; Most/all of these test chains use the same structure:
;   root -> ica1 -> ica2 -> ee
; "ica1" is "Intermediate CA 1"
; "ee" is "end-entity", i.e. the client or server certificate itself
;
; In SSL/TLS order, the EE comes first. The root may or may not be included
; as a self-signed certificate.

[key]
name = root-rsa2048
type = RSA
n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
e = 010001

[key]
name = root-p256
type = EC
curve = P-256
q = 047174BAABB9302E81D5E557F9F320680C9CF964DBB4200D6DEA40D04A6E42FDB69A682544F6DF7BC4FCDEDD7BBBC5DB7C763F4166406EDBA787C2E5D8C5F37F8D

[key]
name = root-p384
type = EC
curve = P-384
q = 040ED28B3F7F0A38A6DB72CB4DAC8198C3D595BFABEE2E4A3CC6797F1A272C57AD715F96B5FDA29C4DD87B75B1438B6A92C4FD0282A3080A857F28AB31FF8B49F805470A01EE551F7F27C914E7E780AE474558D6F5539BAE806626514FE560478B

[key]
name = root-p521
type = EC
curve = P-521
q = 040168E669615D1B20F2E753D2C86312F51094D3E5C6CF49E8D73418278CD769FE40A84AD4F34865D59D94D5685B389E0CFD0450754CAE81ED1D4A91D0773F7A002ED701DEF2DBDEFC7554E74CD600693DBDE1A7E09CD9044774C744C7CE575BF8B645FF79FCCE06116F61D44FDAE62D3046F4EB41DECB8219B279A5B8CE2A47F3DF0D463B

[key]
name = root-new
type = EC
curve = P-256
q = 0465D02336D3ACEB9A000B33A6EECA9745EFD72A0F7C0B138FAAA564E705A3269A479BB5A041DC1D244EA1D2BB9639C79187D3D63CEF79EDD1DC65E80027E75997

[key]
name = ica1-rsa2048
type = RSA
n = B3E86BAF9C1652E3810C50AB25CECC0DC7F21F7F50DF2C5C35D6622E632741A7E453A84B27FA1391A3FA094A2F3B5ECF77B38AC1CD49959C750D6474EFE4D74BB9A19B68D2307148EAF74B14DF3F47A9D8BBEC8F28CCFADFB41F947C96FC080528F9E8F42F2FEE629C8A3AE0855860B60F2D30B4C04154914C1F5FADF119F0C022A67DD83F793459427B5BB541C4647F52CF3C3722A12F7925942441C23FFAC775FB48B50D18A7F454F32E6ED84358C4AB50E805AD91B61E0175B3549CDEA09915FBACF15C974951CCEF58126F736BB33414010F5A9DFAAAD693D3E2EAC3ABBC4EEDCC51A1B8F894B6B42CA8862B1FF6514329525E1389B36A78604E4EC01BA5
e = 010001

[key]
name = ica2-rsa2048
type = RSA
n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
e = 010001

[key]
name = ee-rsa2048
type = RSA
n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
e = 010001

[key]
name = ee-p256
type = EC
curve = P-256
q = 045F389DA7FF4D8AAFF63439461AFC3ADFF423AAA9EAFBC508DE008EBE79A537584C6DDD01CAAB47DF89B6C7171F38FC1D2014DD45C0E08F934E380BFCE999A149

[key]
name = ee-p384
type = EC
curve = P-384
q = 0415A488877F3D14830E29A1C2F2C0745CE8CF5E684304D1668972389BA615B34E9648D5A7861E49DFFFBFFFEAD7FC6AF11BC4516C3557332DD86DDFDE2A236CCEA844EBD594CCD3ED5B7AE0061BD6595737B59FE754BCDAB6FE38D34D93DBBF30

[key]
name = ee-p521
type = EC
curve = P-521
q = 040060547ACA9D520FB3272833236CBF8E71AC286A3001FBB1E2C3FD8BAB0817DDE4E4FA53550F120D678F4D55AE4FF36C7C8EAE9E32A08A44FC66F45331E08946077A0139B87FE54B986012A94838C8006034941CD0512E596436D2E8E61CA93585D5C06EAD5094585B5B2A3E013803B3E6AAA1D4156EF09E8352029BB70AC6BF338F918B

; Trust anchor: the root.
[anchor]
name = root
DN_file = dn-root.der
key = root-rsa2048
type = CA

