFDm\nBiZMWmbiL4s7aDMxuajQu2kaMAoGCCqGSM49BAMCA0kAMEYCIQD6KIbkN9GZSvYk\nBCKcRCT7Y5hFtCL8jYqgraS7d5Zo1QIhAPQ1YkRpQcobK+tZ0+3kFNvMVFzQFg2n\nOTQLyL4DY6T2\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUcZobqc7bxnlK5sLeWrNAl+H1N/owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARnOX/mzuTx81uNTMmQ43enwwUPeIjGo81aPSQH\njXQo2ZX+LiY4NMcZG8bf1wzqr8JKE5i6C1iauSvnzlgODWCro3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUq/sYbNxzzMoSdcvi6OPnTZvHx2YwHQYDVR0OBBYEFHFi\nQlR++oyPPmyzhqgEcWj1THcpMAoGCCqGSM49BAMCA0gAMEUCIQCoe+ERZzTa26bQ\nja7jmhY5ad88DqJ6T+Se5lMmneXkbwIgUofTxbbuB+Y5cKwjYekBZEQ0pPWlMddK\nYhG16GyNvi8=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUE3bExB2DMNvXFnDsaxe8UVAs/30wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEN9YUyhhoKYeBYQRUdd1oF4XuhEMMqJBYedse3WJk\ndQBH5AjMYFD+trK5zKpuMPb3XXCSwcCb5mkhA5EsKyEdtaNyMHAwHQYDVR0OBBYE\nFJ0kWgPQx9EDT1KSZybTdsddOrVyMB8GA1UdIwQYMBaAFFDmBiZMWmbiL4s7aDMx\nuajQu2kaMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhZt6SiMmZpidP9JIl2F2kfzRB2wv3\noHkHI1ejRe6UcwIgBJOTn4LSyXcPyvRMGXFwiZEApYnR8exDMQvK6lvkPYE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUPv7KtAm6c2khyzJ59OQIfj9W1ygwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE+MoAFalhRlfelDVw6q2gy9TIPW/3m6N9I4kGlF0S\nUKOPPURLmeaNDjmZm9C5mB5KtfXfftDYCOrT/d63JIx+uqNyMHAwHQYDVR0OBBYE\nFLbqvtOQAkWNZOHnqb+0SO2LoeCMMB8GA1UdIwQYMBaAFHFiQlR++oyPPmyzhqgE\ncWj1THcpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCETGHUFOwN3CQ33LrtfskoAn60k075\n5v/4khV7u29tcgIhAPK6/glbiSu6MNtX5t4T6gAFK2GKpMEy9ZGzB2kbYzKn\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -956,12 +956,12 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> intermediate -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted dNSName of\n\"example.com\", whereas the leaf certificate has a SubjectAlternativeName\nwith a dNSName of \"not-example.com\".\n\nIn this case, the chain would still be rejected as name constraints do apply\nto self-issued certificates if they are in the leaf position.\n\n> Name constraints are not applied to self-issued certificates (unless\n> the certificate is the final certificate in the path). (This could\n> prevent CAs that use name constraints from employing self-issued\n> certificates to implement key rollover.)", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUWyUFw3IpllRe2Y/ScI4TfMESJWwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATqCERV67FkzKoFLErFFWosaItsqGnJbp6huE4d\nWTnPiKZPudM+tYSTwFjSpQ08S/XyGaH670uU1n9DusRG2bklo3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICzB7NZeEUFLym1i3L8HM8SQ\nKUZK1mBPIT+9jfDXj8c/AiEAq4iShV8ivF9W/J2pKNotGcNCg2Z7n3tJkbAvW5jy\nl4A=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUULJxIv9zLUC3PYehraVFZuHDMS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATdrQOub3DV7p/tOUNIg6eBuGtFQVWurkw4WOvK\ny4Hru0FDTvB+rPDpz43aTDGHxRfwDqLWjURO/zWW2ZccoN2ao3YwdDAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0eAQH/BBMwEaAPMA2C\nC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIEqG0jtRIgWSU8ZB8F8ZbZx3\n/nZ9gIHRdYGPWceVWsVVAiArbMWStYT2fy2tj2zkGvxuKgr74VEY2l50gmlaWogk\npw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUTZkg8wlKBRJneYLuC0wjySJ/H1cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARIbvF6SK5o9VtHqflKYn5eN2j+Od2aX6D9Te37\nDD/EMqk8rNAhfi5w4455MGnufeXLFXlopLMLSQW2ldzWyX8Uo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUV4mtlpg2xEar2Yabg/tLwTDSPU8wHQYDVR0OBBYEFOiE\nlVHoeU1GG13AGa7kQV2ZjDXIMAoGCCqGSM49BAMCA0cAMEQCIDY9lAGqTYbO4Dji\nrZbJBrxbsRkbUVUgnW+BWDP24iDmAiBYCdx6LQAi5eP9e8Hoxbp9+KK2q3bu7CgC\nur31seYLPA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUesJN1RP4LGIEP5nkKgLUwH/n0uowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASDw6QN0UC4079esimgCH41flFxlyIFywpZZxZk\nCRDpplKH28/LxZFwSjX/gmtYBhuqtjE2/NbNYJ/3YJ+tQMl/o3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAaBgNVHREEEzARgg9ub3QtZXhhbXBsZS5j\nb20wHwYDVR0jBBgwFoAUl/8KrWbK6Z4wIO6mlx2YOQLvxnUwHQYDVR0OBBYEFG8N\nhpxAb/VfOYTOV5Q8kq8g0YdUMAoGCCqGSM49BAMCA0gAMEUCIBBG9lbAdAup1hOh\ntWkzsd3PF4mQ3KD1PBlgiF8OipmuAiEAwZJo7b0U4cRFnWjPMMPnMjjKhDZtbjoq\nbAEH5Jalna0=\n-----END CERTIFICATE-----\n" ], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrjCCAVSgAwIBAgIUX0FCGPG3fZyz17qlim7Loc9sYa4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT8MkuprOsz64hXgPEGjtOiWXzYAv3O03WYHzcr\npWySrjqBEeoe5O+vraKDnGNKu8pRz8UgCTV4x9+hsI4tQoaCo3YwdDAdBgNVHQ4E\nFgQUWHOdLfEs9d5AAfa4Ymr6aOLxwJ4wHwYDVR0jBBgwFoAU6ISVUeh5TUYbXcAZ\nruRBXZmMNcgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCFMOP0hcWpiYyR0VaJKbaa\ni3zGQTq0DEkVgBCWPXdu4wIgH/YLeYmhUY8ok8vZJVKbr3UCDGzSBilK0Y+Cnsc0\nzW4=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUBqkED6TciEeFR344evgY/zArksMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPbm90LWV4YW1wbGUuY29tMCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA9ub3QtZXhhbXBsZS5jb20wWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQhn1fCs5HqUXhgLasiIEgHL+4/KdwxYNuJbIkX\nk9jgOmNIrY1pADPfgJM7C9ckImXoB3XTfq3eYWs9WTDeXf5Wo3YwdDAdBgNVHQ4E\nFgQUooj2KOFFF/+qpHou1R7JlaL+PG0wHwYDVR0jBBgwFoAUbw2GnEBv9V85hM5X\nlDySryDRh1QwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwGgYDVR0RBBMwEYIPbm90\nLWV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCUPnkwd35XH2gsIhhGjUKY\n6Uurnq0prnckLYVa5bkL4QIhAP3vGgAhZORCtzlMaUM8SxI6LNVBVg2c+e3+8QAx\nxSWH\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -979,10 +979,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted and excluded\ndNSName of \"example.com\", both of which match the leaf's\nSubjectAlternativeName.\n\nThe excluded constraint takes precedence over the the permitted so this\nchain should be marked as invalid.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBwDCCAWegAwIBAgIUOxNknRkB3g2NknZgf6NZfHBI8m4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASC1SgMSOs89NMcJjQpkifDHvJrWU+1uP1QF3iD\nAMLCR6vRe0w11CdfYnjxdwv4BnfRof2uIvXsuGg9W3pFNQpco4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBRFZCSY9vaoppwkV8eD7M3MWjsWqTAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBE\nAiBoUGRV8OZphos1TDr9NbkP56tmphBGSYTkNxwu4RWE9QIgX7ZscrMmBRUtj8px\n2VmYCXJY/OjIpYjsb5F59Du9zVs=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUdah6fIr55I2pfABlEeWHwqvaw/cwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQu1Nthb37ieJFuWWEsz3/w5iH9D/Z1EhNI2lid\nXm0zHlD5qhmsh/9pshKqiVU4EFWF6pAzcuwYn0ydt39mMY1Co4GIMIGFMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMB0GA1UdDgQWBBT3tzY2oXpInhT9UUxdA++UKdOuATAuBgNVHR4BAf8EJDAioA8w\nDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF\nAiEAq8YDrWrVloUhEScCFSbx1u78Z/GW4mQiL+tB0PuRg8QCIDkCeOgoI5memO2A\n6uM1MmsVL4vMFZRxXgUvEZVPKSSJ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUFXD3RcWfTlcBZIbCuz0tG9q8JvwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKYJE26AiLXy6adIfBOk7UJ9raIXdOVRiEVBATiCy\nXrYhvYRXpBgG1jjwQyZnwP5T777QIAr+UWW9yoD9+Q5uHaNyMHAwHQYDVR0OBBYE\nFCQKmR8INOyOGtq5gXZTpzHtI0+dMB8GA1UdIwQYMBaAFEVkJJj29qimnCRXx4Ps\nzcxaOxapMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB0oYq6pHy7TmvP+8MPlIQDopJ9wC8Cq\ny1nR7gog92jpAiEA9GCgEIk87qLfRmmRygCqQzYsHte84+RQpjFAh5tMZFE=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUaEoU2H8HKSXnswWEgctc4Yf6fVAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvqIFpI2iyWuLfDDKp8TUEME+qZIFa/+tgh8W3ONV\ncU+UEEwdSBoiFeFh+T7JK+6TjwDhfb/XFjqlSA+6XqYgiKNyMHAwHQYDVR0OBBYE\nFH38jlw2pWdGPJ5DKz5lLQUtv+/mMB8GA1UdIwQYMBaAFPe3NjahekieFP1RTF0D\n75Qp064BMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBxqrZdmNn4Vri5ewRY3wfk0tMWZf4PX\nIMnr617iOMTNAiEAhYp+9rywRBpQTCvwSiEw3jaKEfqeHhlMbnWYH80oS9c=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1000,10 +1000,10 @@ "description": "Produces the following **valid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a permitted iPAddress of\n192.0.2.0/24, while the leaf's SubjectAlternativeName is a dNSName.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVGgAwIBAgIUEtoJpq6CAeejDqxskU11AMJnK8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARQ7rVdyDRleygCm1n19dTl6cu8VxZ1s/+aYCuu\nxQbusWGgbirpXMPNKq58NMNRiDhEKb2U4dDnp+jDNv9ThqlJo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUweUivU098FjRR+utqY83iGyAppkwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0gAMEUCIByOh7oPfmvrgbEwVVl8MlX5d9Yn\notP+TZR87I5X/IA5AiEAj0SzNrXvj+Ix3SesPcx3Yi+ypR0+6n/Wv8SVQrTeJVA=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVGgAwIBAgIUc1ysPf3H8MflFoN1mzWn/Pwywd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATi9KPZrtLHP6EmR6BuABbn8uza71O2G0qwYopw\ndiypdsXIXZc+YThHhefxz+RG7+NHyiTgricjFdczauHG+ngwo3MwcTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUCrYPCeL4/7bptNmZavOgmKQm+iIwGgYDVR0eAQH/BBAwDqAMMAqH\nCMAAAgD///8AMAoGCCqGSM49BAMCA0kAMEYCIQDEYZUrWlR7yffjrs8885K8Zy6q\nEeE6E583qGiHKkN4BwIhAPho8R/prAGbiL319qTHAi9GbuXTBRXfIlBS/XdcW1/V\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWCJs3XC4O8dA9RaiGgCaYM6aVNcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEp8AsUFRpxF4290mVvc25ivlmzpqtLbXDmkPvpkxR\nXQUxP3dsPp0LwXiPu+8rng2Z5AIlWGMJtU3Gpkc1vRK5aaNyMHAwHQYDVR0OBBYE\nFHdLS6jTBjK2tJnvWBKcubzIZ391MB8GA1UdIwQYMBaAFMHlIr1NPfBY0UfrramP\nN4hsgKaZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDPChlZAW17jcdQPUGGUCiWTboN01l3\ns8uIzyRXfBhBJAIgWjf5LUpN3S3fvN+EaTCZ4lCc7/q2AfkM2y2a2ND7w3w=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUI//eknrdDiLoCoeKTh0n8tDpcrgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE3bnwFTW4zVy/wv4oJUhlEGeisscdvK8SYvSzRBWk\nOFxy9h3s42R7i+UrURAsRRtap0yApFWP+xQo9a0ve7s9zaNyMHAwHQYDVR0OBBYE\nFJNsjaJt0S3n5zuPP71CmH/JvP2XMB8GA1UdIwQYMBaAFAq2Dwni+P+26bTZmWrz\noJikJvoiMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDJcVHmUYp2ovMfHdpkz68PcqVhTTbv\nA3BlJI2AtYCyXgIgVWER2xQc5muEi6GejbuicUJacR8FfgiZqEGQz3QCOZo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1021,10 +1021,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed dNSName\n(uses a wildcard pattern, which is not permitted under RFC 5280).