Perform DANE-EE(3) name checks by default

In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC 7671, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Viktor Dukhovni 2016-07-10 20:36:02 -04:00
parent d83b7e1a58
commit 5ae4ceb92c
8 changed files with 200 additions and 51 deletions


@ -2765,6 +2765,10 @@ static int dane_verify(X509_STORE_CTX *ctx)
/* Callback invoked as needed */
if (!check_leaf_suiteb(ctx, cert))
return 0;
/* Callback invoked as needed */
if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
!check_id(ctx))
return 0;
/* Bypass internal_verify(), issue depth 0 success callback */
ctx->error_depth = 0;
ctx->current_cert = cert;
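Review bot: The new `dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS` test is a deliberate deviation from RFC 7671, which does not require name checks for DANE-EE(3), yet the comment above it just repeats the generic `/* Callback invoked as needed */` from the suiteb check and gives no hint that the deviation is intentional. Someone auditing dane_verify() later could easily "fix" it back to the RFC behaviour; replace the duplicated comment with `/* Name checks apply to DANE-EE(3) by default, despite RFC 7671, to defeat unknown-key-share attacks; DANE_FLAG_NO_DANE_EE_NAMECHECKS opts out. Callback invoked as needed. */`. dane_verify() starts and ends outside this hunk.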


@ -3,7 +3,9 @@
=head1 NAME
SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable,
SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa -
SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa
SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags,
SSL_dane_set_flags, SSL_dane_clear_flags -
enable DANE TLS authentication of the remote TLS server in the local
TLS client
@ -21,6 +23,10 @@ TLS client
int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
uint8_t *mtype, unsigned const char **data,
size_t *dlen);
unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
=head1 DESCRIPTION
@ -124,6 +130,33 @@ The B<data> parameter is set to a short-term internal-copy of the associated
data field and must not be freed by the application.
Applications that need long-term access to this field need to copy the content.
SSL_CTX_dane_set_flags() and SSL_dane_set_flags() can be used to enable
optional DANE verification features.
SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
the same features.
The B<flags> argument is a bitmask of the features to enable or disable.
The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
associated with that context at the time the handle is created.
Subsequent changes in the context's B<flags> have no effect on the B<flags> set
for the handle.
At present, the only available option is B<DANE_FLAG_NO_DANE_EE_NAMECHECKS>
which can be used to disable server name checks when authenticating via
DANE-EE(3) TLSA records.
For some applications, primarily web browsers, it is not safe to disable name
checks due to "unknown key share" attacks, in which a malicious server can
convince a client that a connection to a victim server is instead a secure
connection to the malicious server.
The malicious server may then be able to violate cross-origin scripting
restrictions.
Thus, despite the text of RFC7671, name checks are by default enabled for
DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
to do so.
In particular, SMTP and XMPP clients should set this option as SRV and MX
records already make it possible for a remote domain to redirect client
connections to any server of its choice, and in any case SMTP and XMPP clients
do not execute scripts downloaded from remote servers.
=head1 RETURN VALUES
The functions SSL_CTX_dane_enable(), SSL_CTX_dane_mtype_set(),
@ -142,6 +175,10 @@ non-negative value indicates the chain depth at which the TLSA record matched a
chain certificate, or the depth of the top-most certificate, when the TLSA
record is a full public key that is its signer.
The functions SSL_CTX_dane_set_flags(), SSL_CTX_dane_clear_flags(),
SSL_dane_set_flags() and SSL_dane_clear_flags() return the B<flags> in effect
before they were called.
=head1 EXAMPLE
Suppose "smtp.example.com" is the MX host of the domain "example.com", and has
@ -171,6 +208,14 @@ the lifetime of the SSL connection.
if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
/* handle error */
/*
* For many applications it is safe to skip DANE-EE(3) namechecks. Do not
* disable the checks unless "unknown key share" attacks pose no risk for
* your application.
*/
SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
if (!SSL_add1_host(ssl, nexthop_domain))
/* handle error */
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);


@ -57,6 +57,7 @@ struct dane_ctx_st {
const EVP_MD **mdevp; /* mtype -> digest */
uint8_t *mdord; /* mtype -> preference */
uint8_t mdmax; /* highest supported mtype */
unsigned long flags; /* feature bitmask */
};
/*
@ -71,6 +72,7 @@ struct ssl_dane_st {
uint32_t umask; /* Usages present */
int mdpth; /* Depth of matched cert */
int pdpth; /* Depth of PKIX trust */
unsigned long flags; /* feature bitmask */
};
#define DANETLS_ENABLED(dane) \
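Review bot: Both new `flags` members carry the identical `/* feature bitmask */` comment, which hides the relationship between them: the ssl_lib.c part of this commit copies `ctx->dane.flags` into `s->dane.flags` in SSL_new() and again in ssl_dane_dup(), so later changes to the context's flags never reach existing handles. Suggest `unsigned long flags; /* DANE_FLAG_* bitmask, copied to each SSL at SSL_new() */` in dane_ctx_st and `unsigned long flags; /* DANE_FLAG_* bitmask for this handle (seeded from the SSL_CTX) */` in ssl_dane_st. Both struct definitions start outside this section's hunks.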


@ -1499,6 +1499,13 @@ __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
* offline testing in test/danetest.c
*/
SSL_DANE *SSL_get0_dane(SSL *ssl);
/*
* DANE flags
*/
unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
__owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
__owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
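Review bot: The four new prototypes sit under a bare `/* DANE flags */` comment, but the only flag value, DANE_FLAG_NO_DANE_EE_NAMECHECKS, is defined in x509_vfy.h elsewhere in this commit rather than next to these declarations, so a reader of ssl.h has no pointer to the valid bits or to what the return value is. Suggest `/* DANE flags: set/clear DANE_FLAG_* bits (see x509_vfy.h); each call returns the flags in effect before it */`. Leaving `__owur` off these, unlike the neighbouring declarations, looks right since discarding the previous value is a legitimate use.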


@ -376,6 +376,7 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
* offline testing in test/danetest.c
*/
void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane);
#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1L << 0)
/* X509_VERIFY_PARAM functions */
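Review bot: `DANE_FLAG_NO_DANE_EE_NAMECHECKS` is defined as `(1L << 0)`, a signed long, while every consumer in this commit stores and masks it in an `unsigned long` (the `flags` struct members and the set/clear_flags parameters). Bit 0 is harmless, but once more flags are added the signed form invites a sign-extension surprise at the top bit on 32-bit long platforms; `#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1UL << 0)` matches the storage type at no cost.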


@ -108,6 +108,9 @@ static int dane_ctx_enable(struct dane_ctx_st *dctx)
int n = ((int) mdmax) + 1; /* int to handle PrivMatch(255) */
size_t i;
if (dctx->mdevp != NULL)
return 1;
mdevp = OPENSSL_zalloc(n * sizeof(*mdevp));
mdord = OPENSSL_zalloc(n * sizeof(*mdord));
@ -182,6 +185,7 @@ static int ssl_dane_dup(SSL *to, SSL *from)
return 1;
dane_final(&to->dane);
to->dane.flags = from->dane.flags;
to->dane.dctx = &to->ctx->dane;
to->dane.trecs = sk_danetls_record_new_null();
@ -542,6 +546,7 @@ SSL *SSL_new(SSL_CTX *ctx)
RECORD_LAYER_init(&s->rlayer, s);
s->options = ctx->options;
s->dane.flags = ctx->dane.flags;
s->min_proto_version = ctx->min_proto_version;
s->max_proto_version = ctx->max_proto_version;
s->mode = ctx->mode;
@ -802,6 +807,22 @@ int SSL_CTX_dane_enable(SSL_CTX *ctx)
return dane_ctx_enable(&ctx->dane);
}
unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags)
{
unsigned long orig = ctx->dane.flags;
ctx->dane.flags |= flags;
return orig;
}
unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags)
{
unsigned long orig = ctx->dane.flags;
ctx->dane.flags &= ~flags;
return orig;
}
int SSL_dane_enable(SSL *s, const char *basedomain)
{
SSL_DANE *dane = &s->dane;
@ -845,6 +866,22 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
return 1;
}
unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags)
{
unsigned long orig = ssl->dane.flags;
ssl->dane.flags |= flags;
return orig;
}
unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags)
{
unsigned long orig = ssl->dane.flags;
ssl->dane.flags &= ~flags;
return orig;
}
int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki)
{
SSL_DANE *dane = &s->dane;
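Review bot: SSL_CTX_dane_set_flags() and SSL_CTX_dane_clear_flags() perform an unlocked read-modify-write of `ctx->dane.flags`, which SSL_new() reads in this same section (`s->dane.flags = ctx->dane.flags;`), so a call racing with handle creation can seed a new SSL with either the old or the new bitmask. That matches how other SSL_CTX option setters behave, so a documentation fix seems sufficient: a comment above SSL_CTX_dane_set_flags() such as `/* Not locked: set DANE flags during context setup, before SSL handles are created */`. The same caveat applies to the new `dctx->mdevp != NULL` early return in dane_ctx_enable(), whose function starts outside this section. The accessors also accept and store unknown bits unchanged, consistent with SSL_CTX_set_options(), which is fine but worth a one-line comment so nobody later adds validation that breaks forward compatibility.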


@ -329,6 +329,7 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
STACK_OF(X509) *chain;
int ntlsa;
int ncert;
int noncheck;
int want;
int want_depth;
int off;
@ -341,7 +342,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
continue;
++testno;
if (sscanf(line, "%d %d %d %d%n", &ntlsa, &ncert, &want, &want_depth, &off) != 4
if (sscanf(line, "%d %d %d %d %d%n",
&ntlsa, &ncert, &noncheck, &want, &want_depth, &off) != 5
|| !allws(line + off)) {
fprintf(stderr, "Expected tlsa count, cert count and result"
" at test %d of %s\n", testno, path);
@ -355,6 +357,8 @@ static int test_tlsafile(SSL_CTX *ctx, const char *basename,
SSL_free(ssl);
return -1;
}
if (noncheck)
SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
for (i = 0; i < ntlsa; ++i) {
if ((line = read_to_eol(f)) == NULL || !tlsa_import_rr(ssl, line)) {
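Review bot: The sscanf() format now reads five fields (`%d %d %d %d %d%n`, adding `noncheck`) but the diagnostic on the following lines still says `"Expected tlsa count, cert count and result"`, so a malformed test line reports the old layout. Update it to `"Expected tlsa count, cert count, noncheck flag, result and depth"` (the depth field was already missing from the message). `noncheck` is read as an int and used only as a truth value at `if (noncheck)`, which is fine for the 0/1 values the data file uses. test_tlsafile() starts and ends outside this section.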


@ -9,7 +9,7 @@
#
# The first line in each block takes the form:
#
# <TLSA-count> <cert-count> <desired-verify-result> <desired-match-depth>
# <TLSA-count> <cert-count> <nonamechecks> <desired-verify-result> <desired-match-depth>
#
# It is followed by <TLSA-count> lines of the form:
#
@ -49,7 +49,7 @@
## -- Anonymous and "never valid" leaf certificate DANE-EE(3) tests
# 1
1 1 0 0
1 1 1 0 0
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
subject=
issuer=
@ -64,7 +64,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 2
1 1 0 0
1 1 1 0 0
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
subject=
issuer=
@ -79,7 +79,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 3
1 1 0 0
1 1 1 0 0
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
subject=
issuer=
@ -94,7 +94,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 4
1 1 0 0
1 1 1 0 0
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
subject=
issuer=
@ -109,7 +109,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 5
1 1 65 -1
1 1 1 65 -1
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
subject=
issuer=
@ -124,7 +124,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 6
1 1 65 -1
1 1 1 65 -1
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
subject=
issuer=
@ -139,7 +139,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 7
1 1 65 -1
1 1 1 65 -1
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
subject=
issuer=
@ -154,7 +154,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 8
1 1 65 -1
1 1 1 65 -1
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A4
subject=
issuer=
@ -171,7 +171,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
## -- DANE-?? chain tests --
# 9
1 3 0 0
1 3 0 0 0
3 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -218,7 +218,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 10
1 3 0 0
1 3 0 0 0
3 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -265,7 +265,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 11
1 3 0 0
1 3 0 0 0
3 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -312,7 +312,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 12
1 3 0 0
1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -359,7 +359,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 13
1 3 0 1
1 3 0 0 1
2 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -406,7 +406,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 14
1 3 0 1
1 3 0 0 1
2 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -453,7 +453,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 15
1 3 0 1
1 3 0 0 1
2 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -500,7 +500,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 16
1 3 0 1
1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -547,7 +547,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 17
1 3 0 2
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -594,7 +594,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 18
1 3 0 2
1 3 0 0 2
2 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -641,7 +641,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 19
1 3 0 2
1 3 0 0 2
2 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -688,7 +688,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 20
1 3 0 2
1 3 0 0 2
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -737,7 +737,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
## -- PKIX-?? chain tests --
# 21
1 2 0 0
1 2 0 0 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -770,7 +770,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 22
1 2 0 0
1 2 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -803,7 +803,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 23
1 3 0 0
1 3 0 0 0
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -850,7 +850,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 24
1 3 0 0
1 3 0 0 0
1 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -897,7 +897,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 25
1 2 0 1
1 2 0 0 1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -930,7 +930,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 26
1 2 0 1
1 2 0 0 1
0 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -963,7 +963,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 27
1 3 0 1
1 3 0 0 1
0 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1010,7 +1010,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 28
1 3 0 1
1 3 0 0 1
0 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1057,7 +1057,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 29
1 2 0 2
1 2 0 0 2
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1090,7 +1090,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 30
1 2 0 2
1 2 0 0 2
0 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1123,7 +1123,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
# 31
1 3 0 2
1 3 0 0 2
0 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1170,7 +1170,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
# 32
1 3 0 2
1 3 0 0 2
0 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1220,7 +1220,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 33
# Missing intermediate CA
1 1 20 0
1 1 0 20 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1240,7 +1240,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 34
# Missing PKIX intermediate, provided via DNS
2 1 0 0
2 1 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
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
subject= /CN=example.com
@ -1261,7 +1261,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 35
# Wrong leaf digest
1 3 65 -1
1 3 0 65 -1
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9924
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1309,7 +1309,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 36
# Wrong intermediate digest
1 2 65 -1
1 2 0 65 -1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBE
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1343,7 +1343,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 37
# Wrong root digest
1 2 65 -1
1 2 0 65 -1
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3D
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1379,7 +1379,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 38
# DANE-EE(3) beats DANE-TA(2)
1 3 0 0
1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@ -1428,7 +1428,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 39
# DANE-TA(2) depth 1 beats DANE-TA(2) depth 2
1 3 0 1
1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@ -1477,7 +1477,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 40
# DANE-TA(2) depth 2 beats PKIX-TA(0) depth 1
1 3 0 2
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@ -1526,7 +1526,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 41
# DANE-TA(2) depth 2 beats PKIX-EE depth 0
1 3 0 2
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@ -1575,7 +1575,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
# 42
# DANE-TA(2) Full(0) root "from DNS":
1 2 0 2
1 2 0 0 2
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
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1609,7 +1609,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 43
# DANE-TA(2) Full(0) intermediate "from DNS":
1 1 0 1
1 1 0 0 1
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
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1629,7 +1629,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 44
# DANE-TA(2) SPKI(1) Full(0) intermediate "from DNS":
1 1 0 0
1 1 0 0 0
2 1 0 3059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AF
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1649,7 +1649,7 @@ GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
# 45
# DANE-TA(2) SPKI(1) Full(0) root "from DNS":
1 2 0 1
1 2 0 0 1
2 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76C
subject= /CN=example.com
issuer= /CN=Issuer CA
@ -1684,7 +1684,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
# 46
# Mismatched name "example.org", should still succeed given a
# DANE-EE(3) match.
1 3 0 0
1 3 1 0 0
3 1 1 ee1477190203f5d8b4767f4451b89e7367cdec7f6965a4988227983562ac8270
subject= CN = example.org
issuer= CN = CA2
@ -1733,7 +1733,7 @@ fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
# 47
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the intermediate CA.
1 3 62 1
1 3 0 62 1
2 1 1 946af0956378efaba7ee1bbedc17af110ea8de19c079a98e77398724a3708a1f
subject= CN = example.org
issuer= CN = CA2
@ -1782,7 +1782,7 @@ fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
# 48
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the root CA.
1 3 62 2
1 3 0 62 2
2 1 1 34474f2fbc39da44dfbd11215bdafadf9507406c04de1f65dbd2a1bc4f2165cc
subject= CN = example.org
issuer= CN = CA2
@ -1827,3 +1827,52 @@ FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
# 49
# Mismatched name "example.org", should fail when name checks
# are not disabled for DANE-EE(3).
1 3 0 62 0
3 1 1 ee1477190203f5d8b4767f4451b89e7367cdec7f6965a4988227983562ac8270
subject= CN = example.org
issuer= CN = CA2
notBefore=Feb 6 22:39:47 2016 GMT
notAfter=Feb 7 22:39:47 2116 GMT
-----BEGIN CERTIFICATE-----
MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAOMQwwCgYDVQQDDANDQTIwIBcN
MTYwMjA2MjIzOTQ3WhgPMjExNjAyMDcyMjM5NDdaMBYxFDASBgNVBAMMC2V4YW1w
bGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/YCEn0pxClPTvpjioxU4
ajopRa4j/6XTqxy9zqn1AcMCiVWp6j22B6RpLmKEHoRHQxFzebd2juTXIDq81CID
z6N6MHgwHQYDVR0OBBYEFOrSA+2YKXa5KR6k0687CZuhai5OMB8GA1UdIwQYMBaA
FLTY4vqgjcQ01aCcB8AYVbUhEU7VMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwCgYIKoZIzj0EAwIDSQAwRgIh
AKSsLwlidPiSrgda6XWihov4D4KHu6ZX3ZAAZ2uiBAefAiEArCq5WiO3Zeunl0Ct
PyDiaL1QKbJ7lnqPQCS1o8xn+RI=
-----END CERTIFICATE-----
subject= CN = CA2
issuer= CN = Root CA2
notBefore=Feb 6 22:39:13 2016 GMT
notAfter=Feb 7 22:39:13 2116 GMT
-----BEGIN CERTIFICATE-----
MIIBYjCCAQigAwIBAgIBAjAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
MjAgFw0xNjAyMDYyMjM5MTNaGA8yMTE2MDIwNzIyMzkxM1owDjEMMAoGA1UEAwwD
Q0EyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYr6zgBxpsxA31IFiGyb6uaGC
CQdNMyJfDgqCihsU1eOEuauzXO7tydCbjfRmhqQK1EGd254IjcGY+37tZEbvPKNQ
ME4wHQYDVR0OBBYEFLTY4vqgjcQ01aCcB8AYVbUhEU7VMB8GA1UdIwQYMBaAFBRb
+/qrntsksembakoZTwTZk8AXMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAw
RQIgX2fmMykyiuryf1AeKyc1j8HgmM8u/nyQfJnTCwvYUcECIQC6JHd3ybV9eJQo
7sfr/jV+rRlZY2iaRv160BWYd82L7g==
-----END CERTIFICATE-----
subject= CN = Root CA2
issuer= CN = Root CA2
notBefore=Feb 6 22:38:48 2016 GMT
notAfter=Feb 7 22:38:48 2116 GMT
-----BEGIN CERTIFICATE-----
MIIBaDCCAQ2gAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
MjAgFw0xNjAyMDYyMjM4NDhaGA8yMTE2MDIwNzIyMzg0OFowEzERMA8GA1UEAwwI
Um9vdCBDQTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlTxAPKteg+L1LmxMl
sbAFMxj6/322nR5RRGeF07KZRBFPaFZLgwZ1DuNrwM3wxxNdUyoZ6iAyDmwNf3K1
42/Uo1AwTjAdBgNVHQ4EFgQUFFv7+que2ySx6ZtqShlPBNmTwBcwHwYDVR0jBBgw
FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
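Review bot: The header comment adds `<nonamechecks>` to the per-block format line but never says what the values mean; the only definition is the sscanf() and `if (noncheck)` in danetest.c. A line after the format such as `# <nonamechecks> is 1 to set DANE_FLAG_NO_DANE_EE_NAMECHECKS on the handle, 0 to keep the default name checks` would let someone editing this file get it right without reading the driver. Test 49 is the only case exercising the new default on a mismatched name (noncheck 0, expecting result 62); tests 9–12 appear to cover the matching-name path with usage 3 and noncheck 0, so the coverage looks complete, though the descriptions of tests 46 and 49 could say "with name checks disabled" / "with name checks enabled" explicitly to make the pairing obvious.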