Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues
OS X's lack of robust support for cross-signed certificates, combined with the
impending removal of the legacy GTE CyberTrust 1024-bit root in favour of
the 2048-bit Baltimore CyberTrust Root, will soon cause issues for sites that
need to use the cross-signed intermediate. Fix up the chain on the fly when
dealing with such sites.
BUG=236112
TEST=net_unittests
Review URL: https://chromiumcodereview.appspot.com/14492003
git-svn-id: http://src.chromium.org/svn/trunk/src/net@206274 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
diff --git a/cert/cert_verify_proc_mac.cc b/cert/cert_verify_proc_mac.cc
index 77346df..da284d4 100644
--- a/cert/cert_verify_proc_mac.cc
+++ b/cert/cert_verify_proc_mac.cc
@@ -345,6 +345,179 @@
hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
}
+// Builds and evaluates a SecTrustRef for the certificate chain contained
+// in |cert_array|, using the verification policies in |trust_policies|. On
+// success, returns OK, and updates |trust_ref|, |trust_result|,
+// |verified_chain|, and |chain_info| with the verification results. On
+// failure, no output parameters are modified.
+//
+// Note: An OK return does not mean that |cert_array| is trusted, merely that
+// verification was performed successfully.
+//
+// This function should only be called while the Mac Security Services lock is
+// held.
+int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
+ CFArrayRef trust_policies,
+ int flags,
+ ScopedCFTypeRef<SecTrustRef>* trust_ref,
+ SecTrustResultType* trust_result,
+ ScopedCFTypeRef<CFArrayRef>* verified_chain,
+ CSSM_TP_APPLE_EVIDENCE_INFO** chain_info) {
+ SecTrustRef tmp_trust = NULL;
+ OSStatus status = SecTrustCreateWithCertificates(cert_array, trust_policies,
+ &tmp_trust);
+ if (status)
+ return NetErrorFromOSStatus(status);
+ ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust);
+
+ if (TestRootCerts::HasInstance()) {
+ status = TestRootCerts::GetInstance()->FixupSecTrustRef(tmp_trust);
+ if (status)
+ return NetErrorFromOSStatus(status);
+ }
+
+ CSSM_APPLE_TP_ACTION_DATA tp_action_data;
+ memset(&tp_action_data, 0, sizeof(tp_action_data));
+ tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION;
+ // Allow CSSM to download any missing intermediate certificates if an
+ // authorityInfoAccess extension or issuerAltName extension is present.
+ tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
+ CSSM_TP_ACTION_TRUST_SETTINGS;
+
+ // Note: For EV certificates, the Apple TP will handle setting these flags
+ // as part of EV evaluation.
+ if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) {
+ // Require a positive result from an OCSP responder or a CRL (or both)
+ // for every certificate in the chain. The Apple TP automatically
+ // excludes the self-signed root from this requirement. If a certificate
+ // is missing both a crlDistributionPoints extension and an
+ // authorityInfoAccess extension with an OCSP responder URL, then we
+ // will get a kSecTrustResultRecoverableTrustFailure back from
+ // SecTrustEvaluate(), with a
+ // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
+ // we'll set our own result to include
+ // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
+ // present, and a check fails (server unavailable, OCSP retry later,
+ // signature mismatch), then we'll set our own result to include
+ // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
+ tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
+
+ // Note, even if revocation checking is disabled, SecTrustEvaluate() will
+ // modify the OCSP options so as to attempt OCSP checking if it believes a
+ // certificate may chain to an EV root. However, because network fetches
+ // are disabled in CreateTrustPolicies() when revocation checking is
+ // disabled, these will only go against the local cache.
+ }
+
+ CFDataRef action_data_ref =
+ CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
+ reinterpret_cast<UInt8*>(&tp_action_data),
+ sizeof(tp_action_data), kCFAllocatorNull);
+ if (!action_data_ref)
+ return ERR_OUT_OF_MEMORY;
+ ScopedCFTypeRef<CFDataRef> scoped_action_data_ref(action_data_ref);
+ status = SecTrustSetParameters(tmp_trust, CSSM_TP_ACTION_DEFAULT,
+ action_data_ref);
+ if (status)
+ return NetErrorFromOSStatus(status);
+
+ // Verify the certificate. A non-zero result from SecTrustGetResult()
+ // indicates that some fatal error occurred and the chain couldn't be
+ // processed, not that the chain contains no errors. We need to examine the
+ // output of SecTrustGetResult() to determine that.
+ SecTrustResultType tmp_trust_result;
+ status = SecTrustEvaluate(tmp_trust, &tmp_trust_result);
+ if (status)
+ return NetErrorFromOSStatus(status);
+ CFArrayRef tmp_verified_chain = NULL;
+ CSSM_TP_APPLE_EVIDENCE_INFO* tmp_chain_info;
+ status = SecTrustGetResult(tmp_trust, &tmp_trust_result, &tmp_verified_chain,
+ &tmp_chain_info);
+ if (status)
+ return NetErrorFromOSStatus(status);
+
+ trust_ref->swap(scoped_tmp_trust);
+ *trust_result = tmp_trust_result;
+ verified_chain->reset(tmp_verified_chain);
+ *chain_info = tmp_chain_info;
+
+ return OK;
+}
+
+// OS X ships with both "GTE CyberTrust Global Root" and "Baltimore CyberTrust
+// Root" as part of its trusted root store. However, a cross-certified version
+// of the "Baltimore CyberTrust Root" exists that chains to "GTE CyberTrust
+// Global Root". When OS X/Security.framework attempts to evaluate such a
+// certificate chain, it disregards the "Baltimore CyberTrust Root" that exists
+// within Keychain and instead attempts to terminate the chain in the "GTE
+// CyberTrust Global Root". However, the GTE root is scheduled to be removed in
+// a future OS X update (for sunsetting purposes), and once removed, such
+// chains will fail validation, even though a trust anchor still exists.
+//
+// Rather than over-generalizing a solution that may mask a number of TLS
+// misconfigurations, attempt to specifically match the affected
+// cross-certified certificate and remove it from certificate chain processing.
+bool IsBadBaltimoreGTECertificate(SecCertificateRef cert) {
+ // Matches the GTE-signed Baltimore CyberTrust Root
+ // https://cacert.omniroot.com/Baltimore-to-GTE-04-12.pem
+ static const SHA1HashValue kBadBaltimoreHashNew =
+ { { 0x4D, 0x34, 0xEA, 0x92, 0x76, 0x4B, 0x3A, 0x31, 0x49, 0x11,
+ 0x99, 0x52, 0xF4, 0x19, 0x30, 0xCA, 0x11, 0x34, 0x83, 0x61 } };
+ // Matches the legacy GTE-signed Baltimore CyberTrust Root
+ // https://cacert.omniroot.com/gte-2-2025.pem
+ static const SHA1HashValue kBadBaltimoreHashOld =
+ { { 0x54, 0xD8, 0xCB, 0x49, 0x1F, 0xA1, 0x6D, 0xF8, 0x87, 0xDC,
+ 0x94, 0xA9, 0x34, 0xCC, 0x83, 0x6B, 0xDA, 0xA8, 0xA3, 0x69 } };
+
+ SHA1HashValue fingerprint = X509Certificate::CalculateFingerprint(cert);
+
+ return fingerprint.Equals(kBadBaltimoreHashNew) ||
+ fingerprint.Equals(kBadBaltimoreHashOld);
+}
+
+// Attempts to re-verify |cert_array| after adjusting the inputs to work around
+// known issues in OS X. To be used if BuildAndEvaluateSecTrustRef fails to
+// return a positive result for verification.
+//
+// This function should only be called while the Mac Security Services lock is
+// held.
+void RetrySecTrustEvaluateWithAdjustedChain(
+ CFArrayRef cert_array,
+ CFArrayRef trust_policies,
+ int flags,
+ ScopedCFTypeRef<SecTrustRef>* trust_ref,
+ SecTrustResultType* trust_result,
+ ScopedCFTypeRef<CFArrayRef>* verified_chain,
+ CSSM_TP_APPLE_EVIDENCE_INFO** chain_info) {
+ CFIndex count = CFArrayGetCount(*verified_chain);
+ CFIndex slice_point = 0;
+
+ for (CFIndex i = 1; i < count; ++i) {
+ SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(*verified_chain, i)));
+ if (cert == NULL)
+ return; // Strange times; can't fix things up.
+
+ if (IsBadBaltimoreGTECertificate(cert)) {
+ slice_point = i;
+ break;
+ }
+ }
+ if (slice_point == 0)
+ return; // Nothing to do.
+
+ ScopedCFTypeRef<CFMutableArrayRef> adjusted_cert_array(
+ CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks));
+ // Note: This excludes the certificate at |slice_point|.
+ CFArrayAppendArray(adjusted_cert_array, cert_array,
+ CFRangeMake(0, slice_point));
+
+ // Ignore the result; failure will preserve the old verification results.
+ BuildAndEvaluateSecTrustRef(
+ adjusted_cert_array, trust_policies, flags, trust_ref, trust_result,
+ verified_chain, chain_info);
+}
+
} // namespace
CertVerifyProcMac::CertVerifyProcMac() {}
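Review bot: In RetrySecTrustEvaluateWithAdjustedChain, `slice_point` is found as an index into `*verified_chain` but is then used as the length of a range over `cert_array` in `CFRangeMake(0, slice_point)`. The evaluated chain may contain certificates that Security.framework fetched or took from a keychain, and may order them differently from the input, so the slice can drop the wrong certificates or exceed `CFArrayGetCount(cert_array)`, which is outside what CFArrayAppendArray accepts. Searching the input instead, with `CFIndex count = CFArrayGetCount(cert_array);` and `CFArrayGetValueAtIndex(cert_array, i)`, keeps the range valid and returns early when the cross-signed certificate was not supplied by the peer; the result of `CFArrayCreateMutable` should also be checked for NULL before appending. Separately, BuildAndEvaluateSecTrustRef wraps the stack-local `tp_action_data` with `CFDataCreateWithBytesNoCopy` and then hands the trust object to the caller through `trust_ref->swap(scoped_tmp_trust)`. If Security.framework retains that CFData rather than copying it (not visible here), the returned trust refers to a dead stack frame, which the copying `CFDataCreate(kCFAllocatorDefault, reinterpret_cast<UInt8*>(&tp_action_data), sizeof(tp_action_data))` would avoid.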
@@ -378,85 +551,30 @@
// issues in OS X 10.6+ with multi-threaded access to Security.framework.
base::AutoLock lock(crypto::GetMacSecurityServicesLock());
- SecTrustRef trust_ref = NULL;
- status = SecTrustCreateWithCertificates(cert_array, trust_policies,
- &trust_ref);
- if (status)
- return NetErrorFromOSStatus(status);
- ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref);
+ ScopedCFTypeRef<SecTrustRef> trust_ref;
+ SecTrustResultType trust_result = kSecTrustResultDeny;
+ ScopedCFTypeRef<CFArrayRef> completed_chain;
+ CSSM_TP_APPLE_EVIDENCE_INFO* chain_info = NULL;
- if (TestRootCerts::HasInstance()) {
- status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref);
- if (status)
- return NetErrorFromOSStatus(status);
+ int rv = BuildAndEvaluateSecTrustRef(
+ cert_array, trust_policies, flags, &trust_ref, &trust_result,
+ &completed_chain, &chain_info);
+ if (rv != OK)
+ return rv;
+ if (trust_result != kSecTrustResultUnspecified &&
+ trust_result != kSecTrustResultProceed) {
+ RetrySecTrustEvaluateWithAdjustedChain(
+ cert_array, trust_policies, flags, &trust_ref, &trust_result,
+ &completed_chain, &chain_info);
}
- CSSM_APPLE_TP_ACTION_DATA tp_action_data;
- memset(&tp_action_data, 0, sizeof(tp_action_data));
- tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION;
- // Allow CSSM to download any missing intermediate certificates if an
- // authorityInfoAccess extension or issuerAltName extension is present.
- tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
- CSSM_TP_ACTION_TRUST_SETTINGS;
-
- // Note: For EV certificates, the Apple TP will handle setting these flags
- // as part of EV evaluation.
- if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) {
- // Require a positive result from an OCSP responder or a CRL (or both)
- // for every certificate in the chain. The Apple TP automatically
- // excludes the self-signed root from this requirement. If a certificate
- // is missing both a crlDistributionPoints extension and an
- // authorityInfoAccess extension with an OCSP responder URL, then we
- // will get a kSecTrustResultRecoverableTrustFailure back from
- // SecTrustEvaluate(), with a
- // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
- // we'll set our own result to include
- // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
- // present, and a check fails (server unavailable, OCSP retry later,
- // signature mismatch), then we'll set our own result to include
- // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
- tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
+ if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
- // Note, even if revocation checking is disabled, SecTrustEvaluate() will
- // modify the OCSP options so as to attempt OCSP checking if it believes a
- // certificate may chain to an EV root. However, because network fetches
- // are disabled in CreateTrustPolicies() when revocation checking is
- // disabled, these will only go against the local cache.
- }
-
- CFDataRef action_data_ref =
- CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
- reinterpret_cast<UInt8*>(&tp_action_data),
- sizeof(tp_action_data), kCFAllocatorNull);
- if (!action_data_ref)
- return ERR_OUT_OF_MEMORY;
- ScopedCFTypeRef<CFDataRef> scoped_action_data_ref(action_data_ref);
- status = SecTrustSetParameters(trust_ref, CSSM_TP_ACTION_DEFAULT,
- action_data_ref);
- if (status)
- return NetErrorFromOSStatus(status);
-
- // Verify the certificate. A non-zero result from SecTrustGetResult()
- // indicates that some fatal error occurred and the chain couldn't be
- // processed, not that the chain contains no errors. We need to examine the
- // output of SecTrustGetResult() to determine that.
- SecTrustResultType trust_result;
- status = SecTrustEvaluate(trust_ref, &trust_result);
- if (status)
- return NetErrorFromOSStatus(status);
- CFArrayRef completed_chain = NULL;
- CSSM_TP_APPLE_EVIDENCE_INFO* chain_info;
- status = SecTrustGetResult(trust_ref, &trust_result, &completed_chain,
- &chain_info);
- if (status)
- return NetErrorFromOSStatus(status);
- ScopedCFTypeRef<CFArrayRef> scoped_completed_chain(completed_chain);
-
if (crl_set && !CheckRevocationWithCRLSet(completed_chain, crl_set))
verify_result->cert_status |= CERT_STATUS_REVOKED;
- GetCertChainInfo(scoped_completed_chain.get(), chain_info, verify_result);
+ GetCertChainInfo(completed_chain, chain_info, verify_result);
// As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
// is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
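Review bot: The retry is entered for every result other than Unspecified or Proceed, which includes `kSecTrustResultDeny` and `kSecTrustResultFatalTrustFailure`, so an explicit distrust decision is also sent through the chain-rewriting path. If the failure expected once the GTE root is removed is a recoverable one (to be confirmed against Security.framework behaviour), narrowing the guard to `if (trust_result == kSecTrustResultRecoverableTrustFailure)` keeps the workaround limited to the case it targets. A comment above the call, such as `// Retry without the GTE-signed Baltimore cross-certificate; a failed retry leaves the first result in place.`, would also explain why a second evaluation happens. The enclosing function starts and ends outside this hunk.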
diff --git a/cert/cert_verify_proc_unittest.cc b/cert/cert_verify_proc_unittest.cc
index 0645d74..eb9399f 100644
--- a/cert/cert_verify_proc_unittest.cc
+++ b/cert/cert_verify_proc_unittest.cc
@@ -859,6 +859,111 @@
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
}
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
+// Root can be successfully worked around once Apple completes removing the
+// older GTE CyberTrust Root from its trusted root store.
+//
+// The issue is caused by servers supplying the cross-certified intermediate
+// (necessary for certain mobile platforms), which OS X does not recognize
+// as already existing within its trust store.
+TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
+ CertificateList certs = CreateCertificateListFromFile(
+ GetTestCertsDirectory(),
+ "cybertrust_omniroot_chain.pem",
+ X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+ ASSERT_EQ(2U, certs.size());
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[1]->os_cert_handle());
+
+ scoped_refptr<X509Certificate> cybertrust_basic =
+ X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+ intermediates);
+ ASSERT_TRUE(cybertrust_basic.get());
+
+ scoped_refptr<X509Certificate> baltimore_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_root.pem");
+ ASSERT_TRUE(baltimore_root.get());
+
+ ScopedTestRoot scoped_root(baltimore_root);
+
+ // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
+ // simulates Keychain removing support for the GTE CyberTrust Root.
+ TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
+ base::ScopedClosureRunner reset_system_trust(
+ base::Bind(&TestRootCerts::SetAllowSystemTrust,
+ base::Unretained(TestRootCerts::GetInstance()),
+ true));
+
+ // First, make sure a simple certificate chain from
+ // EE -> Public SureServer SV -> Baltimore CyberTrust
+ // works. Only the first two certificates are included in the chain.
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the first known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_1 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_1.pem");
+ ASSERT_TRUE(baltimore_intermediate_1.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_1 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_1 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_1);
+ error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the second known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_2 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_2.pem");
+ ASSERT_TRUE(baltimore_intermediate_2.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_2 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_2 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify when both a cross-certified intermediate AND
+ // the legacy GTE root are provided.
+ scoped_refptr<X509Certificate> cybertrust_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_gte_root.pem");
+ ASSERT_TRUE(cybertrust_root.get());
+
+ intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
+ scoped_refptr<X509Certificate> baltimore_chain_with_root =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags,
+ NULL, empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+}
+#endif
+
#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
static const uint8 kCRLSetThawteSPKIBlocked[] = {
0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
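Review bot: CybertrustGTERoot asserts only that the four chains verify; nothing checks that stripping the cross-signed certificate cannot turn an untrusted chain into a trusted one. A negative case would pin that: with a test root other than `baltimore_root` installed and system trust disabled, verifying `baltimore_chain_1` should still fail, e.g. `EXPECT_NE(OK, error);` and `EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);`. The test also appears to verify real-world certificates against the current clock, and the fixture dumps added in this commit show the cross-certified intermediates and the GTE root expiring in August 2018 (the leaf's validity is not visible here). A comment stating which cases are expected to keep passing after those dates would help whoever sees this test fail later.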
diff --git a/cert/test_root_certs.h b/cert/test_root_certs.h
index 543adbd..8257717 100644
--- a/cert/test_root_certs.h
+++ b/cert/test_root_certs.h
@@ -63,6 +63,12 @@
// certificates stored in |temporary_roots_|. If IsEmpty() is true, this
// does not modify |trust_ref|.
OSStatus FixupSecTrustRef(SecTrustRef trust_ref) const;
+
+ // Configures whether or not the default/system root store should also
+ // be trusted. By default, this is true, indicating that the TestRootCerts
+ // are used in addition to OS trust store.
+ void SetAllowSystemTrust(bool allow_system_trust);
+
#elif defined(OS_WIN)
HCERTSTORE temporary_roots() const { return temporary_roots_; }
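Review bot: The new comment on SetAllowSystemTrust does not say how the setting interacts with an empty root list. The comment just above it states that FixupSecTrustRef does not modify |trust_ref| when IsEmpty() is true, which suggests that disabling system trust has no effect until at least one temporary root has been added. I would extend the comment with something like `// Only takes effect while at least one temporary root is installed; the value persists on the singleton until set back to true.` The IsEmpty() check itself is outside this hunk, so confirm the behaviour before committing that wording.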
@@ -91,6 +97,7 @@
HCERTSTORE temporary_roots_;
#elif defined(OS_MACOSX)
base::mac::ScopedCFTypeRef<CFMutableArrayRef> temporary_roots_;
+ bool allow_system_trust_;
#endif
#if defined(OS_WIN) || defined(USE_OPENSSL)
diff --git a/cert/test_root_certs_mac.cc b/cert/test_root_certs_mac.cc
index 2728248..50c4b80 100644
--- a/cert/test_root_certs_mac.cc
+++ b/cert/test_root_certs_mac.cc
@@ -77,12 +77,18 @@
temporary_roots_);
if (status)
return status;
- // Trust system store in addition to trusting |temporary_roots_|.
- return SecTrustSetAnchorCertificatesOnly(trust_ref, false);
+ return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);
}
- // For OS X 10.6, emulate the functionality by copying the system roots
- // in addition to |temporary_roots_|.
+ if (!allow_system_trust_) {
+ // Avoid any copying if system roots are not to be trusted. This acts as
+ // an exclusive list on 10.6, replacing the built-ins.
+ return SecTrustSetAnchorCertificates(trust_ref, temporary_roots_);
+ }
+
+ // Otherwise, both system trust and temporary_roots_ must be trusted.
+ // Emulate the functionality of SecTrustSetAnchorCertificatesOnly by
+ // creating a copy of the system roots and merging with temporary_roots_.
CFArrayRef system_roots = NULL;
OSStatus status = SecTrustCopyAnchorCertificates(&system_roots);
if (status)
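Review bot: The line `return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);` lost its explanatory comment and now depends on a negation that is easy to misread. A one-line comment such as `// anchorCertificatesOnly == true limits trust to |temporary_roots_|; false also trusts the system store.` would make the inversion explicit, in the same way the 10.6 branch below it is documented. The function starts above this hunk and continues past it.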
@@ -96,11 +102,16 @@
return SecTrustSetAnchorCertificates(trust_ref, scoped_roots);
}
+void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) {
+ allow_system_trust_ = allow_system_trust;
+}
+
TestRootCerts::~TestRootCerts() {}
void TestRootCerts::Init() {
temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0,
&kCertArrayCallbacks));
+ allow_system_trust_ = true;
}
} // namespace net
diff --git a/data/ssl/certificates/README b/data/ssl/certificates/README
index e4e7e64..8f9e4a7 100644
--- a/data/ssl/certificates/README
+++ b/data/ssl/certificates/README
@@ -193,3 +193,18 @@
containing the intermediate, which can be served via a URLRequestFilter.
aia-intermediate.der is stored in DER form for convenience, since that is
the form expected of certificates discovered via AIA.
+
+- cybertrust_gte_root.pem
+- cybertrust_baltimore_root.pem
+- cybertrust_omniroot_chain.pem
+- cybertrust_baltimore_cross_certified_1.pem
+- cybertrust_baltimore_cross_certified_2.pem
+ These certificates are reflect a portion of the CyberTrust (Verizon
+ Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
+ still widely supported, while _baltimore_root.pem reflects the newer
+ 2048-bit root. For clients that only support the GTE root, two versions
+ of the Baltimore root were cross-signed by GTE, namely
+ _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
+ chain that was issued under the Baltimore root. Combined, these
+ certificates can be used to test real-world cross-signing; in practice,
+ they are used to test certain workarounds for OS X's chain building code.
diff --git a/data/ssl/certificates/cybertrust_baltimore_cross_certified_1.pem b/data/ssl/certificates/cybertrust_baltimore_cross_certified_1.pem
new file mode 100644
index 0000000..31bb088
--- /dev/null
+++ b/data/ssl/certificates/cybertrust_baltimore_cross_certified_1.pem
@@ -0,0 +1,82 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 120033005 (0x7278eed)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+ Validity
+ Not Before: Apr 18 16:36:18 2012 GMT
+ Not After : Aug 13 16:35:17 2018 GMT
+ Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
+ d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
+ 64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
+ 62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
+ 52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
+ 73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
+ 50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
+ a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
+ 70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
+ d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
+ 5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
+ 98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
+ ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
+ 39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
+ c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
+ ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
+ 78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
+ 1a:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:3
+ X509v3 Certificate Policies:
+ Policy: X509v3 Any Policy
+ CPS: http://cybertrust.omniroot.com/repository
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
+ serial:01:A5
+
+ X509v3 CRL Distribution Points:
+ URI:http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:1d:fe:8b:ae:46:ec:cb:a9:0f:ab:e5:ef:ca:b2:68:16:68:
+ d8:8f:fa:13:a9:af:b3:cb:2d:e7:4b:6e:8e:69:2a:c2:2b:10:
+ 0a:8d:f6:ae:73:b6:b9:fb:14:fd:5f:6d:b8:50:b6:c4:8a:d6:
+ 40:7e:d7:c3:cb:73:dc:c9:5d:5b:af:b0:41:b5:37:eb:ea:dc:
+ 20:91:c4:34:6a:f4:a1:f3:96:9d:37:86:97:e1:71:a4:dd:7d:
+ fa:44:84:94:ae:d7:09:04:22:76:0f:64:51:35:a9:24:0f:f9:
+ 0b:db:32:da:c2:fe:c1:b9:2a:5c:7a:27:13:ca:b1:48:3a:71:
+ d0:43
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/data/ssl/certificates/cybertrust_baltimore_cross_certified_2.pem b/data/ssl/certificates/cybertrust_baltimore_cross_certified_2.pem
new file mode 100644
index 0000000..8d3445b
--- /dev/null
+++ b/data/ssl/certificates/cybertrust_baltimore_cross_certified_2.pem
@@ -0,0 +1,85 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 120024505 (0x7276db9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+ Validity
+ Not Before: Nov 30 16:35:21 2010 GMT
+ Not After : Aug 10 15:34:26 2018 GMT
+ Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
+ d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
+ 64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
+ 62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
+ 52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
+ 73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
+ 50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
+ a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
+ 70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
+ d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
+ 5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
+ 98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
+ ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
+ 39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
+ c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
+ ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
+ 78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
+ 1a:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:3
+ X509v3 Certificate Policies:
+ Policy: X509v3 Any Policy
+ CPS: http://cybertrust.omniroot.com/repository.cfm
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
+ serial:01:A5
+
+ X509v3 CRL Distribution Points:
+ URI:http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl
+
+ X509v3 Subject Key Identifier:
+ E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
+ Signature Algorithm: sha1WithRSAEncryption
+ 16:b4:2c:c9:f1:5e:e1:a2:7b:9b:78:20:7a:4a:70:70:86:19:
+ 00:b7:05:2a:e8:c9:25:39:0f:c3:64:3c:75:09:d9:89:15:80:
+ 07:c2:8d:bc:29:a5:64:50:cf:71:75:47:23:bd:4d:d8:7f:77:
+ 9a:51:10:6e:4e:1f:20:3c:47:9c:43:74:7f:96:84:10:4c:13:
+ 43:be:f8:e0:72:2e:ff:bf:ae:3c:0a:03:60:82:4b:6f:f9:9a:
+ c5:1e:f6:af:90:3b:9f:61:3b:3e:de:9b:05:1a:c6:2c:3c:57:
+ 21:08:0f:54:fa:28:63:6c:e8:1b:9c:0f:cf:dd:30:44:13:b9:
+ 57:fe
+-----BEGIN CERTIFICATE-----
+MIIEODCCA6GgAwIBAgIEBydtuTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
+UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
+cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
+b2JhbCBSb290MB4XDTEwMTEzMDE2MzUyMVoXDTE4MDgxMDE1MzQyNlowWjELMAkG
+A1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVz
+dDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKrmD1X6CZymrV51Cni4eiVgLGw41uO
+KymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsBUnuId9Mcj8e6uYi1agnn
+c+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/CG9VwcPCP
+wBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPg
+kAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFc
+B5kpvcY67Oduhjprl3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaOCAWow
+ggFmMBIGA1UdEwEB/wQIMAYBAf8CAQMwTgYDVR0gBEcwRTBDBgRVHSAAMDswOQYI
+KwYBBQUHAgEWLWh0dHA6Ly9jeWJlcnRydXN0Lm9tbmlyb290LmNvbS9yZXBvc2l0
+b3J5LmNmbTAOBgNVHQ8BAf8EBAMCAQYwgYkGA1UdIwSBgTB/oXmkdzB1MQswCQYD
+VQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUg
+Q3liZXJUcnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRy
+dXN0IEdsb2JhbCBSb290ggIBpTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vd3d3
+LnB1YmxpYy10cnVzdC5jb20vY2dpLWJpbi9DUkwvMjAxOC9jZHAuY3JsMB0GA1Ud
+DgQWBBTlnVkwgkdYzKz6CFQ2hns6tQRN8DANBgkqhkiG9w0BAQUFAAOBgQAWtCzJ
+8V7honubeCB6SnBwhhkAtwUq6MklOQ/DZDx1CdmJFYAHwo28KaVkUM9xdUcjvU3Y
+f3eaURBuTh8gPEecQ3R/loQQTBNDvvjgci7/v648CgNggktv+ZrFHvavkDufYTs+
+3psFGsYsPFchCA9U+ihjbOgbnA/P3TBEE7lX/g==
+-----END CERTIFICATE-----
diff --git a/data/ssl/certificates/cybertrust_baltimore_root.pem b/data/ssl/certificates/cybertrust_baltimore_root.pem
new file mode 100644
index 0000000..43a6c0f
--- /dev/null
+++ b/data/ssl/certificates/cybertrust_baltimore_root.pem
@@ -0,0 +1,77 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 33554617 (0x20000b9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
+ Validity
+ Not Before: May 12 18:46:00 2000 GMT
+ Not After : May 12 23:59:00 2025 GMT
+ Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
+ d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
+ 64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
+ 62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
+ 52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
+ 73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
+ 50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
+ a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
+ 70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
+ d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
+ 5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
+ 98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
+ ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
+ 39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
+ c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
+ ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
+ 78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
+ 1a:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:3
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
+ bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
+ 76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
+ 12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
+ ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
+ 74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
+ 05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
+ 31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
+ 9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
+ 1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
+ 73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
+ 7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
+ 9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
+ fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
+ ea:63:39:a9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/data/ssl/certificates/cybertrust_gte_root.pem b/data/ssl/certificates/cybertrust_gte_root.pem
new file mode 100644
index 0000000..27fcceb
--- /dev/null
+++ b/data/ssl/certificates/cybertrust_gte_root.pem
@@ -0,0 +1,48 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 421 (0x1a5)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+ Validity
+ Not Before: Aug 13 00:29:00 1998 GMT
+ Not After : Aug 13 23:59:00 2018 GMT
+ Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:95:0f:a0:b6:f0:50:9c:e8:7a:c7:88:cd:dd:17:
+ 0e:2e:b0:94:d0:1b:3d:0e:f6:94:c0:8a:94:c7:06:
+ c8:90:97:c8:b8:64:1a:7a:7e:6c:3c:53:e1:37:28:
+ 73:60:7f:b2:97:53:07:9f:53:f9:6d:58:94:d2:af:
+ 8d:6d:88:67:80:e6:ed:b2:95:cf:72:31:ca:a5:1c:
+ 72:ba:5c:02:e7:64:42:e7:f9:a9:2c:d6:3a:0d:ac:
+ 8d:42:aa:24:01:39:e6:9c:3f:01:85:57:0d:58:87:
+ 45:f8:d3:85:aa:93:69:26:85:70:48:80:3f:12:15:
+ c7:79:b4:1f:05:2f:3b:62:99
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: md5WithRSAEncryption
+ 6d:eb:1b:09:e9:5e:d9:51:db:67:22:61:a4:2a:3c:48:77:e3:
+ a0:7c:a6:de:73:a2:14:03:85:3d:fb:ab:0e:30:c5:83:16:33:
+ 81:13:08:9e:7b:34:4e:df:40:c8:74:d7:b9:7d:dc:f4:76:55:
+ 7d:9b:63:54:18:e9:f0:ea:f3:5c:b1:d9:8b:42:1e:b9:c0:95:
+ 4e:ba:fa:d5:e2:7c:f5:68:61:bf:8e:ec:05:97:5f:5b:b0:d7:
+ a3:85:34:c4:24:a7:0d:0f:95:93:ef:cb:94:d8:9e:1f:9d:5c:
+ 85:6d:c7:aa:ae:4f:1f:22:b5:cd:95:ad:ba:a7:cc:f9:ab:0b:
+ 7a:7f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/data/ssl/certificates/cybertrust_omniroot_chain.pem b/data/ssl/certificates/cybertrust_omniroot_chain.pem
new file mode 100644
index 0000000..af584a1
--- /dev/null
+++ b/data/ssl/certificates/cybertrust_omniroot_chain.pem
@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----