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUEYFUoMSYuiaO5BULZI/VUCclb14wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR2nT4dEMRyuau3+IwZ7PP+tHL2aShGxP+s1wo/\nvCmD3pPDVGWu2uCCgYlDweC/4xl2ZKYMfVP1DF/4IRqgC6Llo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUniNq+RF08G/jhmjgQQEu7tdKY0MwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgb7ICiwR5sqxnwpg57Oit\nknS89Uf/eceLKdvLT2vtXv0CICsyWPXFYi+5z7vtJV38An8ybFYWVv2j6D8QSc0/\nDz/a\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVagAwIBAgIUOkpVFzG2YOxqqxmijMVerTRDaFcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrzAKy3GoJ+qVxtzNFSvDh/jAsDltsFaI3WFNq\nJtcUUaiTa5V8BNrxS0w7qKmbc1pTOK4u/xxqXpQ0rg2/xx/Mo3gwdjAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUwJ8Lz/+yTfmXeuhaR2zZwueG8pcwHwYDVR0eAQH/BBUwE6ARMA+C\nDSouZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgJupYl0Ozr8uVkWUaVk08\nkmpgh4WqkQX/dXiltDCjXPICICLVPrnpJKKKrbmvObpIdA/HDV/kOA/+c84ZTfob\nhYyQ\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUCiTsKQszyPPWM4ab80Lu6CzoVsUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE0rkfUNADk469+uePBEqZ+csY+johlap1B3zMKpMQ\nGwJuljVhq+09m3cEoCX3BtFata4shLLBuGli6/+uQpXhnaN2MHQwHQYDVR0OBBYE\nFOg9VoJbxop6L4tDCHe4ycJ+yZI3MB8GA1UdIwQYMBaAFJ4javkRdPBv44Zo4EEB\nLu7XSmNDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAw8ONQPgbCHfa2SGpoZH6J8xZ\nmjNyZWXdPK4ZEyk3awYCIDkDArEOhD4L8h9Fipuose2bQ/HkM2IPap97xgzv+yN6\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUMq+WAd2HjnKoAJ2aCXLO5ET27OgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXbRSvcIjM1HWHgPhGKqZKuCxkOdjcnXcuzbh8+IM\nHXPyXFHigohNFQJvzuWnEMlCM7FdLo/agBWpy2xx0X/E/qN2MHQwHQYDVR0OBBYE\nFJ1RX6rJCRhwEmoFzRy43zj5d1yHMB8GA1UdIwQYMBaAFMCfC8//sk35l3roWkds\n2cLnhvKXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2Zvby5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA+zzgthdo4zTVte0aHKwNxGNx\ngmQ1jMTeokSDr1dI1uICIEI3G0lAl98R4VPcUZSEXd51NAQdMZhDY4Lxdd+tIM3d\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1042,10 +1042,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> leaf\n```\n\nThe root contains a NameConstraints extension with a malformed iPAddress\n(not in CIDR form).", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpjCCAU2gAwIBAgIUB3U4O0XDOWkMEJxrgC/F6wqVDmEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASKldcpz7NEZxcSLPheHeJqgHk23Bo1ND4zb/li\n5uAkFEnfYjiNn5Owcr0Msgene9NA4B26Ak+JNTu7W6fFPifbo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUI8plBJ5bzkgtYOhuyo2CFn0q9mwwFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgPXRDmuE6Qfm41q2r60IjqJfz+QmlL0GS\nxr16BIrL3iwCIBEi4S7+BXG2yazdsSW1rfLyXDzzg8TngOqi0iQxqH1J\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU2gAwIBAgIUSvZNxwc7HPR5levo2+6HSDt6v5IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR26cinohfXDsBNTFnH+rH8uSJPPVRphvrig+Tc\nO1705omQ4f1Kx4/nwAqdWqTqvTM5r+TFCTFHAr+xYHfA38Ffo28wbTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUbUJnDmDxjKsx/IXrWGOm5mRwZAowFgYDVR0eAQH/BAwwCqAIMAaH\nBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgIbZBdecDbpYH6deyF60lDibYpDPmLm3z\n24vX2YWFQS8CIQCxuWkAYJ98AREeWhvVFu1sbT2Eps0QiAP0QwiSd5GnQw==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUEUTW0rEqmY3Ox3HCksHqYq7ZtIAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGdczDWVjroA/hjowFQPqEncH5t1jYfKH5MbdkrYB\nuVyaEHNqMerkx4Kw7woRrZbEhRx3HW6j/C0Tsi3+2j1kN6NrMGkwHQYDVR0OBBYE\nFMI74ptjBCFEDYMEsOztgPUJLl/YMB8GA1UdIwQYMBaAFCPKZQSeW85ILWDobsqN\nghZ9KvZsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIgDkDrZEG3KLbfQfwDoSryiX/UxwENX7igymdf98kE\nbWICIQDWOvzbcCSHVQDZ5oj9fvkDaSPKKlUv+RTFbLVl6rAXqg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUegAwIBAgIUZp0BkeLWoc7wo+w5FmCdmTwlduYwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEepBidwkpKLoNeN1rTqpLMtnnUN8VgP696woIe6jG\nFREVAzORguA3atkc+VX4K67Mt+g4DtCJOygO/ZWVu4+iSKNrMGkwHQYDVR0OBBYE\nFAE1NkATt/Drye7DcISm5fGprRlBMB8GA1UdIwQYMBaAFG1CZw5g8YyrMfyF61hj\npuZkcGQKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMA8GA1UdEQQIMAaHBH8AAAEw\nCgYIKoZIzj0EAwIDSAAwRQIhAIrJFyYtzIJXFT3lmt1D8aFLau6xrLRIT6KiAJ9N\nlZZ5AiBEiEI0ffvJlZUUyNzwUySOPgzCazuiNzCZWhqvaClIWw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1063,10 +1063,10 @@ "description": "Produces a **valid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUL2DZk0nAgwzm2jPEZ/77bTSrcGcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASmgE2gicycSkjppGz6/MfPqyovqLQh8zmhyYee\nYhqdadg+c7hpBR/XnHBtkyDnYxCYj071RbI6VFYX4Obz3W+ao1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4O853HWZJ6iu5sF3dzjP9szUQyUwCgYIKoZIzj0EAwIDRwAwRAIg\nIPc4A9/+ZEAY+Da3HKhmPeAcBNtnHCO/+LziYP1gBtUCIFfVCJuhw/WOHXFKhAcH\nDDFUdHKwkyZTEHhbpyj1fyvF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUW5/Mx0Mv1XUjLa2ClLib7TyI36AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARj2kdPhjwaFzqdwr0KYplqJnucCQOBU+qQ5Gte\nU9yQ8Nnchdhm3ZrAbcFE9BDFaAT9/EN8DMmriRnjT26eYzKvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUrTjjXzGHOk903V/IDAFCkrABmQ4wCgYIKoZIzj0EAwIDRwAwRAIg\naQvlt8eRmycUGIeEyUceWbR1+L6pBzNTQIVs+K4bdXwCIDhdYuU29ny/hbCe3RZ/\nHVrhwoh6pg0CQ8P1k2gl20ai\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB0jCCAXmgAwIBAgIUNVnKnrjaWn87qqDMhVmg/G96o2swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVdLCgJlIX/Tn8B2P/RAihGPcg/8aiuJpPU1Mr6Wa\n6uVghBtlJK4/2RC2tsV7f+DBYty8wW4mlCKsNHHIIRsQGqOBnDCBmTAdBgNVHQ4E\nFgQUEllIhWRv2lBXPzyKpWLaimv8yB0wHwYDVR0jBBgwFoAU4O853HWZJ6iu5sF3\ndzjP9szUQyUwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNHADBEAiBqHgK/9TQ3xGWfi6UcFP2p9SJrNKjZ/NL6aFh5\nPgx4pQIgEXPxeqafyygzZ6MOMbiTSsAFO4f71N1PBuBLhZ/Jdns=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1DCCAXmgAwIBAgIUKp4gzvkrqG80WYkiKBbT7CH5M8swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8e6Kk+eLQxUIID8Qw2Pzj165zvRBZickAB6j0l8w\nbiVx3fxR793Tt7hFp+RzuvCFGnK9pcTxgPKV05LLMiyrlKOBnDCBmTAdBgNVHQ4E\nFgQUpoSJ4MiQSdC3gL2sqKVIscHtOe4wHwYDVR0jBBgwFoAUrTjjXzGHOk903V/I\nDAFCkrABmQ4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wJwYIKwYBBQUHAQEEGzAZMBcGCCsGAQUFBzACggtleGFtcGxlLmNv\nbTAKBggqhkjOPQQDAgNJADBGAiEArmzHJK8yLRvWPpTuu2aJ2tjyV7TxEYxZhcB0\n7scHSzcCIQCA1AcTJFm3dTP4jwkPLkwtDWjsBwzuFKnejj0yIugXkA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1084,10 +1084,10 @@ "description": "Produces a **invalid** chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with a CA Issuer Access\nDescription. The AIA extension is marked as critical, which is disallowed\nunder RFC 5280:\n\n> Conforming CAs MUST mark this extension as non-critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUU3oVxRgwUAalAOkZEzmjnHNeGfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARG/b9Kme9JY9wQvvpYBLf3LsoROtKpAj4bvVV3\nWPDy6C9NwE4dsUCXjE8maJ4+0LkJTjcAxhFfuhoCw/Sa+yz5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU5K8YjxjlDWnRXEFBVyK3AAq0SG4wCgYIKoZIzj0EAwIDSQAwRgIh\nAPnbMU4sNKYkvVJ29UirMVFTaVkchj8NSwteRC+n9NF/AiEAvSW4mLBg7SEQNQVs\nO/GPyipjsWaqd1B6ARpuIPXOoqo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQJwFZCEHEps3QcaVcPP7mtzOTy4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsH7K5plQE0xDhukENo7sSNL9KL1wHesKvqjJ5\nDwLX4LRyycVeZQ0+ryfLY7wg+PDZ557HYzjgG2g/Ff7a8Eobo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUfEIQnLwVW/sNZBEhrF7Dm0mMq7YwCgYIKoZIzj0EAwIDRwAwRAIg\nBYK/sqz50VHlhLfab9+vXQPmWXK/dAuOyLVd1658m2wCIGqhzJ24tHhzCkAGjWMo\ny7vVqwysmt0Ri01yHpnHFlAP\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1TCCAXygAwIBAgIUCnHvC3XUwuoPScqd63RgGUMNCbUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXGnWazolqmodbj7IU+NF6HJd5dcS7pexi0Mr6oRT\nbUgClxQQtq444GJpo+JyrC9rB4wlxrc0Uy1C5CLra9dRD6OBnzCBnDAdBgNVHQ4E\nFgQUHWZ1TyeJPOAkHl0beV31h/q2JfkwHwYDVR0jBBgwFoAU5K8YjxjlDWnRXEFB\nVyK3AAq0SG4wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNHADBEAiBZR5Q3GzBusiotHytUUVK3/tHKgZ2XCP9y\nNsFTuZdTFQIgRmXWft/V5BHiQYZY3MPUA0APT3WCr9LqtfsV6xmFE9k=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIB1zCCAXygAwIBAgIUKKTa1HzEf9BZ61O+Ckay6JIHb90wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJnx8MHBqGimpXXzUOe0zdff6JX8xjIodaSmRzwAZ\ndaUCc3+17TKEFB0w7Zzyr/mIMZyiSPo/phJ3lzqQl8nd+KOBnzCBnDAdBgNVHQ4E\nFgQUwhi87zsXwKom+ktn5qFwIB8moBIwHwYDVR0jBBgwFoAUfEIQnLwVW/sNZBEh\nrF7Dm0mMq7YwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wKgYIKwYBBQUHAQEBAf8EGzAZMBcGCCsGAQUFBzACggtleGFtcGxl\nLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA8TDPbRB8Cbl9IXiHjxHAzipQwjqkkoYL\nuzICAC+FuIYCIQDZwRK6Hk77KX1LSqVWd1Zo5ZYizWyjOpyJdhDDTDiTCA==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1105,10 +1105,56 @@ "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a non-critical Subject Alternative Name extension,\nwhich is disallowed when the cert's Subject is empty under\nRFC 5280:\n\n> If the subject field contains an empty sequence, then the issuing CA MUST\n> include a subjectAltName extension that is marked as critical.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUFkvoUj4nDntgR7sW/NTLDAuHNRswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASPPBp3uFnpjPB9CXP09GXdGsjFj5pglE0OvP7X\nDmj6peCL+qAXBySt6CKz64TSx5xTY4eS5a8o6XA4h0BoeQ6Bo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUxVgHxJ+Br6lqUEitWAjL9MDcUUUwCgYIKoZIzj0EAwIDSQAwRgIh\nAMA49x385gVyijvzJFs3yzkdF8Ii8sUKsICYQAmjkoPRAiEA8ZvkETmVHoNP61vR\nQfqeSTIH/c6dPRWHBqRMBVfDbGY=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUbB4tyTsOtYywha04jq7acZn0RecwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARDSzzzVeW0IdbyRegkd9FruSVPbfBo+z930GF5\ncq8F8TpjD2dR6AaeO4UetIooL/QQWXpIOypxETbgZqTbU+bvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4Kt1Ki00EAsAHchUyvELsVr9uikwCgYIKoZIzj0EAwIDSAAwRQIh\nAP3MpSpT3FkCAaUpSXZBBA67HcMacPZMq6mQzPBGdmQHAiBsU/bW8epJsMWxMgli\nIMaxIpjL+RU7qQzGq5UBHxYE0Q==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIURcMzCmpjt1RmwBnUVdaxBiGnwYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeubdQOm3\nbw0PrksR5Z49stXQmcVNDCsjd1MsN9ZE8C37I7QgyNrGPDKXFOUzUB+yzsxHGaCs\ny6IAsI4tAub1tqNyMHAwHQYDVR0OBBYEFHRMrI42n9+YYa1L9IiKLTmWpU4KMB8G\nA1UdIwQYMBaAFMVYB8Sfga+palBIrVgIy/TA3FFFMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUC\nIBPMesJldlJRMJ1O6iidTEEpyt7naMV5ICpMKCrRQ/IcAiEA3KdlZzqUk49CRKfN\nfBF2G1xYCjggkiMePwYRDadBK1I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBkTCCATagAwIBAgIUBj4Hteni3z53sFKu1te40/pZceAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIJPwcXs/\nlWIbJCLVO1NQNIeiDqwfQvUlmnwa01iDx/EjHJgBv806OZf7CWGDob9LqZ26AQcs\nGVpwR+d9kCLyoaNyMHAwHQYDVR0OBBYEFNw80oeyO4+IG3+i1mbrLJCwQWc6MB8G\nA1UdIwQYMBaAFOCrdSotNBALAB3IVMrxC7Fa/bopMAkGA1UdEwQCMAAwCwYDVR0P\nBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYC\nIQCuPkGDWB+xO/4KPBOGuQfUYWExFFF095kMVL148ELQxwIhAJ+eAe8imlfud3+/\ni9kpn8vqh1ByJLkAhi/yHnbwVVqk\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::serial-number-too-long", + "features": [ + "pedantic-serial-number" + ], + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number longer than 20 octets, which is\ndisallowed under RFC 5280.