; Trust anchor: root with an ECDSA key (in P-256 curve)
[anchor]
name = root-p256
DN_file = dn-root.der
key = root-p256
type = CA

; Trust anchor: root with an ECDSA key (in P-384 curve)
[anchor]
name = root-p384
DN_file = dn-root.der
key = root-p384
type = CA

; Trust anchor: root with an ECDSA key (in P-521 curve)
[anchor]
name = root-p521
DN_file = dn-root.der
key = root-p521
type = CA

; Trust anchor: another root with an ECDSA key (in P-256 curve)
[anchor]
name = root-new
DN_file = dn-root-new.der
key = root-new
type = CA

; Intermediate CA 1 as trust anchor.
[anchor]
name = ica1
DN_file = dn-ica1.der
key = ica1-rsa2048
type = CA

; Intermediate CA 2 as trust anchor.
[anchor]
name = ica2
DN_file = dn-ica2.der
key = ica2-rsa2048
type = CA

; EE certificate as trust anchor (direct trust only).
[anchor]
name = ee
DN_file = dn-ee.der
key = ee-rsa2048
type = EE

; Base valid chain.
[chain]
name = base
anchors = root
chain = ee.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Valid chain except that no trust anchor is provided; this should fail
; with BR_ERR_X509_NOT_TRUSTED.
[chain]
name = noTA
anchors =
chain = ee.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 62

; Use of intermediate CA 1 as anchor (extra certificates are ignored).
[chain]
name = anchorICA1
anchors = ica1
chain = ee.crt ica2.crt junk.crt junk.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Use of intermediate CA 2 as anchor (extra certificates are ignored).
[chain]
name = anchorICA2
anchors = ica2
chain = ee.crt junk.crt junk.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Direct trust of EE.
[chain]
name = directTrust
anchors = ee
chain = ee.crt junk.crt junk.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Server name check: name does not match the SAN nor the CN.
[chain]
name = wrongName1
anchors = root
chain = ee.crt ica2.crt ica1.crt
servername = foo.example.com
keytype = RSA
keyusage = KEYX
status = 56

; Server name check: name matches the CN but not the SAN, and there is
; a SAN so the CN is ignored.
[chain]
name = wrongName2
anchors = root
chain = ee-names.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 56

; Server name check: name does not match CN, but matches the first SAN
; name.
[chain]
name = goodName1
anchors = root
chain = ee-names.crt ica2.crt ica1.crt
servername = foo.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Server name check: name does not match CN, but matches the second SAN
; name.
[chain]
name = goodName2
anchors = root
chain = ee-names.crt ica2.crt ica1.crt
servername = barqux.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Server name check: no SAN, but the CN matches the server name.
[chain]
name = goodName3
anchors = root
chain = ee-names2.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Server name check: no SAN, and the CN does not match the server name.
[chain]
name = wrongName3
anchors = root
chain = ee-names2.crt ica2.crt ica1.crt
servername = foo.example.com
keytype = RSA
keyusage = KEYX
status = 56

; Server name check: no SAN, and the CN does not match the server name,
; although its byte contents seem to match (but with BMPString encoding).
[chain]
name = wrongName4
anchors = root
chain = ee-names3.crt ica2.crt ica1.crt
servername = www1.example.com
keytype = RSA
keyusage = KEYX
status = 56

; Server name check: no SAN, and the CN uses BMPString encoding, but we
; do not actually request a server name check, so this should pass.
[chain]
name = ignoreName1
anchors = root
chain = ee-names3.crt ica2.crt ica1.crt
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Wildcard processing: the name 'localhost' should not match because
; the engine recognises the wildcard only in a '*.' starting sequence,
; so the lone '*' in a SAN will not be accepted.
[chain]
name = wildcard1
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = localhost
keytype = RSA
keyusage = KEYX
status = 56

; Wildcard processing: the name 'example.com' will be matched by '*.com'.
[chain]
name = wildcard2
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Wildcard processing: the name 'www.example.com' will be matched by
; '*.example.com'.
[chain]
name = wildcard3
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Wildcard processing: the name 'foo.foo.example.com' will not be matched by
; 'foo.*.example.com' because we accept the wildcard only in the first name
; component.
[chain]
name = wildcard4
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = foo.foo.example.com
keytype = RSA
keyusage = KEYX
status = 56

