My working unpac space for OCaml projects in development

Merge opam/patches/x509

+11830
+5
vendor/opam/x509/.gitignore
··· 1 + _build/ 2 + *.install 3 + .merlin 4 + 5 + random/
+354
vendor/opam/x509/CHANGES.md
··· 1 + ## v1.0.6 (2025-04-15) 2 + 3 + * Update tests to mirage-crypto-rng 1.2.0 API (@hannesm) 4 + * Certificate.fold_pem_multiple: improve error message (#180 @hannesm) 5 + 6 + ## v1.0.5 (2024-10-28) 7 + 8 + * Removed links to nqsb (we're no longer in charge of that domain) 9 + (6398b0c2a24e1a09d494d93ac65423eca9d7de24) 10 + 11 + ## v1.0.4 (2024-09-29) 12 + 13 + * **breaking change** Allow decoding of negative serial numbers (#177 @hannesm) 14 + Now, `serial` returns the entire (integer) value as a string - previously the 15 + potentially leading 0 byte was removed. So: 16 + -serial d795 49bd 1a67 1751 17 + +serial 00d7 9549 bd1a 6717 51 18 + fixes in 38cc70a54d2d98526564733838769d82b10679fc and #179 (#178 @dinosaure) 19 + * Add alternate SHA1RSA OID 1.3.14.3.2.29 (#176 @mefyl) 20 + * Allow custom pretty printers for unknown X509 extensions (#175 @reynir) 21 + * Minor code cleanups: remove unused algorithms, remove `def` and `def'` 22 + (#177 @hannesm) 23 + 24 + ## v1.0.3 (2024-09-04) 25 + 26 + * Use the opam package kdf instead of pbkdf (@hannesm #174) 27 + 28 + ## v1.0.2 (2024-08-25) 29 + 30 + * Fix RSA public and private key encoding and decoding (@hannesm #172, reported 31 + by @anmonteiro #171) 32 + 33 + ## v1.0.1 (2024-08-06) 34 + 35 + * Speedup PEM decoding and encoding significantly (@hannesm #170) 36 + 37 + ## v1.0.0 (2024-07-20) 38 + 39 + * **breaking change** Replace `Cstruct.t` by `string` (@dinosaure, @hannesm, #167) 40 + * Remove P224 (@dinosaure, @hannes, #166) - which was removed in mirage-crypto-ec 1.0.0 41 + * **breaking change** The serial number of certificates is a `string` and enforced to be a positive 42 + integer of at most 20 bytes in length (@hannesm, #167) 43 + * **breaking change** `Authenticator.server_key_fingerprint` and 44 + `Authenticator.server_cert_fingerprint` are now known as 45 + `Authenticator.key_fingerprint` and `Authenticator.cert_fingerprint` 46 + respectively to better reflect that they do not check extended key usage 
is 47 + "server" and may as well be used for authenticating clients (@reynir, #164) 48 + * Add Certificate.fold_decode_pem_multiple to decode multiple pem encoded certificates and make the error handling explicit (ignore, log, fail on first error). Motivated by mirage/ca-certs#30 (@art-w #169) 49 + 50 + ## v0.16.5 (2023-07-03) 51 + 52 + * Always embed local_key_id in PKCS12 bags (reported #163 by @NightBlues, 53 + revised and implemented by @hannesm) 54 + 55 + ## v0.16.4 (2023-02-13) 56 + 57 + * Adapt to mirage-crypto-rng 0.11.0 API changes (#162 @hannesm) 58 + 59 + ## v0.16.3 (2023-02-04) 60 + 61 + * Validation: allow self-signed server certificate with BasicConstraints CA=true 62 + (reported by @mbacarella in mirleft/ocaml-tls#446 63 + (https://github.com/lightningnetwork/lnd/issues/5450), fix #161 by @hannesm) 64 + 65 + ## v0.16.2 (2022-10-05) 66 + 67 + * Improve parse error message of Authenticator.of_string (mirage/ocaml-git#593 68 + by @dinosaure, mirage/ocaml-git#582 by @reynir) 69 + 70 + ## v0.16.1 (2022-09-14) 71 + 72 + * Support ECDSA signatures where the hash algorithm output length exceeds the 73 + size of the elliptic curve (by truncating, and using the leftmost bits). 74 + Reported as #158 by @torinnd, fixed in #159 by @hannesm 75 + 76 + ## v0.16.0 (2022-02-15) 77 + 78 + * Provide X509.Authenticator.of_string to construct an Authenticator.t from 79 + a string (@dinosaure #156, reviewed by @hannesm) 80 + * Minor documentation fixes (#157 @hannesm) 81 + 82 + ## v0.15.2 (2021-11-22) 83 + 84 + * Provide X509.Private_key.of_string (as used by awa and dns-certify). This 85 + takes a b64 encoded raw private key or a seed. 
(@reynir @hannesm #155) 86 + 87 + ## v0.15.1 (2021-10-26) 88 + 89 + * avoid usae of deprecated functions of fmt (@hannesm) 90 + * remove rresult dependency (@hannesm) 91 + 92 + ## v0.15.0 (2021-09-27) 93 + 94 + * FEATURE support validation of an IP address in the leaf certificate 95 + (#152 #153 @reynir @hannesm) 96 + * FEATURE provide Certificate.ips and Certificate.supports_ip 97 + (#152 @reynir @hannesm) 98 + * BREAKING revise certificate and public key fingerprint authenticators API: 99 + now a single fingerprint is supported, previously a list of pairs of 100 + hostname and fingerprint was used (#153 @hannesm) 101 + * BREAKING The Authenticator.t type has been extended with ?ip:Ipaddr.t 102 + (#153 @hannesm) 103 + 104 + ## v0.14.1 (2021-08-04) 105 + 106 + * Use Cstruct.length instead of deprecated Cstruct.len, bump minimum cstruct 107 + to 6.0.0 (#151 by @hannesm) 108 + 109 + ## v0.14.0 (2021-06-17) 110 + 111 + * FEATURE support Online Certificate Status Protocol (OCSP, RFC 6960) 112 + (#148 @NightBlues, #149 @hannesm) 113 + 114 + ## v0.13.0 (2021-04-22) 115 + 116 + * FEATURE support for RFC 5915 "BEGIN EC PRIVATE KEY" pem encoded private keys 117 + (#147 @hannesm, requested by @ulrikstrid) 118 + * BREAKING remove EC_pub _ from Public_key.t and EC _ from Certificate.key_type 119 + (#147 by @hannesm) 120 + * BREAKING move Certificate.key_type to Key_type.t (#147 @hannesm) 121 + * FEATURE some private key utilities (of_cstruct, generate, sign), and 122 + Public_key.verify (#report #146, fix #147 @hannesm) 123 + * BREAKING rename hash_whitelist to allowed_hashes (#147 @hannesm) 124 + * BREAKING provide Key_type.signature_scheme and use across the API 125 + (#147 @hannesm) 126 + 127 + ## v0.12.0 (2021-04-05) 128 + 129 + * FEATURE PKCS12 support (#114 by @hannesm) 130 + * FEATURE ECDSA and EDDSA support via mirage-crypto-ec (#145 by @hannesm) 131 + This breaks some clients since the Private_key.t and Public_key.t variants 132 + are extended (may result in partial 
pattern matches of users of this library). 133 + * CRL.is_revoked has `crls` as last parameter to avoid warning 16 134 + (4.12 compatibility) (#144 by @hannesm) 135 + * Signing_request.sign: add optional labelled argument `~subject` to allow 136 + changing the subject when signing a signing request (#139 by @reynir) 137 + * BUGFIX Encoding of Distinguished_name components (adhere to specification) 138 + DomainComponent and EMail are now serialised using a IA5String; Serialnumber, 139 + CountryName and DnQualifier as PrintableString (reported in #69, fixed #140 140 + by @NightBlues) 141 + * BREAKING Remove `~sloppy` from Private_key.decode_{pem,der}. The seemingly 142 + bad RSA keys were valid and should have been accepted by mirage-crypto. 143 + (#142 by @psafont) 144 + 145 + ## v0.11.2 (2020-05-14) 146 + 147 + * Private_key.decode_{pem,der} now has a `~sloppy` option to recover from 148 + bad keys (where e.g. the private exponent d is wrong). 149 + (#135 by @hannesm, reported by @mattjbray in mirage/mirage-crypto#62) 150 + 151 + ## v0.11.1 (2020-04-27) 152 + 153 + * open variant for errors to make the composable (#133 by @dinosaure, 154 + review by @hannesm) 155 + * BUGFIX avoid fractional seconds in generalized_time: truncate on serialising, 156 + validate them to be 0 on deserialising, as required in RFC 5280 4.1.2.5.2 157 + (#134 by @hannesm, reported by @ansiwen) 158 + 159 + ## v0.11.0 (2020-04-07) 160 + 161 + * BREAKING Validation.validate_raw_signature results in a 162 + `(unit, signature_error) result` and logs (Logs.warn) if a weak (non-SHA2) 163 + hash algorithm was used. This function is used for verifying signatures 164 + on certificates, signing requests, and certificate revocation lists. 165 + * The `` `CAInvalidSelfSignature `` constructor (Validation.ca_error) and 166 + `` `ChainInvalidSignature `` constructor (Validation.chain_validation_error) 167 + have been removed. 
168 + * BREAKING The polymorphic variant `Validation.chain_error` is now flat (the 169 + tags `` `Chain `` and `` `Leaf `` have been removed) 170 + * BREAKING Adapted return type of CRL.validate and CRL.verify 171 + * The pretty-printer Public_key.pp is now provided 172 + * All implemented by @hannesm in #132 based on private conversation with @cfcs 173 + (who kindly reviewed the changes) 174 + 175 + ## v0.10.0 (2020-03-11) 176 + 177 + * BREAKING #131 use mirage-crypto and mirage-crypto-pk instead of nocrypto 178 + raise lower OCaml bound to 4.07.0, test 4.10.0 in CI 179 + * BREAKING #131 Certificate.Host_set is now Host.Set, and has pretty-printers 180 + * BREAKING #131 Authenticator.null was removed (fixes #130, suggested by @emillon) 181 + * BREAKING #131 Authenticator.t now requires (non-optional) ~host and ~time 182 + arguments which may return an option. This allows to more easily spot the 183 + cases where None is provided. Also, time is (unit -> Ptime.t option) instead 184 + of Ptime.t -- thus the timestamp at the time of certificate verification is 185 + used instead of the time of Authenticator construction. Similar changes in 186 + Validation for verify_chain, verify_chain_of_trust, trust_key_fingerprint, 187 + trust_cert_fingerprint. 188 + fixes #130, suggested by @emillon 189 + 190 + ## v0.9.0 (2020-01-22) 191 + 192 + * BREAKING add a whitelist of hash algorithms used for signatures. 
The default 193 + whitelist is the SHA-2 family (without SHA-224), Validation.valid_ca{,s} use 194 + all algorithms as default 195 + reported by @emillon in #123, fixed in #128 196 + * BREAKING Certificate.hostnames and Signing_request.hostnames (new) return a 197 + set of [`Wildcard|`Strict] * [`host] Domain_name.t (Certificate.Host_set.t) 198 + reported by @mmaker in #88, fixed in #127 199 + * BREAKING #127 Signing_request.sign returns a result type now, an error is 200 + returned if the signing request was not properly signed 201 + * BREAKING #127 Validation.{verify_chain_of_trust, trust_key_fingerprint, 202 + trust_cert_fingerptint} and the type Authenticator.t changed, no longer use 203 + of a Certificate.host, but instead a [`host] Domain_name.t (previously, it was 204 + a pair) 205 + * BUGFIX support AlgorithmIdentifier of RSA signature algorithms with parameter 206 + not present 207 + reported by @Ulrar in #108, fixed in #129 208 + * BUGFIX #127 preserve a signed signing request (Country in a DN sometimes uses 209 + a non-utf8 string encoding) 210 + * remove deprecation from Validation.trust_cert_fingerprint and 211 + Authenticator.server_cert_fingerprint 212 + requested by @mben-romdhane in #125, fixed in #126 213 + * Certificate.signature_algorithm, CRL.signature_algorithm, and 214 + Signing_request.signature_algorithm are now provided, returning a 215 + ([`RSA|`ECDSA] * Nocrypto.Hash.hash) option 216 + requested by @psafont in #123, fixed in #128 217 + 218 + ## v0.8.1 (2019-10-10) 219 + 220 + * export Private_key.decode_der and encode_der 221 + 222 + ## v0.8.0 (2019-10-10) 223 + 224 + * export X509.Distinguished_name.common_name : t -> string option, which 225 + extracts the common name of a distinguished name 226 + * Distinguished_name.t is now a Relative_distinguished_name.t list, a 227 + Relative_distinguished_name is a Set.S with element type attribute, a variant. 
228 + It used to be an attribute (expressed as GADT) Gmap.t, but this representation 229 + did not conform to RFC 5280, reported by @paurkedal (#117, fixed by #118) 230 + * Now using Set.find_first_opt, which bumps lower OCaml bound to 4.05.0 231 + * Improved pretty-printing for DNs including RFC 4514 conformance (@paurkedal, #119). 232 + * Extension.pp now outputs extension key and its value (#120) 233 + * rename Distinguished_name.SP constructor (stateOrProvince) to ST, as widely used (#121) 234 + * support Street and UID in Distinguished_name to satisfy RFC 4514 demands (#121) 235 + 236 + ## v0.7.1 (2019-08-09) 237 + 238 + * revert General_name.t (DNS and IP components) to string/Cstruct.t list 239 + - NameConstraints uses DNSname with strings with leading dots (.example.com), 240 + which are not valid RFC1034 domain names 241 + - NameConstraints uses IP with IP/netmask, i.e. using 8 octets for an IPv4 242 + address 243 + - X509.Certificate.hostnames still return a Domain_name.Set.t 244 + - reported by @reynir 245 + * drop ipaddr dependency 246 + 247 + ## 0.7.0 (2019-07-24) 248 + 249 + * major restructuring, it is unlikely any pre-0.7.0 users will work with 0.7.0+ 250 + * remove sexp de&encoders 251 + * provide pretty-printers for validation errors (and types) instead of to_string functions 252 + * use result type and Rresult instead of custom result types and control monad 253 + * use a GADT map for certificate & csr extensions, distinguished names, general names (avoiding multiple extensions with the same OID, uses the gmap library) 254 + * use domain-name library for hostname validation (instead of custom string matching) 255 + * use ipaddr library for IPs in SubjectAlternativeName extension 256 + * remove Encoding module, provide {en,de}code_{der,pem} in the respective modules (which decoders return (_, [> `Msg of string ]) result, no exceptions raised) 257 + * fix DistributionPoint extension: the CRLissuer is a GeneralName, not a DistinguishedName 258 + * 
remove Extension.reason_code (Extension.reason was there before, and is now used) 259 + * remove bindings from toplevel, t is now Certificate.t, public_key is now Public_key.t 260 + * use alcotest instead of oUnit 261 + 262 + ## 0.6.3 (2019-04-02) 263 + 264 + * provide X509.Encoding.distinguished_name_of_cs -- similar to #87 which provided distinguished_name_to_cs 265 + * provide X509.Encoding.{public_key_of_cstruct,public_key_to_cstruct}, as requested by @dinosaure 266 + * support of cstruct 4.0.0, which split up the sexp de&encoders 267 + * removes result dependency (now requires >= 4.04.2) 268 + * upgrades opam file to version 2.0 269 + * build system is now dune 270 + 271 + ## 0.6.2 (2018-08-24) 272 + 273 + * compatibility with ppx_sexp_conv >v0.11.0 (#109), required for 4.07.0 274 + 275 + ## 0.6.1 (2017-12-21) 276 + 277 + * provide X509.distinguished_name sexp converter (#103) 278 + * drop non-exported X509_types module from distinguished_name (#102, @yomimono) 279 + 280 + ## 0.6.0 (2017-12-13) 281 + 282 + * Certificate Revocation List (CRL) support (#99) 283 + * track asn1-combinators 0.2.0 changes (#97) 284 + * provide Extension.subject_alt_names (#95) 285 + * compute length of certificate length, instead of hardcoding 4 (#95) 286 + * enable safe-string (#89) 287 + * use astring instead of custom String_ext.split (#89) 288 + * use topkg instead of oasis (#88, #89) 289 + * provide Encoding.cs_of_distinguished_name (#87 by @reynir) 290 + 291 + ## 0.5.3 (2016-09-13) 292 + 293 + * provide Encoding.parse_signing_request and Encoding.cs_of_signing_request (#81) 294 + * provide validity : t -> (Time.t * Time.t) (#86, fixes #85) 295 + 296 + ## 0.5.2 (2016-04-13) 297 + 298 + * fix building of certificate paths 299 + 300 + ## 0.5.1 (2016-03-21) 301 + 302 + * use ppx_sexp_conv instead of sexplib.syntax 303 + * no more Stream syntax, use lists 304 + 305 + ## 0.5.0 (2015-12-04) 306 + 307 + * avoid dependency on sexplib.syntax (#55) 308 + * document how to combine 
extensions and a CSR into a certificate (@reynir, #63 #64) 309 + * expose `fingerprint : t -> hash -> Cstruct.t`, the hash of the certificate (@cfcs, #66) 310 + * trust_fingerprint / server_fingerprint are renamed to trust_cert_fingerprint / server_cert_fingerprint (now deprecated!) 311 + * fingerprint public keys (rather than certificates): trust_key_fingerprint / server_key_fingerprint 312 + * build certificate paths from the received set (RFC 4158) instead of requiring a strict chain (#74) 313 + * the given trust anchors to `Authenticator.chain_of_trust` are not validated (to contain KeyUsage / BasicConstraint extensions) anymore, users can use `valid_ca` and `valid_cas` to filter CAs upfront 314 + 315 + ## 0.4.0 (2015-07-02) 316 + 317 + * certificate signing request support (PKCS10) 318 + * basic CA functionality (in CA module): create and sign certificate signing requests 319 + * PEM encoding of X.509 certificates, RSA public and private keys, and certificate signing requests 320 + * new module Extension contains X509v3 extensions as polymorphic variants 321 + * expose distinguished_name as polymorphic variant 322 + * type pubkey is now public_key 323 + * function cert_pubkey is now public_key 324 + * functions supports_usage, supports_extended_usage are now in Extension module 325 + * types key_usage, extended_key_usage are now in Extension module 326 + * Encoding.Pem.Cert has been renamed to Encoding.Pem.Certificate 327 + * Encoding.Pem.PK has been renamed to Encoding.Pem.Private_key (now uses type private_key instead of Nocrypto.Rsa.priv) 328 + 329 + ## 0.3.1 (2015-05-02) 330 + 331 + * PKCS8 private key info support (only unencrypted keys so far) 332 + 333 + ## 0.3.0 (2015-03-19) 334 + 335 + * more detailed error messages (type certificate_failure modified) 336 + * no longer Printf.printf debug messages 337 + * error reporting: `Ok of certificate option | `Fail of certificate_failure 338 + * fingerprint verification can work with None as host (useful for 
client authentication where host is not known upfront) 339 + * API reshape: X509 is the only public module, X509.t is the abstract certificate 340 + 341 + ## 0.2.1 (2014-12-21) 342 + 343 + * server_fingerprint authenticator which validates the server certificate based on a hash algorithm and (server_name * fingerprint) list instead of a set of trust anchors 344 + * whitelist CAcert certificates (which do not include mandatory X.509v3 KeyUsage extension) 345 + 346 + ## 0.2.0 (2014-10-30) 347 + 348 + * expose Certificate.cert_hostnames, wildcard_matches 349 + * Certificate.verify_chain_of_trust and X509.authenticate both return now 350 + [ `Ok of certificate | `Fail of certificate_failure ], where [certificate] is the trust anchor 351 + 352 + ## 0.1.0 (2014-07-08) 353 + 354 + * initial beta release
+23
vendor/opam/x509/LICENSE.md
··· 1 + Copyright (c) 2014, David Kaloper and Hannes Mehnert 2 + All rights reserved. 3 + 4 + Redistribution and use in source and binary forms, with or without 5 + modification, are permitted provided that the following conditions are met: 6 + 7 + * Redistributions of source code must retain the above copyright notice, this 8 + list of conditions and the following disclaimer. 9 + 10 + * Redistributions in binary form must reproduce the above copyright notice, 11 + this list of conditions and the following disclaimer in the documentation 12 + and/or other materials provided with the distribution. 13 + 14 + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 18 + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20 + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 21 + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 22 + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+22
vendor/opam/x509/README.md
··· 1 + ## X.509 - Public Key Infrastructure purely in OCaml 2 + 3 + %%VERSION%% 4 + X.509 is a public key infrastructure used mostly on the Internet. It consists 5 + of certificates which include public keys and identifiers, signed by an 6 + authority. Authorities must be exchanged over a second channel to establish the 7 + trust relationship. This library implements most parts of 8 + [RFC5280](https://tools.ietf.org/html/rfc5280) and 9 + [RFC6125](https://tools.ietf.org/html/rfc6125). The 10 + [Public Key Cryptography Standards (PKCS)](https://en.wikipedia.org/wiki/PKCS) 11 + defines encoding and decoding in ASN.1 DER and PEM format, which is also 12 + implemented by this library - namely PKCS 1, PKCS 7, PKCS 8, PKCS 9 and PKCS 10. 13 + 14 + Read our [Usenix Security 2015 paper](https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/kaloper-mersinjak). 15 + 16 + ## Documentation 17 + 18 + [API documentation](https://mirleft.github.io/ocaml-x509/doc) 19 + 20 + ## Installation 21 + 22 + `opam install x509` will install this library.
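Review bot: `%%VERSION%%` on line 3 of vendor/opam/x509/README.md is still the unsubstituted placeholder, which suggests this copy was taken from a source checkout rather than a release archive, and none of the files shown here record which upstream revision was vendored. The newest CHANGES.md entry is v1.0.6 (2025-04-15); suggest stating that version, together with the upstream commit it was taken from, in the merge commit message or in a small file beside the vendored directory, so later updates and audits have a fixed reference to diff against.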
+2
vendor/opam/x509/dune-project
··· 1 + (lang dune 2.0) 2 + (name x509)
+385
vendor/opam/x509/lib/algorithm.ml
··· 1 + open Asn.S 2 + open Asn_grammars 3 + 4 + (* This type really conflates three things: the set of pk algos that describe 5 + * the public key, the set of hashes, and the set of hash+pk algo combinations 6 + * that describe digests. The three are conflated because they are generated by 7 + * the same ASN grammar, AlgorithmIdentifier, to keep things close to the 8 + * standards. 9 + * 10 + * It's expected that downstream code with pick a subset and add a catch-all 11 + * that handles unsupported algos anyway. 12 + *) 13 + 14 + type ec_curve = 15 + [ `SECP256R1 | `SECP384R1 | `SECP521R1 ] 16 + 17 + let ec_curve_to_string = function 18 + | `SECP256R1 -> "SECP256R1" 19 + | `SECP384R1 -> "SECP384R1" 20 + | `SECP521R1 -> "SECP521R1" 21 + 22 + type t = 23 + 24 + (* pk algos *) 25 + (* any more? is the universe big enough? ramsey's theorem for pk cyphers? *) 26 + | RSA 27 + | EC_pub of ec_curve 28 + 29 + (* sig algos *) 30 + | MD5_RSA 31 + | SHA1_RSA 32 + | SHA256_RSA 33 + | SHA384_RSA 34 + | SHA512_RSA 35 + | SHA224_RSA 36 + | ECDSA_SHA1 37 + | ECDSA_SHA224 38 + | ECDSA_SHA256 39 + | ECDSA_SHA384 40 + | ECDSA_SHA512 41 + 42 + | ED25519 43 + 44 + (* digest algorithms *) 45 + | MD5 46 + | SHA1 47 + | SHA256 48 + | SHA384 49 + | SHA512 50 + | SHA224 51 + 52 + (* HMAC algorithms *) 53 + | HMAC_SHA1 54 + | HMAC_SHA224 55 + | HMAC_SHA256 56 + | HMAC_SHA384 57 + | HMAC_SHA512 58 + 59 + (* symmetric block ciphers *) 60 + | AES128_CBC of string 61 + | AES192_CBC of string 62 + | AES256_CBC of string 63 + 64 + (* PBE encryption algorithms *) 65 + | SHA_RC4_128 of string * int 66 + | SHA_RC4_40 of string * int 67 + | SHA_3DES_CBC of string * int 68 + | SHA_2DES_CBC of string * int 69 + | SHA_RC2_128_CBC of string * int 70 + | SHA_RC2_40_CBC of string * int 71 + 72 + | PBKDF2 of string * int * int option * t 73 + | PBES2 of t * t 74 + 75 + let to_string = function 76 + | RSA -> "RSA" 77 + | EC_pub curve -> ec_curve_to_string curve 78 + | MD5_RSA -> "RSA MD5" 79 + | SHA1_RSA -> 
"RSA SHA1" 80 + | SHA256_RSA -> "RSA SHA256" 81 + | SHA384_RSA -> "RSA SHA384" 82 + | SHA512_RSA -> "RSA SHA512" 83 + | SHA224_RSA -> "RSA SHA224" 84 + | ECDSA_SHA1 -> "ECDSA SHA1" 85 + | ECDSA_SHA224 -> "ECDSA SHA224" 86 + | ECDSA_SHA256 -> "ECDSA SHA256" 87 + | ECDSA_SHA384 -> "ECDSA SHA384" 88 + | ECDSA_SHA512 -> "ECDSA SHA512" 89 + | ED25519 -> "Ed25519" 90 + | MD5 -> "MD5" 91 + | SHA1 -> "SHA1" 92 + | SHA256 -> "SHA256" 93 + | SHA384 -> "SHA384" 94 + | SHA512 -> "SHA512" 95 + | SHA224 -> "SHA224" 96 + | HMAC_SHA1 -> "HMAC SHA1" 97 + | HMAC_SHA224 -> "HMAC SHA224" 98 + | HMAC_SHA256 -> "HMAC SHA256" 99 + | HMAC_SHA384 -> "HMAC SHA384" 100 + | HMAC_SHA512 -> "HMAC SHA512" 101 + | AES128_CBC _ -> "AES128 CBC" 102 + | AES192_CBC _ -> "AES192 CBC" 103 + | AES256_CBC _ -> "AES256 CBC" 104 + | SHA_RC4_128 (_, _) -> "PBES: SHA RC4 128" 105 + | SHA_RC4_40 (_, _) -> "PBES: SHA RC4 40" 106 + | SHA_3DES_CBC (_, _) -> "PBES: SHA 3DES CBC" 107 + | SHA_2DES_CBC (_, _) -> "PBES: SHA 2DES CBC" 108 + | SHA_RC2_128_CBC (_, _) -> "PBES: SHA RC2 128" 109 + | SHA_RC2_40_CBC (_, _) -> "PBES: SHA RC2 40" 110 + | PBKDF2 (_, _, _, _) -> "PBKDF2" 111 + | PBES2 (_, _) -> "PBES2" 112 + 113 + let to_hash = function 114 + | MD5 -> Some `MD5 115 + | SHA1 -> Some `SHA1 116 + | SHA224 -> Some `SHA224 117 + | SHA256 -> Some `SHA256 118 + | SHA384 -> Some `SHA384 119 + | SHA512 -> Some `SHA512 120 + | _ -> None 121 + 122 + and of_hash = function 123 + | `MD5 -> MD5 124 + | `SHA1 -> SHA1 125 + | `SHA224 -> SHA224 126 + | `SHA256 -> SHA256 127 + | `SHA384 -> SHA384 128 + | `SHA512 -> SHA512 129 + 130 + and to_hmac = function 131 + | HMAC_SHA1 -> Some `SHA1 132 + | HMAC_SHA224 -> Some `SHA224 133 + | HMAC_SHA256 -> Some `SHA256 134 + | HMAC_SHA384 -> Some `SHA384 135 + | HMAC_SHA512 -> Some `SHA512 136 + | _ -> None 137 + 138 + and of_hmac = function 139 + | `SHA1 -> HMAC_SHA1 140 + | `SHA224 -> HMAC_SHA224 141 + | `SHA256 -> HMAC_SHA256 142 + | `SHA384 -> HMAC_SHA384 143 + | `SHA512 -> HMAC_SHA512 
144 + 145 + and to_key_type = function 146 + | RSA -> Some `RSA 147 + | EC_pub curve -> Some (`EC curve) 148 + | ED25519 -> Some `ED25519 149 + | _ -> None 150 + 151 + and of_key_type = function 152 + | `RSA -> RSA 153 + | `EC curve -> EC_pub curve 154 + | `ED25519 -> ED25519 155 + 156 + and to_signature_algorithm = function 157 + | MD5_RSA -> Some (`RSA_PKCS1, `MD5) 158 + | SHA1_RSA -> Some (`RSA_PKCS1, `SHA1) 159 + | SHA256_RSA -> Some (`RSA_PKCS1, `SHA256) 160 + | SHA384_RSA -> Some (`RSA_PKCS1, `SHA384) 161 + | SHA512_RSA -> Some (`RSA_PKCS1, `SHA512) 162 + | SHA224_RSA -> Some (`RSA_PKCS1, `SHA224) 163 + | ECDSA_SHA1 -> Some (`ECDSA, `SHA1) 164 + | ECDSA_SHA224 -> Some (`ECDSA, `SHA224) 165 + | ECDSA_SHA256 -> Some (`ECDSA, `SHA256) 166 + | ECDSA_SHA384 -> Some (`ECDSA, `SHA384) 167 + | ECDSA_SHA512 -> Some (`ECDSA, `SHA512) 168 + | ED25519 -> Some (`ED25519, `SHA512) 169 + | _ -> None 170 + 171 + and of_signature_algorithm public_key_algorithm digest = 172 + match public_key_algorithm, digest with 173 + | (`RSA_PKCS1, `MD5) -> MD5_RSA 174 + | (`RSA_PKCS1, `SHA1) -> SHA1_RSA 175 + | (`RSA_PKCS1, `SHA256) -> SHA256_RSA 176 + | (`RSA_PKCS1, `SHA384) -> SHA384_RSA 177 + | (`RSA_PKCS1, `SHA512) -> SHA512_RSA 178 + | (`RSA_PKCS1, `SHA224) -> SHA224_RSA 179 + | (`ECDSA, `SHA1) -> ECDSA_SHA1 180 + | (`ECDSA, `SHA224) -> ECDSA_SHA224 181 + | (`ECDSA, `SHA256) -> ECDSA_SHA256 182 + | (`ECDSA, `SHA384) -> ECDSA_SHA384 183 + | (`ECDSA, `SHA512) -> ECDSA_SHA512 184 + | (`ED25519, _) -> ED25519 185 + | _ -> failwith "unsupported signature scheme and hash" 186 + 187 + (* XXX 188 + * 189 + * PKCS1/RFC5280 allows params to be `ANY', depending on the algorithm. I don't 190 + * know of one that uses anything other than NULL and OID, however, so we accept 191 + * only that. 192 + 193 + RFC 3279 Section 2.2.1 defines for RSA Signature Algorithms SHALL have null 194 + as parameter, but certificates in the wild don't contain the parameter field 195 + at all (it is optional). 
We accept both, and output a null paramter. 196 + Section 2.2.2 specifies DSA to have a null parameter, 197 + Section 2.2.3 specifies ECDSA to have a null parameter, 198 + Section 2.3.1 specifies rsaEncryption (for RSA public keys) requires null. 199 + *) 200 + 201 + let curve_of_oid, curve_to_oid = 202 + let open Registry.ANSI_X9_62 in 203 + (let default oid = Asn.(S.parse_error "Unknown algorithm %a" OID.pp oid) in 204 + case_of_oid ~default [ 205 + (secp256r1, `SECP256R1) ; 206 + (secp384r1, `SECP384R1) ; 207 + (secp521r1, `SECP521R1) ; 208 + ]), 209 + (function 210 + | `SECP256R1 -> secp256r1 211 + | `SECP384R1 -> secp384r1 212 + | `SECP521R1 -> secp521r1) 213 + 214 + let identifier = 215 + let open Registry in 216 + 217 + let f = 218 + let none x = function 219 + | None -> x 220 + | _ -> parse_error "Algorithm: expected no parameters" 221 + and null x = function 222 + | Some (`C1 ()) -> x 223 + | _ -> parse_error "Algorithm: expected null parameters" 224 + and null_or_none x = function 225 + | None | Some (`C1 ()) -> x 226 + | _ -> parse_error "Algorithm: expected null or none parameter" 227 + and oid f = function 228 + | Some (`C2 id) -> f id 229 + | _ -> parse_error "Algorithm: expected parameter OID" 230 + and pbe f = function 231 + | Some (`C3 `PBE pbe) -> f pbe 232 + | _ -> parse_error "Algorithm: expected parameter PBE" 233 + and pbkdf2 f = function 234 + | Some (`C3 `PBKDF2 params) -> f params 235 + | _ -> parse_error "Algorithm: expected parameter PBKDF2" 236 + and pbes2 f = function 237 + | Some (`C3 `PBES2 params) -> f params 238 + | _ -> parse_error "Algorithm: expected parameter PBES2" 239 + and octets f = function 240 + | Some (`C4 salt) -> f salt 241 + | _ -> parse_error "Algorithm: expected parameter octet_string" 242 + and default oid = Asn.(S.parse_error "Unknown algorithm %a" OID.pp oid) 243 + in 244 + 245 + case_of_oid_f ~default [ 246 + 247 + (ANSI_X9_62.ec_pub_key, oid (fun id -> EC_pub (curve_of_oid id))) ; 248 + 249 + 
(PKCS1.rsa_encryption , null RSA ) ; 250 + (PKCS1.md5_rsa_encryption , null_or_none MD5_RSA ) ; 251 + (PKCS1.sha1_rsa_encryption , null_or_none SHA1_RSA ) ; 252 + (sha1_rsa_encryption , null_or_none SHA1_RSA ) ; 253 + (PKCS1.sha256_rsa_encryption , null_or_none SHA256_RSA ) ; 254 + (PKCS1.sha384_rsa_encryption , null_or_none SHA384_RSA ) ; 255 + (PKCS1.sha512_rsa_encryption , null_or_none SHA512_RSA ) ; 256 + (PKCS1.sha224_rsa_encryption , null_or_none SHA224_RSA ) ; 257 + 258 + (ANSI_X9_62.ecdsa_sha1 , none ECDSA_SHA1 ) ; 259 + (ANSI_X9_62.ecdsa_sha224 , none ECDSA_SHA224 ) ; 260 + (ANSI_X9_62.ecdsa_sha256 , none ECDSA_SHA256 ) ; 261 + (ANSI_X9_62.ecdsa_sha384 , none ECDSA_SHA384 ) ; 262 + (ANSI_X9_62.ecdsa_sha512 , none ECDSA_SHA512 ) ; 263 + 264 + (RFC8410.ed25519 , none ED25519 ) ; 265 + 266 + (md5 , null MD5 ) ; 267 + (sha1 , null SHA1 ) ; 268 + (sha256 , null SHA256 ) ; 269 + (sha384 , null SHA384 ) ; 270 + (sha512 , null SHA512 ) ; 271 + (sha224 , null SHA224 ) ; 272 + 273 + (PKCS2.hmac_sha1 , null HMAC_SHA1 ); 274 + (PKCS2.hmac_sha224 , null HMAC_SHA224 ); 275 + (PKCS2.hmac_sha256 , null HMAC_SHA256 ); 276 + (PKCS2.hmac_sha384 , null HMAC_SHA384 ); 277 + (PKCS2.hmac_sha512 , null HMAC_SHA512 ); 278 + 279 + (PKCS5.aes128_cbc , octets (fun iv -> AES128_CBC iv)); 280 + (PKCS5.aes192_cbc , octets (fun iv -> AES192_CBC iv)); 281 + (PKCS5.aes256_cbc , octets (fun iv -> AES256_CBC iv)); 282 + 283 + (PKCS12.pbe_with_SHA_and_128Bit_RC4, pbe (fun (s, i) -> SHA_RC4_128 (s, i))) ; 284 + (PKCS12.pbe_with_SHA_and_40Bit_RC4, pbe (fun (s, i) -> SHA_RC4_40 (s, i))) ; 285 + (PKCS12.pbe_with_SHA_and_3_KeyTripleDES_CBC, pbe (fun (s, i) -> SHA_3DES_CBC (s, i))) ; 286 + (PKCS12.pbe_with_SHA_and_2_KeyTripleDES_CBC, pbe (fun (s, i) -> SHA_2DES_CBC (s, i))) ; 287 + (PKCS12.pbe_with_SHA_and_128Bit_RC2_CBC, pbe (fun (s, i) -> SHA_RC2_128_CBC (s, i))) ; 288 + (PKCS12.pbe_with_SHA_and_40Bit_RC2_CBC, pbe (fun (s, i) -> SHA_RC2_40_CBC (s, i))) ; 289 + 290 + (PKCS5.pbkdf2, pbkdf2 (fun (s, 
i, l, m) -> PBKDF2 (s, i, l, m))) ; 291 + (PKCS5.pbes2, pbes2 (fun (oid, oid') -> PBES2 (oid, oid'))) 292 + ] 293 + 294 + and g = 295 + let none = None 296 + and null = Some (`C1 ()) 297 + and oid id = Some (`C2 id) 298 + and pbe (s, i) = Some (`C3 (`PBE (s, i))) 299 + and pbkdf2 (s, i, k, m) = Some (`C3 (`PBKDF2 (s, i, k, m))) 300 + and pbes2 (oid, oid') = Some (`C3 (`PBES2 (oid, oid'))) 301 + and octets data = Some (`C4 data) 302 + in 303 + function 304 + | EC_pub id -> (ANSI_X9_62.ec_pub_key , oid (curve_to_oid id)) 305 + 306 + | RSA -> (PKCS1.rsa_encryption , null) 307 + | MD5_RSA -> (PKCS1.md5_rsa_encryption , null) 308 + | SHA1_RSA -> (PKCS1.sha1_rsa_encryption , null) 309 + | SHA256_RSA -> (PKCS1.sha256_rsa_encryption , null) 310 + | SHA384_RSA -> (PKCS1.sha384_rsa_encryption , null) 311 + | SHA512_RSA -> (PKCS1.sha512_rsa_encryption , null) 312 + | SHA224_RSA -> (PKCS1.sha224_rsa_encryption , null) 313 + 314 + | ECDSA_SHA1 -> (ANSI_X9_62.ecdsa_sha1 , none) 315 + | ECDSA_SHA224 -> (ANSI_X9_62.ecdsa_sha224 , none) 316 + | ECDSA_SHA256 -> (ANSI_X9_62.ecdsa_sha256 , none) 317 + | ECDSA_SHA384 -> (ANSI_X9_62.ecdsa_sha384 , none) 318 + | ECDSA_SHA512 -> (ANSI_X9_62.ecdsa_sha512 , none) 319 + 320 + | ED25519 -> (RFC8410.ed25519 , none) 321 + 322 + | MD5 -> (md5 , null) 323 + | SHA1 -> (sha1 , null) 324 + | SHA256 -> (sha256 , null) 325 + | SHA384 -> (sha384 , null) 326 + | SHA512 -> (sha512 , null) 327 + | SHA224 -> (sha224 , null) 328 + 329 + | HMAC_SHA1 -> (PKCS2.hmac_sha1 , null) 330 + | HMAC_SHA224 -> (PKCS2.hmac_sha224 , null) 331 + | HMAC_SHA256 -> (PKCS2.hmac_sha256 , null) 332 + | HMAC_SHA384 -> (PKCS2.hmac_sha384 , null) 333 + | HMAC_SHA512 -> (PKCS2.hmac_sha512 , null) 334 + 335 + | AES128_CBC iv -> (PKCS5.aes128_cbc , octets iv) 336 + | AES192_CBC iv -> (PKCS5.aes192_cbc , octets iv) 337 + | AES256_CBC iv -> (PKCS5.aes256_cbc , octets iv) 338 + 339 + | SHA_RC4_128 (s, i) -> (PKCS12.pbe_with_SHA_and_128Bit_RC4, pbe (s, i)) 340 + | SHA_RC4_40 (s, i) -> 
(PKCS12.pbe_with_SHA_and_40Bit_RC4, pbe (s, i)) 341 + | SHA_3DES_CBC (s, i) -> (PKCS12.pbe_with_SHA_and_3_KeyTripleDES_CBC, pbe (s, i)) 342 + | SHA_2DES_CBC (s, i) -> (PKCS12.pbe_with_SHA_and_2_KeyTripleDES_CBC, pbe (s, i)) 343 + | SHA_RC2_128_CBC (s, i) -> (PKCS12.pbe_with_SHA_and_128Bit_RC2_CBC, pbe (s, i)) 344 + | SHA_RC2_40_CBC (s, i) -> (PKCS12.pbe_with_SHA_and_40Bit_RC2_CBC, pbe (s, i)) 345 + 346 + | PBKDF2 (s, i, k, m) -> (PKCS5.pbkdf2, pbkdf2 (s, i, k, m)) 347 + | PBES2 (oid, oid') -> (PKCS5.pbes2, pbes2 (oid, oid')) 348 + in 349 + 350 + fix (fun id -> 351 + let pbkdf2_or_pbe_or_pbes2_params = 352 + (* TODO PBKDF2 should support `C2 oid (saltSources) *) 353 + let f (salt, count, (* key_len, *) prf) = 354 + match salt, count, (* key_len, *) prf with 355 + | `C1 salt, Some count, (* None, *) None -> `PBE (salt, count) 356 + | `C1 salt, Some count, (* x, *) Some prf -> `PBKDF2 (salt, count, None, prf) 357 + | `C2 oid, None, (* None, *) Some oid' -> `PBES2 (oid, oid') 358 + | _ -> parse_error "bad parameters" 359 + and g = function 360 + | `PBE (salt, count) -> (`C1 salt, Some count, (* None, *) None) 361 + | `PBKDF2 (salt, count, _key_len, prf) -> (`C1 salt, Some count, (* key_len, *) Some prf) 362 + | `PBES2 (oid, oid') -> (`C2 oid, None, (* None, *) Some oid') 363 + in 364 + map f g @@ 365 + sequence3 366 + (required ~label:"salt" (choice2 octet_string id)) 367 + (optional ~label:"iteration count" int) (* modified - required for pbkdf2/pbes *) 368 + (* (optional ~label:"key length" int) (* should be there and optional *) *) 369 + (optional ~label:"prf" id) (* only present in pbkdf2 / pbes2 *) 370 + in 371 + map f g @@ 372 + sequence2 373 + (required ~label:"algorithm" oid) 374 + (optional ~label:"params" 375 + (choice4 null oid pbkdf2_or_pbe_or_pbes2_params octet_string))) 376 + 377 + let ecdsa_sig = 378 + sequence2 379 + (required ~label:"r" unsigned_integer) 380 + (required ~label:"s" unsigned_integer) 381 + 382 + let ecdsa_sig_of_octets, 
ecdsa_sig_to_octets = 383 + projections_of Asn.der ecdsa_sig 384 + 385 + let pp fmt x = Fmt.string fmt (to_string x)
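Review bot: In `pbkdf2_or_pbe_or_pbes2_params` the PBKDF2 key length is commented out of the `sequence3` grammar, so `f` always yields `None` for it on decode and `g` silently drops `_key_len` on encode. A caller that builds a PBKDF2 value with `Some` key length gets output without it, and input that carries the optional INTEGER has no slot in this grammar. Either restore `(optional ~label:"key length" int)` with a four-element sequence, or make `g` reject `Some _` so the loss is not silent. The iteration count is declared `optional` while its comment says it is required; the `| _ -> parse_error "bad parameters"` arm covers that case, but a more specific message would help whoever has to debug a rejected file.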
+74
vendor/opam/x509/lib/asn_grammars.ml
··· 1 + let src = Logs.Src.create "x509.decoding" ~doc:"X509 decoding" 2 + module Log = (val Logs.src_log src : Logs.LOG) 3 + 4 + let ( let* ) = Result.bind 5 + 6 + let decode codec cs = 7 + let* a, cs = Asn.decode codec cs in 8 + if String.length cs = 0 then Ok a else Error (`Parse "Leftover") 9 + 10 + let projections_of encoding asn = 11 + let c = Asn.codec encoding asn in (decode c, Asn.encode c) 12 + 13 + module Hashtbl(T : Hashtbl.HashedType) = struct 14 + include Hashtbl.Make (T) 15 + let of_assoc xs = 16 + let ht = create 16 in List.iter (fun (a, b) -> add ht a b) xs; ht 17 + end 18 + 19 + module OID_H = Hashtbl (struct 20 + type t = Asn.oid let (equal, hash) = Asn.OID.(equal, hash) 21 + end) 22 + 23 + let case_of_oid ~default xs = 24 + let ht = OID_H.of_assoc xs in fun a -> 25 + try OID_H.find ht a with Not_found -> default a 26 + 27 + let case_of_oid_f ~default xs = 28 + let ht = OID_H.of_assoc xs in fun (a, b) -> 29 + (try OID_H.find ht a with Not_found -> default a) b 30 + 31 + (* 32 + * A way to parse by propagating (and contributing to) exceptions, so those can 33 + * be handles up in a single place. Meant for parsing embedded structures. 34 + * 35 + * XXX Would be nicer if combinators could handle embedded structures. 36 + *) 37 + let project_exn asn = 38 + let c = Asn.(codec der) asn in 39 + let dec cs = match decode c cs with 40 + | Ok a -> a 41 + | Error err -> Asn.S.error err in 42 + (dec, Asn.encode c) 43 + 44 + let err_to_msg f = Result.map_error (function `Parse msg -> `Msg msg) f 45 + 46 + (* specified in RFC 5280 4.1.2.5.2 - "MUST NOT include fractional seconds" *) 47 + let generalized_time_no_frac_s = 48 + Asn.S.(map 49 + (fun x -> 50 + if Ptime.Span.(equal zero (Ptime.frac_s x)) then 51 + x 52 + else 53 + parse_error "generalized time has fractional seconds") 54 + (fun y -> Ptime.truncate ~frac_s:0 y) 55 + generalized_time) 56 + 57 + (* serial number, as defined in RFC 5280 4.1.2.2: must be > 0 and not be longer 58 + than 20 octets. 
we accept 0. 59 + we also accept < 0, but when encoding mandate >= 0! 60 + *) 61 + let serial = 62 + Asn.S.(map 63 + (fun x -> 64 + if String.length x > 20 then parse_error "serial exceeds 20 octets"; 65 + if String.length x > 0 && String.get_uint8 x 0 > 0x7F then 66 + Log.warn (fun m -> m "negative serial number %a" Ohex.pp x); 67 + x) 68 + (fun y -> 69 + if String.length y > 20 then failwith "serial exceeds 20 octets"; 70 + if String.length y > 0 && String.get_uint8 y 0 > 0x7F then 71 + "\x00" ^ y 72 + else 73 + y) 74 + integer)
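Review bot: In the encoder half of `serial`, the 20-octet limit is checked before the `"\x00"` prefix is added, so a 20-octet value with the high bit set is emitted as 21 octets, which the decoder half of the same codec rejects with "serial exceeds 20 octets". Check the length after the prefix is applied, or cap the input at 19 octets when the first byte is above 0x7F. The encoder also raises with `failwith` where the decoder uses `parse_error`; documenting that `Failure` can escape from encoding, or reporting the error the same way on both sides, would save callers a surprise.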
+83
vendor/opam/x509/lib/authenticator.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + type t = ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 4 + Certificate.t list -> Validation.r 5 + 6 + (* XXX 7 + * Authenticator just hands off a list of certs. Should be indexed. 8 + * *) 9 + let chain_of_trust ~time ?crls ?(allowed_hashes = Validation.sha2) cas = 10 + let revoked = match crls with 11 + | None -> None 12 + | Some crls -> Some (Crl.is_revoked crls ~allowed_hashes) 13 + in 14 + fun ?ip ~host certificates -> 15 + Validation.verify_chain_of_trust ?ip ~host ~time ?revoked ~allowed_hashes 16 + ~anchors:cas certificates 17 + 18 + let key_fingerprint ~time ~hash ~fingerprint = 19 + fun ?ip ~host certificates -> 20 + Validation.trust_key_fingerprint ?ip ~host ~time ~hash ~fingerprint certificates 21 + 22 + let cert_fingerprint ~time ~hash ~fingerprint = 23 + fun ?ip ~host certificates -> 24 + Validation.trust_cert_fingerprint ?ip ~host ~time ~hash ~fingerprint certificates 25 + 26 + let hash_of_string = function 27 + | "sha224" -> Ok `SHA224 28 + | "sha256" -> Ok `SHA256 29 + | "sha384" -> Ok `SHA384 30 + | "sha512" -> Ok `SHA512 31 + | hash -> Error (`Msg (Fmt.str "Unknown hash algorithm %S" hash)) 32 + 33 + let fingerprint_of_string s = 34 + let* d = 35 + Result.map_error 36 + (function `Msg m -> 37 + `Msg (Fmt.str "Invalid base64 encoding in fingerprint (%s): %S" m s)) 38 + (Base64.decode ~pad:false s) 39 + in 40 + Ok d 41 + 42 + let format = 43 + {| 44 + The format of an authenticator is: 45 + - [none]: no authentication 46 + - [key-fp(:<hash>?):<base64-encoded fingerprint>]: to authenticate a peer via 47 + its key fingerprintf (hash is optional and defaults to SHA256) 48 + - [cert-fp(:<hash>?):<base64-encoded fingerprint>]: to authenticate a peer via 49 + its certificate fingerprint (hash is optional and defaults to SHA256) 50 + - [trust-anchor(:<base64-encoded DER certificate>)+] to authenticate a peer from 51 + a list of certificates (certificate must be in PEM format witthout header and 52 + footer 
(----BEGIN CERTIFICATE----) and without newlines). 53 + |} 54 + 55 + let of_string str = 56 + begin match String.split_on_char ':' str with 57 + | [ "key-fp" ; hash ; tls_key_fingerprint ] -> 58 + let* hash = hash_of_string (String.lowercase_ascii hash) in 59 + let* fingerprint = fingerprint_of_string tls_key_fingerprint in 60 + Ok (fun time -> key_fingerprint ~time ~hash ~fingerprint) 61 + | [ "key-fp" ; tls_key_fingerprint ] -> 62 + let* fingerprint = fingerprint_of_string tls_key_fingerprint in 63 + Ok (fun time -> key_fingerprint ~time ~hash:`SHA256 ~fingerprint) 64 + | [ "cert-fp" ; hash ; tls_cert_fingerprint ] -> 65 + let* hash = hash_of_string (String.lowercase_ascii hash) in 66 + let* fingerprint = fingerprint_of_string tls_cert_fingerprint in 67 + Ok (fun time -> cert_fingerprint ~time ~hash ~fingerprint) 68 + | [ "cert-fp" ; tls_cert_fingerprint ] -> 69 + let* fingerprint = fingerprint_of_string tls_cert_fingerprint in 70 + Ok (fun time -> cert_fingerprint ~time ~hash:`SHA256 ~fingerprint) 71 + | "trust-anchor" :: certs -> 72 + let* anchors = 73 + List.fold_left (fun acc s -> 74 + let* acc = acc in 75 + let* der = Base64.decode ~pad:false s in 76 + let* cert = Certificate.decode_der der in 77 + Ok (cert :: acc)) 78 + (Ok []) certs 79 + in 80 + Ok (fun time -> chain_of_trust ~time (List.rev anchors)) 81 + | [ "none" ] -> Ok (fun _ ?ip:_ ~host:_ _ -> Ok None) 82 + | _ -> Error (`Msg (Fmt.str "Invalid TLS authenticator: %S" str)) 83 + end |> Result.map_error (function `Msg e -> `Msg (e ^ format))
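Review bot: In `of_string`, the `"trust-anchor" :: certs` arm also matches a bare `trust-anchor` with no certificates, although `format` documents `(...)+`; the result is a `chain_of_trust` authenticator with an empty anchor list instead of a parse error. Match on the empty list and return `Error` so a truncated configuration value is reported at parse time. `fingerprint_of_string` likewise accepts any number of decoded bytes; comparing the length against the digest size of the selected hash would catch a cut-off fingerprint early. The `format` text has typos (`fingerprintf`, `witthout`) and shows the PEM marker with four dashes.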
+264
vendor/opam/x509/lib/certificate.ml
··· 1 + (* 2 + * X509 certs 3 + *) 4 + type tBSCertificate = { 5 + version : [ `V1 | `V2 | `V3 ] ; 6 + serial : string ; 7 + signature : Algorithm.t ; 8 + issuer : Distinguished_name.t ; 9 + validity : Ptime.t * Ptime.t ; 10 + subject : Distinguished_name.t ; 11 + pk_info : Public_key.t ; 12 + issuer_id : string option ; 13 + subject_id : string option ; 14 + extensions : Extension.t 15 + } 16 + 17 + type certificate = { 18 + tbs_cert : tBSCertificate ; 19 + signature_algo : Algorithm.t ; 20 + signature_val : string 21 + } 22 + 23 + (* 24 + * There are two reasons to carry octets around: 25 + * - we still need to hack on the octets to get bytes to hash 26 + * ( this needs to go ) 27 + * - we need a cs to send to the peer 28 + * It's a bit ugly to have two levels, and both are better solved by extending 29 + * the asn parser and writer respectively, but until then there needs to be one 30 + * place that hides the existence of this pair. 31 + *) 32 + type t = { 33 + asn : certificate ; 34 + raw : string 35 + } 36 + 37 + module Asn = struct 38 + open Asn.S 39 + open Asn_grammars 40 + 41 + let version = 42 + map (function 2 -> `V3 | 1 -> `V2 | 0 -> `V1 | _ -> parse_error "unknown version") 43 + (function `V3 -> 2 | `V2 -> 1 | `V1 -> 0) 44 + int 45 + 46 + let time = 47 + let f = function `C1 t -> t | `C2 t -> t 48 + and g t = 49 + let (y, _, _) = Ptime.to_date t in 50 + if y < 2050 then `C1 t else `C2 t in 51 + map f g (choice2 utc_time generalized_time_no_frac_s) 52 + 53 + let validity = 54 + sequence2 55 + (required ~label:"not before" time) 56 + (required ~label:"not after" time) 57 + 58 + let unique_identifier = bit_string_octets 59 + 60 + let tBSCertificate = 61 + let f = fun (a, (b, (c, (d, (e, (f, (g, (h, (i, j))))))))) -> 62 + let extn = match j with None -> Extension.empty | Some xs -> xs in 63 + { version = Option.value ~default:`V1 a ; serial = b ; 64 + signature = c ; issuer = d ; 65 + validity = e ; subject = f ; 66 + pk_info = g ; issuer_id = h ; 67 + 
subject_id = i ; extensions = extn } 68 + and g = fun 69 + { version = a ; serial = b ; 70 + signature = c ; issuer = d ; 71 + validity = e ; subject = f ; 72 + pk_info = g ; issuer_id = h ; 73 + subject_id = i ; extensions = j } -> 74 + let extn = if Extension.is_empty j then None else Some j in 75 + ((if a = `V1 then None else Some a), 76 + (b, (c, (d, (e, (f, (g, (h, (i, extn))))))))) 77 + in 78 + map f g @@ 79 + sequence @@ 80 + (optional ~label:"version" @@ explicit 0 version) (* default v1 *) 81 + @ (required ~label:"serialNumber" @@ serial) 82 + @ (required ~label:"signature" @@ Algorithm.identifier) 83 + @ (required ~label:"issuer" @@ Distinguished_name.Asn.name) 84 + @ (required ~label:"validity" @@ validity) 85 + @ (required ~label:"subject" @@ Distinguished_name.Asn.name) 86 + @ (required ~label:"subjectPKInfo" @@ Public_key.Asn.pk_info_der) 87 + (* if present, version is v2 or v3 *) 88 + @ (optional ~label:"issuerUID" @@ implicit 1 unique_identifier) 89 + (* if present, version is v2 or v3 *) 90 + @ (optional ~label:"subjectUID" @@ implicit 2 unique_identifier) 91 + (* v3 if present *) 92 + -@ (optional ~label:"extensions" @@ explicit 3 Extension.Asn.extensions_der) 93 + 94 + let (tbs_certificate_of_octets, tbs_certificate_to_octets) = 95 + projections_of Asn.der tBSCertificate 96 + 97 + let certificate = 98 + let f (a, b, c) = 99 + if a.signature <> b then 100 + parse_error "signatureAlgorithm != tbsCertificate.signature" 101 + else 102 + { tbs_cert = a; signature_algo = b; signature_val = c } 103 + and g { tbs_cert = a; signature_algo = b; signature_val = c } = (a, b, c) in 104 + map f g @@ 105 + sequence3 106 + (required ~label:"tbsCertificate" tBSCertificate) 107 + (required ~label:"signatureAlgorithm" Algorithm.identifier) 108 + (required ~label:"signatureValue" bit_string_octets) 109 + 110 + let (certificate_of_octets, certificate_to_octets) = 111 + projections_of Asn.der certificate 112 + 113 + let pkcs1_digest_info = 114 + let open Algorithm in 
115 + let f (algo, cs) = 116 + match to_hash algo with 117 + | Some h -> (h, cs) 118 + | None -> parse_error "pkcs1 digest info: unknown hash" 119 + and g (h, cs) = (of_hash h, cs) 120 + in 121 + map f g @@ 122 + sequence2 123 + (required ~label:"digestAlgorithm" Algorithm.identifier) 124 + (required ~label:"digest" octet_string) 125 + 126 + let (pkcs1_digest_info_of_octets, pkcs1_digest_info_to_octets) = 127 + projections_of Asn.der pkcs1_digest_info 128 + end 129 + 130 + let decode_pkcs1_digest_info cs = 131 + Asn_grammars.err_to_msg (Asn.pkcs1_digest_info_of_octets cs) 132 + 133 + let encode_pkcs1_digest_info = Asn.pkcs1_digest_info_to_octets 134 + 135 + let ( let* ) = Result.bind 136 + 137 + let decode_der cs = 138 + let* asn = Asn_grammars.err_to_msg (Asn.certificate_of_octets cs) in 139 + Ok { asn ; raw = cs } 140 + 141 + let encode_der { raw ; _ } = raw 142 + 143 + let decode_pem_multiple cs = 144 + let* data = Pem.parse cs in 145 + let certs = 146 + List.filter (fun (t, _) -> String.equal "CERTIFICATE" t) data 147 + in 148 + Pem.foldM (fun (_, cs) -> decode_der cs) certs 149 + 150 + let fold_decode_pem_multiple fn acc cs = 151 + List.fold_left 152 + (fun acc data -> 153 + let data = match data with 154 + | Ok ("CERTIFICATE", cs) -> decode_der cs 155 + | Ok (hdr, _) -> Error (`Msg ("ignore non certificate (" ^ hdr ^ ")")) 156 + | Error e -> Error e 157 + in 158 + fn acc data) 159 + acc 160 + (Pem.parse_with_errors cs) 161 + 162 + let decode_pem cs = 163 + let* certs = decode_pem_multiple cs in 164 + Pem.exactly_one ~what:"certificate" certs 165 + 166 + let encode_pem v = 167 + Pem.unparse ~tag:"CERTIFICATE" (encode_der v) 168 + 169 + let encode_pem_multiple cs = 170 + String.concat "" (List.map encode_pem cs) 171 + 172 + let pp_version ppf v = 173 + Fmt.string ppf (match v with `V1 -> "1" | `V2 -> "2" | `V3 -> "3") 174 + 175 + let pp_hash ppf hash = 176 + Fmt.string ppf (match hash with 177 + | `MD5 -> "MD5" | `SHA1 -> "SHA1" | `SHA224 -> "SHA224" 178 + | 
`SHA256 -> "SHA256" | `SHA384 -> "SHA384" | `SHA512 -> "SHA512") 179 + 180 + let pp_sigalg ppf (asym, hash) = 181 + Fmt.pf ppf "%a-%a" Key_type.pp_signature_scheme asym pp_hash hash 182 + 183 + let pp' pp_custom_extensions ppf { asn ; _ } = 184 + let tbs = asn.tbs_cert in 185 + let sigalg = Algorithm.to_signature_algorithm tbs.signature in 186 + Fmt.pf ppf "X.509 certificate@.version %a@.serial %a@.algorithm %a@.issuer %a@.valid from %a until %a@.subject %a@.extensions %a" 187 + pp_version tbs.version Ohex.pp tbs.serial 188 + Fmt.(option ~none:(any "NONE") pp_sigalg) sigalg 189 + Distinguished_name.pp tbs.issuer 190 + (Ptime.pp_human ~tz_offset_s:0 ()) (fst tbs.validity) 191 + (Ptime.pp_human ~tz_offset_s:0 ()) (snd tbs.validity) 192 + Distinguished_name.pp tbs.subject 193 + (Extension.pp' pp_custom_extensions) tbs.extensions 194 + 195 + let pp = pp' Extension.default_pp_custom_extension 196 + 197 + let fingerprint hash cert = 198 + let module Hash = (val (Digestif.module_of_hash' hash)) in 199 + Hash.(to_raw_string (digest_string cert.raw)) 200 + 201 + let issuer { asn ; _ } = asn.tbs_cert.issuer 202 + 203 + let subject { asn ; _ } = asn.tbs_cert.subject 204 + 205 + let serial { asn ; _ } = asn.tbs_cert.serial 206 + 207 + let validity { asn ; _ } = asn.tbs_cert.validity 208 + 209 + let signature_algorithm { asn ; _ } = 210 + Algorithm.to_signature_algorithm asn.signature_algo 211 + 212 + let public_key { asn = cert ; _ } = cert.tbs_cert.pk_info 213 + 214 + let supports_keytype c t = 215 + match public_key c, t with 216 + | (`RSA _), `RSA -> true 217 + | _ -> false 218 + 219 + let extensions { asn = cert ; _ } = cert.tbs_cert.extensions 220 + 221 + (* RFC 6125, 6.4.4: 222 + Therefore, if and only if the presented identifiers do not include a 223 + DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types 224 + supported by the client, then the client MAY as a last resort check 225 + for a string whose form matches that of a fully qualified DNS domain 226 
+ name in a Common Name field of the subject field (i.e., a CN-ID). If 227 + the client chooses to compare a reference identifier of type CN-ID 228 + against that string, it MUST follow the comparison rules for the DNS 229 + domain name portion of an identifier of type DNS-ID, SRV-ID, or 230 + URI-ID, as described under Section 6.4.1, Section 6.4.2, and 231 + Section 6.4.3. *) 232 + let hostnames { asn = cert ; _ } = 233 + let subj = 234 + match Distinguished_name.common_name cert.tbs_cert.subject with 235 + | None -> Host.Set.empty 236 + | Some x -> 237 + match Host.host x with 238 + | Some (wild, d) -> Host.Set.singleton (wild, d) 239 + | None -> Host.Set.empty 240 + in 241 + match Extension.hostnames cert.tbs_cert.extensions with 242 + | Some names -> names 243 + | None -> subj 244 + 245 + let supports_hostname cert name = 246 + let names = hostnames cert in 247 + let wc_name_opt = 248 + match Domain_name.drop_label name with 249 + | Error _ -> None 250 + | Ok name -> match Domain_name.host name with 251 + | Ok hostname -> Some hostname 252 + | Error _ -> None 253 + in 254 + Host.Set.mem (`Strict, name) names 255 + || (match wc_name_opt with 256 + | None -> false 257 + | Some wc_name -> Host.Set.mem (`Wildcard, wc_name) names) 258 + 259 + let ips { asn = cert ; _ } = 260 + match Extension.ips cert.tbs_cert.extensions with 261 + | None -> Ipaddr.Set.empty 262 + | Some ips -> ips 263 + 264 + let supports_ip cert ip = Ipaddr.Set.mem ip (ips cert)
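Review bot: In `tBSCertificate`, the comments on `issuerUID`, `subjectUID` and `extensions` state the version each one requires, but `f` builds the record without checking it, so a certificate with no version field (defaulted to V1) and an extensions block decodes successfully. If that constraint is enforced later in validation, say so in the comments; otherwise reject the mismatch in `f` with `parse_error`. Separately, `supports_keytype` returns `false` for every key that is not RSA, which deserves either a doc comment or arms for the other key types.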
+251
vendor/opam/x509/lib/crl.ml
··· 1 + type revoked_cert = { 2 + serial : string ; 3 + date : Ptime.t ; 4 + extensions : Extension.t 5 + } 6 + 7 + type tBS_CRL = { 8 + version : [ `V1 | `V2 ] ; 9 + signature : Algorithm.t ; 10 + issuer : Distinguished_name.t ; 11 + this_update : Ptime.t ; 12 + next_update : Ptime.t option ; 13 + revoked_certs : revoked_cert list ; 14 + extensions : Extension.t 15 + } 16 + 17 + type crl = { 18 + tbs_crl : tBS_CRL ; 19 + signature_algo : Algorithm.t ; 20 + signature_val : string 21 + } 22 + 23 + module Asn = struct 24 + open Asn.S 25 + open Asn_grammars 26 + 27 + let revokedCertificate = 28 + let f (serial, date, e) = 29 + let extensions = match e with None -> Extension.empty | Some xs -> xs in 30 + { serial ; date ; extensions } 31 + and g { serial ; date ; extensions } = 32 + let e = if Extension.is_empty extensions then None else Some extensions in 33 + (serial, date, e) 34 + in 35 + map f g @@ 36 + sequence3 37 + (required ~label:"userCertificate" @@ serial) 38 + (required ~label:"revocationDate" @@ Certificate.Asn.time) 39 + (optional ~label:"crlEntryExtensions" @@ Extension.Asn.extensions_der) 40 + 41 + let version = 42 + map 43 + (function 0 -> `V1 | 1 -> `V2 | _ -> parse_error "unknown version") 44 + (function `V2 -> 1 | `V1 -> 0) 45 + int 46 + 47 + let tBSCertList = 48 + let f (a, (b, (c, (d, (e, (f, g)))))) = 49 + { version = Option.value ~default:`V1 a ; signature = b ; issuer = c ; 50 + this_update = d ; next_update = e ; 51 + revoked_certs = (match f with None -> [] | Some xs -> xs) ; 52 + extensions = (match g with None -> Extension.empty | Some xs -> xs) } 53 + and g { version = a ; signature = b ; issuer = c ; 54 + this_update = d ; next_update = e ; revoked_certs = f ; 55 + extensions = g } = 56 + let f = match f with [] -> None | xs -> Some xs 57 + and g = if Extension.is_empty g then None else Some g 58 + in 59 + ((if a = `V1 then None else Some a), (b, (c, (d, (e, (f, g)))))) 60 + in 61 + map f g @@ 62 + sequence @@ 63 + (optional 
~label:"version" @@ version) 64 + @ (required ~label:"signature" @@ Algorithm.identifier) 65 + @ (required ~label:"issuer" @@ Distinguished_name.Asn.name) 66 + @ (required ~label:"thisUpdate" @@ Certificate.Asn.time) 67 + @ (optional ~label:"nextUpdate" @@ Certificate.Asn.time) 68 + @ (optional ~label:"revokedCertificates" @@ sequence_of revokedCertificate) 69 + -@ (optional ~label:"crlExtensions" @@ explicit 0 Extension.Asn.extensions_der) 70 + 71 + let certificateList = 72 + let f (cl, sa, sv) = 73 + if cl.signature <> sa then 74 + parse_error "signatureAlgorithm != tbsCertList.signature" 75 + else 76 + { tbs_crl = cl ; signature_algo = sa ; signature_val = sv } 77 + and g { tbs_crl ; signature_algo ; signature_val } = 78 + (tbs_crl, signature_algo, signature_val) 79 + in 80 + map f g @@ 81 + sequence3 82 + (required ~label:"tbsCertList" @@ tBSCertList) 83 + (required ~label:"signatureAlgorithm" @@ Algorithm.identifier) 84 + (required ~label:"signatureValue" @@ bit_string_octets) 85 + 86 + let (crl_of_octets, crl_to_octets) = 87 + projections_of Asn.der certificateList 88 + 89 + let (tbs_CRL_of_octets, tbs_CRL_to_octets) = 90 + projections_of Asn.der tBSCertList 91 + end 92 + 93 + type t = { 94 + raw : string ; 95 + asn : crl ; 96 + } 97 + 98 + let guard p e = if p then Ok () else Error e 99 + 100 + let ( let* ) = Result.bind 101 + 102 + let decode_der raw = 103 + let* asn = Asn_grammars.err_to_msg (Asn.crl_of_octets raw) in 104 + Ok { raw ; asn } 105 + 106 + let encode_der { raw ; _ } = raw 107 + 108 + let issuer { asn ; _ } = asn.tbs_crl.issuer 109 + 110 + let this_update { asn ; _ } = asn.tbs_crl.this_update 111 + 112 + let next_update { asn ; _ } = asn.tbs_crl.next_update 113 + 114 + let extensions { asn ; _ } = asn.tbs_crl.extensions 115 + 116 + let revoked_certificates { asn ; _ } = asn.tbs_crl.revoked_certs 117 + 118 + let crl_number { asn ; _ } = 119 + match Extension.(find CRL_number asn.tbs_crl.extensions) with 120 + | None -> None 121 + | Some (_, x) 
-> Some x 122 + 123 + let signature_algorithm { asn ; _ } = 124 + Algorithm.to_signature_algorithm asn.signature_algo 125 + 126 + let validate { raw ; asn } ?(allowed_hashes = Validation.sha2) pub = 127 + let tbs_raw = Validation.raw_cert_hack raw in 128 + Validation.validate_raw_signature asn.tbs_crl.issuer allowed_hashes 129 + tbs_raw asn.signature_algo asn.signature_val pub 130 + 131 + type verification_error = [ 132 + | Validation.signature_error 133 + | `Issuer_subject_mismatch of Distinguished_name.t * Distinguished_name.t 134 + | `Not_yet_valid of Distinguished_name.t * Ptime.t * Ptime.t 135 + | `Next_update_scheduled of Distinguished_name.t * Ptime.t * Ptime.t 136 + ] 137 + 138 + let pp_verification_error ppf = function 139 + | #Validation.signature_error as e -> Validation.pp_signature_error ppf e 140 + | `Issuer_subject_mismatch (issuer, subj) -> 141 + Fmt.pf ppf "issuer %a does not match subject %a" 142 + Distinguished_name.pp issuer Distinguished_name.pp subj 143 + | `Not_yet_valid (issuer, now, created) -> 144 + Fmt.pf ppf "CRL %a not yet valid, valid from %a, now %a" 145 + Distinguished_name.pp issuer 146 + (Ptime.pp_human ~tz_offset_s:0 ()) created 147 + (Ptime.pp_human ~tz_offset_s:0 ()) now 148 + | `Next_update_scheduled (issuer, now, scheduled) -> 149 + Fmt.pf ppf "CRL %a next update already scheduled at %a, now %a" 150 + Distinguished_name.pp issuer 151 + (Ptime.pp_human ~tz_offset_s:0 ()) scheduled 152 + (Ptime.pp_human ~tz_offset_s:0 ()) now 153 + 154 + let verify ({ asn ; _ } as crl) ?allowed_hashes ?time cert = 155 + let subj = Certificate.subject cert in 156 + let* () = 157 + guard 158 + (Distinguished_name.equal asn.tbs_crl.issuer subj) 159 + (`Issuer_subject_mismatch (asn.tbs_crl.issuer, subj)) 160 + in 161 + let* () = 162 + match time with 163 + | None -> Ok () 164 + | Some x -> 165 + let* () = 166 + guard (Ptime.is_later ~than:asn.tbs_crl.this_update x) 167 + (`Not_yet_valid (subj, x, asn.tbs_crl.this_update)) 168 + in 169 + match 
asn.tbs_crl.next_update with 170 + | None -> Ok () 171 + | Some y -> guard (Ptime.is_earlier ~than:y x) 172 + (`Next_update_scheduled (subj, x, y)) 173 + in 174 + validate ?allowed_hashes crl (Certificate.public_key cert) 175 + 176 + let reason (revoked : revoked_cert) = 177 + match Extension.(find Reason revoked.extensions) with 178 + | Some (_, x) -> Some x 179 + | None -> None 180 + 181 + let is_revoked ?allowed_hashes ~issuer:super ~cert (crls : t list) = 182 + List.exists (fun crl -> 183 + if 184 + Distinguished_name.equal (Certificate.subject super) (issuer crl) 185 + then 186 + match validate ?allowed_hashes crl (Certificate.public_key super) with 187 + | Ok () -> 188 + begin try 189 + let entry = List.find 190 + (fun r -> String.equal (Certificate.serial cert) r.serial) 191 + (revoked_certificates crl) 192 + in 193 + match reason entry with 194 + | None -> true 195 + | Some `Remove_from_CRL -> false 196 + | Some _ -> true 197 + with Not_found -> false 198 + end 199 + | Error _ -> false 200 + else 201 + false) 202 + crls 203 + 204 + let sign_tbs (tbs : tBS_CRL) key = 205 + let tbs_raw = Asn.tbs_CRL_to_octets tbs in 206 + match Algorithm.to_signature_algorithm tbs.signature with 207 + | None -> Error (`Msg "couldn't parse signature algorithm") 208 + | Some (_, hash) -> 209 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 210 + let* signature_val = Private_key.sign hash ~scheme key (`Message tbs_raw) in 211 + let asn = { tbs_crl = tbs ; signature_algo = tbs.signature ; signature_val } in 212 + let raw = Asn.crl_to_octets asn in 213 + Ok { asn ; raw } 214 + 215 + let revoke 216 + ?digest 217 + ~issuer 218 + ~this_update ?next_update 219 + ?(extensions = Extension.empty) 220 + revoked_certs 221 + key = 222 + let digest = Signing_request.default_digest digest key in 223 + let signature = 224 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 225 + Algorithm.of_signature_algorithm scheme digest 226 + in 227 + let 
tbs_crl = { 228 + version = `V2 ; 229 + signature ; 230 + issuer ; 231 + this_update ; next_update ; 232 + revoked_certs ; 233 + extensions 234 + } 235 + in 236 + sign_tbs tbs_crl key 237 + 238 + let revoke_certificates (revoked : revoked_cert list) ~this_update ?next_update ({ asn ; _ } as crl) key = 239 + let tbs = asn.tbs_crl in 240 + let count = match crl_number crl with None -> 0 | Some x -> succ x in 241 + let extensions = Extension.(add CRL_number (false, count) tbs.extensions) in 242 + let tbs = { 243 + tbs with revoked_certs = tbs.revoked_certs @ revoked ; 244 + this_update ; next_update ; 245 + extensions 246 + } 247 + in 248 + sign_tbs tbs key 249 + 250 + let revoke_certificate revoked ~this_update ?next_update crl key = 251 + revoke_certificates [revoked] ~this_update ?next_update crl key
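Review bot: `is_revoked` checks each CRL with `validate`, not `verify`, and takes no `time` argument, so inside this function the `this_update` / `next_update` window is never consulted and a CRL past its `next_update` is used like a current one. Consider threading `?time` through and calling `verify`, and document that a CRL failing the signature check (`| Error _ -> false`) counts as "not revoked". In `sign_tbs`, the scheme from `tbs.signature` is discarded (`Some (_, hash)`) and replaced by the key's default scheme while `signature_algo` is still set to `tbs.signature`; `revoke_certificates` reuses the old CRL's `tbs.signature`, so signing with a key of a different type would produce a CRL whose declared algorithm does not match its signature. A guard comparing the two schemes would catch that.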
+255
vendor/opam/x509/lib/distinguished_name.ml
··· 1 + type attribute = 2 + | CN of string 3 + | Serialnumber of string 4 + | C of string 5 + | L of string 6 + | ST of string 7 + | O of string 8 + | OU of string 9 + | T of string 10 + | DNQ of string 11 + | Mail of string 12 + | DC of string 13 + | Given_name of string 14 + | Surname of string 15 + | Initials of string 16 + | Pseudonym of string 17 + | Generation of string 18 + | Street of string 19 + | Userid of string 20 + | Other of Asn.oid * string 21 + 22 + (* Escaping is described in RFC4514. Escaing '=' is optional, otherwise the 23 + * following is minimal, using the character instead of hex where possible. *) 24 + let pp_attribute_value ?(osf = false) () ppf s = 25 + let n = String.length s in 26 + for i = 0 to n - 1 do 27 + match s.[i] with 28 + | '#' when i = 0 -> Fmt.string ppf "\\#" 29 + | ' ' when i = 0 || i = n - 1 -> Fmt.string ppf "\\ " 30 + | ',' when not osf -> Fmt.string ppf "\\," 31 + | ';' when not osf -> Fmt.string ppf "\\;" 32 + | '/' when osf -> Fmt.string ppf "\\/" 33 + | '"' | '+' | '<' | '=' | '>' | '\\' as c -> Fmt.pf ppf "\\%c" c 34 + | '\x00' -> Fmt.string ppf "\\00" 35 + | c -> Fmt.char ppf c 36 + done 37 + 38 + let pp_string_hex ppf s = 39 + for i = 0 to String.length s - 1 do 40 + Fmt.pf ppf "%02x" (Char.code s.[i]) 41 + done 42 + 43 + let pp_attribute ?osf ?(ava_equal = Fmt.any "=") () ppf attr = 44 + let aux a v = 45 + Fmt.pf ppf "%s%a%a" a ava_equal () (pp_attribute_value ?osf ()) v in 46 + match attr with 47 + | CN s -> aux "CN" s 48 + | Serialnumber s -> aux "Serialnumber" s 49 + | C s -> aux "C" s 50 + | L s -> aux "L" s 51 + | ST s -> aux "ST" s 52 + | O s -> aux "O" s 53 + | OU s -> aux "OU" s 54 + | T s -> aux "T" s 55 + | DNQ s -> aux "DNQ" s 56 + | Mail s -> aux "Mail" s 57 + | DC s -> aux "DC" s 58 + | Given_name s -> aux "Given_name" s 59 + | Surname s -> aux "Surname" s 60 + | Initials s -> aux "Initials" s 61 + | Pseudonym s -> aux "Pseudonym" s 62 + | Generation s -> aux "Generation" s 63 + | Street s -> aux 
"Street" s 64 + | Userid s -> aux "UID" s 65 + | Other (oid, s) -> 66 + Fmt.pf ppf "%a%a#%a" Asn.OID.pp oid ava_equal () pp_string_hex s 67 + 68 + module K = struct 69 + type t = attribute 70 + 71 + let compare t t' = 72 + match t, t' with 73 + | CN a, CN b -> String.compare a b 74 + | CN _, _ -> -1 | _, CN _ -> 1 75 + | Serialnumber a, Serialnumber b -> String.compare a b 76 + | Serialnumber _, _ -> -1 | _, Serialnumber _ -> 1 77 + | C a, C b -> String.compare a b 78 + | C _, _ -> -1 | _, C _ -> 1 79 + | L a, L b -> String.compare a b 80 + | L _, _ -> -1 | _, L _ -> 1 81 + | ST a, ST b -> String.compare a b 82 + | ST _, _ -> -1 | _, ST _ -> 1 83 + | O a, O b -> String.compare a b 84 + | O _, _ -> -1 | _, O _ -> 1 85 + | OU a, OU b -> String.compare a b 86 + | OU _, _ -> -1 | _, OU _ -> 1 87 + | T a, T b -> String.compare a b 88 + | T _, _ -> -1 | _, T _ -> 1 89 + | DNQ a, DNQ b -> String.compare a b 90 + | DNQ _, _ -> -1 | _, DNQ _ -> 1 91 + | Mail a, Mail b -> String.compare a b 92 + | Mail _, _ -> -1 | _, Mail _ -> 1 93 + | DC a, DC b -> String.compare a b 94 + | DC _, _ -> -1 | _, DC _ -> 1 95 + | Given_name a, Given_name b -> String.compare a b 96 + | Given_name _, _ -> -1 | _, Given_name _ -> 1 97 + | Surname a, Surname b -> String.compare a b 98 + | Surname _, _ -> -1 | _, Surname _ -> 1 99 + | Initials a, Initials b -> String.compare a b 100 + | Initials _, _ -> -1 | _, Initials _ -> 1 101 + | Pseudonym a, Pseudonym b -> String.compare a b 102 + | Pseudonym _, _ -> -1 | _, Pseudonym _ -> 1 103 + | Generation a, Generation b -> String.compare a b 104 + | Generation _, _ -> -1 | _, Generation _ -> 1 105 + | Street a, Street b -> String.compare a b 106 + | Street _, _ -> -1 | _, Street _ -> 1 107 + | Userid a, Userid b -> String.compare a b 108 + | Userid _, _ -> -1 | _, Userid _ -> 1 109 + | Other (oid_a, v_a), Other (oid_b, v_b) -> 110 + match Asn.OID.compare oid_a oid_b with 111 + | 0 -> String.compare v_a v_b 112 + | x when x < 0 -> -1 113 + | _ -> 1 114 + 
end 115 + 116 + module Relative_distinguished_name = Set.Make(K) 117 + 118 + (* TODO: 119 + - each RDN should be a non-empty set 120 + - nothing prevents a user from putting Other (base 2 5 <| 4 <| 3, "foo") 121 + and Common_name "foo" into the same RDN -- which are identical (i.e. Other 122 + should filter the other named constructors) *) 123 + type t = Relative_distinguished_name.t list 124 + 125 + let equal a b = 126 + List.length a = List.length b && 127 + List.for_all2 Relative_distinguished_name.equal a b 128 + 129 + let make_pp_rdn ?osf ?(spacing = `Tight) () = 130 + let ava_sep, ava_equal = 131 + match spacing with 132 + | `Tight -> Fmt.(any "+" ++ cut, any "=") 133 + | `Medium -> Fmt.(any " +" ++ sp, any "=") 134 + | `Loose -> Fmt.(any " +" ++ sp, any " = ") 135 + in 136 + let pp_ava = pp_attribute ?osf ~ava_equal () in 137 + Fmt.(using Relative_distinguished_name.elements @@ list ~sep:ava_sep pp_ava) 138 + 139 + let make_pp ~format ?spacing () = 140 + match format, spacing with 141 + | `RFC4514, (None | Some `Tight) -> 142 + Fmt.(using List.rev @@ list ~sep:(any "," ++ cut) (make_pp_rdn ())) 143 + | `RFC4514, Some (`Medium | `Loose as spacing) -> 144 + Fmt.(using List.rev @@ list ~sep:comma (make_pp_rdn ~spacing ())) 145 + | `OpenSSL, (None | Some `Loose) -> 146 + Fmt.(list ~sep:comma (make_pp_rdn ~spacing:`Loose ())) 147 + | `OpenSSL, Some (`Tight | `Medium as spacing) -> 148 + Fmt.(list ~sep:(any "," ++ cut) (make_pp_rdn ~spacing ())) 149 + | `OSF, _ -> 150 + Fmt.(any "/" ++ list ~sep:(any "/") (make_pp_rdn ~osf:true ())) 151 + 152 + let pp = Fmt.hbox (make_pp ~format:`OSF ()) 153 + 154 + let common_name t = 155 + let is_cn = function CN _ -> true | _ -> false 156 + in 157 + List.fold_left (fun acc dn -> 158 + match Relative_distinguished_name.find_first_opt is_cn dn with 159 + | Some CN x -> Some x | _ -> acc) 160 + None t 161 + 162 + module Asn = struct 163 + open Asn.S 164 + open Asn_grammars 165 + 166 + (* ASN `Name' fragmet appears all over. 
*) 167 + 168 + (* rfc5280 section 4.1.2.4 - name components we "must" handle. *) 169 + (* A list of abbreviations: http://pic.dhe.ibm.com/infocenter/wmqv7/v7r1/index.jsp?topic=%2Fcom.ibm.mq.doc%2Fsy10570_.htm *) 170 + (* Also rfc4519. *) 171 + 172 + (* See rfc5280 section 4.1.2.4. *) 173 + let directory_name = 174 + choice6 175 + utf8_string printable_string 176 + ia5_string universal_string teletex_string bmp_string 177 + 178 + (* We flatten the sequence-of-set-of-tuple here into a single list. 179 + * This means that we can't write non-singleton sets back. 180 + * Does anyone need that, ever? 181 + *) 182 + 183 + let name = 184 + let open Registry in 185 + let of_c = function 186 + | `C1 x | `C2 x | `C3 x | `C4 x | `C5 x | `C6 x -> x in 187 + 188 + let a_f = case_of_oid_f [ 189 + (domain_component , fun x -> DC (of_c x)) ; 190 + (X520.common_name , fun x -> CN (of_c x)) ; 191 + (X520.serial_number , fun x -> Serialnumber (of_c x)) ; 192 + (X520.country_name , fun x -> C (of_c x)) ; 193 + (X520.locality_name , fun x -> L (of_c x)) ; 194 + (X520.state_or_province_name , fun x -> ST (of_c x)) ; 195 + (X520.organization_name , fun x -> O (of_c x)) ; 196 + (X520.organizational_unit_name , fun x -> OU (of_c x)) ; 197 + (X520.title , fun x -> T (of_c x)) ; 198 + (X520.dn_qualifier , fun x -> DNQ (of_c x)) ; 199 + (PKCS9.email , fun x -> Mail (of_c x)) ; 200 + (X520.given_name , fun x -> Given_name (of_c x)) ; 201 + (X520.surname , fun x -> Surname (of_c x)) ; 202 + (X520.initials , fun x -> Initials (of_c x)) ; 203 + (X520.pseudonym , fun x -> Pseudonym (of_c x)) ; 204 + (X520.generation_qualifier , fun x -> Generation (of_c x)) ; 205 + (X520.street_address , fun x -> Street (of_c x)) ; 206 + (userid , fun x -> Userid (of_c x))] 207 + ~default:(fun oid x -> Other (oid, of_c x)) 208 + 209 + and a_g = function 210 + | DC x -> (domain_component, `C3 x ) 211 + | CN x -> (X520.common_name, `C1 x ) 212 + | Serialnumber x -> (X520.serial_number, `C2 x ) 213 + | C x -> 
(X520.country_name, `C2 x ) 214 + | L x -> (X520.locality_name, `C1 x ) 215 + | ST x -> (X520.state_or_province_name, `C1 x ) 216 + | O x -> (X520.organization_name, `C1 x ) 217 + | OU x -> (X520.organizational_unit_name, `C1 x ) 218 + | T x -> (X520.title, `C1 x ) 219 + | DNQ x -> (X520.dn_qualifier, `C2 x ) 220 + | Mail x -> (PKCS9.email, `C3 x ) 221 + | Given_name x -> (X520.given_name, `C1 x ) 222 + | Surname x -> (X520.surname, `C1 x ) 223 + | Initials x -> (X520.initials, `C1 x ) 224 + | Pseudonym x -> (X520.pseudonym, `C1 x ) 225 + | Generation x -> (X520.generation_qualifier, `C1 x ) 226 + | Street x -> (X520.street_address, `C1 x ) 227 + | Userid x -> (userid, `C1 x ) 228 + | Other (oid, x) -> (oid, `C1 x ) 229 + in 230 + 231 + let attribute_tv = 232 + map a_f a_g @@ 233 + sequence2 234 + (required ~label:"attr type" oid) 235 + (* This is ANY according to rfc5280. *) 236 + (required ~label:"attr value" directory_name) 237 + in 238 + let rd_name = 239 + let f exts = 240 + List.fold_left 241 + (fun set attr -> Relative_distinguished_name.add attr set) 242 + Relative_distinguished_name.empty exts 243 + and g map = Relative_distinguished_name.elements map 244 + in 245 + map f g @@ set_of attribute_tv 246 + in 247 + sequence_of rd_name (* A vacuous choice, in the standard. *) 248 + 249 + let (name_of_octets, name_to_octets) = 250 + projections_of Asn.der name 251 + end 252 + 253 + let decode_der cs = Asn_grammars.err_to_msg (Asn.name_of_octets cs) 254 + 255 + let encode_der = Asn.name_to_octets
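Review bot: in `Asn.name`, `rd_name` folds the result of `set_of attribute_tv` into a `Relative_distinguished_name.t` without checking for an empty set, so a Name containing an empty RDN decodes successfully even though the TODO above `type t` already states that each RDN should be non-empty. Suggest failing in `f` when `exts = []` (for example with `parse_error`, which `open Asn.S` brings into scope the same way it does in extension.ml), and turning that TODO item into a test. A second point worth documenting on `decode_der` / `encode_der`: `of_c` discards which of the six `directory_name` string types was on the wire and `a_g` always picks one fixed type per attribute, so decoding and re-encoding a name does not necessarily reproduce the original bytes; callers that compare or hash encoded names should know that.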
+10
vendor/opam/x509/lib/dune
··· 1 + (library 2 + (name x509) 3 + (public_name x509) 4 + (private_modules asn_grammars registry authenticator certificate validation 5 + public_key private_key crl distinguished_name algorithm 6 + extension pem signing_request general_name host rc2 p12 7 + key_type) 8 + (libraries asn1-combinators fmt ptime mirage-crypto mirage-crypto-pk 9 + gmap domain-name base64 logs mirage-crypto-ec kdf.pbkdf 10 + mirage-crypto-rng ipaddr ohex))
+695
vendor/opam/x509/lib/extension.ml
··· 1 + 2 + type key_usage = [ 3 + | `Digital_signature 4 + | `Content_commitment 5 + | `Key_encipherment 6 + | `Data_encipherment 7 + | `Key_agreement 8 + | `Key_cert_sign 9 + | `CRL_sign 10 + | `Encipher_only 11 + | `Decipher_only 12 + ] 13 + 14 + let pp_key_usage ppf ku = 15 + Fmt.string ppf 16 + (match ku with 17 + | `Digital_signature -> "digital signature" 18 + | `Content_commitment -> "content commitment" 19 + | `Key_encipherment -> "key encipherment" 20 + | `Data_encipherment -> "data encipherment" 21 + | `Key_agreement -> "key agreement" 22 + | `Key_cert_sign -> "key cert sign" 23 + | `CRL_sign -> "CRL sign" 24 + | `Encipher_only -> "encipher only" 25 + | `Decipher_only -> "decipher only") 26 + 27 + type extended_key_usage = [ 28 + | `Any 29 + | `Server_auth 30 + | `Client_auth 31 + | `Code_signing 32 + | `Email_protection 33 + | `Ipsec_end 34 + | `Ipsec_tunnel 35 + | `Ipsec_user 36 + | `Time_stamping 37 + | `Ocsp_signing 38 + | `Other of Asn.oid 39 + ] 40 + 41 + let pp_extended_key_usage ppf = function 42 + | `Any -> Fmt.string ppf "any" 43 + | `Server_auth -> Fmt.string ppf "server authentication" 44 + | `Client_auth -> Fmt.string ppf "client authentication" 45 + | `Code_signing -> Fmt.string ppf "code signing" 46 + | `Email_protection -> Fmt.string ppf "email protection" 47 + | `Ipsec_end -> Fmt.string ppf "ipsec end" 48 + | `Ipsec_tunnel -> Fmt.string ppf "ipsec tunnel" 49 + | `Ipsec_user -> Fmt.string ppf "ipsec user" 50 + | `Time_stamping -> Fmt.string ppf "time stamping" 51 + | `Ocsp_signing -> Fmt.string ppf "ocsp signing" 52 + | `Other oid -> Asn.OID.pp ppf oid 53 + 54 + type authority_key_id = string option * General_name.t * string option 55 + 56 + let pp_authority_key_id ppf (id, issuer, serial) = 57 + Fmt.pf ppf "identifier %a@ issuer %a@ serial %a@ " 58 + Fmt.(option ~none:(any "none") Ohex.pp) id 59 + General_name.pp issuer 60 + Fmt.(option ~none:(any "none") Ohex.pp) serial 61 + 62 + type priv_key_usage_period = [ 63 + | `Interval of 
Ptime.t * Ptime.t 64 + | `Not_after of Ptime.t 65 + | `Not_before of Ptime.t 66 + ] 67 + 68 + let pp_priv_key_usage_period ppf = 69 + let pp_ptime = Ptime.pp_human ~tz_offset_s:0 () in 70 + function 71 + | `Interval (start, stop) -> 72 + Fmt.pf ppf "from %a till %a" pp_ptime start pp_ptime stop 73 + | `Not_after after -> Fmt.pf ppf "not after %a" pp_ptime after 74 + | `Not_before before -> Fmt.pf ppf "not before %a" pp_ptime before 75 + 76 + type name_constraint = (General_name.b * int * int option) list 77 + 78 + let pp_name_constraints ppf (permitted, excluded) = 79 + let pp_one ppf (General_name.B (k, base), min, max) = 80 + Fmt.pf ppf "base %a min %u max %a" 81 + (General_name.pp_k k) base min Fmt.(option ~none:(any "none") int) max 82 + in 83 + Fmt.pf ppf "permitted %a@ excluded %a" 84 + Fmt.(list ~sep:(any ", ") pp_one) permitted 85 + Fmt.(list ~sep:(any ", ") pp_one) excluded 86 + 87 + type policy = [ `Any | `Something of Asn.oid ] 88 + 89 + let pp_policy ppf = function 90 + | `Any -> Fmt.string ppf "any" 91 + | `Something oid -> Fmt.pf ppf "some oid %a" Asn.OID.pp oid 92 + 93 + type reason = [ 94 + | `Unspecified 95 + | `Key_compromise 96 + | `CA_compromise 97 + | `Affiliation_changed 98 + | `Superseded 99 + | `Cessation_of_operation 100 + | `Certificate_hold 101 + | `Remove_from_CRL 102 + | `Privilege_withdrawn 103 + | `AA_compromise 104 + ] 105 + 106 + let reason_to_int = function 107 + | `Unspecified -> 0 108 + | `Key_compromise -> 1 109 + | `CA_compromise -> 2 110 + | `Affiliation_changed -> 3 111 + | `Superseded -> 4 112 + | `Cessation_of_operation -> 5 113 + | `Certificate_hold -> 6 114 + (* 7 is not used *) 115 + | `Remove_from_CRL -> 8 116 + | `Privilege_withdrawn -> 9 117 + | `AA_compromise -> 10 118 + 119 + let reason_of_int = function 120 + | 0 -> `Unspecified 121 + | 1 -> `Key_compromise 122 + | 2 -> `CA_compromise 123 + | 3 -> `Affiliation_changed 124 + | 4 -> `Superseded 125 + | 5 -> `Cessation_of_operation 126 + | 6 -> `Certificate_hold 127 + 
(* 7 is not used *) 128 + | 8 -> `Remove_from_CRL 129 + | 9 -> `Privilege_withdrawn 130 + | 10 -> `AA_compromise 131 + | x -> Asn.S.parse_error "Unknown reason %d" x 132 + 133 + let pp_reason ppf r = 134 + Fmt.string ppf (match r with 135 + | `Unspecified -> "unspecified" 136 + | `Key_compromise -> "key compromise" 137 + | `CA_compromise -> "CA compromise" 138 + | `Affiliation_changed -> "affiliation changed" 139 + | `Superseded -> "superseded" 140 + | `Cessation_of_operation -> "cessation of operation" 141 + | `Certificate_hold -> "certificate hold" 142 + | `Remove_from_CRL -> "remove from CRL" 143 + | `Privilege_withdrawn -> "privilege withdrawn" 144 + | `AA_compromise -> "AA compromise") 145 + 146 + type distribution_point_name = 147 + [ `Full of General_name.t 148 + | `Relative of Distinguished_name.t ] 149 + 150 + let pp_distribution_point_name ppf = function 151 + | `Full name -> Fmt.pf ppf "full %a" General_name.pp name 152 + | `Relative name -> Fmt.pf ppf "relative %a" Distinguished_name.pp name 153 + 154 + type distribution_point = 155 + distribution_point_name option * 156 + reason list option * 157 + General_name.t option 158 + 159 + let pp_distribution_point ppf (name, reasons, issuer) = 160 + Fmt.pf ppf "name %a reason %a issuer %a" 161 + Fmt.(option ~none:(any "none") pp_distribution_point_name) name 162 + Fmt.(option ~none:(any "none") (list ~sep:(any ", ") pp_reason)) reasons 163 + Fmt.(option ~none:(any "none") General_name.pp) issuer 164 + 165 + let pp_issuing_distribution_point ppf (name, onlyuser, onlyca, onlysome, indirectcrl, onlyattributes) = 166 + Fmt.pf ppf "name %a only user certs %B only CA certs %B only reasons %a indirectcrl %B only attribute certs %B" 167 + Fmt.(option ~none:(any "none") pp_distribution_point_name) name 168 + onlyuser onlyca 169 + Fmt.(option ~none:(any "no") (list ~sep:(any ", ") pp_reason)) onlysome 170 + indirectcrl onlyattributes 171 + 172 + type 'a extension = bool * 'a 173 + 174 + type _ k = 175 + | Unsupported : 
Asn.oid -> string extension k 176 + | Subject_alt_name : General_name.t extension k 177 + | Authority_key_id : authority_key_id extension k 178 + | Subject_key_id : string extension k 179 + | Issuer_alt_name : General_name.t extension k 180 + | Key_usage : key_usage list extension k 181 + | Ext_key_usage : extended_key_usage list extension k 182 + | Basic_constraints : (bool * int option) extension k 183 + | CRL_number : int extension k 184 + | Delta_CRL_indicator : int extension k 185 + | Priv_key_period : priv_key_usage_period extension k 186 + | Name_constraints : (name_constraint * name_constraint) extension k 187 + | CRL_distribution_points : distribution_point list extension k 188 + | Issuing_distribution_point : (distribution_point_name option * bool * bool * reason list option * bool * bool) extension k 189 + | Freshest_CRL : distribution_point list extension k 190 + | Reason : reason extension k 191 + | Invalidity_date : Ptime.t extension k 192 + | Certificate_issuer : General_name.t extension k 193 + | Policies : policy list extension k 194 + 195 + let pp_one' : type a. 
(Format.formatter -> Asn.oid * string -> unit) -> a k -> Format.formatter -> a -> unit = fun custom k ppf v -> 196 + let c_to_str b = if b then "critical " else "" in 197 + match k, v with 198 + | Subject_alt_name, (crit, alt) -> 199 + Fmt.pf ppf "%ssubjectAlternativeName %a" (c_to_str crit) 200 + General_name.pp alt 201 + | Authority_key_id, (crit, kid) -> 202 + Fmt.pf ppf "%sauthorityKeyIdentifier %a" (c_to_str crit) 203 + pp_authority_key_id kid 204 + | Subject_key_id, (crit, kid) -> 205 + Fmt.pf ppf "%ssubjectKeyIdentifier %a" (c_to_str crit) 206 + Ohex.pp kid 207 + | Issuer_alt_name, (crit, alt) -> 208 + Fmt.pf ppf "%sissuerAlternativeNames %a" (c_to_str crit) 209 + General_name.pp alt 210 + | Key_usage, (crit, ku) -> 211 + Fmt.pf ppf "%skeyUsage %a" (c_to_str crit) 212 + Fmt.(list ~sep:(any ", ") pp_key_usage) ku 213 + | Ext_key_usage, (crit, eku) -> 214 + Fmt.pf ppf "%sextendedKeyUsage %a" (c_to_str crit) 215 + Fmt.(list ~sep:(any ", ") pp_extended_key_usage) eku 216 + | Basic_constraints, (crit, (ca, depth)) -> 217 + Fmt.pf ppf "%sbasicConstraints CA %B depth %a" (c_to_str crit) ca 218 + Fmt.(option ~none:(any "none") int) depth 219 + | CRL_number, (crit, i) -> 220 + Fmt.pf ppf "%scRLNumber %u" (c_to_str crit) i 221 + | Delta_CRL_indicator, (crit, indicator) -> 222 + Fmt.pf ppf "%sdeltaCRLIndicator %u" (c_to_str crit) indicator 223 + | Priv_key_period, (crit, period) -> 224 + Fmt.pf ppf "%sprivateKeyUsagePeriod %a" (c_to_str crit) 225 + pp_priv_key_usage_period period 226 + | Name_constraints, (crit, ncs) -> 227 + Fmt.pf ppf "%snameConstraints %a" (c_to_str crit) pp_name_constraints ncs 228 + | CRL_distribution_points, (crit, points) -> 229 + Fmt.pf ppf "%scRLDistributionPoints %a" (c_to_str crit) 230 + Fmt.(list ~sep:(any "; ") pp_distribution_point) points 231 + | Issuing_distribution_point, (crit, point) -> 232 + Fmt.pf ppf "%sissuingDistributionPoint %a" (c_to_str crit) 233 + pp_issuing_distribution_point point 234 + | Freshest_CRL, (crit, points) -> 
235 + Fmt.pf ppf "%sfreshestCRL %a" (c_to_str crit) 236 + Fmt.(list ~sep:(any "; ") pp_distribution_point) points 237 + | Reason, (crit, reason) -> 238 + Fmt.pf ppf "%sreason %a" (c_to_str crit) pp_reason reason 239 + | Invalidity_date, (crit, date) -> 240 + Fmt.pf ppf "%sinvalidityDate %a" (c_to_str crit) 241 + (Ptime.pp_human ~tz_offset_s:0 ()) date 242 + | Certificate_issuer, (crit, name) -> 243 + Fmt.pf ppf "%scertificateIssuer %a" (c_to_str crit) General_name.pp name 244 + | Policies, (crit, pols) -> 245 + Fmt.pf ppf "%spolicies %a" (c_to_str crit) 246 + Fmt.(list ~sep:(any "; ") pp_policy) pols 247 + | Unsupported oid, (crit, str) -> 248 + Fmt.pf ppf "%s%a" (c_to_str crit) custom (oid, str) 249 + 250 + let default_pp_custom_extension ppf (oid, str) = 251 + Fmt.pf ppf "unsupported %a: %a" Asn.OID.pp oid Ohex.pp str 252 + 253 + let pp_one k fmt = 254 + pp_one' default_pp_custom_extension k fmt 255 + 256 + module ID = Registry.Cert_extn 257 + 258 + let to_oid : type a. a k -> Asn.oid = function 259 + | Unsupported oid -> oid 260 + | Subject_alt_name -> ID.subject_alternative_name 261 + | Authority_key_id -> ID.authority_key_identifier 262 + | Subject_key_id -> ID.subject_key_identifier 263 + | Issuer_alt_name -> ID.issuer_alternative_name 264 + | Key_usage -> ID.key_usage 265 + | Ext_key_usage -> ID.extended_key_usage 266 + | Basic_constraints -> ID.basic_constraints 267 + | CRL_number -> ID.crl_number 268 + | Delta_CRL_indicator -> ID.delta_crl_indicator 269 + | Priv_key_period -> ID.private_key_usage_period 270 + | Name_constraints -> ID.name_constraints 271 + | CRL_distribution_points -> ID.crl_distribution_points 272 + | Issuing_distribution_point -> ID.issuing_distribution_point 273 + | Freshest_CRL -> ID.freshest_crl 274 + | Reason -> ID.reason_code 275 + | Invalidity_date -> ID.invalidity_date 276 + | Certificate_issuer -> ID.certificate_issuer 277 + | Policies -> ID.certificate_policies_2 278 + 279 + let critical : type a. 
a k -> a -> bool = fun k v -> 280 + match k, v with 281 + | Unsupported _, (b, _) -> b 282 + | Subject_alt_name, (b, _) -> b 283 + | Authority_key_id, (b, _) -> b 284 + | Subject_key_id, (b, _) -> b 285 + | Issuer_alt_name, (b, _) -> b 286 + | Key_usage, (b, _) -> b 287 + | Ext_key_usage, (b, _) -> b 288 + | Basic_constraints, (b, _) -> b 289 + | CRL_number, (b, _) -> b 290 + | Delta_CRL_indicator, (b, _) -> b 291 + | Priv_key_period, (b, _) -> b 292 + | Name_constraints, (b, _) -> b 293 + | CRL_distribution_points, (b, _) -> b 294 + | Issuing_distribution_point, (b, _) -> b 295 + | Freshest_CRL, (b, _) -> b 296 + | Reason, (b, _) -> b 297 + | Invalidity_date, (b, _) -> b 298 + | Certificate_issuer, (b, _) -> b 299 + | Policies, (b, _) -> b 300 + 301 + module K = struct 302 + type 'a t = 'a k 303 + 304 + let compare : type a b. a t -> b t -> (a, b) Gmap.Order.t = fun t t' -> 305 + let open Gmap.Order in 306 + match t, t' with 307 + | Subject_alt_name, Subject_alt_name -> Eq 308 + | Authority_key_id, Authority_key_id -> Eq 309 + | Subject_key_id, Subject_key_id -> Eq 310 + | Issuer_alt_name, Issuer_alt_name -> Eq 311 + | Key_usage, Key_usage -> Eq 312 + | Ext_key_usage, Ext_key_usage -> Eq 313 + | Basic_constraints, Basic_constraints -> Eq 314 + | CRL_number, CRL_number -> Eq 315 + | Delta_CRL_indicator, Delta_CRL_indicator -> Eq 316 + | Priv_key_period, Priv_key_period -> Eq 317 + | Name_constraints, Name_constraints -> Eq 318 + | CRL_distribution_points, CRL_distribution_points -> Eq 319 + | Issuing_distribution_point, Issuing_distribution_point -> Eq 320 + | Freshest_CRL, Freshest_CRL -> Eq 321 + | Reason, Reason -> Eq 322 + | Invalidity_date, Invalidity_date -> Eq 323 + | Certificate_issuer, Certificate_issuer -> Eq 324 + | Policies, Policies -> Eq 325 + | Unsupported oid, Unsupported oid' when Asn.OID.equal oid oid' -> Eq 326 + | a, b -> 327 + let r = Asn.OID.compare (to_oid a) (to_oid b) in 328 + if r = 0 then assert false else if r < 0 then Lt else Gt 329 + 
end 330 + 331 + include Gmap.Make(K) 332 + 333 + let pp' custom ppf m = 334 + iter (fun (B (k, v)) -> pp_one' custom k ppf v ; Fmt.sp ppf ()) m 335 + 336 + let pp = pp' default_pp_custom_extension 337 + 338 + let hostnames exts = 339 + match find Subject_alt_name exts with 340 + | None -> None 341 + | Some (_, names) -> 342 + match General_name.find DNS names with 343 + | None -> None 344 + | Some xs -> 345 + let names = 346 + List.fold_left (fun acc s -> 347 + match Host.host s with 348 + | Some (typ, hostname) -> Host.Set.add (typ, hostname) acc 349 + | None -> acc) 350 + Host.Set.empty xs 351 + in 352 + if Host.Set.is_empty names then None else Some names 353 + 354 + let ips exts = 355 + match find Subject_alt_name exts with 356 + | None -> None 357 + | Some (_, names) -> 358 + match General_name.find IP names with 359 + | None -> None 360 + | Some xs -> 361 + let ips = 362 + List.fold_left (fun acc ip -> 363 + match 364 + match String.length ip with 365 + | 4 -> Result.map (fun ip -> Ipaddr.V4 ip) (Ipaddr.V4.of_octets ip) 366 + | 16 -> Result.map (fun ip -> Ipaddr.V6 ip) (Ipaddr.V6.of_octets ip) 367 + | _ -> Error (`Msg "unknown IP address kind") 368 + with 369 + | Ok ip -> Ipaddr.Set.add ip acc 370 + | Error _ -> acc) 371 + Ipaddr.Set.empty xs 372 + in 373 + if Ipaddr.Set.is_empty ips then None else Some ips 374 + 375 + module Asn = struct 376 + open Asn.S 377 + open Asn_grammars 378 + 379 + let display_text = 380 + map (function `C1 s -> s | `C2 s -> s | `C3 s -> s | `C4 s -> s) 381 + (fun s -> `C4 s) 382 + @@ 383 + choice4 ia5_string visible_string bmp_string utf8_string 384 + 385 + module ID = Registry.Cert_extn 386 + 387 + let key_usage : key_usage list Asn.t = bit_string_flags [ 388 + 0, `Digital_signature 389 + ; 1, `Content_commitment 390 + ; 2, `Key_encipherment 391 + ; 3, `Data_encipherment 392 + ; 4, `Key_agreement 393 + ; 5, `Key_cert_sign 394 + ; 6, `CRL_sign 395 + ; 7, `Encipher_only 396 + ; 8, `Decipher_only 397 + ] 398 + 399 + let ext_key_usage 
= 400 + let open ID.Extended_usage in 401 + let f = case_of_oid [ 402 + (any , `Any ) ; 403 + (server_auth , `Server_auth ) ; 404 + (client_auth , `Client_auth ) ; 405 + (code_signing , `Code_signing ) ; 406 + (email_protection , `Email_protection) ; 407 + (ipsec_end_system , `Ipsec_end ) ; 408 + (ipsec_tunnel , `Ipsec_tunnel ) ; 409 + (ipsec_user , `Ipsec_user ) ; 410 + (time_stamping , `Time_stamping ) ; 411 + (ocsp_signing , `Ocsp_signing ) ] 412 + ~default:(fun oid -> `Other oid) 413 + and g = function 414 + | `Any -> any 415 + | `Server_auth -> server_auth 416 + | `Client_auth -> client_auth 417 + | `Code_signing -> code_signing 418 + | `Email_protection -> email_protection 419 + | `Ipsec_end -> ipsec_end_system 420 + | `Ipsec_tunnel -> ipsec_tunnel 421 + | `Ipsec_user -> ipsec_user 422 + | `Time_stamping -> time_stamping 423 + | `Ocsp_signing -> ocsp_signing 424 + | `Other oid -> oid 425 + in 426 + map (List.map f) (List.map g) @@ sequence_of oid 427 + 428 + let basic_constraints = 429 + map (fun (a, b) -> (Option.value ~default:false a, b)) 430 + (fun (a, b) -> ((if a = false then None else Some a), b)) 431 + @@ 432 + sequence2 433 + (optional ~label:"cA" bool) 434 + (optional ~label:"pathLen" int) 435 + 436 + let authority_key_id = 437 + map (fun (a, b, c) -> 438 + (a, Option.value ~default:General_name.empty b, c)) 439 + (fun (a, b, c) -> 440 + (a, (if General_name.is_empty b then None else Some b), c)) 441 + @@ 442 + sequence3 443 + (optional ~label:"keyIdentifier" @@ implicit 0 octet_string) 444 + (optional ~label:"authCertIssuer" @@ implicit 1 General_name.Asn.gen_names) 445 + (optional ~label:"authCertSN" @@ implicit 2 serial) 446 + 447 + let priv_key_usage_period = 448 + let f = function 449 + | (Some t1, Some t2) -> `Interval (t1, t2) 450 + | (Some t1, None ) -> `Not_before t1 451 + | (None , Some t2) -> `Not_after t2 452 + | _ -> parse_error "empty PrivateKeyUsagePeriod" 453 + and g = function 454 + | `Interval (t1, t2) -> (Some t1, Some t2) 455 + | 
`Not_before t1 -> (Some t1, None ) 456 + | `Not_after t2 -> (None , Some t2) in 457 + map f g @@ 458 + sequence2 459 + (optional ~label:"notBefore" @@ implicit 0 generalized_time_no_frac_s) 460 + (optional ~label:"notAfter" @@ implicit 1 generalized_time_no_frac_s) 461 + 462 + let name_constraints = 463 + let subtree = 464 + map 465 + (fun (base, min, max) -> (base, Option.value ~default:0 min, max)) 466 + (fun (base, min, max) -> (base, (if min = 0 then None else Some min), max)) 467 + @@ 468 + sequence3 469 + (required ~label:"base" General_name.Asn.general_name) 470 + (optional ~label:"minimum" @@ implicit 0 int) 471 + (optional ~label:"maximum" @@ implicit 1 int) 472 + in 473 + map 474 + (fun (a, b) -> (Option.value ~default:[] a, Option.value ~default:[] b)) 475 + (fun (a, b) -> ((if a = [] then None else Some a), 476 + (if b = [] then None else Some b))) 477 + @@ 478 + sequence2 479 + (optional ~label:"permittedSubtrees" @@ implicit 0 (sequence_of subtree)) 480 + (optional ~label:"excludedSubtrees" @@ implicit 1 (sequence_of subtree)) 481 + 482 + let cert_policies = 483 + let open ID.Cert_policy in 484 + let qualifier_info = 485 + map (function | (oid, `C1 s) when oid = cps -> s 486 + | (oid, `C2 s) when oid = unotice -> s 487 + | _ -> parse_error "bad policy qualifier") 488 + (function s -> (cps, `C1 s)) 489 + @@ 490 + sequence2 491 + (required ~label:"qualifierId" oid) 492 + (required ~label:"qualifier" 493 + (choice2 494 + ia5_string 495 + @@ 496 + map (function (_, Some s) -> s | _ -> "#(BLAH BLAH)") 497 + (fun s -> (None, Some s)) 498 + (sequence2 499 + (optional ~label:"noticeRef" 500 + (sequence2 501 + (required ~label:"organization" display_text) 502 + (required ~label:"numbers" (sequence_of integer)))) 503 + (optional ~label:"explicitText" display_text)))) 504 + in 505 + (* "Optional qualifiers, which MAY be present, are not expected to change 506 + * the definition of the policy." 507 + * Hence, we just drop them. 
*) 508 + sequence_of @@ 509 + map (function | (oid, _) when oid = any_policy -> `Any 510 + | (oid, _) -> `Something oid) 511 + (function | `Any -> (any_policy, None) 512 + | `Something oid -> (oid, None)) 513 + @@ 514 + sequence2 515 + (required ~label:"policyIdentifier" oid) 516 + (optional ~label:"policyQualifiers" (sequence_of qualifier_info)) 517 + 518 + let reason : reason list Asn.t = bit_string_flags [ 519 + 0, `Unspecified 520 + ; 1, `Key_compromise 521 + ; 2, `CA_compromise 522 + ; 3, `Affiliation_changed 523 + ; 4, `Superseded 524 + ; 5, `Cessation_of_operation 525 + ; 6, `Certificate_hold 526 + ; 7, `Privilege_withdrawn 527 + ; 8, `AA_compromise 528 + ] 529 + 530 + let reason_enumerated : reason Asn.t = 531 + enumerated reason_of_int reason_to_int 532 + 533 + let distribution_point_name = 534 + map (function | `C1 s -> `Full s | `C2 s -> `Relative s) 535 + (function | `Full s -> `C1 s | `Relative s -> `C2 s) 536 + @@ 537 + choice2 538 + (implicit 0 General_name.Asn.gen_names) 539 + (implicit 1 Distinguished_name.Asn.name) 540 + 541 + let distribution_point = 542 + sequence3 543 + (optional ~label:"distributionPoint" @@ explicit 0 distribution_point_name) 544 + (optional ~label:"reasons" @@ implicit 1 reason) 545 + (optional ~label:"cRLIssuer" @@ implicit 2 General_name.Asn.gen_names) 546 + 547 + let crl_distribution_points = sequence_of distribution_point 548 + 549 + let issuing_distribution_point = 550 + map 551 + (fun (a, b, c, d, e, f) -> 552 + (a, 553 + Option.value ~default:false b, 554 + Option.value ~default:false c, 555 + d, 556 + Option.value ~default:false e, 557 + Option.value ~default:false f)) 558 + (fun (a, b, c, d, e, f) -> 559 + (a, 560 + (if b = false then None else Some b), 561 + (if c = false then None else Some c), 562 + d, 563 + (if e = false then None else Some e), 564 + (if f = false then None else Some f))) 565 + @@ 566 + sequence6 567 + (optional ~label:"distributionPoint" @@ explicit 0 distribution_point_name) 568 + (optional 
~label:"onlyContainsUserCerts" @@ implicit 1 bool) 569 + (optional ~label:"onlyContainsCACerts" @@ implicit 2 bool) 570 + (optional ~label:"onlySomeReasons" @@ implicit 3 reason) 571 + (optional ~label:"indirectCRL" @@ implicit 4 bool) 572 + (optional ~label:"onlyContainsAttributeCerts" @@ implicit 5 bool) 573 + 574 + let crl_reason : reason Asn.t = 575 + let alist = [ 576 + 0, `Unspecified 577 + ; 1, `Key_compromise 578 + ; 2, `CA_compromise 579 + ; 3, `Affiliation_changed 580 + ; 4, `Superseded 581 + ; 5, `Cessation_of_operation 582 + ; 6, `Certificate_hold 583 + ; 8, `Remove_from_CRL 584 + ; 9, `Privilege_withdrawn 585 + ; 10, `AA_compromise 586 + ] 587 + in 588 + let rev = List.map (fun (k, v) -> (v, k)) alist in 589 + enumerated (fun i -> List.assoc i alist) (fun k -> List.assoc k rev) 590 + 591 + let gen_names_of_str, gen_names_to_str = project_exn General_name.Asn.gen_names 592 + and auth_key_id_of_str, auth_key_id_to_str = project_exn authority_key_id 593 + and subj_key_id_of_str, subj_key_id_to_str = project_exn octet_string 594 + and key_usage_of_str, key_usage_to_str = project_exn key_usage 595 + and e_key_usage_of_str, e_key_usage_to_str = project_exn ext_key_usage 596 + and basic_constr_of_str, basic_constr_to_str = project_exn basic_constraints 597 + and pr_key_peri_of_str, pr_key_peri_to_str = project_exn priv_key_usage_period 598 + and name_con_of_str, name_con_to_str = project_exn name_constraints 599 + and crl_distrib_of_str, crl_distrib_to_str = project_exn crl_distribution_points 600 + and cert_pol_of_str, cert_pol_to_str = project_exn cert_policies 601 + and int_of_str, int_to_str = project_exn int 602 + and issuing_dp_of_str, issuing_dp_to_str = project_exn issuing_distribution_point 603 + and crl_reason_of_str, crl_reason_to_str = project_exn crl_reason 604 + and time_of_str, time_to_str = project_exn generalized_time_no_frac_s 605 + 606 + (* XXX 4.2.1.4. - cert policies! 
( and other x509 extensions ) *) 607 + 608 + let reparse_extension_exn crit = case_of_oid_f [ 609 + (ID.subject_alternative_name, 610 + fun cs -> B (Subject_alt_name, (crit, gen_names_of_str cs))) ; 611 + (ID.issuer_alternative_name, 612 + fun cs -> B (Issuer_alt_name, (crit, gen_names_of_str cs))) ; 613 + (ID.authority_key_identifier, 614 + fun cs -> B (Authority_key_id, (crit, auth_key_id_of_str cs))) ; 615 + (ID.subject_key_identifier, 616 + fun cs -> B (Subject_key_id, (crit, subj_key_id_of_str cs))) ; 617 + (ID.key_usage, 618 + fun cs -> B (Key_usage, (crit, key_usage_of_str cs))) ; 619 + (ID.basic_constraints, 620 + fun cs -> B (Basic_constraints, (crit, basic_constr_of_str cs))) ; 621 + (ID.crl_number, 622 + fun cs -> B (CRL_number, (crit, int_of_str cs))) ; 623 + (ID.delta_crl_indicator, 624 + fun cs -> B (Delta_CRL_indicator, (crit, int_of_str cs))) ; 625 + (ID.extended_key_usage, 626 + fun cs -> B (Ext_key_usage, (crit, e_key_usage_of_str cs))) ; 627 + (ID.private_key_usage_period, 628 + fun cs -> B (Priv_key_period, (crit, pr_key_peri_of_str cs))) ; 629 + (ID.name_constraints, 630 + fun cs -> B (Name_constraints, (crit, name_con_of_str cs))) ; 631 + (ID.crl_distribution_points, 632 + fun cs -> B (CRL_distribution_points, (crit, crl_distrib_of_str cs))) ; 633 + (ID.issuing_distribution_point, 634 + fun cs -> B (Issuing_distribution_point, (crit, issuing_dp_of_str cs))) ; 635 + (ID.freshest_crl, 636 + fun cs -> B (Freshest_CRL, (crit, crl_distrib_of_str cs))) ; 637 + (ID.reason_code, 638 + fun cs -> B (Reason, (crit, crl_reason_of_str cs))) ; 639 + (ID.invalidity_date, 640 + fun cs -> B (Invalidity_date, (crit, time_of_str cs))) ; 641 + (ID.certificate_issuer, 642 + fun cs -> B (Certificate_issuer, (crit, gen_names_of_str cs))) ; 643 + (ID.certificate_policies_2, 644 + fun cs -> B (Policies, (crit, cert_pol_of_str cs))) 645 + ] 646 + ~default:(fun oid -> fun cs -> B (Unsupported oid, (crit, cs))) 647 + 648 + let unparse_extension (B (k, v)) = 649 + let v' 
= match k, v with 650 + | Subject_alt_name, (_, x) -> gen_names_to_str x 651 + | Issuer_alt_name, (_, x) -> gen_names_to_str x 652 + | Authority_key_id, (_, x) -> auth_key_id_to_str x 653 + | Subject_key_id, (_, x) -> subj_key_id_to_str x 654 + | Key_usage, (_, x) -> key_usage_to_str x 655 + | Basic_constraints, (_, x) -> basic_constr_to_str x 656 + | CRL_number, (_, x) -> int_to_str x 657 + | Delta_CRL_indicator, (_, x) -> int_to_str x 658 + | Ext_key_usage, (_, x) -> e_key_usage_to_str x 659 + | Priv_key_period, (_, x) -> pr_key_peri_to_str x 660 + | Name_constraints, (_, x) -> name_con_to_str x 661 + | CRL_distribution_points, (_, x) -> crl_distrib_to_str x 662 + | Issuing_distribution_point, (_, x) -> issuing_dp_to_str x 663 + | Freshest_CRL, (_, x) -> crl_distrib_to_str x 664 + | Reason, (_, x) -> crl_reason_to_str x 665 + | Invalidity_date, (_, x) -> time_to_str x 666 + | Certificate_issuer, (_, x) -> gen_names_to_str x 667 + | Policies, (_, x) -> cert_pol_to_str x 668 + | Unsupported _, (_, x) -> x 669 + in 670 + to_oid k, critical k v, v' 671 + 672 + let extensions_der = 673 + let extension = 674 + let f (oid, crit, cs) = 675 + reparse_extension_exn (Option.value ~default:false crit) (oid, cs) 676 + and g b = 677 + let oid, crit, cs = unparse_extension b in 678 + (oid, (if crit = false then None else Some crit), cs) 679 + in 680 + map f g @@ 681 + sequence3 682 + (required ~label:"id" oid) 683 + (optional ~label:"critical" bool) (* default false *) 684 + (required ~label:"value" octet_string) 685 + in 686 + let f exts = 687 + List.fold_left (fun map (B (k, v)) -> 688 + match add_unless_bound k v map with 689 + | None -> parse_error "%a already bound" (pp_one k) v 690 + | Some b -> b) 691 + empty exts 692 + and g map = bindings map 693 + in 694 + map f g @@ sequence_of extension 695 + end
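Review bot: `crl_reason` near the end of `module Asn` decodes with `List.assoc i alist`, which raises `Not_found` for 7 or for any value above 10, whereas `reason_of_int` at the top of the file handles the same case with `Asn.S.parse_error "Unknown reason %d" x`. `crl_reason_of_str` is projected from `crl_reason`, so the `Reason` entry in `reparse_extension_exn` takes the `List.assoc` path, and `reason_enumerated` is defined but not used anywhere in this file. Suggest defining `crl_reason` as `reason_enumerated`, or making the lookup call `parse_error`, so that an unlisted reason code is reported as a decode error like every other malformed extension. Separately, the final case of `K.compare` ends in `if r = 0 then assert false`, which is reachable when a caller constructs `Unsupported oid` with the OID of one of the supported extensions and it meets the typed key in the same map; a comment stating that invariant, or a constructor that rejects such OIDs, would make the assumption explicit.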
+170
vendor/opam/x509/lib/general_name.ml
··· 1 + type _ k = 2 + | Other : Asn.oid -> string list k 3 + | Rfc_822 : string list k 4 + | DNS : string list k 5 + | X400_address : unit k 6 + | Directory : Distinguished_name.t list k 7 + | EDI_party : (string option * string) list k 8 + | URI : string list k 9 + | IP : string list k 10 + | Registered_id : Asn.oid list k 11 + 12 + module K = struct 13 + type 'a t = 'a k 14 + 15 + let compare : type a b. a t -> b t -> (a, b) Gmap.Order.t = fun t t' -> 16 + let open Gmap.Order in 17 + match t, t' with 18 + | Rfc_822, Rfc_822 -> Eq | Rfc_822, _ -> Lt | _, Rfc_822 -> Gt 19 + | DNS, DNS -> Eq | DNS, _ -> Lt | _, DNS -> Gt 20 + | X400_address, X400_address -> Eq | X400_address, _ -> Lt | _, X400_address -> Gt 21 + | Directory, Directory -> Eq | Directory, _ -> Lt | _, Directory -> Gt 22 + | EDI_party, EDI_party -> Eq | EDI_party, _ -> Lt | _, EDI_party -> Gt 23 + | URI, URI -> Eq | URI, _ -> Lt | _, URI -> Gt 24 + | IP, IP -> Eq | IP, _ -> Lt | _, IP -> Gt 25 + | Registered_id, Registered_id -> Eq | Registered_id, _ -> Lt | _, Registered_id -> Gt 26 + | Other a, Other b -> match Asn.OID.compare a b with 27 + | 0 -> Eq 28 + | x when x < 0 -> Lt 29 + | _ -> Gt 30 + end 31 + 32 + include Gmap.Make(K) 33 + 34 + let pp_k : type a. 
a k -> Format.formatter -> a -> unit = fun k ppf v -> 35 + let pp_strs = Fmt.(list ~sep:(any "; ") string) in 36 + match k, v with 37 + | Rfc_822, x -> Fmt.pf ppf "rfc822 %a" pp_strs x 38 + | DNS, x -> 39 + Fmt.pf ppf "dns %a" Fmt.(list ~sep:(any "; ") string) x 40 + | X400_address, () -> Fmt.string ppf "x400 address" 41 + | Directory, x -> 42 + Fmt.pf ppf "directory %a" 43 + Fmt.(list ~sep:(any "; ") Distinguished_name.pp) x 44 + | EDI_party, xs -> 45 + Fmt.pf ppf "edi party %a" 46 + Fmt.(list ~sep:(any "; ") 47 + (pair ~sep:(any ", ") 48 + (option ~none:(any "") string) string)) xs 49 + | URI, x -> Fmt.pf ppf "uri %a" pp_strs x 50 + | IP, x -> Fmt.pf ppf "ip %a" Fmt.(list ~sep:(any ";") (fmt "%S")) x 51 + | Registered_id, x -> 52 + Fmt.pf ppf "registered id %a" 53 + Fmt.(list ~sep:(any ";") Asn.OID.pp) x 54 + | Other oid, x -> Fmt.pf ppf "other %a: %a" Asn.OID.pp oid pp_strs x 55 + 56 + let pp ppf m = iter (fun (B (k, v)) -> pp_k k ppf v ; Fmt.sp ppf ()) m 57 + 58 + let merge_values : type a. a k -> a -> a -> a = fun k v v' -> 59 + match k, v, v' with 60 + | Other _, a, b -> a @ b 61 + | Registered_id, a, b -> a @ b 62 + | IP, a, b -> a @ b 63 + | URI, a, b -> a @ b 64 + | EDI_party, a, b -> a @ b 65 + | Directory, a, b -> a @ b 66 + | X400_address, (), () -> () 67 + | DNS, a, b -> a @ b 68 + | Rfc_822, a, b -> a @ b 69 + 70 + module Asn = struct 71 + open Asn.S 72 + (* GeneralName is also pretty pervasive. *) 73 + 74 + (* OID x ANY. Hunt down the alternatives.... *) 75 + (* XXX 76 + * Cross-check. NSS seems to accept *all* oids here and just assumes UTF8. 
77 + * *) 78 + let another_name = 79 + let open Registry in 80 + let f = function 81 + | (oid, `C1 n) -> (oid, n) 82 + | (oid, `C2 n) -> (oid, n) 83 + | (oid, `C3 _) -> (oid, "") 84 + and g = function 85 + | (oid, "") -> (oid, `C3 ()) 86 + | (oid, n ) when Name_extn.is_utf8_id oid -> (oid, `C1 n) 87 + | (oid, n ) -> (oid, `C2 n) in 88 + map f g @@ 89 + sequence2 90 + (required ~label:"type-id" oid) 91 + (required ~label:"value" @@ 92 + explicit 0 93 + (choice3 utf8_string ia5_string null)) 94 + 95 + and or_address = null (* Horrible crap, need to fill it. *) 96 + 97 + let dir_name = 98 + let f = function | `C1 s -> s | `C2 s -> s | `C3 s -> s 99 + | `C4 s -> s | `C5 s -> s | `C6 s -> s 100 + and g s = `C1 s 101 + in 102 + Asn.S.map f g Distinguished_name.Asn.directory_name 103 + 104 + let edi_party_name = 105 + sequence2 106 + (optional ~label:"nameAssigner" @@ implicit 0 dir_name) 107 + (required ~label:"partyName" @@ implicit 1 dir_name) 108 + 109 + let general_name = 110 + let f = function 111 + | `C1 (`C1 (oid, x)) -> B (Other oid, [ x ]) 112 + | `C1 (`C2 x) -> B (Rfc_822, [ x ]) 113 + | `C1 (`C3 x) -> B (DNS, [ x ]) 114 + | `C1 (`C4 _x) -> B (X400_address, ()) 115 + | `C1 (`C5 x) -> B (Directory, [ x ]) 116 + | `C1 (`C6 x) -> B (EDI_party, [ x ]) 117 + | `C2 (`C1 x) -> B (URI, [ x ]) 118 + | `C2 (`C2 x) -> B (IP, [ x ]) 119 + | `C2 (`C3 x) -> B (Registered_id, [ x ]) 120 + and g (B (k, v)) = match k, v with 121 + | Other oid, [ x ] -> `C1 (`C1 (oid, x)) 122 + | Rfc_822, [ x ] -> `C1 (`C2 x) 123 + | DNS, [ x ] -> `C1 (`C3 x) 124 + | X400_address, () -> `C1 (`C4 ()) 125 + | Directory, [ x ] -> `C1 (`C5 x) 126 + | EDI_party, [ x ] -> `C1 (`C6 x) 127 + | URI, [ x ] -> `C2 (`C1 x) 128 + | IP, [ x ] -> `C2 (`C2 x) 129 + | Registered_id, [ x ] -> `C2 (`C3 x) 130 + | _ -> Asn.S.error (`Parse "bad general name") 131 + in 132 + map f g @@ 133 + choice2 134 + (choice6 135 + (implicit 0 another_name) 136 + (implicit 1 ia5_string) 137 + (implicit 2 ia5_string) 138 + 
(implicit 3 or_address) 139 + (* Everybody uses this as explicit, contrary to x509 (?) *) 140 + (explicit 4 Distinguished_name.Asn.name) 141 + (implicit 5 edi_party_name)) 142 + (choice3 143 + (implicit 6 ia5_string) 144 + (implicit 7 octet_string) 145 + (implicit 8 oid)) 146 + 147 + let gen_names = 148 + let f exts = 149 + List.fold_left (fun map (B (k, v)) -> 150 + match find k map with 151 + | None -> add k v map 152 + | Some b -> add k (merge_values k b v) map) 153 + empty exts 154 + and g map = 155 + List.flatten (List.map (fun (B (k, v)) -> 156 + match k, v with 157 + | Other oid, xs -> List.map (fun d -> B (Other oid, [ d ])) xs 158 + | Registered_id, xs -> List.map (fun d -> B (Registered_id, [ d ])) xs 159 + | IP, xs -> List.map (fun d -> B (IP, [ d ])) xs 160 + | URI, xs -> List.map (fun d -> B (URI, [ d ])) xs 161 + | EDI_party, xs -> List.map (fun d -> B (EDI_party, [ d ])) xs 162 + | Directory, xs -> List.map (fun d -> B (Directory, [ d ])) xs 163 + | X400_address, () -> [ B (X400_address, ()) ] 164 + | DNS, xs -> List.map (fun d -> B (DNS, [ d ])) xs 165 + | Rfc_822, xs -> List.map (fun d -> B (Rfc_822, [ d ])) xs) 166 + (bindings map)) 167 + in 168 + map f g @@ sequence_of general_name 169 + end 170 +
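Review bot: `another_name` does not round-trip every value it accepts. Its `f` maps the NULL alternative to `(oid, "")` and also drops whether the string arrived as UTF8String or IA5String, while `g` re-encodes every `(oid, "")` as NULL and picks the string type from `Name_extn.is_utf8_id oid`. An otherName carrying an empty string, or an IA5String under an OID that `is_utf8_id` accepts, therefore re-encodes to different bytes. Either keep the decoded alternative in the value type or document next to the existing XXX comment that the mapping is lossy. In the same module, `or_address = null` means a GeneralName with a populated x400Address will not parse; the comment on that line should say so explicitly. Minor: `pp_k` defines `pp_strs` but the DNS branch spells the same formatter out again, and the IP and Registered_id branches use the separator ";" where the others use "; ".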
+40
vendor/opam/x509/lib/host.ml
··· 1 + type t = [ `Strict | `Wildcard ] * [ `host ] Domain_name.t 2 + 3 + let pp_typ ppf = function 4 + | `Strict -> Fmt.nop ppf () 5 + | `Wildcard -> Fmt.string ppf "*." 6 + 7 + let pp ppf (typ, nam) = 8 + Fmt.pf ppf "%a%a" pp_typ typ Domain_name.pp nam 9 + 10 + module Set = struct 11 + include Set.Make(struct 12 + type nonrec t = t 13 + let compare a b = match a, b with 14 + | (`Strict, a), (`Strict, b) 15 + | (`Wildcard, a), (`Wildcard, b) -> Domain_name.compare a b 16 + | (`Strict, _), (`Wildcard, _) -> -1 17 + | (`Wildcard, _), (`Strict, _) -> 1 18 + end) 19 + 20 + let pp ppf s = 21 + Fmt.(list ~sep:(any ", ") pp) ppf (elements s) 22 + end 23 + 24 + let is_wildcard name = 25 + match Domain_name.get_label name 0 with 26 + | Ok "*" -> Some (Domain_name.drop_label_exn name) 27 + | _ -> None 28 + 29 + let host name = 30 + match Domain_name.of_string name with 31 + | Error _ -> None 32 + | Ok dn -> 33 + let wild, name = match is_wildcard dn with 34 + | None -> `Strict, dn 35 + | Some dn' -> `Wildcard, dn' 36 + in 37 + match Domain_name.host name with 38 + | Error _ -> None 39 + | Ok hostname -> Some (wild, hostname) 40 +
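Review bot: `host` does not check that any labels remain after `is_wildcard` strips the leading `*`, so for the input "*" the value handed to `Domain_name.host` is the root name, and whether that comes back as a Wildcard entry over the empty name depends on `Domain_name.host`, which is not visible in this file. Suggest rejecting that case explicitly in `host`, or adding a test that pins the behaviour. A one-line comment on `is_wildcard` explaining why `drop_label_exn` is safe there (`get_label name 0` has already succeeded) would also help, as would a note that only a complete leftmost `*` label is treated as a wildcard.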
+47
vendor/opam/x509/lib/key_type.ml
··· 1 + type t = [ `RSA | `ED25519 | `P256 | `P384 | `P521 ] 2 + 3 + let strings = 4 + [ ("rsa", `RSA) ; ("ed25519", `ED25519) ; 5 + ("p256", `P256) ; ("p384", `P384) ; ("p521", `P521) ] 6 + 7 + let to_string kt = fst (List.find (fun (_, k) -> kt = k) strings) 8 + 9 + let of_string s = 10 + match List.assoc_opt (String.lowercase_ascii s) strings with 11 + | Some kt -> Ok kt 12 + | None -> 13 + Error (`Msg (Fmt.str "unkown key type %s, supported are %a" 14 + s Fmt.(list ~sep:(any ", ") string) (List.map fst strings))) 15 + 16 + let pp ppf t = Fmt.string ppf (to_string t) 17 + 18 + type signature_scheme = [ `RSA_PSS | `RSA_PKCS1 | `ECDSA | `ED25519 ] 19 + 20 + let signature_scheme_to_string = function 21 + | `RSA_PSS -> "RSA-PSS" 22 + | `RSA_PKCS1 -> "RSA-PKCS1" 23 + | `ECDSA -> "ECDSA" 24 + | `ED25519 -> "ED25519" 25 + 26 + let pp_signature_scheme ppf s = Fmt.string ppf (signature_scheme_to_string s) 27 + 28 + let supports_signature_scheme key_typ scheme = 29 + match key_typ, scheme with 30 + | `RSA, (`RSA_PSS | `RSA_PKCS1) -> true 31 + | `ED25519, `ED25519 -> true 32 + | (`P256 | `P384 | `P521), `ECDSA -> true 33 + | _ -> false 34 + 35 + let opt_signature_scheme ?scheme kt = 36 + match scheme with 37 + | Some x -> x 38 + | None -> match kt with 39 + | `RSA -> `RSA_PSS 40 + | `ED25519 -> `ED25519 41 + | `P256 | `P384 | `P521 -> `ECDSA 42 + 43 + (* the default of RSA keys should be PSS, but most deployed certificates still 44 + use PKCS1 (and this library uses pkcs1 by default as well) *) 45 + let x509_default_scheme = function 46 + | `RSA -> `RSA_PKCS1 47 + | x -> opt_signature_scheme x
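Review bot: `to_string` is `fst (List.find (fun (_, k) -> kt = k) strings)`, so a constructor later added to `t` but not to the `strings` table still type-checks and raises `Not_found` at run time. A direct `match`, as `signature_scheme_to_string` already does, lets the compiler check exhaustiveness; `of_string` can keep using the table. The `of_string` error text contains a typo, "unkown key type". It would also help to note next to `opt_signature_scheme` that its RSA default (RSA_PSS) differs from `x509_default_scheme` (RSA_PKCS1), since the explanatory comment currently sits only above the latter.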
+704
vendor/opam/x509/lib/ocsp.ml
··· 1 + (* https://tools.ietf.org/html/rfc6960 *) 2 + 3 + let version_v1 = 0 4 + 5 + (* 6 + CertID ::= SEQUENCE { 7 + hashAlgorithm AlgorithmIdentifier, 8 + issuerNameHash OCTET STRING, -- Hash of issuer's DN 9 + issuerKeyHash OCTET STRING, -- Hash of issuer's public key 10 + serialNumber CertificateSerialNumber } 11 + *) 12 + type cert_id = { 13 + hashAlgorithm: Algorithm.t; 14 + issuerNameHash: string; 15 + issuerKeyHash: string; 16 + serialNumber: string; 17 + } 18 + 19 + let create_cert_id ?(hash=`SHA1) issuer serialNumber = 20 + let hashAlgorithm = Algorithm.of_hash hash in 21 + let module Hash = (val (Digestif.module_of_hash' (hash :> Digestif.hash'))) in 22 + let issuerNameHash = 23 + Certificate.subject issuer 24 + |> Distinguished_name.encode_der 25 + |> Hash.(fun x -> to_raw_string (digest_string x)) 26 + in 27 + let issuerKeyHash = 28 + Public_key.fingerprint ~hash (Certificate.public_key issuer) 29 + in 30 + {hashAlgorithm;issuerNameHash;issuerKeyHash;serialNumber} 31 + 32 + let cert_id_serial {serialNumber;_} = serialNumber 33 + 34 + let pp_cert_id ppf {hashAlgorithm;issuerNameHash;issuerKeyHash;serialNumber} = 35 + Fmt.pf ppf "CertID @[<1>{@ algo=%a;@ issuerNameHash=%a;@ issuerKeyHash=%a;@ serialNumber=%a@ }@]" 36 + Algorithm.pp hashAlgorithm 37 + Ohex.pp issuerNameHash 38 + Ohex.pp issuerKeyHash 39 + Ohex.pp serialNumber 40 + 41 + module Asn_common = struct 42 + open Asn.S 43 + 44 + let cert_id = 45 + let f (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber) = 46 + {hashAlgorithm; issuerNameHash; issuerKeyHash; serialNumber;} 47 + in 48 + let g {hashAlgorithm;issuerNameHash;issuerKeyHash;serialNumber;} = 49 + (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber) 50 + in 51 + map f g @@ 52 + sequence4 53 + (required ~label:"hashAlgorithm" Algorithm.identifier) 54 + (required ~label:"issuerNameHash" octet_string) 55 + (required ~label:"issuerKeyHash" octet_string) 56 + (required ~label:"serialNumber" Asn_grammars.serial) 57 + end 58 + 
59 + let ( let* ) = Result.bind 60 + 61 + module Request = struct 62 + (* 63 + Request ::= SEQUENCE { 64 + reqCert CertID, 65 + singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } 66 + *) 67 + type request = { 68 + reqCert: cert_id; 69 + singleRequestExtensions: Extension.t option; 70 + } 71 + 72 + let create_request ?singleRequestExtensions reqCert = 73 + {reqCert;singleRequestExtensions} 74 + 75 + let pp_request ppf {reqCert;singleRequestExtensions;} = 76 + Fmt.pf ppf "Request @[<1>{@ reqCert=%a;@ singleRequestExtensions=%a;@ }@]" 77 + pp_cert_id reqCert 78 + (Fmt.option ~none:(Fmt.any "None") Extension.pp) singleRequestExtensions 79 + 80 + (* 81 + TBSRequest ::= SEQUENCE { 82 + version [0] EXPLICIT Version DEFAULT v1, 83 + requestorName [1] EXPLICIT GeneralName OPTIONAL, 84 + requestList SEQUENCE OF Request, 85 + requestExtensions [2] EXPLICIT Extensions OPTIONAL } 86 + 87 + *) 88 + type tbs_request = { 89 + requestorName: General_name.b option; 90 + requestList: request list; 91 + requestExtensions: Extension.t option; 92 + } 93 + 94 + let create_tbs_request ?requestorName ?requestExtensions requests = 95 + { requestorName ; requestList=requests ; requestExtensions } 96 + 97 + let pp_tbs_request ppf { requestorName ; requestList ; requestExtensions } = 98 + let pp_general_name ppf x = 99 + let open General_name in 100 + match x with 101 + | B (k, v) -> General_name.pp_k k ppf v 102 + in 103 + Fmt.pf ppf "TBSRequest @[<1>{@ requestorName=%a;@ requestList=[@ %a@ ];@ requestExtensions=%a@ }@]" 104 + (Fmt.option ~none:(Fmt.any "None") pp_general_name) requestorName 105 + (Fmt.list ~sep:Fmt.semi pp_request) requestList 106 + (Fmt.option ~none:(Fmt.any "None") Extension.pp) requestExtensions 107 + 108 + (* 109 + Signature ::= SEQUENCE { 110 + signatureAlgorithm AlgorithmIdentifier, 111 + signature BIT STRING, 112 + certs [0] EXPLICIT SEQUENCE OF Certificate 113 + OPTIONAL} 114 + *) 115 + type signature = { 116 + signatureAlgorithm: Algorithm.t; 117 + 
signature: string; 118 + certs: Certificate.t list option; 119 + } 120 + 121 + let pp_signature ppf {signatureAlgorithm;signature;certs;} = 122 + Fmt.pf ppf "Signature @[<1>{@ signatureAlgorithm=%a;@ signature=%a;@ certs=%a}@]" 123 + Algorithm.pp signatureAlgorithm 124 + Ohex.pp signature 125 + (Fmt.option ~none:(Fmt.any "None") @@ 126 + Fmt.brackets @@ 127 + Fmt.list ~sep:Fmt.semi Certificate.pp) certs 128 + 129 + (* 130 + OCSPRequest ::= SEQUENCE { 131 + tbsRequest TBSRequest, 132 + optionalSignature [0] EXPLICIT Signature OPTIONAL } 133 + *) 134 + type req = { 135 + tbsRequest: tbs_request; 136 + optionalSignature: signature option; 137 + } 138 + 139 + type t = { 140 + raw : string ; 141 + asn : req ; 142 + } 143 + 144 + let pp ppf { asn = { tbsRequest ; optionalSignature } ; _ } = 145 + Fmt.pf ppf "OCSPRequest @[<1>{@ tbsRequest=%a;@ optionalSignature=%a@ }@]" 146 + pp_tbs_request tbsRequest 147 + (Fmt.option ~none:(Fmt.any "None") pp_signature) optionalSignature 148 + 149 + let cert_ids { asn = { tbsRequest = { requestList ; _ } ; _ } ; _ } = 150 + let cert_ids = List.map (fun {reqCert;_} -> reqCert) requestList in 151 + cert_ids 152 + 153 + let requestor_name { asn = { tbsRequest = { requestorName ; _ } ; _ } ; _ } = 154 + requestorName 155 + 156 + module Asn_ = Asn 157 + 158 + module Asn = struct 159 + open Asn_grammars 160 + open Asn.S 161 + 162 + let request = 163 + let f (reqCert, singleRequestExtensions) = 164 + {reqCert; singleRequestExtensions} 165 + in 166 + let g {reqCert; singleRequestExtensions} = 167 + (reqCert, singleRequestExtensions) 168 + in 169 + map f g @@ 170 + sequence2 171 + (required ~label:"reqCert" Asn_common.cert_id) 172 + (optional ~label:"singleRequestExtensions" @@ explicit 0 173 + Extension.Asn.extensions_der) 174 + 175 + let tbs_request = 176 + let f (version, requestorName, requestList, requestExtensions) = 177 + match version with 178 + | Some v when v <> version_v1 -> 179 + Asn.S.parse_error "unsupported version %d" v 180 + | 
_ -> 181 + { requestorName ; requestList ; requestExtensions } 182 + in 183 + let g { requestorName ; requestList ; requestExtensions } = 184 + (None, requestorName, requestList, requestExtensions) 185 + in 186 + map f g @@ 187 + sequence4 188 + (optional ~label:"version" @@ explicit 0 int) 189 + (optional ~label:"requestorName" @@ 190 + explicit 1 General_name.Asn.general_name) 191 + (required ~label:"requestList" @@ sequence_of request) 192 + (optional ~label:"requestExtensions" @@ Extension.Asn.extensions_der) 193 + 194 + let tbs_request_of_str,tbs_request_to_str = 195 + projections_of Asn.der tbs_request 196 + 197 + let signature = 198 + let f (signatureAlgorithm,signature,certs) = 199 + let certs = match certs with 200 + | None -> None 201 + | Some certs -> 202 + let encode cert = 203 + let raw = Certificate.Asn.certificate_to_octets cert in 204 + Certificate.{raw; asn=cert} 205 + in 206 + Some (List.map encode certs) 207 + in 208 + {signatureAlgorithm;signature;certs} 209 + in 210 + let g {signatureAlgorithm;signature;certs} = 211 + let certs = match certs with 212 + | None -> None 213 + | Some certs -> 214 + Some (List.map (fun Certificate.{asn;_} -> asn) certs) 215 + in 216 + (signatureAlgorithm,signature,certs) 217 + in 218 + map f g @@ 219 + sequence3 220 + (required ~label:"signatureAlgorithm" Algorithm.identifier) 221 + (required ~label:"signature" bit_string_octets) 222 + (optional ~label:"certs" @@ explicit 0 @@ 223 + sequence_of Certificate.Asn.certificate) 224 + 225 + let ocsp_request = 226 + let f (tbsRequest,optionalSignature) = 227 + {tbsRequest;optionalSignature;} 228 + in 229 + let g {tbsRequest;optionalSignature;} = 230 + (tbsRequest,optionalSignature) 231 + in 232 + map f g @@ 233 + sequence2 234 + (required ~label:"tbsRequest" tbs_request) 235 + (optional ~label:"optionalSignature" signature) 236 + 237 + let (ocsp_request_of_octets, ocsp_request_to_octets) = 238 + projections_of Asn.der ocsp_request 239 + 240 + end 241 + 242 + let decode_der 
raw = 243 + let* asn = Asn.ocsp_request_of_octets raw in 244 + Ok { asn ; raw } 245 + 246 + let encode_der { raw ; _ } = raw 247 + 248 + let create ?certs ?digest ?requestor_name:requestorName ?key cert_ids = 249 + let requestList = List.map create_request cert_ids in 250 + let tbsRequest = { 251 + requestorName; 252 + requestList; 253 + requestExtensions=None; 254 + } 255 + in 256 + let* optionalSignature = 257 + match key with 258 + | None -> Ok None 259 + | Some key -> 260 + let digest = Signing_request.default_digest digest key in 261 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 262 + let signatureAlgorithm = Algorithm.of_signature_algorithm scheme digest in 263 + let tbs_der = Asn.tbs_request_to_str tbsRequest in 264 + let* signature = Private_key.sign digest ~scheme key (`Message tbs_der) in 265 + Ok (Some { signature ; signatureAlgorithm ; certs; }) 266 + in 267 + let asn = { tbsRequest ; optionalSignature } in 268 + let raw = Asn.ocsp_request_to_octets asn in 269 + Ok { raw ; asn } 270 + 271 + let validate { asn ; raw } ?(allowed_hashes = Validation.sha2) pub = 272 + match asn.optionalSignature with 273 + | None -> Error `No_signature 274 + | Some sign -> 275 + let tbs_raw = Validation.raw_cert_hack raw in 276 + let dn = 277 + let cn = "OCSP" in 278 + [ Distinguished_name.(Relative_distinguished_name.singleton (CN cn)) ] 279 + in 280 + Validation.validate_raw_signature dn allowed_hashes tbs_raw 281 + sign.signatureAlgorithm sign.signature pub 282 + end 283 + 284 + module Response = struct 285 + 286 + (* OCSPResponseStatus ::= ENUMERATED { 287 + * successful (0), -- Response has valid confirmations 288 + * malformedRequest (1), -- Illegal confirmation request 289 + * internalError (2), -- Internal error in issuer 290 + * tryLater (3), -- Try again later 291 + * -- (4) is not used 292 + * sigRequired (5), -- Must sign the request 293 + * unauthorized (6) -- Request unauthorized 294 + * } *) 295 + type status = [ 296 + | 
`Successful 297 + | `MalformedRequest 298 + | `InternalError 299 + | `TryLater 300 + | `SigRequired 301 + | `Unauthorized 302 + ] 303 + 304 + let status_to_int = function 305 + | `Successful -> 0 306 + | `MalformedRequest -> 1 307 + | `InternalError -> 2 308 + | `TryLater -> 3 309 + | `SigRequired -> 5 310 + | `Unauthorized -> 6 311 + 312 + let status_of_int = function 313 + | 0 -> `Successful 314 + | 1 -> `MalformedRequest 315 + | 2 -> `InternalError 316 + | 3 -> `TryLater 317 + | 5 -> `SigRequired 318 + | 6 -> `Unauthorized 319 + | x -> Asn.S.parse_error "Unknown status %d" x 320 + 321 + 322 + let pp_status ppf = function 323 + | `Successful -> Fmt.string ppf "Successful" 324 + | `MalformedRequest -> Fmt.string ppf "MalformedRequest" 325 + | `InternalError -> Fmt.string ppf "InternalError" 326 + | `TryLater -> Fmt.string ppf "TryLater" 327 + | `SigRequired -> Fmt.string ppf "SigRequired" 328 + | `Unauthorized -> Fmt.string ppf "Unauthorized" 329 + 330 + (* RevokedInfo ::= SEQUENCE { 331 + * revocationTime GeneralizedTime, 332 + * revocationReason [0] EXPLICIT CRLReason OPTIONAL } *) 333 + type revoked_info = Ptime.t * Extension.reason option 334 + 335 + let pp_revoked_info ppf (revocationTime,revocationReason) = 336 + Fmt.pf ppf "RevokedInfo @[<1>{@ revocationTime=%a;@ revocationReason=%a;@ }@]" 337 + Ptime.pp revocationTime 338 + (Fmt.option ~none:(Fmt.any "None") @@ Extension.pp_reason) 339 + revocationReason 340 + 341 + (* CertStatus ::= CHOICE { 342 + * good [0] IMPLICIT NULL, 343 + * revoked [1] IMPLICIT RevokedInfo, 344 + * unknown [2] IMPLICIT UnknownInfo } *) 345 + 346 + type cert_status = [ 347 + | `Good 348 + | `Revoked of revoked_info 349 + | `Unknown 350 + ] 351 + 352 + let pp_cert_status ppf = function 353 + | `Good -> Fmt.pf ppf "Good" 354 + | `Revoked info -> Fmt.pf ppf "Revoked of %a" pp_revoked_info info 355 + | `Unknown -> Fmt.pf ppf "Unknown" 356 + 357 + (* SingleResponse ::= SEQUENCE { 358 + * certID CertID, 359 + * certStatus CertStatus, 360 
+ * thisUpdate GeneralizedTime, 361 + * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 362 + * singleExtensions [1] EXPLICIT Extensions OPTIONAL } *) 363 + 364 + type single_response = { 365 + certID: cert_id; 366 + certStatus: cert_status; 367 + thisUpdate: Ptime.t; 368 + nextUpdate: Ptime.t option; 369 + singleExtensions: Extension.t option; 370 + } 371 + 372 + let create_single_response ?next_update:nextUpdate 373 + ?single_extensions:singleExtensions 374 + certID certStatus thisUpdate = 375 + {certID;certStatus;thisUpdate;nextUpdate;singleExtensions;} 376 + 377 + let pp_single_response ppf {certID;certStatus;thisUpdate;nextUpdate;singleExtensions;} = 378 + Fmt.pf ppf "SingleResponse @[<1>{@ certID=%a;@ certStatus=%a;@ thisUpdate=%a;@ nextUpdate=%a;@ singleExtensions=%a;@ }@]" 379 + pp_cert_id certID 380 + pp_cert_status certStatus 381 + Ptime.pp thisUpdate 382 + (Fmt.option ~none:(Fmt.any "None") @@ Ptime.pp) nextUpdate 383 + (Fmt.option ~none:(Fmt.any "None") @@ Extension.pp) singleExtensions 384 + 385 + let single_response_cert_id {certID;_} = certID 386 + 387 + let single_response_status {certStatus;_} = certStatus 388 + 389 + (* ResponderID ::= CHOICE { 390 + * byName [1] Name, 391 + * byKey [2] KeyHash } 392 + * KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key 393 + (excluding the tag and length fields) 394 + *) 395 + type responder_id = [ 396 + | `ByName of Distinguished_name.t 397 + | `ByKey of string 398 + ] 399 + 400 + let create_responder_id pubkey = 401 + let pubkey_fp = Public_key.fingerprint ~hash:`SHA1 pubkey in 402 + `ByKey pubkey_fp 403 + 404 + let pp_responder_id ppf = function 405 + | `ByName dn -> Fmt.pf ppf "ByName %a" Distinguished_name.pp dn 406 + | `ByKey hash -> Fmt.pf ppf "ByKey %a" Ohex.pp hash 407 + 408 + (* ResponseData ::= SEQUENCE { 409 + * version [0] EXPLICIT Version DEFAULT v1, 410 + * responderID ResponderID, 411 + * producedAt GeneralizedTime, 412 + * responses SEQUENCE OF SingleResponse, 413 + * 
responseExtensions [1] EXPLICIT Extensions OPTIONAL } *) 414 + type response_data = { 415 + responderID: responder_id; 416 + producedAt: Ptime.t; 417 + responses: single_response list; 418 + responseExtensions: Extension.t option; 419 + } 420 + 421 + let pp_response_data ppf { responderID ; producedAt ; responses ; responseExtensions } = 422 + Fmt.pf ppf "ResponseData @[<1>{@ responderID=%a;@ producedAt=%a;@ responses=%a;@ responseExtensions=%a@ }@]" 423 + pp_responder_id responderID 424 + Ptime.pp producedAt 425 + (Fmt.list ~sep:Fmt.semi @@ pp_single_response) responses 426 + (Fmt.option ~none:(Fmt.any "None") @@ Extension.pp) responseExtensions 427 + 428 + (* BasicOCSPResponse ::= SEQUENCE { 429 + * tbsResponseData ResponseData, 430 + * signatureAlgorithm AlgorithmIdentifier, 431 + * signature BIT STRING, 432 + * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } *) 433 + type basic_ocsp_response = { 434 + tbsResponseData: response_data; 435 + signatureAlgorithm: Algorithm.t; 436 + signature: string; 437 + certs: Certificate.t list option; 438 + } 439 + 440 + let pp_basic_ocsp_response ppf {tbsResponseData;signatureAlgorithm;signature;certs;} = 441 + Fmt.pf ppf "BasicOCSPResponse @[<1>{@ tbsResponseData=%a;@ signatureAlgorithm=%a;@ signature=%a;@ certs=%a@ }@]" 442 + pp_response_data tbsResponseData 443 + Algorithm.pp signatureAlgorithm 444 + Ohex.pp signature 445 + (Fmt.option ~none:(Fmt.any "None") @@ 446 + Fmt.list ~sep:Fmt.semi @@ Certificate.pp) certs 447 + 448 + (* ResponseBytes ::= SEQUENCE { 449 + * responseType OBJECT IDENTIFIER, 450 + * response OCTET STRING } *) 451 + 452 + (* OCSPResponse ::= SEQUENCE { 453 + * responseStatus OCSPResponseStatus, 454 + * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } *) 455 + 456 + type t = { 457 + responseStatus: status; 458 + responseBytes: (Asn.oid * basic_ocsp_response * string) option; 459 + } 460 + 461 + let pp ppf {responseStatus;responseBytes;} = 462 + Fmt.pf ppf "OCSPResponse @[<1>{@ 
responseStatus=%a;@ responseBytes=%a@ }@]" 463 + pp_status responseStatus 464 + (Fmt.option ~none:(Fmt.any "None") @@ 465 + Fmt.pair ~sep:Fmt.comma Asn.OID.pp pp_basic_ocsp_response) 466 + (match responseBytes with None -> None | Some (a, b, _) -> Some (a, b)) 467 + 468 + let status {responseStatus;_} = responseStatus 469 + 470 + let responder_id = function 471 + | {responseBytes=Some (_, {tbsResponseData={responderID;_};_}, _);_} -> 472 + Ok responderID 473 + | _ -> Error (`Msg "this response has no responseBytes") 474 + 475 + let responses = function 476 + | {responseBytes=Some (_, {tbsResponseData={responses;_};_}, _);_} -> 477 + Ok responses 478 + | _ -> Error (`Msg "this response has no responseBytes") 479 + 480 + module Asn = struct 481 + open Asn_grammars 482 + open Asn.S 483 + open Registry 484 + 485 + let status : status Asn.t = 486 + enumerated status_of_int status_to_int 487 + 488 + let revoked_info = 489 + sequence2 490 + (required ~label:"revocationTime" generalized_time_no_frac_s) 491 + (optional ~label:"revocationReason" @@ explicit 0 @@ 492 + Extension.Asn.reason_enumerated) 493 + 494 + let cert_status : cert_status Asn.t = 495 + let f = function 496 + | `C1 () -> `Good 497 + | `C2 ri -> `Revoked ri 498 + | `C3 () -> `Unknown 499 + in 500 + let g = function 501 + | `Good -> `C1 () 502 + | `Revoked ri -> `C2 ri 503 + | `Unknown -> `C3 () 504 + in 505 + map f g @@ 506 + choice3 507 + (implicit 0 @@ null) 508 + (implicit 1 @@ revoked_info) 509 + (implicit 2 @@ null) 510 + 511 + let single_response = 512 + let f (certID,certStatus,thisUpdate,nextUpdate,singleExtensions) = 513 + {certID;certStatus;thisUpdate;nextUpdate;singleExtensions;} 514 + in 515 + let g {certID;certStatus;thisUpdate;nextUpdate;singleExtensions;} = 516 + (certID,certStatus,thisUpdate,nextUpdate,singleExtensions) 517 + in 518 + map f g @@ 519 + sequence5 520 + (required ~label:"certID" @@ Asn_common.cert_id) 521 + (required ~label:"certStatus" @@ cert_status) 522 + (required 
~label:"thisUpdate" @@ generalized_time_no_frac_s) 523 + (optional ~label:"nextUpdate" @@ explicit 0 @@ 524 + generalized_time_no_frac_s) 525 + (optional ~label:"singleExtensions" @@ explicit 1 @@ 526 + Extension.Asn.extensions_der) 527 + 528 + let responder_id : responder_id Asn.t = 529 + let f = function 530 + | `C1 dn -> `ByName dn 531 + | `C2 hash -> `ByKey hash 532 + in 533 + let g = function 534 + | `ByName dn -> `C1 dn 535 + | `ByKey hash -> `C2 hash 536 + in 537 + map f g @@ 538 + choice2 (explicit 1 Distinguished_name.Asn.name) (explicit 2 octet_string) 539 + 540 + let response_data = 541 + let f (version, responderID, producedAt, responses, responseExtensions) = 542 + match version with 543 + | Some v when v <> version_v1 -> 544 + Asn.S.parse_error "unsupported version %d" v 545 + | _ -> { responderID ; producedAt ; responses ; responseExtensions } 546 + in 547 + let g { responderID ; producedAt ; responses ; responseExtensions } = 548 + (None, responderID, producedAt, responses, responseExtensions) 549 + in 550 + map f g @@ 551 + sequence5 552 + (optional ~label:"version" @@ explicit 0 @@ int) 553 + (required ~label:"responderID" responder_id) 554 + (required ~label:"producedAt" generalized_time_no_frac_s) 555 + (required ~label:"responses" @@ sequence_of single_response) 556 + (optional ~label:"responseExtensions" @@ explicit 1 @@ 557 + Extension.Asn.extensions_der) 558 + 559 + let response_data_of_str, response_data_to_str = 560 + projections_of Asn.der response_data 561 + 562 + let basic_ocsp_response = 563 + let f (tbsResponseData,signatureAlgorithm,signature,certs) = 564 + let certs = match certs with 565 + | None -> None 566 + | Some certs -> 567 + let encode cert = 568 + let raw = Certificate.Asn.certificate_to_octets cert in 569 + Certificate.{raw; asn=cert} 570 + in 571 + Some (List.map encode certs) 572 + in 573 + {tbsResponseData;signatureAlgorithm;signature;certs} 574 + in 575 + let g {tbsResponseData;signatureAlgorithm;signature;certs} = 576 
+ let certs = match certs with 577 + | None -> None 578 + | Some certs -> 579 + Some (List.map (fun Certificate.{asn;_} -> asn) certs) 580 + in 581 + (tbsResponseData,signatureAlgorithm,signature,certs) 582 + in 583 + map f g @@ 584 + sequence4 585 + (required ~label:"tbsResponseData" response_data) 586 + (required ~label:"signatureAlgorithm" Algorithm.identifier) 587 + (required ~label:"signature" bit_string_octets) 588 + (optional ~label:"certs" @@ explicit 0 @@ 589 + sequence_of Certificate.Asn.certificate) 590 + 591 + let basic_ocsp_response_of_str,basic_ocsp_response_to_str = 592 + projections_of Asn.der basic_ocsp_response 593 + 594 + let ocsp_basic_oid = Cert_extn.Private_internet_extensions.ad_ocsp_basic 595 + 596 + let ocsp_response = 597 + let f = function 598 + | `Successful, None -> 599 + parse_error "Successful status requires responseBytes" 600 + | `Successful, Some (oid, response) -> 601 + if Asn.OID.equal ocsp_basic_oid oid then 602 + match basic_ocsp_response_of_str response with 603 + | Error e -> error e 604 + | Ok basic_response -> 605 + {responseStatus=`Successful; 606 + responseBytes=Some (oid, basic_response, response)} 607 + else 608 + parse_error "expected OID ad_ocsp_basic" 609 + | (`InternalError 610 + | `MalformedRequest 611 + | `SigRequired 612 + | `TryLater 613 + |`Unauthorized) as s, None -> 614 + {responseStatus=s;responseBytes=None} 615 + | _, Some _ -> parse_error "Only Successful status supports non empty responseBytes" 616 + in 617 + let g {responseStatus;responseBytes} = 618 + let responseBytes = match responseBytes with 619 + | Some (oid, _basic_response, response) -> Some (oid, response) 620 + | None -> None 621 + in 622 + (responseStatus,responseBytes) 623 + in 624 + map f g @@ 625 + sequence2 626 + (required ~label:"responseStatus" status) 627 + (optional ~label:"responseBytes" @@ explicit 0 @@ 628 + sequence2 629 + (required ~label:"responseType" oid) 630 + (required ~label:"response" octet_string)) 631 + 632 + let 
ocsp_response_of_str, ocsp_response_to_str = 633 + projections_of Asn.der ocsp_response 634 + 635 + end 636 + 637 + let decode_der = Asn.ocsp_response_of_str 638 + let encode_der = Asn.ocsp_response_to_str 639 + 640 + let create_basic_ocsp_response ?digest ?certs 641 + ?response_extensions:responseExtensions key responderID producedAt 642 + responses = 643 + let digest = Signing_request.default_digest digest key in 644 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 645 + let signatureAlgorithm = Algorithm.of_signature_algorithm scheme digest in 646 + let tbsResponseData = { 647 + responderID; 648 + producedAt; 649 + responses; 650 + responseExtensions; 651 + } in 652 + let resp_der = Asn.response_data_to_str tbsResponseData in 653 + let* signature = Private_key.sign digest ~scheme key (`Message resp_der) in 654 + Ok { tbsResponseData ; signatureAlgorithm ; signature;certs } 655 + 656 + let create_success ?digest ?certs ?response_extensions 657 + private_key responderID producedAt responses = 658 + let* response = 659 + create_basic_ocsp_response 660 + ?digest ?certs ?response_extensions private_key 661 + responderID producedAt responses 662 + in 663 + let raw_resp = Asn.basic_ocsp_response_to_str response in 664 + let responseBytes = Some (Asn.ocsp_basic_oid, response, raw_resp) in 665 + Ok { responseStatus = `Successful ; responseBytes } 666 + 667 + let create status = 668 + let status = match status with 669 + | `MalformedRequest -> `MalformedRequest 670 + | `InternalError -> `InternalError 671 + | `TryLater -> `TryLater 672 + | `SigRequired -> `SigRequired 673 + | `Unauthorized -> `Unauthorized 674 + in 675 + {responseStatus=status;responseBytes=None} 676 + 677 + let validate t ?(allowed_hashes = Validation.sha2) ?now pub = 678 + match t.responseBytes with 679 + | None -> Error `No_signature 680 + | Some (_oid, response, raw_resp) -> 681 + let resp_der = Validation.raw_cert_hack raw_resp in 682 + let dn = 683 + let cn = "OCSP" in 684 + 
[ Distinguished_name.(Relative_distinguished_name.singleton (CN cn)) ] 685 + in 686 + let* () = 687 + Validation.validate_raw_signature dn allowed_hashes resp_der 688 + response.signatureAlgorithm response.signature pub 689 + in 690 + match now with 691 + | None -> Ok () 692 + | Some now -> 693 + if 694 + List.for_all (fun single_resp -> 695 + Ptime.is_later ~than:single_resp.thisUpdate now && 696 + match single_resp.nextUpdate with 697 + | None -> true 698 + | Some until -> Ptime.is_earlier ~than:until now) 699 + response.tbsResponseData.responses 700 + then 701 + Ok () 702 + else 703 + Error `Time_invalid 704 + end
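Review bot: in `Request.Asn`, two optional fields are declared without the context tags that the ASN.1 comments above them specify. `tbs_request` uses `optional ~label:"requestExtensions" @@ Extension.Asn.extensions_der` where the comment gives `requestExtensions [2] EXPLICIT Extensions OPTIONAL`, and `ocsp_request` uses `optional ~label:"optionalSignature" signature` where the comment gives `optionalSignature [0] EXPLICIT Signature OPTIONAL`. The other tagged fields in this file (`singleRequestExtensions`, `nextUpdate`, `responseExtensions`, `certs`) wrap their grammar in `explicit n`, so these two look like omissions; suggest `explicit 2` and `explicit 0` respectively, with a decode/encode round-trip test on a signed request that carries request extensions. Separately, `Response.validate` returns `Ok ()` with no `thisUpdate`/`nextUpdate` check when `?now` is omitted, and it never compares `responderID` or the `certID` values against what the caller asked about. The interface documentation should state that freshness and response matching are the caller's responsibility, or `now` should be made a required argument.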
+468
vendor/opam/x509/lib/p12.ml
··· 1 + (* partial PKCS12 implementation, as defined in RFC 7292 2 + - no public/private key mode, only password privacy and integrity 3 + - algorithmidentifier those I need for openssl interop (looking at the p12 I have on my disk) 4 + - require version being 3 5 + 6 + some definitions from PKCS7 (RFC 2315) are implemented as well, as needed 7 + *) 8 + 9 + type content_info = Asn.oid * string 10 + 11 + type digest_info = Algorithm.t * string 12 + 13 + type mac_data = digest_info * string * int 14 + 15 + type t = string * mac_data 16 + 17 + module Asn = struct 18 + open Asn_grammars 19 + open Asn.S 20 + open Registry 21 + 22 + let encrypted_content_info = 23 + let f (oid, algo, content) = 24 + if Asn.OID.equal PKCS7.data oid then 25 + (algo, content) 26 + else 27 + parse_error "expected OID PKCS7 data" 28 + and g (algo, content) = 29 + (PKCS7.data, algo, content) 30 + in 31 + Asn.S.map f g @@ 32 + sequence3 33 + (required ~label:"content type" oid) (* here we assume data!? *) 34 + (required ~label:"content encryption algorithm" Algorithm.identifier) 35 + (optional ~label:"encrypted content" (implicit 0 octet_string)) 36 + 37 + let encrypted_data = 38 + let f (v, eci) = 39 + if v = 0 then eci else parse_error "unknown encrypted data version" 40 + and g eci = 0, eci 41 + in 42 + map f g @@ 43 + sequence2 44 + (required ~label:"version" int) 45 + (required ~label:"encrypted content info" encrypted_content_info) 46 + 47 + let content_info = 48 + let f (oid, data) = 49 + match data with 50 + | None -> parse_error "found no value for content info" 51 + | Some `C1 data when Asn.OID.equal PKCS7.data oid -> `Data data 52 + | Some `C2 eci when Asn.OID.equal PKCS7.encrypted_data oid -> `Encrypted eci 53 + | _ -> parse_error "couldn't match PKCS7 oid with choice" 54 + and g = function 55 + | `Data data -> PKCS7.data, Some (`C1 data) 56 + | `Encrypted eci -> PKCS7.encrypted_data, Some (`C2 eci) 57 + in 58 + map f g @@ 59 + sequence2 60 + (required ~label:"content type" oid) 61 
+ (optional ~label:"content" (explicit 0 62 + (choice2 octet_string encrypted_data))) 63 + 64 + let digest_info = 65 + sequence2 66 + (required ~label:"digest algorithm" Algorithm.identifier) 67 + (required ~label:"digest" octet_string) 68 + 69 + let mac_data = 70 + sequence3 71 + (required ~label:"mac" digest_info) 72 + (required ~label:"mac salt" octet_string) 73 + (required ~label:"iterations" int) 74 + 75 + let pfx = 76 + let f (version, content_info, mac_data) = 77 + if version = 3 then 78 + match content_info, mac_data with 79 + | `Data data, Some md -> data, md 80 + | _, None -> parse_error "missing mac_data" 81 + | _, _ -> parse_error "unsupported content_info" 82 + else 83 + parse_error "unsupported pfx version" 84 + and g (content, mac_data) = 85 + (3, `Data content, Some mac_data) 86 + in 87 + map f g @@ 88 + sequence3 89 + (required ~label:"version" int) 90 + (required ~label:"auth safe" content_info) 91 + (* contentType is signedData in public-key integrity mode and data in 92 + password integrity mode *) 93 + (optional ~label:"mac data" mac_data) (* not present if public keys used *) 94 + 95 + let pfx_of_cs, pfx_to_cs = projections_of Asn.der pfx 96 + 97 + (* payload is a sequence of content_info *) 98 + let authenticated_safe = sequence_of content_info 99 + 100 + let auth_safe_of_cs, auth_safe_to_cs = 101 + projections_of Asn.der authenticated_safe 102 + 103 + let pkcs12_attribute = 104 + sequence2 105 + (required ~label:"attribute id" oid) 106 + (required ~label:"attribute value" (set_of octet_string)) 107 + 108 + (* here: 109 + key_bag = PKCS8 private key 110 + pkcs8_shrouded_key_bag = encrypted private key info == 111 + sequence2 Algorithm octet_string 112 + cert_bag = 113 + sequence2 114 + cert_id (PKCS9 cert_types <| 1 (X509) or 2 (SDSI)) 115 + expl 0 cert_value (DER-encoded certificate) 116 + crl_bag = sequence2 crl_id (PKCS9 crl_types <| 1) (expl 0 crl (DER-encoded)) 117 + 118 + ^^^---^^^ those we plan to support 119 + 120 + secret_bag = 
sequence2 secret_type (expl 0 secret_value) 121 + safe_contents_bag = (any of the above) safe_contents (recursive!) 122 + *) 123 + (* since asn1 does not yet support ANY defined BY, we develop a rather 124 + complex grammar covering all supported bags *) 125 + let safe_bag = 126 + let cert_oid, crl_oid = 127 + Asn.OID.(PKCS9.cert_types <| 1, PKCS9.crl_types <| 1) 128 + in 129 + let f (oid, (a, algo, data), attrs) = 130 + match a, algo, data with 131 + | `C1 v, Some a, `C1 data when Asn.OID.equal oid PKCS12.key_bag -> 132 + let key = Private_key.Asn.reparse_private (v, a, data) in 133 + `Private_key key, attrs 134 + | `C2 id, None, `C2 data -> 135 + if Asn.OID.equal oid PKCS12.cert_bag && Asn.OID.equal id cert_oid then 136 + match Certificate.decode_der data with 137 + | Error (`Msg e) -> error (`Parse e) 138 + | Ok cert -> `Certificate cert, attrs 139 + else if Asn.OID.equal oid PKCS12.crl_bag && Asn.OID.equal id crl_oid then 140 + match Crl.decode_der data with 141 + | Error (`Msg e) -> error (`Parse e) 142 + | Ok crl -> `Crl crl, attrs 143 + else 144 + parse_error "crl bag with non-standard crl" 145 + | `C3 algo, None, `C1 data when Asn.OID.equal oid PKCS12.pkcs8_shrouded_key_bag -> 146 + `Encrypted_private_key (algo, data), attrs 147 + | _ -> parse_error "safe bag OID not supported" 148 + and g (v, attrs) = 149 + let oid, d = match v with 150 + | `Encrypted_private_key (algo, data) -> 151 + PKCS12.pkcs8_shrouded_key_bag, (`C3 algo, None, `C1 data) 152 + | `Private_key pk -> 153 + let v, algo, data = Private_key.Asn.unparse_private pk in 154 + PKCS12.key_bag, (`C1 v, Some algo, `C1 data) 155 + | `Certificate cert -> PKCS12.cert_bag, (`C2 cert_oid, None, `C2 (Certificate.encode_der cert)) 156 + | `Crl crl -> PKCS12.crl_bag, (`C2 crl_oid, None, `C2 (Crl.encode_der crl)) 157 + in 158 + (oid, d, attrs) 159 + in 160 + map f g @@ 161 + sequence3 162 + (required ~label:"bag id" oid) 163 + (required ~label:"bag value" 164 + (explicit 0 165 + (sequence3 166 + (required 
~label:"fst" (choice3 int oid Algorithm.identifier)) 167 + (optional ~label:"algorithm" Algorithm.identifier) 168 + (required ~label:"data" (choice2 octet_string (explicit 0 octet_string)))))) 169 + (* (explicit 0 (* encrypted private key *) 170 + (sequence2 171 + (required ~label:"encryption algorithm" Algorithm.identifier) 172 + (required ~label:"encrypted data" octet_string))) *) 173 + (* (explicit 0 (* private key ] *) 174 + (sequence3 175 + (required ~label:"version" int) 176 + (required ~label:"privateKeyAlgorithm" Algorithm.identifier) 177 + (required ~label:"privateKey" octet_string))) *) 178 + (* (explicit 0 (* cert / crl *) 179 + (sequence2 180 + (required ~label:"oid" oid) 181 + (required ~label:"data" (explicit 0 octet_string)))) *) 182 + (optional ~label:"bag attributes" (set_of pkcs12_attribute)) 183 + 184 + let safe_contents = sequence_of safe_bag 185 + 186 + let safe_contents_of_cs, safe_contents_to_cs = 187 + projections_of Asn.der safe_contents 188 + end 189 + 190 + let prepare_pw str = 191 + let l = String.length str in 192 + let cs = Bytes.make ((succ l) * 2) '\000' in 193 + for i = 0 to pred l do 194 + Bytes.set cs (succ (i * 2)) (String.get str i) 195 + done; 196 + Bytes.unsafe_to_string cs 197 + 198 + let id len purpose = 199 + let id = match purpose with 200 + | `Encryption -> 1 201 + | `Iv -> 2 202 + | `Hmac -> 3 203 + in 204 + String.make len (Char.unsafe_chr id) 205 + 206 + let v = function 207 + | `MD5 | `SHA1 | `SHA224 | `SHA256 -> 512 / 8 208 + | `SHA384 | `SHA512 -> 1024 / 8 209 + 210 + let fill ~data ~out = 211 + let len = Bytes.length out 212 + and l = String.length data 213 + in 214 + let rec c off = 215 + if off < len then begin 216 + Bytes.blit_string data 0 out off (min (len - off) l); 217 + c (off + l) 218 + end 219 + in 220 + c 0 221 + 222 + let fill_or_empty size data = 223 + let l = String.length data in 224 + if l = 0 then data 225 + else 226 + let len = size * ((l + size - 1) / size) in 227 + let buf = Bytes.make len 
'\000' in 228 + fill ~data ~out:buf; 229 + Bytes.unsafe_to_string buf 230 + 231 + let pbes algorithm purpose password salt iterations n = 232 + let module Hash = (val (Digestif.module_of_hash' (algorithm :> Digestif.hash'))) in 233 + let pw = prepare_pw password 234 + and v = v algorithm 235 + and u = Hash.digest_size 236 + in 237 + let diversifier = id v purpose in 238 + let salt = fill_or_empty v salt in 239 + let pass = fill_or_empty v pw in 240 + let out = Bytes.make n '\000' in 241 + let rec one off i = 242 + let ai = ref Hash.(to_raw_string (digest_string (diversifier ^ i))) in 243 + for _j = 1 to pred iterations do 244 + ai := Hash.(to_raw_string (digest_string !ai)); 245 + done; 246 + Bytes.blit_string !ai 0 out off (min (n - off) u); 247 + if u >= n - off then () else 248 + (* 6B *) 249 + let b = Bytes.make v '\000' in 250 + fill ~data:!ai ~out:b; 251 + (* 6C *) 252 + let i' = Bytes.create (String.length i) in 253 + for j = 0 to pred (String.length i / v) do 254 + let c = ref 1 in 255 + for k = pred v downto 0 do 256 + let idx = j * v + k in 257 + c := (!c + String.get_uint8 i idx + Bytes.get_uint8 b k) land 0xFFFF; 258 + Bytes.set_uint8 i' idx (!c land 0xFF); 259 + c := !c lsr 8; 260 + done; 261 + done; 262 + one (off + u) (Bytes.to_string i') 263 + in 264 + let i = salt ^ pass in 265 + one 0 i; 266 + Bytes.unsafe_to_string out 267 + 268 + let split str off = 269 + String.sub str 0 off, 270 + String.sub str off (String.length str - off) 271 + 272 + (* TODO PKCS5/7 padding is "k - (l mod k)" i.e. always > 0! 273 + (and rc4 being a stream cipher has no padding!) *) 274 + let unpad x = 275 + (* TODO can there be bad padding in this scheme? 
*) 276 + let l = String.length x in 277 + if l > 0 then 278 + let amount = String.get_uint8 x (pred l) in 279 + let split_point = if l > amount then l - amount else l in 280 + let data, pad = split x split_point in 281 + let good = ref true in 282 + for i = 0 to pred amount do 283 + if String.get_uint8 pad i <> amount then good := false 284 + done; 285 + if !good then data else x 286 + else 287 + x 288 + 289 + let pad bs x = 290 + let l = String.length x in 291 + let to_pad = bs - (l mod bs) in 292 + let amount = String.make to_pad (Char.unsafe_chr to_pad) in 293 + x ^ amount 294 + 295 + let ( let* ) = Result.bind 296 + 297 + (* there are 3 possibilities to encrypt / decrypt things: 298 + - PKCS12 KDF (see above), with RC2/RC4/DES 299 + - PKCS5 v1 (PBES, PBKDF1) -- not (yet?) supported 300 + - PKCS5 v2 (PBES2, PBKDF2) 301 + *) 302 + let pkcs12_decrypt algo password data = 303 + let open Algorithm in 304 + let hash = `SHA1 in 305 + let* salt, count, key_len, iv_len = 306 + match algo with 307 + | SHA_RC4_128 (s, i) -> Ok (s, i, 16, 0) 308 + | SHA_RC4_40 (s, i) -> Ok (s, i, 5, 0) 309 + | SHA_3DES_CBC (s, i) -> Ok (s, i, 24, 8) 310 + | SHA_2DES_CBC (s, i) -> Ok (s, i, 16, 8) (* TODO 2des -> 3des keys (if relevant)*) 311 + | SHA_RC2_128_CBC (s, i) -> Ok (s, i, 16, 8) 312 + | SHA_RC2_40_CBC (s, i) -> Ok (s, i, 5, 8) 313 + | _ -> Error (`Msg "unsupported algorithm") 314 + in 315 + let key = pbes hash `Encryption password salt count key_len 316 + and iv = pbes hash `Iv password salt count iv_len 317 + in 318 + let open Mirage_crypto in 319 + let* data = 320 + match algo with 321 + | SHA_RC2_40_CBC _ | SHA_RC2_128_CBC _ -> 322 + Ok (Rc2.decrypt_cbc ~effective:(key_len * 8) ~key ~iv data) 323 + | SHA_RC4_40 _ | SHA_RC4_128 _ -> 324 + let key = ARC4.of_secret key in 325 + let { ARC4.message ; _ } = ARC4.decrypt ~key data in 326 + Ok message 327 + | SHA_3DES_CBC _ -> 328 + let key = DES.CBC.of_secret key in 329 + Ok (DES.CBC.decrypt ~key ~iv data) 330 + | _ -> Error (`Msg 
"encryption algorithm not supported") 331 + in 332 + Ok (unpad data) 333 + 334 + let pkcs5_2_decrypt kdf enc password data = 335 + let* dk_len, iv = 336 + match enc with 337 + | Algorithm.AES128_CBC iv -> Ok (16l, iv) 338 + | Algorithm.AES192_CBC iv -> Ok (24l, iv) 339 + | Algorithm.AES256_CBC iv -> Ok (32l, iv) 340 + | _ -> Error (`Msg "unsupported encryption algorithm") 341 + in 342 + let* salt, count, prf = 343 + match kdf with 344 + | Algorithm.PBKDF2 (salt, iterations, _ (* todo handle keylength *), prf) -> 345 + let* prf = 346 + match Algorithm.to_hmac prf with 347 + | Some prf -> Ok prf 348 + | None -> Error (`Msg "unsupported PRF") 349 + in 350 + Ok (salt, iterations, prf) 351 + | _ -> Error (`Msg "expected kdf being pbkdf2") 352 + in 353 + let key = Pbkdf.pbkdf2 ~prf ~password ~salt ~count ~dk_len in 354 + let key = Mirage_crypto.AES.CBC.of_secret key in 355 + let msg = Mirage_crypto.AES.CBC.decrypt ~key ~iv data in 356 + Ok (unpad msg) 357 + 358 + let pkcs5_2_encrypt (mac : [ `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ]) count algo password data = 359 + let module Hash = (val (Digestif.module_of_hash' (mac :> Digestif.hash'))) in 360 + let bs = Mirage_crypto.AES.CBC.block_size in 361 + let iv = Mirage_crypto_rng.generate bs in 362 + let enc, dk_len = 363 + match algo with 364 + | `AES128_CBC -> Algorithm.AES128_CBC iv, 16l 365 + | `AES192_CBC -> Algorithm.AES192_CBC iv, 24l 366 + | `AES256_CBC -> Algorithm.AES256_CBC iv, 32l 367 + in 368 + let salt = Mirage_crypto_rng.generate Hash.digest_size in 369 + let key = Pbkdf.pbkdf2 ~prf:(mac :> Digestif.hash') ~password ~salt ~count ~dk_len in 370 + let key = Mirage_crypto.AES.CBC.of_secret key in 371 + let padded_data = pad bs data in 372 + let enc_data = 373 + Mirage_crypto.AES.CBC.encrypt ~key ~iv padded_data 374 + in 375 + let kdf = Algorithm.PBKDF2 (salt, count, None, Algorithm.of_hmac mac) in 376 + Algorithm.PBES2 (kdf, enc), enc_data 377 + 378 + let decrypt algo password data = 379 + let open Algorithm 
in 380 + match algo with 381 + | SHA_RC4_128 _ | SHA_RC4_40 _ 382 + | SHA_3DES_CBC _ | SHA_2DES_CBC _ 383 + | SHA_RC2_128_CBC _ | SHA_RC2_40_CBC _ -> pkcs12_decrypt algo password data 384 + | PBES2 (kdf, enc) -> pkcs5_2_decrypt kdf enc password data 385 + | _ -> Error (`Msg "unsupported encryption algorithm") 386 + 387 + let password_decrypt password (algo, data) = 388 + match data with 389 + | None -> Error (`Msg "no data to decrypt") 390 + | Some data -> decrypt algo password data 391 + 392 + let verify password (data, ((algorithm, digest), salt, iterations)) = 393 + let* hash = 394 + Option.to_result 395 + ~none:(`Msg "unsupported hash algorithm") 396 + (Algorithm.to_hash algorithm) 397 + in 398 + let module Hash = (val (Digestif.module_of_hash' (hash :> Digestif.hash'))) in 399 + let key = 400 + pbes hash `Hmac password salt iterations Hash.digest_size 401 + in 402 + let computed = Hash.(to_raw_string (hmac_string ~key data)) in 403 + if String.equal computed digest then begin 404 + let* content = Asn_grammars.err_to_msg (Asn.auth_safe_of_cs data) in 405 + let* safe_contents = 406 + List.fold_left (fun acc c -> 407 + let* acc = acc in 408 + match c with 409 + | `Data data -> Ok (data :: acc) 410 + | `Encrypted data -> 411 + let* data = password_decrypt password data in 412 + Ok (data :: acc)) 413 + (Ok []) content 414 + in 415 + List.fold_left (fun acc cs -> 416 + let* acc = acc in 417 + let* bags = Asn_grammars.err_to_msg (Asn.safe_contents_of_cs cs) in 418 + List.fold_left (fun acc bag -> 419 + let* acc = acc in 420 + match bag with 421 + | `Certificate c, _ -> Ok (`Certificate c :: acc) 422 + | `Crl c, _ -> Ok (`Crl c :: acc) 423 + | `Private_key p, _ -> Ok (`Private_key p :: acc) 424 + | `Encrypted_private_key (algo, enc_data), _ -> 425 + let* data = decrypt algo password enc_data in 426 + let* p = 427 + Asn_grammars.err_to_msg (Private_key.Asn.private_of_octets data) 428 + in 429 + Ok (`Decrypted_private_key p :: acc)) 430 + (Ok acc) bags) 431 + (Ok []) 
safe_contents 432 + end else 433 + Error (`Msg "invalid signature") 434 + 435 + let create ?(mac = `SHA256) ?(algorithm = `AES256_CBC) ?(iterations = 2048) password certificates private_key = 436 + let key_fp pub = Public_key.fingerprint pub in 437 + let priv_fp = key_fp (Private_key.public private_key) in 438 + let attributes = [ Registry.PKCS9.local_key_id, [ priv_fp ]] in 439 + let maybe_attr c = 440 + if String.equal priv_fp (key_fp (Certificate.public_key c)) then 441 + Some attributes 442 + else 443 + None 444 + in 445 + let cert_sc = 446 + Asn.safe_contents_to_cs (List.map (fun c -> `Certificate c, maybe_attr c) certificates) 447 + and priv_sc = 448 + let data = Private_key.Asn.private_to_octets private_key in 449 + let algo, data = pkcs5_2_encrypt mac iterations algorithm password data in 450 + Asn.safe_contents_to_cs [ `Encrypted_private_key (algo, data), Some attributes ] 451 + in 452 + let cert_sc_enc = 453 + let algo, data = pkcs5_2_encrypt mac iterations algorithm password cert_sc in 454 + algo, Some data 455 + in 456 + let auth_data = 457 + Asn.auth_safe_to_cs [ `Encrypted cert_sc_enc ; `Data priv_sc ] 458 + in 459 + let module Hash = (val (Digestif.module_of_hash' (mac :> Digestif.hash'))) in 460 + let mac_size = Hash.digest_size in 461 + let salt = Mirage_crypto_rng.generate mac_size in 462 + let key = pbes mac `Hmac password salt iterations mac_size in 463 + let digest = Hash.(to_raw_string (hmac_string ~key auth_data)) in 464 + auth_data, ((Algorithm.of_hash mac, digest), salt, iterations) 465 + 466 + let decode_der cs = Asn_grammars.err_to_msg (Asn.pfx_of_cs cs) 467 + 468 + let encode_der = Asn.pfx_to_cs
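Review bot: In `verify`, the MAC check `String.equal computed digest` is not a constant-time comparison; the HMAC should be compared with a constant-time equality. Separately, `unpad` reads `amount` bytes from `pad` even when `l <= amount` leaves `pad` empty, so `String.get_uint8` raises `Invalid_argument` out of `decrypt`, whose other failure paths return `Error`; bound `amount` by `l` (and by the cipher block size) before the loop. `pkcs12_decrypt` also applies `unpad` to the RC4 cases although the TODO above `unpad` notes that RC4 has no padding, so an RC4 plaintext that happens to end in a valid-looking pad is truncated; skip `unpad` for `SHA_RC4_40` and `SHA_RC4_128`.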
+108
vendor/opam/x509/lib/pem.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + module Cs = struct 4 + open String 5 + 6 + let null cs = length cs = 0 7 + 8 + let open_begin = "-----BEGIN " 9 + and open_end = "-----END " 10 + and close = "-----" 11 + 12 + let tok_of_line cs = 13 + if null cs then 14 + `Empty 15 + else if get cs 0 = '#' then 16 + `Empty 17 + else if starts_with ~prefix:open_begin cs && ends_with ~suffix:close cs then 18 + `Begin (sub cs 11 (length cs - 16)) 19 + else if starts_with ~prefix:open_end cs && ends_with ~suffix:close cs then 20 + `End (sub cs 9 (length cs - 14)) 21 + else 22 + `Data cs 23 + 24 + let lines data = 25 + List.map tok_of_line 26 + (List.map 27 + (fun line -> 28 + let ll = length line in 29 + if ll > 0 && get line (ll - 1) = '\r' then sub line 0 (ll - 1) else line) 30 + (String.split_on_char '\n' data)) 31 + 32 + let combine ilines = 33 + let rec accumulate t acc = function 34 + | `Empty :: tail -> accumulate t acc tail 35 + | `Data cs :: tail -> accumulate t (cs :: acc) tail 36 + | `End t' :: tail -> 37 + if String.equal t t' then 38 + let data = match Base64.decode (concat "" (List.rev acc)) with 39 + | Ok data -> Ok (t, data) 40 + | Error e -> Error e 41 + in 42 + data, tail 43 + else 44 + Error (`Msg ("invalid end, expected " ^ t ^ ", found " ^ t')), tail 45 + | _ :: tail -> Error (`Msg "invalid line, expected data or end"), tail 46 + | [] -> Error (`Msg "end of input"), [] 47 + in 48 + 49 + let rec block acc = function 50 + | `Begin t :: tail -> 51 + let body, tail = accumulate t [] tail in 52 + block (body :: acc) tail 53 + | _ :: xs -> block acc xs 54 + | [] -> List.rev acc 55 + in 56 + block [] ilines 57 + 58 + let parse_with_errors data = combine (lines data) 59 + 60 + let unparse ~tag value = 61 + let split_at_64 data = 62 + let dlen = length data in 63 + let rec go acc off = 64 + if dlen - off <= 64 then 65 + List.rev (sub data off (dlen - off) :: acc) 66 + else 67 + let chunk = sub data off 64 in 68 + go (chunk :: acc) (off + 64) 69 + in 70 + go [] 0 
71 + in 72 + let raw = Base64.encode_string value in 73 + let pieces = split_at_64 raw in 74 + let nl = "\n" in 75 + let lines = List.flatten (List.map (fun x -> [ x ; nl ]) pieces) 76 + in 77 + 78 + let first = [ open_begin ; tag ; close ; nl ] 79 + and last = [ open_end ; tag ; close ; nl ] 80 + in 81 + concat "" (first @ lines @ last) 82 + end 83 + 84 + let parse_with_errors, unparse = Cs.(parse_with_errors, unparse) 85 + 86 + let parse data = 87 + let entries, errors = 88 + List.partition_map 89 + (function Ok v -> Either.Left v | Error e -> Either.Right e) 90 + (parse_with_errors data) 91 + in 92 + match errors with 93 + | [] -> Ok entries 94 + | first_error :: _ -> Error first_error 95 + 96 + let exactly_one ~what = function 97 + | [] -> Error (`Msg ("No " ^ what)) 98 + | [x] -> Ok x 99 + | _ -> Error (`Msg ("Multiple " ^ what ^ "s")) 100 + 101 + let foldM f data = 102 + let wrap acc data = 103 + let* datas' = acc in 104 + let* data = f data in 105 + Ok (data :: datas') 106 + in 107 + let* res = List.fold_left wrap (Ok []) data in 108 + Ok (List.rev res)
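Review bot: In `lines`, only a trailing `'\r'` is stripped before `tok_of_line`, so a `-----BEGIN ...-----` or `-----END ...-----` line with trailing spaces or tabs fails the `ends_with ~suffix:close` test and is classified as `Data`. A `BEGIN` line like that makes `block` skip the whole entry without any error, and an `END` line like that is appended to the Base64 input in `accumulate`. Trimming trailing whitespace before classification would handle both. Separately, `block` drops everything outside a `BEGIN`/`END` pair and `parse` reports only `first_error`; a short comment documenting that leniency would help callers.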
+289
vendor/opam/x509/lib/private_key.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + type ecdsa = [ 4 + | `P256 of Mirage_crypto_ec.P256.Dsa.priv 5 + | `P384 of Mirage_crypto_ec.P384.Dsa.priv 6 + | `P521 of Mirage_crypto_ec.P521.Dsa.priv 7 + ] 8 + 9 + type t = [ 10 + ecdsa 11 + | `RSA of Mirage_crypto_pk.Rsa.priv 12 + | `ED25519 of Mirage_crypto_ec.Ed25519.priv 13 + ] 14 + 15 + let key_type = function 16 + | `RSA _ -> `RSA 17 + | `ED25519 _ -> `ED25519 18 + | `P256 _ -> `P256 19 + | `P384 _ -> `P384 20 + | `P521 _ -> `P521 21 + 22 + let generate ?seed ?(bits = 4096) typ = 23 + let g = match seed with 24 + | None -> None 25 + | Some seed -> Some Mirage_crypto_rng.(create ~seed (module Fortuna)) 26 + in 27 + match typ with 28 + | `RSA -> `RSA (Mirage_crypto_pk.Rsa.generate ?g ~bits ()) 29 + | `ED25519 -> `ED25519 (fst (Mirage_crypto_ec.Ed25519.generate ?g ())) 30 + | `P256 -> `P256 (fst (Mirage_crypto_ec.P256.Dsa.generate ?g ())) 31 + | `P384 -> `P384 (fst (Mirage_crypto_ec.P384.Dsa.generate ?g ())) 32 + | `P521 -> `P521 (fst (Mirage_crypto_ec.P521.Dsa.generate ?g ())) 33 + 34 + let of_octets data = 35 + let open Mirage_crypto_ec in 36 + let ec_err e = 37 + Result.map_error 38 + (fun e -> `Msg (Fmt.to_to_string Mirage_crypto_ec.pp_error e)) 39 + e 40 + in 41 + function 42 + | `RSA -> Error (`Msg "cannot decode an RSA key") 43 + | `ED25519 -> 44 + let* k = ec_err (Ed25519.priv_of_octets data) in 45 + Ok (`ED25519 k) 46 + | `P256 -> 47 + let* k = ec_err (P256.Dsa.priv_of_octets data) in 48 + Ok (`P256 k) 49 + | `P384 -> 50 + let* k = ec_err (P384.Dsa.priv_of_octets data) in 51 + Ok (`P384 k) 52 + | `P521 -> 53 + let* k = ec_err (P521.Dsa.priv_of_octets data) in 54 + Ok (`P521 k) 55 + 56 + let of_string ?seed_or_data ?bits typ data = 57 + match seed_or_data with 58 + | None -> 59 + begin match typ with 60 + | `RSA -> Ok (generate ~seed:data ?bits `RSA) 61 + | _ -> 62 + let* data = Base64.decode data in 63 + of_octets data typ 64 + end 65 + | Some `Seed -> 66 + Ok (generate ~seed:data ?bits typ) 67 + | Some 
`Data -> 68 + let* data = Base64.decode data in 69 + of_octets data typ 70 + 71 + let public = function 72 + | `RSA priv -> `RSA (Mirage_crypto_pk.Rsa.pub_of_priv priv) 73 + | `ED25519 priv -> `ED25519 (Mirage_crypto_ec.Ed25519.pub_of_priv priv) 74 + | `P256 priv -> `P256 (Mirage_crypto_ec.P256.Dsa.pub_of_priv priv) 75 + | `P384 priv -> `P384 (Mirage_crypto_ec.P384.Dsa.pub_of_priv priv) 76 + | `P521 priv -> `P521 (Mirage_crypto_ec.P521.Dsa.pub_of_priv priv) 77 + 78 + let sign hash ?scheme key data = 79 + let open Mirage_crypto_ec in 80 + let hashed () = Public_key.hashed hash data 81 + and ecdsa_to_str s = Algorithm.ecdsa_sig_to_octets s 82 + in 83 + let scheme = Key_type.opt_signature_scheme ?scheme (key_type key) in 84 + try 85 + match key, scheme with 86 + | `RSA key, `RSA_PSS -> 87 + let module H = (val (Digestif.module_of_hash' hash)) in 88 + let module PSS = Mirage_crypto_pk.Rsa.PSS(H) in 89 + let* d = hashed () in 90 + Ok (PSS.sign ~key (`Digest d)) 91 + | `RSA key, `RSA_PKCS1 -> 92 + let* d = hashed () in 93 + Ok (Mirage_crypto_pk.Rsa.PKCS1.sign ~key ~hash (`Digest d)) 94 + | `ED25519 key, `ED25519 -> 95 + begin match data with 96 + | `Message m -> Ok (Ed25519.sign ~key m) 97 + | `Digest _ -> Error (`Msg "Ed25519 only suitable with raw message") 98 + end 99 + | #ecdsa as key, `ECDSA -> 100 + let* d = hashed () in 101 + Ok (ecdsa_to_str (match key with 102 + | `P256 key -> P256.Dsa.(sign ~key (Public_key.trunc byte_length d)) 103 + | `P384 key -> P384.Dsa.(sign ~key (Public_key.trunc byte_length d)) 104 + | `P521 key -> P521.Dsa.(sign ~key (Public_key.trunc byte_length d)))) 105 + | _ -> Error (`Msg "invalid key and signature scheme combination") 106 + with 107 + | Mirage_crypto_pk.Rsa.Insufficient_key -> 108 + Error (`Msg "RSA key of insufficient length") 109 + | Message_too_long -> Error (`Msg "message too long") 110 + 111 + module Asn = struct 112 + open Asn.S 113 + open Mirage_crypto_pk 114 + 115 + (* RSA *) 116 + let other_prime_infos = 117 + 
sequence_of @@ 118 + (sequence3 119 + (required ~label:"prime" unsigned_integer) 120 + (required ~label:"exponent" unsigned_integer) 121 + (required ~label:"coefficient" unsigned_integer)) 122 + 123 + let rsa_private_key = 124 + let integer = map Z_extra.of_octets_be Z_extra.to_octets_be unsigned_integer in 125 + let f (v, (n, (e, (d, (p, (q, (dp, (dq, (q', other))))))))) = 126 + match (v, other) with 127 + | (0, None) -> 128 + begin match Rsa.priv ~e ~d ~n ~p ~q ~dp ~dq ~q' with 129 + | Ok p -> p 130 + | Error (`Msg m) -> parse_error "bad RSA private key %s" m 131 + end 132 + | _ -> parse_error "multi-prime RSA keys not supported" 133 + and g { Rsa.e; d; n; p; q; dp; dq; q' } = 134 + (0, (n, (e, (d, (p, (q, (dp, (dq, (q', None))))))))) in 135 + map f g @@ 136 + sequence @@ 137 + (required ~label:"version" int) 138 + @ (required ~label:"modulus" integer) (* n *) 139 + @ (required ~label:"publicExponent" integer) (* e *) 140 + @ (required ~label:"privateExponent" integer) (* d *) 141 + @ (required ~label:"prime1" integer) (* p *) 142 + @ (required ~label:"prime2" integer) (* q *) 143 + @ (required ~label:"exponent1" integer) (* dp *) 144 + @ (required ~label:"exponent2" integer) (* dq *) 145 + @ (required ~label:"coefficient" integer) (* qinv *) 146 + -@ (optional ~label:"otherPrimeInfos" other_prime_infos) 147 + 148 + (* For outside uses. 
*) 149 + let (rsa_private_of_octets, rsa_private_to_octets) = 150 + Asn_grammars.projections_of Asn.der rsa_private_key 151 + 152 + (* PKCS8 *) 153 + let (rsa_priv_of_str, rsa_priv_to_str) = 154 + Asn_grammars.project_exn rsa_private_key 155 + 156 + let ec_to_err = function 157 + | Ok x -> x 158 + | Error e -> parse_error "%a" Mirage_crypto_ec.pp_error e 159 + 160 + let ed25519_of_str, ed25519_to_str = 161 + Asn_grammars.project_exn octet_string 162 + 163 + let ec_private_key = 164 + let f (v, pk, nc, pub) = 165 + if v <> 1 then 166 + parse_error "bad version for ec Private key" 167 + else 168 + let curve = match nc with 169 + | Some c -> Some (Algorithm.curve_of_oid c) 170 + | None -> None 171 + in 172 + pk, curve, pub 173 + and g (pk, curve, pub) = 174 + let nc = match curve with 175 + | None -> None | Some c -> Some (Algorithm.curve_to_oid c) 176 + in 177 + (1, pk, nc, pub) 178 + in 179 + Asn.S.map f g @@ 180 + sequence4 181 + (required ~label:"version" int) (* ecPrivkeyVer1(1) *) 182 + (required ~label:"privateKey" octet_string) 183 + (* from rfc5480: choice3, but only namedCurve is allowed in PKIX *) 184 + (optional ~label:"namedCurve" (explicit 0 oid)) 185 + (optional ~label:"publicKey" (explicit 1 bit_string)) 186 + 187 + let ec_of_str, ec_to_str = 188 + Asn_grammars.project_exn ec_private_key 189 + 190 + let reparse_ec_private curve priv = 191 + let open Mirage_crypto_ec in 192 + match curve with 193 + | `SECP256R1 -> let* p = P256.Dsa.priv_of_octets priv in Ok (`P256 p) 194 + | `SECP384R1 -> let* p = P384.Dsa.priv_of_octets priv in Ok (`P384 p) 195 + | `SECP521R1 -> let* p = P521.Dsa.priv_of_octets priv in Ok (`P521 p) 196 + 197 + (* external use (result) *) 198 + let ec_priv_of_str = 199 + let dec, _ = Asn_grammars.projections_of Asn.der ec_private_key in 200 + fun cs -> 201 + let* priv, curve, _pub = dec cs in 202 + match curve with 203 + | None -> Error (`Parse "no curve provided") 204 + | Some c -> 205 + Result.map_error 206 + (fun e -> `Parse 
(Fmt.to_to_string Mirage_crypto_ec.pp_error e)) 207 + (reparse_ec_private c priv) 208 + 209 + let ec_of_str ?curve cs = 210 + let (priv, named_curve, _pub) = ec_of_str cs in 211 + let nc = 212 + match curve, named_curve with 213 + | Some c, None -> c 214 + | None, Some c -> c 215 + | Some c, Some c' -> if c = c' then c else parse_error "conflicting curve" 216 + | None, None -> parse_error "unknown curve" 217 + in 218 + ec_to_err (reparse_ec_private nc priv) 219 + 220 + let ec_to_str ?curve ?pub key = ec_to_str (key, curve, pub) 221 + 222 + let reparse_private pk = 223 + match pk with 224 + | (0, Algorithm.RSA, cs) -> `RSA (rsa_priv_of_str cs) 225 + | (0, Algorithm.ED25519, cs) -> 226 + let data = ed25519_of_str cs in 227 + `ED25519 (ec_to_err (Mirage_crypto_ec.Ed25519.priv_of_octets data)) 228 + | (0, Algorithm.EC_pub curve, cs) -> ec_of_str ~curve cs 229 + | _ -> parse_error "unknown private key info" 230 + 231 + let unparse_private p = 232 + let open Mirage_crypto_ec in 233 + let open Algorithm in 234 + let alg, cs = 235 + match p with 236 + | `RSA pk -> RSA, rsa_priv_to_str pk 237 + | `ED25519 pk -> ED25519, ed25519_to_str (Ed25519.priv_to_octets pk) 238 + | `P256 pk -> EC_pub `SECP256R1, ec_to_str (P256.Dsa.priv_to_octets pk) 239 + | `P384 pk -> EC_pub `SECP384R1, ec_to_str (P384.Dsa.priv_to_octets pk) 240 + | `P521 pk -> EC_pub `SECP521R1, ec_to_str (P521.Dsa.priv_to_octets pk) 241 + in 242 + (0, alg, cs) 243 + 244 + let private_key_info = 245 + map reparse_private unparse_private @@ 246 + sequence3 247 + (required ~label:"version" int) 248 + (required ~label:"privateKeyAlgorithm" Algorithm.identifier) 249 + (required ~label:"privateKey" octet_string) 250 + (* TODO: there's an 251 + (optional ~label:"attributes" @@ implicit 0 (SET of Attributes) 252 + which are defined in X.501; but nobody seems to use them anyways *) 253 + 254 + let (private_of_octets, private_to_octets) = 255 + Asn_grammars.projections_of Asn.der private_key_info 256 + end 257 + 258 + let 
decode_der cs = 259 + Asn_grammars.err_to_msg (Asn.private_of_octets cs) 260 + 261 + let encode_der = Asn.private_to_octets 262 + 263 + let decode_pem cs = 264 + let* data = Pem.parse cs in 265 + let rsa_p (t, _) = String.equal "RSA PRIVATE KEY" t 266 + and ec_p (t, _) = String.equal "EC PRIVATE KEY" t 267 + and pk_p (t, _) = String.equal "PRIVATE KEY" t 268 + in 269 + let r, _ = List.partition rsa_p data 270 + and ec, _ = List.partition ec_p data 271 + and p, _ = List.partition pk_p data 272 + in 273 + let* k = 274 + Pem.foldM (fun (_, k) -> 275 + let* k = Asn_grammars.err_to_msg (Asn.rsa_private_of_octets k) in 276 + Ok (`RSA k)) r 277 + in 278 + let* k' = 279 + Pem.foldM (fun (_, k) -> 280 + Asn_grammars.err_to_msg (Asn.ec_priv_of_str k)) ec 281 + in 282 + let* k'' = 283 + Pem.foldM (fun (_, k) -> 284 + Asn_grammars.err_to_msg (Asn.private_of_octets k)) p 285 + in 286 + Pem.exactly_one ~what:"private key" (k @ k' @ k'') 287 + 288 + let encode_pem p = 289 + Pem.unparse ~tag:"PRIVATE KEY" (Asn.private_to_octets p)
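Review bot: `of_string` gives `data` two different meanings depending on `typ` when `?seed_or_data` is omitted: for `RSA` it is passed as `~seed` to `generate`, for every other type it is Base64-decoded as key material. The resulting RSA key is fully determined by that string, so this deserves a doc comment on the entropy the seed must carry, or an explicit `seed_or_data` argument with no default. Also, in `decode_pem` any block whose tag is not one of the three matched strings is ignored, so an unsupported tag surfaces only as `No private key`; naming the tags that were found in that error would make it easier to diagnose.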
+166
vendor/opam/x509/lib/public_key.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + type ecdsa = [ 4 + | `P256 of Mirage_crypto_ec.P256.Dsa.pub 5 + | `P384 of Mirage_crypto_ec.P384.Dsa.pub 6 + | `P521 of Mirage_crypto_ec.P521.Dsa.pub 7 + ] 8 + 9 + type t = [ 10 + | ecdsa 11 + | `RSA of Mirage_crypto_pk.Rsa.pub 12 + | `ED25519 of Mirage_crypto_ec.Ed25519.pub 13 + ] 14 + 15 + module Asn_oid = Asn.OID 16 + 17 + module Asn = struct 18 + open Asn_grammars 19 + open Asn.S 20 + open Mirage_crypto_pk 21 + 22 + let rsa_public_key = 23 + let f (n, e) = 24 + let n = Z_extra.of_octets_be n 25 + and e = Z_extra.of_octets_be e in 26 + match Rsa.pub ~e ~n with 27 + | Ok p -> p 28 + | Error (`Msg m) -> parse_error "bad RSA public key %s" m 29 + and g ({ Rsa.n; e } : Rsa.pub) = (Z_extra.to_octets_be n, Z_extra.to_octets_be e) in 30 + map f g @@ 31 + sequence2 32 + (required ~label:"modulus" unsigned_integer) 33 + (required ~label:"publicExponent" unsigned_integer) 34 + 35 + let (rsa_public_of_octets, rsa_public_to_octets) = 36 + projections_of Asn.der rsa_public_key 37 + 38 + let rsa_pub_of_octets, rsa_pub_to_octets = project_exn rsa_public_key 39 + 40 + let to_err = function 41 + | Ok r -> r 42 + | Error e -> 43 + parse_error "failed to decode public EC key %a" 44 + Mirage_crypto_ec.pp_error e 45 + 46 + let reparse_pk = 47 + let open Mirage_crypto_ec in 48 + let open Algorithm in 49 + function 50 + | (RSA , cs) -> `RSA (rsa_pub_of_octets cs) 51 + | (ED25519 , cs) -> `ED25519 (to_err (Ed25519.pub_of_octets cs)) 52 + | (EC_pub `SECP256R1, cs) -> `P256 (to_err (P256.Dsa.pub_of_octets cs)) 53 + | (EC_pub `SECP384R1, cs) -> `P384 (to_err (P384.Dsa.pub_of_octets cs)) 54 + | (EC_pub `SECP521R1, cs) -> `P521 (to_err (P521.Dsa.pub_of_octets cs)) 55 + | _ -> parse_error "unknown public key algorithm" 56 + 57 + let unparse_pk = 58 + let open Mirage_crypto_ec in 59 + let open Algorithm in 60 + function 61 + | `RSA pk -> (RSA, rsa_pub_to_octets pk) 62 + | `ED25519 pk -> (ED25519, Ed25519.pub_to_octets pk) 63 + | `P256 pk -> (EC_pub 
`SECP256R1, P256.Dsa.pub_to_octets pk) 64 + | `P384 pk -> (EC_pub `SECP384R1, P384.Dsa.pub_to_octets pk) 65 + | `P521 pk -> (EC_pub `SECP521R1, P521.Dsa.pub_to_octets pk) 66 + 67 + let pk_info_der = 68 + map reparse_pk unparse_pk @@ 69 + sequence2 70 + (required ~label:"algorithm" Algorithm.identifier) 71 + (required ~label:"subjectPK" bit_string_octets) 72 + 73 + let (pub_info_of_octets, pub_info_to_octets) = 74 + projections_of Asn.der pk_info_der 75 + end 76 + 77 + let id k = 78 + let data = match k with 79 + | `RSA p -> Asn.rsa_public_to_octets p 80 + | `ED25519 pk -> Mirage_crypto_ec.Ed25519.pub_to_octets pk 81 + | `P256 pk -> Mirage_crypto_ec.P256.Dsa.pub_to_octets pk 82 + | `P384 pk -> Mirage_crypto_ec.P384.Dsa.pub_to_octets pk 83 + | `P521 pk -> Mirage_crypto_ec.P521.Dsa.pub_to_octets pk 84 + in 85 + Digestif.(to_raw_string SHA1 (digest_string SHA1 data)) 86 + 87 + let fingerprint ?(hash = `SHA256) pub = 88 + let module Hash = (val (Digestif.module_of_hash' (hash :> Digestif.hash'))) in 89 + Hash.(to_raw_string (digest_string (Asn.pub_info_to_octets pub))) 90 + 91 + let key_type = function 92 + | `RSA _ -> `RSA 93 + | `ED25519 _ -> `ED25519 94 + | `P256 _ -> `P256 95 + | `P384 _ -> `P384 96 + | `P521 _ -> `P521 97 + 98 + let sig_alg = function 99 + | #ecdsa -> `ECDSA 100 + | `RSA _ -> `RSA 101 + | `ED25519 _ -> `ED25519 102 + 103 + let pp ppf k = 104 + Fmt.string ppf (Key_type.to_string (key_type k)); 105 + Fmt.sp ppf (); 106 + Ohex.pp ppf (fingerprint k) 107 + 108 + let hashed hash data = 109 + let module Hash = (val (Digestif.module_of_hash' hash)) in 110 + match data with 111 + | `Message msg -> Ok Hash.(to_raw_string (digest_string msg)) 112 + | `Digest d -> 113 + let n = String.length d and m = Hash.digest_size in 114 + if n = m then Ok d else Error (`Msg "digested data of invalid size") 115 + 116 + let trunc len data = 117 + if String.length data > len then 118 + String.sub data 0 len 119 + else 120 + data 121 + 122 + let verify hash ?scheme 
~signature key data = 123 + let open Mirage_crypto_ec in 124 + let ok_if_true p = if p then Ok () else Error (`Msg "bad signature") in 125 + let ecdsa_of_str cs = 126 + Result.map_error (function `Parse s -> `Msg s) 127 + (Algorithm.ecdsa_sig_of_octets cs) 128 + in 129 + let scheme = Key_type.opt_signature_scheme ?scheme (key_type key) in 130 + match key, scheme with 131 + | `RSA key, `RSA_PSS -> 132 + let module H = (val (Digestif.module_of_hash' hash)) in 133 + let module PSS = Mirage_crypto_pk.Rsa.PSS(H) in 134 + let* d = hashed hash data in 135 + ok_if_true (PSS.verify ~key ~signature (`Digest d)) 136 + | `RSA key, `RSA_PKCS1 -> 137 + let hashp x = x = hash in 138 + let* d = hashed hash data in 139 + ok_if_true (Mirage_crypto_pk.Rsa.PKCS1.verify ~hashp ~key ~signature (`Digest d)) 140 + | `ED25519 key, `ED25519 -> 141 + begin match data with 142 + | `Message msg -> ok_if_true (Ed25519.verify ~key signature ~msg) 143 + | `Digest _ -> Error (`Msg "Ed25519 only suitable with raw message") 144 + end 145 + | #ecdsa as key, `ECDSA -> 146 + let* d = hashed hash data in 147 + let* s = ecdsa_of_str signature in 148 + ok_if_true 149 + (match key with 150 + | `P256 key -> P256.Dsa.verify ~key s (trunc P256.Dsa.byte_length d) 151 + | `P384 key -> P384.Dsa.verify ~key s (trunc P384.Dsa.byte_length d) 152 + | `P521 key -> P521.Dsa.verify ~key s (trunc P521.Dsa.byte_length d)) 153 + | _ -> Error (`Msg "invalid key and signature scheme combination") 154 + 155 + let encode_der = Asn.pub_info_to_octets 156 + 157 + let decode_der cs = Asn_grammars.err_to_msg (Asn.pub_info_of_octets cs) 158 + 159 + let decode_pem cs = 160 + let* data = Pem.parse cs in 161 + let pks = List.filter (fun (t, _) -> String.equal "PUBLIC KEY" t) data in 162 + let* keys = Pem.foldM (fun (_, k) -> decode_der k) pks in 163 + Pem.exactly_one ~what:"public key" keys 164 + 165 + let encode_pem v = 166 + Pem.unparse ~tag:"PUBLIC KEY" (encode_der v)
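Review bot: `id` and `fingerprint` hash different inputs with different algorithms, and neither carries a comment saying which one is for what. `id` runs SHA1 over the bare key octets (the RSAPublicKey DER, or the raw EC / Ed25519 point), while `fingerprint` hashes the full SubjectPublicKeyInfo DER with a default of SHA256. A one-line comment on each stating the intended use would keep callers who pin keys on `fingerprint` and stop them comparing its output against `id`. Separately, the `Asn` module defines two RSA codec pairs, `rsa_public_of_octets`/`rsa_public_to_octets` via `projections_of` and `rsa_pub_of_octets`/`rsa_pub_to_octets` via `project_exn`; `id` uses the first and `unparse_pk` the second, so either say why both exist or drop one.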
+175
vendor/opam/x509/lib/rc2.ml
··· 1 + 2 + let pitable = [| 3 + 0xd9; 0x78; 0xf9; 0xc4; 0x19; 0xdd; 0xb5; 0xed; 0x28; 0xe9; 0xfd; 0x79; 0x4a; 0xa0; 0xd8; 0x9d; 4 + 0xc6; 0x7e; 0x37; 0x83; 0x2b; 0x76; 0x53; 0x8e; 0x62; 0x4c; 0x64; 0x88; 0x44; 0x8b; 0xfb; 0xa2; 5 + 0x17; 0x9a; 0x59; 0xf5; 0x87; 0xb3; 0x4f; 0x13; 0x61; 0x45; 0x6d; 0x8d; 0x09; 0x81; 0x7d; 0x32; 6 + 0xbd; 0x8f; 0x40; 0xeb; 0x86; 0xb7; 0x7b; 0x0b; 0xf0; 0x95; 0x21; 0x22; 0x5c; 0x6b; 0x4e; 0x82; 7 + 0x54; 0xd6; 0x65; 0x93; 0xce; 0x60; 0xb2; 0x1c; 0x73; 0x56; 0xc0; 0x14; 0xa7; 0x8c; 0xf1; 0xdc; 8 + 0x12; 0x75; 0xca; 0x1f; 0x3b; 0xbe; 0xe4; 0xd1; 0x42; 0x3d; 0xd4; 0x30; 0xa3; 0x3c; 0xb6; 0x26; 9 + 0x6f; 0xbf; 0x0e; 0xda; 0x46; 0x69; 0x07; 0x57; 0x27; 0xf2; 0x1d; 0x9b; 0xbc; 0x94; 0x43; 0x03; 10 + 0xf8; 0x11; 0xc7; 0xf6; 0x90; 0xef; 0x3e; 0xe7; 0x06; 0xc3; 0xd5; 0x2f; 0xc8; 0x66; 0x1e; 0xd7; 11 + 0x08; 0xe8; 0xea; 0xde; 0x80; 0x52; 0xee; 0xf7; 0x84; 0xaa; 0x72; 0xac; 0x35; 0x4d; 0x6a; 0x2a; 12 + 0x96; 0x1a; 0xd2; 0x71; 0x5a; 0x15; 0x49; 0x74; 0x4b; 0x9f; 0xd0; 0x5e; 0x04; 0x18; 0xa4; 0xec; 13 + 0xc2; 0xe0; 0x41; 0x6e; 0x0f; 0x51; 0xcb; 0xcc; 0x24; 0x91; 0xaf; 0x50; 0xa1; 0xf4; 0x70; 0x39; 14 + 0x99; 0x7c; 0x3a; 0x85; 0x23; 0xb8; 0xb4; 0x7a; 0xfc; 0x02; 0x36; 0x5b; 0x25; 0x55; 0x97; 0x31; 15 + 0x2d; 0x5d; 0xfa; 0x98; 0xe3; 0x8a; 0x92; 0xae; 0x05; 0xdf; 0x29; 0x10; 0x67; 0x6c; 0xba; 0xc9; 16 + 0xd3; 0x00; 0xe6; 0xcf; 0xe1; 0x9e; 0xa8; 0x2c; 0x63; 0x16; 0x01; 0x3f; 0x58; 0xe2; 0x89; 0xa9; 17 + 0x0d; 0x38; 0x34; 0x1b; 0xab; 0x33; 0xff; 0xb0; 0xbb; 0x48; 0x0c; 0x5f; 0xb9; 0xb1; 0xcd; 0x2e; 18 + 0xc5; 0xf3; 0xdb; 0x47; 0xe5; 0xa5; 0x9c; 0x77; 0x0a; 0xa6; 0x20; 0x68; 0xfe; 0x7f; 0xc1; 0xad 19 + |] 20 + 21 + (* effective is sometimes named t1 *) 22 + let tm effective = 23 + let t8 = (effective + 7) / 8 in 24 + (* RFC says (TM = 255 MOD 2^(8 + effective - 8*T8)) *) 25 + let bits = 8 + effective - 8 * t8 in 26 + (* likely there's a smarter way to do this *) 27 + let rec c acc = function 28 + | 0 -> acc 29 + | n -> c ((acc lsl 1) + 1) (pred n) 30 + 
in 31 + t8, c 0 bits 32 + 33 + (* L[i] is the i-th byte of the key; K[i] is the i-th 16-bit-word of the key *) 34 + let key_expansion effective key = 35 + (* result is a 128 byte key, where we need the words.. *) 36 + let t = String.length key in 37 + let l = Array.init 128 (fun idx -> if idx < t then String.get_uint8 key idx else 0) in 38 + let t8, tm = tm effective in 39 + for i = t to 127 do 40 + l.(i) <- pitable.((l.(i - 1) + l.(i - t)) mod 256) 41 + done; 42 + l.(128 - t8) <- pitable.(l.(128 - t8) land tm); 43 + for i = 127 - t8 downto 0 do 44 + l.(i) <- pitable.(l.(i + 1) lxor l.(i + t8)); 45 + done; 46 + Array.init 64 (fun idx -> l.(2 * idx) + 256 * l.(2 * idx + 1)) 47 + 48 + let mod16 f = 0xFFFF land f 49 + 50 + let rol16 x k = mod16 ((x lsl k) lor (x lsr (16 - k))) 51 + 52 + let ror16 x k = mod16 ((x lsr k) lor (x lsl (16 - k))) 53 + 54 + let not16 x = mod16 (lnot x) 55 + 56 + let s = Array.init 4 (function 0 -> 1 | 1 -> 2 | 2 -> 3 | 3 -> 5 | _ -> assert false) 57 + 58 + let pmod a = 59 + let b = 4 in 60 + let r = a mod b in 61 + if r < 0 then (r + b) mod b else r 62 + 63 + (* only used for encryption which we don't support 64 + let mix r i k j = 65 + r.(i) <- mod16 (r.(i) + k.(j) + r.(pmod (i - 1)) land r.(pmod (i - 2)) + 66 + (not16 r.(pmod (i - 1))) land r.(pmod (i - 3))); 67 + let j = succ j in 68 + r.(i) <- rol16 r.(i) s.(i); 69 + j 70 + 71 + let mix_round r k j = 72 + let j' = mix r 0 k j in 73 + let j'' = mix r 1 k j' in 74 + let j''' = mix r 2 k j'' in 75 + let j'''' = mix r 3 k j''' in 76 + j'''' 77 + 78 + let mash r i k = 79 + r.(i) <- mod16 (r.(i) + k.(r.(pmod (i - 1)) land 63)) 80 + 81 + let mash_round r k = 82 + mash r 0 k; 83 + mash r 1 k; 84 + mash r 2 k; 85 + mash r 3 k 86 + 87 + let encrypt_one ~key ~data = 88 + let r = Array.init 4 (fun idx -> Cstruct.LE.get_uint16 data (idx * 2)) in 89 + let j = 0 in 90 + let j = mix_round r key j in 91 + let j = mix_round r key j in 92 + let j = mix_round r key j in 93 + let j = mix_round r key j in 94 
+ let j = mix_round r key j in 95 + mash_round r key; 96 + let j = mix_round r key j in 97 + let j = mix_round r key j in 98 + let j = mix_round r key j in 99 + let j = mix_round r key j in 100 + let j = mix_round r key j in 101 + let j = mix_round r key j in 102 + mash_round r key; 103 + let j = mix_round r key j in 104 + let j = mix_round r key j in 105 + let j = mix_round r key j in 106 + let j = mix_round r key j in 107 + let _j = mix_round r key j in 108 + let out = Cstruct.create 8 in 109 + Cstruct.LE.set_uint16 out 0 r.(0); 110 + Cstruct.LE.set_uint16 out 2 r.(1); 111 + Cstruct.LE.set_uint16 out 4 r.(2); 112 + Cstruct.LE.set_uint16 out 6 r.(3); 113 + out 114 + *) 115 + 116 + let r_mix r i k j = 117 + r.(i) <- ror16 r.(i) s.(i); 118 + r.(i) <- mod16 (r.(i) - k.(j) - 119 + (r.(pmod (i - 1)) land r.(pmod (i - 2))) - 120 + (not16 r.(pmod (i - 1)) land (r.(pmod (i - 3))))); 121 + pred j 122 + 123 + let r_mix_round r k j = 124 + let j' = r_mix r 3 k j in 125 + let j'' = r_mix r 2 k j' in 126 + let j''' = r_mix r 1 k j'' in 127 + let j'''' = r_mix r 0 k j''' in 128 + j'''' 129 + 130 + let r_mash r i k = 131 + r.(i) <- mod16 (r.(i) - k.(r.(pmod (i - 1)) land 63)) 132 + 133 + let r_mash_round r k = 134 + r_mash r 3 k; 135 + r_mash r 2 k; 136 + r_mash r 1 k; 137 + r_mash r 0 k 138 + 139 + let decrypt_one ~key ~data ?(off = 0) dst = 140 + let r = Array.init 4 (fun idx -> String.get_uint16_le data (off + idx * 2)) in 141 + let j = 63 in 142 + let j = r_mix_round r key j in 143 + let j = r_mix_round r key j in 144 + let j = r_mix_round r key j in 145 + let j = r_mix_round r key j in 146 + let j = r_mix_round r key j in 147 + r_mash_round r key; 148 + let j = r_mix_round r key j in 149 + let j = r_mix_round r key j in 150 + let j = r_mix_round r key j in 151 + let j = r_mix_round r key j in 152 + let j = r_mix_round r key j in 153 + let j = r_mix_round r key j in 154 + r_mash_round r key; 155 + let j = r_mix_round r key j in 156 + let j = r_mix_round r key j in 157 + let 
j = r_mix_round r key j in 158 + let j = r_mix_round r key j in 159 + let _j = r_mix_round r key j in 160 + Bytes.set_uint16_le dst (off + 0) r.(0); 161 + Bytes.set_uint16_le dst (off + 2) r.(1); 162 + Bytes.set_uint16_le dst (off + 4) r.(2); 163 + Bytes.set_uint16_le dst (off + 6) r.(3) 164 + 165 + let decrypt_cbc ?(effective = 128) ~key ~iv data = 166 + let block = 8 in 167 + let key = key_expansion effective key in 168 + let l = String.length data in 169 + let dst = Bytes.create l in 170 + for i = 0 to pred ((l + pred block) / block) do 171 + decrypt_one ~key ~data ~off:(i * block) dst 172 + done; 173 + Mirage_crypto.Uncommon.unsafe_xor_into iv ~src_off:0 dst ~dst_off:0 block; 174 + Mirage_crypto.Uncommon.unsafe_xor_into data ~src_off:0 dst ~dst_off:block (l - block); 175 + Bytes.unsafe_to_string dst
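Review bot: `decrypt_cbc` never checks that `String.length data` is a non-zero multiple of `block` or that `iv` holds at least 8 bytes before the two `Mirage_crypto.Uncommon.unsafe_xor_into` calls. With empty input the loop runs zero times, the first call is asked to xor 8 bytes into a zero-length `dst`, and the second is given the length `l - block`, which is -8. With a length that is not a multiple of 8 the rounded-up block count makes the last `decrypt_one` read past the end of `data`, so the caller gets an exception instead of a decode error. Since this code sits behind parsing of attacker-supplied encrypted containers, please validate `l` and `String.length iv` at the top of `decrypt_cbc` and reject bad input before touching `dst`. `key_expansion` has the same kind of unstated precondition: an empty key makes the first loop index `l.(i - 1)` at `i = 0`.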
+320
vendor/opam/x509/lib/registry.ml
··· 1 + 2 + (* 3 + * Object Identifiers: magic numbers with a tie. Some OIDs also have an MBA. 4 + * 5 + * http://www.alvestrand.no/objectid/ 6 + * http://oid-info.com/ 7 + *) 8 + 9 + open Asn.OID 10 + 11 + let pkix = base 1 3 <| 6 <| 1 <| 5 <| 5 <| 7 12 + 13 + let usa = base 1 2 <| 840 14 + let rsadsi = usa <| 113549 15 + let pkcs = rsadsi <| 1 16 + 17 + let us_govt = base 2 16 <| 840 <| 1 <| 101 18 + let nist_alg = us_govt <| 3 <| 4 19 + let hash_algs = nist_alg <| 2 20 + 21 + (* PKCS1 *) 22 + 23 + and md5 = rsadsi <| 2 <| 5 24 + and sha1 = base 1 3 <| 14 <| 3 <| 2 <| 26 25 + and sha1_rsa_encryption = base 1 3 <| 14 <| 3 <| 2 <| 29 26 + 27 + (* rfc5758 *) 28 + 29 + let sha256 = hash_algs <| 1 30 + and sha384 = hash_algs <| 2 31 + and sha512 = hash_algs <| 3 32 + and sha224 = hash_algs <| 4 33 + 34 + module ANSI_X9_62 = struct 35 + 36 + let ansi_x9_62 = usa <| 10045 37 + 38 + let ecdsa_sha1 = ansi_x9_62 <| 1 39 + let prime_field = ecdsa_sha1 <| 1 40 + and characteristic_2_field = ecdsa_sha1 <| 2 41 + 42 + let key_type = ansi_x9_62 <| 2 43 + let ec_pub_key = key_type <| 1 44 + 45 + let signatures = ansi_x9_62 <| 4 46 + let field_type = signatures <| 1 47 + and ecdsa_sha2 = signatures <| 3 48 + 49 + let ecdsa_sha224 = ecdsa_sha2 <| 1 50 + and ecdsa_sha256 = ecdsa_sha2 <| 2 51 + and ecdsa_sha384 = ecdsa_sha2 <| 3 52 + and ecdsa_sha512 = ecdsa_sha2 <| 4 53 + 54 + (* from RFC 5480 *) 55 + let certicom = base 1 3 <| 132 <| 0 56 + let curves = ansi_x9_62 <| 3 <| 1 57 + 58 + let secp224r1 = certicom <| 33 59 + let secp256r1 = curves <| 7 60 + let secp384r1 = certicom <| 34 61 + let secp521r1 = certicom <| 35 62 + end 63 + 64 + module PKCS1 = struct 65 + let pkcs1 = pkcs <| 1 66 + 67 + let rsa_encryption = pkcs1 <| 1 68 + and md5_rsa_encryption = pkcs1 <| 4 69 + and sha1_rsa_encryption = pkcs1 <| 5 70 + and rsaes_oaep = pkcs1 <| 7 71 + and rsassa_pss = pkcs1 <| 10 72 + and sha256_rsa_encryption = pkcs1 <| 11 73 + and sha384_rsa_encryption = pkcs1 <| 12 74 + and 
sha512_rsa_encryption = pkcs1 <| 13 75 + and sha224_rsa_encryption = pkcs1 <| 14 76 + end 77 + 78 + module RFC8410 = struct 79 + let thawte = base 1 3 <| 101 80 + 81 + let x25519 = thawte <| 110 82 + and x448 = thawte <| 111 83 + and ed25519 = thawte <| 112 84 + and ed448 = thawte <| 113 85 + end 86 + 87 + module PKCS2 = struct 88 + let pkcs2 = rsadsi <| 2 89 + 90 + let md4 = pkcs2 <| 4 91 + and hmac_sha1 = pkcs2 <| 7 92 + and hmac_sha224 = pkcs2 <| 8 93 + and hmac_sha256 = pkcs2 <| 9 94 + and hmac_sha384 = pkcs2 <| 10 95 + and hmac_sha512 = pkcs2 <| 11 96 + end 97 + 98 + module PKCS5 = struct 99 + let pkcs5 = pkcs <| 5 100 + 101 + let pbe_md2_des_cbc = pkcs5 <| 1 102 + and pbe_md5_des_cbc = pkcs5 <| 3 103 + and pbe_md2_rc2_cbc = pkcs5 <| 4 104 + and pbe_md5_rc2_cbc = pkcs5 <| 6 105 + and pbe_md5_xor = pkcs5 <| 9 106 + and pbe_sha1_des_cbc = pkcs5 <| 10 107 + and pbe_sha1_rc2_cbc = pkcs5 <| 11 108 + and pbkdf2 = pkcs5 <| 12 109 + and pbes2 = pkcs5 <| 13 110 + and pbmac1 = pkcs5 <| 14 111 + 112 + let aes = nist_alg <| 1 113 + let aes128_cbc = aes <| 2 114 + and aes192_cbc = aes <| 22 115 + and aes256_cbc = aes <| 42 116 + end 117 + 118 + module PKCS7 = struct 119 + let pkcs7 = pkcs <| 7 120 + 121 + let data = pkcs7 <| 1 122 + and signed_data = pkcs7 <| 2 123 + and enveloped_data = pkcs7 <| 3 124 + and signed_and_enveloped_data = pkcs7 <| 4 125 + and digested_data = pkcs7 <| 5 126 + and encrypted_data = pkcs7 <| 6 127 + end 128 + 129 + module PKCS9 = struct 130 + let pkcs9 = pkcs <| 9 131 + 132 + let email = pkcs9 <| 1 133 + and unstructured_name = pkcs9 <| 2 134 + and content_type = pkcs9 <| 3 135 + and message_digest = pkcs9 <| 4 136 + and signing_time = pkcs9 <| 5 137 + and challenge_password = pkcs9 <| 7 138 + and unstructured_address = pkcs9 <| 8 139 + and signing_description = pkcs9 <| 13 140 + and extension_request = pkcs9 <| 14 141 + and smime_capabilities = pkcs9 <| 15 142 + and smime_oid_registry = pkcs9 <| 16 143 + and friendly_name = pkcs9 <| 20 144 + and 
local_key_id = pkcs9 <| 21 145 + and cert_types = pkcs9 <| 22 146 + and crl_types = pkcs9 <| 23 147 + end 148 + 149 + module PKCS12 = struct 150 + let pkcs12 = pkcs <| 12 151 + 152 + let bagtypes = pkcs12 <| 10 <| 1 153 + 154 + let key_bag = bagtypes <| 1 155 + and pkcs8_shrouded_key_bag = bagtypes <| 2 156 + and cert_bag = bagtypes <| 3 157 + and crl_bag = bagtypes <| 4 158 + and secret_bag = bagtypes <| 5 159 + and safe_contents_bag = bagtypes <| 6 160 + 161 + let pbe_ids = pkcs12 <| 1 162 + 163 + let pbe_with_SHA_and_128Bit_RC4 = pbe_ids <| 1 164 + and pbe_with_SHA_and_40Bit_RC4 = pbe_ids <| 2 165 + and pbe_with_SHA_and_3_KeyTripleDES_CBC = pbe_ids <| 3 166 + and pbe_with_SHA_and_2_KeyTripleDES_CBC = pbe_ids <| 4 167 + and pbe_with_SHA_and_128Bit_RC2_CBC = pbe_ids <| 5 168 + and pbe_with_SHA_and_40Bit_RC2_CBC = pbe_ids <| 6 169 + end 170 + 171 + module X520 = struct 172 + let x520 = base 2 5 <| 4 173 + 174 + let object_class = x520 <| 0 175 + and aliased_entry_name = x520 <| 1 176 + and knowldgeinformation = x520 <| 2 177 + and common_name = x520 <| 3 178 + and surname = x520 <| 4 179 + and serial_number = x520 <| 5 180 + and country_name = x520 <| 6 181 + and locality_name = x520 <| 7 182 + and state_or_province_name = x520 <| 8 183 + and street_address = x520 <| 9 184 + and organization_name = x520 <| 10 185 + and organizational_unit_name = x520 <| 11 186 + and title = x520 <| 12 187 + and description = x520 <| 13 188 + and search_guide = x520 <| 14 189 + and business_category = x520 <| 15 190 + and postal_address = x520 <| 16 191 + and postal_code = x520 <| 17 192 + and post_office_box = x520 <| 18 193 + and physical_delivery_office_name = x520 <| 19 194 + and telephone_number = x520 <| 20 195 + and telex_number = x520 <| 21 196 + and teletex_terminal_identifier = x520 <| 22 197 + and facsimile_telephone_number = x520 <| 23 198 + and x121_address = x520 <| 24 199 + and internationa_isdn_number = x520 <| 25 200 + and registered_address = x520 <| 26 201 + and 
destination_indicator = x520 <| 27 202 + and preferred_delivery_method = x520 <| 28 203 + and presentation_address = x520 <| 29 204 + and supported_application_context = x520 <| 30 205 + and member = x520 <| 31 206 + and owner = x520 <| 32 207 + and role_occupant = x520 <| 33 208 + and see_also = x520 <| 34 209 + and user_password = x520 <| 35 210 + and user_certificate = x520 <| 36 211 + and ca_certificate = x520 <| 37 212 + and authority_revocation_list = x520 <| 38 213 + and certificate_revocation_list = x520 <| 39 214 + and cross_certificate_pair = x520 <| 40 215 + and name = x520 <| 41 216 + and given_name = x520 <| 42 217 + and initials = x520 <| 43 218 + and generation_qualifier = x520 <| 44 219 + and unique_identifier = x520 <| 45 220 + and dn_qualifier = x520 <| 46 221 + and enhanced_search_guide = x520 <| 47 222 + and protocol_information = x520 <| 48 223 + and distinguished_name = x520 <| 49 224 + and unique_member = x520 <| 50 225 + and house_identifier = x520 <| 51 226 + and supported_algorithms = x520 <| 52 227 + and delta_revocation_list = x520 <| 53 228 + and attribute_certificate = x520 <| 58 229 + and pseudonym = x520 <| 65 230 + end 231 + 232 + let ucl_data_networks = base 0 9 <| 2342 <| 19200300 233 + let directory_pilot = ucl_data_networks <| 100 <| 1 234 + (* The single rfc4519 oid rfc5280 requires us to be aware of.... 
*) 235 + let domain_component = directory_pilot <| 25 236 + (* rfc4514 oid required for compliance *) 237 + let userid = directory_pilot <| 1 238 + 239 + module Cert_extn = struct 240 + let ce = base 2 5 <| 29 241 + 242 + let authority_key_identifier_old = ce <| 1 243 + and primary_key_attributes_old = ce <| 2 244 + and certificate_policies_1 = ce <| 3 245 + and primary_key_usage_restriction = ce <| 4 246 + and subject_directory_attributes = ce <| 9 247 + and subject_key_identifier = ce <| 14 248 + and key_usage = ce <| 15 249 + and private_key_usage_period = ce <| 16 250 + and subject_alternative_name = ce <| 17 251 + and issuer_alternative_name = ce <| 18 252 + and basic_constraints = ce <| 19 253 + and crl_number = ce <| 20 254 + and reason_code = ce <| 21 255 + and hold_instruction_code = ce <| 23 256 + and invalidity_date = ce <| 24 257 + and delta_crl_indicator = ce <| 27 258 + and issuing_distribution_point = ce <| 28 259 + and certificate_issuer = ce <| 29 260 + and name_constraints = ce <| 30 261 + and crl_distribution_points = ce <| 31 262 + and certificate_policies_2 = ce <| 32 263 + and policy_mappings = ce <| 33 264 + and authority_key_identifier = ce <| 35 265 + and policy_constraints = ce <| 36 266 + and extended_key_usage = ce <| 37 267 + and freshest_crl = ce <| 46 268 + and inhibit_any_policy = ce <| 54 269 + 270 + (* https://tools.ietf.org/html/rfc5280#section-4.2.2.1 *) 271 + module Private_internet_extensions = struct 272 + let pe = pkix <| 1 273 + let authority_info_access = pe <| 1 274 + let ad = pkix <| 48 275 + let ad_ca_issuer = ad <| 2 276 + let ad_ocsp = ad <| 1 277 + let ad_ocsp_basic = ad_ocsp <| 1 278 + end 279 + 280 + module Extended_usage = struct 281 + let any = extended_key_usage <| 0 282 + let key_purpose = pkix <| 3 283 + let server_auth = key_purpose <| 1 284 + and client_auth = key_purpose <| 2 285 + and code_signing = key_purpose <| 3 286 + and email_protection = key_purpose <| 4 287 + and ipsec_end_system = key_purpose <| 5 
288 + and ipsec_tunnel = key_purpose <| 6 289 + and ipsec_user = key_purpose <| 7 290 + and time_stamping = key_purpose <| 8 291 + and ocsp_signing = key_purpose <| 9 292 + end 293 + 294 + module Cert_policy = struct 295 + let qt = pkix <| 2 296 + let cps = qt <| 1 297 + let unotice = qt <| 2 298 + 299 + let any_policy = certificate_policies_2 <| 0 300 + end 301 + end 302 + 303 + module Name_extn = struct 304 + 305 + (* For the rarely-used feature of GeneralName: AnotherName. *) 306 + 307 + let id_other_name = pkix <| 8 308 + 309 + (* rfc6120 *) 310 + let xmpp_addr = id_other_name <| 5 311 + (* rfc4985 *) 312 + let srv_name = id_other_name <| 7 (* an IA5String _Service.Name *) 313 + 314 + let venezuela = base 2 16 <| 862 315 + let venezuela_1 = venezuela <| 2 <| 1 316 + and venezuela_2 = venezuela <| 2 <| 2 317 + 318 + let is_utf8_id oid = 319 + List.mem oid [ xmpp_addr ; venezuela_1 ; venezuela_2 ] 320 + end
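Review bot: in `ANSI_X9_62` the names `ecdsa_sha1` and `field_type` look swapped relative to RFC 3279. There, `ansi-X9-62 1` is id-fieldType (with prime-field and characteristic-two-field beneath it) and `ansi-X9-62 signatures(4) 1` is ecdsa-with-SHA1, but the code binds `ecdsa_sha1 = ansi_x9_62 <| 1` and `field_type = signatures <| 1`. If any signature-algorithm table keys on `ANSI_X9_62.ecdsa_sha1`, it matches the field-type arc rather than the ECDSA-with-SHA1 OID, so please check the users of both names and rename. Two smaller points: the top-level `sha1_rsa_encryption` (1.3.14.3.2.29) shares its name with `PKCS1.sha1_rsa_encryption` (`pkcs1 <| 5`), so a scope that opens `PKCS1` silently shadows one with the other, and a distinct name for the alternate OID would avoid that. The `X520` identifiers `knowldgeinformation` and `internationa_isdn_number` are misspelled.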
+238
vendor/opam/x509/lib/signing_request.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + module Ext = struct 4 + 5 + type _ k = 6 + | Password : string k 7 + | Name : string k 8 + | Extensions : Extension.t k 9 + 10 + module K = struct 11 + type 'a t = 'a k 12 + 13 + let compare : type a b . a t -> b t -> (a, b) Gmap.Order.t = fun t t' -> 14 + let open Gmap.Order in 15 + match t, t' with 16 + | Password, Password -> Eq | Password, _ -> Lt | _, Password -> Gt 17 + | Name, Name -> Eq | Name, _ -> Lt | _, Name -> Gt 18 + | Extensions, Extensions -> Eq 19 + end 20 + 21 + include Gmap.Make(K) 22 + 23 + let pp_one : type a. a k -> Format.formatter -> a -> unit = fun k ppf v -> 24 + match k, v with 25 + | Password, pass -> Fmt.pf ppf "password %s" pass 26 + | Name, name -> Fmt.pf ppf "name %s" name 27 + | Extensions, ext -> Fmt.pf ppf "extensions %a" Extension.pp ext 28 + 29 + let pp ppf m = iter (fun (B (k, v)) -> pp_one k ppf v ; Fmt.sp ppf ()) m 30 + end 31 + 32 + type request_info = { 33 + subject : Distinguished_name.t ; 34 + public_key : Public_key.t ; 35 + extensions : Ext.t ; 36 + } 37 + 38 + type request = { 39 + info : request_info ; 40 + signature_algorithm : Algorithm.t ; 41 + signature : string 42 + } 43 + 44 + type t = { 45 + asn : request ; 46 + raw : string ; 47 + } 48 + 49 + module Asn = struct 50 + open Asn_grammars 51 + open Asn.S 52 + open Registry 53 + 54 + let attributes = 55 + let f = function[@ocaml.warning "-8"] 56 + | (oid, [`C1 p]) when oid = PKCS9.challenge_password -> Ext.B (Password, p) 57 + | (oid, [`C1 n]) when oid = PKCS9.unstructured_name -> Ext.B (Name, n) 58 + | (oid, [`C2 es]) when oid = PKCS9.extension_request -> Ext.B (Extensions, es) 59 + and g (Ext.B (k, v)) : Asn.oid * [ `C1 of string | `C2 of Extension.t ] list = match k, v with 60 + | Ext.Password, v -> (PKCS9.challenge_password, [`C1 v]) 61 + | Ext.Name, v -> (PKCS9.unstructured_name, [`C1 v]) 62 + | Ext.Extensions, v -> (PKCS9.extension_request, [`C2 v]) 63 + in 64 + map f g @@ 65 + sequence2 66 + (required ~label:"attr 
type" oid) 67 + (required ~label:"attr value" 68 + (set_of (choice2 69 + utf8_string 70 + Extension.Asn.extensions_der))) 71 + let request_info = 72 + let f = function 73 + | (0, subject, public_key, extensions) -> 74 + let extensions = 75 + List.fold_left (fun map (Ext.B (k, v)) -> 76 + match Ext.add_unless_bound k v map with 77 + | None -> parse_error "request extension %a already bound" 78 + (Ext.pp_one k) v 79 + | Some b -> b) 80 + Ext.empty extensions 81 + in 82 + { subject ; public_key ; extensions } 83 + | _ -> 84 + parse_error "unknown certificate request info" 85 + and g { subject ; public_key ; extensions } = 86 + let extensions = Ext.bindings extensions in 87 + (0, subject, public_key, extensions) 88 + in 89 + map f g @@ 90 + sequence4 91 + (required ~label:"version" int) 92 + (required ~label:"subject" Distinguished_name.Asn.name) 93 + (required ~label:"subjectPKInfo" Public_key.Asn.pk_info_der) 94 + (required ~label:"attributes" @@ implicit 0 (set_of attributes)) 95 + 96 + let request_info_of_str, request_info_to_str = 97 + projections_of Asn.der request_info 98 + 99 + let signing_request = 100 + let f = fun (info, signature_algorithm, signature) -> 101 + { info ; signature_algorithm ; signature } 102 + and g = fun { info ; signature_algorithm ; signature } -> 103 + (info, signature_algorithm, signature) 104 + in 105 + map f g @@ 106 + sequence3 107 + (required ~label:"certificationRequestInfo" request_info) 108 + (required ~label:"signatureAlgorithm" Algorithm.identifier) 109 + (required ~label:"signature" bit_string_octets) 110 + 111 + let signing_request_of_str, signing_request_to_str = 112 + projections_of Asn.der signing_request 113 + end 114 + 115 + let info { asn ; _ } = asn.info 116 + 117 + let signature_algorithm { asn ; _ } = 118 + Algorithm.to_signature_algorithm asn.signature_algorithm 119 + 120 + let hostnames csr = 121 + let info = info csr in 122 + let subj = 123 + match Distinguished_name.common_name info.subject with 124 + | None -> 
Host.Set.empty 125 + | Some x -> 126 + match Host.host x with 127 + | Some (typ, n) -> Host.Set.singleton (typ, n) 128 + | None -> Host.Set.empty 129 + in 130 + match Ext.(find Extensions info.extensions) with 131 + | None -> subj 132 + | Some exts -> match Extension.hostnames exts with 133 + | Some names -> names 134 + | None -> subj 135 + 136 + let validate_signature allowed_hashes { asn ; raw } = 137 + let raw_data = Validation.raw_cert_hack raw in 138 + Validation.validate_raw_signature asn.info.subject allowed_hashes raw_data 139 + asn.signature_algorithm asn.signature asn.info.public_key 140 + 141 + let decode_der ?(allowed_hashes = Validation.sha2) cs = 142 + let* csr = Asn_grammars.err_to_msg (Asn.signing_request_of_str cs) in 143 + let csr = { raw = cs ; asn = csr } in 144 + let* () = 145 + Result.map_error 146 + (fun e -> `Msg (Fmt.to_to_string Validation.pp_signature_error e)) 147 + (validate_signature allowed_hashes csr) 148 + in 149 + Ok csr 150 + 151 + let encode_der { raw ; _ } = raw 152 + 153 + let decode_pem cs = 154 + let* data = Pem.parse cs in 155 + let crs = 156 + List.filter (fun (t, _) -> String.equal "CERTIFICATE REQUEST" t) data 157 + in 158 + let* csrs = Pem.foldM (fun (_, cs) -> decode_der cs) crs in 159 + Pem.exactly_one ~what:"certificate request" csrs 160 + 161 + let encode_pem v = 162 + Pem.unparse ~tag:"CERTIFICATE REQUEST" (encode_der v) 163 + 164 + let digest_of_key = function 165 + | `RSA _ -> `SHA256 166 + | `ED25519 _ -> `SHA512 167 + | `P256 _ -> `SHA256 168 + | `P384 _ -> `SHA384 169 + | `P521 _ -> `SHA512 170 + 171 + let default_digest digest key = 172 + match digest with None -> digest_of_key key | Some x -> x 173 + 174 + let create subject ?digest ?(extensions = Ext.empty) (key : Private_key.t) = 175 + let hash = default_digest digest key in 176 + let public_key = Private_key.public key in 177 + let info : request_info = { subject ; public_key ; extensions } in 178 + let info_str = Asn.request_info_to_str info in 179 + let 
scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 180 + let* signature = Private_key.sign hash ~scheme key (`Message info_str) in 181 + let signature_algorithm = Algorithm.of_signature_algorithm scheme hash in 182 + let asn = { info ; signature_algorithm ; signature } in 183 + let raw = Asn.signing_request_to_str asn in 184 + Ok { asn ; raw } 185 + 186 + let sign signing_request 187 + ~valid_from ~valid_until 188 + ?(allowed_hashes = Validation.sha2) 189 + ?digest 190 + ?serial 191 + ?(extensions = Extension.empty) 192 + ?(subject = signing_request.asn.info.subject) 193 + key issuer = 194 + let hash = default_digest digest key in 195 + let serial = match serial with 196 + | Some s -> s 197 + | None -> 198 + (* we generate a positive integer, asn1-encoded: so if the high bit is 199 + set, we prepend a 0 byte *) 200 + (* if it starts with 0x00 followed by 0xNN with NN <= 0x7f, we prepend 201 + 0x7f to make the integer valid *) 202 + let s = Mirage_crypto_rng.generate 10 in 203 + let start = String.get_uint8 s 0 in 204 + if start > 0x7f then 205 + "\x00" ^ s 206 + else if start = 0x00 && String.get_uint8 s 1 <= 0x7f then 207 + "\x7f" ^ s 208 + else 209 + s 210 + in 211 + let* () = validate_signature allowed_hashes signing_request in 212 + let signature_algo = 213 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 214 + Algorithm.of_signature_algorithm scheme hash 215 + and info = signing_request.asn.info 216 + in 217 + let tbs_cert : Certificate.tBSCertificate = { 218 + version = `V3 ; 219 + serial ; 220 + signature = signature_algo ; 221 + issuer = issuer ; 222 + validity = (valid_from, valid_until) ; 223 + subject ; 224 + pk_info = info.public_key ; 225 + issuer_id = None ; 226 + subject_id = None ; 227 + extensions 228 + } in 229 + let tbs_raw = Certificate.Asn.tbs_certificate_to_octets tbs_cert in 230 + let scheme = Key_type.x509_default_scheme (Private_key.key_type key) in 231 + let* signature_val = Private_key.sign hash 
~scheme key (`Message tbs_raw) in 232 + let asn = { 233 + Certificate.tbs_cert ; 234 + signature_algo ; 235 + signature_val ; 236 + } in 237 + let raw = Certificate.Asn.certificate_to_octets asn in 238 + Ok { Certificate.asn ; raw }
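Review bot: the attribute decoder `f` in `Asn.attributes` is a `function[@ocaml.warning "-8"]` with only three guarded cases, so a CSR that carries any other attribute OID, or one of the three with more than one value in its SET, falls through to `Match_failure` instead of the `parse_error` path that the rest of the grammar uses. `decode_der` takes untrusted input, so please add a final catch-all case that calls `parse_error` with the offending OID and drop the warning suppression. Also note that `Ext.pp_one` prints the challenge password verbatim (`Fmt.pf ppf "password %s" pass`) and that the duplicate-attribute error in `request_info` formats the value through `Ext.pp_one k`, so a CSR with two challengePassword attributes puts the password into the error message; redacting the `Password` case in the printer would keep it out of logs.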
+520
vendor/opam/x509/lib/validation.ml
··· 1 + let ( let* ) = Result.bind 2 + 3 + let sha2 = [ `SHA256 ; `SHA384 ; `SHA512 ] 4 + let all_hashes = [ `MD5 ; `SHA1 ; `SHA224 ] @ sha2 5 + 6 + let src = Logs.Src.create "x509.validation" ~doc:"X509 validation" 7 + module Log = (val Logs.src_log src : Logs.LOG) 8 + 9 + type signature_error = [ 10 + | `Bad_signature of Distinguished_name.t * string 11 + | `Bad_encoding of Distinguished_name.t * string * string 12 + | `Hash_not_allowed of Distinguished_name.t * [ `MD5 | `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] 13 + | `Unsupported_keytype of Distinguished_name.t * Public_key.t 14 + | `Unsupported_algorithm of Distinguished_name.t * string 15 + | `Msg of string 16 + ] 17 + 18 + let pp_signature_error ppf = function 19 + | `Bad_signature (subj, msg) -> 20 + Fmt.pf ppf "failed to verify signature of %a: %s" 21 + Distinguished_name.pp subj msg 22 + | `Bad_encoding (subj, err, sig_) -> 23 + Fmt.pf ppf "bad signature encoding of %a, ASN error %s:@.%a" 24 + Distinguished_name.pp subj err Ohex.pp sig_ 25 + | `Hash_not_allowed (subj, hash) -> 26 + Fmt.pf ppf "hash algorithm %a is not allowed, but %a is signed using it" 27 + Certificate.pp_hash hash Distinguished_name.pp subj 28 + | `Unsupported_keytype (subj, pk) -> 29 + Fmt.pf ppf "unsupported key used to sign %a: %a" Distinguished_name.pp subj 30 + Public_key.pp pk 31 + | `Unsupported_algorithm (subj, alg) -> 32 + Fmt.pf ppf "unsupported algorithm used to sign %a: %s" 33 + Distinguished_name.pp subj alg 34 + | `Msg msg -> Fmt.string ppf msg 35 + 36 + let maybe_validate_hostname cert = function 37 + | None -> true 38 + | Some x -> Certificate.supports_hostname cert x 39 + 40 + let maybe_validate_ip cert = function 41 + | None -> true 42 + | Some ip -> Certificate.supports_ip cert ip 43 + 44 + let issuer_matches_subject 45 + { Certificate.asn = parent ; _ } { Certificate.asn = cert ; _ } = 46 + Distinguished_name.equal parent.tbs_cert.subject cert.tbs_cert.issuer 47 + 48 + let is_self_signed cert = 
issuer_matches_subject cert cert 49 + 50 + let validate_raw_signature subject allowed_hashes msg sig_alg signature pk = 51 + match Algorithm.to_signature_algorithm sig_alg with 52 + | Some (scheme, siga) -> 53 + (* we check that siga is a member of allowed_hashes, to ensure not 54 + using a weak one. *) 55 + if not (List.mem siga allowed_hashes) then 56 + Error (`Hash_not_allowed (subject, siga)) 57 + else if not (Key_type.supports_signature_scheme (Public_key.key_type pk) scheme) then 58 + Error (`Unsupported_keytype (subject, pk)) 59 + else 60 + let* () = 61 + Result.map_error (function `Msg m -> `Bad_signature (subject, m)) 62 + (Public_key.verify siga ~scheme ~signature pk (`Message msg)) 63 + in 64 + if not (List.mem siga sha2) then 65 + Log.warn (fun m -> m "%a signature uses %a, a weak hash algorithm" 66 + Distinguished_name.pp subject Certificate.pp_hash siga); 67 + Ok () 68 + | None -> 69 + Error (`Unsupported_algorithm (subject, Algorithm.to_string sig_alg)) 70 + 71 + let shift str off = 72 + String.sub str off (String.length str - off) 73 + 74 + (* XXX should return the tbs_cert blob from the parser, this is insane *) 75 + let raw_cert_hack raw = 76 + (* we only support definite-length *) 77 + let loff = 1 in 78 + let snd = String.get_uint8 raw loff in 79 + let lenl = 2 + if 0x80 land snd = 0 then 0 else 0x7F land snd in 80 + (* cut away the SEQUENCE and LENGTH from outer sequence (tbs, sigalg, sig) *) 81 + let cert_buf = shift raw lenl in 82 + let rec l acc idx last = 83 + if idx = last then 84 + acc 85 + else 86 + l (acc lsl 8 + String.get_uint8 cert_buf idx) (succ idx) last 87 + in 88 + let cert_len_byte = String.get_uint8 cert_buf loff in 89 + let cert_len = 90 + (* two cases: *) 91 + if 0x80 land cert_len_byte = 0 then 92 + (* length < 127: highest bit is zero and lower 7 bits encode the length *) 93 + 2 + (0x7F land cert_len_byte) 94 + else 95 + (* length > 127: highest bit is 1 and lower 7 bits encode the bytes used 96 + to encode the length *) 97 
+ let len_len = 2 + 0x7F land cert_len_byte in 98 + len_len + (l 0 2 len_len) 99 + in 100 + String.sub cert_buf 0 cert_len 101 + 102 + let validate_signature allowed_hashes { Certificate.asn = trusted ; _ } { Certificate.asn ; raw } = 103 + let tbs_raw = raw_cert_hack raw in 104 + validate_raw_signature asn.tbs_cert.subject allowed_hashes tbs_raw 105 + asn.signature_algo asn.signature_val trusted.tbs_cert.pk_info 106 + 107 + let validate_time time { Certificate.asn = cert ; _ } = 108 + match time with 109 + | None -> true 110 + | Some now -> 111 + let (not_before, not_after) = cert.tbs_cert.validity in 112 + Ptime.(is_later ~than:not_before now && is_earlier ~than:not_after now) 113 + 114 + let version_matches_extensions { Certificate.asn = cert ; _ } = 115 + let tbs = cert.tbs_cert in 116 + match tbs.version, Extension.is_empty tbs.extensions with 117 + | (`V1 | `V2), true -> true 118 + | (`V1 | `V2), _ -> false 119 + | `V3, _ -> true 120 + 121 + let validate_path_len pathlen { Certificate.asn = cert ; _ } = 122 + (* X509 V1/V2 certificates do not contain X509v3 extensions! *) 123 + (* thus, we cannot check the path length. 
this will only ever happen for trust anchors: *) 124 + (* intermediate CAs are checked by is_cert_valid, which checks that the CA extensions are there *) 125 + (* whereas trust anchor are ok with getting V1/2 certificates *) 126 + (* TODO: make it configurable whether to accept V1/2 certificates at all *) 127 + let exts = cert.tbs_cert.extensions in 128 + match cert.tbs_cert.version, Extension.(find Basic_constraints exts) with 129 + | (`V1 | `V2), _ -> true 130 + | `V3, Some (_ , (true, None)) -> true 131 + | `V3, Some (_ , (true, Some n)) -> n >= pathlen 132 + | _ -> false 133 + 134 + let validate_ca_extensions { Certificate.asn = cert ; _ } = 135 + let exts = cert.tbs_cert.extensions in 136 + (* comments from RFC5280 *) 137 + (* 4.2.1.9 Basic Constraints *) 138 + (* Conforming CAs MUST include this extension in all CA certificates used *) 139 + (* to validate digital signatures on certificates and MUST mark the *) 140 + (* extension as critical in such certificates *) 141 + (* unfortunately, there are 8 CA certs (including the one which 142 + signed google.com) which are _NOT_ marked as critical *) 143 + ( match Extension.(find Basic_constraints exts) with 144 + | Some (_ , (true, _)) -> true 145 + | _ -> false ) && 146 + 147 + (* 4.2.1.3 Key Usage *) 148 + (* Conforming CAs MUST include key usage extension *) 149 + (* CA Cert (cacert.org) does not *) 150 + ( match Extension.(find Key_usage exts) with 151 + (* When present, conforming CAs SHOULD mark this extension as critical *) 152 + (* yeah, you wish... *) 153 + | Some (_, usage) -> List.mem `Key_cert_sign usage 154 + | _ -> false ) && 155 + 156 + (* if we require this, we cannot talk to github.com 157 + (* 4.2.1.12. Extended Key Usage 158 + If a certificate contains both a key usage extension and an extended 159 + key usage extension, then both extensions MUST be processed 160 + independently and the certificate MUST only be used for a purpose 161 + consistent with both extensions. 
If there is no purpose consistent 162 + with both extensions, then the certificate MUST NOT be used for any 163 + purpose. *) 164 + ( match extn_ext_key_usage cert with 165 + | Some (_, Ext_key_usage usages) -> List.mem Any usages 166 + | _ -> true ) && 167 + *) 168 + 169 + (* Name Constraints - name constraints should match servername *) 170 + 171 + (* check criticality *) 172 + Extension.for_all (fun (Extension.B (k, v)) -> 173 + match k with 174 + | Extension.Key_usage -> true 175 + | Extension.Basic_constraints -> true 176 + | _ -> not (Extension.critical k v) ) 177 + exts 178 + 179 + let validate_server_extensions cert = 180 + Extension.for_all (fun (Extension.B (k, v)) -> 181 + match k, v with 182 + | Extension.Basic_constraints, (_, (true, _)) -> 183 + if is_self_signed cert then 184 + (Log.warn (fun m -> m "allowing self-signed certificate with BasicConstraints CA true"); 185 + true) 186 + else 187 + false 188 + | Extension.Basic_constraints, (_, (false, _)) -> true 189 + | Extension.Key_usage, _ -> true 190 + | Extension.Ext_key_usage, _ -> true 191 + | Extension.Subject_alt_name, _ -> true 192 + | Extension.Policies, (crit, ps) -> not crit || List.mem `Any ps 193 + (* we've to deal with _all_ extensions marked critical! 
*) 194 + | _, _ -> not (Extension.critical k v)) 195 + cert.Certificate.asn.tbs_cert.extensions 196 + 197 + let valid_trust_anchor_extensions cert = 198 + match cert.Certificate.asn.tbs_cert.version with 199 + | `V1 | `V2 -> true 200 + | `V3 -> validate_ca_extensions cert 201 + 202 + let ext_authority_matches_subject trusted cert = 203 + match Extension.(find Authority_key_id (Certificate.extensions cert), 204 + find Subject_key_id (Certificate.extensions trusted)) 205 + with 206 + | (_, None) | (None, _) -> true (* not mandatory *) 207 + | Some (_, (Some auth, _, _)), Some (_, au) -> String.equal auth au 208 + (* TODO: check exact rules in RFC5280 *) 209 + | Some (_, (None, _, _)), _ -> true (* not mandatory *) 210 + 211 + (* t -> t list (* set *) -> t list list *) 212 + let rec build_paths fst rst = 213 + match 214 + List.filter 215 + (fun x -> Distinguished_name.equal (Certificate.issuer fst) (Certificate.subject x)) 216 + rst 217 + with 218 + | [] -> [[fst]] 219 + | xs -> 220 + let tails = 221 + List.fold_left 222 + (fun acc x -> acc @ build_paths x (List.filter (fun y -> x <> y) rst)) 223 + [[]] 224 + xs 225 + in 226 + List.map (fun x -> fst :: x) tails 227 + 228 + type ca_error = [ 229 + | signature_error 230 + | `CAIssuerSubjectMismatch of Certificate.t 231 + | `CAInvalidVersion of Certificate.t 232 + | `CACertificateExpired of Certificate.t * Ptime.t option 233 + | `CAInvalidExtensions of Certificate.t 234 + ] 235 + 236 + let pp_ca_error ppf = function 237 + | #signature_error as e -> pp_signature_error ppf e 238 + | `CAIssuerSubjectMismatch c -> 239 + Fmt.pf ppf "CA certificate %a: issuer does not match subject" Certificate.pp c 240 + | `CAInvalidVersion c -> 241 + Fmt.pf ppf "CA certificate %a: version 3 is required for extensions" Certificate.pp c 242 + | `CAInvalidExtensions c -> 243 + Fmt.pf ppf "CA certificate %a: invalid CA extensions" Certificate.pp c 244 + | `CACertificateExpired (c, now) -> 245 + let pp_pt = Ptime.pp_human ~tz_offset_s:0 () in 246 
+ Fmt.pf ppf "CA certificate %a: expired (now %a)" Certificate.pp c 247 + Fmt.(option ~none:(any "no timestamp provided") pp_pt) now 248 + 249 + type leaf_validation_error = [ 250 + | `LeafCertificateExpired of Certificate.t * Ptime.t option 251 + | `LeafInvalidIP of Certificate.t * Ipaddr.t option 252 + | `LeafInvalidName of Certificate.t * [`host] Domain_name.t option 253 + | `LeafInvalidVersion of Certificate.t 254 + | `LeafInvalidExtensions of Certificate.t 255 + ] 256 + 257 + let pp_leaf_validation_error ppf = function 258 + | `LeafCertificateExpired (c, now) -> 259 + let pp_pt = Ptime.pp_human ~tz_offset_s:0 () in 260 + Fmt.pf ppf "leaf certificate %a expired (now %a)" Certificate.pp c 261 + Fmt.(option ~none:(any "no timestamp provided") pp_pt) now 262 + | `LeafInvalidIP (c, ip) -> 263 + Fmt.pf ppf "leaf certificate %a does not contain the IP %a (IPs present: %a)String" 264 + Certificate.pp c Fmt.(option ~none:(any "none") Ipaddr.pp) ip 265 + Fmt.(list ~sep:(any ", ") Ipaddr.pp) (Certificate.ips c |> Ipaddr.Set.elements) 266 + | `LeafInvalidName (c, n) -> 267 + Fmt.pf ppf "leaf certificate %a does not contain the name %a" 268 + Certificate.pp c Fmt.(option ~none:(any "none") Domain_name.pp) n 269 + | `LeafInvalidVersion c -> 270 + Fmt.pf ppf "leaf certificate %a: version 3 is required for extensions" Certificate.pp c 271 + | `LeafInvalidExtensions c -> 272 + Fmt.pf ppf "leaf certificate %a: invalid server extensions" Certificate.pp c 273 + 274 + type chain_validation_error = [ 275 + | `IntermediateInvalidExtensions of Certificate.t 276 + | `IntermediateCertificateExpired of Certificate.t * Ptime.t option 277 + | `IntermediateInvalidVersion of Certificate.t 278 + | `ChainIssuerSubjectMismatch of Certificate.t * Certificate.t 279 + | `ChainAuthorityKeyIdSubjectKeyIdMismatch of Certificate.t * Certificate.t 280 + | `ChainInvalidPathlen of Certificate.t * int 281 + | `EmptyCertificateChain 282 + | `NoTrustAnchor of Certificate.t 283 + | `Revoked of Certificate.t 
284 + ] 285 + 286 + let pp_chain_validation_error ppf = function 287 + | `IntermediateInvalidExtensions c -> 288 + Fmt.pf ppf "intermediate certificate %a: invalid extensions" Certificate.pp c 289 + | `IntermediateCertificateExpired (c, now) -> 290 + let pp_pt = Ptime.pp_human ~tz_offset_s:0 () in 291 + Fmt.pf ppf "intermediate certificate %a expired (now %a)" Certificate.pp c 292 + Fmt.(option ~none:(any "no timestamp provided") pp_pt) now 293 + | `IntermediateInvalidVersion c -> 294 + Fmt.pf ppf "intermediate certificate %a: version 3 is required for extensions" 295 + Certificate.pp c 296 + | `ChainIssuerSubjectMismatch (c, parent) -> 297 + Fmt.pf ppf "invalid chain: issuer of %a does not match subject of %a" 298 + Certificate.pp c Certificate.pp parent 299 + | `ChainAuthorityKeyIdSubjectKeyIdMismatch (c, parent) -> 300 + Fmt.pf ppf "invalid chain: authority key id extension of %a does not match subject key id extension of %a" 301 + Certificate.pp c Certificate.pp parent 302 + | `ChainInvalidPathlen (c, pathlen) -> 303 + Fmt.pf ppf "invalid chain: the path length of %a is smaller than the required path length %d" 304 + Certificate.pp c pathlen 305 + | `EmptyCertificateChain -> Fmt.string ppf "certificate chain is empty" 306 + | `NoTrustAnchor c -> 307 + Fmt.pf ppf "no trust anchor found for %a" Certificate.pp c 308 + | `Revoked c -> 309 + Fmt.pf ppf "certificate %a is revoked" Certificate.pp c 310 + 311 + type chain_error = [ 312 + | signature_error 313 + | leaf_validation_error 314 + | chain_validation_error 315 + ] 316 + 317 + let pp_chain_error ppf = function 318 + | #signature_error as e -> pp_signature_error ppf e 319 + | #leaf_validation_error as l -> pp_leaf_validation_error ppf l 320 + | #chain_validation_error as c -> pp_chain_validation_error ppf c 321 + 322 + type fingerprint_validation_error = [ 323 + | `InvalidFingerprint of Certificate.t * string * string 324 + ] 325 + 326 + let pp_fingerprint_validation_error ppf = function 327 + | 
`InvalidFingerprint (c, c_fp, fp) -> 328 + Fmt.pf ppf "fingerprint for %a (computed %a) does not match, expected %a" 329 + Certificate.pp c Ohex.pp c_fp Ohex.pp fp 330 + 331 + type validation_error = [ 332 + | signature_error 333 + | leaf_validation_error 334 + | fingerprint_validation_error 335 + | `EmptyCertificateChain 336 + | `InvalidChain 337 + ] 338 + 339 + let pp_validation_error ppf = function 340 + | #signature_error as e -> pp_signature_error ppf e 341 + | #leaf_validation_error as l -> pp_leaf_validation_error ppf l 342 + | #fingerprint_validation_error as f -> pp_fingerprint_validation_error ppf f 343 + | `EmptyCertificateChain -> 344 + Fmt.string ppf "provided certificate chain is empty" 345 + | `InvalidChain -> Fmt.string ppf "invalid certificate chain" 346 + 347 + type r = ((Certificate.t list * Certificate.t) option, validation_error) result 348 + 349 + (* TODO RFC 5280: A certificate MUST NOT include more than one 350 + instance of a particular extension. *) 351 + 352 + let is_cert_valid now cert = 353 + match 354 + validate_time now cert, 355 + version_matches_extensions cert, 356 + validate_ca_extensions cert 357 + with 358 + | (true, true, true) -> Ok () 359 + | (false, _, _) -> Error (`IntermediateCertificateExpired (cert, now)) 360 + | (_, false, _) -> Error (`IntermediateInvalidVersion cert) 361 + | (_, _, false) -> Error (`IntermediateInvalidExtensions cert) 362 + 363 + let is_ca_cert_valid allowed_hashes now cert = 364 + match 365 + is_self_signed cert, 366 + version_matches_extensions cert, 367 + validate_signature allowed_hashes cert cert, 368 + validate_time now cert, 369 + valid_trust_anchor_extensions cert 370 + with 371 + | (true, true, Ok (), true, true) -> Ok () 372 + | (false, _, _, _, _) -> Error (`CAIssuerSubjectMismatch cert) 373 + | (_, false, _, _, _) -> Error (`CAInvalidVersion cert) 374 + | (_, _, Error e, _, _) -> Error e 375 + | (_, _, _, false, _) -> Error (`CACertificateExpired (cert, now)) 376 + | (_, _, _, _, false) -> 
Error (`CAInvalidExtensions cert) 377 + 378 + let valid_ca ?(allowed_hashes = all_hashes) ?time cacert = 379 + is_ca_cert_valid allowed_hashes time cacert 380 + 381 + let is_server_cert_valid ip host now cert = 382 + match 383 + validate_time now cert, 384 + maybe_validate_ip cert ip, 385 + maybe_validate_hostname cert host, 386 + version_matches_extensions cert, 387 + validate_server_extensions cert 388 + with 389 + | (true, true, true, true, true) -> Ok () 390 + | (false, _, _, _, _) -> Error (`LeafCertificateExpired (cert, now)) 391 + | (_, false, _, _, _) -> Error (`LeafInvalidIP (cert, ip)) 392 + | (_, _, false, _, _) -> Error (`LeafInvalidName (cert, host)) 393 + | (_, _, _, false, _) -> Error (`LeafInvalidVersion cert) 394 + | (_, _, _, _, false) -> Error (`LeafInvalidExtensions cert) 395 + 396 + let signs hash pathlen trusted cert = 397 + match 398 + issuer_matches_subject trusted cert, 399 + ext_authority_matches_subject trusted cert, 400 + validate_signature hash trusted cert, 401 + validate_path_len pathlen trusted 402 + with 403 + | (true, true, Ok (), true) -> Ok () 404 + | (false, _, _, _) -> Error (`ChainIssuerSubjectMismatch (trusted, cert)) 405 + | (_, false, _, _) -> Error (`ChainAuthorityKeyIdSubjectKeyIdMismatch (trusted, cert)) 406 + | (_, _, Error e, _) -> Error e 407 + | (_, _, _, false) -> Error (`ChainInvalidPathlen (trusted, pathlen)) 408 + 409 + let issuer trusted cert = 410 + List.filter (fun p -> issuer_matches_subject p cert) trusted 411 + 412 + let rec validate_anchors revoked hash pathlen cert = function 413 + | [] -> Error (`NoTrustAnchor cert) 414 + | x::xs -> match signs hash pathlen x cert with 415 + | Ok _ -> if revoked ~issuer:x ~cert then Error (`Revoked cert) else Ok x 416 + | Error _ -> validate_anchors revoked hash pathlen cert xs 417 + 418 + let verify_single_chain now ?(revoked = fun ~issuer:_ ~cert:_ -> false) hash anchors chain = 419 + let rec climb pathlen = function 420 + | cert :: issuer :: certs -> 421 + let* () = 
is_cert_valid now issuer in 422 + let* () = if revoked ~issuer ~cert then Error (`Revoked cert) else Ok () in 423 + let* () = signs hash pathlen issuer cert in 424 + climb (succ pathlen) (issuer :: certs) 425 + | [c] -> 426 + let anchors = issuer anchors c in 427 + validate_anchors revoked hash pathlen c anchors 428 + | [] -> Error `EmptyCertificateChain 429 + in 430 + climb 0 chain 431 + 432 + let verify_chain ?ip ~host ~time ?revoked ?(allowed_hashes = sha2) ~anchors = function 433 + | [] -> Error `EmptyCertificateChain 434 + | server :: certs -> 435 + let now = time () in 436 + let anchors = List.filter (validate_time now) anchors in 437 + let* () = is_server_cert_valid ip host now server in 438 + verify_single_chain now ?revoked allowed_hashes anchors (server :: certs) 439 + 440 + let rec any_m e f = function 441 + | [] -> Error e 442 + | c::cs -> match f c with 443 + | Ok ta -> Ok (Some (c, ta)) 444 + | Error _ -> any_m e f cs 445 + 446 + let verify_chain_of_trust ?ip ~host ~time ?revoked ?(allowed_hashes = sha2) ~anchors = function 447 + | [] -> Error `EmptyCertificateChain 448 + | server :: certs -> 449 + let now = time () in 450 + (* verify server! *) 451 + let* () = is_server_cert_valid ip host now server in 452 + (* build all paths *) 453 + let paths = build_paths server certs 454 + and anchors = List.filter (validate_time now) anchors 455 + in 456 + (* exists there one which is good? 
*) 457 + any_m `InvalidChain (verify_single_chain now ?revoked allowed_hashes anchors) paths 458 + 459 + let valid_cas ?(allowed_hashes = all_hashes) ?time cas = 460 + List.filter (fun cert -> 461 + Result.is_ok (is_ca_cert_valid allowed_hashes time cert)) 462 + cas 463 + 464 + let fingerprint_verification ?ip host now fingerprint fp = function 465 + | [] -> Error `EmptyCertificateChain 466 + | server::_ -> 467 + let computed_fingerprint = fp server in 468 + if String.equal computed_fingerprint fingerprint then 469 + match 470 + validate_time now server, 471 + maybe_validate_hostname server host, 472 + maybe_validate_ip server ip 473 + with 474 + | true , true , true -> Ok None 475 + | false, _ , _ -> Error (`LeafCertificateExpired (server, now)) 476 + | _ , false, _ -> Error (`LeafInvalidName (server, host)) 477 + | _ , _ , false -> Error (`LeafInvalidIP (server, ip)) 478 + else 479 + Error (`InvalidFingerprint (server, computed_fingerprint, fingerprint)) 480 + 481 + let trust_key_fingerprint ?ip ~host ~time ~hash ~fingerprint = 482 + let now = time () in 483 + let fp cert = Public_key.fingerprint ~hash (Certificate.public_key cert) in 484 + fingerprint_verification ?ip host now fingerprint fp 485 + 486 + let trust_cert_fingerprint ?ip ~host ~time ~hash ~fingerprint = 487 + let now = time () in 488 + let fp = Certificate.fingerprint hash in 489 + fingerprint_verification ?ip host now fingerprint fp 490 + 491 + (* RFC5246 says 'root certificate authority MAY be omitted' *) 492 + 493 + (* TODO: how to deal with 494 + 2.16.840.1.113730.1.1 - Netscape certificate type 495 + 2.16.840.1.113730.1.12 - SSL server name 496 + 2.16.840.1.113730.1.13 - Netscape certificate comment *) 497 + 498 + (* stuff from 4366 (TLS extensions): 499 + - root CAs 500 + - client cert url *) 501 + 502 + (* Future TODO Certificate Revocation Lists and OCSP (RFC6520) 503 + 2.16.840.1.113730.1.2 - Base URL 504 + 2.16.840.1.113730.1.3 - Revocation URL 505 + 2.16.840.1.113730.1.4 - CA Revocation 
URL 506 + 2.16.840.1.113730.1.7 - Renewal URL 507 + 2.16.840.1.113730.1.8 - Netscape CA policy URL 508 + 509 + 2.5.4.38 - id-at-authorityRevocationList 510 + 2.5.4.39 - id-at-certificateRevocationList 511 + 512 + do not forget about 'authority information access' (private internet extension -- 4.2.2 of 5280) *) 513 + 514 + (* Future TODO: Policies 515 + 2.5.29.32 - Certificate Policies 516 + 2.5.29.33 - Policy Mappings 517 + 2.5.29.36 - Policy Constraints 518 + *) 519 + 520 + (* Future TODO: anything with subject_id and issuer_id ? seems to be not used by anybody *)
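Review bot: `raw_cert_hack` recovers the signed tbsCertificate bytes by re-reading the DER length octets by hand (`String.get_uint8 raw loff`, `l 0 2 len_len`) with no check that the computed offsets stay inside `raw`, and `validate_signature` verifies the signature over whatever slice it returns. The function's own comment (`XXX should return the tbs_cert blob from the parser`) names the fix: have the certificate decoder hand back the exact tbs_cert slice, so the bytes that are verified are by construction the bytes that were parsed. Until then, an explicit bounds check that returns `Bad_signature` would be safer than relying on `String.get_uint8` / `String.sub` raising. Smaller points in the same file: the `LeafInvalidIP` format string ends in a stray `String` after `(IPs present: %a)`; the length comments say `length < 127` and `length > 127`, although the short form covers lengths up to and including 127; and the revocation TODO cites RFC6520 for OCSP, which is the TLS Heartbeat extension (OCSP is RFC 6960).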
+27
vendor/opam/x509/lib/x509.ml
··· 1 + module Host = Host 2 + 3 + module Key_type = Key_type 4 + 5 + module Public_key = Public_key 6 + 7 + module Private_key = Private_key 8 + 9 + module Distinguished_name = Distinguished_name 10 + 11 + module General_name = General_name 12 + 13 + module Certificate = Certificate 14 + 15 + module Validation = Validation 16 + 17 + module Extension = Extension 18 + 19 + module Signing_request = Signing_request 20 + 21 + module CRL = Crl 22 + 23 + module Authenticator = Authenticator 24 + 25 + module PKCS12 = P12 26 + 27 + module OCSP = Ocsp
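Review bot: `module OCSP = Ocsp` at the end of x509.ml exports an OCSP module, while the header comment of x509.mli added in the same merge still says "Missing is the handling of online certificate status protocol", so one of the two is stale. In validation.ml revocation is only consulted through the optional `revoked` callback, which `verify_single_chain` defaults to `fun ~issuer:_ ~cert:_ -> false`; if that is the intended split, the .mli should say that OCSP is available but not wired into chain validation, so callers know they must supply `revoked` themselves.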
+1248
vendor/opam/x509/lib/x509.mli
··· 1 + (** X509 encoding, generation, and validation. 2 + 3 + [X509] is a module for handling X.509 certificates and supplementary 4 + material (such as public and private RSA or EC keys), as described in 5 + {{:https://tools.ietf.org/html/rfc5280}RFC 5280}. X.509 describes a 6 + hierarchical public key infrastructure, where all trust is delegated to 7 + certificate authorities (CA). The task of a CA is to sign certificate 8 + signing requests (CSR), which turns them into certificates, after 9 + verification that the requestor is eligible. 10 + 11 + An X.509 certificate is an authentication token: a public key, a subject 12 + (e.g. server name), a validity period, optionally a purpose (usage), and 13 + various other optional {{!Extension}Extensions}. The overall approach of 14 + this package is to support decoding what is present in the real world, 15 + including weak ciphers (various validation functions support an allow list 16 + to avoid using weak hashes in chains if needed). 17 + 18 + The public keys of trusted CAs are distributed with the software, or 19 + configured manually. When an endpoint connects, it presents its 20 + certificate chain, which are pairwise signed certificates. This chain is 21 + verified: the signatures have to be valid, the last certificate must be 22 + signed by a trusted CA, the name has to match the expected name, all 23 + certificates must be valid at the current time, and the purpose of each 24 + certificate must match its usage. An alternative validator checks that the 25 + hash of the server certificate matches the given hash. 26 + 27 + This module uses the [result] type for errors. No provided binging raises 28 + an exception. 
Provided submodules include decoders and encoders (ASN.1 DER 29 + and PEM encoding) of X.509v3 {{!Certificate}certificates}, 30 + {{!Distinguished_name}distinguished names}, {{!Public_key}public keys} and 31 + {{!Private_key}private keys} 32 + ({{:http://tools.ietf.org/html/rfc5208}PKCS 8, RFC 5208}), and 33 + {{!Signing_request}certificate signing requests} 34 + ({{:http://tools.ietf.org/html/rfc2986}PKCS 10, RFC 2986}, 35 + both use parts of 36 + {{:https://tools.ietf.org/html/rfc2985}PKCS 9, RFC 2985}), 37 + {{!Validation} certificate validation} by construction of 38 + {{!Authenticator} authenticators}. Name validation, as defined in 39 + {{:https://tools.ietf.org/html/rfc6125}RFC 6125}, is also implemented. 40 + 41 + The archive format for certificates and private keys, 42 + {{:https://tools.ietf.org/html/rfc7292}PKCS 12, RFC 7292}, is 43 + implemented in the {!PKCS12} submodule. While PKCS 12 decryption 44 + supports the weak algorithm used by default by widely used software (RC2!), 45 + the encryption path only supports AES. 46 + 47 + Missing is the handling of online certificate status protocol. Some X.509v3 48 + extensions are not handled, but only parsed, such as name constraints. If any 49 + extension is marked as critical in a certificate, but not handled, the 50 + validation will fail. 51 + 52 + {e %%VERSION%% - {{:%%PKG_HOMEPAGE%% }homepage}} *) 53 + 54 + (** Hostnames (strict, wildcard), used for validation. *) 55 + module Host : sig 56 + (** The polymorphic variant for hostname validation. *) 57 + type t = [ `Strict | `Wildcard ] * [ `host ] Domain_name.t 58 + 59 + (** [pp ppf host] pretty-prints [host] on [ppf]: if it is a wildcard, "*." is 60 + prefixed to the domain name. *) 61 + val pp : t Fmt.t 62 + 63 + (** The module for a set of hostnames. *) 64 + module Set : sig 65 + include Set.S with type elt = t 66 + 67 + (** [pp ppf host_set] pretty-prints the [host_set]. 
*) 68 + val pp : t Fmt.t 69 + end 70 + end 71 + 72 + (** Types of keys *) 73 + module Key_type : sig 74 + (** The polymorphic variant of key types. *) 75 + type t = [ `RSA | `ED25519 | `P256 | `P384 | `P521 ] 76 + 77 + val strings : (string * t) list 78 + (** [strings] is an associative list of string and key_type pairs. Useful for 79 + {{:https://erratique.ch/software/cmdliner}cmdliner} (Arg.enum). *) 80 + 81 + val to_string : t -> string 82 + (** [to_string kt] is a string representation of [kt]. *) 83 + 84 + val of_string : string -> (t, [> `Msg of string ]) result 85 + (** [of_string s] is [Ok key_type] if the string could be decoded as 86 + [key_type], or an [Error _]. *) 87 + 88 + val pp : t Fmt.t 89 + (** [pp ppf t] is a pretty printer of [t] on [ppf]. *) 90 + 91 + (** The type of signature schemes. *) 92 + type signature_scheme = [ `RSA_PSS | `RSA_PKCS1 | `ECDSA | `ED25519 ] 93 + 94 + val pp_signature_scheme : signature_scheme Fmt.t 95 + (** [pp_signature_scheme ppf s] is a pretty-printer of [s] on [ppf]. *) 96 + 97 + val supports_signature_scheme : t -> signature_scheme -> bool 98 + (** [supports_scheme key_type scheme] is [true] if the signature [scheme] 99 + is supported with [key type]. *) 100 + end 101 + 102 + (** Public keys *) 103 + module Public_key : sig 104 + (** Public keys as specified in {{:http://tools.ietf.org/html/rfc5208}PKCS 8} 105 + are supported in this module. *) 106 + 107 + (** {1 The type for public keys} *) 108 + 109 + (** The polymorphic variant of public keys, with 110 + {{:http://tools.ietf.org/html/rfc5208}PKCS 8} encoding and decoding to 111 + PEM. *) 112 + type t = [ 113 + | `RSA of Mirage_crypto_pk.Rsa.pub 114 + | `ED25519 of Mirage_crypto_ec.Ed25519.pub 115 + | `P256 of Mirage_crypto_ec.P256.Dsa.pub 116 + | `P384 of Mirage_crypto_ec.P384.Dsa.pub 117 + | `P521 of Mirage_crypto_ec.P521.Dsa.pub 118 + ] 119 + 120 + (** {1 Operations on public keys} *) 121 + 122 + (** [pp ppf pub] pretty-prints the public key [pub] on [ppf]. 
*) 123 + val pp : t Fmt.t 124 + 125 + (** [id public_key] is [digest], the 160-bit [`SHA1] hash of the BIT 126 + STRING subjectPublicKey (excluding tag, length, and number of 127 + unused bits) for publicKeyInfo of [public_key]. 128 + 129 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.2}RFC 5280, 4.2.1.2, variant (1)} *) 130 + val id : t -> string 131 + 132 + (** [fingerprint ?hash public_key] is [digest], the hash (by 133 + default SHA256) of the DER encoded public key (equivalent to 134 + [openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -HASH]). *) 135 + val fingerprint : ?hash:Digestif.hash' -> t -> string 136 + 137 + (** [key_type public_key] is its [key_type]. *) 138 + val key_type : t -> Key_type.t 139 + 140 + (** {1 Cryptographic verify operation} *) 141 + 142 + (** [verify hash ~scheme ~signature key data] verifies whether the [signature] 143 + on [data] is valid using the [key], or not. The [signature] must be in 144 + ASN.1 DER encoding. The [scheme] defaults to [`RSA_PSS] for RSA, 145 + [`ED25519] for ED25519, and [`ECDSA] for other EC keys. *) 146 + val verify : Digestif.hash' -> 147 + ?scheme:Key_type.signature_scheme -> 148 + signature:string -> t -> 149 + [ `Message of string | `Digest of string ] -> 150 + (unit, [> `Msg of string ]) result 151 + 152 + (** {1 Decoding and encoding in ASN.1 DER and PEM format} *) 153 + 154 + (** [encode_der pk] is [buffer], the ASN.1 encoding of the given public key. *) 155 + val encode_der : t -> string 156 + 157 + (** [decode_der buffer] is [pubkey], the public key of the ASN.1 encoded buffer. *) 158 + val decode_der : string -> (t, [> `Msg of string ]) result 159 + 160 + (** [decode_pem pem] is [t], where the public key of [pem] is extracted *) 161 + val decode_pem : string -> (t, [> `Msg of string ]) result 162 + 163 + (** [encode_pem public_key] is [pem], the pem encoded public key. 
*) 164 + val encode_pem : t -> string 165 + end 166 + 167 + (** Private keys *) 168 + module Private_key : sig 169 + (** Private keys as defined in 170 + {{:http://tools.ietf.org/html/rfc5208}PKCS 8}: decoding and encoding 171 + in PEM format *) 172 + 173 + (** {1 The type for private keys} *) 174 + 175 + (** The polymorphic variant of private keys. *) 176 + type t = [ 177 + | `RSA of Mirage_crypto_pk.Rsa.priv 178 + | `ED25519 of Mirage_crypto_ec.Ed25519.priv 179 + | `P256 of Mirage_crypto_ec.P256.Dsa.priv 180 + | `P384 of Mirage_crypto_ec.P384.Dsa.priv 181 + | `P521 of Mirage_crypto_ec.P521.Dsa.priv 182 + ] 183 + 184 + (** {1 Constructing private keys} *) 185 + 186 + (** [generate ~seed ~bits type] generates a private key of the given 187 + key type. The argument [bits] is only used for the bit length of RSA keys. 188 + If [seed] is provided, this is used to seed the random number generator. 189 + *) 190 + val generate : ?seed:string -> ?bits:int -> Key_type.t -> t 191 + 192 + (** [of_octets data type] decodes the buffer as private key. Only supported 193 + for elliptic curve keys. *) 194 + val of_octets : string -> Key_type.t -> (t, [> `Msg of string ]) result 195 + 196 + (** [of_string ~seed_or_data ~bits type data] attempts to decode the data as a 197 + private key. If [seed_or_data] is provided and [`Seed], the [data] is 198 + taken as seed and {!generate} is used. If it is [`Data], {!of_octets} is 199 + used with the Base64 decoded [data]. By default, if [type] is RSA, the 200 + data is used as seed, otherwise directly as the private key data. *) 201 + val of_string : ?seed_or_data:[`Seed | `Data] -> ?bits:int -> Key_type.t -> 202 + string -> (t, [> `Msg of string ]) result 203 + 204 + (** {1 Operations on private keys} *) 205 + 206 + (** [key_type priv] is the key type of [priv]. *) 207 + val key_type : t -> Key_type.t 208 + 209 + (** [public priv] is the corresponding public key of [priv]. 
*) 210 + val public : t -> Public_key.t 211 + 212 + (** {1 Cryptographic sign operation} *) 213 + 214 + (** [sign hash ~scheme key data] signs [data] with [key] using [hash] and 215 + [scheme]. If [data] is [`Message _], the [hash] will be applied before 216 + the signature. The [scheme] defaults to [`RSA_PSS] for RSA keys, 217 + [`ED25519] for ED25519, and [`ECDSA] for other EC keys. *) 218 + val sign : Digestif.hash' -> 219 + ?scheme:Key_type.signature_scheme -> 220 + t -> [ `Digest of string | `Message of string ] -> 221 + (string, [> `Msg of string ]) result 222 + 223 + (** {1 Decoding and encoding in ASN.1 DER and PEM format} *) 224 + 225 + (** [decode_der der] is [t], where the private key of [der] is 226 + extracted. It must be in PKCS8 (RFC 5208, Section 5) PrivateKeyInfo 227 + structure. *) 228 + val decode_der : string -> (t, [> `Msg of string ]) result 229 + 230 + (** [encode_der key] is [der], the encoded private key as PKCS8 (RFC 5208, 231 + Section 5) PrivateKeyInfo structure. *) 232 + val encode_der : t -> string 233 + 234 + (** [decode_pem pem] is [t], where the private key of [pem] is 235 + extracted. Both RSA PRIVATE KEY and PRIVATE KEY stanzas are supported. *) 236 + val decode_pem : string -> (t, [> `Msg of string ]) result 237 + 238 + (** [encode_pem key] is [pem], the encoded private key (using [PRIVATE KEY]). *) 239 + val encode_pem : t -> string 240 + end 241 + 242 + (** X.500 distinguished name *) 243 + module Distinguished_name : sig 244 + 245 + (** The variant of a relative distinguished name component, as defined in 246 + X.500: an attribute type and value. 
*) 247 + type attribute = 248 + | CN of string 249 + | Serialnumber of string 250 + | C of string 251 + | L of string 252 + | ST of string 253 + | O of string 254 + | OU of string 255 + | T of string 256 + | DNQ of string 257 + | Mail of string 258 + | DC of string 259 + | Given_name of string 260 + | Surname of string 261 + | Initials of string 262 + | Pseudonym of string 263 + | Generation of string 264 + | Street of string 265 + | Userid of string 266 + | Other of Asn.oid * string 267 + 268 + (** Relative_distinguished_name is a set of attributes. *) 269 + module Relative_distinguished_name : Set.S with type elt = attribute 270 + 271 + (** A distinguished name is a list of relative distinguished names, starting 272 + with the most significant component. *) 273 + type t = Relative_distinguished_name.t list 274 + 275 + (** [equal a b] is [true] if the distinguished names [a] and [b] are equal. *) 276 + val equal : t -> t -> bool 277 + 278 + (** [make_pp ()] creates a customized pretty-printer for {!t}. 279 + 280 + @param format 281 + Determines RDN order, escaping rules, and the default spacing: 282 + - [`RFC4514] produces the 283 + {{:https://tools.ietf.org/html/rfc4514}RFC4514}. 284 + RDNs are written in reverse order of the ASN.1 representation and 285 + spacing defaults to tight. 286 + - [`OpenSSL] produces the a format similar to OpenSSL. RDNs are written 287 + in the order of the ASN.1 representation, and spacing defaults to 288 + loose. 289 + - [`OSF] emits RDNs in the order they occur in the ASN.1 representation, 290 + each prefixed by a slashes, using tight spacing. This format is 291 + designed by analogy to RFC4514, substituting slash for comma an 292 + semicolon, and may currently not be fully compliant with the OSF 293 + specifications. 
294 + 295 + @param spacing 296 + Determines whether to add space around separators: 297 + 298 + - [`Tight] to not add any redundant space, 299 + - [`Medium] to add space after comma and around plus signs, and 300 + - [`Loose] to also add space around equality signs. 301 + 302 + This parameter is currently ignored for the OSF format. 303 + 304 + The pretty-printer can be wrapped in a box to control line breaking and 305 + set it apart, otherwise the RDN components will flow with the surrounding 306 + text. *) 307 + val make_pp : 308 + format: [`RFC4514 | `OpenSSL | `OSF] -> 309 + ?spacing: [`Tight | `Medium | `Loose] -> 310 + unit -> t Fmt.t 311 + 312 + (** [pp ppf dn] pretty-prints the distinguished name. This is currently 313 + [Fmt.hbox (make_pp ~format:`OSF ())]. If your application relies on the 314 + precise format, it is advicable to create a custom formatter with 315 + {!make_pp} to guard against future changes to the default format. *) 316 + val pp : t Fmt.t 317 + 318 + (** [common_name t] is [Some x] if the distinguished name [t] contains a 319 + [CN x], [None] otherwise. *) 320 + val common_name : t -> string option 321 + 322 + (** [decode_der cs] is [dn], the ASN.1 decoded distinguished name of [cs]. *) 323 + val decode_der : string -> (t, [> `Msg of string ]) result 324 + 325 + (** [encode_der dn] is [octets], the ASN.1 encoded representation of the 326 + distinguished name [dn]. *) 327 + val encode_der : t -> string 328 + end 329 + 330 + (** A list of [general_name]s is the value of both 331 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.6}subjectAltName} 332 + and 333 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.7}IssuerAltName} 334 + extension. 
*) 335 + module General_name : sig 336 + type _ k = 337 + | Other : Asn.oid -> string list k 338 + | Rfc_822 : string list k 339 + | DNS : string list k 340 + | X400_address : unit k 341 + | Directory : Distinguished_name.t list k 342 + | EDI_party : (string option * string) list k 343 + | URI : string list k 344 + | IP : string list k 345 + | Registered_id : Asn.oid list k 346 + 347 + include Gmap.S with type 'a key = 'a k 348 + 349 + val pp : t Fmt.t 350 + end 351 + 352 + 353 + (** X.509v3 extensions *) 354 + module Extension : sig 355 + 356 + (** The polymorphic variant of 357 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.3}key usages}. *) 358 + type key_usage = [ 359 + | `Digital_signature 360 + | `Content_commitment 361 + | `Key_encipherment 362 + | `Data_encipherment 363 + | `Key_agreement 364 + | `Key_cert_sign 365 + | `CRL_sign 366 + | `Encipher_only 367 + | `Decipher_only 368 + ] 369 + 370 + (** The polymorphic variant of 371 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.12}extended key usages}. *) 372 + type extended_key_usage = [ 373 + | `Any 374 + | `Server_auth 375 + | `Client_auth 376 + | `Code_signing 377 + | `Email_protection 378 + | `Ipsec_end 379 + | `Ipsec_tunnel 380 + | `Ipsec_user 381 + | `Time_stamping 382 + | `Ocsp_signing 383 + | `Other of Asn.oid 384 + ] 385 + 386 + (** The authority key identifier, as present in the 387 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.1}Authority Key Identifier} 388 + extension. *) 389 + type authority_key_id = string option * General_name.t * string option 390 + 391 + (** The private key usage period, as defined in 392 + {{:https://tools.ietf.org/html/rfc3280#section-4.2.1.4}RFC 3280}. *) 393 + type priv_key_usage_period = [ 394 + | `Interval of Ptime.t * Ptime.t 395 + | `Not_after of Ptime.t 396 + | `Not_before of Ptime.t 397 + ] 398 + 399 + (** Name constraints, as defined in 400 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.10}RFC 5280}. 
*) 401 + type name_constraint = (General_name.b * int * int option) list 402 + 403 + (** Certificate policies, the 404 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.4}policy extension}. *) 405 + type policy = [ `Any | `Something of Asn.oid ] 406 + 407 + (** Type of 408 + {{:https://tools.ietf.org/html/rfc5280#section-5.3.1}revocation reasons} 409 + for a given distribution point. *) 410 + type reason = [ 411 + | `Unspecified 412 + | `Key_compromise 413 + | `CA_compromise 414 + | `Affiliation_changed 415 + | `Superseded 416 + | `Cessation_of_operation 417 + | `Certificate_hold 418 + | `Remove_from_CRL 419 + | `Privilege_withdrawn 420 + | `AA_compromise 421 + ] 422 + 423 + (** Distribution point name, either a full one using general names, or a 424 + relative one using a distinguished name. *) 425 + type distribution_point_name = 426 + [ `Full of General_name.t 427 + | `Relative of Distinguished_name.t ] 428 + 429 + (** {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.13}Distribution point}, 430 + consisting of an optional name, an optional list of allowed reasons, and 431 + an optional issuer. *) 432 + type distribution_point = 433 + distribution_point_name option * 434 + reason list option * 435 + General_name.t option 436 + 437 + (** The type of an extension: the critical flag and the value itself. *) 438 + type 'a extension = bool * 'a 439 + 440 + (** The type of supported 441 + {{:https://tools.ietf.org/html/rfc5280#section-4.2}X509v3} and 442 + {{:https://tools.ietf.org/html/rfc5280#section-5.2}CRL} extensions. 
*) 443 + type _ k = 444 + | Unsupported : Asn.oid -> string extension k 445 + | Subject_alt_name : General_name.t extension k 446 + | Authority_key_id : authority_key_id extension k 447 + | Subject_key_id : string extension k 448 + | Issuer_alt_name : General_name.t extension k 449 + | Key_usage : key_usage list extension k 450 + | Ext_key_usage : extended_key_usage list extension k 451 + | Basic_constraints : (bool * int option) extension k 452 + | CRL_number : int extension k 453 + | Delta_CRL_indicator : int extension k 454 + | Priv_key_period : priv_key_usage_period extension k 455 + | Name_constraints : (name_constraint * name_constraint) extension k 456 + | CRL_distribution_points : distribution_point list extension k 457 + | Issuing_distribution_point : (distribution_point_name option * bool * bool * reason list option * bool * bool) extension k 458 + | Freshest_CRL : distribution_point list extension k 459 + | Reason : reason extension k 460 + | Invalidity_date : Ptime.t extension k 461 + | Certificate_issuer : General_name.t extension k 462 + | Policies : policy list extension k 463 + 464 + include Gmap.S with type 'a key = 'a k 465 + 466 + (** [critical ext_key ext_value] is the critical bit in [ext_value]. *) 467 + val critical : 'a key -> 'a -> bool 468 + 469 + (** [pp ppf ext_map] pretty-prints the extension map. *) 470 + val pp : t Fmt.t 471 + 472 + (** [pp' custom ppf ext_map] pretty-prints the extension map using [custom] 473 + to print [Unsupported _] extensions. *) 474 + val pp' : (Asn.oid * string) Fmt.t -> t Fmt.t 475 + end 476 + 477 + (** X509v3 certificate *) 478 + module Certificate : sig 479 + 480 + (** [decode_pkcs1_digest_info buffer] is [hash, signature], the hash and raw 481 + signature of the given [buffer] in ASN.1 DER encoding, or an error. 
*) 482 + val decode_pkcs1_digest_info : string -> 483 + ([ `MD5 | `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] * string, [> `Msg of string ]) result 484 + 485 + (** [encode_pkcs1_digest_info (hash, signature)] is [data], the ASN.1 DER 486 + encoded hash and signature. *) 487 + val encode_pkcs1_digest_info : [ `MD5 | `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] * string -> string 488 + 489 + (** {1 Abstract certificate type} *) 490 + 491 + (** The abstract type of a certificate. *) 492 + type t 493 + 494 + (** [pp ppf cert] pretty-prints the certificate. *) 495 + val pp : t Fmt.t 496 + 497 + (** [pp' pp_custom_extensions ppf cert] pretty-prints the certificate using 498 + [pp_custom_extensions] for [Extension.Unsupported _] extension. *) 499 + val pp' : (Asn.oid * string) Fmt.t -> t Fmt.t 500 + 501 + (** {1 Encoding and decoding in ASN.1 DER and PEM format} *) 502 + 503 + (** [decode_der octets] is [certificate], the ASN.1 decoded [certificate] 504 + or an error. *) 505 + val decode_der : string -> (t, [> `Msg of string ]) result 506 + 507 + (** [encode_der certificate] is [octets], the ASN.1 encoded representation of 508 + the [certificate]. *) 509 + val encode_der : t -> string 510 + 511 + (** [decode_pem_multiple pem] is [t list], where all certificates of the [pem] 512 + are extracted *) 513 + val decode_pem_multiple : string -> (t list, [> `Msg of string ]) result 514 + 515 + (** [fold_decode_pem_multiple fn acc pem] is a fold of the function [fn], 516 + with the initial accumulator [acc], over the certificates extracted 517 + (and potential parsing errors) from the [pem]. *) 518 + val fold_decode_pem_multiple : ('a -> (t, [> `Msg of string ]) result -> 'a) -> 'a -> string -> 'a 519 + 520 + (** [decode_pem pem] is [t], where the single certificate of the 521 + [pem] is extracted *) 522 + val decode_pem : string -> (t, [> `Msg of string ]) result 523 + 524 + (** [encode_pem_multiple certificates] is [pem], the pem encoded certificates. 
*) 525 + val encode_pem_multiple : t list -> string 526 + 527 + (** [encode_pem certificate] is [pem], the pem encoded certificate. *) 528 + val encode_pem : t -> string 529 + 530 + (** {1 Operations on certificates} *) 531 + 532 + (** [supports_keytype certificate key_type] is [result], whether public key of 533 + the [certificate] matches the given [key_type]. *) 534 + val supports_keytype : t -> Key_type.t -> bool 535 + 536 + (** [public_key certificate] is [pk], the public key of the [certificate]. *) 537 + val public_key : t -> Public_key.t 538 + 539 + (** [signature_algorithm certificate] is the algorithm used for the signature. *) 540 + val signature_algorithm : t -> 541 + (Key_type.signature_scheme * Digestif.hash') option 542 + 543 + (** [hostnames certficate] is the set of domain names this 544 + [certificate] is valid for. Currently, these are the DNS names of the 545 + {{:https://tools.ietf.org/html/rfc5280#section-4.2.1.6}Subject Alternative Name} 546 + extension, if present, or otherwise the singleton set containing the common 547 + name of the certificate subject. *) 548 + val hostnames : t -> Host.Set.t 549 + 550 + (** [supports_hostname certificate hostname] is [result], whether the 551 + [certificate] contains the given [hostname], using {!hostnames}. *) 552 + val supports_hostname : t -> [`host] Domain_name.t -> bool 553 + 554 + (** [ips certificate] are the IP addresses the certificate is valid 555 + for (as specified in SubjectAlternativeName extensioni). *) 556 + val ips : t -> Ipaddr.Set.t 557 + 558 + (** [supports_ip cert ip] is [true] if the [ip] is mentioned in 559 + the SubjectAlternativeName extension, [false] otherwise. 
*) 560 + val supports_ip : t -> Ipaddr.t -> bool 561 + 562 + (** [fingerprint hash cert] is [digest], the digest of [cert] using the 563 + specified [hash] algorithm *) 564 + val fingerprint : Digestif.hash' -> t -> string 565 + 566 + (** [subject certificate] is [dn], the subject as distinguished name of 567 + the [certificate]. *) 568 + val subject : t -> Distinguished_name.t 569 + 570 + (** [issuer certificate] is [dn], the issuer as distinguished name of 571 + the [certificate]. *) 572 + val issuer : t -> Distinguished_name.t 573 + 574 + (** [serial certificate] is [sn], the serial number of the [certificate]. 575 + A serial is a positive number of at most 20 octets. 0 is supported. A 576 + negative serial number is supported when decoding a certificate, but when 577 + encoding, an octet of 0 is prepended making it positive. *) 578 + val serial : t -> string 579 + 580 + (** [validity certificate] is [from, until], the validity of the certificate. *) 581 + val validity : t -> Ptime.t * Ptime.t 582 + 583 + (** [extensions certificate] is the extension map of [certificate]. *) 584 + val extensions : t -> Extension.t 585 + end 586 + 587 + (** Chain Validation. *) 588 + module Validation : sig 589 + (** A chain of pairwise signed X.509 certificates is sent to the endpoint, 590 + which use these to authenticate the other endpoint. Usually a set of 591 + trust anchors is configured on the endpoint, and the chain needs to be 592 + rooted in one of the trust anchors. In reality, chains may be incomplete 593 + or reversed, and there can be multiple paths from the leaf certificate to 594 + a trust anchor. 595 + 596 + RFC 5280 specifies a {{:https://tools.ietf.org/html/rfc5280#section-6}path 597 + validation} algorithm for authenticating chains, but this does not handle 598 + multiple possible paths. {{:https://tools.ietf.org/html/rfc4158}RFC 4158} 599 + describes possible path building strategies. 
600 + 601 + This module provides path building, chain of trust verification, trust 602 + anchor (certificate authority) validation, and validation via a 603 + fingerprint list (for a trust on first use implementation). 604 + *) 605 + 606 + (** The type of signature verification errors. *) 607 + type signature_error = [ 608 + | `Bad_signature of Distinguished_name.t * string 609 + | `Bad_encoding of Distinguished_name.t * string * string 610 + | `Hash_not_allowed of Distinguished_name.t * [ `MD5 | `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] 611 + | `Unsupported_keytype of Distinguished_name.t * Public_key.t 612 + | `Unsupported_algorithm of Distinguished_name.t * string 613 + | `Msg of string 614 + ] 615 + 616 + (** [pp_signature_error ppf sige] pretty-prints the signature error [sige] on 617 + [ppf]. *) 618 + val pp_signature_error : signature_error Fmt.t 619 + 620 + (** {1 Certificate Authorities} *) 621 + 622 + (** The polymorphic variant of possible certificate authorities failures. *) 623 + type ca_error = [ 624 + | signature_error 625 + | `CAIssuerSubjectMismatch of Certificate.t 626 + | `CAInvalidVersion of Certificate.t 627 + | `CACertificateExpired of Certificate.t * Ptime.t option 628 + | `CAInvalidExtensions of Certificate.t 629 + ] 630 + 631 + (** [pp_ca_error ppf ca_error] pretty-prints the CA error [ca_error]. *) 632 + val pp_ca_error : ca_error Fmt.t 633 + 634 + (** [valid_ca ~allowed_hashes ~time certificate] is [result], which is [Ok ()] 635 + if the given certificate is self-signed with any hash algorithm of 636 + [hash_allowlist] (defaults to any hash), it is valid at [time], its 637 + extensions are not present (if X.509 version 1 certificate), or are 638 + appropriate for a CA (BasicConstraints is present and true, KeyUsage 639 + extension contains keyCertSign). 
*) 640 + val valid_ca : ?allowed_hashes:Digestif.hash' list -> ?time:Ptime.t -> 641 + Certificate.t -> (unit, [> ca_error ]) result 642 + 643 + (** [valid_cas ~allowed_hashes ~time certificates] is [valid_certificates], 644 + only those certificates which pass the {!valid_ca} check. *) 645 + val valid_cas : ?allowed_hashes:Digestif.hash' list -> ?time:Ptime.t -> 646 + Certificate.t list -> Certificate.t list 647 + 648 + (** {1 Chain of trust verification} *) 649 + 650 + (** The polymorphic variant of a leaf certificate validation error. *) 651 + type leaf_validation_error = [ 652 + | `LeafCertificateExpired of Certificate.t * Ptime.t option 653 + | `LeafInvalidIP of Certificate.t * Ipaddr.t option 654 + | `LeafInvalidName of Certificate.t * [`host] Domain_name.t option 655 + | `LeafInvalidVersion of Certificate.t 656 + | `LeafInvalidExtensions of Certificate.t 657 + ] 658 + 659 + (** The polymorphic variant of a chain validation error. *) 660 + type chain_validation_error = [ 661 + | `IntermediateInvalidExtensions of Certificate.t 662 + | `IntermediateCertificateExpired of Certificate.t * Ptime.t option 663 + | `IntermediateInvalidVersion of Certificate.t 664 + | `ChainIssuerSubjectMismatch of Certificate.t * Certificate.t 665 + | `ChainAuthorityKeyIdSubjectKeyIdMismatch of Certificate.t * Certificate.t 666 + | `ChainInvalidPathlen of Certificate.t * int 667 + | `EmptyCertificateChain 668 + | `NoTrustAnchor of Certificate.t 669 + | `Revoked of Certificate.t 670 + ] 671 + 672 + (** [build_paths server rest] is [paths], which are all possible certificate 673 + paths starting with [server]. These chains (C1..Cn) fulfill the predicate 674 + that each certificate Cn is issued by the next one in the chain (C(n+1)): 675 + the issuer of Cn matches the subject of C(n+1). This is as described in 676 + {{:https://tools.ietf.org/html/rfc4158}RFC 4158}. 
*) 677 + val build_paths : Certificate.t -> Certificate.t list -> Certificate.t list list 678 + 679 + (** The polymorphic variant of a chain validation error: either the leaf 680 + certificate is problematic, or the chain itself. *) 681 + type chain_error = [ 682 + | signature_error 683 + | leaf_validation_error 684 + | chain_validation_error 685 + ] 686 + 687 + (** [pp_chain_error ppf chain_error] pretty-prints the [chain_error]. *) 688 + val pp_chain_error : chain_error Fmt.t 689 + 690 + (** [verify_chain ~ip ~host ~time ~revoked ~allowed_hashes ~anchors chain] is 691 + [result], either [Ok] and the trust anchor used to verify the chain, or 692 + [Error] and the chain error. RFC 5280 describes the implemented 693 + {{:https://tools.ietf.org/html/rfc5280#section-6.1}path validation} 694 + algorithm: The validity period of the given certificates is checked 695 + against the [time]. The signature algorithm must be present in 696 + [allowed_hashes] (defaults to SHA-2). The X509v3 extensions of the 697 + [chain] are checked, then a chain of trust from [anchors] to the server 698 + certificate is validated. The path length constraints are checked. The 699 + server certificate is checked to contain the given [host], using 700 + {!Certificate.hostnames}. If [ip] is specified, the certificate is checked 701 + to contain the given [ip], using {!Certificate.ips}. The returned 702 + certificate is the root of the chain, a member of the given list of 703 + [anchors]. *) 704 + val verify_chain : ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 705 + time:(unit -> Ptime.t option) -> 706 + ?revoked:(issuer:Certificate.t -> cert:Certificate.t -> bool) -> 707 + ?allowed_hashes:Digestif.hash' list -> 708 + anchors:(Certificate.t list) -> Certificate.t list -> 709 + (Certificate.t, [> chain_error ]) result 710 + 711 + (** The polymorphic variant of a fingerprint validation error. 
*) 712 + type fingerprint_validation_error = [ 713 + | `InvalidFingerprint of Certificate.t * string * string 714 + ] 715 + 716 + (** The polymorphic variant of validation errors. *) 717 + type validation_error = [ 718 + | signature_error 719 + | leaf_validation_error 720 + | fingerprint_validation_error 721 + | `EmptyCertificateChain 722 + | `InvalidChain 723 + ] 724 + 725 + (** [pp_validation_error ppf validation_error] pretty-prints the 726 + [validation_error]. *) 727 + val pp_validation_error : validation_error Fmt.t 728 + 729 + type r = ((Certificate.t list * Certificate.t) option, validation_error) result 730 + 731 + (** [verify_chain_of_trust ~ip ~host ~time ~revoked ~allowed_hashes ~anchors certificates] 732 + is [result]. First, all possible paths are constructed using the 733 + {!build_paths} function, the first certificate of the chain is verified to 734 + be a valid leaf certificate (no BasicConstraints extension) and contains 735 + the given [host] (using {!Certificate.hostnames}) or [ip] if specified 736 + (using {!Certificate.ips}; if some path is valid, using 737 + {!verify_chain}, the result will be [Ok] and contain the actual 738 + certificate chain and the trust anchor. *) 739 + val verify_chain_of_trust : 740 + ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 741 + time:(unit -> Ptime.t option) -> 742 + ?revoked:(issuer:Certificate.t -> cert:Certificate.t -> bool) -> 743 + ?allowed_hashes:Digestif.hash' list -> 744 + anchors:(Certificate.t list) -> Certificate.t list -> r 745 + 746 + (** {1 Fingerprint verification} *) 747 + 748 + (** [trust_key_fingerprint ~ip ~host ~time ~hash ~fingerprint certificates] is 749 + [result], the first element of [certificates] is verified against the 750 + given [fingerprint] using {!Public_key.fingerprint}. If [time] is 751 + provided, the certificate has to be valid at the given timestamp. If 752 + [host] is provided, the certificate is checked for the given [host] 753 + (using {!Certificate.hostnames}). 
If [ip] is provided, the certificate is 754 + checked to include this IP address (using {!Certificate.ips}). *) 755 + val trust_key_fingerprint : 756 + ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 757 + time:(unit -> Ptime.t option) -> hash:Digestif.hash' -> 758 + fingerprint:string -> Certificate.t list -> r 759 + 760 + (** [trust_cert_fingerprint host ~time ~hash ~fingerprint certificates] is 761 + [result], the first element of [certificates] is verified to match the 762 + given [fingerprint] using {!Certificate.fingerprint}. If [time] is 763 + provided, the certificate is checked to be valid in at the given 764 + timestamp. If [host] is provided, the certificate is checked for the given 765 + [host] (using {!Certificate.hostnames}). If [ip] is provided, the 766 + certificate is checked to include this IP address (using 767 + {!Certificate.ips}). Note that 768 + {{!trust_key_fingerprint}public key pinning} has 769 + {{:https://www.imperialviolet.org/2011/05/04/pinning.html} advantages} 770 + over certificate pinning. *) 771 + val trust_cert_fingerprint : 772 + ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 773 + time:(unit -> Ptime.t option) -> hash:Digestif.hash' -> 774 + fingerprint:string -> Certificate.t list -> r 775 + end 776 + 777 + (** Certificate Signing request *) 778 + 779 + (** A certificate authority (CA) deals with 780 + {{:https://tools.ietf.org/html/rfc2986}PKCS 10 certificate signing requests}, 781 + their construction and encoding, and provisioning using a private key to 782 + generate a certificate with a signature thereof. *) 783 + module Signing_request : sig 784 + (** The abstract type of a (self-signed) certification request. *) 785 + type t 786 + 787 + (** {1 Decoding and encoding in ASN.1 DER and PEM format} *) 788 + 789 + (** [decode_der ~allowed_hashes octets] is [signing_request], the ASN.1 790 + decoded [octets] or an error. 
The signature on the signing request 791 + is validated, and its hash algorithm must be in [allowed_hashes] (by 792 + default only SHA-2 is accepted). *) 793 + val decode_der : ?allowed_hashes:Digestif.hash' list -> string -> 794 + (t, [> `Msg of string ]) result 795 + 796 + (** [encode_der sr] is [octets], the ASN.1 encoded representation of the [sr]. *) 797 + val encode_der : t -> string 798 + 799 + (** [decode_pem pem] is [t], where the single signing request of the [pem] is extracted *) 800 + val decode_pem : string -> (t, [> `Msg of string ]) result 801 + 802 + (** [encode_pem signing_request] is [pem], the pem encoded signing request. *) 803 + val encode_pem : t -> string 804 + 805 + (** {1 Construction of a signing request} *) 806 + 807 + module Ext : sig 808 + (** The GADT of certificate request extensions, as defined in 809 + {{:http://tools.ietf.org/html/rfc2985}PKCS 9 (RFC 2985)}. *) 810 + type _ k = 811 + | Password : string k 812 + | Name : string k 813 + | Extensions : Extension.t k 814 + 815 + include Gmap.S with type 'a key = 'a k 816 + 817 + val pp : t Fmt.t 818 + end 819 + 820 + (** The raw request info of a 821 + {{:https://tools.ietf.org/html/rfc2986#section-4}PKCS 10 certification request info}. *) 822 + type request_info = { 823 + subject : Distinguished_name.t ; 824 + public_key : Public_key.t ; 825 + extensions : Ext.t ; 826 + } 827 + 828 + (** [info signing_request] is {!request_info}, the information inside the 829 + signing_request. *) 830 + val info : t -> request_info 831 + 832 + (** [signature_algorithm signing_request] is the algorithm used for the signature. *) 833 + val signature_algorithm : t -> 834 + (Key_type.signature_scheme * Digestif.hash') option 835 + 836 + (** [hostnames signing_request] is the set of domain names this 837 + [signing_request] is requesting. This is either the content of the DNS 838 + entries of the SubjectAlternativeName extension, or the common name of the 839 + [signing_request]. 
*) 840 + val hostnames : t -> Host.Set.t 841 + 842 + (** [create subject ~digest ~extensions private] creates [signing_request], 843 + a certification request using the given [subject], [digest] (defaults to 844 + [`SHA256]) and list of [extensions]. *) 845 + val create : Distinguished_name.t -> ?digest:Digestif.hash' -> 846 + ?extensions:Ext.t -> Private_key.t -> (t, [> `Msg of string ]) result 847 + 848 + (** {1 Provision a signing request to a certificate} *) 849 + 850 + (** [sign signing_request ~valid_from ~valid_until ~allowed_hashes ~digest ~serial ~extensions ~subject private issuer] 851 + creates [certificate], a signed certificate. Signing can fail if the 852 + signature on the [signing_request] is invalid, or its hash algorithm does 853 + not occur in [allowed_hashes] (default all SHA-2 algorithms). Public key 854 + and subject are taken from the [signing_request] unless [subject] is 855 + passed, the [extensions] are added to the X.509 certificate. The 856 + [private] key is used to sign the certificate, the [issuer] is recorded 857 + in the certificate. The digest defaults to [`SHA256]. The [serial] 858 + defaults to a random value between 1 and 2^64. Certificate version is 859 + always 3. Please note that the extensions in the [signing_request] are 860 + ignored, you can pass them using: 861 + 862 + {[match Ext.find Extensions (info csr).extensions with 863 + | Ok ext -> ext 864 + | Error _ -> Extension.empty 865 + ]} *) 866 + val sign : t -> valid_from:Ptime.t -> valid_until:Ptime.t -> 867 + ?allowed_hashes:Digestif.hash' list -> 868 + ?digest:Digestif.hash' -> ?serial:string -> ?extensions:Extension.t -> 869 + ?subject:Distinguished_name.t -> 870 + Private_key.t -> Distinguished_name.t -> 871 + (Certificate.t, Validation.signature_error) result 872 + end 873 + 874 + (** X.509 Certificate Revocation Lists. 
*) 875 + module CRL : sig 876 + (** A certificate revocation list is a signed structure consisting of an 877 + issuer, a timestamp, possibly a timestamp when to expect the next update, 878 + and a list of revoked certificates (represented by a serial, a revocation 879 + date, and extensions (e.g. reason) - see 880 + {{:https://tools.ietf.org/html/rfc5280#section-5.2}RFC 5280 section 5.2} 881 + for a list of available extensions (not enforced)). It also may contain 882 + any extensions, e.g. a CRL number and whether it is partial or complete. *) 883 + 884 + (** The type of a revocation list, kept abstract. *) 885 + type t 886 + 887 + (** {1 Encoding and decoding in ASN.1 DER format} *) 888 + 889 + (** [encode_der crl] is [buffer], the ASN.1 DER encoding of the given 890 + certificate revocation list. *) 891 + val encode_der : t -> string 892 + 893 + (** [decode_der buffer] is [crl], the certificate revocation list of the 894 + ASN.1 encoded buffer. *) 895 + val decode_der : string -> (t, [> `Msg of string ]) result 896 + 897 + (** {1 Operations on CRLs} *) 898 + 899 + (** [issuer c] is the issuer of the revocation list. *) 900 + val issuer : t -> Distinguished_name.t 901 + 902 + (** [this_update t] is the timestamp of the revocation list. *) 903 + val this_update : t -> Ptime.t 904 + 905 + (** [next_update t] is either [None] or [Some ts], the timestamp of the next 906 + update. *) 907 + val next_update : t -> Ptime.t option 908 + 909 + (** The type of a revoked certificate, which consists of a serial number, the 910 + revocation date, and possibly extensions. See 911 + {{:https://tools.ietf.org/html/rfc5280#section-5.3}RFC 5280 section 5.3} 912 + for allowed extensions (not enforced). *) 913 + type revoked_cert = { 914 + serial : string ; 915 + date : Ptime.t ; 916 + extensions : Extension.t 917 + } 918 + 919 + (** [reason revoked] extracts the [Reason] extension from [revoked] if 920 + present. 
*) 921 + val reason : revoked_cert -> Extension.reason option 922 + 923 + (** [revoked_certificates t] is the list of revoked certificates of the 924 + revocation list. *) 925 + val revoked_certificates : t -> revoked_cert list 926 + 927 + (** [extensions t] is the list of extensions, see RFC 5280 section 5.2 for 928 + possible values. *) 929 + val extensions : t -> Extension.t 930 + 931 + (** [crl_number t] is the number of the CRL. *) 932 + val crl_number : t -> int option 933 + 934 + (** [signature_algorithm t] is the algorithm used for the signature. *) 935 + val signature_algorithm : t -> 936 + (Key_type.signature_scheme * Digestif.hash') option 937 + 938 + (** {1 Validation and verification of CRLs} *) 939 + 940 + (** [validate t ~allowed_hashes pk] validates the digital signature of the 941 + revocation list. The [allowed_hashes] defaults to SHA-2. *) 942 + val validate : t -> ?allowed_hashes:Digestif.hash' list -> 943 + Public_key.t -> (unit, [> Validation.signature_error ]) result 944 + 945 + (** The type of CRL verification errors. *) 946 + type verification_error = [ 947 + | Validation.signature_error 948 + | `Issuer_subject_mismatch of Distinguished_name.t * Distinguished_name.t 949 + | `Not_yet_valid of Distinguished_name.t * Ptime.t * Ptime.t 950 + | `Next_update_scheduled of Distinguished_name.t * Ptime.t * Ptime.t 951 + ] 952 + 953 + (** [pp_verification_error ppf vere] pretty-prints the CRL verification error 954 + [vere] on [ppf]. *) 955 + val pp_verification_error : verification_error Fmt.t 956 + 957 + (** [verify t ~allowed_hashes ~time cert] verifies that the issuer of [t] 958 + matches the subject of [cert], and validates the digital signature of the 959 + revocation list. The used hash algorithm must be in the [allowed_hashes] 960 + (defaults to SHA-2). If [time] is provided, it must be after [this_update] 961 + and before [next_update] of [t]. 
*) 962 + val verify : t -> ?allowed_hashes:Digestif.hash' list -> 963 + ?time:Ptime.t -> Certificate.t -> (unit, [> verification_error ]) result 964 + 965 + (** [is_revoked ~allowed_hashes ~issuer ~cert crls] is [true] if there exists 966 + a revocation of [cert] in [crls] which is signed by the [issuer]. The 967 + subject of [issuer] must match the issuer of the crl. The hash algorithm 968 + used for signing must be in the [allowed_hashes] (defaults to SHA-2). *) 969 + val is_revoked : ?allowed_hashes:Digestif.hash' list -> 970 + issuer:Certificate.t -> cert:Certificate.t -> t list -> bool 971 + 972 + (** {1 Construction and signing of CRLs} *) 973 + 974 + (** [revoked ~digest ~issuer ~this_update ~next_update ~extensions certs priv] 975 + constructs a revocation list with the given parameters. *) 976 + val revoke : ?digest:Digestif.hash' -> 977 + issuer:Distinguished_name.t -> 978 + this_update:Ptime.t -> ?next_update:Ptime.t -> 979 + ?extensions:Extension.t -> 980 + revoked_cert list -> Private_key.t -> (t, [> `Msg of string ]) result 981 + 982 + (** [revoke_certificate cert ~this_update ~next_update t priv] adds [cert] to 983 + the revocation list, increments its counter, adjusts [this_update] and 984 + [next_update] timestamps, and digitally signs it using [priv]. *) 985 + val revoke_certificate : revoked_cert -> 986 + this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> 987 + (t, [> `Msg of string ]) result 988 + 989 + (** [revoke_certificates certs ~this_update ~next_update t priv] adds [certs] 990 + to the revocation list, increments its counter, adjusts [this_update] and 991 + [next_update] timestamps, and digitally signs it using [priv]. 
*) 992 + val revoke_certificates : revoked_cert list -> 993 + this_update:Ptime.t -> ?next_update:Ptime.t -> t -> Private_key.t -> 994 + (t, [> `Msg of string ]) result 995 + end 996 + 997 + (** Certificate chain authenticators *) 998 + module Authenticator : sig 999 + 1000 + (** An authenticator [t] is a function type which takes optionally an IP 1001 + address, a hostname and a certificate stack to an authentication decision 1002 + {!Validation.r}. If [ip] is specified, it needs to be present in the 1003 + SubjectAlternativeName extension of the server certificate. *) 1004 + type t = ?ip:Ipaddr.t -> host:[`host] Domain_name.t option -> 1005 + Certificate.t list -> Validation.r 1006 + 1007 + (** [chain_of_trust ~time ~crls ~allowed_hashes trust_anchors] is 1008 + [authenticator], which uses the given [time] and list of [trust_anchors] 1009 + to verify the certificate chain. All signatures must use a hash algorithm 1010 + specified in [allowed_hashes], defaults to SHA-2. Signatures on revocation 1011 + lists [crls] must also use a hash algorithm in [allowed_hashes]. This is 1012 + an implementation of the algorithm described in 1013 + {{:https://tools.ietf.org/html/rfc5280#section-6.1}RFC 5280}, using 1014 + {!Validation.verify_chain_of_trust}. The given trust anchors are not 1015 + validated, you can filter them with {!Validation.valid_cas} if desired. *) 1016 + val chain_of_trust : time:(unit -> Ptime.t option) -> ?crls:CRL.t list -> 1017 + ?allowed_hashes:Digestif.hash' list -> Certificate.t list -> t 1018 + 1019 + (** [key_fingerprint ~time hash fingerprint] is an [authenticator] 1020 + that uses the given [time] and [fingerprint] to verify that the 1021 + fingerprint of the first element of the certificate chain matches the 1022 + given fingerprint, using {!Validation.trust_key_fingerprint}. 
*) 1023 + val key_fingerprint : time:(unit -> Ptime.t option) -> 1024 + hash:Digestif.hash' -> fingerprint:string -> t 1025 + 1026 + (** [cert_fingerprint ~time hash fingerprint] is an [authenticator] 1027 + that uses the given [time] and [fingerprint] to verify the first 1028 + element of the certificate chain, using 1029 + {!Validation.trust_cert_fingerprint}. Note that 1030 + {{!key_fingerprint}public key pinning} has 1031 + {{:https://www.imperialviolet.org/2011/05/04/pinning.html} advantages} 1032 + over certificate pinning. *) 1033 + val cert_fingerprint : time:(unit -> Ptime.t option) -> 1034 + hash:Digestif.hash' -> fingerprint:string -> t 1035 + 1036 + (** [of_string str] tries to parse the given [str] to an 1037 + {!type:Authenticator.t}. The format of it is: 1038 + - [none] no authentication, 1039 + - [key-fp(:<hash>?):<base64-encoded fingerprint>] to authenticate a peer via 1040 + its key fingerprint (hash is optional and defaults to SHA256), 1041 + - [cert-fp(:<hash>?):<base64-encoded fingerprint>] to authenticate a peer via 1042 + its certificate fingerprint (hash is optional and defaults to SHA256), 1043 + - [trust-anchor(:<base64-encoded DER certificate>)+] to authenticate a 1044 + peer from a list of certificates (certificate must be in PEM format 1045 + without header and footer (----BEGIN CERTIFICATE-----) and without 1046 + newlines). 1047 + 1048 + If decoding is successful, the returned value expects a function which 1049 + outputs the current timestamp ([unit -> Ptime.t option]) and is then 1050 + an authenticator. If decoding fails, and error is returned. *) 1051 + val of_string : string -> 1052 + ((unit -> Ptime.t option) -> t, [> `Msg of string ]) result 1053 + end 1054 + 1055 + (** PKCS12 archive files *) 1056 + module PKCS12 : sig 1057 + 1058 + (** A PKCS12 encoded archive file, *) 1059 + type t 1060 + 1061 + (** [decode_der buffer] is [t], the PKCS12 archive of [buffer]. 
*) 1062 + val decode_der : string -> (t, [> `Msg of string ]) result 1063 + 1064 + (** [encode_der t] is [buf], the PKCS12 encoded archive of [t]. *) 1065 + val encode_der : t -> string 1066 + 1067 + (** [verify password t] verifies and decrypts the PKCS12 archive [t]. The 1068 + result is the contents of the archive. *) 1069 + val verify : string -> t -> 1070 + ([ `Certificate of Certificate.t | `Crl of CRL.t 1071 + | `Private_key of Private_key.t | `Decrypted_private_key of Private_key.t ] 1072 + list, [> `Msg of string ]) result 1073 + 1074 + (** [create ~mac ~algorithm ~iterations password certificates private_key] 1075 + constructs a PKCS12 archive with [certificates] and [private_key]. They 1076 + are encrypted with [algorithm] (using PBES2, PKCS5v2) and integrity 1077 + protected using [mac]. A [local key id] is always embedded in the private 1078 + key and matching certificate. *) 1079 + val create : ?mac:[`SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] -> 1080 + ?algorithm:[ `AES128_CBC | `AES192_CBC | `AES256_CBC ] -> 1081 + ?iterations:int -> 1082 + string -> Certificate.t list -> Private_key.t -> 1083 + t 1084 + end 1085 + 1086 + 1087 + (** OCSP (Online Certificate Status Protocol) as described in 1088 + {{:https://tools.ietf.org/html/rfc6960}RFC 6960}. *) 1089 + module OCSP : sig 1090 + 1091 + (** type for CertID to distinguish requested certs *) 1092 + type cert_id 1093 + 1094 + (** [create_cert_id issuer serial] creates cert_id for this serial *) 1095 + val create_cert_id : ?hash:[ `MD5 | `SHA1 | `SHA224 | `SHA256 | `SHA384 | `SHA512 ] -> Certificate.t -> string -> 1096 + cert_id 1097 + 1098 + (** [cert_id_serial certid] is serial number of this certid *) 1099 + val cert_id_serial : cert_id -> string 1100 + 1101 + (** [pp_cert_id ppf cert_id] pretty prints cert_id *) 1102 + val pp_cert_id : cert_id Fmt.t 1103 + 1104 + (** Module for encoding and decoding OCSP requests. 
*) 1105 + module Request : sig 1106 + 1107 + (** type for Request *) 1108 + type t 1109 + 1110 + (** [pp ppf request] pretty prints request *) 1111 + val pp : t Fmt.t 1112 + 1113 + (** [create ~certs ~digest ~requestor_name ~key certids] creates request 1114 + for given [certids] and, if [key] is provided, signs it using [digest]. 1115 + [requestorName] may be used by responder to distinguish requesters. 1116 + [certs] may be used by responder to check requestor authority. *) 1117 + val create : ?certs:Certificate.t list -> ?digest:Digestif.hash' -> 1118 + ?requestor_name:General_name.b -> ?key:Private_key.t -> cert_id list -> 1119 + (t, [> `Msg of string ]) result 1120 + 1121 + (** [validate request key] validates the signature of [request] 1122 + with the pulic [key]. *) 1123 + val validate : t -> ?allowed_hashes:Digestif.hash' list -> 1124 + Public_key.t -> 1125 + (unit, [> Validation.signature_error | `No_signature ]) result 1126 + 1127 + (** [requestor_name request] is requestorName from this request *) 1128 + val requestor_name : t -> General_name.b option 1129 + 1130 + (** [cert_ids request] is cert ids from this request *) 1131 + val cert_ids : t -> cert_id list 1132 + 1133 + (** [decode_der buffer] decodes request in buffer *) 1134 + val decode_der : string -> (t, Asn.error) result 1135 + 1136 + (** [encode_der request] encodes request into buffer *) 1137 + val encode_der : t -> string 1138 + end 1139 + 1140 + (** Module for encoding and decoding OCSP responses. 
*) 1141 + module Response : sig 1142 + 1143 + (** type for OCSPResponseStatus *) 1144 + type status = [ 1145 + | `InternalError 1146 + | `MalformedRequest 1147 + | `SigRequired 1148 + | `Successful 1149 + | `TryLater 1150 + | `Unauthorized 1151 + ] 1152 + 1153 + (** [pp_status ppf status] pretty prints status *) 1154 + val pp_status : status Fmt.t 1155 + 1156 + (** type for CertStatus *) 1157 + type cert_status = [ 1158 + | `Good 1159 + | `Revoked of Ptime.t * Extension.reason option 1160 + | `Unknown 1161 + ] 1162 + 1163 + (** [pp_cert_status ppf status] pretty prints cert status *) 1164 + val pp_cert_status : cert_status Fmt.t 1165 + 1166 + (** type for SingleResponse *) 1167 + type single_response 1168 + 1169 + (** [create_single_response ~next_update ~single_extension cert_id 1170 + cert_status this_update] creates response info for one cert, 1171 + [this_update] should be current time. *) 1172 + val create_single_response : ?next_update:Ptime.t -> 1173 + ?single_extensions:Extension.t -> cert_id -> cert_status -> Ptime.t -> 1174 + single_response 1175 + 1176 + (** [pp_single_response ppf response] pretty prints single [response] *) 1177 + val pp_single_response : single_response Fmt.t 1178 + 1179 + (** [single_response_cert_id response] is cert_id in this single [response] *) 1180 + val single_response_cert_id : single_response -> cert_id 1181 + 1182 + (** [single_response_cert_id response] is cert_status in this single 1183 + [response] *) 1184 + val single_response_status : single_response -> cert_status 1185 + 1186 + (** type for ResponderID *) 1187 + type responder_id = [ 1188 + | `ByKey of string 1189 + | `ByName of Distinguished_name.t 1190 + ] 1191 + 1192 + (** [create_responder_id pubkey] creates responderID identified by this key. 1193 + Note: octets here contains SHA1 hash of public key, not itself. 
*) 1194 + val create_responder_id : Public_key.t -> responder_id 1195 + 1196 + (** [pp_responder_id ppf responderID] pretty prints [responderID] *) 1197 + val pp_responder_id : responder_id Fmt.t 1198 + 1199 + (** type for OCSPResponse *) 1200 + type t 1201 + 1202 + (** [create_success ~digest ~certs ~response_extensions priv_key 1203 + responderID producedAt responses] creates response and signs it with 1204 + [priv_key]. [producedAt] should be current timestamp. *) 1205 + val create_success : 1206 + ?digest:Digestif.hash' -> 1207 + ?certs:Certificate.t list -> 1208 + ?response_extensions:Extension.t -> 1209 + Private_key.t -> 1210 + responder_id -> 1211 + Ptime.t -> 1212 + single_response list -> (t, [> `Msg of string ]) result 1213 + 1214 + (** [create status] creates error response. Successful status is not 1215 + allowed here because it requires responseBytes. *) 1216 + val create : [ 1217 + | `MalformedRequest 1218 + | `InternalError 1219 + | `TryLater 1220 + | `SigRequired 1221 + | `Unauthorized 1222 + ] -> t 1223 + 1224 + (** [pp ppf response] pretty prints response *) 1225 + val pp : t Fmt.t 1226 + 1227 + (** [status response] is response status *) 1228 + val status : t -> status 1229 + 1230 + (** [responder_id request] is responder id from response *) 1231 + val responder_id : t -> (responder_id, [> `Msg of string ]) result 1232 + 1233 + (** [responses response] is a list of responses (status per certificate). *) 1234 + val responses : t -> (single_response list, [> `Msg of string ]) result 1235 + 1236 + (** [decode_der buffer] decodes response in buffer *) 1237 + val decode_der : string -> (t, Asn.error) result 1238 + 1239 + (** [encode_der request] encodes response into buffer *) 1240 + val encode_der : t -> string 1241 + 1242 + (** [validate response key] validates the signature of [response] 1243 + with the pulic [key]. 
*) 1244 + val validate : t -> ?allowed_hashes:Digestif.hash' list -> 1245 + ?now:Ptime.t -> Public_key.t -> 1246 + (unit, [> Validation.signature_error | `No_signature | `Time_invalid ]) result 1247 + end 1248 + end
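Review bot: The doc comment on `OCSP.Response.validate` (new-file lines 1242-1246) describes only the signature check, but the signature also takes `?now:Ptime.t` and can return the Time_invalid error case. Please document what is compared against `now` and what happens when it is omitted, because a caller who leaves it out cannot tell from this interface whether response freshness is checked at all. `?allowed_hashes` is likewise undocumented here and on `OCSP.Request.validate`, and `OCSP.create_cert_id` accepts MD5 and SHA1 for `?hash` without stating the default. Smaller documentation points in the same hunk: both `validate` comments misspell "public" as "pulic"; the comment above `single_response_status` is labelled `[single_response_cert_id response]`; the `create_single_response` comment names `~single_extension` where the parameter is `?single_extensions`; the `Response.responder_id` and `Response.encode_der` comments call their argument `request`; and the `Authenticator.of_string` comment reads "and error is returned" and shows the PEM header with four leading dashes. Since `Authenticator.of_string` accepts `none` (no authentication), it would also help to state that callers who parse this string from configuration must reject that value themselves if they require an authenticated peer.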
vendor/opam/x509/tests/crl/1.crl

This is a binary file and will not be displayed.

+29
vendor/opam/x509/tests/crl/1.pem
vendor/opam/x509/tests/crl/10.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/10.pem
vendor/opam/x509/tests/crl/11.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/11.pem
vendor/opam/x509/tests/crl/12.crl

This is a binary file and will not be displayed.

+29
vendor/opam/x509/tests/crl/12.pem
vendor/opam/x509/tests/crl/13.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/13.pem
vendor/opam/x509/tests/crl/14.crl

This is a binary file and will not be displayed.

+44
vendor/opam/x509/tests/crl/14.pem
vendor/opam/x509/tests/crl/15.crl

This is a binary file and will not be displayed.

+24
vendor/opam/x509/tests/crl/15.pem
vendor/opam/x509/tests/crl/16.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/16.pem
vendor/opam/x509/tests/crl/17.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/17.pem
vendor/opam/x509/tests/crl/18.crl

This is a binary file and will not be displayed.

+45
vendor/opam/x509/tests/crl/18.pem
vendor/opam/x509/tests/crl/19.crl

This is a binary file and will not be displayed.

+28
vendor/opam/x509/tests/crl/19.pem
vendor/opam/x509/tests/crl/2.crl

This is a binary file and will not be displayed.

+29
vendor/opam/x509/tests/crl/2.pem
vendor/opam/x509/tests/crl/20.crl

This is a binary file and will not be displayed.

+28
vendor/opam/x509/tests/crl/20.pem
vendor/opam/x509/tests/crl/21.crl

This is a binary file and will not be displayed.

+27
vendor/opam/x509/tests/crl/21.pem
vendor/opam/x509/tests/crl/3.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/3.pem
vendor/opam/x509/tests/crl/4.crl

This is a binary file and will not be displayed.

+26
vendor/opam/x509/tests/crl/4.pem
vendor/opam/x509/tests/crl/5.crl

This is a binary file and will not be displayed.

+26
vendor/opam/x509/tests/crl/5.pem
vendor/opam/x509/tests/crl/6.crl

This is a binary file and will not be displayed.

+26
vendor/opam/x509/tests/crl/6.pem
vendor/opam/x509/tests/crl/7.crl

This is a binary file and will not be displayed.

+26
vendor/opam/x509/tests/crl/7.pem
vendor/opam/x509/tests/crl/8.crl

This is a binary file and will not be displayed.

+26
vendor/opam/x509/tests/crl/8.pem
vendor/opam/x509/tests/crl/9.crl

This is a binary file and will not be displayed.

+23
vendor/opam/x509/tests/crl/9.pem
+61
vendor/opam/x509/tests/crltests.ml
··· 1 + open X509 2 + 3 + let of_ic ic = 4 + let ln = in_channel_length ic in 5 + let rs = Bytes.create ln in 6 + really_input ic rs 0 ln; 7 + Bytes.unsafe_to_string rs 8 + 9 + let with_loaded_files file ~f = 10 + let pre = "./crl/" in 11 + let fullpath1 = pre ^ file ^ ".pem" 12 + and fullpath2 = pre ^ file ^ ".crl" 13 + in 14 + let fd1 = open_in fullpath1 15 + and fd2 = open_in fullpath2 16 + in 17 + let buf1 = of_ic fd1 18 + and buf2 = of_ic fd2 19 + in 20 + try let r = f buf1 buf2 in close_in fd1 ; close_in fd2 ; 21 + match r with 22 + | Ok x -> x 23 + | Error (`Msg e) -> Alcotest.failf "decoding error %s" e 24 + with e -> close_in fd1 ; close_in fd2 ; 25 + Alcotest.failf "exception %s" (Printexc.to_string e) 26 + 27 + let allowed_hashes = [ `SHA1 ; `SHA256 ; `SHA384 ; `SHA512 ] 28 + 29 + let one f () = 30 + with_loaded_files f ~f:(fun cert crl -> 31 + let ( let* ) = Result.bind in 32 + let* cert = Certificate.decode_pem cert in 33 + let pubkey = Certificate.public_key cert in 34 + let* crl = CRL.decode_der crl in 35 + Result.map_error 36 + (fun e -> `Msg (Fmt.to_to_string Validation.pp_signature_error e)) 37 + (CRL.validate crl ~allowed_hashes pubkey)) 38 + 39 + let crl_tests = [ 40 + "CRL 1 is good", `Quick, one "1" ; 41 + "CRL 2 is good", `Quick, one "2" ; 42 + "CRL 3 is good", `Quick, one "3" ; 43 + "CRL 4 is good", `Quick, one "4" ; 44 + "CRL 5 is good", `Quick, one "5" ; 45 + "CRL 6 is good", `Quick, one "6" ; 46 + "CRL 7 is good", `Quick, one "7" ; 47 + "CRL 8 is good", `Quick, one "8" ; 48 + "CRL 9 is good", `Quick, one "9" ; 49 + "CRL 10 is good", `Quick, one "10" ; 50 + "CRL 11 is good", `Quick, one "11" ; 51 + "CRL 12 is good", `Quick, one "12" ; 52 + "CRL 13 is good", `Quick, one "13" ; 53 + "CRL 14 is good", `Quick, one "14" ; 54 + "CRL 15 is good", `Quick, one "15" ; 55 + "CRL 16 is good", `Quick, one "16" ; 56 + "CRL 17 is good", `Quick, one "17" ; 57 + "CRL 18 is good", `Quick, one "18" ; 58 + "CRL 19 is good", `Quick, one "19" ; 59 + "CRL 20 is 
good", `Quick, one "20" ; 60 + "CRL 21 is good", `Quick, one "21" ; 61 + ]
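Review bot: In `with_loaded_files`, the `match r with` sits inside the `try`, so the exception raised by `Alcotest.failf "decoding error %s" e` is caught by `with e ->` and reported a second time as `exception ...`, after both channels have already been closed once. Bind the result inside the `try` (or use `Fun.protect ~finally` for the two `close_in` calls) and do the `match` outside it, so a decode or signature failure surfaces under its own message. Two smaller points in the same function: `fd1` is never closed if `open_in fullpath2` raises, and the `.crl` inputs are DER, so `open_in_bin` is the safer choice than `open_in`.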
+17
vendor/opam/x509/tests/csr/wild-bar.pem
+15
vendor/opam/x509/tests/csr/wild-foo-cn.pem
+21
vendor/opam/x509/tests/csr/your-new-domain-raw.pem
+17
vendor/opam/x509/tests/csr/your-new-domain.pem
+10
vendor/opam/x509/tests/custom_pp/custom_pp.expected
··· 1 + Certificate: X.509 certificate 2 + version 3 3 + serial 00d7 9549 bd1a 6717 51 4 + algorithm ECDSA-SHA256 5 + issuer /CN=FT FIDO 0200 6 + valid from 2019-02-26 00:00:00 +00:00 until 2034-02-25 23:59:59 +00:00 7 + subject /CN=FT FIDO P2047001341412 8 + extensions id-fido-u2f-ce-transports NFC,USB,BluetoothLowEnergy 9 + subjectKeyIdentifier 525e a96c 47b9 a479 33a0 9b48 71c3 98df 6407 aaa4 10 +
+58
vendor/opam/x509/tests/custom_pp/custom_pp.ml
··· 1 + let fido_u2f_transport_oid = 2 + Asn.OID.(base 1 3 <| 6 <| 1 <| 4 <| 1 <| 45724 <| 2 <| 1 <| 1) 3 + 4 + let fido_u2f_transport_oid_name = "id-fido-u2f-ce-transports" 5 + 6 + type transport = [ 7 + | `Bluetooth_classic 8 + | `Bluetooth_low_energy 9 + | `Usb 10 + | `Nfc 11 + | `Usb_internal 12 + ] 13 + 14 + let pp_transport ppf = function 15 + | `Bluetooth_classic -> Fmt.string ppf "BluetoothClassic" 16 + | `Bluetooth_low_energy -> Fmt.string ppf "BluetoothLowEnergy" 17 + | `Usb -> Fmt.string ppf "USB" 18 + | `Nfc -> Fmt.string ppf "NFC" 19 + | `Usb_internal -> Fmt.string ppf "USBInternal" 20 + 21 + let transports = 22 + let opts = [ 23 + (0, `Bluetooth_classic); 24 + (1, `Bluetooth_low_energy); 25 + (2, `Usb); 26 + (3, `Nfc); 27 + (4, `Usb_internal); 28 + ] in 29 + Asn.S.bit_string_flags opts 30 + 31 + let decode_transports cs = 32 + match Asn.decode (Asn.codec Asn.der transports) cs with 33 + | Ok (a, cs) -> 34 + if String.length cs = 0 then Ok a else Error (`Msg "trailing bytes") 35 + | Error (`Parse msg) -> Error (`Msg msg) 36 + 37 + let custom_pp ppf (oid, data) = 38 + if Asn.OID.equal oid fido_u2f_transport_oid then 39 + match decode_transports data with 40 + | Error `Msg _e -> 41 + Fmt.pf ppf "%s invalid-data" fido_u2f_transport_oid_name 42 + | Ok transports -> 43 + Fmt.pf ppf "%s %a" fido_u2f_transport_oid_name Fmt.(list ~sep:(any ",") pp_transport) transports 44 + else 45 + Fmt.pf ppf "unsupported %a: %a" Asn.OID.pp oid (Ohex.pp_hexdump ()) data 46 + 47 + let () = 48 + let fullpath = "../testcertificates/fido.pem" in 49 + let fd = open_in fullpath in 50 + let ln = in_channel_length fd in 51 + let buf = Bytes.create ln in 52 + really_input fd buf 0 ln; 53 + close_in_noerr fd; 54 + let buf = Bytes.unsafe_to_string buf in 55 + match X509.Certificate.decode_pem buf with 56 + | Error `Msg e -> failwith e 57 + | Ok cert -> 58 + Format.printf "Certificate: %a\n" (X509.Certificate.pp' custom_pp) cert
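Review bot: In `custom_pp`, the `Error `Msg _e` branch throws away the decoder's message and prints only `invalid-data`, so a malformed `id-fido-u2f-ce-transports` extension cannot be diagnosed from the output. Consider including the message, for example `Fmt.pf ppf "%s invalid-data (%s)" fido_u2f_transport_oid_name e`. In the `let () =` block, `fd` is also left open if `really_input` raises; wrapping the read in `Fun.protect ~finally:(fun () -> close_in_noerr fd)` covers that path.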
+12
vendor/opam/x509/tests/custom_pp/dune
··· 1 + (executable 2 + (name custom_pp) 3 + (modules custom_pp) 4 + (libraries x509 asn1-combinators fmt)) 5 + 6 + (rule 7 + (with-stdout-to custom_pp.output (run ./custom_pp.exe))) 8 + 9 + (rule 10 + (alias runtest) 11 + (deps (source_tree ../testcertificates)) 12 + (action (diff custom_pp.expected custom_pp.output)))
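Review bot: The rule that runs `./custom_pp.exe` declares no dependencies, yet the executable reads `../testcertificates/fido.pem`; the `(deps (source_tree ../testcertificates))` line is attached to the `runtest` diff rule, which only compares `custom_pp.expected` with `custom_pp.output`. Move the `source_tree` dependency (or add it as well) to the `with-stdout-to` rule so the certificate is guaranteed to be present when the output is generated, including in sandboxed builds.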
+4
vendor/opam/x509/tests/dune
··· 1 + (test 2 + (name tests) 3 + (deps (source_tree regression) (source_tree testcertificates) (source_tree crl) (source_tree csr) (source_tree pkcs12) (source_tree ocsp)) 4 + (libraries x509 alcotest ptime.clock.os mirage-crypto-pk mirage-crypto-ec mirage-crypto-rng.unix))
+128
vendor/opam/x509/tests/ocsp.ml
··· 1 + open X509 2 + 3 + (* 4 + How files for test1 were generated: 5 + key.pem: 6 + openssl genpkey -algorithm RSA -out key.pem -outform PEM 7 + 8 + certificate.pem: 9 + openssl req -new -x509 -days 3650 -key key.pem -out certificate.pem -subj '/CN=example.com/' -sha256 10 + 11 + test1.pem: 12 + openssl req -new -key key.pem -nodes -out test1.csr \ 13 + -subj '/CN=test1.example.com/' 14 + openssl x509 -req -days 3650 -in test1.csr -CA certificate.pem \ 15 + -CAkey key.pem -set_serial 10000 -out test1.pem 16 + openssl x509 -in test1.pem -noout -text 17 + 18 + request.der: 19 + openssl ocsp -issuer certificate.pem \ 20 + -cert test1.pem \ 21 + -no_nonce -reqout request.der 22 + openssl ocsp -reqin request.der -text 23 + 24 + response.der: 25 + openssl ocsp -index index.txt -rsigner certificate.pem \ 26 + -rkey key.pem -CA certificate.pem \ 27 + -reqin request.der -respout response.der 28 + openssl ocsp -respin response.der -CAfile certificate.pem -text 29 + 30 + *) 31 + 32 + let mmap file = 33 + let ic = open_in file in 34 + let ln = in_channel_length ic in 35 + let rs = Bytes.create ln in 36 + really_input ic rs 0 ln; 37 + close_in ic; 38 + Bytes.unsafe_to_string rs 39 + 40 + let data file = mmap ("./ocsp/" ^ file) 41 + 42 + let responder_cert = match Certificate.decode_pem (data "certificate.pem") with 43 + | Ok c -> c 44 + | Error _ -> assert false 45 + let responder_dn = Certificate.subject responder_cert 46 + let test1_serial = "\x27\x10" 47 + 48 + let responder_key = match Private_key.decode_pem (data "key.pem") with 49 + | Ok k -> k 50 + | Error _ -> assert false 51 + 52 + let cert_dn_testable = Alcotest.testable Distinguished_name.pp Distinguished_name.equal 53 + 54 + let test_request () = 55 + let open OCSP.Request in 56 + match decode_der (data "request.der") with 57 + | Error _ -> Alcotest.fail "could not decode OCSP request" 58 + | Ok request -> 59 + (* Fmt.pr "request=%a" pp request; *) 60 + (* TODO: verify *) 61 + match cert_ids request with 62 + | 
[certid] -> 63 + let serialNumber = OCSP.cert_id_serial certid in 64 + Alcotest.(check string __LOC__ test1_serial serialNumber) 65 + | _ -> Alcotest.fail "something wrong with OCSP request" 66 + 67 + let test_response () = 68 + let open OCSP.Response in 69 + match decode_der (data "response.der") with 70 + | Error e -> 71 + Alcotest.failf "could not decode OCSP response: %a" Asn.pp_error e 72 + | Ok response -> 73 + (* Fmt.pr "response=%a" pp response; *) 74 + (match validate response (Private_key.public responder_key) with 75 + | Ok () -> () 76 + | Error _ -> Alcotest.fail "cannot verify the signature of OCSP response"); 77 + let responder = match responder_id response with 78 + | Ok (`ByName r) -> r 79 + | Ok _ -> Alcotest.fail "expected responder identifyed by name" 80 + | Error (`Msg e) -> Alcotest.fail e 81 + in 82 + let response = match responses response with 83 + | Ok [r] -> r 84 + | Ok _ -> Alcotest.fail "must be exactly one response" 85 + | Error (`Msg e) -> Alcotest.fail e 86 + in 87 + let certid = single_response_cert_id response in 88 + let serialNumber = OCSP.cert_id_serial certid in 89 + Alcotest.(check string __LOC__ test1_serial serialNumber); 90 + Alcotest.(check cert_dn_testable __LOC__ responder responder_dn) 91 + 92 + let test_simple_responder () = 93 + match OCSP.Request.decode_der (data "request.der") with 94 + | Error _ -> Alcotest.fail "could not decode OCSP request" 95 + | Ok request -> 96 + let certids = OCSP.Request.cert_ids request in 97 + let now = Ptime_clock.now () in 98 + let response_logic cert_id = 99 + let serial = OCSP.cert_id_serial cert_id in 100 + let cert_status = 101 + if String.equal test1_serial serial then 102 + `Revoked (now, None) 103 + else 104 + `Good 105 + in 106 + OCSP.Response.create_single_response cert_id cert_status now 107 + in 108 + let responses = List.map response_logic certids in 109 + let responder_id = `ByName responder_dn in 110 + (* Fmt.pr "keytype = %a" Key_type.pp (Private_key.key_type 
responder_key); *) 111 + match OCSP.Response.create_success ~certs:[responder_cert] responder_key responder_id now responses with 112 + | Error (`Msg e) -> Alcotest.fail e 113 + | Ok resp -> 114 + match OCSP.Response.validate resp (Private_key.public responder_key) with 115 + | Ok () -> () 116 + | Error e -> 117 + let pp_e ppf = function 118 + | #Validation.signature_error as e -> X509.Validation.pp_signature_error ppf e 119 + | `No_signature -> Fmt.string ppf "no signature" 120 + | `Time_invalid -> Fmt.string ppf "time invalid" 121 + in 122 + Alcotest.failf "cannot verify the signature of OCSP response: %a" pp_e e 123 + 124 + let tests = [ 125 + "OpenSSL request", `Quick, test_request ; 126 + "OpenSSL response", `Quick, test_response ; 127 + "Simple OCSP responder", `Quick, test_simple_responder ; 128 + ]
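Review bot: `test_request` stops at comparing the serial number and leaves `(* TODO: verify *)` in place, so the "OpenSSL request" case only proves that `request.der` decodes. Either assert more of the decoded request or drop the TODO and say in the test name what is actually covered. Elsewhere in the file: the fixture loaders use `Error _ -> assert false`, which hides the decode error when a fixture is wrong; `mmap` does a plain `open_in` read of DER files, so `open_in_bin` and a name such as `read_file` would be more accurate; and the failure string "expected responder identifyed by name" has a typo ("identified").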
+14
vendor/opam/x509/tests/ocsp/certificate.pem
+1
vendor/opam/x509/tests/ocsp/index.txt
··· 1 + V 260517090452Z 2710 unknown /CN=test1.example.com/
+5
vendor/opam/x509/tests/ocsp/key.pem
··· 1 + -----BEGIN PRIVATE KEY----- 2 + MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAtmFgIVel9k9Ivp7S5Mlc 3 + adxdv3KvDHc1j787n4avTUpzk+Aj7g0zxen7UsBOk2q/EGbZbtVFsO4zdOvPqP1+ 4 + m94= 5 + -----END PRIVATE KEY-----
vendor/opam/x509/tests/ocsp/request.der

This is a binary file and will not be displayed.

vendor/opam/x509/tests/ocsp/response.der

This is a binary file and will not be displayed.

+11
vendor/opam/x509/tests/ocsp/test1.pem
+64
vendor/opam/x509/tests/pkcs12.ml
··· 1 + open X509 2 + 3 + let mmap file = 4 + let ic = open_in file in 5 + let ln = in_channel_length ic in 6 + let rs = Bytes.create ln in 7 + really_input ic rs 0 ln; 8 + close_in ic; 9 + Bytes.unsafe_to_string rs 10 + 11 + let data file = mmap ("./pkcs12/" ^ file) 12 + 13 + let cert = match Certificate.decode_pem (data "certificate.pem") with 14 + | Ok c -> c 15 + | Error _ -> assert false 16 + 17 + let key = match Private_key.decode_pem (data "key.pem") with 18 + | Ok k -> k 19 + | Error _ -> assert false 20 + 21 + let pass = "1234" 22 + 23 + let cert_and_key xs = 24 + match xs with 25 + | [ `Certificate c ; `Decrypted_private_key k ] -> 26 + Alcotest.(check bool __LOC__ true (c = cert && k = key)) 27 + | _ -> Alcotest.fail "expected certificate and key" 28 + 29 + let openssl1 () = 30 + match PKCS12.decode_der (data "ossl.p12") with 31 + | Error `Msg m -> Alcotest.fail ("failed to decode ossl.p12: " ^ m) 32 + | Ok data -> 33 + match PKCS12.verify pass data with 34 + | Ok xs -> cert_and_key xs 35 + | Error `Msg m -> Alcotest.fail ("failed to verify ossl.p12: " ^ m) 36 + 37 + let openssl2 () = 38 + match PKCS12.decode_der (data "ossl_aes.p12") with 39 + | Error _ -> Alcotest.fail "failed to decode ossl_aes.p12" 40 + | Ok data -> 41 + match PKCS12.verify pass data with 42 + | Ok xs -> cert_and_key xs 43 + | Error _ -> Alcotest.fail "failed to verify ossl_aes.p12" 44 + 45 + let ours () = 46 + match PKCS12.decode_der (data "ours.p12") with 47 + | Error _ -> Alcotest.fail "failed to decode ours.p12" 48 + | Ok data -> 49 + match PKCS12.verify pass data with 50 + | Ok xs -> cert_and_key xs 51 + | Error _ -> Alcotest.fail "failed to verify ours.p12" 52 + 53 + let roundtrip () = 54 + let p12 = PKCS12.create pass [ cert ] key in 55 + match PKCS12.verify pass p12 with 56 + | Ok xs -> cert_and_key xs 57 + | Error _ -> Alcotest.fail "failed roundtrip" 58 + 59 + let tests = [ 60 + "OpenSSL basic", `Quick, openssl1 ; 61 + "OpenSSL AES 256", `Quick, openssl2 ; 62 + "OCaml-X509 
AES 256", `Quick, ours ; 63 + "OCaml-X509 create and verify", `Quick, roundtrip ; 64 + ]
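Review bot: The tests list covers only the success path of PKCS12.verify: openssl1, openssl2, ours and roundtrip all pass the correct pass and expect Ok, so nothing here would catch a verify that accepts any password. Add a case that calls PKCS12.verify with a different password on the p12 built in roundtrip (or on ossl.p12) and expects Error. Separately, mmap reads the binary .p12 fixtures through open_in; open_in_bin avoids newline translation on platforms where text mode differs, and openssl2 and ours could report the `Msg text the way openssl1 does instead of discarding it.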
+14
vendor/opam/x509/tests/pkcs12/certificate.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICDDCCAW+gAwIBAgIIQcOa7kqxp9cwCgYIKoZIzj0EAwQwFjEUMBIGA1UEAwwL 3 + ZXhhbXBsZS5jb20wHhcNMjEwNDA0MTcwMTU3WhcNMjIwNDA0MTcwMTU3WjAWMRQw 4 + EgYDVQQDDAtleGFtcGxlLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAXIK 5 + VyKRhKOJjxXQtKJiTX9nM3lZs6qy632NYmG9BwJ74FidW1NYlT0eiN71nMHU9FOH 6 + BZ76AH0ISrbo3hjG7uFzAPMplhTwTlA7IcQoR8FOGjrN0w+H5YJZRtkfYU0hFETU 7 + F4quomVmbrxtcIgFRWLJdf7qciYYJyYc8ZlTZoHpZY02o2QwYjAdBgNVHQ4EFgQU 8 + nku+GxZTewB6/D2bJFQcOkBN4QMwDwYDVR0PAQH/BAUDAwfGADAPBgNVHRMBAf8E 9 + BTADAQH/MB8GA1UdIwQYMBaAFJ5LvhsWU3sAevw9myRUHDpATeEDMAoGCCqGSM49 10 + BAMEA4GKADCBhgJBfZBX4o5Df/fJUnzmQKo6KFFWlc70VkO3hXH6lUhVRLcT+Ame 11 + 6gJUjgYy65GryW4Tx/pFTI7tdX19UDm+kBvgv1sCQRIgxgt/eJ74VsRgt7Br3Smm 12 + px1uULyS4PIGBKT4O4C4bWS1wdzw8ZOlegss1+pkxYYrfJFNJYyBaqY0ScTpvE4F 13 + -----END CERTIFICATE----- 14 + ----
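Review bot: Line 14 of certificate.pem is a bare ---- after the -----END CERTIFICATE----- footer, which looks like a leftover rather than part of the fixture. If it is there on purpose to check that Certificate.decode_pem tolerates trailing text, say so next to the cert binding in the pkcs12 test; otherwise drop the line so the fixture is a clean single-certificate PEM.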
+5
vendor/opam/x509/tests/pkcs12/key.pem
··· 1 + -----BEGIN PRIVATE KEY----- 2 + MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAtmFgIVel9k9Ivp7S5Mlc 3 + adxdv3KvDHc1j787n4avTUpzk+Aj7g0zxen7UsBOk2q/EGbZbtVFsO4zdOvPqP1+ 4 + m94= 5 + -----END PRIVATE KEY-----
vendor/opam/x509/tests/pkcs12/ossl.p12

This is a binary file and will not be displayed.

vendor/opam/x509/tests/pkcs12/ossl_aes.p12

This is a binary file and will not be displayed.

vendor/opam/x509/tests/pkcs12/ours.p12

This is a binary file and will not be displayed.

+40
vendor/opam/x509/tests/priv.ml
··· 1 + open X509 2 + 3 + let pk_equal a b = 4 + String.equal 5 + Digestif.SHA256.(to_raw_string (digest_string (Private_key.encode_der a))) 6 + Digestif.SHA256.(to_raw_string (digest_string (Private_key.encode_der b))) 7 + 8 + let generate_rsa () = 9 + let seed = "Test1234" in 10 + let pk = Private_key.generate ~seed `RSA in 11 + let pk' = Result.get_ok (Private_key.of_string `RSA seed) in 12 + let pk'' = Result.get_ok (Private_key.of_string ~seed_or_data:`Seed `RSA seed) in 13 + Alcotest.(check bool "generate and of_string" true (pk_equal pk pk')); 14 + Alcotest.(check bool "generate and of_string ~seed" true (pk_equal pk pk'')); 15 + match Private_key.of_string ~seed_or_data:`Data `RSA seed with 16 + | Error _ -> () 17 + | Ok _ -> Alcotest.fail "expected failure (of_string `Data `RSA)" 18 + 19 + let b64_dec s = Base64.decode_exn s 20 + 21 + let test_ec (key_type, data) () = 22 + let pk = Result.get_ok (Private_key.of_octets (b64_dec data) key_type) in 23 + let pk' = Result.get_ok (Private_key.of_string key_type data) in 24 + let pk'' = Result.get_ok (Private_key.of_string ~seed_or_data:`Data key_type data) in 25 + Alcotest.(check bool "generate and of_string" true (pk_equal pk pk')); 26 + Alcotest.(check bool "generate and of_string ~data" true (pk_equal pk pk'')); 27 + match Private_key.of_string ~seed_or_data:`Seed key_type data with 28 + | Error _ -> Alcotest.fail "expected ok (of_string `Seed)" 29 + | Ok pk''' -> Alcotest.(check bool "generate and of_String ~seed" false (pk_equal pk pk''')) 30 + 31 + let ec_data = [ 32 + `ED25519, "W0p4c4tBHtSaTj4zij4oARCjhFbIi8voYg+65bl7wLU=" ; 33 + `P256, "arvDmHpdTdzbc0uo+KCXoArmrmAs2GAvfk14D8gi6gM=" ; 34 + `P384, "UEZz/xVx2f3s7W8/cFy/w38LkjAq0xfMYJiXamdwgW9zwSK18+vrhKzgE23sFnyq" ; 35 + `P521, "AVb4DIpMO5hzyfX1n4qi4xtj/JBDCTCwyOLasKnnVS6FHW2hEZbGwd1c2J4rwpNKZqTKNsKu3dVJAmlp3EFhqv5T" ; 36 + ] 37 + 38 + let tests = 39 + ("Generate RSA", `Quick, generate_rsa) :: 40 + List.map (fun d -> Key_type.to_string (fst d), `Quick, 
test_ec d) ec_data
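Review bot: generate_rsa and test_ec depend on Private_key.of_string choosing a different default for seed_or_data per key type, and nothing in the file says so: for `RSA the unlabelled call must equal the ~seed_or_data:`Seed result, while in test_ec the unlabelled call must equal the ~seed_or_data:`Data result. Add a short comment stating that default, since a caller who assumes one behaviour for all key types ends up with a different key than intended. The check labels in test_ec are also copied from the RSA test ("generate and of_string", "generate and of_String ~seed") although no key is generated there and the last check expects false; rename them to say what is being compared.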
+412
vendor/opam/x509/tests/regression.ml
··· 1 + open X509 2 + 3 + let mmap file = 4 + let ic = open_in file in 5 + let ln = in_channel_length ic in 6 + let rs = Bytes.create ln in 7 + really_input ic rs 0 ln; 8 + close_in ic; 9 + Bytes.unsafe_to_string rs 10 + 11 + let regression file = 12 + mmap ("./regression/" ^ file ^ ".pem") 13 + 14 + let cert file = 15 + match Certificate.decode_pem (regression file) with 16 + | Ok cert -> cert 17 + | Error (`Msg m) -> Alcotest.failf "certificate %s decoding error %s" file m 18 + 19 + let jc = cert "jabber.ccc.de" 20 + let cacert = cert "cacert" 21 + 22 + let time () = None 23 + 24 + let host str = Some (Domain_name.host_exn (Domain_name.of_string_exn str)) 25 + 26 + let test_jc_jc () = 27 + match Validation.verify_chain_of_trust ~host:(host "jabber.ccc.de") ~time ~anchors:[jc] [jc] with 28 + | Error `InvalidChain -> () 29 + | Error e -> Alcotest.failf "something went wrong with jc_jc (expected invalid_chain, got %a" 30 + Validation.pp_validation_error e 31 + | Ok _ -> Alcotest.fail "chain validated when it shouldn't" 32 + 33 + let test_jc_ca_fail () = 34 + match Validation.verify_chain_of_trust ~host:(host "jabber.ccc.de") ~time ~anchors:[cacert] [jc ; cacert] with 35 + | Error `InvalidChain -> () 36 + | _ -> Alcotest.fail "something went wrong with jc_ca" 37 + 38 + let test_jc_ca_all_hashes () = 39 + match Validation.verify_chain_of_trust ~allowed_hashes:[`SHA1] ~host:(host "jabber.ccc.de") ~time ~anchors:[cacert] [jc ; cacert] with 40 + | Ok _ -> () 41 + | _ -> Alcotest.fail "something went wrong with jc_ca" 42 + 43 + let telesec = cert "telesec" 44 + let jfd = [ cert "jabber.fu-berlin.de" ; cert "fu-berlin" ; cert "dfn" ] 45 + 46 + let test_jfd_ca () = 47 + match Validation.verify_chain_of_trust ~host:(host "jabber.fu-berlin.de") ~time ~anchors:[telesec] (jfd@[telesec]) with 48 + | Ok _ -> () 49 + | _ -> Alcotest.fail "something went wrong with jfd_ca" 50 + 51 + let test_jfd_ca' () = 52 + match Validation.verify_chain_of_trust ~host:(host "jabber.fu-berlin.de") 
~time ~anchors:[telesec] jfd with 53 + | Ok _ -> () 54 + | _ -> Alcotest.fail "something went wrong with jfd_ca'" 55 + 56 + let test_izenpe () = 57 + let crt = cert "izenpe" in 58 + let _, san = Extension.(get Subject_alt_name (Certificate.extensions crt)) in 59 + Alcotest.(check int "two SAN (mail + dir)" 2 (General_name.cardinal san)); 60 + Alcotest.(check (list string) "mail in SAN is correct" [ "info@izenpe.com" ] 61 + General_name.(get Rfc_822 san)); 62 + let dir = General_name.(get Directory san) in 63 + Alcotest.(check int "directory san len is 1" 1 (List.length dir)); 64 + let data = Fmt.to_to_string Distinguished_name.pp (List.hd dir) in 65 + let expected = "/O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/Street=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz" in 66 + Alcotest.(check string "directory in SAN is correct" expected data) 67 + 68 + let test_name_constraints () = 69 + ignore (cert "name-constraints") 70 + 71 + let check_dn = 72 + (module Distinguished_name: Alcotest.TESTABLE with type t = Distinguished_name.t) 73 + 74 + let test_distinguished_name () = 75 + let open Distinguished_name in 76 + let crt = cert "PostaCARoot" in 77 + let expected = [ 78 + Relative_distinguished_name.singleton (DC "rs") ; 79 + Relative_distinguished_name.singleton (DC "posta") ; 80 + Relative_distinguished_name.singleton (DC "ca") ; 81 + Relative_distinguished_name.singleton (CN "Configuration") ; 82 + Relative_distinguished_name.singleton (CN "Services") ; 83 + Relative_distinguished_name.singleton (CN "Public Key Services") ; 84 + Relative_distinguished_name.singleton (CN "AIA") ; 85 + Relative_distinguished_name.singleton (CN "Posta CA Root") 86 + ] in 87 + Alcotest.(check check_dn "complex issuer is good" 88 + expected (Certificate.issuer crt)) ; 89 + Alcotest.(check check_dn "complex subject is good" 90 + expected (Certificate.subject crt)) 91 + 92 + let test_distinguished_name_pp () = 93 + let module Dn = struct 94 + include 
Distinguished_name 95 + let cn s = Relative_distinguished_name.singleton (CN s) 96 + let o s = Relative_distinguished_name.singleton (O s) 97 + let initials s = Relative_distinguished_name.singleton (Initials s) 98 + let (+) = Relative_distinguished_name.union 99 + end in 100 + let dn1 = "DN1", Dn.[o "Blanc"; 101 + cn "John Doe" + initials "J.D." + initials "N.N."] in 102 + let dn2 = "DN2", Dn.[o " Escapist"; cn "# 2"; cn " \"+,;/<>\\ "] in 103 + let pp1 = "RFC4514", Fmt.hbox (Dn.make_pp ~format:`RFC4514 ()) in 104 + let pp2 = "RFC4514-spacy", 105 + Fmt.hbox (Dn.make_pp ~format:`RFC4514 ~spacing:`Loose ()) in 106 + let pp3 = "OpenSSL", Fmt.hbox (Dn.make_pp ~format:`OpenSSL ()) in 107 + let pp4 = "OSF", Fmt.hbox (Dn.make_pp ~format:`OSF ()) in 108 + let pp5 = "RFC4514-vbox", Fmt.vbox (Dn.make_pp ~format:`RFC4514 ()) in 109 + let check (pp_desc, pp) (dn_desc, dn) expected = 110 + Alcotest.(check string) (Printf.sprintf "%s %s" pp_desc dn_desc) 111 + expected (Fmt.to_to_string pp dn) 112 + in 113 + check pp1 dn1 {|CN=John Doe+Initials=J.D.+Initials=N.N.,O=Blanc|} ; 114 + check pp1 dn2 {|CN=\ \"\+\,\;/\<\>\\ \ ,CN=\# 2,O=\ Escapist|} ; 115 + check pp2 dn1 {|CN = John Doe + Initials = J.D. + Initials = N.N., O = Blanc|} ; 116 + check pp2 dn2 {|CN = \ \"\+\,\;/\<\>\\ \ , CN = \# 2, O = \ Escapist|} ; 117 + check pp3 dn1 {|O = Blanc, CN = John Doe + Initials = J.D. 
+ Initials = N.N.|} ; 118 + check pp3 dn2 {|O = \ Escapist, CN = \# 2, CN = \ \"\+\,\;/\<\>\\ \ |} ; 119 + check pp4 dn1 {|/O=Blanc/CN=John Doe+Initials=J.D.+Initials=N.N.|} ; 120 + check pp4 dn2 {|/O=\ Escapist/CN=\# 2/CN=\ \"\+,;\/\<\>\\ \ |} ; 121 + check pp5 dn1 "CN=John Doe+\nInitials=J.D.+\nInitials=N.N.,\nO=Blanc" 122 + 123 + let test_yubico () = 124 + ignore (cert "yubico") 125 + 126 + let test_frac_s () = 127 + let file = "until_frac_s" in 128 + match Certificate.decode_pem (regression file) with 129 + | Ok _ -> Alcotest.failf "certificate %s, expected decoding error" file 130 + | Error (`Msg _) -> () 131 + 132 + let decode_valid_pem file = 133 + let data = regression file in 134 + match Private_key.decode_pem data with 135 + | Ok _ -> () 136 + | Error (`Msg _) -> 137 + Alcotest.failf "private key %s failed to be verified" file 138 + 139 + let test_gcloud_key () = 140 + (* discussion in https://github.com/mirage/mirage-crypto/issues/62 *) 141 + let file = "gcloud" in 142 + decode_valid_pem file 143 + 144 + let test_openssl_2048_key () = 145 + (* this key has a d > lcm (p - 1) (q - 1) *) 146 + let file = "openssl_2048" in 147 + decode_valid_pem file 148 + 149 + let ed25519_priv = 150 + Ohex.decode "D4EE72DBF913584AD5B6D8F1F769F8AD3AFE7C28CBF1D4FBE097A88F44755842" 151 + 152 + let ed25519_priv_key () = 153 + let data = 154 + {|-----BEGIN PRIVATE KEY----- 155 + MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC 156 + -----END PRIVATE KEY----- 157 + |} 158 + in 159 + match Private_key.decode_pem data with 160 + | Ok (`ED25519 k as ke) when String.equal ed25519_priv (Mirage_crypto_ec.Ed25519.priv_to_octets k) -> 161 + let encoded = Private_key.encode_pem ke in 162 + if not (String.equal encoded data) then 163 + Alcotest.failf "ED25519 encoding failed" 164 + | Ok (`ED25519 _) -> Alcotest.failf "wrong ED25519 private key" 165 + | Ok _ | Error (`Msg _) -> Alcotest.failf "ED25519 private key decode failure" 166 + 167 + let ed25519_pub_key () = 168 + 
let data = 169 + {|-----BEGIN PUBLIC KEY----- 170 + MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE= 171 + -----END PUBLIC KEY----- 172 + |} 173 + and pub = 174 + match Mirage_crypto_ec.Ed25519.priv_of_octets ed25519_priv with 175 + | Error _ -> Alcotest.fail "couldn't decode private Ed25519 key" 176 + | Ok p -> 177 + match Private_key.public (`ED25519 p) with 178 + | `ED25519 p -> p 179 + | _ -> Alcotest.fail "couldn't convert private Ed25519 key to public" 180 + in 181 + let to_cs = Mirage_crypto_ec.Ed25519.pub_to_octets in 182 + match Public_key.decode_pem data with 183 + | Ok (`ED25519 k) when String.equal (to_cs pub) (to_cs k) -> 184 + let encoded = Public_key.encode_pem (`ED25519 k) in 185 + if not (String.equal encoded data) then 186 + Alcotest.failf "ED25519 public key encoding failure" 187 + | _ -> Alcotest.failf "bad ED25519 public key" 188 + 189 + let p384_key () = 190 + let priv_data = {|-----BEGIN PRIVATE KEY----- 191 + MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDzBTbwp91ON4CNuDE+ 192 + pjKsehNV7I3eTpyKpMlSUqHAguO8hK+t28A/730TP2L0rPyhZANiAATZbEoUICtu 193 + yXyN4G6DDHaUHwwe2bfcsTvY9LnlLCPvu24JTuGjf7pT2faiuvjGb49jk8C2KJWt 194 + 0DISTEJ945y41DY0cIPl1okaN+E3yJ66kKpJ0XeKoOJ0rTTopazzjzI= 195 + -----END PRIVATE KEY----- 196 + |} 197 + and pub_data = {|-----BEGIN PUBLIC KEY----- 198 + MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2WxKFCArbsl8jeBugwx2lB8MHtm33LE7 199 + 2PS55Swj77tuCU7ho3+6U9n2orr4xm+PY5PAtiiVrdAyEkxCfeOcuNQ2NHCD5daJ 200 + GjfhN8ieupCqSdF3iqDidK006KWs848y 201 + -----END PUBLIC KEY----- 202 + |} 203 + in 204 + match 205 + Private_key.decode_pem priv_data, 206 + Public_key.decode_pem pub_data 207 + with 208 + | Ok (`P384 priv), Ok (`P384 pub) -> 209 + let to_cs = Mirage_crypto_ec.P384.Dsa.pub_to_octets in 210 + let pub' = Mirage_crypto_ec.P384.Dsa.pub_of_priv priv in 211 + Alcotest.(check bool __LOC__ true (String.equal (to_cs pub) (to_cs pub'))); 212 + let pub_data' = Public_key.encode_pem (`P384 pub) in 213 + Alcotest.(check bool __LOC__ true 
214 + (String.equal pub_data pub_data')); 215 + let priv_data' = Private_key.encode_pem (`P384 priv) in 216 + begin match Private_key.decode_pem priv_data' with 217 + | Ok (`P384 priv) -> 218 + let pub' = Mirage_crypto_ec.P384.Dsa.pub_of_priv priv in 219 + Alcotest.(check bool __LOC__ true 220 + (String.equal (to_cs pub) (to_cs pub'))) 221 + | _ -> Alcotest.failf "cannot decode re-encoded P384 private key" 222 + end 223 + | _ -> Alcotest.failf "bad P384 key" 224 + 225 + let ed25519_cert () = 226 + let file = "example-25519" in 227 + match Certificate.decode_pem (regression file) with 228 + | Error (`Msg msg) -> 229 + Alcotest.failf "ED25519 certificate %s, decoding error %s" file msg 230 + | Ok cert -> 231 + match Validation.valid_ca cert with 232 + | Error e -> 233 + Alcotest.failf "verifying 25519 ca certificate failed %a" 234 + Validation.pp_ca_error e 235 + | Ok () -> 236 + match Validation.verify_chain ~host:(host "www.example.com") ~time ~anchors:[cert] [cert] with 237 + | Ok _ -> () 238 + | Error e -> 239 + Alcotest.failf "verifying 25519 certificate failed %a" 240 + Validation.pp_chain_error e 241 + 242 + let le_p384_root () = 243 + let file = "letsencrypt-root-x2" in 244 + match Certificate.decode_pem (regression file) with 245 + | Error (`Msg msg) -> 246 + Alcotest.failf "let's encrypt P384 certificate %s, decoding error %s" 247 + file msg 248 + | Ok cert -> 249 + match Validation.valid_ca cert with 250 + | Error e -> 251 + Alcotest.failf "verifying P384 ca certificate failed %a" 252 + Validation.pp_ca_error e 253 + | Ok () -> () 254 + 255 + let p256_key () = 256 + let file = "priv_p256" in 257 + match Private_key.decode_pem (regression file) with 258 + | Error (`Msg msg) -> 259 + Alcotest.failf "private P256 key %s decoding error %s" file msg 260 + | Ok _ -> () 261 + 262 + let ip_address () = 263 + let c = cert "1.1.1.1" in 264 + let ta = cert "digicert" in 265 + match 266 + Validation.verify_chain ~ip:(Ipaddr.of_string_exn "1.1.1.1") 267 + ~host:None 
~time:(fun () -> None) ~anchors:[ta] [c] 268 + with 269 + | Ok _ -> () 270 + | Error ce -> Alcotest.failf "validation of IP address failed: %a" 271 + Validation.pp_chain_error ce 272 + 273 + let alternate_sha1rsa_oid () = 274 + let file = "alternate-sha1rsa-oid" in 275 + match Certificate.decode_pem (regression file) with 276 + | Error (`Msg msg) -> 277 + Alcotest.failf "alternate SHA1RSA OID certificate %s, decoding error %s" file msg 278 + | Ok _cert -> () 279 + 280 + let p256_sha384 () = 281 + let file = "p256_sha384" in 282 + match Certificate.decode_pem (regression file) with 283 + | Error (`Msg msg) -> 284 + Alcotest.failf "P256 certificate with SHA384 %s, decoding error %s" 285 + file msg 286 + | Ok cert -> 287 + match Validation.valid_ca cert with 288 + | Error e -> 289 + Alcotest.failf "verifying P256 certificate failed %a" 290 + Validation.pp_ca_error e 291 + | Ok () -> () 292 + 293 + let rsa_pub () = 294 + let file = "rsa_pub" in 295 + let data = regression file in 296 + match Public_key.decode_pem data with 297 + | Error (`Msg msg) -> 298 + Alcotest.failf "RSA public key %s, decoding error %s" file msg 299 + | Ok pub -> 300 + let pem = Public_key.encode_pem pub in 301 + Alcotest.(check string "PEM encoding of RSA public key is identical" 302 + data pem) 303 + 304 + let rsa_priv () = 305 + let file = "rsa_priv" in 306 + let data = regression file in 307 + match Private_key.decode_pem data with 308 + | Error (`Msg msg) -> 309 + Alcotest.failf "RSA private key %s, decoding error %s" file msg 310 + | Ok priv -> 311 + let pem = Private_key.encode_pem priv in 312 + Alcotest.(check string "PEM encoding of RSA private key is identical" 313 + data pem); 314 + let pub = regression "rsa_pub" in 315 + Alcotest.(check string "PEM encoding of RSA public key (derived from private key) is identical" 316 + pub (Public_key.encode_pem (Private_key.public priv))) 317 + 318 + let ec_pub file () = 319 + let data = regression file in 320 + match Public_key.decode_pem data 
with 321 + | Error (`Msg msg) -> 322 + Alcotest.failf "EC public key %s, decoding error %s" file msg 323 + | Ok pub -> 324 + let pem = Public_key.encode_pem pub in 325 + Alcotest.(check string "PEM encoding of EC public key is identical" 326 + data pem) 327 + 328 + let ec_priv file pub_file () = 329 + let data = regression file in 330 + match Private_key.decode_pem data with 331 + | Error (`Msg msg) -> 332 + Alcotest.failf "EC private key %s, decoding error %s" file msg 333 + | Ok priv -> 334 + let pem = Private_key.encode_pem priv in 335 + Alcotest.(check string "PEM encoding of EC private key is identical" 336 + data pem); 337 + let pub = regression pub_file in 338 + Alcotest.(check string "PEM encoding of EC public key (derived from private key) is identical" 339 + pub (Public_key.encode_pem (Private_key.public priv))) 340 + 341 + let regression_tests = [ 342 + "RSA: key too small (jc_jc)", `Quick, test_jc_jc ; 343 + "jc_ca", `Quick, test_jc_ca_fail ; 344 + "jc_ca", `Quick, test_jc_ca_all_hashes ; 345 + "jfd_ca", `Quick, test_jfd_ca ; 346 + "jfd_ca'", `Quick, test_jfd_ca' ; 347 + "SAN dir explicit or implicit", `Quick, test_izenpe ; 348 + "name constraint parsing (DNS: .gr)", `Quick, test_name_constraints ; 349 + "complex distinguished name", `Quick, test_distinguished_name ; 350 + "distinguished name pp", `Quick, test_distinguished_name_pp ; 351 + "algorithm without null", `Quick, test_yubico ; 352 + "valid until generalized_time with fractional seconds", `Quick, test_frac_s ; 353 + "parse valid key where 1 <> d * e mod (p - 1) * (q - 1)", `Quick, test_gcloud_key ; 354 + "parse valid key where d <> e ^ -1 mod lcm ((p - 1) (q - 1))", `Quick, test_openssl_2048_key ; 355 + "ed25519 private key", `Quick, ed25519_priv_key ; 356 + "ed25519 public key", `Quick, ed25519_pub_key ; 357 + "p384 key", `Quick, p384_key ; 358 + "ed25519 certificate", `Quick, ed25519_cert ; 359 + "p384 certificate", `Quick, le_p384_root ; 360 + "p256 key", `Quick, p256_key ; 361 + 
"ip_address", `Quick, ip_address ; 362 + "alternative SHA1RSA OID", `Quick, alternate_sha1rsa_oid; 363 + "p256 with sha384", `Quick, p256_sha384 ; 364 + "rsa public key", `Quick, rsa_pub ; 365 + "rsa private key", `Quick, rsa_priv ; 366 + ] @ List.flatten (List.map (fun file -> 367 + [ "public " ^ file, `Quick, ec_pub ("pub_" ^ file) ; 368 + "private " ^ file, `Quick, ec_priv ("priv_" ^ file) ("pub_" ^ file) 369 + ]) [ "p521" ; "p384" ; "p256_2" ]) 370 + 371 + let host_set_test = 372 + let module M = struct 373 + type t = Host.Set.t 374 + let pp ppf hs = 375 + let pp_one ppf (typ, name) = 376 + Fmt.pf ppf "%s%a" 377 + (match typ with `Strict -> "" | `Wildcard -> "*.") 378 + Domain_name.pp name 379 + in 380 + Fmt.(list ~sep:(any ", ") pp_one) ppf (Host.Set.elements hs) 381 + let equal = Host.Set.equal 382 + end in (module M: Alcotest.TESTABLE with type t = M.t) 383 + 384 + let cert_hostnames cert names () = 385 + Alcotest.check host_set_test __LOC__ (Certificate.hostnames cert) names 386 + 387 + let csr file = 388 + let data = mmap ("./csr/" ^ file ^ ".pem") in 389 + match Signing_request.decode_pem data with 390 + | Ok csr -> csr 391 + | Error (`Msg m) -> 392 + Alcotest.failf "signing request %s decoding error %s" file m 393 + 394 + let csr_hostnames cert names () = 395 + Alcotest.check host_set_test __LOC__ (Signing_request.hostnames cert) names 396 + 397 + let host_set xs = 398 + Host.Set.of_list 399 + (List.map (fun n -> `Strict, Domain_name.(host_exn (of_string_exn n))) xs) 400 + 401 + let hostname_tests = [ 402 + "cacert hostnames", `Quick, cert_hostnames cacert Host.Set.empty; 403 + "izenpe hostnames", `Quick, cert_hostnames (cert "izenpe") (host_set ["izenpe.com"]); 404 + "jabber.ccc.de hostnames", `Quick, cert_hostnames jc (host_set [ "jabber.ccc.de" ; "conference.jabber.ccc.de" ; "jabberd.jabber.ccc.de" ; "pubsub.jabber.ccc.de" ; "vjud.jabber.ccc.de" ]); 405 + "jaber.fu-berlin.de hostnames", `Quick, cert_hostnames (cert "jabber.fu-berlin.de") (host_set [ 
"jabber.fu-berlin.de" ; "conference.jabber.fu-berlin.de" ; "proxy.jabber.fu-berlin.de" ; "echo.jabber.fu-berlin.de" ; "file.jabber.fu-berlin.de" ; "jitsi-videobridge.jabber.fu-berlin.de" ; "multicast.jabber.fu-berlin.de" ; "pubsub.jabber.fu-berlin.de" ]); 406 + "pads.ccc.de hostnames", `Quick, cert_hostnames (cert "pads.ccc.de") (Host.Set.add (`Wildcard, Domain_name.(host_exn (of_string_exn "pads.ccc.de"))) (host_set ["pads.ccc.de"])); 407 + "first hostnames", `Quick, cert_hostnames (cert "../testcertificates/first/first") (host_set ["foo.foobar.com"; "foobar.com"]); 408 + "CSR your_new_domain hostnames", `Quick, csr_hostnames (csr "your-new-domain") (host_set ["your-new-domain.com" ; "www.your-new-domain.com"]); 409 + "CSR your_new_domain_raw hostnames", `Quick, csr_hostnames (csr "your-new-domain-raw") (host_set ["your-new-domain.com" ; "www.your-new-domain.com"]); 410 + "CSR bar.com hostnames", `Quick, csr_hostnames (csr "wild-bar") (Host.Set.add (`Wildcard, Domain_name.(host_exn (of_string_exn "bar.com"))) (host_set ["your-new-domain.com" ; "www.your-new-domain.com"])); 411 + "CSR foo.com hostnames", `Quick, csr_hostnames (csr "wild-foo-cn") (Host.Set.singleton (`Wildcard, Domain_name.(host_exn (of_string_exn "foo.com")))); 412 + ]
+32
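Review bot: In regression_tests of tests/regression.ml, test_jc_ca_fail and test_jc_ca_all_hashes are both registered as "jc_ca" and both fail with "something went wrong with jc_ca" from a catch-all | _ -> branch, so a failing run cannot say which case broke or which error verify_chain_of_trust returned. Give them distinct names (for example one that mentions ~allowed_hashes:[`SHA1]) and print the error with Validation.pp_validation_error as test_jc_jc does. A comment on why time always returns None would also help, since every chain test in the file validates without a fixed reference time, and the test name "jaber.fu-berlin.de hostnames" has a typo.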
vendor/opam/x509/tests/regression/1.1.1.1.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIFhjCCBQ2gAwIBAgIQBQdvZtEbaSJWzKzVRv/sUzAKBggqhkjOPQQDAzBWMQsw 3 + CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp 4 + Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjEwMTExMDAw 5 + MDAwWhcNMjIwMTE4MjM1OTU5WjByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs 6 + aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRm 7 + bGFyZSwgSW5jLjEbMBkGA1UEAxMSY2xvdWRmbGFyZS1kbnMuY29tMFkwEwYHKoZI 8 + zj0CAQYIKoZIzj0DAQcDQgAEF60f6DWvcNONnJ5k/UceW5cMCtEQqCYyETZmTRKZ 9 + w+Exu/UhY3PdpcHBoPBtpMRe4cLb2vkNNIAa97ngOvLVdKOCA58wggObMB8GA1Ud 10 + IwQYMBaAFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBThtvwG+bmLBfTB 11 + 4kibArkLwbU9eTCBpgYDVR0RBIGeMIGbghJjbG91ZGZsYXJlLWRucy5jb22CFCou 12 + Y2xvdWRmbGFyZS1kbnMuY29tgg9vbmUub25lLm9uZS5vbmWHBAEBAQGHBAEAAAGH 13 + BKKfJAGHBKKfLgGHECYGRwBHAAAAAAAAAAAAERGHECYGRwBHAAAAAAAAAAAAEAGH 14 + ECYGRwBHAAAAAAAAAAAAAGSHECYGRwBHAAAAAAAAAAAAZAAwDgYDVR0PAQH/BAQD 15 + AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBlwYDVR0fBIGPMIGM 16 + MESgQqBAhj5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJy 17 + aWRFQ0NTSEEzODQyMDIwQ0ExLmNybDBEoEKgQIY+aHR0cDovL2NybDQuZGlnaWNl 18 + cnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAyMENBMS5jcmwwSwYD 19 + VR0gBEQwQjA2BglghkgBhv1sAQEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5k 20 + aWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsG 21 + AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0 22 + dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NI 23 + QTM4NDIwMjBDQTEuY3J0MAwGA1UdEwEB/wQCMAAwggEEBgorBgEEAdZ5AgQCBIH1 24 + BIHyAPAAdgApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAXby6BKo 25 + AAAEAwBHMEUCIQDRsvaM+FOVneTUUwY0ggKKCuqKp7wnHvtWHtEUZB+uZwIgJbGG 26 + 3Rsq548BxED2wxZ4q2G/9jo0/EeIEwdl9GC7NEIAdgAiRUUHWVUkVpY/oS/x922G 27 + 4CMmY63AS39dxoNcbuIPAgAAAXby6BMPAAAEAwBHMEUCIQCV3RpnSizsrJ1vi/48 28 + /qT1PoclZYI3N51mveRdD2gkWQIgdWX+MLuAa8ziuKGIlqjoAiaOvs/4IfqthaAN 29 + h6HW8TQwCgYIKoZIzj0EAwMDZwAwZAIwJMLPbL32rtHJ1R9KdC48PdHAPtzXG9OU 30 + 
cVv+pYYWJoIBItMKbvyYtdLiueUHaXeWAjBFe2+Cpn22YsMxhdW1NV1PTISIrBoA 31 + PQyEQNywp8ocEycVHjf5RsOu2f35uSOLfyo= 32 + -----END CERTIFICATE-----
+41
vendor/opam/x509/tests/regression/PostaCARoot.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIHHzCCBgegAwIBAgIESPx+9TANBgkqhkiG9w0BAQUFADCBrjESMBAGCgmSJomT 3 + 8ixkARkWAnJzMRUwEwYKCZImiZPyLGQBGRYFcG9zdGExEjAQBgoJkiaJk/IsZAEZ 4 + FgJjYTEWMBQGA1UEAxMNQ29uZmlndXJhdGlvbjERMA8GA1UEAxMIU2VydmljZXMx 5 + HDAaBgNVBAMTE1B1YmxpYyBLZXkgU2VydmljZXMxDDAKBgNVBAMTA0FJQTEWMBQG 6 + A1UEAxMNUG9zdGEgQ0EgUm9vdDAeFw0wODEwMjAxMjIyMDhaFw0yODEwMjAxMjUy 7 + MDhaMIGuMRIwEAYKCZImiZPyLGQBGRYCcnMxFTATBgoJkiaJk/IsZAEZFgVwb3N0 8 + YTESMBAGCgmSJomT8ixkARkWAmNhMRYwFAYDVQQDEw1Db25maWd1cmF0aW9uMREw 9 + DwYDVQQDEwhTZXJ2aWNlczEcMBoGA1UEAxMTUHVibGljIEtleSBTZXJ2aWNlczEM 10 + MAoGA1UEAxMDQUlBMRYwFAYDVQQDEw1Qb3N0YSBDQSBSb290MIIBIjANBgkqhkiG 11 + 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqPK9iL7Ar0S+m0qiYxzWVqsdKbIcqhUeRdGs 12 + naBh1TX55FqDNmND3jhXFfzwlGL0B4BXg1eosxW8+00jeF/a9seBFr6r3+fcg1Nz 13 + K7bdY4iNRfMN3X2/6IiwZsFDXTfSbaGcmkbDsz/QwqCKlC6DpjzDYL0szB6LY4J2 14 + QSjkFWtcDGE5VThByshm6Me4l1IQJnC3B7cJHqYTXq6ZWiZvZD3sxNOluVx2ZK1j 15 + fYiD4kvMDd7UxtMIQvVbF/Vx4ZEtA5+eHNyLcqToR2QQh2Qwc9jytPFXJpNXy7bH 16 + DYiLHc8FMF0E1nY36CAyV78PnDPGCIz2tMKpBrBbMKEeLRK6PwIDAQABo4IDQTCC 17 + Az0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgboGA1UdIASBsjCB 18 + rzCBrAYLKwYBBAH6OAoKAQEwgZwwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cuY2Eu 19 + cG9zdGEucnMvZG9rdW1lbnRhY2lqYTBoBggrBgEFBQcCAjBcGlpPdm8gamUgZWxl 20 + a3Ryb25za2kgc2VydGlmaWthdCBST09UIENBIHNlcnZlcmEgU2VydGlmaWthY2lv 21 + bm9nIHRlbGEgUG9zdGU6ICJQb3N0YSBDQSBSb290Ii4wEQYJYIZIAYb4QgEBBAQD 22 + AgAHMIIBvAYDVR0fBIIBszCCAa8wgcmggcaggcOkgcAwgb0xEjAQBgoJkiaJk/Is 23 + ZAEZFgJyczEVMBMGCgmSJomT8ixkARkWBXBvc3RhMRIwEAYKCZImiZPyLGQBGRYC 24 + Y2ExFjAUBgNVBAMTDUNvbmZpZ3VyYXRpb24xETAPBgNVBAMTCFNlcnZpY2VzMRww 25 + GgYDVQQDExNQdWJsaWMgS2V5IFNlcnZpY2VzMQwwCgYDVQQDEwNBSUExFjAUBgNV 26 + BAMTDVBvc3RhIENBIFJvb3QxDTALBgNVBAMTBENSTDEwgeCggd2ggdqGgaNsZGFw 27 + Oi8vbGRhcC5jYS5wb3N0YS5ycy9jbj1Qb3N0YSUyMENBJTIwUm9vdCxjbj1BSUEs 28 + Y249UHVibGljJTIwS2V5JTIwU2VydmljZXMsY249U2VydmljZXMsY249Q29uZmln 29 + dXJhdGlvbixkYz1jYSxkYz1wb3N0YSxkYz1ycz9jZXJ0aWZpY2F0ZVJldm9jYXRp 30 + 
b25MaXN0JTNCYmluYXJ5hjJodHRwOi8vc2VydGlmaWthdGkuY2EucG9zdGEucnMv 31 + Y3JsL1Bvc3RhQ0FSb290LmNybDArBgNVHRAEJDAigA8yMDA4MTAyMDEyMjIwOFqB 32 + DzIwMjgxMDIwMTI1MjA4WjAfBgNVHSMEGDAWgBTyy43iNe8QQ8Tae8r664kDoSKv 33 + uDAdBgNVHQ4EFgQU8suN4jXvEEPE2nvK+uuJA6Eir7gwHQYJKoZIhvZ9B0EABBAw 34 + DhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4IBAQBwRqHI5BcFZg+d4kMx 35 + SB2SkBnEhQGFFm74ks57rlIWxJeNCih91cts49XlDjJPyGgtNAg9c6iTQikzRgxE 36 + Z/HQmpxpAeWR8Q3JaTwzS04Zk2MzBSkhodj/PlSrnvahegLX3P+lPlR4+dPByhKV 37 + +YmeFOLyoUSyy+ktdTXMllW7OAuIJtrWrO/TUqILSzpT2ksiU8zKKiSaYqrEMpp+ 38 + 3MzBsmzNj9m0wM/1AsCMK4RbG0C8ENBQ4WHWZlaaBJGl49W9oC4igbHZONrkqIdf 39 + PEYElt7Jmju/rXhsHUlJtGm5cA8Fkla2/a+u+CAtRyPPthzNxJuATvm/McBUvrsx 40 + f/M+ 41 + -----END CERTIFICATE-----
+12
vendor/opam/x509/tests/regression/alternate-sha1rsa-oid.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIBwjCCAS+gAwIBAgIQj2d4hVEz0L1DYFVhA9CxCzAJBgUrDgMCHQUAMA8xDTAL 3 + BgNVBAMTBFZQUzEwHhcNMDcwODE4MDkyODUzWhcNMDgwODE3MDkyODUzWjAPMQ0w 4 + CwYDVQQDEwRWUFMxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaqKn40uaU 5 + DbFL1NXXZ8/b4ZqDJ6eSI5lysMZHfZDs60G3ocbNKofBvURIutabrFuBCB2S5f/z 6 + ICan0LR4uFpGuZ2I/PuVaU8X5fT8gBh7L636cWzHPPScYts00OyywEq381UB7XwX 7 + YuWpM5kUW5rkbq1JV3ystTR/4YnLl48YtQIDAQABoycwJTATBgNVHSUEDDAKBggr 8 + BgEFBQcDATAOBgNVHQ8EBwMFALAAAAAwCQYFKw4DAh0FAAOBgQBuUrU+J2Z5WKcO 9 + VNjJHFUKo8qpbn8jKQZDl2nvVaXCTXQZblz/qxOm4FaGGzJ/m3GybVZNVfdyHg+U 10 + lmDpFpOITkvcyNc3xjJCf2GVBo/VvdtVt7Myq0IQtAi/CXRK22BRNhSt9uu2EcRu 11 + HIXdFWHEzi6eD4PpNw/0X3ID6Gxk4A== 12 + -----END CERTIFICATE-----
+41
vendor/opam/x509/tests/regression/cacert.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 3 + IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB 4 + IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA 5 + Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO 6 + BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi 7 + MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ 8 + ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC 9 + CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 10 + 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 11 + zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y 12 + fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 13 + w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc 14 + G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k 15 + epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q 16 + laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ 17 + QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU 18 + fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 19 + YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w 20 + ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY 21 + gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe 22 + MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 23 + IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy 24 + dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw 25 + czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 26 + dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl 27 + aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC 28 + AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg 29 + b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB 30 + 
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc 31 + nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg 32 + 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c 33 + gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl 34 + Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY 35 + sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T 36 + SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF 37 + CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum 38 + GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk 39 + zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW 40 + omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD 41 + -----END CERTIFICATE-----
+29
vendor/opam/x509/tests/regression/dfn.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIE1TCCA72gAwIBAgIIUE7G9T0RtGQwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UE 3 + BhMCREUxHDAaBgNVBAoTE0RldXRzY2hlIFRlbGVrb20gQUcxHzAdBgNVBAsTFlQt 4 + VGVsZVNlYyBUcnVzdCBDZW50ZXIxIzAhBgNVBAMTGkRldXRzY2hlIFRlbGVrb20g 5 + Um9vdCBDQSAyMB4XDTE0MDcyMjEyMDgyNloXDTE5MDcwOTIzNTkwMFowWjELMAkG 6 + A1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kx 7 + JDAiBgNVBAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTCCASIwDQYJKoZI 8 + hvcNAQEBBQADggEPADCCAQoCggEBAOmbw2eF+Q2u9Y1Uw5ZQNT1i6W5M7ZTXAFuV 9 + InTUIOs0j9bswDEEC5mB4qYU0lKgKCOEi3SJBF5b4OJ4wXjLFssoNTl7LZBF0O2g 10 + AHp8v0oOGwDDhulcKzERewzzgiRDjBw4i2poAJru3E94q9LGE5t2re7eJujvAa90 11 + D8EJovZrzr3TzRQwT/Xl46TIYpuCGgMnMA0CZWBN7dEJIyqWNVgn03bGcbaQHcTt 12 + /zWGfW8zs9sPxRHCioOhlF1Ba9jSEPVM/cpRrNm975KDu9rrixZWVkPP4dUTPaYf 13 + JzDNSVTbyRM0mnF1xWzqpwuY+SGdJ68+ozk5SGqMrcmZ+8MS8r0CAwEAAaOCAYYw 14 + ggGCMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUSbfGz+g9H3/qRHsTKffxCnA+ 15 + 3mQwHwYDVR0jBBgwFoAUMcN5G7r1U9cX4Il6LRdsCrMrnTMwEgYDVR0TAQH/BAgw 16 + BgEB/wIBAjBiBgNVHSAEWzBZMBEGDysGAQQBga0hgiwBAQQCAjARBg8rBgEEAYGt 17 + IYIsAQEEAwAwEQYPKwYBBAGBrSGCLAEBBAMBMA8GDSsGAQQBga0hgiwBAQQwDQYL 18 + KwYBBAGBrSGCLB4wPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL3BraTAzMzYudGVs 19 + ZXNlYy5kZS9ybC9EVF9ST09UX0NBXzIuY3JsMHgGCCsGAQUFBwEBBGwwajAsBggr 20 + BgEFBQcwAYYgaHR0cDovL29jc3AwMzM2LnRlbGVzZWMuZGUvb2NzcHIwOgYIKwYB 21 + BQUHMAKGLmh0dHA6Ly9wa2kwMzM2LnRlbGVzZWMuZGUvY3J0L0RUX1JPT1RfQ0Ff 22 + Mi5jZXIwDQYJKoZIhvcNAQELBQADggEBAGMgKP2cIYZyvjlGWTkyJbypAZsNzMp9 23 + QZyGbQpuLLMTWXWxM5IbYScW/8Oy1TWC+4QqAUm9ZrtmL7LCBl1uP27jAVpbykNj 24 + XJW24TGnH9UHX03mZYJOMvnDfHpLzU1cdO4h8nUC7FI+0slq05AjbklnNb5/TVak 25 + 7Mwvz7ehl6hyPsm8QNZapAg91ryCw7e3Mo6xLI5qbbc1AhnP9TlEWGOnJAAQsLv8 26 + Tq9uLzi7pVdJP9huUG8sl5bcHUaaZYnPrszy5dmfU7M+oS+SqdgLxoQfBMbrHuif 27 + fbV7pQLxJMUkYxE0zFqTICp5iDolQpCpZTt8htMSFSMp/CzazDlbVBc= 28 + -----END CERTIFICATE----- 29 +
+25
vendor/opam/x509/tests/regression/digicert.pem
+8
vendor/opam/x509/tests/regression/example-25519.pem
+33
vendor/opam/x509/tests/regression/fu-berlin.pem
+28
vendor/opam/x509/tests/regression/gcloud.pem
+11
vendor/opam/x509/tests/regression/gen_ec.sh
··· 1 + #!/bin/sh 2 + 3 + curve="secp521r1" 4 + file="p521.pem" 5 + 6 + openssl ecparam -name $curve -genkey -noout -out priv_$file 7 + openssl ec -in priv_$file -pubout -out pub_$file 8 + 9 + openssl ec -in priv_$file -no_public -out priv_$file.2 10 + openssl pkcs8 -in priv_$file.2 -nocrypt -topk8 -out priv_$file 11 + rm priv_$file.2
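Review bot: there is no `set -e` and the `$curve`/`$file` expansions are unquoted, so if the `openssl pkcs8` conversion on line 10 fails, the `rm priv_$file.2` on line 11 still runs and the script exits with the status of `rm`, without signalling that the PKCS#8 key was not written. Adding `set -eu` after the shebang and quoting the expansions (`"priv_$file"`) would make a failed regeneration visible. The curve and file name are fixed to `secp521r1`/`p521.pem` on lines 3-4 although the same directory carries P-256 and P-384 fixtures; taking them as arguments would document how those files were produced.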
+34
vendor/opam/x509/tests/regression/izenpe.pem
+33
vendor/opam/x509/tests/regression/jabber.ccc.de.pem
+39
vendor/opam/x509/tests/regression/jabber.fu-berlin.de.pem
+14
vendor/opam/x509/tests/regression/letsencrypt-root-x2.pem
+25
vendor/opam/x509/tests/regression/name-constraints.pem
+28
vendor/opam/x509/tests/regression/openssl_2048.pem
+13
vendor/opam/x509/tests/regression/p256_sha384.pem
+37
vendor/opam/x509/tests/regression/pads.ccc.de.pem
+5
vendor/opam/x509/tests/regression/priv_p256.pem
+4
vendor/opam/x509/tests/regression/priv_p256_2.pem
+4
vendor/opam/x509/tests/regression/priv_p384.pem
+5
vendor/opam/x509/tests/regression/priv_p521.pem
+4
vendor/opam/x509/tests/regression/pub_p256_2.pem
+5
vendor/opam/x509/tests/regression/pub_p384.pem
+6
vendor/opam/x509/tests/regression/pub_p521.pem
+28
vendor/opam/x509/tests/regression/rsa_priv.pem
+9
vendor/opam/x509/tests/regression/rsa_pub.pem
+23
vendor/opam/x509/tests/regression/telesec.pem
+21
vendor/opam/x509/tests/regression/until_frac_s.pem
+14
vendor/opam/x509/tests/regression/yubico.pem
+193
vendor/opam/x509/tests/revoke.ml
··· 1 + open X509 2 + 3 + let time () = None 4 + 5 + (* some revocation scenarios to convince myself *) 6 + let ca_exts ?pathlen () = 7 + let ku = 8 + [ `Key_cert_sign ; `CRL_sign ; `Digital_signature ; `Content_commitment ] 9 + in 10 + Extension.(add Basic_constraints (true, (true, pathlen)) 11 + (singleton Key_usage (true, ku))) 12 + 13 + let key_ids exts subject_pubkey issuer_pubkey = 14 + let subject_key_id = 15 + false, Public_key.id subject_pubkey 16 + and authority_key_id = 17 + let cs = Public_key.id issuer_pubkey in 18 + false, (Some cs, General_name.empty, None) 19 + in 20 + Extension.(add Subject_key_id subject_key_id 21 + (add Authority_key_id authority_key_id exts)) 22 + 23 + let leaf_exts = 24 + Extension.(add Key_usage (true, [ `Digital_signature ; `Key_encipherment ]) 25 + (add Ext_key_usage (true, [ `Server_auth ]) 26 + (singleton Basic_constraints (true, (false, None))))) 27 + 28 + let validity now = 29 + match Ptime.add_span now (Ptime.Span.of_int_s 3600) with 30 + | Some fut -> (now, fut) 31 + | None -> invalid_arg "couldn't add 3600 seconds to now" 32 + 33 + let key () = 34 + let key = Mirage_crypto_pk.Rsa.generate ~bits:1024 () in 35 + (`RSA (Mirage_crypto_pk.Rsa.pub_of_priv key), `RSA key) 36 + 37 + let selfsigned ?(name = "test") now = 38 + let pub, priv = key () in 39 + let name = [ Distinguished_name.(Relative_distinguished_name.singleton (CN name)) ] in 40 + match Signing_request.create name priv with 41 + | Error _ -> assert false 42 + | Ok req -> 43 + let valid_from, valid_until = validity now in 44 + match X509.Signing_request.sign req ~valid_from ~valid_until ~extensions:(ca_exts ()) priv name with 45 + | Ok cacert -> (cacert, pub, priv) 46 + | Error _ -> assert false 47 + 48 + let cert ?serial ?(name = "sub") now ca pubca privca issuer = 49 + let pub, priv = key () in 50 + let name = [ Distinguished_name.(Relative_distinguished_name.singleton (CN name)) ] in 51 + match Signing_request.create name priv with 52 + | Error _ -> assert 
false 53 + | Ok req -> 54 + let valid_from, valid_until = validity now in 55 + let extensions = key_ids (if ca then ca_exts () else leaf_exts) pub pubca in 56 + match X509.Signing_request.sign req ~valid_from ~valid_until ?serial ~extensions privca issuer with 57 + | Ok cert -> (cert, pub, priv) 58 + | Error _ -> assert false 59 + 60 + let verify () = 61 + let now = Ptime_clock.now () in 62 + let ca, capub, capriv = selfsigned now in 63 + let cert, _, _ = cert now false capub capriv (Certificate.subject ca) in 64 + match Validation.verify_chain ~host:None ~time ~anchors:[ca] [cert] with 65 + | Ok _ -> () 66 + | Error _ -> Alcotest.fail "expected verification to succeed" 67 + 68 + let crl () = 69 + let now = Ptime_clock.now () in 70 + let ca, capub, capriv = selfsigned now in 71 + let serial = "\x42" in 72 + let issuer = Certificate.subject ca in 73 + let cert, _, _ = cert ~serial now false capub capriv issuer in 74 + let revoked = { CRL.serial ; date = now ; extensions = Extension.empty } in 75 + let extensions = Extension.(singleton CRL_number (false, 1)) in 76 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] capriv with 77 + | Error _ -> Alcotest.fail "couldn't revoke" 78 + | Ok crl -> 79 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 80 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert] with 81 + | Ok _ -> Alcotest.fail "expected revocation" 82 + | Error (`Revoked _) -> () 83 + | Error _ -> Alcotest.fail "expected revoked failure!" 
84 + 85 + let verify' () = 86 + let now = Ptime_clock.now () in 87 + let ca, capub, capriv = selfsigned now in 88 + let serial = "\x42" in 89 + let issuer = Certificate.subject ca in 90 + let ica, ipub, ipriv = cert ~name:"subCA" ~serial now true capub capriv issuer in 91 + let cert, _pub, _priv = cert now false ipub ipriv (Certificate.subject ica) in 92 + match Validation.verify_chain ~host:None ~time ~anchors:[ca] [cert ; ica] with 93 + | Ok _ -> () 94 + | Error _ -> Alcotest.fail "expected verification!" 95 + 96 + let crl' () = 97 + let now = Ptime_clock.now () in 98 + let ca, capub, capriv = selfsigned now in 99 + let serial = "\x42" in 100 + let issuer = Certificate.subject ca in 101 + let ica, ipub, ipriv = cert ~name:"subCA" ~serial now true capub capriv issuer in 102 + let cert, _pub, _priv = cert now false ipub ipriv (Certificate.subject ica) in 103 + let revoked = { CRL.serial ; date = now ; extensions = Extension.empty } in 104 + let extensions = Extension.(singleton CRL_number (false, 1)) in 105 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] capriv with 106 + | Error _ -> Alcotest.fail "couldn't revoke" 107 + | Ok crl -> 108 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 109 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert ; ica] with 110 + | Ok _ -> Alcotest.fail "expected revocation" 111 + | Error (`Revoked _) -> () 112 + | Error _ -> Alcotest.fail "expected revoked failure!" 
113 + 114 + let crl'leaf () = 115 + let now = Ptime_clock.now () in 116 + let ca, capub, capriv = selfsigned now in 117 + let serial = "\x42" in 118 + let ica, ipub, ipriv = cert ~name:"subCA" now true capub capriv (Certificate.subject ca) in 119 + let issuer = Certificate.subject ica in 120 + let cert, _pub, _priv = cert ~serial now false ipub ipriv issuer in 121 + let revoked = { CRL.serial ; date = now ; extensions = Extension.empty } in 122 + let extensions = Extension.(singleton CRL_number (false, 1)) in 123 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] ipriv with 124 + | Error _ -> Alcotest.fail "couldn't revoke" 125 + | Ok crl -> 126 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 127 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert ; ica] with 128 + | Ok _ -> Alcotest.fail "expected revocation" 129 + | Error (`Revoked _) -> () 130 + | Error _ -> Alcotest.fail "expected revoked failure!" 131 + 132 + let crl'leaf'wrong () = 133 + let now = Ptime_clock.now () in 134 + let ca, capub, capriv = selfsigned now in 135 + let serial = "\x42" in 136 + let issuer = Certificate.subject ca in 137 + let ica, ipub, ipriv = cert ~name:"subCA" now true capub capriv issuer in 138 + let cert, _pub, _priv = cert ~serial now false ipub ipriv (Certificate.subject ica) in 139 + let revoked = { CRL.serial ; date = now ; extensions = Extension.empty } in 140 + let extensions = Extension.(singleton CRL_number (false, 1)) in 141 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] ipriv with 142 + | Error _ -> Alcotest.fail "couldn't revoke" 143 + | Ok crl -> 144 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 145 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert ; ica] with 146 + | Ok _ -> () 147 + | Error _ -> Alcotest.fail "expected success!" 
148 + 149 + let verify'' () = 150 + let now = Ptime_clock.now () in 151 + let ca, capub, capriv = selfsigned now in 152 + let serial = "\x42" in 153 + let issuer = Certificate.subject ca in 154 + let ica, ipub, ipriv = cert ~name:"subCA" now true capub capriv issuer in 155 + let cert, _pub, _priv = cert now false ipub ipriv (Certificate.subject ica) in 156 + let revoked = { CRL.serial ; date = now ; extensions = Extension.empty } in 157 + let extensions = Extension.(singleton CRL_number (false, 1)) in 158 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] capriv with 159 + | Error _ -> Alcotest.fail "couldn't revoke" 160 + | Ok crl -> 161 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 162 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert ; ica] with 163 + | Ok _ -> () 164 + | Error _ -> Alcotest.fail "expected verify to succeed!" 165 + 166 + let crl'' () = 167 + let now = Ptime_clock.now () in 168 + let ca, capub, capriv = selfsigned now in 169 + let serial = "\x42" in 170 + let issuer = Certificate.subject ca in 171 + let ica, ipub, ipriv = cert ~name:"subCA" ~serial now true capub capriv issuer in 172 + let cert, _pub, _priv = cert now false ipub ipriv (Certificate.subject ica) in 173 + let extensions = Extension.(singleton Reason (false, `Remove_from_CRL)) in 174 + let revoked = { CRL.serial ; date = now ; extensions } in 175 + let extensions = Extension.(singleton CRL_number (false, 1)) in 176 + match CRL.revoke ~issuer ~this_update:now ~extensions [revoked] capriv with 177 + | Error _ -> Alcotest.fail "couldn't revoke" 178 + | Ok crl -> 179 + let revoked = CRL.is_revoked [crl] ?allowed_hashes:None in 180 + match Validation.verify_chain ~host:None ~time ~revoked ~anchors:[ca] [cert ; ica] with 181 + | Ok _ -> () 182 + | Error _ -> Alcotest.fail "expected proper verification!" 
183 + 184 + let revoke_tests = [ 185 + "Verify with a chain works", `Quick, verify ; 186 + "Verify with a revoked leaf fails", `Quick, crl ; 187 + "Verify with a longer chain works", `Quick, verify' ; 188 + "Verify with a revoked intermediate fails", `Quick, crl' ; 189 + "Verify with a longer chain works, even if some random serial is revoked", `Quick, verify'' ; 190 + "Verify with a revoked `Remove_from_CRL works", `Quick, crl'' ; 191 + "Verify with revoked leaf fails", `Quick, crl'leaf ; 192 + "Verify with wrongly revoked leaf works", `Quick, crl'leaf'wrong ; 193 + ]
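Review bot: In `crl'leaf'wrong` the CRL is created with `~issuer` set to the root CA's subject but signed with `ipriv`, and the test then expects `verify_chain` to return `Ok`, so it asserts that a non-matching CRL is silently ignored without saying which mismatch it is exercising (issuer name or signing key). A comment stating the intended reason, or one case per mismatch, would make this fail-open path explicit. Smaller points in the same file: `let time () = None` is passed to every `verify_chain` call, so none of the scenarios supplies a current time; `selfsigned` and `cert` end in `| Error _ -> assert false`, which discards the signing error where an `Alcotest.fail` with the error would be easier to debug; and the `revoke_tests` entries "Verify with a revoked leaf fails" and "Verify with revoked leaf fails" differ by one word although `crl` revokes a leaf issued directly by the CA and `crl'leaf` one issued by the intermediate.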
+15
vendor/opam/x509/tests/testcertificates/cacert-basicconstraint-ca-false.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICZTCCAc6gAwIBAgIJAPcD62VeqwKRMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTQ0OTE4WhcNMjQwNjAzMTQ0OTE4WjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo10wWzAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN 12 + AQEFBQADgYEArlKvupOurdhs55LfUJsLDtWSNE91uFsMMXBPYEar479oF8dhiZ48 13 + xFmB2kKaFPP6M/IKkAsbfPb9tC1SjeytG7ee/yTKTxyW39p1LIL6VJjeHs6lASfp 14 + raJ6S9KiA5p/NYU+FJHIccyjnMSHyIEq59M10udwQEBcNaz/OC6Piag= 15 + -----END CERTIFICATE-----
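Review bot: This fixture is added as bare base64 with no decoded form, so the property its filename claims (basic constraints with CA set to false) cannot be checked from the diff. The fixtures under `first/` carry the decoded `Certificate:` text above the PEM block; doing the same for the `cacert-*.pem` files, or adding a short README that lists each file's intended defect and the expected verification result, would make the CA fixtures reviewable.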
+16
vendor/opam/x509/tests/testcertificates/cacert-ext-usage-timestamping.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICgDCCAemgAwIBAgIJAKmh6BrU3QWMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA3MTQyOTIyWhcNMjQwNjA0MTQyOTIyWjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo3gwdjAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwFgYDVR0l 12 + AQH/BAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQEFBQADgYEAjDf6zUCyJkvOsDrk 13 + ehK3svOhOorccDBflNO590ToMfWXXF3sU5dpZ2tZ0/UZSlFyc5Uzj/nGpielSMcK 14 + zEpQRQS7ZGV7JZ08aNEz7g4n8VxUWW+y2w2R+oX2IEyIdIkSkQK32+TOXkPMHizN 15 + pAeW++JBXYY6QmJW499y2z1UquE= 16 + -----END CERTIFICATE-----
+16
vendor/opam/x509/tests/testcertificates/cacert-ext-usage.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICfDCCAeWgAwIBAgIJAIoGsKuY0469MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA3MTQyODUwWhcNMjQwNjA0MTQyODUwWjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo3QwcjAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwEgYDVR0l 12 + AQH/BAgwBgYEVR0lADANBgkqhkiG9w0BAQUFAAOBgQByiIZb2wNUHIT3WHTJD4lD 13 + ExMnKn2BSoP24vCJHi/iDbbsMCoaTDv3e5YxBUMoEFEhT1ozHfpU0u+VfFIy9VFC 14 + Ks7Ths7n+7lyzecEJ9eJiq9f8vRCgr4ZhEbK/c7yH707PqOeQ5pSVT9FCM889ZSr 15 + 4EkUhWofJr+JGbnSzn/rxQ== 16 + -----END CERTIFICATE-----
+15
vendor/opam/x509/tests/testcertificates/cacert-keyusage-crlsign.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICaDCCAdGgAwIBAgIJAIr4AbIHNEAnMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTQ0ODM1WhcNMjQwNjAzMTQ0ODM1WjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo2AwXjAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQIwDQYJKoZI 12 + hvcNAQEFBQADgYEALzv9za/FuK9or2E2gNjK3seGlM8L2p8UjrbOBRv1U6SlErA/ 13 + smGfRefwtisUkkXTsR6WuGvTZhbjgIh2d/HaUqekQlcTNd3WNESfBek4wjkE6LR3 14 + sZQ5+cAQI9zsENCp+fE7dfgRtRgEYEaHxchNQVmYde8cHL1ye0AKcakvtWY= 15 + -----END CERTIFICATE-----
+15
vendor/opam/x509/tests/testcertificates/cacert-pathlen-0.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICazCCAdSgAwIBAgIJAO2nNZ05JgguMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTQ0NzAyWhcNMjQwNjAzMTQ0NzAyWjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo2MwYTAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJ 12 + KoZIhvcNAQEFBQADgYEAvt+gNpcPebMBYJ3O4346P3ClBfp+jje3GczWqZcWaZMB 13 + JLxLAIhBu62+10R6zEFIEsfefQhX+tFXNI6o1c2eHAeXb1DBnx/iMSoZG4P2UY25 14 + trpv9k0FrLhJlXesgZUV8QyISEoGDv9bghwikArxxvu1Lpw2W1v5eedQMTCVWDg= 15 + -----END CERTIFICATE-----
+16
vendor/opam/x509/tests/testcertificates/cacert-unknown-critical-extension.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICijCCAfOgAwIBAgIJAMtobgMI4HeQMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTQ0NjIyWhcNMjQwNjAzMTQ0NjIyWjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo4GBMH8wHQYD 10 + VR0OBBYEFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMB8GA1UdIwQYMBaAFJ9zEGFCEU2C 11 + yvD/N+kXwyDI2x5KMBIGA1UdEwEB/wQIMAYBAf8CAWQwCwYDVR0PBAQDAgEGMBwG 12 + AyoDBAEB/wQSDBBTb21lIHJhbmRvbSBkYXRhMA0GCSqGSIb3DQEBBQUAA4GBAOaD 13 + h3bVjpAdkP6T0D5iVMRS1+cHevvv0HctwxpXwLdqkKU/I2/wR7y99ts9a6ro33Pg 14 + dWCT8plnDsUyU86OJ2+j21U94pihBZ/bn8+cfP0WTT112ZnjOzvMftG4b0I+VnHp 15 + RVGg7KV/er29BP0LA1iZbbLe45ADJGkQR1Ggm3rF 16 + -----END CERTIFICATE-----
+16
vendor/opam/x509/tests/testcertificates/cacert-unknown-extension.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICgzCCAeygAwIBAgIJAJtKIRp+wJhvMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTcxODE5WhcNMjQwNjAzMTcxODE5WjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo3sweTAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowDwYDVR0TAQH/BAUwAwEB/zAZBgMqAwQEEgwQU29tZSByYW5k 12 + b20gZGF0YTALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQADgYEAzri5kJWI1YTQ 13 + EHCZIf5BXFxpdFKNmMIidkrynGHHVKluVzbroG23I5elnxP3z97za33NpQlk6p1h 14 + TUfFB/+J4FpguXKW6JW3BpY/1jYKKC18NhY3OHubYNdGjqZKPybVm2ZaH3B23q0D 15 + 3IpbNRIxzTmSaWAJZ/zibkW5o2sNRAo= 16 + -----END CERTIFICATE-----
+13
vendor/opam/x509/tests/testcertificates/cacert-v1.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICATCCAWoCCQD9ajF8CeIw7jANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB 3 + VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 4 + cyBQdHkgTHRkMB4XDTE0MDYwNzEzNTE1MVoXDTI0MDYwNDEzNTE1MVowRTELMAkG 5 + A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 6 + IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA52G0 7 + B+6RZhjuqk4+LKQFmco3bf5WCf/McuKAj5SmpsTpEf3Ize9QoLnqg9OU8h3d49Ik 8 + 9qr8c1OCMDyJT6KivfoMxcm59LvK4z+FKLkanBkvcPmT2D1vEK8FoH+KRgC4FpW0 9 + pvFZGEumdUAEJja2AL3uqbojZF79zZsGtVYiOwECAwEAATANBgkqhkiG9w0BAQUF 10 + AAOBgQDj8fzfzrhaLooJV+6IGwPbmsL0448vt/0QUY5Q82FfLo1KHNp5j/axSmw3 11 + b90T8OUq6EAAJyW+KLed0Q0YGcz/OcOTh68ellTpeSei3AxNdKxV6ucK70QdR0Wk 12 + mp6jOTmLFTTBoqCRxlbrwgN/nmx77/j002yXcXiGe1Tos9zUKQ== 13 + -----END CERTIFICATE-----
+15
vendor/opam/x509/tests/testcertificates/cacert.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIICazCCAdSgAwIBAgIJAM7c1BlUjOksMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 3 + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 + aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA2MTI1NjI1WhcNMjQwNjAzMTI1NjI1WjBF 5 + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB 7 + gQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN71CgueqD05Ty 8 + Hd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPYPW8QrwWgf4pG 9 + ALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQABo2MwYTAdBgNV 10 + HQ4EFgQUn3MQYUIRTYLK8P836RfDIMjbHkowHwYDVR0jBBgwFoAUn3MQYUIRTYLK 11 + 8P836RfDIMjbHkowEgYDVR0TAQH/BAgwBgEB/wIBZDALBgNVHQ8EBAMCAQYwDQYJ 12 + KoZIhvcNAQEFBQADgYEAX0qcQDr2Dw6qJkMVZZUmdrnGZ0npmYG7mPH4IN45h1IS 13 + NhpsLAxY0kfPF/gcwGmRzzifUnAZ4huDudUrOWVvVg7Wi5OE1JF2g8nFUzV/z0Cs 14 + 1tUEcSFgWnP8a8CNfXOXq1CSd9IctfoLJ7C/e9vOqw+n5MT85TCbHr/Ib2eYzaQ= 15 + -----END CERTIFICATE-----
+10
vendor/opam/x509/tests/testcertificates/fido.pem
··· 1 + -----BEGIN CERTIFICATE----- 2 + MIIBZzCCAQ2gAwIBAgIJANeVSb0aZxdRMAoGCCqGSM49BAMCMBcxFTATBgNVBAMM 3 + DEZUIEZJRE8gMDIwMDAgFw0xOTAyMjYwMDAwMDBaGA8yMDM0MDIyNTIzNTk1OVow 4 + ITEfMB0GA1UEAwwWRlQgRklETyBQMjA0NzAwMTM0MTQxMjBZMBMGByqGSM49AgEG 5 + CCqGSM49AwEHA0IABNhGWkOirKU/pjNetYRT4r3eXo677lNwTe3rmqVQ3Va3k8wK 6 + nc8fma17E4+jxJ1F8Ytvxg0nS5O0H50LIOfp+ACjNjA0MB0GA1UdDgQWBBRSXqls 7 + R7mkeTOgm0hxw5jfZAeqpDATBgsrBgEEAYLlHAIBAQQEAwIEcDAKBggqhkjOPQQD 8 + AgNIADBFAiEAp9D/XnMfhqABUJoJ40XCM2Mol6RfT/ClpPf44Kv1GnECIEIX/bzu 9 + uGEKdE2Xrk6AZlBY8bF/jsP/syYjh5rheDIr 10 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/first/first-basicconstraint-true.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 6 (0x6) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:23:19 2014 GMT 9 + Not After : Jun 3 17:23:19 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:TRUE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 45:b6:bc:bb:49:8b:12:ce:07:14:68:4f:d1:d1:e5:60:a6:9b: 37 + 9a:b0:8e:40:d0:9c:9d:63:3d:5e:ef:5c:1c:80:4b:2d:ba:45: 38 + d5:46:2a:08:06:d1:4f:ce:20:7c:3f:04:c2:69:fe:29:6e:be: 39 + e9:27:fe:7a:7a:6c:75:7f:b1:8f:c8:97:52:85:c3:35:53:b4: 40 + e8:69:f7:ce:fa:a1:48:aa:36:41:37:c3:7d:9f:3f:dc:b3:dd: 41 + 7e:ba:73:b5:94:89:6c:b1:b1:15:c7:48:d1:2f:a7:28:d5:6d: 42 + c3:de:a2:93:da:80:d5:8b:5d:0f:10:47:36:70:a2:10:38:3e: 43 + 57:8e 44 + -----BEGIN CERTIFICATE----- 45 + MIICdTCCAd6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMB4XDTE0MDYwNjE3MjMxOVoXDTI0MDYwMzE3MjMxOVowXTELMAkGA1UE 48 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDEWMBQGA1UEAwwNY2EuZm9vYmFyLmNvbTCBnzANBgkqhkiG 50 + 9w0BAQEFAAOBjQAwgYkCgYEA5BPn8JeHYl/izHmyVXfXwri501G5cm8VE7WU51SO 51 + wRg3bNgLkFqkXaUOQnROfq3pNDenbeUwxkF7+IXpYYTM2IDyf69uIrwszicfSv02 52 + vByd9V/ptJYPiDGPp204VKh+LBwccowvCwpxb9LVxqzp4Ol+ckZDoABgM2LXev8e 53 + f3cCAwEAAaNdMFswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCBeAwHQYDVR0OBBYE 54 + FEr36OtXG6tJQSPoAmQjgyMXDsoFMB8GA1UdIwQYMBaAFJ9zEGFCEU2CyvD/N+kX 55 + wyDI2x5KMA0GCSqGSIb3DQEBBQUAA4GBAEW2vLtJixLOBxRoT9HR5WCmm5qwjkDQ 56 + nJ1jPV7vXByASy26RdVGKggG0U/OIHw/BMJp/iluvukn/np6bHV/sY/Il1KFwzVT 57 + tOhp9876oUiqNkE3w32fP9yz3X66c7WUiWyxsRXHSNEvpyjVbcPeopPagNWLXQ8Q 58 + RzZwohA4PleO 59 + -----END CERTIFICATE-----
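Review bot: The decoded header shows `Not After : Jun 3 17:23:19 2024 GMT`, so this fixture's validity window has already closed, and a test that verifies it against the wall clock would fail on expiry rather than on the basic-constraints property the filename names. The test that loads it should pass a fixed time inside the 2014 to 2024 window (or document that time checking is disabled), and a comment to that effect next to the fixture would help. The same header also shows `sha1WithRSAEncryption` over a 1024-bit key, which is worth a line in the test explaining that the weak parameters are deliberate test material.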
+61
vendor/opam/x509/tests/testcertificates/first/first-keyusage-and-timestamping.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 14 (0xe) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 14:36:13 2014 GMT 9 + Not After : Jun 4 14:36:13 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ext.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Extended Key Usage: 31 + Time Stamping 32 + X509v3 Subject Key Identifier: 33 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 34 + X509v3 Authority Key Identifier: 35 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 36 + 37 + Signature Algorithm: sha1WithRSAEncryption 38 + aa:94:49:20:a4:23:a8:ff:c1:0f:0c:18:e4:23:c9:04:ed:b6: 39 + 2f:f5:6f:8a:89:4b:37:ca:18:e7:8b:27:d9:7a:fa:9b:fe:d9: 40 + 5f:f1:00:2b:bc:f7:cd:32:b8:00:8b:37:4d:c1:6f:20:08:b7: 41 + 68:76:fe:39:d8:cd:e1:3c:cb:fe:c6:e8:6e:e2:39:08:d9:fa: 42 + 47:01:82:ab:84:56:fa:48:a8:f6:dc:a5:dd:18:34:35:d4:60: 43 + b0:50:22:3a:da:38:64:bd:9b:c5:55:e2:75:41:82:13:bd:5f: 44 + b8:36:dc:21:d6:1c:a1:63:c0:c6:2f:c5:4c:4f:18:6d:6e:36: 45 + 3b:5b 46 + -----BEGIN CERTIFICATE----- 47 + MIICizCCAfSgAwIBAgIBDjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMB4XDTE0MDYwNzE0MzYxM1oXDTI0MDYwNDE0MzYxM1owXjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOZXh0LmZvb2Jhci5jb20wgZ8wDQYJKoZI 52 + hvcNAQEBBQADgY0AMIGJAoGBAOQT5/CXh2Jf4sx5slV318K4udNRuXJvFRO1lOdU 53 + jsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9 54 + NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/ 55 + Hn93AgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQM 56 + MAoGCCsGAQUFBwMIMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAfBgNV 57 + HSMEGDAWgBSfcxBhQhFNgsrw/zfpF8MgyNseSjANBgkqhkiG9w0BAQUFAAOBgQCq 58 + lEkgpCOo/8EPDBjkI8kE7bYv9W+KiUs3yhjniyfZevqb/tlf8QArvPfNMrgAizdN 59 + wW8gCLdodv452M3hPMv+xuhu4jkI2fpHAYKrhFb6SKj23KXdGDQ11GCwUCI62jhk 60 + vZvFVeJ1QYITvV+4Ntwh1hyhY8DGL8VMTxhtbjY7Ww== 61 + -----END CERTIFICATE-----
+61
vendor/opam/x509/tests/testcertificates/first/first-keyusage-any.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 15 (0xf) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 14:38:14 2014 GMT 9 + Not After : Jun 4 14:38:14 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=any.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Extended Key Usage: 31 + Any Extended Key Usage, Time Stamping 32 + X509v3 Subject Key Identifier: 33 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 34 + X509v3 Authority Key Identifier: 35 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 36 + 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 91:08:7d:2c:a4:b7:85:af:62:c8:21:96:8a:1d:1f:81:fa:a4: 39 + 67:d4:2b:78:62:44:e6:83:c8:a4:3c:fd:64:f0:b9:fa:bd:c4: 40 + 99:a4:dd:82:f0:8a:75:8f:d1:4b:dd:f7:d3:1b:79:4f:d4:2d: 41 + 16:b1:86:23:54:93:7f:3e:99:b5:4f:f3:e4:fe:6a:76:21:d4: 42 + b0:d5:62:2d:de:63:a2:3a:c7:ae:f3:6d:68:c6:fe:a9:2f:e4: 43 + ef:36:85:42:85:f3:d3:0e:61:44:53:70:93:d0:b2:d4:06:f2: 44 + d7:96:e8:e1:b4:8d:9f:46:a5:a4:0b:08:20:41:8a:ee:04:c8: 45 + 63:4d 46 + -----BEGIN CERTIFICATE----- 47 + MIICkTCCAfqgAwIBAgIBDzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMB4XDTE0MDYwNzE0MzgxNFoXDTI0MDYwNDE0MzgxNFowXjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOYW55LmZvb2Jhci5jb20wgZ8wDQYJKoZI 52 + hvcNAQEBBQADgY0AMIGJAoGBAOQT5/CXh2Jf4sx5slV318K4udNRuXJvFRO1lOdU 53 + jsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9 54 + NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/ 55 + Hn93AgMBAAGjeDB2MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXgMBkGA1UdJQQS 56 + MBAGBFUdJQAGCCsGAQUFBwMIMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7K 57 + BTAfBgNVHSMEGDAWgBSfcxBhQhFNgsrw/zfpF8MgyNseSjANBgkqhkiG9w0BAQUF 58 + AAOBgQCRCH0spLeFr2LIIZaKHR+B+qRn1Ct4YkTmg8ikPP1k8Ln6vcSZpN2C8Ip1 59 + j9FL3ffTG3lP1C0WsYYjVJN/Ppm1T/Pk/mp2IdSw1WIt3mOiOseu821oxv6pL+Tv 60 + NoVChfPTDmFEU3CT0LLUBvLXlujhtI2fRqWkCwggQYruBMhjTQ== 61 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/first/first-keyusage-nonrep.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 7 (0x7) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:24:10 2014 GMT 9 + Not After : Jun 3 17:24:10 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=key.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Non Repudiation 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 7b:67:67:33:93:3a:16:9b:1b:93:71:3c:0b:90:0c:ba:37:cd: 37 + 53:c7:84:94:6b:c8:ea:6c:3a:c8:da:70:e8:1f:ec:ab:9e:fe: 38 + 4f:f4:69:8d:e4:c0:82:fc:48:9e:f3:a3:a0:91:d7:ef:a0:ac: 39 + 80:38:f5:84:b9:5f:29:9a:57:9c:e3:be:ba:6e:3a:fa:59:89: 40 + cc:c2:36:5f:5a:c0:83:3d:48:3c:3f:51:55:f3:ae:2e:64:40: 41 + 06:8d:de:87:a0:08:33:4f:85:f3:ec:92:f2:eb:a8:0a:5b:94: 42 + 56:a6:23:9a:5f:02:4c:01:9a:d7:f3:5c:67:2c:81:4a:2c:ca: 43 + ae:14 44 + -----BEGIN CERTIFICATE----- 45 + MIICczCCAdygAwIBAgIBBzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + dHkgTHRkMB4XDTE0MDYwNjE3MjQxMFoXDTI0MDYwMzE3MjQxMFowXjELMAkGA1UE 48 + 
BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOa2V5LmZvb2Jhci5jb20wgZ8wDQYJKoZI 50 + hvcNAQEBBQADgY0AMIGJAoGBAOQT5/CXh2Jf4sx5slV318K4udNRuXJvFRO1lOdU 51 + jsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9 52 + NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/ 53 + Hn93AgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgZAMB0GA1UdDgQWBBRK 54 + 9+jrVxurSUEj6AJkI4MjFw7KBTAfBgNVHSMEGDAWgBSfcxBhQhFNgsrw/zfpF8Mg 55 + yNseSjANBgkqhkiG9w0BAQUFAAOBgQB7Z2czkzoWmxuTcTwLkAy6N81Tx4SUa8jq 56 + bDrI2nDoH+yrnv5P9GmN5MCC/Eie86OgkdfvoKyAOPWEuV8pmlec4766bjr6WYnM 57 + wjZfWsCDPUg8P1FV864uZEAGjd6HoAgzT4Xz7JLy66gKW5RWpiOaXwJMAZrX81xn 58 + LIFKLMquFA== 59 + -----END CERTIFICATE-----
+64
vendor/opam/x509/tests/testcertificates/first/first-unknown-critical-extension.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 2 (0x2) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:16:32 2014 GMT 9 + Not After : Jun 3 17:16:32 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=blafasel.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + X509v3 Subject Alternative Name: 36 + DNS:foo.foobar.com, DNS:foobar.com 37 + 1.2.3.4: critical 38 + ..Some random data 39 + Signature Algorithm: sha1WithRSAEncryption 40 + 59:43:8c:77:b5:d8:ad:98:b3:2c:e3:47:60:5b:b0:a6:b4:b5: 41 + 1a:22:b2:16:15:d0:2d:6f:9a:a0:2b:f3:45:c8:77:9c:dd:e1: 42 + 82:1d:55:9d:be:ff:53:45:2b:82:d1:ca:fd:a8:7f:6a:2d:47: 43 + b2:79:bc:70:e8:48:8e:48:3a:5f:0b:d9:ee:40:be:87:77:5e: 44 + 0e:69:45:ff:8e:06:b1:b5:87:eb:da:ea:26:d7:7d:e5:b3:d6: 45 + e3:4d:db:53:53:dd:5d:3f:7e:6b:98:a6:bd:db:79:35:f1:13: 46 + b4:1b:e1:8a:9c:84:f9:32:20:31:60:27:8d:e4:1c:c3:f9:dd: 47 + 6d:56 48 + -----BEGIN CERTIFICATE----- 49 + 
MIICuDCCAiGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 50 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 51 + dHkgTHRkMB4XDTE0MDYwNjE3MTYzMloXDTI0MDYwMzE3MTYzMlowXDELMAkGA1UE 52 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 53 + ZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMYmxhZmFzZWwuY29tMIGfMA0GCSqGSIb3 54 + DQEBAQUAA4GNADCBiQKBgQDkE+fwl4diX+LMebJVd9fCuLnTUblybxUTtZTnVI7B 55 + GDds2AuQWqRdpQ5CdE5+rek0N6dt5TDGQXv4helhhMzYgPJ/r24ivCzOJx9K/Ta8 56 + HJ31X+m0lg+IMY+nbThUqH4sHBxyjC8LCnFv0tXGrOng6X5yRkOgAGAzYtd6/x5/ 57 + dwIDAQABo4GgMIGdMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK 58 + 9+jrVxurSUEj6AJkI4MjFw7KBTAfBgNVHSMEGDAWgBSfcxBhQhFNgsrw/zfpF8Mg 59 + yNseSjAlBgNVHREEHjAcgg5mb28uZm9vYmFyLmNvbYIKZm9vYmFyLmNvbTAcBgMq 60 + AwQBAf8EEgwQU29tZSByYW5kb20gZGF0YTANBgkqhkiG9w0BAQUFAAOBgQBZQ4x3 61 + tditmLMs40dgW7CmtLUaIrIWFdAtb5qgK/NFyHec3eGCHVWdvv9TRSuC0cr9qH9q 62 + LUeyebxw6EiOSDpfC9nuQL6Hd14OaUX/jgaxtYfr2uom133ls9bjTdtTU91dP35r 63 + mKa923k18RO0G+GKnIT5MiAxYCeN5BzD+d1tVg== 64 + -----END CERTIFICATE-----
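Review bot: This fixture differs from `first-unknown-extension.pem` in more than the `critical` flag on `1.2.3.4`: it also has a different subject CN (`blafasel.com` versus `foobar.com`) and adds a Subject Alternative Name with `DNS:foo.foobar.com, DNS:foobar.com`. A test that contrasts the two files therefore does not isolate the critical-extension handling, since a hostname mismatch could produce the rejection instead. Either regenerate the pair so only the critical bit differs, or have the test assert on the specific error it expects for the unknown critical extension.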
+61
vendor/opam/x509/tests/testcertificates/first/first-unknown-extension.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 3 (0x3) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:20:25 2014 GMT 9 + Not After : Jun 3 17:20:25 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + 1.2.3.4: 36 + ..Some random data 37 + Signature Algorithm: sha1WithRSAEncryption 38 + b7:2d:23:88:43:67:46:46:61:df:b8:04:cc:db:54:71:2a:56: 39 + 37:47:13:78:9e:c6:7f:ee:4a:3e:be:41:c9:74:ac:ea:14:e7: 40 + ff:20:4e:92:72:96:e7:72:a2:65:af:ee:6c:d0:d3:d6:f4:24: 41 + 38:e7:e9:b2:ff:40:3e:a1:9b:51:41:b2:2a:55:66:56:c0:fb: 42 + 43:cf:94:7f:b7:d4:0f:9b:61:8b:48:31:f5:49:11:c0:77:af: 43 + a0:6e:57:5c:43:fb:e4:15:90:f2:e3:83:9b:e3:fb:7b:5f:8d: 44 + 88:bc:ce:ab:f3:8f:a6:c6:d8:57:04:65:04:2b:cc:8c:98:9d: 45 + a1:9a 46 + -----BEGIN CERTIFICATE----- 47 + MIICijCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + 
dHkgTHRkMB4XDTE0MDYwNjE3MjAyNVoXDTI0MDYwMzE3MjAyNVowWjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKZm9vYmFyLmNvbTCBnzANBgkqhkiG9w0B 52 + AQEFAAOBjQAwgYkCgYEA5BPn8JeHYl/izHmyVXfXwri501G5cm8VE7WU51SOwRg3 53 + bNgLkFqkXaUOQnROfq3pNDenbeUwxkF7+IXpYYTM2IDyf69uIrwszicfSv02vByd 54 + 9V/ptJYPiDGPp204VKh+LBwccowvCwpxb9LVxqzp4Ol+ckZDoABgM2LXev8ef3cC 55 + AwEAAaN1MHMwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFEr36OtX 56 + G6tJQSPoAmQjgyMXDsoFMB8GA1UdIwQYMBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5K 57 + MBkGAyoDBAQSDBBTb21lIHJhbmRvbSBkYXRhMA0GCSqGSIb3DQEBBQUAA4GBALct 58 + I4hDZ0ZGYd+4BMzbVHEqVjdHE3iexn/uSj6+Qcl0rOoU5/8gTpJyludyomWv7mzQ 59 + 09b0JDjn6bL/QD6hm1FBsipVZlbA+0PPlH+31A+bYYtIMfVJEcB3r6BuV1xD++QV 60 + kPLjg5vj+3tfjYi8zqvzj6bG2FcEZQQrzIyYnaGa 61 + -----END CERTIFICATE-----
+61
vendor/opam/x509/tests/testcertificates/first/first-wildcard-subjaltname.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 5 (0x5) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:21:48 2014 GMT 9 + Not After : Jun 3 17:21:48 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + X509v3 Subject Alternative Name: 36 + DNS:*.foobar.com 37 + Signature Algorithm: sha1WithRSAEncryption 38 + be:5b:6d:d0:3d:c6:8c:1c:9f:ae:dc:2e:ca:78:8a:55:dd:01: 39 + 34:62:2d:9c:2b:ae:ac:68:5d:97:2d:8c:5e:f8:44:2d:89:f9: 40 + 84:79:94:67:75:13:f1:b4:fa:f2:21:ab:e3:59:15:a4:1c:0e: 41 + 9b:17:51:e4:b0:98:22:d9:33:c1:ef:06:88:f5:f4:78:76:92: 42 + c2:e0:99:ff:d7:24:ef:26:a7:33:8c:1e:7c:56:8b:b5:3a:93: 43 + 6c:3e:00:cb:b6:db:4c:51:5d:9c:0d:94:7f:0f:79:e6:d0:dc: 44 + 1b:18:ab:b1:74:6d:b1:72:76:fb:e8:89:00:d1:f7:99:cb:e3: 45 + d8:77 46 + -----BEGIN CERTIFICATE----- 47 + MIICjDCCAfWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMB4XDTE0MDYwNjE3MjE0OFoXDTI0MDYwMzE3MjE0OFowXjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOd3d3LmZvb2Jhci5jb20wgZ8wDQYJKoZI 52 + hvcNAQEBBQADgY0AMIGJAoGBAOQT5/CXh2Jf4sx5slV318K4udNRuXJvFRO1lOdU 53 + jsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9 54 + NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/ 55 + Hn93AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK 56 + 9+jrVxurSUEj6AJkI4MjFw7KBTAfBgNVHSMEGDAWgBSfcxBhQhFNgsrw/zfpF8Mg 57 + yNseSjAXBgNVHREEEDAOggwqLmZvb2Jhci5jb20wDQYJKoZIhvcNAQEFBQADgYEA 58 + vltt0D3GjByfrtwuyniKVd0BNGItnCuurGhdly2MXvhELYn5hHmUZ3UT8bT68iGr 59 + 41kVpBwOmxdR5LCYItkzwe8GiPX0eHaSwuCZ/9ck7yanM4wefFaLtTqTbD4Ay7bb 60 + TFFdnA2Ufw955tDcGxirsXRtsXJ2++iJANH3mcvj2Hc= 61 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/first/first-wildcard.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 4 (0x4) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:21:03 2014 GMT 9 + Not After : Jun 3 17:21:03 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=*.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 68:c1:17:fa:0c:e4:04:cd:2b:19:ea:e7:a6:02:27:73:f2:e2: 37 + 54:b9:6c:8d:2f:06:be:a5:82:83:41:37:ae:f2:5c:cf:62:a0: 38 + 2a:79:37:7c:79:6c:cc:9f:f0:64:a9:8a:1b:93:62:f9:c2:08: 39 + 88:e2:73:77:77:73:f7:3f:9e:d6:b1:2c:56:65:a7:cb:10:b9: 40 + 79:7b:c6:4b:56:8e:08:d7:51:59:f0:47:6f:fd:b9:32:b0:b8: 41 + 69:f1:74:97:a9:9b:11:5a:86:03:14:2a:3b:a7:11:cb:0c:02: 42 + 67:dd:45:db:5d:a3:d0:8a:41:2c:13:3f:7f:37:24:2f:49:d4: 43 + 07:c1 44 + -----BEGIN CERTIFICATE----- 45 + MIICcTCCAdqgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMB4XDTE0MDYwNjE3MjEwM1oXDTI0MDYwMzE3MjEwM1owXDELMAkGA1UE 48 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMKi5mb29iYXIuY29tMIGfMA0GCSqGSIb3 50 + DQEBAQUAA4GNADCBiQKBgQDkE+fwl4diX+LMebJVd9fCuLnTUblybxUTtZTnVI7B 51 + GDds2AuQWqRdpQ5CdE5+rek0N6dt5TDGQXv4helhhMzYgPJ/r24ivCzOJx9K/Ta8 52 + HJ31X+m0lg+IMY+nbThUqH4sHBxyjC8LCnFv0tXGrOng6X5yRkOgAGAzYtd6/x5/ 53 + dwIDAQABo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUSvfo 54 + 61cbq0lBI+gCZCODIxcOygUwHwYDVR0jBBgwFoAUn3MQYUIRTYLK8P836RfDIMjb 55 + HkowDQYJKoZIhvcNAQEFBQADgYEAaMEX+gzkBM0rGernpgInc/LiVLlsjS8GvqWC 56 + g0E3rvJcz2KgKnk3fHlszJ/wZKmKG5Ni+cIIiOJzd3dz9z+e1rEsVmWnyxC5eXvG 57 + S1aOCNdRWfBHb/25MrC4afF0l6mbEVqGAxQqO6cRywwCZ91F212j0IpBLBM/fzck 58 + L0nUB8E= 59 + -----END CERTIFICATE-----
+61
vendor/opam/x509/tests/testcertificates/first/first.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 1 (0x1) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 6 17:11:44 2014 GMT 9 + Not After : Jun 3 17:11:44 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=bar.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + X509v3 Subject Alternative Name: 36 + DNS:foo.foobar.com, DNS:foobar.com 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 9c:93:69:c4:94:ac:a3:c5:29:38:48:2f:bb:95:83:a2:62:81: 39 + 30:b7:a0:d1:dd:f2:c7:8c:b7:3e:27:54:1e:a7:43:da:18:90: 40 + 05:d0:ce:08:7e:26:c9:f9:65:7b:65:ce:33:55:95:47:c8:1d: 41 + 4e:bf:0f:64:e9:ae:b1:b8:4a:23:0a:84:15:c2:8d:aa:65:9b: 42 + fa:1c:9c:cb:d8:2d:0a:9c:ee:a6:a0:91:1b:0b:a3:61:48:05: 43 + 45:e1:1e:22:2e:52:0a:9c:0c:9a:80:cc:d4:8f:20:d2:60:2b: 44 + ed:60:7b:51:1c:3d:bc:75:b2:eb:45:67:51:6e:53:24:51:b8: 45 + 6f:8e 46 + -----BEGIN CERTIFICATE----- 47 + MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMB4XDTE0MDYwNjE3MTE0NFoXDTI0MDYwMzE3MTE0NFowXjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAwwOYmFyLmZvb2Jhci5jb20wgZ8wDQYJKoZI 52 + hvcNAQEBBQADgY0AMIGJAoGBAOQT5/CXh2Jf4sx5slV318K4udNRuXJvFRO1lOdU 53 + jsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9 54 + NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/ 55 + Hn93AgMBAAGjgYEwfzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQU 56 + Svfo61cbq0lBI+gCZCODIxcOygUwHwYDVR0jBBgwFoAUn3MQYUIRTYLK8P836RfD 57 + IMjbHkowJQYDVR0RBB4wHIIOZm9vLmZvb2Jhci5jb22CCmZvb2Jhci5jb20wDQYJ 58 + KoZIhvcNAQEFBQADgYEAnJNpxJSso8UpOEgvu5WDomKBMLeg0d3yx4y3PidUHqdD 59 + 2hiQBdDOCH4myflle2XOM1WVR8gdTr8PZOmusbhKIwqEFcKNqmWb+hycy9gtCpzu 60 + pqCRGwujYUgFReEeIi5SCpwMmoDM1I8g0mAr7WB7URw9vHWy60VnUW5TJFG4b44= 61 + -----END CERTIFICATE-----
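Review bot: the Validity block in this fixture ends at "Not After : Jun 3 17:11:44 2024 GMT", and the sibling fixtures in this patch expire within the same week, so any test that validates them against the wall clock will fail as expired. Confirm the test suite passes a fixed validation time inside the 2014 to 2024 window, and record that time next to the fixtures so a regenerated set keeps the same assumption.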
+61
vendor/opam/x509/tests/testcertificates/intermediate/cacert-any-ext.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 19 (0x13) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 15:06:35 2014 GMT 9 + Not After : Jun 4 15:06:35 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:TRUE 33 + X509v3 Key Usage: 34 + Certificate Sign, CRL Sign 35 + X509v3 Extended Key Usage: 36 + Any Extended Key Usage 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 5b:69:22:ab:5a:ae:15:d8:a3:35:ff:66:fc:c8:44:25:a3:c2: 39 + 32:26:b2:b8:68:29:30:97:52:a1:31:1f:86:e0:97:6c:00:98: 40 + 75:1f:e8:3d:66:bd:9f:7f:51:e8:3f:d0:28:10:1c:0a:0b:3b: 41 + 8a:69:a8:30:c9:14:22:92:fa:09:bb:04:ab:15:6b:6e:89:14: 42 + 63:26:7b:e3:6d:3d:f3:94:f3:16:9d:25:7f:d6:70:af:fa:99: 43 + f4:a4:38:1e:47:69:87:e1:5c:80:b7:0f:34:36:e2:ba:35:c3: 44 + f0:c3:02:90:16:b5:be:22:84:6e:1e:83:8c:91:55:62:40:23: 45 + 71:c5 46 + -----BEGIN CERTIFICATE----- 47 + MIIChjCCAe+gAwIBAgIBEzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMB4XDTE0MDYwNzE1MDYzNVoXDTI0MDYwNDE1MDYzNVowWjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 52 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 53 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 54 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 55 + AwEAAaNxMG8wHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 56 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P 57 + BAQDAgEGMA8GA1UdJQQIMAYGBFUdJQAwDQYJKoZIhvcNAQEFBQADgYEAW2kiq1qu 58 + FdijNf9m/MhEJaPCMiayuGgpMJdSoTEfhuCXbACYdR/oPWa9n39R6D/QKBAcCgs7 59 + immoMMkUIpL6CbsEqxVrbokUYyZ7420985TzFp0lf9Zwr/qZ9KQ4Hkdph+FcgLcP 60 + NDbiujXD8MMCkBa1viKEbh6DjJFVYkAjccU= 61 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/intermediate/cacert-ba-false.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 16 (0x10) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 15:04:42 2014 GMT 9 + Not After : Jun 4 15:04:42 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:FALSE 33 + X509v3 Key Usage: 34 + Certificate Sign, CRL Sign 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 5a:fb:c5:0a:22:3d:76:de:b6:3a:85:06:9f:dc:97:e7:44:2c: 37 + 88:c5:4f:6f:3e:f9:31:8f:55:25:28:d0:0f:0c:5d:f9:08:b6: 38 + 3e:50:be:5d:ee:d7:bb:47:87:02:d0:a3:73:f4:95:ee:99:d0: 39 + 89:07:f7:a7:89:0a:7d:07:3b:a3:75:8a:af:22:23:30:33:2b: 40 + 96:b1:8d:59:1b:32:63:e4:6c:99:ef:9c:66:30:9b:e7:36:31: 41 + 5d:1e:d8:7e:1b:fa:65:cd:e3:25:28:aa:d6:6a:35:a2:a7:77: 42 + 9b:ca:4d:12:0a:91:3a:5b:74:05:7d:57:9c:4d:d0:a0:74:e5: 43 + 12:73 44 + -----BEGIN CERTIFICATE----- 45 + MIICcjCCAdugAwIBAgIBEDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMB4XDTE0MDYwNzE1MDQ0MloXDTI0MDYwNDE1MDQ0MlowWjELMAkGA1UE 48 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 50 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 51 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 52 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 53 + AwEAAaNdMFswHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 54 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQD 55 + AgEGMA0GCSqGSIb3DQEBBQUAA4GBAFr7xQoiPXbetjqFBp/cl+dELIjFT28++TGP 56 + VSUo0A8MXfkItj5Qvl3u17tHhwLQo3P0le6Z0IkH96eJCn0HO6N1iq8iIzAzK5ax 57 + jVkbMmPkbJnvnGYwm+c2MV0e2H4b+mXN4yUoqtZqNaKnd5vKTRIKkTpbdAV9V5xN 58 + 0KB05RJz 59 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/intermediate/cacert-ku-critical.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 22 (0x16) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 20:30:46 2014 GMT 9 + Not After : Jun 4 20:30:46 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:TRUE 33 + X509v3 Key Usage: critical 34 + Certificate Sign, CRL Sign 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 16:a1:47:40:d9:71:b8:ab:84:8f:f7:da:f3:53:cd:ad:a6:4d: 37 + d9:39:32:e9:d5:5c:6d:e3:45:05:00:1e:a3:45:28:c9:a1:c1: 38 + 07:0e:3f:52:ba:70:18:4d:ee:89:5a:80:05:af:dd:24:d6:4a: 39 + b2:c2:2f:a4:2c:4d:2e:60:86:01:6b:07:8f:70:d8:6a:07:a6: 40 + 4a:ce:b0:d0:4b:13:b5:a4:87:ac:ba:45:25:0a:8a:a2:a2:2f: 41 + 59:dd:9c:94:d7:0d:1d:e1:23:44:99:d5:63:5b:46:35:e0:87: 42 + bb:cb:53:24:89:48:e1:5f:0c:d7:02:e2:15:97:37:b1:dd:0d: 43 + 4e:bd 44 + -----BEGIN CERTIFICATE----- 45 + MIICeDCCAeGgAwIBAgIBFjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMB4XDTE0MDYwNzIwMzA0NloXDTI0MDYwNDIwMzA0NlowWjELMAkGA1UE 48 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 50 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 51 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 52 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 53 + AwEAAaNjMGEwHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 54 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P 55 + AQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBABahR0DZcbirhI/32vNTza2mTdk5 56 + MunVXG3jRQUAHqNFKMmhwQcOP1K6cBhN7olagAWv3STWSrLCL6QsTS5ghgFrB49w 57 + 2GoHpkrOsNBLE7Wkh6y6RSUKiqKiL1ndnJTXDR3hI0SZ1WNbRjXgh7vLUySJSOFf 58 + DNcC4hWXN7HdDU69 59 + -----END CERTIFICATE-----
+56
vendor/opam/x509/tests/testcertificates/intermediate/cacert-no-bc.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 21 (0x15) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 20:17:41 2014 GMT 9 + Not After : Jun 4 20:17:41 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Key Usage: 32 + Certificate Sign, CRL Sign 33 + Signature Algorithm: sha1WithRSAEncryption 34 + 32:a8:c9:7d:d8:a5:3c:da:f3:58:07:bb:e7:04:e2:fa:db:a3: 35 + 85:bd:06:49:fc:ca:a3:87:cb:5b:43:de:b2:8e:fd:c5:3e:35: 36 + ea:d7:ab:36:d2:f4:b2:05:41:4b:12:6d:82:9f:98:81:49:ad: 37 + 53:a1:d1:72:2e:4e:f3:87:13:c0:b7:4e:1c:a3:b6:66:a1:0d: 38 + 36:8a:58:3c:7f:29:46:a8:88:8a:f9:f8:d2:3d:de:31:00:f3: 39 + 2c:8e:cd:7b:58:11:39:b9:74:10:38:95:d2:84:71:f5:ee:6f: 40 + e4:ed:cd:c6:9a:67:4f:42:d7:ae:4f:9a:ac:22:6c:d3:80:76: 41 + 1f:79 42 + -----BEGIN CERTIFICATE----- 43 + MIICZDCCAc2gAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 44 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 45 + dHkgTHRkMB4XDTE0MDYwNzIwMTc0MVoXDTI0MDYwNDIwMTc0MVowWjELMAkGA1UE 46 + 
BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 47 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 48 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 49 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 50 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 51 + AwEAAaNPME0wHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 52 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B 53 + AQUFAAOBgQAyqMl92KU82vNYB7vnBOL626OFvQZJ/Mqjh8tbQ96yjv3FPjXq16s2 54 + 0vSyBUFLEm2Cn5iBSa1TodFyLk7zhxPAt04co7ZmoQ02ilg8fylGqIiK+fjSPd4x 55 + APMsjs17WBE5uXQQOJXShHH17m/k7c3GmmdPQteuT5qsImzTgHYfeQ== 56 + -----END CERTIFICATE-----
+56
vendor/opam/x509/tests/testcertificates/intermediate/cacert-no-keyusage.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 18 (0x12) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 15:05:29 2014 GMT 9 + Not After : Jun 4 15:05:29 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:TRUE 33 + Signature Algorithm: sha1WithRSAEncryption 34 + 6e:6c:e2:73:b6:77:9a:a4:14:34:2d:f9:93:3a:4e:0b:26:f7: 35 + f0:63:c7:8f:1e:2b:cf:fb:f3:db:6d:e1:13:eb:ec:c6:62:f5: 36 + 87:d7:f7:9e:db:55:d2:3f:79:b0:b8:61:5a:2a:c1:2f:e8:b4: 37 + f5:7d:55:fa:9b:d9:cd:09:62:d8:84:d7:86:e1:82:a1:c8:da: 38 + 41:92:5f:aa:f8:6e:59:b2:7d:d0:0a:f0:44:f6:c8:44:91:7d: 39 + 2d:71:59:27:6f:e7:22:0e:65:d5:62:bf:f0:98:53:34:76:16: 40 + 1a:61:46:4a:13:a0:db:71:b6:ca:8e:8e:d6:2a:4e:88:e1:8c: 41 + 99:8b 42 + -----BEGIN CERTIFICATE----- 43 + MIICaDCCAdGgAwIBAgIBEjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 44 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 45 + dHkgTHRkMB4XDTE0MDYwNzE1MDUyOVoXDTI0MDYwNDE1MDUyOVowWjELMAkGA1UE 46 + 
BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 47 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 48 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 49 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 50 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 51 + AwEAAaNTMFEwHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 52 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI 53 + hvcNAQEFBQADgYEAbmzic7Z3mqQUNC35kzpOCyb38GPHjx4rz/vz223hE+vsxmL1 54 + h9f3nttV0j95sLhhWirBL+i09X1V+pvZzQli2ITXhuGCocjaQZJfqvhuWbJ90Arw 55 + RPbIRJF9LXFZJ2/nIg5l1WK/8JhTNHYWGmFGShOg23G2yo6O1ipOiOGMmYs= 56 + -----END CERTIFICATE-----
+61
vendor/opam/x509/tests/testcertificates/intermediate/cacert-timestamp.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 17 (0x11) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 15:05:04 2014 GMT 9 + Not After : Jun 4 15:05:04 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:TRUE 33 + X509v3 Key Usage: 34 + Certificate Sign, CRL Sign 35 + X509v3 Extended Key Usage: 36 + Time Stamping 37 + Signature Algorithm: sha1WithRSAEncryption 38 + a4:df:66:b2:ac:06:4d:0a:2d:68:77:8e:a0:cd:10:cb:de:f5: 39 + 38:46:99:b8:ee:2e:cb:e0:56:c7:67:4a:8b:a9:28:1b:9d:50: 40 + bc:c9:c2:7f:98:45:17:2a:cf:f1:be:2b:bc:e9:03:e8:b7:97: 41 + d6:d5:15:d2:87:1f:03:8b:02:b3:8f:62:5d:55:7e:27:4c:c9: 42 + a7:bd:ed:5d:e2:c6:fc:d5:d9:88:cc:b0:71:c9:36:61:d7:d8: 43 + 28:95:e7:45:e3:7e:e9:d5:5f:af:1f:a0:51:02:34:b9:21:19: 44 + b0:7b:d5:c5:8e:72:97:33:cc:96:14:93:ef:b3:95:db:c0:d0: 45 + 57:0b 46 + -----BEGIN CERTIFICATE----- 47 + MIICijCCAfOgAwIBAgIBETANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + 
dHkgTHRkMB4XDTE0MDYwNzE1MDUwNFoXDTI0MDYwNDE1MDUwNFowWjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 52 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 53 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 54 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 55 + AwEAAaN1MHMwHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 56 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P 57 + BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBBQUAA4GBAKTf 58 + ZrKsBk0KLWh3jqDNEMve9ThGmbjuLsvgVsdnSoupKBudULzJwn+YRRcqz/G+K7zp 59 + A+i3l9bVFdKHHwOLArOPYl1VfidMyae97V3ixvzV2YjMsHHJNmHX2CiV50XjfunV 60 + X68foFECNLkhGbB71cWOcpczzJYUk++zldvA0FcL 61 + -----END CERTIFICATE-----
+61
vendor/opam/x509/tests/testcertificates/intermediate/cacert-unknown.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 20 (0x14) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 15:07:08 2014 GMT 9 + Not After : Jun 4 15:07:08 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Subject Key Identifier: 27 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 28 + X509v3 Authority Key Identifier: 29 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 30 + 31 + X509v3 Basic Constraints: critical 32 + CA:TRUE 33 + X509v3 Key Usage: 34 + Certificate Sign, CRL Sign 35 + 1.2.3.4: critical 36 + ..Some random data 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 8f:f1:30:c0:f0:33:18:2f:09:bc:cc:70:4b:f5:9a:e5:7c:33: 39 + d7:39:5a:af:bc:10:f9:b4:bf:ce:b5:07:67:26:87:b3:31:67: 40 + ce:41:a3:23:ba:51:85:10:dd:41:2d:e0:16:a0:a3:d0:0c:89: 41 + 92:d0:a8:bc:a9:b2:73:ca:7e:0a:4b:2c:ff:66:f7:61:75:43: 42 + f1:07:32:6b:ec:61:76:35:8c:4d:08:e8:18:d4:ce:75:3e:25: 43 + 1f:cc:0f:66:a0:c4:25:cb:6a:f1:04:da:ad:e6:e7:0a:62:f4: 44 + a5:88:de:ca:70:12:a1:33:05:85:e2:ea:27:97:ac:7d:ef:f8: 45 + 0b:9c 46 + -----BEGIN CERTIFICATE----- 47 + MIICkzCCAfygAwIBAgIBFDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 48 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + 
dHkgTHRkMB4XDTE0MDYwNzE1MDcwOFoXDTI0MDYwNDE1MDcwOFowWjELMAkGA1UE 50 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 51 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 52 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 53 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 54 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 55 + AwEAAaN+MHwwHQYDVR0OBBYEFHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQY 56 + MBaAFJ9zEGFCEU2CyvD/N+kXwyDI2x5KMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P 57 + BAQDAgEGMBwGAyoDBAEB/wQSDBBTb21lIHJhbmRvbSBkYXRhMA0GCSqGSIb3DQEB 58 + BQUAA4GBAI/xMMDwMxgvCbzMcEv1muV8M9c5Wq+8EPm0v861B2cmh7MxZ85BoyO6 59 + UYUQ3UEt4Bago9AMiZLQqLypsnPKfgpLLP9m92F1Q/EHMmvsYXY1jE0I6BjUznU+ 60 + JR/MD2agxCXLavEE2q3m5wpi9KWI3spwEqEzBYXi6ieXrH3v+Auc 61 + -----END CERTIFICATE-----
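Review bot: the "1.2.3.4: critical" extension in this CA fixture has no recorded expected verdict. An unrecognised critical extension has to make validation fail (RFC 5280, section 4.2), while the leaf fixture earlier in this patch carries the same 1.2.3.4 OID without the critical flag and should still be accepted. Add a comment in the test, or a README beside the fixtures, that names the expected result for each of the two files, so the pair reads as a deliberate accept/reject case and not as leftover data.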
+47
vendor/opam/x509/tests/testcertificates/intermediate/cacert-v1.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 23 (0x17) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 8 07:10:36 2014 GMT 9 + Not After : Jun 5 07:10:36 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + Signature Algorithm: sha1WithRSAEncryption 26 + ae:5a:77:70:95:f8:37:1e:38:90:3d:ad:ed:23:d9:27:0f:f6: 27 + 22:0d:7f:77:59:2d:62:84:97:12:88:10:48:2d:3e:35:1a:00: 28 + 65:32:1d:b6:fb:90:3b:f8:01:88:8b:d1:8c:1b:da:d8:19:7a: 29 + a3:f2:29:28:c1:a2:f2:2b:a8:42:75:58:d5:4a:69:f0:3f:d4: 30 + 70:49:73:6e:3f:6d:3f:ff:c1:dc:0c:90:1c:c4:08:f0:88:4b: 31 + 6d:25:ab:db:b8:d4:6b:55:cf:23:28:79:11:c0:31:c9:a6:e9: 32 + 85:61:5d:b5:cb:e2:fc:3c:aa:d5:6f:b1:bc:b4:17:7b:89:3f: 33 + 9b:48 34 + -----BEGIN CERTIFICATE----- 35 + MIICEzCCAXygAwIBAgIBFzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 36 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 37 + dHkgTHRkMB4XDTE0MDYwODA3MTAzNloXDTI0MDYwNTA3MTAzNlowWjELMAkGA1UE 38 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 39 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 40 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 41 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 42 + 
Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 43 + AwEAATANBgkqhkiG9w0BAQUFAAOBgQCuWndwlfg3HjiQPa3tI9knD/YiDX93WS1i 44 + hJcSiBBILT41GgBlMh22+5A7+AGIi9GMG9rYGXqj8ikowaLyK6hCdVjVSmnwP9Rw 45 + SXNuP20//8HcDJAcxAjwiEttJavbuNRrVc8jKHkRwDHJpumFYV21y+L8PKrVb7G8 46 + tBd7iT+bSA== 47 + -----END CERTIFICATE-----
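Review bot: the file is named cacert-v1.pem, but its dump reads "Version: 3 (0x2)" and simply has no "X509v3 extensions" section. If the test is meant to cover a CA certificate that lacks Basic Constraints, say so in the test or rename the fixture; if it is meant to cover a real X.509 v1 certificate, this file does not do that and needs regenerating.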
+59
vendor/opam/x509/tests/testcertificates/intermediate/cacert.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 8 (0x8) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 7 + Validity 8 + Not Before: Jun 7 14:06:12 2014 GMT 9 + Not After : Jun 4 14:06:12 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:ca:53:26:f9:ea:f4:1b:8a:70:c0:8c:17:17:c4: 16 + af:69:61:7a:62:8f:79:81:9e:16:9c:22:5c:64:25: 17 + fa:b3:be:bd:d1:84:98:7b:06:18:35:92:3a:c6:4b: 18 + 77:b4:90:61:6d:e1:6e:e9:bd:0a:72:a7:fb:27:51: 19 + ac:c6:43:5f:b9:60:41:a7:af:28:ff:6b:62:6a:ff: 20 + 54:16:06:84:48:94:4e:26:fe:bb:2b:f3:b2:8a:be: 21 + a2:a1:88:d1:4c:89:8e:29:60:41:9f:16:55:31:55: 22 + 86:c0:90:f4:b0:5e:63:7d:18:d8:d9:fb:0a:f3:df: 23 + 92:90:b1:78:e6:2e:c8:09:15 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:TRUE 28 + X509v3 Key Usage: 29 + Certificate Sign 30 + X509v3 Subject Key Identifier: 31 + 70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 32 + X509v3 Authority Key Identifier: 33 + keyid:9F:73:10:61:42:11:4D:82:CA:F0:FF:37:E9:17:C3:20:C8:DB:1E:4A 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 1d:9e:fa:5f:8f:1e:15:e9:d9:c7:9c:1c:30:0e:78:3c:ac:01: 37 + 4b:5c:42:03:e8:01:c3:1c:22:04:f4:ef:6f:f1:55:cc:fc:70: 38 + a3:75:ae:98:ea:f2:b6:77:a5:46:14:49:56:85:e7:dd:d7:57: 39 + a2:32:12:86:ec:7b:19:4c:d5:76:0b:7c:f5:64:3a:4c:52:b4: 40 + 6b:49:15:58:73:f9:21:23:de:dc:1c:6f:fa:d5:0a:93:1b:7d: 41 + 68:70:a8:47:2d:41:5f:ea:94:a5:6f:69:8d:f8:2f:40:b1:a5: 42 + d2:33:af:6e:32:fe:43:7b:70:73:3e:2b:fa:d7:fa:c7:1e:73: 43 + 10:23 44 + -----BEGIN CERTIFICATE----- 45 + MIICdTCCAd6gAwIBAgIBCDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + dHkgTHRkMB4XDTE0MDYwNzE0MDYxMloXDTI0MDYwNDE0MDYxMlowWjELMAkGA1UE 
48 + BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp 49 + ZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2lnbmluZyBDQTCBnzANBgkqhkiG9w0B 50 + AQEFAAOBjQAwgYkCgYEAylMm+er0G4pwwIwXF8SvaWF6Yo95gZ4WnCJcZCX6s769 51 + 0YSYewYYNZI6xkt3tJBhbeFu6b0Kcqf7J1GsxkNfuWBBp68o/2tiav9UFgaESJRO 52 + Jv67K/Oyir6ioYjRTImOKWBBnxZVMVWGwJD0sF5jfRjY2fsK89+SkLF45i7ICRUC 53 + AwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwHQYDVR0OBBYE 54 + FHBGSRvCcS7AUNNLGFiKxBAcrrNZMB8GA1UdIwQYMBaAFJ9zEGFCEU2CyvD/N+kX 55 + wyDI2x5KMA0GCSqGSIb3DQEBBQUAA4GBAB2e+l+PHhXp2cecHDAOeDysAUtcQgPo 56 + AcMcIgT072/xVcz8cKN1rpjq8rZ3pUYUSVaF593XV6IyEobsexlM1XYLfPVkOkxS 57 + tGtJFVhz+SEj3twcb/rVCpMbfWhwqEctQV/qlKVvaY34L0CxpdIzr24y/kN7cHM+ 58 + K/rX+scecxAj 59 + -----END CERTIFICATE-----
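Review bot: the Validity block gives Not After : Jun 4 14:06:12 2024 GMT, which is already in the past relative to the v1.0.6 (2025-04-15) entry in the CHANGES.md this same merge adds, so a chain through this CA only validates when the test supplies a fixed time between Jun 7 2014 and Jun 4 2024. Please confirm that no test using this fixture validates against the wall clock, or regenerate the fixture with a longer validity. The certificate is also sha1WithRSAEncryption over a 1024 bit key, which is fine for a parsing and path-building fixture but should be stated as test-only next to the file.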
+15
vendor/opam/x509/tests/testcertificates/intermediate/private/cakey.pem
··· 1 + -----BEGIN RSA PRIVATE KEY----- 2 + MIICXAIBAAKBgQDKUyb56vQbinDAjBcXxK9pYXpij3mBnhacIlxkJfqzvr3RhJh7 3 + Bhg1kjrGS3e0kGFt4W7pvQpyp/snUazGQ1+5YEGnryj/a2Jq/1QWBoRIlE4m/rsr 4 + 87KKvqKhiNFMiY4pYEGfFlUxVYbAkPSwXmN9GNjZ+wrz35KQsXjmLsgJFQIDAQAB 5 + AoGAJnKix39UoB8wygZVJRklVFtHzI8DQhRuq4EEGav19k5a+APAjjBcTWHadXBF 6 + 8TQ2r5DVaOmZoKw3WAN3V73Z5KNy8qG7BUi/c7uMkJAnDfXVRGZU58b+K/ga8AeZ 7 + bQ+agYmyo18//EtxHrrcG/bmz/5DEN796npmaDMICrY4X0ECQQD68e9bB93w5/Qk 8 + OwCyT1AaJeblVzDfxvMZfG31UPaZLGS9F12yUAiXy/B+6KGKuLcItHz2Rr5MCD7S 9 + 1/EtkeEpAkEAzmZ+eJouwxtdLow71eE5fzrT8ZFoEOEMUDHVTAUckUzmtuUVkYCg 10 + LmL+2wXf0NsFGw5N7fmAGsc8Ao4XnXQKDQJAL+XP1uM4hIvxeJzedCpZUrRbTvkG 11 + diAGNJ4gasuKVhA4JjN4idlm2nptq/uBIfZB0WKJ24QDPIXyX9Ih0Z3fiQJAQ4gv 12 + i0BPWpEifO9vSHyntmRGIn0EArnPsJGNi5EEltoFhwQPeYsPXf4QCxOx9oEi+4ZD 13 + o0CGVLypeuCJA4CLJQJBAPp2SyfdblsIez+wzzt3e/W6lhBX1BiRgg9pZ7GUwhTN 14 + IQ1FKqflqank2Gk/7mcgHDDtNGgQ+ewxjsdAWX/veX0= 15 + -----END RSA PRIVATE KEY-----
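Review bot: an unencrypted RSA private key for the test CA is checked in at tests/testcertificates/intermediate/private/cakey.pem, and nothing beyond the word "tests" in the path says it is a throwaway. Add a short README under testcertificates/ stating that every key in the tree is public, test-only and must never be placed in a trust store, and add the directory to the secret-scanner allow-list so that this known finding does not mask a real leaked key elsewhere in the vendored tree.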
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-any.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 4 (0x4) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:12:00 2014 GMT 9 + Not After : Jun 4 15:12:00 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + X509v3 Extended Key Usage: 36 + Any Extended Key Usage 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 5f:3b:4b:a3:70:1a:82:3e:9c:bb:cb:16:95:f3:b2:ef:3a:a6: 39 + 09:1d:1c:b9:cb:ce:56:82:29:98:41:b8:c5:58:cb:35:27:45: 40 + 9d:2e:f5:41:e1:a0:7c:5f:ee:2d:0c:9c:9b:42:31:61:27:fb: 41 + 5f:d6:ce:a6:dc:c6:9b:b2:d1:3b:72:1e:b3:f1:20:73:7f:86: 42 + 8a:1d:44:c8:d7:bc:f2:92:4a:2c:48:97:b5:12:63:99:f3:90: 43 + e5:79:bf:68:fe:11:34:1d:ac:75:80:d2:22:7f:53:2d:70:50: 44 + d2:a0:fc:7b:b9:8f:b3:5e:6c:70:b8:55:0b:52:d5:84:b7:7c: 45 + 84:9b 46 + -----BEGIN CERTIFICATE----- 47 + MIICnzCCAgigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTIwMFoXDTI0 50 + MDYwNDE1MTIwMFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjbjBsMAwGA1UdEwEB/wQC 56 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 57 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTAPBgNVHSUECDAGBgRVHSUA 58 + MA0GCSqGSIb3DQEBBQUAA4GBAF87S6NwGoI+nLvLFpXzsu86pgkdHLnLzlaCKZhB 59 + uMVYyzUnRZ0u9UHhoHxf7i0MnJtCMWEn+1/Wzqbcxpuy0TtyHrPxIHN/hoodRMjX 60 + vPKSSixIl7USY5nzkOV5v2j+ETQdrHWA0iJ/Uy1wUNKg/Hu5j7NebHC4VQtS1YS3 61 + fISb 62 + -----END CERTIFICATE-----
+59
vendor/opam/x509/tests/testcertificates/intermediate/second/second-bc-true.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 2 (0x2) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:09:33 2014 GMT 9 + Not After : Jun 4 15:09:33 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:TRUE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 5d:9d:36:2b:33:c8:43:c8:78:13:10:c7:a8:7f:ac:60:f6:19: 37 + 46:36:24:8b:8e:db:20:00:b5:f8:c7:a5:ac:49:56:a6:e1:e6: 38 + dd:fd:07:10:44:2b:aa:42:f5:76:56:81:86:3d:74:53:03:24: 39 + e0:9a:6e:d7:e6:3c:d7:31:87:82:2a:72:fc:67:8f:0e:5a:3b: 40 + 05:c9:5c:52:61:6d:a0:4d:78:ba:8d:97:a5:4c:e1:a6:07:43: 41 + 61:81:c5:94:84:37:47:91:aa:13:b6:57:19:af:57:8d:82:8a: 42 + 50:eb:cc:07:76:cb:1b:35:c3:db:98:2d:ab:d6:cf:d2:c3:a8: 43 + e5:1b 44 + -----BEGIN CERTIFICATE----- 45 + MIICkTCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MDkzM1oXDTI0 48 + MDYwNDE1MDkzM1owYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 49 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 50 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 51 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 52 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 53 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjYDBeMA8GA1UdEwEB/wQF 54 + MAMBAf8wCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7K 55 + BTAfBgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTANBgkqhkiG9w0BAQUF 56 + AAOBgQBdnTYrM8hDyHgTEMeof6xg9hlGNiSLjtsgALX4x6WsSVam4ebd/QcQRCuq 57 + QvV2VoGGPXRTAyTgmm7X5jzXMYeCKnL8Z48OWjsFyVxSYW2gTXi6jZelTOGmB0Nh 58 + gcWUhDdHkaoTtlcZr1eNgopQ68wHdssbNcPbmC2r1s/Sw6jlGw== 59 + -----END CERTIFICATE-----
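Review bot: Basic Constraints is CA:TRUE while Key Usage still lists only Digital Signature, Non Repudiation, Key Encipherment (no Certificate Sign), so this certificate is neither a well-formed leaf nor a usable issuer. Say in the test that consumes it which rejection is expected (CA:TRUE on an end-entity certificate, or a missing Certificate Sign bit when it is placed as an issuer) and assert on that specific error, not just on failure.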
+59
vendor/opam/x509/tests/testcertificates/intermediate/second/second-no-cn.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 10 (0xa) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 20:19:45 2014 GMT 9 + Not After : Jun 4 20:19:45 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + 86:ff:aa:35:31:07:ab:76:8d:44:3a:a6:63:40:ce:ac:13:56: 37 + c0:90:12:e1:23:af:0d:b9:16:88:48:7b:a1:00:85:6c:b8:32: 38 + 4d:ed:04:dc:32:05:e9:27:77:e1:1b:16:0b:8e:dc:23:fb:cd: 39 + fc:c7:63:27:35:bd:69:4d:45:ae:ab:b9:06:bb:a1:5e:b5:7e: 40 + 89:72:cc:fe:3e:90:3c:09:bc:e1:1c:b0:bf:c6:d2:40:61:a7: 41 + d6:20:9b:cd:e9:f5:d6:09:f3:1e:ee:6b:6e:d2:31:6e:0d:15: 42 + 8d:dd:9d:f7:8e:d9:96:df:42:7e:e2:0f:0d:37:f4:a8:ef:79: 43 + c1:88 44 + -----BEGIN CERTIFICATE----- 45 + MIICcjCCAdugAwIBAgIBCjANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzIwMTk0NVoXDTI0 48 + MDYwNDIwMTk0NVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 49 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0B 50 + AQEFAAOBjQAwgYkCgYEA5BPn8JeHYl/izHmyVXfXwri501G5cm8VE7WU51SOwRg3 51 + bNgLkFqkXaUOQnROfq3pNDenbeUwxkF7+IXpYYTM2IDyf69uIrwszicfSv02vByd 52 + 9V/ptJYPiDGPp204VKh+LBwccowvCwpxb9LVxqzp4Ol+ckZDoABgM2LXev8ef3cC 53 + AwEAAaNdMFswDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFEr3 54 + 6OtXG6tJQSPoAmQjgyMXDsoFMB8GA1UdIwQYMBaAFHBGSRvCcS7AUNNLGFiKxBAc 55 + rrNZMA0GCSqGSIb3DQEBBQUAA4GBAIb/qjUxB6t2jUQ6pmNAzqwTVsCQEuEjrw25 56 + FohIe6EAhWy4Mk3tBNwyBeknd+EbFguO3CP7zfzHYyc1vWlNRa6ruQa7oV61foly 57 + zP4+kDwJvOEcsL/G0kBhp9Ygm83p9dYJ8x7ua27SMW4NFY3dnfeO2ZbfQn7iDw03 58 + 9KjvecGI 59 + -----END CERTIFICATE-----
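Review bot: the Subject has no CN and the extension list has no Subject Alternative Name, so there is no identity that any host name can match. The test should assert that host name verification returns a name-mismatch error for every host, and that parsing and chain validation without a host still complete, so that a missing CN is handled as an ordinary value and not through an exception path.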
+59
vendor/opam/x509/tests/testcertificates/intermediate/second/second-nonrepud.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 5 (0x5) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:12:35 2014 GMT 9 + Not After : Jun 4 15:12:35 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Non Repudiation 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + a4:9d:d9:79:78:68:e8:e3:2f:ac:3b:25:6c:f3:05:8d:ab:08: 37 + 3a:ff:a9:85:4e:c2:77:df:38:56:50:d3:7a:77:1f:fd:53:f6: 38 + eb:f0:43:2f:39:61:d0:f6:1b:c8:3b:30:a4:53:c2:a4:eb:02: 39 + 02:ec:11:ee:d6:4c:e9:d5:25:2e:15:ce:e3:c5:9a:04:e3:00: 40 + 45:34:c5:26:69:b4:89:51:fa:41:f5:0a:5e:60:23:b7:ef:f7: 41 + 3e:c9:7a:94:57:31:b1:86:58:31:34:df:25:56:03:a2:3e:c9: 42 + 3f:db:43:58:39:c7:1a:a5:1f:d8:49:cc:09:96:da:0b:e7:21: 43 + b6:06 44 + -----BEGIN CERTIFICATE----- 45 + MIICjjCCAfegAwIBAgIBBTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTIzNVoXDTI0 48 + MDYwNDE1MTIzNVowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 49 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 50 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 51 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 52 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 53 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjXTBbMAwGA1UdEwEB/wQC 54 + MAAwCwYDVR0PBAQDAgZAMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 55 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTANBgkqhkiG9w0BAQUFAAOB 56 + gQCkndl5eGjo4y+sOyVs8wWNqwg6/6mFTsJ33zhWUNN6dx/9U/br8EMvOWHQ9hvI 57 + OzCkU8Kk6wIC7BHu1kzp1SUuFc7jxZoE4wBFNMUmabSJUfpB9QpeYCO37/c+yXqU 58 + VzGxhlgxNN8lVgOiPsk/20NYOccapR/YScwJltoL5yG2Bg== 59 + -----END CERTIFICATE-----
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-subj-wild.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 9 (0x9) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:15:26 2014 GMT 9 + Not After : Jun 4 15:15:26 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + X509v3 Subject Alternative Name: 36 + DNS:*.foobar.com, DNS:foo.foobar.com 37 + Signature Algorithm: sha1WithRSAEncryption 38 + c8:c4:d0:4a:98:c8:d1:92:54:da:e0:a8:71:05:4e:76:e0:51: 39 + 5f:5f:c0:3f:38:9d:d4:d2:ea:68:c1:61:4c:67:74:22:19:54: 40 + a1:1d:cf:2a:41:69:2a:2b:82:e8:f6:ca:54:4f:c2:bd:5a:0e: 41 + f0:e1:c8:12:5f:9a:75:c0:d2:23:66:ea:dd:a7:2f:a6:7e:ae: 42 + 38:7e:14:2a:f4:d1:90:26:91:cb:0a:9a:5d:de:d6:25:bd:97: 43 + 34:c0:4f:8e:3b:3c:fc:7b:ee:c7:6c:6f:80:e6:a9:4f:6d:87: 44 + 94:d8:6d:cf:be:92:5b:7e:23:e5:eb:55:cb:5c:9b:27:bf:78: 45 + ce:0d 46 + -----BEGIN CERTIFICATE----- 47 + MIICuTCCAiKgAwIBAgIBCTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 
48 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTUyNloXDTI0 50 + MDYwNDE1MTUyNlowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjgYcwgYQwDAYDVR0TAQH/ 56 + BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFEr36OtXG6tJQSPoAmQjgyMXDsoF 57 + MB8GA1UdIwQYMBaAFHBGSRvCcS7AUNNLGFiKxBAcrrNZMCcGA1UdEQQgMB6CDCou 58 + Zm9vYmFyLmNvbYIOZm9vLmZvb2Jhci5jb20wDQYJKoZIhvcNAQEFBQADgYEAyMTQ 59 + SpjI0ZJU2uCocQVOduBRX1/APzid1NLqaMFhTGd0IhlUoR3PKkFpKiuC6PbKVE/C 60 + vVoO8OHIEl+adcDSI2bq3acvpn6uOH4UKvTRkCaRywqaXd7WJb2XNMBPjjs8/Hvu 61 + x2xvgOapT22HlNhtz76SW34j5etVy1ybJ794zg0= 62 + -----END CERTIFICATE-----
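Review bot: the SAN is DNS:*.foobar.com, DNS:foo.foobar.com while the CN is second.foobar.com, which the wildcard already covers, so a positive match on second.foobar.com cannot show whether the SAN or the CN was consulted. Use a name that appears nowhere else in the certificate, such as bar.foobar.com, for the positive case, and add negative cases for the apex foobar.com and for a two-label prefix such as a.b.foobar.com, since the wildcard should stand in for a single left-most label only.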
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-subj.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 8 (0x8) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:15:01 2014 GMT 9 + Not After : Jun 4 15:15:01 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + X509v3 Subject Alternative Name: 36 + DNS:foobar.com, DNS:foo.foobar.com 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 77:a1:83:7f:ed:4f:5c:a5:86:55:11:2a:6e:89:0c:07:be:0e: 39 + 1e:5a:b8:94:7f:0d:74:ef:e1:b4:e4:72:68:96:95:2b:00:a2: 40 + 29:a2:4e:16:cd:e8:04:fc:e7:ac:73:04:9a:fc:2a:5d:c2:59: 41 + aa:92:0f:7c:fb:25:39:f9:b9:ed:d2:1a:04:93:8f:e0:d2:41: 42 + eb:81:8d:c6:89:b0:54:de:1d:24:e6:6d:3b:a7:e2:80:61:32: 43 + 98:22:4d:a1:fb:61:5c:ed:15:87:ba:26:5e:91:53:54:47:a9: 44 + 76:b8:4b:bb:00:53:5b:c6:3c:8c:a4:80:d0:13:fa:b0:3c:d4: 45 + 0f:44 46 + -----BEGIN CERTIFICATE----- 47 + MIICtzCCAiCgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 
+ MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTUwMVoXDTI0 50 + MDYwNDE1MTUwMVowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjgYUwgYIwDAYDVR0TAQH/ 56 + BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFEr36OtXG6tJQSPoAmQjgyMXDsoF 57 + MB8GA1UdIwQYMBaAFHBGSRvCcS7AUNNLGFiKxBAcrrNZMCUGA1UdEQQeMByCCmZv 58 + b2Jhci5jb22CDmZvby5mb29iYXIuY29tMA0GCSqGSIb3DQEBBQUAA4GBAHehg3/t 59 + T1ylhlURKm6JDAe+Dh5auJR/DXTv4bTkcmiWlSsAoimiThbN6AT856xzBJr8Kl3C 60 + WaqSD3z7JTn5ue3SGgSTj+DSQeuBjcaJsFTeHSTmbTun4oBhMpgiTaH7YVztFYe6 61 + Jl6RU1RHqXa4S7sAU1vGPIykgNAT+rA81A9E 62 + -----END CERTIFICATE-----
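Review bot: the SAN lists DNS:foobar.com and DNS:foo.foobar.com but not the CN second.foobar.com, which makes this the fixture for SAN-over-CN precedence. Make sure a test asserts that second.foobar.com is rejected here; a validator that falls back to the CN when a dNSName SAN is present would accept it.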
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-subjaltemail.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 11 (0xb) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 20:27:58 2014 GMT 9 + Not After : Jun 4 20:27:58 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + X509v3 Subject Alternative Name: 36 + email:foobar.com 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 37:e6:be:0f:75:4a:b8:c2:e1:7f:e2:70:31:41:12:41:cc:05: 39 + 72:8f:ce:8c:2c:c2:1e:78:03:bb:61:f5:9a:76:cf:36:bb:66: 40 + cf:4c:f1:33:ba:9d:a7:7e:20:92:7c:bb:9c:01:53:ba:c9:13: 41 + 2c:6e:c4:bf:04:ee:76:bc:eb:d3:87:e8:05:5c:62:f1:0e:7c: 42 + 51:12:25:c8:4f:e6:8e:46:c1:15:2a:55:fb:e4:8a:e3:04:7f: 43 + 9f:86:1d:03:e1:25:b4:6b:9a:bd:b6:02:ba:07:d4:82:04:06: 44 + fb:fd:7d:9b:7b:37:96:f2:04:0e:a4:f3:43:6c:9a:f1:fb:1f: 45 + 4b:bc 46 + -----BEGIN CERTIFICATE----- 47 + MIICpTCCAg6gAwIBAgIBCzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzIwMjc1OFoXDTI0 50 + MDYwNDIwMjc1OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjdDByMAwGA1UdEwEB/wQC 56 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 57 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTAVBgNVHREEDjAMgQpmb29i 58 + YXIuY29tMA0GCSqGSIb3DQEBBQUAA4GBADfmvg91SrjC4X/icDFBEkHMBXKPzows 59 + wh54A7th9Zp2zza7Zs9M8TO6nad+IJJ8u5wBU7rJEyxuxL8E7na869OH6AVcYvEO 60 + fFESJchP5o5GwRUqVfvkiuMEf5+GHQPhJbRrmr22AroH1IIEBvv9fZt7N5byBA6k 61 + 80NsmvH7H0u8 62 + -----END CERTIFICATE-----
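Review bot: the only SAN entry is email:foobar.com, an rfc822Name whose value looks like a host name and contains no "@". A test should assert that verifying the host foobar.com against this certificate fails, so that a matcher comparing SAN strings without checking the GeneralName type is caught. Please also state whether the CN second.foobar.com is expected to match when the SAN holds no dNSName entry.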
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-time.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 3 (0x3) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:11:22 2014 GMT 9 + Not After : Jun 4 15:11:22 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + X509v3 Extended Key Usage: 36 + Time Stamping 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 2e:95:20:c3:be:29:0f:f7:3c:eb:e3:02:e1:11:18:21:88:6f: 39 + 16:d8:e1:04:4b:d8:56:80:4f:e2:78:c0:35:10:b4:0f:11:0d: 40 + 3d:96:0a:77:aa:56:be:27:7c:53:4c:c4:e7:f2:42:9a:3f:c0: 41 + e5:8c:5e:9b:ff:c9:c2:13:d1:57:4a:9c:53:86:c2:c7:04:fa: 42 + 0b:8d:ac:52:0a:d8:e3:5d:d5:a6:f3:c0:67:db:de:43:0b:fd: 43 + 21:2a:7d:67:bd:de:f5:48:5a:f3:a5:d4:ed:18:4a:37:f9:c4: 44 + 6f:6e:7c:ff:b4:4e:db:5a:7b:6d:92:79:68:5d:ce:74:a0:b9: 45 + 96:38 46 + -----BEGIN CERTIFICATE----- 47 + MIICozCCAgygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTEyMloXDTI0 50 + MDYwNDE1MTEyMlowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjcjBwMAwGA1UdEwEB/wQC 56 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 57 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTATBgNVHSUEDDAKBggrBgEF 58 + BQcDCDANBgkqhkiG9w0BAQUFAAOBgQAulSDDvikP9zzr4wLhERghiG8W2OEES9hW 59 + gE/ieMA1ELQPEQ09lgp3qla+J3xTTMTn8kKaP8DljF6b/8nCE9FXSpxThsLHBPoL 60 + jaxSCtjjXdWm88Bn295DC/0hKn1nvd71SFrzpdTtGEo3+cRvbnz/tE7bWnttknlo 61 + Xc50oLmWOA== 62 + -----END CERTIFICATE-----
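Review bot: Extended Key Usage contains only Time Stamping, so this certificate should be refused for TLS server authentication even though its Key Usage matches second.pem. State the expected result for this file and for second-any.pem (Any Extended Key Usage) side by side in the test, since the two together define the validator's EKU policy.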
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-unknown-noncrit.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 7 (0x7) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:14:08 2014 GMT 9 + Not After : Jun 4 15:14:08 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + 1.2.3.4: 36 + ..Some random data 37 + Signature Algorithm: sha1WithRSAEncryption 38 + ad:f0:9c:da:6a:61:bd:5f:bd:bb:43:4c:c9:31:ca:07:6c:b0: 39 + 49:1f:9d:f0:72:b7:58:f8:91:a3:c5:d3:9a:46:c7:c7:ad:50: 40 + 7f:2c:05:c0:e2:ba:82:a7:22:2b:33:3a:60:87:dd:c7:18:01: 41 + 52:13:c4:da:63:88:65:cf:a2:a2:db:7f:83:85:11:94:12:82: 42 + d2:d5:91:01:40:7c:9b:8a:a7:33:e7:e0:ab:39:de:b6:ee:56: 43 + 49:50:f8:b5:e7:f0:50:3e:96:e1:ea:5d:5b:00:26:c3:1b:13: 44 + bc:12:da:35:b7:33:f0:cc:bc:ca:b1:1a:79:69:b3:34:22:35: 45 + 31:7f 46 + -----BEGIN CERTIFICATE----- 47 + MIICqTCCAhKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTQwOFoXDTI0 50 + MDYwNDE1MTQwOFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjeDB2MAwGA1UdEwEB/wQC 56 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 57 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTAZBgMqAwQEEgwQU29tZSBy 58 + YW5kb20gZGF0YTANBgkqhkiG9w0BAQUFAAOBgQCt8JzaamG9X727Q0zJMcoHbLBJ 59 + H53wcrdY+JGjxdOaRsfHrVB/LAXA4rqCpyIrMzpgh93HGAFSE8TaY4hlz6Ki23+D 60 + hRGUEoLS1ZEBQHybiqcz5+CrOd627lZJUPi15/BQPpbh6l1bACbDGxO8Eto1tzPw 61 + zLzKsRp5abM0IjUxfw== 62 + -----END CERTIFICATE-----
+62
vendor/opam/x509/tests/testcertificates/intermediate/second/second-unknown.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 6 (0x6) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 15:13:35 2014 GMT 9 + Not After : Jun 4 15:13:35 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + 1.2.3.4: critical 36 + ..Some random data 37 + Signature Algorithm: sha1WithRSAEncryption 38 + 22:43:ed:d2:8f:20:da:b4:31:1d:54:54:80:d4:b7:3b:c8:db: 39 + 81:30:1b:29:c3:e7:76:6c:7c:c1:1d:86:97:d7:98:99:e7:99: 40 + 87:25:11:30:9e:63:e2:4e:b2:a3:c9:97:aa:b0:a6:9c:73:76: 41 + c3:a0:15:b2:05:3e:3f:92:38:aa:62:26:78:56:85:c0:bb:1e: 42 + 39:fa:f7:c8:40:25:9c:f9:c0:ce:70:b9:8a:b0:56:35:f7:54: 43 + 91:b5:b6:33:85:f2:18:ae:f4:ca:a4:d9:a8:41:34:4a:7b:23: 44 + 5d:41:77:87:6d:f9:65:07:62:6d:50:5a:f1:14:13:a3:c8:2f: 45 + 7a:3d 46 + -----BEGIN CERTIFICATE----- 47 + MIICrDCCAhWgAwIBAgIBBjANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 48 + 
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 49 + dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE1MTMzNVoXDTI0 50 + MDYwNDE1MTMzNVowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 51 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 52 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 53 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 54 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 55 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjezB5MAwGA1UdEwEB/wQC 56 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 57 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTAcBgMqAwQBAf8EEgwQU29t 58 + ZSByYW5kb20gZGF0YTANBgkqhkiG9w0BAQUFAAOBgQAiQ+3SjyDatDEdVFSA1Lc7 59 + yNuBMBspw+d2bHzBHYaX15iZ55mHJREwnmPiTrKjyZeqsKacc3bDoBWyBT4/kjiq 60 + YiZ4VoXAux45+vfIQCWc+cDOcLmKsFY191SRtbYzhfIYrvTKpNmoQTRKeyNdQXeH 61 + bfllB2JtUFrxFBOjyC96PQ== 62 + -----END CERTIFICATE-----
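Review bot: extension 1.2.3.4 is marked critical here, and the same extension is non-critical in second-unknown-noncrit.pem. The pair should be tested together: the critical variant must be rejected because the validator cannot process the extension, and the non-critical variant must be accepted with the extension ignored. If either assertion is missing, a regression that drops the criticality check would go unnoticed.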
+16
vendor/opam/x509/tests/testcertificates/intermediate/second/second.key
··· 1 + -----BEGIN PRIVATE KEY----- 2 + MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOQT5/CXh2Jf4sx5 3 + slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23lMMZBe/iF 4 + 6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKMLwsKcW/S 5 + 1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAECgYB4qOtIhfGSoqWKhUtKGfekRTPR 6 + zudr2cZtwd9/rmVDVDtmMrmTadCQ1hRAJeWs8PZxsIu8AMcX62bZaIa6F5aCZ7IU 7 + Jwwd9rt6o9pbBh2lcBO+iy+oCwFv7BImP6jFH7ODC7DYrwich2iEWIqNbhoLD8+7 8 + 0B9klyIlpc39fbL+2QJBAPH+cGq330uE8GVWyw3A8GVnkMrrcKKG+EAXMp0cCdSe 9 + YhoGPURk/Uww78GKfCmRFAVkNRQj4fJ+sIc16+nTf4sCQQDxR0Zk5T7sH2A9N2da 10 + Al6q/523sA5AkF/wJ9xmcT5HfZ/xFx0R96TSHR6SplbvXALUeQTWTmbuHkInraxi 11 + Sz1FAkEAk34I9oJrTpQQETP9PrzByIx+667kT6sD08xPxQI526VNFZ+H6A/FcpLB 12 + Dq1hT9Rk54RT9ZqJNEuTPFXZHAMUUQJAXe5rn1gIORC1/N8W41nM1TGSizKFOel7 13 + EBnUmiU4I8jqfYeMD7SjfBFOF7WeXq0phOJgWbZIKCerhZr9Y377KQJAdYo+p8B8 14 + uwp+Yq/9S+JrXtwLYOFYDm5lPykGp1rHZKzJdU6hYMednsSZ0FWZn2M5l0lhgPPs 15 + mPVCW2CSvF+p9Q== 16 + -----END PRIVATE KEY-----
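Review bot: this key is PKCS#8 (BEGIN PRIVATE KEY) while cakey.pem in the same tree is PKCS#1 (BEGIN RSA PRIVATE KEY), and nothing documents whether the mix is intended. If it is deliberate, to cover both private-key decoders, say so in a README and make sure each format has its own decode test; the v1.0.2 changelog entry added in this merge is an RSA key encoding and decoding fix, so both paths deserve explicit coverage.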
+59
vendor/opam/x509/tests/testcertificates/intermediate/second/second.pem
··· 1 + Certificate: 2 + Data: 3 + Version: 3 (0x2) 4 + Serial Number: 1 (0x1) 5 + Signature Algorithm: sha1WithRSAEncryption 6 + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=signing CA 7 + Validity 8 + Not Before: Jun 7 14:46:24 2014 GMT 9 + Not After : Jun 4 14:46:24 2024 GMT 10 + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=second.foobar.com 11 + Subject Public Key Info: 12 + Public Key Algorithm: rsaEncryption 13 + Public-Key: (1024 bit) 14 + Modulus: 15 + 00:e4:13:e7:f0:97:87:62:5f:e2:cc:79:b2:55:77: 16 + d7:c2:b8:b9:d3:51:b9:72:6f:15:13:b5:94:e7:54: 17 + 8e:c1:18:37:6c:d8:0b:90:5a:a4:5d:a5:0e:42:74: 18 + 4e:7e:ad:e9:34:37:a7:6d:e5:30:c6:41:7b:f8:85: 19 + e9:61:84:cc:d8:80:f2:7f:af:6e:22:bc:2c:ce:27: 20 + 1f:4a:fd:36:bc:1c:9d:f5:5f:e9:b4:96:0f:88:31: 21 + 8f:a7:6d:38:54:a8:7e:2c:1c:1c:72:8c:2f:0b:0a: 22 + 71:6f:d2:d5:c6:ac:e9:e0:e9:7e:72:46:43:a0:00: 23 + 60:33:62:d7:7a:ff:1e:7f:77 24 + Exponent: 65537 (0x10001) 25 + X509v3 extensions: 26 + X509v3 Basic Constraints: critical 27 + CA:FALSE 28 + X509v3 Key Usage: 29 + Digital Signature, Non Repudiation, Key Encipherment 30 + X509v3 Subject Key Identifier: 31 + 4A:F7:E8:EB:57:1B:AB:49:41:23:E8:02:64:23:83:23:17:0E:CA:05 32 + X509v3 Authority Key Identifier: 33 + keyid:70:46:49:1B:C2:71:2E:C0:50:D3:4B:18:58:8A:C4:10:1C:AE:B3:59 34 + 35 + Signature Algorithm: sha1WithRSAEncryption 36 + ba:87:d8:55:8c:17:44:eb:c3:5b:9e:9a:d2:c7:78:d9:b0:00: 37 + 6e:a0:be:68:ed:a6:70:06:46:5b:79:f6:39:1b:d2:be:2d:d1: 38 + 22:4b:28:a7:4d:f5:53:f1:e1:10:c0:fd:11:47:cd:b0:0f:57: 39 + c0:4f:dc:c8:09:0d:77:01:2c:21:e4:37:99:69:81:cb:87:d1: 40 + 64:60:9e:92:56:9b:27:36:e9:e4:d8:5f:86:60:a8:d9:8f:0e: 41 + 75:b1:1a:ef:d7:3a:9b:59:04:2c:e4:7f:16:73:09:b1:86:91: 42 + 03:23:37:25:f3:4c:0a:77:3d:e1:f7:0e:29:35:c1:64:4d:e2: 43 + 62:bb 44 + -----BEGIN CERTIFICATE----- 45 + MIICjjCCAfegAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJBVTET 46 + MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ 47 + 
dHkgTHRkMRMwEQYDVQQDDApzaWduaW5nIENBMB4XDTE0MDYwNzE0NDYyNFoXDTI0 48 + MDYwNDE0NDYyNFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx 49 + ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vj 50 + b25kLmZvb2Jhci5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOQT5/CX 51 + h2Jf4sx5slV318K4udNRuXJvFRO1lOdUjsEYN2zYC5BapF2lDkJ0Tn6t6TQ3p23l 52 + MMZBe/iF6WGEzNiA8n+vbiK8LM4nH0r9NrwcnfVf6bSWD4gxj6dtOFSofiwcHHKM 53 + LwsKcW/S1cas6eDpfnJGQ6AAYDNi13r/Hn93AgMBAAGjXTBbMAwGA1UdEwEB/wQC 54 + MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRK9+jrVxurSUEj6AJkI4MjFw7KBTAf 55 + BgNVHSMEGDAWgBRwRkkbwnEuwFDTSxhYisQQHK6zWTANBgkqhkiG9w0BAQUFAAOB 56 + gQC6h9hVjBdE68NbnprSx3jZsABuoL5o7aZwBkZbefY5G9K+LdEiSyinTfVT8eEQ 57 + wP0RR82wD1fAT9zICQ13ASwh5DeZaYHLh9FkYJ6SVpsnNunk2F+GYKjZjw51sRrv 58 + 1zqbWQQs5H8WcwmxhpEDIzcl80wKdz3h9w4pNcFkTeJiuw== 59 + -----END CERTIFICATE-----
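Review bot: the text dump at the top of second.pem shows `Not After : Jun 4 14:46:24 2024 GMT`, `Public-Key: (1024 bit)` and `sha1WithRSAEncryption`, so this leaf is expired, and the suite's use of it depends on the permissive settings in x509tests.ml (`let time () = None` and a default `allowed_hashes` that lists MD5 and SHA1). Suggest a short README in tests/testcertificates stating that the fixtures are intentionally weak and expired and recording how they were generated from the accompanying openssl.cnf, so that a later change that passes a real clock or a stricter hash list in the tests does not produce unexplained failures.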
+278
vendor/opam/x509/tests/testcertificates/openssl.cnf
··· 1 + # This definition stops the following lines choking if HOME isn't 2 + # defined. 3 + HOME = . 4 + RANDFILE = $ENV::HOME/.rnd 5 + 6 + # Extra OBJECT IDENTIFIER info: 7 + #oid_file = $ENV::HOME/.oid 8 + oid_section = new_oids 9 + 10 + # To use this configuration file with the "-extfile" option of the 11 + # "openssl x509" utility, name here the section containing the 12 + # X.509v3 extensions to use: 13 + # extensions = 14 + # (Alternatively, use a configuration file that has only 15 + # X.509v3 extensions in its main [= default] section.) 16 + 17 + [ new_oids ] 18 + 19 + #################################################################### 20 + [ ca ] 21 + default_ca = CA_default # The default ca section 22 + 23 + #################################################################### 24 + [ CA_default ] 25 + 26 + dir = . # Where everything is kept 27 + certs = $dir/certs # Where the issued certs are kept 28 + crl_dir = $dir/crl # Where the issued crl are kept 29 + database = $dir/index.txt # database index file. 30 + unique_subject = no # Set to 'no' to allow creation of 31 + # several ctificates with same subject. 32 + new_certs_dir = $dir/newcerts # default place for new certs. 33 + 34 + certificate = $dir/cacert.pem # The CA certificate 35 + serial = $dir/serial # The current serial number 36 + crlnumber = $dir/crlnumber # the current crl number 37 + # must be commented out to leave a V1 CRL 38 + crl = $dir/crl.pem # The current CRL 39 + private_key = $dir/private/cakey.pem# The private key 40 + RANDFILE = $dir/private/.rand # private random number file 41 + 42 + x509_extensions = usr_cert # The extentions to add to the cert 43 + 44 + # Comment out the following two lines for the "traditional" 45 + # (and highly broken) format. 46 + name_opt = ca_default # Subject Name options 47 + cert_opt = ca_default # Certificate field options 48 + 49 + # Extension copying option: use with caution. 50 + # copy_extensions = copy 51 + 52 + # Extensions to add to a CRL. 
Note: Netscape communicator chokes on V2 CRLs 53 + # so this is commented out by default to leave a V1 CRL. 54 + # crlnumber must also be commented out to leave a V1 CRL. 55 + # crl_extensions = crl_ext 56 + 57 + default_days = 3650 # how long to certify for 58 + default_crl_days= 30 # how long before next CRL 59 + default_md = default # use public key default MD 60 + preserve = no # keep passed DN ordering 61 + 62 + # A few difference way of specifying how similar the request should look 63 + # For type CA, the listed attributes must be the same, and the optional 64 + # and supplied fields are just that :-) 65 + policy = policy_match 66 + 67 + # For the CA policy 68 + [ policy_match ] 69 + countryName = match 70 + stateOrProvinceName = match 71 + organizationName = match 72 + organizationalUnitName = optional 73 + commonName = supplied 74 + emailAddress = optional 75 + 76 + # For the 'anything' policy 77 + # At this point in time, you must list all acceptable 'object' 78 + # types. 79 + [ policy_anything ] 80 + countryName = optional 81 + stateOrProvinceName = optional 82 + localityName = optional 83 + organizationName = optional 84 + organizationalUnitName = optional 85 + commonName = supplied 86 + emailAddress = optional 87 + 88 + #################################################################### 89 + [ req ] 90 + default_bits = 1024 91 + default_keyfile = privkey.pem 92 + distinguished_name = req_distinguished_name 93 + attributes = req_attributes 94 + #x509_extensions = v3_ca # The extentions to add to the self signed cert 95 + 96 + # Passwords for private keys if not present they will be prompted for 97 + # input_password = secret 98 + # output_password = secret 99 + 100 + # This sets a mask for permitted string types. There are several options. 101 + # default: PrintableString, T61String, BMPString. 102 + # pkix : PrintableString, BMPString (PKIX recommendation before 2004) 103 + # utf8only: only UTF8Strings (PKIX recommendation after 2004). 
104 + # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 105 + # MASK:XXXX a literal mask value. 106 + # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 107 + string_mask = utf8only 108 + 109 + # req_extensions = v3_req # The extensions to add to a certificate request 110 + 111 + [ req_distinguished_name ] 112 + countryName = Country Name (2 letter code) 113 + countryName_default = AU 114 + countryName_min = 2 115 + countryName_max = 2 116 + 117 + stateOrProvinceName = State or Province Name (full name) 118 + stateOrProvinceName_default = Some-State 119 + 120 + localityName = Locality Name (eg, city) 121 + 122 + 0.organizationName = Organization Name (eg, company) 123 + 0.organizationName_default = Internet Widgits Pty Ltd 124 + 125 + # we can do this but it is not needed normally :-) 126 + #1.organizationName = Second Organization Name (eg, company) 127 + #1.organizationName_default = World Wide Web Pty Ltd 128 + 129 + organizationalUnitName = Organizational Unit Name (eg, section) 130 + #organizationalUnitName_default = 131 + 132 + commonName = Common Name (e.g. server FQDN or YOUR name) 133 + commonName_max = 64 134 + 135 + emailAddress = Email Address 136 + emailAddress_max = 64 137 + 138 + # SET-ex3 = SET extension number 3 139 + 140 + [ req_attributes ] 141 + challengePassword = A challenge password 142 + challengePassword_min = 4 143 + challengePassword_max = 20 144 + 145 + unstructuredName = An optional company name 146 + 147 + [ usr_cert ] 148 + 149 + basicConstraints=critical,CA:FALSE 150 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 151 + subjectKeyIdentifier=hash 152 + authorityKeyIdentifier=keyid,issuer 153 + 154 + #keyUsage = cRLSign, keyCertSign 155 + #extendedKeyUsage = 2.5.29.37.0,timeStamping 156 + 157 + # This stuff is for subjectAltName and issuerAltname. 158 + # Import the email address. 
159 + #subjectAltName=DNS:*.foobar.com 160 + 161 + [ usr_bc_true ] 162 + basicConstraints=critical,CA:TRUE 163 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 164 + subjectKeyIdentifier=hash 165 + authorityKeyIdentifier=keyid,issuer 166 + 167 + [ usr_time ] 168 + basicConstraints=critical,CA:FALSE 169 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 170 + subjectKeyIdentifier=hash 171 + authorityKeyIdentifier=keyid,issuer 172 + extendedKeyUsage = timeStamping 173 + 174 + [ usr_any ] 175 + basicConstraints=critical,CA:FALSE 176 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 177 + subjectKeyIdentifier=hash 178 + authorityKeyIdentifier=keyid,issuer 179 + extendedKeyUsage = 2.5.29.37.0 180 + 181 + [ usr_nonrepud ] 182 + basicConstraints=critical,CA:FALSE 183 + keyUsage = nonRepudiation 184 + subjectKeyIdentifier=hash 185 + authorityKeyIdentifier=keyid,issuer 186 + 187 + [ usr_unknown ] 188 + basicConstraints=critical,CA:FALSE 189 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 190 + subjectKeyIdentifier=hash 191 + authorityKeyIdentifier=keyid,issuer 192 + 1.2.3.4 = critical,ASN1:UTF8String:Some random data 193 + 194 + [ usr_unknown_noncrit ] 195 + basicConstraints=critical,CA:FALSE 196 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 197 + subjectKeyIdentifier=hash 198 + authorityKeyIdentifier=keyid,issuer 199 + 1.2.3.4 = ASN1:UTF8String:Some random data 200 + 201 + [ usr_subj ] 202 + basicConstraints=critical,CA:FALSE 203 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 204 + subjectKeyIdentifier=hash 205 + authorityKeyIdentifier=keyid,issuer 206 + subjectAltName=DNS:foobar.com,DNS:foo.foobar.com 207 + 208 + [ usr_subj_xx ] 209 + basicConstraints=critical,CA:FALSE 210 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 211 + subjectKeyIdentifier=hash 212 + authorityKeyIdentifier=keyid,issuer 213 + subjectAltName=email:foobar.com 214 + 215 + [ usr_subj_wild ] 216 + 
basicConstraints=critical,CA:FALSE 217 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 218 + subjectKeyIdentifier=hash 219 + authorityKeyIdentifier=keyid,issuer 220 + subjectAltName=DNS:*.foobar.com,DNS:foo.foobar.com 221 + 222 + 223 + [ v3_req ] 224 + # Extensions to add to a certificate request 225 + basicConstraints = CA:FALSE 226 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment 227 + subjectAltName=DNS:foobar.com,DNS:foo.foobar.com 228 + 229 + [ v3_ca ] 230 + subjectKeyIdentifier=hash 231 + authorityKeyIdentifier=keyid:always,issuer 232 + basicConstraints = critical,CA:true 233 + keyUsage = cRLSign, keyCertSign 234 + 235 + [ v3_ca_int_ca_no_bc ] 236 + subjectKeyIdentifier=hash 237 + authorityKeyIdentifier=keyid:always,issuer 238 + keyUsage = cRLSign, keyCertSign 239 + 240 + [ v3_int_ca_ba_false ] 241 + subjectKeyIdentifier=hash 242 + authorityKeyIdentifier=keyid:always,issuer 243 + basicConstraints = critical,CA:false 244 + keyUsage = cRLSign, keyCertSign 245 + 246 + [ v3_int_ca_time ] 247 + subjectKeyIdentifier=hash 248 + authorityKeyIdentifier=keyid:always,issuer 249 + basicConstraints = critical,CA:true 250 + keyUsage = cRLSign, keyCertSign 251 + extendedKeyUsage = timeStamping 252 + 253 + [ v3_int_ca_no_ku ] 254 + subjectKeyIdentifier=hash 255 + authorityKeyIdentifier=keyid:always,issuer 256 + basicConstraints = critical,CA:true 257 + 258 + [ v3_int_ca_any ] 259 + subjectKeyIdentifier=hash 260 + authorityKeyIdentifier=keyid:always,issuer 261 + basicConstraints = critical,CA:true 262 + keyUsage = cRLSign, keyCertSign 263 + extendedKeyUsage = 2.5.29.37.0 264 + 265 + [ v3_int_ca_ku_crit ] 266 + subjectKeyIdentifier=hash 267 + authorityKeyIdentifier=keyid:always,issuer 268 + basicConstraints = critical,CA:true 269 + keyUsage = critical, cRLSign, keyCertSign 270 + 271 + [ v3_int_ca_unknown ] 272 + subjectKeyIdentifier=hash 273 + authorityKeyIdentifier=keyid:always,issuer 274 + basicConstraints = critical,CA:true 275 + keyUsage = 
cRLSign, keyCertSign 276 + 1.2.3.4 = critical,ASN1:UTF8String:Some random data 277 + 278 + [ none ]
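Review bot: `default_bits = 1024` in `[ req ]` and `default_days = 3650` in `[ CA_default ]` are acceptable only because this file generates test fixtures, but nothing in the file says so; suggest a header comment marking it as test-only so it is not copied as a template. Separately, the extension section names drift: `[ v3_ca_int_ca_no_bc ]` carries a doubled `ca_` where its siblings are `v3_int_ca_*`, and `[ v3_int_ca_ba_false ]` sets `basicConstraints = critical,CA:false`, so `ba` reads like a typo for `bc`. The comment typos (`ctificates`, `extentions`) can be fixed in the same pass.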
+15
vendor/opam/x509/tests/testcertificates/private/cakey.pem
··· 1 + -----BEGIN RSA PRIVATE KEY----- 2 + MIICXQIBAAKBgQDnYbQH7pFmGO6qTj4spAWZyjdt/lYJ/8xy4oCPlKamxOkR/cjN 3 + 71CgueqD05TyHd3j0iT2qvxzU4IwPIlPoqK9+gzFybn0u8rjP4UouRqcGS9w+ZPY 4 + PW8QrwWgf4pGALgWlbSm8VkYS6Z1QAQmNrYAve6puiNkXv3Nmwa1ViI7AQIDAQAB 5 + AoGAHDLREQJnH+078O92LlSTBioZ1ULg03kkPoASMO1p3fszeGjYdxiKV/wwc35u 6 + sY8oQqKStKkj+R4dSKmoBleIw6kJivVOnYOakHJcO5MYevXNi0B0Ban3ODi/AMye 7 + zJBS6TXeqaK0/SFGma79SrCVViIlFYP883oRdUX7DEw/NBECQQD1oML+/DNUCuLy 8 + VzwrGYgD1+BsSgQyeXjVNTDqP4Z1IEJc7w6pRBDOUrJcPNKZ5+qVUhwNlHl22ptn 9 + VxuI/MbdAkEA8SbwVbNgWDPFjWwLBpUX2z9dE4u5P2Z5f6T84X4fL0zHJstxtghn 10 + 7QFbT4Gn2XJc0WxDBb6IN8HHY+n9olc4dQJBAKYJdubAer3r4f9pQq3rw0q9yeHJ 11 + os6v2CNfomImcPCJzvJdUq7O6QFfW1wIbWBGKgeoCniPjg/utDAF7QILxS0CQQCu 12 + QaH3e6gJ9FczizgoaIIVpyLd5eBVxPnU1+b4Fof4SPW7vdUMYeSfKZTOzfT5Nx+F 13 + IUMJGpYaHEe1ljb2ISqlAkA4qD6bweRPfRVC3FIH/l0//5yPZ5KpUadtmyF427Pf 14 + 8gbIdJsMLE37Ah0NHz3nS4eWYPoHBjcd4Hc8aJxvpK4s 15 + -----END RSA PRIVATE KEY-----
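Review bot: private/cakey.pem is an unencrypted RSA private key for the test CA (x509tests.ml loads it with `with_loaded_file "private/cakey" ~f:Private_key.decode_pem`), and nothing next to it marks it as throwaway material. Suggest a note beside testcertificates stating that this key and intermediate/second/second.key are public test keys whose certificates must never be placed in a trust store, plus an allow-list entry for the repository's secret scanner, if one is in use, so these known fixtures do not mask real findings.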
+16
vendor/opam/x509/tests/tests.ml
··· 1 + let suites = 2 + X509tests.x509_tests @ [ 3 + "Regression", Regression.regression_tests ; 4 + "Host names", Regression.hostname_tests ; 5 + "Revoke", Revoke.revoke_tests ; 6 + "CRL", Crltests.crl_tests ; 7 + "PKCS12", Pkcs12.tests ; 8 + "OCSP", Ocsp.tests ; 9 + "Private Key", Priv.tests ; 10 + ] 11 + 12 + 13 + let () = 14 + Printexc.record_backtrace true; 15 + Mirage_crypto_rng_unix.use_default (); 16 + Alcotest.run "X509 tests" suites
+327
vendor/opam/x509/tests/x509tests.ml
··· 1 + open X509 2 + 3 + let time () = None 4 + 5 + let with_loaded_file file ~f = 6 + let fullpath = "./testcertificates/" ^ file ^ ".pem" in 7 + let fd = open_in fullpath in 8 + let ln = in_channel_length fd in 9 + let buf = Bytes.create ln in 10 + really_input fd buf 0 ln; 11 + let buf = Bytes.unsafe_to_string buf in 12 + try 13 + let r = f buf in 14 + close_in fd; 15 + match r with 16 + | Ok data -> data 17 + | Error (`Msg m) -> Alcotest.failf "decoding error in %s: %s" fullpath m 18 + with e -> 19 + close_in fd; 20 + Alcotest.failf "exception in %s: %s" fullpath (Printexc.to_string e) 21 + 22 + let priv = 23 + match with_loaded_file "private/cakey" ~f:Private_key.decode_pem with 24 + | `RSA x -> x 25 + | _ -> assert false 26 + 27 + let cert name = with_loaded_file name ~f:Certificate.decode_pem 28 + 29 + let host name = Domain_name.host_exn (Domain_name.of_string_exn name) 30 + 31 + let invalid_cas = [ 32 + "cacert-basicconstraint-ca-false"; 33 + "cacert-unknown-critical-extension" ; 34 + "cacert-keyusage-crlsign" ; 35 + "cacert-ext-usage-timestamping" 36 + ] 37 + 38 + let cert_public_is_pub cert = 39 + let pub = Mirage_crypto_pk.Rsa.pub_of_priv priv in 40 + ( match Certificate.public_key cert with 41 + | `RSA pub' when pub = pub' -> () 42 + | _ -> Alcotest.fail "public / private key doesn't match" ) 43 + 44 + let test_invalid_ca name () = 45 + let c = cert name in 46 + cert_public_is_pub c ; 47 + Alcotest.(check int "CA list is empty" 0 48 + (List.length (Validation.valid_cas [c]))) 49 + 50 + let invalid_ca_tests = 51 + List.mapi 52 + (fun i args -> "invalid CA " ^ string_of_int i, `Quick, test_invalid_ca args) 53 + invalid_cas 54 + 55 + let cacert = cert "cacert" 56 + let cacert_pathlen0 = cert "cacert-pathlen-0" 57 + let cacert_ext = cert "cacert-unknown-extension" 58 + let cacert_ext_ku = cert "cacert-ext-usage" 59 + let cacert_v1 = cert "cacert-v1" 60 + 61 + let test_valid_ca c () = 62 + cert_public_is_pub c ; 63 + Alcotest.(check int "CA is valid" 1 64 
+ (List.length (Validation.valid_cas [c]))) 65 + 66 + let valid_ca_tests = [ 67 + "valid CA cacert", `Quick, test_valid_ca cacert ; 68 + "valid CA cacert_pathlen0", `Quick, test_valid_ca cacert_pathlen0 ; 69 + "valid CA cacert_ext", `Quick, test_valid_ca cacert_ext ; 70 + "valid CA cacert_v1", `Quick, test_valid_ca cacert_v1 71 + ] 72 + 73 + let first_cert name = 74 + with_loaded_file ("first/" ^ name) ~f:Certificate.decode_pem 75 + 76 + (* ok, now some real certificates *) 77 + let first_certs = [ 78 + ( "first", true, 79 + [ "foo.foobar.com" ; "foobar.com" ], (* commonName: "bar.foobar.com" *) 80 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 81 + ( "first-basicconstraint-true" , false, [ "ca.foobar.com" ], (* no subjAltName *) 82 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 83 + ( "first-keyusage-and-timestamping", true, [ "ext.foobar.com" ], (* no subjAltName *) 84 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], Some [`Time_stamping] ) ; 85 + ( "first-keyusage-any", true, [ "any.foobar.com" ], (* no subjAltName *) 86 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], Some [`Time_stamping; `Any] ) ; 87 + ( "first-keyusage-nonrep", true, [ "key.foobar.com" ], (* no subjAltName *) 88 + [ `Content_commitment ], None ) ; 89 + ( "first-unknown-critical-extension", false, (* commonName: "blafasel.com" *) 90 + [ "foo.foobar.com" ; "foobar.com" ], 91 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 92 + ( "first-unknown-extension", true, [ "foobar.com" ], (* no subjAltName *) 93 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 94 + ] 95 + 96 + let allowed_hashes = [ `MD5 ; `SHA1 ; `SHA224 ; `SHA256 ; `SHA384 ; `SHA512 ] 97 + 98 + let test_valid_ca_cert ?(allowed_hashes = allowed_hashes) server chain valid name ca () = 99 + let anchors = ca 100 + and host = Some (host name) 101 + and full_chain = server :: chain 102 + 
in 103 + match valid, Validation.verify_chain_of_trust ~time ~allowed_hashes ~host ~anchors full_chain with 104 + | false, Ok _ -> Alcotest.fail "expected to fail, but didn't" 105 + | false, Error _ -> () 106 + | true , Ok _ -> () 107 + | true , Error c -> Alcotest.failf "valid certificate %a" Validation.pp_validation_error c 108 + 109 + let test_cert c usages extusage () = 110 + let ku, eku = 111 + let exts = Certificate.extensions c in 112 + let ku = match Extension.(find Key_usage exts) with 113 + | None -> [] 114 + | Some (_crit, ku) -> ku 115 + and eku = match Extension.(find Ext_key_usage exts) with 116 + | None -> [] 117 + | Some (_crit, eku) -> eku 118 + in 119 + ku, eku 120 + in 121 + ( if List.for_all (fun u -> List.mem u ku) usages then 122 + () 123 + else 124 + Alcotest.fail "key usage is different" ) ; 125 + ( match extusage with 126 + | None -> () 127 + | Some x when List.for_all (fun u -> List.mem u eku) x -> () 128 + | _ -> Alcotest.fail "extended key usage is broken" ) 129 + 130 + let first_cert_tests = 131 + List.mapi 132 + (fun i (name, _, _, us, eus) -> 133 + "certificate property testing " ^ string_of_int i, `Quick, 134 + test_cert (first_cert name) us eus) 135 + first_certs 136 + 137 + let first_cert_ca_test (ca, x) = 138 + List.flatten 139 + (List.map 140 + (fun (name, valid, cns, _, _) -> 141 + let c = first_cert name in 142 + ("verification CA " ^ x ^ " cn blablbalbala", `Quick, test_valid_ca_cert c [] false "blablabalbal" [ca]) :: 143 + List.mapi (fun i cn -> 144 + "certificate verification testing using CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 145 + `Quick, test_valid_ca_cert c [] valid cn [ca]) 146 + cns) 147 + first_certs) 148 + 149 + let ca_tests f = 150 + List.flatten (List.map f 151 + [ (cacert, "cacert") ; 152 + (cacert_pathlen0, "cacert_pathlen0") ; 153 + (cacert_ext, "cacert_ext") ; 154 + (cacert_ext_ku, "cacert_ext_ku") ; 155 + (cacert_v1, "cacert_v1") ]) 156 + 157 + let first_wildcard_certs = [ 158 + ( 
"first-wildcard-subjaltname", 159 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 160 + ( "first-wildcard", 161 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 162 + ] 163 + 164 + let first_wildcard_cert_tests = 165 + List.mapi 166 + (fun i (name, us, eus) -> 167 + "wildcard certificate property testing " ^ string_of_int i, `Quick, test_cert (first_cert name) us eus) 168 + first_wildcard_certs 169 + 170 + let first_wildcard_cert_ca_test (ca, x) = 171 + List.flatten 172 + (List.map 173 + (fun (name, _, _) -> 174 + let c = first_cert name in 175 + ("verification CA " ^ x ^ " cn blablbalbala", `Quick, test_valid_ca_cert c [] false "blablabalbal" [ca]) :: 176 + List.mapi (fun i cn -> 177 + "wildcard certificate CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 178 + `Quick, test_valid_ca_cert c [] true cn [ca]) 179 + [ "foo.foobar.com" ; "bar.foobar.com" ; "www.foobar.com" ] @ 180 + List.mapi (fun i cn -> 181 + "wildcard certificate CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 182 + `Quick, test_valid_ca_cert c [] false cn [ca]) 183 + [ "foo.foo.foobar.com" ; "bar.fbar.com" ; "foobar.com" ; "com" ; "foobar.com.bla" ] 184 + ) 185 + first_wildcard_certs) 186 + 187 + let intermediate_cas = [ 188 + (true, "cacert") ; 189 + (true, "cacert-any-ext") ; 190 + (false, "cacert-ba-false") ; 191 + (false, "cacert-no-bc") ; 192 + (false, "cacert-no-keyusage") ; 193 + (true, "cacert-ku-critical") ; 194 + (true, "cacert-timestamp") ; (* if we require CAs to have ext_key_usage any, github.com doesn't talk to us *) 195 + (false, "cacert-unknown") ; 196 + (false, "cacert-v1") 197 + ] 198 + 199 + let im_cert name = 200 + with_loaded_file ("intermediate/" ^ name) ~f:Certificate.decode_pem 201 + 202 + let second_certs = [ 203 + ("second", [ "second.foobar.com" ], true, (* no subjAltName *) 204 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 205 + ("second-any", [ "second.foobar.com" ], true, (* 
no subjAltName *) 206 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], Some [ `Any ] ) ; 207 + ("second-subj", [ "foobar.com" ; "foo.foobar.com" ], true, (* commonName: "second.foobar.com" *) 208 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 209 + ("second-unknown-noncrit", [ "second.foobar.com" ], true, (* no subjAltName *) 210 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 211 + ("second-nonrepud", [ "second.foobar.com" ], true, (* no subjAltName *) 212 + [ `Content_commitment ], None ) ; 213 + ("second-time", [ "second.foobar.com" ], true, (* no subjAltName *) 214 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], Some [ `Time_stamping ]) ; 215 + ("second-subj-wild", [ "foo.foobar.com" ], true, (* commonName: "second.foobar.com" *) 216 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 217 + ("second-bc-true", [ "second.foobar.com" ], false, (* no subjAltName *) 218 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 219 + ("second-unknown", [ "second.foobar.com" ], false, (* no subjAltName *) 220 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 221 + ("second-no-cn", [ ], false, (* no subjAltName *) 222 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 223 + ("second-subjaltemail", [ ], false, (* email in subjAltName, do not use CN *) 224 + [ `Digital_signature ; `Content_commitment ; `Key_encipherment ], None ) ; 225 + ] 226 + 227 + let second_cert name = 228 + with_loaded_file ("intermediate/second/" ^ name) ~f:Certificate.decode_pem 229 + 230 + let second_cert_tests = 231 + List.mapi 232 + (fun i (name, _, _, us, eus) -> 233 + "second certificate property testing " ^ string_of_int i, `Quick, test_cert (second_cert name) us eus) 234 + second_certs 235 + 236 + let second_cert_ca_test (cavalid, ca, x) = 237 + List.flatten 238 + (List.flatten 239 + (List.map 240 
+ (fun (imvalid, im) -> 241 + let chain = [im_cert im] in 242 + List.map 243 + (fun (name, cns, valid, _, _) -> 244 + let c = second_cert name in 245 + ("verification CA " ^ x ^ " cn blablbalbala", `Quick, test_valid_ca_cert c chain false "blablabalbal" [ca]) :: 246 + List.mapi (fun i cn -> 247 + "strict certificate verification testing using CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 248 + `Quick, test_valid_ca_cert c chain (cavalid && imvalid && valid) cn [ca]) 249 + cns) 250 + second_certs) 251 + intermediate_cas)) 252 + 253 + let im_ca_tests f = 254 + List.flatten (List.map f 255 + [ (true, cacert, "cacert") ; 256 + (true, cacert_ext, "cacert_ext") ; 257 + (true, cacert_ext_ku, "cacert_ext_ku") ; 258 + (true, cacert_v1, "cacert_v1") ; 259 + (false, cacert_pathlen0, "cacert_pathlen0") ]) 260 + 261 + let second_wildcard_cert_ca_test (cavalid, ca, x) = 262 + List.flatten 263 + (List.map 264 + (fun (imvalid, im) -> 265 + let chain = [im_cert im] in 266 + let c = second_cert "second-subj-wild" in 267 + ("verification CA " ^ x ^ " cn blablbalbala", `Quick, test_valid_ca_cert c chain false "blablabalbal" [ca]) :: 268 + List.mapi (fun i cn -> 269 + "wildcard certificate verification CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 270 + `Quick, test_valid_ca_cert c chain (cavalid && imvalid) cn [ca]) 271 + [ "a.foobar.com" ; "foo.foobar.com" ; "foobar.foobar.com" ; "www.foobar.com" ] @ 272 + List.mapi (fun i cn -> 273 + "wildcard certificate verification CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 274 + `Quick, test_valid_ca_cert c chain false cn [ca]) 275 + [ "a.b.foobar.com" ; "f.foobar.com.com" ; "f.f.f." 
; "foobar.com.uk" ; "foooo.bar.com" ; "foobar.com" ]) 276 + intermediate_cas) 277 + 278 + let second_no_cn_cert_ca_test (_, ca, x) = 279 + List.flatten 280 + (List.map 281 + (fun (_, im) -> 282 + let chain = [im_cert im] in 283 + let c = second_cert "second-no-cn" in 284 + ("verification CA " ^ x ^ " cn blablbalbala", `Quick, test_valid_ca_cert c chain false "blablabalbal" [ca]) :: 285 + List.mapi (fun i cn -> 286 + "certificate verification CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 287 + `Quick, test_valid_ca_cert c chain false cn [ca]) 288 + [ "a.foobar.com" ; "foo.foobar.com" ; "foobar.foobar.com" ; "foobar.com" ; "www.foobar.com" ] @ 289 + List.mapi (fun i cn -> 290 + "certificate verification CA " ^ x ^ " and CN " ^ cn ^ " " ^ string_of_int i, 291 + `Quick, test_valid_ca_cert c chain false cn [ca]) 292 + [ "a.b.foobar.com" ; "f.foobar.com.com" ; "f.f.f." ; "foobar.com.uk" ; "foooo.bar.com" ]) 293 + intermediate_cas) 294 + 295 + let invalid_tests = 296 + let c = second_cert "second" in 297 + let h = "second.foobar.com" in 298 + let allowed_hashes = [ `SHA256 ; `SHA384 ; `SHA512 ] in 299 + [ 300 + "invalid chain", `Quick, test_valid_ca_cert c [] false h [cacert] ; 301 + "broken chain", `Quick, test_valid_ca_cert c [cacert] false h [cacert] ; 302 + "no trust anchor", `Quick, test_valid_ca_cert c [im_cert "cacert"] false h [] ; 303 + "2chain invalid", `Quick, test_valid_ca_cert ~allowed_hashes c [im_cert "cacert" ; cacert] false h [cacert] ; 304 + "2chain valid", `Quick, test_valid_ca_cert c [im_cert "cacert" ; cacert] true h [cacert] ; 305 + "3chain invalid", `Quick, test_valid_ca_cert ~allowed_hashes c [im_cert "cacert" ; cacert ; cacert] false h [cacert] ; 306 + "3chain valid", `Quick, test_valid_ca_cert c [im_cert "cacert" ; cacert ; cacert] true h [cacert] ; 307 + "chain-order invalid", `Quick, test_valid_ca_cert ~allowed_hashes c [im_cert "cacert" ; im_cert "cacert" ; cacert] false h [cacert] ; 308 + "chain-order valid", `Quick, test_valid_ca_cert 
c [im_cert "cacert" ; im_cert "cacert" ; cacert] true h [cacert] ; 309 + "not a CA", `Quick, (fun _ -> Alcotest.(check int "is not a CA" 0 310 + (List.length (Validation.valid_cas [im_cert "cacert"])))) ; 311 + "not a CA", `Quick, (fun _ -> Alcotest.(check int "is also not a CA" 0 312 + (List.length (Validation.valid_cas [c])))) ; 313 + ] 314 + 315 + let x509_tests = [ 316 + "Invalid CA", invalid_ca_tests ; 317 + "Valid CA", valid_ca_tests ; 318 + "Certificate", first_cert_tests ; 319 + "CA tests with certificate", ca_tests first_cert_ca_test ; 320 + "Wildcard certificate", first_wildcard_cert_tests ; 321 + "CA tests with wildcard certificate", ca_tests first_wildcard_cert_ca_test ; 322 + "Second certificate test", second_cert_tests ; 323 + "Intermediate CA with second certificate", im_ca_tests second_cert_ca_test ; 324 + "Intermediate CA with CA and second", im_ca_tests second_wildcard_cert_ca_test ; 325 + "Intermediate CA with second no common name", im_ca_tests second_no_cn_cert_ca_test ; 326 + "Tests with invalid data", invalid_tests 327 + ]
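Review bot: in `test_valid_ca_cert` the branch `| false, Error _ -> ()` accepts any validation error, so the cases in `invalid_tests` that differ from their valid twin only by `~allowed_hashes` ("2chain invalid", "3chain invalid", "chain-order invalid") would still pass if the chain were rejected for an unrelated reason. Suggest letting the caller pass the expected error, or a predicate over it, and failing with the `Validation.pp_validation_error` output when a different one comes back. Two smaller points in the same file: in `with_loaded_file` the `Alcotest.failf` for a decoding error is raised inside the `try`, so the `with e` handler catches it and reports it as "exception in ...", and `really_input` runs before the `try`, so a read failure leaves the channel open; wrapping the read and decode in `Fun.protect ~finally` and moving the `match` outside avoids both. `invalid_tests` also has two entries named "not a CA", and the repeated test label "cn blablbalbala" does not match the host string "blablabalbal" it is run with.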
+51
vendor/opam/x509/x509.opam
··· 1 + opam-version: "2.0" 2 + maintainer: [ 3 + "Hannes Mehnert <hannes@mehnert.org>" 4 + ] 5 + authors: [ 6 + "Hannes Mehnert <hannes@mehnert.org>" 7 + "David Kaloper <dk505@cam.ac.uk>" 8 + ] 9 + license: "BSD-2-Clause" 10 + tags: "org:mirage" 11 + homepage: "https://github.com/mirleft/ocaml-x509" 12 + doc: "https://mirleft.github.io/ocaml-x509/doc" 13 + bug-reports: "https://github.com/mirleft/ocaml-x509/issues" 14 + depends: [ 15 + "ocaml" {>= "4.13.0"} 16 + "dune" {>= "2.0"} 17 + "asn1-combinators" {>= "0.3.1"} 18 + "ptime" 19 + "base64" {>= "3.3.0"} 20 + "mirage-crypto" {>= "1.0.0"} 21 + "mirage-crypto-pk" 22 + "mirage-crypto-ec" {>= "0.10.7"} 23 + "mirage-crypto-rng" 24 + "mirage-crypto-rng" {with-test & >= "1.2.0"} 25 + "fmt" {>= "0.8.7"} 26 + "alcotest" {with-test} 27 + "gmap" {>= "0.3.0"} 28 + "domain-name" {>= "0.3.0"} 29 + "logs" 30 + "kdf" {>= "1.0.0"} 31 + "ohex" {>= "0.2.0"} 32 + "ipaddr" {>= "5.2.0"} 33 + ] 34 + conflicts: [ "result" {< "1.5"} ] 35 + build: [ 36 + ["dune" "subst"] {dev} 37 + ["dune" "build" "-p" name "-j" jobs] 38 + ["dune" "runtest" "-p" name "-j" jobs] {with-test} 39 + ] 40 + dev-repo: "git+https://github.com/mirleft/ocaml-x509.git" 41 + synopsis: "Public Key Infrastructure (RFC 5280, PKCS) purely in OCaml" 42 + description: """ 43 + X.509 is a public key infrastructure used mostly on the Internet. It consists 44 + of certificates which include public keys and identifiers, signed by an 45 + authority. Authorities must be exchanged over a second channel to establish the 46 + trust relationship. This library implements most parts of RFC5280 and RFC6125. 47 + The Public Key Cryptography Standards (PKCS) defines encoding and decoding 48 + (in ASN.1 DER and PEM format), which is also implemented by this library - 49 + namely PKCS 1, PKCS 5, PKCS 7, PKCS 8, PKCS 9, PKCS 10, and PKCS 12. 50 + """ 51 + x-maintenance-intent: [ "(latest)" ]
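Review bot: the lower bounds in `depends` do not line up: `"mirage-crypto" {>= "1.0.0"}` sits next to `"mirage-crypto-ec" {>= "0.10.7"}` and an unbounded `"mirage-crypto-pk"`, while the v1.0.0 entry in CHANGES.md says P224 was dropped because it was removed in mirage-crypto-ec 1.0.0 and that `Cstruct.t` was replaced by `string`. It is worth confirming whether the solver can pick a pre-1.0.0 `-ec` or `-pk` alongside this code; if it can, suggest giving both the same `>= "1.0.0"` bound, raised upstream rather than edited in the vendored copy. `"ptime"` and `"logs"` are also unbounded.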