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUaLmVxLb40TUnmzAium8ATjMnG0AwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARhpiIIIF1TQzIfq7V0N7muZWReVpr7bw4x+NdP\nZplCAI7cYaPY+VlDqkqM9dce0U3fIrriPukMmu8d1xBQrNs7o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUH4U18vfVx/Sii9RdiF2xDlkfwUIwCgYIKoZIzj0EAwIDSQAwRgIh\nAKE75NG6wWJw/xm8/V0J0xwXKGnnE6UJ/wko5z349UrOAiEAtEilS9d2BBSXLLrX\nwIB0ewMpaYaPzhGBzTECVHhsDoE=\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVGgAwIBAgIXALdIpF88+JgstJMMrxY3/cAhGH5PlPAwCgYIKoZIzj0E\nAwIwGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoY\nDzI5NjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEkMKD7TCzLslqKMHuE/9AFgjTu9nKKFec92sD\nlP3q78t5hrMxxjIkY5k/C/ZcVWD/CSs5VtDnLuXfzZdT9MngAqNyMHAwHQYDVR0O\nBBYEFIXGBpmoDKX20+/9eRU8JUTgjuhuMB8GA1UdIwQYMBaAFB+FNfL31cf0oovU\nXYhdsQ5ZH8FCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4\nYW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIH/kMgVkfMPWAo8PnTU5USEWxdVC\n/53dwOvNn6wmd6RhAiBRrtgcOgIqIbvgLhFNxL2swL0uwvRqHyJf1uYrGUh82Q==\n-----END CERTIFICATE-----\n", + "validation_time": null, + "signature_algorithms": null, + "key_usage": null, + "extended_key_usage": null, + "expected_result": "FAILURE", + "expected_peer_name": { + "kind": "DNS", + "value": "example.com" + }, + "expected_peer_names": null + }, + { + "id": "rfc5280::serial-number-zero", + "features": [ + "pedantic-serial-number" + ], + "description": "Produces an **invalid** chain due to an invalid EE cert.\n\nThe EE cert contains a serial number of zero, which is disallowed\nunder RFC 5280.", + "validation_kind": "SERVER", + "trusted_certs": [ + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUVuFxalLQdRYq2Xm70ynJMtnDc5EwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS+QoQ1gavLPcIQnv9BTfKxYz+xDn5f89xpNqkW\nftuFB0cdhXP5DZ+UtkLfrEvQDXuMdhC9A+u/NEXVbrgN+6bxo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCgYIKoZIzj0EAwIDRwAwRAIg\nW4MJgKbLsDidqpIFXKVUolAziU7zaNTOB3EzMiFNMw0CIFjEh4VaLF5GltRw/dkv\n31jQ54SSSt8osXt9L7h0yhtY\n-----END CERTIFICATE-----\n" + ], + "untrusted_intermediates": [], + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBljCCATugAwIBAgIBADAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA94NTA5LWxp\nbWJvLXJvb3QwIBcNNjkxMjMxMTkwMDAwWhgPMjk2OTA1MDIxOTAwMDBaMBgxFjAU\nBgNVBAMMDXg1MDktbGltYm8tZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATi\nmVdieALrrbL0Vm5XlwseAAip4o3Aefau4tcL6BowGfNmNEjcaPDdF4AMP3oYt+uS\nAn/y5HTw3V3MXa20s2buo3IwcDAdBgNVHQ4EFgQUbXaFfYLenG2cI8kVW5gfBt7p\nAsIwHwYDVR0jBBgwFoAUr6fxwhXG6njEYXYWqj5Mx8b0cOUwCQYDVR0TBAIwADAL\nBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID\nSQAwRgIhAMObSATfxBkr3elONK/ijtczmZo0vDUEWcMYSi+HBO9oAiEAj8bgVl8J\nqUi2MerrdyQbIHgJCjTLyS/zK2xAcQtmgg0=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1174,10 +1220,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should verify successfully against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUCJhLV0HWIqFpHmluAQC+qi5lDuAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARCT0E9aZW06sMW/fAD9Ys6vTw3VL5Zy1q/bhnD\nc2T4fWUUKTc+hgUcDrEHVPwcW6hMxmUJ7cVk/ReEEcOWSzhRo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUljbuY+c6+huxT0uJvGeJtpvl1aEwCgYIKoZIzj0EAwIDSQAwRgIh\nANQVez50aTzq4nG7XarIMUv5ZRQ+WFigeLKEPzejkxe8AiEA/PzPwiahXMzS8scA\nN61cGERivbqweT+xhDrLBd+dQYM=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQF1v/9dcX8xvz9stIt3pvBDlONgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARusl54v3aQdaEwpTOVgiWboWUZKKxDWm8owfao\nZguLac24AJQBND7LYyFSLYgxQs9Y6g6/QV9vKdgSzeW7rc1eo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYcNwnh1/TyreGDT2uXaPU53iUNQwCgYIKoZIzj0EAwIDSAAwRQIh\nAIR0+osEiOwkZ51FXBO4AkQvqvoTYwLWsj+/Ep4n8DKLAiBSzgvnJLthTz5odLh3\nAHfiq+PYCG9OKEuXKEkPeyq5SQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUPIe1uc8p9JGOfApbd62KmoMXK0UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpizKJsYvrROwdmmQcZLnpVDV63TMITnusX1YQ5+T\nv3OxIK0LXfi/Xxjs8JAtID43NxgNYYbXM88ilKxQCxODbKNyMHAwHQYDVR0OBBYE\nFCCa938/Twumf8rgJFDFAvei8Mf5MB8GA1UdIwQYMBaAFJY27mPnOvobsU9Libxn\nibab5dWhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGnLeqYF6+s+MRIfEVgErUm5dVLLgVCe\nMqqC7NtVEW7AAiBaEIltx35XSZ89mrSnlTknubH10ppvj7sii5qZCNSbPA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUL0rDGUHPUNAaKAjtSByazhtWAIIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEpFULyqYONxu/akgs/5YAVa1qKYp+6PhNSrOmHcu8\npHNX1xJ8LKNt+t25EBFRZpfIEJq52+ep4doa2EAnsdHHJqNyMHAwHQYDVR0OBBYE\nFAQQZDMIa/SCHDetvjRVr3cmvJxVMB8GA1UdIwQYMBaAFGHDcJ4df08q3hg09rl2\nj1Od4lDUMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBn1LqvF/ZsN7FYXEVoHXxypPbjAAqO0\nDV+UerXlnhGQAiEA6mmF7ZigZHH8LOdlwFSMhsJD2bBBzADsLOWZWa6TRNo=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1195,10 +1241,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"example2.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUeCG4c6nEcWkwuPc++u+RxjUZhBUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATiBGBLi7jXZF2iLs5vs6IBVIJ+yYk8HSoyJUdE\nYPcaLIqgNco4isTqeSSXR+J3DDsllzHFNc7HscPCTanImUHFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUqDhoZqtkjgcYrNMy3RMT4OJxEzAwCgYIKoZIzj0EAwIDSAAwRQIg\nMTPiwnTON9o5ehTO9G4Z+wrbsUHW+ujhAPmzYD2QFtcCIQDPZKDAqes7wMW+GeKX\nhCULCC+SJkeipZirAVnATgw1aQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVk2TYUXDnv7FTcqN7aH2ELWIvfswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASfVOPb8CBNIcq3oozwu4fDHST1lOi04FWRxBSF\nj3hSr4E23UEzqxbK1rEmeyLXxPGKNjVlbh3N1HGCHTv0MhX6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUYp+BthW59hhoO2BBmz/J1EitxhAwCgYIKoZIzj0EAwIDSAAwRQIh\nAMEVuDPTzUKTjcc2NcWWpelskeeo/B+0NGSFyUezpSMGAiAbj6pSPDo/loG0bbvr\ntu/O3qJmVCV4pgws1S2FHhbfJA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUWbzbyODwOTcHxs56i/y8Wuv5RHMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/iBo8FULqNuJT9zjTQHMLuSXiYTiPUjBVfinM4Ee\nw6V+fGs5n1Q9N8C68JqVUpDOJ6GJMn5hA2QTyqkxIKVVCqNyMHAwHQYDVR0OBBYE\nFOW+czlMvVmMXIik4iUvsX7MMqYRMB8GA1UdIwQYMBaAFKg4aGarZI4HGKzTMt0T\nE+DicRMwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQC5kC4Vc0uDvCnTcc3siwXah8j8p1p7\nBdwS7buWfmM2YwIhAJE4oMIr8p0g82aBCzvpAEym++8CBtLqpGC4Dr4SIPgV\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUWGGaottBxPRT+HlBs6uEgzxZlAowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4Xi1GxPLGHlegfSBx7aa3Oxwv4YLH8NMU3FZhCgc\nSk+9/5XLl6tm3mZqLHIyjeXS7UllCAtDqN5tuR31zvBHVqNyMHAwHQYDVR0OBBYE\nFBKfjixw9UZXouh/H77u3NF5/Sw8MB8GA1UdIwQYMBaAFGKfgbYVufYYaDtgQZs/\nydRIrcYQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDLWD/Et3eWB7dAGDK/sizTrIY4E+WB\ni5hTKC5k0mEW5QIgWZERsKsBp2y9NQhnR5rCaHmzPZBBjEcVt0AJEV3uS30=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1216,10 +1262,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"def.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOGmPlYIIxIJMMCLWjtvCZMal1/YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT79MH3jKtwdp3Ed2mQ6O6/HvyiIHFmNOYNS+6O\n+Cq6P/KMLykZfkNmekBUYg6UsAN35On3eYtPTw7Lg6qAZlU5o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUVfhpEQSPm6l8+q1L0DAVXAKMatcwCgYIKoZIzj0EAwIDRwAwRAIg\nacaVDePHwwqxBiHmXLRmR5BhEgOJjEWH6sU1gdttHwQCID1N5zLP6m4V/N89ccmL\nHCruCW1r+GVJ8naUCPnk4ogu\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUAaAgspevIuW8hv6h486BK13gLaswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASRbSvodDHpJHp9g34G5hQYfTe9XLTVCMAqG8RH\nZFzFb9lGADOs0xze91DeIqE0B8NMRNceb2Qgm73IFKfrl+6Ro1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmPh4DCXyrIFEm/tpwoR7SKtMpbYwCgYIKoZIzj0EAwIDSAAwRQIg\nPcMH2DpVllH9Hk3uyqrnDIgTL4GKqEChkuwOmpueZwACIQCVqHxdd2/u1UWH3rXr\nUPbMJsU7upGObY3qG9S8ohVkRQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUabgJ2oJA5BCnD6Qw3J+ZDq29FiwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEKSRRA4u0ScGvjcSDQ+V/U+fHtHEs9sViYYfZYAal\nBEgCDToijwyJxZM65eqU3pIepF1iOzcC01EDmZ1qXPjxr6N2MHQwHQYDVR0OBBYE\nFDv5J31g+pbYQMq8lUlI1+h13hDRMB8GA1UdIwQYMBaAFFX4aREEj5upfPqtS9Aw\nFVwCjGrXMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA9h/4THSmp/+7wohOSfYUdYRE\nxGUpQUsoyEVntI/ge/oCIEYDs24QtVBTojBbC7LJOOjiqXCW5/A473DjBl0VlMGp\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUK3DdE4PKVOori041Ps5K6K1gCAEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEZmuQeRnVLLgdbvnCDKFmhb33FwS/s5V+KHUxpIR7\nCcuD/Pp2+MtaQ3FaY+2utv+k1ZAPSqHtkxziNLt5lOGaqqN2MHQwHQYDVR0OBBYE\nFDqouf5JXFbRePg6aIGrbCQo/fpAMB8GA1UdIwQYMBaAFJj4eAwl8qyBRJv7acKE\ne0irTKW2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEA7qkRePp90y+87T24+IhYwElN\nofbh3rrAjj+FoePkW0wCIQDa5Or43N/QYkpw6QQ8A2diAncEifkbkgLaZjhRACOq\niQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1237,10 +1283,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"example.com\".\nThis should **fail to verify** against the domain \"abc.example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUThohgt8Xz2P0CDqY3Hkjrxf4CiswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATAqrmg/y+z1tRUZ/ulVoNV9LIACtrOoe/1tp6T\nTsfQXpv7TMAO3scWXQkkCqkDAle86IgrD3s07sO/Oy7qtRYHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkd+XBeRZXwgkKzt7Ei7iJBGP/7cwCgYIKoZIzj0EAwIDSAAwRQIg\nPjCmHmcg4sj5UHn/qfrU4oMo1+PZ1cezB+5liT7hOA0CIQC7Rc2yt/CWg/gGh+c/\ncHMZbMnBrO3khh7S35dAAehYfQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQicRDY+pUvMPDkGXTTD1T4bJ35MwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT/wImXzXKF3t3C7AFl2YDBxW5Y0O9oquz/KnDM\n9ahB/tTdIhLLQ29X4v8lPKD85h96Tl8Lnbuk2rdMVA3CKp+No1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuIriSz+LZ1+SSTVEHyOAFYm0VMIwCgYIKoZIzj0EAwIDSAAwRQIg\nWVVG4esXBXJb6Y4lAtpXeQy83prf8DEJASw8lo2cj5UCIQCTNFyJHS7F9iVjP2V5\nGtv7DsrvDccjKm39yxNsi8rBmg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUfYh31CnCdzI9mnPut9Gaa1EGaq0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEYf0NTQ1KFIP6Xda2U8c8Sg6XVRUP8f4sNSsK5Z94\nI/BDFmQTaIyBmLrPfc1CbbS6k+mWfS8s36gatJi0w8WVJ6NyMHAwHQYDVR0OBBYE\nFA/JjqVPO/s5gWllhL7/bLwl1uB6MB8GA1UdIwQYMBaAFJHflwXkWV8IJCs7exIu\n4iQRj/+3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIQDCXX6thqfiDd4LYvYjYGiWkbxOVxhM\ndZOPpCldoYwXDwIfFK56cet12ILpbcTLp5tZnZ+AfGvsLmoouHXKDLDl4Q==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU6gAwIBAgIUcDlGwevs52Tkj8U1JbWvbExaBpUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE1EgmZugwqVBB3ikUOmEinlXgTp3akyMJD9Z3j204\ng3Caabx5A7YtfplfqPX9zECpWjSAl6+OleDR/DXKHmhX2qNyMHAwHQYDVR0OBBYE\nFLhM9YZ9s2fNgihbAUkYL8//ON5FMB8GA1UdIwQYMBaAFLiK4ks/i2dfkkk1RB8j\ngBWJtFTCMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQCyCJtv+HY+j+BiSjtdH0a9XcOcbRBk\n1w/ndnfP2QOrqQIhAIW2/eCXRrXGY3znbhnsMSXpgUHBzhve+liNREoaXhHw\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1258,10 +1304,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"abc.example.com\".\nThis should **fail to verify** against the domain \"example.com\", per the\n[RFC 6125 profile].\n\n> Each label MUST match in order for the names to be considered to match,\n> except as supplemented by the rule about checking of wildcard labels.