blob: d75f9ddd580b7aa14206a9341edf24e165df5459 [file] [log] [blame]
[Created by: generate-target-has-keycertsign-but-not-ca.py]
Certificate chain with 1 intermediate, a trusted root, and a target
certificate that is not a CA, and yet has the keyCertSign bit set. Verification
is expected to fail, since keyCertSign should only be asserted when CA is
true.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Intermediate
Validity
Not Before: Jan 1 12:00:00 2015 GMT
Not After : Jan 1 12:00:00 2016 GMT
Subject: CN=Target
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:e6:1b:b4:96:49:1d:88:99:c3:be:30:44:ed:
2a:6e:80:18:66:5a:66:26:44:14:8f:1a:1d:69:81:
8b:44:fb:ee:76:a1:c6:6d:e1:c1:ad:50:aa:99:a2:
d5:ce:ac:f4:86:04:93:02:d9:33:aa:24:ef:36:ef:
5c:93:9a:69:00:45:95:c3:82:37:67:df:25:3e:ea:
dc:d0:fb:08:7f:89:aa:ad:df:a6:b6:c8:09:a3:74:
dc:17:12:b4:03:7d:7d:86:7d:57:1e:ff:d2:16:f7:
9f:85:79:6e:5c:01:e3:cf:64:9d:55:e1:77:2c:43:
89:30:d1:eb:d0:2e:68:e6:d1:c1:2a:92:58:c8:e2:
9b:95:be:f6:d0:42:2d:38:fe:c8:17:a3:cf:37:76:
af:b1:0e:32:a5:6d:58:c9:de:4b:f4:2f:fa:8c:e4:
9c:c6:1c:88:7c:55:01:4b:48:81:b0:0f:4f:19:f7:
fa:12:e7:9e:27:27:85:47:e6:b8:07:d9:59:a3:9a:
ac:3f:7d:a6:14:16:c8:8b:8d:70:d7:7b:fa:46:d4:
32:fc:50:c7:83:82:e3:18:69:a5:a4:56:df:24:a3:
c5:7d:d5:f3:24:a4:67:22:4c:c8:b6:93:c2:05:fc:
01:1b:ae:9d:a4:76:f4:bb:d6:b6:a9:32:2c:3a:fe:
91:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
55:B5:67:E4:CD:8D:51:AD:5E:A2:25:B0:94:40:72:52:F4:17:24:4E
X509v3 Authority Key Identifier:
keyid:71:AE:42:1C:8C:C1:FB:35:F7:C0:9F:63:95:A7:7B:4F:9D:8E:D2:7A
Authority Information Access:
CA Issuers - URI:http://url-for-aia/Intermediate.cer
X509v3 CRL Distribution Points:
Full Name:
URI:http://url-for-crl/Intermediate.crl
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
25:e8:87:e7:07:ba:bd:47:c3:dd:5a:3c:29:bc:af:cb:fb:cd:
c6:55:e6:9c:7b:cd:0e:8f:1a:0a:e4:cb:06:db:42:44:02:e5:
37:6e:1a:a3:7d:23:96:c6:b2:67:cb:5a:1e:71:a1:e3:4f:15:
80:7f:a1:0d:59:60:b0:6f:c9:ab:0f:ef:20:d3:c2:45:e0:99:
aa:7e:e1:b7:31:dc:4b:b2:16:78:c5:06:27:a8:5e:c5:7b:3b:
dc:81:81:0d:eb:31:13:d5:4b:23:2e:4e:2c:86:fd:ce:58:96:
b5:cc:33:80:5c:7b:8a:ce:74:97:aa:df:fc:7c:1e:42:7d:12:
58:bb:84:0f:2d:30:7c:a9:0c:1e:5c:c4:c6:ce:2b:c0:9d:bb:
7d:c2:51:04:5d:70:c3:63:43:59:57:40:e4:69:52:be:72:79:
b4:c5:74:51:30:af:9c:30:8e:33:89:be:69:69:4a:01:03:07:
d9:df:8b:0c:69:ff:cc:57:45:7c:c6:23:e5:4a:1f:19:94:19:
25:9d:eb:87:04:51:06:ba:9c:6b:72:da:2b:05:ef:72:21:e9:
95:5e:61:83:6a:7a:b6:30:f8:97:a1:99:dd:12:ea:47:50:ee:
26:02:3b:81:94:a8:19:29:a7:ad:b6:7c:28:10:53:09:53:a4:
61:74:57:ed
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxJbnRl
cm1lZGlhdGUwHhcNMTUwMTAxMTIwMDAwWhcNMTYwMTAxMTIwMDAwWjARMQ8wDQYD
VQQDDAZUYXJnZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq5hu0
lkkdiJnDvjBE7SpugBhmWmYmRBSPGh1pgYtE++52ocZt4cGtUKqZotXOrPSGBJMC
2TOqJO8271yTmmkARZXDgjdn3yU+6tzQ+wh/iaqt36a2yAmjdNwXErQDfX2GfVce
/9IW95+FeW5cAePPZJ1V4XcsQ4kw0evQLmjm0cEqkljI4puVvvbQQi04/sgXo883
dq+xDjKlbVjJ3kv0L/qM5JzGHIh8VQFLSIGwD08Z9/oS554nJ4VH5rgH2Vmjmqw/
faYUFsiLjXDXe/pG1DL8UMeDguMYaaWkVt8ko8V91fMkpGciTMi2k8IF/AEbrp2k
dvS71rapMiw6/pGTAgMBAAGjgekwgeYwHQYDVR0OBBYEFFW1Z+TNjVGtXqIlsJRA
clL0FyROMB8GA1UdIwQYMBaAFHGuQhyMwfs198CfY5Wne0+djtJ6MD8GCCsGAQUF
BwEBBDMwMTAvBggrBgEFBQcwAoYjaHR0cDovL3VybC1mb3ItYWlhL0ludGVybWVk
aWF0ZS5jZXIwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL3VybC1mb3ItY3JsL0lu
dGVybWVkaWF0ZS5jcmwwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAJeiH5we6vUfD3Vo8Kbyv
y/vNxlXmnHvNDo8aCuTLBttCRALlN24ao30jlsayZ8taHnGh408VgH+hDVlgsG/J
qw/vINPCReCZqn7htzHcS7IWeMUGJ6hexXs73IGBDesxE9VLIy5OLIb9zliWtcwz
gFx7is50l6rf/HweQn0SWLuEDy0wfKkMHlzExs4rwJ27fcJRBF1ww2NDWVdA5GlS
vnJ5tMV0UTCvnDCOM4m+aWlKAQMH2d+LDGn/zFdFfMYj5UofGZQZJZ3rhwRRBrqc
a3LaKwXvciHplV5hg2p6tjD4l6GZ3RLqR1DuJgI7gZSoGSmnrbZ8KBBTCVOkYXRX
7Q==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Root
Validity
Not Before: Jan 1 12:00:00 2015 GMT
Not After : Jan 1 12:00:00 2016 GMT
Subject: CN=Intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:8f:d1:37:69:c5:65:2a:c8:df:6e:82:4d:1a:
ea:2c:59:9d:43:07:8b:d1:c3:01:3a:1d:7a:9f:81:
ad:b8:fb:10:35:ae:84:80:07:69:5b:47:eb:af:1c:
7b:43:21:f3:3c:13:8a:3b:62:c0:20:fa:96:06:9b:
50:04:82:05:c2:7a:e3:53:d1:34:ab:2e:94:a9:6b:
5f:6c:a9:66:0d:df:d0:73:79:f0:bd:ac:9c:99:68:
e7:1c:25:6f:c6:68:36:07:99:57:23:17:a8:8e:4e:
8c:b9:41:ef:25:7e:92:3d:08:8a:82:c2:de:fe:a3:
cc:05:ed:b5:8b:b8:2f:09:eb:87:29:4d:55:f1:4e:
ee:3a:91:54:dc:6f:6a:9e:d8:17:2a:3a:46:00:65:
f4:4d:ae:26:35:72:97:06:41:ef:4e:bd:af:83:ec:
9b:e2:96:24:61:2b:88:71:77:a7:e8:cf:2e:3e:79:
5b:a2:33:11:94:aa:e7:65:6b:06:a2:4e:94:c8:d7:
56:0f:cc:12:b9:9c:c1:b5:f6:bf:2a:a0:f8:b1:74:
34:54:0e:cb:f0:87:87:f6:93:3f:f4:5f:10:81:90:
78:51:ae:41:19:6e:c9:89:8c:9d:d9:85:64:18:de:
e5:d6:8c:a8:5a:4b:60:b0:44:5f:7a:1e:f4:d1:5b:
94:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
71:AE:42:1C:8C:C1:FB:35:F7:C0:9F:63:95:A7:7B:4F:9D:8E:D2:7A
X509v3 Authority Key Identifier:
keyid:F7:A4:4C:CA:BB:81:7B:10:63:6B:CC:BC:73:ED:C6:1C:56:55:40:1C
Authority Information Access:
CA Issuers - URI:http://url-for-aia/Root.cer
X509v3 CRL Distribution Points:
Full Name:
URI:http://url-for-crl/Root.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
7b:29:bd:b8:c7:76:7f:09:90:d3:5d:e7:20:9e:f6:a0:bd:dc:
a1:cb:7c:c8:c8:17:d5:80:81:79:6a:88:e5:e8:c8:e3:56:37:
60:3f:9c:2a:14:86:fe:e0:79:2f:d6:ec:67:51:d4:d8:65:9d:
ce:3b:59:b6:42:06:7b:c8:2a:79:7f:40:2f:ed:fb:50:d3:78:
9e:99:fe:1d:fe:a1:4f:1d:58:c9:2d:b4:75:72:3f:6a:7a:db:
2e:7b:81:3b:00:3f:e4:95:47:63:42:90:fd:25:ba:db:53:0a:
01:37:28:78:7d:c6:cf:54:5e:2b:94:88:79:bb:4c:f7:06:e3:
7a:be:44:29:c3:2e:17:ea:61:c4:8f:16:f0:b6:e0:60:fe:19:
08:48:fd:a8:bf:95:ef:e5:32:1c:cf:e5:59:6b:04:1d:4c:6d:
ea:9b:4d:b4:f9:14:c2:00:a3:32:d6:1b:54:00:5a:17:29:8f:
85:0c:eb:ed:41:70:6f:52:f8:37:92:ed:2b:ae:8c:b8:e4:51:
aa:68:62:12:9b:97:62:1a:5b:27:46:b5:5f:8c:0e:c9:93:15:
d7:d8:85:99:67:56:ef:31:4a:55:1f:67:7c:09:fc:03:c9:a0:
67:b8:ed:32:d7:c0:0b:bd:b6:47:b9:50:78:f2:0a:ec:1d:bd:
d5:e9:06:b3
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowFzEVMBMGA1UEAwwMSW50
ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxI/RN2nF
ZSrI326CTRrqLFmdQweL0cMBOh16n4GtuPsQNa6EgAdpW0frrxx7QyHzPBOKO2LA
IPqWBptQBIIFwnrjU9E0qy6UqWtfbKlmDd/Qc3nwvaycmWjnHCVvxmg2B5lXIxeo
jk6MuUHvJX6SPQiKgsLe/qPMBe21i7gvCeuHKU1V8U7uOpFU3G9qntgXKjpGAGX0
Ta4mNXKXBkHvTr2vg+yb4pYkYSuIcXen6M8uPnlbojMRlKrnZWsGok6UyNdWD8wS
uZzBtfa/KqD4sXQ0VA7L8IeH9pM/9F8QgZB4Ua5BGW7JiYyd2YVkGN7l1oyoWktg
sERfeh700VuUlwIDAQABo4HLMIHIMB0GA1UdDgQWBBRxrkIcjMH7NffAn2OVp3tP
nY7SejAfBgNVHSMEGDAWgBT3pEzKu4F7EGNrzLxz7cYcVlVAHDA3BggrBgEFBQcB
AQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly91cmwtZm9yLWFpYS9Sb290LmNlcjAs
BgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vdXJsLWZvci1jcmwvUm9vdC5jcmwwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AHspvbjHdn8JkNNd5yCe9qC93KHLfMjIF9WAgXlqiOXoyONWN2A/nCoUhv7geS/W
7GdR1Nhlnc47WbZCBnvIKnl/QC/t+1DTeJ6Z/h3+oU8dWMkttHVyP2p62y57gTsA
P+SVR2NCkP0luttTCgE3KHh9xs9UXiuUiHm7TPcG43q+RCnDLhfqYcSPFvC24GD+
GQhI/ai/le/lMhzP5VlrBB1MbeqbTbT5FMIAozLWG1QAWhcpj4UM6+1BcG9S+DeS
7SuujLjkUapoYhKbl2IaWydGtV+MDsmTFdfYhZlnVu8xSlUfZ3wJ/APJoGe47TLX
wAu9tke5UHjyCuwdvdXpBrM=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Root
Validity
Not Before: Jan 1 12:00:00 2015 GMT
Not After : Jan 1 12:00:00 2016 GMT
Subject: CN=Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cd:6b:8f:1c:b6:4c:54:b3:0d:f7:e0:b8:5a:a6:
d3:cc:0b:63:89:cb:3a:5a:87:3c:39:65:aa:63:32:
79:fe:5c:67:f6:00:8c:32:b6:75:01:2f:7b:45:d3:
a4:53:f4:7a:47:7e:2d:ca:5a:d2:22:eb:22:8c:02:
e3:c1:91:ad:71:f8:67:43:62:8f:f1:60:17:77:ea:
a3:d6:78:64:b2:58:c2:fd:20:e0:a2:06:d5:18:a8:
36:9e:2e:b0:97:20:c7:72:a4:51:0d:d5:f0:f0:1f:
b2:05:8e:82:98:9e:b5:67:dd:55:bb:c1:03:e1:9f:
45:73:74:d7:11:aa:5b:de:c1:5d:5e:f2:29:85:29:
03:e3:14:fa:e8:91:f5:29:a3:8c:c0:78:1c:4c:18:
2b:49:2b:20:31:1e:bf:e1:55:7f:ed:76:25:4d:95:
a5:40:4c:cc:f4:8e:de:85:d3:88:0a:86:27:95:f4:
c8:4b:00:8d:16:b7:33:e9:76:12:aa:85:43:1e:89:
bb:ae:16:f2:f1:26:c4:a7:b9:44:89:76:1b:1a:2c:
34:50:4b:e0:68:bc:f1:fb:be:22:14:b0:2b:67:78:
22:f0:71:07:43:21:a3:24:d7:4e:28:a0:7d:04:16:
b1:a2:d8:35:2a:2b:2e:13:8e:6b:e9:c9:7f:78:7e:
98:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F7:A4:4C:CA:BB:81:7B:10:63:6B:CC:BC:73:ED:C6:1C:56:55:40:1C
X509v3 Authority Key Identifier:
keyid:F7:A4:4C:CA:BB:81:7B:10:63:6B:CC:BC:73:ED:C6:1C:56:55:40:1C
Authority Information Access:
CA Issuers - URI:http://url-for-aia/Root.cer
X509v3 CRL Distribution Points:
Full Name:
URI:http://url-for-crl/Root.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
50:5f:b0:32:ec:41:85:3d:75:ff:8d:05:17:be:20:98:81:da:
48:39:17:20:24:a7:31:cf:63:35:90:29:26:d0:60:29:e1:68:
fe:35:fd:6c:61:c0:3a:cd:08:92:9b:cc:ad:73:d4:dd:a5:51:
0e:a9:65:04:7d:16:77:8b:b8:b4:9d:fb:c4:7a:4a:ab:8a:9e:
d0:70:47:45:74:a4:57:ab:c2:cd:b3:c5:44:6b:7e:3b:78:8f:
5b:7f:f0:f7:c3:ef:24:a2:40:fe:c6:71:cd:a8:a6:ac:63:22:
57:39:f5:98:c3:91:79:bf:47:6a:0b:c6:b1:61:c6:35:1b:1c:
10:cc:e7:bc:20:83:f6:48:26:4a:80:47:e0:22:fa:04:1f:b0:
06:9c:54:fa:46:45:9b:d5:20:a2:f0:ee:be:b5:a2:83:92:86:
5d:f5:40:f5:32:d0:85:35:eb:af:5d:9b:04:5d:21:b3:35:90:
e8:5f:0a:6c:90:85:eb:86:31:e4:89:81:c6:aa:73:4d:1e:3e:
af:40:07:f1:38:ae:30:ab:2d:aa:6d:2f:b2:1d:ff:d8:18:2e:
f3:d0:74:8e:ff:6d:24:97:30:cb:b6:e5:6f:cb:6b:c2:27:5e:
a5:f1:63:c0:d9:0d:c5:08:7f:86:8c:47:c4:9b:cb:e2:d9:da:
17:51:5b:12
-----BEGIN TRUST_ANCHOR_UNCONSTRAINED-----
MIIDZTCCAk2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowDzENMAsGA1UEAwwEUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1rjxy2TFSzDffguFqm
08wLY4nLOlqHPDllqmMyef5cZ/YAjDK2dQEve0XTpFP0ekd+Lcpa0iLrIowC48GR
rXH4Z0Nij/FgF3fqo9Z4ZLJYwv0g4KIG1RioNp4usJcgx3KkUQ3V8PAfsgWOgpie
tWfdVbvBA+GfRXN01xGqW97BXV7yKYUpA+MU+uiR9SmjjMB4HEwYK0krIDEev+FV
f+12JU2VpUBMzPSO3oXTiAqGJ5X0yEsAjRa3M+l2EqqFQx6Ju64W8vEmxKe5RIl2
GxosNFBL4Gi88fu+IhSwK2d4IvBxB0MhoyTXTiigfQQWsaLYNSorLhOOa+nJf3h+
mN8CAwEAAaOByzCByDAdBgNVHQ4EFgQU96RMyruBexBja8y8c+3GHFZVQBwwHwYD
VR0jBBgwFoAU96RMyruBexBja8y8c+3GHFZVQBwwNwYIKwYBBQUHAQEEKzApMCcG
CCsGAQUFBzAChhtodHRwOi8vdXJsLWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUw
IzAhoB+gHYYbaHR0cDovL3VybC1mb3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQE
AwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBQX7Ay7EGF
PXX/jQUXviCYgdpIORcgJKcxz2M1kCkm0GAp4Wj+Nf1sYcA6zQiSm8ytc9TdpVEO
qWUEfRZ3i7i0nfvEekqrip7QcEdFdKRXq8LNs8VEa347eI9bf/D3w+8kokD+xnHN
qKasYyJXOfWYw5F5v0dqC8axYcY1GxwQzOe8IIP2SCZKgEfgIvoEH7AGnFT6RkWb
1SCi8O6+taKDkoZd9UD1MtCFNeuvXZsEXSGzNZDoXwpskIXrhjHkiYHGqnNNHj6v
QAfxOK4wqy2qbS+yHf/YGC7z0HSO/20klzDLtuVvy2vCJ16l8WPA2Q3FCH+GjEfE
m8vi2doXUVsS
-----END TRUST_ANCHOR_UNCONSTRAINED-----
150302120000Z
-----BEGIN TIME-----
MTUwMzAyMTIwMDAwWg==
-----END TIME-----
FAIL
-----BEGIN VERIFY_RESULT-----
RkFJTA==
-----END VERIFY_RESULT-----
Target certificate looks like a CA but does not set all CA properties
-----BEGIN ERRORS-----
VGFyZ2V0IGNlcnRpZmljYXRlIGxvb2tzIGxpa2UgYSBDQSBidXQgZG9lcyBub3Qgc2V0IGFsbCBDQSBwcm9wZXJ0aWVz
-----END ERRORS-----