/src/mozilla-central/security/certverifier/ExtendedValidation.cpp
1 | | /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
2 | | * |
3 | | * This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "ExtendedValidation.h" |
8 | | |
9 | | #include "cert.h" |
10 | | #include "hasht.h" |
11 | | #include "mozilla/ArrayUtils.h" |
12 | | #include "mozilla/Assertions.h" |
13 | | #include "mozilla/Base64.h" |
14 | | #include "mozilla/Casting.h" |
15 | | #include "mozilla/PodOperations.h" |
16 | | #include "nsDependentString.h" |
17 | | #include "nsString.h" |
18 | | #include "pk11pub.h" |
19 | | #include "pkix/pkixtypes.h" |
20 | | |
21 | | namespace mozilla { namespace psm { |
22 | | |
// One (root certificate, EV policy OID) pair that is allowed to grant
// Extended Validation status. The HOWTO comment below describes how each
// field is obtained from the root certificate with the NSS "pp" tool.
struct EVInfo
{
  // See bug 1338873 about making these fields const.
  // Dotted-decimal EV policy OID, e.g. "2.16.840.1.114412.2.1".
  const char* dottedOid;
  // Human-readable name for dottedOid. Entries that share a dottedOid must
  // use the identical oidName, and distinct OIDs must have distinct names.
  const char* oidName; // Set this to null to signal an invalid structure
                       // (we can't have an empty list, so we use a dummy entry).
  // SHA-256 fingerprint of the root certificate, SHA256_LENGTH bytes (from
  // hasht.h), as printed by pp under "Fingerprint (SHA-256)".
  unsigned char sha256Fingerprint[SHA256_LENGTH];
  // Base64 of the root's DER-encoded issuer name ("Issuer DER Base64" in pp).
  // The original DER encoding is kept rather than a textual rendering so that
  // comparisons are not affected by string-encoding differences.
  const char* issuerBase64;
  // Base64 of the root's DER-encoded serial number ("Serial DER Base64" in
  // pp). issuerBase64 and serialBase64 together identify the certificate.
  const char* serialBase64;
};
33 | | |
34 | | // HOWTO enable additional CA root certificates for EV: |
35 | | // |
36 | | // For each combination of "root certificate" and "policy OID", |
37 | | // one entry must be added to the array named kEVInfos. |
38 | | // |
39 | | // We use the combination of "issuer name" and "serial number" to |
40 | | // uniquely identify the certificate. In order to avoid problems |
41 | | // because of encodings when comparing certificates, we don't |
42 | | // use plain text representation, we rather use the original encoding |
43 | | // as it can be found in the root certificate (in base64 format). |
44 | | // |
45 | | // We can use the NSS utility named "pp" to extract the encoding. |
46 | | // |
47 | | // Build standalone NSS including the NSS tools, then run |
48 | | // pp -t certificate-identity -i the-cert-filename |
49 | | // |
50 | | // You will need the output from sections "Issuer", "Fingerprint (SHA-256)", |
51 | | // "Issuer DER Base64" and "Serial DER Base64". |
52 | | // |
53 | | // The new section consists of the following components: |
54 | | // |
55 | | // - a comment that should contain the human readable issuer name |
56 | | // of the certificate, as printed by the pp tool |
57 | | // - the EV policy OID that is associated with the EV grant |
58 | | // - a text description of the EV policy OID. The array can contain |
59 | | // multiple entries with the same OID. |
60 | | // Please make sure to use the identical OID text description for |
61 | | // all entries with the same policy OID (use the text search |
62 | | // feature of your text editor to find duplicates). |
63 | | // When adding a new policy OID that is not yet contained in the array, |
64 | | // please make sure that your new description is different from |
65 | | // all the other descriptions (again use the text search feature |
66 | | // to be sure). |
67 | | // - the SHA-256 fingerprint |
68 | | // - the "Issuer DER Base64" as printed by the pp tool. |
69 | | // Remove all whitespace. If you use multiple lines, make sure that |
70 | | // only the final line will be followed by a comma. |
71 | | // - the "Serial DER Base64" (as printed by pp) |
72 | | // |
73 | | // After adding an entry, test it locally against the test site that |
74 | | // has been provided by the CA. Note that you must use a version of NSS |
75 | | // where the root certificate has already been added and marked as trusted |
76 | | // for issuing SSL server certificates (at least). |
77 | | // |
78 | | // If you are able to connect to the site without certificate errors, |
79 | | // but you don't see the EV status indicator, then most likely the CA |
80 | | // has a problem in their infrastructure. The most common problems are |
81 | | // related to the CA's OCSP infrastructure, either they use an incorrect |
82 | | // OCSP signing certificate, or OCSP for the intermediate certificates |
83 | | // isn't working, or OCSP isn't working at all. |
84 | | |
#ifdef DEBUG
// Number of debug-only test EV roots placed at the head of kEVInfos. They are
// NOT part of the default trust store, so this count is used to skip them;
// keep it in sync with the entries in the #ifdef DEBUG block of kEVInfos.
static const size_t NUM_TEST_EV_ROOTS = 2;
#endif
88 | | |
89 | | static const struct EVInfo kEVInfos[] = { |
90 | | // IMPORTANT! When extending this list, if you add another entry that uses |
91 | | // the same dottedOid as an existing entry, use the same oidName. |
92 | | #ifdef DEBUG |
93 | | // Debug EV certificates should all use the following OID: |
94 | | // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1. |
95 | | // (multiple entries with the same OID are OK) |
96 | | // If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS |
97 | | // so that the correct number of certs are skipped as these debug EV certs are |
98 | | // NOT part of the default trust store. |
99 | | { |
100 | | // This is the PSM xpcshell testing EV certificate. It can be generated |
101 | | // using pycert.py and the following specification: |
102 | | // |
103 | | // issuer:evroot |
104 | | // subject:evroot |
105 | | // subjectKey:ev |
106 | | // issuerKey:ev |
107 | | // validity:20150101-20350101 |
108 | | // extension:basicConstraints:cA, |
109 | | // extension:keyUsage:keyCertSign,cRLSign |
110 | | // |
111 | | // If this ever needs to change, re-generate the certificate and update the |
112 | | // following entry with the new fingerprint, issuer, and serial number. |
113 | | "1.3.6.1.4.1.13769.666.666.666.1.500.9.1", |
114 | | "DEBUGtesting EV OID", |
115 | | { 0x70, 0xED, 0xCB, 0x5A, 0xCE, 0x02, 0xC7, 0xC5, 0x0B, 0xA3, 0xD2, 0xD7, |
116 | | 0xC6, 0xF5, 0x0E, 0x18, 0x02, 0x19, 0x17, 0xF5, 0x48, 0x08, 0x9C, 0xB3, |
117 | | 0x8E, 0xEF, 0x9A, 0x1A, 0x4D, 0x7F, 0x82, 0x94 }, |
118 | | "MBExDzANBgNVBAMMBmV2cm9vdA==", |
119 | | "IZSHsVgzcvhPgdfrgdMGlpSfMeg=", |
120 | | }, |
121 | | { |
122 | | // This is an RSA root with an inadequate key size. It is used to test that |
123 | | // minimum key sizes are enforced when verifying for EV. It can be |
124 | | // generated using pycert.py and the following specification: |
125 | | // |
126 | | // issuer:ev_root_rsa_2040 |
127 | | // subject:ev_root_rsa_2040 |
128 | | // issuerKey:evRSA2040 |
129 | | // subjectKey:evRSA2040 |
130 | | // validity:20150101-20350101 |
131 | | // extension:basicConstraints:cA, |
132 | | // extension:keyUsage:cRLSign,keyCertSign |
133 | | // |
134 | | // If this ever needs to change, re-generate the certificate and update the |
135 | | // following entry with the new fingerprint, issuer, and serial number. |
136 | | "1.3.6.1.4.1.13769.666.666.666.1.500.9.1", |
137 | | "DEBUGtesting EV OID", |
138 | | { 0x40, 0xAB, 0x5D, 0xA5, 0x89, 0x15, 0xA9, 0x4B, 0x82, 0x87, 0xB8, 0xA6, |
139 | | 0x9A, 0x84, 0xB1, 0xDB, 0x7A, 0x9D, 0xDB, 0xB8, 0x4E, 0xE1, 0x23, 0xE3, |
140 | | 0xC6, 0x64, 0xE7, 0x50, 0xDC, 0x35, 0x8C, 0x68 }, |
141 | | "MBsxGTAXBgNVBAMMEGV2X3Jvb3RfcnNhXzIwNDA=", |
142 | | "J7nCMgtzNcSPG7jAh3CWzlTGHQg=", |
143 | | }, |
144 | | #endif |
145 | | { |
146 | | // CN=Cybertrust Global Root,O=Cybertrust, Inc |
147 | | "1.3.6.1.4.1.6334.1.100.1", |
148 | | "Cybertrust EV OID", |
149 | | { 0x96, 0x0A, 0xDF, 0x00, 0x63, 0xE9, 0x63, 0x56, 0x75, 0x0C, 0x29, |
150 | | 0x65, 0xDD, 0x0A, 0x08, 0x67, 0xDA, 0x0B, 0x9C, 0xBD, 0x6E, 0x77, |
151 | | 0x71, 0x4A, 0xEA, 0xFB, 0x23, 0x49, 0xAB, 0x39, 0x3D, 0xA3 }, |
152 | | "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz" |
153 | | "dCBHbG9iYWwgUm9vdA==", |
154 | | "BAAAAAABD4WqLUg=", |
155 | | }, |
156 | | { |
157 | | // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH |
158 | | "2.16.756.1.89.1.2.1.1", |
159 | | "SwissSign EV OID", |
160 | | { 0x62, 0xDD, 0x0B, 0xE9, 0xB9, 0xF5, 0x0A, 0x16, 0x3E, 0xA0, 0xF8, |
161 | | 0xE7, 0x5C, 0x05, 0x3B, 0x1E, 0xCA, 0x57, 0xEA, 0x55, 0xC8, 0x68, |
162 | | 0x8F, 0x64, 0x7C, 0x68, 0x81, 0xF2, 0xC8, 0x35, 0x7B, 0x95 }, |
163 | | "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT" |
164 | | "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=", |
165 | | "ALtAHEP1Xk+w", |
166 | | }, |
167 | | { |
168 | | // CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US |
169 | | "2.16.840.1.114404.1.1.2.4.1", |
170 | | "Trustwave EV OID", |
171 | | { 0xCE, 0xCD, 0xDC, 0x90, 0x50, 0x99, 0xD8, 0xDA, 0xDF, 0xC5, 0xB1, |
172 | | 0xD2, 0x09, 0xB7, 0x37, 0xCB, 0xE2, 0xC1, 0x8C, 0xFB, 0x2C, 0x10, |
173 | | 0xC0, 0xFF, 0x0B, 0xCF, 0x0D, 0x32, 0x86, 0xFC, 0x1A, 0xA2 }, |
174 | | "MIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29t" |
175 | | "MSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMT" |
176 | | "JFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
177 | | "UJRs7Bjq1ZxN1ZfvdY+grQ==", |
178 | | }, |
179 | | { |
180 | | // CN=SecureTrust CA,O=SecureTrust Corporation,C=US |
181 | | "2.16.840.1.114404.1.1.2.4.1", |
182 | | "Trustwave EV OID", |
183 | | { 0xF1, 0xC1, 0xB5, 0x0A, 0xE5, 0xA2, 0x0D, 0xD8, 0x03, 0x0E, 0xC9, |
184 | | 0xF6, 0xBC, 0x24, 0x82, 0x3D, 0xD3, 0x67, 0xB5, 0x25, 0x57, 0x59, |
185 | | 0xB4, 0xE7, 0x1B, 0x61, 0xFC, 0xE9, 0xF7, 0x37, 0x5D, 0x73 }, |
186 | | "MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" |
187 | | "bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=", |
188 | | "DPCOXAgWpa1Cf/DrJxhZ0A==", |
189 | | }, |
190 | | { |
191 | | // CN=Secure Global CA,O=SecureTrust Corporation,C=US |
192 | | "2.16.840.1.114404.1.1.2.4.1", |
193 | | "Trustwave EV OID", |
194 | | { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 0x7D, |
195 | | 0x20, 0x9E, 0xD1, 0x50, 0x30, 0x29, 0xFB, 0xCB, 0xD4, 0x1C, 0xA1, |
196 | | 0xB5, 0x06, 0xEC, 0x27, 0xF1, 0x5A, 0xDE, 0x7D, 0xAC, 0x69 }, |
197 | | "MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" |
198 | | "bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==", |
199 | | "B1YipOjUiolN9BPI8PjqpQ==", |
200 | | }, |
201 | | { |
202 | | // CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB |
203 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
204 | | "Comodo EV OID", |
205 | | { 0x17, 0x93, 0x92, 0x7A, 0x06, 0x14, 0x54, 0x97, 0x89, 0xAD, 0xCE, |
206 | | 0x2F, 0x8F, 0x34, 0xF7, 0xF0, 0xB6, 0x6D, 0x0F, 0x3A, 0xE3, 0xA3, |
207 | | 0xB8, 0x4D, 0x21, 0xEC, 0x15, 0xDB, 0xBA, 0x4F, 0xAD, 0xC7 }, |
208 | | "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" |
209 | | "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG" |
210 | | "A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
211 | | "H0evqmIAcFBUTAGem2OZKg==", |
212 | | }, |
213 | | { |
214 | | // CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB |
215 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
216 | | "Comodo EV OID", |
217 | | { 0x0C, 0x2C, 0xD6, 0x3D, 0xF7, 0x80, 0x6F, 0xA3, 0x99, 0xED, 0xE8, |
218 | | 0x09, 0x11, 0x6B, 0x57, 0x5B, 0xF8, 0x79, 0x89, 0xF0, 0x65, 0x18, |
219 | | 0xF9, 0x80, 0x8C, 0x86, 0x05, 0x03, 0x17, 0x8B, 0xAF, 0x66 }, |
220 | | "MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" |
221 | | "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG" |
222 | | "A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5", |
223 | | "ToEtioJl4AsC7j41AkblPQ==", |
224 | | }, |
225 | | { |
226 | | // CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE |
227 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
228 | | "Comodo EV OID", |
229 | | { 0x68, 0x7F, 0xA4, 0x51, 0x38, 0x22, 0x78, 0xFF, 0xF0, 0xC8, 0xB1, |
230 | | 0x1F, 0x8D, 0x43, 0xD5, 0x76, 0x67, 0x1C, 0x6E, 0xB2, 0xBC, 0xEA, |
231 | | 0xB4, 0x13, 0xFB, 0x83, 0xD9, 0x65, 0xD0, 0x6D, 0x2F, 0xF2 }, |
232 | | "MG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMd" |
233 | | "QWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0" |
234 | | "IEV4dGVybmFsIENBIFJvb3Q=", |
235 | | "AQ==", |
236 | | }, |
237 | | { |
238 | | // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US |
239 | | "2.16.840.1.114413.1.7.23.3", |
240 | | "Go Daddy EV OID a", |
241 | | { 0xC3, 0x84, 0x6B, 0xF2, 0x4B, 0x9E, 0x93, 0xCA, 0x64, 0x27, 0x4C, |
242 | | 0x0E, 0xC6, 0x7C, 0x1E, 0xCC, 0x5E, 0x02, 0x4F, 0xFC, 0xAC, 0xD2, |
243 | | 0xD7, 0x40, 0x19, 0x35, 0x0E, 0x81, 0xFE, 0x54, 0x6A, 0xE4 }, |
244 | | "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu" |
245 | | "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo" |
246 | | "b3JpdHk=", |
247 | | "AA==", |
248 | | }, |
249 | | { |
250 | | // CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US |
251 | | "2.16.840.1.114413.1.7.23.3", |
252 | | "Go Daddy EV OID a", |
253 | | { 0x45, 0x14, 0x0B, 0x32, 0x47, 0xEB, 0x9C, 0xC8, 0xC5, 0xB4, 0xF0, |
254 | | 0xD7, 0xB5, 0x30, 0x91, 0xF7, 0x32, 0x92, 0x08, 0x9E, 0x6E, 0x5A, |
255 | | 0x63, 0xE2, 0x74, 0x9D, 0xD3, 0xAC, 0xA9, 0x19, 0x8E, 0xDA }, |
256 | | "MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" |
257 | | "dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv" |
258 | | "IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=", |
259 | | "AA==", |
260 | | }, |
261 | | { |
262 | | // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US |
263 | | "2.16.840.1.114414.1.7.23.3", |
264 | | "Go Daddy EV OID b", |
265 | | { 0x14, 0x65, 0xFA, 0x20, 0x53, 0x97, 0xB8, 0x76, 0xFA, 0xA6, 0xF0, |
266 | | 0xA9, 0x95, 0x8E, 0x55, 0x90, 0xE4, 0x0F, 0xCC, 0x7F, 0xAA, 0x4F, |
267 | | 0xB7, 0xC2, 0xC8, 0x67, 0x75, 0x21, 0xFB, 0x5F, 0xB6, 0x58 }, |
268 | | "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz" |
269 | | "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u" |
270 | | "IEF1dGhvcml0eQ==", |
271 | | "AA==", |
272 | | }, |
273 | | { |
274 | | // CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US |
275 | | "2.16.840.1.114414.1.7.23.3", |
276 | | "Go Daddy EV OID b", |
277 | | { 0x2C, 0xE1, 0xCB, 0x0B, 0xF9, 0xD2, 0xF9, 0xE1, 0x02, 0x99, 0x3F, |
278 | | 0xBE, 0x21, 0x51, 0x52, 0xC3, 0xB2, 0xDD, 0x0C, 0xAB, 0xDE, 0x1C, |
279 | | 0x68, 0xE5, 0x31, 0x9B, 0x83, 0x91, 0x54, 0xDB, 0xB7, 0xF5 }, |
280 | | "MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" |
281 | | "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy" |
282 | | "MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g" |
283 | | "RzI=", |
284 | | "AA==", |
285 | | }, |
286 | | { |
287 | | // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US |
288 | | "2.16.840.1.114412.2.1", |
289 | | "DigiCert EV OID", |
290 | | { 0x74, 0x31, 0xE5, 0xF4, 0xC3, 0xC1, 0xCE, 0x46, 0x90, 0x77, 0x4F, |
291 | | 0x0B, 0x61, 0xE0, 0x54, 0x40, 0x88, 0x3B, 0xA9, 0xA0, 0x1E, 0xD0, |
292 | | 0x0B, 0xA6, 0xAB, 0xD7, 0x80, 0x6E, 0xD3, 0xB1, 0x18, 0xCF }, |
293 | | "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
294 | | "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh" |
295 | | "bmNlIEVWIFJvb3QgQ0E=", |
296 | | "AqxcJmoLQJuPC3nyrkYldw==", |
297 | | }, |
298 | | { |
299 | | // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM |
300 | | "1.3.6.1.4.1.8024.0.2.100.1.2", |
301 | | "Quo Vadis EV OID", |
302 | | { 0x85, 0xA0, 0xDD, 0x7D, 0xD7, 0x20, 0xAD, 0xB7, 0xFF, 0x05, 0xF8, |
303 | | 0x3D, 0x54, 0x2B, 0x20, 0x9D, 0xC7, 0xFF, 0x45, 0x28, 0xF7, 0xD6, |
304 | | 0x77, 0xB1, 0x83, 0x89, 0xFE, 0xA5, 0xE5, 0xC4, 0x9E, 0x86 }, |
305 | | "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD" |
306 | | "VQQDExJRdW9WYWRpcyBSb290IENBIDI=", |
307 | | "BQk=", |
308 | | }, |
309 | | { |
310 | | // CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US |
311 | | "1.3.6.1.4.1.782.1.2.1.8.1", |
312 | | "Network Solutions EV OID", |
313 | | { 0x15, 0xF0, 0xBA, 0x00, 0xA3, 0xAC, 0x7A, 0xF3, 0xAC, 0x88, 0x4C, |
314 | | 0x07, 0x2B, 0x10, 0x11, 0xA0, 0x77, 0xBD, 0x77, 0xC0, 0x97, 0xF4, |
315 | | 0x01, 0x64, 0xB2, 0xF8, 0x59, 0x8A, 0xBD, 0x83, 0x86, 0x0C }, |
316 | | "MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhOZXR3b3JrIFNvbHV0aW9ucyBMLkwu" |
317 | | "Qy4xMDAuBgNVBAMTJ05ldHdvcmsgU29sdXRpb25zIENlcnRpZmljYXRlIEF1dGhv" |
318 | | "cml0eQ==", |
319 | | "V8szb8JcFuZHFhfjkDFo4A==", |
320 | | }, |
321 | | { |
322 | | // CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US |
323 | | "2.16.840.1.114028.10.1.2", |
324 | | "Entrust EV OID", |
325 | | { 0x73, 0xC1, 0x76, 0x43, 0x4F, 0x1B, 0xC6, 0xD5, 0xAD, 0xF4, 0x5B, |
326 | | 0x0E, 0x76, 0xE7, 0x27, 0x28, 0x7C, 0x8D, 0xE5, 0x76, 0x16, 0xC1, |
327 | | 0xE6, 0xE6, 0x14, 0x1A, 0x2B, 0x2C, 0xBC, 0x7D, 0x8E, 0x4C }, |
328 | | "MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE" |
329 | | "CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl" |
330 | | "bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF" |
331 | | "bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=", |
332 | | "RWtQVA==", |
333 | | }, |
334 | | { |
335 | | // CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE |
336 | | "1.3.6.1.4.1.4146.1.1", |
337 | | "GlobalSign EV OID", |
338 | | { 0xEB, 0xD4, 0x10, 0x40, 0xE4, 0xBB, 0x3E, 0xC7, 0x42, 0xC9, 0xE3, |
339 | | 0x81, 0xD3, 0x1E, 0xF2, 0xA4, 0x1A, 0x48, 0xB6, 0x68, 0x5C, 0x96, |
340 | | 0xE7, 0xCE, 0xF3, 0xC1, 0xDF, 0x6C, 0xD4, 0x33, 0x1C, 0x99 }, |
341 | | "MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYD" |
342 | | "VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=", |
343 | | "BAAAAAABFUtaw5Q=", |
344 | | }, |
345 | | { |
346 | | // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 |
347 | | "1.3.6.1.4.1.4146.1.1", |
348 | | "GlobalSign EV OID", |
349 | | { 0xCA, 0x42, 0xDD, 0x41, 0x74, 0x5F, 0xD0, 0xB8, 0x1E, 0xB9, 0x02, |
350 | | 0x36, 0x2C, 0xF9, 0xD8, 0xBF, 0x71, 0x9D, 0xA1, 0xBD, 0x1B, 0x1E, |
351 | | 0xFC, 0x94, 0x6F, 0x5B, 0x4C, 0x99, 0xF4, 0x2C, 0x1B, 0x9E }, |
352 | | "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH" |
353 | | "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", |
354 | | "BAAAAAABD4Ym5g0=", |
355 | | }, |
356 | | { |
357 | | // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 |
358 | | "1.3.6.1.4.1.4146.1.1", |
359 | | "GlobalSign EV OID", |
360 | | { 0xCB, 0xB5, 0x22, 0xD7, 0xB7, 0xF1, 0x27, 0xAD, 0x6A, 0x01, 0x13, |
361 | | 0x86, 0x5B, 0xDF, 0x1C, 0xD4, 0x10, 0x2E, 0x7D, 0x07, 0x59, 0xAF, |
362 | | 0x63, 0x5A, 0x7C, 0xF4, 0x72, 0x0D, 0xC9, 0x63, 0xC5, 0x3B }, |
363 | | "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH" |
364 | | "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", |
365 | | "BAAAAAABIVhTCKI=", |
366 | | }, |
367 | | { |
368 | | // CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO |
369 | | "2.16.578.1.26.1.3.3", |
370 | | "Buypass EV OID", |
371 | | { 0xED, 0xF7, 0xEB, 0xBC, 0xA2, 0x7A, 0x2A, 0x38, 0x4D, 0x38, 0x7B, |
372 | | 0x7D, 0x40, 0x10, 0xC6, 0x66, 0xE2, 0xED, 0xB4, 0x84, 0x3E, 0x4C, |
373 | | 0x29, 0xB4, 0xAE, 0x1D, 0x5B, 0x93, 0x32, 0xE6, 0xB2, 0x4D }, |
374 | | "ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg" |
375 | | "MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=", |
376 | | "Ag==", |
377 | | }, |
378 | | { |
379 | | // CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU |
380 | | "1.3.6.1.4.1.17326.10.14.2.1.2", |
381 | | "Camerfirma EV OID a", |
382 | | { 0x06, 0x3E, 0x4A, 0xFA, 0xC4, 0x91, 0xDF, 0xD3, 0x32, 0xF3, 0x08, |
383 | | 0x9B, 0x85, 0x42, 0xE9, 0x46, 0x17, 0xD8, 0x93, 0xD7, 0xFE, 0x94, |
384 | | 0x4E, 0x10, 0xA7, 0x93, 0x7E, 0xE2, 0x9D, 0x96, 0x93, 0xC0 }, |
385 | | "MIGuMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh" |
386 | | "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ" |
387 | | "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMT" |
388 | | "IENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4", |
389 | | "AKPaQn6ksa7a", |
390 | | }, |
391 | | { |
392 | | // CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU |
393 | | "1.3.6.1.4.1.17326.10.8.12.1.2", |
394 | | "Camerfirma EV OID b", |
395 | | { 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, |
396 | | 0xD3, 0x24, 0xDE, 0x72, 0x28, 0x4E, 0x07, 0x9D, 0x7B, 0x52, 0x20, |
397 | | 0xBB, 0x8F, 0xBD, 0x74, 0x78, 0x16, 0xEE, 0xBE, 0xBA, 0xCA }, |
398 | | "MIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh" |
399 | | "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ" |
400 | | "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMT" |
401 | | "Hkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwOA==", |
402 | | "AMnN0+nVfSPO", |
403 | | }, |
404 | | { |
405 | | // CN=AffirmTrust Commercial,O=AffirmTrust,C=US |
406 | | "1.3.6.1.4.1.34697.2.1", |
407 | | "AffirmTrust EV OID a", |
408 | | { 0x03, 0x76, 0xAB, 0x1D, 0x54, 0xC5, 0xF9, 0x80, 0x3C, 0xE4, 0xB2, |
409 | | 0xE2, 0x01, 0xA0, 0xEE, 0x7E, 0xEF, 0x7B, 0x57, 0xB6, 0x36, 0xE8, |
410 | | 0xA9, 0x3C, 0x9B, 0x8D, 0x48, 0x60, 0xC9, 0x6F, 0x5F, 0xA7 }, |
411 | | "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" |
412 | | "QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==", |
413 | | "d3cGJyapsXw=", |
414 | | }, |
415 | | { |
416 | | // CN=AffirmTrust Networking,O=AffirmTrust,C=US |
417 | | "1.3.6.1.4.1.34697.2.2", |
418 | | "AffirmTrust EV OID b", |
419 | | { 0x0A, 0x81, 0xEC, 0x5A, 0x92, 0x97, 0x77, 0xF1, 0x45, 0x90, 0x4A, |
420 | | 0xF3, 0x8D, 0x5D, 0x50, 0x9F, 0x66, 0xB5, 0xE2, 0xC5, 0x8F, 0xCD, |
421 | | 0xB5, 0x31, 0x05, 0x8B, 0x0E, 0x17, 0xF3, 0xF0, 0xB4, 0x1B }, |
422 | | "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" |
423 | | "QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==", |
424 | | "fE8EORzUmS0=", |
425 | | }, |
426 | | { |
427 | | // CN=AffirmTrust Premium,O=AffirmTrust,C=US |
428 | | "1.3.6.1.4.1.34697.2.3", |
429 | | "AffirmTrust EV OID c", |
430 | | { 0x70, 0xA7, 0x3F, 0x7F, 0x37, 0x6B, 0x60, 0x07, 0x42, 0x48, 0x90, |
431 | | 0x45, 0x34, 0xB1, 0x14, 0x82, 0xD5, 0xBF, 0x0E, 0x69, 0x8E, 0xCC, |
432 | | 0x49, 0x8D, 0xF5, 0x25, 0x77, 0xEB, 0xF2, 0xE9, 0x3B, 0x9A }, |
433 | | "MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT" |
434 | | "QWZmaXJtVHJ1c3QgUHJlbWl1bQ==", |
435 | | "bYwURrGmCu4=", |
436 | | }, |
437 | | { |
438 | | // CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US |
439 | | "1.3.6.1.4.1.34697.2.4", |
440 | | "AffirmTrust EV OID d", |
441 | | { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, |
442 | | 0x7A, 0xDD, 0x25, 0x81, 0xB0, 0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, |
443 | | 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 }, |
444 | | "MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX" |
445 | | "QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=", |
446 | | "dJclisc/elQ=", |
447 | | }, |
448 | | { |
449 | | // CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL |
450 | | "1.2.616.1.113527.2.5.1.1", |
451 | | "Certum EV OID", |
452 | | { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, |
453 | | 0x82, 0xD2, 0xB5, 0x00, 0x10, 0xB6, 0xD1, 0x65, 0x37, 0x4A, 0xCF, |
454 | | 0x83, 0xA7, 0xD4, 0xA3, 0x2D, 0xB7, 0x68, 0xC4, 0x40, 0x8E }, |
455 | | "MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT" |
456 | | "LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg" |
457 | | "BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=", |
458 | | "BETA", |
459 | | }, |
460 | | { |
461 | | // CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL |
462 | | "1.2.616.1.113527.2.5.1.1", |
463 | | "Certum EV OID", |
464 | | { 0xB6, 0x76, 0xF2, 0xED, 0xDA, 0xE8, 0x77, 0x5C, 0xD3, 0x6C, 0xB0, |
465 | | 0xF6, 0x3C, 0xD1, 0xD4, 0x60, 0x39, 0x61, 0xF4, 0x9E, 0x62, 0x65, |
466 | | 0xBA, 0x01, 0x3A, 0x2F, 0x03, 0x07, 0xB6, 0xD0, 0xB8, 0x04 }, |
467 | | "MIGAMQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg" |
468 | | "Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSQw" |
469 | | "IgYDVQQDExtDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBIDI=", |
470 | | "IdbQSk8lD8kyN/yqXhKN6Q==", |
471 | | }, |
472 | | { |
473 | | // CN=Izenpe.com,O=IZENPE S.A.,C=ES |
474 | | "1.3.6.1.4.1.14777.6.1.1", |
475 | | "Izenpe EV OID 1", |
476 | | { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, |
477 | | 0x9B, 0x1F, 0xBA, 0x1B, 0x09, 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, |
478 | | 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 0x1F }, |
479 | | "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" |
480 | | "SXplbnBlLmNvbQ==", |
481 | | "ALC3WhZIX7/hy/WL1xnmfQ==", |
482 | | }, |
483 | | { |
484 | | // CN=Izenpe.com,O=IZENPE S.A.,C=ES |
485 | | "1.3.6.1.4.1.14777.6.1.2", |
486 | | "Izenpe EV OID 2", |
487 | | { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, |
488 | | 0x9B, 0x1F, 0xBA, 0x1B, 0x09, 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, |
489 | | 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 0x1F }, |
490 | | "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" |
491 | | "SXplbnBlLmNvbQ==", |
492 | | "ALC3WhZIX7/hy/WL1xnmfQ==", |
493 | | }, |
494 | | { |
495 | | // CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE |
496 | | "1.3.6.1.4.1.7879.13.24.1", |
497 | | "T-Systems EV OID", |
498 | | { 0xFD, 0x73, 0xDA, 0xD3, 0x1C, 0x64, 0x4F, 0xF1, 0xB4, 0x3B, 0xEF, |
499 | | 0x0C, 0xCD, 0xDA, 0x96, 0x71, 0x0B, 0x9C, 0xD9, 0x87, 0x5E, 0xCA, |
500 | | 0x7E, 0x31, 0x70, 0x7A, 0xF3, 0xE9, 0x6D, 0x52, 0x2B, 0xBD }, |
501 | | "MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2Ug" |
502 | | "U2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjEl" |
503 | | "MCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==", |
504 | | "AQ==", |
505 | | }, |
506 | | { |
507 | | // CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW |
508 | | "1.3.6.1.4.1.40869.1.1.22.3", |
509 | | "TWCA EV OID", |
510 | | { 0xBF, 0xD8, 0x8F, 0xE1, 0x10, 0x1C, 0x41, 0xAE, 0x3E, 0x80, 0x1B, |
511 | | 0xF8, 0xBE, 0x56, 0x35, 0x0E, 0xE9, 0xBA, 0xD1, 0xA6, 0xB9, 0xBD, |
512 | | 0x51, 0x5E, 0xDC, 0x5C, 0x6D, 0x5B, 0x87, 0x11, 0xAC, 0x44 }, |
513 | | "MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv" |
514 | | "b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0" |
515 | | "eQ==", |
516 | | "AQ==", |
517 | | }, |
518 | | { |
519 | | // CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE |
520 | | "1.3.6.1.4.1.4788.2.202.1", |
521 | | "D-TRUST EV OID", |
522 | | { 0xEE, 0xC5, 0x49, 0x6B, 0x98, 0x8C, 0xE9, 0x86, 0x25, 0xB9, 0x34, |
523 | | 0x09, 0x2E, 0xEC, 0x29, 0x08, 0xBE, 0xD0, 0xB0, 0xF3, 0x16, 0xC2, |
524 | | 0xD4, 0x73, 0x0C, 0x84, 0xEA, 0xF1, 0xF3, 0xD3, 0x48, 0x81 }, |
525 | | "MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM" |
526 | | "IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==", |
527 | | "CYP0", |
528 | | }, |
529 | | { |
530 | | // CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES |
531 | | "1.3.6.1.4.1.13177.10.1.3.10", |
532 | | "Firmaprofesional EV OID", |
533 | | { 0x04, 0x04, 0x80, 0x28, 0xBF, 0x1F, 0x28, 0x64, 0xD4, 0x8F, 0x9A, |
534 | | 0xD4, 0xD8, 0x32, 0x94, 0x36, 0x6A, 0x82, 0x88, 0x56, 0x55, 0x3F, |
535 | | 0x3B, 0x14, 0x30, 0x3F, 0x90, 0x14, 0x7F, 0x5D, 0x40, 0xEF }, |
536 | | "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh" |
537 | | "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=", |
538 | | "U+w77vuySF8=", |
539 | | }, |
540 | | { |
541 | | // CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW |
542 | | "1.3.6.1.4.1.40869.1.1.22.3", |
543 | | "TWCA EV OID", |
544 | | { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, |
545 | | 0x2F, 0x9F, 0x95, 0xD5, 0x75, 0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, |
546 | | 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B }, |
547 | | "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv" |
548 | | "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=", |
549 | | "DL4=", |
550 | | }, |
551 | | { |
552 | | // CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR |
553 | | "2.16.792.3.0.4.1.1.4", |
554 | | "ETugra EV OID", |
555 | | { 0xB0, 0xBF, 0xD5, 0x2B, 0xB0, 0xD7, 0xD9, 0xBD, 0x92, 0xBF, 0x5D, |
556 | | 0x4D, 0xC1, 0x3D, 0xA2, 0x55, 0xC0, 0x2C, 0x54, 0x2F, 0x37, 0x83, |
557 | | 0x65, 0xEA, 0x89, 0x39, 0x11, 0xF5, 0x5E, 0x55, 0xF2, 0x3C }, |
558 | | "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1" |
559 | | "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu" |
560 | | "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG" |
561 | | "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
562 | | "amg+nFGby1M=", |
563 | | }, |
564 | | { |
565 | | // CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT |
566 | | "1.3.159.1.17.1", |
567 | | "Actalis EV OID", |
568 | | { 0x55, 0x92, 0x60, 0x84, 0xEC, 0x96, 0x3A, 0x64, 0xB9, 0x6E, 0x2A, |
569 | | 0xBE, 0x01, 0xCE, 0x0B, 0xA8, 0x6A, 0x64, 0xFB, 0xFE, 0xBC, 0xC7, |
570 | | 0xAA, 0xB5, 0xAF, 0xC1, 0x55, 0xB3, 0x7F, 0xD7, 0x60, 0x66 }, |
571 | | "MGsxCzAJBgNVBAYTAklUMQ4wDAYDVQQHDAVNaWxhbjEjMCEGA1UECgwaQWN0YWxp" |
572 | | "cyBTLnAuQS4vMDMzNTg1MjA5NjcxJzAlBgNVBAMMHkFjdGFsaXMgQXV0aGVudGlj" |
573 | | "YXRpb24gUm9vdCBDQQ==", |
574 | | "VwoRl0LE48w=", |
575 | | }, |
576 | | { |
577 | | // CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US |
578 | | "2.16.840.1.114412.2.1", |
579 | | "DigiCert EV OID", |
580 | | { 0x7D, 0x05, 0xEB, 0xB6, 0x82, 0x33, 0x9F, 0x8C, 0x94, 0x51, 0xEE, |
581 | | 0x09, 0x4E, 0xEB, 0xFE, 0xFA, 0x79, 0x53, 0xA1, 0x14, 0xED, 0xB2, |
582 | | 0xF4, 0x49, 0x49, 0x45, 0x2F, 0xAB, 0x7D, 0x2F, 0xC1, 0x85 }, |
583 | | "MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
584 | | "EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg" |
585 | | "Um9vdCBHMg==", |
586 | | "C5McOtY5Z+pnI7/Dr5r0Sw==", |
587 | | }, |
588 | | { |
589 | | // CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US |
590 | | "2.16.840.1.114412.2.1", |
591 | | "DigiCert EV OID", |
592 | | { 0x7E, 0x37, 0xCB, 0x8B, 0x4C, 0x47, 0x09, 0x0C, 0xAB, 0x36, 0x55, |
593 | | 0x1B, 0xA6, 0xF4, 0x5D, 0xB8, 0x40, 0x68, 0x0F, 0xBA, 0x16, 0x6A, |
594 | | 0x95, 0x2D, 0xB1, 0x00, 0x71, 0x7F, 0x43, 0x05, 0x3F, 0xC2 }, |
595 | | "MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
596 | | "EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg" |
597 | | "Um9vdCBHMw==", |
598 | | "C6Fa+h3foLVJRK/NJKBs7A==", |
599 | | }, |
600 | | { |
601 | | // CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US |
602 | | "2.16.840.1.114412.2.1", |
603 | | "DigiCert EV OID", |
604 | | { 0xCB, 0x3C, 0xCB, 0xB7, 0x60, 0x31, 0xE5, 0xE0, 0x13, 0x8F, 0x8D, |
605 | | 0xD3, 0x9A, 0x23, 0xF9, 0xDE, 0x47, 0xFF, 0xC3, 0x5E, 0x43, 0xC1, |
606 | | 0x14, 0x4C, 0xEA, 0x27, 0xD4, 0x6A, 0x5A, 0xB1, 0xCB, 0x5F }, |
607 | | "MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
608 | | "EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290" |
609 | | "IEcy", |
610 | | "Azrx5qcRqaC7KGSxHQn65Q==", |
611 | | }, |
612 | | { |
613 | | // CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US |
614 | | "2.16.840.1.114412.2.1", |
615 | | "DigiCert EV OID", |
616 | | { 0x31, 0xAD, 0x66, 0x48, 0xF8, 0x10, 0x41, 0x38, 0xC7, 0x38, 0xF3, |
617 | | 0x9E, 0xA4, 0x32, 0x01, 0x33, 0x39, 0x3E, 0x3A, 0x18, 0xCC, 0x02, |
618 | | 0x29, 0x6E, 0xF9, 0x7C, 0x2A, 0xC9, 0xEF, 0x67, 0x31, 0xD0 }, |
619 | | "MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
620 | | "EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290" |
621 | | "IEcz", |
622 | | "BVVWvPJepDU1w6QP1atFcg==", |
623 | | }, |
624 | | { |
625 | | // CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US |
626 | | "2.16.840.1.114412.2.1", |
627 | | "DigiCert EV OID", |
628 | | { 0x55, 0x2F, 0x7B, 0xDC, 0xF1, 0xA7, 0xAF, 0x9E, 0x6C, 0xE6, 0x72, |
629 | | 0x01, 0x7F, 0x4F, 0x12, 0xAB, 0xF7, 0x72, 0x40, 0xC7, 0x8E, 0x76, |
630 | | 0x1A, 0xC2, 0x03, 0xD1, 0xD9, 0xD2, 0x0A, 0xC8, 0x99, 0x88 }, |
631 | | "MGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" |
632 | | "EHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9v" |
633 | | "dCBHNA==", |
634 | | "BZsbV56OITLiOQe9p3d1XA==", |
635 | | }, |
636 | | { |
637 | | // CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM |
638 | | "1.3.6.1.4.1.8024.0.2.100.1.2", |
639 | | "QuoVadis EV OID", |
640 | | { 0x8F, 0xE4, 0xFB, 0x0A, 0xF9, 0x3A, 0x4D, 0x0D, 0x67, 0xDB, 0x0B, |
641 | | 0xEB, 0xB2, 0x3E, 0x37, 0xC7, 0x1B, 0xF3, 0x25, 0xDC, 0xBC, 0xDD, |
642 | | 0x24, 0x0E, 0xA0, 0x4D, 0xAF, 0x58, 0xB4, 0x7E, 0x18, 0x40 }, |
643 | | "MEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD" |
644 | | "VQQDExVRdW9WYWRpcyBSb290IENBIDIgRzM=", |
645 | | "RFc0JFuBiZs18s64KztbpybwdSg=", |
646 | | }, |
647 | | { |
648 | | // CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB |
649 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
650 | | "Comodo EV OID", |
651 | | { 0x52, 0xF0, 0xE1, 0xC4, 0xE5, 0x8E, 0xC6, 0x29, 0x29, 0x1B, 0x60, |
652 | | 0x31, 0x7F, 0x07, 0x46, 0x71, 0xB8, 0x5D, 0x7E, 0xA8, 0x0D, 0x5B, |
653 | | 0x07, 0x27, 0x34, 0x63, 0x53, 0x4B, 0x32, 0xB4, 0x02, 0x34 }, |
654 | | "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" |
655 | | "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG" |
656 | | "A1UEAxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
657 | | "TKr5yttjb+Af907YWwOGnQ==", |
658 | | }, |
659 | | { |
660 | | // CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US |
661 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
662 | | "Comodo EV OID", |
663 | | { 0xE7, 0x93, 0xC9, 0xB0, 0x2F, 0xD8, 0xAA, 0x13, 0xE2, 0x1C, 0x31, |
664 | | 0x22, 0x8A, 0xCC, 0xB0, 0x81, 0x19, 0x64, 0x3B, 0x74, 0x9C, 0x89, |
665 | | 0x89, 0x64, 0xB1, 0x74, 0x6D, 0x46, 0xC3, 0xD4, 0xCB, 0xD2 }, |
666 | | "MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxML" |
667 | | "SmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwG" |
668 | | "A1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
669 | | "Af1tMPyjylGoG7xkDjUDLQ==", |
670 | | }, |
671 | | { |
672 | | // CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US |
673 | | "1.3.6.1.4.1.6449.1.2.1.5.1", |
674 | | "Comodo EV OID", |
675 | | { 0x4F, 0xF4, 0x60, 0xD5, 0x4B, 0x9C, 0x86, 0xDA, 0xBF, 0xBC, 0xFC, |
676 | | 0x57, 0x12, 0xE0, 0x40, 0x0D, 0x2B, 0xED, 0x3F, 0xBC, 0x4D, 0x4F, |
677 | | 0xBD, 0xAA, 0x86, 0xE0, 0x6A, 0xDC, 0xD2, 0xA9, 0xAD, 0x7A }, |
678 | | "MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxML" |
679 | | "SmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwG" |
680 | | "A1UEAxMlVVNFUlRydXN0IEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", |
681 | | "XIuZxVqUxdJxVt7NiYDMJg==", |
682 | | }, |
683 | | { |
684 | | // CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 |
685 | | "1.3.6.1.4.1.4146.1.1", |
686 | | "GlobalSign EV OID", |
687 | | { 0x17, 0x9F, 0xBC, 0x14, 0x8A, 0x3D, 0xD0, 0x0F, 0xD2, 0x4E, 0xA1, |
688 | | 0x34, 0x58, 0xCC, 0x43, 0xBF, 0xA7, 0xF5, 0x9C, 0x81, 0x82, 0xD7, |
689 | | 0x83, 0xA5, 0x13, 0xF6, 0xEB, 0xEC, 0x10, 0x0C, 0x89, 0x24 }, |
690 | | "MFAxJDAiBgNVBAsTG0dsb2JhbFNpZ24gRUNDIFJvb3QgQ0EgLSBSNTETMBEGA1UE" |
691 | | "ChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbg==", |
692 | | "YFlJ4CYuu1X5CneKcflK2Gw=", |
693 | | }, |
694 | | { |
695 | | // CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net |
696 | | "2.16.840.1.114028.10.1.2", |
697 | | "Entrust EV OID", |
698 | | { 0x6D, 0xC4, 0x71, 0x72, 0xE0, 0x1C, 0xBC, 0xB0, 0xBF, 0x62, 0x58, |
699 | | 0x0D, 0x89, 0x5F, 0xE2, 0xB8, 0xAC, 0x9A, 0xD4, 0xF8, 0x73, 0x80, |
700 | | 0x1E, 0x0C, 0x10, 0xB9, 0xC8, 0x37, 0xD2, 0x1E, 0xB1, 0x77 }, |
701 | | "MIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3Qu" |
702 | | "bmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMG" |
703 | | "A1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50" |
704 | | "cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp", |
705 | | "OGPe+A==", |
706 | | }, |
707 | | { |
708 | | // CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL |
709 | | "2.16.528.1.1003.1.2.7", |
710 | | "Staat der Nederlanden EV OID", |
711 | | { 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C, |
712 | | 0xEF, 0xA6, 0xCF, 0x6F, 0x72, 0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F, |
713 | | 0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A }, |
714 | | "MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x" |
715 | | "KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB", |
716 | | "AJiWjQ==", |
717 | | }, |
718 | | { |
719 | | // CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US |
720 | | "2.16.840.1.114028.10.1.2", |
721 | | "Entrust EV OID", |
722 | | { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D, |
723 | | 0x93, 0x1A, 0x7B, 0xED, 0xF1, 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C, |
724 | | 0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 }, |
725 | | "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE" |
726 | | "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp" |
727 | | "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw" |
728 | | "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH" |
729 | | "Mg==", |
730 | | "SlOMKA==", |
731 | | }, |
732 | | { |
733 | | // CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US |
734 | | "2.16.840.1.114028.10.1.2", |
735 | | "Entrust EV OID", |
736 | | { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56, |
737 | | 0x67, 0x91, 0x70, 0x0D, 0x64, 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2, |
738 | | 0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 }, |
739 | | "MIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE" |
740 | | "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp" |
741 | | "IDIwMTIgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMw" |
742 | | "MQYDVQQDEypFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBF" |
743 | | "QzE=", |
744 | | "AKaLeSkAAAAAUNCR+Q==", |
745 | | }, |
746 | | { |
747 | | // CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN |
748 | | "2.16.156.112554.3", |
749 | | "CFCA EV OID", |
750 | | { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04, |
751 | | 0xE6, 0x87, 0x3E, 0x64, 0xF9, 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC, |
752 | | 0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD }, |
753 | | "MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm" |
754 | | "aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==", |
755 | | "GErM1g==", |
756 | | }, |
757 | | { |
758 | | // OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP |
759 | | "1.2.392.200091.100.721.1", |
760 | | "SECOM EV OID", |
761 | | { 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85, |
762 | | 0x39, 0x1A, 0xDF, 0xC6, 0xC2, 0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36, |
763 | | 0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 }, |
764 | | "MF0xCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP" |
765 | | "LixMVEQuMScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTI=", |
766 | | "AA==", |
767 | | }, |
768 | | { |
769 | | // CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH |
770 | | "2.16.756.5.14.7.4.8", |
771 | | "WISeKey EV OID", |
772 | | { 0x6B, 0x9C, 0x08, 0xE8, 0x6E, 0xB0, 0xF7, 0x67, 0xCF, 0xAD, 0x65, |
773 | | 0xCD, 0x98, 0xB6, 0x21, 0x49, 0xE5, 0x49, 0x4A, 0x67, 0xF5, 0x84, |
774 | | 0x5E, 0x7B, 0xD1, 0xED, 0x01, 0x9F, 0x27, 0xB8, 0x6B, 0xD6 }, |
775 | | "MG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNU" |
776 | | "RSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEds" |
777 | | "b2JhbCBSb290IEdCIENB", |
778 | | "drEgUnTwhYdGs/gjGvbCwA==", |
779 | | }, |
780 | | { |
781 | | // CN=Amazon Root CA 1,O=Amazon,C=US |
782 | | "2.23.140.1.1", |
783 | | "CA/Browser Forum EV OID", |
784 | | { 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, |
785 | | 0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, |
786 | | 0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E }, |
787 | | "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" |
788 | | "biBSb290IENBIDE=", |
789 | | "Bmyfz5m/jAo54vB4ikPmljZbyg==", |
790 | | }, |
791 | | { |
792 | | // CN=Amazon Root CA 2,O=Amazon,C=US |
793 | | "2.23.140.1.1", |
794 | | "CA/Browser Forum EV OID", |
795 | | { 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, |
796 | | 0x18, 0xF8, 0x0B, 0xEC, 0x4F, 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, |
797 | | 0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 }, |
798 | | "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" |
799 | | "biBSb290IENBIDI=", |
800 | | "Bmyf0pY1hp8KD+WGePhbJruKNw==", |
801 | | }, |
802 | | { |
803 | | // CN=Amazon Root CA 3,O=Amazon,C=US |
804 | | "2.23.140.1.1", |
805 | | "CA/Browser Forum EV OID", |
806 | | { 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, |
807 | | 0xB8, 0xDF, 0xE8, 0x68, 0xCB, 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, |
808 | | 0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 }, |
809 | | "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" |
810 | | "biBSb290IENBIDM=", |
811 | | "Bmyf1XSXNmY/Owua2eiedgPySg==", |
812 | | }, |
813 | | { |
814 | | // CN=Amazon Root CA 4,O=Amazon,C=US |
815 | | "2.23.140.1.1", |
816 | | "CA/Browser Forum EV OID", |
817 | | { 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, |
818 | | 0x38, 0xCD, 0x62, 0x39, 0x62, 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, |
819 | | 0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 }, |
820 | | "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" |
821 | | "biBSb290IENBIDQ=", |
822 | | "Bmyf18G7EEwpQ+Vxe3ssyBrBDg==", |
823 | | }, |
824 | | { |
825 | | // CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US |
826 | | "2.23.140.1.1", |
827 | | "CA/Browser Forum EV OID", |
828 | | { 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, |
829 | | 0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, |
830 | | 0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 }, |
831 | | "MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" |
832 | | "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7" |
833 | | "MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0" |
834 | | "aG9yaXR5IC0gRzI=", |
835 | | "AA==", |
836 | | }, |
837 | | { |
838 | | // CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU |
839 | | "1.3.171.1.1.10.5.2", |
840 | | "LuxTrust EV OID", |
841 | | { 0x54, 0x45, 0x5F, 0x71, 0x29, 0xC2, 0x0B, 0x14, 0x47, 0xC4, 0x18, |
842 | | 0xF9, 0x97, 0x16, 0x8F, 0x24, 0xC5, 0x8F, 0xC5, 0x02, 0x3B, 0xF5, |
843 | | 0xDA, 0x5B, 0xE2, 0xEB, 0x6E, 0x1D, 0xD8, 0x90, 0x2E, 0xD5 }, |
844 | | "MEYxCzAJBgNVBAYTAkxVMRYwFAYDVQQKDA1MdXhUcnVzdCBTLkEuMR8wHQYDVQQD" |
845 | | "DBZMdXhUcnVzdCBHbG9iYWwgUm9vdCAy", |
846 | | "Cn6m30tEntpqJIWe5rgV0xZ/u7E=", |
847 | | }, |
848 | | { |
849 | | // CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN |
850 | | "1.2.156.112559.1.1.6.1", |
851 | | "GDCA EV OID", |
852 | | { 0xBF, 0xFF, 0x8F, 0xD0, 0x44, 0x33, 0x48, 0x7D, 0x6A, 0x8A, 0xA6, |
853 | | 0x0C, 0x1A, 0x29, 0x76, 0x7A, 0x9F, 0xC2, 0xBB, 0xB0, 0x5E, 0x42, |
854 | | 0x0F, 0x71, 0x3A, 0x13, 0xB9, 0x92, 0x89, 0x1D, 0x38, 0x93 }, |
855 | | "MGIxCzAJBgNVBAYTAkNOMTIwMAYDVQQKDClHVUFORyBET05HIENFUlRJRklDQVRF" |
856 | | "IEFVVEhPUklUWSBDTy4sTFRELjEfMB0GA1UEAwwWR0RDQSBUcnVzdEFVVEggUjUg" |
857 | | "Uk9PVA==", |
858 | | "fQmX/vBH6no=", |
859 | | }, |
860 | | { |
861 | | // CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US |
862 | | "2.23.140.1.1", |
863 | | "CA/Browser Forum EV OID", |
864 | | { 0x22, 0xA2, 0xC1, 0xF7, 0xBD, 0xED, 0x70, 0x4C, 0xC1, 0xE7, 0x01, |
865 | | 0xB5, 0xF4, 0x08, 0xC3, 0x10, 0x88, 0x0F, 0xE9, 0x56, 0xB5, 0xDE, |
866 | | 0x2A, 0x4A, 0x44, 0xF9, 0x9C, 0x87, 0x3A, 0x25, 0xA7, 0xC8 }, |
867 | | "MH8xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3Rv" |
868 | | "bjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTQwMgYDVQQDDCtTU0wuY29tIEVW" |
869 | | "IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRUND", |
870 | | "LCmcWxbtBZU=", |
871 | | }, |
872 | | { |
873 | | // CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US |
874 | | "2.23.140.1.1", |
875 | | "CA/Browser Forum EV OID", |
876 | | { 0x2E, 0x7B, 0xF1, 0x6C, 0xC2, 0x24, 0x85, 0xA7, 0xBB, 0xE2, 0xAA, |
877 | | 0x86, 0x96, 0x75, 0x07, 0x61, 0xB0, 0xAE, 0x39, 0xBE, 0x3B, 0x2F, |
878 | | 0xE9, 0xD0, 0xCC, 0x6D, 0x4E, 0xF7, 0x34, 0x91, 0x42, 0x5C }, |
879 | | "MIGCMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0" |
880 | | "b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE3MDUGA1UEAwwuU1NMLmNvbSBF" |
881 | | "ViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQSBSMg==", |
882 | | "VrYpzTS8ePY=", |
883 | | }, |
884 | | }; |
885 | | |
// One registered policy-OID tag per kEVInfos entry, filled in slot by slot by
// LoadExtendedValidationInfo(). Static storage is zero-initialized, so every
// slot starts out as SEC_OID_UNKNOWN (see the static_assert below).
static SECOidTag sEVInfoOIDTags[ArrayLength(kEVInfos)];

static_assert(ArrayLength(sEVInfoOIDTags) == ArrayLength(kEVInfos),
              "These arrays are used in parallel and must have the same length.");
static_assert(SEC_OID_UNKNOWN == 0,
              "We depend on zero-initialized globals being interpreted as SEC_OID_UNKNOWN.");
892 | | |
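// Registers `oidItem` with NSS's OID table under the description `oidName`
// and returns the tag assigned to it. Callers in this file treat a
// SEC_OID_UNKNOWN result as failure.
//
// `od` is value-initialized so that the members this function does not set
// explicitly (notably od.oid.type) reach SECOID_AddEntry as zero rather than
// as indeterminate stack contents.
static SECOidTag
RegisterOID(const SECItem& oidItem, const char* oidName)
{
  SECOidData od = {};
  od.oid.len = oidItem.len;
  od.oid.data = oidItem.data;
  od.offset = SEC_OID_UNKNOWN;
  od.desc = oidName;
  od.mechanism = CKM_INVALID_MECHANISM;
  od.supportedExtension = INVALID_CERT_EXTENSION;
  return SECOID_AddEntry(&od);
}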
905 | | |
// Tag registered for the CA/Browser Forum EV policy OID by
// LoadExtendedValidationInfo(); stays SEC_OID_UNKNOWN until that succeeds.
static SECOidTag sCABForumEVOIDTag{SEC_OID_UNKNOWN};
907 | | |
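// Returns true if `policyOIDTag` is one of the policy OID tags registered for
// EV by LoadExtendedValidationInfo(): either the CA/Browser Forum EV OID or a
// CA-specific OID from a kEVInfos entry.
//
// SEC_OID_UNKNOWN is never an EV policy. Besides being the "no tag" value, it
// is also what every not-yet-registered (or failed-to-register) slot of
// sEVInfoOIDTags holds, because that array is zero-initialized and
// SEC_OID_UNKNOWN == 0 (see the static_assert above). Rejecting it up front
// keeps an unknown tag from matching such a slot in the loop below.
static bool
isEVPolicy(SECOidTag policyOIDTag)
{
  if (policyOIDTag == SEC_OID_UNKNOWN) {
    return false;
  }

  if (policyOIDTag == sCABForumEVOIDTag) {
    return true;
  }

  for (const SECOidTag& oidTag : sEVInfoOIDTags) {
    if (policyOIDTag == oidTag) {
      return true;
    }
  }

  return false;
}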
923 | | |
// Returns true if `cert` is one of the roots listed in kEVInfos (matched by
// the SHA-256 fingerprint of its DER encoding) and `policy` is an OID that
// root may assert for EV: either the CA/Browser Forum EV OID or the OID
// registered from the root's own kEVInfos entry. A null `cert` or a failed
// hash yields false.
bool
CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
                               const mozilla::pkix::CertPolicyId& policy)
{
  MOZ_ASSERT(cert);
  if (!cert) {
    return false;
  }

  unsigned char certHash[SHA256_LENGTH];
  SECStatus hashed = PK11_HashBuf(SEC_OID_SHA256, certHash, cert->derCert.data,
                                  AssertedCast<int32_t>(cert->derCert.len));
  if (hashed != SECSuccess) {
    return false;
  }

  // True iff the registered OID behind `oidData` is byte-for-byte equal to
  // the policy the caller is asking about.
  auto oidMatchesPolicy = [&policy](const SECOidData* oidData) -> bool {
    return oidData && oidData->oid.len == policy.numBytes &&
           ArrayEqual(oidData->oid.data, policy.bytes, policy.numBytes);
  };

  const SECOidData* cabforumOIDData = SECOID_FindOIDByTag(sCABForumEVOIDTag);
  const size_t numEntries = ArrayLength(kEVInfos);
  for (size_t i = 0; i < numEntries; ++i) {
    // Only the specific roots we approve for EV get that status; a cert that
    // merely carries an already-approved OID is not enough.
    if (!ArrayEqual(certHash, kEVInfos[i].sha256Fingerprint)) {
      continue;
    }

    // Every approved root may assert the CA/Browser Forum EV OID...
    if (oidMatchesPolicy(cabforumOIDData)) {
      return true;
    }
    // ...as well as the OID registered from its own kEVInfos entry.
    if (oidMatchesPolicy(SECOID_FindOIDByTag(sEVInfoOIDTags[i]))) {
      return true;
    }
  }

  return false;
}
965 | | |
// Registers the EV policy OIDs with NSS: first the CA/Browser Forum EV OID
// (recorded in sCABForumEVOIDTag), then one OID per kEVInfos entry (recorded
// in the parallel sEVInfoOIDTags array). isEVPolicy() and
// CertIsAuthoritativeForEVPolicy() consult those tags afterwards.
//
// Returns NS_OK on success. Every failure returns early, so after a failure
// on entry i the slots before i are registered and the slots from i onwards
// keep their zero-initialized SEC_OID_UNKNOWN value.
nsresult
LoadExtendedValidationInfo()
{
  static const char* sCABForumOIDString = "2.23.140.1.1";
  static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";

  ScopedAutoSECItem cabforumOIDItem;
  if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
        != SECSuccess) {
    return NS_ERROR_FAILURE;
  }
  sCABForumEVOIDTag = RegisterOID(cabforumOIDItem, sCABForumOIDDescription);
  if (sCABForumEVOIDTag == SEC_OID_UNKNOWN) {
    return NS_ERROR_FAILURE;
  }

  for (size_t i = 0; i < ArrayLength(kEVInfos); ++i) {
    const EVInfo& entry = kEVInfos[i];

    // Declared outside the DEBUG block because both the debug-only hash check
    // and the SEC_StringToOID call further down store into it.
    SECStatus srv;
#ifdef DEBUG
    // This section of code double-checks that we calculated the correct
    // certificate hash given the issuer and serial number and that it is
    // actually present in our loaded root certificates module. It is
    // unnecessary to check this in non-debug builds since we will safely fall
    // back to DV if the EV information is incorrect.
    nsAutoCString derIssuer;
    nsresult rv = Base64Decode(nsDependentCString(entry.issuerBase64),
                               derIssuer);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV issuer");
    if (NS_FAILED(rv)) {
      return rv;
    }

    nsAutoCString serialNumber;
    rv = Base64Decode(nsDependentCString(entry.serialBase64), serialNumber);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV serial");
    if (NS_FAILED(rv)) {
      return rv;
    }

    // The lookup key is the raw DER issuer name plus serial number, exactly as
    // stored (base64) in the table, to avoid any text-encoding ambiguity.
    CERTIssuerAndSN ias;
    ias.derIssuer.data =
      BitwiseCast<unsigned char*, const char*>(derIssuer.get());
    ias.derIssuer.len = derIssuer.Length();
    ias.serialNumber.data =
      BitwiseCast<unsigned char*, const char*>(serialNumber.get());
    ias.serialNumber.len = serialNumber.Length();
    ias.serialNumber.type = siUnsignedInteger;

    UniqueCERTCertificate cert(CERT_FindCertByIssuerAndSN(nullptr, &ias));

    // If an entry is missing in the NSS root database, it may be because the
    // root database is out of sync with what we expect (e.g. a different
    // version of system NSS is installed).
    if (!cert) {
      // The entries for the debug EV roots are at indices 0 through
      // NUM_TEST_EV_ROOTS - 1. Since they're not built-in, they probably
      // haven't been loaded yet.
      MOZ_ASSERT(i < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
    } else {
      // Same hash as CertIsAuthoritativeForEVPolicy() computes at lookup
      // time; a mismatch here means the table's fingerprint is wrong.
      unsigned char certFingerprint[SHA256_LENGTH];
      srv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint, cert->derCert.data,
                         AssertedCast<int32_t>(cert->derCert.len));
      MOZ_ASSERT(srv == SECSuccess, "Could not hash EV root");
      if (srv != SECSuccess) {
        return NS_ERROR_FAILURE;
      }
      bool same = ArrayEqual(certFingerprint, entry.sha256Fingerprint);
      MOZ_ASSERT(same, "EV root fingerprint mismatch");
      if (!same) {
        return NS_ERROR_FAILURE;
      }
    }
#endif
    // This is the code that actually enables these roots for EV.
    ScopedAutoSECItem evOIDItem;
    srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dottedOid, 0);
    MOZ_ASSERT(srv == SECSuccess, "SEC_StringToOID failed");
    if (srv != SECSuccess) {
      return NS_ERROR_FAILURE;
    }
    sEVInfoOIDTags[i] = RegisterOID(evOIDItem, entry.oidName);
    if (sEVInfoOIDTags[i] == SEC_OID_UNKNOWN) {
      return NS_ERROR_FAILURE;
    }
  }

  return NS_OK;
}
1056 | | |
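// Helper function for GetFirstEVPolicy(): walks the NULL-terminated
// policies->policyInfos array and copies the first policy whose OID tag
// isEVPolicy() accepts into `policy` / `policyOidTag`.
//
// Returns true if such a policy was found, false otherwise (including when
// the decoded extension carries no policyInfos array at all). The out
// parameters are written only on success.
bool
GetFirstEVPolicyFromPolicyList(const UniqueCERTCertificatePolicies& policies,
                               /*out*/ mozilla::pkix::CertPolicyId& policy,
                               /*out*/ SECOidTag& policyOidTag)
{
  // A decoded extension without a policy array would otherwise be
  // dereferenced by the loop condition below.
  if (!policies || !policies->policyInfos) {
    return false;
  }

  for (size_t i = 0; policies->policyInfos[i]; i++) {
    const CERTPolicyInfo* policyInfo = policies->policyInfos[i];
    SECOidTag policyInfoOID = policyInfo->oid;
    if (policyInfoOID == SEC_OID_UNKNOWN || !isEVPolicy(policyInfoOID)) {
      continue;
    }

    // The tag is a registered EV policy; fetch its encoded OID so the bytes
    // can be copied into the out-param. The asserts document the expected
    // table state; the runtime check below is what release builds rely on.
    const SECOidData* oidData = SECOID_FindOIDByTag(policyInfoOID);
    MOZ_ASSERT(oidData);
    MOZ_ASSERT(oidData->oid.data);
    MOZ_ASSERT(oidData->oid.len > 0);
    MOZ_ASSERT(oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES);
    if (!oidData || !oidData->oid.data || oidData->oid.len == 0 ||
        oidData->oid.len > mozilla::pkix::CertPolicyId::MAX_BYTES) {
      continue;
    }

    policy.numBytes = AssertedCast<uint16_t>(oidData->oid.len);
    PodCopy(policy.bytes, oidData->oid.data, policy.numBytes);
    policyOidTag = policyInfoOID;
    return true;
  }

  return false;
}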
1089 | | |
// Scans `cert`'s extensions for certificatePolicies extensions and, through
// GetFirstEVPolicyFromPolicyList(), returns the first EV policy found via
// `policy` / `policyOidTag`. Returns false when the cert has no extensions,
// when no certificatePolicies extension decodes, or when none of the decoded
// policies is an EV policy.
bool
GetFirstEVPolicy(CERTCertificate& cert,
                 /*out*/ mozilla::pkix::CertPolicyId& policy,
                 /*out*/ SECOidTag& policyOidTag)
{
  if (!cert.extensions) {
    return false;
  }

  // cert.extensions is a NULL-terminated array of extension pointers.
  for (auto cursor = cert.extensions; *cursor; ++cursor) {
    const CERTCertExtension* extension = *cursor;
    if (SECOID_FindOIDTag(&extension->id) != SEC_OID_X509_CERTIFICATE_POLICIES) {
      continue;
    }

    UniqueCERTCertificatePolicies policies(
      CERT_DecodeCertificatePoliciesExtension(&extension->value));
    if (!policies) {
      // Undecodable extension: keep looking, a later one may still decode.
      continue;
    }

    if (GetFirstEVPolicyFromPolicyList(policies, policy, policyOidTag)) {
      return true;
    }
  }

  return false;
}
1118 | | |
1119 | | } } // namespace mozilla::psm |