\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUC/IWlMOYevPFCQBvRfVcmAQzMLwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAR0Kh0/PRkY9l2RquvfdEuZt/HsPKcg8gaseVIg\nj0vhXaZMFYh88hTFNp6d/z07X1x4qVSjO0iGEm2nLWpVCoU3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUScTZyj5bpCz1JS2L+k6qjuPLtPEwCgYIKoZIzj0EAwIDSQAwRgIh\nAIov1SRvSBeJTP6U3zpBmtbezuaK4djOyAqOMGy5Ia3ZAiEAr5AZ6KwpfCg+sZnG\n3BjU3QMGeHbtrbGckLIlU7A63xo=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUAUNhcRiwqR71HVb0m2ZIodbh7YowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS2Hv7qbRBLaQudOhlnnMev5FE1LhmE42uHVTKF\nSjsV11nQpK1vjylQhEsHfKCoHJ05fReYu9BwLlD1UbpTAKAPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUAhD+B0Er8WE84nI2Ot2NOadY2vcwCgYIKoZIzj0EAwIDSQAwRgIh\nAMgEuvfkMBWpTmgVuFGUl01nE97trThxV2sGlWU4QDS0AiEA6J3MmZZlibvb7oL3\nBMiuLifI7Kdbb78DdRqtRILt6KI=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVKgAwIBAgIUY/thXtqgBYK83RuX7VYVc6qzTyUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE/QO1yNt1LgB/gDHY+Rr9V40C+7MtMkx0w+rYl/8A\nsNV6ogDdyIYUPXo/dkfwKOZAy/FF1a1LFlhLlL8SuA2faaN2MHQwHQYDVR0OBBYE\nFOlrwkxqJ9Ar+yi9iO7P3fj2WLwAMB8GA1UdIwQYMBaAFEnE2co+W6Qs9SUti/pO\nqo7jy7TxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBVJfmC5gcR4HocneeMV2J0FEkJ\netRqxuqUW6gmV7+iMQIhAJgy3voSMdoc69JEfETj2lYB2GSN1rhUar6HG4fVFTuB\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUcKY76Hz72Y/I0h837dLrHmUEGkEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE4nBIJvYnZCb3xWagkffmLbvmdqluPCSmHofqRk8L\njkSNftXmhMVePycESKqzIztukZtTiv6y23XWt4WHbWVwAKN2MHQwHQYDVR0OBBYE\nFPegbXRAjCle/oStuxK7jof8dsk+MB8GA1UdIwQYMBaAFAIQ/gdBK/FhPOJyNjrd\njTmnWNr3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2FiYy5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAvBTj+EIrF+OKzNT78HEJ5V1T\nZ6H2x1Hkbjm5bE1WD3ECIQDSVRA1u6eqw0/2kPG3J+taFrqjvgiDHAWFPJRzupe4\new==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1281,10 +1327,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative name with the dNSName \"*.com\".\nConformant CAs should not issue such a certificate, according to the\n[CA/B BR profile]:\n\n> If the FQDN portion of any Wildcard Domain Name is \u201cregistry\u2010controlled\u201d\n> or is a \u201cpublic suffix\u201d, CAs MUST refuse issuance unless the Applicant\n> proves its rightful control of the entire Domain Namespace.\n\nWhile the Baseline Requirements do not specify how clients should behave\nwhen given such a certificate, it is generally safe to assume that wildcard\ncertificates spanning a gTLD are malicious, and clients should reject them.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUE1Ez+G8Fp5IIHRQk91BUj25aTNAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASv9OBC50OmFJYoOcc8xoKMQFcT/PCQ1zYKNSoS\nNQADuBPPweR24/8WuqG01WUMi4e0r9sEUTkUDvTK0u6atIl3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUnUI6eWBtmFLmPfar+Qgvi/SraQgwCgYIKoZIzj0EAwIDSAAwRQIg\nTxhTgIi5SSjqQEqp1I8Q0g0m9YdciiQIWFX+mMqxxG4CIQD2xa3n8k7G5HX6qXou\nJY4JkiHwKDUCvpLC2q8X/nj3Sw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUVgYTxqbCylvAthB1HkxJkmz4GjcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATrUSciHP1ClYowVKHnYfNANo9R1ETdhT2jQLTs\nXjERbxYdqiYejs7fimYwTssUNnP25QnVtKbzu3mas4cDaBPlo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU84EEFINdgyFPabgSPUmhGvCyTdEwCgYIKoZIzj0EAwIDSAAwRQIg\nYlgIogX2rgXxJmHpghUZxCvCu4DziVubR4jiUhRl1VECIQDgyfwq0F0nwPDijgfh\neHqdH0584XcQLPMc43arXpQTEg==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBoTCCAUigAwIBAgIUPGCQe9O3ObeQrwbf4uFrdZyn5QswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJ8MP02FUodQSmPSXd6RiIK1RgTbGtff4G5qhkGvu\nAK0Japjdw8IOetDQSIEkZgte25TNrsLHjEHAE8LaPGE4VqNsMGowHQYDVR0OBBYE\nFJ/+w3raWjQ6ms3D98uGRGWzPRSqMB8GA1UdIwQYMBaAFJ1COnlgbZhS5j32q/kI\nL4v0q2kIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0cAMEQCIH6EpdhXCV/G8ydQqMj2r0yuqQCG2BheJ/X/m5UE\nGofsAiBp2r+huPgj506hTxCAVWtaypGH5Hrgt2ivjJgfh53ZXw==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBozCCAUigAwIBAgIUT7WlbnpeXo8Owhj9fl+zbVCVDxIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE79U2OH+K5Re9m/izsr8u+fZxZnFtNu/FnVCPTgOh\nlP5tqOn5D76JbKKWCFNBvGuA912xl6a8x6cwZC5bUssgDqNsMGowHQYDVR0OBBYE\nFHWi/fQ9ViUKlp98NaJfMronjujtMB8GA1UdIwQYMBaAFPOBBBSDXYMhT2m4Ej1J\noRrwsk3RMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBAGA1UdEQQJMAeCBSouY29t\nMAoGCCqGSM49BAMCA0kAMEYCIQDKLna+ApmXR4lvJXXcYjDh9iOnH7/9ucMQcOrT\nUjZ+PAIhAIMMBa7ao+XyDZIHbpVnHfEM5VO881Q5KFlanIzYN1V9\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1302,10 +1348,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should verify successfully against the domain \"foo.example.com\", per the\n[RFC 6125 profile].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUWCw02c1ZByJeHj3nm4VskmRa2XAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYvKtsA351jw2podUbGuf1zURI5nq8P7+RQGNl\nwvYgkJx4DkyJIPsYhKLEQRbR8sjY18ceaZhj0rtkHDIygtjOo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUXufc55zdfkxGdOsUunelnyuBP+QwCgYIKoZIzj0EAwIDSAAwRQIg\nGrPzVL06H6nHRXPViXZpG/6g47hBLfITYNxc4OZNB2MCIQDc6Hzd+lS0sCekXNBg\nmRbKG6ox/VYn6Zna9mPGTXXtYA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUOo1m+qD4vhjoZaV/t8rKQUWT1lUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATq2I8ES6Rwzzn/oTyOb7bdkwH6Bym59N6Bs0zz\nUYR7SftTMx3SsvZb/2rDDYhzAu1INWFoCU0rWAS5zWK11iuqo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUjk1wTOIdEdvqts+RXGuqYrksXRswCgYIKoZIzj0EAwIDRwAwRAIg\nNOFmQtXZnMil5AWIwpXLJvXTTt9o5lwlHAmpb/x0WJ4CIHZqw5b4cHB/FBnj0mzG\nyUufLoCXCyeCed6rTKo9oGRD\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqjCCAVCgAwIBAgIUecT+6PlepK8VHquHuN6HzYsOV2owCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAES5ArpZKvuim+xw7hbjGglRsbjRwEQNC6iH1WoqTb\nQ+pOHG3FcFn2tVCjIOJf/0fSXgy6Ae112wg6NAumP/b3BKN0MHIwHQYDVR0OBBYE\nFJreUnk13r8j9PLNqZm85zLwJerXMB8GA1UdIwQYMBaAFF7n3Oec3X5MRnTrFLp3\npZ8rgT/kMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAPaoZiHniIfgOWIzFuFwV+89Vg7P\nNk9sXgU7xgh7a3FjAiB87TqziRz6jDDxuHK7PaKSQJfdgmHBrJCEzEUCK43WUQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUULhgX88BbwTVXs77VEhmIeQzV+swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAET/1sDVvq011MLgzrzUwts5R398/lZZ2J1s5uflHJ\nkuchnCzDEwhcNhDbTQGUFo4vtA1pIZWb/Xqhb/LijUwAO6N0MHIwHQYDVR0OBBYE\nFIOQDq9awa/17pU9oXzb5zvyXktpMB8GA1UdIwQYMBaAFI5NcEziHRHb6rbPkVxr\nqmK5LF0bMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgOYqIlwJ/Hh9kI1e/0/kjexcAYHzA\ncLzznpD3xK3scRcCIBdEQVh+OPRWUHtupeN3Fe4mi3LdmVjQ5fxYac2v5A/2\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1323,10 +1369,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"ba*.example.com\".\nThis should **fail to verify** against the domain \"baz.example.com\", per the\n[CA/B BR profile].\n\n> Wildcard Domain Name: A string starting with \u201c*.\u201d (U+002A ASTERISK, U+002E FULL STOP)\n> immediately followed by a Fully-Qualified Domain Name.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUEh7Jh3bIUr3XsnLFdoRkxk16gJUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQvebXjF5ENvFw++u0jirrm9Kr7KqHA+7F6zlin\nDmDwb/j/9eJLKN8HwzbWQ6JhsnE7lC+wzan1XMb3VblFUXaFo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUmkpe3vdND4GvOAQuCpmQIoiS/3YwCgYIKoZIzj0EAwIDRwAwRAIg\nBioe8oaUfjnXn942pTXI4Ompn8KqGcuyF9A+q90QcfkCIAnVzdWQpBvgLv31a5uI\nl2y+xIEfvl2Xl0C8NSqBXnxF\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUSSdRAIQZIrXhYWsM4pTGcNifwUIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT+w7B096Qlaz1n1T/HwmxOZ9k53liC9RxphOsv\nV6hIPWxbFiyx4L24C8+51/P2ueLu1J+4BeN+TijTHKF/7wqoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUemLU5cZxiorxF137kMYZ0aS9WTwwCgYIKoZIzj0EAwIDSQAwRgIh\nALralzEceIg5pN6Flohh76l3zVLvE35HwtLeFxVX9QWuAiEAhQutC8vW38HtxT/8\nz1JSEwbsz+PiN4pgUBJDjScnNIc=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUAueeQUXasWyJ+Id5zi55y7+NmYwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEt6rMI5v1JzNbcqrhCA9yHS8LqlAYWhiuMaZ4QDgA\n/xo+F1DEXU2vm1n9zw6QquJA2YLhvKnYF8N8pPjRChTj/aN2MHQwHQYDVR0OBBYE\nFKuzQVJr+MbOHIPSYDv7lDJ8dkZ5MB8GA1UdIwQYMBaAFJpKXt73TQ+BrzgELgqZ\nkCKIkv92MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAtP+23lAx1P0q3qmwEq9WNZqo\nU5Lnar6MTbTunlba2WkCIQC85ba8dkdJ9f6wB0OehDo424f+ckWLHDhdmgXhWDEK\nnQ==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUCtUSA5y3+LFOyrZAnSzmAhtqLdMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEqgREOVYbBNXcTfsZNq2e3s1Q2Y9b7LlGEcEl+TdT\nRKuVJAGI7nnQeSjdPyhx+fioa1K4YB0aYPfTkBWgBqse+qN2MHQwHQYDVR0OBBYE\nFJlTqMX/RFV6vjzzB8kU8pKymRoRMB8GA1UdIwQYMBaAFHpi1OXGcYqK8Rdd+5DG\nGdGkvVk8MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBoGA1UdEQQTMBGCD2JhKi5l\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAzG0Iw8s1n10OJmPc/tQlQ1EE\n5CoaTgyFjuVkxYapXusCIQC12NGDZDUBOKtcHqPIQAvTM1AQY5eoClrvHVNbCaOR\nvw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1344,10 +1390,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"foo.*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> The client SHOULD NOT attempt to match a presented identifier in\n> which the wildcard character comprises a label other than the\n> left-most label (e.g., do not match bar.*.example.net).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIULvYmlsUZDi1JltJq7dMpElEdFpEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATEqU5MtxoNt3amrt5DL6+y3cwo/jS7eGYDGlzG\nsHCDAUsxvoEEKRAfxXLv3eZNYZfu2b1E/bo+6D2fcbkUiAywo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUuBt8ikoYh+C+eTnY7VwZv7eHBfcwCgYIKoZIzj0EAwIDSAAwRQIg\nE66jnyrOFeLGEK8VdgeajnWiMGcZ6z47ycnzF8gKTl4CIQCfrCNXlSF46FcZiLKi\nt16LRugZnzneYj9Wv6nHVpz6vQ==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUa9v4mlUtNK/jY77ffRC+aO7534swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKfEPit77/5P/gC0DNPiQV53SuJgnT8ijXHcKJ\nIbfVUm+/41Id76vv2AMPn4Pmsuf5yL0SQgZOFwRjWlaxxoDko1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU0pm/4M9yK4fsbLgwCrB8b67Mez8wCgYIKoZIzj0EAwIDSAAwRQIg\nBcv53Mg5nxVofa1Cw5C0rNbyk2ugUMTA2HwBiByXEpYCIQC1b8fyXGHhFIUDt4Oq\noTM3jfpd69Bh5prYcL0tzwtAgA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrzCCAVSgAwIBAgIUd6EwEtSpVNqZlzZ8wW4KxAvJTS4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAERDNmdcT/H3Ni9uIezY9NQMTQj3cHP23g73Xoexl3\nU72wtLd7FNqmjRRLivVO6QV4vVBcxMXZcTZbwHG/35IWhaN4MHYwHQYDVR0OBBYE\nFFZDUHHs/YSjeUIOiq3PRuYfVKomMB8GA1UdIwQYMBaAFLgbfIpKGIfgvnk52O1c\nGb+3hwX3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQD7410AbwKLkt3kFUH91G+9\nEXCCJeX2wpcHBnclSTWBLwIhAL2jMHTWlIovRltF6dNn4Gbb+JiycCKBpvq9+rAc\nsyS1\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVSgAwIBAgIUblLB+ZgGPUPXRWtBTVXngzXesREwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEycXIMa9HG/LDCh5nRjVHv2CYUKnqt8Mry9XHoIoX\niQPE9l/Lpfta4CUC9+KwgmCUAoTazLFU5yn4x/QfUIR/ZKN4MHYwHQYDVR0OBBYE\nFGsH0WyIwQtgkTcopTJCaH/+nhHYMB8GA1UdIwQYMBaAFNKZv+DPciuH7Gy4MAqw\nfG+uzHs/MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBwGA1UdEQQVMBOCEWZvby4q\nLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIBEaAyYnEkYH19QXDAU5K+lb\nOfz7UHnnqDnNwsJXBvAEAiBGxstkTCaKhrAdBg/aDOOgQkZTrXvcda1DBxknTP6I\nGQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1365,10 +1411,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"*.example.com\".