; Wildcard processing: the name 'foo.bar.example.com' will not be matched by
; 'foo.*.example.com', but '*.bar.example.com' will fit.
[chain]
name = wildcard5
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = foo.bar.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Wildcard processing: the name 'foo.bar.example.foobar' will not be matched by
; '*.*.example.foobar' because we support only a single level of wildcard.
[chain]
name = wildcard6
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = foo.bar.example.foobar
keytype = RSA
keyusage = KEYX
status = 56

; Wildcard processing: the name 'foo.*.example.foobar' will be matched
; by '*.*.example.foobar' because the '*' in the provided server name matches
; the second '*' in '*.*.example.foobar'. This is a corner case with no
; practical impact because expected server names are usually extracted from
; URL and cannot have embedded '*' in them.
[chain]
name = wildcard7
anchors = root
chain = ee-names4.crt ica2.crt ica1.crt
servername = foo.*.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Hash function support: the chain uses only SHA-256.
[chain]
name = hashSHA256Only
anchors = root
chain = ee.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
hashes = sha256
eekey = ee-rsa2048
status = 0

; Hash function support: the chain uses only SHA-256.
[chain]
name = hashSHA256Unsupported
anchors = root
chain = ee.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
hashes = md5 sha1 sha224 sha384 sha512
status = 49

; Hash function support: signature on EE uses SHA-1.
[chain]
name = hashSHA1
anchors = root
chain = ee-sha1.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Hash function support: signature on EE uses SHA-224.
[chain]
name = hashSHA224
anchors = root
chain = ee-sha224.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Hash function support: signature on EE uses SHA-384.
[chain]
name = hashSHA384
anchors = root
chain = ee-sha384.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Hash function support: signature on EE uses SHA-512.
[chain]
name = hashSHA512
anchors = root
chain = ee-sha512.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Hash function support: signature on EE uses MD5. This is rejected by
; the engine (even though MD5 is supported as a hash function).
[chain]
name = hashMD5
anchors = root
chain = ee-md5.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 49

; EE certificate has trailing garbage (an extra byte), which should be
; rejected.
[chain]
name = trailingGarbage
anchors = root
chain = ee-trailing.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 40

; Signature on EE certificate is incorrect (one byte modified in signature).
[chain]
name = badSignature1
anchors = root
chain = ee-badsig1.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 52

; Signature on EE certificate is incorrect (one byte modified in serial
; number).
[chain]
name = badSignature2
anchors = root
chain = ee-badsig2.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 52

; Signature on EE certificate is incorrect but this is ignored because we
; use a direct trust model here.
[chain]
name = ignoredSignature1
anchors = ee
chain = ee-badsig1.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Signature on EE certificate is incorrect but this is ignored because we
; use a direct trust model here.
[chain]
name = ignoredSignature2
anchors = ee
chain = ee-badsig2.crt ica2.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Intermediate CA 1 has a 1016-bit RSA key, which should be rejected
; with BR_ERR_X509_WEAK_PUBLIC_KEY.
[chain]
name = rsa1016
anchors = root
chain = ee.crt ica2-1016.crt ica1-1016.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 60

; Intermediate CA 1 has a 1017-bit RSA key, which should be accepted
; (because that's 128 bytes, which is the lower limit).
[chain]
name = rsa1017
anchors = root
chain = ee.crt ica2-1017.crt ica1-1017.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; Intermediate CA 1 has a 4096-bit RSA key, which should be supported.
[chain]
name = rsa4096
anchors = root
chain = ee.crt ica2-4096.crt ica1-4096.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; EE is valid from 2010/02/17 11:40:35 to 2098/07/20 15:11:08. The
; start date is in UTCTime, the end date is in GeneralizedTime.
[chain]
name = date1
anchors = ica2
chain = ee-dates.crt ica2.crt ica1.crt
time = 2010-02-17 11:40:34Z
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 54

; EE is valid from 2010/02/17 11:40:35 to 2098/07/20 15:11:08. The
; start date is in UTCTime, the end date is in GeneralizedTime.
[chain]
name = date2
anchors = ica2
chain = ee-dates.crt ica2.crt ica1.crt
time = 2010-02-17 11:40:36Z
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; EE is valid from 2010/02/17 11:40:35 to 2098/07/20 15:11:08. The
; start date is in UTCTime, the end date is in GeneralizedTime.
[chain]
name = date3
anchors = ica2
chain = ee-dates.crt ica2.crt ica1.crt
time = 2098-07-20 15:11:07Z
servername = www.example.com
keytype = RSA
keyusage = KEYX
eekey = ee-rsa2048
status = 0

; EE is valid from 2010/02/17 11:40:35 to 2098/07/20 15:11:08. The
; start date is in UTCTime, the end date is in GeneralizedTime.
[chain]
name = date4
anchors = ica2
chain = ee-dates.crt ica2.crt ica1.crt
time = 2098-07-20 15:11:09Z
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 54

; Intermediate CA 2 certificate is not a CA.
[chain]
name = notCA
anchors = root
chain = ee-dates.crt ica2-notCA.crt ica1.crt
servername = www.example.com
keytype = RSA
keyusage = KEYX
status = 58

; A chain using ECDSA with P-256.
[chain]
name = secp256r1
anchors = root-p256
chain = ee-p256.crt ica2-p256.crt ica1-p256.crt
servername = www.example.com
keytype = EC
keyusage = SIGN
eekey = ee-p256
status = 0

; A chain using ECDSA with P-384.
[chain]
name = secp384r1
anchors = root-p384
chain = ee-p384.crt ica2-p384.crt ica1-p384.crt
servername = www.example.com
keytype = EC
keyusage = SIGN
eekey = ee-p384
status = 0

; A chain using ECDSA with P-521.
[chain]
name = secp521r1
anchors = root-p521
chain = ee-p521.crt ica2-p521.crt ica1-p521.crt
servername = www.example.com
keytype = EC
keyusage = SIGN
eekey = ee-p521
status = 0