\nThis should **fail to verify** against the domain \"foo.bar.example.com\", per the\n[RFC 6125 profile].\n\n> If the wildcard character is the only character of the left-most\n> label in the presented identifier, the client SHOULD NOT compare\n> against anything but the left-most label of the reference\n> identifier (e.g., *.example.com would match foo.example.com but\n> not bar.foo.example.com or example.com).\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUQWw7sgVkrQIdw4fME0vInkMLlmQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAS1blFe2dYlsRrZR9Thu5nEM77FQkx0BpQmP/bz\nuTa6RI+/OFLPDUDk6pRQQ3YXKnuMvio+kBa68yjWLqudy6pJo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQULfWgwQxuLxSvdW+jW40Bc5AwEXAwCgYIKoZIzj0EAwIDRwAwRAIg\nD1vbuKAQU4KvYDVFZUj7XLwyfkm4/fbiJaEF+lm8fhICIDNJNMExQgFu5RTNFMbS\n/EHaA9JVaW+1tO7ODPvZKuIj\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQLsEFKsY55i0NkQZ6P/KrjBYAtkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARKDcAMCS/HrAUewTgP9F021XF/s3oZVV+ee1nt\nz42pYuK/5KR46Qg7ZXED6B5XXJ5pkzZrFQnT454gmK0xyuySo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUzyYwYmszcHEAJVBD1+r07juqXgIwCgYIKoZIzj0EAwIDSAAwRQIh\nAKfqihzYjNG6gmrf+IVq5qDZG5Ij4B/EvAkX06vYCijnAiBLZ2ipzFzjL1WjzW78\n+zHpom2pKXkBC7NflF8h4SyUuQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUfQ/sQP+V9d7UkwIL6Fxc94ycgGowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEvQzm+EDMvyCnCm9MMUExEyPNmmIVKyubbD4bvqph\nfg3aJ6Fc22FqF45WAz700nVjREzoCag0f6kD0GNybHpAZqN0MHIwHQYDVR0OBBYE\nFDgg7onMsX+T00h5bU4h6lYbRxCqMB8GA1UdIwQYMBaAFC31oMEMbi8Ur3Vvo1uN\nAXOQMBFwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgY2j276lwwP5MG+NR2zfoCtRXv9Kq\nGfnqzyg2ltT93H0CIAi4ORIUedv5xuj5UEP1e0+6Y3C5G9YC5Wima/V1vLJb\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAVCgAwIBAgIUBy/ZFXxcDIpCu0uDnmcxCKqsFrAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfAb04D65gUpdzyijRCCzpB0VPlSqQAVHcunGHJQu\nsn2TU2veu1HNtxPCNC7B0Kyj2aCAnmG6v3BJZMiuKRq14aN0MHIwHQYDVR0OBBYE\nFPxstF7ezMRsbiltnn7Upke4D3hAMB8GA1UdIwQYMBaAFM8mMGJrM3BxACVQQ9fq\n9O47ql4CMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBgGA1UdEQQRMA+CDSouZXhh\nbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgKQhlCAIq5loGHD7ZG5Z1jMHzocLr\nIB5INV2iDfP4Xk8CIHcI170Hk/1nmQEIl9p8t36kqCMiL7xGYfuBxRWYs0w5\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1386,10 +1432,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName\n\"xn--*-1b3c148a.example.com\". This should **fail to verify** against the domain\n\"xn--bliss-1b3c148a.example.com\", per the [RFC 6125 profile].\n\n> ... the client SHOULD NOT attempt to match a presented identifier\n> where the wildcard character is embedded within an A-label or\n> U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].\n\n[RFC 6125 profile]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.1", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUGQR4qDrlxzk6dfMF04vk2pLvDJEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT145MhXl1QOr+QfDvkkJY42mTASugsqjz2FIAq\noms/DdaNZ0UHBHaW2mzrbvOR4tzpnL5heyP6L+Ht7cpjXwM6o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUiavTbKz03U3ueVUQaF5Ebi33EkUwCgYIKoZIzj0EAwIDRwAwRAIg\nWQDRPxnDdkvtYFuoSSPdPyZgRR1V1kIew3t31e79XUYCIHgcRZTDJyjLlHS9Tnby\n1Y2eOk2bHjH+LtuMXZGj4swW\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUKb876o2LgRFJv1Hy1WPC6PD1ctUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARjO/lSNt+RMda+4u9lYGCKghU4GGjpegkv0O3N\nm62yv88dzA1BBd8PRZNsvsMKWNMm069R6ihf5KsBcmIEdB+3o1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4QnxsoG7w9WXvgBbvXcWGr6BOhwwCgYIKoZIzj0EAwIDSAAwRQIh\nALyk0Ar96LahOeZUxI070kZzC5rAg29kxH8HTW6DfXNhAiBgJ3olGsMwxfS/M6EV\nDNfjvQ1eBcZOptycMuPAJ54VyA==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUXi56JvHLGvD+cDp0zGQ658FBIJcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEXlQ1x1rfF5Q6ZbR3qTsAc6/hci4nES4Z725Rdyjy\nk86ifH31QjdzOUTPfCr9FKMjXMVOsP/0rUgvrsH79Tem7aOBgTB/MB0GA1UdDgQW\nBBRiM3sNkEV0n3273XpPSjKdSvqdRjAfBgNVHSMEGDAWgBSJq9NsrPTdTe55VRBo\nXkRuLfcSRTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiEA2x62LTXT\n+qHDajGk/gYABC7rtIokKR4jdAWGoH6H0dYCIFz1KlHRX/l7g5x4sK9/zzCRkxSb\ncZtuZgnwJYGJnWF0\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIUCVwh8jTljDlA0qyls9I/pXl3FHQwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAETNi/VXFB+hc2tjF0oNoWsKdVe57l4q+zKF0W/e9U\n81kkWoT8XCw1Z3yFgddUChc0twzM4OlOoVnlv4NSNM30VqOBgTB/MB0GA1UdDgQW\nBBQ7GXlxF67HXSlEMxsyoOv7spU93DAfBgNVHSMEGDAWgBThCfGygbvD1Ze+AFu9\ndxYavoE6HDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAlBgNVHREEHjAcghp4bi0t\nKi0xYjNjMTQ4YS5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiBEs+paNl2b\n7e08d4YqRv/yP/tKwLov78oQGfcZ8/W2ZwIhAIfcycFVEAsW7zTQzySjhXZDy78R\nUzLLLA0c5p1u6vY0\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1407,10 +1453,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains a Subject Alternative Name with the dNSName \"\ud83d\ude1c.example.com\",\nThis should **fail to verify** against the domain \"xn--628h.example.com\", per the\n[RFC 5280 profile].\n\n> IA5String is limited to the set of ASCII characters. To accommodate\n> internationalized domain names in the current structure, conforming\n> implementations MUST convert internationalized domain names to the\n> ASCII Compatible Encoding (ACE) format as specified in Section 4 of\n> RFC 3490 before storage in the dNSName field.\n\n[RFC 5280 profile]: https://datatracker.ietf.org/doc/html/rfc5280#section-7.2", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUQGKph2+Jn60mb9iCTG+Mh62PXsgwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARI+dZ1FuhrS4UFMmMnLcH+jrpsA5wwa+Vfzzf9\ny9FY53qlqVfv476zhXOrgkKKYfeGQXVymmC9ZxPsDY4m4WOho1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUSQgvZACc56M3MRShbM/Gy7Nr3pYwCgYIKoZIzj0EAwIDSAAwRQIg\nbeW9fH54ngLLQ0AyiZHi2adu6DwME8x+pj6ARWkFMCECIQDBlyzZJTNk7BmArvf2\ncjOhXw4yizz86jfLJWqZVi3wzw==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUOEDt1GFzsyJDkGxXL3gBaqixGK0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAT3iFuKmSPqgmzDn5R5ESMsqNnRnf1iNNZEGBlW\n2Vg2dnyBN8ZVPHIZKihlHiJya6BcU0Q3mOkfgX6HxKBtXS/do1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU4b85cCQxlrpjwL86m7k2EHK4A7MwCgYIKoZIzj0EAwIDSQAwRgIh\nAKM3YTl02q5eg8HKiM2H+SRvJHMNpUxln45V++vndJdQAiEA6BVMooOCWj2tyF67\n7zZZj1bD0gwJ1pF9+/qpQ4T2uX8=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrDCCAVOgAwIBAgIUJXTbUN8K8a4Qxnq9WS1eMp/rDm8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEr0366OijQhhFBt4wkU22d9Tv8VJT11BB9W19yY1+\nSMdYC0PakcAtXXEgzAMqsZRXMU0HqqXPkQHiq0Kdcz7FSqN3MHUwHQYDVR0OBBYE\nFMZekNIpEq8NwJCT4i/jDeXv7vkaMB8GA1UdIwQYMBaAFEkIL2QAnOejNzEUoWzP\nxsuza96WMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaAxnJtr9nRyvnUpxqZjM5E2z\nU1uPku3mLXIH14jNnTgCIEywKIZheoW39yt8GA8MDBFL1YAynqgxDl/tsdQxJzCv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVOgAwIBAgIUSSSSEOMXkLnyLVgr2NHGLsBs7DUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAE8eULKsOmfaNJhKguix8/+LTCIQALFzSWk+WyuRey\n/bGabRNUVmKoIMQDiib5s4J5jZjXDllgGPv7QiUP1IB9/aN3MHUwHQYDVR0OBBYE\nFNd8wjUXoDrJeL1epIXax7capXgrMB8GA1UdIwQYMBaAFOG/OXAkMZa6Y8C/Opu5\nNhByuAOzMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBsGA1UdEQQUMBKCEPCfmJwu\nZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMLXLOIx8wI7oaMOHc1BdZve\nBvycyP6p3HM2te+sITKcAiAFBD78+JAn1qdnr+EgqBnsBWJsknhSSnTcXnItVVrA\n4w==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1428,10 +1474,10 @@ "description": "Produces a chain with an EE cert.\n\nThis EE cert contains an Authority Information Access extension with malformed\ncontents. This is **invalid** per the [CA/B BR profile].\n\n> The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUUYxSw0EJeCGPh+E+MtcG7WnOST0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAThNmJcG+GpBqEONFHGVFGIrKKBqhbBGO1MJcmn\nZ87pusX6ICvBBxpB8NI4aPiuqknXokNhV+ysUHirBO7T7sKNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUdppeynOXynJmYDNXYDro7TOAaa0wCgYIKoZIzj0EAwIDSAAwRQIh\nAJ+pE5hE7lCpWr4w96q+Brfo1W7A4CSqyWq22Gy/Wb6EAiBFJYAFaX3/8EKS6hbs\nFBpGVCDLFLbq2PfrauwRXlF9vA==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUP8UlwCrgw6sRNlp/P6Ip5e6+sTkwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASJYEfaMVt5Y+qZnc3G1+m3czbRBjWUde4MqfRv\nj3zWbBs3hlMfrluXkvxTTRaW/FBqJZ2hLTFZRlIz5Lj/Zvzvo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUZjzz9++e7BP9nY/fXbPqjBnGbNswCgYIKoZIzj0EAwIDRwAwRAIg\nFGeZ4vc8+EXy7XUmIRuCQ3N9t61IFW0Sm1pQfhfZ60cCIBMHUgywthknBOt3mmCm\nBfIFAXiEAYRaBOn7mduKg2vs\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwTCCAWegAwIBAgIUEL/kHwIN2bbot7QOTNHssA/BIzUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEky1VHgjaHYQJjZNJpjbiEEQmA8gvk9PtJzvDDn5z\nIwiHPpameMJ9zp3mQjE7Hk0I4ntrSXj5SYoKAm+GRwMGIaOBijCBhzAdBgNVHQ4E\nFgQUc4HRO61zOgzaofi873m4aEL5qDEwHwYDVR0jBBgwFoAUdppeynOXynJmYDNX\nYDro7TOAaa0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNIADBF\nAiEAzQWAERojryBIkLm5SZwdDDsafllEZsiE8rjcT4jYu18CIA6qad5u6Kk597Ll\n+TbAAnU+0Jpt5Kf8YGgcI9CqxmFv\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBwjCCAWegAwIBAgIUMQBT18dsWFJBAY+fbhTvOZDob1swCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEafloo/r8396djbL6PyvQ0pBX6vthjcPCkws1EI7i\na6pIzhXvyDTEEa7cCJGODcrQvHERmb4jKCywoN5sIIA+O6OBijCBhzAdBgNVHQ4E\nFgQU2yHuP4LJUMrrkShM3kum1Deo/X8wHwYDVR0jBBgwFoAUZjzz9++e7BP9nY/f\nXbPqjBnGbNswCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhh\nbXBsZS5jb20wFQYIKwYBBQUHAQEECW1hbGZvcm1lZDAKBggqhkjOPQQDAgNJADBG\nAiEA8wATQl+pV4Vy6WRCXLwFvh7eZMJ3KU70preMm5cdS6cCIQDkrMP4OZJ3zcW6\nACzL06cCsO/cr3cqL11tahO4Pdxbuw==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1451,10 +1497,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the extKeyUsage extension, which is forbidden\nunder the [CA/B BR profile]:\n\n> 7.1.2.1.2 Root CA Extensions\n> Extension Presence Critical\n> ...