; A chain using ECDSA with P-256, signature on EE uses SHA-1.
[chain]
name = secp256r1-sha1
anchors = root-p256
chain = ee-p256-sha1.crt ica2-p256.crt ica1-p256.crt
servername = www.example.com
Gerratykeytype = EC 627*0957b409SSimon J. Gerratykeyusage = SIGN 628*0957b409SSimon J. Gerratyeekey = ee-p256 629*0957b409SSimon J. Gerratystatus = 0 630*0957b409SSimon J. Gerraty 631*0957b409SSimon J. Gerraty; A chain using ECDSA with P-256, signature on EE uses SHA-224. 632*0957b409SSimon J. Gerraty[chain] 633*0957b409SSimon J. Gerratyname = secp256r1-sha224 634*0957b409SSimon J. Gerratyanchors = root-p256 635*0957b409SSimon J. Gerratychain = ee-p256-sha224.crt ica2-p256.crt ica1-p256.crt 636*0957b409SSimon J. Gerratyservername = www.example.com 637*0957b409SSimon J. Gerratykeytype = EC 638*0957b409SSimon J. Gerratykeyusage = SIGN 639*0957b409SSimon J. Gerratyeekey = ee-p256 640*0957b409SSimon J. Gerratystatus = 0 641*0957b409SSimon J. Gerraty 642*0957b409SSimon J. Gerraty; A chain using ECDSA with P-256, signature on EE uses SHA-256. 643*0957b409SSimon J. Gerraty[chain] 644*0957b409SSimon J. Gerratyname = secp256r1-sha256 645*0957b409SSimon J. Gerratyanchors = root-p256 646*0957b409SSimon J. Gerratychain = ee-p256-sha256.crt ica2-p256.crt ica1-p256.crt 647*0957b409SSimon J. Gerratyservername = www.example.com 648*0957b409SSimon J. Gerratykeytype = EC 649*0957b409SSimon J. Gerratykeyusage = SIGN 650*0957b409SSimon J. Gerratyeekey = ee-p256 651*0957b409SSimon J. Gerratystatus = 0 652*0957b409SSimon J. Gerraty 653*0957b409SSimon J. Gerraty; A chain using ECDSA with P-256, signature on EE uses SHA-384. 654*0957b409SSimon J. Gerraty[chain] 655*0957b409SSimon J. Gerratyname = secp256r1-sha384 656*0957b409SSimon J. Gerratyanchors = root-p256 657*0957b409SSimon J. Gerratychain = ee-p256-sha384.crt ica2-p256.crt ica1-p256.crt 658*0957b409SSimon J. Gerratyservername = www.example.com 659*0957b409SSimon J. Gerratykeytype = EC 660*0957b409SSimon J. Gerratykeyusage = SIGN 661*0957b409SSimon J. Gerratyeekey = ee-p256 662*0957b409SSimon J. Gerratystatus = 0 663*0957b409SSimon J. Gerraty 664*0957b409SSimon J. 
Gerraty; A chain using ECDSA with P-256, signature on EE uses SHA-512. 665*0957b409SSimon J. Gerraty[chain] 666*0957b409SSimon J. Gerratyname = secp256r1-sha512 667*0957b409SSimon J. Gerratyanchors = root-p256 668*0957b409SSimon J. Gerratychain = ee-p256-sha512.crt ica2-p256.crt ica1-p256.crt 669*0957b409SSimon J. Gerratyservername = www.example.com 670*0957b409SSimon J. Gerratykeytype = EC 671*0957b409SSimon J. Gerratykeyusage = SIGN 672*0957b409SSimon J. Gerratyeekey = ee-p256 673*0957b409SSimon J. Gerratystatus = 0 674*0957b409SSimon J. Gerraty 675*0957b409SSimon J. Gerraty; EE certificate has a Certificate Policies extension, but it is not 676*0957b409SSimon J. Gerraty; critical. 677*0957b409SSimon J. Gerraty[chain] 678*0957b409SSimon J. Gerratyname = certpol-noncrit 679*0957b409SSimon J. Gerratyanchors = root-new 680*0957b409SSimon J. Gerratychain = ee-cp1.crt 681*0957b409SSimon J. Gerratyservername = www.example.com 682*0957b409SSimon J. Gerratykeytype = RSA 683*0957b409SSimon J. Gerratykeyusage = KEYX 684*0957b409SSimon J. Gerratyeekey = ee-rsa2048 685*0957b409SSimon J. Gerratystatus = 0 686*0957b409SSimon J. Gerraty 687*0957b409SSimon J. Gerraty; EE certificate has a critical Certificate Policies extension, but it 688*0957b409SSimon J. Gerraty; contains no policy qualifier. 689*0957b409SSimon J. Gerraty[chain] 690*0957b409SSimon J. Gerratyname = certpol-noqual 691*0957b409SSimon J. Gerratyanchors = root-new 692*0957b409SSimon J. Gerratychain = ee-cp2.crt 693*0957b409SSimon J. Gerratyservername = www.example.com 694*0957b409SSimon J. Gerratykeytype = RSA 695*0957b409SSimon J. Gerratykeyusage = KEYX 696*0957b409SSimon J. Gerratyeekey = ee-rsa2048 697*0957b409SSimon J. Gerratystatus = 0 698*0957b409SSimon J. Gerraty 699*0957b409SSimon J. Gerraty; EE certificate has a critical Certificate Policies extension, and it 700*0957b409SSimon J. Gerraty; contains some qualifiers, but they are all id-qt-cps. 701*0957b409SSimon J. Gerraty[chain] 702*0957b409SSimon J. 
Gerratyname = certpol-qualcps 703*0957b409SSimon J. Gerratyanchors = root-new 704*0957b409SSimon J. Gerratychain = ee-cp3.crt 705*0957b409SSimon J. Gerratyservername = www.example.com 706*0957b409SSimon J. Gerratykeytype = RSA 707*0957b409SSimon J. Gerratykeyusage = KEYX 708*0957b409SSimon J. Gerratyeekey = ee-rsa2048 709*0957b409SSimon J. Gerratystatus = 0 710*0957b409SSimon J. Gerraty 711*0957b409SSimon J. Gerraty; EE certificate has a critical Certificate Policies extension, and it 712*0957b409SSimon J. Gerraty; contains a qualifier distinct from id-qt-cps. This implies rejection 713*0957b409SSimon J. Gerraty; of the path. 714*0957b409SSimon J. Gerraty[chain] 715*0957b409SSimon J. Gerratyname = certpol-qualother 716*0957b409SSimon J. Gerratyanchors = root-new 717*0957b409SSimon J. Gerratychain = ee-cp4.crt 718*0957b409SSimon J. Gerratyservername = www.example.com 719*0957b409SSimon J. Gerratykeytype = RSA 720*0957b409SSimon J. Gerratykeyusage = KEYX 721*0957b409SSimon J. Gerratyeekey = ee-rsa2048 722*0957b409SSimon J. Gerratystatus = 57 723