\n> extKeyUsage MUST NOT N\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBpTCCAUqgAwIBAgIUe7DvZjoR3bEeI6ltWO3dEqMy4WAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARsyodOIMDtznW+IHWNR7SxrZMsaMNJgGQFwrpo\nd9OfPYuieynNJvEymN8id7W+NOc6P9zDvQP0ko0p2ju9msDDo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUM5TkY5+XivHskHf7FbjyvLQ3xbYwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSQAwRgIhAK61M6M6bj8F3Li7ugAo269tEM1MNxiHVFbq\nxeJNbsqbAiEAkPDqKQyuP3f+eGmlyhqER0hjuSmBBsYCtokeCFhVnn8=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBpDCCAUqgAwIBAgIUfh0NLINM7tp7zVvHxXETV7wTev8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATjfom6Dk8cgv9Lfpm+YHQV2/tiJAD3vtdFmnlh\nwRIj84GKj6N7roihX26sIsBLINdEi8XYopuqLPqOIa+92milo2wwajAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUeDJ13lFUBxeYpH3w/AH05fUmjUUwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwCgYIKoZIzj0EAwIDSAAwRQIhAJgxSNqRoLQXVcs3rEc10dM183Gt7z74Ak5y\n7nQ/YjH+AiBRfE9tOWw+hwuVR0xf/0aCnakNHHhfAsxAVwA3Pf4x7w==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBpzCCAU6gAwIBAgIUVj41MJHVr5n26MCqlCwXF9c3JbowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEGXuZ0t6XIHSwezPtuXTItq8aStRdkvo+PpgopdEV\n7z/LyBbS774TUQbXF9YG9Ar4gb+InaLmZ24BzsUs0AqX0KNyMHAwHQYDVR0OBBYE\nFMW1Up/VoM6rIcmqd1hDLqxsVipNMB8GA1UdIwQYMBaAFDOU5GOfl4rx7JB3+xW4\n8ry0N8W2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCID9VEN9EJmnFyan1+uGH6OPrzRmnhXJP\nQ3+T2mfn0OIXAiB3D39ge6Cn/k3PunVj32LQiAbVtHSnlJ3wL7mv9Hw4KA==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUe99184DvbOMae8DgHxqmJEvyCdIwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEm0UV4EOiZfKVChScFIwk2cLXDXsHBFMTS3zAGH8Y\neUmXwOQBCFWC2TLTeX8HNuug1jF+0WGHz+j+zZRI+0wYSKNyMHAwHQYDVR0OBBYE\nFDoKD7zBiww8QgemvWHr4gOxXy5QMB8GA1UdIwQYMBaAFHgydd5RVAcXmKR98PwB\n9OX1Jo1FMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDhQ1yBGpYz5hRWHCCtseMa9D3F2NZN\nH84qwafTVaEFTwIgD4RClbABj1qA7XHvritLE2yVPFIyoU6YIgPiACYqvfI=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1474,10 +1520,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer field, which is forbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUQoG0JyM7V5rKuJSlyxlcv5bVnR8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATWecFkkPCP67wNgR4VR95crye1HDh1VFhcHQP0\nQxqAkxBzvSHMTFJM19W1V8CuAzorhKge7QqtZZqUXEM59fYRo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFJTUhqum/j1KpvpzkaQ6TxRo8dlyoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBSU1Iarpv49Sqb6c5GkOk8UaPHZcjAKBggqhkjOPQQD\nAgNIADBFAiEA/irM8e53RvJPurwi4JEZAyTlEx44sxrfW/NcjazY9MkCIB9dbnOI\nURHiuWGICI+jQiYRaewlMunYomqBuM7XlLfI\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByDCCAW2gAwIBAgIUaJ0a0DRUpJqIwNU0jruBkvzmqYcwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARoNYYyjiRKcW25JIG8vuqxSEe/HtLwcLwHG7aN\nuMSVBkEGNDqMVyEdxoG9K4esn1tvXIGjyaptAoV7ViJPKLFBo4GOMIGLMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDQGA1UdIwQtMCuAFHLAENKrMkPMjP5Ry+Fv6vvL5m7PoROkETAPMQ0wCwYDVQQD\nDARteUNOMB0GA1UdDgQWBBRywBDSqzJDzIz+Ucvhb+r7y+ZuzzAKBggqhkjOPQQD\nAgNJADBGAiEA3uRD8L5uskHGuhMdKASAqUkEe4Exf8LS8b4v2IzewwUCIQCLLpcY\nLab8McRTx3G+I5W9AHzJZz3DxXcKRon5+CUk2g==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUVzLDfm5PfP77uD/5GpXkqacRn1YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEJKBGtb5ALYZAmExsDoDjIUXTxRzvbYHXEzTgmds6\no/j1PtLq13sKqdID7hKKXCE8b1nVZrI+OPMRZHGZBIv1z6NyMHAwHQYDVR0OBBYE\nFGNUuNtww49xchGsoGrKOcE01ibrMB8GA1UdIwQYMBaAFJTUhqum/j1KpvpzkaQ6\nTxRo8dlyMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIA0r4p0oNGSjZ2ye388p6Fhpoot/3rwq\ns30VCa2G6MAgAiEAvt5zzRjNh1qnHLb7U/UMNkeJUkiM8vfwBTLDfXdSgTM=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUcJsigmSaVGX1x/5InKu4hxaomRUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEfM+x0AuAtzSWMrf25OsP3HahzCK5hpntpGCC7JTg\nDdTxmwBGskh2Z/jb+6C0+yAooBldSy79iH0wVxlUSCPw/qNyMHAwHQYDVR0OBBYE\nFNMXAiBSDNOjoUVpSVRzazyUHfwOMB8GA1UdIwQYMBaAFHLAENKrMkPMjP5Ry+Fv\n6vvL5m7PMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCsTAVbBo2sUGQIABzTbVIJ694u00Wg\nQyXY3+OX24DBDgIgdzjd6Z7h0hAf4tAyFn+OQdpjoKjzQnmL1GiIF0GMT+w=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1495,10 +1541,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertSerialNumber field, which is forbidden under the\n[CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBszCCAVqgAwIBAgIUU83NDVmgs+vTZnsGIuo1YbWOmnEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARISdaAXMy0FyZRsUu1qkbBgeAlrX9L01LQ4n93\nvMtoirKkuYIodJR/W9hu5ovKPxKnvKKWujKESojqrDSOT8ceo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBTZwEZIbylu2qTzNI0gune4XqO9O4ICBNIwHQYDVR0OBBYEFNnA\nRkhvKW7apPM0jSC6d7heo707MAoGCCqGSM49BAMCA0cAMEQCICARaIJircI2NNEE\nLP7RJ86qU6Z+lzMNG+phJTKbgGKaAiAoofoaWsbF0DAeKb9xth7qZ2lPVLPHILtF\nki8D0zYQug==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUT3gs07irUf9IW2FEM8ugSibsFw8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARHB23ZR1Lsb4Q5BmCCMOe3pQIb16A3lTA1PQ76\nlq0pH/3tkYsbyfp5RwKrttQaqKpzH+Emkb2wCzSSYPhvI8FDo3wwejAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAj\nBgNVHSMEHDAagBQKgmhHifxaHNBIdmzfcBcem+VMUoICBNIwHQYDVR0OBBYEFAqC\naEeJ/Foc0Eh2bN9wFx6b5UxSMAoGCCqGSM49BAMCA0gAMEUCICa50OIlBNjGC2C8\nUJ6TJnbRbIejM8AQsUHHoPrlUcAqAiEAxDc6r53Xxi8E3ei+0krdbz1rLJbdSjpm\n696xRNSKj5Y=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZ+gsjOuUOpyyHd1oA1HDhjMivVswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEhtId9YKaI8J+GGO0PnusxZPSHKaNwxBzP7NkGwN4\nT94gX2cxhQ0K73+4Fa7+6UkApvSMn4uvyu75Mf0CgOh0DaNyMHAwHQYDVR0OBBYE\nFAXNDaGQUdPwhVHAkv8Rm+ZgWAikMB8GA1UdIwQYMBaAFNnARkhvKW7apPM0jSC6\nd7heo707MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHDx5rPKIXqD3whJAzqvWIRtuBJEN2w4\ns/fBJaTmS9ouAiEAmVjUNuBwQ4GHqU8/u9cXex7mEgwgtL71cOBxMW+Y1Zo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUZtPz8mu+rlfyAV6ITfifaKdcBk4wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEyX7dZAOB7gXRhNSvemg/aAJcS92Ow5pRqSYyctbz\nd4H8UCC0+zQd7ESoHwvSLDnwjDZTekimMfR9oLrzCe+53qNyMHAwHQYDVR0OBBYE\nFAzYC+LlYezPBWg8TLLla+u9NIK+MB8GA1UdIwQYMBaAFAqCaEeJ/Foc0Eh2bN9w\nFx6b5UxSMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIHPcvvHJHmlKs8GwtAzSxJUc6puYJcW9\nCiQsXc6MjiV5AiEAjwX0lep6REv4h3qv+h6MpwRMAKKY6TTLzzUsO6Hm6M8=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1516,10 +1562,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert includes the authorityKeyIdentifier extension with the\nauthorityCertIssuer and authorityCertSerialNumber fields, which is\nforbidden under the [CA/B BR profile]:\n\n> 7.1.2.1.3 Root CA Authority Key Identifier\n> Field Description\n> ...\n> authorityCertIssuer MUST NOT be present\n> authorityCertSerialNumber MUST NOT be present\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIByzCCAXGgAwIBAgIUPwRKGZdexwyHcS2JrTe5iJONnoEwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQNC6huK059wZ6d/RPAvbEZL165p8xQ5r9SvyxI\nTwNqrvUz2Bbw+Bs3v+lr0w2XE0ERhDFkplBV/aIA+rtetrm8o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFKONxNUNBB0shAe5sQHgBsy41EG1oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUo43E1Q0EHSyEB7mxAeAGzLjUQbUwCgYIKoZI\nzj0EAwIDSAAwRQIhAPDY+aCz39IKTUzw7DJTVGov97D1dBx3w+XC5Y9bKvHvAiB1\n5ormQ1XjCpCUh8BR9unV/TXMeP+7gTI/IgsRncTv9Q==\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIByjCCAXGgAwIBAgIUP7o6+7wjkooklhdnlEGflbqxDYMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARJvZvrnn8Cs7OeAq3k2OkNQlEmFtOXKDvB0j2G\nHdhNQT/5/gX+XsVQ3h2eHNDVKU5RFFLDSnx33IVAazHGJAg9o4GSMIGPMA8GA1Ud\nEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t\nMDgGA1UdIwQxMC+AFAGJGvs+5esdBlovUHy1KL0429S9oROkETAPMQ0wCwYDVQQD\nDARteUNOggIE0jAdBgNVHQ4EFgQUAYka+z7l6x0GWi9QfLUovTjb1L0wCgYIKoZI\nzj0EAwIDRwAwRAIgS/bd5M0+86C+PPrRP02JYTdYR4Vw4B0dFjBVFlITLG4CIGWR\nIT+aX6p2QNrq202KkHqpffB/CqDbjXARUAPivg+5\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUM0DqajKrtJWrannkDZmbVpgLXjMwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEVjM5Jydzd2frt3ep4CWweq0U+e3aYOzM0kLgZH/s\nCM28KEcNuabeTCHJG56O3/c9kW0iXuhInRekxQpYKCM5yKNyMHAwHQYDVR0OBBYE\nFAZGvtqwIM442pczS42gC6IqJjDEMB8GA1UdIwQYMBaAFKONxNUNBB0shAe5sQHg\nBsy41EG1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCKkV4PW31o3yC7+1TGr6BB+jcZNFA7\nQI8xTOYpLuaGgwIgeQMPEdGPLeAtPaVg/2sZOjkRiMf2Zo93Ro4zKjrp8rk=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqDCCAU6gAwIBAgIUCkKgE2yLMTUGliiXZfW0u7Q5FYowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAEHUpOODhvC+/GqDepzAliTGXSjJp3SV4o0Qn6LWmx\nEWUfMsZ18mHwKwt9Z9Yxq8l4DQekPQ3TdZ9H5IwOJRh/aqNyMHAwHQYDVR0OBBYE\nFPsu+gp4xyHhQbAoX7AV/L87DkDLMB8GA1UdIwQYMBaAFAGJGvs+5esdBlovUHy1\nKL0429S9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1w\nbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQC+B4Zim4+ozJZuwHASWCr3Xw17hN/D\n1Fuqlry4lBNs6gIgFBmC4i0vmtqZ4PCYh9LMj43bBlr+nGKQZ0zpVwpcG3g=\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1537,10 +1583,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert includes a critical subjectAlternativeName extension, which\nis forbidden under the [CA/B BR profile]:\n\n> If the subject field of the certificate is an empty SEQUENCE, this\n> extension MUST be marked critical, as specified in RFC 5280,\n> Section 4.2.1.6. Otherwise, this extension MUST NOT be marked\n> critical.\n\n[CA/B BR profile]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUP3OCey6tHn/Ki7lSaI++Bxd/86wwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQCVRtcNAXtxue2RIfDp/RRgRK44KuZXJra5Nab\n5HZHjlQPSgCc9oc3YdU3lw83HNgOGVt1LT8AvZZqfwwKL+mZo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUTnw0/N7dqJgr0VbGM+Lft1cLoPUwCgYIKoZIzj0EAwIDSQAwRgIh\nAI74Wf5/uPNWdW1qKqUHK/jKZfTjgyCN0BlXZIFTqopcAiEA7LKwgQ5q7hF7BEY6\nHxQJOqXWmkIoso/UlfbECz676Wk=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUIKGeS8uyPVrb/y/HA3mcznx6QIUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAAQ8VPYYCV5w7Vv57o5R829xPe90lm094wafEevj\n9Q3UBzjqspYWmhhcIRXk5dvz61JLwZ6C1G2i9wJU6UIDORcVo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUX6zTgwAluxqiBn7+8/W5aza6kWcwCgYIKoZIzj0EAwIDSAAwRQIg\nL9p9aJN6b1z7oZbyEQvPMKSqfxIl1wLek57MT8K4VKwCIQDTBQbPWs98Bpjaxmse\nqLndx4Fnjx7Ps+kjD1eryWYMYQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqzCCAVKgAwIBAgIULd66vd36K9Mj5PHPi85OUlBCy8IwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABFWoQYvZq19o0IIqtfqOTg+galn0F8+BgqkXPqnp\ntpYmT+3ijZ4Ba1+AODnFZ2JW/5Lt+2VVGm3LnIsFZaVF1LWjdTBzMB0GA1UdDgQW\nBBQmal8B5mQh2gg6/kLyd+BzKBTuLDAfBgNVHSMEGDAWgBROfDT83t2omCvRVsYz\n4t+3Vwug9TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNHADBEAiAumG5UwOJnsbtHvoZ4jwLdHQ1m\nDpySvvILOGATVWtcJQIgNS6TbrA+9Sp8B+QO0NKAvBzecVZMN8AzL+He4hnbi7I=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBrTCCAVKgAwIBAgIUU++hYgj8JOirkDSQRtYaLTVNyXUwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAZMRcwFQYDVQQDDA5zb21ldGhpbmctZWxzZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABP/CKXK4PutYFRWL9nGsIeNjHQGDtigKPiwobSkx\nKnFjsbU07kH6MQxTRGyQL4yH4QsZjlpxQpGrFsuvIBW2PeKjdTBzMB0GA1UdDgQW\nBBRF3Qja4Erms66qezfj4HK2AFBi1DAfBgNVHSMEGDAWgBRfrNODACW7GqIGfv7z\n9blrNrqRZzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAZBgNVHREBAf8EDzANggtl\neGFtcGxlLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAsqPnzVEgABFzw7I7D5QF2Axg\nzvmQjRnp28spk/VN5SQCIQCdx9HdBNIuXICLZpi0mqX/ThJRDv0BexTM62t5egFJ\nog==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1558,10 +1604,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a P-192 key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBkDCCATWgAwIBAgIUT6dm5sedu912UHzApT3g2z3YLu0wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASy8VulTXBF5J7vDjGDp8rgR3tMvnMRKhziDrt+\noUZWjFIFmCDLjpzGZxPounVXvVzgOSa+2LVok+p6ZRziFYmNo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUEDZfEObMOQDmrKQAUR0qhU5qbCUwCgYIKoZIzj0EAwIDSQAwRgIh\nAJY/baCOUUvzYtnC42Dsuei73ol1yQPwO2DTJPGYxbT0AiEA2vs+Wx14F/T0YnDl\nJkko8jIef81UpJEP2qxQz5njS/s=\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUf9tRkIYc/dxu3wiYGw/0S/jJ+aAwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATcrA+ccSngdg5w3gZnNfHYHocvlFk78At19YEG\nbBkP4lvw5PRuoQXf5MtKfrSTcVXXJI22rks8LRFYCiDHTbNPo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUl9GHignU2qhiB6W5oxRiZZx7toIwCgYIKoZIzj0EAwIDSAAwRQIh\nAPuPkHsE/xQzG0DCPiDu5gzXuRLDUroDSmHWIaUfV705AiAtVBpoEZlT2ZFrsCW3\ns6ou549TeWP+3lJNcDxU1m3NRQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUEXvvFrXpUKdEVtEHS+5tYkXcRtwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEse5FohEGEmibimAFO62DaEFmmnio9saEXh2tPSly\nDO5SRGSF+c8CzXE+I4CmZipbo3IwcDAdBgNVHQ4EFgQUqzd5AoMAYm+n1DmnXyej\nlO0/JpIwHwYDVR0jBBgwFoAUEDZfEObMOQDmrKQAUR0qhU5qbCUwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPQ1oEUP3Ydq2C+7Ln+jEG0+dNQi5Qs4t7TU6T1GAi3uAiBv/pzz\nHIXNuJOofePXIWkApI62Cziukeh8F5DwilSwyg==\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBmDCCAT6gAwIBAgIUWlLn6XBCcK9M8ZU5nc6iHipwbLowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMEkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQEDMgAEc7nLsqlMcc+0Q0cdXE+7eRhzUTnzoZw9ulMITFje\nu4KCdn0hSI8tIevvGSR3aO40o3IwcDAdBgNVHQ4EFgQUd5q4QrqF7ATEwWcsTVzQ\np1wHfaEwHwYDVR0jBBgwFoAUl9GHignU2qhiB6W5oxRiZZx7toIwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAOf58+/ZkXfTjXC5uqGJYTybmcu1gtDOcYH49P7V4XczAiAsy5p0\npFpCld78W2JnkMQ3E0d1TsvI+mMicYK/wHyUhQ==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1579,10 +1625,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA key, which is not one of the permitted\npublic keys under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUUo1Iz5z7wRqM0C90DRmJkHQjWd8wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAASjyVxqwx+rrtD6BxB3dw556gQN7Uf3nikWFLvX\n0YcWB4k6jBJmz1f2djWh7tf4ixSUg+LMiIIj9bKhjuWtXDGMo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQU+qRaoexOGHAjWLzJmbLK8k4Lz3YwCgYIKoZIzj0EAwIDRwAwRAIg\nMBSxeJxqmCE/BgqBWLArtrLjc04Cx5OQB7Lo44dtt2ECIBB3DmX4lgiMioNwM6dA\nDviZYqIOSW9dFs1RIgh2nP8+\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUdMcv8RFCBNQEV5f+VzwwcAyWiRwwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARf22Lo1BfEQK+NBiRLk8ALuGcs4tHFz86LO+cF\nJ3G5KKTvh/vwJS/lpoCpV/4PkpIWjv9DaYAbPZno72OdlOfHo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUWI7p0SbK4Asm5YCA3sCRUo4YGC8wCgYIKoZIzj0EAwIDRwAwRAIg\nU7q6onauvB2eqX1Rz9JavP9mOQOKS48F1USSGU5WzrMCIDZypEkKzuxj/qkYMpfH\nDICrp3uKikg4P2X9IqF+B7zr\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFjCCBb2gAwIBAgIUD4YIWlO3QO6vMiYHon45WJG8Q58wCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCJpziEj4iKi843hzrt1ZfdM2lwNMAs4MRsXx3j5Z9t\njaRnKQ8h+ohXs4lk77lviZhuVNaN5D5osJj3MwKqNAm4fy/5gsaUIkCQ7/9u3tlB\nLgSkUlTuHuE6xhMUaJDWkr6AzjHgqhkmEeeyayuOs3MAnp5hyXdIobsICD7xV9VY\nwR2xuBl6NdGb6u3i8VZAz5QHIH4MKYzi8XRUnnlVp3Z+Ir6UZMLZPrVPPVrlUKSd\nN5ZuK8WGW/VqXGrYQ9z1QvQ70GIddGOc85mNAFj+DcjCtUQC7dymRW9Xk0+7ZJGj\nLTIwo/zMNLpd308oNEY01mc+bkHCglPVYThNiEuVQj41e7BrfzCv5BMw1ZH7Yh33\nxIcpmTeS4U5e/bX9iDkwx2AktjIdVJ//VhF71pG34PWccneCcikNGJr4iTeEHm4q\n7q0g8x7GpMIKKUiKNoE+SYcxgAXbHYGPDzzBuIhORd/b2grz62tnL3neS9J9rglm\nJunIMsXJ9r44kIP+YuJjv6sCIQCfFEjEWtXX4OORxP2aTmtccEUGu/kGjNy27CmM\ncWy+KwKCAYBpTgIJTJpalOwkY6Lge/Aqjef9eQP5ucv7shdtpG2Qt/OfXbzI64X4\nu8arDwds+B0YeXW2ZCCYhIMqKZ2nde4dWpg9fEjcqathlJOx/4sGwSaD2Kfn6EuS\nZ22GPXmPBaXvF2mcBEkiiIx5kAGhaP4hapmAOKdGkHP2lPi2dNCEIt1R+zR6n9Rn\nGID0lvRsoydwEutezVOZKO3qhqxgpiUgFBjvs67AkhBKpaiM55m72ALWtMkl4J0z\nVYrGu67YYJu4rQlUux1/RIdRMuZJhwMKDf8UVle7MPdHwtsy+jZacCEWB3I94PnN\nrXwKV9tN0G6TXLF5GPWK30dDRot5LcstRBuPPOKnPiKIItwD602CDFb/KgVdzTmY\n3TZUh615QuIKghCUdvkhhLl3qHaRrFEs9reW5dWEk8PqMb6D5nzHSesLL6Lj6hYD\nPx5yaxqFuOAlOkbUV08NebaXg8/vZoUGlbN+Ule3gSYvgED9PPUiRXZbWAgOpjxA\nacQuS6cfqXADggGFAAKCAYBhP96OxtDS9jzTtORiItqgj/I6hXr9wh4DbMSEIEq5\nd0VicaonxQ1+j2EJtFMy9x0PLHASOiTjU1ba3g4bpXAZUmAaNqWbaQ8VOo10sMOy\nv8LSzaxsdK32sqh5MLmblai0e06CU7yIExMVbd2KwARnEPLhkh2vcQcE8tmXF/k/\npe4cQqQzZ7p9jZEbHf7MZNNLSUWHhJ9a5dfXcy3ImkvF40sRbxMXu3x4aB5CiBlK\n4Us6CZVJYf8hUff2obqW/JloAckWg9U9K6nkUfxhuRhrgw3Z68CSjkWmQEXpReSM\nQVajMK8DYg3INWUkBjPxbXgrCYPb5dSuW/Jrl9KUqDKl/vwWGn2NrNfXmjIlN6Jw\ngkpIkYwuV+lctHtg9lbMV36aDUAWx71INliU6dgm71nfsTApems3Y+ULi3cjg8YE\naaF578815uvmLVr0oB59FVb1Ptzkqbc25+iYoThzAs+2SWolomT1scsvh5msj6Gm\nn/fWgjrciiH7XhSDNi+b79ujcjBwMB0GA1UdDgQWBBTxCD0i3EFpS5hxO18dSpUJ\ntAZ9rjAfBgNVHSMEGDAWgBT6pFqh7E4YcCNYvMmZssryTgvPdjAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNHADBEAiAKCrNn1kSLIcmPrnGDVQ3nSjdVZ4HH+lhUf3eDHxZ/WgIgHYjElSku\nnB4FG8hTqcGmkIWQpNVrU+RLA4357YwwJ5Y=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGFzCCBb2gAwIBAgIUBOENTQ9NfwRjYN+SD1XkbjuiS9YwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExjCCAzkG\nByqGSM44BAEwggMsAoIBgQCk5hJvPU4YlrU9p4o/FE+mQ5TDnMfSXKcXyD4pzao0\nBscfMWi1ICYlDbkxftwx5UqvpZPpD9NqcfgPhXIiesoPhEq6J8yECYnUNSZFFCst\nB8D7cDjn3epw0vkdvfkeP+DmOW/0DI1/mFGxfMLkTE0dFr0RwnCsOD4bO5A3ZGoL\nFoVBY64V06vKiDZ5ZuvQ4ceMCiD6wCXBg7dSwzZfqExkoIntbtqTmzd30aWzll3v\nCVDU7wE+K+z048DsPhqKtEPbZh9sSP8/dUwh10bG8EaI0NEYmUECtbwj7vIwsaZi\nn2wFyL0iArOafvOkjeM65HZFYGxlPAu0SjwFHqR5dBW+IRVt98tFIvR4VUuQo/Pg\nXaoRUHzP+QT6m0rqiUkPjENgmdrXlur4rkUQzsbJlCZ2IedPDTApaqYLj7Cm0icL\nWyKtAneJR5cSpQdmh2gV5qYsmgYQDxFQ7dY1dWuONioia0Hro/X1VadBNMgTmM9r\noHdihJS5zQZNO5YaZK04ZgECIQCdmQ/ySWyqIQHK/oKbykPcjbkFRmVKOb3CIQjj\nQTg0EQKCAYBUSRjUDrn2znwk/bi57TCbEVXWa2HP7BCBA0YPOtCUky84ENnTlzht\nxZuUbw7UmXfFqhWlX7UBCLGw+IjMk5nSpFKftsWd/n4sDmj7YvUEHbmD+zsvhqgK\nAXxYT6dyvGCNo+cs6AOtqnreLSTpLyfnqwKGfpzqkGSizyIMccePLyO8yEEVAhQo\nu+el59T6k7HXNX3XxFkSv051IXRkuBHjYfC+T0xjoJlKAZzXff0hLit7TTEwxnHI\npUniVOodK9K1J4zmuOCAq2SUjUx+yjUqIXWci3z7YJAa58oGQ/jc/dqudOvOuRu0\nduaTfHUnNDnAb0MbUQsD7tT0oHJToTBoQLHPjcTU/LzZhg+ervpdsw8imJ6EX9J5\nLT/jdyMCOK/1dHbuaFzMFiEEhbOQdLWMqaGXiW40HxA4O4Hw+rAI4maHAWwP0BJn\no/i4fmjZfFokffo88TBQIGHT0MjbXJZPm9+i2vEaOy0UddCt/qb4qhm436K1bgJj\nuK3E+zr3UyoDggGFAAKCAYAn8DrYk8drFjGDgsQoPPL0TDM68ETvXsr747dwZL5g\nLm9thUq2BIH1QJm2wzveTSYWKohovI4hPWxFyeZ21kM3fbstv0M8IjOzuOc5rTvO\nHyYOn8ezxoriP6TQYibraaJMktpJa2d2zlWZfiUHmPBBMdyZjbhM6IyTlKuMjdaB\nGKk+eWZfKek5Xw3GO6lXdOJhzih/PeVSiN3AWErpzRWK/QeORABUBnix3D+fcGN0\n0mgAj6LRSHfgwxZjg9/Xq3YbmENdtRxLUUr42gusy4t1JPHpvnGDIMQOrzPBDUz8\nkAciIdqySnMFy8MbZ4idQ5a6QfQCt8e2mc2NnVEbEl8tdK+zVZORpTgeU9F3g2Hw\nXePRWyJIY2yVBxjWyUro1y7+OBkefj0BJ/+H0X6DwkZ7XlOC5Wmr86mY8lJytXM+\nd9UkZgp8uBQb1dEXBd6FyLzCUhowhsSiIUR+8xa/du9ghhzntfakTHBf0B9QCHw3\naWcsv2JaN6DQvbYsuUW2xv6jcjBwMB0GA1UdDgQWBBQxb4J68QC/dG9xP9wnE2Jr\nHtwpbDAfBgNVHSMEGDAWgBRYjunRJsrgCyblgIDewJFSjhgYLzAJBgNVHRMEAjAA\nMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAKBggqhkjOPQQD\nAgNIADBFAiEAuzDedUSPpx6DxjcpyS/N1dY8/kWhD9BQBc6PQdQ338oCIHudmhOE\nVclIZ1tZfhJybOw4qDi/cLXeEk9N3gtn59au\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1600,10 +1646,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe root cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIGAjCCBaegAwIBAgIUdqPR1tjYGDoK/IUyIWNkgpHDgtEwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIEyDCC\nAzoGByqGSM44BAEwggMtAoIBgQDkPSZfnFfpEKuuxFT0vI2wxzTFhGQw98vjLei7\n+VCZgiJFiMOXwd22YuPcNaK/7Ix0FfUB9f0eX7hQVWP1YSqDTPvhUpSRzgkd5Fgb\njeSs3nrFcaLhPO3FVcsTvyZ4iUKOBZQZsOmtX1/3361QsPe5B5JtU7rn1avlkyI7\n2YkgM/IP0/V+iGE4y64YPN4A1v+cNnaVRA+uvWcrpB16T34n/hmFiiqzyVHPZvba\nCAiSI7r2cy45vZmu8e7N+oTObvGyiaYu5v7B27u/9d9/iuDg2Hs7Jn1qDY0sJ7GU\nFpIn3/W5Wc1yXC2FZL0MvAqmhnLTCcVSIBjzw1dIFjDw8nHG8T+gPO6ILjWgR9Oc\nxXyKbmXjUpAKezaWKuxQV9ICPQxs8FBLh4onc4vfWjYAlC+kT8rlhdTgtSvOBIBy\nm2u4OJw4FkSizRQjXfFChmy1u8FAjti7KlJ7XZJCqVwwrtkQQ13FwBLX3s1PR5nh\nJyvLQ+OtrnL5dLIxq7tU+aH3u1MCIQD1sYhmQi/fgV2U2AVTVAYqq7bcFCf/sCyP\n8KrVzTbSCQKCAYEAwf85TwKAS/iyBgRJE6EIT6fbs9n/z+Is4Jn3ePd1yl7j9cEW\n8K1BsSCSnc3WpJOcrRQB2dfWm6MUDQm9Mi8EPZMzw4m3iQIRJJs3/CnDrGCwBbAh\nRR+/8e7xFC387hDJlmXm3LUJ5vK61nVvCf45XUofmXnIamSaq+03aahqNhf8l5oT\nO+2ndUZDjDr+bR34eAM0dlcLJOunoAojivbPiu4HBD2z1x9IFVXpJ28icU1wbfhU\ns4Y8F/w0sTasSzEGsGhP7QqTAFgAlX9SlyElterd1bnkTAXF5WJk7Y7euWnCXU0p\ncUTOJpvoaTD7KKN5lE7DVUKVm12fldIsNqKGM6WZZHFPGGimGV96wkrOricbvPwB\nDlQNwImvk3BK31v0LcggswB8HM1tVrndb0TZM4rCQhiZXhXymVab2TkaT8bI3kau\nGjV8pG9E1g22aKzTuR+/oXbFg+6hHeVyCX/uMOUov9SrWjGcYXPK83uwyGlW2fdg\nnwLIANP+4FAzz9a8A4IBhgACggGBAIZdydjbzpPw7LssT5pvQ2V70iUwKojqJEKv\nViL/Rg6JJnP4n+4KzUNmdkDTxSXZNQD/xNh9e/jdpnZ7BeeNIe/yZxU3xY9lkcCH\nKlpH8TO+QCb0RwhrjQT9kQ/JKYalr4JoXj4VvToGnsELxIMcszp6xlORgiguaH4j\nRETG5zMQX3AOLNwhDnCqS2k374iGfWDs+uDGhvg9Oi8VRW0Kj93sO9tLfSHVfUCS\nSArCgK0Lhm9DNwTBjPXHqK7Kw4G8MAyeel5MkDv7stH+YDtiyLFnX+2kBFqjLcQG\njDUL3+khrktJ737v4yJg3Q/WoYzEbspXFkfnEJbxmbdGiriy21j1Mhqx8ZYYkq1/\nFnQGjjbyd2mH3b0EEd8sqDSCVRhz9DJfCngFDVvLtCMiOCvvTkrO07qwyx02z8l3\nAev/xvRE1okE1WxVUSEZO9yvGiha+ELSFyceuxkKh7XraecBwEoFJ64YmC5A9/X0\nVW3sBSnDZ6DLNS38nHPJ8zdTq51186NXMFUwDwYDVR0TAQH/BAUwAwEB/zALBgNV\nHQ8EBAMCAgQwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wHQYDVR0OBBYEFLlqlXIL\nkIDQewGSLLbPlluDaltCMAsGCWCGSAFlAwQDAgNIADBFAiA4Nt5QuCmYESDZ84VD\n6WDEmGsIBYzEPocnqGKzyKngrwIhAOp9qk512RYrZEWwCI0MqP3gDZ3Lvxl4NacS\nkznTL5eC\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIGATCCBaagAwIBAgIUPdNwiPm0wse+T6mt8ytm2N5ytgowCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MIIExzCC\nAzkGByqGSM44BAEwggMsAoIBgQDzXk0xIYe6aqIbFPDXXAE2Jduk/ZJ4+qtve8sD\nxp2G7H2YK5feUSYVFXKIVbVXcMnGAUSZxqjOL2IwaFzAF7ifYeb7FJTGYiu7RSrG\nwvJKuD+gMEijBqbT+dSPZp3mIIqftmNeXiyrhXUKJawDpcwxq8DRynWPLS2otaLA\nQvmQAIzMv9+id0zlEjqIvlQoK9niRlt/dlowbyeOD2QxJfKckrgTnDVwRk6KUroS\nNRCnu7WH3BWZcvsXTg++pKC/n2kWQBLO9e96aCqO/cwXMaKikBGNu8h4nnENyLe5\nU6dLvOseC9BzUY1Q5ZIecL4GJdO35fE4taUZ/XClKsIUgfX0q4pYlzPGdCCNDPJV\nRZB+KzU3ot9XUvq8OMwRj3i2f7dr0tt/IsdeGWhZTsiJkfrrHH2y9ebrLlbFascJ\n19eY4GX7ErguZABlzK2V1chPjAy0iTLdPaMxtEuNFYq9OX4iBsVLSZ3E83QuM3IJ\n/DInnXGXdCBMFzTlfjfnY0GdqBsCIQCK/dXBVKdgVkYX1032jRkC8SMUlC/qLM1D\nEtaZno1wQQKCAYBiD0GFn7OPzyqulgtetWk/ma0/IW84vW6rDm7qTGjZyeV66BWU\nrSDi5hRlQCdt3nPn9vy7poHDBtQ4+3IJzsiNMy5ObeS0ZrNVbyx57j5EDhudpTkp\nqe3pl1q2FvydhOczmnCqDumGehzoC6k7Rpg9RioN4f8EU7OSy+ZgEW/JcKhSOqp7\nvd0/R18aaxxsvBzeAuYMHU9jPUSGtXA4fb0Hnd1ACsEiWCjWk2qgJrsm3WaT1Hh/\nYN9xIkB9zuT/YwLLRSnGExQjoEjlSc9lyJuK9bueiuxiwORBGY8aOmJREwwvYV68\n4YabIWprtEH8fBkLnfoHrzQXag5+dfOiR9R5dZfx6/FirbDDpsl6+bxfg9+lex+Q\nX7RYqqalCjYRCVlKo8OZcCwi927670t/YvW/KkOOBimxKuTtSKItwJNPUgZAd4mc\n4uDLNvSBFhlg/kSIQuJG+pcAr+yVBQ282f3oKKiy/Z0XfUaWQhcWmLs0u3CmLknw\nYTJgX3kAEQqioTwDggGGAAKCAYEAlt2hXb2d6fyliy4XB+iJ4eQA0p0ULX33+yps\n9YheLqaPUVU7PdC6DfqROJDSdoRS/T+ROvlxyOl/NOPW3uxVVfOPcWqdcCRPZRJo\nkCxZI7agmWq9GUzi6+EeBzULchEe5pcMNaVVMmrafzHZcDjQIRBUywPoUUxzi7qM\nOvBmqjqjXFgWXcUezWOeYQuTCun5xVh/oT7G92ImOgzZyosgsjmQlqyC11rXfoOR\nVcqX+86Q5izQTb/+wpDa25dZnnlIY5c8d4jV+cCMHquq3l6kFtknY///d9uewIVn\nfiiAYiQP72WXE31HLd50Pl/zJDnEeibl1bVzGrsre0keL0DD8cOTrlrZubENZwGc\nGkpMwNUtfx1WFZoePxF1wmtHpfofdAEvMzVsZivPRt8uQxro7Fzvy7M4ooghmwYH\nIMRjo/YnwR8I8QrG8BPzMFsi5sV7APRJqx+YlVp+V8IiLw5YjDPqAkwR2qKNxvIT\nkJdeGBxGk8aB2NJpJ3yJa1jzRH16o1cwVTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud\nDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAdBgNVHQ4EFgQUgvgQi1YU\n7XenURkFKopQW890UBIwCwYJYIZIAWUDBAMCA0gAMEUCICyuDYon7MOKP+c7y3ee\nllaYkzuGrh7xow/Zn+pSf00HAiEAir6w02nR2p5fMysYYkQGm0raaSOXNZU97DAH\nGFgiCY0=\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUJSa6BHZgOfU/KXuE7UAFldAS2f4wCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABKDWHClg3k9inDvNOwE0uOTR8Y9XkP7dxvPbzqJN\nn8ePIgvamOmc3ltw6M6FrqQeQCVyVzhc8f5d0+4TlwMRHeqjcjBwMB0GA1UdDgQW\nBBSkk2kR6PJF4+nBsqVYWHzf73pxqTAfBgNVHSMEGDAWgBS5apVyC5CA0HsBkiy2\nz5Zbg2pbQjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgHZJGGK72d+SBz9wz9rmBFyMXRZJj\nN4h9TasQSdfdzJICIAkoLPdvRuJ16nbpDF0O/cDrWrcpfmBnPCQQPsreFNdK\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIBqTCCAU+gAwIBAgIUWJ47cSC3jtZdFK9d7PfVbZrLgAMwCwYJYIZIAWUDBAMC\nMBoxGDAWBgNVBAMMD3g1MDktbGltYm8tcm9vdDAgFw02OTEyMzExOTAwMDBaGA8y\nOTY5MDUwMjE5MDAwMFowGDEWMBQGA1UEAwwNeDUwOS1saW1iby1lZTBZMBMGByqG\nSM49AgEGCCqGSM49AwEHA0IABEOdC6ssyDhu0cUW+w3pDe355sTG8mDHLIdNueLW\nIwFMkn8IbTRZR2YIz5tSUQQClgcQQdpV+jKc3WTA9tL4A3yjcjBwMB0GA1UdDgQW\nBBS6O//Ss9soci9BY9WbQU56HJAb5TAfBgNVHSMEGDAWgBSC+BCLVhTtd6dRGQUq\nilBbz3RQEjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAWBgNVHREEDzANggtleGFt\ncGxlLmNvbTALBglghkgBZQMEAwIDRwAwRAIgTowDDnyuWvYu9Y2Gjgi6sAVJExs3\ncPza20DESmfEaEICIGRXdU7OmJoxJjgnUM5caWSWbCLfuSqXYWVb1NwcmeDV\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, @@ -1623,10 +1669,10 @@ "description": "Produces the following **invalid** chain:\n\n```\nroot -> EE\n```\n\nThe EE cert is signed with a DSA-3072 key, which is not one of the\npermitted signature algorithms under the CA/B BR profile.\n\nThis case is distinct from `forbidden_signature_algorithm_in_root`,\nas DSA keys are forbidden in both places but not all implementations\ncheck both.", "validation_kind": "SERVER", "trusted_certs": [ - "-----BEGIN CERTIFICATE-----\nMIIBjjCCATWgAwIBAgIUd5HqXJ7iI8xrkX+o3o7nCMCMJ/UwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAATYX38Gj23R9mwnTO1Xf+IvAFHFIXqUD0Gaa1gn\nechyzKL0UAFaohCSkc5zs3T4xFUOCBlfiVZqEwYlwCG6T1meo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUkIeef4K7wZrsuzlaW2IHXIRWvzcwCgYIKoZIzj0EAwIDRwAwRAIg\nF+cF+BFXJI49ogDQAUvPTb+xOfZQQ+UmB4AarQ/VYNMCIHXrpHsAKotibojq7+Zy\nr6bWmfTh6YNk2JHl3PR8Cz5F\n-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\nMIIBjzCCATWgAwIBAgIUXkhBf1ySwv+3ttHFHZbKwvwHsucwCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAaMRgwFgYDVQQDDA94NTA5LWxpbWJvLXJvb3QwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARcpGa4Wf/h6cc2ovTItz0uKmUEMwUtOcH/qWly\nfBLG1IOU5cYr+6LBfFcJ5lH/21hprBD6LJ9fqfSikAtPlVFoo1cwVTAPBgNVHRMB\nAf8EBTADAQH/MAsGA1UdDwQEAwICBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAd\nBgNVHQ4EFgQUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCgYIKoZIzj0EAwIDSAAwRQIh\nAJLmgn1wT7jvc1Yc/9ndLOddi61wwIDQF/TpGQCaA0cEAiBGOUC9QwZfVhuwUXkQ\n/lJ+A1D7tNCJ/lpjP0+qHKOjFQ==\n-----END CERTIFICATE-----\n" ], "untrusted_intermediates": [], - "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGGTCCBb+gAwIBAgIUdeR6mvhb0Wq3uGcQtKfPqYDN3PswCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIEyDCCAzoG\nByqGSM44BAEwggMtAoIBgQDpNooXkmxcF7t92tgnldf8emwmmtMo5P4YN5tSfMXF\n0X2kYa0X7lrCxAUAeQvRr8VeC7OxpcWfceUQkZRX6aj8IKXPrDWQEFUCgymH7/xc\nnW0fMaSt9sXhilUUfH0uVfWBcbU6t5Ig2zwsehadApyPkDnR85tU1mQuxZ7wvwwM\nZCIAXL4xFt0iVYMouGweUlzIlD6lg7BHcroBGr4+WqTuHghfEEUFNmLokWQadVFo\n4JMqy11LtcslytvZYEK60ZA7epvwGR3flrhQLHjCts9JMPLYKZPB++0i/+IHSQrY\nWZ1k8z7ze+VeqB+hHrBWD6X6hGo0idSlJdTfaKhZ2tcDR4Jf+ZxnjCa4qxTVcuOB\nUhgyvaqCOB9dp6pwjSLmQSG4O8kNi7Ifgrtf52r9rLahX1SSQ8cyuGfWuLf55ZhV\n0pGAWdt5Sl3p+P6NA/eyoLuyH4mBMzD0kHoZCTZbawMFq+nhgpcfcIj36iBuCvR1\nGvMg4rIDk4M+wtJ4IPoeaKsCIQD1+/dHuyoA6h/eit3QzirEpWLykThtXO+id51Q\nIGs4ewKCAYEAt/Ki7eSKEATE/baJztwNodJfR20ACJLf0dchptwMkWf6lwBI3QTM\n4m0S2nW5vEnkaR66bxloUs/1A/6SEn0YDIZwiVdLJyLECTJeWKiPDeddfCrZIusI\nFWpX+l072mz652T0XnrtTV+fVxMbXQf8VPTmY/aqPzLQR9yh5BF6IK6UmfFrZT7q\nWb3gPyOar1RRocvOgeTaTbwtm+nWCdM8ZEt7HBP7dMqOLgAoyfgEiCV5ap7OG8nH\nQKTx6AYqc1PX+WW67UPToUdfCy5FoZ3FxNPUA92aQ18tSlCx8iqVmtzdtlLvJoT7\nYTJclIAZjIxNgbawuACUVtBQBuzVnV3cgtx6gH9siqQrVSCs/6wLzM1tTXzsT1wI\n8vmt3uFvvOPBl+9WEWmR6QbfNqvQlgxhJ65aMIZPyVsh66Jd/J5uGiNcMHMpIAsl\nwYkdWvkh5yiCoR6ejwP9Jg2mw/uDGY8/rlQ8IOK2h7umsQ3wxSJLUWhOyvT3WUtg\nnLVh9zlODf3sA4IBhgACggGBAKlK0GDzir5nVhTZZdSf0aUUk40ybYcFEJ0gqriy\nfJSrLlGsi5EIXih5krMjJ0kX4iRA5hL1ol1rurvVFbGl9VZ85MaS0BRJFawa9tsg\nk9mcGocJV08ogYHVEqNJHsDhrQg6xGu1hOf7lA4UWYJcjVDSYM9VobvucPs2oIA2\nqijkDGlxG6AggUT+klMGtmhxDyW3wynHczWAZs7Yqgenhd3ueENK+qszjxR112PF\nc7A9oOX14wSPti58Jst8DDRZatTrPMnu6Pkwk+9zhS6to/u3Ac6VnoOzs/c7XTI2\nbCkCY4rgPK0kT23c14QY/gddTZnc30FLj+Dzt8ny9BWY5Cg4Z2A60tUmDICGANAY\nhCoOEzOO2g5caqPzjXwpjwXrnOiwQpKjY7Pn3q+SfoxbDnGyOcIP+X8x3qHiw8j+\n9mWE+QFAcW/CfI7mWFqUVayVZfaXMfTigTxx0aR6K7FFv5gGkJLQTpJo/jfIf65n\n16E51OEZOEZ5huGiENeX9Hl/UKNyMHAwHQYDVR0OBBYEFF8y93eKUEsqDBKgvXrx\nyNi61RAqMB8GA1UdIwQYMBaAFJCHnn+Cu8Ga7Ls5WltiB1yEVr83MAkGA1UdEwQC\nMAAwCwYDVR0PBAQDAgeAMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49\nBAMCA0gAMEUCIQDwlclxHNVg/Fc406pMjxC6QEHDMWSTwsgj7zOxR+fPegIgaFFl\n5Vgv9fZYNB+cOsSzzzdvYZ6OpMqI/pJ/ZJPMKSo=\n-----END CERTIFICATE-----\n", + "peer_certificate": "-----BEGIN CERTIFICATE-----\nMIIGGDCCBb6gAwIBAgIUXrPMvhwnLbHdEKdJUem/gaqQJgowCgYIKoZIzj0EAwIw\nGjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTY5MTIzMTE5MDAwMFoYDzI5\nNjkwNTAyMTkwMDAwWjAYMRYwFAYDVQQDDA14NTA5LWxpbWJvLWVlMIIExzCCAzoG\nByqGSM44BAEwggMtAoIBgQD5JTfiQ9cDByf5nZvKI8oHR0R819fAaoGOhpiOk9qo\nm1AlNK+f2YxbCUc+Hf++isI6g2o0Lc5Ulo+tn+TCqm155KrSavoHjDCXgM6hS/ZV\n2aEzbCgIpZf8mvRNNb4N8Mk8RnWIY49FlK+VjRv3podXC8ojtRzcCQPOvjSsdsqN\nLjIJmjLHCstMkSV954dd4f6C7X/5KNgAoyOcYKIIfJlCg13JQKGGD8Ao9V7P8rpQ\n7cqfI087bSUuB0i4fuvpY4W6kfhy8Q9VJGdScMwm9LsXSn0qutZ1eYx6QWi3E8ZU\nlzkON4lMoa+5khoGbWgWpPwmpkDln839+9pFdpXnCwn3aqEYA0izRcES9TDUjVE2\nCX9dnP+NQunAlASK+57FUzLsL5O9e0YUFGZL/yjWcJe0MJwEvIz4axL7EAKSjjvS\nvuawcwSQnq5GSNlmqywpR+7nhzdDG204VgvItHh6YqktAWM72Io04E30Ei9iNsDG\nqoXd0a+BFl5LJJ3/gnzfVKUCIQCOcMe+jtoWV2Jog98fxgjLxvdQL9Wx4v1cJrId\nh+DydQKCAYEAiJMBqTkAUVw/BHNGpkA9rHLi2/6f3/roq4s45/tKqgpuog2MY8eH\nc2RejdC72/7xL2i2D0tXT43fiZB7RllJmNAfW84SMWJqAjhgIaW6lDz5+ApCxjnb\n/uFVnPoEbaZ2aj0dBO/0y8HFx5k0zF4H4Moj+usQzlvFbZoBXRLfoanq1j2fjs1T\nlzdAQgseWPIEYCeSRhmkpcoYV5O1hYjzHHAO3nCBYVhIXPT2eiHgs9lIrBKOC/Yp\nzEFssaI++bVVYiYhm0R64ARNUj2sbKlgfVC06tJtdDjbUlHZf4K+a+W097XX4e3S\nPFcqJwGjqoc6dRC3U9dzP5wBJYQZGLuaHlUH8Z6TZALW78kf2mQJK2umW5CnRu/h\nFxwPRADOBy88VXai7KGtQfiqg7w45J0dZVgPolcKhOtbHTJwHBwnOnLGubQL4abz\n4yvtE5kq4MWevNudYrSs/tX8hGYslGdzg+oUR2Y485Umy9jpqwnKXd4VdKIPxmhD\nVbDFQmK/DBB+A4IBhQACggGAO+gDG6xWT7T8btYuGn8V3dG80ywcs/tB7T48tzWC\nQMAzXkMf2sM6Uw/KdZ0mkUfvuKtjnPPznTAuasMbW69Sv68wCgq7ilxJJsS6a3zJ\nV+XFPaznf5/MX79jrQtat9/PmiMR7SnuWBbLg+nUR56cl5JjFK+hrPlOO5mnSNAA\ntzW/2nnYtTpSD0bajh6duXgopaw6DpLJSsTYSfqhFWi1tJhX4NLxA3SwSyuk3I3H\nx7nAstTx4cawvwnNk0U9sW7Ks7Mdb5ssnL56UJLi1+Mq10pavAu9jvfOwvKpEie0\nqGlDPy1nORwbmnlG/YE3RvMLvDpSGF++wSC428rYvsiyPoAYhM98aVmmADWGdmSB\nzQCbQMEzTMc4zoKmfUdMDhDRDKCikmmLakDbGGR/MxZkHNUhwjdh+OF0VBKQTIO8\nKN3yGJlZXmMPQasiEleRUe3WGTRxA/bM8jSewKMl4T+PlE/33DfimAcGldTzYiPV\nUSlw7E2I9Weo5Sl2BU5q82RBo3IwcDAdBgNVHQ4EFgQUGke8dl1ot95PzXdWNx3Z\nLDly9z8wHwYDVR0jBBgwFoAUpOsG4JSj6uxs0iyFAi4UnoNaZjYwCQYDVR0TBAIw\nADALBgNVHQ8EBAMCB4AwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0E\nAwIDSAAwRQIhAPcayTRfHxg7dkybh6kuqPAo+9bdp0azdqSLXDtECt+FAiAE6wLH\nOoUORc8KvC8csHAcyyhLRkQUOo5naOPhd9Uv7A==\n-----END CERTIFICATE-----\n", "validation_time": null, "signature_algorithms": null, "key_usage": null, diff --git a/limbo/models.py b/limbo/models.py index 4bfdd539..05afac9a 100644 --- a/limbo/models.py +++ b/limbo/models.py @@ -154,6 +154,11 @@ class Feature(str, Enum): Tests that exercise "pedantic" corners of the CABF profile. """ + pedantic_serial_number = "pedantic-serial-number" + """ + Tests that exercise "pedantic" serial number handling. + """ + class Testcase(BaseModel): """ diff --git a/limbo/testcases/_core.py b/limbo/testcases/_core.py index f8328557..faf7e914 100644 --- a/limbo/testcases/_core.py +++ b/limbo/testcases/_core.py @@ -285,12 +285,11 @@ def leaf_cert( if key is None: key = ec.generate_private_key(ec.SECP256R1()) - builder = x509.CertificateBuilder() + builder = x509.CertificateBuilder(serial_number=serial) builder = builder.subject_name(subject) builder = builder.issuer_name(issuer) builder = builder.not_valid_before(not_before) builder = builder.not_valid_after(not_after) - builder = builder.serial_number(serial) builder = builder.public_key(key.public_key()) # type: ignore[arg-type] builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(key.public_key()), # type: ignore[arg-type] diff --git a/limbo/testcases/rfc5280.py b/limbo/testcases/rfc5280.py index 26aef3e1..9236f46a 100644 --- a/limbo/testcases/rfc5280.py +++ b/limbo/testcases/rfc5280.py @@ -2,6 +2,7 @@ RFC5280 profile tests. """ +import random from datetime import datetime from ipaddress import IPv4Address, IPv4Network @@ -144,9 +145,6 @@ def unknown_critical_extension_intermediate(builder: Builder) -> None: ) -# TODO: Empty serial number, overlength serial number. - - @testcase def critical_aki(builder: Builder) -> None: """ @@ -1409,3 +1407,41 @@ def san_noncritical_with_empty_subject(builder: Builder) -> None: builder.trusted_certs(root).peer_certificate(leaf).expected_peer_name( PeerName(kind="DNS", value="example.com") ).fails() + + +@testcase +def serial_number_too_long(builder: Builder) -> None: + """ + Produces an **invalid** chain due to an invalid EE cert. + + The EE cert contains a serial number longer than 20 octets, which is + disallowed under RFC 5280. + """ + + root = builder.root_ca() + # NOTE: Intentionally generate 22 octets, since many implementations are + # permissive of 21-octet encodings due to signedness errors. + leaf = builder.leaf_cert(root, serial=int.from_bytes(random.randbytes(22), signed=False)) + + builder = builder.server_validation().features([Feature.pedantic_serial_number]) + builder.trusted_certs(root).peer_certificate(leaf).expected_peer_name( + PeerName(kind="DNS", value="example.com") + ).fails() + + +@testcase +def serial_number_zero(builder: Builder) -> None: + """ + Produces an **invalid** chain due to an invalid EE cert. + + The EE cert contains a serial number of zero, which is disallowed + under RFC 5280. + """ + + root = builder.root_ca() + leaf = builder.leaf_cert(root, serial=0) + + builder = builder.server_validation().features([Feature.pedantic_serial_number]) + builder.trusted_certs(root).peer_certificate(leaf).expected_peer_name( + PeerName(kind="DNS", value="example.com") + ).fails()